<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Admins Goodies &#187; cisco-asa</title>
	<atom:link href="http://adminsgoodies.com/tag/cisco-asa/feed/" rel="self" type="application/rss+xml" />
	<link>http://adminsgoodies.com</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Fri, 24 May 2013 16:33:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>How do I configure NAT rules when using ASA IP-SLA when leveraging post-ASA-8.3 NAT syntax?</title>
		<link>http://adminsgoodies.com/how-do-i-configure-nat-rules-when-using-asa-ip-sla-when-leveraging-post-asa-8-3-nat-syntax/</link>
		<comments>http://adminsgoodies.com/how-do-i-configure-nat-rules-when-using-asa-ip-sla-when-leveraging-post-asa-8-3-nat-syntax/#comments</comments>
		<pubDate>Tue, 07 May 2013 16:33:49 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[nat]]></category>
		<category><![CDATA[redundancy]]></category>
		<category><![CDATA[sla]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/how-do-i-configure-nat-rules-when-using-asa-ip-sla-when-leveraging-post-asa-8-3-nat-syntax/</guid>
		<description><![CDATA[We are currently running ASA9 at a location with redundant ip connectivity. We&#8217;d love to configure ip sla so that internet access survives a single carrier outage. I&#8217;m aware of the ip sla commands, however when I&#8217;ve tried to prepopulate the required NAT rules, the addition of the second rule will overwrite the first. Here is an example: object network NYHQ_GUESTWIRELESS_10.110.6.0_24 nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_FIOS) dynamic interface When I attempt to add an additional nat rule, perhaps [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>We are currently running ASA9 at a location with redundant IP connectivity.  We&#8217;d love to configure <code>ip sla</code> so that internet access survives a single carrier outage.  I&#8217;m aware of the ip sla commands; however, when I&#8217;ve tried to prepopulate the required NAT rules, the addition of the second rule will overwrite the first.  Here is an example:</p>
<pre class="prettyprint"><code>
object network NYHQ_GUESTWIRELESS_10.110.6.0_24
 nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_FIOS) dynamic interface
</code></pre>
<p>When I attempt to add an additional nat rule, perhaps</p>
<p><code>nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_COGENT) dynamic interface</code></p>
<p>The new rule overwrites the preexisting rule, like so:</p>
<pre class="prettyprint"><code>
object network NYHQ_GUESTWIRELESS_10.110.6.0_24
 nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_COGENT) dynamic interface
</code></pre>
<p>Is there any way that I can have both of these rules in place so that NAT can cooperate with our SLA rules to ensure that regardless of which provider is used, NAT still works properly?</p>
<div class="author">Asked by <a href="http://serverfault.com/users/62258/peter-grace" target="_blank">Peter Grace</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>The way that we deal with this is to create a separate object group for each interface that we want to have redundant connectivity to. It is a little messy, but it should work for what you need.</p>
<p>So you would have a FIOS object</p>
<pre class="prettyprint"><code>object network FIOS_NYHQ_GUESTWIRELESS_10.110.6.0_24
    nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_FIOS) dynamic interface
</code></pre>
<p>and a Cogent object</p>
<pre class="prettyprint"><code>object network COGENT_NYHQ_GUESTWIRELESS_10.110.6.0_24
    nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_COGENT) dynamic interface
</code></pre>
<p>And you should be all set.</p>
<p>It is a pain if you have multiple servers and multiple upstreams, but it works for us. I am sure there is a more streamlined solution and am interested in what others are doing to solve this issue.</p>
<div class="author">Answered by <a href="http://serverfault.com/users/5842/bluedogs" target="_blank">bluedogs</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/505452/how-do-i-configure-nat-rules-when-using-asa-ip-sla-when-leveraging-post-asa-8-3" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/how-do-i-configure-nat-rules-when-using-asa-ip-sla-when-leveraging-post-asa-8-3-nat-syntax/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trying to setup NAT from 2 outside IPs to the same private IP</title>
		<link>http://adminsgoodies.com/trying-to-setup-nat-from-2-outside-ips-to-the-same-private-ip/</link>
		<comments>http://adminsgoodies.com/trying-to-setup-nat-from-2-outside-ips-to-the-same-private-ip/#comments</comments>
