Cisco Firewall :: ASA 5520 For Dual Active ISPs

Dec 14, 2011

I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved.  Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses from some time.  I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.

View 3 Replies


ADVERTISEMENT

Cisco WAN :: Dual ISPs In ASA 5520

Jul 10, 2011

We got 2 ISPs -------> two ASA 5520 Primary / secondary --------> LAN . ASA is configured with ACL and Static NAT for our mail , web & ftp servers .
 
My question is how to configure the 2nd ISP on the ASA to auto switch to the 2nd ISP when the 1st is down with a backup static NAT and backup ACL for the new ISP , in other words how to configure a active static NAT and Backup Static NAT and ACL only for Exchange/Mail Server.Here is the example of our configuration where PIE is Primary ISP & EMC is Backup ISP.
  
ASA Version 8.2(1)
hostname Corp-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....

View 1 Replies View Related

Cisco Firewall :: ASA5520 - Active / Active Failover In Multiple Security Contexts With Dual ISP?

Jun 1, 2011

I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?

View 1 Replies View Related

Cisco Firewall :: Dual ISPs On ASA 5505

Dec 5, 2011

We have a cisco ASA 5505 with sec bundle plus
 
We have two ISP's:
 
ISP1 (Our IP = 30.100.150.50, gateway 30.100.150.8)
ISP2 (Our IP = dynamic, gateway 20.100.150.9) - ADSL 
Our internal LAN IP range is 10.9.8.0/24
 
We want to configure the ASA 5505 to allow users via ISP2 for http traffic We then want to use ISP1 for strictly VPN and access to internal web resources (eg OWA) as we have public IP's there.
 
Our idea was to configure two gateways on the ASA (e.g. 10.9.8.5 via ISP2 and 10.9.8.6 via ISP1)
 
Then give the users gateway 10.9.8.5 for web browsing etc Is this configuration possible on the ASA 5505?

View 4 Replies View Related

Cisco Firewall :: ASA 5505 Split Traffic On Dual ISPs

Jul 31, 2012

I have an ASA 5505 current f/w & the security plus license (to get the 3 nameif interfaces). Can I split traffic between two ISPs, (VPN traffic to one destination on a T-1 on one VLAN, and all other traffic using DSL to another VLAN) and using a different nat policy on both? I know load balacing isn't supported, only failover. I was just wondering if there was a way to make this work.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Nat / Routing DMZ With Dual ISPs (4 Legged)?

Apr 11, 2013

I am in the process of configuring a ASA 5510 to replace an older PIX.  This change is part of migrating to a new ISP, so the process is complicated by the existence of two outside interfaces.  I have virtually everything working, but there is a requirement to be able to access hosts from the internal networks using both their private IPs and their public IPs.  The older PIX took care of this silently with little configuration, but the ASA has me twisted on the details.  Some of the hosts with public IPs are on the internal network and some are on a DMZ (not my design, inherited).  For the internal ones I implemented hairpinning to take care of the requirement, but I am having trouble with the DMZ based hosts.. Since there are two external interfaces each internal host has two IPs and two static NAT rules to handle incoming traffic from each external interface.
 
The routins and dynamic NAT entries we have in place take care of accessing the hosts using their private IPs on the DMZ, but I cannot figure out how to get the public IPs to work from the internal network.  It seems like a simple Static D-Nat shoudl do it, but when I add a Static D-Nat on the DMZ the public IP works, but the private IP breaks..  Is there a way to get them both to operate ?
 
Network layout looks like this (IP ranges altered):

DMZ  172.10.0.0.0 Class C
INTERNAL 10.0.0.0  Class C
Outside  1.2.3.0  Class C
Outside2  2.3.4.0  Class C

[code]....

After applying it I could access the public IP (1.2.3.50) from the internal network, but I could no longer access the DMZ IP (172.10.0.2) from the internal network. Is there any way to get this configuration to allow access to both IPs from the internal network ?
 
The problem here is that there are website links based on the public IP and the DNS is split so DNS returns the internal IP to users. As a result both need to be accessible from the internal network.. Not my favorite design, but the client (or in this case the boss) is always right so I need to get it working somehow.

View 8 Replies View Related

Cisco Firewall :: ASA5510 With Dual ISPs And Static NAT On Backup

Dec 12, 2012

Looking to have an ASA5510 with two internet feeds. Moreover, I would like to have my static nat translations continue to work on the backup feed. I have outbound nat working, however I cannot get the inbound nat to work. I had this all figured out in 7.x but now with 8.x I cannot seem to get it working. If anyone has a 8.x example config.

