Cisco Firewall :: ASA 5520 And ACL Between Two Subinterfaces With Same Security?
Jun 17, 2012
I have an ASA 5520 running 8.0(3) with two Subinterfaces configured like this:
=================================
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/1.72
description VLAN 72
[code]....
(notice that they have the same security-level)I need to control the traffic between them with ACLs so I in ASDM unchecked "enable traffic between two or more interfaces with same security level" and "enable traffic between two or more hosts connected to the same interface"Now I cannot ping from one Vlan to the other, as expected,,, but I tried many different ACLs and I cannot ping or telnet to the other side from either one.
I currently have an ASA 5520 in production without using subinterfaces. I have connected an interface on the ASA to a 4507, the 4507 contains SVIwhich perform the routing for our internal network. I have another ASA 5520 and I am playing around with a few new design scenarios. The problem I am currently having is with SubInterfaces on the inside of the network. I understand the subinterfaces on the outside network, I am using subinterfaces on the outside for dual homing ISPs.
I don't understand the multiple subinterfaces on the inside, for some reason I can't wrap my mind around using them. I have created a few and trunked a port from my 3560X to the ASA interface. Here is my design.
ASA 5520 Config(I realize that this isn't how it would look in CLI, I just don't remember all of the commands) interface Gi 0/1 nameif Physical Interface no ip address
interface Gi 0/1.10 nameif Prod_USERS ip address 172.16.10.1 255.255.255.0 security-level 100
interface Gi 0/1.20 nameif Users ip address 10.10.16.1 255.255.255.0 security-level 100
Alright so in this scenario I would have a trunk port from my 3560X connected to interface Gi 0/1 on the ASA. On the 3560X I would created the two VLANs (vlan 10 and vlan 20); I also created an SVI on the 3560X as follows.
3560X config interface VLAN 10 description PROD_USERS ip address 172.16.10.2 255.255.255.0 no shut
interface VLAN 20 description USER-NET ip address 10.10.16.2 255.255.255.0 no shut
Now I create a default route on the 3560X as follows, "ip route 0.0.0.0 0.0.0.0 172.16.10.1". By doing this, I can only route my 172.16.10.0 network out to the internet, not the 10.10.16.0 network? I have to remove the default route above and add ip route 0.0.0.0 0.0.0.0 10.10.16.0 for clients on that network to browse out to the web.
So I am obviously missing something crucial here and I just can't wrap my head around this design scenerio for some reason. the topology necessary for this configuration to function correctly and how I can get both of my VLANs to function properly. I would like for the 3560X to route traffic internally until traffic needs to browse into the DMZ or out to the web, and at such time it should then use the firewall.
i have a couple of ASA 5510 in Active/Failover configuration. Failover LAN is configured on management0/0 e the ASA are connected with a back-to-back direct cable.
ASA has an interface in access mode inside with standby ip address and show failover is compliant with expected result in show failover (Normal)
ASA-PRIMARY# sh failover Failover On Failover unit PrimaryFailover LAN Interface: LANfailover Management0/0 (up)Unit Poll frequency 1 seconds, holdtime 15 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy
how to use Subinterfaces on an Etherchannel for a Lan Failover link?I successfully bundled e0/0-1 and e0/2-3 to 2 Port-Channels with a 3750X Stack - and was able to set my "nameifs" and "security level" on Port-Channel Subinterfaces like "Port-channel1.4" As a lan based failover link the subinterfaces seem to be unusable ....
Do I need the security plus license to do HA with two 5520's?I was told by our purchasing department that the 5520 was supposed to be able to do HA out of the box, but when I look I see only the VPN + license. Does that mean I can download the security plus license? Or do I even need it on the 5520.
I have a DMZ (50) from where I need to allow some protocols to inside zone (level 0). I am doing that with ACL, but after having done that the implicit security level rule to lower level (outsite level 0) is not working anymore, I guess by the implicity deny after the acl. I'd need allow traffic to the outside zone from DMZ, as well as the inspect traffic from the inside one. Is there anyway to have both ACL and Security levels?
If not, what do I need to do to just allow some protocols going to higher level and leave the higher-to-lower traffic inspected allowed, same schema as we have with security levels.
