Cisco Firewall :: 5510 Inspect SIP Dropping Request Message Packets

Mar 17, 2011

I have 2 ASA 5510 firewalls at 2 different sites. Both running on version 8.0.4. Users are using an Instant Messaging type of application provided by a local telco here which is able to send and receive SMS using SIP (from the packet capture that I've done).
 
When users use the IM in site A, they are able to send and receive text messages via the IM from behind the firewall. However, when the users are in site B, users are able to send out text messages but not able to receive them.
 
I noticed that when I remove "inspect sip" from site-B's global policy map, users from site-B can successfully receive text messages. I have confirmed that it is the firewall that drops the packets as I have captured the inside and outside interfaces of site-B's ASA and I can see the incoming sip "request: MESSAGE" packet on the outside interface but I do not see the packet exiting the inside interface.
 
I have cross-checked both firewall configurations, and I do not see any suspicious commands relating to SIP that might cause this issue. Is there any command to troubleshoot why the SIP inspection is dropping the SIP packets on site B?


Cisco Firewall :: Enable Inspect Http On ASA 5510?

Feb 15, 2012

How do I enable inspect http on the ASA 5510 so that URL information populates in the syslogs?


Cisco Firewall :: ASA 5510 Can't Inspect And Intercept For HTTPS Traffic

Feb 23, 2011

I want to block some social networking sites using the ASA 5510-CSC-SSM. As I searched, I came to know that the ASA 5510 can't inspect and intercept HTTPS traffic because it is encrypted while traversing through the ASA. I want the ASA to function for HTTPS too, not only HTTP. Can I perform this task by updating any software on the existing device?


Cisco Firewall :: HTTP Inspect In ASA 5510 Messes Up SVN Authentication

May 13, 2013

I have a strange problem in my ASA 5510 firewall. I turned on an HTTP inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use a simple web browser to access the svn server, it works, but any svn-client requests fail with an error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with HTTP inspect off the WebDAV request is answered, but with HTTP inspect on it is rejected with an error unauthorized. Here are examples of success and failed conversation packets:

Success:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk  {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk  {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}
4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk  {HTTP:3, TCP:2, IPv4:1}
 
Failure:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}
6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}
 
Packet #4 is the actual differentiator.

I found one mention of that error with this assessment: "Older firewall/proxies do not understand the WebDAV related HTTP requests for accessing Subversion using HTTP" { URL} in that post, but not any useful tips.


Cisco Switching/Routing :: C3825 ISR IP Inspect Dropped Packets?

Oct 31, 2011

I am wanting to log dropped and oop packets on a C3825 ISR with IOS 12.3(11)T3. On other routers (like a 2951 running 151-4.M2) I can state ip inspect log drop-pkt and it will log to buffer or syslog all dropped and oop packets. Can I do this on this 3825 another way?


Cisco Firewall :: ASA5505 Dropping Packets

Apr 30, 2013

I am having an issue where the ASA is dropping packets on the vlan interfaces. I have it as a dedicated router/firewall for a 100mb connection.
 
Vlan1 is the internal network
Vlan2 is the network to cable modem
 
Eth 0/1 is connected to a 2960G switch with hard coded 100mb Full Duplex at each end, this is the inside interface. Eth 0/0 is the connection to the cable modem, this is the outside interface, set at auto at both ends.
 
I'm getting on the vlans e.g. 51253 packets dropped, however network traffic isn't impacted and everything runs fine, as well as 46532 switch ingress policy drops.
 
Example;
 
ciscoasa# sh int vlan1
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 70ca.9b36.ab80, MTU 1500
        IP address 10.x.x.x, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        43250588

[Code]......


Cisco Firewall :: ASA 8.2.4(4) Seems To Be Dropping Valid TCP SYN Packets?

Feb 28, 2012

We have a setup with a MS-TMG - ASA (8.2.4(4) in routing mode) - (internal) Router - FWSM - Router - Exchange with NLB. We have now the problem that IMAPS is not really working through this setup. It works from internal (without ASA and TMG in between), but not reliably through the internet. There is a rule on the ASA which permits the ports from the TMG to the Exchange NLB address. We opened a case with Microsoft and they told us that not all tcp-syn packets which were sent by the TMG are received by the Exchange server. Thus I sniffed on the ASA with a packet capture and indeed, a lot of syn packets were on the interface to the TMG, but not anymore on the interface to the internal router. This ASA also filters all other internet<->company traffic, so there's a lot of stuff running.
 
