Cisco Firewall :: ASA 5520 And ACL Between Two Subinterfaces With Same Security?

Jun 17, 2012

I have an ASA 5520 running 8.0(3) with two Subinterfaces configured like this:
=================================
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/1.72
description VLAN 72

[code]....
 
(notice that they have the same security-level)I need to control the traffic between them with ACLs so I in ASDM unchecked "enable traffic between two or more interfaces with same security level" and "enable traffic between two or more hosts connected to the same interface"Now I cannot ping from one Vlan to the other, as expected,,, but I tried many different ACLs and I cannot ping or telnet to the other side from either one.

View 9 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5520 Subinterfaces Design Scenario

Mar 31, 2011

I currently have an ASA 5520 in production without using subinterfaces. I have connected an interface on the ASA to a 4507, the 4507 contains SVIwhich perform the routing for our internal network. I have another ASA 5520 and I am playing around with a few new design scenarios. The problem I am currently having is with SubInterfaces on the inside of the network. I understand the subinterfaces on the outside network, I am using subinterfaces on the outside for dual homing ISPs.
 
I don't understand the multiple subinterfaces on the inside, for some reason I can't wrap my mind around using them. I have created a few and trunked a port from my 3560X to the ASA interface. Here is my design.

ASA 5520 Config(I realize that this isn't how it would look in CLI, I just don't remember all of the commands)
interface Gi 0/1
nameif Physical Interface
no ip address
 
interface Gi 0/1.10
nameif Prod_USERS
ip address 172.16.10.1 255.255.255.0
security-level 100
 
interface Gi 0/1.20
nameif Users
ip address 10.10.16.1 255.255.255.0
security-level 100
 
Alright so in this scenario I would have a trunk port from my 3560X connected to interface Gi 0/1 on the ASA. On the 3560X I would created the two VLANs (vlan 10 and vlan 20); I also created an SVI on the 3560X as follows.
 
3560X config
interface VLAN 10
description PROD_USERS
ip address 172.16.10.2 255.255.255.0
no shut
 
interface VLAN 20
description USER-NET
ip address 10.10.16.2 255.255.255.0
no shut
 
Now I create a default route on the 3560X as follows, "ip route 0.0.0.0 0.0.0.0 172.16.10.1". By doing this, I can only route my 172.16.10.0 network out to the internet, not the 10.10.16.0 network? I have to remove the default route above and add ip route 0.0.0.0 0.0.0.0 10.10.16.0 for clients on that network to browse out to the web.
 
So I am obviously missing something crucial here and I just can't wrap my head around this design scenerio for some reason. the topology necessary for this configuration to function correctly and how I can get both of my VLANs to function properly. I would like for the 3560X to route traffic internally until traffic needs to browse into the DMZ or out to the web, and at such time it should then use the firewall.

View 5 Replies View Related

Cisco Firewall :: Can't Seem To Activate Subinterfaces On Gb Interface On Pix 525

May 2, 2012

i have a pix 525 running 8.0(4) and asdm 6.1(5)i have two ethernet interfaces, and two gb ethernet interfaces
 
i connected both gb ethernet interfaces to a switchport, configured as trunkcan't seem to activate subinterfaces on the gb interface on the pix 525.

View 7 Replies View Related

Cisco Firewall :: ASA 5510 Failover Subinterfaces Monitoring

Jan 30, 2013

i have a couple of ASA 5510 in Active/Failover configuration. Failover LAN is configured on management0/0 e the ASA are connected with a back-to-back direct cable.
 
ASA has an interface in access mode inside with standby ip address and show failover is compliant with expected result in show failover (Normal)
 
ASA-PRIMARY# sh failover Failover On Failover unit PrimaryFailover LAN Interface: LANfailover Management0/0 (up)Unit Poll frequency 1 seconds, holdtime 15 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy

[Code]....

View 2 Replies View Related

Cisco Firewall :: How To Use Subinterfaces On An Etherchannel For A Lan Failover Link / 3750X

Feb 19, 2012

how to use Subinterfaces on an Etherchannel for a Lan Failover link?I successfully bundled e0/0-1 and e0/2-3 to 2 Port-Channels with a 3750X Stack - and was able to set my "nameifs" and "security level" on Port-Channel Subinterfaces like "Port-channel1.4" As a lan based failover link the subinterfaces seem  to be unusable ....

