Cisco Firewall :: ASA 5505 - Backup ISP Link Configuration?

Jan 28, 2013

I'm working on setting up a backup link for our ASA 5505 and I've followed these directions:  [URL]
 
The backup ISP gives us a dynamic address; however, when I enable the backup ISP's interface on the ASA, my VPN tunnels drop. As soon as I disable the backup interface, the tunnels come back up. I'm attempting to configure this across one of these tunnels, so obviously this is an issue, as is the fact that other people need the tunnels as well. I'm not sure what I did to make this happen, but I've been over the config many times and can't see anything different from the instructions in the link above.
 
I thought it might be trying to route traffic across the backup interface, but my primary interface is tracked and has SLA running on it, so I would assume it wouldn't roll over onto the backup interface.


Cisco Firewall :: ASA 5505 Backup ISP Configuration

Jun 13, 2011

I'm having problems configuring an ASA 8.2(1) with a backup ISP. I followed the ASDM instructions in this document: [URL]
 
I have my backup interface configured as DHCP and the static routes set. Pinging the gateway and other external IP address from the backup interfaces works normally. I have also tried configuring the backup interface as a static address but got the same results.
 
When removing the primary WAN link, all traffic stops. When I ping an external DNS, I get these errors in the log: portmap translation creation failed for udp src inside: 192.168.13.23 dst backup:208.67.222.222_type 8, code0)
 
I thought this type of error is related to a NAT problem, not sure where to look though.

Cisco VPN :: ASA 5505 Backup Configuration To TFTP Server?

Oct 4, 2011

Is there a way to back up the configuration file to a TFTP server? I've tried "copy start tftp" and "copy run tftp". No luck, I get an error message.

Cisco Firewall :: ASA 5505 With Backup ISP?

May 8, 2012

I am working with a client that currently has an ASA 5505 with two ISPs for failover using a tracked interface.  I would like to configure logging so that the ASA will email us when the Primary ISP goes down and fails over to the backup.  Here is what I have so far...
 
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12

[code]....

The primary interface is Outside and the backup is obviously Backup

Cisco WAN :: 5520 / Backup Internet Link Configuration

Dec 14, 2012

I have two internet links, each of which is from a different ISP with different real IP addresses. I want to make the second backup internet link work for internal and external (AnyConnect) users.
 
My question: is it applicable to register a single A record with different real IP addresses? And also, is the AnyConnect method the best solution for them?
 
Note: I have a single 5520 firewall behind the cable modems.

Cisco Firewall :: ASA 5505 Backup Interface?

Nov 21, 2011

I have set up an ASA 5505 with 2 ISPs, named outside (primary) and backup. The scenario is that if outside goes down, then backup will take over; it works now. But it is not working when the primary connection cannot reach the gateway with the interface still up.
 
Is it possible for the backup to automatically take over when the primary connection cannot reach the gateway?
 
My configuration is:
 
ASA Version 8.2(1)
!
hostname cisco

[Code].....

Cisco Firewall :: Create A Backup ASA 5505?

Jun 12, 2013

I have a production ASA 5505 that is working perfectly. I wanted to take a spare ASA 5505 and copy the running config to it so that I would have a backup unit that could be swapped out if the production unit went down.
 
Both units have Security Plus and are running 8.2(1). The only difference is that the production ASA has 512MB of RAM while the backup ASA has 256MB. Also, the backup has AnyConnect and the production unit does not.
 
I copied the running-config to my tftp server and then copied the running config from my tftp server to the backup ASA as startup-config. After reload the device booted with an identical configuration to my production ASA, but after swapping out the units to test it, I have no access to the WAN or DMZ from my LAN. Swapping back to the production unit and all works as it should.
 
I printed out the running config from both devices and compared them line by line. They are identical except for the AnyConnect line in the backup ASA's config file.

Cisco Firewall :: 5505 Remote VPN And Backup ISP License

Oct 29, 2012

I have a 5505 with the default 10-user license and want to increase the remote VPN users to a 50-user license; will it be on a yearly basis? Another question: can we purchase a Security Plus license for configuring the failover config, as well as supporting the 50-user license on the same?