Maybe it's dropped in the ASP, or is the capture maybe not valid? Here is the show asp drop:

ASA01-Internet# sh asp drop
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                                  1
  Reverse-path verify failed (rpf-violated)                                  319
  Flow is denied by configured rule (acl-drop)                            477077
  First TCP packet not SYN (tcp-not-syn)                                   10212
  TCP data send after FIN (tcp-data-past-fin)                                 41
  TCP failed 3 way handshake (tcp-3whs-failed)                               824
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 1419
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                             6
  TCP SYNACK on established conn (tcp-synack-ooo)                              1
  TCP packet SEQ past window (tcp-seq-past-win)                              821
  TCP invalid ACK

[code]....


Cisco Firewall :: 871 - Default Class Map Is Dropping All Packets

Aug 21, 2012

I have a Cisco 871 router that used to have access list based security. Now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused, especially with the default class part.
 
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working.
 
Guest VLAN has access to 2 IPs in Data for printing.

Cisco871#sh run

Building configuration...
  
Current configuration : 8005 bytes
!
version 12.4
no service pad

[Code].....


Cisco Firewall :: ASA5540 Dropping Packets On Large FTP Transfer

May 23, 2011

I am attempting to FTP to a remote site through an IPSEC tunnel. When I am transferring large files the ASA5540 is showing syslog errors stating "connection timeout". What I think is happening is after about 1 hour the firewall is closing the connection control port for the FTP session and neither end is notified, so eventually the transfer is stopped. What do I need to modify in the FW to accommodate these larger files?


Cisco Routers :: RV042 / Getting Message 400 Bad Request?

Feb 6, 2012

I am getting the message '400 bad request' whenever I try to backup the configuration or export a certificate under Certificate Management.


Cisco Firewall :: ASA 5510 / Dropped Packets In VPN AnyConnect Connections?

Dec 5, 2012

Our Cisco ASA 5510 running 8.4(4)1 just started dropping packets and our AnyConnect clients are seeing horrible performance. The system is extremely slow compared to just a couple days ago. Nothing has changed on the system. I can post the configs if needed.
 
firewall# sho int
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
    Input flow control is unsupported, output flow control is off
    Description: == WAN Interface ==

[code]....
 
I have done a "sho vpn-sessiondb detail svc" and I can see the dropped packets of the individual users, but cannot see why the packets are still dropping. How can I correct this and restore speeds?


Cisco AAA/Identity/Nac :: ACS 5.2 Error Message 5405 RADIUS Request Dropped

Feb 22, 2011

The error message "5405 RADIUS Request dropped", what does it mean? We have implemented 802.1X on a C4506 switch running IOS 12.2(53). It has worked fine for about 3 months but now I get users not able to authenticate. In the logs on the ACS I get the above message.
 
ACS 5.2 is running 5.2.0.26 Build 3075.


Cisco Firewall :: 3825 - ASA 5510 And Edge Router Not Altering SIP Packets

Oct 2, 2012

My SIP provider is not convinced that my ASA and Edge Router are not altering the SIP packets. On the ASA I've removed the inspect SIP and H323. What else needs to be done to make the firewall not mess with the SIP traffic?
 
Packets are flowing in/out. 
 
access-list hbg-outside-198_access_in extended permit udp host <SIP HOST> object sfipoffice_o eq sip
access-list hbg-outside-198_access_in extended permit udp any object hbgipoffice_o gt 49152
access-list hbg-outside-198_access_in extended permit udp any object hbgipoffice_o lt 53246
  
Here are my Policy Maps.
 
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto

[code]...

On the 3825 it's just a pretty simple config that just routes packets from one interface to another, all public addresses, so no NAT on it.


Cisco Firewall :: VPN Setting Keep Dropping On ASA 5510?

