Cisco Firewall :: 5515x Apply On Firewall / Switches To Make Implementation Successful

Apr 22, 2013

I will be implementing a new firewall (Cisco ASA 5515X) on my existing 3750X (server switches) and my 2960S (user switches). What do I need to apply on my firewall and switches to make the implementation successful? I will put my 3750X as my DMZ and my 2960S as my inside. The 3750X have multiple subnets and so do the 2960S. Which features and technologies do I need to know on those 3 products? My 3750X and 2960S don't have any ACL defined, and the most common features are VLAN, switchport, trunking, spanning-tree, stacking, VTP. How does my ASA know that my 3750X/2960S have multiple VLANs? My current connection right now on the 3750X and 2960S is just through 6 ports I assigned as one trunk. Below is my config: [code]

My 2960S VLANs are almost the same as my 3750X's except VLAN 160, 170, 192. But of course when I put this in the ASA, I have to segregate VLANs for the 3750X (192, 100, 110, 160, 170) and the 2960S (130, 150). For my 2960S connection to the ASA, and since this will have big bandwidth, I will use 3 ports on my ASA (and trunk them) connecting to my 2960S, and I will use 2 ports on my ASA (and trunk them) connecting to my 3750X. The one internet port and my one management port on my ASA will stay like that.


Cisco Firewall :: ASA 5515X - Config Loss After Primary Firewall Reloaded

Sep 23, 2012

I have a strange issue which happened to me last weekend with two ASA 5515X on version 8.6(1)2. There was a planned power shutdown which only affected the primary firewall. Failover was configured and running successfully. The configuration was also saved after every change made. After power was shut and the primary firewall went off, the secondary took over like it should, but unfortunately all configuration was gone. We immediately powered on the primary again, but this one had also lost the configuration.
 
While reconfiguring the firewall we ran into another problem. The devices wouldn't pair although it was the correct configuration. After removing and adding the same failover configuration three times, the devices accepted the failover and worked together again.
 
I went through the bug toolkit and white papers regarding ASA 5515X and this particular version but was not able to find anything.


Cisco Firewall :: Upgrade From 8.2 To 8.6 For New ASA 5515X

Sep 19, 2012

My customer has a rather complex configuration on an ASA 5510 running version 8.2.

They are migrating to new ASA 5515X models, which of course only support version 8.6.
 
How can I convert the configuration from 8.2 to 8.6, since the new ASAs do not support the earlier versions?
 
The X series seems to be a great option for new deployments but what about replacements of existing older models?


Cisco Firewall :: ASA 5515X 8.6 IOS For NAT Control

Feb 21, 2013

I am in the process of replacing the Cisco ASA 5510 with 7.3 OS with a new Cisco ASA 5515X with 8.6 OS. In the existing Cisco ASA 5510, we have configured 'no nat-control', so that traffic from all sub-interfaces was flowing to the lower security interfaces without any NAT command. Just access-lists were configured. Now how do I achieve the same in the Cisco ASA 5515X with 8.6? I do not find any 'no nat-control' command available for it.


Cisco Firewall :: ASA 5515X Max Contexts In HA Mode

Jun 4, 2013

What is the maximum number of contexts a pair of 5515Xs in HA mode can support?
 
I know each 5515X can have a max of 5 contexts, but does that mean in HA mode a pair can support 10 with license pooling?


Cisco Firewall :: ASA 5515X - How To Block Traffic Of P2P

Jan 28, 2013

I'm using an ASA 5515X; my concern is that I was not able to block P2P traffic such as BitTorrent etc. I also viewed some technotes on how to use the web filter without using Websense or SmartFilter tools, and luckily I was able to block certain websites. How do I block P2P traffic?


Cisco Routers :: RV220W - How To Make Successful VPN Connection

Jan 16, 2012

I'd like to enable client-to-router VPN connections. I have a question about how to make any successful VPN connection to the RV220W. From all the tests I made, only SSL VPN on a Windows XP x86 client machine was working.
 
For IPSec VPN I always receive this message: [rv220w][IKE] ERROR:  Could not find configuration for XXX.XXX.XXX.XXX[500]. I tried with the Windows and Shrew Soft VPN clients.
 
I can't make SSL VPN work on a Windows 7 x64 client because the drivers are not digitally signed. It only works on Windows XP x86, but this is not acceptable. I need a universal solution for Windows clients.
 
I also need a working solution for Android phones. Router firmware 1.0.3.5. I also tried this step by step guide. No go.


Cisco Firewall :: Upgrade From ASA-5510 SSM20 To ASA-5515X?

Dec 25, 2012

I need to upgrade to a firewall which supports Active/Standby configuration. I am currently using an ASA-5510, SSM-20 8.2(5). Will the configuration file from the ASA-5510 work on the 5515X?


