Cisco Firewall :: 5550 Firewall Set Up For Redundant Purpose
Mar 3, 2011
i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .interface Ethernet0/0 nameif outside security-level 0 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2!interface Ethernet1/0 nameif inside security-level 100 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11.default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .in this case the secondary ip add 10.0.0.11 is actually nerver used? similarly do i need to have two public ip address for outside (one for primary and one for secondary ) ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.
View 6 Replies
ADVERTISEMENT
Jul 23, 2011
I really need understanding some of the logic behind the default ZBFW settings on my Cisco 881W courtesy of Cisco Configuration Professional. Here are my two questions:
1.) What is the purpose and logic behind consolidating the first class-map (ccp-cls-insp-traffic) in to the second Class-Map (ccp-insp-traffic) as follows?
Code ....
2.) What is the purpose and logic of Policy-Map ccp-inspect is trying to drop traffic from ccp-invalid-src, which is filtering based on ACL 100:
policy-map type inspect ccp-inspectclass type inspect ccp-invalid-src drop logclass type inspect ccp-insp-traffic inspectclass type inspect ccp-protocol-httpclass class-default drop.
Code ....
View 1 Replies
View Related
Feb 22, 2013
I have cisco 5550 Firewall, one messages appear in syslog server from Firewall, (warning) i want to stop this message from appearing syslog traps.
View 2 Replies
View Related
Apr 17, 2011
I am having two ASA 5550 firewall running in active/standby mode. With in last two months our secondary firewall got down automatically 3 times. Firewall is running with IOS version 7.1.2. how to proceed further troubleshooting because there are not any logs on firewall.
View 3 Replies
View Related
May 23, 2011
We have a Highly available VPN infrastructure across two data centers. We also use ACS 4.2 servers for authentication. The ACS servers are in teh same "cluster" in a Primary and Secondary fashion. Site A has primary ACS and primary ASA 5550 IPSec VPN termination. Site B has secondary ACS and redundant ASA 5550 IPsec VPN termination. We also use InfoBlox for DHCP IP address assignments. The two IPSec VPN Head end devices, ASA 5550s, they use different subnets for IP pools for the VPN Clients. Site A uses x.x.24.0 and Site B uses x.y.24.0. As indicated VPN clients authenticate using teh ACS 4.2 Radiius server. I can assign static IPs per user on the ACS server but this can only work for the primary site. Once static IP address is assigned on primary ACS for a user, this status will be replicated to the secondary ACS on Site B. When the Primary IPSec VPN Head End ASA or Internet fails on Site A, Clients on DHCP will work fine seemlessly via Site B. But for the static IP users, you have to change the Assigned Static IPs to match the subnet on Site B. How I can assign static IPs to clients via both Sites without manual intervention. Either via DHCP or ASA. I was trying to stay away from creating multiple Groups for VPN and also avoidng creating local ASA users because these options will not scale well as static user base increases. I need users to get a static IP address from Site A subnet when connected to Site A and get a static from Site B subnet when connected through Site B.
View 1 Replies
View Related
Aug 3, 2009
In ASA 8.0,I have following queries related to redundant interfaces
a)While configuring redundant interface can the redundant interface again be divided into logical interface like red1.1 , red1.2 ?
b)Is Redundant interface supported in the Multiple context mode
View 4 Replies
View Related
Feb 14, 2012
I am configuring a pix 525,i just found out how to activate the subinterface on it so that's good,the box has a primary unit and secondary unit, both are connected from G0 to redundant switches,if i do a show failover, it says it's using the serial based lan failover, which is fine by me,however, do i need to create a single, regular interface.. or a redundant interface?,i.e. if i create a regular subinterface, will failover still apply to this interface?,or for failover to work, do i need to create a redundant interface (with a redundant id)? i do not seem to have the option to create a subinterface when adding a redundant interface.
View 7 Replies
View Related
May 8, 2011
I have two ASA 5540s, ver 8.4 configured in Active/Standby failover.I am also using the redundant interface feature for my Inside interface. Gig0/0 is the active primary and Gig0/1 is standby.
