Cisco Firewall :: ASA 5520 - ISP Change Procedure
Oct 30, 2011

Our company is going to change its ISP. The external IPs are obviously going to change too. We have an Active/Standby firewall and we would like to make the change with as little connectivity loss as possible. In our configuration we have nearly all features configured as in a normal production firewall, such as NAT, Site-to-Site VPN, Remote Access WebVPN, ACLs and also routing. I have looked up some information in this community and still I am not sure about the steps to be made to reach our goal.

I have read that changing only the "names" from the old IP range to the new IP range would not really make the change. The old IP range will still be configured in the features using the external IP address. Therefore we have to first delete all the information (in the running config) connected to these variables and then re-insert them. My biggest worry is that this could be a little bit tricky during the implementation, if some config lines or objects could be left out during the deleting and inserting procedure.

How could we make this change with a low percentage of "copy and paste failures"? I was thinking about changing the "names" to their new IPs and then afterwards reloading the ASA. Will this work out? The primary ASA will be changed first with the secondary shut down. ASA firmware 8.2.2 (12).
Apr 10, 2012

I just received an RMA for a failed ASA 5520 that was acting as the secondary unit in a multicontext configuration. What would be the correct procedure to install it back in production? Do I need to restore the backed-up config of the failed unit, or is it enough to enable multimode and connect it to the existing (primary) unit? Any good link for documentation that deals with these issues?
Sep 12, 2012

I need to upgrade the IOS and therefore change the flash card on a 2811 router.

What is the procedure to change the flash (64MB to 256MB) on a 2811 router?
Can I remove the flash card after the router has already started, change the flash card and load the new IOS?
May 19, 2013

I have an ASA 5520 that is working with three zones: DMZ, inside and outside.

My DMZ is for all my branches and it had a /24 subnet; my inside had a /24 subnet and all was fine. I could talk to branches and they could talk to me. I also had all the branches accessing the internet via the ASA, which is at HO. I changed the subnets from /24 to /21 and broke everything.

Below is the config for the ASA:
!
interface GigabitEthernet0/0
nameif outside
[Code].....
Apr 27, 2011

My business has an old PIX 515e and I'm about to install it in a "testing" environment, but no one can remember the password for this old equipment. Is there a way to reset the password?

But when it reboots and I write "enable" in the console it asks for a password, and the password isn't "cisco" as factory default. I really need this firewall up and running ASAP.

How do I reset the "enable" password?
Jan 6, 2012

I'll be upgrading an HA pair of ASA 5520s next week, and wanted to clarify the procedure. I read "Upgrading an Active/Standby Failover Configuration" at [URL], which suggests placing the image on both units, updating boot statements, then issuing failover reload-standby. But I was wondering if there's a way to be a bit safer. I'd like to modify the standby unit without affecting the config on the active. So I'd like to modify the boot statement on the standby without modifying the active config. That way, in case there's a problem and the active reboots, it won't upgrade.

Can I modify the config on the standby without affecting the active? Then I'd like to test the newly upgraded unit with our production traffic. Would that simply be no failover active, and then once the standby becomes active, test traffic? Once everything is okay, I would upgrade the second unit and fail traffic back.
May 25, 2012

I have an ASA 5520 with multiple site-to-site VPNs. A remote customer has changed their public IP address and now the VPN has gone down. How can I easily change the peer IP of the remote site to the new one without having to put the pre-shared key in again, as we don't know what it is and they don't manage their firewall?
Aug 19, 2012

I have a customer that wants to change their Nortel 5520 switches to a Cisco solution, and I wanted to ask what would be a good solution for this customer. Presently they have 4 48-port PoE and 2 24-port PoE stackable 5520s, and they are interested in redundant power supplies for the switches. I was thinking that the 3750 is good for this site.
Jan 27, 2013

I am configuring ISE to do the posture assessment. I have Avaya as my LAN and core switches. The idea is that once the user is authenticated using 802.1x, it will be moved to the quarantine VLAN, and after it is compliant with the company's policy it will be moved to the actual VLAN. I have configured the Avaya switch to accept the RADIUS-assigned VLAN and also configured 802.1x dynamic-authorization. Currently, the RADIUS-assigned quarantine VLAN is working, but once the NAC agent scans and marks the PC status as Compliant, the CoA is not happening and the user is not moved to the actual VLAN.

