Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About RJI
RJI
Member since
12-05-2010
.jpg){kind=icon}
VIP Advocate
IT contractor based in the UK, specialising in design and implementation of network/security solutions. CCDA, CCNP (Security and Routing & Switching)
1797
Posts
2247
Helpful
270
Solutions
Recent Badges
Awards
Cisco Designated VIPs 2019 VPN, Policy and Access, Firewalls
1
06-15-2019
11:15 AM
Hi,
To traceroute through the ASA you need to permit icmp time-exceeded and unreachable inbound on the outside interface. E.g:-
access-list OUTSIDE_IN extended permit icmp any any time-exceeded access-list OUTSIDE_IN extended permit icmp any any unreachable access-group OUTSIDE_IN in interface OUTSIDE
By default the ASAs IP address would not appear as a hop in the traceroute, to enable this you can also decrement the ttl. E.g:-
policy-map global_policy class class-default set connection decrement-ttl
Further examples here and here.
HTH
... View more
06-15-2019
01:06 AM
Hi,
@CiscoBlueBelt wrote:
What about if I must NAT internal host so they can be reached from Outside/internet via let's say 3389: nat (insde,outside) dynamic (mapped IP address) service tcp 3889 3889 access-list Outside-IN extended permit tcp any host (real IP) eq 3389
You will need to use static instead of dynamic.
nat (inside,outside) static (mapped IP address) service tcp 3889 3889
Also RDP isn't that secure, it would probably be more secure using a RAVPN to allow access to the server.
HTH
... View more
06-14-2019
01:44 PM
Hi, For inbound traffic, NAT is processed before the ACL (ASA 8.3 - 9.x), therefore you always use the real IP address of the hosts in the ACL. HTH
... View more
06-14-2019
12:43 PM
@Noclss2000 I see no reason why the ISR1111 cannot be used for home users. Do you want to clarify your issue in more detail?
The 5506X series is now EOL, checkout the new Firepower 1000 series appliances this new hardware with FTD 6.5 code due for release later this year should also allow for switchport interfaces.
HTH
... View more
06-14-2019
12:02 PM
Hi, Are you referring to the IKE debug logs? Can you upload for review please? Has VPN been configured on this firewall before? Could it be that IKE (v1 or v2) has not been enabled on the outside interface, therefore it would not respond.
... View more
06-13-2019
01:31 PM
Ok, I've re-read your original question. You are trying to access the INSIDE interface from the INSIDE-68 network....that won't work by design. You'll have to SSH to the local interface you are connect to, so from the INSIDE-68 network SSH to 192.168.168.65 should work.
... View more
06-13-2019
01:09 PM
Hi, Can the ASA actually communicate with the networks you are trying to SSH from?.....as you don't appear to have any routes for "inside" networks. HTH
... View more
06-12-2019
12:19 PM
You have a lot of drops "Flow is denied by configured rule (acl-drop) 189268" this would be traffic denied in an ACL - possibly an attack. The logger process has high CPU utilisation, which could be explained if you are logging each deny. Potentially rate-limit logging until the attack stops. 199.x.x.202 is your outside interface IP address? What is the destination address? You've edited the screenshot, does it not display the src/dst ports? Can you run a packet capture from src to destination and upload the pcap.
... View more
06-12-2019
10:57 AM
Hi, Run "clear asp drop" to reset the counts, wait a couple of minutes and then re-run "show asp drop", upload the output for review. Also run a capture "capture asp-drop type asp-drop all" and then uplaod the output of "show capture asp-drop" What logging levels do you have configured? Run "show run logging" or "show logging"
... View more
06-11-2019
04:33 AM
Hi, You would probably need a NAT exemption rule if you had an existing NAT rule that would NAT outbound traffic, e.g for internet access. In this instance the source traffic would usually be natted behind the outside interface and so would the VPN traffic unless you had a NAT exemption rule. If you do not have any existing NAT rules then no you would not need a NAT exemption rule. HTH
... View more
06-07-2019
03:24 PM
Hi,
You can use VPN Filter to restrict the access you require, example here and here.
