Cisco Firewall :: ASA 5520 Need Single Fiber Connection
Jun 24, 2012
I have a Cisco ASA 5520 that I'd like to be able to connect directly to our gigabit fiber connection (we're currently connected through a media converter that's causing problems). I've found the following: Cisco ASA 5500 Series 4 Port Gigabit Ethernet Security Services Module [URL]. I only need a single fiber connection, as opposed to the 4 copper + 4 fiber.
Jan 4, 2012
Two different WAN links get connected to the firewall via two routers (different IP subnets). I need to get these two WAN streams separately to the core switches. Core switches sits. Active/Standby scenario. If the Active core goes down, the Standby core will have to take over the traffic. My design is correct, if not what do I need to change. ASA is 5520.
Sep 30, 2011
Connecting ASA 5520 to two Catalyst 3560G layer 3 switches. What's the best practice to connect the asa-5520 at the edge, to the core of my network? What I'm looking to do is connect two routed gigabit ports (gi0/2 and gi03) to two separate layer 3 routed ports on catalyst 3560G. I'm wondering how to do it, or if there's any type of failover method? I'm running EIGRP in the network and the link to the first core switch has a /30 point to point connection. Everything works fine, I'm just not sure how to connect the second switch to the firewall. Should I use a different /30 for the point to point connection to csw02 gi0/48? (See attachment) How would this affect traffic flowing through this interface? Would I have to duplicate rules I have on my inside (gi0/2) interface? Is there a way to make the inside2 interface standby somehow? I want to know the best way to set this up, so in the event csw01 goes down I don't lose internet. Will EIGRP work its magic and only use 1 path to the ASA? Should I even be using routed interfaces on the ASA and just use trunked mode? Running ASA 8.4?
May 23, 2012
Using SFP-10G-LRM with single mode fiber? We have 1310nm.
Mar 18, 2013
I have 3 Data centres which I am linking up via Single Mode Single Strand Fibre. The switches at each data centre are WS-C4948-E
-Distance between Data Centre 1 and Data Centre 2 is 60km single mode single strand
-Distance between Data Centre 2 and Data Centre 3 is 70km single mode single strand
What type of SFP do I need to use in each Data Centre for the WS-C4948-E switches for these distances.
Jun 4, 2013
I'm working with a customer who has an SGE2000P and a Catalyst 2960 to setup and configure a single mode fiber link. The SGE2000P has an MFELX1 fiber GBIC and the 2960 has a GLC-LH-SMD GBIC. When I have the customer plug in his fiber, there is a power light that comes on on the MFELX1 GBIC. Neither GBICs/switches show that a link or activity is occurring, but the presence of that light makes me think that they are connecting somehow. Are these two switches/GBICs compatible?
Mar 5, 2012
I'm looking for switches that support single mode fiber connections and would like to know if "WS-C3750-FS-S Catalyst 3750 24 100BaseFX + 2 SFP" and "WS-C3750G-12S-S Catalyst 3750 12 SFP" can serve the purpose?
Jul 18, 2012
Does the module WS-X4306 support single-mode fiber or multi-mode fiber? What GBIC is for single-mode fiber or multi-mode fiber?
Oct 22, 2011
Prior we only had 62.5u multi mode. I've got 3750x switches and new SM SFP and yellow fiber patch cables. None of my links show connected. No lights and trunk port interfaces show down/down.
Is there a special command you have to do on a port when using SM fiber? Do you think I need cross over fibers?
Also, should I be able to see a laser signal light like MM or is SM a different frequency so it's not as visible as MM?
May 14, 2012
I have a 7206vxr with a NPE-G1 card in it. I am planning to add some PA-GE card with a ws-g5486 to light single mode Gigabit dark fibre.
It seems that users are experiencing throughput of around 200Mbps. Is this per card, or for the entire chassis? I have 6 free slots; if I were to fill 3 of them up with PA-GE cards would I get 200Mbps on each card?
Oct 26, 2011
I'm having a problem with some new gear and can't seem to figure it out. I have a 3750X-48P-S with a C3KX-10G-NM using SFP-10G-LR transceivers and I'm trying to trunk that with a 6509 that has a X2-10G-LR transceiver over single mode fiber. This is not working. Cisco TAC says the SFP+'s that we just got brand new are both bad and we need to order new ones. I find that hard to believe but who knows.