View 1 Replies View Related

Cisco Firewall :: Do Need Security Plus License To Do HA With Two 5520

Mar 7, 2011

Do I need the security plus license to do HA with two 5520's?I was told by our purchasing department that the 5520 was supposed to be able to do HA out of the box, but when I look I see only the VPN + license.  Does that mean I can download the security plus license?  Or do I even need it on the 5520.

View 2 Replies View Related

Cisco Firewall :: ACL With Security Levels In ASA 5520

May 6, 2013

I have a DMZ (50) from where I need to allow some protocols to inside zone (level 0). I am doing that with ACL, but after having done that the implicit security level rule to lower level (outsite level 0) is not working anymore, I guess by the implicity deny after the acl. I'd need allow traffic to the outside zone from DMZ, as well as the inspect traffic from the inside one. Is there anyway to have both ACL and Security levels?
 
If not, what do I need to do to just allow some protocols going to higher level and leave the higher-to-lower traffic inspected allowed, same schema as we have with security levels.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 / Same Security Level Interface ACL?

Nov 10, 2011

On a Cisco ASA 5520.  I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other but I DON'T want to blanket enable 'same-security-traffic permit inter-interface"  I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic and it simply doesn't work.  
 
interface GigabitEthernet0/3.175
 vlan 175    
 nameif Test175
 security-level 30
 ip address 172.30.175.1 255.255.255.0

[code]....

View 13 Replies View Related

Cisco Firewall :: ASA 5520 8.2 With Same Security Level Interfaces

Mar 27, 2013

I have issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with ACL. Even no restriction, traffic does not go through. [code]

I tried to access server from THREE network to web server at FOUR network I have no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) " I am not sure what else should I do. I add both same-security-level commands and it is the same.

View 6 Replies View Related

Cisco Firewall :: Connection Failure In ASA 5520 Security Contexts

Mar 27, 2011

Ive got a virtualised firewall running 3 security contexts in routed mode. What am experiencing is that i cannot connect to an OUTSIDE host through the security contexts. From the firewall itself i cannot ping the directly attached host on the OUTSIDE interface but i can ping the directly attached host on the INSIDE interface. When i reload the firewall box, the first ping to the OUTSIDE host would be successful but subsequent pings fail and thus total connectivity is lost.
 
I even tried upgrading to ASA version 8.4(1) but still the same.

View 5 Replies View Related

Cisco Firewall :: Difference Of VPN Plus License And Security Plus License ASA 5520

Oct 16, 2012

What's the difference between VPN Plus license and Security Plus license. I have new 5520 shipped with VPN Plus license.Also does it require a seperate license for Anyconnect for Mobile and AnyConnect Essentials.

View 1 Replies View Related

Cisco :: Using Subinterfaces For Failover?

Sep 13, 2011

Does anyone know if it's possible to use a single interface on the ASA for both the failover interface and for stateful failover? Here's my situation.I'm looking to provision a pair of ASAs and I want to do stateful failover.The problem is that I need four interfaces (inside, outside, and two physical DMZ interfaces).I'm looking at either the 5520s or 5540s and these boxes need to run the IDS SSMs, so I can't use the 4-port expansion SSM.

I want to do stateful failover so I need two failover interfaces.What I'm wondering is if I can take one physical interface,run two subinterfaces on it, and then use those two subinterfaces for my failover and stateful failover interfaces.That would leave me with the four interfaces that I need for everything else

View 3 Replies View Related

Cisco WAN :: ASR 1001 CBWFQ Not Supported On Subinterfaces And Efps

Mar 19, 2012

I have problems to configure CBWFQ on a ethernet sub-interface on a Cisco Router ASR 1001. Then I applied the policy in the physical interface but it should be is in the sub-interface.  How can I configure CBWFQ on sub-interface in ASR 1001. (version 3.02).
 
Error Messages:
 
CBWFQ: Not supported on subinterfaces and efps
 
This the final output:
 
interface GigabitEthernet0/0/0
description Conexion WAN
bandwidth 153600
no ip address
load-interval 30
no negotiation auto

[code]....

View 2 Replies View Related

Cisco Switching/Routing :: C4506 - L3 Subinterfaces Between Two Switches

Jul 3, 2012

I have two C4506 switches and I would like to create two L3 links between them by using only one physical link. I will then assign each L3 link to a different VRF.
 