On a Cisco ASA 5520. I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other but I DON'T want to blanket enable 'same-security-traffic permit inter-interface" I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic and it simply doesn't work.
I have issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with ACL. Even no restriction, traffic does not go through. [code]
I tried to access server from THREE network to web server at FOUR network I have no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) " I am not sure what else should I do. I add both same-security-level commands and it is the same.
Ive got a virtualised firewall running 3 security contexts in routed mode. What am experiencing is that i cannot connect to an OUTSIDE host through the security contexts. From the firewall itself i cannot ping the directly attached host on the OUTSIDE interface but i can ping the directly attached host on the INSIDE interface. When i reload the firewall box, the first ping to the OUTSIDE host would be successful but subsequent pings fail and thus total connectivity is lost.
I even tried upgrading to ASA version 8.4(1) but still the same.
What's the difference between VPN Plus license and Security Plus license. I have new 5520 shipped with VPN Plus license.Also does it require a seperate license for Anyconnect for Mobile and AnyConnect Essentials.
Does anyone know if it's possible to use a single interface on the ASA for both the failover interface and for stateful failover? Here's my situation.I'm looking to provision a pair of ASAs and I want to do stateful failover.The problem is that I need four interfaces (inside, outside, and two physical DMZ interfaces).I'm looking at either the 5520s or 5540s and these boxes need to run the IDS SSMs, so I can't use the 4-port expansion SSM.
I want to do stateful failover so I need two failover interfaces.What I'm wondering is if I can take one physical interface,run two subinterfaces on it, and then use those two subinterfaces for my failover and stateful failover interfaces.That would leave me with the four interfaces that I need for everything else
I have problems to configure CBWFQ on a ethernet sub-interface on a Cisco Router ASR 1001. Then I applied the policy in the physical interface but it should be is in the sub-interface. How can I configure CBWFQ on sub-interface in ASR 1001. (version 3.02).
Error Messages:
CBWFQ: Not supported on subinterfaces and efps
This the final output:
interface GigabitEthernet0/0/0 description Conexion WAN bandwidth 153600 no ip address load-interval 30 no negotiation auto
I have two C4506 switches and I would like to create two L3 links between them by using only one physical link. I will then assign each L3 link to a different VRF.
I think I have two choices but I'm not sure however that the second one is possible...
--------------- 1st choice: creating two VLANs and two SVIs on each switch
interface Vlan10 ip address 10.10.10.1 255.255.255.252 ip vrf forwarding vrf1
interface Vlan20 ip address 10.10.10.5 255.255.255..252 ip vrf forwarding vrf2(code)
I've been having a problem with my cisco routers (7600s) where sub-interfaces that we create for ldp tunnels are added automatically to the main ospf process as no passive when created. In order, here is how to reproduce the issue:
- Configure ospf process as "passive-interface default"
- Configure interfaces that have to be active as "no passive-interface blah"
- ospf works as expected.
- Create new sub- interface somewhere with encapsulation on a certain vlan for xconnect.
- New sub-interface gets added as "no passive-interface" in main ospf process.
- When adding a new port-channel interface, behavior is the same.
Is that normal for cisco, should I continue removing sub-interfaces manually every time from the ospf process?
I have set up a couple of vlans on a cisco 1721 router 4esw card using the vlan database and assigning an ip address of 192.168.1.x and 192.168.2.x for each vlan interface.Strangely enough connected computers can talk to the other vlan and I have not set any subinterfaces on the etherner0 (layer 3) and not even connected a cable.Is there any reason why this should happen since they should not talk to eachother being on seperate vlans.Doing a tracert shows that first the vlan ip address is hit and then straight to the target pc in the other vlan?
I have a project to upgrade an ASA 5520 to 9.1.x, then add another ASA for failover. What will be the correct way ?
I had the 2 Gb memory.
I have rewritten all nat statements (during my other 8.2 to 8.3 or 8.4 upgrade project, the nat conversion was catastrophic, so I rewrite all now).
Can I upgrade directly to v9 ? Or 8.2 -> 8.4 -> 9.1 ?
