Cisco Firewall :: 5510 - Multiple ASA Configs For Cold Spare
Oct 2, 2012
I have a few sites all running Cisco ASA 5510s. They all share the same ASA (8.4(4)1) and ASDM (6.4.9) version, but their configs differ significantly. I have a cold spare sitting in my office in the event we have a physical failure. Is there a quick and simple way I can load up multiple configs and then boot up the cold spare to then run the config from Site_A or Site_B? Just looking for a quick solution rather than doing a full restore should something fail spectacularly. Nice to say upon bootup, using confreg perhaps, to boot the Site_A config rather than Site_C.
Oct 8, 2012
How to convert your PIX configs to an ASA 8.X? [code]
Feb 5, 2012
I need to create a firewalled segment that not only separates hosts from the general population, but also from each other. The solitary confinement of firewalled segments. I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses. Is there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6
VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1
VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN. I'm working with an ASA 5510 running 8.2.4(4).
Mar 26, 2013
I have an ASA5510 that is connected to outside for WAN, inside for LAN (10.22.254.0/24), and an iSCSI switch plugged into Ethernet 0/3 (10.22.244.0/24). I can ping the Eth0/3 interface (10.22.244.1) but I can't ping across that interface from the WAN or LAN side.
START CONFIGURATION
ASA Version 9.1(1)
!
hostname ASA5510
[Code].....
Feb 27, 2013
I'm having a bit of trouble determining the best way to do this... I have 12 VLANs set up (sub-interfaces on a redundant group of two NICs) on my ASA 5510. On several of these, I want them to be able to access the internet but not access other VLANs.
By default, they have a rule like "any to any less secure", and since the outside interface has a lower security level, this works great. But if I create an ACL on the interface, this rule disappears. I can restore internet access by adding an "any to any" or "(this interface's subnet) to any" rule, but this seems to imply that it allows access to any VLAN. Do I have to create a set of "deny" rules for each VLAN, on each VLAN, followed by an any-any rule to allow internet access, or is there a cleaner approach?
Feb 7, 2013
I've two Cisco ASA5510s with 4 FastEthernet interfaces each. They are connected as below:
[code]...
to three different ISPs, each of them! The 4th interface of each of them is connected to the internal LAN network. Both firewalls offer VPN services to ISP connections on Fa0/0.
How can I achieve high availability for this scenario? Is it possible to implement some high availability and to offer the actual services on each of them, in case the other firewall fails? What about using sub-interfaces? Can I connect both ISP and customer links on one or each of them, so that in case firewall01 fails, all the services are online on firewall02?
Jan 13, 2013
Is it possible to have the same VLAN on multiple interfaces on ASA 5510 and higher models?
Dec 2, 2010
I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124) and another I would like to NAT to an internal server (e.g. 192.168.0.3 > 123.123.123.125). On my ASA 5505 this seemed fairly straightforward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static NAT to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through, so I'm assuming that the use of additional public IP addresses is not handled in the same way as on the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, whereas this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? I'm doing the config via ASDM.
Everything else seems to be OK, i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
Oct 19, 2011
I am running an ASA 5510 in multiple context mode. IOS 6.4(2), ASDM 6.4(5)106.
In older IOS/ASDM versions it was possible to back up the configuration using ASDM.
In 6.4(5)106 I am missing this feature (see attachment).
Is it possible to back up a multiple context firewall using ASDM and the above mentioned software versions?
Apr 8, 2011
Can I have on an ASA 5510 multiple pools and multiple group authentication for various departments, along with restricted access if any?
May 15, 2013
I am trying to set up on my ASA5510 the failover of the ISP when it can't ping three different IPs. I created three different trackings to three different IPs using sla monitor & track rtr. But when I do
route isp2 0 0 yy.yy.yy.yy 50
route isp1 0 0 xx.xx.xx.xx 31 track 1
route isp1 0 0 xx.xx.xx.xx 32 track 2
route isp1 0 0 xx.xx.xx.xx 33 track 3
the last route will replace the previous two and only the last route command takes effect. Is there any way I can set up the failover to ISP2 only when it can't ping three different IPs from ISP1?
