I have implemented ASA 5520 as the main firewall. The outside interface is connected to a cisco router and the router is connected to an ISP. I want to make my security system more secure. Which product is the best as the internet gateway solution. Which licenses are required for this one and what is the,cost for each license. Where can I find the DMZ diagram recommended by cisco ?
View 1 Replies
My current network setup has pix 525 firewall and for IDS i have 4215 box.As the utilization is high i am buying new ASA5520 firewall.
My query is
1 My IDS is end of support should i buy an IPS moudle with the asa 5520.is it recommended?
2 Other than firewalling what are the default features supported in asa 5520 like vpn,content filtering etc.
Looking for a recommended code on the ASA 5585x firewall. We ran into a bug (CSCtr24705) on version 8.4.2 where it rebooted the primary firewall. The bug has to do with modifying an existing ACL that's part of a custom policy-map inside a service-policy. If we upgrade to 8.4.5 (which has the previous bug fix in it), there is another major bug (CSCud70273) where if you use the packet-tracer input command on an inside interface it causes problems too.
I don't understand why packet-tracer input would have a bug associated with it when it's been around for a long time and we use it on a daily basis for troubleshooting. Is there stable code for the 5585x to upgrade to without running into possibly a major bug? This is our core firewall so there are no VPN tunnels on it. It's setup in active/standby failover in routed mode.
We are in the process of building a new DC and would like to know which is the recommended version of code to run on the following:
Firewall Services Module
Cisco ASA5580, 5550, 5520
ACE module
I have a pair of ASA 5510s configured in active/standby mode. I have already configured the fail over settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. [code]
Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:%PORT_SECURITY-2- PSECURE_ VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8. After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?
How to draw a lan/wan diagram
View 1 Replies View RelatedI was trying to draw a diagram for my network, when the following problem occurs.When using "show cdp neighbor" command on my primary core switch i see the proper name and interface # of the attached secondary core switch. However, upon using the "show cdp neigh fa1/1 detail" command (fa1/1 is the port i get that is attached directly to the secondary core switch and is the correct int that is connected to it) i get the wrong ip!!! The ip it gives me is not that of the secondary core switch but is that of the asa firewall!! When i go on the secondary core switch and do the same thing i get the same result but it gives me the ip of the 2nd asa firewall instead.
Notes: I am logged in to the management vlan. Firewall vlan is separate as well. asa is also connected to the switches but on different ports.
Can I add an ASA 5510 to my network diagram on the CNA?If I can, what monitoring and contol can be done on the ASA?The ASA is being managed using SDM.
View 4 Replies View RelatedI need A network diagram for 50 PCs with Network monitoring
View 3 Replies View RelatedI am running LMS 4.2 , using that i am monitering some switches . I am using topology services also. In that i am getting veiw of all connected devices with links. But bandwidth utilization is for those links are not showning in topology veiw .
Is there any settings to be done in LMS 4.2.2 or any configuration changes to done on my switches ? to find the traffic flow bandwidth utilization.
I have a problem where clients cannot roam between Cisco 1231g-e-k9 and recently installed cisco 1242g-e-k9 access points.. On looking at the CDP option on the 1231 and 1242 access points they are all aware of each other. However if I use the Network View option I see a different picture. All the 1231 access points can see each other but not see the 1242's. Network View on the1242 shows all the 1231's but none of the 1242's. The 1231 are running ver. 12.3(8)JEB and the 1242's are running ver. 12.4(21a)JA1.
View 2 Replies View RelatedI have added manually the cisco asa 5520 to lms 4.2 , because automatically the lms didn't discover it ,however when i tried to open the device using cisco.MessageCannot find applicable device package for 192.168.100.100This error could be due to one of the following:- The device package for this device type is not installed.- Device support for this device type is not available.- You are trying to open a component inside a device.To correct the problem, either install a device package for the device type, or open the parent device to manage the component.
View 1 Replies View RelatedI've tried to set up IPSec over TCP with a VPN-Client V5.0.07.0440 on Win 7 64b to my ASA 5520 (Version 8.2(2)16) regarding to
[URL]
IPSec over TCP activated at the ASA
crypto isakmp ipsec-over-tcp port 10000
and in the transport tap of the VPN connection 'enable transport tunneling' with IPSec over TCP an port 10000 instead of 'IPSec over UDP' The connect timed out with error code 412 And this is my log from the ASA:
%ASA-7-710005: TCP request discarded from 178.x.x.x/53225 to INTERNET:212.x.x.x/10000
%ASA-3-713042: IKE Initiator unable to find policy: Intf INTERNET, Src: 212.x.x.x, Dst: 178.x.x.x
%ASA-7-710005: TCP request discarded from 178.x.x.x/53225 to INTERNET:212.x.x.x/10000
%ASA-3-713042: IKE Initiator unable to find policy: Intf INTERNET, Src: 212.x.x.x, Dst: 178.x.x.x
I don't have a clue what's here missing.I have static crypto maps for the L2L tunnels and the default dynamic crypto map for the VPN clients which come over NAT-T
crypto map INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address INTERNET_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
View 1 Replies View RelatedAny diagram showing the antenna position or signal pattern from the EA2700? I know that Cisco recommends that the unit be placed "near the ceiling" but I'm looking for more specific information. Should the unit be mounted vertically or horizontally.