Cisco Firewall :: Remote Desktop Connection To ASA 5515x

Feb 5, 2013

I have an ASA 5515X and it already has an Internet connection since my firewall is not in "production". So right now I'm trying to configure a remote session just for a test, and eventually I was not able to connect from it. I followed the instructions from technotes but the remote connection still dropped. Here's my sample configuration on my firewall; by the way, I also configured a service policy rule and ACL just to make sure I can access the server inside my network, but the session also dropped.
 
nat (inside,outside) source static 1.1.1.1 2.2.2.1
access-list 110 extended permit tcp host 3.3.3.1 host 2.2.2.1 eq 3389
CiscoASA(config)#class-map rdpmss

[Code].....


Cisco Firewall :: Management Interface In Cluster ASA 5515x?

Jan 6, 2013

I have a misunderstanding about management interface configuration in a cluster. So I have a cluster of ASA 5515X with a management interface. I would like to be able to connect to any of the members of my cluster on the management interface, so I would like to set a different IP on the management interface of each of my nodes, IP 92 and 91. I think it is the only way to make an ASA firmware update access the local flash on each node.
 
My config:
 
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif

[Code].....


Cisco Firewall :: Testing 5515x At Home - No Internet Route

Apr 15, 2013

I'm new to Cisco ASA and the model is 5515X with license plus. Below is my config at home:
 
ciscoasa#
ciscoasa# sh run
: Saved

[Code]......


Cisco Firewall :: ASA Implementation With 5545

Dec 6, 2012

Just a few questions. We are looking to deploy a Cisco ASA 5545 into a network. I have a couple of issues with designing the network correctly.
 
We need to be able to scale out to more hosts than a single VLAN; we would also be considering adding a 4948E switch behind the ASA and potentially a stack in front.
 
The problems are:
 
1) If we have an outside stack of public 4948E (so we can connect some hosts outside the firewall, such as additional ASAs running in NAT mode) for VPN. Is this a reliable, recommended configuration? The reason being we need to have the ability to add other separate ASA-protected networks that we don't want going through the 5545, as it's going to quickly run it out of capacity. If I have the L3 switch stack in front, I'm guessing we would have a small subnet to link upstream and then sub-subnetwork into two blocks, one on the inside interface and one on the L3 switch for the other hosts? Or would it be better to let the upstream provider do this, and then just get them to provide us with two smaller subnets rather than one big one? As below, if we do the L3 stack ourselves we would need two small subnets, one to communicate with upstream and one to link ASA subnets. This seems like a waste of IPs. I was wondering if I could use internal IP space on the L3 > ASA link, but I thought that could be an issue for the BOGONS list.
 
2) If I want to extend the inside network (Cisco ASA would not run NAT, just public IPs on the inside, routed to the outside interface of the ASA) there are two ways. Use the ASA to create subinterfaces/VLANs (but that would be routed via the ASA - may be a performance hit?) or use an L3 switch behind the ASA. How does one accomplish running an L3 switch behind the ASA properly?


Cisco Firewall :: Ports To Be Opened Up For Hosted Voice Access On ASA 5515X

Sep 23, 2012

I have a customer who is going to host voice services, like providing SIP services to its customers. What specific ports are required to be opened up for this on the ASA 5515X? I would rate it ASAP.


Cisco Firewall :: New ASA 5515X Generation Support PBR Or Not / ISPs Links Redundancy

Jun 9, 2013

I need to know if the Cisco ASA next generation, especially the ASA 5515X, supports PBR or not, and how to implement it. Also, if I have many internet connections and I need to dedicate 2 ISPs' ADSL internet lines to a certain service (such as mail), so that if the 1st fails the 2nd line comes up to make redundancy with it. Is this available on Cisco ASA next generation?


Cisco Firewall :: Maximum Number Of 1-1 Static Nat Entries On ASA 5515X Or 5525X?

Aug 7, 2012

I have a FWSM cluster that I exceeded the maximum number of static NAT entries on. I migrated the connectivity off to a pair of PIX 535s that seem to be handling the address translation needs. However, the number of NAT entries being required is increasing, and the PIX series was EOL'd several years back, so I need to replace them. The static 1-1 NAT entries cannot be summarized into networks, as the hosts that are being NAT'd are scattered all over various micro subnets in all 3 RFC1918 IPv4 address ranges, and they are being managed directly by SNMP and SNMP-trap and other services that prohibit the use of many-to-one NAT. Is there a known maximum number of static 1-1 NAT entries that can be defined on the ASA 5515-X, 5525-X and higher ASA firewalls? Say I wanted to be able to grow to 2500 or more static 1-1 NAT entries. I am currently running 2010 1-1 static host NATs.


