Search Results

Search found 256 results on 11 pages for 'asa ayers'.

Page 6/11 | < Previous Page | 2 3 4 5 6 7 8 9 10 11  | Next Page >

  • Cisco ASA SSL VPN options?

    - by JonH
    Disclaimer: I am not a network admin so I may be wrong here but I thought asking here would help. I'm a developer mainly on the .net framework as well as helping get a mobile intranet app working. Because this app is only allowed to be used on our network I can easily run this app on our wireless network connection within our building. All is fine and dandy but we'd also like to be able to run this mobile app at say a customer plant using VPN software. I thought surely this could be easy as we exclusively use Samsung s4 phones so I thought I'd download Cisco's Samsung any connect software to allow us to VPN...its right on the play store. Sure enough it doesn't work. I mention it to our network admin who says not possible since we have old technology that doesn't support SSL. He mentions we'd have to upgrade all of our hardware, the firewall, etc. to get this to work. We really need VPN on our phones not only for this app but other internal apps, etc. He did mention the following: We can’t upgrade the software on our ASA, because we don’t have enough memory for the new version.  (the asa is very old).  We can’t add more memory, so we would have to get a new firewall, which I have been told I cannot do. In addition he also mentioned: The Samsung AnyConnect client uses SSL to connect.  With the current (old) version of software that our firewall is running, the SSL connections are unreliable.  We need different hardware in order to upgrade our firewall, which we are unable to attain at this time.  This is the same reason that Windows 8 clients are not able to connect. I am curious hence me asking. vpns seem to be fairly simple to setup. What other options do I have aside from making this a public site or web service that consumes this data over the internet as this is a complete no no. What can we do to make this work without that much effort or cost.

    Read the article

  • Implement QoS/Bandwidth Management or Upgrade Bandwidth?

    - by Michael
    A question that I'm faced with currently. Here's my setup: Cisco ASA 5510 15Mbps Internet Connection @ $1350/month The bandwidth was originally meant for 35-45 people but we've grown quite quickly to roughly 60-65 people. Needless to say, when I check bandwidth logs it's almost always spiked at 15Mbps. I did use Wireshark to do some poking around to see what was hogging up our bandwidth but with everything running through CDNs and Cloud Services it proved difficult to get a good grasp of where our bandwidth was going. So the question is do I ONLY implement bandwidth management through ASA OR upgrade the Internet to 50Mbps ($1600/month) and then implement bandwidth management through ASA? Any suggestions on how to segment the 15Mbps connection if we decided ONLY to go with the bandwidth management solution? Thanks. UPDATE 1 Installed PRTG and used packet content to monitor the traffic. As I suspected still pretty vague. My Top Connections include the following: a204-2-160-16.deploy.akamaitechnologies.com ec2-50-16-212-159.compute-1.amazonaws.com a204-2-160-48.deploy.akamaitechnologies.com a72-247-247-133.deploy.akamaitechnologies.com mediaserver-sv5-t1-1.pandora.com Other than the Pandora destination, the rest doesn't tell me much on how to properly control the bandwidth. Any thoughts or suggestions? Thanks. M

    Read the article

  • Skype performance in IPSEC VPN

    - by dunxd
    I've been challenged to "improve Skype performance" for calls within my organisation. Having read the Skype IT Administrators Guide I am wondering whether we might have a performance issue where the Skype Clients in a call are all on our WAN. The call is initiated by a Skype Client at our head office, and terminated on a Skype Client in a remote office connected via IPSEC VPN. Where this happens, I assume the trafficfrom Client A (encrypted by Skype) goes to our ASA 5510, where it is furtehr encrypted, sent to the remote ASA 5505 decrypted, then passed to Client B which decrypts the Skype encryption. Would the call quality benefit if the traffic didn't go over the VPN, but instead only relied on Skype's encryption? I imagine I could achieve this by setting up a SOCKS5 proxy in our HQ DMZ for Skype traffic. Then the traffic goes from Client A to Proxy, over the Skype relay network, then arrives at Cisco ASA 5505 as any other internet traffic, and then to Client B. Is there likely to be any performance benefit in doing this? If so, is there a way to do it that doesn't require a proxy? Has anyone else tackled this?