		<pubDate>Fri, 21 Dec 2012 17:37:12 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[nat]]></category>
		<category><![CDATA[pat]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/trying-to-setup-nat-from-2-outside-ips-to-the-same-private-ip/</guid>
		<description><![CDATA[Cisco ASA 5510 I currently have a NAT for SMTP on one outside IP to an internal IP. I need to setup 2 external IPs to NAT to the same IP internally. How can I do that? ex: 10.10.10.1 25 &#8211;&#62; 192.168.0.200 25 10.10.10.3 25 &#8211;&#62; 192.168.0.200 25 Asked by Keith You won&#8217;t be able to use static PAT for this as you would break the 1:1 mapping rule. Firewall has to know what mapping [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>Cisco ASA 5510<br />
I currently have a NAT for SMTP on one outside IP to an internal IP.  I need to set up 2 external IPs to NAT to the same IP internally.  How can I do that?<br />
ex:<br />
10.10.10.1 25 -&gt; 192.168.0.200 25<br />
10.10.10.3 25 -&gt; 192.168.0.200 25</p>
<div class="author">Asked by <a href="http://serverfault.com/users/150463/keith" target="_blank">Keith</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>You won&#8217;t be able to use static PAT for this, as you would break the 1:1 mapping rule. The firewall has to know what mapping to use in both directions &#8211; both in-&gt;out and out-&gt;in. In your case, if 192.168.0.200 originated a connection from port 25, the firewall would not know which global IP to use. In other words, it&#8217;s not possible this way.</p>
<p>The easiest solution would be to assign an additional IP address on the internal device and keep the NATs clean. Let&#8217;s say you assign an additional IP of 192.168.0.201. The configuration would be:</p>
<pre class="prettyprint"><code>static (inside,outside) tcp 10.0.0.1 25 192.168.0.200 25
static (inside,outside) tcp 10.0.0.3 25 192.168.0.201 25
</code></pre>
<div class="author">Answered by <a href="http://serverfault.com/users/150543/skrobul" target="_blank">skrobul</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/459773/trying-to-setup-nat-from-2-outside-ips-to-the-same-private-ip" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/trying-to-setup-nat-from-2-outside-ips-to-the-same-private-ip/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using a nat rule to translate 80/443 traffic to web server, but internal users cannot access it using external ip/domain name</title>
		<link>http://adminsgoodies.com/using-a-nat-rule-to-translate-80443-traffic-to-web-server-but-internal-users-cannot-access-it-using-external-ipdomain-name/</link>
		<comments>http://adminsgoodies.com/using-a-nat-rule-to-translate-80443-traffic-to-web-server-but-internal-users-cannot-access-it-using-external-ipdomain-name/#comments</comments>
		<pubDate>Mon, 29 Oct 2012 16:35:33 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[nat]]></category>
		<category><![CDATA[port-forwarding]]></category>
		<category><![CDATA[routing]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/using-a-nat-rule-to-translate-80443-traffic-to-web-server-but-internal-users-cannot-access-it-using-external-ipdomain-name/</guid>
		<description><![CDATA[I am using Cisco ASDM for ASA I have my internal network called soa. My outside interface is called outside. Let&#8217;s say my outside IP given to me by my ISP isp is y.y.y.y I have a web server inside my network with a static ip of x.x.x.110. I have configured 2 static nat rules (one for http the other for https). Source is x.x.x.110. Interface is outside, service (http or https). Maybe I am [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>I am using Cisco ASDM for ASA</p>
<p>I have my internal network called soa.  My outside interface is called outside.  Let&#8217;s say my outside IP given to me by my ISP isp is y.y.y.y.  I have a web server inside my network with a static IP of x.x.x.110.  I have configured 2 static NAT rules (one for http, the other for https).</p>
<p>Source is x.x.x.110.  Interface is outside, service (http or https).</p>
<p>Maybe I am doing this wrong, but when I run the packet tracer, I choose outside interface and for the source IP I used 8.8.8.8 and the destination ip is my outside IP address, y.y.y.y</p>
<p>When I run that, it shows the packet traversing successfully, using 9 steps.</p>
<p>For my other test, I switch to the soa interface, input an ip on that network, and leave the destination the same.  This test comes up with 2 steps and then fails on my access list.</p>
<p>When I see the rule that fails, it is my catch-all, which is source: any, destination: any, service: ip, action: deny.</p>
