Firewalling

ASA Firewall NAT - Manual NAT, Object NAT, After Auto NAT

Unanswered Question
Apr 24th, 2017
Hi All,

I am studying ASA concepts - NAT.


I know ASA has three types of NAT, as follows:


Manual NAT/Twice NAT - Best preferred

Object NAT/Auto NAT- Preferred after Manual NAT/Twice NAT

After Auto Manual NAT - Preferred After Object NAT/Auto NAT

I have seen a few scenarios where people write Manual NAT instead of Object NAT even though the same function can be achieved with Object NAT/Auto NAT.

FTP access issue over NAT

Unanswered Question
Apr 24th, 2017

I have configured the NAT for FTP on the FWSM.

static (INSIDE-HTTPGTW,INTERNET) tcp 21.22.39.13 20 172.6.1.15 20 netmask 255.255.255.255
static (INSIDE-HTTPGTW,INTERNET) tcp 21.22.39.13 21 172.6.1.15 21 netmask 255.255.255.255

access-list INTERNET-ACCESS-IN line 16 extended permit tcp any host 21.22.39.13 eq ftp

When I tried to access FTP through the public IP, it doesn't respond. If I access the FTP server through the private IP from inside the network, it works fine.

Please help to resolve the issue.


asdm connection problems

Unanswered Question
Apr 24th, 2017

Hi there,

I am struggling to browse to ASDM, which just hangs. See below my current setup, though I have tried with other versions of ASA and ASDM.

ciscoasa(config)# show asdm image
Device Manager image file, disk0:/asdm-771-150.bin
ciscoasa(config)#
ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 9.4(1)
Device Manager Version 7.7(1)150

Compiled on Sat 21-Mar-15 11:43 PDT by builders
System image file is "boot:/asa941-smp-k8.bin"
Config file at boot was "startup-config"

Upgrading Cisco ASA 5545-X

Unanswered Question
Apr 24th, 2017

We currently have a Cisco ASA 5545-X with Firepower services in high availability. It is currently at version 9.4(2)11 with ASDM 7.6(1). We want to upgrade to the latest recommended version and have some queries. We are looking at version 9.6.3.1, which is recommended by Cisco, and the later version 9.7.1.4. After looking at the release notes, it is seen that version 9.6.3.1 has quite a few bugs open, whilst version 9.7 seems to have a lot of the bugs resolved with few open. Which software version would be best to upgrade to?


Cisco ASA Outside Interface (1 outgoing rule)

Unanswered Question
Apr 24th, 2017

Do I need to configure access list rules for the outside interface outbound traffic?

Right now I have one configuration on the Outside interface:

Firewall# sh run | i outside_access_out
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
access-list outside_access_out_1 extended permit object-group DM_INLINE_SERVICE_8 any4 any4
access-group outside_access_out_1 out interface outside

5516x w/firepower, unable to console to asa cli

Unanswered Question
Apr 24th, 2017

I have a new 5516-X with Firepower. The console gives access to the Firepower CLI, but I can't seem to get to the ASA CLI. The escape sequence 'CTRL-^X' is not dropping me out of Firepower and into ASA. Am I missing something here? Firepower is running v6.1.0.

ASA 5510 dropping UDP DNS request with label length exceeds the limit

Unanswered Question
Apr 24th, 2017

I am getting a number of syslog messages from my ASA about dropping DNS requests whose label length exceeds the limit. I don't know what that means. Is there any way to increase the limit of bytes, or might this be a security threat?

The message is as follows:

Dropped UDP DNS request from outside: 158.140.xx.xx/59709 to inside: 192.168.xx.xx/53; label length 46 bytes exceeds remaining packet length limit of 17 bytes

Moving from ASA5505 to Meraki Mx64

Unanswered Question
Apr 24th, 2017

Hi all,

We are looking at moving from a Cisco ASA 5505 to a Meraki MX64, and I am looking for thoughts and advice on how to go about it. We have a lot of rules set up on the ASA and wondered whether there is a process for migration or if it is all set up manually.

Many thanks,
Simon

IPSEC interoperability between PAN and Cisco 5510 ASA

Unanswered Question
Apr 24th, 2017

Hi,

We have Site A with a Palo Alto (PAN) firewall and Site B with a Cisco ASA 5510. An IPsec tunnel is built between these two sites.

On certain occasions, we have the ISP B network up, but the users are experiencing no internet in Site B. As it is only a single link, the only thing we could do was to reboot the ASA appliance, after which the users are able to access the internet again.