    Read the article

  • Outside VPN traffic not able to ping site-to-site VPN remote site

    - by Siriss
    we have two ASA 5510s running 8.4 in a site-to-site VPN setup. All internal traffic is working smoothly. Site/Subnet A: 192.100.0.0 - local Site/Subnet B: 192.200.0.0 - remote VPN Users: 192.100.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible. Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise. I know I am missing a NAT rule, and in 8.2, it was easy as pie to setup using ASDM, but now I can't get it for the life of me as 8.4 apparently made a lot of changes to NAT rules. I am not too comfortable in the ASA command line, but if there is a command I need to add or if you could direct me where I can add this in 8.4 ASDM I would really appreciate it. I have tired NAT Exempt, Static NAT, Static NAT Policies, etc... I think I tried all the options. I also might have my interfaces confused with the new look at feel of ASDM. Thank you much in advance and I hope I have been thorough enough.

    Read the article

  • Router for creating site to site VPN to server provider using Cisco ASA 5540

    - by fondie
    We have dedicated servers hosted for us by a third party, we connect to these over a VPN. My server provider uses Cisco ASA 5540 as VPN devices. Currently we're using software clients on individual machines to connect to this VPN, either: Cisco VPN Client Shrew Soft VPN Connect However, I'm looking to purchase a new load balancing router for our office and thought this could be an opportunity to get VPN client duties taken over by hardware. We could then create a permanent VPN tunnel that could be used by anyone on the network with no software client necessary. Sadly I'm not the most knowledgeable on this kind of stuff so is: 1) This a realizable goal? Next I need to know what kind of hardware I will need. I'm not looking to spend lots of money on this (~$500), so doubtful I can afford any Cisco kit. Therefore, this is the most promising candidate I've seen (as far as my limited knowledge goes): Draytek Vigor 2955 - http://www.draytek.co.uk/products/vigor2955.html 2) Would this be compatible with the Cisco kit my server provider uses? 3) If not, are there any alternatives I should consider? Many thanks in advance.

    Read the article

  • Outbound ports to allow through firewall - core requirements

    - by dunxd
    This question was asked before, but in a rather general way. I'm asking more specifically based on my current requirements. We have a number of remote offices made up of a bunch of PCs and an ASA 5505 which is used as firewall and VPN termination point. In the offices we share the internet connection with one or more other organisations over whom we have very little control, asides from the config on the ASAs. For a bunch of reasons I'd like to lock down these ASA 5505s to only allow outbound traffic to ports used by applications we know we need. I'm putting a standard config to roll out to all the ASAs, and if we need to open up ports for the other orgs we can do it on request. But I want to leave open the most commonly required ports so we can get up and running without waiting on other folks technical staff to get back. I plan to allow the following TCP ports to support email and web access, which I know everyone will need: POP3 (110 and 995) HTTP (80 and 443) IMAP4 (143 and 993) SMTP (25 and and 465) The question really is, what other ports do I need to leave open to allow for "normal" working? I've seen UDP port 53 for DNS as one. Are there any others that would be worth opening up? Just to note - I'll also be setting up monitoring systems to keep an eye on the ports we do allow. Any of the above could be misused of course. We'll also back all this up with signed agreements. But I'm aiming for a technical solutions where I don't have to start out with the full requirements of everyone we share connections with. See also: outbound ports that are always open

