Cisco Firewall :: ASA 5505 Dual WAN Settings Required
Feb 27, 2012
I have a 5505 configured with a active/standby dual wan setup using the sla tracked connection settings. Is there a way to configure the ASA to stay on the backup connection after activating? We had a situation where the main T1 was bouncing, so the backup connection was being activated and deactivated very often. The problem is that there is an app being used that does not allow users to reconnect to dropped connections immediately, so every time the asa switches wan connections it causes a significant disruption.I should note that I already set monitor options frequency to 240 seconds. I could set it higher, but then we have a longer delay when the main connection dies.
I have existing Sonic FW in my company we are moving from sonic FW to ASA 5510 Security plus lice. I have two ISP currently connected to sonic Firewall I am planning to implement Dual ISP configuration on ASA5510.
I have a problem with the configuration of the ACL of my ASA 5505 router.However, the syntax seems okay,access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 .
My client is transitioning to a new ISP and want to migrate there web servers in stages. therefore they would like to keep some servers running on the old ISP and some servers use the new ISP.
I have set this up in a lab and keep running into routning issues (I am using 5510 for the lab as I do not have a 5505 available). I know that ASA's don't support PBR. Is there any way or trick to get this to work on the ASA?
I have a feeling this is not possible and we would need to get another ASA or a Router to get this to work.
I need to configure my asa as follows: Two active ISP´s, one(ISP1) for outbound traffic (normal internet traffic) and the other one for inbound traffic(ISP2), http to a web server in the inside network. I have two default routes, one pointing to ISP 1 with metric 1 and the other to ISP2 with metric 2. I perform dynamic nat to ISP1 interface with hosts in the inside network and static nat to ISP2 interface with web server.
I am attempting to set up failover dual ISP on a 5505 running 8.4(4) with the Sec Plus license. Everything i have been able to reference so far, points to old commands not available or relevant in 8.4
I would like to configure a Cisco ASA 5505 with Dual ISP (ISP 1 and ISP2) and two networks (network 1 and network 2). My customer need that clients in the network 1 connect to Internet with ISP1 and clients in the network 2 connect with ISP2. If a failure occurs in ISP1 (just an example) the network 1 clients connect with ISP2.
Currentry all traffic is passing thru Outside2 and it's correct, also s2s and ra VPN is also running on Outside2 ?My current case is to use Outside1 for webvpn services only. I can't use Outside2 becouse on 443 port other services are running, also I cant change webvpn port to other.
How can I match packets incoming to interface Internet1 from Interner side nad route them back thru Internet1 interface.
IPSLA is not a good solution becouse I need to have both WAN links used Now in routing table I have only onre record
S* 0.0.0.0 0.0.0.0 [20/0] via x.x.x.x, INTERNET2
for link with lower metric, but after some problems with provider for link Internet2 routing has changed for Internet1 and didn't change it back after resolving problem? how to create it for all traffic incoming for Internet1 interface from outside?
ISP1 (Our IP = 30.100.150.50, gateway 30.100.150.8) ISP2 (Our IP = dynamic, gateway 20.100.150.9) - ADSL Our internal LAN IP range is 10.9.8.0/24
We want to configure the ASA 5505 to allow users via ISP2 for http traffic We then want to use ISP1 for strictly VPN and access to internal web resources (eg OWA) as we have public IP's there.
Our idea was to configure two gateways on the ASA (e.g. 10.9.8.5 via ISP2 and 10.9.8.6 via ISP1)
Then give the users gateway 10.9.8.5 for web browsing etc Is this configuration possible on the ASA 5505?
I have a small office with about 20 people. I currently have a T1 line which feeds a Cisco ASA 5505. I would like to replace the T1 line with two (2) ADSL lines. I need a dual WAN switch/load balancer. I researched a bit and found that Cisco RV042 will probably work for me even though I don't need another VPN and would have to disable it.
My question: Is there anothe device from Cisco or others which will give me the dual WAN and load balancing but not the VPN piece. My assumption is that it would be a less expensive device if such an animal exists.
I have an ASA 5505 current f/w & the security plus license (to get the 3 nameif interfaces). Can I split traffic between two ISPs, (VPN traffic to one destination on a T-1 on one VLAN, and all other traffic using DSL to another VLAN) and using a different nat policy on both? I know load balacing isn't supported, only failover. I was just wondering if there was a way to make this work.