Jan 23, 2012

I have a Cisco ASA 5510 firewall. My problem is that when the first VPN connection is established everything is good, but when that connection is cancelled or terminated due to non connectivity, no one can connect to that firewall through that VPN unless that firewall is restarted.


Cisco Firewall :: 5510 / L2L Tunnel Keeps Dropping?

May 15, 2013

I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up in a few minutes. I am trying to see what is causing this to drop.


Cisco Firewall :: ASA-5510 Dropping Outbound SMTP Traffic?

Aug 21, 2011

A recently added outbound rule has left my SMTP communications broken. I have since removed the rule, and had Cisco do some damage control, but it's still dropping some of the SMTP traffic. I get a number of NDR messages each day like the one below:

Your message did not reach some or all of the intended recipients.
Subject: RE: Christopher, Curt
Sent: 8/19/2011 9:38 AM
The following recipient(s) could not be reached:
  
[URL]
on 8/21/2011 9:49 AM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<630.SM.Local #4.4.7>
 
Your message did not reach some or all of the intended recipients. Subject: RE: Christopher Curd Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:   JWillar@email.com on 8/21/2011 9:49 AM  Could not deliver the message in the time limit specified. Please retry or contact your administrator.  <630.SM.Local #4.4.7>
 
I've attached an image of my configuration (ASDM GUI). The part of the image highlighted in green are the SMTP rules. The part highlighted in yellow is another rule that I added about a month ago to block a SYN attack. This rule may be part of the problem because of the order it is in the list. Not sure, though.
 
I have had two Cisco techs Putty into my ASA to check things out. I think they've done all they can. I wonder at this point if it would be wise to just reload the last good running-config I have prior to the Outbound rule being added.


Cisco :: IP Inspect Firewall

Apr 16, 2012

ip inspect firewall should be performing no inspection on traffic traversing an IPSec VPN right?


Cisco WAN :: 3945e Udp Packets Are Dropping

Dec 13, 2012

I have a NAT setup. Some of my udp packets are dropping. How to find more about the NAT to find whether it missed anything or not. the router is 3945e. [code]


Cisco Firewall :: 5510 - Display User Message When User Connects Using AnyConnect Client?

Apr 20, 2009

We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
 
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy?  Can the message be displayed when the action is "Continue" rather than "Terminate"?  I can't seem to get this to work and wondered if there was a LUA function to do this.
 
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.


Cisco Firewall :: Inspect Not Working In ASA5520?

Aug 15, 2012

I have a Cisco ASA5520 box running IOS version 8.2(5)13 where the default policy map is applied globally. But I have not seen any traffic being inspected through the included protocols defined under the policy map. All configuration seems to be OK to me.
 
service-policy global_policy global
 Global policy:
  Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0

[code]....


Cisco VPN :: VPN To Juniper ISG 1000 Dropping Packets

Aug 1, 2012

I have an ASA 5510 with 8.4 connected to an ISG 1000. When traffic is passing, the VPN tunnel is working fine. When the traffic stops, the ASA will drop the packet but the VPN tunnel on the ISG is still up. When new traffic is started from the ISG side, it will drop, as the tunnel is not up on the ASA side.


Cisco WAN :: 800 Router Dropping SMTP Packets

May 29, 2012

We have a Cisco 800 series router between the internal network and the WAN. The problem is we are unable to receive some of our mail due to dropped packets by our router. The conversation between the two servers stops at the point where our server responds with the command 250 2.1.5 user@mydomain.com | 354 Start mail input; end with . I was able to trace the packet, using Packet Export, on the internal interface but not on the external interface. Also I have noticed that the external interface has about 160,000 unknown protocol drops while the internal interface has 0.

Is there any way to find out why the external interface is dropping the packets?


Cisco Switches :: SG300 Is Dropping Packets?

Apr 10, 2012

We have a customer who we sent to Cisco to replace some aging Dell switches. They purchased 5 SG300-52’s for 2 different networks. Their production LAN has 2 “live” switches and 1 spare. The 2nd, a development LAN has 1 switch and 1 spare. Their primary production SG300-52 has GE1-8 VLAN’d off as VLAN2 for public IPs. The untrusted (WAN) interfaces of 2 x ASA-5510’s, 1 x ASA-5505, and 2 x RV082 v2’s are connected to GE2-6. GE1 is the uplink to the co-location center’s Cisco switches. GE7 & 8 are spare ports. Each SG and device port is hard coded for 100/Full.
 
