ASA - what allows HTTP return traffic?
Hello
I'm just playing with a few ASAs and am wondering what allows return HTTP traffic through the firewall? Also, what other traffic is allowed by default like HTTP?
Traffic is from a higher security interface (inside, 100) to a lower security interface (outside, 0). There are no ACLs applied on any interface.
I ask because ICMP does not work unless inspection is on (service-policy global_policy global).
Thanks for any help.
Firewalls like the ASA are stateful, so for TCP and UDP (albeit with UDP the state is handled a little differently) if traffic is allowed one way it automatically allows it back.
So when a connection is initiated, if it is permitted through the firewall that is recorded in the state table, and when the return packet arrives at the firewall, if there is a matching entry, the traffic is allowed and there is no ACL check.
The entry is keyed on the source and destination IPs and port numbers, and for TCP it also uses the connection flags.
ICMP does not use ports, so initially it could not be tracked and you had to allow it back with an ACL (if the return traffic was from a lower to a higher security level).
But then stateful inspection was added for ICMP as well, though you still have to enable it, unlike TCP and UDP.
Jon
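To make the state-table behaviour Jon describes concrete, here is an added example in Python (not part of the original thread and not Cisco code): a connection table keyed on protocol, addresses and ports, a reverse lookup for return packets that bypasses the policy check, a SYN check for new TCP flows, and an `inspect_icmp` switch that mirrors enabling ICMP inspection in the global policy. The interface names, security levels and IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed model: interface names and security levels are assumptions,
# chosen to match the question (inside 100 -> outside 0, no ACLs applied).
SECURITY_LEVEL = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # ICMP has no ports, so 0 is used for both
    dport: int = 0
    in_if: str = "inside"
    out_if: str = "outside"
    syn: bool = False     # TCP flags: a new connection must start with SYN only
    ack: bool = False


class StatefulFirewall:
    """Toy stateful firewall: allowed flows are recorded so that return
    traffic is matched against the connection table instead of the ACL."""

    def __init__(self, inspect_icmp: bool = False):
        self.inspect_icmp = inspect_icmp     # 'inspect icmp' in the global policy
        self.conns: Set[Tuple] = set()       # (proto, src, sport, dst, dport)
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple:
        # The entry a reply packet would have been created by: src/dst swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    @staticmethod
    def _acl_allows(p: Packet) -> bool:
        # No explicit ACLs: only the implicit higher -> lower security rule applies.
        return SECURITY_LEVEL[p.in_if] > SECURITY_LEVEL[p.out_if]

    def process(self, p: Packet) -> str:
        # TCP and UDP are always tracked; ICMP only when icmp inspection is enabled.
        tracked = p.proto in ("tcp", "udp") or (p.proto == "icmp" and self.inspect_icmp)

        # 1. Return traffic: a matching reverse entry means the ACL is not consulted.
        if tracked and self._reverse_key(p) in self.conns:
            self.log.append(f"{p.proto} {p.src}->{p.dst}: existing connection, ACL skipped")
            if p.proto == "icmp":
                self.conns.discard(self._reverse_key(p))   # echo reply closes the entry
            return "allow-state"

        # 2. A new TCP flow must open with a bare SYN; anything else is a stray segment.
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny-no-syn"

        # 3. New flow: evaluate policy, then record it if the protocol is tracked.
        if not self._acl_allows(p):
            return "deny-acl"
        if tracked:
            self.conns.add(self._key(p))
        return "allow-acl"


def demo() -> Dict[str, str]:
    """Replay the situation from the question with constructed addresses."""
    out = {}
    fw = StatefulFirewall(inspect_icmp=False)
    http = Packet("tcp", "10.0.0.5", "203.0.113.10", 51000, 80, syn=True)
    http_reply = Packet("tcp", "203.0.113.10", "10.0.0.5", 80, 51000,
                        in_if="outside", out_if="inside", syn=True, ack=True)
    stray_ack = Packet("tcp", "198.51.100.7", "10.0.0.5", 80, 51001,
                       in_if="outside", out_if="inside", ack=True)
    out["http_out"] = fw.process(http)            # allow-acl, entry created
    out["http_reply"] = fw.process(http_reply)    # allow-state, no ACL check
    out["stray_ack"] = fw.process(stray_ack)      # deny-no-syn, no state for it

    ping = Packet("icmp", "10.0.0.5", "203.0.113.10")
    ping_reply = Packet("icmp", "203.0.113.10", "10.0.0.5", in_if="outside", out_if="inside")
    out["ping_out"] = fw.process(ping)            # allow-acl, but nothing recorded
    out["ping_reply"] = fw.process(ping_reply)    # deny-acl: lower -> higher, no state

    fw_icmp = StatefulFirewall(inspect_icmp=True)
    out["ping_out_inspect"] = fw_icmp.process(ping)          # allow-acl, entry created
    out["ping_reply_inspect"] = fw_icmp.process(ping_reply)  # allow-state
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The two ICMP runs are the point of the question: without inspection the echo request is forwarded but leaves no entry behind, so the reply hits the lower-to-higher implicit deny; with inspection enabled the reply matches the recorded entry exactly as a TCP reply does.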
Tags: Cisco Security
Similar Questions
-
Site-to-site VPN ASA 5505 - allow established traffic only
Hello
I have an IKEv1/IPsec tunnel between two ASAs.
Local network 10.31.0.0/16
The other site's local network 172.21.0.0/24
But I would like that only traffic initiated from 10.31.0.0/16 towards 172.21.0.0/24 is allowed, and not from 172.21.0.0/24 to 10.31.0.0/16. Is it possible?
(replies to 10.31.0.0/16 should be allowed from the remote network 172.21.0.0/24)
Best regards, Steffen.
Hello
If I didn't misunderstand the above question then I think you might be able to do the following on the ASA with the local network of 10.31.0.0/16.
The ASA has the following global configuration, which is the default if you have not changed it
sysopt connection permit-vpn
This does not show in the CLI configuration as the above is the default setting.
You can check this with the command
show run all sysopt
This will list even the default settings.
Now what this configuration essentially means is: allow ALL traffic that comes through a VPN connection to get through the ASA interface ACL. So in your case, on the ASA with the network 10.31.0.0/16, the ASA would allow connections coming from the other site's network 172.21.0.0/24 (as long as it was OK'd by the other site's ASA LAN interface ACL).
What you could do is insert the following configuration
no sysopt connection permit-vpn
What this would do is require you to ALLOW ALL traffic that is coming through the VPN connection in the 'outside' interface ACL of the ASA you want it to pass (I assume 'outside' is the name of your current interface that handles the VPN connections). In other words, the VPN traffic would not receive a "pass" to get through the 'outside' interface ACL; instead you must allow it like all other traffic from the Internet.
If you decide to do this, then you MUST CONSIDER the following thing. If you have other VPN connections such as other L2L VPN or VPN Client connections, THEN you must first allow their traffic in your 'outside' interface ACL towards the ASA's LAN. If you do this and insert the above configuration, you will notice that their traffic will start to get blocked by the 'outside' interface ACL (or if you don't have an ACL configured then the ASA's 'security level' will naturally block traffic in the same way an ACL would).
So if we assume that the L2L VPN is the only VPN you have configured on the ASA with 10.31.0.0/16 then the following changes would happen.
- Hosts in the network 10.31.0.0/16 would be able to open connections to the remote network 172.21.0.0/24 provided the LAN interface ACL allows this traffic
- Return traffic for these connections would of course be allowed by the ASA like all other traffic.
- IF any incoming connection attempts come to the ASA with the 10.31.0.0/16 network from the 172.21.0.0/24 network, they would fail unless you ALLOW them in the 'outside' interface ACL
Hope this made sense and helped
Please consider marking the reply as the correct answer if it answered your question.
Naturally ask more if necessary
-Jouni
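The effect of `sysopt connection permit-vpn` on the interface ACL, as an added Python model (not part of the original thread and not Cisco code): decrypted VPN traffic skips the outside ACL while the bypass is on, and must match an explicit permit once it is turned off. The 10.31.0.0/16 and 172.21.0.0/24 networks come from the question; the second L2L peer network 192.168.50.0/24 and the Internet host are assumptions added to show the caveat about other VPN connections. The model deliberately leaves out the connection table, so it shows only the ACL stage for new inbound flows.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of the ASA behaviour described above. The second L2L network
# (192.168.50.0/24) and the Internet host are assumptions added for illustration.


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    from_vpn: bool      # True when the packet was decrypted from an IPsec tunnel


@dataclass(frozen=True)
class AclEntry:
    action: str         # "permit" or "deny"
    src_net: str
    dst_net: str


def acl_lookup(acl: List[AclEntry], flow: Flow) -> str:
    """First-match evaluation with the implicit deny at the end of every ASA ACL."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for entry in acl:
        if src in ipaddress.ip_network(entry.src_net) and dst in ipaddress.ip_network(entry.dst_net):
            return entry.action
    return "deny"


def outside_decision(flow: Flow, outside_acl: List[AclEntry], sysopt_permit_vpn: bool) -> str:
    """ACL stage for a packet arriving on 'outside' (security level 0) bound for the LAN.

    With 'sysopt connection permit-vpn' (the default) decrypted VPN traffic never
    reaches the interface ACL. With 'no sysopt connection permit-vpn' it is treated
    like any other packet from the Internet and must be permitted explicitly.
    """
    if flow.from_vpn and sysopt_permit_vpn:
        return "permit-vpn-bypass"
    return acl_lookup(outside_acl, flow)


def demo() -> Dict[str, Dict[str, str]]:
    # Outside ACL that only permits the assumed second L2L peer network.
    outside_acl = [AclEntry("permit", "192.168.50.0/24", "10.31.0.0/16")]

    peer_site = Flow("172.21.0.5", "10.31.1.10", from_vpn=True)     # the site to restrict
    other_vpn = Flow("192.168.50.9", "10.31.1.10", from_vpn=True)   # assumed second L2L
    internet = Flow("198.51.100.1", "10.31.1.10", from_vpn=False)  # plain Internet host

    results = {}
    for label, sysopt in (("default", True), ("no_sysopt", False)):
        results[label] = {
            "peer_site": outside_decision(peer_site, outside_acl, sysopt),
            "other_vpn": outside_decision(other_vpn, outside_acl, sysopt),
            "internet": outside_decision(internet, outside_acl, sysopt),
        }
    # Caveat from the reply: with the bypass removed and no ACL entry for the
    # other L2L peer, that peer's traffic is blocked as well.
    results["no_sysopt_empty_acl"] = {
        "other_vpn": outside_decision(other_vpn, [], False),
    }
    return results


if __name__ == "__main__":
    for scenario, verdicts in demo().items():
        print(scenario, verdicts)
```

Inside-initiated connections to 172.21.0.0/24 are unaffected by either setting because their replies are matched by the connection table before any ACL is consulted; only new flows arriving from the tunnel change behaviour here.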
-
Cisco ASA 5540 L2L VPN - one-way traffic only for one of the network pairs
Hello
I'm a little confused as to what the problem is. This is the background to the problem I'm facing.
One of our big clients has a Cisco ASA5540 (8.2(2)) failover pair (active/standby). Early last year we configured a LAN-to-LAN VPN to a 3rd party site (a Check Point device on their end). It worked until early this week when the connection problems suddenly started.
Only 1 of the 3 networks/hosts can access the remote network on the other side. The 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and the information they sent me seems to be correct).
So essentially the crypto ACL is configured as follows:
access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)
NAT exemption has been configured as follows (interface names modified):
nat (interface1) 0 access-list INSIDE-VPN-SHEEP
access-list INSIDE-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
access-list INSIDE-VPN-SHEEP line 2 extended permit ip host 10.238.57.21 host 10.82.0.202
nat (interface2) 0 access-list VPN-SHEEP
access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252
After the problem started only the 10.207.0.0/16 network's connections worked towards the remote site 10.82.0.200/30. All other connections do not work.
There has been no change made on our side and the remote side also insists there has been no change. I also checked how long the ASAs have been up and how long the same device has been active in the failover pair. Both have been up the same time (about a year).
The main problem is that users of the 10.231.191.0/24 network can't access the remote network. However, the remote users can initiate and bring up the VPN on their side but never get any return traffic. I've also checked that the routes are configured correctly in the core routers, so the return traffic for their connections should go back to the firewall.
I also used "packet-tracer" to try to bring up the VPN tunnel (and it passes the VPN phases). To my understanding "packet-tracer" alone with the source and destination IP addresses should bring up the VPN connection (even if it generates no actual traffic into the tunnel).
This is the output of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.82.0.200 255.255.255.252 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group in interface interface1
access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  nat-control
  match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
    NAT exempt
    translate_hits = 32, untranslate_hits = 35251
Additional Information:

- Phase 9 is a static NAT for a different interface. Don't know why it shows up here.

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
  nat-control
  match ip inside 10.231.0.0 255.255.0.0 interface3 any
    static translation to 10.231.0.0
    translate_hits = 153954, untranslate_hits = 88
Additional Information:

- Phase 10 seems to be the default NAT configuration for the local network when traffic goes to the Internet.

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (interface1) 5 10.231.191.0 255.255.255.0
  nat-control
  match ip inside 10.231.191.0 255.255.255.0 outside any
    dynamic translation to pool 5 (y.y.y.y)
    translate_hits = 3048900, untranslate_hits = 77195
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1047981896, packet dispatched to next module

Result:
input-interface: interface1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

So basically the connection should properly go into the L2L VPN connection, but yet it isn't. I tried to generate basic client traffic (with the source IP address of the client network) and I see the connection on the firewall, but yet there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall only forwards the packets out the external interface instead of encapsulating them for the VPN?
And as I said, at the same time the remote end can bring up the connection between these 2 networks just fine, but just won't get any traffic back for their ICMP echo messages.
access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
current_peer: y.y.y.y
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
If it was just a routing problem it would be a simple thing to fix, but it isn't, because I can see the connections arriving from the core router on the firewall, but they just don't get passed on to the VPN connection.
Could this be happening due to a bug in the ASA software? Would this be something with the Check Point VPN device? (I have absolutely no experience with Check Point devices)
If there is any essential information that I can give, please ask.
-Jouni
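The asymmetry Jouni points at (decaps 131, encaps 0 on one side) is something worth checking mechanically across all SAs rather than by eye. The following is an added example, not part of the original thread and not Cisco code: a small Python parser for the `show crypto ipsec sa` counter block quoted above that splits the output into one record per SA and flags SAs whose counters move in only one direction. The sample input is re-typed from the post above (peer address kept as y.y.y.y); the line layout assumed is the standard ASA 8.x one.

```python
import re
from typing import Dict, List

# Constructed sample: the 'show crypto ipsec sa' excerpt from the post above,
# re-typed as test input (peer address y.y.y.y kept as in the post).
SAMPLE = """\
    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
    current_peer: y.y.y.y

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
# Only the counters needed for the direction check are extracted.
COUNTER_RE = re.compile(
    r"#(pkts encaps|pkts decaps|pkts encrypt|pkts decrypt|send errors|recv errors): (\d+)"
)


def parse_ipsec_sa(text: str) -> List[Dict]:
    """Split 'show crypto ipsec sa' output into records, one per 'local ident' block."""
    records: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m and m.group(1) == "local":
            # A new SA block starts with its local proxy identity.
            cur = {"local": m.group(2), "remote": None, "peer": None, "counters": {}}
            records.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first SA
        if m:
            cur["remote"] = m.group(2)
            continue
        pm = PEER_RE.search(line)
        if pm:
            cur["peer"] = pm.group(1)
        for name, value in COUNTER_RE.findall(line):
            cur["counters"][name] = int(value)
    return records


def classify(sa: Dict) -> str:
    """Describe the traffic direction an SA has actually carried."""
    counters = sa["counters"]
    enc = counters.get("pkts encaps", 0)
    dec = counters.get("pkts decaps", 0)
    if enc == 0 and dec > 0:
        return "one-way: receiving only (local side never encapsulates)"
    if dec == 0 and enc > 0:
        return "one-way: sending only (nothing comes back)"
    if enc == 0 and dec == 0:
        return "idle: no traffic in either direction"
    return "bidirectional"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        print(f"{sa['local']} <-> {sa['remote']} via {sa['peer']}: {classify(sa)}")
```

On the output above the verdict is "receiving only", which matches the symptom in the post: the peer's packets are decrypted and counted, but nothing from 10.231.191.0/24 is ever handed to the crypto engine, so the fault sits before encapsulation (routing, NAT or crypto-map selection) rather than in the tunnel itself.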
Jouni,
8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).
If this does not resolve the problem - I suggest opening a TAC case to get to the bottom of this ;-)
Marcin
-
Site-to-site VPN between a pair of ASA 5505s does not pass traffic
The configurations are fairly simple. Ping between the two LAN PCs fails. "show crypto isakmp sa" and "show crypto ipsec sa" both come up, though.
Please refer to the attached text and diagram files.
I'm pre-configuring the ASAs, so the external interfaces have private IP addresses for the moment.
All input is welcome.
Thank you!
Your configurations look simple.
As the Phase 1 and Phase 2 SAs are coming up, the VPN seems correct.
We see encaps leaving ASA1 and decaps on ASA2, but no return traffic seems to come in.
I suspect a problem with the host 192.168.102.5. Can you capture packets on it and check that it receives the traffic initiated from the host 192.168.101.5 (ASA1 side) and that it answers with ASA2 as its default gateway?
-
I want to be able to create a JavaScript function that allows me to target some class names on specific web sites. I want to make a custom button in the Mozilla toolbar to start the function. Similar to Adblock, but as a toggle button so I can turn it on when I want to.
Hello Kalevera, you could build a simple extension to achieve that, but this will obviously go beyond the scope of this support forum.
For some resources to get started you can refer to
https://developer.Mozilla.org/en-us/add-ons/SDK
https://developer.Mozilla.org/en-us/add-ons/SDK/low-Level_APIs/ui_button_toggle
https://forums.Mozilla.org/viewforum.php?f=7
-
My computer crashed
I got it running again (after taking it to the repair shop), but I now have to install the icon that allows me to use all the features of the scanner.
I have no idea where the disk is - I've looked everywhere, so I must assume it got thrown away by accident (we've had this printer for many years). That means I'm trying to find a way to do this without using the disk.
I downloaded something from the HP site which allows me to use the scanner, but it doesn't let me crop what I scan. This feature is extremely important for me because I use it for business and need to crop the photos all the time. For example, I tested it with a single 4 x 6 photo and it scanned all the white space as well... which is usually not serious, but there is no feature allowing me to choose which part of the scan I want to save.
Please... oh please, please, please... let some knowledgeable do-gooder see this post and help me with this...
No, it wasn't that... but thank you very much for offering to help me
BUT... After several attempts at searching, I found what worked (oh, thank God!)
http://support.HP.com/us-en/document/c03286146
Click on the blue highlighted link in the first paragraph: HP print and Scan Doctor
-
My xbox and TV aren't in the same place. I have cat5e cables in the walls between the AV closet and the TV, but have no USB 2.0 cables for the Kinect in the wall. Rather than hacking open the walls, I want to run the Kinect over cat5e and convert it back to USB before plugging it into the xbox. I've seen products online that allow you to do this but they are not Microsoft products and they cost more than the xbox! Can you offer a solution to this problem?
Thank you
Hello
Check with your local computer store.
Answers has no influence on XBox or XBox Live, if you need to contact them.
XBox - Support
http://support.Xbox.com/en-us/pages/default.aspx
XBox - Contact us (support)
http://support.Xbox.com/en-us/contact-us
XBox - Support Forums - and my XBox (top-right)
http://forums.Xbox.com/
Xbox technical support phone number
- Toll-free: (800) 4MY-XBOX or (800) 469-9269
I hope this helps.
Rob Brown - Microsoft MVP
-
original title: WAV file: windows media player
Windows Media Player allows some of my WAV files to be played at a faster speed, but other WAV files are NOT allowed to play at a faster speed. Any suggestions on how to fix this?
Thank you
Hello
1. did you make any changes on your computer before this problem?
2. what happens when you try to play?
3. what operating system is running on your computer?
What version of the Windows operating system am I running?
http://Windows.Microsoft.com/en-us/Windows7/help/which-version-of-the-Windows-operating-system-am-i-running
Follow the suggestions and see if it helps.
Method 1
You can run the Windows Media Player settings troubleshooter.
Open the troubleshooting Windows Media Player settings Troubleshooter
http://Windows.Microsoft.com/en-us/Windows7/open-the-Windows-Media-Player-settings-Troubleshooter
Method 2
You can read the article and then check.
Change playback speed in Windows Media Player
http://Windows.Microsoft.com/en-us/Windows7/change-playback-speed-in-Windows-Media-Player
See also:
Play an audio or video file: frequently asked questions
http://Windows.Microsoft.com/en-us/Windows7/play-an-audio-or-video-file-frequently-asked-questions
Play an audio or video file
http://Windows.Microsoft.com/en-us/Windows7/play-an-audio-or-video-file
-
Rumors of new device for xbox 360 that allows players to play the Kinect in less space?
Will there be a new device for xbox 360 that allows players to play the Kinect in less space?
Hello
You will need to check with the XBox Forums.
XBox - Support Forums - and my XBox (top-right)
http://forums.Xbox.com/
XBox - Kinect
http://www.Xbox.com/en-us/Kinect
I hope this helps.
Rob Brown - Microsoft MVP
-
We will use a script that allows users to log on only once.
However some users need a second logon possibility.
How can this be handled in a script?
The users in question are members of the same security group.
We are using Windows Server 2003 with XP clients.
Hello
Your Windows 7 question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please post your question in the Windows 7 IT Pro TechNet forums.
http://social.technet.Microsoft.com/forums/en/category/WindowsServer/
I hope this helps.
-
Download a new version of Disk Defragmenter that allows scheduled defragmentation?
Download a new version of Disk Defragmenter that allows scheduled defragmentation? I use Windows XP. My laptop, using Windows 7, has that feature.
original title: Disk Defragmenter
Hi, Frank III,
The following link contains useful information on this topic: http://support.microsoft.com/kb/130539
Basically, Diskeeper Corp. (now Condusiv Technologies), which provided the tool found in the Windows Defragmenter, also offers a product called Diskeeper that automatically removes and prevents fragmentation.
I hope this helps!
-Alex
-
I am trying to create a VPN connection, but when I get to the step that allows me to create the VPN, the radio buttons are grayed out; it seems a Windows component is missing and does not allow me to create the VPN. I am running Windows XP Home Edition. I recently got a malware attack and had to quarantine and fix trojan attempts. After the restoration, I found that my previous VPN connection was broken. When I tried to add a new connection, I'm stuck on the virtual private network connection screen in the new connection wizard: the radio button for the private network connection is grayed out and cannot be checked.
Hello
Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please post your question in the Windows XP TechNet forum. You can follow the link to post your question:
http://social.technet.Microsoft.com/forums/en/itproxpsp/threads
-
Recently, I installed Wubi, an application that allowed me to try out Ubuntu while still maintaining my installation of Windows XP. Since I uninstalled Ubuntu, the microphone has stopped recording.
I tried to watch http://support.microsoft.com/ph/1173 and have searched to my problem on this page, but I came up with results relating to Windows 95.
I checked the "recording control" and other kinds of options in my Control Panel. Yet I came up empty; any suggestions in this area of the Control Panel, or elsewhere, would be greatly appreciated. Thank you
Hello Purplehaze412,
Thank you for your message. What kind of microphone do you have? Is it USB or does it plug into the microphone port like the speakers or headphones?
If it uses the headphone-style jack:
Click "Start" > click on "Control Panel" > double-click "Sounds and Audio Devices".
Select the "Audio" tab.
Under "Sound recording", can you change the default device?
If it is USB, try the following:
Click 'Start' > right click on 'My Computer' > select 'Manage'.
Select "Device Manager".
Double-click "USB" - remove your microphone device, unplug the microphone, then plug it back in to be recognized.
We look forward to hearing back from you.
See you soon
Jason, Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.
-
Where can I get the best version of Windows Movie Maker that allows me to publish movies in FULL HD? For Windows 7 RC?
Hello, sebianoti
Please use the Answers forum for help with testing Windows 7!
Windows Movie Maker is no longer included in Windows 7. Be sure to check the Windows Live Movie Maker beta available at http://download.live.com/moviemaker.
Let us know if that helps.
David
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.
-
How do I disable my touchpad - I did it before, but the work done on the laptop re-enabled it. When I go to Devices and then the mouse and pointer manager...
Hello AndreauLuty,
It will be different depending on the manufacturer of the computer that you have. Go to the control panel and go to the mouse option. On some computers, there is a tab for the Touchpad and you can turn it off from there.
See the TechNet thread below that describes how to disable the touchpad.
http://social.technet.Microsoft.com/forums/en/w7itprogeneral/thread/a2c8b891-09a0-4F0A-9419-c21190fff642
I hope this helps.
Marilyn