One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.
These seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all.) Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.
I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.
I need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.
The clients currently use .254 addressing through a dumb dell switch to the 3750 but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces and I'm not sure if that has anything to do with it's capabilities to act as a DHCP server (it's not an option in the ASDM) or it's ability to serve as the internet gateway for the 2010 clients. (Side notes: The 5505 has a base license and is currently also connecting 1 site to site VPN. As is the 5520, so all of it's interfaces are used as well).
I statically assigned a moved client with a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set it's default route to 253.1. The link between the 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.
Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?
The reason why I dont' just connect the two swtiches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface. I'm having such a hard time wrapping my head around why i can't get my clients moved over to the new switch, I haven't even grasped how I'm going to do that yet.
Does the following setting is a shipping default in the ACS 5.1?,In the Access Policies ->Network Device Admin -> Identity -> Advanced Options, the If user not found was set to “Continue” .
Cisco ASA 5505 Security Plus 1 link with PPOE dialup for internet access
desirable situation: Primary link with a PPOE dialup Secondary Link with DHCP address Asignment
Problem: i want to configure Dual ISP Failover modus, but the problem exist when i configure the ip sla syntax it looks good in the running config. but after a reload the secondary line becomes primary
It looks like the ppoe client authentication is busy when the ip sla tracking mechanism becomes active. can i tweak the settings that the ip sla tracking mechanism starts later?
What i the correct config for Dual ISP setup with primary PPOE and secondary DHCP
(2) identical DSL connections, configured as Static IP (not PPPoE) with modems in bridged mode. Static IP's are /25 subnet and same gateway ** this may be a problem? Dual WAN set for Load Balance, network service detection is OFF
We have a 2003 terminal server running and successfully receiving connections through both WAN connections. Depending on location, half the users are connecting to WAN1 IP and the other half to WAN2 IP. We are getting sporadic disconnects of the remote users when they are idle for a couple minutes and automatic reconnection of the session takes over a minute. If they close the (locked up) session and reconnect manually it will let them in right away.
Could the handling of the Dual-WAN be the culprit? Could the same gateway for both WAN's create this issue upstream (out of my control)?I am going to move everyone to connecting through WAN1 and then change to Smart Link Backup and see if the issues persist.
Another thought is to use a secondary IP on the terminal server and use Protocol Binding to match "All traffic" for IP1 to WAN1 and IP2 to WAN2, which theoretically would stabilize the situation?
I had an WRVS4400 (but didn't use the wireless), it it died. I'm replacing with an RVS4000. I have all the settings from the prior router, but my question has to do with the DSL modem in use in conjunction with the router, because (in my absence) my wife had a conversation with SBC, trying to use the hook to the modem directly and ended up altering settings on the modem that may affect the RVS4000 when I go to install it upon its receipt from Amazon tomorrow.
We have a business that uses a third party software vendor's website; their servers access our data on our server behind the router. So we use a static IP address, and port forwarding. No problem there. But I could have sworn that, with the WRVS4400 we used to have the modem configured as bridged; as of this morning, the modem shows PPPoE, and my wife can't recall what SBC had her do in that regard!
So, for the situation I've described, should I put the modem into bridge mode (and porting it into the RVS4000). Like I said, we have a static WAN IP address, and a range of more static IP addresses.
Recently switched DSL providers and now have Cisco modem DPC3008. Able to connect to internet directly thru modem. Able to connect wired or wireless to router. Unable to get router to connect to internet via modem. Tried restart, reset, and new set-up. Called ISP (Charter) - no way, said contact Belkin.
Region : UnitedKingdom Model : TL-WDR4300 Hardware Version : not clear Firmware Version : ISP : BT
I am thinking of buying a TL-WDR3600, but just need to know the answer to the question below.Can anyone confirm if the TL-WDR3600 supports NAT Loopback functionality?
