Cisco Firewall :: ASA 5510 - Speed Through 2 Firewalls
Jun 5, 2012
We have a configuration where we go through a firewall (ASA 5510) to a router, which decides if it is internet traffic or another network used for colleges etc in Canada called SR Net. If it is internet traffic it then goes through another ASA 5510 to the internet.
When we tested we were not seeing the speed of our internet (about 1/10th). We tested by putting the laptop before the internet firewall and we get the throughput. We also threw the test laptop before the router and we got the throughput expected. But when the test laptop is before the internal (first) firewall we get about 1/10th the speed. We are Nating on both firewalls, so from the inside we are going from a private IP to a Public IP (so it can go to SR Net is need be), then Nating again to the internet IP on the second firewall.
I have a customer with active/standby on a pair of 5510's with the CSC modules. They were inquiring about the AIP/ASA, and since this would NOT work in their current setup, would getting a pair of 5510/AIP configured for transparent failover work placed in front fo the existing units? Would I need to have a switch placed between the AIP and CSC ASA's? Or would I setup the ASA's for context based Active/Active failover to interconnect the ASA's to the existing units, but I still see a need for a switch.
I was under the impression that those global addresses that we used with NAT were from the outside IP addresses range?Lets say my outside IP address is idk 192.112.40.11 /30 and I only had two usable IPs (since you can't use network and broadcast IPs) so how would I set up NAT for a couple of Inside addresses with a shorting of addresses like this? Idk if that makes sense what I'm trying to say
I have a 5510 ASA and have been given another an told to make them active and standby. Basically the active one is working great but the second one has no config on it apart from the default one, but is the same firmware level. I guess I need a crossover cable, and what happens with the inside and outside interfaces, would they need to go into a vlan on a switch, one inside vlan where the 2 firewalls inside interface go into and another vlan for the outside? Otherwise if it failsover to the standby ASA the inside and outside interfaces wouldn't work.
We are using ASA 5510 with internet link of 40 MB. we are facing issue of slow download speed. we have done all basic troubleshootings like: fixed duplex full on interfaces, checked CRC reeors on interfaces.
we are using around 40 L2L VPN tunnels on same ASA.
I am trying to upgrade all my firewalls to Security Plus but I am not sure what firewalls are needing the upgrade. Is there a SNMP pull I can do to see what license is on my firewall? example: "This platform has an ASA 5510 Security Plus license." via SNMP
We'll be building a small remote site that will use two Windows 2008 servers. We would like redundancy in firewalls, IPS's and switches. Is it better to buy stand-alone ASA 5510s (with embedded IPS's) and 2960s, or is it a better option to buy a Cat 6000 with FW modules. We'll have several internet IP addresses available.
I am currently working on our Cisco voice platform at work.
Our Cisco firewall engineer has left and I have been given the task of looking after the firewalls as our Chief Exec seems to think that Cisco Voice is similar to Cisco ASA firewalls,
Are there any books/videos out that you can recommend to learn the about firewalls quickly.
I have two firewalls in 2 different locations. They act as primary and secondary for my WAN connectivity. I would want a way to synchronize access-lists in both without manually replicating.(access list, NAT and Route)FW model cisco 5580
I am trying think of a better way to provide redundancy on some internally protected networks. We maintain our own WAN/backbone between our primary site and backup site. Is it possible to have two Cisco ASA 5550s in setup for failover at completely different sites as long the networks connected are available?
We currently have redundant FWSM's and are planning a migration to standalone ASA 5500 series firewalls. However, we have a complete VMWare environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and VSG architecture and implementation, and I do understand that the ASA 1000V is designed for cloud environments. But I do have one question about the ASA 1000V.
Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a sole firewall solution, or are ASA 5500's still needed? Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?
I've been trying to open ports 5800 and 5900 for UltraVNC and checking them with online port checkers, but they are always listed as closed. I've even tried taking town windows firewall, my router firewall (although as soon as I disable and apply, it automatically switches back to enabled again), and also DMZ'ing my router. I wonder if it might have something to do with my new modem, but in the config page for that, the advanced settings are locked out. the modem is an arris TM722G, and the router is a linksys wrt-54G with DDWRT firmware.
I'm running windows 7 x64 and using a static local IP, I want to be able to use DynDNS to connect to UltraVNC.
I have ASA 5512X and I'm trying to run CX features on it. but the problem is I don't have SSD drive in the chassis. how can I get one? is any kind of SSD drive compatible with cisco ASA-CX firewalls or i should order it from cisco only? what is the part number for that model?
We are planning to install a new SSM-4GE module on both Active and Standby firewalls. how can we install an new SSM-4GE with a minimum outage. I was planning to install the module in the following steps.
1. Power off the secondary firewall(FW02). 2. Install a new module. 3. Power up the secondary firewall 4. Power off the primary firewall(FW01)---> in this step will the secondat firewall become active as there is a hardware conflict. 5. Install a new module. 6. Power up the Primary firewall(FW01)
or do i need to power down both the firewalls and then install the modules?i have is that after the installation only one port on the new SSM-4GE module would be in use on Primary firewall(FW01) which is a terminating link from a router. No link would be terminating on the new SSM-4GE module on secondary firewall. Will the firewalls still fail over in this case or does it require a link going to the secondary firewall on new SSM-4GE module(same port as on primary firewall) from the router.
I installed Comodo Firewall today, and I couldn't access my Internet from then. I actually liked it's UI and all and want to keep it. The only something that I felt that might be causing the problem is "Use Comodo Secure DNS Server"? Is it likely the reason to be the cause of the problem?
I have one Fortigate 200B Fire wall, which is using for wifi internet. i had configured one login page in the fourtigate .The path following below system > config > replacement message > authentication > login page.
it was working earlier. suddenly its not working. when i checked this path, that login page message colum was blanked. when i trying to put the message again its not pasting and am unble to type the message also.
I am new to firewalls and I am trying to make mine block specific websites but so far have had no success. Here are the settings I am using in the router's admin area:
Security > Firewall > General Active firewall Security > Firewall > Rules
i am using windows vista on my laptop.i was using zone alarm firewall, but switched it to windows firewall.after switching, my internet was cutoff. i can see that i am connected to my network, but cant get to internet.when i run diagnosis on my laptop, it gives me three options:
my Ethernet driver is having hardware issue.
my wireless driver is having hardware issue.
ip protocol binding is having issue. check ipv4 and ipv6 settings.
I have disabled windows firewall in Windows 2003 server control panel but only few ports are shown opened when i scanned with advanced port scanner why other ports are closed.How to open the closed ports?
Just got a new 10M circuit installed a few days ago and noticed that when doing bandwidth tests I am getting 9.85 down but only 4.5 up. I plugged directly into the isp's adtran with my laptop and I can hit 10/10 consistently. Not sure what's causing the ASA to get half upload speed. I set the interface speed and duplex to 100/full so I set it back to auto/auto. Thoughts? See config below. We aren't doing any QoS on it.
Recently i had suffering with wireless connection problem, currently my wireless router connected to WAN directly, after that go into firewall and then go thru switch to end user PC, for LAN user there is no issue, but for wireless connected PC it is prompted with limited connectivity problem(DHCP is disable on router), after check with ipconfig /all. it seem likely due to wireless PC cannot get the IP from DHCP server. i am using DLink615 router. i had checked firewall setting there is firewall policy that connected all router ip into company LAN, but i don't think there is DHCP VPN setting up. is there anyway i can go thru firewall and get IP from DHCP server because if i set up DHCP on router, it cannot pass thru and access to LAN.
At my small business (30 employees) we currently don't have a hardware firewall. Should I have one? If so what do you recommend? We are all connected to a Windows Server 2003 domain in one office building.
Besides MAC address filtering, is there another good / easier way to keep visiting laptops etc from plugging in a CAT cable and accessing a LAN protected by a perimeter firewall?
I have a 100mbps internet connection from my ISP but once the connection hits the ASA the download speed gets reduced to 15mbps. My network is setup as follows: ISP Modem ---- Edge Switch ----- ASA --- Internal Cisco Switches
If I plug my computer into an extra port on the Edge Switch I get speeds around 92mbps with normal traffic still going to the ASA. But when I plug into the ASA and internal switches I have speeds of 15mbps.
I have made sure that duplex/speed match on the links. I have done packet captures and within two minutes I do have several dup acks and retransmissions. The retransmissions don't seem to match the dup acks. (The retransmission is not for the dup ack requested so the dup ack keeps being resent)
The only interface error is on the inside interface which includes 700 overruns in a weeks worth of time.I am not using an IPS/IDS. I do have several vpns on it but was not going through a vpn tunnel. I am also using NAT.I am using an ASA 5510 8.2(1)
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
I have a ASA 5510 firewall with CSC module and Security Plus license for CSC module.Will you tell me how to configure my firewall to send emails to particular mail ID when someone login into the firewall or any virus attacks from outside.
We were having a discussion of ios firewall vs. asa for smaller clients(less than 50). On using ios firewall(zbf or cbac)and an asa 5505/5510. One of the arguments brought up on using ios firewall on the router is that a router will do an ip sla failover. I have configured a number of isr's for this and i know it works good.