One of the ASA-5510’s and the ASA-5505 maintain a site-to-site VPN (the development LAN used to be in a different facility hence the VPN). Recently the developers have stated the performance is horrible. I noticed ping traffic loss from PCs on the dev side to servers on the production side in the order of 20-30%. I assumed it was a VPN issue so I opened a ticket with Enterprise TAC (all the ASAs and the SGs have either SmartNet or extended support contracts). TAC determined the problem happened even if you ping from inside the ASA to the untrusted side of the other ASA thus eliminating the VPN as the culprit.
 
The 2nd ASA-5510 has the AIP module and was not even live until this weekend. Turning it up and giving it a basic config returned the same results. #ping x.x.x.x repeat 100 will drop 20-40 packets. I have no security enabled on the SGs and even tried using the spare SG300-52 this weekend in place of their primary with the same result. I’m to the point of returning one of the Dell switches to production, but this cannot be a good sign. I’m also a bit frustrated that I’ve yet to figure out how to get Cisco Enterprise to speak with Cisco Small Business on this. The customer has over $10k invested in Cisco equipment and Cisco isn’t jumping in to figure this out.
 
The latest rep wants a packet capture from the SG300’s VLAN2 but there are no PCs there to do this with and the manual doesn’t even talk about doing this. How we can do this as well as get the 2 divisions working together to fix this? BTW, the RV082’s exhibit the SAME exact problem. I can ping from ANY device on VLAN2 to any other device and drop packets. Copying a simple 1MB file over the VPN can take minutes where it should take 1 second. I can reproduce this for 24/7.


Cisco Routers :: RV082 Dropping Packets?

Feb 14, 2013

It appears we might have an issue with our RV082 (v4.2.1.02) dropping packets during the teardown of many TCP conversations.  I have attached two packet captures of what I believe is the same conversation.  One is from outside the router (Wireshark using an Ethernet Tap) and the other is from the client inside the router (SLES11SP2 running TCPDump).  These are both very small captures 9 packets and 18 packets and I'm hoping it will identify the problem.
 
It appears that the RV082 is prematurely closing the natted port used to communicate with the host outside the network. The host sends a FIN, ACK packet, to which the client responds with an ACK. However, when the client then sends his FIN, ACK sequence, it never makes it outside the router. The client sends a total of 9 FIN, ACKs trying to contact the outside server, but none of those appear to make it through the router.
 
Is the router slamming the door prematurely?  (I've been fighting with this problem for 3 weeks now!)
 
Inside Capture:
----------------------
No.     Time                       Source                Destination           Protocol Length Info
1 2013-02-13 19:32:37.827942 192.168.1.45          38.113.116.214        TCP      76     35975 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=635644783 TSecr=0 WS=128

[Code].....


Cisco Firewall :: DNS Through ASA5510 Returns Inspect-DNS-Invalid-PAK

Dec 27, 2011

ASA5510, ASA 8.0(4), ASDM 6.1(5), this is a production ASA with plenty of lookups working through its 3 interfaces - outside, inside, dmz. The problem is a new use. I've segmented a switch on the inside network with a VLAN, and have a workstation routing through the switch to the default VLAN where all other hosts on the inside network reside so far. The ASA inside interface is the default gateway for the inside network. My test workstation can PING inside hosts, so the static route is OK.
 
     ASA 10.1.1.2/16     DNS Server 10.1.5.1/16
                |                                  |
------------------------------------------------------------------
                    |
               Switch 10.1.8.20/16

[code]....
                        
But lookups fail. Wireshark says the test workstation sends, the DNS server receives and responds, but the test workstation never receives. I used the Packet Tracer tool, it gets to the last step saying OK then finally "inspect-dns-invalid-pak". I can't find any more there to tell just what is invalid about it. So I'm trying to figure out global inspection. Here's an extract from the config:
 
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default

[code]....


