Cisco :: 5500 - Count Bytes For Some Interesting Traffic Crossing Firewall In It?
Mar 20, 2013
I need to count the bytes for some interesting traffic crossing the firewall in ASA 5500. Packet Capture is so far as I need, cause I only need the number of bytes during a long time for about 3 months (source host - destination host)
capture capin type raw-data access-list cap buffer 33554432 interface inside circular-buffer [Capturing - 33553570 bytes]
I need to get only the exactly amount of "33553570 bytes" The pcap file is not needed
View 6 Replies
ADVERTISEMENT
Feb 9, 2013
I am having trouble making my remote access vpn decrypt traffic. I am using an ASA5510 and the cisco 5.0 vpn client. I have no problem getting the tunnel to come up. But the "decrypted traffic" stays zero and the "discarded traffic" increments continuously.Here is the ASA5510 crypto config:OK I guess this site doesn't allow pasting text so I attached the config.I am pretty sure that I can't pass traffic because I have not been able to figure out how to specify the interesting traffic for the vpn connection. What is the syntax for this? It looks like it should be some kind of tunnel- group commands.
Am I the only one who thinks that the Cisco documentation is worthless on this subject? The ASA config guide gives you everything you need to set up a tunnel, but has absolutely nothing on the config required to actually pass traffic.
View 3 Replies
View Related
Feb 2, 2013
I have issue with ipsec vpn between Cisco 1841 & Cisco asa5500, packets are getting encrypt on both end but both end the decrypt count is 0.
View 7 Replies
View Related
Sep 25, 2011
Running an ASA 5500, and using ASDM to connect. I need to view the historical metrics in graph form for traffic overview, that is shown on the firewall dashboard. I have enabled historical data, but all I see the 5 minute intervals.
View 4 Replies
View Related
Oct 9, 2012
I am currently getting a strange error when trying to use and crypto services on our ASA 5520 (8.0.3)Initially I observed that a connected VPN had dropped.Then when I attempted to use ASDM or SSH I was blocked.
In the end I opened telnet as a test and this was successful. Syslog also shows that traffic is passing as normal.The only obvious error I can see when observing various debug traces is this;
FW02# CTM: rsa session with no priority allocated @ 0xCF1FBBA0
CTM: Session 0xCF1FBBA0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: rsa context allocated for session 0xCF1FBBA0
CTM: rsa session with no priority allocated @ 0xCE7A5EA8
[code]....
View 5 Replies
View Related
Mar 6, 2011
ASA v 8.2What does the ACL hit count count ? I always thought that the acl hitcount counted the numbers of packets hitting that line in the ACL, however that is not the case. if I setup a icmp permit rule then that will only increment 1 even if I send 4 packets that hits the line. udp and tcp seems to do the same. is there some way I can make the ACL actually count the packets that hits ? where can I learn more about this ?
View 4 Replies
View Related
Nov 7, 2012
I have several working VPNs between ASAs 8.4 and 8.3The way this was set up is with cryptomaps that match whole subnets and ACL on the outside interface to permit from/to the RFC 1918 addresses.I notice that the hit count is zero on these rules and so I wonder if they are actually necessary or doing anything.If they are not where can an acl be applied to restrict the VPN traffic? Outbound on the inside interface?
View 1 Replies
View Related
Apr 15, 2012
We have configured our ASA5540 in active-standby failover.We are observing that current active session count is twice of session count before configuring HA. Earlier average active session was 50000 and now after HA it is around 100000. Failover configuration of both firewall are as follows
failover
failover lan unit primary
failover lan interface FOLan GigabitEthernet1/0
failover polltime unit 15 holdtime 45
failover replication http
failover link StateLink GigabitEthernet1/1
failover interface ip FOLan 10.3.3.1 255.255.255.0 standby 10.3.3.2
[code]....
View 3 Replies
View Related
Feb 10, 2011
I have been trying to conect a Cisco VPN client through an ASA and it makes the connection but doesn't allow any traffic through. The ASA does have a site to site VPN attached to the outside interface.I suppose the first question is it possible to allow VPN client to connect through an ASA 5500 from the inside network when there are Site to Site VPN's already attached to the outside interfaces?If possible then what have I missed. I have tried adding NAT exempt for the traffic between the internal networks and "an IPSEC pass thru Inspect Map".
