Changing the server IP in an ASA 5505?
Hi everyone, I don't know anything about Cisco devices; I just wanted to say that up front. I recently took on a job at a site that has an ASA 5505 as the network gateway and a VPN for employees to work from home via the Cisco VPN remote client program. We had a main server which was the domain controller, DNS, and DHCP. It was an old 03 box, and I installed a new 08 R2 box on a different IP address and migrated all of the above functions to it. The old server was xxx.xxx.xxx.31, the new server is xxx.xxx.xxx.6. I found the Java ASDM program (6.1) and connected to the ASA, and I changed .31 to .6 in as many places as I could find. However, VPN clients on the outside can no longer connect to their workstations: when I open a command prompt on a client computer, the only IP they can ping is xxx.xxx.xxx.31; pinging xxx.xxx.xxx.6, or any other address, fails. I guess maybe it's in the firewall of the ASA, but I really have no idea. Was there something else I was supposed to do? Somewhere I forgot? I did save to flash and reload the running configuration, but I have not done a physical power reset since I made the changes.
Thank you.
This new server (.6), does it have a Windows firewall that might be blocking incoming access? Please check on the server itself.
If you can still reach the old server (.31), then the configuration on the ASA does not really matter much, as it has been configured to allow the subnet (192.168.0.0/24).
Similar Questions
-
Block the specific IP traffic in ASA 5505
Hi, we have an ASA 5505 in transparent mode and run a web service online. However, we have noticed a number of intrusion attempts from China and Korea, and we need to block traffic from these IPs. Can anyone help, please?
config script is
firewall transparent
hostname xxyyASA
enable password msi14F/SlH4ZLjHH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description - the Internet-
 switchport access vlan 2
!
interface Ethernet0/1
 description - connected to the LAN-
!
interface Ethernet0/2
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan2
 nameif outside
 bridge-group 1
 security-level 0
!
interface BVI1
 description - for management only-
 ip address xxx.yyy.zzz.uuu 255.255.xxx.yyy
!
ftp mode passive
object network WWW-SERVER-OBJ
 host xxx.yyy.zzz.jjj
 description - webserver-
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 description - Services published on the WEB server-
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
 description - Services published on the WEB server - UDP
 port-object range 221 225
 port-object range 1719 1740
access-list OUTSIDE-IN-ACL extended deny tcp any any eq 3306
access-list OUTSIDE-IN-ACL extended deny tcp any any eq telnet
access-list OUTSIDE-IN-ACL extended permit icmp any any
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.uuu object WWW-SERVER-OBJ eq 3306
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
We need to block access from a host, say 64.15.152.208.
We just need the best steps to follow to block access without affecting the service or other hosts.
Thank you
Insert a line like:
access-list OUTSIDE-IN-ACL extended deny ip host 64.15.152.208 any
in front of your 3rd line "... permit icmp any any".
If you have many of them, maybe do:
object-group network BLACKLIST
 network-object host 64.15.152.208
 network-object host another.bad.ip.here
 network-object entire.dubious.subnet.here 255.255.255.0
 ...
access-list OUTSIDE-IN-ACL extended deny ip object-group BLACKLIST any
If you want to take in reputation scores from the outside, or the blacklist changes a lot, you might look into the Cisco ASA IPS module.
Note that dropping bad hosts helps with targeted attacks, but not with denial of service; it only moves the drop point from the application server to the firewall, without much net effect on your uplink bandwidth consumption.
-Jim Leinweber, WI State Lab of Hygiene
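A sketch of how the object-group approach in the answer above can be generated from a raw list of sources; this is an added example, not part of the original thread. The function name, the protected-address list and all sample addresses other than 64.15.152.208 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: the host from the thread plus RFC 5737
# documentation addresses standing in for other offenders.
SAMPLE_SOURCES = [
    "64.15.152.208",
    "198.51.100.7",
    "198.51.100.7",       # duplicate entry
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent to the previous one, merges into a /24
    "not-an-ip",          # malformed, must be rejected
    "192.0.2.10",         # collides with a protected address
]

# Hypothetical addresses that must never end up in the deny group, for
# example the single host that is allowed to reach port 3306.
PROTECTED = ["192.0.2.10"]


def build_blacklist(sources, protected=(), group="BLACKLIST",
                    acl="OUTSIDE-IN-ACL", line=None):
    """Return (config_lines, rejected) for an ASA network object-group.

    Entries are validated, de-duplicated and merged so the group stays
    small; anything overlapping a protected address is refused instead of
    silently locking out a legitimate host.
    """
    keep = [ipaddress.ip_network(p) for p in protected]
    nets, rejected = [], []
    for raw in sources:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an address or prefix"))
            continue
        if net.version != 4:
            rejected.append((raw, "only IPv4 is handled here"))
            continue
        if any(net.overlaps(k) for k in keep):
            rejected.append((raw, "overlaps a protected address"))
            continue
        nets.append(net)

    merged = list(ipaddress.collapse_addresses(nets))
    if not merged:
        return [], rejected      # never emit a deny on an empty group

    config = [f"object-group network {group}"]
    for net in merged:
        if net.prefixlen == 32:
            config.append(f" network-object host {net.network_address}")
        else:
            config.append(f" network-object {net.network_address} {net.netmask}")
    # "line N" places the entry at that position so it is evaluated before
    # the broader permit entries that follow it.
    position = f"line {line} " if line else ""
    config.append(
        f"access-list {acl} {position}extended deny ip object-group {group} any"
    )
    return config, rejected


if __name__ == "__main__":
    lines, skipped = build_blacklist(SAMPLE_SOURCES, PROTECTED, line=3)
    print("\n".join(lines))
    for raw, reason in skipped:
        print(f"! skipped {raw}: {reason}")
```

With line=3 the deny entry lands ahead of the existing third entry of OUTSIDE-IN-ACL, which is where the answer says it has to go.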
-
The import of the PIX 501 config to ASA 5505
Is there something special that must occur to import a PIX 501 (IOS Version 6.3) config to an ASA 5505 appliance, or is it as simple as downloading the config?
Greg
No, unfortunately it isn't, because your PIX is running 6.4 and the ASA 5505 will run a minimum of 7.x code, and there were quite a few changes. Note that many existing commands would work, but some will not. Attached is a link to a doc on migrating from PIX to ASA which covers both a manual method and a tool-assisted version.
http://www.Cisco.com/en/us/docs/security/ASA/migration/guide/pix2asa.html
Jon
-
Install two separate IPSec VPNs on ASA 5505
Hello
I have to set up a second IPSec VPN tunnel on my Cisco ASA 5505 to another office. I was able to configure the first one without problem through the ASDM, but have not been able to get the second one working.
The IPSec tunnel connects to a WRVS4400N router at the other office. I tried debug crypto isakmp and debug crypto ipsec, but I get nothing. Here is the config. Does something seem wrong on my end? I've also attached a screenshot of the configuration settings on the remote router.
Output of the command: "show run".
: Saved
:
ASA Version 8.2(5)
!
hostname WayneASA
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.91.18.205 255.255.255.252
!
interface Vlan5
 shutdown
 no nameif
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 75.75.75.75
 name-server 75.75.76.76
 domain-name 3gtms.com
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list TunnelSplit1 standard permit 192.168.10.0 255.255.255.224
access-list TunnelSplit1 standard permit 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.10.1-192.168.10.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.91.18.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 1 set transform-set VPNTransformSet
crypto map IPSec_map 2 match address outside_2_cryptomap
crypto map IPSec_map 2 set pfs group1
crypto map IPSec_map 2 set peer 98.101.139.210
crypto map IPSec_map 2 set transform-set VPNTransformSet
crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSec_map interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.199.234.229
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteTunnel internal
group-policy RemoteTunnel attributes
 dns-server value 75.75.75.75 75.75.76.76
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteTunnel_splitTunnelAcl_1
 default-domain value 3gtms.com
username eric password 0vcSd5J/TLsFy7nU encrypted privilege 15
username lestofts password URsSXKLozQMSeCBk encrypted privilege 5
username lestofts attributes
 service-type remote-access
username algobel password lBWy5eNbHMCDPzuL encrypted
username algobel attributes
 service-type remote-access
tunnel-group RemoteTunnel type remote-access
tunnel-group RemoteTunnel general-attributes
 address-pool VPNPool
 default-group-policy RemoteTunnel
tunnel-group RemoteTunnel ipsec-attributes
 pre-shared-key *
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 50.199.234.229 ipsec-attributes
 pre-shared-key *
tunnel-group 98.101.139.210 type ipsec-l2l
tunnel-group 98.101.139.210 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns
  inspect pptp
  inspect sip
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:a86adc4b23977672679b6fb72d0bc187
: end
You are also missing the NAT0 rule
access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
-Jouni
-
Photosmart HP 6520: lost my photosmart 6520 by manually changing the server address
Hello
My printer is connected wirelessly and prints well by AirPrint and when I send it jobs by email, but after successfully scanning to e-mail several times it suddenly wouldn't connect to the Internet and gave an error message. Tried turning it off and on several times. Looked for help on the forum and followed advice to manually change the DNS server to 8.8.8.8 and the alternate server to 8.8.4.4. This resulted in my losing access to my printer via its IP in my browser, so I can't undo my actions, and my printer still gives the error message when I ask it to scan to e-mail. All other functions work.
Help, please. Thank you
Hey @Kybosh,
Welcome to the Forum from HP Support.
I understand that you are having connectivity problems with your HP Photosmart 6520 e-All-in-One printer. I want to help you with this.
I'm surprised that a manual DNS has interfered with your setup - I think generally it does the opposite and enhances connectivity. In any case, do not despair! I have some suggestions that can restore the features of your printer.
I recommend a fresh start by restoring the default settings of your printer to avoid any persistent configuration problem. Here's how:
- Front panel of the printer, press the key
- Touch tools
- Touch Restore Factory Defaults
- * Note that this will reset your wireless and web services settings. If you have a custom ePrint address, it will be deleted permanently. Click here for more information about setting up a custom ePrint address.
With your default settings restored, continue as follows:
- Touch the wireless icon
- Run the Wireless Setup Wizard and reconnect to your network (SSID)
- Enter the wireless password if prompted
- Once you have established wireless connectivity, reactivate your web services/ePrint feature (essential for the use of scan to e-mail)
- Tap the web services icon
- Enable web services and press OK to allow your printer to update automatically
- Once completed, it will print a page of information. If you are looking to complete an ePrint installation, it will be useful later - click here for more information.
Now, if all goes well, you can rebuild your scan to e-mail setup:
- Tap the scan icon
- Tap Scan to E-mail
- Enter your personal email address
- Retrieve the PIN code from your inbox
- Enter the PIN on your printer when requested to complete the installation
Did the above restore the functionality you were missing?
Please let me know the result of your troubleshooting by responding to this post. If I helped you to solve the problem, feel free to give me a virtual h.o.t. by clicking on the 'Thumbs Up' icon below.
Please post in the Forum of HP's Support and have a great day!
-
BlackBerry smartphone how to change the server password
Hi, yesterday we changed the password on the server. Since then, I have a couple of BlackBerry 9300s that no longer work. I think I need to go into the BlackBerry and change the password, but I'm not sure which options I have to go to. I tried Options - Device, but I don't have advanced options or advanced system settings there. Can someone tell me where I can find the option for the mail server so I can change the password? I hope the above makes sense.
BIS is not able to interface directly with Exchange, but has to use OWA, IMAP or POP. However, see:
- Article ID: KB05255 Associated e-mail account is no longer accessible by the BlackBerry Internet Service account
Cause 3 may be what you need.
Good luck and let us know!
-
Hi all,
I have 10.2 g database on a Windows Server 2003 in production.
What would be the impact on the database if I change the time on the server, i.e. If I roll the clock back?
My database server takes its time from my DC server, and I have to roll the clock back on the DC server.
Thank you!
871486 wrote:
Hi all,
I have 10.2 g database on a Windows Server 2003 in production.
What would be the impact on the database if I change the time on the server, i.e. If I roll the clock back?
My database server takes its time from my DC server, and I have to roll the clock back on the DC server.
Thank you!
Schedulers will be affected. By schedulers I mean both the Oracle-defined schedulers (maintenance window, etc.) and user-defined schedulers.
-
How to change the server session time out?
Hello
When I start writing a file of more than about 2 MB using the Java API writeResource(), my application hangs and says that the server timed out, throwing an exception...
But I don't face any problem when writing a file of about 1 MB.
Can you tell me how to set/increase the server timeout in the configuration?
Regards
Sunil Gupta
You should have write access to the JBoss installation folder to change this setting.
For example, if JBoss is installed on another computer, log in to that machine and locate the following file:
e.g. c:\Adobe\Adobe LiveCycle ES2\jboss\server\all\deploy\jboss-web.deployer\server.xml
The path is just for your reference; contact your system administrator for the exact location of this file.
Look for sessionTimeout and change/increase the value attribute.
Is it clear now?
Nith
-
Is there an impact on the database if we change the server time?
Hello
Our DB server time is 45 minutes before our application server. We have to reset the database server time. Is there an impact on the database if we change the synchronization of the server?
Platform: Solaris
DB version: 10.2.0.2.0
bash $
bash-3.00$ date
Thu Apr 23 20:26:19 IST 2009
bash-3.00$ sqlplus /nolog
SQL*Plus: Release 10.2.0.2.0 - Production on Thu Apr 23 20:27:15 2009
Copyright (c) 1982, 2005, Oracle. All rights reserved.
SQL> conn / as sysdba
Connected.
SQL> select sysdate from dual;
SYSDATE
---------
23-APR-09
SQL> select systimestamp from dual;
SYSTIMESTAMP
---------------------------------------------------------------------------
23-APR-09 08.27.53.250947 PM +05:30
It's an application question, not an Oracle question.
Oracle doesn't care what time it is, or when the time changes. Your applications, however, may care. If you use SYSDATE to populate a row and depend on the date later to be unique or to indicate the actual order in which rows were inserted, changing the date on the server, in particular setting it back, could cause problems for your application. Does your application have problems running when daylight saving time changes?
Justin
-
I can change the server port, but Windows Mail keeps changing it back to 25
I can get my outgoing mail working by changing the port from 25 to 587, but whenever I close the Windows Mail application and re-open it, it comes back to port 25 (and will not work). Thanks for the help!
You should always back up when you use a Microsoft product. Your hard drive may die too. But deleting the e-mail account does not delete messages, and repair the database will not ruin it. I have not had one person complaining about this program (WMUtil) except for one person who said their antivirus software falsely reported that the file is infected (it was not).
Steve
-
Changing the server publishing point Mobile
Hello
A question:
We have added fields in a table in the repository.
For these fields to be downloaded to the client:
Is it necessary to drop and re-create the publication item?
or
Would it suffice to change the 'query' of the publication item?
Greetings
Hello
I usually follow the steps below and found issues.
I'm using MDW.
1. First remove the publication item from the publication
2. Remove the publication item from the repository
3. Recreate the publication item with the new query
4. Add it to the publication
5. Reset the mobileserver repository
6. It should be OK for most clients. But if there is any issue, I reset the client setting in MDW for the specific user, and a complete refresh is then required for that client only, not for all.
Paninie.
-
cannot NMCS emails Windows live 2011 because incorrect spelling server id. How can I fix it?
Please ask your question in the Windows Live Solution Center.
Brian Tillman [MVP-Outlook]
--------------------------------
https://MVP.support.Microsoft.com/profile/Brian.Tillman
If a response helps, please vote it as useful. If a response solves the problem, please mark it as an answer.
-
Hey guys
I have a server that accepts traffic on a port inside my network, and external clients need to access this server. The NAT and access list work well, but connections time out and fail... Note that without the ASA, client to server directly works fine... and note also that the traffic is encrypted (SSL)... Are there additional settings that I have to configure? Why does it time out? Packet capture shows traffic from the outside reaching the inside interface, but no response from the inside to the outside...
I only have one access list that allows the traffic from the outside to the server, and a NAT rule.
advice needed...
Thank you
Hello
So from what I understand:
"inside interface is xxx.114; the default route on the server is xxx.1, which is an interface on another ASA."
This means that the default route on the server points to another ASA. It won't work unless you apply TCP state bypass.
ASA is a stateful firewall. This means that for TCP it must always see two-way traffic. If a SYN crosses an ASA, it should see the SYN/ACK come back. If an ASA did not see the SYN and sees a SYN/ACK due to asymmetric routing, it won't work.
Change the default route on the server to the same ASA, or configure TCP state bypass (which is not recommended, however).
Thank you
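The asymmetric-routing failure described in the answer above, modelled as a small simulation; this is an added example, not part of the original thread. The firewall names, addresses and the state_bypass flag are assumptions, and the model checks only whether a firewall has seen the SYN for a flow, not sequence numbers or timeouts.

```python
class StatefulFirewall:
    """Minimal model of the connection check a stateful firewall applies."""

    def __init__(self, name, state_bypass=False):
        self.name = name
        self.state_bypass = state_bypass   # stands in for TCP state bypass
        self.flows = set()                 # flows whose SYN was seen here

    def inspect(self, packet):
        src, dst, flags = packet
        flow = frozenset((src, dst))       # same key for both directions
        if flags == "SYN":
            self.flows.add(flow)           # the first packet creates state
            return "pass"
        if flow in self.flows or self.state_bypass:
            return "pass"
        return "drop"                      # no state: SYN never crossed here


# Constructed endpoints: an outside client and the inside server.
CLIENT = ("203.0.113.50", 50000)
SERVER = ("192.168.0.114", 443)


def handshake(inbound_fw, return_fw):
    """Run a TCP three-way handshake across the two paths.

    Packets from the client cross inbound_fw; the server's replies follow
    its default route and cross return_fw. Returns the per-packet trace and
    stops at the first drop, which is where the client sees a timeout.
    """
    steps = [
        ((CLIENT, SERVER, "SYN"), inbound_fw),
        ((SERVER, CLIENT, "SYN/ACK"), return_fw),
        ((CLIENT, SERVER, "ACK"), inbound_fw),
    ]
    trace = []
    for packet, firewall in steps:
        verdict = firewall.inspect(packet)
        trace.append((packet[2], firewall.name, verdict))
        if verdict == "drop":
            break
    return trace


def scenarios():
    """The three cases the answer distinguishes."""
    same = StatefulFirewall("ASA-1")
    return {
        # Server's default route points back to the ASA that did the NAT.
        "symmetric": handshake(same, same),
        # Server's default route points to a different ASA.
        "asymmetric": handshake(StatefulFirewall("ASA-1"),
                                StatefulFirewall("ASA-2")),
        # Same asymmetric path, state check disabled on the second ASA.
        "asymmetric_bypass": handshake(
            StatefulFirewall("ASA-1"),
            StatefulFirewall("ASA-2", state_bypass=True)),
    }


if __name__ == "__main__":
    for name, trace in scenarios().items():
        print(name, trace)
```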
-
Cannot change the incoming mail server. no text highlight
I am unable to send mail from my Mac. No problem with iphone or iPad. Cannot change incoming mail server as text is not highlighted. Cannot change the server for outgoing (SMTP) mail. Cannot change the list of SMTP servers. Says offline.
Hi Granny Smith 1.
Thank you for using Apple Support Communities. Sorry to hear that you are having problems with Mail. It's a little unclear exactly what you see when you say that you cannot change any server info, but if you continue to have problems sending or receiving mail, you will find the troubleshooting steps in the following article useful:
If you cannot send or receive e-mail on your Mac - Apple Support
Kind regards.
-
In Windows Mail, I need to change the incoming Pop IMAP server info
In Windows Mail, I need to change the server incoming IMAP POP on my existing account info. Windows Mail is not allowing this change. Is it possible to change or should I create a new account?
You need to get the settings of your mail server, which you do not even mention.