D-Link DIR-825 :: IPv6 Firewall Implementation

Apr 17, 2012

Unfortunately I didn't discover any configuration switches concerning an IPv6 firewall! So the important question is: Is there any firewall implemented at all? And if so, does it conform to RFC6092?


Cisco Firewall :: Make Communication Between 2 Vlans On Firewall 5520 ASA 8.2

Jan 1, 2012

Communication between 2 VLANs. I have 2 VLANs:
 
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
 
I want to make communication between the 2 VLANs on a firewall 5520 ASA 8.2.


Cisco Firewall :: 515 How Many Concurrent SIP Channels Able To Make Through Firewall

Apr 13, 2011

How many concurrent SIP channels should I expect to be able to make through a PIX firewall? We currently have a PIX 515 with the SIP fixup enabled. It worked fine for a low volume of traffic, but once we got to around 400-500 concurrent SIP calls the PIX started to struggle. Calls were dropping and other Internet traffic was intermittent. When I decreased the call volume it recovered and everything returned to normal. Bandwidth-wise, we were only using about 20MB, so I think that as it needs to inspect and remember SIP packets for the purposes of opening RTP ports, we probably hit a bottleneck in terms of either the PIX's CPU or memory capacity. I've not seen any specs detailing how many SIP fixups a PIX (of any capacity) is able to handle. I'm thinking of upgrading to a PIX 525 or PIX 535, but I'd like to know how many SIP calls they will be able to handle before committing.


Cisco Firewall :: 5520 Why Does Dynamic Policy NAT Rule Apply

Jun 4, 2013

We have a NAT exemption rule for 10.0.0.0/8 to w.x.y.z, followed by some static NAT rules and then a dynamic policy NAT rule for 10.0.0.0/8 to w.x.y.z, natting to IP a.b.c.d. When I do a packet trace from 10.10.10.10 to w.x.y.z, it shows the packet first matching against the NAT exemption rule, and then immediately afterwards it matches the dynamic policy NAT rule. The static NAT rules are being successfully bypassed (which is what I want), but why does the dynamic policy NAT rule apply if an exempt rule has been hit already? An actual test between the IPs above reflects the result of the packet tracer as well (IP a.b.c.d is seen on server w.x.y.z). We are running the following software on an ASA5520.


Cisco Firewall :: 5505 - How To Apply Policing On ASAs With Leased Lines

Jul 2, 2012

I'm trying to configure policing and/or shaping on a setup of 2 x ASA 5505 Sec Plus. The units are placed in office A and office B, and each has an ISP connection to the internet and a leased line with a capacity of 4/4 Mbit/s for interoffice communication.
 
On each ASA there are four subnets. VLAN 200 is used to connect the offices through the leased line.
 
Subnets:
Outside = 2
Data = 10
Voice = 100
Linknet = 200
 
I've read a lot of articles and posts about shaping and policing on the ASA but still can't get it to work like I want to. I'm trying to limit all traffic besides IP-telephony traffic to 3 Mbit/s and thus reserve 900 Kbit/s for voice traffic. I tried setting a service-policy on the linknet interface on each ASA and set Traffic match to Any traffic and QoS settings for both input and output.
 
I can see traffic passing the policy when I run the "show service-policy police" command, but it never seems to be high enough to be policed, which is strange since the ASDM monitoring shows that I'm pushing 3900 kbit/s. File transfers verify that policing doesn't work.


Cisco Firewall :: 5550 - Apply New Startup Configuration To ASA Active Member?

Jun 17, 2012

I have a pair of ASA 5550 and I am trying to copy a new config to my member1 (active) as the new configuration I want to use for the pair. I want to copy this to the start-up config on member1 and then reload member1 and have it copy the same config to member2 (stdby). I guess I am trying to understand if I copy the configuration to member1 and reload it, member2 (stdby) will have become active and try to copy the old configuration to member1, which I do not want.
 
I need to get the commands straight that I need to execute to make sure the new startup config gets to both members without being overwritten.


Cisco Switches :: Voice VLAN Implementation On SGE2000P

Sep 17, 2011

I'm planning to separate voice and data traffic with two VLANs. I have a core switch Catalyst 3750, a UC560 for VOIP with SIP trunk, and SGE2000P as access switches. The thing is I had configured VLAN1 (data VLAN) and VLAN8 (voice VLAN); I've created the VLAN 8 in the database on the 3750 and let those VLANs pass through a TRUNK port. In the SGE2000P configuration I've created the VLAN8 and set the ports as trunk for letting the two VLANs pass for the PC and the IP phone. This works, but some phones aren't registering; for example, I've unplugged a registered phone and plugged it back in, and it doesn't register anymore.


