Cisco Firewall :: ASA 5510 Connected To MPLS And LAN Via 6506-E Core Switch

Apr 19, 2011

I am attempting to install an ASA 5510 at my HQ.  Our MPLS network is provided by our ISP and the routers are managed by them.  They will be working with me to add the needed routes to the routers. Using version 8.4.1.  That said, here is my challenge:
 
I am connecting the MPLS routers and WAAS device to my core switch (also performing inter-VLAN routing) in VLAN 2. There are 3 connections needed for the MPLS equipment and they are all in VLAN 2 on my core switch.  The firewall (ASA 5510 with Security Plus licensing) also has an interface (outside) in VLAN 2.

e0/0
shutdown
no nameif

[Code]....   
 
configuration guides or suggest TAC as they have been a bit inconsistent with this issue thus far.  What am I missing? I cannot get to where the inside interface of the firewall is pingable by the LAN and the outside interface of the firewall is pingable by the LAN.




Cisco WAN :: Dual MPLS Routers Connected To Dual N5K Core

Mar 29, 2012

I wanted to ask a question about the diagram I have included.  We are bringing up 2 MPLS WAN connections and would like some specifics on the best design.  We are using BGP to the providers.  From there we have big questions.  We can run BGP internal and are licensed to do so on the N5K's.  The N5Ks are currently using HSRP for inside LAN clients as default gateway.  We want to load balance and provide redundant routes using a dynamic approach.  Should we use BGP internal utilizing the connections between the routers?  Should we use HSRP on the routers?  How best to get the routes to the N5K and should we be considering this?


Cisco Security :: WS-C3560X-24 Needs To Be Connected With Another Core Switch

Dec 5, 2012

I got a new task: moving a WS-3560X 24-port Layer 3 core switch from one branch to my branch and connecting it to the WS3560 Layer 3 core switch in my site network. Both core switches have 3-4 Cisco 2960 switches underneath and lots of VLANs, of course. I am thinking about creating an EtherChannel between these two switches.


Cisco Switching/Routing :: 2 Internet Connection Connected To Same Core Switch 6509

Jan 25, 2012

I already have one internet connection connected directly to the Core Switch 6509, and the switch routes any internet request with a default route:
 
SW6509-conf)# ip route 0.0.0.0 0.0.0.0 10.170.10.10
 
10.170.10.10 is --> Next hop for the DSL router internal IP, and it's working fine.
 
We have a new internet connection with another ISP, with another DSL router. How do we connect both of them to exit from the Core Switch 6509?
 
Is it OK if I make another default route to the next hop of the new DSL router, as:
 
SW6509-conf)# ip route 0.0.0.0 0.0.0.0 10.80.10.10
 
10.80.10.10 is --> Next hop for the new DSL router internal IP.


Cisco Switching/Routing :: 6500 Ping Packet Drop From Core-Switch To Directly Connected Server

Oct 24, 2011

I have a Cisco 6500 CS and there is a Cisco Unified Communication Manager Server connected directly to the Core Switch. I tried to change duplex and speed (fixed and auto) for both sides, but the same problem.


Cisco Firewall :: ASA Firewall Positioning In Transparent Mode Between 6509 Core Switch And WLC

Apr 26, 2011

I have the below setup:
 
1. I have a 6509 switch
 
2. I have 2 WLCs configured in Active/Active mode connected in Trunk mode (L2 Port-Channel) with the 6509 switch
 
3. On the switch side I have configured the port as Trunk
 
4. L3 SVIs for wireless users are created in the 6509 switch (attached the diagram).
 
I would like to introduce a Cisco ASA 5520 firewall with AIP-SSM module so that all wireless traffic can be inspected.
 
The issue is: Without changing any configuration in the network (switch & WLC) is it possible to introduce the firewall?


Cisco :: Any Traffic Interruption Turning On TE In MPLS Core

Jul 4, 2012

Is there any traffic interruption if turning on TE in a working MPLS core?


Cisco Firewall :: 6509 Core Switch - How To Create DMZ Vlan

Oct 31, 2012

I need to create a DMZ Vlan.  Core switch is a 6509.  FW is an ASA5520.  Need to create a VLAN for DMZ purposes for outside facing servers.  NAT is used on ASA.


Cisco Switching/Routing :: Connecting Core Switch To Firewall 3750x

Apr 13, 2013

I have a 3750X four-switch stack acting as the core of a fairly simple LAN. All I need to achieve (and this seems inordinately hard, but it is entirely likely that I'm just being dense) is to get access to the internet through my core switch, through the firewall and out through my VSAT. I've spoken at some length with the firewall providers (Cyberoam) and they tell me all I need to do when I migrate onto my new system (Cyberoam is currently in place at the entrance to our existing LAN) is change the local IP address of the Firewall, plug in the new switch to the LAN port, and away I go. Tried that, didn't work, so obviously I'm missing something.


Cisco WAN :: Receive Full BGP In 6506 Switch?

Mar 13, 2013

I want to receive full BGP in my switch 6506 with the following characteristics: cisco WS-C6506-E (R7000) processor (revision 1.2) with 458720K/65536K bytes of memory and Supervisor Engine 720. When I configure the BGP session in my router with my peer, the switch begins to work slowly and restarts.


Cisco WAN :: Bootloader Backup Of 6506 Switch

Aug 17, 2011

I am a little confused about how to take a bootloader backup of a Cisco 6506 switch with WS-C6506-1300A chassis and WS-X6K-SUP2-GE sup. I am pasting a part of sh run to show you the image files for the switch.

!
boot buffersize 522200
boot system sup-bootflash:c6sup22-jsv-mz.121-8b.EX5
boot bootldr bootflash:c6msfc2-boot-mz.121-8b.EX5
enable password !
redundancy
main-cpu
  auto-sync standard
diagnostic level complete
 
take backup two files in a tftp server.


Cisco WAN :: 6500 Client Has MPLS Connected All Sites

Apr 18, 2012

Our client has MPLS connected all sites. Each site has a router connected to MPLS via serial interface, and connected to the switch (6500) via ethernet interface. There is QoS applied on the serial interface for outbound.
 
It appears there is lots of inbound traffic coming to the site, and the client applied QoS on outbound. What I learned is that after the packets are marked by the CPE, the ingress Provider Edge Router (PER) uses these markings to map flows to various Label Switched Paths (LSPs) providing differentiated treatment across the network. Then at egress, the PER applies queuing policies based on the CPE's original DSCP markings to properly allocate bandwidth on the egress link during congestion. My guess is we really don't need to have an inbound policy applied on the serial interface of the router, am I correct?
 
The serial interface has 1.5 MB, and the goal is we want to have 1 MB for critical apps, and 0.5 MB for download/upload internet access. If we apply this policy on the switch, A) should I apply it on the VLAN interface or the port connected to the router?


Cisco Switching/Routing :: 6506-E Switch Always Boot With Old IOS

May 4, 2012

I tried to upgrade IOS from SXI2a to SXI9 in a Cat 6506 VSS. But the problem is that the switch always boots with the old IOS. I put the new IOS in sup-bootdisk and slave sup-bootdisk, and bootvar is OK with the new IOS: [code] Show bootvar is OK but the switch always boots with the old IOS SXI2a. Some bug in IOS SXI2a??? I will try to delete the old IOS from sup-bootdisk and try with the new one only.


Cisco LAN :: 6506 How To Connect Fiber Cable To Switch

May 14, 2012

The core switch is a 6506 and one of the modules is the 48-port PoE module. The 6506 resides in the main building and we need to interconnect two other annexes to the main building via fibre. Is it possible to have just 2 SFP ports on the 48-port module, or how do we connect the fibre cable to the switch?
 
Also, if the existing network is made up of Cat5e cables, would it be of any use to use Cat6 cables for the uplinks from the switches on each segment to the core switch? I feel basically the Cat5e would nullify the speed of the Cat6, or am I wrong and this would make uplink speed faster?


Cisco :: Memory Utilization OID For Catalyst 6506 Switch

Dec 26, 2012

We have one Catalyst 6506 (with WS-SUP720-3B, IOS is 12.2(18)SXF14) and one Catalyst 6509 (with WS-SUP720-3B, IOS is 12.2(18)SXF17a). We used WhatsUP to collect I/O & process memory utilization for both switches. The memory utilization for the Catalyst 6509 was OK, but it seems not correct for the Catalyst 6506 (show proc memory displayed the total memory is 512MB, but WhatsUP displayed only 64MB).


Cisco Firewall :: Voip Pbx Resides On Separate LAN / Not Connected To ASA 5510

Oct 18, 2011

The VoIP PBX resides on a separate LAN, not connected to the ASA.  Users from behind the ASA (inside) try to connect to the VoIP PBX using a soft phone. The VoIP connection is established, however users cannot hear conversations on either end. I'm assuming this is possibly a SIP and PAT issue?  The ASA firewall is using a separate Global IP for PAT.  Also I have opened ports on the outside interface for SIP udp 8081, 2088,16000-16010 and 15000-15511.  I have both SIP and H323 h225 inspection in place as well.


Cisco Firewall :: ASA 5510 Cannot Talk To Remote Networks Connected

Mar 20, 2012

We have an inside interface, 192.168.10.0/23. We have an outside interface, public IP... We have the ASA connected to 5 site-to-sites; this is working fine, and through the internal interface we can access all remote sites and vice versa. These are 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24 and 192.168.60.0/24. When a user connects via Cisco VPN Client they can see the inside network but can't talk to the remote networks connected, for instance 192.168.40.0/24... whereas an internal user can. I understand that the VPN client connection is seen as an outside connection, not an inside connection... but then I read [URL] and I am confused even more.


Cisco Firewall :: 5510 EtherChannel Connected To 3740 Stack

Feb 13, 2013

I have a single 5510 ASA and a pair of 3750 stacked switches. I was trying to create an EtherChannel on the ASA and connect it to the switch stack port channel to support different VLANs sub-interfaced at the ASA.  I am confused by the following statement from the doc [URL].
 
Section Guidelines and Limitations:

"The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up."
 
What does "If the ASA EtherChannel is connected cross stack" mean? Or better: is it possible to use the ASA 8.4 Port-Channel to connect it to the 3750 EtherChannel stack?


Cisco Firewall :: ASA 5510 Users Are Unable To Pass Traffic When Connected Through Vpn

Sep 12, 2011

I am migrating over from an old PIX to an ASA 5510. After configuring the new device everything else is functional (Internet) but users are unable to pass traffic when connected through the VPN. They are able to authenticate and I see their session connected on the ASDM but no data is passed. [code]


Cisco Firewall :: Zbot Infection - Using ASA 5510 To Detect Computer Connected To IP

Sep 27, 2011

Is there any way to use an ASA 5510 to detect which computer on the inside of my network is connecting to IP 87.255.51.229?  I am being blacklisted for a win32/Zbot connection. I need to identify this computer and get it disconnected from the network ASAP.


Cisco WAN :: 7609S - Configure Per-tunnel QoS With DMVPN For MPLS Connected Sites?

May 3, 2013

One of the customers has deployed Cisco 7609S in their infrastructure for Branch/RO connectivity. When we tried to configure per-tunnel QoS with DMVPN for MPLS connected sites, we came to know that Cat 6500 and Cisco 7600 series routers don't support this feature.
 
Now, we are looking for suitable replacement of Cisco 7609S. I found a document for configuring above feature on Cisco ASR 1000 series routers, but it has many restrictions always.
 
We are now looking for
 
(a) suitable platform in the league of Cisco 7609S which support above feature.

(b) suitable technology replacement of DMVPN with minimum restrictions.


Two Router Connected On One Switch - Firewall?

Nov 3, 2011

Two Router Connected on One Switch and switch on Firewall?


Cisco :: 6506 Switch - SNMPv3 User Without Group Setting Showing

Sep 4, 2012

Why is it that when SNMPv3 user "TestV3-User" was added to my SNMPv3 implementation on my 6506 switch, the group/MD5/Encryption settings are missing for this user (see "sh snmp user" output)???
 
router#sh snmp user
User name: TestV3-User
Engine ID: 80000009030000249706EFC0
storage-type: nonvolatile        active access-list: test

[Code]....


Cisco :: Aironet 1130 AG Remote Office Connected To Data Centre Over MPLS

Sep 27, 2011

We have an Aironet 1130AG in a remote office connected to the data centre over MPLS. The RADIUS server is based on Server 2003. We have hundreds of these points set up exactly the same but this is the only one giving me issues. I even stripped the config and rebuilt it and then swapped with a new access point.
 
The issue is that clients can't authenticate when connecting to the access point, but it provides nothing in Event Viewer. Checking the RADIUS server provides nothing either. The access point error logs just state station: authentication failed
 
On looking deeper into the problem I enabled RADIUS debugging on the access point and got some interesting results, in particular the line:
no sg in radius-timers: ctx 0x12EF0A4 sg 0x0000.
I can't find out what no SG in Radius-timers actually means, but after that line appears I just see more retransmits and no sg fails.
 
I inspected the packets on the RADIUS server and found lots of access requests coming from my access point and lots of access-challenges returning back from my RADIUS server - I'm not sure how often that's supposed to happen or if it's a one-time occurrence. I did however see directly after the first access-request that the RADIUS server returns with UDP and is fragmented, length is 1514...... could this be the problem? If so why can it not handle fragmented packets?


Cisco Switching/Routing :: 2950 - Devices Can't Connected To Server At Core Sw

Jan 11, 2013

In my organization we have several 2950T that are connected to each other. We have 4 floors, with each floor having 1 sw except the 4th flr, which has 3 sw.
 
Main server, apps, db (15 units) are connected to the core sw at the 4th flr. Currently the problem is other devices can't connect to the server at the core sw. Test ping and the network to the core sw is an intermittent problem. When pinging 100 times, only 30 reply. After 10 minutes the connection is restored. Ping 100 times successful. It will not have the problem again until the next day. This has already happened for 3 days. Any command for me to use to check if the port or the switch is having a problem? Any log I can collect?