I will activate failover monitoring of the Inside interface using the monitor inside command.
My question concerns the failover monitoring of the redundant interface. If the gig0/0 connection were to fail would the Gig0/1 interface become Active, AND simultaneously result in a full device failover?
Or, does Gig0/1 of the Inside interface redundant pair simply become active and not change the Inside interface device failover state? Thus NOT resulting in a device failover.
View 1 Replies
View Related
Jul 15, 2012
I am using 6500 with VPN Accelerator on this device. I have a dozen other VPN connections GRE and IPSEC to routers and ASA and other Juniper Firewalls.
They all work perfectly.The error I get is map_db_find_best did not find matching map (Never seen this error be for) [code]I can't put the whole config for security reasons.
View 5 Replies
View Related
Aug 26, 2011
Is this this possible to set up two as a redundant pair as you can do with say a pair of 5510s?
View 3 Replies
View Related
Aug 14, 2012
I have configured redundant interface on ASA 5510
interface Redundant1
description *** INSIDES NETWORK ***
member-interface Ethernet0/1 (This is a 1000Mbps Port)
member-interface Ethernet0/2 (This one is 100Mbps)
no nameif
no security-level
no ip address
[code]....
Then... i issue following command and its OK!
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
[code]...
It's transfer correctly then i no shut and back to normal Primary core switch Gi0/30 Interface again, BUT redundant interface no revert back. I issued this command again BW remain 100Mbps.
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
[ code]....
I did manually shut down and no shut the secondary core switch interface Gi0/30 Its changed correctly to 1000Mbps .
View 1 Replies
View Related
Mar 6, 2011
My customer is running an ASA5505 with 8.3 code.
The have a somewhat flaky proxy between their inside LAN and the firewall. I'd like to have a configuration as follows:
LAN > Proxy > VLAN 1 (eth0/2) on ASA
and
LAN > VLAN 1 (eth0/3) on ASA
So that in the event of Proxy failure (let's just say it loses power) the eth0/3 interface will kick in.
This appears to be easily configured according to the documentation:
"The following example creates two redundant interfaces:
hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# interface redundant 2
hostname(config-if)# member-interface gigabitethernet 0/2
hostname(config-if)# member-interface gigabitethernet 0/3"
But these commands don't seem to be available on a 5505.
View 7 Replies
View Related
May 13, 2011
I have ASA5550 ruuning Version 8.3(1) with inside and outside interfaces as below [code] On the inside : I have a server (10.20.10.36) that need to be accessed from an outside host (Y.Y.131.34) , so I have the below NAT/ACL rules. [code] is it right that I have to add two ACL entry for outside host to the NATed IP of the inside server , then again add another ACL entry from the same outside host to the private IP of my inside server o get this communication done?
View 7 Replies
View Related
Jan 31, 2012
we had just installed our ASA 5550 with IOS 8.0(2) a couple of week ago.
2 interfaces from each slot are being used ie 0/0 for Branch users comming via MPLS cloud , 0/1 for internal LAN users comming form Core Switch & 1/0 for Server farm LAN , 1/1 for Internet (outside)
the first 3 interface are considered inside with sec set at 100 while the 1/1 is outside with sec at 0.
Last night it suddenly started dropping all connections without any warning or any noticible log form the ASDM logging.
the connection drop would happen for 2 - 3 minutes and would work fine for the next 15 minutes or so..
after conencting the console , we found out that the IOS would suddelny go abrupt and show this display ...
TP-ASA(config)# TP-ASA(config)# TP-ASA(config)# Thread Name: Dispatch UnitPage fault: Address not mapped vector 0x0000000e edi 0x24d184b0 esi 0x0000000d ebp 0x1c6ceaf8 esp 0x1c6ceae0 ebx 0x09e965e0 edx
[Code]....
View 2 Replies
View Related
Oct 4, 2011
I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.
