Cisco Firewall :: 5585 - Two Different Subnets Assigned To Single Bridge Group
Apr 9, 2013
We are deploying two Cisco 5585 in transparent mode and multiple contexts. they are running Active-Active fail over.
There are a lot of V LANs need to be added in the contexts, we are trying to use least contexts to fulfill.
ASA supports 8 bridge groups for each contexts, and maximum 4 interfaces for each bridge group.
We have assigned four interfaces in different V LANs , set two of them as a pair with one IP sub net and the other two interfaces are in another IP sub net.
For example :
Bridge group 1:
inside1 and outside1 -------> 192.168.1.0/24
inside2 and outside2 -------> 192.168.2.0/24
However, we can only make one sub net(V LAN pairs ) work when the BVI is set to that IP sub net. If the BVI set to 192.168.1.0/24, the inside1 and outside1, the other pair not work. If the BVI set 192.168.2.0/24, then only inside2 and outside2 work.
Since the BVI can only be assigned to either of the sub net, Is it possible to make both vlan pairs work ? Or we only can have one sub net in one bridge group ?
View 1 Replies
ADVERTISEMENT
May 27, 2013
ASA 5585-x10, ver 9.1. I have about 10 public sub nets that will be used for NAT translation on the outside interface. These sub nets are different from the sub net the outside interface. Is there a way to advertise these routes using OSPF from the ASA?
I tried to redistribute a static route, but can't make the destination router an interface that is on the ASA. I don't own or control the upstream router.
View 1 Replies
View Related
Nov 17, 2011
Is there any significance to the parameter "firewall-group" in the command
firewall vlan-group <firewall-group> <vlan-id>…<vlan-id>?
In other words is the series of commands
firewall switch 1 module 3 vlan-group 1,2
firewall vlan-group 1 100,101,102
firewall vlan-group 2 200,201,202
exactly equivalent to
firewall switch 1 module 3 vlan-group 3
firewall vlan-group 3 100,101,102,200,201,202
or
firewall switch 1 module 3 vlan-group 1,2,3
firewall vlan-group 1 100,200
firewall vlan-group 2 101,201
firewall vlan-group 3 102,202
All three of these options associate the same set of vlans to the FWSM but using different groupings. As far as I can tell, these groupings have no functional significance either on the switch side or the FWSM side. These are simply three different ways of specifying exactly the same thing? Am I correct?
View 2 Replies
View Related
Dec 28, 2011
I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:I have 3 domains.
[URL]
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.The cisco documentation states the following:•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.Reading that it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.
View 1 Replies
View Related
Nov 7, 2011
I am setting up a new pair of ASA 5585's in a multi-context, active/active failover design. I cannot create management SSH connection to the contexts that are assigned to failover group 2. With all the security contexts that are assigned to failover group 1 I can SSH to the inside interface IP and login without a problem. When I try to do that to the group 2 contexts there is no response from the firewall at all, PuTTY just times out.
My firewalls are running version 8.2(4). The contexts seem to be functioning normally in all other respects.
View 5 Replies
View Related
Nov 14, 2011
I want to set up FWSM 4.1 on Cat6509 with multiple bridge groups in one transparent context. (as the manual says it can support up to 8 bridge-groups and the intent is to save security contexts) For a host in VLAN21 (b1_inside) to talk to a host in VLAN41 (b2_inside), traffic needs to be go out to MSFC which routed back the traffic through the FWSM. My question is how can I define a default route per bridge-group, I would assume FWSM should take the following two default routes per bridge-group interface but it won't;
route b1_outside 0.0.0.0 0.0.0.0 10.11.75.1 1
route b2_outside 0.0.0.0 0.0.0.0 10.11.76.1 1
seems like it allows only one default route per the context and gives me an error - "ERROR: Cannot add route entry, possible conflict with existing route"
How can I achieve outside per individual bridge-group?
FWSM context config:
Interface VLAN11
nameif b1_outside
bridge-group 1
security-level 0
!
Interface VLAN21
nameif b1_inside
[code]...