Cisco Switching/Routing :: 6506 Benefits Of Adding Nexus Switch To Datacenter

Sep 7, 2012

We have two Catalyst 6506 switches with 10 Gb uplinks and around 120 edge switches (Cat 3750-X switches). Still, the module on the core where servers are connected has 1000 Mbps ports. Now if we induct a Nexus switch into the datacenter, what kinds of benefits can we reap in a virtualised environment as well as a real environment? Following are some of the queries. Can we reduce the number of edge switches (by virtual environment)? Interoperability between Cat IOS and Nexus IOS, and how this will affect the environment. What will be the overall benefits? What are the cons of this induction?


Cisco Infrastructure :: 2960s / 3750s / 6506 - AC Power Outlet On Catalyst Switch

Apr 15, 2011

I have several 2960s and 3750s and two 6506 (ws-cac-3000w) that recently moved to a new location. The power outlet is the same, but the voltage is different: currently the 2960/3750 use this (one phase 3 wire) 220v, and the new location changes to (from 3 phase 4 wire -> one phase 220v). The 6506 is currently using (one phase 3 wire) and will be changed to (from 3 phase 4 wire -> one phase 220v).

I had searched the docs about power supply/cable; they only show support for single phase 220 v, but no description of the volt between each wire!! Does the new location power outlet suit the 2960/3750s power and the 6500 ws-cac-3000w?!? Do I need to change the power outlet back to what is currently in use?


Cisco WAN :: 5510 Two Router Branch Routing Design With T1 MPLS And ADSL

Feb 29, 2012

I'm looking for routing design scenarios to complete our configuration needs for remote branches.  We will have two 1921 routers in each location, one with a T1 from our MPLS carrier, the other with a DSL connection from an ISP.  The T1 router will have an assigned AS and use BGP to route back to headquarters.  The DSL router will have an IPSec tunnel back to an ASA 5510 at headquarters. I envision a GRE tunnel from the DSL router back to head end routers connecting to MPLS at headquarters.  Not sure yet how to manipulate the routing between headquarters and the branches such that the T1 router is the primary route to and from the branches and the DSL router is for failover/backup.


Cisco Switching/Routing :: 5510 / 2811 - MPLS Options At Company HQ

Apr 30, 2012

I've studied and labeled out MPLS and MPLS VPNs several times.  The situation I'm presented with is a little different from most of the case studies I've seen in my MPLS books.  I've attached a diagram.
 
We have an IPsec site-to-site tunnel from our main HQ router to a Cisco ASA 5510 in the core network in the colo.  This allows our HQ office to reach the private subnets in our core without using a Cisco VPN client.  The problem we are running into is that this seems to be putting undue strain on the Cisco 2811.  I feel like the 2811 should be able to handle it but doing any kind of upload or download through the tunnel spikes the CPU/Interrupts and makes the router CLI basically stop responding until the traffic transfer is stopped or completed.  During this time, certain Cisco SCCP phones on our Broad works platform cycle while the SIP phones on the same platform are OK.  We are trying to alleviate the load on the 2811 by setting up a VRF from the HQ network to the private VRF used in the Core for private subnet communication.  The problem I'm having is that the HQ also has some public traffic that I do not want to include in the VRFs and would like to have it travel through the P2P circuit we have and access the internet or other public devices through the core public IP Internet routing table.
 
The flow would be this:
-going to a public address use the public internet routing table
-going to private address in the 10.x.x.x or 172.x.x.x - use VRF to core Private network.
 
This is a slightly different setup from most of the VRF VPN examples I've seen.  In most of those the CE device is completely private.  This is not the case at our HQ.


Core Switch Getting Hanged?

Jun 6, 2011

In my company there is a core switch, 4500 series, to which in the 1st module servers are connected and in the second module 2960 and 3750 series switches are connected. The problem is that the utilization of the core switch is very high and the core gets hanged. The configuration of the scenario is a VTP domain, i.e. the core is Server and the rest are Clients....


Cisco :: Connecting Servers To Core Switch?

Jul 19, 2011

There are more than 15 servers, which include xen, esx, vmware, also san etc., which are connected to the L3 core switch directly. And VLANs are created for each..... xen, iscsi, vmware, xen, server. I wanted to know, is there any other technology, other than directly connecting servers to the core switch and assigning VLANs, that can be used in place?


Cisco :: L3 Core Switch VLAN Monitoring With IPS?

Jun 10, 2012

We have an L3 core switch with multiple VLANs set up. Is there a way to place an IPS so as to monitor the traffic passing between, let's say, VLANs 1-3 and VLANs 4-10?


Cisco :: LMS 4.0 - Core Switch Is Showing In RED Color

Aug 31, 2012

I am facing an issue with LMS 4.0. The Core Switch is showing in RED color, and device type as UNKNOWN. It was working fine but somehow it is showing this problem.








Copyrights 2005-15 www.BigResource.com, All rights reserved