we have a cat6509 with FWSM. We pass to the FWSM several VLANs. AllL3 is assigned to the FWs.In the Cat6500 log we have received this message %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks ,when we configure 2 vlans in a trunk to an ESX server (these 2 VLANs are alreadyassigned to the FWSM).Idea is to share an interface to a ESX server with several VLANs, some of them are assigned also to FWSM.
View 1 RepliesI've been tasked with finding all switch ports that are configured as Trunks. We plan to use LMS 4.2 to push (via Netconfig) new interface level commands to all user (non-trunked) ports. From my experience, this poses a problem because we do not know which ports are configured as trunks -vs- user ports.
Using Netconfig is not going to be easy since there is no way to script this. It would be great if I could run a show command on a switch and then have CWSI peform a change based upon the output.In other words, we need a way to run a job based upon the output of a command.
I'm building this network and I stumbled upon a problem that I don't understand. Here is how my config looks:
PC -----------vlan5-------Cisco 3560----trunk3-5----Cisco AP1420
Vmware guest
Configuration of 3560:
interface Vlan3
description ID-180, wifi1
ip address x.x.x.x 255.255.255.224
ip access-group 115 in
[code] .......
Configuration of WIFI AP:
interface FastEthernet0
no ip address
no ip route-cache
[code]....
PC and vm ware are plugged in port 5 and 6, wifi in port 7. There if no V LAN ID set on the PC, but there is V LAN ID set on the VM ware esx interface. If I try to ping WIFI from PC or esx, ping doesn't get through. If I plug WIFI to port 5 or 6, I get access it.
Im just starting to learn cisco, currently I already have a cisco catalyst 3750 configured for 3 vlans, and now im planning to have another 3750 for redundancy.
View 5 Replies View RelatedWe have a working PBR route map on a 6509 switch and a 3750 switch, each in different locations.On both devices, the route-map is configured to match on one of multiple ACLs, then set the next hop to a directly-connected IP address, like so: [code]
When copying in the ACL contents for "ACL20", they were accidentally copied in to the ACL1 list, and ACL20 was never created. Shortly after this was done, the next hop router went unreachable in both locations. Pings failed and the 6509 and 3750 each lost the EIGRP adjacency to the 1.1.1.5 router. After troubleshooting, I removed "match ip address ACL20" and connectivity returned.
My question is...if a PBR route-map tries to match on a non-existent ACL, what happens? Does it mark the next hop unreachable (even though it's directly connected) or does it match for ALL traffic and send *everything* there (thus, making it appear unreachable, as if a broadcast storm was happening)?
In the following scenario, how will the 2950/2960/2960S series behave:
- VTP server/domain configured on a 6509
- A access switch (2960) currently configured in transparent mode with all VLAN it requires
Will the switch drop any traffick if we change it from transparent to client mode if the VTP server has the exact same vlans defined as the access switch had when it was in transparent mode?
WE have to deploy ASA5585 in between User vlans & server vlans. we have to find all the ports that needs to be opened on firewall. any tools to do same.
View 2 Replies View RelatedWe have the need to create a large number of VLANs on one of our networks. We're talking about 60! These will all terminate on a pair of 6509-E switches (building core). We use MSTP as a standard on our network so I'm going to stick with that so that we can dramatically reduce the number of STP instances needed. However, regarding the SVIs (default gateways) is there any reason why creating 60 of these guys would be considerd a big no-no? Or would you expect the 6509s to deal with them like a boss?
View 4 Replies View RelatedConfiguring FWSM in a 6509. When I set "firewall vlan-group 40 40-42,251", it results in: "No more than one svi is allowed. Command rejected.".
I had "firewall multiple-vlan-interfaces" set for a previous use of this module, but took that off with the "no" command. Suspect that is the issue, but do not see how to resolve. Seems similar to bug CSCsr48563, but I am at the fixed code for that bug.
I have D-Link's DSL-2730U modem/router. I've enabled the router's firewall and disabled TR-069 (putting in some dummy ACS URL and login credentials as well). However port scans show 30005 as open. I believe this is used by the TR-069 client. How do I definitively filter this port?
View 9 Replies View RelatedWe have a network of 30 VLANS and currently all the vlans have access to everything. We are using Cisco 6509 switch for Layer3 routing.I would like to prevent some VLANs accessing the server VLANs. How can i resrict access to the server VLANs? Do i need to implement access-lists on the 6500 switch? or do i need to create VLANS on the firewall so that all traffic i filtered?