Cisco Firewall :: ASA 5520 Configuration Backup With Archive?

Nov 15, 2011

On our Cisco 3750 switches we can take config backups with the archive command. After every "write mem" it writes the config to our backup server. We would like to do this also for our ASA 5520 with version 8.2(2). I also searched in the command reference guide, but I can't seem to find the proper command to do it.

Cisco Firewall :: Best Practice For Log Configuration And Backup In ASA5505

Feb 20, 2011

I would like to take a log backup on the ASA, and I would like to check whether any attack pattern is there. How could I do this? Also, how could I follow best practice for this?

Cisco Firewall :: ASA 5505 With Dual ISP - How To Setup Backup Connection

May 22, 2012

How can I set up the backup connection so that it starts, but only after 30s of ICMP timeout to the default gateway (tracked object - 192.168.1.1)?
 
My configuration:
 
sla monitor 123
type echo protocol ipIcmpEcho 192.168.1.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
 
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.2.1 254
 
track 1 rtr 123 reachability

Cisco Firewall :: ASA 5505 Transparent Firewall Configuration?

Sep 11, 2007

I want to configure an ASA 5505 in transparent mode (7.x). Somehow, I got it to work, but I need some kind of step-by-step description. I just want to connect it with outside on a route and inside in my LAN. It's working now with one ASA. But in the web interface the interfaces inside and outside are down, yet it's working.

Cisco Firewall :: ASA 5505 - SIP Configuration Without NAT

Oct 15, 2012

I am new to using the ASA 5505 appliance. I have successfully configured it so far, but the one piece that eludes me, and that I can't find an example of, is configuring SIP with internal (DMZ, security level 50) VoIP phones to an external call manager (external, security level 0) without using NAT. I have an internal VLAN to an internal B2 router (and management) on eth0/7, an external VLAN (/30 to an external B1 border router) and five different DMZ VLANs on ports eth0/1-eth0/5.
 
On the external router, the internal interfaces going to the ASA5505 are separate sub-interfaces for each VLAN in the DMZ and one /30 VLAN to connect between the router and ASA. I am using vrf forwarding on the DMZ sub-interfaces with IPSEC/GRE tunnels to keep the routing tables separate. I cannot have the different DMZ VLANs communicate with each other (that's why I am using vrf).
 
Everything works, all my tunnels are up, I can ping to the external sites from the DMZ VLANs and pass data, but I am stymied by setting up VoIP. When I used the wizard (big mistake) it set up all sorts of certificates and NAT (since I really didn't know what I was doing at this point).
 
Any hints on configuring VoIP from phones in the DMZ VLANs to an external call manager?
 
I would include the current config, but I have to hand transcribe it since we don't allow USB connectivity. I might be able to provide it a little later. I am using ASDM 6.4 and ASA IOS 8..4

Cisco Firewall :: ASA 5505 - Set Up DSL Configuration?

Nov 11, 2012

I am setting up an ASA 5505 for a customer. I am not sure how to configure the firewall when it is connected to a DSL modem. I tried to do an ordinary config just like the ones that are connected to an ordinary router.
 
The topology is:

[code]...

Cisco Firewall :: ASA 5505 DMZ Configuration

Jan 9, 2012

I am attempting to configure an ASA 5505 which is connected to 3 networks for access to an inside email server.  Don't pay attention to the names on this config as they are not intuitive.
 
The 3 vlans are:
vlan 1 which has an IP of 192.168.x.1 - Connected to inside (which is really the dmz)
nameif inside
e0/1 is assigned to this

[Code].....

Cisco Firewall :: QoS Policing Configuration On An ASA 5505?

