Cisco Firewall :: 5515x Apply On Firewall / Switches To Make Implementation Successful
Apr 22, 2013
I will be implementing a new firewall (cisco asa 5515x) on my existing 3750x (server switches) and my 2960s (user switches). What should I need to apply on my firewall and swtiches to make the implementation successfull. I will put my 3750x as my DMZ and my 2960s as my inside. The 3750x have multiple subnet and also the 2960s.which features and technologies i need to know on those 3 products. my 3750x and 2960s don't have any ACL defined and most common features are vlan, switchport, trunking, spanning-tree, stacking, vtp.how my asa knows that my 3750x/2960s have multiple vlans. my current connection right now on 3750x and 2960s is just through 6 ports i assigned as one trunk, below is my config [code]
my 2960s vlans are almost the same with my 3750x except vlan 160, 170, 192. but of course when i put this in asa, i have to segragate vlan for 3750x (192, 100, 110,160, 170) and 2960s (130, 150). for my 2960s connection to the asa and since this will have big bandwidth, i will use 3 ports on my asa (and trunk it) connecting to my 2960s and i will use 2 ports on my asa (and trunk it) connecting to my 3750x. the one internet ports and my one management ports on my asa will stay like that.
I have a strange issue which happened to me last weekend with two ASA 5515X on version 8.6(1)2. There was a planned power shutdown which only affected the primary firewall. Failover was configured and running successfully. The configuration was also saved after every change made. After power was shut and primary firewall went off the secondary took over like it should but unfortunately all configuration was gone. We immediately powered on the primary again but also this one lost the configuration.
While reconfiguring the firewall we ran into another problem. The devices won't pair although it was the correct configuration. After three times removing and adding the same failover configuration the devices accepted the failover and worked together again.
I went through the bug toolkit and white papers regarding ASA 5515x and this particular version but were not able to find anything.
I am in a process of replacing the Cisco ASA 5510 with 7.3 OS with a new Cisco ASA 5515X with 8.6OS. In the existing Cisco ASA 5510, we have configured 'no nat-control' for which the traffic from all sub-interfaces were flowing to the lower security interfaces without any NAT command. Just access-lists were configured. Now how do i acheive the same in the Cisco ASA 5515X with 8.6? I do not find any 'no nat-control' command available for it.
I'm using ASA 5515X my concern is I was not able to block the traffic of P2P such as BitTorrent etc. I was also view some technotes on how to use webfilter without using Websense or Smartfilter tools and lucky I'm able to block certain websites. how to block the traffic of P2P?
I'd like to enable client to router VPN connections. I have a question how to make any sucessful VPN connection to RV220W. From all the tests I made only SSL VPN on Windows XP x86 client machine was working.
For IPSec VPN I always receive this message: [rv220w][IKE] ERROR: Could not find configuration for XXX.XXX.XXX.XXX[500]. I tried with windows and shrewsoft vpn client.
Can't make SSL VPN to work in Windows 7 x64 client because the drivers are not digitally signed. It only works in Windows XP x86 but this is not acceptable. I need universal solution for win clients.
I also need working solution for Android Phone? Router firmware 1.0.3.5. I also tried this step by step guide. No go.
I need to upgrade to firewall which supports Active/Standby configuration.I am currently using a ASA-5510,SSM-20 8.2(5).Will the configuration file from the ASA-5510 work on the 5515X?
I have ASA 5515x and it has already Internet Connection since my firewall is not "production". So right now I'm trying to configure a Remote Session just for a test and eventually I was not able to connect from it. I followed the instructions from technotes but still Remote Connection dropped. Here's my sample configuration on my firewall, btw I also configured a service policy rule and ACL just to make sure if I can able to access the Server inside my network but Session also dropped.
I have a misanderstand about management interface configuration in cluster. So I have a cluster asa 5515X with management interface. i Would like to be able to connect to any of the member of my cluster on management interface, so i would like to fix a different ip on management interface on each of my node ip 92 and 91. I think it is the only way to make asa firmware update to access local flash on each node.
my config
interface GigabitEthernet0/1 channel-group 1 mode active no nameif
Just a few questions. We are looking to deploying Cisco ASA 5545 into a network. I have a couple of issues with designing the network correctly.
We need to be able to scale out to more hosts than a single VLAN, we would also be considering adding 4948E switch behind the ASA and potentially a stack in front.
