Cisco Firewall :: 5520 Recreate Logical Interfaces For Each Physical Interface
Nov 29, 2012
We have to enable FIPS 140-2 on our ASA5520's for all our IPSEC VPN connections. We currently have failover on our 5520's. I found a lot of information out there but some seems to conflict one another.What are the things I need to look out for - caveats? Does the clients that connect to the VPN had to use different clients once the FIPS was enabled.Do we need to recreate logical interfaces for each physical interface we have?
View 1 Replies
ADVERTISEMENT
May 12, 2011
Does any know why the ASA will monitor physical interfaces by default, but monitoring of logical interfaces is disabled by default? Or better yet, is anybody doing a monitor-interface for a subint without issue? I'd imagine it isn't enabled by default for a reason.
View 2 Replies
View Related
May 30, 2011
I enabled snmp config ASA 5505 with Version 7.2(4), the NMS/reporting system can give graphs for CPU & Memory usages. But I can't see any elements about physical interfaces.
View 1 Replies
View Related
May 2, 2013
ASA have two context groups say admin and and x. Its interface gi0/2 has 6 subinterfaces from 1 to 6.3 subinterfaces ----0/2.1 to 3 are in admin and last 3 are in context x.when i went to system context it does not show where interface gi0/2 belongs to it only shows up up.how can i find which context group physical interface gi0/2 belongs?
View 4 Replies
View Related
Feb 22, 2012
when I migrated the ASA config from 8.2 to 8.3, in all groups the group members has been replaced by the IP address object. However, the "name" for this object has been migrated, but there is the "object network name" configuration missing.
What I can do now is that I can open the new created object in the ASDM, search for the object with this IP address and then enter the object name I had before. When I apply the config, ASDM then creates the object and replaces all affected objects in all groups, by replacing the object group memeber "network-object host hostname" with "network-object object hostname".
Do you know if there exists an automated way, which checks all the groups for members "network-object host", creates the "object network" and replaces the "network-object hosts" with "network-object object" within the group? As long we have a lot of groups which contains partially > 50 members?
View 2 Replies
View Related
Oct 8, 2012
I have a node with one physical wireless interface and I need it to offer AP service to other nodes, connect to an existed AP, and connect to other nodes in ad hoc mode. If I create 3 logical wireless interfaces of that interface and configure each one respectively to the modes above, would this work? do they use the same MAC address or each needs to be configured a different one?
View 2 Replies
View Related
Sep 7, 2011
i have an ASA 5520 running ver 8.4(1). have attached my interface config below and need to do the following, NAT traffic coming on GigabitEthernet0/2.101 to GigabitEthernet0/1, i.e. packets with destination 10.21.110.25 will be forwarded to 10.11.21.25, will a nat (Production,Advocate_MPLS) static ... statement work ?
------------------------------------------------------------------------
interface GigabitEthernet0/1
description Production
nameif Production
security-level 100(code)
View 1 Replies
View Related
Jul 10, 2012
We have an ASA 5520 which is in multiple context mode. We are trying to pass traffic from the outside interface to the dmz interface. We have a /27 public ip range. We need a small amount of those addresses to be in the DMZ for SIP servers specifically. The rest of the addresses are NAT'd to the inside interface.So i created the outside interface GigabitEthernet0/0 with 1.2.3.192/28 Inside Interface GigabitEthernet0/2 with 192.168.20.0/24 DMZ interface on GigabitEthernet0/2.1 with 1.2.3.208/29 So all i want to do is route traffic that comes in the outside interface and out to the DMZ interface for the 1.2.3.208/29 subnet. I set the gateway address as 1.2.3.214 which is the DMZ interface address on the ASA.
View 20 Replies
View Related
Jun 12, 2011
Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).
View 4 Replies
View Related
Feb 28, 2011
I have a Cisco ASA 5520 running 8.2.2 with the VPN Plus license. I am wondering what is the max number of sub-interfaces you can have on a physical interface. I know on the 5505 it was 20 sub-interfaces if you were running the Security Plus license. What is the magic number for the 5520. I have hit 20 sub-interfaces on gi0/1 interface and now I am starting to run into problems with sub-interface #21.
View 1 Replies
View Related
May 23, 2012
I have a cisco ASA 5520 that i'm configuring.From the actual Firewall (with is a linux server), we have the outside interface eth0 with has a public IP and other sub-interfaces (eth0.1; eth0.2,...) with others publics IPs.I'd like to know how I can configure it in an ASA
View 7 Replies
View Related
Oct 15, 2012
I have two virtual interfaces on my ASA 5520:
GigabitEthernet0/1.338 172.30.0.81/28
GigabitEthernet0/1.345 172.30.0.129/28
I have the security levels for both set to 50 and in the ASDM I have checked off "Enable traffic between two or more interfaces which are configured with same security levels"
But now the need has arisen that we allow each subnet to be routable to each other for SMTP traffic, how can I accomplish this?
