Proxy with ASA

I have to set up an ASA 5520 with failover. Do we really need a proxy server for internet access with the ASA, or will the ASA alone solve this?

I do not see any reason why you need a proxy to access the internet.

An ASA in failover can still do the NAT and access the internet.

Tags: Cisco Security

Similar Questions

  • Transfer of UC Phone Proxy licenses to a newer ASA

    A few questions about licensing for the ASA and the UC Phone Proxy licenses.

    1. If I buy a block of 24 UC Phone Proxy licenses for the ASA 5510, am I able to add more blocks of 24 as needed?

    2. If/when I upgrade from the ASA 5510 to an ASA 5520 or 5540, can I transfer the Phone Proxy licenses to the new ASA?

    Thanks in advance.

    1. Yes, you can buy a UC user license upgrade for the ASA 5510, with up to 100 UC users for the ASA 5510. However, you cannot buy another 24-user UC license to be added to the existing 24-user license. You must acquire a 24-to-50 or 24-to-100 user upgrade license.

    Here is the URL for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/license/license82.html#wp194956

    (Section 'Additional Guidelines and Limitations', fourth bullet point)

    2. No, the license is tied to the serial number of your existing ASA, and it is not transferable. Here is the URL for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/license/license82.html#wp194956

    (Section 'Additional Guidelines and Limitations', second bullet point)

    Hope that answers your questions.

  • ASA - NG IPS inspect encrypted traffic

    Hello

    We bought an ASA 5525-X with IPS for our network. We have a number of servers that provide web application services.

    We have a big problem installing the ASA: we cannot use ASA inspection and the IPS because over 80% of the traffic passing through is encrypted.

    Please tell me how I can solve this problem.

    I know one solution is to use the HTTPS proxy in the ASA, but for some reason, this solution cannot be implemented.

    Thank you.

    If you want to protect your own web servers against attacks from the internet, you cannot use the HTTPS decryption of the ASA-CX, as the internet clients do not have your CX certificate.

    To resolve this problem, the typical approach is to place a reverse proxy in a DMZ and do the SSL/TLS handling there. The reverse proxy sends plain HTTP through the ASA, and the IPS can inspect it and protect your servers.

  • Twice NAT on a site-to-site tunnel with the same private networks

    Hello

    Currently, I am trying to configure a site-to-site tunnel between an IOS router and an ASA 5505 running 9.1.

    When the IOS router's private subnet was 10.0.0.0/24 and the ASA's private subnet was 172.16.1.0/24, it connected properly.

    I'm now setting it up so that both private networks are 10.0.0.0/24. I created network objects, edited the ACL for interesting traffic and created the twice NAT rule, but the tunnel is not coming up. I was hoping someone could shed some light on where I'm going wrong.

    There is an IOS router (R1) and an ASA (F2). Between them is a router standing in for the Internet, which is just set up to allow both sides to reach their WAN.

    R1 and F2 both have a private network (10.0.0.0/24) that needs to communicate. Twice NAT can be done on the ASA to allow this, but I must be doing something wrong. The way I understand it, R1 should see traffic coming from 10.51.0.0/24 and send traffic to it. The ASA will take this traffic and the inside network should see it coming in as 10.50.0.0/24. So F2's private network communicates with 10.50.0.0/24, and R1's private network sends traffic to 10.51.0.0/24.

    I turned on "debug crypto ipsec" and "debug crypto isakmp", but no output appears or gives any indication that it is trying to establish anything.

    Any help would be greatly appreciated! Thank you!

    R1#show run

    version 12.4

    hostname R1

    crypto isakmp policy 50
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address 10.2.0.254

    crypto ipsec transform-set L2L_SET esp-3des esp-sha-hmac

    crypto map CRYPTO 50 ipsec-isakmp
     set peer 10.2.0.254
     set transform-set L2L_SET
     match address CRYPTO

    interface FastEthernet0/0
     ip address 10.0.0.253 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip ospf authentication message-digest
     ip ospf authentication-key cisco
     duplex auto
     speed auto

    interface FastEthernet0/1
     ip address 10.1.0.254 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     ip ospf authentication message-digest
     ip ospf authentication-key cisco
     duplex auto
     speed auto
     crypto map CRYPTO

    ip classless
    ip route 0.0.0.0 0.0.0.0 10.1.0.253
    ip route 10.2.0.0 255.255.255.0 10.1.0.253
    !
    !
    ip http server
    no ip http secure-server
    ip nat inside source list SHEEP interface FastEthernet0/1 overload
    !
    ip access-list extended CRYPTO
     permit ip 10.0.0.0 0.0.0.255 10.51.0.0 0.0.0.255
    ip access-list extended SHEEP
     deny ip 10.0.0.0 0.0.0.255 10.51.0.0 0.0.0.255
     permit ip any any

    =========================================================================

    F2# show run
    : Saved
    :
    ASA Version 9.1(1)
    !
    hostname F2
    enable password 3a57ZsZ4Kgc.ZsL0 encrypted
    passwd 3a57ZsZ4Kgc.ZsL0 encrypted
    names

    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.0.0.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.2.0.254 255.255.255.0

    object network PRIVATE
     subnet 10.0.0.0 255.255.255.0

    object network PARTNER_PRIVATE
     subnet 10.0.0.0 255.255.255.0
    object network PARTNER_VPN_INBOUND
     subnet 10.50.0.0 255.255.255.0
    object network PARTNER_VPN_OUTBOUND
     subnet 10.51.0.0 255.255.255.0

    access-list OUTSIDE_IN extended permit ip any any
    access-list CRYPTO extended permit ip 10.0.0.0 255.255.255.0 10.50.0.0 255.255.255.0

    nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination static PARTNER_PRIVATE PARTNER_VPN_INBOUND
    !
    object network PRIVATE
     nat (inside,outside) dynamic interface
    access-group OUTSIDE_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 10.2.0.253 1
    route outside 10.1.0.0 255.255.255.0 10.2.0.253 1
    aaa authentication ssh console LOCAL

    crypto ipsec ikev1 transform-set L2L_SET esp-3des esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map L2L_MAP 50 match address CRYPTO
    crypto map L2L_MAP 50 set peer 10.1.0.254
    crypto map L2L_MAP 50 set ikev1 transform-set L2L_SET
    crypto map L2L_MAP interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 50
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    tunnel-group 10.1.0.254 type ipsec-l2l
    tunnel-group 10.1.0.254 ipsec-attributes
     ikev1 pre-shared-key *****

    object network PRIVATE
    subnet 10.0.0.0 255.255.255.0

    object network PARTNER_PRIVATE
    subnet 10.0.0.0 255.255.255.0
    object network PARTNER_VPN_INBOUND
    subnet 10.50.0.0 255.255.255.0
    object network PARTNER_VPN_OUTBOUND
    subnet 10.51.0.0 255.255.255.0

    access-list OUTSIDE_IN extended permit ip any any
    access-list CRYPTO extended permit ip 10.0.0.0 255.255.255.0 10.50.0.0 255.255.255.0

    nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination static PARTNER_PRIVATE PARTNER_VPN_INBOUND

    Here in the NAT rule you use the subnet PARTNER_PRIVATE, which is the same as the local one, so the devices never send this traffic to the ASA, because they know that this subnet (10.0.0.0/24) is their local subnet. Therefore, you must write the NAT rule this way (i.e. swap the places of the objects):

    nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination static PARTNER_VPN_INBOUND PARTNER_PRIVATE

    So the hosts on the subnet behind the ASA will see the hosts on the subnet behind the ISR as 10.50.0.0/24, and to reach the subnet behind the ISR you must use the 10.50.0.x addresses, which correspond one-to-one to 10.0.0.x there.

    In addition, your proxy ACL on the ASA must use post-NAT addresses, so it should look like this:

    access-list CRYPTO extended permit ip 10.51.0.0 255.255.255.0 10.0.0.0 255.255.255.0
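The packet walk behind the answer above, as an added example that is not part of the original thread: a small Python model that follows one inside host's packet through the posted and the corrected twice-NAT rule and then checks it against the crypto ACL. The object values and ACLs are copied from the posted configurations; the function names and the simplified model (local-subnet check, static net-to-net mapping, ACL matched on post-NAT addresses) are assumptions made for illustration.

```python
import ipaddress as ip

# Object values copied from the posted F2 configuration.
OBJ = {
    "PRIVATE": ip.ip_network("10.0.0.0/24"),
    "PARTNER_PRIVATE": ip.ip_network("10.0.0.0/24"),
    "PARTNER_VPN_INBOUND": ip.ip_network("10.50.0.0/24"),
    "PARTNER_VPN_OUTBOUND": ip.ip_network("10.51.0.0/24"),
}
INSIDE_LAN = OBJ["PRIVATE"]  # subnet the inside hosts sit on

# Twice-NAT rules as (real_src, mapped_src, mapped_dst, real_dst), the object
# order of "source static A B destination static C D" in the ASA command.
RULE_POSTED = ("PRIVATE", "PARTNER_VPN_OUTBOUND", "PARTNER_PRIVATE", "PARTNER_VPN_INBOUND")
RULE_FIXED = ("PRIVATE", "PARTNER_VPN_OUTBOUND", "PARTNER_VPN_INBOUND", "PARTNER_PRIVATE")

# Crypto ACLs as (source network, destination network).
ACL_POSTED = (ip.ip_network("10.0.0.0/24"), ip.ip_network("10.50.0.0/24"))
ACL_FIXED = (ip.ip_network("10.51.0.0/24"), ip.ip_network("10.0.0.0/24"))
ACL_R1 = (ip.ip_network("10.0.0.0/24"), ip.ip_network("10.51.0.0/24"))


def remap(addr, old, new):
    """Static net-to-net translation: keep the host bits, swap the prefix."""
    return ip.ip_address(int(new.network_address) + int(addr) - int(old.network_address))


def trace(src, dst, rule, acl):
    """Follow one packet from an inside host to the crypto decision.

    Returns (verdict, post_nat_src, post_nat_dst); the addresses are None when
    the packet never reaches the NAT step.
    """
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if dst in INSIDE_LAN:
        # The host ARPs for the destination on its own segment, so the
        # ASA never sees the packet.
        return ("stays-on-lan", None, None)
    real_src, mapped_src, mapped_dst, real_dst = (OBJ[name] for name in rule)
    if src not in real_src or dst not in mapped_dst:
        return ("no-twice-nat-match", None, None)
    nat_src = remap(src, real_src, mapped_src)
    nat_dst = remap(dst, mapped_dst, real_dst)
    # The crypto ACL is evaluated on the translated addresses.
    if nat_src in acl[0] and nat_dst in acl[1]:
        return ("encrypted", str(nat_src), str(nat_dst))
    return ("not-interesting", str(nat_src), str(nat_dst))


def mirrors(acl_a, acl_b):
    """Crypto ACLs on the two peers must be mirror images of each other."""
    return acl_a == (acl_b[1], acl_b[0])


if __name__ == "__main__":
    cases = [
        ("posted rule, partner addressed as 10.0.0.20", "10.0.0.20", RULE_POSTED, ACL_POSTED),
        ("posted rule, partner addressed as 10.50.0.20", "10.50.0.20", RULE_POSTED, ACL_POSTED),
        ("fixed rule, posted ACL", "10.50.0.20", RULE_FIXED, ACL_POSTED),
        ("fixed rule, fixed ACL", "10.50.0.20", RULE_FIXED, ACL_FIXED),
    ]
    for label, dst, rule, acl in cases:
        print(f"{label:45} -> {trace('10.0.0.10', dst, rule, acl)}")
    print("fixed ASA ACL mirrors R1 ACL:", mirrors(ACL_FIXED, ACL_R1))
```

Only the corrected rule combined with the post-NAT ACL produces an encrypted flow, and that ACL is also the only one that mirrors R1's `CRYPTO` access list.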

  • Flash through WEBVPN

    Hello

    I have a problem accessing internal pages with Flash through WebVPN. Is there a compatibility issue?

    Thank you

    You can configure the Smart Tunnel feature directly on the iNotes bookmark.  When the user clicks on the bookmark, a connection will be made from the client browser to the iNotes server using the ASA as a proxy.  All traffic for the iNotes session will be sent through the tunnel, bypassing the rewriter.

    Todd

  • Cannot ping remote IP on ASA, not firewall (site-to-site VPN on ASA), configured no proxy, ICMP not inspected, no luck

    Someone help me

    (Q) Unable to ping remote IP on ASA, not firewall, not on PC (site-to-site VPN on ASA), configured no proxy, ICMP not inspected, no luck

    Note - I can ping the PC but not the same-subnet IP on ASA2 L3

    PC---> > ASA1 - ASA2<>

    Hi Matt,

    Let me answer your question in two points:

    • You cannot ping an ASA on an interface other than the one through which you are connected to the ASA.

    For example, ASA1 and ASA2 are connected through their 'outside' interfaces. ASA1 (or any other device on the outside interface) cannot ping/access ASA2 on its (ASA2's) inside interface. The only time this can be overridden is over a VPN tunnel with the "management-access" command configured for the other interface, for example management-access inside

    • A ping from ASA1 to a remote client behind ASA2 won't go over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward the traffic based on its routing table, probably out through its 'outside' interface. Unless that traffic is allowed on ASA2 (using an ACL), it will fail.

    On routers we can source our ping from another interface, but that will not work on the ASA.

  • ASA auth-proxy Radius and downloadable ACLs

    Hello

    I want to have ACLs that decide what traffic to allow after auth-proxy authorization.

    1. What options do I have with ASA + ACS?

    2. Can I use auth-proxy on the ASA with the ACS and RADIUS downloadable ACLs?

    3. Can I use auth-proxy on the ASA with the ACS and RADIUS 01/09/00-cisco-av-pair (will the ASA understand it?)

    4. Can I use auth-proxy on the ASA with ACS auth-proxy attributes and TACACS+ (with ACLs)?

    Thanx

    Hello

    Take a look at this guide to see if that helps answer your question. You can use downloadable ACLs or the cisco-av-pair. I have seen that the cisco-av-pair method works a little better because it includes the name of the user who logged in as part of the ACL, which makes troubleshooting easier.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_fwaaa.html#wp1150820

    Thank you

    Tarik Admani

  • Configuration of the ASA to ISA authentication proxy support

    I have an ASA configured for internet and remote VPN termination. I would like to use ISA proxy authentication for remote access VPN clients. Can this be configured on the ASA?

    Topology: Inside ===> ISA ===> ASA ===> Internet network

    David,

    Given that this is a Cisco forum (I could google it, but I'd rather have it recorded directly in the thread), can you tell me what the role of the ISA authentication proxy is, and how it works?

    Normally proxy authentication (auth-proxy on routers and cut-through proxy on firewalls) is transparent to other devices in the network.

  • Firepower ASA Web Proxy services

    I was wondering, is it possible to configure an HTTP and HTTPS web proxy on the ASA with FirePOWER services?

    Kind regards

    Caesar

    It inspects HTTP inline and not as a proxy server.

    We are limited in how much we can do with HTTPS because as of the current version (5.4) we cannot do SSL decryption on the FirePOWER modules.

    If you are asking about the FirePOWER module itself, it can be configured to use a proxy server for its external communication.

  • VPN IPSEC ASA with overlap proxy-ID

    All,

    Currently I have a VPN from a single-network ASA spoke to a single ASA hub, so I set up my access lists so that the source is specific to the spoke (for example 192.168.1.0/24) and I use the keyword "any" for the destination.  I need to add a few more VPN connections, so can I just add lower inside specific networks to any instruction in the crypto map?  See below.

    outside_10_cryptomap list extended access allowed object-group home-networks-networks another ip

    outside_20_cryptomap list of allowed ip extended access object-group network inside everything

    crypto map outside_map 10 match address outside_10_cryptomap

    crypto map outside_map 10 set peer 1.1.1.1

    crypto map outside_map 10 set transform-set ESP-3DES-MD5

    crypto map outside_map 20 match address outside_20_cryptomap

    crypto map outside_map 20 set peer 2.2.2.2

    crypto map outside_map 20 set transform-set ESP-3DES-MD5

    Gregory

    Now I come to think of it, I remember a problem with less specific entries in the ACL before more specific entries.

    So it should work, but you must make sure that the most specific comes before the less specific, which you seem to have done with your config.

    Jon

  • Firefox will not load pages, and none of the steps in the support help section work. I need a real person to help. Reset, reloading, Proxy, Firewall...

    I went through all the fixes above after receiving the following message: "unable to connect".

    Firefox can't establish a connection to the server at www.msn.com.

       The site could be temporarily unavailable or too busy. Try again in a few moments.
       If you are unable to load any pages, check your computer's network connection.
       If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web."
    

    I reset, I checked the proxy (for no), I checked the firewall (enabled for FF), I uninstalled/reinstalled, I ran malware check (negative). I'm at my wit's end because I NEED FF for applications work which will not come through IE because of the policy of the company. I need serious help or I'm screwed.

    FF worked perfectly up until a week ago. Now, it starts on the homepage of FF but goes no further, even in safe mode. What gives?

    I uninstalled Chrome, same.

    Hello, normally these problems are caused by a security/firewall software which does not recognize and therefore blocks the new versions of firefox. Please try to remove all the program rules for firefox in your firewall and let it detect the program again: problems connecting to websites after Firefox update

  • Allow Exchange (SMTP) server by ASA 8.2 (5)

    Please help me! Tomorrow, I have to go to a customer site and configure the firewall to allow traffic from the server through it.

    I am CCIE Routing & Switching certified, but I do not have enough hands-on experience with the ASA.

    Here is the running configuration of the firewall

    QLC-11-FW-1# sh run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname QLC-11-FW-1
    enable password 42Vosoeb.xpDtu0m encrypted
    passwd 42Vosoeb.xpDtu0m encrypted
    names
    name 10.10.128.0 comments
    name 10.10.129.0 Guest_Wirless
    name 10.10.0.0 Internal_Networks
    !
    interface Ethernet0/0
     description "connection to BB-1-Gi2/5"
     nameif outside
     security-level 0
     ip address 10.10.102.254 255.255.255.0
    !
    interface Ethernet0/1
     description "connection to the BB-1-Gi2/3"
     nameif inside
     security-level 100
     ip address 10.10.101.254 255.255.255.0
    !
    interface Ethernet0/2
     description "connection to the BB-1-Gi2/7"
     nameif DMZ
     security-level 50
     ip address 10.10.103.254 255.255.255.0
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    object-group network invited
     network-object comments 255.255.255.0
     network-object Guest_Wirless 255.255.255.0
    object-group service Guest_services
     service-object icmp echo
     service-object icmp echo-reply
     service-object tcp eq www
     service-object tcp eq https
     service-object udp eq domain
    access-list splitTunnelAcl standard permit Internal_Networks 255.255.0.0
    access-list outside_in extended permit icmp any any
    access-list ips_traffic extended permit ip any any
    access-list inside_access_in extended permit object-group Guest_services object-group invited any
    access-list inside_access_in extended deny ip object-group invited any
    access-list inside_access_in extended permit ip Internal_Networks 255.255.0.0 any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool ra_users 10.10.104.10-10.10.104.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group outside_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.102.250 1
    route inside Internal_Networks 255.255.0.0 10.10.101.10 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http Internal_Networks 255.255.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set distance esp - esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map ra_dynamic 10 set transform-set remote control
    crypto map ra 10 ipsec-isakmp dynamic ra_dynamic
    crypto map ra interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh Internal_Networks 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GP internal
    group-policy GP attributes
     dns-server value 212.77.192.60
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value splitTunnelAcl
    username admin password gXmhyPjHxCEshixG encrypted privilege 15
    username ahmed password vDClM3sGVs2igaOA encrypted
    tunnel-group GP type remote-access
    tunnel-group GP general-attributes
     address-pool ra_users
     default-group-policy GP
    tunnel-group GP ipsec-attributes
     pre-shared-key *****
    !
    class-map ips_traffic_class
     match access-list ips_traffic
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
     class ips_traffic_class
      IPS inline help
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:57e5e9b117c38869a93a645f88309571
    : end

    Thank you

    So I don't see any NAT configuration here, so I guess it's either a private WAN or you have a router upstream doing NAT?  If no NAT is required on the ASA, it should be as simple as

    access-list outside_in extended permit tcp any host <mail server> eq smtp

  • Site to site VPN - impossible to reach the other side ASA

    Hello

    Recently, I replaced a Juniper with a Cisco ASA 5505 firewall in a branch. This branch has a site-to-site VPN to the head office. The firewall at Headquarters is a Juniper and is managed by a third party. I have configured the ASA and replaced the Juniper. Everything at the branch works, and it can reach all subnets and servers. As far as the users are concerned, there is no problem.

    But from corporate headquarters, I am unable to reach this ASA on the data or management interface. See the image, I am unable to ping or reach networks 192.168.10.0 and 192.168.200.0 or any other subnet 10.15.8.0 to Headquarters. However, I can ping computers at the branch office which are in the same subnet as the data interface.

    Could you guys help me, as I need to reach the branch ASA from headquarters? I have allowed all networks on both sides on the inside and the outside interface. I also created a NAT rule as below. Have I configured NAT wrong?

    nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static HO_Subnets HO_Subnets no-proxy-arp route-lookup
    !
    nat (inside,outside) after-auto source dynamic obj_any interface

    DIWA

    This information is useful. Are you trying to SSH to the inside address or the management address? May I suggest that we focus for now on access to inside? After we get this working, we can look at access via management.

    It does not appear in what you posted, but I'm not sure if it might be something that you removed before posting. Do you have management-access configured? If not, may I suggest that you add management-access inside to the config.

    HTH

    Rick

  • Cisco ASA firewall connections not timing out

    Hello

    I see that connections established through the ASA are not getting deleted from the connection table.

    Globally, I set the conn timeout on the firewall, but I do not see idle connections timing out and being removed from the connection table.

    !

    timeout conn 01:10 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 01:30 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00

    !

    Here are some of the connections that are observed for longer than the configured timeout.

    UDP dmz1 y.y.y.y:162 inside x.x.x.x:162, idle 227:28:39, bytes 9946115, flags -

    TCP dmz1 z.z.z.z:22 inside x.x.x.x:64880, idle 243:16:17, bytes 13755432, flags UI

    UDP dmz1 y.y.y.y:162 inside x.x.x.x:49962, idle 640:41:09, bytes 1599882, flags -

    TCP dmz1 a.a.a.a:22 inside x.x.x.x:56750, idle 600:06:46, bytes 148361, flags UIO

    Some connections have the flag set that says the connection is up, whereas many don't have any flags set at all (empty).

    I'm running 9.1(2) code.

    Hello Sanjay

    The behavior that you note does not seem normal, given that the device is configured with specific timeouts.

    I suggest you check the following defect, which is reported for the ASA.

    Here is a link to the defect:

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCuh13899/?reffering_site...

    It could be useful...

    Thank you

    RS

  • ASA 5555-X with FirePOWER module and URL redirect to WSA

    My question is related to the flow of traffic with an ASA 5555-X with the FirePOWER services module and a WCCP redirect to a WSA device.

    I think that the traffic flow should occur as follows:

    Traffic http--> ASA--> FP IPS--> WCCP in the WSA Proxy--> (Internet cloud)

    In this way the IPS could identify all clients before traffic hits the WSA proxy.

    So the question is: does the service policy on the ASA get processed before the WCCP redirect? Is this configurable? Or does the ASA process the WCCP redirect before the service policy routes traffic through the ASA?

    Are there any guides that go into the details of this scenario?

    Thank you

    David

    David,

    There is no plan to integrate WSA with ASA/FirePOWER or FTD. Each has strengths and serves customers with different requirements.

    WSA, as you know, offers deep customization and rich reporting for web filtering. However, it is limited to http/80 and https/443. FirePOWER is an easy solution if you already use it for NGIPS and/or malware protection. It lacks some of the reporting features of the WSA (although FMC can be highly customized if you dig deep).

    There is also OpenDNS to consider, if its capabilities appeal to you.