The problems are:
1) If we have an outside stack of public 4948E (so we can connect some hosts outside the firewall, such as additional ASA's running in NAT mode) for VPN. Is this a reliable, recommended configuration? The reason being we need to have the ability to add other seperate ASA protected networks that we don't want going through the 5545 as it's going to quickly run it out of capacity. If I have the L3 switch stack in front I'm guessing we would have a small subnet to link upstream and then sub-subnetwork into two blocks, one on the inside interface and one on the L3 switch for the other hosts? Or would it be better to let the upstream provider do this, and then just get them to provide us with two smaller subnets rather than one big one? As below if we do L3 stack ourselves we would need to small subnets, one to communicate with upstream and one to link ASA subnets. This seems like a waste of IP's. I was wondering if I could use Internal IP space on the L3 > ASA link, but I thought that could be an issue for BOGONS list.
2) If I want to extend the inside network (Cisco ASA would not run NAT, just public IP's on the inside, routed to the outside interface of the ASA) there are two ways. Use the ASA to create subinterfaces/VLANs (but that would be routed via the ASA - may be a performance hit?) or use a L3 switch behind the ASA. How does one accomplish running L3 switch behind ASA properly?
I have a customer who is going to host a VOICE services like providing SIP services to its customers. What specific ports required to be opened up for this on ASA 5515X. I would rate it ASAP.
I need to know if the cisco ASA next generation specially ASA 5515X support PBR or no ?how to implement it? Also if i have many internet connections and i need to dedicate 2 ISP’s ADSL internet lines to certain service (such as mail) if the 1st fail, so the 2nd line come up to make redundancy with it ----------- Is this available on cisco ASA next generation.
I have a FWSM cluster that I exceeded the maximum number of static nat entries on. i migrated the connectivity off to a pair of PIX 535's that seem to be handling the adderess translation needs. however the number of NAT entries being required is increasing and being the PIX series wal EOL'd several years back..I need to replace them.. The static 1-1 nat entries cannot be summarized into network as the hosts that are being nat'd are scattered all over various micro subnets in the all 3 rfc1918 ipv4 address ranges and they are being manged directly by snmp and SNMP-trap and other services that prohibit the use of many-to-one nat. Is there a mknown maximum number of static 1-1 nat entries that can be defined on the ASA 5515-x, 5525=x and higher ASA firewalls? Say I wanted to be able to grow to 2500 or more static 1-1 nat entries. I am currently running 2010 1-1 static host nats currently.
Unfortunately I didn't discover any configuration switches concerning an IPv6 firewall! So the important question is: Is there any firewall implemented at all? And if so, does it confirm to RFC6092.
How many concurrent SIP channels should I expect to be able to make through a PIX firewall? We currently have a PIX 515 with the SIP fixup enabled.it worked fine for a low volume of traffic, but once we got to around 400-500 concurrent SIP calls the PIX started to struggle. Calls were dropping and other Internet traffic was intermittent. When I decreased the call volume it recovered and everything returned to normal.Bandwidth wise, we were only using about 20MB, so I think that as it needs to inspect and remember SIP packets for the purposes of opening RTP ports, we probably hit a bottleneck in terms of either the PIX's CPU or memory capacity. I've not seen any specs detailing how many SIP fixups a PIX (of any capacity) is able to handle.I'm thinking of upgrading to a PIX 525 or PIX 535, but I'd like to know how many SIP calls they will be able to handle before committing.
we have a nat exemption rule for 10.0.0.0/8 to w.x.y.z followed by some static nat rules and then dynamic policy nat rule for 10.0.0.0/8 to w.x.y.z natting to IP a.b.c.d.When I do a packet trace from 10.10.10.10 to w.x.y.z, it shows the packet first matching against the nat exemption rule, and then immediately afterwards it matches the dynamic policy NAT rule. The static nat rules are being successfully bypassed (which is what I want), but why does the dynamic policy nat rule apply if an exempt rule has been hit already? An actual test between the IPs above reflects the result of the packet tracer as well (IP a.b.c.d is seen on server w.x.y.z).We are running the following software on an ASA5520.
I'm trying to configure policing and/or shaping on a setup of 2 x ASA 5505 Sec Plus. The units are placed in office A and office B and each have a ISP connection to the internet and a leased line with a capacity of 4/4 Mbit/s for interoffice communication.
