<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Cisco NetPro - <![CDATA[Firewalling]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=&amp;topic=&amp;CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee6e1fa</link>
<description><![CDATA[Securing your business network]]></description>
<lastBuildDate>Fri, 9 May 2008 07:16:33 PST</lastBuildDate>
<generator>CCSF</generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<item>
<title><![CDATA[global NAT - now need some dynamic policy NAT]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07da7</link>
<description><![CDATA[Hi,

We've got a global NAT rule
static (inside,outside) interior-192.168.0.0 interior-192.168 netmask 255.255.0.0 

But now we need some dynamic policy NAT:
access-list inside_nat_outbound line 1 extended permit ip 192.168.0.0 255.255.0.0 host 217.77.27.188 

global (outside) 1 193.14.22.1-193.14.22.10 netmask 255.0.0.0

The problem is, when we connect to the external network where we need to be NATted (217.77.27.188), we always fall on the global NAT rule, which is needed for another purpose.

Is there a way to use the global NAT rule but also use a dynamic policy NAT with the same networks?

searchrail
]]></description>
<guid isPermaLink="false">.2cc07da7</guid>
<pubDate>Fri, 9 May 2008 07:14:49 PST</pubDate>
</item>
<item>
<title><![CDATA[DHCP pools on ASA 5510/5520]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07f58</link>
<description><![CDATA[Hi. I can't seem to figure out how to have a DHCP pool for inside users that is on a different subnet than the inside interface.
For example, the inside interface is 10.0.0.1/24 but I want the DHCP pool to be 10.1.0.1/24. Honestly, this is for a customer and I don't know his reasoning behind it, so I can't address that.

I read this document: http://cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ip.html
And it didn't tell me whether I could or couldn't do it. Am I just missing something?

Thanks!
]]></description>
<guid isPermaLink="false">.2cc07f58</guid>
<pubDate>Fri, 9 May 2008 07:07:30 PST</pubDate>
</item>
<item>
<title><![CDATA[Excessive UDP teardown]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0736b</link>
<description><![CDATA[Hello, can a PIX generate a UDP teardown without a subsequent UDP setup? I am seeing excessive teardowns on the network and am trying to find out the cause.]]></description>
<guid isPermaLink="false">.2cc0736b</guid>
<pubDate>Fri, 9 May 2008 07:05:22 PST</pubDate>
</item>
<item>
<title><![CDATA[asa5505 nat pat configurations help.]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc08398</link>
<description><![CDATA[This is my network configuration:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.7 255.255.255.0
!
interface Vlan12
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.254 255.255.255.0
!

There must be communication:
from any inside host -&gt; to outside.
from any DMZ host -&gt; to outside.
from any inside host -&gt; to DMZ.

Using PAT:
from any outside host to some services on inside servers.
These configurations are OK,
but I'm not able to communicate from some servers in the DMZ to some inside servers which use e.g. the SMTP and POP3 protocols.

access-list outside_access_in extended permit tcp any host 192.168.0.12 object-group Linuxsrv_servizi
access-list outside_access_in extended permit tcp any host 192.168.0.8 object-group Mailsrv1_servizi
access-list outside extended permit tcp any host 192.168.0.12 eq www
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp host linuxsrv any eq www
access-list dmz_access_in extended permit tcp host websrv any eq www
access-list dmz_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list dmz_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq domain
----------------------------------------------------------------------------------------------------------------------
This is my nat configuration.
global (outside) 1 192.168.0.8 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp 192.168.0.8 www 192.168.1.201 www netmask 255.255.255.255
static (inside,outside) tcp 192.168.0.8 5500 192.168.1.132 5500 netmask 255.255.255.255
static (inside,outside) tcp 192.168.0.8 smtp 192.168.1.201 smtp netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 linuxsrv netmask 255.255.255.255
static (inside,dmz) 192.168.2.0 192.168.1.0 netmask 255.255.255.0

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1

Shall I make another NAT rule, e.g. from inside to DMZ?
I tried to make it but I always get an error: &quot;this rule is overlapping an existent nat rule&quot;
static (inside,dmz) 192.168.2.0 192.168.1.0 netmask 255.255.255.0

Could you please tell me where I am wrong?

Kind regards]]></description>
<guid isPermaLink="false">.2cc08398</guid>
<pubDate>Fri, 9 May 2008 07:05:22 PST</pubDate>
</item>
<item>
<title><![CDATA[PIXEOS Migration Tool]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc083ba</link>
<description><![CDATA[On a Techwise Podcast on Mar 10, 2008, Per Hagen spoke about the PIXEOS migration tool. I was wondering if the tool has been published yet?]]></description>
<guid isPermaLink="false">.2cc083ba</guid>
<pubDate>Fri, 9 May 2008 05:58:14 PST</pubDate>
</item>
<item>
<title><![CDATA[Fixup command and VOIP]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc083b2</link>
<description><![CDATA[hi all,

We recently implemented VOIP on one of our sites. The main CallManager is in the head office and all traffic goes through a PIX 515. The VOIP phone would get the correct IP address from DHCP but simply didn't work properly. After removing the fixup h232 command it started working fine. Can someone pls explain exactly what fixup does and how removing it fixed the prob? Thanks in advance.]]></description>
<guid isPermaLink="false">.2cc083b2</guid>
<pubDate>Fri, 9 May 2008 05:50:57 PST</pubDate>
</item>
<item>
<title><![CDATA[Remote access VPN problem]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc08376</link>
<description><![CDATA[My remote access clients are not able to ping the inside network.

My concentrator is connected to the core switch.

My 172.28.31.171 is also connected to the core switch. Inter-VLAN routing is working fine. Server and concentrator are able to reach each other via the core switch.

concentrator private IP address 172.28.31.92/248
Public IP address:  208.74.112.157
VPN POOL:  172.28.31.128/248

Split tunnel is enabled for 172.28.0.0/16, 172.29.0.0/16.



Routing on concentrator is 
172.28.0.0/16 is connected via 172.28.31.91
172.29.0.0/16 is connected via 172.28.31.91


Core switch Ip address is 172.28.31.91
Core switch also has the route 
ip route 0.0.0.0 0.0.0.0 172.28.31.85
ip route 10.0.0.0 255.255.224.0 172.28.31.68
ip route 10.11.0.32 255.255.255.224 172.28.31.68
ip route 172.28.0.0 255.255.0.0 172.28.31.68
ip route 172.28.0.0 255.255.224.0 172.28.31.77
ip route 172.28.31.128 255.255.255.248 172.28.31.92
ip route 172.29.0.0 255.255.0.0 172.28.31.68
ip route 172.31.205.224 255.255.255.224 172.28.31.68
ip route 192.168.249.0 255.255.255.0 172.28.31.68
ip route 192.168.250.0 255.255.255.0 172.28.31.68,

 




As you have tested, you are able to connect but not able to reach anywhere, though from the internal network I can ping your VPN IP 172.28.31.129.

In the VPN session I can sometimes see bytes sent and received, and sometimes only sending, no receiving.

No firewall is involved in the path between the concentrator and the desired server 172.28.31.171.

Both are connected on the same switch but different VLANs, but inter-VLAN routing is working and both are able to ping.

Only the remote access clients 172.28.31.128/248 are not able to reach anywhere.

The VPN concentrator has the public default filter on the public interface and the private filter on the local interface.
]]></description>
<guid isPermaLink="false">.2cc08376</guid>
<pubDate>Fri, 9 May 2008 04:14:11 PST</pubDate>
</item>
<item>
<title><![CDATA[Max Number of VPNGroup on ASA]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc08361</link>
<description><![CDATA[We have a client who wishes to configure upwards of 250 vpngroups for different schools and remote support companies. Do you know the maximum for the ASA5510-SEC model? I thought of an ACS server controlling ACLs, but I need to answer this question.]]></description>
<guid isPermaLink="false">.2cc08361</guid>
<pubDate>Fri, 9 May 2008 04:11:58 PST</pubDate>
</item>
<item>
<title><![CDATA[P2P and IM blocking with ASA 5520 using GUI]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0836d</link>
<description><![CDATA[Hi everyone,

We have had an ASA 5520 working for some days, and we now want to block IM and P2P network traffic through our firewall. We asked our distributor and they sent us a link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

In this link we have information about blocking such traffic by modifying the running-config file directly. Our question is whether or not we can find a way to do it using the GUI. We would feel safer if we did it like this.

In case there is no chance to do it through the GUI, how should I proceed to modify the running-config file?

Thank you.

]]></description>
<guid isPermaLink="false">.2cc0836d</guid>
<pubDate>Fri, 9 May 2008 03:59:40 PST</pubDate>
</item>
<item>
<title><![CDATA[Cisco VPN Client error]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07d55</link>
<description><![CDATA[Hi, when I try to connect to the VPN using the Cisco VPN client, I get this exception error: &quot;error 403, can not contact security gateway&quot;. Please advise. Thanks]]></description>
<guid isPermaLink="false">.2cc07d55</guid>
<pubDate>Fri, 9 May 2008 01:39:56 PST</pubDate>
</item>
<item>
<title><![CDATA[How to upgrade PIX 7.x without downtime]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07e69</link>
<description><![CDATA[Hi Guys,

Please enlighten me how to do a &quot;zero downtime upgrade&quot; without rebooting my machine. Is there any other command that I need to issue other than &quot;reload&quot;?

Please help me.

Thanks,
Jong


]]></description>
<guid isPermaLink="false">.2cc07e69</guid>
<pubDate>Fri, 9 May 2008 01:22:59 PST</pubDate>
</item>
<item>
<title><![CDATA[ASA 5520 Rebooting Automatically -Urgent]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc08318</link>
<description><![CDATA[Hi,

I have a Cisco ASA 5520. It was working fine without any problem. But since yesterday it is rebooting automatically every 2-3 minutes. I removed it from the network and checked it; at that time it was not rebooting.
What might be the problem? Is it a hardware issue? Please assist to resolve this issue.

Thanx,
som]]></description>
<guid isPermaLink="false">.2cc08318</guid>
<pubDate>Fri, 9 May 2008 00:32:57 PST</pubDate>
</item>
<item>
<title><![CDATA[Unable to communicate on SFTP port (Port No 22) between different VLANs]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07c02</link>
<description><![CDATA[I am having the following trouble.

Source IP from where he is trying to SFTP: 10.254.227.* (DMZ VLAN)

Destination IP: 10.254.230.* where we need access (also a VLAN)

There is a Checkpoint and a PIX firewall on which access-lists are configured.

On checking logs on both firewalls, the SFTP is permitted.

We tested it many times from the command prompt but the connection fails saying 'Connection failed on port 22'

For e.g.: &gt;telnet ip address 22

Tried to telnet from the server (ip 10.254.227.*) to (10.254.230.*)

We tried telnetting on port 22 first and then 21 also, but no joy.

Can someone give some ideas as to what could be preventing the connection?

I have checked the logs on the Checkpoint and it says request accepted when I am sending a request from 10.254.227.x using FileZilla software to connect to another server which is in a different VLAN (10.254.230.x).
I have found that on the Cisco PIX, traffic is getting accepted but it's not going to the appropriate destination.
Please check my following logs from the Cisco PIX.

For the PIX firewall it seems like an address translation issue.

We have got the log from the PIX firewall as follows

****************************************

2008-05-07 21:31:29 Local6.Info 192.168.1.1 %ASA-6-106100: access-list Outside-inbound permitted tcp Outside/10.254.227.*(3882) -&gt; OperWebMgmt/10.254.230.*(22) hit-cnt 1 first hit

2008-05-07 21:31:29 Local6.Error 192.168.1.1 %ASA-3-305005: No translation group found for tcp src Outside:10.254.227.*/3882 dst OperWebMgmt:10.254.230.*/22

***************************************

Looks to us like the PIX is allowing the inbound connection but is not able to make it out towards the destination.

There is a route between both VLANs.

For security reasons, ping and tracert are disabled.]]></description>
<guid isPermaLink="false">.2cc07c02</guid>
<pubDate>Thu, 8 May 2008 21:39:26 PST</pubDate>
</item>
<item>
<title><![CDATA[export]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07599</link>
<description><![CDATA[Hi All,
   I want to export my fw configuration into .xls or .csv format. Kindly help me.
Thank you
Vijay K]]></description>
<guid isPermaLink="false">.2cc07599</guid>
<pubDate>Thu, 8 May 2008 20:31:30 PST</pubDate>
</item>
<item>
<title><![CDATA[VPN map ACL and Routing on ASA]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc082a4</link>
<description><![CDATA[Hi, 

I have a question on VPN map access list and routing in ASA. 
I am considering a scenario of an ASA firewall with VPN tunnel configured for outside interface and has static or dynamic routing running. 
An access list defines match for incoming traffic from inside interface. Matching traffic will be sent on the VPN tunnel. But what if I have a static route/dynamic route (respective of AD) that gives an exit way to the same traffic through some other interface (e.g. DMZ)? 

Which will take preference here, the VPN map ACL or the routing table and why? Will the AD in the routing table affect selection between VPN and exit interface? Let’s say static route will be on top of everything and traffic won’t flow through the VPN tunnel. 
Against what will the traffic be matched first, the VPN map or the routing table? I think it is the access list, then routing.

Actually I am trying to use this for failover between a direct connection through a middle interface and a VPN tunnel. 


Thanks... 
Kapish
]]></description>
<guid isPermaLink="false">.2cc082a4</guid>
<pubDate>Thu, 8 May 2008 20:16:44 PST</pubDate>
</item>
<item>
<title><![CDATA[Asynchronous routing within Active Standby ASA pair]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07fb9</link>
<description><![CDATA[Hi
I have 2 pairs of ASA5520s, one pair at my head office, the other pair at my DR site. They are configured as active/standby pairs at each site with a VPN tunnel between the two sites.
I have traffic that originates off one of the interfaces on the ASA but arrives back in on a different interface.
Will the ASA support this?
I have VPNs from my field sites that needed to come in and go out on the same interface, so I have configured same-security-traffic permit intra-interface for them, but my WAN has some asynchronous routing that allows traffic to come in on a different interface than it went out on.

Please Help]]></description>
<guid isPermaLink="false">.2cc07fb9</guid>
<pubDate>Thu, 8 May 2008 20:16:35 PST</pubDate>
</item>
<item>
<title><![CDATA[delayed http dns lookups]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc08293</link>
<description><![CDATA[Hi,

This is a problem that I can't seem to resolve, and TAC couldn't help with it either. Every time I browse the web, my DNS lookups seem to be delayed and can sometimes take up to a minute before the lookup is done and the web page returns. This is on a 5505 for my small business, and I can put Linux and OS X boxes behind it and they all have the same problem.

Anyone have any ideas on how to find this problem? Any help much appreciated.

winky# sh run
: Saved
:
ASA Version 7.2(3) 
!
hostname winky
domain-name network.local
enable password ************** encrypted
names
name 192.168.1.0 INSIDE
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ***************** encrypted
banner motd 
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 73.214.34.205
 name-server 68.87.85.98
 domain-name network.local
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http INSIDE 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.11 255.255.255.255 inside
telnet timeout 10
ssh INSIDE 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.40 inside
dhcpd enable inside
!

!
!
username pinky password ******************** encrypted privilege 15
prompt hostname context 
Cryptochecksum:170961d3152823431bba5137e1295291
: end
]]></description>
<guid isPermaLink="false">.2cc08293</guid>
<pubDate>Thu, 8 May 2008 18:55:49 PST</pubDate>
</item>
<item>
<title><![CDATA[BitTorrent and ASA5510]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07f60</link>
<description><![CDATA[I just installed an ASA5510.  Cisco is brand new to me, and I'm still struggling with writing rules for the thing.

I have some understanding, having worked previously with an old Livingston firewall.  Also read the O'Reilly Firewall book :)

I was looking at the firewall dashboard and it showed BitTorrent taking up about 40% of the total traffic for the last hour. The ASA5510 dashboard seems to have detected that on its own; I don't have anything specific written to trap BT.

I'd like to know, is there information I can pull out of the thing?  Can I tell which of my internal hosts is generating this traffic without writing a specific trap to log?

And, is there a one-liner I can write under Configuration/Firewall, to block Bit Torrent?  It's against a company policy here to be using it anyway.

Fred
]]></description>
<guid isPermaLink="false">.2cc07f60</guid>
<pubDate>Thu, 8 May 2008 13:14:29 PST</pubDate>
</item>
<item>
<title><![CDATA[site being blocked]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07663</link>
<description><![CDATA[We just replaced our obsolete 515 with an ASA5510 and find that one of the sites that was available before is no longer available, switching them back brings the site access back.

So, our new configuration is not allowing one particular site and I'm trying to identify why it is blocked.

The site - www.ci.detroit.mi.us

Thanks for all comments]]></description>
<guid isPermaLink="false">.2cc07663</guid>
<pubDate>Thu, 8 May 2008 11:14:58 PST</pubDate>
</item>
<item>
<title><![CDATA[ASA 5520 with SSM]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07571</link>
<description><![CDATA[Hi all,

I have an ASA 5520 with a CSC-SSM module. And I am interested in what IP address and gateway I have to assign to the SSM module. I know the IP which will be assigned to the SSM module has to reach the internet for Trend Micro updates. Do I just need to assign the inside interface any IP address and gateway??? Need UR advice :)))

tnx in advance]]></description>
<guid isPermaLink="false">.2cc07571</guid>
<pubDate>Thu, 8 May 2008 10:58:34 PST</pubDate>
</item>
<item>
<title><![CDATA[ASA upgrade to version 8 of code not working]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07d84</link>
<description><![CDATA[We are in the process of upgrading our IOS on the ASA to version 8 of the code, but when we upgrade and migrate over our current running config, all traffic is able to go out but not come in. We haven't opened a ticket with Cisco yet but I would like to hear if anyone has any recommendations.]]></description>
<guid isPermaLink="false">.2cc07d84</guid>
<pubDate>Thu, 8 May 2008 10:56:00 PST</pubDate>
</item>
<item>
<title><![CDATA[DNS question on ASA5505]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07e57</link>
<description><![CDATA[Is it possible using a ASA5505 to sort of...augment the DNS resolution?

We are using DHCP to configure inside hosts and they are being given the ISP's DNS server info but we have one internal server we would like them to be able to resolve as well.

So, for example, hello.world.com maybe doesn't exist, but I would like it to resolve internally to 10.10.10.10.

Is this possible?
]]></description>
<guid isPermaLink="false">.2cc07e57</guid>
<pubDate>Thu, 8 May 2008 10:32:28 PST</pubDate>
</item>
<item>
<title><![CDATA[allow some users can access IM]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc068b4</link>
<description><![CDATA[Hi,

I enabled the fw and it can block all IM (Yahoo and MSN). However, I would like to allow some customers (192.168.25.12 and 192.168.25.13) to use MSN and Yahoo IM. How do I configure the Cisco 1811?


### config
:
:
appfw policy-name test
  application im aol
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
  application http
    port-misuse im action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
:
:
:
interface Vlan1
 ip inspect test in

]]></description>
<guid isPermaLink="false">.2cc068b4</guid>
<pubDate>Thu, 8 May 2008 09:34:22 PST</pubDate>
</item>
<item>
<title><![CDATA[ASA Active/Standby ASDM Configuration Problem]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07d37</link>
<description><![CDATA[Hi,

I am trying to configure Active/Standby LAN-based stateful failover on two ASA 5510s running OS version 7.2(3) and having the Security Plus license.

I assigned IP addresses to the interfaces as shown in the attachment and I could ping all interfaces. The interfaces are connected using cross-over cables.
When I started the High Availability Wizard in ASDM to configure failover, I got the error message &quot; One or more of the peer connectivity or cpmpatibility test failed. You must resolve the problems before you can proceed further.&quot;

Also, I tried configuring failover using the CLI according to the document at http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wpmkr1133737.
When I got to step 4b under LAN-based failover, I got the error message:
Primary-ASA(config)# failover interface ip failover 192.168.200.1 255.255.255.252 standby 192.168.200.2

Interface failover is not a failover or stateful interface.

Any ideas on what I am doing wrong? Any problems with licensing on these ASAs?