The switch recognized the module and I tested all 4 ports in gigabit mode using GLC-SX-MM transceivers, all worked great. I have the SFP+'s in tengig1/1/1 and 1/1/2 as they should be. There are no other SFP's in the module either.
When I do a sho int tengig1/1/1 and 1/1/2 the media type doesn't show the transceiver that is installed like it does for the GLC-SX-MM ones. Maybe it's not supposed to or maybe it just doesn't recognize them and it's a hardware issue.
Nov 30, 2012
I have a requirement to connect two 3750 switches with 10G speed between two sites with 150km distance. We will lay-out our own fiber (48 core) between two sites. I just want to consult the following:
1. Could I use two core switch 6500 with single mode fiber as a transport equipment?
2. Or I need to use SDH equipment because of the distance concern? If so do I need a repeater? Could I use Cisco Metro Core ONS, which one?
3. Any other option to achieve this requirement?
Feb 8, 2012
We've just purchased a WS-C3750-24FS-S, only to find that the 100baseFX ports will not work over Single Mode fibre, backhaul links. Any way or a device that converts from MM to SM?
Aug 4, 2012
Connecting a Cisco 3945 Router to an Ethernet WAN Link. The service provider has provided a 100M Ethernet Single Mode Fiber handoff to the customer premises with SC Connector. The CPE configuration proposed for this setup is like this. [code]
Since the SFP has LC Connector, I suppose I need to have an SC-LC Cable for connecting the Ethernet link. Do I need anything else, apart from above?
Dec 2, 2012
We have a project in which we are using 34 Cisco SG200-18's each with a MGBLX1 (LC Single Mode Fiber) SFP mini-GBIC. All the fibers come back to one building where we must "bridge" all 34 fiber connections. What hardware should be used to accomplish this? A L2 switch? For example, a 12 port SFP Switch with Fiber SFP's accepting the first 12 fiber connections, then other switch with SFP for the next 12 and so on, until there is an overall capacity of 36 and having patch cables between the 3 switches?
What Cisco or non-Cisco hardware would work with these SF200-18's to accomplish this?
Dec 12, 2012
I have a problem with the connections to the remote webservice passing through ASA 5520 firewall. Connections are usually interrupted for a period of half an hour every few days.
This ASA 5520 firewall is only one firewall in a path to the remote webservice.
During the interruption I find the logs:
UTC: %ASA--4-419002: Duplicate TCP SYN from dmz1:x.x.x.x/.... to outside:y.y.y.y/p with different initial sequence number
Teardown TCP connection 28309406 for outside:y.y.y.y/p to dmz1:x.x.x.x/.... duration 0:00:30 bytes 0 SYN Timeout
How could I find the root cause? Could implementation of TCP State Bypass be the solution?
Oct 7, 2012
We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510, I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4. I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with a "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed". Even after I create a user with level 15 privilege and assign to my vpn group policy. I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.
Apr 9, 2013
Device Cisco ASA
Model:5520
OS 8.4(2)
I am not able to access the device via SSH. After connecting to the console I have found that the allowed SSH sessions are fully utilized with the show resource usage command and the output is [code]
So I used show ssh session command to see who is using the sessions but in the output it has showed only one session and the output was [code]
I was wondering why it shows only one session above instead of showing all the 5 sessions which are utilized as confirmed by the show resource usage command. We are using some internal tool for SSH monitoring on the device which is polling the device after a fixed interval for port 22 reachability. I don't think these tools are causing any issue as this is the secondary firewall and we are not facing any reachability issue for the primary firewall. Also, we are using 10 min for idle SSH timeout.
Oct 25, 2011
I configured multiple VLANs on my Cisco ASA5520. Everything works perfectly except RDP (3389) connections. The connections are established but after a period of inactivity, the user is disconnected from the server (black screen). The same problem happens with other types of connections (client/server), for example: Oracle, file sharing. Before installing the ASA, computers and servers were in the same VLAN and it worked well.
Is there a notion of an inter-VLAN connection timeout?
May 30, 2013
We are working with an ASA 5520 and it seems there is an issue with some email messages sent through it. When there are many recipients in the emails the email messages are not sent, and I have revised the server and the only thing I see is connection dropped. When I went to see the ASA log I saw this log report: ESMTP Classification: Dropped connection for ESMTP Request from 'interface': servername/portnumber to outside: IP address/25; matched Class 2: cmd RCPT count gt 100 tcp flow from interface:servername/portnumber to outside: IP address/25 terminated by inspection engine, reason - inspector disconnected, dropped packet. So I think there should be an inspection of ESMTP packets and if they detect an email message sent to over 100 addresses, then the packet is dropped, am I right? If so, what should I do to let those email messages be sent?
Nov 28, 2012
I have a Cisco ASA 5520 that was working properly. I tried to create a VPN IPSEC to test but when I finished the wizard I lost the connection between the inside interface and outside. I use another interface for DMZ and another for the printers network but these adapters are working properly. I have reviewed the NATs and the ACLs but I don't see the problem?
I have deleted the VPN IPSEC but it's still not working and I have the network down.
Oct 19, 2011
I have a server in a DMZ behind the ASA, connections to this server work sometimes and then fail others, so I don't think I'm looking at an ACL or NAT problem here. The syslogs report a SYN Timeout. I have taken a trace on the ASA, it seems that a SYN-ACK does come from the destination server within the 30sec timeout, but it's not passed through the ASA back to the source? There is one odd thing, what seems to be an out of sequence ACK from the destination which arrives before the SYN-ACK at the ASA, I'm wondering if this might be the problem? This only occurs on the connections which fail; on the connections that work, the destination responds quickly to the initial SYN, and the 3way handshake completes.
Syslogs :
Oct 18 19:17:32 nzlsudfedsi001-pri Oct 18 2011 19:17:32 NZLSUDFEDSI001 : %ASA-6-302013: Built outbound TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 (172.24.32.31/21) to BPO-TRANSIT:x.x.x.x/59392 (x.x.x.x/59392)
Oct 18 19:18:02 nzlsudfedsi001-pri Oct 18 2011 19:18:02 NZLSUDFEDSI001 : %ASA-6-302014: Teardown TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 to BPO-TRANSIT:x.x.x.x/59392 duration 0:00:30 bytes 0 SYN Timeout
[code].....
Mar 27, 2011
I've got a virtualised firewall running 3 security contexts in routed mode. What I am experiencing is that I cannot connect to an OUTSIDE host through the security contexts. From the firewall itself I cannot ping the directly attached host on the OUTSIDE interface but I can ping the directly attached host on the INSIDE interface. When I reload the firewall box, the first ping to the OUTSIDE host would be successful but subsequent pings fail and thus total connectivity is lost.
I even tried upgrading to ASA version 8.4(1) but still the same.
May 1, 2013
We have ASA 5520 firewall. For broadband Internet access, we have T1 Router (edge router provided by ISP) which provides public IP's 198.24.210.224 / 29. We have usable public IP's 198.24.210.226 - 198.24.210.230 with default gateway 198.24.210.225. We assigned 198.24.210.230 255.255.255.0 to the outside interface.
If we connect the ASA 5520 outside interface directly to T1 router, can all packets with destination addresses 198.24.210.224/29 reach the outside interface without using other device like another router or switches? I just assume that only packets with destination address 198.24.210.230 (outside interface ip) can reach the outside interface from the edge router. Is it wrong assumption? If it is correct, then is there any way to route all packets with destination address 198.24.210.224/29 to the outside interface?
Jun 27, 2012
I am using a PPTP server running on Windows 2008 server and I have configured my ASA 5520 to let the PPTP traffic pass through.
The solution works quite well but exactly every 120 minutes the connection drops and people have to reconnect. Is there any setting to change? In the PPTP server I haven't found any setting to change.
Nov 11, 2012
Currently in our environment we have two buildings with an ASA 5520 in each and a core stack of 3750's in each building. I am currently working on a network segmentation project and am thinking of adding another stack of 3750's in each building to add more redundancy to our network. This will allow our access layer switches to have a trunk to each stack and prevent an outage if one of the links or stacks were to go down.
My question is how I would set this up on the ASA end of things while using a common subnet and HSRP on the 3750's. I understand how to use HSRP and STP on the switches to achieve this on the 3750 end of things. I saw you can do etherchannel on the ASA with 8.4 but how does that work in a failover situation?
Nov 3, 2011
I have a client that has an ASA 5520 that has two internet connections, FIOS and Comcast. The ASA is configured to failover from the FIOS to the Comcast if the FIOS fails. This works perfectly fine. However, I was wondering if VPN and other inbound traffic will come into the secondary connection when it is active. I think VPN will work inbound when the FIOS connection fails, but I am not sure about the other inbound connections.
Sep 22, 2012
I have been doing network and computer work for a small public library which will soon be needing to change internet providers. Our planned route will be to have a fiber connection directly from our local ISP, but we need to figure out the best network hardware to accommodate this network connection. We currently have two HP 1810-24G switches connected to a Sonicwall TZ100 firewall as the primary router. The firewall/router connects to the internet with Cat6 connected to a fiber optic media converter. The media converter is on lease from the current internet provider so it will be gone. Our new ISP has said that they can provide a fiber connection in our building to an SFP port termination, which is their recommendation. Ideally, this would be an SFP port in a router or firewall. However, there seem to be very few options for routers with SFP and they're all incredibly expensive compared to a network switch with SFP. While I imagine we could just terminate the fiber optic connection into a cheaper switch with SFP and connect to that with the firewall, our network is further complicated in that we have a CISCO LifeSize video conferencing system which ideally runs best without running directly through the firewall, which can cause some lag and glitches in the signal it seems. I don't believe it's possible to have the router WAN interface connect through to the ISP with a static IP and PPPoE sign on as well as another network device using the PPPoE and a separate static IP address, am I correct? Have I just over-complicated this network issue, and everything should just be run behind the existing firewall, or should I be able to find a different firewall/router or switch that can connect with SFP to the ISP?
Jul 20, 2011
My Storage supports RJ45 Connectivity. Sometimes it gives slow performance. What if I connect all the Macpro using fibre optic and use some sort of converter to convert all the fibre connection to LAN. Will it increase performance?
Jan 8, 2012
I've recently upgraded from a 512k adsl connection to a 16mb fiber optic connection. Whereas I never had a problem previously, my rvs4000 slows to a crawl once or twice per week. The only solution seems to be to cycle the power since the admin interface freezes. I also have to cycle the power on my two wireless ap to get them back up. I believe I have the latest firmware, is this a common problem on a faster connection?
May 30, 2012
We’ve just begun the transition from our old 3Com switches to new Cisco switches and we’ve encountered interoperability problems as we start the transition.
Goal: Extend 6 VLANs (each representing an IP subnet) via fiber from a port on the 3Com 5500G-EI to a port on the Cisco SG-300-52.
1) We assign an IPV4 address to the Cisco SG-300-52. We can successfully ping/web-manage at this address if we do a temporary copper jumper from a 3Com switch to the Cisco. IP address is in the subnet assigned to VLAN7.
2) At the 3Com side, the fiber port is set as “hybrid” and is passing VLAN 1 untagged; VLANs 3-8 tagged.
3) At the Cisco side, the fiber port is set as “trunk” and is defined with VLAN 1 untagged and VLANs 3-8 tagged.
A) If I try to change the management interface on the Cisco from VLAN 1 to VLAN 7 (as I would on the 3Com), I lose connectivity over the temporary copper connection.
B) If I remove the temporary copper jumper from the Cisco (keeping the “working” management IP address) and create the fiber link between the 2 switches, I lose connectivity to the management IP. If I set the 3Com fiber port to “access” and make the fiber connection, I can ping the management interface – but of course, I can’t pass the other VLANs to untagged access ports on the Cisco – and it has the fun side benefit of messing with IP management settings on other 3Com switch stacks attached to the 5500G-EI. However, it does demonstrate that we can get network traffic communicating over the fiber link between the 2 switches.
How can I proceed to a) have the management IP address in the IP subnet defined on VLAN 7 while passing the other VLANs to access ports on the Cisco? BTW, I’m a networking neophyte (it’s a very small part of my job and I do it infrequently), so I prefer to use GUI management to CLI options, although I can perform CLI configuration if presented with the right commands.
Dec 28, 2011
I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network. Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup: I have 3 domains.
[URL]
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.
The Cisco documentation states the following:
• Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).
Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.
Reading that it sounds like it should just work.
I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.
Feb 5, 2012
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments. I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses. Is there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6
VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1
VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN. I'm working with an ASA 5510 running 8.2.4(4).