Jul 13, 2011
Is there a way to restore the device to factory settings? I tried the reset button with a paper clip.
Feb 20, 2012
I am working on replacing our Checkpoint firewalls with ASAs, and am running into the following NAT problem. On some of our Checkpoints, there are external NATs that are mapped to multiple internal hosts based on ports. Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
May 14, 2013
Is there a way to associate spare firewall ports with another port that is being used? For example, int gi 0/2 is being used currently for my web DMZ. Its IP is 192.168.10.1. Is there a way for me to associate gi 0/3 with the same layer 2 as gi 0/2?
In my web DMZ I use 2 ACE 4710 proxies in FT mode. I used a layer 2 switch to connect the firewall and proxies together.
I would like to eliminate this switch if possible and connect both 4710s (layer 2) directly to the firewall. If I could make gi0/2 - 4 part of the same VLAN, then I would be good to go.
Oct 10, 2012
I have an ASA 5510 at our corporate HQ that has one site-to-site VPN. I need to add 6 additional site-to-site VPNs to this ASA for our remote branches. How can I add them without affecting the existing site-to-site VPN? The 6 site-to-site VPNs will all have the same settings, however these settings are different from the existing site-to-site that I already have set up. How can I set it up so the 6 additional VPNs use their own crypto map and all use the same settings?
Apr 28, 2011
When pushing configs using TFTP, for example using CiscoWorks, does it push out an entire new config or does it just edit specific changes?
Mar 21, 2011
We set up both a site-to-site VPN and Remote Access VPN client on a VPN 3005 Concentrator. We want to migrate all the configs to the new ASA 5540. Do you recommend that we migrate all the configurations for the VPN client first before setting up the site-to-site VPN on the ASA, or does it not make any difference?
Mar 4, 2012
We have 55 of the 1841 routers here, and one of them always boots to ROMMON from a very cold (down 1 hour or more) start. The image on all 55 is c1841-ipbasek9-mz.124-24.T4.bin. 32 MB Cisco brand flash. Here's what's been done thus far:
- In ROMMON changed to 0x2102. Then 'reset' and the image boots fine. Change config-reg to 0x2102. Save config. Reload and image boots fine again. Wait an hour or more and it boots to ROMMON.
- Boot from ROMMON to USBflash0: Format the CF then copy over the bin file. Change to 0x2102 and save. Reload and image boots fine again. Wait an hour or more and it boots to ROMMON.
- Swapped CF with another unit. Again, works fine to reload, but shut down and restart an hour or more later and it boots to ROMMON. Format this CF and copy over image while on router. Image boots fine. Wait an hour or more and it boots to ROMMON.
In each case of very cold start the configuration register has reverted to 0x0 (why it boots to ROMMON). Tried dx mode with 0x8001. Nothing seen that is unusual to me, but I'm not an expert by any means. It doesn't seem to be a CF card problem, but could be a connection to the CF card and then something behind that.
Here is the output of diagnostic boot mode:
Cisco 1841 (revision 7.0) with 116736K/14336K bytes of memory.
Processor board ID FTX1231W0JA
2 FastEthernet interfaces
2 Low-speed serial(sync/async) interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
[code].....
Feb 1, 2012
I have a 5520 running 8.4 and I would like to activate a previously saved configuration without reloading the 5520.
Dec 22, 2011
I am having issue with a RV082 with firmware:
v4.1.0.02-tm (Sep 16 2011 18:40:48)
On setup 1 I have: Using 2 WAN, 1 from fiber 5mbps symmetric fixed public IP and the other is DSL private dynamic DHCP address 3mbps/900kbps.
