Hello Georg, This is a new device out of the box. Please find attached the running-config file. I am currently not using it as an IR router or AP. For now we just want to give the devices behind it access to the internet using PAT. I will be connecting the internet uplink to its WAN interface port. The internal devices that I am referring to are connected to an L2 switch, and this switch is in turn connected to the GE1 (LAN) interface. One dumb question, if I may: I need to enable the HTTP web UI on this. Do I just run "ip http-server" from enable mode? Thanks in advance
Hello All, We have an IR829GW router. I need to use it as a typical old-school NAT router such that whatever devices are behind it use a NAT IP for the traffic that's going outbound (for instance, internet access). I have looked in the config guide and couldn't find any instructions regarding this. Secondly, this device has a hypervisor-style architecture. Can someone educate me on the purpose of creating a VM on such devices? What would be the use case? My internal devices are connected to an L2 switch, which in turn will have an uplink from one of the interfaces of this IR829. My requirement is that all internet-bound traffic originating from these internal devices should be dynamically NAT'd or PAT'd based on whatever NAT IP I assign. Thanks
Hello All, I have an Allen-Bradley Stratix firewall/router in our environment. The Allen-Bradley runs Cisco IOS behind the scenes; they are the equivalent of Cisco Catalyst routers. Upon analyzing our traffic, we see a lot of traffic destined to/from IP addresses ending with *.*.*.255 as the last octet. I understand this is the broadcast IP of the subnet. Is there any way to reduce this traffic? Are there any Cisco CLI commands that I can run to bring down this noise?
Thank you, Mikael. Appreciate your quick response.
On a different note, while reading further online I came across a different product called Firepower Module. Are the Firepower module and the FTD that I am referring to the same thing?
Hello, We currently have a Cisco ASA 5512. We are looking to procure the FTD protection license to have features like DoS protection (rate limiting), URL filtering, etc. Reading online, I think the latest FTD software version is 6.2.2.
What happens to all the existing configuration (ACLs, AAA group, users, AnyConnect client VPN, etc.) on the ASA when we re-image it with this new FTD image? Do we lose everything and need to create everything from scratch?
I am more concerned about the client VPN. Does FTD support AnyConnect client VPN? If not, how can we also have the VPN and still use FTD 6.2.2? If someone can point me to the right documentation, that will be much appreciated.
I am new to ASA and looking for some guidance. We have internet access working via our ASA. We have a lot of servers in our internal network with apps/services that make outbound connection requests to their respective vendor websites or all sorts of public domains. It is this traffic that we are trying to filter when it passes through the ASA. I have a requirement that we need to allow outbound internet traffic only to specific domains (e.g. Microsoft, Symantec) from a patching/updates point of view and deny all other outbound traffic. I am sure this is a common scenario in every environment. We are not in a position to buy other 3rd-party tools like Websense, etc.
We have an inside interface called "LAB_LAN" and our outside interface is called "Ren Internet". Our internal servers are located in this LAB_LAN network; they use this interface as their default GW.
Please find below our config. Can someone please advise what ACLs we need to put in to restrict traffic going out of LAB_LAN?
ASA Version 9.6(1)
!
hostname ciscoasa
domain-name mgmt.lab
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 nameif vfnet
 security-level 0
 ip address 126.96.36.199 255.255.255.128
!
interface GigabitEthernet0/1
 description Dmz Interface
 nameif DMZ
 security-level 80
 ip address 10.100.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Public Interface for NCCOE testing
 nameif Public-Test-NCCOE
 security-level 80
 ip address 188.8.131.52 255.255.255.0
!
interface GigabitEthernet0/3
 description Ren internet interface
 nameif REN_Internet
 security-level 0
 ip address 184.108.40.206 255.255.255.224
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 description Testbed Lan
 nameif lab_lan
 security-level 80
 ip address 10.100.0.1 255.255.255.0
!
interface Management0/0
 description Management Interface
 management-only
 nameif management
 security-level 100
 ip address 10.100.2.6 255.255.255.0
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa961-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup REN_Internet
dns server-group DefaultDNS
 name-server 220.127.116.11
 domain-name mgmt.lab
same-security-traffic permit inter-interface
object network Plant_VLAN
 subnet 172.16.1.0 255.255.255.0
 description Plant_VLAN
object network Manf_VLAN
 subnet 172.16.2.0 255.255.255.0
object network Process_Control
 subnet 172.16.3.0 255.255.255.0
 description Process_Control_
object network Ruggedcom
 host 10.100.0.20
object network FieldBus-Network
 subnet 192.168.1.0 255.255.255.0
object network internal-lab-lan
 subnet 10.100.0.0 255.255.255.0
 description Test Bed lan network
object network CTRL_SYS_Robotics
 range 192.168.0.1 192.168.0.253
 description CTRL_SYS_Robotics
object network obj-microsoft.com
 fqdn microsoft.om
object network obj-ubuntu.com
 fqdn ubuntu.com
object-group network DM_INLINE_NETWORK_1
 network-object object Manf_VLAN
 network-object object Plant_VLAN
 network-object object Process_Control
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq ssh
object-group network DM_INLINE_NETWORK_2
 network-object object Manf_VLAN
 network-object object Plant_VLAN
 network-object object Process_Control
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
 protocol-object tcp
 protocol-object udp
access-list lab_lan_access_in extended permit ip 10.100.0.0 255.255.255.0 any
access-list lab_lan_access_in extended permit icmp any any
access-list lab_lan_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 10.100.1.0 255.255.255.0
access-list lab_lan_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 18.104.22.168 255.255.255.0 object-group DM_INLINE_TCP_1
access-list lab_lan_access_out extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list REN_Internet_access_in extended permit icmp any any echo-reply log disable
pager lines 24
logging enable
logging trap warnings
logging asdm informational
logging device-id hostname
logging host lab_lan 10.100.0.14
mtu vfnet 1500
mtu DMZ 1500
mtu Public-Test-NCCOE 1500
mtu REN_Internet 1500
mtu lab_lan 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (lab_lan,vfnet) source dynamic any interface inactive
!
object network internal-lab-lan
 nat (any,REN_Internet) dynamic interface
!
nat (management,vfnet) after-auto source dynamic any interface inactive
access-group REN_Internet_access_in in interface REN_Internet
access-group lab_lan_access_in in interface lab_lan
access-group lab_lan_access_out out interface lab_lan
router ospf 100
 network 10.100.0.0 255.255.255.0 area 400
 area 400
 log-adj-changes
!
route REN_Internet 0.0.0.0 0.0.0.0 22.214.171.124 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server Mgmt-Radius protocol radius
aaa-server Mgmt-Radius (management) host 10.100.2.4
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication http console Mgmt-Radius LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.3.0 255.255.255.0 lab_lan
http 10.100.2.5 255.255.255.255 management
http 10.100.2.157 255.255.255.255 management
no snmp-server location
no snmp-server contact
no service resetoutbound
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=ciscoasa
 crl configure
crypto ca trustpool policy
telnet 172.16.3.0 255.255.255.0 lab_lan
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.3.0 255.255.255.0 lab_lan
ssh 10.100.2.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
ntp server 10.100.0.15 source lab_lan prefer
tftp-server management 10.100.2.5 C:\tftp
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
dynamic-access-policy-record DfltAccessPolicy
username icsuser password P6FUAZab.KDm/ZR1 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4f9ab1e9ba71d2e5ef0ebcd0f9ab8137
: end
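A defender-side check, added here and not part of the poster's config or of any Cisco tooling: this Python script scans an ASA running-config for the conditions a reviewer would flag first in the config above, namely a blanket outbound permit ip ... any sitting ahead of any FQDN allow-list ACEs (the ASA evaluates an ACL top-down, first match wins, so the domain restriction never takes effect), telnet access, the dh-group1-sha1 SSH key exchange, and RC4/3DES in the ssl cipher lists. SAMPLE_CONFIG is constructed to mirror those lines, not copied from the post.

```python
import re

# Constructed sample mirroring the shape of the posted running-config (not a
# copy of it): the outbound ACL on lab_lan plus the management-plane and
# crypto lines a reviewer would check first.
SAMPLE_CONFIG = """\
access-list lab_lan_access_in extended permit ip 10.100.0.0 255.255.255.0 any
access-list lab_lan_access_in extended permit icmp any any
access-list lab_lan_access_in extended permit tcp object internal-lab-lan object obj-microsoft.com eq https
telnet 172.16.3.0 255.255.255.0 lab_lan
telnet timeout 5
ssh key-exchange group dh-group1-sha1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
"""

# Cipher-name prefixes treated as weak for this check.
WEAK_CIPHERS = ("RC4", "DES-CBC3", "NULL", "EXPORT")


def audit_asa_config(text):
    """Return a list of (line_no, finding) tuples for an ASA running-config."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        # 'permit ip <net> <mask> any' on an inbound ACL makes every later
        # allow-list ACE dead code: the first matching ACE decides.
        m = re.match(r"access-list (\S+) extended permit ip \S+ \S+ any$", line)
        if m:
            findings.append((no, f"{m.group(1)}: 'permit ip ... any' permits all "
                                 "outbound traffic; later allow-list ACEs never match"))
        # 'telnet <net> <mask> <ifname>' enables cleartext management access
        # (the two-token 'telnet timeout N' line is deliberately not matched).
        if re.match(r"telnet \S+ \S+ \S+$", line):
            findings.append((no, "telnet management access enabled (cleartext); prefer ssh only"))
        if "dh-group1-sha1" in line:
            findings.append((no, "SSH key exchange uses 1024-bit DH group1 with SHA-1"))
        m = re.match(r'ssl cipher (\S+) custom "([^"]+)"', line)
        if m:
            weak = [c for c in m.group(2).split(":") if c.startswith(WEAK_CIPHERS)]
            if weak:
                findings.append((no, f"ssl cipher {m.group(1)}: weak ciphers {','.join(weak)}"))
    return findings


if __name__ == "__main__":
    for no, msg in audit_asa_config(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
```

Feed it the output of `show running-config` (with secrets redacted) to get the same four classes of finding on a real box; the regexes are deliberately strict so that a non-matching line is silently ignored rather than misreported.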