View 4 Replies View Related

Cisco Firewall :: 5520 - ASA Active / Active Failover And IPS Failure

Mar 30, 2011

I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
 
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
 
IPS soft is 6.0(4) and ASA soft is 8.0(3)
 
I have checked cisco doc and it is confusing to me. it says:  "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..

View 2 Replies View Related

Cisco Firewall :: ASA505 - 2 Sets Of NAT Rules To Accommodate Dual ISPs

Oct 10, 2012

I am setting up an ASA550 ver 7.2(3) - does this need upgrading?I have my ISP interfaces setup as primary and backup I have a static route pointing out:route primary 0.0.0.0 0.0.0.0 1.2.3.4 1 Question:Do I put the next static route to be route secondary 0.0.0.0 0.0.0.0 3.4.5.6 254 Will this set a high metric on the secondary route that will only take effect if the primary route is down? I assume I will need to have 2 sets of NAT rules to accommodate the dual ISP's

View 1 Replies View Related

Cisco Firewall :: 3900 - Configuring Active / Standby With Dual ISP

Jan 12, 2013

1. We have Two 3900 Router on the core layer which are terminated with one ISP on one Router and Secondary ISP on Second Router.

2. Can we configure my ASA 5520 with Active/Standby termenating two IPS providers one on Active ASA 5520  and Other ISP  on Standby ASA 5520, so that when Active ISP fail ASA Secondary can become Active and send the Traffic throough Secandary ISP.
 
3. The reasion behind giveing Public IP on Firewall is to Terminate VPN on our Firewall i.e. SSL and IPSEC VPN.
  
Few Clarification If we can achive the above:
 
1. How will the DMZ Servicec nated with my Primary ISP on my Primary ASA will be routed when the Secondary ASA is acting as Active Firewall.

2. Can Web SSL and Client To Site IPSEC  VPN users access service  via the Secondary ISP- ASA when my Primary ASA and ISP is down.

View 7 Replies View Related

Cisco Firewall :: ASA 5510 Dual ISP Active / Standby Fail Over

Apr 2, 2013

I have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively. ASA was configured so that, when the primary fails, the secondary kicks in.  [code]
 
It was until yesterday that we experienced downtime on the primary ISP that the secondary doesn't do the fail-over. I have to manually configure the device to use the secondary ISP. Currently, I'm looking at maybe this has something to do with the licensing.We are currently using a Base License, should we be upgrading to Security Plus?

View 10 Replies View Related

Cisco Switching/Routing :: ASR1000 - Dual ISP Active / Active Connection On Single Router

Jun 10, 2012

I am working on a network which has two ISP connections (Active/Active) terminating on router (ASR1000). From the LAN side (6500 switch) all the traffic need to be route on ISP1 but some of the specific subnets like 10.250.0.0/16 need to be route on ISP2 connection.
 
I am planning to use PBR and NAT with route maps. any documents or refrences are provided.  
 
(access switches)---------(core switch)----------(routers)----------------(ISP1)
----------------------(ISP2) 

View 1 Replies View Related

Cisco Firewall :: 5520 - Active FTP Does Not Work

Oct 9, 2011

I have an asa 5520 that works fine if you are using passive ftp and ftp inspection is on globally. It is not working for an active ftp session. I tried allowing all ports back to the external ip address of the internal client as a test and this did not work either.
 
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.2(3) 
policy-map Global_Policy

[Code].....
 
I read another article saying that this command needs to be on the asa "fixup protocol ftp 21"
 
If this is enabled will it show on the firewall?  How do I enable it?

View 2 Replies View Related

Cisco Firewall :: Show Active TCP Connections In ASA 5520?

Jun 5, 2013

how many active TCP sessions my ASA has but having a hard time finding this information.  When I do "show conn count" from the CLI it shows what I'm guessing is a sum of both TCP and UDP.  Is there any way to get just the TCP connections?

View 3 Replies View Related

Cisco Firewall :: ASA 5520 Active Standby And IPS Configure

Mar 3, 2013

I have two ASA 5520 version 8.2 in active Standay Mode. What is a good practice to setup IPS AIM ssm-20 for this setup.
 
Is IPS should be in Fail-Open or Fail-Close mode ?
 
Is Mangement ip for both IPS module should be same or diffrent. ?

