Cisco Firewall :: ASA 5510 High Drop Count On Management Interface

Sep 4, 2012

I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context.


Cisco Firewall :: ASA 5510 7.2.1 High Traffic On Outside Interface Very High Input?

Oct 13, 2011

Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today. On the dashboard of our ASA 5510 the "outside interface" traffic usage is running constantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization? It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.


Cisco Firewall :: ASA 5510 - Management Interface

Feb 13, 2012

I am having issues with the ASA 5510 management interface. I can't communicate with this interface. It is showing DOWN/DOWN even if I type NO SHUT several times.
 
My existing config is as follows 
our-asa-01# sh run
Saved
ASA Version 7.2(5)
hostname our-asa-01
names
dns-guard
interface Ethernet0/0
[code]....


Cisco Firewall :: Verification Of Management Interface Usage On 5510

May 24, 2012

I seem to get conflicting information on using the Management port as a regular routed interface on the ASA5510. The management interface can be used for the traffic that passes through the firewall as well. The Security Plus License for the ASA 5510 is required in order to use the management0/0 port as a regular interface. With a base license on the 5510, the management0/0 port cannot be used as a regular interface.
 
I believe that I saw another post that mentioned it was part of the standard IOS if you had a later version.


Cisco Firewall :: ASA 5510 High Traffic On Outside Interface

Jul 31, 2012

I have little experience with firewalls; what I've learned has been by dealing with issues like this that arise from time to time. I know, I need to upgrade the version. It's in the works now. Anyway, my question/problem is: Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today. On the dashboard of our ASA 5510 the "outside interface" traffic usage is running constantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization? It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.


Cisco Firewall :: ASA 5510 / Management Interface Stopped Working After Upgrade?

Jun 24, 2012

After I upgraded our ASA 5510 to 8.4.2 I have a problem with the management interface. Our former firmware 8.2.3 had no problem using the management interface as a DMZ zone, but after we upgraded to 8.4.2 we can't make it work. The interface and the protocol are up when I type: show interface. But when I ping the interface from a computer connected to the interface, nothing happens. Even the logging shows nothing.


Cisco Firewall :: ASA 5510 / 4GE SSM - FP L2 Rule Drop

Nov 10, 2011

ASA 5510 running without issues for a while but we needed an extra port so added a 4GE SSM.
 
Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future. So we upgraded the firmware and now are at an impasse.
 
We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port, we can't even connect to an external DNS server.  Running a packet trace I get an immediate error on the first step '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.
 
I have some experience on setting up basic port forwarding and NAT for internet access, webservers, mail but this has thrown me. 


Cisco Firewall :: ASA 5510 / 8.0 - Capture Type ASP Drop Entries With No Reason?

Dec 4, 2011

I have a capture set up of type "asp-drop all", and I am capturing certain packets with no indicated ASP drop reason. See output below (ASA 5510 with 8.0(5)23 code):

asa5510-8.0#  show capture, capture ASP type asp-drop all buffer 15000 circular-buffer [Capturing - 14912 bytes]


Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?


Cisco Firewall :: ASA5512-X Setup Using Management Interface

Jun 28, 2012

I have a brand new ASA5512-X running 8.6.1, and am trying to do an initial setup using the Quick Start Guide that came with it. However, the Management Interface is not working. I have a PC connected and set to use DHCP, but the port is not active. I connected a console cable and can see in the config that the interface is shutdown. So I set it to active, and the port is now active, but is not giving out a DHCP address as the guide says it should. I would like to use the ASDM Startup Wizard to configure this device, so how do I get it to work the way the instructions say it should?


Cisco Firewall :: ASA5540 Management Interface IP Addressing?

May 9, 2011

How does one allow a /31 mask for a management interface on an ASA5540 using version 8.3(1)?
 
I need to configure a 192.168.x.y /31 on the management 0/0 interface of an ASA5540 and it is providing me with the following error:

ERROR: /31 mask is not allowed


Cisco Firewall :: 5520 - Configuring ASA Management On Sub-interface

Jul 27, 2010

I have two ASA 5520 with 4 Giga interfaces and 1 management interface.
 
I need to use 4 interfaces for data traffic
 
1- Inside
2- Outside
3- dmz-1
4- dmz-2
 
The remaining one will be the management interface only. How can I configure the stateful failover and management?
 
1- I used the management0/0 for The stateful failover.
 
2- I used gig 0 for outside
 
3- I used gig 1 for inside
 
4- I used gig 2 for dmz-1
 
5- I divided the gig 3 to two sub interfaces
a- gig0/3.1 for dmz-2
b- gig0/3.2 for Management and I defined it as a management-only


Cisco Firewall :: Management Interface In Cluster ASA 5515x?

Jan 6, 2013

I have a misunderstanding about management interface configuration in a cluster. I have a cluster of ASA 5515X with a management interface. I would like to be able to connect to any member of my cluster on the management interface, so I would like to fix a different IP on the management interface on each of my nodes, IP 92 and 91. I think it is the only way to make an ASA firmware update to access the local flash on each node.
 
my config
 
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif

[Code].....


