Cisco Firewall :: 5550 ASA (8.3) - Packet Tracer / Multi-Context Classification
Nov 22, 2011
I've been using packet-tracer for some time on and off with mixed results.
I'm running a multi context firewall with over 10 of the contexts sharing the same outside interface / network. All interfaces obviously have valid, unique IPs and also unique MAC addresses as mac-address auto is enabled in the system context.
This is an ASA 5550 running 8.3(2.10) interim so includes the fix for the well-known packet-tracer classification failed bug.
So in theory, with firewall contexts on a shared interface the ASA should use the firewall MAC address to classify incoming traffic to the correct firewall and as far as I am aware, only fall back on using NAT to classify if the interface MACs are the same. In reality on my platform this doesn't seem to be happening and the classifier is using NAT to determine the destination context. I'm seeing this with live traffic (i.e. not generated by packet-tracer) in logs and can prove it by disabling certain NAT rules (there is some overlap with the IP addressing behind each firewall).
My question regarding packet tracer is this - in the above scenario with a shared outside interface, does packet tracer ALWAYS use NAT to determine the destination context? Or does packet tracer look up the MAC address of the ingress interface according to what context you are running packet tracer from? It appears that packet-tracer is using NAT in my case which could be just symptomatic of the potential bug I've described above rather than by design.
Jan 29, 2012
I am trying to configure multi context on the 5520 ASA. How can I configure 1 outside and 1 inside for the 2 contexts, or how do I configure both outsides from the same subnet and insides also from the same subnet? I did the below configuration but it didn't work. [code]
Apr 25, 2013
How do I measure the total throughput going via the 5585-X? It has a firewall throughput of 5Gbps. Looking at the aggregate of all the interfaces' traffic going through, it seems about 4Gbps is going through.
I use the show traffic command and add up the transmit and receive traffic on each live interface. Is that the correct method, and are there any more commands?
Apr 5, 2013
I have a project about ISP in packet tracer. I want to know how to make the firewall configuration and the steps. I don't know how to use a firewall in packet tracer at all.
May 7, 2013
I have an ASA 5585 in transparent mode, multi-context. It seems that the option to configure a BVI in one of the traffic contexts isn't there. In other words, while I see the option to configure a bridge group interface in the admin context, no such option comes up in the traffic context.
[CODE]....
Jun 1, 2013
On ASA 5515 it shows it is in transparent mode and it has multi context. As in transparent ASA we know it has a single management IP address. This ASA is connected to one switch on two ports, gi2 and gi3. One port carries VLAN say 800 to the ASA. The other port carries VLAN 500 from the ASA to the switch. But when I log onto the ASA and do sh run it shows no VLAN info there.
Dec 9, 2012
I need your support for upgrading the Security context license on a 5550. At present we have a 5 Security context license installed in the ASA but we want it increased to 10 contexts. I want to understand if we need to get an additional 5 Security context license or 10.
Nov 6, 2011
I'm having a problem with a context. I have two CISCO ASA 5550 (failover) and we also have the CISCO CSM to monitor it, but for some weeks it has been showing a memory usage of 100%, but then it drops until it reaches zero and then the graphic goes up again. This is the second time that the graphic shows this.
I also checked this on the CLI and it's fine because it is showing the real percent, so my question here is why is it showing this kind of behavior? I mean it was working fine before.
On the other hand, I checked the secondary device and it is showing 99% of used memory, but as the other one this graphic doesn't drop.
I also checked via CLI and it says that it had 99% memory used. Is there a way that I can put more memory on the context, or what do you suggest that I check on my firewalls?
Mar 16, 2013
I am trying to troubleshoot a problem wherein one of my remote sites is not able to access some networks at HQ over Site to Site VPN (ASA 5505 at Remote and 5520 at HQ). I ran packet tracer and the HQ ASA looks clean as everything came out as ALLOW. The remote site ASA packet tracer gives me a DROP at Phase 9 (VPN). I am not very sure what to look at in the ASA for resolution now. Is it an access list that is blocking the traffic or the VPN setup?
Dec 29, 2012
We have a 5585X running in multi context mode, and we are getting log entries for scanning threat detection, such as:
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3116
Threat detection is not supported in multi context mode so I cannot tune the thresholds, is there any way that I can get rid of this outside of messing about with logging levels/message IDs?
Aug 12, 2012
I have a failover pair of ASA5550s running ASDM 6.2(5) and ASA 8.2(2). Originally they were set up with 2 contexts and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
Sep 26, 2011
I have an ASA 5550, and I created 2 contexts in my ASA 5550. I created a NAT in context A and context B. But when I create the NAT in context B I get an error message like this: "static overlaps with global in another context". I have checked there is the same NAT translation in context A and context B. My question is: is the same NAT translation configuration not allowed in context A and context B?
Jun 13, 2012
I have a failover pair of ASA5550s running ASDM 6.2(5) and ASA 8.2(2). Originally they were set up with 2 contexts and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
Sep 16, 2012
I have an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to internet, no VPN. Now the customer would like to add another ISP uplink, without investing in another box for HA. What comes to my mind is to make the current box multi context. There are some areas I am concerned about, and I also need your perspective on them.
Question 1: To make the firewall multi context, do I need to do it from scratch: issue the mode multiple command, then rebuild the current production config into one of the contexts, then another context meant for the new IPS uplink, and one admin context?
Question 2: For the CSC-SSM licensing requirement, model ASA 5510 with Security Plus license is able to support 2 contexts. So if I split my firewall like what I mention in question, what exact number of contexts do I own (admin, context A, context B)?
Question 3: For the CSC-SSM module in multi context mode, must the management port of the CSC SSM be attached to the admin context?