I think I have two choices but I'm not sure however that the second one is possible...

---------------
1st choice: creating two VLANs and two SVIs on each switch
 
interface Vlan10
ip address 10.10.10.1 255.255.255.252
ip vrf forwarding vrf1
 
interface Vlan20
ip address 10.10.10.5 255.255.255..252
ip vrf forwarding vrf2(code)

View 1 Replies View Related

Cisco WAN :: 7600s / Auto Add Of Subinterfaces As No Passive-interface In OSPF?

May 29, 2011

I've been having a problem with my cisco routers (7600s) where sub-interfaces that we create for ldp tunnels are added automatically to the main ospf process as no passive when created. In order, here is how to reproduce the issue:
 
- Configure ospf process as "passive-interface default"

- Configure interfaces that have to be active as "no passive-interface blah"

- ospf works as expected.

- Create new sub- interface somewhere with encapsulation on a certain vlan for xconnect.

- New sub-interface gets added as "no passive-interface" in main ospf process.

- When adding a new port-channel interface, behavior is the same.
 
Is that normal for cisco, should I continue removing sub-interfaces manually every time from the ospf process?

View 4 Replies View Related

Cisco Switching/Routing :: 1721 / Vlans Talking To Each Other Without Subinterfaces Set?

Sep 14, 2012

I have set up a couple of vlans on a cisco 1721 router 4esw card using the vlan database and assigning an ip address of 192.168.1.x and 192.168.2.x for each vlan interface.Strangely enough connected computers can talk to the other vlan and I have not set any subinterfaces on the etherner0 (layer 3) and not even connected a cable.Is there any reason why this should happen since they should not talk to eachother being on seperate vlans.Doing a tracert shows that first the vlan ip address is hit and then straight to the target pc in the other vlan?

View 4 Replies View Related

Cisco Security :: ASA 5520 - Upgrade 8.2.x To 9.1.x?

Jan 17, 2013

I have a project to upgrade an ASA 5520 to 9.1.x, then add another ASA for failover.  What will be the correct way ?
 
I had the 2 Gb memory.
 
I have rewritten all nat statements (during my other 8.2 to 8.3 or 8.4 upgrade project, the nat conversion was catastrophic, so I rewrite all now).
 
Can I upgrade directly to v9 ? Or 8.2 -> 8.4 -> 9.1 ?
 
I think to :
 
- inject actual config in the new ASA in 8.2
- remove nat statement
- upgrade to 8.4
- configure new nat
- upgrade to 9
- connect the new ASA to the network and deconnect the other ASA
- test
- upgrade old ASA to 8.4 or 9 directly ?
- configure failover

View 1 Replies View Related

Cisco Security :: Configuring SSL Certificate On ASA 5520

Jun 20, 2011

I have a SSL certificate from a third party that is showing under the Identity in ADSM, howerver the audit scan of the firewall shows that the SSL Certificate Signed with an unknown certification Authority. I have installed the Intermediate Primary and Secondary Certificate from the third party under the CA Certificate of the ADSM however when I verify the SSL certificate it still shows as self-signed. What other steps do I miss. I have attached some screenshots.

View 2 Replies View Related

Cisco Security :: ASA 5520 VPN To Nortel Connectivity

Feb 1, 2007

I'm trying to establish a site to site ipsec tunnel between an ASA 5520 and a Nortel Connectivity box. Despite trying a number of different transform sets and IKE setups it keeps failing at phase 1 with:

Information Exchange processing failed
Received an UN-encrypted INVALID_ID_INFO notify message dropping.

View 4 Replies View Related

Cisco Security :: ASA 5520 No Longer Sending Log To FTP

Sep 22, 2011

We have a ASA 5520 which is configured to send log files to an ftp server.  It has been doing that until recently I found out that it stopped sending the logs on August 11.  I can't remember what I have changed in the ASA config to make the ftp stop.  I changed the ftp config to another server but it won't upload any log file.
 
What can I do to make the ASA save the log buffer to the ftp server again?

View 1 Replies View Related

Cisco Security :: ASA 5520 And Redundant Interfaces Design

Apr 17, 2011

We have two multilayer switches and only one ASA 5520. I'd like to connect ASA in the way described on the picture: each redundant interface includes two physical ones, which are connected to different switches

My question is what kind of link it is necessary to have between switches to make this idea work? I'd have subinterfaces like Re1.100, Re2.200 and so on for my traffic.
 
