static in the firewall

Hi all

My acquaintance said the static statement used on the ASA is two-way. In this case, if it is used so that web surfers can access a server, does this mean that the server is also able to initiate connections to the outside using this alone?

If so, is there a way to deny the server the ability to initiate connections to the outside through this static?

Thank you.

Use ACL
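As an added illustration (not part of the original thread), here is how the two commands interact on an ASA using the pre-8.3 syntax the question refers to: the static creates the address translation in both directions, and the access-lists decide which side may open a connection through it. The server address 192.168.1.10, the public address 203.0.113.10, the test host 198.51.100.5 and the ACL names are placeholders.

```cisco
! Added example, not from the thread. All addresses and names are placeholders.
! Pre-8.3 "static" syntax, as in the question.
!
! 1. Two-way translation: 203.0.113.10 <-> 192.168.1.10. This alone permits nothing;
!    it only fixes the mapping used when a connection is allowed in either direction.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! 2. Inbound: only HTTP/HTTPS from the Internet may reach the server.
!    (pre-8.3: the outside ACL references the mapped/public address)
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! 3. Outbound: the server may not start sessions towards the outside, other
!    inside hosts may. Without an inside ACL, 100 -> 0 is permitted by default,
!    which is why the static "looks" two-way.
access-list INSIDE_IN extended deny ip host 192.168.1.10 any log
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! 8.3 and later: the same translation as object NAT. The outside ACL then
! references the real address 192.168.1.10 instead of 203.0.113.10.
object network WEB_SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
!
! Verification (placeholders again):
!   show xlate            -> the static translation is present in both cases
!   packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 80  -> ALLOW
!   packet-tracer input inside  tcp 192.168.1.10 1025 198.51.100.5 80  -> DROP (INSIDE_IN)
!   show logging | include 192.168.1.10   -> the logged denies show attempts by the server
```

Replies to connections that the outside opened are matched against the existing connection entry and are not re-evaluated against INSIDE_IN, so the deny on the server's address stops only sessions that the server itself initiates. The remaining inside hosts still need a nat/global pair (omitted here) to reach the Internet.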

Tags: Cisco Security

Similar Questions

  • Remote access to manage the firewall does not work

    I can't connect remotely with ASDM; it works very well on the management port. I can't SSH remotely to the ASA either.

    I have an IPsec L2L VPN with a SonicWall working to the 192.168.1.0 subnet. It connects on the outside interface.

    I have AnyConnect SSL VPN working. Remote users connect their browser to the outside interface, click AnyConnect and are directed to their subnet by a bookmark.

    I can connect to the outside interface with an IPsec VPN client and then use SSH to manage my switches in the DMZ and inside.

    On site, I can manage the firewall when directly connected to the management interface (the console works too).

    But I can't remotely manage the ASA itself! My config is attached. Any help will be appreciated!

    Hello

    Since you have the 'management-access inside' command configured, you will need to connect to the inside interface IP when you access the device through the VPN, rather than the outside IP address. However, you are also hitting the following bug in 8.4(2):

    CSCtr16184 - To-the-box traffic switches vpn hosts after upgrade to 8.4.2

    To fix it, you must add the keyword 'route-lookup' at the end of the following NAT rules (anything that overlaps your inside interface subnet):

    nat (inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup

    nat (inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-172.16.32.0 obj-172.16.32.0 no-proxy-arp route-lookup

    nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup

    Hope that helps.

    -Mike

  • Site-to-site VPN tunnel - cannot ping the second inside interface (inside2) of the peer firewall

    I have two ASA 5505 firewalls, each with a base license: FWa and FWb. Currently there is a working VPN tunnel between them. I added a second interface (inside2) to firewall FWb, but I can't ping it from firewall FWa, although I can ping the inside interface of FWb.

    I can ping the FWb inside interface 192.168.20.1 from the FWa inside interface 172.16.1.1, but I cannot ping the FWb inside2 interface 10.52.100.10 from FWa. I also cannot ping the gateway host 10.52.100.1 from FWa.

    Below I show the essential configuration of the two firewalls, as well as the debug icmp output on both firewalls when I ping the inside and inside2 interfaces of FWb from FWa.
    =========================================================

    Here is a skeleton of the FWa configuration:

    name 172.16.1.0 inside-network
    name 192.168.20.0 HprCnc Thesys
    name 10.52.100.0 ring52-network
    name 10.53.100.0 ring53-network
    name S.S.S.S outside-interface

    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.16.1.1 255.255.255.0
    !
    interface Vlan2
     description Connection to VLAN 777 to work around the static Comcast external modem and IP address
     nameif outside
     security-level 0
     ip address outside-interface 255.255.255.240

    object-group network DM_INLINE_NETWORK_5
     network-object HprCnc Thesys 255.255.255.0
     network-object ring52-network 255.255.255.0
     network-object ring53-network 255.255.255.0

    object-group network DM_INLINE_NETWORK_3
     network-object ring52-network 255.255.255.0
     network-object HprCnc Thesys 255.255.255.0
     network-object ring53-network 255.255.255.0

    access-list Outside_5_cryptomap extended permit ip host outside-interface object-group DM_INLINE_NETWORK_3
    access-list inside_nat_outbound extended permit ip inside-network 255.255.255.0 object-group DM_INLINE_NETWORK_5
    access-list Outside_nat0_outbound extended permit ip host 173.162.149.72 aus_asx_uat 255.255.255.0

    nat (inside) 0 access-list sheep
    nat (inside) 101 access-list inside_nat_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list Outside_nat0_outbound

    crypto map VPN 5 match address Outside_5_cryptomap
    crypto map VPN 5 set pfs group1
    crypto map VPN 5 set peer D.D.D.D
    crypto map VPN 5 set transform-set VPN
    tunnel-group D.D.D.D type ipsec-l2l
    tunnel-group D.D.D.D ipsec-attributes
     pre-shared-key *

    =========================================================

    FWb:

    name 10.52.100.0 ring52-network
    name 10.53.100.0 ring53-network
    name 10.51.100.0 ring51-network
    name 10.54.100.0 ring54-network

    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.20.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address D.D.D.D 255.255.255.240
    !
    interface Vlan52
     no forward interface Vlan1
     nameif inside2
     security-level 100
     ip address 10.52.100.10 255.255.255.0

    object-group network DM_INLINE_NETWORK_3
     network-object ring52-network 255.255.255.0
     network-object ring53-network 255.255.255.0

    object-group network DM_INLINE_NETWORK_2
     network-object ring52-network 255.255.255.0
     network-object 192.168.20.0 255.255.255.0
     network-object ring53-network 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 host S.S.S.S
    access-list inside2_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 host S.S.S.S

    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 host S.S.S.S

    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside2) 0 access-list inside2_nat0_outbound
    nat (inside2) 1 0.0.0.0 0.0.0.0

    route inside2 ring51-network 255.255.255.0 10.52.100.1 1
    route inside2 ring53-network 255.255.255.0 10.52.100.1 1
    route inside2 ring54-network 255.255.255.0 10.52.100.1 1

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer S.S.S.S
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside

    tunnel-group S.S.S.S type ipsec-l2l
    tunnel-group S.S.S.S ipsec-attributes
     pre-shared-key *

    =========================================================================
    I turned on 'debug icmp trace' on both firewalls and could see the traffic arriving at the inside2 interface, but it never returns to FWa.

    Successful ping from FWa to the inside interface of FWb

    FWa# ping 192.168.20.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
    ICMP echo request from outside-interface to 192.168.20.1 ID=32068 seq=23510 len=72
    ! ICMP echo reply from 192.168.20.1 to outside-interface ID=32068 seq=23510 len=72
    ....

    FWb#
    ICMP echo request from S.S.S.S to 192.168.20.1 ID=32068 seq=23510 len=72
    ICMP echo reply from 192.168.20.1 to S.S.S.S ID=32068 seq=23510 len=72
    ==============================================================================
    Successful ping from FWa to a host connected to the inside interface of FWb

    FWa# ping 192.168.20.15
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.20.15, timeout is 2 seconds:
    ICMP echo request from outside-interface to 192.168.20.15 ID=50862 seq=18608 len=72
    ! ICMP echo reply from 192.168.20.15 to outside-interface ID=50862 seq=18608 len=72
    ...

    FWb#
    ICMP echo request from outside:S.S.S.S to inside:192.168.20.15 ID=50862 seq=18608 len=72
    ICMP echo reply from inside:192.168.20.15 to outside:S.S.S.S ID=50862 seq=18608 len=72

    ===========================
    Unsuccessful ping from FWa to the inside2 interface of FWb

    FWa# ping 10.52.100.10
    Sending 5, 100-byte ICMP Echos to 10.52.100.10, timeout is 2 seconds:
    ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
    ? ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
    ...

    FWb#
    ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
    ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
    ....

    ==================================================================================

    Unsuccessful ping from FWa to a host connected to the inside2 interface of FWb

    FWa# ping 10.52.100.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.52.100.1, timeout is 2 seconds:
    ICMP echo request from outside-interface to 10.52.100.1 ID=11842 seq=15799 len=72

    FWb#
    ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72
    ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72

    =======================

    Thank you

    Hi odelaporte2,

    Most probably the 'management-access' command is not applied to the second inside interface, only to the primary inside (check 'show run' to confirm).

    This command can only be applied to one interface at a time; for example, if it is currently applied to inside, it cannot be applied to inside2 at the same time.

    Hope it helps.

    -Randy-

  • Cannot ping across the firewall

    I set up the ASA in a GNS3 lab, but I can't ping through the firewall from the inside interface to the outside interface. Here's my running-config... I don't know what I'm missing. If anyone can find out what it is, that would be nice.

    show run
    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0
     nameif inside
     security-level 100
     ip address 10.0.0.2 255.255.255.0
    !
    interface GigabitEthernet1
     nameif outside
     security-level 0
     ip address 4.2.2.2 255.255.255.0
    !
    interface GigabitEthernet2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    pager lines 24
    logging enable
    logging timestamp
    logging buffered informational
    logging trap informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
    route inside 172.16.0.0 255.255.254.0 10.0.0.1 1
    route outside 172.16.2.0 255.255.254.0 10.0.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:d6838a5cc1c3620ba830e7d745eaf9a1
    : end

    After thinking about it twice, it's clear. I wrote "change it" because it is good practice, but with an ASA on the other side, it is necessary.

    If you use the egress interface as the destination of a route, the router must be able to ARP for the destination IP (for each one that is used) to obtain the L2 address of the next hop. The other side (the ASA in your scenario) must have proxy-ARP enabled for this, because the request is not for one of its configured addresses.

    If you configure an IP address as the next hop, the router only needs the L2 address of the next-hop IP address used in the static route.
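The two kinds of static route the answer above contrasts, written out as an added example (not from the thread). The router is IOS, its link to the ASA is 10.0.1.0/24 with the router at 10.0.1.2 and the ASA outside interface at 10.0.1.1, and the network behind the ASA is 192.168.10.0/24; all of these are placeholders.

```cisco
! Added example, not from the thread. Addresses and interface names are placeholders.
!
! Router side (IOS). Variant A: route pointing at an interface.
! The router treats every destination (e.g. 192.168.10.5) as directly connected and
! sends an ARP request for that host on GigabitEthernet0/0. The ASA only answers if
! it proxy-ARPs for addresses it does not own; otherwise the ARP entry stays
! incomplete and the packet is never forwarded.
ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0
!
! Variant B: route pointing at a next-hop address.
! The router only needs the MAC of 10.0.1.1, which the ASA always answers for.
no ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.10.0 255.255.255.0 10.0.1.1
!
! How to see the difference on the router:
!   show ip arp            -> with variant A, one "Incomplete" entry per destination host
!   debug arp              -> shows the unanswered requests for 192.168.10.x
!
! On the ASA, proxy ARP on the outside interface can be switched off with
!   sysopt noproxyarp outside
! which is exactly the setting that makes variant A fail and leaves variant B working.
```

Variant B is also the safer default from a hardening point of view: it does not depend on the neighbour answering ARP for addresses it does not own, so disabling proxy ARP on the firewall (a common hardening step) cannot silently break the route.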

  • PIX 501 as the firewall for a web server

    Hello

    At the suggestion of a colleague, we bought a PIX 501 firewall to protect our new Win2003 web server and a UNIX/Oracle DB server.

    I've never worked with firewalls before.

    Our servers are located in a cage at the ISP and belong to us. There are only two servers providing the web site. I have read the documentation in the Getting Started book and it does not answer my question.

    We have 2 web sites with different IP numbers on our web server. Let's say 140.5.5.4 and 140.5.5.5. I understand that I will have to redefine the numbers behind the firewall (192.x...), but I do not understand how the routers at the ISP will be able to route requests for the two web sites to the firewall when it has one IP number, say 140.5.5.1?

    Any help is appreciated.

    Thank you, Jerry

    Jerry,

    What you are referring to is called port forwarding. Say you have a PIX with the public IP address 12.1.1.1 and your web servers are 12.1.1.2 and 12.1.1.3 respectively. Port forwarding is really a 2-step process:

    * a static translation from the public IP address of the PIX (12.1.1.1) to the address of the web server (12.1.1.2)...

    static (inside,outside) tcp 12.1.1.1 www 12.1.1.2 www netmask 255.255.255.255 0 0

    * a conduit statement saying basically "all web requests should be allowed in on the outside interface of the PIX"...

    conduit permit tcp host 12.1.1.1 eq www any

    Here is a link that will help you to clarify this point:

    www.Cisco.com/warp/Customer/707/28.html

    This should help you get started. For the basic configuration, look at the config examples on the Cisco site, if you have CCO access.

    Let me know if it helps.

    Rob H.
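Jerry's actual case, two public addresses for two sites behind a single PIX, as an added example that is not part of Rob's answer or of Cisco's documentation. It uses PIX 6.x syntax with the access-list/access-group pair that replaced the conduit command, and it answers the routing question in the original post: the ISP routes the whole public block to the PIX, and the PIX answers ARP on the outside interface for every public address that has a static, so no extra interface or address is needed. Jerry's addresses 140.5.5.x are kept; the private addresses 192.168.1.x are placeholders.

```cisco
! Added example, not from the thread. PIX 6.x syntax; 192.168.1.x addresses are placeholders.
!
! The ISP routes 140.5.5.0/29 towards 140.5.5.1. The PIX proxy-ARPs for .4 and .5
! because statics exist for them, so the ISP router delivers those packets to the PIX.
ip address outside 140.5.5.1 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
!
! One static per public address. Port-level statics forward only TCP/80, so the
! server's other ports are never reachable from the Internet even if an ACL is loosened.
! The web server keeps two private addresses, one per site.
static (inside,outside) tcp 140.5.5.4 www 192.168.1.4 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 140.5.5.5 www 192.168.1.5 www netmask 255.255.255.255 0 0
!
! Modern replacement for "conduit": an access-list bound to the outside interface.
! On PIX 6.x the outside ACL references the public (mapped) addresses.
access-list OUTSIDE_IN permit tcp any host 140.5.5.4 eq www
access-list OUTSIDE_IN permit tcp any host 140.5.5.5 eq www
access-group OUTSIDE_IN in interface outside
!
! The UNIX/Oracle DB server (placeholder 192.168.1.20) gets no static at all, so it has
! no public address and nothing on the Internet can reach it; the web server still talks
! to it on the inside segment.
!
! Checks:
!   show static                 -> both port statics listed
!   show access-list OUTSIDE_IN -> hit counts increase when each site is browsed
!   show xlate                  -> translations appear as connections come in
```

Keeping the DB server without a static is the point that matters most for the two-server setup in the question: the static is what gives a host a public identity, and a host without one is unreachable from outside no matter what the access-list says.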

  • Allowed IP addresses in the ESXi 5.5 firewall do not work

    Hello to all users of the VMware communities,

    I am new to managing and using VMware.

    Recently, we bought a server with VMware vSphere ESXi 5.5.

    It is hosted at an ISP, with a public IP address on which the VMware management network is configured. By default, all the management ports are open (SSH, web, vSphere Client ports, and a lot more ports I think I won't use...).

    The problem is that I want to protect this host as much as possible. I have no external firewall in front of this host to close unused ports, so I want to use the built-in firewall.

    I am trying to use the "Allowed IP addresses" feature of the integrated ESXi firewall, but it does not work. I want to only allow SSH connections and management via vSphere Client from the static public IP address of my office. I put this IP address in the firewall settings for each service, but apparently it does not work; I can still access all the services.

    Any idea what might be the problem?

    Thank you very much.

    Finally, I found the problem.

    The firewall is disabled!

    I connected to the host by SSH and ran 'esxcli network firewall get' to get the status of the firewall, and after seeing it was disabled, 'esxcli network firewall set --enabled true'.

    I don't know why, but by default in the VMware installation the firewall is disabled.

    After I enabled it, apparently it stays enabled across restarts.

    Thank you everyone (for nothing ;-\)

  • I forgot to turn on the firewall

    After updating Adobe Flash, I forgot to re-activate my firewall. I checked it after noticing that a number of web sites I visited did not appear in my web browser (Firefox). It was late, so I re-enabled the firewall, turned off my iMac and went to bed. The next morning, I'm sending you this from my iPhone. How can I tell if there is malicious software on my iMac?

    Oh! I've also been alerted by a friend that she had received an email "from me", which of course it was not.

    Help!

    marsue

    Try running this program, then copy and paste the result in a reply. The program was created by Etresoft, a regular contributor. Please use copy and paste; screenshots can be difficult to read. On the screen with the options, please open Options and tick the bottom 2 boxes before running it. Click the "Share Report" button in the toolbar, select "Copy to Clipboard" and then paste into a reply. This will show what is running on your computer. No personal information is shown. Alternatively, you can run Malwarebytes.

    EtreCheck - System Information

    Malwarebytes Anti-Malware for Mac 10.8 and later versions

    What should I do if Malwarebytes Anti-Malware for Mac does not solve my problem?

  • Firefox 36.0.1 problems with addon and PMs sent after a firewall notification on Win7

    Yesterday, I had a problem after clicking 2 or 3 times to open the firewall, which asked me to unblock even though I had done so a long time ago. I'm not an admin, but I know the local administrator password that allows me to change things in the control panel. After what happened: HitmanPro alerts that it cannot load when FF opens; pics downloaded with the Picture Picker addon are not saved in the destination folder, even though the message indicates that they were saved; and I also can't send PMs on some sites. I don't know what other damage has been done.

    It seems that the bug in Picture Picker is because of the new FF update (it works in it); it is the same with Facebook Album Downloader. There are numerous answers on their pages. The PM issue is a temporary problem, and IMHO all the things I've encountered are because of the update. I would ask a mod to close my question.

  • Firefox Beta 36 requires the firewall settings to be set at every startup

    Firefox Beta 36 from a few days ago asks to add an exception to the OS X firewall at every startup, even if I accept and enter my administrator credentials, and also if I add Firefox to the firewall settings permanently. It never asked me before the latest beta version.

    I use 10.10.2

    FredMcD said

    Some problems occur when your Internet security program was set up to trust the previous version of Firefox, but no longer recognizes your update as approved. Here is how to solve the problem and allow Firefox to connect to the Internet:

    • Make sure your Internet security software is up-to-date (i.e., you are using the latest version).
    • Remove Firefox from your program's list of approved or recognized programs. For detailed instructions, see

    Configure the firewall so that Firefox can access the Internet. {web link}

    Thanks for the reply, but it's fixed now with the new beta 37.0.

    The previous version of Firefox was not fixed even after I removed Firefox and then re-added it to the firewall exceptions list.

  • Remove the firewall

    Hello

    In the firewall settings there is a list of allowed connections.

    As I granted these connections recently, I want to delete them, but I have no idea how to do that; these connections are not in the list of outgoing connections.

    Hint please?

    If you do not want to allow any incoming connections, tick the box "Block all incoming connections", enable stealth mode and click OK.

  • El Capitan screen sharing does not connect unless the firewall is disabled

    I reinstalled my Mini with El Capitan Server and I cannot connect via Screen Sharing. Screen Sharing is enabled and the application firewall indicates that incoming connections to it are allowed. But the client never connects unless I turn off the firewall. Sniffing the network shows that port 5900 is the problem, but I see no way to specify ports in the application firewall. I do not use the adaptive firewall, and I don't see anything in the pf config that would block 5900. This machine is on the public network; I can't leave it without a firewall, but I cannot figure out how to sort this out.

    Apple's firewall is application-specific, not port-specific.

    Are you using a network utility or a 3rd-party firewall?

    If so, uninstall them to test.

    If not, something else between your Mac and their computer may contribute to the cause, such as the public network itself.

  • Latest version of Firefox cannot make a secure connection without disabling the firewall, why?

    I've upgraded to the latest version of Firefox and now, whenever it goes to a secure connection, it takes forever and doesn't connect, or says that the connection was refused. I'm running PC Tools Firewall and strangely, when I turn off the firewall, it connects. I don't really like that. I tried removing Firefox from the list of applications and adding it again, but it did not help.

    One possible cause is security software (firewall) that blocks or limits Firefox or the plugin-container process without informing you, possibly after detecting changes (an update) to the Firefox program.

    Delete all rules for Firefox and plugin-container in the firewall's permissions list and let your firewall ask again for permission to give full, unlimited access to the Internet to Firefox, plugin-container and the updater process.

    See:

  • cannot access the internet through firefox, IE is ok, checked the firewall settings and network

    Have used Firefox for ages with no problem - this morning, Firefox will not have Internet access - modem and router are fine, Internet Explorer has access just fine. Firefox is configured to use the system proxy settings; tried 'no proxy', which has not worked; checked the Windows and McAfee firewalls, found nothing that should be blocked. Have restarted/rebooted everything.

    This has happened

    Each time Firefox opened

    This morning - last successfully used there at 3:00 - the children, when asked, say that they "did nothing...".

    User Agent

    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

    They did something with Firefox 3.6.8 which currently upsets the McAfee Firewall. Since the upgrade, I get the firewall alert pop-ups. If you click on Block (which your children could have done), then Firefox will be blocked completely.

    If you dig into the McAfee Firewall Tools -> Program Permissions, you will likely find Firefox listed as "blocked".

    On my machine, the entry is for 'Free' only and I now get alerts. I think they will disappear if I switch it to "Full". But I'm reluctant to do this: why should a browser accept incoming connections, why was this change made and what benefit is it for us as users?

  • Satellite P10-504 - cannot turn on the firewall

    Hi friends,

    I'm unable to turn on my firewall; I get the Windows message "cannot start the Windows Firewall/Internet Connection Sharing (ICS) service". I have the Satellite P10-504 with WXP SP3.

    All ideas welcome

    Thank you
    Colin

    There are a few Microsoft Knowledge Base articles on this problem:

    [Some administrative templates of the Windows XP Security Guide can prevent you from starting the Windows Firewall service in Windows XP Service Pack 2: http://support.microsoft.com/kb/892199]

    [You cannot start the Windows Firewall service in Windows XP SP2: http://support.microsoft.com/kb/920074]

    Check both; maybe you can solve it using the workaround described in these articles.

    Good luck

  • Should the firewall on the iMac be turned ON or OFF?

    What is the advantage or disadvantage of having the firewall enabled or disabled?

    There's no advantage in having it.

    Updating the iMac has more benefits.