I tested the same ISE authorization policy of dynamically assigning VLANs on Cisco switches and it worked perfectly, but the same is not happening on the Avaya switch.
Jun 3, 2013

We are using an ASA 5520, running 8.4(3). We have users running the AnyConnect Secure Mobility Client 3.1.02026. I have the AnyConnect connection profile configured to authenticate users using LDAP over SSL. I enabled the password management and am able to get password change prompts to appear in the AnyConnect client. However, new passwords are rejected and changing passwords through that prompt does not work. I'm not sure what the cause of the problem is, since LDAP over SSL is enabled and working, which is required for the password management feature.
Jan 17, 2012

I have two Nexus 5520 running 5.0(3)N1(1c).

I have both boxes heading off to ACS for TACACS login authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal, as I am using switch configuration profiles. Everything runs fine. User logins are authenticated by ACS and users have the correct command set applied to them.

The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520s to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable, I can log on fine with the local admin user.

The Nexus console reports this error (amongst many others):
 
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
 
A show system reset-reason shows:
 
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
    Reason: Reset triggered due to HA policy of Reset
    Service: Tacacs Daemon hap reset
    Version: 5.0(3)N1(1c)
Could this be a bug with Nexus/ACS?
Nov 2, 2012

We were using an ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found a hardware problem in our running ASA. Now Cisco wants to replace it with an ASA-5520-K8.
Mar 15, 2012

How are ASA 5540s in high-availability mode upgraded to a new software version?
Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 routers: [URL]).

The reason I ask is that I recently upgraded a firewall from an ASA 5505 to an ASA 5520 on a small network where the only outside connectivity was a single 10 Mbps internet circuit with an IPsec VPN (not landed on the firewall but on a router) to another site.

When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary, no IPS or VPN, just standard stateful inspection.
May 5, 2013

I have an ASA 5520. How would I configure my dedicated management interface to be able to route off-subnet while the firewall is in transparent mode?
Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, build 598). The ASA 5520 firewalls have software release 8.4(3)8 installed. When somebody tries to connect through the identity-based firewalls from a Citrix published desktop environment (PDI), the connection is not possible. Checking the IP-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in to. The user-of-IP mapping of the PDI's IP address mostly shows other users, which are then used to authenticate the access through the firewalls.

What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either, because it is mapped to another user. Is a Citrix Published Desktop environment supported to connect through identity-based firewalls? How do AD Agent, domain controllers and firewalls work together? On the firewalls, with "show user-identity ad-agent" we see the following:

-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799

Why does Cisco use 1645 and 1646 and not 1812 and 1813? What purpose is the listening port used for? We tried the AD Agent modes full-download and on-demand with the same effect.
Apr 15, 2013

I am trying to launch a LAND attack against my ASA 5520 firewall. Everything works fine. But why? I think it should not work. I use a little tool where I can use a spoofed address, with a cluster shell, and attack the firewall interface with 127.0.0.1 or the IP address of the interface as the source and destination. Then I get a CPU load of 89% with only two hosts. With iptables I can use kernel processes to prevent this. But I don't find anything for ASA.
Jan 4, 2012

Two different WAN links are connected to the firewall via two routers (different IP subnets). I need to get these two WAN streams separately to the core switches. The core switches are in an Active/Standby scenario. If the active core goes down, the standby core will have to take over the traffic. Is my design correct? If not, what do I need to change? The ASA is a 5520.
        May 22, 2013
        I have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
 
[URL] 209.151.225.100
  
Can I use the following command to set ntp server?
 
ntp server 209.151.225.100 source outside.
Jan 1, 2012

Communication between 2 VLANs. I have 2 VLANs:
 
Vlan 100 
ip add 1.1.1.1
!
!
!
Vlan 200
ip add    2.2.2.2 
 
I want to enable communication between the 2 VLANs on the ASA 5520 firewall, version 8.2.
Mar 26, 2013

Why isn't a GUI upgrade possible instead of a CLI-initiated upgrade? Is this (GUI) only for patch upgrades, or is it a valid upgrade path to use Cisco Prime's GUI (Administration; Software Update) in order to upload the update file? Check for updates gives no results despite a successful login to [URL].
Feb 27, 2011

I have a serious problem with my corporate firewall, which is an ASA 5520, fv 8.3, with 8+1 interfaces. It suddenly started to crash every 10/20 minutes and reboot on its own.

