Cisco Firewall :: ASA 5512-X Version 9.1 Multiple Contexts Supported?
Apr 3, 2013
if on the ASA 5512-X virtual contexts are supported with version 9.1 ?
I found different information on the Cisco web, the ASA datasheet says it is supported but in the configuration guide I found exactly the opposite information.
Cisco ASA Series General Operations CLI Configuration Guide 9.1 and 8.6 [URL]
Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated) [URL]
View 7 Replies
ADVERTISEMENT
May 6, 2013
We are deploying the Cisco ASA 5585 in transparent mode with multiple contexts, the port-channel was configured to connect to the core switches using dot1q trunk. We are experiencing an issue which is the core switches are configured loop guard globally, therefore the port-channel connected to the firewalls will be put into inconsistent state when the failover happen, and the two firewalls' failover can not fulfill the failover at last.
I have two queries below:
1. Does the firewall allow the BPDU passing through when it is in standby mode, for example, secondary firewall is active for group 2 and standby for group 1. does the secondary firewall block the BPDU from the vlans under group1 ?
2. Can we disable the loop guard feature on the switch port-channel or is there any other way to solve this issue ?
View 1 Replies
View Related
Feb 5, 2012
We are going to deploy a active/active setup of 2 ASA 5585's. Here we will implement a concept of security zones through context's where different services will be firewall through a separate firewall context. will a security context consume 1 or 2 licenses because we are running in a Active/active setup? Right now I got completely confused when my manager asked me that question.I would say that we only use on security context license - but since we are running in a active/active setup - even though the other instance is standby - will it consume a context license? We are using ASA OS 8.4.x.
View 5 Replies
View Related
Jun 1, 2011
I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
View 1 Replies
View Related
Feb 21, 2011
Is it possible to route among contexts (I have 5 contexts) in the ASA without sending traffic to a fusion router (external router) to be routed. I am running ASA 8.3.
View 2 Replies
View Related
Sep 4, 2012
Is SSH v2 feature is supported on cisco 3560G switch for below image if no what is the latest image .
c3560-ipbase-mz.122-35.SE5/c3560-ipbase-mz.122-35.SE5.bin)
View 11 Replies
View Related
Dec 14, 2011
We've recently started using some 2911's on our network running IOS 15.0(1r)M9. I noticed, much to my frustration that the OIDs with the MIB RFC1213: ip RouteTable1.3.6.1.2.1.4.21 are not supported.
Any alternative MIB for viewing routing table information via SNMP on any of these devices running a similar IOS?
View 2 Replies
View Related
Jan 31, 2012
In the latest code, is VPN still disabled when using contexts? If you use a 5520 as an ISP based firewall for customers, then what would be used for VPN access? Also how many contexts does a 5520 support, and would putting 2 interfaces into an etherchannel for inside, and 2 for outside work? Reason I ask about that, the inside and outside would connect to 2 different core routers. I would be for an MPLS setup.
View 5 Replies
View Related
Jun 4, 2013
What is the maximum number of contexts a pair of 5515Xs in HA mode can support?
I know each 5515X can have a max of 5 contexts, but does that mean in HA mode a pair can support 10 with license pooling?
View 8 Replies
View Related
Apr 19, 2011
Q1. I would like to confirm like how many total of contexts do I have by default when I purchase the ASA 5540 ? are they two contexts aside from the admin context or two contexts including the admin context?
Q2. can I configure the default box with High Availability using the default contexts?
View 3 Replies
View Related
Mar 18, 2012
I see several code versions that seem to support on ACE30.Is A2.3.4 Or A2(3.5) that latest version for ACE20-MOD-9?Will the version 4 or 5 run on ACE20?I currently user A2(3).
View 3 Replies
View Related
Apr 18, 2012
The table referenced in the new 1.1 ISE guide show 12.2(33)SXI6 is the minimum version for support. Does this mean this version or above? Does ISE is tested in newer SXJ streams? We have a massive rollout of SUP720s to do and need to know the most stable version to load in preparation for ISE.
