Cisco Firewall :: 5540 PIM Multicast Routing In ASA Scenario
Jun 19, 2011
We have an ASA-5540 (8.4(1)). The inside interface faces a few multicast receivers. The outside interface faces the multicast source. All of the ASA multicast documents I've downloaded describe very simple network designs, such as a single segment on the ASA inside. Our PC hosts that will be multicast receivers are a couple of router hops away from the ASA inside interface. I'm not sure what the best way is to configure multicast on the ASA. Should I configure the ASA with PIM routing and a static RP address (plus the ACL to allow the multicast source traffic in) since the receiver hosts are a couple of hops away? I think I understand the IGMP joins are for a local PIM router, so configuring as a Stub Multicast router wouldn't work? The two Cisco routers between the hosts and the inside ASA interface already have PIM, a static RP address, and IP PIM Sparse-Mode configured.
View 1 Replies
May 3, 2011
I need to configure multicast between two Cisco 5540s over a LAN-to-LAN IPsec tunnel for a VoIP application.
View 2 Replies
Mar 31, 2011
I currently have an ASA 5520 in production without using subinterfaces. I have connected an interface on the ASA to a 4507; the 4507 contains SVIs which perform the routing for our internal network. I have another ASA 5520 and I am playing around with a few new design scenarios. The problem I am currently having is with subinterfaces on the inside of the network. I understand the subinterfaces on the outside network; I am using subinterfaces on the outside for dual-homing ISPs.
I don't understand the multiple subinterfaces on the inside, for some reason I can't wrap my mind around using them. I have created a few and trunked a port from my 3560X to the ASA interface. Here is my design.
ASA 5520 config (I realize that this isn't how it would look in the CLI, I just don't remember all of the commands):
interface Gi 0/1
nameif Physical Interface
no ip address
interface Gi 0/1.10
nameif Prod_USERS
ip address 172.16.10.1 255.255.255.0
security-level 100
interface Gi 0/1.20
nameif Users
ip address 10.10.16.1 255.255.255.0
security-level 100
Alright, so in this scenario I would have a trunk port from my 3560X connected to interface Gi 0/1 on the ASA. On the 3560X I would create the two VLANs (VLAN 10 and VLAN 20); I also created an SVI on the 3560X as follows.
3560X config:
interface VLAN 10
description PROD_USERS
ip address 172.16.10.2 255.255.255.0
no shut
interface VLAN 20
description USER-NET
ip address 10.10.16.2 255.255.255.0
no shut
Now I create a default route on the 3560X as follows, "ip route 0.0.0.0 0.0.0.0 172.16.10.1". By doing this, I can only route my 172.16.10.0 network out to the internet, not the 10.10.16.0 network? I have to remove the default route above and add ip route 0.0.0.0 0.0.0.0 10.10.16.0 for clients on that network to browse out to the web.
So I am obviously missing something crucial here and I just can't wrap my head around this design scenario for some reason. What topology is necessary for this configuration to function correctly, and how can I get both of my VLANs to function properly? I would like for the 3560X to route traffic internally until traffic needs to go into the DMZ or out to the web, and at such time it should then use the firewall.
View 5 Replies
Apr 2, 2012
We're in the process of swapping in a new pair of ASA5520s and Catalyst 3750s to support two separate business units. We want Firewall A and Switch A to handle traffic for Org A (VLAN 100). Similarly, Firewall B and Switch B should handle traffic for Org B (VLAN 200). But we want to be able to fail traffic over in case of firewall or switch failure. Traffic between the two orgs is being routed at the switch level. [code]
The uplink interface on each switch is currently a routed port with a static address on the uplink subnet. This works fine in a normal state. However, when we fail over one of the firewall contexts to the other chassis, this results in the inability to route internal traffic because the internal interface is now physically connected to a different switch with a different IP port address (obvious in hindsight). The question is, rather than a routed port, what would be the proper way to handle traffic between the switches and firewalls in a failover scenario? If I make the uplink ports into trunks, won't this cause all packets destined for either firewall to hit both? Seems like that's not the way to go either? [code]
View 0 Replies
Jul 26, 2012
I'm fairly new at trying to create isolated network segments on Cisco switches. What I'm trying to do is have multiple isolated paths that originate from my vSphere infrastructure, travel through a layer 2 link (VLAN) up to an MLS, and ultimately out to the Internet through a firewall. Each subnet might ultimately have a number of hosts on it, but I don't think the makeup of those hosts will matter here.