View 2 Replies
View Related
Dec 10, 2012
At the small church I attend, and where I'm the IT guy, we have an RVS4000 router which has worked well for us including the VPN capability. Our internet connection is through AT&T (not my choice) and last week we had to switch from DSL to U-Verse because AT&T is doing away with the former.
Unfortunately as part of this switch, the old modem was discarded and an NVG510 installed. The NVG510 is a combo modem/router. But since it doesn't have VPN capability and is not as good a router all around as the RVS4000 (even though the 4000 is an aging device), I am trying to run both.
I finally figured out how to set up IP Passthrough on the NVG510 so now VPN is again working to the RVS4000 so that's not an issue. We do have a couple of PCs that are in a room where no wired connections are possible so they are using wireless. But they are not very close to the wireless antennas so they don't have the greatest throughput. The NVG510 does have wireless capability and is physically located to where it would provide a much better signal. However, the NVG510 will only use a 192.168.x.x subnet and our LAN is setup for 10.x.x.x. I'm not about to change the LAN as it runs a Windows domain with enough equipment that I don't want the exercise of changing subnets.Can the RVS4000 be setup so that it will route domain traffic between the 2 subnets? As it is now, connecting a PC to the 192.168.x.x subnet on the NVG510 allows it to have internet access but it can't access domain resources on the 10.x.x subnet. I don't understand networking well enough to know why this won't work. I know it can because when I worked for a large corporation, they had different subnets that were routed so that PCs on one subnet could be on the same Windows domain as PCs on another subnet and all access resources on both subnets.
The RVS4000 may be capable of doing this but my limited knowledge of networking (I know servers, not switches, etc) means I'm not sure of what I see on the router to know if it can do it or not.I'd be appreciative to know first off if the RVS4000 can do it, and secondly if it can, then how to set it up. I've worked with the RVS4000 since we got it 3+ years ago so I'm fairly familiar with it, I just don't know the rest.
View 1 Replies
View Related
Mar 25, 2012
3750 can not support multiple subnets in it's DHCP server pool config.
Is this an issue that can be fixed with a different iOS or is there a different Cisco switch that I can replace the 3750 with that will handle multiple subnets within an individual pool?
View 1 Replies
View Related
Aug 15, 2012
I need to NAT some subnets to one IP and other subnets to another IP. The range command want work because some of the subnets are out of order.For example subnets 192.168.1.0 - 192.168.7.0 and 192.168.25.0, 192.168.28.0 nat'd to 1.1.1.1. subnet 192.168.26.0-192.168.27.0 nat'd to 1.1.1.2
View 2 Replies
View Related
Jan 13, 2013
I have a Cisco ASA 5505 that I've setup with an SSL VPN. This is for personal use, and I therefore don't have need for anything more than local authentication. [code]
I'd like to have one profile/policy where I only encrypt data going to my split-tunnel ACL, and I'd like to have one profile/policy where I encrypt all traffic.
The issue ive been fighting is - it doesn't seem like its possible to associate more than one group policy per user. If it IS possible - can you tell me how I associate both groups to my local account?
View 1 Replies
View Related
May 13, 2012
I've got a Cisco 1841 with 2 FastEthernet ports here. My Cisco isn't great, and I've been given a problem I don't seem to be able to crack.Essentially, I have one network with two sides. I've connected these to fe0/0 and fe0/1 on the router, and put them interfaces into a bridge group which as far as I can tell, essentially makes the router a 2 port switch...I know this won't make a lot of sense from a normal network point of view, but what we need to do is allow all traffic from fe0/0 to fe0/1, but not allow any traffic in the reverse direction. The traffic allowed to flow from fe0/0 to fe0/1 must include broadcast traffic (infact that is the most important traffic, its how the silly theatre application works). None of the traffic is IP addressed.... ie, each of the devices on the network assign themselves an IP address, and then throw broadcast traffic out on to the "dedicated physical network" that exists between them for communication[CODE]
View 2 Replies
View Related
Jul 19, 2012
On the Cisco forums, an example is shown for how to configure BVI and bridge-groups on an ASR1004 but the same command (bridge-group) is not available under the interface on our ASR routers. We are running version of code: asr1000rp1-advipservicesk9.03.06.00.S.152-2.S.bin
View 1 Replies
View Related
Jan 21, 2013
We are connecting a cisco router (819) to wireless lan network (lwapp) through its wireless interface.