On each ASA there's four subnets. VLAN 200 is used to connect the offices through the leased line.
I've read a lot of articles and posts about shaping and policing on the ASA but still can't get it to work like I wan't to. I'm trying to limit all traffic besides IP-telephony traffic to 3 Mbit/s and thus reserving 900 Kbit/s for voice traffic. I tried setting a service-policy on the linknet interface on each ASA and set Traffic match to Any traffic and QoS settings for both input and output.
I can see traffic passing the policy when I run the "show service-policy police" command but it never seems to be high enough to be policed which is strange since the ASDM monitoring shows that I'm pushing 3900 kbit/s. I file transfers verifies that policing does'nt work.
I have pair of ASA 5550 and I am trying to copy a new config to my member1 (active) as the new configuration I want to use for the pair. I want to copy this to start-up config on member1 and then reload member1 and have it copy the same config to member2 (stdby). I guess I am trying to understand if I copy the configuration to member1 and reload it, member 2(stdby) will have become active and try to copy the old configuration to member1 which I do not want.
get the commands straight that I need to execute to make sure the new startup config gets to both members without being overwritten?
I'm planning to separate voice and data traffic with two vlans. I have a COR switch catalyst 3750, a UC560 for VOIP with SIP trunk and SGE2000P as access switches. The thing is i had configured VLAN1 (data vlan) and VLAN8 (voice vlan), i've created the vlan 8 in the database on 3750 and let pass those vlans through a TRUNK port. In the SGE2000P configuration i've created the VLAN8 and the the ports as trunk for letting pass the two vlans for the PC and the IP phone. This works but some phones aren't registering, and for example i've unplugged a register phone and plug and doesn't registering anymore.
our company backbone is hp 5406, and desktop switches are hp 2510 currently we are working with ipv4.if we want to start use IPV6 for test environment, what’s things we need to enable in our backbone/regular switches.i mean for example if we want to set static IPV6 address for 2 servers and send ping between them, or even make new vlan with IVP6 subnet, and use it like regular vlan but with static ip's(until we got ipv6 dhcp).i have hp 5406 manual for IPV6 but i can't understand what i really need to do for start using IPV6.
I installed the Cisco LMS 4.0.1 (test mode), and monitoring services of the switches (data collection and information system) are working.
But when I need to apply some configuration via CiscoView settings are not applied.
The following message is displayed when I try to apply some configuration on an interface of any one switch.
"Message Timeout on 172.20.1.10. This error could be due to lack of access to the host, invalid SNMP credentials, or a busy device. To correct the problem, do one of the following:
- Verify access to the host.
- Check the SNMP credentials.
- Increase the timeout value through the preference options on the chassis view."
I've checked the credentials and SNMP communities, the problem continues.
Two different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
i have a 5510 with SDM 8.2.5 from clients connected to LAN i cant open a VPN connection! (using windows client L2TP or PPTP) there is not rules tho block this ports, why i cant connect?
i have router 3845 and then it's connected with pix and then its connected with vpn tunnel to the customer router. i am here trying to make vpn connectivity for devices. so on router i did static nat statements 10.124.90.124 10.200.200.1. this type of six statements i wrote for six devices. on the pix i did
i have one question that i need to use physical subnet or nat subnet for crypto map acl? and also on the customer router which subnet they can use as well nat sunet or my router physical subnet?
I want to make ipsec vpn between ASA and Cisco 877 Router,crypto isakmp and crypto ipsec ACTIVE state its works fine but Cisco 877 can not ping ASA internet interface but can ping behind ASA PC,PC can ping 192.168.2.1 but Cisco877 can ping only behind ASA PC thats ip 172.20.1.18
Ex: 192.168.2.0(Cisco877) =====ASA(172.20.1.0)-------172.20.1.18 PC ASA IP : 172.20.1.2.54 C877 IP 192.168.2.1
I´m a IOS CLI fanatic. Its the first tiem that I have to configure a SB switch. Its very confusing, I want setup a voice vlan id as 200. but I don see that this value change when I try to apply the smartport macro to the interface.Its possible change a smartport macro?
I have turned on the aaa command authorization without applying adequate privileges to the user. I can now log in through that user but the ASA 5510 displays an error :ASA 5510# show running-config
I am unable to make any configuration changes on the firewall. Is there any default user through which I can log in and disable the aaa authorization ? if not, how can I resolve this situation ?