View 5 Replies
View Related
May 31, 2011
We have been testing out IPv6 configurations on a 5520 running 8.2(4). We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure there IPv6 IPs and it works correctly. I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work. I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes. But using the two methods yields two different interface configurations:
1.
interface GigabitEthernet0/1.40
vlan 40
nameif test
[Code].....
View 5 Replies
View Related
May 28, 2012
We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
-static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
-static (production,Outside) 10.10.10.10 access-list production_nat_static_1
View 2 Replies
View Related
Mar 27, 2013
I have issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with ACL. Even no restriction, traffic does not go through. [code]
I tried to access server from THREE network to web server at FOUR network I have no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) " I am not sure what else should I do. I add both same-security-level commands and it is the same.
View 6 Replies
View Related
Sep 20, 2011
One line of an ACL was changed on an ASA 5520 (primary) and a wr mem was issued to save the change. It appears that when the wr mem was executed, the interfaced on the standby ASA bounced. Configurations have been saved in the past without the result of what's in the log entry..
ADC-5520-MGMT-FW01/stby# show logSyslog logging: enabled Facility: 22 Timestamp logging: enabled Standby logging: enabled Debug-trace logging: disabled Console logging: level errors, 1203060 messages logged Monitor logging: level errors, 1203060 messages logged Buffer logging: level errors, 17590658 messages logged Trap logging: level informational, facility 22, 450126258 messages logged Logging to management 10.5.3.214 Logging to management 10.142.20.214 Logging to management 10.218.3.31 History logging: disabled Device ID: disabled Mail logging: disabled ASDM logging: level informational, 464351755 messages loggedSep 21 2011 17:35:29: %ASA-1-709006: (Primary) End Configuration Replication (STB)Sep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface managementSep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface outsideSep 21
[code]....
View 11 Replies
View Related
Jul 5, 2012
We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's.
View 7 Replies
View Related
Jul 19, 2010
We'll be implementing Cisco NAC guest server for Guest Wireless users, ( Model #3310), the question is do we need to configure separate physical interface for User authentication requests( from Wireless ) and a separate Interface for Guest server to talk to AD for SSO?
View 2 Replies
View Related
Jun 22, 2011
I am trying to figure out how to create an etherchannel with sub-interfaces on an asa 5520 running 8.4.1 code. It doesn't seem to allow me to configure any type of sub interface on the port-channel or anywhere else once I create it.
View 4 Replies
View Related
Nov 29, 2011
I am currently doing some research (for my employer) into creating multi-context sub-interfaces on a Transparent ASA 5550.
I have not been able to find any details on this subject which state it is or it is not possible. This will be used for Syslog logging.
View 1 Replies
View Related
Apr 5, 2011
I have five 877 routers connected to ADSL circuits provided by Vodafone. Each has a VPN tunnel back to a PIX.
Occasionally one of the sites will lose it's connection to the PIX.
When we check the log, we find entries like these:-
Apr 5 01:31:54.085 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to downApr 5 01:33:19.344 UTC: %CRYPTO-
[Code].....
As you can see, the physical interface (ATM0) is not being reported as changing state to down, neither is the Dialer interface.
When the router is in this state we have to SSL to the public IP address of it and manually restart the ISAKMP SA.
When the router sees the ATM interface go down and subsequently come back up, the VPN connection to the PIX also recovers.
So - in a long winded way I think I'm asking....why does the Virtual interface go down and is there anything I can do to stop it happening?
View 3 Replies
View Related
May 5, 2013
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies
View Related
Dec 19, 2011
I am interesting how ASA 5585-X with SSP-60 operates in dual firewall mode, if I install two SSP-60 modules in chassi, do I get one logical firewall with doubled performance of (SSP-60) ?
View 1 Replies
View Related
Feb 17, 2013
I have a query on natting on 8.4 ASA. We are going to configure IPsec tunnel with our client. Our client has provided a single ip(192.168.32.11) which would be the source at his end. Is it possible to Nat my end network(10.130.20.0/24) with logical ip (192.168.32.11) which is not configured anywhere.
here are details.
my end internal network(inside) : (10.130.20.0/24)
logical ip to be natted my internal ip: (192.168.32.11)
Client end network : (10.100.10.0/24)
View 5 Replies
View Related
Nov 15, 2011
We have a block of addresses assigned to us by our ISP. We need to assign one of these addresses to a vendor we use for traffic to one of their internal devices. Lets say the address we gave them out of that block of addresses is 1.2.3.4
How do I add that address to the outside interface so that when traffic s sent to it that the traffic actually gets to the ASA as right now when we send traffic to that address it doean't make it to the ASA.
View 1 Replies
View Related
Jun 14, 2011
I currently terminate my L2L VPN sessions on the "OUTSIDE" interface via the actual IP address assigned to that interface. Can I assign the OUTSIDE interface a second address (VIP, Logical, Virtual etc.) and then terminate my L2L VPN sessions on that second address?