We have public addresses inside the ASA and want to allow in/outbound connections using these IP's without NAT. The ASA is a 5550.
View 7 Replies
View Related
Oct 21, 2012
I have two 5505 ASA. I would like to know can I make two 5505 failover redundant with active standby setup?
View 11 Replies
View Related
Jun 10, 2013
we have two ASA 5510 connected in failover, and a pair of cisco 2960s switch connected in stack. Currently one interface of primary ASA is terminated on switch1 and a interface from standby is connected to switch2 as Inside, and switch1 and switch2 are in stack. for redundancy purpose i want to use multiple interfaces of ASA for inside , so first i thought to use etherchannel , but it has a limitation that , it cannot be terminated on stack switch(as per cisco document [URL]
So my question is :
1. can we use redundant interface feature where 2 physical interfaces combined to a redundant interface (eg interface redundant 1) for inside redundancy purpose.
2. Can these ports from primary/standby ASA terminated on stack switches (2960s), will this work (if the switch with active port goes down, will the other port take over in the redundant interface with the other switch).
View 1 Replies
View Related
May 21, 2013
I need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
View 2 Replies
View Related
Mar 10, 2013
I have Active Standby ASA5550 setup with VPN premium license. A few days back we had a requirement of SSL VPN connection for and we got a temporary from Cisco for same, this license expired and the ASA reverted to it's original license. 3 4 days after this we saw a sudden increase in CPU utilization (upto 90% + -5%) on the ASA during production hours but were not able to figure out the reason, in order to restore the services we failovered the firewall to secondary and everything worked fine. We were suspecting one of the following but there were no logs for any of this
1. The ASA hardware was haivng problem
2. Some client was doing a DoS attack to bring down the ASA (no logs for this as well).
We took a downtime to look further by failovering the ASA back to primary and it worked fine without any issues ruling out the 1st option. We also came across a licesing doc [URL]
Downgrading any license (for example, going from 10 contexts to 2 contexts).
# Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
As per this doc, sooner or later a restart was required on the ASA. We restarted secondary ASA and everthing was fine but when we restarted the primary ASA by swtiching over to secondary some of the server (not all) in the DMZ stopped working (even ICMP unreachable) and only came back to normal when the primary ASA was restored and working fine (with failover).
The reboot was done by shuting down the physical link between the Core switch and ASA inside individually.
I am not sure what could be the issue that the servers in the DMZ wen unreachable.
View 0 Replies
View Related
Aug 9, 2010
In my Cisco ASA 5550, I need to set two different syslogs servers, and I need to send the system logs to the first one (only admins login/logout), and the traffic logs and all the rest (informational level) to the second one. Do you know if is it possible or not and, if yes, how to configure it?
View 6 Replies
View Related
Jun 12, 2011
I would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies
View Related
Apr 26, 2011
I am using an ASA5550 for a complex secure network that has at least six "outside" networks. Each "outside" network is assigned to a specific port each set at level "0". I also have a DMZ, set to level "50". I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks. Is there a limit to the number of "outside" interfaces? I will provide a redacted config file as soon as possible.
View 3 Replies
View Related
May 10, 2013
i have Cisco ASA 5550 and i want to do URL filtering using Web sense,can i use Micorsoft Forefront TMG2010 as websense server to do that?
the idea is to filter the HTTP & HTTPS URLs,if the Micorsoft Forefront TMG2010 is not suitable,refer to suitable Websense URL filtering server?
View 2 Replies
View Related
Oct 3, 2011
I have the following problem, right now we have an ASA 5550 connected to the client´s side. A reset is being received on the client´s side, but when we run the sniffers on both extremes of the network, we can see that the reset is not being sent by the server´s side.
We have narrowed it down to the 5550 ASA, but have found no bug that matches the description.
The characateristics of the reset packet are the following:
- It is the only packet with a TTL of 255.
- Both server and client have very different window sizes, and the reset packet even though has the server´s ip and port as source of the packet, it has the client´s window size.
- It has a correct ack number.
