The firewall is running version #8.2 on ASA 5580. Address translation is not needed on Inside network and Outside network.But the customer has hundreds of static command as below.. [code] Can they all be removed and replace with one single command as below?
View 1 Repliesi'm new with the asa's...i'm familiar with the FWSM's on 6500's and pix..I'm running Version 8.3(2) and i wanted to setup nat-control and use of identify nats for advertising inside subnets to my outside networks.
the old command was static(inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x i'm having a little difficulty decyphering the pdf about the static nat...the command itself is no longer used, nat-control is no longer used, but i'm not quite sure what the equivalent nat command is that equates to the old static inside,outside command.
I have a static IP for the host RV180, however do I need a static IP for the remote RV180 ?
View 2 Replies View RelatedI have Cisco ASA5510 OS version 8.4(1), when i try to apply static command, this command is not found, the NAT issues used nat(inside,outside).
So why i can't found this command ?
We are going to impliment Spectrum (CA) in my network,i have ASA-5580-20 firewall now my spectrum server want to communicate with firewall,then only it will discover the firewall logs.Now the problem is my spectrum server is in MZ zone(10.10.10.45) security leval is 70 and my inside interface(10.20.20.101) security leval is 100.
I am unable to ping from spectrum server to firewall because of high security leval.How can i solve this problem,can i change my inside security leval to 69 then i think it will ping.
i check ASR 1006 config with ESP-40, the firewall permonce can reach 40G, ASA 5580 is 20G, can ASR 1006 replace ASA 5580, is there any function feature problem?
View 1 Replies View RelatedI'm having a few problems at the moment with a zone based firewall setup. The more I looked into the problems the more I question whether I need the ZBF or not.My network is pretty simple. 1 Internet connection and 1 LAN interface and a few site to site vpns to the router.So what do people think to having this kind of set up and not using a ZBF?
View 11 Replies View RelatedI have a spare ASA5505 w/Base License that we want to use as the router/firewall between our wi-fi network and our secondary internet connection. Currently we have a NetGear box as the router there and it is on its last legs. In order for the ASA w/Base license to be able to issue over 150 IP address via DHCP which license do I need to purchase for it.
View 7 Replies View RelatedI Have ASA 5510. And I had two ISPs and I need to configure ISP failover. So which license i need? I Had License ASA-CSC10-PLUS License.
View 1 Replies View RelatedI have a couple of 5505's with base licenses. One of the two has a limited output when running the sho version command, as it has a restricted license. What license I would need to buy in order to bring it up to "normal" base license ?
View 1 Replies View RelatedI am setting up an ASA5515 to replace an existing Linux based firewall. Unfortunately the ASA5515 does not support source based routing.I have two internet connections currently used for specific connections - the second connection is NOT a failover connection.I have the default route to Internet connection 1.I want to route smtp out the second Internet connection.The routers connecting to the internet are a 877 and an 878The options I am considering is a layer 3 switch between the firewall and the routers to enable source based routing or replacing the 2 routers with a single router and the appropriate wic interfaces.
View 2 Replies View RelatedWe have deployed a few ASA 5585 SSP40 in our data centers to seperate different customer/security zones connected with 10Gig interfaces. Currently we have a dedicated log server attached to each ASA connected with a p2p 10Gig interface. While detailed log information is considered important I somehow have the gut feeling all this high end equipment and bandwidth is used a little too wasteful. I have little experience with these big firewalls and I have not yet seen the equipment in an attack situation, however I doubt a firewall could ever generate 10gig of log data, while doing the primary fire walling job at the same time. Looking at the typical packet size of a syslog message I don't even believe a 1 gig link could ever be saturated with pure syslog messages.
View 3 Replies View RelatedI have the following Setup, Two Cisco ASA 5520 needed to be configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?
View 1 Replies View Relatedaccessing my cisco ASA, last night we were doing VA on our ASA, after that iam not able to access it through ssh nor telnet. its not giving me any error.. i tried from different system also. SSH & telnet allowed from inside to 0.0.0.0 i have re-generated rsa keys when it was working. ASA version is 8.2 now when i connect telent is giving me blank prompt. i can login using ASDM.
View 5 Replies View RelatedI got a problem with a cisco asa 5580 like two days ago and the device stop working (there was a mainteinance window and after that the device didn't work). Now we receive the RMA and we are trying to configure the failover so the new device get the configuration form the one that is working.
But this is the message that I gettin:
Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory
We already changed the shared key and crypto license but the failover is still down, what are the features that the cisco need to activate to enable the failover?
I am receiving allot of Errors "%ASA-4-405001: received ARP collision from IP/MAC on interface dmz1 with existing ARP Entry IP/MAC
When i checked this MAC address in the same firewall it shows too many IP Addresses. What could be the reason ?
We are using Cisco ASA 5580 (8.2) firewall. When i try to ping from inside lan to firewall DMZ interface IP it is not pingable and but from inside users i am able to ping firewall inside interface IP address.
I think we can't ping to other interfaces of ASA by default. But can we allow the single IP address who can ping all the interfaces of firewall?
We are not doing any natting in firewall, for that we used the Load Balancer.