My initial thought was creating VLAN-tagged port groups on vSwitches on my vSphere infrastructure. Physical connections will go from my ESXi hosts to the 2900 series Cisco switch, connected to trunk ports. Both VLANs would be configured on the switch but not assigned to physical ports. The physical connection to the 3750 would also be a trunk port connection from the 2960. The 3750 would have SVIs created that are attached to VRFs that would control route traffic. This might be totally wrong, but from what I've read it seems to be going down the correct path, I think.
Two-part question: is this the best way to go about designing this network? If so, I seem to be really struggling with the SVI/VRF part. Every time I create an SVI, all of my hosts on the 10.10.10.x network can ping them, regardless of which VLAN they're on.
I just cannot seem to isolate the 172 network.
View 3 Replies
Jan 10, 2012
Does the ASA 5540 support the BGP routing protocol being configured on it?
I'm talking about the latest versions.
View 3 Replies
Feb 19, 2013
I am trying to pass multicast traffic between two VRFs on the same 3750 switch. I have the IP Services IOS and the sdm routing template.
Here is my config:
ip routing
!
ip vrf vpn2
rd 1:1
mdt default 232.1.1.1
route-target export 1:1
route-target import 1:1
[code]....
Now I'm stuck; I don't know what to do to pass multicast traffic. Do I have any chance to run this config on a 3750 chassis? Perhaps the "Configuring Multicast VPN Extranet Support" document will be useful, but it concerns the Catalyst 6500? [URL]
View 0 Replies
May 10, 2012
I have a network setup where two servers on the inside need to communicate with a remote network via two VPN gateways. The destinations are the same. However, the challenge is that each server needs to follow its own VPN gateway. Since I can't configure PBR (policy-based routing) on the ASA, can I configure something like MAC-address-based routing? I can't use destination-based routing since the remote network is reachable from both VPN gateways.
View 1 Replies
Jun 26, 2011
I can't seem to find where in ASDM (6.4.1) we can configure IGMP forwarding: ASA5520(config-if)# igmp forward interface outside. The ASDM doc reference does not seem to be correct, pointing to "Configuring Stub Multicast Routing":
Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > Multicast > IGMP.
Step 2 In the Multicast pane, check the Enable Multicast routing check box.
Step 3 Choose MForwarding.
which generates:
ASA5520(config-if)# mfib forwarding
View 4 Replies
Feb 19, 2012
WAN1 <-> LAN traffic
WAN2 <-> LAN traffic
WAN1 <-> WAN2 traffic?
Say it is set to DISABLED; what is / isn't blocked?
It reads: "Multicast Pass Through: IP multicasting occurs when a single data transmission is sent to multiple recipients at the same time. Using this feature, the router allows IP multicast packets to be forwarded to the appropriate computers."
View 1 Replies
May 12, 2013
I have the following devices:
- 1 VM host
- 2 Layer 3 switches
I would like to provide full redundancy for all VLANs being used by VM guests on the VM host, as well as the management VLAN being used by the VM host. I have created two LACP EtherChannel connections on the VM host. Each EtherChannel from the host consists of 4 ports spanning a single NIC. One EtherChannel connection goes to a trunked EtherChannel connection on switch 1, and the other EtherChannel connection goes to a trunked EtherChannel connection on switch 2. Switch 1 and switch 2 have an EtherChannel connection between them that carries all of the VLANs in the topology. VLAN 2 is the management VLAN. VLANs 3, 4, and 5 are VLANs that VM guest systems will be using for normal data traffic.
I intend to use switch 1 as the VRRP active router and spanning-tree root bridge for VLANs 2 and 3. I intend to use switch 2 as the VRRP active router and spanning-tree root bridge for VLANs 4 and 5. The spanning-tree configuration is using Multiple Spanning Tree with two instances. Instance 1 has VLANs 2 and 3 associated and Instance 2 has VLANs 4 and 5 associated. I would like to have this topology be fault tolerant to the point where, if one of the EtherChannel links between the host and one of the switches goes down (for example, if switch 1 was powered off), traffic will be automatically redirected through the other functional link. I believe that my VRRP configuration would allow for a fairly quick failover of layer 3 services, but I am not certain that my design will be functional at layer 2.
What I am uncertain about is how spanning-tree will converge. I am assuming that the virtual switch on the VM host will not be forwarding any BPDUs being sent by either switch. Would either of the links connecting to the host be considered a redundant link by either switch? Would the link between switch 2 and the host be inactive for all VLANs in MST instance 1 during normal operation? Conversely, would the link between switch 1 and the host be inactive for all VLANs in MST instance 2 during normal operation? Would all links remain active for ALL VLANs? Would this mean that some traffic may travel through switch 2 to reach switch 1 instead of going directly to switch 1?