-Before the reset is received, there are a couple of retransmissions of the last packet sent.
- We´re handling a VPN tunnel between both servers.
View 1 Replies
View Related
Feb 7, 2011
i m looking for asa 5550 product.Part # ASA5550-BUN-K9 - Cisco ASA 5550 Appliance with SW, HA, 8GE+1FE, 3DES/AES
1) does 5550 contains built in CSC / IPS modules.? why i m asking because the "quick refrence guide " indicates that expansion slots are not available.
2) can asa 5550 natively protects natively against networks attacks against virus / worms etc with out CSC OR IPS MODULE.?
View 9 Replies
View Related
Apr 23, 2013
I am about to carry out a migration from ASA 5550 to ASA 5555-X, however I cannot find any detailed document or reliable tool for this migration.
View 4 Replies
View Related
May 22, 2012
I cannot logon with adsm anymore.when I run adsm, I type in my pw, and the screen keeps displaying "contacting the device". No timeout, just stays this way.I've updated the java version, no luck.I can connect with SSH with no problem. device = asa5550, 8.2(1) asdm 6.2(1) [code]
notice that there is no "with cookie-based authentication" here -- is this relevant?
Rebooting the device is not really an option.
View 7 Replies
View Related
May 2, 2012
I have an issue were thousands of connections on the ASA are marked with flags E, below is a visual of the connection. Any ideas what could cause this marking? Also, I can't grasp what the meaing of an outside back connection (ie flags E).
TCP DMZ:X.X.X.X/139 Inside:X.X.X.X/1828, flags E, idle 9h37m, uptime 9h37m, timeout 15s, bytes 0
View 0 Replies
View Related
Jan 10, 2011
i'm installing a Firewall Cisco ASA 5550 with 8 Gigabit interfaces.
I have installed firmware 8.2.3.
Is it possible to make link aggregation on ASA to have more bandwith?
View 7 Replies
View Related
Aug 7, 2011
I have a couple of ASA5520 and ASA5550, and I wanted to know if it is worth it to upgrade the software from 8.2(4) to 8.2(5)? Because of the RAM I cannot upgrade to 8.3 for now.
View 1 Replies
View Related
Jan 8, 2013
I just got a brand new ASA 5550, i configured the port g0/0 on asa with an ip address 192.168.10.1 then configure my computer with ip 192.168.10.2 and default gateway is 192.168.10.1. I'm able to ping the asa from my computer. I remote to ASA thru the console port and try to copy iOS from flash to my pc but it doesn't work.
Cisco asa# copy flash tftp://192.168.10.2/asa804-k8.bin
Source file name []? asa804-k8.bin
Address or name of remote host [192.168.10.2]?
Destination file name [asa804-k8.bin]?
Writing file tftp://192.168.10.2/asa804-k8.bin...
!%Error writing tftp://192.168.10.2/asa804-k8.bin (Timed out attempting to connect)
Cisco asa#
View 3 Replies
View Related
Apr 6, 2011
I have two box cisco asa 5550 in multiple context mode and failover.
My network topology is:
Outside Network
•
•
•
DMZ2 Network • • • • (CISCO ASA 5550) • • • • DMZ1 Network
•
•
•
Inside Netowork
My interface "Inside Network" is full(I think).I can't diagnose this, based on command "sh interface gigabitEthernet"
109042974565 packets input, 100691006385765 bytes
94097614769 packets output, 59002295942465 bytes
999339444 packets dropped
My interface is 1GB, based on the above command, it is full?If interface is full, i have a problem! All the ports on asa firewall are using, how do resolve this? I can compress all data on this interface with class maps and policy maps?
View 4 Replies
View Related
Apr 22, 2013
We are having Cisco ASA 5550 appliance. from some days i am not able to access this ASA using ASDM. I am able to access ASA using SSH.[code]
At the same time standby firewall works perfectly fine with ASDM. I have tried by reloding the firewall, then it worked for 2 days & again stopped working.
View 6 Replies
View Related