I think to :
- inject actual config in the new ASA in 8.2 - remove nat statement - upgrade to 8.4 - configure new nat - upgrade to 9 - connect the new ASA to the network and deconnect the other ASA - test - upgrade old ASA to 8.4 or 9 directly ? - configure failover
I have a SSL certificate from a third party that is showing under the Identity in ADSM, howerver the audit scan of the firewall shows that the SSL Certificate Signed with an unknown certification Authority. I have installed the Intermediate Primary and Secondary Certificate from the third party under the CA Certificate of the ADSM however when I verify the SSL certificate it still shows as self-signed. What other steps do I miss. I have attached some screenshots.
I'm trying to establish a site to site ipsec tunnel between an ASA 5520 and a Nortel Connectivity box. Despite trying a number of different transform sets and IKE setups it keeps failing at phase 1 with:
Information Exchange processing failed Received an UN-encrypted INVALID_ID_INFO notify message dropping.
We have a ASA 5520 which is configured to send log files to an ftp server. It has been doing that until recently I found out that it stopped sending the logs on August 11. I can't remember what I have changed in the ASA config to make the ftp stop. I changed the ftp config to another server but it won't upload any log file.
What can I do to make the ASA save the log buffer to the ftp server again?
We have two multilayer switches and only one ASA 5520. I'd like to connect ASA in the way described on the picture: each redundant interface includes two physical ones, which are connected to different switches
My question is what kind of link it is necessary to have between switches to make this idea work? I'd have subinterfaces like Re1.100, Re2.200 and so on for my traffic.
I understand that correct design approach is to have two redundant firewalls with failover but we cannot purchase the second one yet.
I recently configured WCCP with a Sophos Web Filter on my network it works good but the problem I am having is I have two 5520s so I am directing the device to look at 2 different IP addresses and since the devices are in an Active/Passive failover. The problem is because the second device is in a passive failover it is not responding which is throwing connection errors to my Sophos device. I know you can have a single management connection for the ASA's but is there a way to have a single IP for the ASAs for the WCCP?
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
I am having some challenges on my DMZ network.My servers and Cisco Switches in the DMZ are picking the mac address of the Firewall(Cisco ASA).I have put some static arp entries on the Firewall and switches but the servers and users on the DMZ are still receiving the mac address of the Firewall.How can i stop the Firewall from changing the mac addresses of the devices on the network.My ASA is a 5520 and i have 2960Switches.
I have a ASA 5520 upon which I need to build a WebVPN for the company urls - webmail, intranet portals etc. There will be 2 groups -
a. Confidential Access - For senior management. b. Public Access - For employee access.
RSA Token & LDAP auth would be used for access to the WebVPN. However, I am unclear on certain aspect.How do I isolate the 2 groups? I mean only Senior management should be able to view & access the first set of links while employees see and access the other set of links only.Both the groups will be available to all users loggin on to the WebVPN. Since the authentication mechanism - LDAP - is the same, anyone would be able to access the groups and in turn, urls.
I was unable to access my ASA 5520 using HTTP/HTTPS even on the management interface. I had upgrade the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin. But, the issue still the same.
My browser show the error message as attach image.
PGA-Firewall-02# sh run: Saved:ASA Version 8.3(2)!hostname PGA-Firewall-02enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface GigabitEthernet0/0 nameif public security-level 0 ip
I've just completed a port security project at a site on numerous Cisco switches and all works well, however they have 2 Nortel 5520 switches (which I left until the end) which they would like to lock down. I have logged a message on the Nortel forums and I have heard nothing for days. I just need to lock 2 ports down to the Mac address of 2 computers stopping any other computer being plugged in.
I´m trying to configure a subinterface named Inside with vlan 1 but the interface stops work with this vlan.My switch is a Cisco and use the lan with vlan 1 too.If I change de vlan for other i.e vlan13 works fine. And all others vlans works fine too.Is there a problem to use the vlan 1?
My configuration is:
Cisco ASA: interface gig0/3 no ip address no security no nameif
how many remote user connect using Cisco VPN client on Cisco Firewall ASA5520-BUN-K9? Already i read VPN Client FAQ But their have no information about user limitation.
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.