View 4 Replies
View Related
Feb 9, 2012
We are running a ASA5520 with system image of "disk0:/asa843-k8.bin". I'm also running ASDM ver: 6.4(7)So my question is while I'm in the ASDM on the configuration of the firewall, I'm looking at the Access Rules. When I do a show log on any of the rules that have hit counts on them, it opens up a Real-Time Log Viewer but I don't see any information. It's not showing anything, nothing appears, it just sit's there like it's waiting but no data is coming. Even though if I go back out to all the rules, I can see the hit count incrementing. The same thing happens no matter which rule I pick with hit counts on them.
View 1 Replies
View Related
Sep 4, 2012
I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context.
View 1 Replies
View Related
Feb 14, 2012
At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
Result of the command: "show activation-key"
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
The flash activation key is the SAME as the running key.
View 2 Replies
View Related
Nov 11, 2012
I restored the HA pair back to Active/Standby.
1 remaining issue.
I have 3 IPsec Site-to_SIte tunnels.
I noticed that when the NEW UNIT becomes ACTIVE that I am unable to pass traffic over the VPN tunnels.When I failback I am able to pass traffic.
View 7 Replies
View Related
Feb 23, 2012
Every link and guide i see about stacking two 3750 switch , the port 1 is connected to port 2 on the other switch and vice versa
i mean you can connect port 1 to port 1 on the other and connect their port 2 to each other
1- is it any benefit in the cross connection ?
2- do i encounter any problem if i stack a 24ts with a 48ts or a 12s-s (all are 3750)
3-i stacked two switches with each other and the ports became 1/0/* and 2/0/* and then i removed stack but on second switch the ports are still 2/0* !! when there is only one switch the interfaces should be 1/0/*
View 4 Replies
View Related
May 16, 2013
I'm trying to configure Cisco 1262 AP's to allow me to use the 2.4 gHz radio for client access and the 5.x radio for the repeater connection back to a root AP connected to a LAN.
I have already configured the AP's to associate with each other via the 5.x radio, and have a client connected to the repeater AP via the 2.4 gHz radio. From my laptop on the LAN, I can connect to the repeater AP, but I cannot ping nor otherwise communicate with the distant client.
When I use the 2.4 gHz radio for repeater mode, clients that connect to the repeater AP can be seen and communicated with.Is there something special that needs to be done to get my desired scenario to work?All radios are members of bridge group 1.
View 5 Replies
View Related
Jan 20, 2013
I have a Nexus 5500 which is the core of our network and we have access layer switches uplinked to it. I know by default the qos markings will be trusted.
1. On a trunk uplink from an access layer switch to the Nexus, I have "mls qos trust dscp". Will the DSCP marking be preserved when it reaches the Nexus?
2. How do I do prioritization of voice traffic on an uplink on Nexus based on DSCP EF?
View 3 Replies
View Related
Apr 16, 2012
Two computers (XP and Win7) connected on office LAN, cisco 2960, not same switches, but all in the same rack, and link togeter, same IP subnet, tried to copy some kind of 26G files from one to another, using Windows share folders, and it showed need 23 hours to finish the copying.It's not the first time, actually we always experienced very slow speed when copying files on Windows share folders. Did not see any particualler message on the switch. ports are all full/100m.
View 9 Replies
View Related
Feb 28, 2010
Can any ASA 5500 in particular the ASA5510 firewall support jumbo frames (i.e. greater than the default standard 1500 Bytes frames)?. I plan to use the ASAs to setup a point-to-point IPSec tunnel and need an Application frame of 4Kbytes intact and not segment it.I have done little checking on the Cisco Website and see it mention of Jumbo frames on the 5580 on 10Gig interface but didn't see mention 5510. 5580s are way over-kill and expensive for what I need is to run a mission critical one IPSec point-to-point with maximum of no more than 100Kbps so 5510 is perfect for me but not sure if it can carry the jumbo frame?
On the routers and switches it's the MTU settings and they are configurable per interface and I am OK and the circuit is T1 which the Telcos said it's OK since it's physical layer so the only unkown is the firewall.
View 2 Replies
View Related
Jan 25, 2012
I purchased the license P/N: ASA-CSC20-250U-1Y with Description: ASA 5500 CSC-SSM-20 250-User License Only Renewal (1-year)
But I had a mistake because I need support to 500 users. Now, to solve my mistake I want to know Do I can purchase another ASA-CSC20-250U-1Y to provide the 500 users suppor?
I mean, ¿are two (2) ASA-CSC20-250U-1Y equivalent to the 500 user license listed below?P/N, ASA-CSC20-500U-1Y with Description: ASA 5500 CSC-SSM-20 500-User License Only Renewal (1-year)
View 1 Replies
View Related
May 7, 2012
I have a functioning site-to-site VPN between two ASA 5505 appiances. Sub-net on one side is 192.168.20.0/24 (inside I/F) and on the other side is 192.168.30.0/24 (inside I/F). VPN is built over public Internet (outside I/Fs of those two ASAs).