    Read the article

  • Outbound ports to allow through firewall

    - by dunxd
    This question was asked before, but in a rather general way. I'm asking more specifically based on my current requirements. We have a number of remote offices made up of a bunch of PCs and an ASA 5505 which is used as firewall and VPN termination point. In the offices we share the internet connection with one or more other organisations over whom we have very little control, asides from the config on the ASAs. For a bunch of reasons I'd like to lock down these ASA 5505s to only allow outbound traffic to ports used by applications we know we need. I'm putting a standard config to roll out to all the ASAs, and if we need to open up ports for the other orgs we can do it on request. But I want to leave open the most commonly required ports so we can get up and running without waiting on other folks technical staff to get back. I plan to allow the following TCP ports to support commonly required resources: POP3 (110 and 995) HTTP (80 and 443) IMAP4 (143 and 993) SMTP (25 and and 465) The question really is, what other ports do I need to leave open to allow for "normal" working. I've seen UDP port 53 for DNS as one. Are there any others that would be worth opening up? Just to note - I'll also be setting up monitoring systems to keep an eye on the ports we do allow. Any of the above could be misused of course. We'll also back all this up with signed agreements. But I'm aiming for a technical solutions where I don't have to start out with the full requirements of everyone we share connections with. See also: outbound ports that are always open

    Read the article

  • Can't access shared drive when connecting over VPN

    - by evolvd
    I can ping all network devices but it doesn't seem that DNS is resolving their hostnames. ipconfig/ all is showing that I am pointing to the correct dns server. I can "ping "dnsname"" and it will resolve but it wont resolve any other names. Split tunnel is set up so outside DNS is resolving fine So one issue might be DNS but I have the IP address of the server share so I figure I could just get to it that way. example: \10.0.0.1\ well I can't get to it that way either and I get "the specified network name is no longer available" I can ping it but I can't open the share. Below is the ASA config : ASA Version 8.2(1) ! hostname KG-ASA domain-name example.com names ! interface Vlan1 nameif inside security-level 100 ip address 10.0.0.253 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address dhcp setroute ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns domain-lookup outside dns server-group DefaultDNS name-server 10.0.0.101 domain-name blah.com access-list OUTSIDE_IN extended permit tcp any host 10.0.0.253 eq 10000 access-list OUTSIDE_IN extended permit tcp any host 10.0.0.253 eq 8333 access-list OUTSIDE_IN extended permit tcp any host 10.0.0.253 eq 902 access-list SPLIT-TUNNEL-VPN standard permit 10.0.0.0 255.0.0.0 access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0 pager lines 24 logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool IPSECVPN-POOL 10.0.1.2-10.0.1.50 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-621.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list NONAT nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface 10000 10.0.0.101 10000 netmask 255.255.255.255 static (inside,outside) tcp interface 8333 10.0.0.101 8333 netmask 255.255.255.255 static (inside,outside) tcp interface 902 10.0.0.101 902 netmask 255.255.255.255 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy aaa authentication enable console LOCAL aaa authentication http console LOCAL aaa authentication serial console LOCAL aaa authentication ssh console LOCAL aaa authentication telnet console LOCAL http server enable http 10.0.0.0 255.255.0.0 inside http 0.0.0.0 0.0.0.0 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set myset esp-aes esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map dynmap 1 set transform-set myset crypto dynamic-map dynmap 1 set reverse-route crypto map IPSEC-MAP 65535 ipsec-isakmp dynamic dynmap crypto map IPSEC-MAP interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 65535 authentication pre-share encryption aes hash sha group 2 lifetime 86400 telnet 0.0.0.0 0.0.0.0 inside telnet timeout 5 ssh 0.0.0.0 0.0.0.0 inside ssh 70.60.228.0 255.255.255.0 outside ssh 74.102.150.0 255.255.254.0 outside ssh 74.122.164.0 255.255.252.0 outside ssh timeout 5 console timeout 0 dhcpd dns 10.0.0.101 dhcpd lease 7200 dhcpd domain blah.com ! dhcpd address 10.0.0.110-10.0.0.170 inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 63.111.165.21 webvpn enable outside svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1 svc enable group-policy EASYVPN internal group-policy EASYVPN attributes dns-server value 10.0.0.101 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT-TUNNEL-VPN ! tunnel-group client type remote-access tunnel-group client general-attributes address-pool (inside) IPSECVPN-POOL address-pool IPSECVPN-POOL default-group-policy EASYVPN dhcp-server 10.0.0.253 tunnel-group client ipsec-attributes pre-shared-key * tunnel-group CLIENTVPN type ipsec-l2l tunnel-group CLIENTVPN ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect icmp ! service-policy global_policy global prompt hostname context I'm not sure where I should go next with troubleshooting nslookup result: Default Server: blahname.blah.lan Address: 10.0.0.101