View 3 Replies View RelatedWe have a network of 30 VLANS and currently all the vlans have access to everything. We are using Cisco 6509 switch for Layer3 routing.I would like to prevent some VLANs accessing the server VLANs. How can I restrict access to the server VLANs?Do i need to implement access-lists on the 6500 switch? or do i need to create VLANS on the firewall so that all traffic i filtered ?
View 9 Replies View RelatedI am testing rogue on wire using 5508 WLC and , I have a dedicated AP configured as rogue detector and configured the switch port where the Rogue detector is connected as trunk. I have plugged in an autonomous AP with open authentication to the same switch so that it can act as a rogue. On the WLC, I can see that Autonomous AP as rogue on Wire. But along with that I am seeing another AP as rogue on wire, even though i have plugged in only one Autonomous AP to the switch.
View 3 Replies View RelatedIs it possible to have multiple dhcp pools for multiple VLANs? The switch is a 6509 and/or 4506 catalyst. I don't want to use server-based products.
View 5 Replies View RelatedI have seen similar questions but with not a lot of answers for the ASA platform. As the title states, What procedures can I use to copy a pre-existing configured CISCO ASA 5520 to a brand new CISCO ASA 5520. I have found a URL that seems to answer some questions but not all. [URL]
The URL talks more about the PIX's than the ASA
Is there any documentation or shorter procedures for product specific on the 5520?
I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.However, the standby ip of this firewall is not point to the secondary firewall and vice versa for the primary firewall. [code]
1) May i know how is this configuration valid in the first place? I have checked through the configuration. None of the configuration is related to this ip address.
2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?
3) We tried to use this ip address but cannot be used ? Is it related to the configuration of the standby ip address.Do note that the ping to this ip address x.x.x.120 is unreachable.
i have cisco ASA5510 Firewall and configured one site to VPN . i want to configure another s2s vpn in the FW for another Site location.what to in the existing Firewall so that 2 site to site vpn can work.
View 4 Replies View RelatedI have 2 Cisco 5520 ASAs and was configured for Fail over. Unfortunately our Primary ASA went down and Secondary becomes Active and network admin made lots of changes on Secondary Active ASA. What is the best practice to rejoin Primary as standby or active without loosing the existing configuration on Secondary Active ?
View 6 Replies View RelatedI am trying to determine if this is possible or not. I have tried several configurations and I can only get half of it to work.
LAN (10.1.1.0/24) =====> <===== OUTSIDE (T-1)
ASA5510
DMZ (10.1.10.0/29) ====> <===== BACKUP (DSL LINE)
The Cisco ASA5510 currently is configured with the following interfaces: inside, outside backup, and dmz.The backup interface routes to the internet via a DSL modem, it normally is not active.The outside interface routes to the internet via a T-1 line.The inside interface is our local LAN and the DMZ has our email server on it.I am wondering if there is a way to configure the ASA5510 so all internet traffic from the inside LAN goes only through the DSL modem and all the DMZ traffic only goes through the T-1 line. No inside traffic (inbound or outbound) should go through the T-1. No DMZ traffic (inbound or outbound) should go through the DSL line.
I can get the LAN to use the DSL line with no problem, but the DMZ to T-1 side causes reverse-path errors.I am not looking for redundancy or failover protection.
i want to Use Cisco AP 1142 in my network. Also new to the enterprise edition AP.I have configured AP WEB mode the SSID and able to connect without the Security Key. Also want to enable MAC Address filter on the AP. Any configuration details on web and CLI Mode.
View 1 Replies View Related I'm configuring up aa ASA-5510, and I have several interfaces, some of which include:
interface Ethernet0/0.200
vlan 200
nameif SITECORP
security-level 90
ip address 10.1.4.1 255.255.254.0
!
[code]....
This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.
View 5 Replies View RelatedI need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).
We have a 3560 switch behind a ASA 5510 at a site that we are trying to access via telnet over the internet, we find out the switch does not have a default gateway configured. So I configure the following rule on the 5510: [code] Try accessing the switch, and all is good. One of our change control steps is to identify any others are connected to the device via: [code] I see the connection and show users command return 172.16.30.15, as expected. How is it possible that address can connect to that switch.