Jun 10, 2013

I'm working on QoS policing configuration on an ASA 5505. The ASA is situated behind a cable modem which provides an SLA of 3.2Mbps out. I've configured a QoS policy to place VoIP and other essential traffic (RDP/Citrix/PCoIP) into a priority queue, whilst policing the default class to 3.2Mbps to police out to the cable modem. I can see on the outside interface graphs that this is rating the output traffic down to 3.2Mbps as expected, but I'm noticing that at certain points of high output the traffic drops down to 1.6Mbps. I can't see anything obvious in syslog or any other areas to look, so I'm looking for any pointers as to why the speed is suddenly dropping down. Likewise, if I rate the output to 2Mbps, it will suddenly drop down to 1Mbps at high output rates. The ASA is running on 8.0(5), and I enclose a copy of the sample QoS config below and have attached a sanitized run config, as well as a screenshot taken of the outside interface Bit Rates plus service-policy.
 
access-list VoIP-Traffic-OUT extended permit tcp 172.16.6.0 255.255.255.0 host 68.98.217.252 eq h323
access-list VoIP-Traffic-OUT extended permit udp 172.16.6.0 255.255.255.0 host 68.98.217.252 object-group rtp
access-list VoIP-Traffic-OUT extended permit tcp 172.16.6.0 255.255.255.0 host 68.98.217.252 eq 2000  
access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq 3389
access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq citrix-ica
access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq 4172

[code]....

Cisco Firewall :: 5505 - Restore Configuration From Other ASA

Sep 26, 2012

I have the configuration file of the ASA 5505. I have another unit of exactly the same model; that ASA is new, but this is my first time working with an ASA.
 
I am going to configure an IP address on the 0/0 interface and then use TFTP to upload the config to the startup config, and then save it and reload the ASA.

Is that enough, or does the ASA need extra steps?

Cisco Firewall :: 1-1 NAT And PPTP Configuration - ASA 5505?

Mar 22, 2011

I need to add the following to our firewall configuration (we are changing from a WatchGuard firewall to Cisco and it was necessary for it to be configured this way):
 
1) I need to create 1-1 NAT for our VoIP system and video conferencing unit and to do it as below

VOIP-SIP : from 85.90.225.100 to 217.207.96.121 on port tcp/udp 5060
VC-SIP : from any_external to 217.207.96.120 on port tcp/udp 5060
VC-Video : from any_external to 217.207.96.120 on port tcp/udp 60000 to 64999
VOIP-RTP :  from 85.90.225.100 to 217.207.96.121 on port tcp/udp 10000 - 20000
 
2) I need to enable PPTP traffic to pass from outside to inside and vice versa
 
current config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
names
name 10.10.1.19 barracuda
name 192.168.1.2 ctxdmz
name 10.10.1.39 ftp1
name 10.10.1.38 ftp2
name 10.10.1.37 ftp3
name 10.10.1.192 mailsvr
name 217.207.96.114 outside_114
name 217.207.96.115 outside_115
name 217.207.96.116 outside_116
name 217.207.96.117 outside_117
name 217.207.96.118 outside_118
name 217.207.96.119 outside_119
name 217.207.96.120 outside_120
name 10.10.1.8 transfer_server
name 10.10.1.10 backupsvr
name 10.10.1.4 citrixsvr1
name 85.90.225.100 voip_sip
name 10.10.1.9 minimac1
name 82.111.186.146 sdt_rdp
name 217.207.96.121 outside_121
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.1

[code]....

Cisco Firewall :: PPPoE Configuration In ASA 5505?

Mar 19, 2012

I want to know the PPPoE configuration for the ASA 5505 firewall. In my office I have an ASA 5505 and I get a connection from a local ISP, which is nothing but a PPPoE connection, so how do I do this?

Cisco Firewall :: ASA 5505 Configuration For AT&T Microcell

Mar 2, 2011

We got an AT&T Microcell a couple of weeks ago, hooked it up to our CISCO PIX 506 firewall and it worked "out of the box". We then upgraded to a CISCO ASA 5505 when the Pix died last week. Got the ASA 5505 up and running pretty much "out of the box", only having to setup our IP addresses (inside & outside). The 5505 is NOT configured as DHCP since I have an existing server in house that assigns IP addresses and I don't want to mess around with changing everything. However the Microcell wasn't working on the new 5505. Found in the Microcell manual that the following had to be "open":

123/UDP (NTP)
443/TCP (HTTPS)
4500/UDP (IPSec NAT Traversal)
500/UDP (IPSec phase 1 prior to NAT detection)
 
From the 5505 Config Guide, I found that I needed to ENABLE NAT-T, so I did this with the following commands:
crypto isakmp enable outside
crypto isakmp nat-traversal 3600
 
Using the "Packet Tracer" in ASDM, I found that ALL 4 types of packets were allowed going from the ATT Microcell (192.168.10.52 on my INSIDE network) to the OUTSIDE interface (66.xxx.xx.xx). However, all 4 types of packets FAILED when the Packet Trace was reversed (Source = 66.xxx.xx.xx, Destination 192.168.10.52).
 