Routers / Switches :: IPV6 Implementation In IPV4 Network

Jul 1, 2012

Our company backbone is HP 5406, and the desktop switches are HP 2510. Currently we are working with IPv4. If we want to start using IPv6 for a test environment, what things do we need to enable in our backbone/regular switches? I mean, for example, if we want to set a static IPv6 address for 2 servers and send ping between them, or even make a new VLAN with an IPv6 subnet and use it like a regular VLAN but with static IPs (until we get IPv6 DHCP). I have the HP 5406 manual for IPv6 but I can't understand what I really need to do to start using IPv6.


Cisco :: LMS 4.0.1 Does Not Apply Settings On Switches

Jul 28, 2011

I installed the Cisco LMS 4.0.1 (test mode), and monitoring services of the switches (data collection and information system) are working.
 
But when I need to apply some configuration via CiscoView settings are not applied.
 
The following message is displayed when I try to apply some configuration on an interface of any one switch.
 
"Message Timeout on 172.20.1.10. This error could be due to lack of  access to the host, invalid SNMP credentials, or a busy device. To correct  the problem, do one of the following:

- Verify access to the host.

- Check  the SNMP credentials.

- Increase the timeout value through the preference  options on the chassis view."
 
I've checked the credentials and SNMP communities, but the problem continues.


Cisco Firewall :: 5520 Single Firewall With 2 Core Switches

Jan 4, 2012

Two different WAN links get connected to the firewall via two routers (different IP subnets). I need to get these two WAN streams separately to the core switches. The core switches sit in an Active/Standby scenario. If the active core goes down, the standby core will take over the traffic. Is my design correct? If not, what do I need to change? The ASA is a 5520.


Cisco Firewall :: Asa 5510 Can't Make PAT

Nov 27, 2011

According to this document I do port translation through the CLI, and I have the following config:


Cisco Firewall :: 5510 - ASA 8.2.5 To Make VPN Connection From LAN To Outside?

Sep 19, 2011

I have a 5510 with SDM 8.2.5. From clients connected to the LAN I can't open a VPN connection (using the Windows client, L2TP or PPTP). There are no rules to block these ports, so why can't I connect?
 
My configuration:
 
FIREWALLP01# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname FIREWALLP01
domain-name MAIOR.local
enable password 28kg/dOQX80WtMHA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

[code]....


Cisco Firewall :: 3845 - How To Make VPN Connection

Aug 22, 2012

I have a router 3845, and it's connected with a PIX, and then it's connected with a VPN tunnel to the customer router. I am here trying to make VPN connectivity for devices. So on the router I did static NAT statements 10.124.90.124 10.200.200.1. I wrote six statements of this type for six devices. On the PIX I did:

isakmp key ******** address 208.39.107.230 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 208.39.107.230
crypto map outside_map 60 set transform-set ESP-3DES-SHA-1

I have one question: do I need to use the physical subnet or the NAT subnet for the crypto map ACL? And also on the customer router, which subnet can they use as well, the NAT subnet or my router's physical subnet?


Cisco Firewall :: ASA 5540 8.2 - Way To Make A Simple PAT

Sep 3, 2012

I have a Cisco ASA 5540 and I can't make a simple PAT (many private IPs to one public IP). Below you can find my conf.

[code]...


Cisco Firewall :: Make IPSec VPN Between ASA And 877 Router?

Jan 22, 2013

I want to make an IPsec VPN between an ASA and a Cisco 877 router. Crypto isakmp and crypto ipsec are in ACTIVE state and it works fine, but the Cisco 877 cannot ping the ASA internet interface, though it can ping the PC behind the ASA. The PC can ping 192.168.2.1, but the Cisco 877 can ping only the PC behind the ASA, whose IP is 172.20.1.18.
 
Ex:
192.168.2.0(Cisco877) =====ASA(172.20.1.0)-------172.20.1.18 PC
ASA IP : 172.20.1.2.54
C877 IP 192.168.2.1

[code]....


Cisco Switches :: SG200 Apply The Smart Port Macro To Interface

May 23, 2012

I'm an IOS CLI fanatic. It's the first time that I have to configure an SB switch. It's very confusing. I want to set up a voice VLAN ID as 200, but I don't see that this value changes when I try to apply the smartport macro to the interface. Is it possible to change a smartport macro?


Cisco Firewall :: Make Report Of VPN History On ASA 5510?

Sep 30, 2012

I need to make a report of the VPN history on an ASA 5510, and I cannot find a fast way to do that.


Cisco Firewall :: ASA 5510 Displays Error - Unable To Make Any Configuration Changes

Feb 4, 2012

I have turned on the aaa command authorization without applying adequate privileges to the user. I can now log in through that user, but the ASA 5510 displays an error:

ASA 5510# show running-config

ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed.

I am unable to make any configuration changes on the firewall. Is there any default user through which I can log in and disable the aaa authorization? If not, how can I resolve this situation?

Copyrights 2005-15 www.BigResource.com, All rights reserved