View 1 Replies
Mar 15, 2012
How are ASA 5540s in high availability mode upgraded to newer versions?
View 1 Replies
Dec 28, 2012
I am encountering some problems setting up my new Polycom HDX 8000 behind an ASA 5540. I have opened the required ports through the firewall (incoming and outgoing). I have enabled H.323 inspection on the ASA and enabled the option "NAT is H.323 compatible" on the Polycom.
3230-3243 tcp
h323 tcp
h323 udp
3230-3285 udp
Here is the problem. I get connected to the call, but the remote site cannot see and hear me. But I can see and hear them.
View 9 Replies
Mar 27, 2012
My topology is to connect IBM mainframes into a Single Gateway scenario. All the configurations in the machines are correct, and for a period of elapsed time we had the mainframe XCA/line/PU station (DLSw side) and the PU from the CCU 3745 line (Single Gateway side) both in ACTIVE state. The problem occurred when we tried to INACT and ACT the mainframe VTAM lines; the lines, after this restart operation, stayed in PCTD1 all the time. Searching for the problem in the DLSw border router definitions, we observed that there are two router serial interfaces defined with the same SDLC VMAC address (4000.3745.0000). Executing the DEBUG DLSW command, we verified that there are the following messages:
00:39:07: CSM: delete group cache for 4000:3745:1, group 0
00:39:07: CSM: delete group cache for 4000:3745:1, group 0
00:39:07: DLSw: START-FSM (2147483685): event:DLC-CloseStn.Cnf state:CLOSE_PEND
00:39:07: DLSw: 2147483685 to dead queue
My question is: does the occurrence of these two "delete group cache" messages for the same MAC address 4000.3745.1, group 0, mean that it is a mistake to keep two serial interfaces defined with the same SDLC VMAC address?
The messages displaying the CONNECTED state never appear, and I think they must be something like this sample:
%DLSWC-3-RECVSSP: SSP OP = 8( CONQ ) from peer 10.17.2.198(2065)
DLSw: START-FSM (488636): event:WAN-CONQ state:CKT_ESTABLISHED
DLSw: core: dlsw_action_i()
DISP Sent : CLSI Msg : CONNECT.Req dlen: 16
[Code]...
View 1 Replies
Apr 18, 2012
Why do we need MP-BGP (and not BGP) to exchange multicast prefixes between multicast domains?
View 2 Replies
Jul 16, 2012
I need to upgrade an ASA 5540 from 7.1 to 8.4 for the secure connect feature of the Cisco Jabber configuration. The support forum guidance says that I need to follow the upgrade path 7.1 --> 7.2 --> 8.0 --> 8.2 --> 8.4 and also do a memory upgrade from 1GB to 2GB.
[URL]
I need to use this feature for only three or at most four users in the company, so would I really need to do the memory upgrade, or can I go with 1GB of memory? Also, how can I get the price of part number "ASA5540-MEM-2GB=" at cisco.com?
ASA-ISB-HQ# sh version
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
[Code].....
View 2 Replies
Nov 19, 2011
ASA5540# sh run nat-control
no nat-control
This means a higher security level can talk to a lower security level without NAT rules.
Question 1) If I want the higher security zone to talk to the lower security zone with NAT rules, I would use statements like below. Am I correct?
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
global (inside) 1 interface
Is this correct? So in this case I am kind of overriding the no nat-control statement, right?
Question 2) Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption?
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
And do I have to have a global statement for nat 0, like below?
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-
View 2 Replies
Jun 10, 2012
I have a Cisco 5540 with an AIP-SSM-40. Recently I configured the AIP-SSM-40 to capture all traffic from all interfaces, any to any, in promiscuous mode, and so that if the card fails traffic still flows through the ASA. But after that I can't log in to Cisco ASDM; the error is "Un Able To Launch Device Manager From xx.xx.xx.xx".
View 2 Replies
May 11, 2008
I have a remote site customer with a Cisco ASA 5540 running SSL VPN (AnyConnect) (8.03). It currently only serves about 450 SSL VPN clients. Since last Friday, they've seen the CPU utilization go up to the high 90% range while only serving 400+ remote users. I saw some high CPU utilization bugs, but none looked to be relevant. How can I find the root cause of the high CPU utilization?