    Read the article

  • ASA5505 Novice. Setting up Outside/Inside/and DMZ as Guest Network

    - by GriffJ
    I need a little help in developing a config for our ASA5505. I'm an MCSA/MCITPAS but I don't have a lot of practical cisco experience. Here is what I need help with, we currently have a PIX as our boarder gateway and well it's antiquated and it only has a 50 user license which means I'm constantly clearing local-host throughout the day as people complain. I discovered that the last IT person bought at couple ASA5505s and they've been sitting in the back of a cupboard. So far I've duplicated the configuration from the pix to the asa but as I was going to be going this far I thought I'd go further and remove another old cisco router that was used only for the guest network, I know the asa can do both jobs. So I'm going to paste a scenario I wrote up with the actual IPs changed to protect the innocent. ... Outside Network: 1.2.3.10 255.255.255.248 (we have a /29) Inside Network: 10.10.36.0 255.255.252.0 DMZ Network: 192.168.15.0 255.255.255.0 Outside Network on e0/0 DMZ Network on e0/1 Inside Network on e0/2-7 DMZ Network has DHCPD Enabled. DMZ DHCPD Pool is 192.168.15.50-192.168.15.250 DMZ Network needs to be able to see DNS on Inside Network at 10.10.37.11 and 10.10.37.12 DMZ Network needs to be able to access webmail on inside network at 10.10.37.15 DMZ Network needs to be able to access business website on inside network at 10.10.37.17 DMZ Network needs to be able to access the outside network (access to the internet). Inside Network has NO DHCPD. (dhcp is handled by domain controller) Inside Network needs to be able to see anything on the DMZ network. Inside Network needs to be able to access the outside network (access to the internet). There is some access-list stuff already, some static mapping already. Maps external IPs from our ISP to our inside server IPs static (inside,outside) 1.2.3.11 10.10.37.15 netmask 255.255.255.255 static (inside,outside) 1.2.3.12 10.10.37.17 netmask 255.255.255.255 static (inside,outside) 1.2.3.13 10.10.37.20 netmask 255.255.255.255 Allows access to our Webserver/Mailserver/VPN from the Outside. access-list 108 permit tcp any host 1.2.3.11 eq https access-list 108 permit tcp any host 1.2.3.11 eq smtp access-list 108 permit tcp any host 1.2.3.11 eq 993 access-list 108 permit tcp any host 1.2.3.11 eq 465 access-list 108 permit tcp any host 1.2.3.12 eq www access-list 108 permit tcp any host 1.2.3.12 eq https access-list 108 permit tcp any host 1.2.3.13 eq pptp Here is all the NAT and route stuff I have so far. global (outside) 1 interface global (outside) 2 1.2.3.11-1.2.3.14 netmask 255.255.255.248 nat (inside) 1 0.0.0.0 0.0.0.0 nat (dmz) 1 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 1.2.3.9 1

    Read the article

  • Assist me access my firewall using ASDM

    - by ghp
    Have configured my asa 5520 with all the interfaces inside -- 10.11.12.1 outside - 70.71.72.4 Have not connected the management interface ..left it as is. Im remotely accessing this firewall from a different location by SSH, but would like to use the asdm to access it remotely. I have configured the HTTP SERVER enable and assigned http 10.11.12.254 255.255.255.255 inside Please can someone let me know the config which can help me access this firewall using ASDM.