On setup 2 I have: Using 1 WAN, from fiber 5mbps symmetric fixed public IP. Both routers have the exact same firewall configuration, subnet and port forwarding, and we have the second backup DSL coming in a few days for setup 2. On both setups, the RV082 is the main internet gateway/firewall for a set of servers...
Setup 1 works perfectly and has been online for 2 weeks (since install) without issue.
Setup 2 worked for 2 days then had to be rebooted, then worked for a few days then needed a reboot, now it looks like it needs to be rebooted every day. The internet just stops working and a simple reboot does the trick... also, when that happens I can still remote into servers that have ports forwarded in the router or connect to the router management port, but internet on the servers is down... I tried OpenDNS and Google DNS on both WAN connections and still no luck. I have followed instructions on various support forums:
-more reliable dns server
-lower MTU
-failover vs load balance
-disabling SPI and DoS protection
At this point I'm about to swap both routers to see if it's not defective hardware, or disconnect the DSL WAN on setup 1 to see if it's more stable, but the whole point of installing this router was for Internet redundancy, which so far doesn't work as expected.
Apr 23, 2013
My customer uses WS-C3560G-48TS-E switches in air traffic control systems. A requirement for one project is that the entire system be up and running in under five minutes. The WS-C3560G-48TS-E and its replacement - WS-C3560X-48T-E with C3KX-NM-1G - take about four minutes to start up. With other devices added in they exceed their required startup time. They also use WS-C3560V2-48TS-E switches which take about two minutes to start up, but they want the GE.
1) Is there a way to improve the start up time in the WS-C3560G-48TS-E and WS-C3560X-48T-E switches?
2) Is there another Catalyst switch with similar specifications to the WS-C3560G-48TS-E and WS-C3560X-48T-E that has a quicker start up time?
May 31, 2012
I am seeing SNMP coldstart traps that either are delayed by many hours or are false (e.g. right after receiving the coldstart trap a query to sysUptime shows the node's been up for days). I've seen this twice this week in a new network environment for me for two different C2900s running C2900-UNIVERSALK9-M Version 15.0(1)M3. Assuming the coldstart traps are coming from the actual source nodes, I am curious what could be going on here.
1) One guess I have is that possibly a system clock change could cause the SNMP agent to send a false cold start trap. Then my guess is in the device log I should see a system time change syslog message.
2) I recall hearing once that syslog and possibly trap messages are held in a configurable buffer whose default value is 1 and if not sent are held and then suffer a delayed send. Is it true for both traps and syslog? In the past I assumed this was simply the logging history buffer and applicable to syslog traps only. My assumption in the past was that the last trap or last syslog message is sometimes held on reload and sent immediately after restart regardless of device connectivity to the management target.
I always assumed coldstart traps are never delayed for any reason and that they were pretty accurate substitutes for system reload syslog messages. Does anyone know any reason for false or delayed coldstart traps on a C2900 with IOS 15.0(1)?
Dec 2, 2012
I have a client that is using an ASA5510 and would like to make some changes.
Current config:
- int 0/0 - external connection (T1) with multiple VPN site-to-site tunnels and VPN client tunnels
- int 0/1 - Internal (10 network)
Proposed config:
- add cable internet to int 0/3
- route default internet traffic to cable internet
- leave VPN tunnels on T1
- failover internet in the event of cable internet outage (using tracking)
Would one or both of these options work? If so, what is the better way to do it?
Dec 21, 2011
I found a server and a couple of switches not being used. My supervisor let me use that hardware to learn about networking with a condition to never take it live. However, I am new to networking and don't know what to do with it. Currently I am working on the Network+ certification. Right now it is more about knowledge than the certification itself.
Aug 20, 2012
I am trying to enable a second WAN interface on our ASA. The end goal is to move all internet traffic to the new connection, but first I want to test it working. I have set up my computer as an object in the ASDM and the interface is configured correctly (same settings on a different router and that was working). I set up a route with a lower metric (1 lower than the default route which routes everything through the current main internet interface) to route traffic from my computer out through the new interface but I am still connected on the old interface. I duplicated some of the NAT rules (but I would have thought if these weren't working then I would have no internet connection anyway).