<p>What rule do I need to make to allow my soa network access to go out and come back in by my external IP address (using a domain name attached to that IP in my DNS, of course)?</p>
<div class="author">Asked by <a href="http://serverfault.com/users/23583/josh" target="_blank">Josh</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>Not sure about Cisco, but on Linux and *BSD this won&#8217;t work. Even when you try to connect to the external address from the internal network, the packet never passes the external interface, as the kernel is too clever, notices its own address and consumes the packet. As the packet never travels through your external interface, the NAT rule for port-forwarding never applies.</p>
<p>Read <a href="http://www.openbsd.org/faq/pf/rdr.html#reflect" rel="nofollow">http://www.openbsd.org/faq/pf/rdr.html#reflect</a> for some (BSD-biased) docs on this.</p>
<div class="author">Answered by <a href="http://serverfault.com/users/132457/zhenech" target="_blank">zhenech</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/443397/using-a-nat-rule-to-translate-80-443-traffic-to-web-server-but-internal-users-c" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/using-a-nat-rule-to-translate-80443-traffic-to-web-server-but-internal-users-cannot-access-it-using-external-ipdomain-name/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco ASA 5540_outside to inside traffic NAT</title>
		<link>http://adminsgoodies.com/cisco-asa-5540_outside-to-inside-traffic-nat/</link>
		<comments>http://adminsgoodies.com/cisco-asa-5540_outside-to-inside-traffic-nat/#comments</comments>
		<pubDate>Tue, 18 Sep 2012 16:33:16 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[nat]]></category>
		<category><![CDATA[static-routes]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/cisco-asa-5540_outside-to-inside-traffic-nat/</guid>
		<description><![CDATA[I searched a lot and found some options but none worked. This is for a test lab setup: landing server(192.168.49.26)&#8212;(.49.25/29)Cisco6500(.49.1/29)&#8212;(49.2)Cisco ASA(x.x.55.81)&#8212;External The C6500 is the core of the test lab to which the &#8220;landing server&#8221; with IP Address 192.168.49.26 is connected. The interface to which this server is connected has the IP 192.168.49.25/29. I have 2 more L2 switches connected to the Cisco 6500 on 2 VLANs, namely VLAN 10 and 11 and some computers [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>I searched a lot and found some options but none worked. This is for a test lab setup:</p>
<p>landing server(192.168.49.26)&#8212;(.49.25/29)Cisco6500(.49.1/29)&#8212;(49.2)Cisco ASA(x.x.55.81)&#8212;External</p>
<p>The C6500 is the core of the test lab to which the &#8220;landing server&#8221; with IP Address 192.168.49.26 is connected. The interface to which this server is connected has the IP 192.168.49.25/29. I have 2 more L2 switches connected to the Cisco 6500 on 2 VLANs, namely VLAN 10 and 11 and some computers connected to those L2 switches. The communication between the devices connected to Cisco6500 works fine.</p>
<p>The Cisco ASA firewall (inside interface IP 192.168.49.2) is connected to an interface on the Cisco6500 whose IP Address is 192.168.49.1/29. Again, the rest of the devices connected to the Cisco 6500 are able to reach the inside interface of the Cisco ASA.</p>
<p>The outside interface of the Cisco ASA has the IP x.x.55.81. The requirement is that users from the outside should be able to reach 192.168.49.26 (server IP) when they RDP to x.x.55.81. Once they reach this landing server, users will telnet or SSH to other devices and servers for their testing.<br />
I am unable to get ASDM to work on my machine, and so my only option is CLI. But what route, NAT, etc. do I need, and what commands do I use? Please help.</p>
<p>Regards,<br />
Don Thomas</p>
<div class="author">Asked by <a href="http://serverfault.com/users/137231/don-thomas" target="_blank">Don Thomas</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>OK, you need a free IP address from your official net, x.x.55.81. On the ASA, in global configuration mode (conf t), you have to create a static NAT from inside to outside:</p>
<pre><code>static (inside,outside) x.x.55.81 192.168.49.26
</code></pre>
<p>After that you have to allow traffic to the server on the outside interface.<br />
With the command</p>
<pre><code>show run access-group 
</code></pre>
<p>you get the ACL name bound to the outside interface. You can allow traffic on the ACL in global configuration mode for RDP access:</p>
