Question about Cisco ASA 5520 Firewall

I am trying to block TCP-level access for a particular remote host, but it is not happening since a rule for IP any any is already allowed in my inside access list. How do I block the TCP access while keeping the IP ANY ANY access?

1 Answer


I'll assume you are using Unix, Linux or BSD; you can iptables the IP to 1.1.1.1 or route the IP to 127.0.0.3.

This will disable all access.

Posted on Jun 02, 2010
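The behaviour the question runs into is the ASA's first-match evaluation: an access list is read top down and processing stops at the first entry that matches, so a deny appended after `permit ip any any` is never reached. Below is an added example in ASA configuration syntax, not the answer's own commands; the ACL name inside_access_in, the remote host 203.0.113.10 and the inside client 192.168.1.50 are placeholders I chose.

```cisco
! Added example (constructed): block TCP to one remote host on the ASA while
! keeping "permit ip any any" in the inside ACL.
! Assumptions: the ACL is named inside_access_in and is applied inbound on the
! inside interface; 203.0.113.10 is a placeholder for the remote host.

! Starting point: the broad permit is entry 1, so anything appended after it
! is never evaluated (first match wins).
!   access-list inside_access_in extended permit ip any any
!   access-group inside_access_in in interface inside

! Wrong: appended after the permit, this deny is dead and its hitcnt stays 0.
!   access-list inside_access_in extended deny tcp any host 203.0.113.10

! Right: the "line" keyword inserts the deny ahead of the permit.
! "log" makes each blocked attempt visible in syslog (message 106023).
access-list inside_access_in line 1 extended deny tcp any host 203.0.113.10 log

! Verify the order and watch the hit counter on the new entry.
show access-list inside_access_in

! Simulate an inside client reaching the blocked host on TCP/80 without
! sending real traffic; the ACCESS-LIST phase should report DROP.
packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.10 80
```

Two practical notes: connections to that host that were already in the connection table keep flowing until they time out or are cleared (`clear conn address 203.0.113.10` on releases that support the address filter), and `deny tcp` leaves UDP and ICMP to the remote host permitted; use `deny ip` if the intent is to cut off the host entirely.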


Related Questions:

1 Answer

On my computer I don't have a hosts file in the system32/drivers/etc/ folder. I would like to block some websites; what should I do?


This is a very generalized question (more information would be useful) as the Windows Firewall exists in different versions and has different capabilities with each version, etc.
(Assuming you're running Windows 7, and you're ONLY wanting to use the Windows Firewall) The short answer is: sort of. You can deny access to an IP address, which would in turn deny access to any websites hosted on that IP address. This rule would apply to any application attempting to connect to that IP address. (Windows 7 has the only Windows Firewall that blocks outbound connections.) The only fly in that ointment is that most companies of any large scale have many IP addresses, all of which serve pages for that website. Yes, you can block them all, but it's really an excessive amount of work.
(If you don't mind getting your hands dirty) you can also modify the hosts file (c:\windows\system32\drivers\etc\hosts) and put a bogus entry in there for the domain in question, but a lot of anti-virus software with some level of heuristics will identify this as some sort of suspicious activity, and others will silently wipe out any changes you make.
The third option is to invest in a router that has some sort of content-filtering options (there are quite a few out there that work quite well and aren't too expensive), or look at software like NetNanny or other solutions like OpenDNS to provide whatever level of filtering you require.
answered Apr 13 '11 at 20:50 by TheCompWiz

First of all, go to the Command Prompt and ping the URL to get the IP address of that website:
Ping example.com and you get the IP address of the website:
Pinging example.com [93.184.216.119] with 32 bytes of data:
Reply from 93.184.216.119: bytes=32 time=287ms TTL=43
Reply from 93.184.216.119: bytes=32 time=286ms TTL=43
Reply from 93.184.216.119: bytes=32 time=285ms TTL=43
Reply from 93.184.216.119: bytes=32 time=294ms TTL=43
Ping statistics for 93.184.216.119:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 285ms, Maximum = 294ms, Average = 288ms

Go to Control Panel > Windows Firewall > on the left side click Advanced Settings.
Go to Outbound Rules and on the right side click New Rule.
  • In the New Outbound Rule Wizard select Custom and click Next.
  • In the Program screen select All programs and click Next.
  • In Protocol and Ports leave the default settings and click Next.
  • In the Scope screen, under "Which remote IP addresses does this rule apply to?", select These IP addresses and click the Add button.
  • In the IP Address dialog, under "This IP address or subnet:", enter the IP address of the website, click OK and then click Next.
  • In the Action screen select Block the connection and click Next.
  • In the Profile screen leave all 3 check boxes selected and click Next.
  • In the Name screen choose a name for the rule and click Finish.
    Test what you did by entering the URL you want in any browser.
    Good luck!

Aug 18, 2015 | Computers & Internet

1 Answer

Firewall Rules


You don't want a new rule; you want an exception to the first rule. Start reading here: Open port in Windows Firewall (Windows Help).

Jul 29, 2014 | Microsoft Windows 7 Professional Upgrade...

1 Answer

Unable to access mail server from outside my office


I have no idea what firewall you are using. Your posting is lacking crucial detail and that makes this almost impossible to answer. However, I use a Cisco 5520 in a data center and I host my own Exchange server. This is what you have to do to allow inbound and outbound SMTP traffic in that type of environment.

name (Internal IP here) Exchange description Internal mail server

access-list Inside_access_in remark Allow internal Exchange Server to send SMTP email outbound.
access-list Inside_access_in extended permit tcp host (Internal IP Here) any eq smtp

access-list outside_access_in remark Allow external entities to send SMTP email to Exchange Server
access-list outside_access_in extended permit tcp any host (Public IP Here) eq smtp

Hope this helps you.
Brian

Jun 29, 2010 | SonicWALL NSA 3500 (01-SSC-7016) Firewall

1 Answer

Remote access DVR through dydns


The host name does not reside in DNS. Try accessing with the external public IP address.

Jan 20, 2010 | 2wire 2700HG-B Router (2700HGB)

1 Answer

How do you unblock your computer with a D-Link DIR-628 router? My brother blocks me and I'm trying to play some Team Fortress 2. My connection just dies because he blocked the router at the worst times. Is...


You can do port forwarding first; remember, to configure the router you have to log in as an administrator.

Type this in your browser's address bar.
http://192.168.0.1
Log in.

These are the ports
Steamclient1: 27000 - 27020
Steamclient2: 27020 - 27050
SteamServ: 27015

Do it like this (at your own risk: port forwarding may be vulnerable).

This will allow you to open a single port or a range of ports.
Port Forwarding
Enter a name for the rule or select an application from the drop-down menu. Select an application and click << to populate the fields.
Enter the IP address of the computer on your local network that you want to allow the incoming service to. If your computer is receiving an IP address automatically from the router (DHCP), your computer will be listed in the "Computer Name" drop-down menu. Select your computer and click <<.
Enter the TCP and/or UDP port or ports that you want to open. You can enter a single port or a range of ports. Separate ports with a comma.
Example: 24,1009,3000-4000
Select Allow All (most common) or a created Inbound filter. You may create your own inbound filters in the Advanced > Inbound Filter page.
The schedule of time when the Virtual Server Rule will be enabled. The schedule may be set to Always, which will allow the particular service to always be enabled. You can create your own times in the Tools > Schedules section.

You can also add application rules

Name: Enter a name for the rule. You may select a pre-defined application from the drop-down menu and click <<.
This is the port used to trigger the application. It can be either a single port or a range of ports.
Select the protocol of the trigger port (TCP, UDP, or Both).
This is the port number on the Internet side that will be used to access the application. You may define a single port or a range of ports. You can use a comma to add multiple ports or port ranges.
Select the protocol of the firewall port (TCP, UDP, or Both).
The schedule of time when the Application Rule will be enabled. The schedule may be set to Always, which will allow the particular service to always be enabled. You can create your own times in the Tools > Schedules section.

Your brother may be filtering your MAC address (network card address).
Check from Advanced -> MAC Address Filtering.
Turn it off.

You can set a policy also to prevent this.

Here's how

Go to Advanced-> Add policy of your router configuration page.

Do the following

Click the Add Policy button to start the Access Control Wizard.
Click Next to continue with the wizard.
Enter a name for the policy and then click Next to continue.
Select a schedule (I.E. Always) from the drop-down menu and then click Next to continue.
Enter the following information and then click Next to continue.
• Address Type - Select IP address, MAC address, or Other Machines.
• IP Address - Enter the IP address of the computer you want to apply the rule to.

(To find the MAC address: click Start, then Run, then type cmd in the text box. Type ipconfig /all in the Command Prompt window. The 12-digit Physical Address is the MAC address.)

Select the filtering method and then click Next to continue.
Access Control Wizard (continued)
Enter the rule:
Enable - Check to enable the rule.
Name - Enter a name for your rule.
Dest IP Start - Enter the starting IP address.
Dest IP End - Enter the ending IP address.
Protocol - Select the protocol.
Dest Port Start - Enter the starting port number.
Dest Port End - Enter the ending port number.
To enable web logging, click Enable.
Click Save to save the access control rule.

Go to Tools -> Syslog to create a new user. You can create an admin account here.

You can download the manual of the router from here.
If this is helpful to you, please rate this :)
Thanks :) Wish You Luck

Jun 16, 2009 | D-Link DIR-625 (790069292637) Wireless...

1 Answer

Belkin 54G wireless router... can't find it on the net. Need to port forward to host blizzard.net games. HELP!


Make sure your private IP address is statically set. Your public IP address is obtained from your ISP and is what other users will be connecting to. You cannot manipulate your public IP address, so if your ISP is running DHCP it is very possible that your public address is changing. Also, if you are frequently disconnecting your modem, it is possible your ISP is leasing you a new public IP address each time. So try to keep things as static as possible. As far as the Battle.net stuff:

Diablo, Warcraft II Battle.net Edition, and StarCraft:
Allow port 6112-6119 TCP and UDP out and in
Diablo II:
Allow port 6112 TCP out and allow established sessions in
Allow port 4000 TCP out (realm games)
Allow port 4000 TCP out and in (hosting open games only)
Warcraft III:
Allow port 6112 TCP out and allow established sessions in
Allow port 6112 TCP in (hosting custom games)
Allow port 6113-6119 TCP out and in (hosting custom games if you've changed the default port in the Options/Gameplay screen)
If you are still having problems after you open up the required ports, try opening 116 (TCP) and 118 (TCP). I don't really know if these ports are required or not.
I have had people tell me that opening up those two ports has helped them connect to Battle.net.


Hope that helps.  For manipulating ports in your router I suggest consulting your user manual, or online FAQ.  Save your router config before applying any changes, and always remember, opening up ports subjects you to different types of security threats so be aware that is a risk you are taking.

Mar 12, 2009 | Belkin Computers & Internet

2 Answers

PIX 515E: allow a few websites only.


Do an nslookup for the three websites and write an access list to permit the traffic only to those website IP addresses.

Eg.

1. Go to the DOS prompt

2. Type "nslookup"

3. Type "www.rediff.com"

Note: You will get the IP address of the website

4. Create an object group for these websites

5. Add the IP addresses of the websites

6. Create an access-control list entry to permit the traffic from your circle office to this object group for TCP ports 80 and 443

You are done

Mar 09, 2009 | Cisco PIX 515E Firewall
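Steps 4 to 6 of the answer above, written out as an added example in ASA/PIX 7.x-style configuration syntax (this is not the answer's own configuration). Assumed placeholders: 10.1.1.0/24 for the office LAN, 198.51.100.20 and .21 for the addresses nslookup returned, 203.0.113.53 for an external DNS server, and inside_access_in for the ACL name.

```cisco
! Added example (constructed): permit HTTP/HTTPS from one internal subnet
! only to a few web servers and deny everything else.
! Assumes ASA/PIX 7.x or later syntax; on PIX 6.3 drop the "extended" keyword.

! Steps 4-5: one object-group holds the resolved site addresses, so adding a
! site later means adding a host here, not editing the ACL.
object-group network allowed-websites
 network-object host 198.51.100.20
 network-object host 198.51.100.21

! A service group for the two web ports keeps the permit to a single entry.
object-group service web-ports tcp
 port-object eq www
 port-object eq https

! If clients resolve names through a DNS server on the far side of the
! firewall, that lookup must be permitted too, otherwise nothing loads.
access-list inside_access_in extended permit udp 10.1.1.0 255.255.255.0 host 203.0.113.53 eq domain

! Step 6: only that subnet, only to those hosts, only on those ports.
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 object-group allowed-websites object-group web-ports

! Explicit, logged deny: the implicit deny at the end of every ACL drops
! silently, so this makes blocked attempts visible in syslog.
access-list inside_access_in extended deny ip any any log

access-group inside_access_in in interface inside

! Confirm the entries are in the expected order and which ones take hits.
show access-list inside_access_in
```

One caveat worth planning for: the nslookup answers are a snapshot. Large sites answer from many addresses and CDNs rotate them, so a hand-built object-group drifts out of date and users start seeing intermittent failures; check the deny counters in `show access-list` when that happens and refresh the group.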

1 Answer

Problems with DMZ-outside (webpage), PIX


Remove this line:

static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0

You don't need a translation going from a lower security level to a higher one. You will also need a nat line for the DMZ so that PCs on the DMZ will be translated outbound. The only connection that will work on the DMZ is the web server when it's sending traffic outbound with a source port of 80. Something like:

nat (DMZ) 101 10.10.0.0 255.255.255.0

Other than that, it looks like it should be working. You've got permission, a route, and a translation. Maybe "clear local-host 10.10.0.2" to get rid of any bad xlates and try again. Check debug-level syslogs, run packet captures, "clear asp drop" then "show asp drop" after an attempt?

Feb 28, 2009 | Cisco PIX Firewall 506

1 Answer

Cisco ASA 5505 problem


You seem to have the last resort (0.0.0.0) set to VLAN1, which is set as an inside interface.
Is VLAN1 connected to the outside router or internet backbone?
If not, change the last resort to the outside Ethernet port.

Apr 16, 2008 | Cisco ASA 5500 Firewall

1 Answer

VPN error 800


Resolutions:
1) If you have a firewall, open TCP port 1723 and IP protocol 47 (GRE).
2) Make sure you can reach the VPN server by using ping. Sometimes a poor connection can cause this issue too.
3) You may need to update the firmware on a router or firewall if other OSes (Win9x/NT/ME/W2K) work except XP.
4) The VPN server may not be able to get an IP from DHCP for the VPN client, so you may want to re-configure the VPN host networking settings. For an XP Pro VPN host, go to the Properties of the VPN > Network, check "Specify TCP/IP address" and "Allow calling computer to specify its own IP address", and uncheck "Assign TCP/IP addresses automatically using DHCP".
5) Make sure no other security software blocks your access; for example, if you use Norton security software, you may need to add the remote client's IP so that the client can access.
6) If your VPN is running on Windows RRAS with NAT enabled, you may want to check the NAT settings.
7) If you can establish the VPN from the desktop at home but not from the laptop, make sure no security software like Microsoft OneCare blocks the GRE.

Oct 01, 2007 | Acer Aspire 5100 Notebook