I understand that correct design approach is to have two redundant firewalls with failover but we cannot purchase the second one yet.

View 1 Replies View Related

Cisco Security :: Dual ASA 5520 WCCP Configuration?

Dec 6, 2012

I recently configured WCCP with a Sophos Web Filter on my network it works good but the problem I am having is I have two 5520s so I am directing the device to look at 2 different IP addresses and since the devices are in an Active/Passive failover.  The problem is because the second device is in a passive failover it is not responding which is throwing connection errors to my Sophos device.  I know you can have a single management connection for the ASA's but is there a way to have a single IP for the ASAs for the WCCP?

View 1 Replies View Related

Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using ASA-5520-K9 with  ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.

View 1 Replies View Related

Security / Firewalls :: Cisco ASA 5520 - Mac Address On Servers And Switches

Dec 16, 2011

I am having some challenges on my DMZ network.My servers and Cisco Switches in the DMZ are picking the mac address of the Firewall(Cisco ASA).I have put some static arp entries on the Firewall and switches but the servers and users on the DMZ are still receiving the mac address of the Firewall.How can i stop the Firewall from changing the mac addresses of the devices on the network.My ASA is a 5520 and i have 2960Switches.

View 4 Replies View Related

Cisco Security :: 5520 Build A WebVPN For The Company Urls

Jun 22, 2008

I have a ASA 5520 upon which I need to build a WebVPN for the company urls - webmail, intranet portals etc. There will be 2 groups -

a. Confidential Access - For senior management.
b. Public Access - For employee access.
 
RSA Token & LDAP auth would be used for access to the WebVPN. However, I am unclear on certain aspect.How do I isolate the 2 groups?  I mean only Senior management should be able to view & access the first set of links while employees see and access the other set of links only.Both the groups will be available to all users loggin on to the WebVPN. Since the authentication mechanism - LDAP - is the same, anyone would be able to access the groups and in turn, urls.

View 2 Replies View Related

Cisco Security :: Unable To Access ASA 5520 Using HTTP / HTTPS?

Dec 9, 2010

I was unable to access my ASA 5520 using HTTP/HTTPS even on the management interface. I had upgrade the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin. But, the issue still the same.
 
My browser show the error message as attach image.
 
PGA-Firewall-02# sh run: Saved:ASA Version 8.3(2)!hostname PGA-Firewall-02enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface GigabitEthernet0/0 nameif public security-level 0 ip

[Code]....

View 7 Replies View Related

Cisco Switching/Routing :: Port Security On Nortel 5520

Jun 6, 2012

I've just completed a port security project at a site on numerous Cisco switches and all works well, however they have 2 Nortel 5520 switches (which I left until the end) which they would like to lock down.  I have logged a message on the Nortel forums and I have heard nothing for days.  I just need to lock 2 ports down to the Mac address of 2 computers stopping any other computer being plugged in. 

View 2 Replies View Related

Cisco Security :: Subinterface Stops When Use VLan 1 Default ASA 5520

Mar 17, 2011

I´m trying to configure a subinterface named Inside with vlan 1 but the interface stops work with this vlan.My switch is a Cisco and use the lan with vlan 1 too.If I change de vlan for other i.e vlan13 works fine. And all others vlans works fine too.Is there a problem to use the vlan 1?
 
My configuration is:
 
Cisco ASA:
interface gig0/3
no ip address
no security
no nameif
 
Interface gig0/3.1
vlan 1
nameif Inside
Securirity-level 100
ip address 10.x.y.x 255.255.224.0

The  giga port of the swtich is configure to trunk model.

View 2 Replies View Related

Cisco Security :: ASA 5520 - VPN Client Remote User Limit

Jun 16, 2012

how many remote user connect using Cisco VPN client on Cisco Firewall ASA5520-BUN-K9? Already i read VPN Client FAQ But their have no information about user limitation.

View 1 Replies View Related

Cisco Firewall :: Upgrade From 5505 To 5520 On Network - ASA Firewall Throughput

Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
 
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
 
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?

View 1 Replies View Related

Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citric Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
 
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
 
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
 
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.

View 17 Replies View Related

Cisco Firewall :: Launch LAND Attack Against Firewall ASA 5520

Apr 15, 2013

I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved