Cisco Firewall :: ASA 5515-X Vlan And IPS Configuration?
Oct 10, 2012
I need to configure a new ASA 5515-X with a 3 trunk port for VLANs that come from the switch, but I need to turn on IPS in in-line mode. Does somebody have an example and the limitations for this configuration type?
Apr 14, 2013
I'm starting my configuration and I created a test environment side by side with my production. I just ran the startup config and connected my ad-test.com AD host to it. I can ping ad-test.com from console, OK, but it can't get internet from the inside environment.
Here's the config:
: Saved
: Written by enable_15 at 07:56:40.638 UTC Mon Apr 15 2013
!
ASA Version 8.6(1)2
[Code].....
Jun 1, 2013
On ASA 5515 it shows it is in transparent mode and it has multi context. As in transparent ASA we know it has a single management IP address. This ASA is connected to one switch on two ports, gi2 and gi3. One port carries VLAN say 800 to the ASA. The other port carries VLAN 500 from the ASA to the switch. But when I log onto the ASA and do sh run it shows no VLAN info there.
Aug 12, 2012
We have a 6509 VSS with FWSM module and we have created two contexts on it: one is INTERNALL CONTEXT, the other is EXTERNALL context. We have spanned various VLANs in switches and at FWSM context level. All VLAN gateways are configured at context level.
Activity description: We had planned the migration of these devices into a new datacenter; it was a planned activity. During migration of devices from one DC to a new DC we broke the VSS and kept the primary running, removed the secondary switch, migrated this secondary to the new DC, powered this device ON in the new DC and checked that all the config was very much fine, but this device was OFF network, as the secondary was brought to the new DC just to limit the downtime during the primary switch movement.
During the activity (primary switch movement) we powered off the primary switch and in the meantime, before shifting it into the new data center, we had brought up the secondary switch, which was already existing in the DC; it was put live in the network and it was working fine without any issues.
Later we moved the primary into the new data center and tried to put it into VSS with the secondary. During this period the secondary device went into RECOVERY MODE and the primary device was not responding and devices went off network. We immediately removed the VSL link and brought up the primary into the production network without the secondary online in the network (without VSS, just a stand-alone switch) and the network started working, but on bringing up the primary we found that some of the VLANs in the FWSM were deleted and some VLANs had misconfiguration (example: say original VLAN IP 10.200.112.1 has become 10.300.13.1); also some of the access lists as well as SVIs were deleted, making a configuration mismatch.
Wanted to know: during synchronization between primary and secondary switch in VSS, would pulling out the VSL link create this type of issue?
Jul 17, 2012
I'm trying to configure AnyConnect SSL RA VPN. I have followed the config guide for 8.4 & 8.6 but can't even get the AnyConnect page to load. I'm pasting the config below. Please check and let me know what I have missed. Objectives are:
1. The user simply opens https://<outside-ip> and is prompted to install the AnyConnect VPN client.
2. Is able to access internal LAN resources and browse the internet simultaneously (is split-tunneling required?)
ASA Version 8.6(1)
hostname Harpoon
domain-name xxxxx.com
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
[code]....
Mar 14, 2013
I have IOS 8.0(4) and the base 50 User License...will this config work? I have two networks; my home network, and my lab. I want to split my Internet connection between them, but keep the networks separate for the most part. Will my license allow this config since I can't do DMZ?
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
switchport access vlan 1
!
interface Ethernet0/2
switchport access vlan 2
[code]....
May 28, 2013
I have a problem with the configuration of a Firewall ASA 5585 with the BVI interface and transparent firewall. I have 2 VLANs that I want to interconnect.
The problem is with the configuration of the VLANs. The traffic does not cross the FW.
Sep 2, 2012
ASA 5505, I got a Security Plus license which allows multiple VLANs. I want to be able to configure the ASA to allow only RDP sessions (one way) to another switch where all the VLANs are. I've attached a pic of what I want but I'm struggling.
I looked at documentation saying you should have an inside and outside interface but I'm not sure on this scenario. I've configured the inside interface on ASA e0/1 and interface VLANs but I'm not sure what to do between the ASA and the switch.
Mar 5, 2013
I am currently migrating a NetScreen firewall to an ASA 5515 version 8.6. The issue is setting up the management connectivity.
Basically the management IP of the Cisco ASA is not advertised. But we want to route a management IP through the management interface to interface Gi0/2.
So the IP of the management interface is say 216.10.100.10, and the IP of the inside interface is say 198.1.1.10/24. On our router we have a static route sending 198.1.1.0/24 to a next hop of 216.10.100.10 (management interface of the Cisco ASA).
On the Cisco ASA can I send the traffic to the inside interface and manage the firewall via ssh that way?
Aug 29, 2012
I have an ASA 5515-X-IPS firewall and I want to communicate with the firewall through ASDM-IDM. I have already done the procedure below:
1. Connect cable to Management port.
2. Open browser and type https://192.168.1.1/asdmin and download the ASDM-IDM Launcher v1.5(55) and install it on my laptop (OS: Windows 7).
3. Connect ASDM-IDM launcher: we put IP address 192.168.1.1 and enter username and password.
Whenever we log in to the wizard, the message shown is “Unable to connect the asdm manager”. For your kind information, we already set up jre6u7 Java software.
Oct 28, 2012
Is there a way through the CLI to have the ASA 5515-x power back on after a power failure? Currently, the only way to restore power is to press the power button. The X series does not have a power switch the same as the 5500 series.
Mar 29, 2013
I am trying to connect 2 VMware servers directly to my 5515-X firewall. [code] ASDM will not let me assign the same VLAN to both Gi0/2 and Gi0/3. I don't want to connect my VMware servers to a switch first (that just adds one more component that can fail).
Apr 22, 2013
We are trying to get Teamviewer to work on our WAN, from the log traffic from the PC's to our Cisco IronPort Web Filter it looks like the ASA Firewall is blocking the traffic. We have opened everything we can open on our Cisco IronPort Web Filter and I have a Cisco TAC case open and they said it appears the ASA Firewall must be blocking the traffic.
Oct 22, 2012
I would like to use ASA 5515-k9 with antivirus and antispam but I don't know the part number that supports this and how it processes.
Mar 18, 2013
I'm trying to set up a QoS policy on ASA 5515. I read several pages, but my questions are: how do I set up the real BW, or is it not necessary to do this?
Mar 23, 2013
Recently we migrated our network to ASA 5515. Since we had configured NAT pool overload on our existing router, the users were able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide) all users are able to be translated to the said public IPs. I know that PAT is port address translation, but when I use static NAT for a specific server, the static NAT is not able to translate. Is there any conflict between PAT and static NAT?
May 5, 2013
We have one Cisco ASA5515 firewall. I configured ftp mode to passive, inspect ftp in service, used another public IP to do NAT with the ftp server, and also configured an ACL on the outside interface, but I failed to access the ftp server from the internet using that public IP address. There is no problem accessing the ftp server using its inside address in the LAN.
Apr 21, 2013
I've got a little problem with my ASA 5515-X after upgrade from version 8.6 to 9.1.
I've got two 5515-X in A/S mode and upgraded both as described on Cisco's website (first standby unit, failover, etc.). Everything worked just fine except pinging the ASA interfaces themselves. Before the upgrade it was possible to ping from any subnet to the internal interface, but now it's not. If I'm on the router next to the ASA I'm able to ping, but every ping from behind that router fails. The ICMP packets get into the ASA (counter on ACL rises), but no reply is getting to the source.
The configuration for ICMP was not changed and says "permit 0.0.0.0 0.0.0.0" for any ICMP on the internal interface. The router between my subnet and the ASA has no ACL installed and, as said above, the ICMP obviously gets to the ASA but doesn't come back!?
May 12, 2013
I purchased an ASA5515-K9 (without IPS edition) firewall and it runs smoothly on our network. But right now I want IPS facilities. Can I purchase a license and upgrade from ASA5515-K9 to ASA5515-IPS-K9 and use the IPS edition?
Dec 5, 2012
I am working on translating configuration from a firewall named Joe box to ASA 5515. On Joe box, it has 5 continuous public IP addresses (xx.xx.xx.73 -77/29), first one as interface IP and others as alias, on the Internet-facing interface. I need to configure ASA 5515 in the same way, however it seems not simple.
- The way to configure subinterfaces on 5515 is by configuring VLANs.
- The interface can hold xx.xx.xx.73/29 without a problem.
- The first subinterface can have IP address xx.xx.xx.74, however with a different mask (/16), as it doesn’t allow /29.
- The second subinterface doesn’t allow me to enter IP xx.xx.xx.75, saying "Failed to apply IP address to interface GigabitEthernet0.x, as the network overlaps with interface GigabitEthernet0. Two interfaces cannot be in the same sub net."
May 17, 2013
I'm changing the firewall from 5510 to 5515. With the ASA5510 the incoming and outgoing calls work perfectly, but when I activate the 5515 the outgoing calls don't work; only the incoming calls work.
As you see on the topology, the flow of calls happens this way:
In the outgoing calls the phone forwards the call to the PABX (172.17.3.4), and the PABX forwards the call through the ISP LINK to the SIP SERVER (10.140.131.208). The incoming calls occur in the reverse path.
ASA 5510 config:
ASA Version 7.0(8)
name 172.17.3.4 PABX
dns-guard
!
!
interface Ethernet0/1
[Code]...
Jan 8, 2012
I'm changing the firewall from 5510 to 5515. With the ASA5510 the incoming and outgoing calls work perfectly, but when I activate the 5515 the outgoing calls don't work; only the incoming calls work.
As you see on the topology, the flow of calls happens this way: In the outgoing calls the phone forwards the call to the PABX (172.17.3.4), and the PABX forwards the call through the ISP LINK to the SIP SERVER (10.140.131.208). The incoming calls occur in the reverse path.
ASA 5510 config:
ASA Version 7.0(8)
name 172.17.3.4 PABX
dns-guard
!
!
interface Ethernet0/1
description ***ISP SIP Network***
[Code]....
Dec 19, 2012
Why do my CLI commands just scroll all the content rather than having to press space to show more? It is hard to type sh run and have the entire config fly past rather than being able to inspect it page by page.
Feb 27, 2013
I just would like to know if possible to block the multiplayer games?? I'm using ASA 5515-X.
Mar 24, 2013
The datasheet contains the following regarding rails and brackets:
Cisco ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X spare rail kit - ASA-RAILS=
Cisco ASA 5512-X, 5515-X, 5525-X brackets for rack mounting - ASA-BRACKETS=
The word spare seems to imply that it comes with a set of rails. Does the ASA-5515-X come with rails and brackets, or must both of these be ordered?
[URL]
Apr 15, 2013
I have a 5515 ASA that has the webVPN configured on it and it is using active directory to authenticate. The client would like to set up groups in active directory and restrict access to those groups when they are connected to the webVPN. For example, they have a group in active directory that they only want to access their "web" interface. What is the best way to configure this on the asa?
Aug 12, 2012
I have two ASA 5515 configured as active / standby. I configured the failover and I checked for proper operation. But when I configured access rules and NAT, I realized that the failover does not work anymore: two interfaces, inside and outside, are "Unknow (Waiting)". The other LAN interface and management are "Normal (Monitored)." [code] Is it possible that some access rule denies the communication between the two ASAs?
Nov 25, 2012
I am moving from ASA 5505 to ASA 5515 because we are maxing out the number of connections that the 5505 can handle. The 5515 runs version ASA 8.6(1)2 and ASDM 6.6(1) and the 5505 version is ASA 8.2(5) ASDM 6.4(5). On the 5505 I used e0/0, 0/2, 0/4 and 0/5 as outside ports with the switch ports feature, but there is no switch port feature on the 5515. I have tried to set the ports individually to numerous public IP addresses that I have, but I get an error that the subnet is already associated with another interface. How do I replicate the same setup on the 5515?
Aug 7, 2012
Where can I find detailed documentation on these two products? In particular, I am looking for high availability capabilities and any license requirements.
Jun 3, 2013
Worried about denial-of-service attacks. They have 11 vm's that share a connection and want to set it up so that there is a maximum amount of traffic allowed to hit each vm, so if there is a DDoS attack it will only affect that one VM instead of all the VM's on the same connection.
What is the best way to go about this from the ASA? This is behind a 5515 with asa code version 8.6. Is there a way to rate-limit by ip address?
Apr 17, 2013
We installed a new ASA 5515 about a month ago for the corporate office we also have 40 branch locations that feedback VOIP, camera, and Citrix to the corp location. Each of the branch locations have a separate DSL connection with a local provider and all of them are dynamic IP addresses.
The problem I have is that I cannot figure out an access rule to make the VoIP traffic work 100% of the time. What ends up happening is five or six random locations change IP addresses every day and I could not figure out how to create an access rule for that, so I create a static route with that dynamic IP and then it will change a week or so later. That's a horrible security risk and a lot of manual work.
Jun 5, 2013
I am trying to find out if the ASA 5515-X is EAL4 certified, and if not, what recommendations of EAL4 certified devices can I use.
Jan 10, 2013
Is the 5512 able to be field upgraded to a 5515 and so on through 5555? I.E. Can I add ram and other hardware to make the boxes more powerful as my requirements increase? I was hoping this would have been a new feature with the ngen firewalls.