Cisco Firewall :: ASA 5505 Can't Configure Interfaces
Mar 20, 2012
Got new ASA5550, code 8.2.2 in flash, can't configure "nameif" or "ip address" on the interfaces: [code] These are all the options that I get! Another weird thing I noticed is "<system>" string in "show ver" top line: [code]
View 2 Replies
May 23, 2012
I have a Cisco ASA 5520 that I'm configuring. From the actual firewall (which is a Linux server), we have the outside interface eth0, which has a public IP, and other sub-interfaces (eth0.1; eth0.2,...) with other public IPs. I'd like to know how I can configure it in an ASA.
View 7 Replies
Jul 4, 2011
I have a pix515 v6.3.3. Is it possible to configure dual ISP on two interfaces and have redundancy between them?
View 1 Replies
Jun 13, 2012
I am fairly new to configuring ASAs. I have an ASA 5505 with one outside interface and three inside interfaces (inside1, inside2, and management). I need inside1 and inside2 to be able to talk to each other but cannot work out how to make this happen. They are both configured to the same security level and the 'Enable traffic between interfaces with same security level' box is ticked. I have also tried adding appropriate NAT and Access rules. The packet tracer suggests the rules are correct for allowing traffic flow between interfaces but obviously this may not be the case.
View 14 Replies
Aug 18, 2011
It is my understanding that ACLs can only be bound to logical interfaces using the access-group command. However, is it possible to somehow apply ACLs simply based on the ASA's local Ethernet interface? For instance, consider the following:
Device A with IP 192.168.1.1/24 is connected to Ethernet0/0 on the ASA. Device B with IP 192.168.1.2/24 is connected to Ethernet0/1 on the ASA.
Since both devices are in the same subnet and presumably the same VLAN, is it possible to manipulate the traffic to and from physical Ethernet interfaces using ACLs in this manner?
My predicament is fairly simple:
Internet --- ASA --- ROUTER
              |
             DMZ
In addition to NAT, VPN, and various other tricks, my ASA is also routing traffic from my internal LAN and the Internet to servers in the DMZ configured on the ASA. Due to a combination of Internet and DMZ traffic, my relatively slow ASA is struggling to route and thus becoming a bottleneck. My router is comparatively modest in terms of functionality when compared to the ASA but it is fast. My ideal solution would be to somehow harness the ASA's filtering capabilities for my DMZ but use the router to get traffic to and from my internal LAN into the DMZ without using the ASA to route it.
Additionally, it is worth noting that my DMZ is fairly restrictive so using protected or isolated ports would not quite work for me.
View 1 Replies
Nov 9, 2011
I am trying to allow traffic between 2 inside interfaces with the same security level, VLAN1 and VLAN15. They are on different physical ports on the ASA. I tried to configure this through the GUI Web interface and checked 'enable traffic between two or more interfaces with the same security levels'. With this ASA version, I do not need NAT to allow this, correct?
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
View 1 Replies
Sep 23, 2011
I have an ASA 5505 running 8.2(1), that is configured with three interfaces as follows:
Inside (security 100) 10.0.0.0 /24
Inside 2 (security 100) 192.168.0.0 /24
Outside (security 0) internet
Inside is connected to my internal network, inside 2 is connected to the network of a sister organization, outside is outside.
I'd like to be able to route from inside to inside 2, and have NAT translate me to inside2's address.
I have inter-interface traffic configured, and when I use a NAT exemption, I can route fine. But the resources on network 2 must see my request as coming from the inside2 interface IP.
View 2 Replies
Feb 12, 2013
This is for an ASA 5505 with the base license...I have a situation where I will not have one interface in my outside VLAN, but instead I want to have interfaces 1-7 in my outside VLAN and interface0/0 in my inside VLAN.
Is this supported with the Base license, and if so how would I do this? Do I still just need to assign one IP address to the outside VLAN?
Or will I need to upgrade to the Security Plus license and put each interface in a separate outside VLAN, so in essence I would have 7 outside VLANs each with the same security level (0)?
My situation is that I have several partner networks that I want to "aggregate" thru my one ASA 5505. So each outside interface represents a separate partner (outside) network, each of which I want to get to from my inside network. Hence the many outside to one inside.
View 5 Replies
Mar 6, 2011
My customer is running an ASA5505 with 8.3 code.
They have a somewhat flaky proxy between their inside LAN and the firewall. I'd like to have a configuration as follows:
LAN > Proxy > VLAN 1 (eth0/2) on ASA
and
LAN > VLAN 1 (eth0/3) on ASA
So that in the event of Proxy failure (let's just say it loses power) the eth0/3 interface will kick in.