First of all I checked system resources, which are in a very low usage state. I also checked interface errors, but nothing strange came out of the error counter analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.

Nothing changed and the firewall continues restarting by itself.

The last logs I received before the crash were:
 
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =   0x084A619E  0x084A6512  0x084A70E1  0x084A7987  0x084A7AAA  0x08558B9B  0x08558E8A  0x083D3518  0x083CA145  0x080659D1  0x089196D9  0x08919790  0x089FF711  0x08A27468
Here is the output of the sh crash info command on module 0, after the last reboot:
[Code] ......
Nov 29, 2011

We have an ASA 5520 firewall. We have connected the management port and inside port to the internal network and the DMZ port to the DMZ network. Now we need to configure TACACS and other management tools on DMZ devices through the management port. The problem is that the management devices (TACACS and others) are placed in the internal network.
Oct 4, 2012

I have an ASA 5520 in my company which does all our NAT and firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific IP address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port, but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall, but how can I log any hits this ACL takes to identify any potential problems?
Apr 8, 2011

Our local network is behind the Cisco ASA firewall. Whenever we access the client VPN server, it gets connected, but after a few minutes (maybe 5/10/30 min) the sessions are terminating. The same traffic through the PIX has no issue; only with the ASA firewall. See the following error, and please give the possible root cause for this.
 
2011-04-09 16:15:09    Local4.Info    172.16.1.68    %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
May 29, 2012

I have a problem in the configuration of a Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network --> Firewall --> Routers with GLBP with a virtual IP address. The clients cannot ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall. I checked packet tracer and it gives:
 
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside10,outside) source dynamic LAN interface
Additional Information:(code)
Oct 20, 2011

Where can I find a CLI password recovery procedure for the administrator account?
Mar 17, 2011

We have an ASA 5540. After setting up one-to-one NAT, do I need to do anything else? static (Inside,Outside) public ip address private ip address netmask 255.255.255.255.
Dec 20, 2010

I checked all the recovery docs; however, there is no specific one for the 3900 series router.
Oct 17, 2011

Where can I find a CLI password recovery procedure for the administrator account?
May 4, 2011

Procedure to apply the 5-2-0-26-4.tar.gpg patch. I don't know how to get the patch file into the ACS server. The procedure in the "Read me" for the patch does not indicate anything about how to do this:

1. open CLI console
2. define new repository in which the 5-2-0-26-4.tar.gpg resides
3. issue: 'acs patch install 5-2-0-26-4.tar.gpg repository YOUR_REPOSITORY'
4. verify installation by getting the following version information via CLI by issuing: #show application version acs

I don't know how to put the patch file from my local machine into the repository created in the GUI (if that is where the actual place to create the repository is).
May 2, 2012

From PEC training, Cisco says to perform a proper ASR 1004 shutdown by executing 'reload', then wait for the bootstrap message to appear, then [before commencement of unpacking of the IOS] turn off the power switch. Is this accurate? Does anyone have any doc related to the recommended power-down process on the ASR 1004? We have a UPS cutover coming up and I want to be ready to power down and restart the new ASR 1004s we have, properly.
Dec 3, 2011

We purchased only a Cisco Supervisor Engine VS-S720-10G and used it in our old C6509-E chassis. Now the supervisor engine is dead (meaning not working and no LEDs are on). How can I claim the RMA from Cisco?

We purchased it from one of our partners. We sent it to them; they are not able to find the serial number on the Supervisor Engine module (because there are lots of serial numbers on the board). Also, the customer threw the carton away.

Now how can we know which is the exact serial number of the sup? How do we get an RMA from Cisco, and on which serial number?