Thanks for your help.

Attachment Keywords:
1) Failover Config Error Capture.JPG
2) Failover Config Error_001.txt
]]></description>
<guid isPermaLink="false">.2cc07d37</guid>
<pubDate>Thu, 8 May 2008 08:53:14 PST</pubDate>
</item>
<item>
<title><![CDATA[SNMP counter 32 or counter 64]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07d95</link>
<description><![CDATA[Hi

I would like to know how I would go about finding out whether the SNMP/MIB counters on the Cisco Firewall Services Module version 3.1(6) are either 32 or 64. Is there a show command to view this?

I have a problem pulling stats using my NMS and feel that the wrap is too quick for my poll.

Thanks in advance.

Regards,]]></description>
<guid isPermaLink="false">.2cc07d95</guid>
<pubDate>Thu, 8 May 2008 06:13:29 PST</pubDate>
</item>
<item>
<title><![CDATA[Version 8.3 ]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07d90</link>
<description><![CDATA[Hi, we have multiple ASAs (7.2) installed at different locations and we have established VPN connections among all of them. Now we want to upgrade to version 8.3 one by one at all locations. After upgrading, is a new configuration required or will all configuration remain the same, and can a VPN tunnel be supported between installed ASA 5505s that have different versions (7.2 and 8.3)? Please tell us the advantages of version 8.3 as well. Thanks..]]></description>
<guid isPermaLink="false">.2cc07d90</guid>
<pubDate>Thu, 8 May 2008 06:10:13 PST</pubDate>
</item>
<item>
<title><![CDATA[ASA ignoring gratuitous ARP]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07d3e</link>
<description><![CDATA[Hi there, I have a pair of F5 FirePass SSL VPN devices. They are sitting behind a pair of ASAs. When the FirePass devices fail over they send a gratuitous ARP informing of the MAC change, but the ASA ignores this. The only way I can resolve it is to clear the ARP on the firewalls. I searched existing posts here and found a similar topic but not much response. Has anybody seen this before?

Any help appreciated. 

Mark]]></description>
<guid isPermaLink="false">.2cc07d3e</guid>
<pubDate>Thu, 8 May 2008 04:25:48 PST</pubDate>
</item>
<item>
<title><![CDATA[configuration of firewall in unique way]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07d2b</link>
<description><![CDATA[I have an ASA-5510 firewall, ver 7.0, with 3 interfaces: one is connected to my internal LAN, one interface is connected to an ISP with public IP 203.27.53.112, and the last goes to a router which is connected to another ISP with public IP 57.12.26.53. I am using a summarized address of 192.168.0.0/16. My requirement is that I have 2 subnets, 192.168.1.0/24 and 192.168.2.0/24. I want to send my 192.168.1.0/24 internet traffic via 203.27.53.112 and 192.168.2.0/24 via 57.12.26.53 (via the router). Is it possible? If yes, please guide me through.

regards
Ravi]]></description>
<guid isPermaLink="false">.2cc07d2b</guid>
<pubDate>Thu, 8 May 2008 04:07:43 PST</pubDate>
</item>
<item>
<title><![CDATA[Two ASA Firewalls - only one works]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc01b7e</link>
<description><![CDATA[We have two ASA 5510 devices. Both are configured exactly the same. One is working, the other isn't. We plug ASA (2) in to the network and unplug ASA (1) and we can ping internally, and to our DMZ, but we can't browse to the web. We go back to ASA (1) and all is fine.
Any suggestions? NB: We are not using anything as fancy as failover - just manually unplugging one and plugging the other one in.]]></description>
<guid isPermaLink="false">.2cc01b7e</guid>
<pubDate>Thu, 8 May 2008 03:08:01 PST</pubDate>
</item>
<item>
<title><![CDATA[PIX525 and IE]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Firewalling&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07cd2</link>
<description><![CDATA[Hi all,
How can I make the PIX525 work through IE? Which program should be added to the PIX525 to make it work through IE?

best regards
thaar]]></description>
<guid isPermaLink="false">.2cc07cd2</guid>
<pubDate>Thu, 8 May 2008 01:53:00 PST</pubDate>
</item>

</channel>
</rss>