This appears to be easily configured according to the documentation:
"The following example creates two redundant interfaces:
hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# interface redundant 2
hostname(config-if)# member-interface gigabitethernet 0/2
hostname(config-if)# member-interface gigabitethernet 0/3"
But these commands don't seem to be available on a 5505.
View 7 Replies
May 17, 2013
How can I enable Netflow for each VLAN or interface individually in Cisco ASA? Currently I have set up Netflow and only 2 interfaces are showing traffic for Netflow, which are not even my physical or VLAN interfaces (see screenshot).
EscapeASA# sh interface ip brief
Interface                 IP-Address     OK? Method Status               Protocol
Internal-Data0/0          unassigned     YES unset up                   up
[Code].....
View 9 Replies
Apr 18, 2013
I have an ASA 5520 connected to a Layer 3 (3750) switch (Inside) and a connection to a 2960 switch (Outside) to get to the internet. I have created vlan interfaces on the 3750 switch and enabled ip routing on the switch to enable the vlans to communicate with each other.
Vlan Interfaces on the switch:
Vlan 100 172.17.1
Vlan 200 172.18.1
Vlan 300 192.168.3.1
I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet. I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other. I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1). The issue that I am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an ethernet connection from the 2960 that sits in VLAN 55 (Vlan 55 is the Internet accessible vlan). How do I configure my ASA to send all traffic from my (3) vlans to the interfaces that connects to the 2960 switch?
View 21 Replies
Mar 27, 2013
I am attempting to set up failover dual ISP on a 5505 running 8.4(4) with the Sec Plus license. Everything I have been able to reference so far points to old commands not available or relevant in 8.4.
For instance:
global (backup) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 20.20.20.1 1
route backup 0.0.0.0 0.0.0.0 30.30.30.1 10
What is the new syntax that should be used to mimic these commands? I have the sla and track reachability configuration already set up.
View 1 Replies
Mar 19, 2013
I am trying to configure an IPSEC VPN on an ASA5505. I set up an SSL VPN and it works fine; I can browse to the https: address, log in and connect to servers. However, when I try to set up the IPsec client access VPN it will not connect, and I am getting the errors below. I used the wizard for the initial configuration. Looks like the initial IKE is being blocked or dropped?
%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/500
%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/137
View 10 Replies
Sep 14, 2011
I have a firewall Cisco ASA 5505, and currently it is a command line firewall. I want to configure ASDM so that I can use it as a GUI Web Base interface. I really don't know what to do. How can I configure ASDM on my firewall?
View 7 Replies
Nov 15, 2011
I want to configure my Cisco asa 5505 as a dns server, so that when i configure any of my network systems ip address and use my firewall as a default gateway and dns ip, the system should be able to browse internet.
View 5 Replies
Mar 18, 2012
I am absolutely new in the enterprise firewall world but I would like to start learning how to configure ASA 5505 and 5510. I did some research myself and I found that the material or the topic itself is a huge adventure (lots to read and understand). My company uses IOS versions until 8.2 due to the differences in the NAT-ting rules with 8.3 and 8.4.
View 1 Replies
Mar 25, 2013
I have a test ASA 5505 at home. The DHCP IP address in my real home firewall is 192.168.1.x and as you are aware the default IP address in ASA is the same. How to configure the ASA?
In the link below there is an instruction, it seems it is working for everybody except me. I followed the instruction up and the only change was assigning the IP address, which I chose something other than 192.168.1.x. But after the step of creating NAT, I do not have access to the internet. [URL] Also I followed the link below, but the revision of the ASDM in the instruction does not match with mine, so I was not lucky to figure the device. [URL]
1- How can I configure the ASA 5505 with an IP address different than 192.168.1.x (at home = no incoming static IP address = DHCP on subnet 192.168.1.x for the incoming internet)? I have installed ASDM 6.3 on my laptop (from work) but when I connect to the ASA it wants to install ASDM 5.7. I tried to connect to the device through ASDM 6.3 and input the IP address 192.168.1.1. It takes forever and it does not connect to the device.
2- How can I connect to the device by ASDM 6.3 or any ASDM with higher version than the original of the device?
View 17 Replies
Dec 23, 2011
I want to configure multiple DHCP pools on ASA, which I create like
int e0/2
no shut
interface Ethernet0/2.10
 vlan 10
 nameif inside10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2.20
 vlan 20
 nameif inside20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
dhcpd address 192.168.10.10-192.168.10.254 inside10
dhcpd dns x.x.x.x y.y.y.y interface inside10
dhcpd enable inside10
dhcpd address 192.168.20.10-192.168.20.254 inside20
dhcpd dns h.h.h.h z.z.z.z interface inside20
dhcpd enable inside20
I have following query...
1. int e0/2 works as a trunk port, is it? Is any special configuration required other than dot1Q?
2. How can I configure the inside interface? Is it like,
   access-group inside_access_in_1 in interface inside10
   access-group inside_access_in_1 in interface inside10
3. How can I configure static NAT?
4. How can I configure the inside route?
5. How can I configure default NATing?
6. On which interface I access ASA? currently using inside interface.
View 5 Replies
May 20, 2012
I have ASA 5505 with 8.4(2)8 software for one of my branch offices and I can't configure port forwarding. It seems to be very simple, but it's not working. I use my ASA as a gateway to the internet for users in office and for site-to-site IPSec VPN to HQ. I have pppoe-enabled outside interface, but ISP gives me static routable IP address. I have a server behind my firewall and I should "publish" to the WAN some of its tcp and udp ports, but I see that no packets are forwarded through ASA. I tried to configure PAT as stated in official "Cisco Security Appliance Configuration Guide" through CLI and ASDM. [code]
View 4 Replies
Nov 18, 2012
I have a closed network that is not connected to the internet, just other sites that we want to communicate with. We have a Cisco router connected to the outside interface on an ASA5505 and a Cisco router connected to the inside interface on the same ASA5505. I have an inside interface that connects our management LAN, five separate DMZ interfaces with a separate LAN (VLAN) on each DMZ interface and the outside interface that connects to the other sites. Data is not allowed to mingle between the five DMZs.
All connections to the other separate nodes are handled with the router on the external interface. IPSEC GRE tunnels have been established between all sites and BGP routing has been verified. Pings are good between inside, dmz and external interfaces and between the DMZs and the other sites, to include hosts on our local networks and hosts at the remote sites. Inter and intra traffic is enabled.
When a remote site attempts an https connection, the initial ACK handshake makes it through the ASA5505, but the return SYN/ACK is being knocked down and I don't understand why (it is not because of ACLs, they are any any at this point).
Why isn't the return SYN/ACK to the remote site getting through the ASA5505 outbound? Will probably have the same issue with FTP, but right now, just trying to solve one problem at a time.
ASA5505 is in routed mode, not looking to NAT since the IP addresses in the DMZ need to be reached by their real IP address.
View 3 Replies
Nov 1, 2012
I am trying to configure an ASA 5505 with a username and password. I set all the passwords: [code]
When I reload the device it prompts me for the username, then the password and it fails and just asks for the username again. I have even tried to delete the username / password combo but it still prompts me for it. When I do password recovery the confreg is 0x00000001.
View 6 Replies
Sep 16, 2012
[URL] I am not savvy configuring ASAs at all and I can't get it to work. We are switching to a SIP trunk phone system and I am in charge of setting up the ASA to not only make it work but also make sure that there's packet priority or QoS. I've never configured something like this and I was given another set of instructions to make sure that this is working:
[URL]
Configuration:
My configuration is very basic:
3 interfaces - Outside/Inside/Guest
ASA Version: 7.2(3)
ASDM Version 5.2(3)
Firewall Mode: Routed
Solution: When I tried following the instructions on brian-kayser's blog I get an error when I'm sending the following command:
shape average
^ Invalid marker
service-policy PRIORITY-POLICY
^ Incomplete command
I think it's because my version of ASA doesn't have this functionality but I don't know.
View 5 Replies
Jun 10, 2011
I am setting up a Cisco ASA 5505 first time for My organisation, I usually setup Cisco Router, I have 10 Static IP, & Have 6 Server (S-1, S-2, S-3, S-4, S-5, S-6), Traffic Should be pass through the ASA and is distributed to the destination server that is specified in the packet. LAN servers can be separated into discrete networks for security. For example, a private LAN for internal traffic accessed only via remote dial-in VPN sessions and Want to Configure DMZ for Server (S-4, S-5, S-6) that allows public web traffic.
I have attached my network diagram. I have some questions:
1:- Can we Configure Multiple Static IP On ASA 5505 ?
2:- If Diagram is wrong what change need to be done ?
View 2 Replies
Nov 20, 2011
I am now going to configure IPSec VPN connection for Cisco ASA 5505 (Version 8.4)
View 3 Replies
Nov 30, 2011
ASA 5505 and DMZ, I have a Base License.
