I am currently working on our Cisco voice platform at work.
Our Cisco firewall engineer has left and I have been given the task of looking after the firewalls as our Chief Exec seems to think that Cisco Voice is similar to Cisco ASA firewalls,
Are there any books/videos out that you can recommend to learn the about firewalls quickly.
I need to prioritize voice traffic through the ASA
priority-queue outside
tx-ring-limit 200
queue-limit 2000
Do the above values look correct? and why is the priority queue applied to the outside interface and not the inside? (or both). Also is this the part that ensures that the regular traffic does not choke the voice traffic?
class-map voip-class
match dscp ef
policy-map outsidemap
class voip-class
priority
service-policy outsidemap interface outside
Will the global policy remain which this interface policy taking priority?
I have a customer with active/standby on a pair of 5510's with the CSC modules. They were inquiring about the AIP/ASA, and since this would NOT work in their current setup, would getting a pair of 5510/AIP configured for transparent failover work placed in front fo the existing units? Would I need to have a switch placed between the AIP and CSC ASA's? Or would I setup the ASA's for context based Active/Active failover to interconnect the ASA's to the existing units, but I still see a need for a switch.
View 1 Replies View RelatedI am trying to setup a Cisco ACS 5.2 for both login and enable authentication to asa 5505s, 5510s, and catalyst switches. I am testing with an ASA 5505. The initial authentication to the firewall works, but when I try to enter privileged exec mode using the enable command, it doesn't work. I have the user setup on the ACS with a password and an enable password and privilege level 15, I have the device setup on the ACS, I have the tacacs+ server setup on the firewall and pointed to the correct server address, and the AAA commands for telnet, ssh, and enable.
View 9 Replies View RelatedOur company has recently upgraded our firewall from a Borderware Steelgate v7.1 platform to a Cisco ASA 5520 platform. Needless to say the interface on the Cisco platform is much more complex and I don't have much experience working with firewalls. Our other IT guy is out of town and this is the first time I have worked on this setup.
I need to create the following access rule
I need to open port 4**0 to be allowed through the firewall from external ip address 10.XXX.XX.XXX only. Then forward port 4**0 to 10.XX.XX.XX port 80 tcp
can some one suggest me will it be recommended to use PIX firewall 525 on Voice ( sip ) network for 5000 CC to 1000 CC calls in signaling mode since our server are using public IP so will i be able to use it without NAT / PAT also will there be any issue of QOS.
View 1 Replies View RelatedI have a question regarding firewall configurations. Is it possible to have two interfaces ( for two internet service providers) one for voice and one for data. Can I have two Outside Interfaces that one will apply to a pppoe client group and the other will apply to a static IP? Is this possible and if so What would be the steps on applying this connection? Also to note I have a point to point connection already established for the pppoe. I also have another point to point connection for data, but however I do not know how to apply this to the firewall.
View 3 Replies View RelatedI have a customer who is going to host a VOICE services like providing SIP services to its customers. What specific ports required to be opened up for this on ASA 5515X. I would rate it ASAP.
View 3 Replies View Relatedi am using asa5540 with 7.0(8). firewall was configured in transparent mode.
now i am looking for block ip phone communication from site to site and head office. i am using cucm 7.1.2b.
all site was connected through ofc. no nat was using.
Trying to set-up a priority queue for Voice and Video traffic, below is the current ASA config. The WAN link is 6mb, trying to limit the Internet traffic to 4mb and save 2mb for the PQ, config belowTraffic just isn't hitting the PQ
priority-queue outside
queue-limit 512
tx-ring-limit 200
!
class-map Video
description Video
match dscp af31
[code]....
I was under the impression that those global addresses that we used with NAT were from the outside IP addresses range?Lets say my outside IP address is idk 192.112.40.11 /30 and I only had two usable IPs (since you can't use network and broadcast IPs) so how would I set up NAT for a couple of Inside addresses with a shorting of addresses like this? Idk if that makes sense what I'm trying to say
View 3 Replies View RelatedWe have a configuration where we go through a firewall (ASA 5510) to a router, which decides if it is internet traffic or another network used for colleges etc in Canada called SR Net. If it is internet traffic it then goes through another ASA 5510 to the internet.
When we tested we were not seeing the speed of our internet (about 1/10th). We tested by putting the laptop before the internet firewall and we get the throughput. We also threw the test laptop before the router and we got the throughput expected. But when the test laptop is before the internal (first) firewall we get about 1/10th the speed. We are Nating on both firewalls, so from the inside we are going from a private IP to a Public IP (so it can go to SR Net is need be), then Nating again to the internet IP on the second firewall.
I'm not sure how I turn off my firewall
View 4 Replies View RelatedI have two firewalls in 2 different locations. They act as primary and secondary for my WAN connectivity. I would want a way to synchronize access-lists in both without manually replicating.(access list, NAT and Route)FW model cisco 5580
View 1 Replies View RelatedI am trying think of a better way to provide redundancy on some internally protected networks. We maintain our own WAN/backbone between our primary site and backup site. Is it possible to have two Cisco ASA 5550s in setup for failover at completely different sites as long the networks connected are available?
View 3 Replies View RelatedWe currently have redundant FWSM's and are planning a migration to standalone ASA 5500 series firewalls. However, we have a complete VMWare environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and VSG architecture and implementation, and I do understand that the ASA 1000V is designed for cloud environments. But I do have one question about the ASA 1000V.
Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a sole firewall solution, or are ASA 5500's still needed? Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?
I've been trying to open ports 5800 and 5900 for UltraVNC and checking them with online port checkers, but they are always listed as closed. I've even tried taking town windows firewall, my router firewall (although as soon as I disable and apply, it automatically switches back to enabled again), and also DMZ'ing my router. I wonder if it might have something to do with my new modem, but in the config page for that, the advanced settings are locked out. the modem is an arris TM722G, and the router is a linksys wrt-54G with DDWRT firmware.
I'm running windows 7 x64 and using a static local IP, I want to be able to use DynDNS to connect to UltraVNC.
I have a scenario whereby I need to add a second VPN tunnel to a Cisco ASA, however its peer address will be on the outside2 interface on the remote firewall.
we have ASA1-HQ 5505
Inside address - 172.16.20.0
Outside1 - 1.1.1.1
Outside 2 - 2.2.2.1
ASA2-DC 5510
Inside Address- 172.16.30.0
Outside1 - 3.3.3.1
Outside2 - 4.4.4.1
There is currently a VPN tunnel between 1.1.1.1 and 3.3.3.1. I need to add a 2nd VPN tunnel utilising outside2 addresses 2.2.2.1 & 4.4.4.1 respectively.
I have labbed this out, however i cannot get traffic going down to the 2nd VPN tunnel. I have created the following routes on each firewall
ASA1-HQ
Outside1 0.0.0.0 0.0.0.0 1.1.1.2 (metric 1) (Next hop for outside1 interface)
Outside2 4.4.4.1 255.255.255.255 2.2.2.2 (metric 1) Peer address of 2nd vpn tunnel)
ASA2-DC
Outside1 0.0.0.0 0.0.0.0 3.3.3.2 (metric 1) (Next hop for outside1 interface)
Outside2 2.2.2.1 255.255.255.255 4.4.4.2 (metric 1) Peer address of 2nd vpn tunnel)
I have tried adjusting the Crypto map Priority values however this has made no difference. One theory I have is the local addresses potentially would need to be on a separate network in order for traffic to traverse the 2nd VPN tunnel.
the crypto maps i have created are:
ASA1-HQ
Outside1 (Priority10) S 172.16.20.0 /24 D 172.16.30.0/24 Protect ESP-3DES-SHA Peer 3.3.3.1 (Nat T Enabled)
Outside2 (Priority 1) S 172.16.20.50 /32 D 172.16.30.50/32 Protect ESP-3DES-SHA Peer 4.4.4.1 (Nat T Enabled)
ASA2-DC
Outside1 (Priority10) S 172.16.30.0 /24 D 172.16.20.0/24 Protect ESP-3DES-SHA Peer 1.1.1.1 (Nat T Enabled)
Outside2 (Priority1) S 172.16.30.50 /32 D 172.16.20.50/32 Protect ESP-3DES-SHA Peer 2.2.2.1 (Nat T Enabled)
Is what I am attempting feasible?
I have ASA 5512X and I'm trying to run CX features on it. but the problem is I don't have SSD drive in the chassis. how can I get one? is any kind of SSD drive compatible with cisco ASA-CX firewalls or i should order it from cisco only? what is the part number for that model?
View 3 Replies View RelatedWe are planning to install a new SSM-4GE module on both Active and Standby firewalls. how can we install an new SSM-4GE with a minimum outage. I was planning to install the module in the following steps.
1. Power off the secondary firewall(FW02).
2. Install a new module.
3. Power up the secondary firewall
4. Power off the primary firewall(FW01)---> in this step will the secondat firewall become active as there is a hardware conflict.
5. Install a new module.
6. Power up the Primary firewall(FW01)
or do i need to power down both the firewalls and then install the modules?i have is that after the installation only one port on the new SSM-4GE module would be in use on Primary firewall(FW01) which is a terminating link from a router. No link would be terminating on the new SSM-4GE module on secondary firewall. Will the firewalls still fail over in this case or does it require a link going to the secondary firewall on new SSM-4GE module(same port as on primary firewall) from the router.
I have a 5510 ASA and have been given another an told to make them active and standby. Basically the active one is working great but the second one has no config on it apart from the default one, but is the same firmware level. I guess I need a crossover cable, and what happens with the inside and outside interfaces, would they need to go into a vlan on a switch, one inside vlan where the 2 firewalls inside interface go into and another vlan for the outside? Otherwise if it failsover to the standby ASA the inside and outside interfaces wouldn't work.
View 4 Replies View RelatedI installed Comodo Firewall today, and I couldn't access my Internet from then. I actually liked it's UI and all and want to keep it. The only something that I felt that might be causing the problem is "Use Comodo Secure DNS Server"? Is it likely the reason to be the cause of the problem?
View 1 Replies View RelatedI have one Fortigate 200B Fire wall, which is using for wifi internet. i had configured one login page in the fourtigate .The path following below system > config > replacement message > authentication > login page.
it was working earlier. suddenly its not working. when i checked this path, that login page message colum was blanked. when i trying to put the message again its not pasting and am unble to type the message also.
I am new to firewalls and I am trying to make mine block specific websites but so far have had no success. Here are the settings I am using in the router's admin area:
Security > Firewall > General
Active firewall
Security > Firewall > Rules
[Code].....
i am using windows vista on my laptop.i was using zone alarm firewall, but switched it to windows firewall.after switching, my internet was cutoff. i can see that i am connected to my network, but cant get to internet.when i run diagnosis on my laptop, it gives me three options:
my Ethernet driver is having hardware issue.
my wireless driver is having hardware issue.
ip protocol binding is having issue. check ipv4 and ipv6 settings.
I have disabled windows firewall in Windows 2003 server control panel but only few ports are shown opened when i scanned with advanced port scanner why other ports are closed.How to open the closed ports?
View 2 Replies View RelatedI'm using Fortigate 200A firmware Versionv4.0.3,build0106,090616 and IPS Definitions 2.00673 (Updated 2009-08-11).
View 1 Replies View RelatedRecently i had suffering with wireless connection problem, currently my wireless router connected to WAN directly, after that go into firewall and then go thru switch to end user PC, for LAN user there is no issue, but for wireless connected PC it is prompted with limited connectivity problem(DHCP is disable on router), after check with ipconfig /all. it seem likely due to wireless PC cannot get the IP from DHCP server. i am using DLink615 router. i had checked firewall setting there is firewall policy that connected all router ip into company LAN, but i don't think there is DHCP VPN setting up. is there anyway i can go thru firewall and get IP from DHCP server because if i set up DHCP on router, it cannot pass thru and access to LAN.
View 9 Replies View RelatedAt my small business (30 employees) we currently don't have a hardware firewall. Should I have one? If so what do you recommend? We are all connected to a Windows Server 2003 domain in one office building.
View 7 Replies View RelatedMy company have a Cisco PIX 525 firewall which is cater for NOC internal data network and also voice network, the subnet for data network is 192.168.2.0/24 and the subnet for voice network is 172.16.2.0/24. someday this NOC firewall was faulty. I was migrated the data network from this NOC firewall to the other temporary firewall just at the moment. And the voice network i migrated it from where it orginal at NOC firewall to a VOIP system which actually having a connection with my temporary firewall(This temporary FW only to take the traffic of data network). After the migration of data network from old firewall to temporary firewall and also the migration of voice network from old firewall to PABX system. The subnet for data network remain the same as 192.168.2.0/24, but the subnet of voice network i edit from 172.16.2.0/24 to 192.168. 3.0/24.Now when i want to use one Cisco router 2600 to replace this temporary firewall then facing problem at the voice network....The data network after migrated from temporary firewall to new 2600 is ok, users can browsing. But when i trying to at the same time when the data network been migrated , it will affect the voice network which still located at PABX. ..user cannot make call...I was thinking reason because this voice network which currently in 192.168.3.0/24 is tight to somewhere on the 192.168.x.x at the old firewall internetwork. So, when i migrated the data network over to new router, it will also cause the failure of voice even thought after i migrated the voice system to new router.So when i do the disaster recovery back to the temporary firewall for both data and voice. The voice is resuming to normal.
View 4 Replies View RelatedBesides MAC address filtering, is there another good / easier way to keep visiting laptops etc from plugging in a CAT cable and accessing a LAN protected by a perimeter firewall?
View 5 Replies View RelatedHow I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
We are looking to deploy ISE supporting 5000 devices and would like to use the Cisco UCS platform to host this. Looking at the spec required a C22 M3 would be sufficient; however we would also like to host some UC applications on the same server if resources allow.
Therefore we would like to deploy ISE on a C220 M3 server and connect the associated NIC to a DMZ. We would then like to deploy UC applications such as CUCM and CUPS on the same UCS server with a NIC attached to the internal network.
Also while the UC application would require a UC Foundation License (R-VMW-UC-FND5-K9) whould this also meet the requirements for ISE?