HTH
... View more
06-07-2019
10:47 AM
Reference document says "IPsec VPN Peers" = 2500, so each peer would be 1 tunnel, so therefore 2500 tunnels supported.
... View more
06-07-2019
10:30 AM
Hi,
The ASA 5545-X supports 2500 VPN tunnels, reference here. Even though you only have 1 IP address, the sequence number used on the crypto map is used to distinguish between the different peers. So I don't see why in your scenario you could not configure up to 2500 VPN tunnels.
HTH
... View more
06-07-2019
10:02 AM
Hi,
You define the 2 radius server IP address and key, then reference those 2 servers in the AAA group. E.g:-
radius server ISE1 address ipv4 192.168.10.20 auth-port 1812 acct-port 1813 key Cisco1234 radius server ISE2 address ipv4 192.168.10.21 auth-port 1812 acct-port 1813 key Cisco1234 aaa group server radius ISE server name ISE1 server name ISE2
HTH
... View more
Created by
RJI
in VPN and AnyConnect
RJI
in VPN and AnyConnect
06-07-2019
01:53 AM
06-07-2019
01:53 AM
Hi,
I would group those network objects and use the network object group as the original source in the nat rule. This way you only have one NAT entry and any modifications you just add the network object to the group. The translated source would still be your object_30.1.1.1 object.
object NAT_HOSTS_GROUP network-object object NAT_Host_IPSEC network-object object NAT_Host2_IPSEC nat (INSIDE,OUTSIDE) source static NAT_HOSTS_GROUP object_30.1.1.1 destination static SiteB_LAN SiteB_LAN
HTH
... View more
Saturday
Hi, To traceroute through the ASA you need to permit icmp time-exceeded
and unreachable inbound on t...
Saturday
Hi, @CiscoBlueBelt wrote: What about if I must NAT internal host so they
can be reached from Outside...
Friday
Hi,For inbound traffic, NAT is processed before the ACL (ASA 8.3 - 9.x),
therefore you always use th...
Friday
@Noclss2000 I see no reason why the ISR1111 cannot be used for home
users. Do you want to clarify yo...
Friday
Hi,Are you referring to the IKE debug logs? Can you upload for review
please?Has VPN been configured...
Thursday
Ok, I've re-read your original question. You are trying to access the
INSIDE interface from the INSI...
Thursday
Hi,Can the ASA actually communicate with the networks you are trying to
SSH from?.....as you don't a...
Wednesday
You have a lot of drops "Flow is denied by configured rule (acl-drop)
189268" this would be traffic ...
Wednesday
Hi,Run "clear asp drop" to reset the counts, wait a couple of minutes
and then re-run "show asp drop...
Tuesday
Hi,You would probably need a NAT exemption rule if you had an existing
NAT rule that would NAT outbo...
a week ago
Reference document says "IPsec VPN Peers" = 2500, so each peer would be
1 tunnel, so therefore 2500 ...
a week ago
Hi, The ASA 5545-X supports 2500 VPN tunnels, reference here. Even
though you only have 1 IP address...
Created by
RJI
in Policy and Access
a week ago
a week ago
Hi, You define the 2 radius server IP address and key, then reference
those 2 servers in the AAA gro...
Created by
RJI
in VPN and AnyConnect
a week ago
a week ago
Hi, I would group those network objects and use the network object group
as the original source in t...
Public Statistics
| Date Registered | 12-05-2010 06:35 AM |
| Date Last Visited | |
| Total Messages Posted | 1,797 |
| Total Helpful Votes Received | 2247 |
Helpful Votes Given To
Helpful Votes From
| User | Helpful Count |
|---|---|
| 165 | |
| 200 | |
| 10 | |
| 20 | |
| 5 |
.jpg "Hall of Fame Master"){kind=icon}
Awards
Cisco Designated VIPs
2019 VPN, Policy and Access, Firewalls