What do I need to do for access from the inside network to the DMZ?
I successfully configured internet access for the DMZ and inside network, and the web server can be accessed from the internet, but I have a problem configuring communication from the inside network to the DMZ.
View 14 Replies
Apr 30, 2013
I'm trying to support a friend. They just switched to TWC Business Class from Megapath. They have a Cisco 5505 ASA and are trying to configure it to work with the new TimeWarner cable modem. But we can't get PCs behind the firewall out to the Internet.
We think it should be a pretty simple config. They have the ASA connected directly to the modem. The modem is running DHCP, and we've configured the ASA to get its address via DHCP. We have a Windows server behind the firewall; it can't get out to the Internet either. It's set up to be a DHCP server and is giving IP addresses to the PCs on the network.
Laptops connected via wifi to a wireless router attached to the modem are able to connect to the internet, thus we know the modem is up and running fine.
Here's our running config:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name opanslab.com
enable password yYME2neTGgA0S1./ encrypted
passwd yYME2neTGgA0S1./ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address
[Code].....
View 5 Replies
Dec 23, 2011
Currently I have an ASA set up as a firewall with 1 outside interface and 2 inside interfaces. Initially, the Guest interface was set up to receive DHCP from the ASA and everything was working. I'm adding a router and a server for the guest interface and what I'm trying to accomplish now is the following: ASA 5505 > Airport Extreme with a public static IP (69.xx.xx.6), handling DHCP and NAT > Mac Server as DNS Server. Right now, when I connect to my Airport Extreme with any computer, I don't have internet. I don't understand what's wrong. My DNS Server has a reserved IP address: 192.168.226.2 and it's pointing to itself and forwarding the ISP DNS servers, the Airport Extreme is handling the DNS Server IP and the ISP DNS Server IP but I can't connect to the internet from the server. [code]
View 31 Replies
May 9, 2012
We've just started with the ASA 5505. We do run a DHCP server on the inside interface, so it is in the same VLAN 1 as all of the clients. However, we cannot get it to work. We can't use DHCP Relay, as the ASA 5505 only allows to relay to DHCP servers in a different subnet. Or do we have to move the DHCP server to a different subnet? If so, how would we configure that scenario?
View 13 Replies
Aug 30, 2011
I'm trying to learn Cisco ASA IOS commands, I have bought myself a 5505 ASA for my home network and plan to implement it. How best to configure it.
I have attached a diagram of how I want my network to look. The internet connection is via the Virgin Media cable modem.
View 7 Replies
Feb 14, 2012
I have a question: is it possible to have two WAN interfaces, to configure a Cisco 892 router with an IP address 255.255.240.0 84.197.167.111 on the first interface and a different IP address 84.197.174.182 255.255.240.0 on the second interface?
View 5 Replies
Nov 1, 2012
I have an ASA 5505 with 3 host license. I want to configure 2 outside interfaces and have inside interface. The outside interface going to a separate ISP. Will this work or do I need more licences?
View 3 Replies
Oct 26, 2012
I have a WLC 2504 controller and six access points AIR-LAP1042N. I am reading Cisco 2500 Series Wireless Controller Deployment Guide url...trying to set up along the lines.
It is also possible to have multiple AP-managers in a different subnet than the management interface. However, in this case, it is recommended that you disable the AP-manager from the management interface and create another AP-manager interface on different physical ports in a different subnet than the management interface. All multiple AP-managers in this scenario should be in the same subnet.
I am mapping the management interface on physical port 1 and disabled ap-manager on it. Set up 192.168.7.0 subnet with non tagged vlan. This iface/port I want to use only for access to WLC web-interface. Then I create dynamic interface 'dynamic1', map it on port 2, enable ap-manager on it, and set up 192.168.110.0 subnet with vlan 10. Then I tried to map wlan1 to this iface, but I can't because in the choice was only management iface to map wlan1.
There are three dynamic interfaces on the same subnet and vlan, in the example above. But when I try to add a dynamic iface with the same vlan/subnet as an existing dynamic interface, I get an error, and can't add it.
View 5 Replies
Mar 23, 2013
I have set up site-site VPN on 5505s on 2 sites. I can ping outside interfaces from both sites but cannot get replies when I ping clients behind the 5505 from the ASA itself. I have also tried to ping from 10.x.x.x to 217.41.x.x and to 192.168.x.x but do not get a response.
I was expecting the configuration to be enough but there might be something I am missing.
View 6 Replies