<pre><code>access-list ACL-Name permit tcp any host x.x.55.81 eq 3389
</code></pre>
<p>or for a specified host</p>
<pre><code>access-list ACL-Name permit tcp host a.b.c.d host x.x.55.81 eq 3389
</code></pre>
<p>or net</p>
<pre><code>access-list ACL-Name permit tcp netaddress subnetmask host x.x.55.81 eq 3389
</code></pre>
<div class="author">Answered by <a href="http://serverfault.com/users/122402/user1008764" target="_blank">user1008764</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/429154/cisco-asa-5540-outside-to-inside-traffic-nat" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/cisco-asa-5540_outside-to-inside-traffic-nat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Outside VPN traffic not able to ping site-to-site VPN remote site</title>
		<link>http://adminsgoodies.com/outside-vpn-traffic-not-able-to-ping-site-to-site-vpn-remote-site/</link>
		<comments>http://adminsgoodies.com/outside-vpn-traffic-not-able-to-ping-site-to-site-vpn-remote-site/#comments</comments>
		<pubDate>Tue, 17 Jul 2012 16:33:23 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[anyconnect]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[site-to-site-vpn]]></category>
		<category><![CDATA[vpn]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/outside-vpn-traffic-not-able-to-ping-site-to-site-vpn-remote-site/</guid>
		<description><![CDATA[we have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly. Site/Subnet A: 192.100.0.0 &#8211; local (8.4(4)) Site/Subnet B: 192.200.0.0 &#8211; remote (8.2(5)) VPN Users: 192.100.40.0 &#8211; assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible. Site B however, is completely inaccessible for VPN users. All machines on subnet B, the [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>We have two ASA 5510s, one on 8.4(4) and one on 8.2(5), in a site-to-site VPN setup. All internal traffic is working smoothly.</p>
<p>Site/Subnet A: 192.100.0.0 &#8211; local (8.4(4))<br />
Site/Subnet B: 192.200.0.0 &#8211; remote (8.2(5))<br />
VPN Users: 192.100.40.0 &#8211; assigned by ASA </p>
<p>When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.</p>
<p>Site B, however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc&#8230; are not reachable by ping or otherwise.</p>
<p>I downgraded to 8.2 and then went back up to 8.4 on the Site A ASA. Site B is now running 8.2(5).</p>
<p>Thank you much in advance and I hope I have been thorough enough.</p>
<div class="author">Asked by <a href="http://serverfault.com/users/66566/siriss" target="_blank">Siriss</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>It turns out it was a combination of the NAT rule and the Site-to-Site ACL. For some reason, the ACL settings were not sticking because of a conflict in the configuration due to the 8.2 &#8211; 8.4 upgrade. It is complicated for me to explain, but after 1.5 hours on the phone with Cisco, they rebuilt the site-to-site tunnel in 8.4(4) and it set the ACL correctly. If you ever run into this again and you just updated from 8.2 &#8211; 8.4, the solution seems to be to rebuild the site-to-site from scratch. Thanks for the help everyone!</p>
<div class="author">Answered by <a href="http://serverfault.com/users/66566/siriss" target="_blank">Siriss</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/406519/outside-vpn-traffic-not-able-to-ping-site-to-site-vpn-remote-site" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/outside-vpn-traffic-not-able-to-ping-site-to-site-vpn-remote-site/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Need help making site available externally</title>
		<link>http://adminsgoodies.com/need-help-making-site-available-externally/</link>
		<comments>http://adminsgoodies.com/need-help-making-site-available-externally/#comments</comments>
		<pubDate>Wed, 11 Jul 2012 16:33:33 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[configuration]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[remote-access]]></category>
		<category><![CDATA[website]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/need-help-making-site-available-externally/</guid>