    Read the article

  • Cisco: Site-to-site VPN with cisco 878 and ASA weirdness

    - by cpf
    I currently have 2 sites, both connected to each other through 2 firewalls / routers in a site-to-site VPN. Pinging from server to server (Using 2mb/2mb SDSL) through that VPN obviously works, however, at one site, we have another internet connection (7m/400k ADSL), and only the link between the two sites should be on the other connection. All pc's should go over the other connection for internet, just communication between servers & Communication between pc's and the server at the other side should go through there too. What is configured at the moment is the server is using the SDSL directly as default gateway. Since it's not intended to surf anything it is a safe config. PC's are configured on the ADSL as default gateway. Now I wanted to route through everything that uses the range used on the other site, it should be sent from the ADSL modem to the SDSL modem, which has the VPN connection. I figured I could use OSPF to do so, however, OSPF doesn't seem to "detect" the range of the external site. Also (due to bad ip subnetting thanks to the other administrator), the ip used internally as the server on the other site also exists on the internet (causing a lot of confusion), so rdp-ing from our server to the server of the other site works (somehow), but tracerouting on the SDSL router (which should actually, in my opinion, go over the VPN) actually goes all over the internet. My question(s): Why doesn't the SDSL router ping the external ip through VPN, but the server does? Why can't I route from the ADSL router to the SDSL over VPN? I would seriously appreciate some help, since I can't figure out why it does it like this.

    Read the article

  • Cisco ASA 5505: Force NAT before IPsec?

    - by WuckaChucka
    I'm trying to route public-to-public IPs over an IPSec tunnel. However, the src IP is not "interesting" to the Cisco's IPSec engine because it doesn't appear to be getting translated to the outside IP before being evaluated by the Cisco's IPSec engine. From WEST to EAST, my public-to-public IPSec works fine: I can make a request from 192.168.0.5:any to 200.200.200.200:80 because the Vyatta does the NAT translation before the IPSec tunnel inspects the traffic, so the remote-subnet and local-subnet matches (see below). However from EAST to WEST, I see a deny in my Cisco logging buffer for Deny tcp src inside:192.168.1.5/59195 dst outside:100.100.100.100/80 which leads me to believe that the IPSec engine is not matching the encrypt_acl because the address has not been translated yet. Any ideas? WEST (Vyatta): inside: 192.168.0.0/24 inside host: 192.168.0.5/24 outside: 100.100.100.100 IPSec local-subnet: 100.100.100.100/32 IPSec remote-subnet: 200.200.200.200/32 EAST (Cisco): inside: 192.168.1.0/24 inside host: 192.168.1.5/24 (DNAT'ed on port 80 to outside) outside: 200.200.200.200 IPSec local-subnet: 200.200.200.200/32 IPSec remote-subnet: 100.100.100.100/32

    Read the article

  • Cisco ASA 5505 (8.05): asymmetrical group-policy filter on an L2L IPSec tunnel

    - by gravyface
    I'm trying to find a way to setup a bi-directional L2L IPSec tunnel, but with differing group-policy filter ACLs for both sides. I have the following filter ACL setup, applied, and working on my tunnel-group: access-list ACME_FILTER extended permit tcp host 10.0.0.254 host 192.168.0.20 eq 22 access-list ACME_FILTER extended permit icmp host 10.0.0.254 host 192.168.0.20 According to the docs, VPN filters are bi-directional, you always specify the remote host first (10.0.0.254), followed by the local host and (optionally) port number, as per the documentation. However, I do not want the remote host to be able to access my local host's TCP port 22 (SSH) because there's no requirement to do so -- there's only a requirement for my host to access the remote host's SFTP server, not vice-versa. But since these filter ACLs are bidirectional, line 1 is also permitting the remote host to access my host's SSH Server. The documentation I'm reading doesn't seem to clear to me if this is possible; help/clarification much appreciated.

    Read the article

  • Cisco ASA 5505 network route for static IP hosts

    - by TheCapn
    I've configured my internal VLAN using the most basic settings where ports 1-7 are assigned from a pool of addresses in the range 192.168.15.5 - 192.168.15.36. These hosts are given access to the internet and it works great. What I'm trying to set up now is allowing users who are connected to the device and specify their IP (say I connect and request 192.168.15.45) are given internet access and can still work alongside DHCP hosts. Those with a DHCP assigned address are blocked from the internet. Mostly the issue resides in that I am very new to working with the device. I feel that the solution is easy but I'm not looking in the right spots and don't have the correct terminology down to google it. Do I need to define access control lists? Group policies? a new VLAN? The rules that are set up seem to be specific to the entire /24 subnet but when I request a static IP outside of the DHCP range I get blocked from other hosts and the internet.