Mar 3, 2013
We have ordered a new 4507 chassis with a supervisor engine. We have also ordered a spare supervisor engine. As per Cisco documentation the WS-X45-SUP7L-E is shipped with a default IP Base license. My question is whether this is an e-delivery or a paper-based license. The Cisco documentation also states that we can use the same license to upgrade both the redundant and active supervisor from LAN Base to IP Base.
Apr 30, 2012
Currently I have an ASA 5510 set up with one block of outside IP addresses. Everything is working fine in regards to my initial setup. However we needed to purchase additional IPs from our provider and ended up with a completely different block. Where I am getting stuck is getting the new IPs to NAT to inside addresses.
Jan 23, 2012
I'm looking to establish multiple L2L IPsec tunnels (one tunnel for each subnet) from my Cisco ASA 5510 to the same destination. Is the Cisco ASA capable of this?
Sep 9, 2012
I would like to create two site-to-site VPNs, one for data and one for VoIP, between the same sites. One end is an ASA 5510 and the other is a third party firewall. Is this possible if I use different sets of IP addresses for each tunnel?
Nov 9, 2011
I use a Cisco ASA 5510 with the AnyConnect VPN for remote workers. Now we want to give access to a select group of consultants who only need access to one server and block everything else.
I was thinking this could be done by creating a separate AnyConnect Connection Profile on the ASA. From that new connection will come a new GroupPolicy with an ACL to only allow access to the one system. That GroupPolicy will point to the RADIUS server looking for an account in a specific MemberOf group.
My question is - could you explain how the ASA knows what Connection Profile to use when a user tries to authenticate? Does it automatically hunt down each Connection Profile until there is a username match via RADIUS in the Connection Profile?
Oct 5, 2012
My laptop has 2 Ethernet ports and receives the internet via one of those Ethernet ports. Can I plug an Ethernet lead from the spare port on my laptop into a wireless router and create a wireless network (via the internet from my laptop)? Is this possible and how do I do it?
Mar 28, 2011
- My landlord has his modem/router connected by a wire that runs downstairs to my desktop computer; and my desktop computer's internet is excellent.
- I have a laptop in the other room that is connected wirelessly to my landlord's router with poor internet strength.
- I have a spare Linksys Wireless-G broadband router that is not being used.
How can I use this router to increase the signal strength on my laptop in the other room?
Oct 18, 2012
Due to special circumstances we have 2 ISP links on an ASA5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP Link, eg below:
LOCAL FIREWALL
crypto map outside-map_isp1 20 match address VPN_ACL_A
crypto map outside-map_isp1 20 set peer 1.1.1.1
crypto map outside-map_isp1 20 set transform-set TS-Generic
crypto map outside-map_isp2 30 match address VPN_ACL_B
crypto map outside-map_isp2 30 set peer 3.3.3.3
crypto map outside-map_isp2 30 set transform-set TS-Generic
crypto map outside-map-isp1 interface ISP_1
crypto map outside-map-isp2 interface ISP_2
crypto isakmp enable ISP_1
crypto isakmp enable ISP_2
route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254
route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254
Establishing the VPN tunnels in either direction when using ISP_1 works fine, establishing in either direction from remote access users and multiple L2L tunnels (only showing one for example).
On ISP_2
1. Peer 3.3.3.3 device establishes a VPN tunnel, but the return traffic does NOT get back to devices on 3.3.3.3 tunnel.
2. The local firewall does NOT establish a VPN tunnel going to 3.3.3.3
It would seem to indicate that the problem lies with this multihomed firewall not directing the traffic correctly, either to return down an established VPN tunnel (point 1) or to initiate a tunnel if none exists (point 2).
Reconfiguring the VPN tunnel peer for 3.3.3.3 to be on ISP_1 of the local firewall, all springs into life! There are sufficient licenses etc...