		<description><![CDATA[I&#8217;m trying to open a hole in the firewall (ASA 5505, v8.2) to allow external access to a Web application. Via ASDM (6.3?), I&#8217;ve added the server as a Public Server, which creates a static NAT entry [I'm using the public IP that is assigned to 'dynamic NAT--outgoing' for the LAN, after confirming on the Cisco forums that it wouldn't bring everyone's access crashing down] and an incoming rule &#8220;any&#8230; public_ip&#8230; https&#8230; allow&#8221; but traffic [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>I&#8217;m trying to open a hole in the firewall (ASA 5505, v8.2) to allow external access to a Web application.  Via ASDM (6.3?), I&#8217;ve added the server as a Public Server, which creates a static NAT entry [I'm using the public IP that is assigned to 'dynamic NAT--outgoing' for the LAN, after confirming on the Cisco forums that it wouldn't bring everyone's access crashing down] and an incoming rule &#8220;any&#8230; public_ip&#8230; https&#8230; allow&#8221; but traffic is still not getting through.  When I look at the log viewer, it says it&#8217;s denied by access-group outside_access_in, implicit rule, which is &#8220;any any ip deny&#8221;</p>
<p>I haven&#8217;t had much experience with Cisco management.  I can&#8217;t see what I&#8217;m missing to allow this connection through, and I&#8217;m wondering if there&#8217;s anything else special I have to add.  I tried adding a rule (several variations) within that access-group to allow https to the server, but it never made a difference.  Maybe I haven&#8217;t found the right combination? :P</p>
<p>I also made sure the Windows firewall is open on port 443, although I&#8217;m pretty sure the current problem is Cisco, because of the logs. :)</p>
<p>Any ideas?  If you need more information, please let me know.</p>
<p>Thanks</p>
<p>Edit:<br />
First of all, I had this backward.  (Sorry)  Traffic is being blocked by access-group &#8220;inside_access_out&#8221; which is what confused me in the first place.  I guess I confused myself again in the midst of typing the question.</p>
<p>Here, I believe, is the pertinent information.  Please let me know what you see wrong.</p>
<pre><code>access-list acl_in extended permit tcp any host PUBLIC_IP eq https  
access-list acl_in extended permit icmp CS_WAN_IPs 255.255.255.240 any  
access-list acl_in remark Allow Vendor connections to LAN  
access-list acl_in extended permit tcp host Vendor any object-group RemoteDesktop  
access-list acl_in remark NetworkScanner scan-to-email incoming (from smtp.mail.microsoftonline.com to PCs)  
access-list acl_in extended permit object-group TCPUDP any object-group Scan-to-email host NetworkScanner object-group Scan-to-email  
access-list acl_out extended permit icmp any any  
access-list acl_out extended permit tcp any any  
access-list acl_out extended permit udp any any  
access-list SSLVPNSplitTunnel standard permit LAN_Subnet 255.255.255.0  
access-list nonat extended permit ip VPN_Subnet 255.255.255.0 LAN_Subnet 255.255.255.0  
access-list nonat extended permit ip LAN_Subnet 255.255.255.0 VPN_Subnet 255.255.255.0  
access-list inside_access_out remark NetworkScanner Scan-to-email outgoing (from scanner to Internet)  
access-list inside_access_out extended permit object-group TCPUDP host NetworkScanner object-group Scan-to-email any object-group Scan-to-email  
access-list inside_access_out extended permit tcp any interface outside eq https
static (inside,outside) PUBLIC_IP LOCAL_IP[server object] netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group acl_in in interface outside
access-group acl_out out interface outside
</code></pre>
<p>I wasn&#8217;t sure if I needed to reverse that &#8220;static&#8221; entry, since I got my question mixed up&#8230; and also with that last access-list entry, I tried interface inside and outside &#8211; neither proved successful&#8230; and I wasn&#8217;t sure about whether it should be www, since the site is running on https.  I assumed it should only be https.</p>
<div class="author">Asked by <a href="http://serverfault.com/users/57461/white-island" target="_blank">White Island</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>Uh, yeah, probably it&#8217;s Cisco&#8217;s fault. Honestly, for me ASDM is a bit confusing, so I will pass you the command line directives:</p>
<pre><code>ssh pix@INTERNAL_IP
[type cisco password]
enable
[retype password]
show conf &lt;- retrieve the config plain text
</code></pre>
<p>Now you should have lines like that</p>
<pre><code>access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any interface outside eq www
</code></pre>
<p>Maybe the access-list name is different, but it doesn&#8217;t matter. Also, in my case the outside interface is an alias for Vlan2, to which the internet is connected. This allows traffic for www connections to be accepted.</p>
<p>Now for the port forwarding you need a line like that:</p>
<pre><code>static (inside,outside) tcp interface www LOCAL_IP www netmask 255.255.255.255
</code></pre>
<p>Again, inside is the name for my local interface, which acts as a gateway for the network. If you don&#8217;t have lines like that, just add them with <code>configure terminal</code>. Add the magic lines and it should work. If you need any help in the console, just use the magic <code>?</code> :)</p>
<div class="author">Answered by <a href="http://serverfault.com/users/125983/golja" target="_blank">golja</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/405373/need-help-making-site-available-externally" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/need-help-making-site-available-externally/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ASA 5505 stops local internet when connected to VPN</title>
		<link>http://adminsgoodies.com/asa-5505-stops-local-internet-when-connected-to-vpn/</link>
		<comments>http://adminsgoodies.com/asa-5505-stops-local-internet-when-connected-to-vpn/#comments</comments>
		<pubDate>Mon, 09 Jul 2012 16:33:42 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[l2tp]]></category>
		<category><![CDATA[vpn]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/asa-5505-stops-local-internet-when-connected-to-vpn/</guid>
		<description><![CDATA[I have a Cisco ASA router running firmware 8.2(5) which hosts an internal LAN on 192.168.30.0/24. I have used the VPN Wizard to setup L2TP access and I can connect in fine from a Windows box and can ping hosts behind the VPN router. However, when connected to the VPN I can no longer ping out to my internet or browse web pages. I would like to be able to access the VPN, and also [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>I have a Cisco ASA router running firmware 8.2(5) which hosts an internal LAN on 192.168.30.0/24.</p>
<p>I have used the VPN Wizard to setup L2TP access and I can connect in fine from a Windows box and can ping hosts behind the VPN router.</p>
<p>However, when connected to the VPN I can no longer ping out to my internet or browse web pages. I would like to be able to access the VPN, and also browse the internet at the same time &#8211; I understand this is called split tunneling (have ticked the setting in the wizard but to no effect) and if so how do I do this?</p>
<p>Alternatively, if split tunneling is a pain to setup, then making the connected VPN client have internet access from the ASA WAN IP would be OK.</p>
<pre><code>names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 208.74.158.58 255.255.255.252 
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.128 
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.30.192 255.255.255.192 
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.30.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.30.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool LANVPNPOOL 192.168.30.220-192.168.30.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.30.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 208.74.158.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.30.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.30.3
 vpn-tunnel-protocol l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
username user password Cj7W5X7wERleAewO8ENYtg== nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
 address-pool LANVPNPOOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
: end
</code></pre>
<div class="author">Asked by <a href="http://serverfault.com/users/118418/g18c" target="_blank">g18c</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>Which client software are you using to connect?  Split tunneling is set up, but I believe you&#8217;ll need to be connecting with the Cisco client software for it to function.</p>
<p>Anyway, to get the VPN client&#8217;s internet traffic to make it out to the internet, looks like all you need is:</p>
<pre><code>same-security-traffic permit intra-interface
nat (outside) 1 192.168.30.0 255.255.255.0
</code></pre>
<div class="author">Answered by <a href="http://serverfault.com/users/72586/shane-madden" target="_blank">Shane Madden</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/405878/asa-5505-stops-local-internet-when-connected-to-vpn" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/asa-5505-stops-local-internet-when-connected-to-vpn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MAC to IP binding in ASA 5510 / SG 300-52</title>
		<link>http://adminsgoodies.com/mac-to-ip-binding-in-asa-5510-sg-300-52/</link>
		<comments>http://adminsgoodies.com/mac-to-ip-binding-in-asa-5510-sg-300-52/#comments</comments>
		<pubDate>Sun, 08 Jul 2012 16:33:04 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[ip]]></category>
		<category><![CDATA[lan]]></category>