    Read the article

  • Cisco WebVPN RDP Plugin and NLA

    - by bab
    I'm having trouble finding anything in Cisco's docs or with Google searches, so I'm hoping someone out in ServerFault land might know. We've recently enabled NLA domain-wide to protect against some of the recent RDP vulnerabilities. However, we can no longer use the Cisco WebVPN on our ASA to connect to these boxes (Connection Failure). I assume this is because the RDP2 plugin (as of Apr 27 2012) doesn't support NLA? Is there another version of the plugin that does? Thanks!

    Read the article

  • Routing to a Terminal Services Cluster

    - by Dave
    I am trying to connect to a Load Balanced Windows 2008 R2 cluster using Remote Desktop Services. I have no trouble connecting to the the Servers' IP addresses (.253.16 and .253.17) or the Cluster address (.253.20) from inside the subnet (.253). The trouble is when I try to connect from the other subnet(.251). I can remote to the other non-clustered servers (.253.12 and .253.15) inside the .253 subnet from the .251 without an issue. I receive a ping reply from the cluster and other servers when I am on the .251 subnet. But when I try to connect via remote desktop it times out but only to any of the IPs on the cluster (.20,.17,.16). My ASA 5510 handling the routing reports message in the log: Deny TCP (no connection) from 192.168.251.2/4283 to 192.168.253.16/3389 flag FIN PSH ACK Here is a picture if it helps http://dl.dropbox.com/u/4217864/terminal%20server.jpg Thanks for any help

    Read the article

  • AnyConnect SSL VPN split tunneling for a single website?

    - by Daniel Lucas
    We have a Cisco ASA 5510. We use split tunneling for AnyConnect SSL VPN clients. All internal addresses are tunnelled. Everything else is routed through the client's own internet connection. We use a SaaS service that only responds to requests when they come from one of our own public IP addresses. Because of this, VPN users are unable to access it currently. Is there a way to specify that a specific website should be tunneled and all others should not? NOTE: Worst case we will use a web bookmark on the clientless portal to tranlate through our network, but I'd like to see if the above is possible first.

    Read the article

  • Finding a private (NAT) host's IP using historic destination data

    - by l0c0b0x
    The issue: An unknown private (NAT) client is infected with malware and it's trying to access a Bot server at random times/dates. How we know about this: We receive bot traffic notices/alerts from REN-ISAC. Unfortunately, we don't receive those until the next day after it has happened. What they provide to us is: The source address (of the firewall) The destination addresses (it varies, but they're going to network subnet allocated to a German ISP) The source port (which varies--dynamic ports). Question: What would be the best approach to finding this internal host (historically) with a Cisco ASA as firewall? I'm guessing blocking anything to the destination address(es), and logging that type of traffic/access might allow me to find the source host, but I'm not sure which tool/command would be the most useful. I've seen Netflow thrown into a few responses when it comes to logging, but I'm confused with it's association of Logging, NAL, and nBAR, and how they relate to Netflow.

    Read the article

  • What ports do I allow over my internal firewall interface?

    - by blsub6
    I have a Cisco ASA that I have VPN tunnels to connect my internal Windows network. I ran into some trouble logging into my domain so I unblocked all the ports on that internal interface. On a previous question posted here, the general consensus was that I should be blocking ports on my inside interface but my question is: what ports should I unblock? I've tried unblocking ports 88, 139, 135, 389, and 445 and Windows logins still give me problems. Is there some MS documentation somewhere that tells me what I need to unblock to allow Windows logins and other things?

    Read the article

  • Windows updates behind a physical firewall with only IP based rules and generic outbound connections are turned off

    - by user125245
    I have some boxes that I do not want to allow any in or outbound traffic to the internet Except for windows updates. However the fire wall in place (Cisco ASA) apparently only supports ip based rules. As best I can tell access to Microsoft updates via anything other then the half dozen URL masks the Microsoft lists as needed does not appear possible. I have kicked around building a full WSUS that I would then manually copy the update files to so that no direct Microsoft access is needed but this sounds very top heavy for the very few boxes involved. I have also kicked around manual updates all around but am not certain how to be conveniently and confidently sure that the correct updates are being applied in the correct order. Any ideas from any direction would be appreciated. I want this as simple / cost effective as possible but have very little flexibility on the only absolutely required internet access policy.

    Read the article

  • Cisco 5505 VPN RDP not working

    - by user1058275
    I am in dire straights over here. We just changed our LAN from a 192.168.1.0 to a 172.16.4.0. We run Active Directory in our environment and our gateway is a Cisco 5505 ASA. Since the change, our clients can VPN in and make a connection but cannot RDP to any machines that they need to get to on the LAN that they VPN into. I updated the VPN address pool and DNS servers but I'm not sure what else I need to configure. I can send anything you need as I am not an expert and I really, really appreciate the help!

    Read the article

  • Cisco adaptive security appliance is dropping packets where SYN flag is not set

    - by Brett Ryan
    We have an apache instance sitting inside our DMZ which is configured to proxy requests to an internal NATed tomcat instance inside our network. It works fine, but then all of a sudden requests from apache to the tomcat instance stop getting through with the following in the apache logs: [error] (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header Investigating into the Cisco log viewer reveals the following: Error Message %ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name. Explanation The adaptive security appliance discarded a TCP packet that has no associated connection in the adaptive security appliance connection table. The adaptive security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the adaptive security appliance discards the packet. Recommended Action None required unless the adaptive security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent. All are machines are virtualised using VMware, and by default machines have been using the Intel E1000 emulated NIC. Our network administrator has changed this to a VMXNET3 driver in an attempt to correct the problem, we just have to wait and see if the problem persists as it's an intermittent problem. Is there something else that could be causing this problem? This isn't the first service where we have had similar issues. Our apache host is running Ubuntu 11.10 with a kernel version of 3.0.0-17-server. We have also had this issue on RHEL5 (5.8) running kernel 2.6.18-308.16.1.el5, this machine also has the E1000 NIC. NOTE: I am not a network administrator and am a software architect and analyst programmer responsible for these systems.

    Read the article

  • Cisco "copy startup-config tftp" results in a 0 byte file on the server?

    - by Geoffrey
    I'm pulling my hair out figuring this out. My startup-config is good, I can view it with a show command. I'm trying to copy it to a tftp server: asa5505# copy startup-config tftp Address or name of remote host []? ipaddress Destination filename [startup-config]? t !! %Error writing tftp://ipaddress/t (Timed out attempting to connect) On my TFTP server (SolarWinds), I get the following: binary, PUT. Started file name: C:\TFTP-Root\t binary, PUT. File Exists, C:\TFTP-Root\t binary, PUT. Deleting Existing File. binary, PUT. Interrupted by client, cause: The process cannot access the file 'C:\TFTP-Root\t' because it is being used by another process I've used tftpd32 with same results. I've tried different servers, even one on the same network as the asa ... same results. It'll create a 0 byte file and never do the dump. What's going on? Everything is working normally except for this.

    Read the article

  • Port translation in router causing some email to fail

    - by user22037
    We are in the process of setting up a spam filter (SAVASM). One change we are making is to push incoming email on port 25 through our spam filter/server but have users actually send their email on a different port. I am attempting to make this happen by using port address translation to send port 25 traffic to the SAVASM server IP. As a step in making this change I setup port translation without actually changing the IP addresses. The NAT rules for the email server went from one Static NAT rule with no port specified, to multiple Static NAT rules each with a port or group matching the Access Rules for that server (smtp, pop3, http, https, and some other custom ports). The problem we are running into is confusing. Some outgoing mail through this server is failing when the router has the multiple NAT rules with port translation settings. Email goes through fine FROM our email to our internal accounts and to Gmail. However email fails when FROM our client's email address TO our client's email or their personal Comcast. The only situation that worked for them was if they changed FROM to Comcast and then messages went through fine to both Comcast and the client's accounts. Switching back to regular Static NAT rule everything then worked for them. Does anyone have a clue as to what might be going on? We are on a Cisco ASA 5500 box.

    Read the article

< Previous Page | 2 3 4 5 6 7 8 9 10 11  | Next Page >