clients ---> 819 ---->AP (WGB) ------ lwapp ----- AP ---> LAN ---> servers.
since the clients are on the same subnet as the the VLAN on the lwapp, everything works great.When we add a new L3 VLAN on the 819 router, and we try to ping the clients from the servers, the packets can reach the clients but never received by the servers back. it seems like the bridge is dropping the packets when they go back from the client to the servers.when we use a GRE tunnel from the 819 to the LAN, everything works great.
View 3 Replies
View Related
Apr 23, 2013
I've to bring vlan 2 access to a remote site through 2 AP1261N configured as bridges. Here it is the network diagram
One AP1261N is configured as root bridge. Its ethernet interface is connected to a switch with vlan 1 native and vlan 2 tagged. Vlan 1 is for APs and switches management. Vlan 2 is for users access. The other AP1261N is configured as non-root bridge and one PC is directly connected to the AP's ethernet interface. I've successfully managed to create i wireless link between the 2 APs and so I can reach the vlan 1 IP address of the non-root AP. My problem is that I can't reach the PC connected to the non-root AP.
Here are the conf of the 2 APs:
root AP
version 15.2
no service pad
[Code].....
View 8 Replies
View Related
Dec 6, 2011
What is the maximum allowed number of wired clients behind a workgroup bridge? In other words, is there a limit on MAC addresses?I assume 1262 AP in WGB mode is connecting to a lighweight AP (1262 or 3502), latest IOS and WLC software. I wasn't able to find the answer from Cisco documentation.
View 2 Replies
View Related
Oct 7, 2011
Does the 5585X supports BGP ? What if someone wants to use Antivirus + IPS feature in that . I have seen IPS modules for 5585X but looks like the antivirus module is not avaliable for 5585X
View 1 Replies
View Related
Nov 29, 2011
I want to configure Qos for 2 diffrent Vlan 2 , each vlan for 2 mbps bandwidth .(VLAN details VLAN 10 (10.10.x.x /24) and vlan 20(20.20.x.x/24) Is any difference regarding initials configuration B/w ASA 5520 and 5585
View 9 Replies
View Related
Jan 29, 2012
Am not conversant with Firewalling. however i have need to set up CISCO ASA 5585 out of the box.
View 3 Replies
View Related
Jun 24, 2012
We are working for a client move from PIX 525 to ASA 5585-X, SSP10. This is a production environment and very critical migration. What are the gotchas which we should be aware off?
View 1 Replies
View Related
Jun 2, 2013
We have installed 5585-x in active/active mode with transparent firewall. We have created two virtual sersors for vs1 and vs2 in IPS module and linked with ASA context C1(vs1), C2(vs2) and admin(vs0).
As firewall is working in transparent mode, we have bridge IP address for context C1 10.1.1.1 and for context C2 10.2.2.1.
I have added default routed for context C1 10.1.1.2 .It is in the outside of asa and SVI on switch.For the other context C2 10.2.2.2.
IP address range for the IPS module and what should be the gateway for IPS module.AS the traffic is coming from outside and going to inside interface of ASA.
View 1 Replies
View Related
May 6, 2012
I have registered the license purchased for the ASA 5585X appliances and have received the following listed as features.