		<category><![CDATA[mac]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/mac-to-ip-binding-in-asa-5510-sg-300-52/</guid>
		<description><![CDATA[I am trying to configure a Cisco ASA 5510 to assign specific IP-addresses to specific MACs. Firmware on my ASA is 8.2(5). I have used this feature in our previous device (Cisco SA-520W). I have also read that this feature is (not yet) implemented. How do I work around this problem, if not by direct assignment? Do I need to specify fixed IP&#8217;s on concerned devices themselves? I also have a SG 300-52 switch for [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>I am trying to configure a Cisco ASA 5510 to assign specific IP addresses to specific MACs. Firmware on my ASA is 8.2(5). I have used this feature in our previous device (Cisco SA-520W). I have also read that this feature is (not yet) implemented. How do I work around this problem, if not by direct assignment? Do I need to specify fixed IPs on the concerned devices themselves?</p>
<p>I also have a SG 300-52 switch for our LAN. We cannot specify IP-addresses to ports, because we have further switches down the line.</p>
<div class="author">Asked by <a href="http://serverfault.com/users/127487/sampsa" target="_blank">Sampsa</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>Your best option is probably to run DHCP on the Windows server, since it&#8217;ll have the needed DHCP reservation capability.</p>
<p>If the server is in a different broadcast domain than the one you&#8217;re providing addresses for, you&#8217;ll need to have the ASA act as a DHCP relay &#8211; that&#8217;s configured with the <code>dhcprelay enable</code> and <code>dhcprelay server</code> commands.</p>
<div class="author">Answered by <a href="http://serverfault.com/users/72586/shane-madden" target="_blank">Shane Madden</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/405706/mac-to-ip-binding-in-asa-5510-sg-300-52" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/mac-to-ip-binding-in-asa-5510-sg-300-52/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco ASA Command length</title>
		<link>http://adminsgoodies.com/cisco-asa-command-length/</link>
		<comments>http://adminsgoodies.com/cisco-asa-command-length/#comments</comments>
		<pubDate>Thu, 17 May 2012 14:33:18 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[command-line]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/cisco-asa-command-length/</guid>
		<description><![CDATA[Whenever I write some command in ASA , it hides the full command and show the bit of command . What is the way to increase the length of Commands I write in ASA, so it doesn&#8217;t hide the command written on the Terminal Session? I tried to google it but not able to find the solution (ASA)#sho run object-group id $ Asked by user121080 You&#8217;d need to modify the terminal width parameter on the [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>Whenever I write a command in the ASA, it hides the full command and shows only a bit of it. What is the way to increase the length of commands I write in the ASA, so it doesn&#8217;t hide the command written in the terminal session? I tried to google it but was not able to find the solution.</p>
<pre><code>(ASA)#sho run object-group id $
</code></pre>
<div class="author">Asked by <a href="http://serverfault.com/users/121080/user121080" target="_blank">user121080</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>You&#8217;d need to modify the <a href="http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/t.html#wp1483720" rel="nofollow">terminal width parameter</a> on the ASA to a value greater than the default of 80 columns.</p>
<div class="author">Answered by <a href="http://serverfault.com/users/13325/ewwhite" target="_blank">ewwhite</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/389575/cisco-asa-command-length" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/cisco-asa-command-length/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco ASA Config for PCI Compliant Office</title>
		<link>http://adminsgoodies.com/cisco-asa-config-for-pci-compliant-office/</link>
		<comments>http://adminsgoodies.com/cisco-asa-config-for-pci-compliant-office/#comments</comments>
		<pubDate>Sun, 13 May 2012 16:33:16 +0000</pubDate>
		<dc:creator>tom</dc:creator>
				<category><![CDATA[General Questions]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[cisco-asa]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://adminsgoodies.com/cisco-asa-config-for-pci-compliant-office/</guid>