A customer's ASA is presenting the System LED flashing red.I have already analysed the show tech-support and show environment output: Found nothing, everythink seems OK.Cisco ASA 5580-20 - 8.2.1.Single appliance, no failover, multiple context and transparent mode.
View 5 Replies View Relatedwe are going to upgrade our 5580 ASA Cluster from 7.2 to 8.2 and want to do it like this way ( which worked for all 7.x upgrades ) :download asa8.2 Image to primary + secondary Firewallreboot primary ( message come up " mate version ...)reboot secondary.Does it works any experience? Does it work if both firewall can see each other during the boot process ?
Do I have to bring the secondary into the monitor mode so the fw is not visible for the primary ?
I want to ask that does ASA 5580 support the nat-pt for IPv6?
View 2 Replies View RelatedIn my ASA 5580-20 system LED is flashing RED how can i trobleshoot this.
I checked rarepanel everything is ok also i saw environment also showing ok
I have encountered a problem in one of customer that the Active ASA 5580 is unable to sync with Standby Failover ASA. When Active is connected with FO and push the configs to it will not find the ethernet/Gig interfaces due to which the all the configuration were not applied and when the primary ASA the secondary is unable to respond.
When i attached console with the Standby ASA i have seen this error.
Number of interfaces on Active and Standby are not consistent.If the problem persists, you should disable and re-enable failover on the Standby.
For detail undestanding i am attaching the configs of primary and standby ASA. The KHI-DR-ASA-BB-01 is the standyby firewall.
If we switch from primary to secondary firewall the interfaces on the secondary go to state waitung than to failed. after awhile the secondary gives the control to the primary.
it seem that traffic passes the secondary firewall during this short failover time . we have several context created on the firewall, Switch Ports checked , cabeling check everythink checked
blackhole Interface inside (10.255.102.134): Normal (Waiting)
blackhole Interface shared (10.255.102.134): Normal (Waiting)
blackhole Interface inside (10.255.102.133): Failed (Waiting)
blackhole Interface shared (10.255.102.133): Normal
blackhole Interface inside (10.255.102.133): Normal (Waiting)
blackhole Interface shared (10.255.102.133): Normal
We got a replacement ASA 5580 from Cisco. We were not aware of PAK, Is there any other possible to generate Activation key? Can we generate PAK or Activation Key using SO (service order) number?
View 1 Replies View RelatedI have a problem with failover. On My site I have 2 Firewalls 5580. And I did this configuration on my firewall.interface GigabitEthernet3/0description LAN/STATE Failover Interfacespeed nonegotiate.
View 5 Replies View RelatedI have two firewalls in 2 different locations. They act as primary and secondary for my WAN connectivity. I would want a way to synchronize access-lists in both without manually replicating.(access list, NAT and Route)FW model cisco 5580
View 1 Replies View RelatedWe have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.
View 5 Replies View RelatedWe are going to setup a L2L VPN with a vendor and they asked us to NAT a couple IP addresses for remote access to a couple of servers on our inside network. Our device is an ASA 5580 with version 8.1 and we have a handfull of public IP addresses for use if needed. The vendor's remote network is a public IP address but for this posting I will use 192.168.10.0. Our inside servers are 10.100.10.20 and 10.100.10.30. Because 10.100.10 is in use with another customer they asked us to NAT 10.77.97.20 and 10.77.97.30 to the two inside servers.
View 2 Replies View RelatedDoes ASA supports NAT in bridge mode? especially the 5580 series x??
View 1 Replies View RelatedI have got new cisco ASA 5580 running 7.2(4) on it when i am trying to configured Virtual interface on vlan 400 in Gi0/0.400 to LBASE.now the problem is from my MZ zone 10.242.107.17 to Lbase virtual interface 10.242.103.1 iam not able to ping.
View 2 Replies View RelatedThis is the situation I got to firewalls with failover and I need to upgrade the license so I can get more context (right now I have 5 context and I need 10) so I was looking at the procedure and I'm not sure If I need to restart the device or not. I was looking at this procedure:
Upgrading the License for a Failover using ASDM (No Reload Required) Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.
•1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match. •
2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.•
3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.
4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.
5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.
6. Click Apply. This completes the procedure.link: [URL]
But then I checked on the cisco web page that there are some license that need to reload I see this:
All models
#Downgrading any license (for example, going from 10 contexts to 2 contexts).#Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
[URL]
So I just want to know if I'm UPGRADING from 5 to 10 context the reload applies to my situation or not?
I have a asa5580 with multiple interfaces. To replicate me databases to another site, I mainly use two interfaces on that firewall. Those interfaces have a steady pace, around 95%.
I am wondering when I should consider that the thoughput between those two interfaces is too much? Is there a good document that could explain me clearly why?
Also I want to be sure that I won't affect the normal traffic between the other interfaces. Is there a way to garantee certain traffic over others on an ASA? I don't have any router in me setup layer 3 role is perform by asa firewalls (static routes).
Preparing to upgrade the IOS on a failover pair of ASA 5580's and was wandering what is gonna happen after I've upgraded the IOS on the standby unit and rebooted. How is the active unit going to react when it sees an IOS mismatch prior to me making the standby the primary and upgrading it's IOS ?
View 2 Replies View Related