Cisco VPN :: Srp527 VPN Tunnel Dropping Packets Intermittently

Dec 12, 2012

We have a Cisco ASA and recently purchased a Cisco small business srp527 router. It is connected to our ADSL2 connection and is working fine. I have configured the device with an ipsec tunnel using an ike profile and the tunnel is created successfully with packets traversing the tunnel. However packets are being dropped intermittently, with no cause. The link is currently not being utilised, there is no load on the network, however when I ping Google and any address subject to the rules of the tunnel I notice that a single packet is dropped every now and then.


Cisco WAN :: 1811- MTU 1500 - Router Dropping Certain Packets

Dec 15, 2011

I seem to be having an issue where certain very packets are being dropped/lost by my office router. The reproducible situation is, when I attempt a DNS zone transfer from my linux bind DNS server (A.A.A.A) to any server on my network behind NAT (Y.Y.Y.Y) the first packet (Seq 1) of the response is lost. The client making the query asks for first packet (Seq 1) to be resent, and the DNS server attempts to resend it repeatedly, but those are lost too.


Cisco Switching/Routing :: Why C2960 Is Dropping Packets

Dec 26, 2012

We have a customer who uses about 20 x c2960's switches for access layer and 2 x c3560e for distribution layer. C2960's uses C2960-LANLITEK9-M , Version 12.2(58)SE1. Everything was working fine. Now we got information, that sometimes there are problems with connectivity. Customer tries to reach internet.
 
SW11#sh int fa0/18       
FastEthernet0/18 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is e8ba.806a.4412 (bia e8ba.806a.4412)

[Code].....


Cisco WAN :: Dropping Scavenger Packets On ASR 9000 During Congestion

Aug 6, 2012

I am trying to find a solution using modular QOS: when there is congestion in the circuit we drop packets with WRED which are marked with a DSCP value of say AF21. I can drop that traffic completely in case of congestion. I was thinking to allocate 100% bandwidth to the rest of the traffic.


D-Link DIR-655 :: Dropping Packets While Gaming On Computer

Mar 27, 2012

I bought a DIR-655 less than a year ago on Amazon, and it was working great up until about 4 weeks ago. I've noticed that it has been dropping a lot of packets while I am gaming on my computer. I would run about 95-98 ping usually and now it jitters every 5-10 mins or so from 95-98 to up to 500. It is really troublesome during games and I don't know what to do. I've tried disabling QoS and still nothing. I run on wireless G and N with auto 20/40 MHz. Standard WPA (personal) and it was running absolutely great until now. I know it's the wireless because I have hardwired it into my laptop, both from the router and just the modem itself with no problems whatsoever. I don't know what to do about it.


Cisco Firewall :: ASR 1000 ZBF Can Use Police Action In An Inspect Rule

Mar 23, 2011

I have two questions about ZBF on ASR1000 with Firewall and Flexible Packet Inspection license:
 
1. Is IPv6 supported?

2. Can I use police action in an inspect rule? I want to limit some protocols to low bandwidth. There is no police command in ZBF policy map.


Cisco Firewall :: Configure ASA 7.2 (4) To Inspect SCCP Traffic From A CUCM V7

Aug 11, 2010

I am trying to configure my ASA 7.2(4) to inspect SCCP traffic from a CUCM v7. I have been advised that the ASA device needs to support the version of Skinny I am running. What version of Skinny does ASA 7.2(4) support? How can I find out what version my phones are using?


Cisco Firewall :: ASA 9.X Routed - Inspect Traffic For All L3 And Transparent Contexts

May 12, 2013

We are currently looking at design models for a Multi-Tenancy solution. The firewall layer will be 2 X ASA's running 9.X to take advantage of VPN's in multiple context mode and mixed L3 and L2 contexts.
 
We will be delivering services through multiple L3 contexts (between 2 and 5 L3 contexts for services) and 1 transparent context for customers' infrastructure, who will then have virtual firewalls for NAT's and VPN's etc. within their own environment.
 
I am not very experienced with IPS so my query is; if we were to get an IPS license for both ASA's how would the IPS fit in, can we use it to inspect traffic for all the L3 contexts and the transparent context?








Copyrights 2005-15 www.BigResource.com, All rights reserved