The Packet Trace pointed to the "implicit rule" to DENY IP traffic. So, using the ASDM, I setup Access Lists for the above 4 ports/protocols, both on the INSIDE & OUTSIDE interface, both INCOMING & OUTGOING. Still, no success and the Packet Trace in ASDM still pointed to the IMPLICIT DENY rule on either the INSIDE or OUTSIDE interface, depending on which Interface I was initiating the Packet Trace. I tried setting the Access Rules for "Any" IP Address (not just the public IP or the Microcell IP) on both the Source/Destination for all 4 ports. What is even more confounding is that when setting up these access lists to PERMIT traffic, my internal network  Internet traffic stopped for ALL workstations on my network. Phone started ringing no more than a minute after I applied any PERMIT rule. By deleting the rule just installed, traffic started flowing again.
 
My number one question is why don't the access lists work and why does setting up a "permit rule" kill my internet traffic?
 
I'm not a network expert and sprinkle holy water on our network every morning. I cringe when I have to make changes (like putting in a new firewall) because I don't know all the inner workings, parameters and setups done over the years by predecessors. I need to get the ATT Microcell up and running and figure the experience will be beneficial as our next step is to setup a VPN.

Cisco Firewall :: ASA 5505 Configuration Required

Apr 29, 2013

I have a problem with the configuration of the ACL of my ASA 5505 router. However, the syntax seems okay: access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 .

Cisco Firewall :: Getting ASA 5505 Vlan Configuration?

Mar 14, 2013

I have IOS 8.0(4) and the base 50 User License...will this config work?  I have two networks; my home network, and my lab.  I want to split my Internet connection between them, but keep the networks separate for the most part.  Will my license allow this config since I can't do DMZ?
 
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
switchport access vlan 1
!
interface Ethernet0/2
switchport access vlan 2

[code]....

Cisco Firewall :: ASA 5505 Configuration Cannot Get To Internal Network

Jan 25, 2012

I now need to configure an ASA 5505 for a small server farm. It's fairly straightforward: isp -> asa5505 -> internal servers. I'm using static addresses -- no DHCP involved. VPN works; I can get into the internal network. Pinging from the ASA to an external address works. However, I cannot get from a laptop connected to an internal port out to the internet, either using ping or typing an address in the browser.

Cisco Firewall :: ASA 5505 Active / Standby Configuration?

Sep 21, 2011

I have 2 ASA 5505s running 8.3(1) and ASDM 6.3(1).
 
The first unit is currently working, and I now wish to configure the second unit as standby. I'm configuring through the ASDM GUI. I started the HA Wizard, chose Active/Standby configuration and entered the IP of the peer device. The checks all come back OK. On the LAN link configuration page (step 3 of 6) the interface is preselected as VLAN99; I give it a logical name of iface_fail, enter 10.0.0.1 as the primary address and 10.0.0.2 as standby, the subnet as 255.255.255.248, and select port Ethernet0/5.
 
Note that if I click on the buttons next to the IP fields, I get IP addresses of remote hosts!

Cisco Firewall :: ASA 5505 Configuration For Home Network

Sep 4, 2012

I've been trying to configure a Cisco ASA 5505 for my home network but I'm not having much joy with it. I've looked at countless guides and tutorials, and followed the ASA setup wizard in ASDM. The Cisco 1841 is running sub-interfaces for my VLANs.

Cisco Firewall :: Prepare ASA 5505 Configuration To Be Used At Next Reboot

Jan 26, 2012

For a customer I have to move the ASA 5505 firewall to a new internet connection. I have modified the config in a notepad textfile and want to put it on flash or so, so that it will be loaded at next reboot.