> Failover : Enabled > Encryption-DES : Enabled > Encryption-3DES-AES : Enabled > Security Contexts : 20 > GTP/GPRS : Disabled > AnyConnect Premium Peers : Default > Other VPN Peers : Default > Advanced Endpoint Assessment : Disabled > AnyConnect for Mobile : Disabled > AnyConnect for Cisco VPN Phone : Disabled > Shared License : Disabled > UC Phone Proxy Sessions : Default > Total UC Proxy Sessions : Default > AnyConnect Essentials : Disabled > Botnet Traffic Filter : Disabled > Intercompany Media Engine : Disabled > 10GE I/O Plus : Disabled(code)
View 4 Replies
View Related
Sep 24, 2012
I have a pair of ASA 5585 configured with 2 contexts, C1 & C2, C1 is active on ASA-1 & C2 is active on ASA-2 i did failover test, ping was initiated to host residing behind ASA-1 in context C1 i powered of ASA-1 then both context became active on ASA-2, however during this failover.i saw 4 ping packets drop..
View 3 Replies
View Related
Jun 4, 2013
I have just set up my asa5505 and while in the sh run I have the following lines
-dhcpd address 192.168.2.200-192.168.2.231 inside
-dhcpd enable inside
-dhcpd dns 68.94.156.1 interface outside
When a client connects to the device like: 192.168.2.215 there is no dns assigned. My devices are unable to access the internet unless I manually assign the dns in the local settings for that host.
View 6 Replies
View Related
Jan 28, 2013
I have a new 5585x with only basic ip information on it. I can't get the ASDM to load from any interface. Browser just says cannot load page. I upgraded to 9.1 and ASDM 7.11-52. (Also did not work before I upgraded) I can ping the managment 0 interface and can tftp data to and from it. Also unable to telnet to the management interface. [code]
View 2 Replies
View Related
Jan 23, 2013
I have ASA-AC-M-5520, can we migrate the license to ASA-AC-M-5585
View 1 Replies
View Related
Aug 29, 2012
Any document in which is specified who may ACE rules are supported in an ASA5585-SSP-20?I need to compare this an other several specification versus a FWSM. I found the information for the module, but not for the ASA 5585-X..In the data sheet this information is not specified.
View 5 Replies
View Related
Sep 21, 2011
I have a 5585 with version 8.4.2?I have issues accessing the asa using ssh or asdm via remote access vpn. The configuration details are the following:
10.8.251.30 -- addess assigned from the pool
10.8.251.4 -- inside interface address in the ASA
1.The VPN establishes without problems and I can reach any inside resource, also I can ping the firewall.
group-policy pol1 attributes
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value pol1_splitTunnelAcl
[code]....
If I allow the direct http/ssh connection to the outside/inside interface, it works perfectly.
View 7 Replies
View Related
Jul 3, 2012
I am currently working with ASA 5585 with several contexts. What is the percentage of the CPU used per context. I already have the opportunity to do it for the whole ASA (context admin) using the SNMP mib CISCO-PROCES but, unfortunalty, this mib doesn't allow us to know the percentage of used CPU per context.
I was able to know the number of core used per context but not the percentage of the CPU used.
View 6 Replies
View Related
May 2, 2011
Shared licensing of ASA?I have 2 ASA 5585 in cluster and I have to Implement SSL / VPN license My question:Since I have a cluster in 8.3 version, can I use only one license VPN / SSL for two, without necessarily implement the Shared Server licenses and participant.
View 4 Replies
View Related
Feb 23, 2011
Is it true, that the new ASA Platform 5585 does not support Multicast. Here on Page 7:[URL] because the old ASAs support Multicast.
View 2 Replies
View Related
Aug 29, 2011
where I can get a visio stencil for a asa-5585-x.
View 3 Replies
View Related
Jun 20, 2011
I just upgraded my ASA 5585 cluster from 8.2 to 8.4. I also upgraded the asdm .bin from 6.35 to 6.43. after rebooter the cluster, I try to access it with ASDM installed on my computer but it blocked at 17%.I tried to access [URL] but I just an error (with IE & FF) [code] What did I miss in the ocnfiguration ? I precise that I never used the http page, I already had the ASDM installed from another ASA.
View 4 Replies
View Related
Apr 27, 2011
I am looking to deploy a cloud/borderless network solution and cannot get my head around how the licenses (AnyConnect Mobile and essentials) will be applied in a multiple context deployment. Any correct documentation.
View 1 Replies
View Related