View 2 Replies
Apr 26, 2011
Just upped our external ASA-5540 pair to 8.4(1), and now one of our NATs is busted.
Here's the lowdown:
Our public IP for our IronPorts ends in .167. That IP is NATed to a VIP on our ACE, which load balances to the IronPorts.
The outside interface of the ASA uses .162, which has been the PAT for all outbound traffic for a few years, except for the subnet that houses the IronPorts. Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
After the code upgrade, the NAT won't work. No email sent or received. Nothing but denies on the ASA with flags reading either "SYN" or "RST", e.g.: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN on interface outside
If I return the subnet PAT back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.
View 6 Replies
Apr 29, 2012
I have two Cisco ASA 5540s; these ASAs are running ver 7.2 and are used mainly as VPN gateways. My question is simple: apart from the extra AnyConnect client functionality and the higher encryption, are there any specific security benefits (related to the VPN use) to upgrading to ver. 8.x?
View 4 Replies
Jan 26, 2013
I have to use GNS3 to simulate an ASA5540, but it does not work. I've installed the latest GNS3 (0.8.3.1 all-in-one) in a Win7 32-bit environment, and the IOS file used is asa842-k8.bin, but I can't unpack it properly. It said "Couldn't find any ZIP header in asa842-k8.bin".
View 2 Replies
Dec 19, 2011
I have two ASA 5540s working in Active/Standby mode. After I upgraded them to ver. 8.2.3, I have the following issue: once a day the currently active device arbitrarily reloads. I have no errors in show version or in the syslogs:
11:15:50 ASA : %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.0.36/512 gaddr 10.0.0.16/0 laddr 10
11:15:58 ASA : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.
View 4 Replies
Jan 3, 2012
I am having the EXACT same problem as this user: [URL]
Error: GnuTLS error -53: Error in the push function.
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
Response: 421 Connection timed out.
However I am using implicit instead of explicit. Here are the outputs of items that have been requested in the other thread.
View 1 Replies
Mar 13, 2011
We are trying to connect via SSH from an outside system (from the Internet); it was not getting connected.
When we try to connect from the outside pool of IPs, it is working.
View 1 Replies
May 20, 2012
I have 2 ASA 5540s that I want to run in HA A/F (Active/Failover). The active ASA has an IPS module running. I no longer need this and would rather remove it than purchase another module for the spare. What is the process to do this safely? After removal, will the HA wizard recognize that the module was removed, or do I have to update the software?
View 3 Replies
Sep 23, 2012
We have noted the automatic removal of the only "nat (inside,any)" line during the upgrade of an ASA 5540 from 8.4(3) to 8.4(4). Why?
View 1 Replies
Mar 19, 2012
There was a remote FTP server; users behind the ASA5540 could connect to it.
Now this FTP server has SSL/TLS encryption added, and users behind this ASA can't connect to this FTPS server.
Is it possible for users behind the ASA to connect to FTPS servers?
View 2 Replies
Jul 20, 2011
I was looking on the Cisco webpage at how to load an IOS from a TFTP server, but I have some questions:
I got the information from this webpage: [URL]
rommon #1> ADDRESS=10.132.44.177 <---- Which IP address? The one that I have on my firewall?
View 3 Replies
Apr 19, 2011
Q1. I would like to confirm how many contexts in total I have by default when I purchase the ASA 5540. Are they two contexts aside from the admin context, or two contexts including the admin context?
Q2. Can I configure the default box with High Availability using the default contexts?
View 3 Replies
Aug 10, 2012
I have an ASA 5540; how can I block software like TeamViewer, VPN adapters like Hamachi, and so on? Also, I have tried URL blocking, but I suppose the ASA supports only HTTP URL blocking and not HTTPS.
View 2 Replies
Sep 3, 2012
I have a Cisco ASA 5540 and I can't make a simple PAT work (many private IPs to one public IP). Below you can find my config.
[code]...
View 4 Replies
Feb 28, 2013
I am in the process of rebuilding our ASA 5540 pair. We are currently on 8.2 code with this set of firewalls, and I was going to upgrade it to 8.4 because I have a couple of other firewalls running this code currently and am familiar with it. That said, I saw that the 9.x code is out there now. Are there any major advantages or caveats with the 9.0 code? I plan to use this firewall with SSL VPN and RSA SecurID integration for the next 2-3 years at least. Any quick pointers on these two code versions and on upgrading to 9 or staying with the 8.4 line?
View 2 Replies