Region : Germany Model : TL-WDR3600 Hardware Version : V1 Firmware Version : 120820 ISP : German university ISP
I have a big problem with several TP-Link routers (WDR3600, WR1043ND, WR741ND), always with the latest firmware and also with older ones. After a day or so, my internet & network connection will drop all of a sudden and all the routers need a reboot. There is no indication on what provoces these lock-ups. The routers can handle heavy traffic (bittorrent /w 100s of connections) but will stop working when browsing casually. The web-GUI will become unreachable. No pings to the outside are possible anymore, not even to direct IPs (8.8.8.8 for example). No pings to devices in the same network are possible either.
We have got site to site VPN configured between local site with PIX515 6.3(5) and remote site with ASA 5505 7.2(4) . Because of very unreliable internet connection in remote site , we have added new ISP link which we want to use as redundant link .i understand ASA 5505 can be configured with two ISP link with SLA monitor method for redundancy as per this document ,[URL]
my question is how do i set up this pix 515 to have redundant VPN tunnel with remote site (when primiary ISP link fails in remote site and secondary ISP links takes over ) . I was thinking of using PIX 515 with 2 peers in same crypto map used for that sepcific site to site vpn tunnel,not sure that is the right way or not though.But how would i configure ASA 5505 to use backup interface(where secondar isp router conects ) to particitae in Site to site Tunnel .
I have a computer in my garage that is connected to my Linksys router in the house via Cat 6 Cable. The computer in the garage has dual NIC cards installed and working fine. I am trying to get the Camera to feed back to the router from the second NIC card in the garage computer.The first NIC is communicating fine with the router.
Linksys Settings: 192.168.1.1 255.255.255.0
NIC 1: 192.168.1.145 (static) 255.255.255.0 192.168.1.1
[code]....
After messing around with many different thoughts and tries, I have successfully contacted 192.168.1.120 (the camera) from garage Computer While camera is connected to NIC 2.Camera wants a crossover cable to function properly and won't accept patch cable, I have tried with new cables...no change it needs crossover cable when connected straight to the NICs.
Camera: 192.168.1.120 255.255.255.0 192.168.1.1
Now the problem is I cannot view or access the Camera from my main Computer inside the house Like I need to....
Region : Philippines Model : TL-WR2543ND Hardware Version : V1 Firmware Version : ISP : Smartbro WiMax
I'm using the router TL-WR2543ND, I have pesonally configured the router myself, I'm no that good in computer but I managed to do so. I never had difficulty doing it. I have decided to switch to Smartbro Wimax and tried to connect it to my tp-link router but no luck. I browsed the net for possible instructions to do it but just frustrates me. I have changed the IP address of the router to avoid conflict, cloned the MAC address, still unable to connect the router.
I have a Virgin Superhub at home which is capable of 2.4 OR 5GHz wireless. I have a mixture of 2.4 and 5 GHz tech at home so would like to use dual band. My wireless settings on my Superhub modem look like this.As you can see it has settings for 2.4 OR 5GHz and wireless modes of 54, 144 or 300Mbps.
What setting should I be using for my EA4500 to operate in dual band mode? I'm guessing I should put by Virgin Superhub modem in modem mode at 5GHz/300Mbps.I will besetting up seperate SSIDs for 2.4 and 5GHz bands.
Region : Germany Model : TL-WDR3600 Hardware Version : V1 Firmware Version : 3.13.26 Build 130129 Rel.59449n ISP :
all my systems are configured under "IP & MAC Binding". Binding is activated globally and all check marks for every ID are set. After i finished my configurations, the "ARP List" status shows, that everything is bound - so far everything is great. The problem appears after a router reboot or after shutting the router down and powering it on again. The "ARP List" then shows only a few of my IDs and their status is unbound. I need to go back to the "Binding Settings" and hit "Save" - after that all my IDs appear in the ARP-List and everything is OK again.
I am quite new to firewall, in my company one asa 5510 firewall is there.I configured inside, outside, dns, dhcp and nating.I need to config bandwidth limit (1Mbps) for inside port and I restruct like facebook, youtube and pornsites..And I heard that some subscription is required, really is it required?
I have one firewall need to be configured in transparent mode. I have inside and outside router. What is the configuration of transparent firewall ASA8.2. I didn't find the configuration on Cisco site.
At the moment I'm running a T1 to a Cisco ASA 5505 device. I'm in the process of getting a backup ISP. My question is, is it possible to configure this firewall with two ISPs so that the same internal webserver can be accessed via backup ISP?