View 7 Replies View RelatedI am attempting to allow traffic from one vlan to another.Vlan 1 is on Interface 0/2.vlan1Vlan 2 is on int 0/3.vlan2Each vlan can communicate inside it's own vlan, and the gateway on each responds to vlan specific clients My problem is that I am unable to communicate between the two vlans. Using the ASDM packet tracer tool, I find that packets are denied by the default rule (on the second Access List lookup). It appears as if the packet never reaches the other interface. The access rules are set up to allow traffic from one vlan to another (inbound), on both interfaces. Testing from either vlan to connect to the other fails. Below are the accee-rules for each vlans. Once I get basic connectivity working.
access-list aVlan1; 3 elements; name hash: 0xadecbc34
access-list aVlan1 line 1 extended permit ip any 192.168.151.64 255.255.255.192 (hitcnt=0) 0xeb0a6bb8
access-list aVlan1 line 2 extended permit ip any 192.168.151.128 255.255.255.128 (hitcnt=0) 0x3a7dfade
access-list aVlan1 line 3 extended permit ip any 192.168.151.0 255.255.255.0 (hitcnt=0) 0x93302455
access-list aVlan2_access_in; 3 elements; name hash: 0x6dc9adc7
access-list aVlan2_access_in line 1 extended permit ip 192.168.151.64 255.255.255.192 192.168.150.0 255.255.255.240 (hitcnt=0) 0x054508b7
access-list aVlan2_access_in line 2 extended permit ip 192.168.151.128 255.255.255.128 192.168.150.0 255.255.255.240 (hitcnt=0) 0xc125c41e
access-list aVlan2_access_in line 3 extended permit ip host 192.168.151.3 192.168.150.0 255.255.255.240 (hitcnt=0) 0x4adc114c
I have been asked to look at upgrading two 5520 ASA configured in a HA pair Active/Standby, from version 7.2(4) to version 8.3(1) to bring it in line with some other ASA firewalls in the organisation.
My question is can I simply upgrade straight from 7.2(4) to 8.3(1) or will I have to step the upgrade from 7.2(4) => 8.2(x) => 8.3(1)
Having read a few articles on the forums and the release notes I think I should be able to go from 7.2(4) => 8.3(1) .
The second part of my query is around the upgrade itself, having researched this a little there seems to be various views on how to go about upgrading a HA pair and I cannot find anything specific on the website.
The approach I am thinking of is simply as follows;
- upload images onto both firewalls in the HA pair
- On the standby from the CLI
clear configure boot
[Code].....
I have the following Setup, Two Cisco ASA 5520 needed to be configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?
View 1 Replies View Relatedcommunication between 2 vlans.i have 2 vlans
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
I am forced to upgrade my ASA 5520 software from 7.1 - 8.2 or higher, as I am not familiar with ASA I need expert opinions.I have following concerns regarding the upgrade.
1-Do I need to worry about the software licensing when I download 8.2
2-I read about the few difference in commands (ACL and NAT) in 8.2 what exactly I have to do here should I change the configured NAT and ACL with real IP in the existing configuration after the upgrade ?
I have an ASA 5505, firmware 7.2 (4). Configured ACLs, NAT, it's all working, but after a while it seems that running crashes, no longer makes the directions of NATs, the logs until they stop working. To resolve, I have to restart the ASA, and everything will work again.
View 2 Replies View RelatedHow to secure vlans on Catalyst 6500 by using Cisco ASA Firewalls?There are no free modules on Catalyst 6500 to install a FWSM module.What is the best configuration to secure vlans (~80 vlans) by using cisco ASA firewalls (context, hairpining...)?
View 1 Replies View RelatedLet's say I have a Brocade switch, and a Cisco switch, and I've formed a VLAN trunk between the two.On the Cisco switch, I configure the trunk to utilize VLAN 3 for its native VLAN.On the Brocade switch, I utilized the command 'default-vlan-id 2'. I have configured the port going to the Cisco switch in dual mode.From my understanding, when a port is placed in dual mode, it sends frames that are untagged as the default vlan. Does this cause a native VLAN mismatch?
View 19 Replies View RelatedI do have the below setup,,
1. I have 6509 switch
2. I have 2 WLC configured in Active/Active mode connected in Trunk mode (L2 Port-Channel) connected with 6509 switch
3. On switch side i have configured the port as Trunk
4. L3 SVI for wireless users are created in 6509 switch (attached the diagram).
I would like to introduce a Cisco ASA 5520 firewall with AIp-SSM module so that all wirelees traffic can be inspected.
The issue is: Without changing any configuration in the network (switch & WLC) is it possible to introduce the firewall?