Cisco Firewall :: ASA5510 - Cannot SSH Or ASDM To Management Interface

Jan 21, 2013

I try to SSH and get access denied.
 
I try to ASDM and get "Unable to launch device manager from 172.16.252.100"
 
I think I am missing something. Software is 8.4(5) and running in Transparent Mode.
 
Inside/Outside are in bridge-group 1. No BVI is configured as we will be using Management0/0 for access.
 
login as: test
test@172.16.252.100's password:
Access denied

[Code].....


Cisco Firewall :: ASA5520 Use Management Interface As Regular

Oct 16, 2011

I have a Cisco ASA 5520 8.4(1) with an ASA 5520 VPN Plus license.
 
I want to use the management interface as a regular interface (using the no management-only command). Is this interface a Gig interface as well?


Cisco Firewall :: ASA 5550 - Configuring Sub-interfaces On Management Interface

Nov 29, 2011

I am currently doing some research (for my employer) into creating multi-context sub-interfaces on a Transparent ASA 5550.
 
I have not been able to find any details on this subject which state it is or it is not possible. This will be used for Syslog logging.


Cisco Firewall :: Provide Access To The Management Interface / Vlan On ASA 5505

Jun 8, 2011

I've got an ASA 5505 running 6.3. I've connected the management interface to our management vlan (which contains switch IPs, iLOs etc.). Is there a way to allow access to this vlan from another?


Cisco Firewall :: ASA5510 Static Routes For Management Interface Not Working

Mar 30, 2011

We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
 
e0/0 = outside
e0/1 = inside
m0/0 = management
 
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
 
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1
route management 10.72.0.0 255.255.0.0 10.72.232.94 10
 
This doesn't work, and ASDM logging gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
 
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
 
route management 10.72.211.0 255.255.255.0 10.72.232.94 10   <------------- this works
 
route management 10.72.211.79 255.255.255.255 10.72.232.94 10   <------------- this works too
 
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
 
We are going to have numerous hosts access and be sent messages through the management interface of these ASAs, and it would be very burdensome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
 
Here is the pertinent ASA config concerning syslog, routing, and interfaces:
 
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141
!
interface Ethernet0/1
nameif inside
security-level 100
ip address xxx.xxx.xxx.xxx 255.255.255.128 standby

[Code].....


Cisco Firewall :: ASA 5510 - Bandwidth Management And Content Security

Sep 13, 2012

I have some clarifications regarding the ASA firewall, whether it can support bandwidth management and content security at the same time. We are looking for the below features in the ASA5510.

IP/Policy based bandwidth management. Control the bandwidth and allocate the bandwidth to specified users or servers. Content Security. If not, which device do I need to set up for Internet Bandwidth Management and content security?


Cisco WAN :: 7609 Ten Gigabit Interface Can Not Count Bit Rate

Oct 18, 2011

I've got a Cisco 7609 with WS-X6708-10GE (8x10Ge). One port (te9/4) from it has zero bit rate counters, but all the rest of them are very good. I can see traffic if I read it by SNMP. [code]


Cisco Firewall :: Pass Management VLAN Traffic Through ASA 5510 In Transparent

Mar 10, 2013

We have a small cisco 1800 series workgroup router that separates our network from the outside world. The data coming into our network goes into the router on interface fa0/1 and comes out on interface fa0/0. fa0/0 is split into 2 sub-interfaces (fa0/0.2 and 0/0.3). These sub-interfaces correspond to a desktop and server vlan on our network. The workgroup router is connected to a 3560G trunk port (we'll call it switch 1) and switch 1 connects to another 3560G (we'll call it switch 2). Recently I was asked to add another layer of security to our network by installing an ASA 5510 firewall and forcing certain types of traffic to authenticate using their domain credentials for our network. The firewall was set up between the router and switch 1 in transparent, multi-context mode. There are 2 security contexts, 1 for the desktop vlan and 1 for the server. Both have the same security settings applied to them since we want the same behavior regardless of whether they are trying to access the servers or the workstations.


Cisco Firewall :: High Memory Utilization On ASA 5510

Sep 13, 2012

We recently added about 400 users to our network for a total of 1000. Looking at the ASDM we are holding very tight to 75% utilization and we have 256mbs. This is also running IOS 8.2(1). Our firewall recently crashed after a major download was forced through it. This was after only being booted up for about a week. We had reloaded it a week prior after having run it for about a year without issue. We haven't made any changes in the last month other than adding more users to our network.


Cisco Firewall :: ASA 5510 And 2960S - CSC SSM High CPU Usage

Jan 28, 2013

I have configured an ASA 5510 and 2960S 48 port switch in a lab environment. I have two laptops connected to separate subinterfaces with server 2003 as dhcp server for one network. Everything has been working fine as we have been testing the ASA while also testing the csc ssm module. When we came in today we noticed the csc module cpu is running at 100% constantly and http traffic is extremely slow. I have not yet received my smartnet contracts from the vendor or I would open a TAC case and I have read on the net that this is a common problem.


Cisco VPN :: ASA 5510 Maximum Tunnel Count Allowed

Apr 18, 2012

We have an ASA 5510 (v8.2.2 with ASDM 6.4.7, 256Mb mem) with a license for 250 VPN Peers. The machine currently has one site-to-site VPN active. I've added a remote-access IPSec VPN for some users but when connecting from the remote site the connection is dropped and the ASA reports %ASA-4-713239 Tunnel Rejected : The maximum tunnel count allowed has been reached.
 
I've searched for info relating to this message but I found none. Before I plan a restart (it's up for 222 days), is there something I could do on CLI to fix this ?


Cisco Switching/Routing :: Catalyst 4506 Count Interface Input / Output Rate Always 0

Jan 20, 2013

Our customer has the problem that the switch always counts the 5-minute input/output rate of the connected traffic interface as ZERO. The problem only occurs on the module 3, 4 and 5 interfaces; module 2 has no problems.
 
-------------------------------------------------------------------------------------------------
Catalyst 4506E
12.2(52)SG
 Chassis Type : WS-C4506-E
Power consumed by backplane : 0 Watts
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)     WS-X45-SUP6-E
 2    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
 3    48  10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E
 4    48  10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E
 5    48  10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E

[code]....+


Cisco Switching/Routing :: 3950 - High Latency And Packet Drop Towards Access Switches?

Jan 27, 2013

My network infrastructure consists of 2 core switches (cisco 3950, 24 port) and 3 access switches (cisco 2960G, 48 port). No distribution layer. Both core switches are connected to the BVI of a VPN router. PVST is running in all switches. The STP results are all good. We have 3 VLANs in the LAN and IP routing is enabled in the core switch. The network diagram is attached.
 
The issue we are facing is that we get intermittent packet drops while pinging towards the access switches, and there is always a higher latency towards these access switches. These issues are present even with no other users using the LAN. But these issues are not present while pinging towards the GW.
 
I guess it is because of this that we have issues accessing the file server in the LAN. How do we go ahead with the troubleshooting? Will upgrading the IOS resolve this? The present version details are:
 
WS-C2960G-48TC-L   12.2(44)SE6           C2960-LANBASEK9-M


Cisco Firewall :: Unable To See Interface On ASA 5510 Firewall?

Jul 29, 2012

I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
 
Below is the output.
ciscoasa# sh int ip br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                x.x.x.x         YES CONFIG up                    up
Ethernet0/1                x.x.x.x         YES CONFIG up                    up
Ethernet0/2                unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              192.168.1.1     YES CONFIG up                    up


Cisco Firewall :: ASA 5510 - VPN From DMZ To Outside Interface

Mar 20, 2011

Have an ASA 5510. Setting up a new DMZ zone for wireless and it will only have Internet access. What are the steps so that users on this new DMZ subnet can VPN into the Outside interface on the same ASA?


Cisco Firewall :: ASA 5510 - Web Interface And SSL VPN Pass Through?

Mar 1, 2011

I have trouble with a Cisco ASA 5510. I configured an SSL VPN with bookmarks to some applications. When the users access the Web Portal they have to log in twice: once to enter the SSL and once to enter the application.
 
How to bypass double authentication?


Cisco Firewall :: ASA 5510 - Routing Between Interface

Mar 26, 2013

I attached the complete config. The earlier discussion, I cannot select reply. Looks like ACL is denying it. But I am not sure which one or how to permit it.
 
sh run
: Saved
:
ASA Version 8.0(4)

[Code].....


Cisco Firewall :: Route To Same Interface On ASA 5510?

Sep 14, 2011

I would like to route traffic that is coming in and going out on the same interface on the ASA. I am using the inside interface with security-level 100. In this URL, [URL], ASA is able to do that.


Cisco Firewall :: SSH Access On Outside Interface On ASA 5510?

Oct 5, 2012

I need the ssh access on my ASA outside interface and have added
 
ssh ipremoved 255.255.255.255 outside
access-list acl_outside extended permit tcp host ipremoved any eq 22

but this is the log I get from the ASA
 
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
 
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)


Cisco Firewall :: ASA 5510 - Routing Between Interface

Mar 26, 2013

I have a WAN interface and 2 LAN interfaces. I need both LANs to be able to access a server outside the network via the WAN (outside) interface. I am using an ASA 5510 firewall instead of a router, because I don't have a router. It looks simple enough but it does not work. A ping from a PC (172.16.22.8) connected to the LAN (inside) network to 10.10.10.1, which is the WAN local interface, also did not work. But from the ASA firewall, I could ping my LAN (inside) PC. I followed a config I got from this forum. However, it did not work. Below is my config.

interface Ethernet0/0
nameif outside
security-level 0

[Code]....








Copyrights 2005-15 www.BigResource.com, All rights reserved