		<description><![CDATA[We have a small business office, but due to PCI compliance we need to segment this into two internet networks (one &#8216;compliant&#8217; and one for any other devices to use). We currently have a Draytek modem/wan load balancer which also has firewalling but this is very basic and doesn&#8217;t support seperate security policies on each vlan. As such, I have just purchased an ASA 5505 and would like some pointers to setting things up: VLANS: [...]]]></description>
				<content:encoded><![CDATA[<h3 class="pq"><img src="http://adminsgoodies.com/imgs/question.png" alt="Question" /></h3>
<p>We have a small business office, but due to PCI compliance we need to segment this into two internet networks (one &#8216;compliant&#8217; and one for any other devices to use).</p>
<p>We currently have a Draytek modem/WAN load balancer which also has firewalling, but this is very basic and doesn&#8217;t support separate security policies on each VLAN.</p>
<p>As such, I have just purchased an ASA 5505 and would like some pointers to setting things up:</p>
<p>VLANS: </p>
<ol>
<li>Outside (draytek)  </li>
<li>InsidePci (our secure zone, contains a Windows domain controller/DHCP/etc.)  </li>
<li>Inside (just a regular network that just has internet access and no connection to vlan </li>
</ol>
<p>My Questions:  </p>
<ol>
<li>
<p>At the moment everything is on one subnet 192.168.2.x. The draytek has a static IP and everything else is allocated an IP from our Windows DHCP Server. As this windows server will be within the &#8216;insidepci&#8217; network I was planning to have this vlan continue to use that, and the regular &#8216;inside&#8217; network using DHCP from the ASA. Is that possible?</p>
</li>
<li>
<p>Do I need to put the Draytek on its own subnet (so just the Draytek is on, say, 192.168.3.x), as it seems I can&#8217;t allocate an IP in the same range to two different VLANs?</p>
</li>
<li>
<p>From looking at one of the online guides, it seems I would then need an internal router? I wasn&#8217;t aware of this; I was hoping I could just assign one switch to the &#8216;inside&#8217; VLAN and a separate switch to the &#8216;insidepci&#8217; VLAN. There isn&#8217;t a need to communicate between these VLANs, but both need to be able to access &#8216;outside&#8217; (the Draytek gateway).</p>
</li>
</ol>
<div class="author">Asked by <a href="http://serverfault.com/users/107314/ben-sebborn" target="_blank">Ben Sebborn</a></div>
<h3 class="pa"><img src="http://adminsgoodies.com/imgs/answer.png" alt="Answer" /></h3>
<p>When it comes to PCI compliance, the number one thing you want to do is find every way you can to limit your scope. You&#8217;re already making good headway with your network segmentation by actually thinking about what systems are not involved and moving them somewhere else. In a perfect world, your PCI environment would be housed in a physically separate network, however that is not a requirement. The best way to conceptualize your segmentation is around the idea of a broadcast domain. There are actually a lot of different ways you can adequately get the necessary level of segmentation,</p>
<ul>
<li>Placing your in-scope equipment on a separate subnet</li>
<li>Placing your in-scope equipment on a private VLAN in the same address space as out-of-scope</li>
<li>Installing a transparent firewall between in-scope and out-of-scope</li>
<li>etc</li>
</ul>
<p>All that being said, you should be able to get away with using the 5505 as your primary isolation device, and hanging other switches off of it if you need additional ports. You just want to make sure that any traffic from the <code>inside</code> VLAN passes through the firewall module before entering the <code>insidepci</code> VLAN.</p>
<p>The PCI Security Standards Council has a document called <a href="https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf" rel="nofollow">Navigating the PCI DSS v2.0</a>. I would highly recommend reading through it so you can better understand the <em>intent</em> of the requirements. That should help you frame the requirements properly for compliance.</p>
<p><em>Disclaimer: I am not a QSA, ASV, or ISA. Any advice I give is friendly and following it in no way implies compliance.</em></p>
<div class="author">Answered by <a href="http://serverfault.com/users/3356/scott-pack" target="_blank">Scott Pack</a></div>
<p class="ref-link">Check <a href="http://serverfault.com/questions/365051/cisco-asa-config-for-pci-compliant-office" target="_blank">more discussion</a> of this question.</p>
]]></content:encoded>
			<wfw:commentRss>http://adminsgoodies.com/cisco-asa-config-for-pci-compliant-office/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