View 1 Replies
View Related
Dec 19, 2012
i want to know of the IOS verstion of cisco switch which support STP,some one told me that this feature is activated by deafalut if it not activated,how to turn on this Feature.i am using cisco 2960 Switch.
View 2 Replies
View Related
May 9, 2012
I need to know for shure if the aps listed below are compatible with 5508 controller version 7.1.91.0
the ap's are
AIR-LAP1242AG-E-K9
AIR-LAP1242G-E-K9
AIR-CAP3501E-E-K9
AIR-CAP3502E-E-K9
AIR-LAP1231G-E-K9
of course I checked release notes [URL]
View 8 Replies
View Related
Mar 27, 2011
Ive got a virtualised firewall running 3 security contexts in routed mode. What am experiencing is that i cannot connect to an OUTSIDE host through the security contexts. From the firewall itself i cannot ping the directly attached host on the OUTSIDE interface but i can ping the directly attached host on the INSIDE interface. When i reload the firewall box, the first ping to the OUTSIDE host would be successful but subsequent pings fail and thus total connectivity is lost.
I even tried upgrading to ASA version 8.4(1) but still the same.
View 5 Replies
View Related
Feb 27, 2012
I have two 7609S routers each with a FWSM running 4.0( 8). I am licensed for 20 contexts.
Recently, I added a context for a new application and required access to a VLAN that already had an interface in another context.
The MAC address assigned to the interface in the new context was assigned the same MAC address as the interface in the previous context. This caused an application running through the first context to fail.
I know that on the FWSM I cannot hard code a MAC address to an interface in a context so how do I get around this problem caused by the duplicate MAC addresses?
View 1 Replies
View Related
Mar 26, 2012
I'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a vrf. All this is configured on a 6500 switch with the FWSM running 3.1(4)
CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER
At the moment we can make the control connection but when we issue commands the connection times out.
Looking at the logs we can see the initial connection made to the server on port 21 from the client, this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/Inspection, then on the second context we see the connection being denied by the incoming ACL on the second contexts interface connected to the VRF instance.
The rules are identical on the contexts and have been made by copying and paste the rule using CSM, we are using the predefined service group 'FTP-Group' which contains both tcp 20 & 21. FTP inspection is at default on both contexts.
We have tested with Win XP (capable of Active FTP only) & Firefox 3.6.12 which is the connections we are seeing in the logs trying to do Passive FTP.
Is this a problem with teh contexts randomizing sequence numbers or TCP Normalization? Or do we just have a problem with the Inspection engine on one of the contexts (I would have expected to see this on both contexts if it was a bug).
View 1 Replies
View Related
Jun 28, 2011
I am just designing a solution where a FWSM consists of 2 contexts initially and has a shared outside interface pointing to the 6500 switch. There are 3 subnets connected to each of the FWSM contexts. So if anyone wants to access these 6 subnets then a route would be needed pointing to the interface vlan of the shared interface on the switch. But that would not be enough to access the subnets.. I am sure we have to define static NATS to point them to the right context where these subnets reside.
The FWSM is running version 3.x code So say 1.1.1.0(shared), 10.10.0.0(inside1), 10.20.0.0(inside2) and 10.30.0.0(inside3) reside in Context 1 and 1.1.1.0(shared), 20.10.0.0(dmz1), 20.20.0.0(dmz2) and 20.30.0.0(dmz3) reside in Context 2 in each of the context we would have to make three static NATS
static(inside1,shared) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static(inside2,shared) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static(inside3,shared) 10.30.0.0 10.30.0.0 netmask 255.255.255.0
The same would go for context 2 as well
static(dmz1,shared) 20.10.0.0 20.10.0.0 netmask 255.255.255.0
static(dmz2,shared) 20.20.0.0 20.20.0.0 netmask 255.255.255.0
static(dmz3,shared) 20.30.0.0 20.30.0.0 netmask 255.255.255.0
By creating these NAT statements, would the outside users be able to access the subnets residing in the context?
View 1 Replies
View Related
May 12, 2013
We are currently looking at design models for a Multi-Tenancy solution.The firewall layer will be 2 X ASA's running 9.X to take advantage of VPN's in multiple context mode and mixed L3 and L2 contexts.
We will be delivering services through multiple L3 contexts (between 2 and 5 L3 contexts for services) and 1 transparent context for customers infrastructure who will then have virtual firewalls for NAT's and VPN's etc withing their own environment.
I am not very experienced with IPS so my query is; if we were to get an IPS license for both ASA's how would the IPS fit in, can we use it to inspect traffic for all the L3 contexts and the transparent context?
View 4 Replies
View Related
Jan 28, 2013
I have a ASA 5510 with Security Plus License and when I looked at the devices a few days ago I had 2 contexts, however after configuring the Mgm port as a regular port the contexts show 0, why? I can not find any post on the internet where this issue has happen: here is the output from show ver:
Cisco Adaptive Security Appliance Software Version 7.0(8)
Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
[Code]......
View 3 Replies
View Related
Feb 6, 2012
We have 2 x C6506E and 2 x C3560-48's, they are all interconnected via port channels at 2Gb per channel. The 6506's are running CEF but the 3560's are not (The 3560's carry all our server traffic).When I do a show CEF on the 3560's it says %IPv4 CEF not running. There does not appear to be a global command to enable CEF on these switches.Is this an IOS version option or is not supported on the hardware platform?
View 3 Replies
View Related
Jan 23, 2013
I have setup a 5515-X in transparent multi-mode and setup 5 security contexts with inside and outside ports, one admin and 4 others. The problem I have run into is setting up a management IP for each context. On one of my other transparent firewalls in production we were able to apply an IP to the security context (not interface) however the new firewall is running the latest software and this same functionality is not available. The only options for IP in context mode is IP AUDIT. So my next plan was to create sub-interfaces of the management interface and assign one to each context however the 5515-x does not allow sub-interfaces on the management interface. How I setup a management IP on each context?
Another interesting thing i read is that the managment IP assigned to a context (if i could figure out how to set it up), has to be in the same subnet as the data interface which if fine but it also says that the management interface should not be connected to the same switch as the data interface because of MAC address table update issues, meaning that i could not use a sub-interface of one of the already configured context ports.
View 3 Replies
View Related
Feb 6, 2013
I have a Cisco 1921 Router, a Cisco Catalyst 2960 and a Cisco Catalyst 2970 and I want the router to be able to assign ip-addresses by what VLAN a device is active on.
VLAN1: 10.0.0.0/24
VLAN2: 10.0.1.0/24
The router is connected to the Catalyst 2960 and there on to the Catalyst 2970 so the VLAN1 and VLAN2 is active on the to switches and the Router.is it possible?
View 8 Replies
View Related
Apr 18, 2013
I'm looking to make a possible configuration for a customer. They need a device to provide :- firewalling- bandwidth limiting based on protocols, IP, users- web content filtering- good reporting to see which device/users are consuming most of the bandwidth.I used to use cisco ASA as firewall but it's a while I last installed on and I'm nt uptodate which current state.So I thought of using an ASA 5512-X but I'd like to know if it comply with all the requirements .Most important being the reporting and bandwidth limiting capability. It would be great to have some configuration example regarding bandwidth management.
View 1 Replies
View Related
Nov 10, 2012
I have a windows 2003 server and an ASA 5512
I'm trying to use SSLVPN and it was all working, and I don't believe any configs on either box have been changed.
On Friday people were connecting, but now I get a message "Login Error" in the browser. In the ASDM home 'latest ADSM Syslog Messsages' I get "AAA authentication server not accessible", followed by two messsages AAA Marking LDAP server in group as FAILED AAA Marking LDAP server in group as ACTIVE
When I go to configuration --> Remote Access VPN --> AAA/Local Users AAA server groups and click on my RADIUS server and click Test, it takes a while and says ERROR: AD agent Server not responding: No error
If I stop my IAS server on my Windows box i get the same error but much more quickly.
I have a sonciwall set up doing the same thing, and RADIUS seems to work happily, so I don't think it's the server config...
View 5 Replies
View Related
Feb 18, 2013
My collegue and I have been trying to figure out why we are unable to get this ASA to NAT Overload correctly. I'm sure it is something stupid, and the config may have gotten a little dirty as we tried to change options and make it work. FYI, we can ssh from the WAN into the device to configure it. It is communicating externally, but it isn't natting.
ASA Version 8.6(1)2
!
hostname ASA5512-X-Remote
enable password ********** encrypted
passwd ********** encrypted
names(code)
View 5 Replies
View Related
May 21, 2013
I have a customer who needs a 5512-X set up with two ports on the "Outside" interface and act like a switch on the outside. This is very easy to do with the way the ASA 5505 works just by creating vlans and treating the ports as members of the vlan.
View 3 Replies
View Related
May 14, 2013
I am having soem difficulty getting documentation and setup procedures for the new ASA 5512-X (or X models in general) firewalls.I know the IPS sensor is a software-based one, but I'm not sure how much different the setup in than with a 5510 and IPS module.
Also, is the IOS upgrade procedure different?
View 2 Replies
View Related
Apr 10, 2013
I'm trying to access our ASA 5512-X via the Management port, but the address https://192.168.1.1/admin can't be displayed.
View 35 Replies
View Related
Jun 9, 2013
I am configuring a brand new pair of ASA 5512s running 8.6(1). Traditionally we hae been using the Management port as the dedicated failover link, but that seems to not be possible on the 5512s.
ASA (config-if)# no management-only ERROR: It is not allowed to make changes to this option for management interface on this platform.
I have not been able to find anything in the official documentation mentioning this restriction.
View 1 Replies
View Related
Jun 3, 2012
I installed a new ASA 5512-X over the weekend for a client. Their backup ISP connection is DHCP based. I need to use the 'dhcp client route track' command on the interface, but it is not available. However according the all the documentation I am looking at and even the ASDM says it should be available.
This is the version of ASA and ASDM they are running:
Cisco Adaptive Security Appliance Software Version 8.6(1)1
Device Manager Version 6.6(1)
I did upgrade to the latest ASA software, so has this command been removed? If I do a '?' in the interface, there isn't a 'dchp' option.
View 2 Replies
View Related
May 2, 2013
I'm porting our configuration from a Pix 515 firewall to an ASA 5512x. What's vexing me right now is with the deprecation of the "static" command, I can't quite figure out the best way to Identity NAT my inside sub nets (multiple) to the DMZ sub net
So on the pix I have my identiy NATs as an example:
static (inside,dmz) <IntSubA> <IntSubA> netmask 255.255.255.0
static (inside,dmz) <IntSubB> <IntSubB> netmask 255.255.255.0
static (inside,dmz) <IntSubC> <IntSubC> netmask 255.255.255.0
Cisco's migration guide seems to do them one object at a time, which I guess is straightforward enough to do:
object network SubA
subnet <IntSubA> 255.255.255.0
[code]...
I'm thinking that there must be an easier way (aka less lines) to implement this for all the sub nets I want to Identity NAT to the DMZ.
1) Can I do this creating objects using a sub net with a net mask of 255.255.0.0 - one object to cover multiple internal sub nets?
2) Can I do this using object groups and trim this down to: (assuming I have to commands right)
Object-group network Inside_Subs
network-object <IntSubA> 255.255.255.0
network-object <intSubB> 255.255.255.0
network-object <intsubC> 255.255.255.0
nat (inside,dmz) source static Inside_Subs Inside_Subs no-proxy-ARP route-enabled. What would be the best way to translate my Identity NATs?
View 10 Replies
View Related
Mar 25, 2013
If you look at the data sheet for the 5512-X the High Availability section states "Not Supported; ActiveActive or ActiveStandby" while the ASA 5515-X states "ActiveActive or ActiveStandby". What does "Not Supported" mean for the ASA 5512-X? Does this mean HA does not work, or that I need to purchase an additional license to use the HA feature?
[URL]
View 5 Replies
View Related
