So, I made the fatal mistake while consoled in to do a "Show Run". Now, it is just stuck in that cycle. I tried the usual "Ctrl+Shift+6" command, and even the "Ctrl+6" with no success.
View 5 RepliesTried setting up a Shape Policy and it states its invalid. Worked fine on my 5520, just curious to know why its coming as invalid now
ciscoasa(config-pmap-c)# shape
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)# shape ?
ERROR: % Unrecognized command
how can i check that ASA is passing traffic? Also what command we can use to make sure VPN is working fine.
View 2 Replies View RelatedNeed to check how many tunnels IPSEC are running over ASA 5520.Tried commands which we use on Routers no luck?
View 6 Replies View RelatedI have an installation of a new SMU on an ASR9k. Unfortunately, a previous install from a remote FTP source has stalled at 1%. The router is currently running v4.2.1, and the stalled installation was for a 4.2.0 SMU.
View 1 Replies View RelatedI had to reboot my laptop and reset my wireless. Now I cannot sign on unless I am on the desktop connected to the router. How do I start over and reconfigure. I have another desktop and a laptop that I need to have access for internet.
View 1 Replies View RelatedWe have 4 data T1s providing our office with 6Mbs of internet bandwidth.I have been trying to track down the reason(s) for the steadily increasing frame and abort errors on the Multilink interface of our new router.We have a new 2961 with 2 2 port T1 interface cards (VWIC2-2MFT-T1/E1).
At first it looked like the T1s were completely clean, but after diving down a bit the last of the 4 T1s does appear to have a decent amount of slip and error seconds.Is that something that would cause the Multilink interface to show input, frame, and abort errors?Any config or debug commands I should start with to narrow down what might be causing this problem?
Config snippets:
card type t1 0 0card type t1 0 1!controller T1 0/0/0clock source internalcablelength short 440channel-group 0 timeslots 1-24description HCFD-XXXXXX!controller T1 0/0/1clock source internalcablelength short 440channel-group 0 timeslots 1-24description HCFD-XXXXXX!controller T1 0/1/0clock source internalcablelength short 440channel-group 0 timeslots 1-24description HCFD-XXXXXX!controller T1 0/1/1clock source internalcablelength short 440channel-group 0 timeslots 1-24description HCFD-XXXXXX!interface Multilink1ip address X.X.X.X 255.255.255.252ip nat outsideip virtual-reassemblyppp multilinkppp multilink group 1ppp multilink fragment disable!interface Serial0/0/0:0description T1 : HCFD-XXXXXXno ip addressencapsulation pppppp
[code]....
i have a dell desktop and a dell laptop when i am using the internet on the desktop cancel appears on the screen sometimes if i click on cancel it does not crash but works other times the internet crashes. this does not happen on the laptop.
View 1 Replies View RelatedI started a download to a 5508 to upgrade to 7.2.110, but the connection across a vpn is slow and taking too long. Can I cancel the download w/o corrupting the current image and/or setup?I don't see a cancel button anywhere in the gui and don't want do it unless the controller will handle an incomplete download correctly.
View 5 Replies View RelatedI'm working with AnyConnect for the first time (my prior experience is with IPSec client) and I have multiple remote users who connect to a 5520 via AnyConnect client; they need to print to each others' shared printers but currently have no connectivity between each other.
Can I configure the 'intra-interface' command to enable connectivity between remote clients, or is there more that needs to be done to enable this, presuming that it can be done at all?
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
View 1 Replies View RelatedI am in the process of migrating a production firewall from PIX 6.3 to ASA 8.4(2). This is going to be a complete firewall rebuild and I will not be upgrading the configs because they have become out of date and very bloated. I am in the process of converting the NAT commands.[code] I am hoping these commands would be enough to replicate the previous functionality. I removed all the static identity NATs because NAT control is no longer in place so those rules are not required. Additionally I didn't re-create the rules that had NAT ID 0 or 1 because it didn't look like they were doing anything. correct way to do the static NAT commands at the bottom.
View 3 Replies View RelatedI am designing a new NAT configuration for an ASA 8.4
On my PIX 8.0 configuration I needed to allow bidirectional traffic between interfaces with different security levels. For example, Inside at 100 and dmz at 50.To accomplish this in 8.0 I used a static NAT command along with any necessary ACLs.
I now need to apply this same 8.0 config for 8.4. With the static command not availablein 8.4 I am unsure of which NAT commands to use to achieve the bidirectional traffic.
what the new command is for NAT in version 8.3?The config i have is from Version 7.2 and doesnt work on 8.3. [code]
View 12 Replies View RelatedI'm coming from a 5505/5510 ASA to a 5512x. I see the following 7.2 commands are now set with the NAT command in 8.6:
-------------begin 7.2 commands---------------------
global (outside) 1 interfaceglobal (inside) 10 interfaceglobal (wireless) 1 interfacenat (inside) 0 access-list nonatnat (inside) 1 192.168.3.0 255.255.255.0static (inside,outside) tcp interface www 192.168.3.114 www netmask 255.255.255.255static (inside,outside) udp interface 5008 192.168.3.117 5008 netmask 255.255.255.255static (inside,outside) tcp interface 3390 192.168.3.101 3389 netmask 255.255.255.255static (inside,outside) tcp interface h323 192.168.3.118 h323 netmask 255.255.255.255
--------------end 7.2 commands----------------------
Boss wants a listing of the firewall rules only. What's a command I can run that will give me a listing of this?If I can get an output of firewall rules only, via GUI, that'll work too. It just needs to end up with a printout on a piece of paper telling me what the firewall is doing.
View 17 Replies View RelatedWhat is the new configuration in ASA 8.4 to replace the old "nat 0" command.
View 1 Replies View Relatedwant to know the command for configuring NAT on My ASA5505.
Local IP - 192.168.1.0/241
Public IP - 182.73.109.118 255.255.255.252
I have a PIX506E that was resently reset and it has version PIX Version 7.1(2) . It either uses some different commands or I am not using them correctly. [code]
View 2 Replies View Relatedi'm new with the asa's...i'm familiar with the FWSM's on 6500's and pix..I'm running Version 8.3(2) and i wanted to setup nat-control and use of identify nats for advertising inside subnets to my outside networks.
the old command was static(inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x i'm having a little difficulty decyphering the pdf about the static nat...the command itself is no longer used, nat-control is no longer used, but i'm not quite sure what the equivalent nat command is that equates to the old static inside,outside command.
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies View RelatedWe are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
View 1 Replies View RelatedTwo different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
View 8 Replies View RelatedI have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
communication between 2 vlans.i have 2 vlans
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
How do you save the command output from the CLI to a file on flash?
With IOS, I would normally use a pipe command to redirect to tftp, but the ASA doesn't support this as far as I can tell. As a work around I was thinking I could save the output to flash and then tftp that file off the ASA.
we just bought a 2921 with the following modules: 4 port clear channel T1/E1 HWICSM-ES3G-24-P: EtherSwitch.I read some CISCO documents, and not be able to find what I need. I would prefer all instructions from you are for CLI interface.This is my first time to deal directly with T1, WIC and 2921 etc. The following is what I get from ATT, IP masked IP Address Block IP Address: 20.20.20.136/29 WAN Link Details: WAN Link IP Address:13.13.13.92 AR Serial INT IP Address:13.13.13.93 CR Serial INT IP Address:13.13.13.94 WAN Link Subnet Mask:255.255.255.252
A: how do I configure T1, what does "AR, CR" stands for, and do I need to use both IP addresses? What is the WAN Link IP for?
B: We have two T1 lines, so I should plug them both to the WIC, say port 0 and port 1, how to configure them?
C: how do I access the firewall from the command line?
D: I followed T1/E1 HWIC installation guide, and as soon as I add channel-group to the controller t1, the serial interface went down?
The firewall is running version #8.2 on ASA 5580. Address translation is not needed on Inside network and Outside network.But the customer has hundreds of static command as below.. [code] Can they all be removed and replace with one single command as below?
View 1 Replies View RelatedBefore running firmware asa722-k8.bin and asdm-522.bin ASDM "asdm location" config lines were created when we created a network object. After the upgrade to asa722-k8.bin and asdm-522.bin this dissapeared.We recently upgraded to asa724-k8.bin and asdm-524.bin which brought those config lines back.So if "asdm location" is needed, if not can we make sure those lines wont pollute the config file?
View 3 Replies View RelatedWe have an ASA 5540 failover bundle working in Active/Standby mode. On our active asa 5540 when the sh run command is issued it gets stuck and displays the output after more than 15-20 mins.. and it takes another 10-15 mins to get back to the prompt..
However on the standby asa 5540 if the sh run command is issued, it displays the ouput and comes back to the prompt (even though this also takes 2-3 seconds)
I have tried rebooting the active asa 5540.We are running asa version 8.2.2.
i am wanting to open up snmp on a pix 501 6.3 version. I am planning on doing it with the following configuration: [code]
I noticed you cannot specify RO on the snmp-server command with the older pix. I don't want this configuration to open up any write access to the pix. Is there a way to specify only read only for snmp