Cisco Firewall :: 5585x - Threat Detection Log Entries In Multi Context Mode
Dec 29, 2012
We have a 5585X running in multi context mode, and we are getting log entries for scanning threat detection, such as:
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3116
Threat detection is not supported in multi context mode so I cannot tune the thresholds, is there any way that I can get rid of this outside of messing about with logging levels/message IDs?
I got an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to internet, no VPN. And now customer would like add another ISP uplink, without invest another box for HA.What come across my mind is make the current box into multi context. There's some area i need to concern and also need yours perspective on it.
Question 1: For making the firewall into multi context, am i need to do it from scratch, issue mode multiple command. Then rebuilt the current production config into one of the context, then another context meant for the new IPS uplink, and one admin context?
Question 2: For CSC -SSM licensing requirement, model ASA 5510 with security plus license is able to support 2 context. So if i split my firewall like what i mention in question, what exactly number of context do i own (admin, context A, context B)?
Question 3: For CSC-SSM module in multi context mode, so the management port of CSC SSM must attach at admin context?
Question 4: After configured all the policy and traffic to scan, how exactly i should do in order apply this policy to the interface? Should i only enable at admin context, then firewall service-policy rules, and apply it global, OR should i also do the same action on context A and Context B?
On ASA 5515 it shows it is in transparent mode and it has multi context.As in transparent ASA we know it has single Management IP address.This ASA is connected to one switch on two ports gi2 and gi3.One port carries vlan say 800 to the ASA.Other port carries vlan 500 from the ASA to switch But when i log onto ASA and do sh run it shows no VLan info there.
I am interested in gathering cumulative threat-detection statistics from an ASA running 8.3, and displaying number of attacks over time. I am already capturing traffic information via netflow, but am interested in getting threat information.
Is there a way to capture the statistics via SNMP or any other method?
Can threat detection provoke frequent disconnections on allowed traffic?We are using asa 5520 with 8.3.1 IOS For instance in ASDM we see SYN attack messages .The source ip address correspond to external an external host (in the outside interface) wich is allowed to connect to internal servers(in the internal interfaces).
I have a active-active setup with 2 cisco asa 5585x running 8.4 - the boxes ahve each 2 sec context's build-in - which gives 4 sec context in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5) which I haven't applied yet - will this give me a total of 10 or 14 security contextes? I am a bit in doubt because if I only get 10 sec contextes in this cluster then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this - hereby I would get 12 then.
I have two ASA 5510 in an Active/Active failover configuration; On the first ASA I have a license for five security contexts, on the second one I have the default two. On the pair I configured seven security contexts and everything works as expected; so far so good. Let's suppose now that the first ASA (the one with the license for 5 contexts) goes up in smoke; all the contexts migrate to the surviving firewall and life is still good. But what happens if, for some reason, I need to reboot the second ASA before the first one is repaired? My guess is that it will come up with just its own license for two contexts and that I will not be able to operate all my virtual firewalls.
I am trying to configure multi context on the 5520 ASA , how can i configure 1 outside and 1 inside for the 2 context or how to configure both outside from the same subnet and insides also from the same subnet , i did the below configuration but didn't work . [code]
How do i measure the total throughput going via 5585-X.It has the firewall througput of 5Gbps. Looking at aggregate of all the interfaces traffic going through it seems about 4gbps is going through.
I use show traffic command and add up the trasmit and receive traffic on each live interface.Is that correct method and are there any more commands?
I have an ASA 5585 in transparent mode, multi-context. It seems that the option to configure a BVI in one of the traffic contexts isn't there. In other words, while I see the option to configure a bridge group interface in the admin context, no such option comes up in the traffic context. [CODE]....
I've been using packet-tracer for some time on and off with mixed results.
I'm running a multi context firewall with over 10 of the contexts sharing the same outside interface / network. All interfaces obviously have valid, unique IPs and also unique MAC addresses as mac-address auto is enabled in the system context.
This is an ASA 5550 running 8.3(2.10) interim so includes the fix for the well known packet-tracer classication failed bug.
So in theory, with firewall contexts on a shared interface the ASA should use the firewall MAC address to classify incoming traffic to the correct firewall and as far as I am aware, only fall back on using NAT to classify if the interface MACs are the same. In reality on my platform this doesn't seem to be happening and the classifier is using NAT to determine the destination context. I'm seeing this with live traffic (i.e. not generated by packet-tracer) in logs and can prove it by disabling certain NAT rules (there is some overlap with the IP addressing behind each firewall).
My question regarding packet tracer is this - in the above scenario with a shared outside interface, does packet tracer ALWAYS use NAT to determine the destination context? Or does packet tracer look up the MAC address of the ingress interface according to what context you are running packet tracer from? It appears that packet-tracer is using NAT in my case which could be just symptomatic of the potential bug I've described above rather than by design.
We have a pair of cisco Asa 5520 currently running multiple context mode. We wish to change to single context mode for following reasonWe will migrate infrastructure to hosted vendor . I was thinking of configuring site to site . Current Asa we pal to kee since wireless sits in our DMz and we have net screen that hosts tunnel for erp1. Is context change required for running site to site2. Is it a good idea for creating site to site on to make sure wireless network and oracle traffic goes through managed firewall ?
We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into it's own VRF in the back-end.
As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls?
Recently i have configured ASA5550 with 2 Contexts in Transparent mode. Traffic can pass through a single Firewall context but through both contexts it couldn't.