View 1 Replies View RelatedWe are looking at providing an ISR 819 for one of our customers using FTTC & 3G for failover .. However, I cant seem to find any recommended throughput guidence for the device? We could be looking at up to 80Mbps via the ethernet interface and I just dont know if the device will cope?
View 4 Replies View RelatedI'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies View RelatedWe are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
View 1 Replies View RelatedTwo different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
View 8 Replies View RelatedI have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
communication between 2 vlans.i have 2 vlans
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
I would like to perform vulnerability scan on Cisco switch and router.Is there any free vulnerability scan tool recommended for Cisco device ?
View 2 Replies View RelatedI currently have a 50Mbps Internet Connection provided by an ethernet handoff for hosting some webservers. We are looking at adding an additional 10Mbps Internetn connection and route BGP between the two. For the 50Mbps connection, i'm using a Cisco 2951 router. I also have another 2951 router to terminate the 10Mbps connection. Does these router have enough horsepower to fully route BGP?
View 1 Replies View RelatedI am lacking experience in BGP and now I am trying to figure out what should be the ideal and recommended design.
Scenario:
- Having two Internet Service Provider with two ASN
- Having one idenpendant IPv4 public address
- Having two Internet Cisco Router e.g. 2811
- Having two Cisco ASA Firewall e.g. 5510
Are there any recommendations for configuring the VM for the ACS 5.x? What are the required minimum CPU-Cycles to dedicate and also the minimum RAM to dedicate?
View 1 Replies View RelatedI am setting up a DMVPN between several dozen sites using 2800, 2900 and 3900 series ISRs. The DMVPN Design Guide recommends current 12.4 or 12.4T IOS, but the DG was last updated in July 2008. I cannot seem to find any recommendations newer than this. I'm hoping Cisco or the community can give me an updated recommendation.
View 5 Replies View RelatedMy wifi router recently busted and looking to upgrade. In doing some research, I think I've come to the conclusion of these specs:
-Up to 300 mbps
-10/100/1000 WAN and LAN
-Dual band
-a/b/g/n
Ideally, I'd like to stream my media content from the desktop to my PS3. I don't know if it's a bandwidth issue or my old router, but streaming non-HD movies would buffer like crazy. My RoadRunner connection is about 25 mbps down/1 mbps up. Not sure if the upload bandwidth is the culprit. I know there's not a huge use for 1000M WAN, but I guess I was looking towards the future. Am I overcompensating on the WiFi? My desktop has gigabit port.url...
I am currently at my parents house. They have a internet/phone package with Talk Talk, with the free D-Link DSL-2680 router (which is located at the front of the house). I've run a speed test on this and get almost 6Mbps download on the wired desktop.If I bring my laptop into the room and try it wirelessly I am getting the same sort of speed. However, if I walk 10 meters into the back of the house, I go down to 0.3Mbps.I am wanting my parents to be able to use their iPad in the living room at the back of the house as well as they could use their wired desktop in the front of the house.Is the D-Link DSL-2680 good enough? Do I need a wireless extender/bridge/whatever?
View 1 Replies View Relatedi have an DIR-655 Hardware Version: A4, with Firmware Version: 1.21.Its dated: 2008/11/13.Do i get any improvement updating? And in such case, which FW should i use? It must be rock solid!
View 3 Replies View RelatedI have a serious problem with my corporate firewall, witch is an ASA 5520, fv 8.3, with 8 +1 interfaces. It suddenly started to crash every 10/20 minutes and rebooting alone.
First of all I checked system resources witch are in a very low usage state. I also checked interfaces errors, but nothing strange come out o from error counters analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.
Nothing changed and firewall continue restarting by itself.
Last logs I received before crash were:
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack = 0x084A619E 0x084A6512 0x084A70E1 0x084A7987 0x084A7AAA 0x08558B9B 0x08558E8A 0x083D3518 0x083CA145 0x080659D1 0x089196D9 0x08919790 0x089FF711 0x08A27468
Here the sh crash info command on module 0, after last reboot:
[Code] ......
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
View 2 Replies View Related