View 6 Replies View Related

Cisco Firewall :: ASA 5520 Active And Standby Preempt Functionality

Aug 6, 2012

Is the preempt option available in active standby ASA firewall setup with single context...somewhere i have read that same is available in active-active setup or active/standby setup with multiple context.If i active the multiple context mode on product environnement with two ASA5520 in Active/Standby mode, what are the impacts on the the production?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 Active / Standby Failover - IP Addressing?

Mar 15, 2011

I am getting ready to setup avtice/standby failover on our ASA 5520's and have run in to an issue.I currently only have one External IP address available. My Idea was to use a private/placeholder IP address for the standby external IP Address, will this cause any issues with the failover? I know I won't be able to access the secondary from the outside, but that is not an issue.

View 2 Replies View Related

Cisco Firewall :: Upgrade ASA 5520 In Active / Standby Configured From 7.2(4) To 8.3(1)

Oct 9, 2011

I have been asked to look at upgrading two 5520 ASA configured in a HA pair Active/Standby, from version 7.2(4) to version 8.3(1) to bring it in line with some other ASA firewalls in the organisation.
 
My question is can I simply upgrade straight from 7.2(4) to 8.3(1) or will I have to step the upgrade from 7.2(4) => 8.2(x) => 8.3(1)
 
Having read a few articles on the forums and the release notes I think I should be able to go from 7.2(4) => 8.3(1) .
 
The second part of my query is around the upgrade itself, having researched this a little there seems to be various views on how to go about upgrading a HA pair and I cannot find anything specific on the website.
 
The approach I am thinking of is simply as follows;

- upload images onto both firewalls in the HA pair
- On the standby from the CLI
clear configure boot

[Code].....

View 3 Replies View Related

Cisco Firewall :: ASA 5520 Needed To Be Configured In HA Active / Passive

May 24, 2011

I have the following Setup, Two Cisco ASA 5520 needed to be  configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?

View 1 Replies View Related

Cisco Firewall :: Multiple Context Active / Standby (ASA 5520)

Mar 8, 2013

I need to configure multiple context mode with active/standby failover solution.
 
Even after reading some Cisco documents I still can't understand if active/standby failover configuration has to be done within the admin context only or also within every single context (context-1, context-2 for example). In this case I have to allocate as failover interface a subinterface for each context (admin, context-1, context-2), right ?
 
Therefore a I have an other question: within the admin context, in a failover solution, do I have to allocate all interfaces I want to be moniotred, even though some will be used by context-1 only context and some others will be used by context-2 only context ?
 
An other question is: if active/standby failover configuration has to be done within each context, can I set regular failover within context-1 while stateful failover within context-2 ?
 
The last question is: can I use management interface within all 3 contexts ?

View 8 Replies View Related

Cisco WAN :: Dual DHCP ISPs On ASA5505?

Jul 1, 2012

I've been searching the net for days now trying to configure the ASA5505 for dual DHCP ISP use. All guides available assume you have one static.
 
After realizing that it required a Security Plus license to even configure 3 VLANs.
 
I can choose a backup interface in ASDM. It even says dual ISP enabled. Why cant there be a guide or simple configuration example or am I the only one looking for this kind of solution?
 
Customer has two ADSL internet connections and want to switch between them if they fail. No load balancing required.

View 2 Replies View Related

Cisco VPN :: Active / Active ASA 5520 Remote VPN Access Limitations?

Sep 19, 2011

We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 Active / Standby Remote Software Update

Jun 7, 2011

We have a pair of 5510s and a pair of 5520s, each in Active/Standby mode.  I'd like to upgrade the ASDM and ASA software on these, but am finding no documentation that advises on how this can be done without physical access to the devices.  It so happens I am on site, but we will be deploying these throughout our network and I'd like to be able to perform this type of maintenance without travelling to each site.  We utilize CSM and ASDM to manage these for the most part, but are certainly capable of configuring via CLI. 
 
The issue may be my lack understanding of the ASA fundamentals, but I don't really get how the software can be copied to the individual ASAs of the pair so they may be reloaded and upgraded without outage. With a remote SSH connection to the pair, I'm only copying the software to the Active ASA, correct?  Or is there a way to get the software to each disk individually from the single SSH connection?  I'm not quite sure how to manage the Standby ASA without consoling into it... If I can indeed remotely get the software to each ASA (copying to different disks?? i.e. disk0: and disk1:?), then I also run into an issue updating the boot statement for each of them individually, though to resolve that I suppose I could just remove the old software, but that seems like bad practice before confirming the new software is ok.If there is a simpler way of deploying new code via ASDM or CSM, I'm certainly open to that.

View 4 Replies View Related

Cisco Firewall :: ASA 5520 Configuring Active Standby High Availability

Nov 1, 2011

I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.

View 5 Replies View Related

Cisco Firewall :: 5520 Running 8.4(2) - Setup Active / Standby Failover

Jan 30, 2012

I am trying to setup an active/standby failover with 5520's running 8.4(2) and am having problems with it not dropping connections during the failover. I am using a portchannel from the switch to each ASA and using sub-interfaces off that. I'm using the command Failover mac address Port-Channel1 “mac-address on primary Port-Channel1” “mac-address on standby Port-Channel1”.The command goes through but doing a show interface port-channel1 doesn't show a change in the mac address on the secondary unit after a failover when it becomes active.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Interface Reconfiguration In Active / Passive Failover

Dec 20, 2011

Currently l have two ASA 5520's in a active/passive failover scenario.  Currently the interfaces for the inside and outside are fixed at 100/FULL.I want to repatch them into GigE ports setup as Auto Negotiate.Is there anyway of keeping the connections through the firewall active in this type of scenrio or will l have downtime disconnecting and repatching?  or could l possibly disable failover and reconfigure each ?

View 6 Replies View Related

Cisco Firewall :: ASA 5520 / Use Active Directory Groups For Allow Internet To Clients?

Dec 18, 2012

it is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 / Use Active Directory Groups For Allow Internet To Clients

Feb 21, 2012

it is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Dual ISP

Mar 12, 2011

I have Cisco ASA 5520 . I want to deploy this in the following scenario. Two ISP( for internet) links are connected in the ASA. Three  zone ( Outside , DMZ , Inside) specified on the ASA.In DMZ , there are two proxy server ( proxy 1 , proxy 2) . Branch user will use proxy server 1 and Head office will use proxy 2. 
 
In the above scenario management requirements are, Proxy 1 will use ISP 1 and proxy 2 will use ISP 2.If ISP 1 goes down then proxy 1 will use ISP 2 for internet. Please suggest me how I will configure the ASA in the above requirements or if possible send me the configuration.

View 3 Replies View Related

Cisco WAN :: WAN / Dual ISPs - Can ASA 5505 Do Load Balancing As Well

Jan 24, 2010

I want to link ASA 5505 to two ISP's for backup purpsose. I can see this configuration example here url...
 
Question - does the ASA 5505 do load balancing as well for both connections - is there an example somewhere? (I do not want to buy two ASA 5505's!) which seems the only way I could find configuration details for!

View 6 Replies View Related

Cisco Firewall :: ASA 5520 Dual ISP Feature

May 31, 2013

I would like to knwo if i have dual ISP feature with my ASA 5520 licence? With ASA 5505 i can see Dual ISP feature but with ASA 5520 it's not!

View 3 Replies View Related

Cisco VPN :: Dual ISPs On ASA5510 And Remote Access Client

Jul 7, 2012

i have two public IPs on ASA5510 + Remote Access VPN Client, what i want to achieve is, i want VPN client users to be able to login using any of the two ISP's IP to remote connection to the ASA. what is the command to use to achieve this.
 
Secondly, i have setup the primary link VPN through ASDM but thinking i should do the same thing and add the "backup" interface.

View 1 Replies View Related

Cisco VPN :: ASA 5510 With Dual ISPs Split Traffic Between VPNs And Internet

Jul 1, 2011

I need to know how to setup my ASA with dual wan links. 1 is 10/10 fiber, other will be a 50/5 Cable Wideband link. The 10/10 fiber is currnetly being used for VPN's and Internet, (about 20 point to point IPSEC vpn's currently).
 
I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)", feature for the current fiber link and the new Wideband link for any other internet traffice. I tried this however as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic), I lost all connectivity.
 
I also setup my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the internet. This would only let me ping internet sites from the ASA device but not from client computers, also the VPN's would not come backup.
 
I have tried the sla setting with a DSL line for failover and that works good, i've since got rid of the DSL and want to utilize 2 wan links for different purposes/traffic.
 
ASA 5510, SSM-10      1GB RAM
ASA version                8.4(1)
ASDM Version            6.4(3)
Context Mode            Single
FW Mode                  Routed
License                     Security Plus

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved