Cisco Firewall :: ASA 5520 Dual ISP Feature
May 31, 2013
I would like to know if I have the dual ISP feature with my ASA 5520 licence? With the ASA 5505 I can see the Dual ISP feature, but with the ASA 5520 it's not!
I have a Cisco ASA 5520. I want to deploy this in the following scenario. Two ISP (internet) links are connected to the ASA. Three zones (Outside, DMZ, Inside) are specified on the ASA. In the DMZ there are two proxy servers (proxy 1, proxy 2). Branch users will use proxy server 1 and the head office will use proxy 2.
In the above scenario the management requirements are: Proxy 1 will use ISP 1 and proxy 2 will use ISP 2. If ISP 1 goes down, then proxy 1 will use ISP 2 for internet. Please suggest how I should configure the ASA for the above requirements or, if possible, send me the configuration.
I inherited a network redesign project mid-implementation and ran across an issue that I was not 100% sure could be resolved. Implementation is occurring in which the organization is changing over to a different ISP, and we have some customers that will not be able to change their settings over to our new addresses for some time. I have seen a lot of posts about failover and dual ISP configurations, but I could not relate them to this particular scenario.
We are looking to deploy an ASA 5520, but I need to know if it is possible for it to work in this environment.
We have colo space with two IP ranges. They provide two network drops, one from each switch, connected to different routers. One has 4 usable IPs for management purposes. This address range will be used only for remote access to the ASA and VPN into the management VLAN. The management VLAN will have all internal devices such as the switches, etc. The second range is for the servers, which will be assigned directly to the hosts, and the ASA will need to act as just a firewall. I can do this on IOS, but I'm not sure about the ASA.
I need to answer the following questions:
Does the ASA support dual network drops, and would this be a failover port configuration in order for it to work?
A management VLAN with outbound internet access only, and VPN/RA capability. NAT will need to be used, I'm guessing.
Can we have a DMZ VLAN which has defined ports, say 80, 443 and 25, inbound and outbound? I need the hosts to have the public IP assigned to them with no NAT configuration.
I know there are some advantages to using NAT, but I really can't use it because the applications behind it prefer public IPs being assigned to them.
I need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.
The clients currently use .254 addressing through a dumb Dell switch to the 3750, but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces, and I'm not sure if that has anything to do with its capability to act as a DHCP server (it's not an option in the ASDM) or its ability to serve as the internet gateway for the 2010 clients. (Side notes: the 5505 has a base license and is currently also connecting 1 site-to-site VPN. As is the 5520, so all of its interfaces are used as well.)
I statically assigned a moved client a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address, but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set its default route to 253.1. The link between the 2010 and the 3750 works: clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.
Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?
The reason why I don't just connect the two switches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface. I'm having such a hard time wrapping my head around why I can't get my clients moved over to the new switch that I haven't even grasped how I'm going to do that yet.
How do I utilize the dual band feature on my Belkin N750 DB? Do I have to set up two separate networks? Even then, how, when my devices (PC, iPod, gaming devices) are only recognizing the 2.4GHz band network?
Region : United States
Model : TL-WDR3600
Hardware Version : V1
Firmware Version : TL-WDR3600_V1_130320
ISP :
Has anyone gotten the Guest Network feature to work with the new firmware TL-WDR3600_V1_130320? I have my WDR3600 set up as an access point: TPLINK with a static IP address, connected via ethernet cord from the LAN port to the main Verizon FIOS router, which distributes DHCP IP addresses to the network. I cannot get the Guest Network feature to work. I see the guest SSID I created, but when I connect to it the IP address assigned is in the 169. range, meaning it does not get to my main router. It may be because I have the TPLINK set up as an access point, so are there any people who have gotten Guest Network to work either with the TPLINK as the main router or as an access point?
My question is very simple: is there any way or feature that could allow us to have a backup VPN tunnel on the secondary ISP at the ASA 5520? Let's assume the primary ISP goes down; is there any way for the VPN tunnel to come online at the backup ISP? [code]
I've been trying to configure Websense URL filtering using the ZFW feature on my Cisco 881G router. The router is running IOS 15.0(1)M with Advanced IP Services, and I have confirmed it supports the urlfilter feature.
This is what I tried to accomplish, but IOS version 15.0x seems to have a different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...
I configured dual ISP on an ASA 5520 following the Cisco doc below. Now I would like to configure SSL VPN to work with this for failover. I tried to find an article regarding this but I could not. [URL]
What is the best way to deploy the IOS firewall feature? I have a Cisco 1841 router running 12.4.
We have 2 ISPs -------> two ASA 5520 (primary/secondary) --------> LAN. The ASA is configured with ACLs and static NAT for our mail, web & FTP servers.
My question is how to configure the 2nd ISP on the ASA to auto-switch to the 2nd ISP when the 1st is down, with a backup static NAT and backup ACL for the new ISP; in other words, how to configure an active static NAT and a backup static NAT and ACL only for the Exchange/mail server. Here is an example of our configuration, where PIE is the primary ISP & EMC is the backup ISP.
ASA Version 8.2(1)
hostname Corp-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
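The backup-ISP pieces asked about in the posts above (proxy traffic falling back to the second ISP, a VPN tunnel that can come up on the backup ISP, SSL VPN surviving failover, and a primary plus backup static NAT and ACL for the mail server) are all driven by the same mechanism on an 8.2-era ASA: a tracked default route that moves between two outside interfaces. The following is an added example, not configuration taken from any of the posts. The interface names (outside, backup, inside), the RFC 5737 documentation addresses, the SLA probe target, the mail server address 10.0.0.25 and the remote VPN peer are all assumptions.

```cisco
! Added example (not from the posts). Interface names, the SLA target and all
! addresses (RFC 5737 documentation ranges) are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/2
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Probe a host beyond the primary ISP's next hop, not the next hop itself:
! a dead upstream behind a live CPE would otherwise never trigger failover.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.9 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! The primary default route stays installed only while track 1 is up; the
! backup route has a worse metric and takes over when the primary is withdrawn.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Dynamic PAT behind whichever interface currently holds the default route
! (8.2 nat/global syntax). Both pools share id 1.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Mail server: one static NAT per ISP, each with its own inbound ACL, so the
! same inside host is reachable on both public addresses.
static (inside,outside) 203.0.113.3 10.0.0.25 netmask 255.255.255.255
static (inside,backup) 198.51.100.3 10.0.0.25 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq smtp
access-list BACKUP_IN extended permit tcp any host 198.51.100.3 eq smtp
access-group OUTSIDE_IN in interface outside
access-group BACKUP_IN in interface backup
!
! Site-to-site VPN: bind the same crypto map to both interfaces and enable
! ISAKMP on both, so the tunnel can be rebuilt from whichever interface the
! default route points at after a failover.
access-list VPN_ACL extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <replace-with-a-long-random-key>
crypto map VPN_MAP 10 match address VPN_ACL
crypto map VPN_MAP 10 set peer 192.0.2.10
crypto map VPN_MAP 10 set transform-set ESP-AES-SHA
crypto map VPN_MAP interface outside
crypto map VPN_MAP interface backup
crypto isakmp enable outside
crypto isakmp enable backup
!
! SSL VPN portal reachable on both public addresses.
webvpn
 enable outside
 enable backup
```

Three caveats a practitioner will hit. Existing TCP sessions are not preserved across the route flip; the translation table is rebuilt behind the other interface. Inbound mail only fails over if DNS also points at the backup address (a second MX, or a short-TTL record you change), since the ASA cannot make 198.51.100.3 answer for 203.0.113.3. And the remote VPN peer must be configured with both ASA addresses as acceptable peers, or it will reject the rebuilt tunnel. The backup-route mechanism is also all-or-nothing: it moves the default route, it does not steer proxy 1 out ISP 1 and proxy 2 out ISP 2 at the same time, so the split-by-proxy requirement in the first post needs policy routing that the 8.x ASA does not provide.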
I have a client that is requesting redundant internet connections using 2 7204 routers to 2 ASA 5520s in an active/standby configuration. There is no load balancing requirement; this is strictly for failover. The issue that I am having is that I have to have 1 of their public IP addresses on the LAN side of the 7204 for the ASA connectivity. Because of this both routers advertise their public subnet to the respective providers, but the issue is that when the WAN link on the primary router fails and traffic traverses the secondary WAN, the return traffic comes back in the secondary WAN and stops, because it sees the link to the ASA as being up even though the ASA is in standby. No matter what route manipulations I do, a directly connected route is always going to be better. How can I get this to work? Below is a rough sketch:
Verizon------Router A (Primary)-----ASA A (Active)--------------Nexus1
| | |
| IBGP | Keepalive | VPC Link
| | |
AT&T---------Router B (Backup)-----ASA B (Standby)------------Nexus2
Not sure if my subject is a good description of the problem or not.
I have an ASA 5520 at my home office and a SonicWALL NSA2400 at my remote office. The remote office has dual internet connections and I wanted to create two separate VPNs between the devices using each internet connection on the SonicWALL.
I know how to configure this on the SonicWALL; the problem is on the ASA 5520.
OK, basic network config:
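One way to take the "directly connected route always wins" problem out of the sketch above is to stop giving each 7204 its own private link to one ASA. If both routers' inside interfaces and both ASAs' outside interfaces sit on one shared switched segment, with HSRP on the routers and the ASA pair default-routing to the HSRP address, then Router B's connected route for that subnet really does reach the active ASA, whichever box that is, and the standby ASA's link state stops mattering. The following is an added IOS/ASA sketch, not the poster's configuration; the interface names, the HSRP group, the tracked WAN interface and the RFC 5737 addresses are assumptions.

```cisco
! Added example, not the poster's configuration. Both 7204 inside interfaces
! and both ASA outside interfaces are in one VLAN; addresses are RFC 5737.
!
! --- Router A (primary, Verizon side) ---
interface GigabitEthernet0/1
 description shared segment to ASA pair
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop below Router B's priority when the Verizon-facing interface goes
 ! down, so outbound traffic follows the same provider the return path uses.
 standby 1 track GigabitEthernet0/0 20
!
! --- Router B (backup, AT&T side) ---
interface GigabitEthernet0/1
 description shared segment to ASA pair
 ip address 203.0.113.3 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
!
! --- ASA pair (one configuration, replicated to the standby by failover) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.4 255.255.255.248 standby 203.0.113.5
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Two notes on the design. Active/standby ASA failover already requires each interface pair to share a subnet, so the shared segment is not an extra constraint; it is what lets the active unit's address and MAC be reachable from either router. And interface tracking only notices a physically down WAN port; if the provider's BGP session can drop while the interface stays up, track a route or an IP SLA probe instead so HSRP follows the routing state rather than link state.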
Main Office
ASA Public IP 1.1.1.1
ASA Internal network 192.168.1.0 (VPN source)
Remote office
Public IP 1 2.2.2.2
Public IP 2 3.3.3.3
Internal network 192.168.2.0 (VPN destination on ASA)
If I have a VPN from the main ASA to either one of the SonicWALL's public IPs, everything works fine.
If I create 2 VPN tunnels from the main ASA, 1 to each public IP on the SonicWALL, the VPN shows as up but no traffic flows.
I recently configured WCCP with a Sophos Web Filter on my network. It works well, but the problem I am having is that I have two 5520s, so I am directing the device to look at 2 different IP addresses, and the devices are in an Active/Passive failover. The problem is that because the second device is in passive failover it is not responding, which is throwing connection errors on my Sophos device. I know you can have a single management connection for the ASAs, but is there a way to have a single IP for the ASAs for WCCP?
I'm a bit confused about the new NAT functionality in Ver 8.4(2). I've gone through all the documentation as well as different blogs but am still not clear about various things. One of these is NAT-CONTROL. I understand that this has now been removed. Does this mean that traffic traversing the ASA doesn't need any NAT'ing commands unless specifically required by the administrator? In other words, by default traffic is allowed through the firewall without any NAT'ing.
My second query:
I've an ASA5520 running ver 8.4(2). For the inside interface, I've created 13 x sub-interfaces under Gi0/1. All have the same security level, i.e. 100. What I want to achieve is that traffic from these sub-interfaces should be NATted to the outside interface when going to the internet, but intra-sub-interface traffic should be allowed without NAT'ing. I'm using RFC1918 on both sides, i.e. source/destination. The first point is not a problem, it's working; however, I'm struggling with the second point. On ver 8.2 it wasn't a problem; I used NAT 0 with an access-list permitting RFC1918 addresses as source and destination.
I have upgraded an ASA5550 from version 7.2(4) to 8.4(2).
On version 7, I am used to the "names" command, like this:
names
name 107.25.1.10 Picard
name 107.25.2.20 Administrativa
In addition, when configuring ACLs it was very useful, for example:
access-list inside_access_out line 15 extended permit udp host Picard host 107.25.4.61 eq snmp
On version 8, I have verified that name replacement is no longer available:
ASA(config)# access-list outside_access_in permit ip host ?
configure mode commands/options:
A.B.C.D Source host IP address
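For the two 8.4(2) questions above (keeping traffic between the same-security sub-interfaces un-NATed while everything internet-bound is PATed, and referring to hosts by a readable name inside ACLs), the 8.3+ object model covers both. The following is an added example, not configuration from either post. The object-group contents, the interface keyword choices and the INSIDE_ALL object are the example's own; the Picard and Administrativa hosts reuse the addresses shown in the post, and the second ACL line is an assumption.

```cisco
! Added example for ASA 8.4(2). Object names and the ACL lines are assumptions.
!
! Thirteen sub-interfaces all at security-level 100 cannot reach each other
! at all until same-security traffic is explicitly permitted.
same-security-traffic permit inter-interface
!
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Manual (twice) NAT, section 1: evaluated before any object NAT, so private-
! to-private flows keep their real source and destination. This is the 8.4
! equivalent of the old "nat 0 access-list" exemption.
!  route-lookup : route on the real destination, not the (identical) mapped one
!  no-proxy-arp : do not answer ARP for the whole RFC1918 space on every
!                 sub-interface, which would hijack neighbours' traffic
nat (any,any) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp route-lookup
!
! Object (auto) NAT, section 2: only flows whose egress interface is outside
! are PATed. With nat-control gone, every other flow passes untranslated.
object network INSIDE_ALL
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
!
! Named hosts in ACLs: network objects carry the name and are referenced
! with the "object" keyword, so the ACL reads like the old "name" version.
object network Picard
 host 107.25.1.10
object network Administrativa
 host 107.25.2.20
access-list inside_access_out extended permit udp object Picard host 107.25.4.61 eq snmp
access-list outside_access_in extended permit tcp any object Administrativa eq https
```

To confirm the identity rule is doing its job, run a packet-tracer for a private-to-private flow (for example `packet-tracer input <subif> tcp 10.1.1.10 12345 10.2.2.10 445`) and check that the NAT phase reports the manual rule and that the source address is unchanged, then repeat with a public destination and check that the object NAT rule fires instead. Omitting no-proxy-arp on a rule this broad is the classic mistake: the ASA starts answering ARP for addresses that live on the other side of the segment.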
I have the following: 1 5520 ASA connected to the internet, 2 core switches, and several access switches. Aside from implementing RSTP, VRRP, and hard-coded access and trunk ports, is there any other recommendation you would like to add?
Should we activate the IPS feature in ASA 5500-X by using a license? In the 5500-X ordering guide: IPS is only sold as ASA-IPS combo SKUs, i.e., one cannot add the IPS service as an option on top of an ASA SKU. For example, if the IPS service is desired on the ASA 5515-X appliance, the relevant SKU is ASA5515-IPS-K8 or ASA5515-IPS-K9. But my customer has activated it by using the ASA5525-IPS-SSP on an ASA5525-K9.
I am going to implement an ASA5505 in one of my offices. I would like to use the web filtering feature on it. Will it cause any performance degradation in the ASA? Will it utilize more memory?
Recently I wanted to apply traffic shaping on my ASA5520, but after entering the configure mode of policy-map I could not find the shape command. If I type the command, the device notifies me that there is no such command. My version is 8.0(2). PS: the police command is working fine...
Me to a 2951 router with firewall feature set. I've begun to move the ACLs that were in the PIX. However, some of the rules are allowed to be typed in, but when I look at the ACL afterwards they are not what I typed in.
In Cisco ASA Firewall 5510, does the content filter feature come built in?
At this moment (firmware 1.0.3.5) the router has no IPv6 firewall, and therefore when used in a typical dual-stack IPv4/IPv6 network it has no protection regarding IPv6 traffic. Hopefully this will be fixed with a firmware update before World IPv6 Day on the 6th of June 2012.
I have an ASR1001 installed and I want to implement the firewall feature set. The current license level is IP Base and I have the firewall feature installed. The firewall feature shows active, not in use. I have tried to activate it without success. My question is: do I need to get a license for advipservices or adventerprise to activate the firewall feature set?
I am trying to use the built-in Smart Call Home feature of the Cisco ASA 5510 for automatic backup creation by email. I found the configuration [URL]. I already configured the said instructions, but when I send a test email it says it cannot contact the email server. Below is the error that I am getting from our ASA. I am new to firewalls.
OGI-MNL-ASA-FW0# call-home test profile ASA_Config_Backup
INFO: Sending test message to fcaccam@example.com...
ERROR: Connecting to SMTP server xxx.xx.xxx.xx failed: CONNECT_FAILED(33)
ERROR: Failed: CONNECT_FAILED(33)
We were using an ASA-5520-K9 with an ASA-SSM-AIP-20-K9 but recently found a hardware problem in our running ASA. Now Cisco wants to replace it with an ASA-5520-K8.
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 routers: [URL]).
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10 meg Internet circuit with an IPsec VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary: no IPS or VPN, just standard stateful inspection.
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
We are using the newest release of AD Agent (1.0.0.32.1, build 598). The ASA 5520 firewalls have software release 8.4(3)8 installed. When somebody tries to connect through the identity-based firewalls from a Citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in to. The user-of-ip mapping of the PDI's IP address mostly shows other users, which are then used to authenticate the access through the firewalls.
What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either, because it is mapped to another user. Is a Citrix Published Desktop environment supported to connect through identity-based firewalls? How do AD Agent, domain controllers and firewalls work together? On the firewalls, with "show user-identity ad-agent", we see the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why does Cisco use 1645 and 1646 and not 1812 and 1813? What is the listening port used for? We tried the AD Agent modes full-download and on-demand with the same effect.
I try to launch a LAND attack against my firewall ASA 5520. Everything works fine. But why? I think it should not work. I use a little tool where I can use a spoofed address, with a cluster shell, and attack the firewall interface with the source of 127.0.0.1 or the IP address of the interface as the source and destination. Then I get a CPU load of 89% with only two hosts. With iptables I can use kernel processes to prevent this. But I don't find anything for ASA.
Two different WAN links get connected to the firewall via two routers (different IP subnets). I need to get these two WAN streams separately to the core switches. The core switches sit in an Active/Standby scenario. If the active core goes down, the standby core will have to take over the traffic. Is my design correct? If not, what do I need to change? ASA is 5520.