Is it possible to have context in transperant mode and routed mode. Means if i need three context then 2 of them is in routed mode and one of them is in transperant mode. If yes then how, i can 't find this info in cisco website.?I am havin 5585-x and asa version 8.4?
I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Can either of these scenarios will work (or fail). I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
Migration option #1 Log into active/primary ASA Configure Multiple Context mode Reboot both devices Login to active/primary ASA
I have 2xASA5510 with securityPlus license.i have configured 3 context and Active/Active Failover.Everything works fine. But also want to use rometeAccessVPN but couldn't fine anything for VPN. does it support VPN in multiple mode?
I have setup a 5515-X in transparent multi-mode and setup 5 security contexts with inside and outside ports, one admin and 4 others. The problem I have run into is setting up a management IP for each context. On one of my other transparent firewalls in production we were able to apply an IP to the security context (not interface) however the new firewall is running the latest software and this same functionality is not available. The only options for IP in context mode is IP AUDIT. So my next plan was to create sub-interfaces of the management interface and assign one to each context however the 5515-x does not allow sub-interfaces on the management interface. How I setup a management IP on each context?
Another interesting thing i read is that the managment IP assigned to a context (if i could figure out how to set it up), has to be in the same subnet as the data interface which if fine but it also says that the management interface should not be connected to the same switch as the data interface because of MAC address table update issues, meaning that i could not use a sub-interface of one of the already configured context ports.
On my production environment I have a firewall with already two contexts defined (15% of CPU used) and I want to add a new one.
This context is going to use the same interfaces as the others contexts. When I will enable the context, can I have some sort of repercussion on these two context ?
I know most QoS capabilities aren't available in multiple context mode, but I need to do some really simple policing on one of my contexts. I just want to apply a hard 20Mbps cap on an interface. I've seen a few places that suggest that basic policing is possible in multiple context mode, but apparently not by the normal commands.
Looking for a recommended code on the ASA 5585x firewall. We ran into a bug (CSCtr24705) on version 8.4.2 where it rebooted the primary firewall. The bug has to do with modifying an existing ACL that's part of a custom policy-map inside a service-policy. If we upgrade to 8.4.5 (which has the previous bug fix in it), there is another major bug (CSCud70273) where if you use the packet-tracer input command on an inside interface it causes problems too.
I don't understand why packet-tracer input would have a bug associated with it when it's been around for a long time and we use it on a daily basis for troubleshooting. Is there stable code for the 5585x to upgrade to without running into possibly a major bug? This is our core firewall so there are no VPN tunnels on it. It's setup in active/standby failover in routed mode.
Is it possible to install LMS 4.2 in multiserver mode but with possibility to select installed components/applications? I'm talking about Solaris version. I can't see such an option. It will install all the components on every server which I don't want to. We have LMS 3.2 working in such setup: one server with most major components, other running just DFM and third one with only HUM installed.
I've got an ASA which has a number of contexts. They all share the same external interface, and in the interest of saving addresses I'm wondering if the standby address for each context is really necessary. I know that in active/passive the standby address is what allows the two to communicate and monitor that particular interface, however, in active/active I don't see the point as the context is either going to be on one or the other.
I would like to know does MSE 3350 supports HA mode,I have 2 M|SE 3350 appliance and I want to configure one as primary and second as redundent for the primary,I am not finding any documentation for the same in the cisco website.
I have two ACE working on active-standby mode, I have one context configured on bridge mode, with two vlans, the client (vlan 100) and server (vlan 101) sides.I need to balance another service for two servers (different from the ones on the first context ) on the vlan 101, so as the documentation says i can't configure the same vlan on another context because it is already configured on the 1st context as bridge.so my question is the only way i could balance this service is to configure it on the same context??. or there is another way?.These are the design limitations that i have to do this:
1.- I can't change the servers IP address.
2.- The VIP which will answer the clients request is on the same IP network segment as the servers, for example: server1: 192.168.100.125, server2: 192. 168. 100.126, VIP: 192.168.100.124
I am desiging a topology with two Cat 6509 and Two ACE Module, one ACE per Catalyst. I am thinking to use bridge mode for the customer contexts, I would like to know if the Bridged mode is an Assymetric topology.
The server gateway is the ip address of the ACE or the Router?
Im looking for some clarification regarding running a Cisco ASA in transparent mode with multiple contexts. To give you an insight into the network design we have the following -
Collapsed Core/Aggregation Layer running Cisco 3750s. The 2 Cisco 3750s are using SVIs with HSRP for default gateways per customer with a total of 8 customers. Each customer is segregated into seperate VLANs with Cisco 2960 switches used in the Access layer. Each customer has 2 Cisco 2960 switches with redundant uplinks to the Core/Aggregation layer. Customers are spanning tree loadbalanced between core/aggregation switches.
What i need to now do is add two transparent firewalls into the mix in either an active/active or active/standby setup. I need the firewalls to support all 8 customers, therefore I am guessing they need to run in multiple context mode. Having read into this it has left me somewhat confused as to how to integrate them into the above setup as a bump in the wire so to speak.
I am wondering what is Latency value for Cisco ASA 5585X and 5555X . I can see on websites that it says "low latency firewall" but I dont see any value.
Looking to replace an "all-in-one" type firewall (UTM/Firewall, SSL VPN) with a cisco product - the issue i'm running into is that we have multiple ISPs plus WAN and DMZ - overall more than 5 ports on mid-range ASA devices - and from what i read, adding 4-port module precludes me from adding CSC module.
Is there an solution to that other than going for 5585-x model? (kind of over our budget, granted we need 2 for failover)