Question 4: After configuring all the policy and traffic to scan, what exactly should I do in order to apply this policy to the interface? Should I only enable it at the admin context, then firewall service-policy rules, and apply it globally, OR should I also do the same action on context A and context B?
Apr 19, 2011
I'm on the CCNA 4 Accessing the WAN part for the Cisco Academy. I'm trying to do a packet tracer 8.6.1 and I'm stuck. I'm looking for the answer so I can figure out what I'm missing.
May 16, 2011
How can I pair an HTML file to a domain name in packet tracer?
Sep 9, 2012
Having some issues. My basic VOIP network I can get to work no problem under VLAN 1. But when I try to make multiple basic networks to connect and put them into different VLANs such as VLAN 2, 3, 4 and connect them, the phones now say configuring IP.
Jan 29, 2013
I'd like to know if packet tracer 6 can be downloaded yet?
Mar 6, 2011
I'm trying to set up a network comprised of three LANs connected by serial. As this is a small part of an assignment I've been instructed to subnet into /26 and to use /30 subnets for my serial connections. At the moment I can ping between devices on each of the LANs but I can't ping between routers at all. Embarrassingly I'm not sure why. I think it may be something I've missed on setting up the serial links, as I have set routers up fine before using other connection types.
Oct 25, 2011
How to unlock the config tab in packet tracer?
Oct 27, 2012
I'm preparing myself for the CCNA exam and I started doing a lot of different examples. I've got a problem with Packet Tracer when I'm trying to apply some security settings for the range of switch ports in default VLAN 1. I might just demonstrate my commands so it will be easier to understand.
Dec 5, 2012
I am trying to test PIM SM mode between some 2811 routers built up in my packet tracer 5.3.3. But surprisingly the PIM option is not coming up in the interface mode. Even the IP multicast option is not shown in global config mode.
May 27, 2012
I have been playing around with Packet Tracer trying to understand EIGRP and to put it into practice. Well, I'm not doing so well. I can't get the routers to form an adjacency, therefore nothing is pinging outside of the routers. [URL]
Jan 21, 2013
I'm an IT student and I've been assigned homework simulating a network including an ISA server and some clients in Packet Tracer, but I can't find anything which can be configured like an ISA (Internet Security and Acceleration) server (this is kind of Microsoft's technology as I know) in Packet Tracer. The generic Server from the devices box has only some basic services such as HTTP, DHCP, DNS, FTP, AAA, ... but nothing related to ISA. All the servers in Packet Tracer have only 1 interface whereas the ISA server (as far as I know) should have at least two interfaces, and there is also no CLI supported for those servers, so I think I can't simulate an ISA server in Packet Tracer, can I?
Mar 18, 2013
I'm trying to create a silent, scripted install of Cisco Packet Tracer 5.33. At the end of the install there is a box that comes up about Packet Tracer Skills Based Assessment (PTSBA). Is there a way to suppress this dialogue box? I'm using "PacketTracer533_setup.exe" /sp- /verysilent /norestart" with no luck.
Jan 16, 2011
I have 2 routers connected in a cluster with a serial DTE link. The screen is locked. I need to draw a topology of the Internet cluster, but I don't know how to discover what is in it, because I don't have an IP set.
Oct 12, 2012
Using packet tracer, how can I find the DNS server IP address? I am also having trouble pinging the desktops and server that I manually assigned the IP addresses to.
Sep 29, 2011
I am using packet tracer 5.3 version and I am trying to configure IGRP on it but it doesn't show me IGRP under routing protocol selection. Router number is 2621XM. IOS version is 12.2. learn the configuration of IGRP.
Mar 22, 2013
I'm a student from an IT school and I have a school project but I have a problem in packet tracer. In a VLAN, I must block the communication between the computers in it but I don't know how I must do that. Effectively, it's about 250 computers in this VLAN but each computer can't communicate between us.
Oct 20, 2011
Asking about Packet Tracer. I currently use packet tracer 5.3.2. Can you give me any link where to download a router template for packet tracer? I want to explore the Cisco 2821 but packet tracer 5.3.2 has only the Cisco 2811. Then I tried to add the 4 ports of RJ11 but I cannot see the 4 port telephone.
May 30, 2012
I am unable to get traffic from any VLAN to communicate outside of the router, as well as get any traffic from outside of the router to communicate with any device on either VLAN. I am able to ping the router from each device on each VLAN, and vice versa. However, the traffic seems to die at the router, and I cannot figure out why. I know it's probably a small, easy fix, but I cannot seem to find any kind of documentation on it.
Sep 16, 2012
here, am used to the RouterSwitch CLI but been asked to set up an ASA 5505 8.4. Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment, and no matter whether I set it up as an auto-nat or a twice-nat, whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running: packet-trace input outside tcp 80.80.80.80 3389 10.240.0.10 3389
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:nat (inside,outside) source static server publicIP service RDP RDP
Additional Information:
[code]....
Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running, as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing? I have this morning wiped the config and have simply set up the adapters, a default route and twice nat and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut!
[code]...
May 23, 2012
I have made a topology in packet tracer related to etherchannel configuration. I am using 2 3560 switches and 1 2950 switch. Now what I want is to bundle up the redundant links between these 3 switches. The links fa0/1-3 between the 2950_1 and 3560_1 switches have been bundled up, but when I try to bundle the links fa0/4-6 of 3560_1 to fa0/4-6 of 3560_2 it won't work. I am using channel-group 1 mode desirable between the 3560 switches. Secondly, if I want to assign IPs to port channels then it has to be of the same subnet between the 2 3560 switches, right, and it must be the same between 2950_1 and 3560_1. But these 2 subnets should be different from one another.