Now I connected another subnet on 192.168.30.0/24 - e.g. 192.168.35.0/24. Traffic from 192.168.30.0 subnet is routed to 192.168.35.0 via Gateway at 192.168.30.250 IP.
My task is to make packets from 192.168.20.0 subnet to go to 192.168.35.0 subnet and vice versa.
I setup a static route on 20.0 ASA's Inside interface as 192.168.35.0 255.255.255.0 to 192.168.30.250. I also created NAT examptions for outbound packets from 20.0 to 35.0 and inbound as well. I also added destination network of 35.0 to VPN cryptomap traffic selection (on both ASAs).
View 2 Replies
View Related
Nov 21, 2012
Is it configurable to allow wifi user to user traffic on WLC 5508?
View 4 Replies
View Related
Mar 10, 2011
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies
View Related
Nov 27, 2012
I am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is applied to outside interface (called internet in my case) for incoming traffic
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped
View 3 Replies
View Related
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
View 2 Replies
View Related
Jan 2, 2013
I have a problem with my vpn between two ASAs, I review the running config of two devices, but I couldnt see anything out of normal.As you can see in the image the VPN is up, but in the ASA 5510 I don't have Bytes Rx (ZERO), I tried to config again two ASAs but I have the same trouble.
View 19 Replies
View Related
Feb 12, 2011
For the last 3 weeks or so (right around the time I upgraded to IE8), my computer has been receiving a ridiculous number of bytes compared to what it sends.Within 5-10 minutes of logging on (I still use dialup), a check on the status shows around 100,000 bytes sent and over 2,000,000 received.I've been online for around 40 minutes, and it currently shows 650,000 sent (23% compression rate) and over 5,000,000 received (4% compression rate).Of course, the browser starts lagging and freezing after a while, which I assume is from the large number of bytes being received.
At the same time, there's a noticeable lag when I try to run programs, even when offline. For example,I click on my ISP connection and nothing happens for 5-6 seconds, then the dialog box appears. This is something that's never happened before. I'm running XP Home and no one else has access to my computer.I'm using the standard Windows firewall.I've run my AV and spyware programs multiple times (nothing found), cleaned my temporary files and cookies, even adjusted the FIFO buffers (the last thing I tried was turning the buffers off). I've been running Disk Cleanup everyday (which lags and runs slower than ever before), but it doesn't solve anything.I don't know how to adjust the compression rate for bytes received to see if that works.
View 4 Replies
View Related
Aug 13, 2012
i have to open ports for vedio conferencing in my Firewall configuration ,
View 1 Replies
View Related
Jun 14, 2011
I have two ASA 5510 with Security Plus license and Shared SSL VPN licensing enabled.
The problem is that the client get “Session could not be established: session limit of 25 reached” but ther is only 6 ssl vpn user connected with AnyConnect.The software on the firewall’s is 8.2(1)Is there any BUG in this software related to this problem?
View 1 Replies
View Related
Oct 22, 2012
Why do i have 0 bytes of free space on my cd rom??
View 1 Replies
View Related
Mar 5, 2012
I have an ASA 5500 Firewall. I need to figure out how to log all events using Port 25 to determine if there are any rogue devices on our network. I was trying to figure out how to do this via the Real-Time Monitoring (filter) but have had no success.
View 1 Replies
View Related
Jun 6, 2012
I have an issue with a Cisco ASA 5520. It seems to block some emails incoming from some recipients. The sender's mail server clearly reports my ASA as cause of the problem (see attached image). Unfortunately I have not the logs about that event and the time frame to close this issue is very narrow.
View 5 Replies
View Related
Nov 20, 2011
We have to set up voip for our network(for 50 phones not he cisco phones).
I need to just the route the voip traffic to gateway address of telephonic company(1.1.5.7) where they provide us the connectivity for the setination call.
What sort of protocols should i have to enable in pix i saw the concepts like sip, h323, ras, skinny.
We are using only voip for asa and no data or other traffic should be allowed.
inside adrees: 10.10.10.0/24 for all voip phones
outside:121.21.22.1
telephoneic gateway: 1.1.5.7
View 1 Replies
View Related
Oct 23, 2011
Is there a way to shut down the AUX port on the ASA?
View 1 Replies
View Related