Cisco Firewall :: ASA 5505 8.4.4 Stops Using EzVPN After Configuration

Sep 24, 2012

I've got some ASA5505s which run as EzVPN clients in NEM, connecting to an ASA5510 as head-end. The ASAs are configured with a CSM and AUS. But whenever they get a new configuration through the AUS, they stop trying to establish an EzVPN connection to the head-end. After a "reload" they run with the new configuration and establish the tunnel as expected.

Cisco Firewall :: ASA 5505 - DMZ Configuration With Base License

May 24, 2011

My ASA 5505 base license allows for three VLANs; the third one can only initiate traffic to one other VLAN (as specified by no forward interface vlan <number> on the third VLAN). This doesn't mean it can't "access" the other VLAN, it just can't initiate traffic to it. A lot of people get that wrong. Let's say you've got three VLANs: one is OUTSIDE, two is DMZ, and three is INSIDE. On the second VLAN, would I enter the no forward interface as vlan 3, then set the name via the nameif command, and everything will work just fine? The DMZ will not be able to initiate traffic to the INSIDE, but will to the outside, and assuming you have your ACLs and NAT set up properly, it will be able to respond to traffic from the INSIDE.
 
Would that be best practice, or would I enter the "no forward" interface as in VLAN 1, thus being able to respond to traffic from the outside as opposed to the inside?
 
I had a DMZ set up but since there was an intrusion into my network, I am building it again.

Cisco Firewall :: ASA 5505 VLAN Or Trunk Configuration?

Sep 2, 2012

ASA 5505: I got a Security Plus license which allows multiple VLANs. I want to be able to configure the ASA to allow only an RDP session (one way) to another switch where all the VLANs are. I've attached a pic of what I want but I'm struggling.
 
I looked at documentation saying you should have an inside and an outside interface, but I'm not sure in this scenario. I've configured the inside interface on ASA e0/1 and the interface VLANs, but I'm not sure what to do between the ASA and the switch?

Cisco Firewall :: Random ASA 5505 Configuration Reloads?

Oct 16, 2011

I've been trying to track down intermittent problems with one of our branch office ASA5505s. The way we have been tracking it is primarily through ping/ICMP connectivity. Occasionally our tracking software will report that it stops responding to ping requests, then in almost less than a minute it will start replying again. I'm allowing ICMP to that interface and it is internal. Examining the logs, it almost looks like the config is being reloaded, but I've never seen this kind of log before so I'm not sure if it is just sending its config to a host or actually reloading its config.
 
Here is the first part of it:

2011-10-17 07:05:05          Local4.Notice          192.168.22.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'logging host inside 192.168.2.20' command.
2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'logging host inside 192.168.2.21' command.
2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN1 192.168.254.9 1 track 1' command.
2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN98 192.168.254.9 1 track 2' command.
2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN202 192.168.254.9 1 track 3'

[code]....
 
I've sanitized certain parts, but it does look like it's reloading the config?

Cisco Firewall :: How To Restore Factory Configuration On ASA 5505

Jun 18, 2007

While configuring my ASA 5505 I changed the IP address range of the internal network. Obviously I made an error because I cannot reach the box at either the old or the new address. How can I restore the interface and firewall definitions or reset the box to its initial state? I found a doc on how to reset the password, but it does not explain how to restore the complete initial config.

Cisco Firewall :: Multiple DHCP Pool Configuration On ASA 5505

Oct 4, 2012

I want to configure multiple DHCP configurations on an ASA 5505. I tried to create a sub-interface for a different IP pool, but it could not be configured on the ASA 5505. Is it possible to create a subinterface on an ASA 5505?
 
ASA 5505 IOS version: 8.3(1)
License: Security Plus

Cisco Firewall :: ASA 5505 - Losing Configuration When Device Powered Off

Feb 28, 2011

I did a reset on my ASA by stopping the boot process because I could not remember what my enable password was. I had no problems with the reset; the ASA came back up as it should and I started configuring the device again. My problem is that when the device is powered off and back on, I lose all the configuration changes that were made. I save the changes with "write me" before the restart and they are still being overwritten.







Copyrights 2005-15 www.BigResource.com, All rights reserved