View 3 Replies
View Related
Feb 3, 2013
I cannot seem to ping from the outside of my 5520 firewall to an inside network. I have a single physical outside interface connected to a Layer 2 switch, with a laptop connected to it. This is on network 10.11.131.0/28. From there, I cannot ping to the inside interface (which is a sub interface on G0/0) with network 10.11.130.0/24/ For some reason, it doesnt work.
Now. I had access-lists in place, but have removed them for testing and it still doesnt work. I have set the security level of inside and outside to 100, and entered the same-security-traffic permit inter-interface command - still no joy. Below is the relevant configuration.
Inside Interface
interface GigabitEthernet0/0.96
description L3 Interface - Informational Zone
vlan 96
[Code].....
View 4 Replies
View Related
Feb 23, 2011
Recently our network experience a Internal DoS attack. One internal server ( the network/security team doesnt have any access to the adninistration of these server) starts to send a lot of DNS bogus request to some DNS servers on the Internet. With sh conn detail we saw the IP of these server and blocked it with an ACL in the Internal ASA 5520 interface. After that, the server team disconnect the server, and made their job cleaning these infected device. Everything goes normal again....
Today, the same server starts again with the same problem. But a lot worst thant the first time. The ASA starts to drops packets in the internal interface, the overruns was increasing dramatically ( like 10000 per second), the asp-drop table shows the same amount of traffic than interface overruns in the ACL-Drop line , and the CNT blocks for 16xxx with sh blocks was in zero. The sh acess-list INSIDE shows near 9 million hints in the line that deny the DNS request from the server to the Internet. Again, we disconnect the server and the problem was solved by the server team.
It seems that our ASA cant handle in their internal interface the amount of traffic that these server send outbound. IS there anyway to raise the blocks in the firewall? What is the best way to deny the servers connections ( ACL, or MPF or threat detection maybe), and avoid the ASA interface overruns even when the server sends these large amount of request.
View 1 Replies
View Related
Mar 16, 2013
i have a Problem with SNMP on the ASA Outside Interface. I want to monitor the Interface via SNMP (linkup, link down). I have a Active/Passive Cluster running on 8.4.2 and configured SNMP (v1) for Test on the Outside Interface. It's not that hard but when i try to test my Configuration with (peerless) SNMP Tester the Interface doesn't respond. Did i forget to configure something? Searched the forum but didn't find anything useful.
View 4 Replies
View Related
Feb 3, 2011
I have a network with Two 3800 Cisco Routers as Central and many Cisco 2811 Router as Branches. Now I set two Tunnel on each router connection Interface FastEthernet from each 2811 to SubInterface Fastethernet on 3800. I set OSPF as Routing Protocol and I configure QOS on Tunnel connections. Then I have a safe connection with backup connection between 3800 Router and each 2811 Router. Now I want to set VPN with IPSEC and Certification Authentication with CA Server for Security all connection. I set IPSEC and ISAKMP and Certificate on each Router and Set Dynamic VPN on Cisco 3800 Router and Static VPN on each Cisco 2811 Router. Now when if I configure tunnel with Crypto map, it works correct and all packets are encrypt. But if I try to set crypto on physical Interface(because I want to set qos on tunnel then protect packets on physical interface) however all packets are routed but crypto and encrypt d o not work. Set qos on tunnels and crypto on fastethernet interface.
View 4 Replies
View Related
Jun 5, 2012
I am preparing configuration (currently in lab) for Per-Tunnel QoS in DMVPN on ASR 1002F for one of our customers, and I came across one issue. According to restrictions for this feature, I cannot apply per-tunnel QoS in conjunction with interface based QoS. This means, I can provide shaping with hierarchical CBWFQ for each spoke, but I cannot guarantee anything on physical interface! What if there are services in native MPLS? I am also unable give reservations for BGP which is used on PE-CE link! How about monitoring spoke PE-CE links natively? I can only apply policy-map with class-default on physical interface. When I add anything related to queuing for that class (or any other non-default class) I get the message:
R1(config- pmap)class routing
R1(config- pmap-c)#bandwidth 16
service-policy with queuing features on sessions is not allowed in conjunction with interface based
[Code] ........
View 8 Replies
View Related
Feb 15, 2012
I have my wan connection on the eth0. The bandwidth is 2mbps. I am running qos on that interface saying 192.168.200.0/24 can use 80% of the bandwidth and 192.168.201.0/24 can use 20% of the bandwidth. I Also have vtun VPN inteface to our branch office. I also wan to run some qos on that interface. How do i go about allocating the bandwidth on this interface? it is actually going via the eth0 interface, but the system actually see's it a an independent interface on its own right, so it requires it's own qos policy.
View 3 Replies
View Related
Nov 10, 2011
On a Cisco ASA 5520. I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other but I DON'T want to blanket enable 'same-security-traffic permit inter-interface" I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic and it simply doesn't work.
interface GigabitEthernet0/3.175
vlan 175
nameif Test175
security-level 30
ip address 172.30.175.1 255.255.255.0
[code]....
View 13 Replies
View Related