Cisco Firewall :: ASA 5520 Interfaces Bounced Due To WR Mem Executed
Sep 20, 2011
One line of an ACL was changed on an ASA 5520 (primary) and a wr mem was issued to save the change. It appears that when the wr mem was executed, the interfaced on the standby ASA bounced. Configurations have been saved in the past without the result of what's in the log entry..
ADC-5520-MGMT-FW01/stby# show logSyslog logging: enabled Facility: 22 Timestamp logging: enabled Standby logging: enabled Debug-trace logging: disabled Console logging: level errors, 1203060 messages logged Monitor logging: level errors, 1203060 messages logged Buffer logging: level errors, 17590658 messages logged Trap logging: level informational, facility 22, 450126258 messages logged Logging to management 10.5.3.214 Logging to management 10.142.20.214 Logging to management 10.218.3.31 History logging: disabled Device ID: disabled Mail logging: disabled ASDM logging: level informational, 464351755 messages loggedSep 21 2011 17:35:29: %ASA-1-709006: (Primary) End Configuration Replication (STB)Sep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface managementSep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface outsideSep 21
[code]....
View 11 Replies
ADVERTISEMENT
Sep 7, 2011
i have an ASA 5520 running ver 8.4(1). have attached my interface config below and need to do the following, NAT traffic coming on GigabitEthernet0/2.101 to GigabitEthernet0/1, i.e. packets with destination 10.21.110.25 will be forwarded to 10.11.21.25, will a nat (Production,Advocate_MPLS) static ... statement work ?
------------------------------------------------------------------------
interface GigabitEthernet0/1
description Production
nameif Production
security-level 100(code)
View 1 Replies
View Related
Jul 10, 2012
We have an ASA 5520 which is in multiple context mode. We are trying to pass traffic from the outside interface to the dmz interface. We have a /27 public ip range. We need a small amount of those addresses to be in the DMZ for SIP servers specifically. The rest of the addresses are NAT'd to the inside interface.So i created the outside interface GigabitEthernet0/0 with 1.2.3.192/28 Inside Interface GigabitEthernet0/2 with 192.168.20.0/24 DMZ interface on GigabitEthernet0/2.1 with 1.2.3.208/29 So all i want to do is route traffic that comes in the outside interface and out to the DMZ interface for the 1.2.3.208/29 subnet. I set the gateway address as 1.2.3.214 which is the DMZ interface address on the ASA.
View 20 Replies
View Related
Jun 12, 2011
Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).
View 4 Replies
View Related
Feb 28, 2011
I have a Cisco ASA 5520 running 8.2.2 with the VPN Plus license. I am wondering what is the max number of sub-interfaces you can have on a physical interface. I know on the 5505 it was 20 sub-interfaces if you were running the Security Plus license. What is the magic number for the 5520. I have hit 20 sub-interfaces on gi0/1 interface and now I am starting to run into problems with sub-interface #21.
View 1 Replies
View Related
May 23, 2012
I have a cisco ASA 5520 that i'm configuring.From the actual Firewall (with is a linux server), we have the outside interface eth0 with has a public IP and other sub-interfaces (eth0.1; eth0.2,...) with others publics IPs.I'd like to know how I can configure it in an ASA
View 7 Replies
View Related
Oct 15, 2012
I have two virtual interfaces on my ASA 5520:
GigabitEthernet0/1.338 172.30.0.81/28
GigabitEthernet0/1.345 172.30.0.129/28
I have the security levels for both set to 50 and in the ASDM I have checked off "Enable traffic between two or more interfaces which are configured with same security levels"
But now the need has arisen that we allow each subnet to be routable to each other for SMTP traffic, how can I accomplish this?
View 5 Replies
View Related
May 31, 2011
We have been testing out IPv6 configurations on a 5520 running 8.2(4). We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure there IPv6 IPs and it works correctly. I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work. I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes. But using the two methods yields two different interface configurations:
1.
interface GigabitEthernet0/1.40
vlan 40
nameif test
[Code].....
View 5 Replies
View Related
May 28, 2012
We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
-static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
-static (production,Outside) 10.10.10.10 access-list production_nat_static_1
View 2 Replies
View Related
Mar 27, 2013
I have issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with ACL. Even no restriction, traffic does not go through. [code]
I tried to access server from THREE network to web server at FOUR network I have no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) " I am not sure what else should I do. I add both same-security-level commands and it is the same.
View 6 Replies
View Related
Nov 29, 2012
We have to enable FIPS 140-2 on our ASA5520's for all our IPSEC VPN connections. We currently have failover on our 5520's. I found a lot of information out there but some seems to conflict one another.What are the things I need to look out for - caveats? Does the clients that connect to the VPN had to use different clients once the FIPS was enabled.Do we need to recreate logical interfaces for each physical interface we have?
View 1 Replies
View Related
Jun 22, 2011
I am trying to figure out how to create an etherchannel with sub-interfaces on an asa 5520 running 8.4.1 code. It doesn't seem to allow me to configure any type of sub interface on the port-channel or anywhere else once I create it.
View 4 Replies
View Related
Jan 3, 2012
In case I view the crashinfo file with more crashinfo:data, there is a "Log buffer:" section, which has logged all the commands executed by users.
View 4 Replies
View Related
May 20, 2011
Why does DSL CKT gets bounced with delivery of large packet?
View 11 Replies
View Related
Apr 17, 2011
We have two multilayer switches and only one ASA 5520. I'd like to connect ASA in the way described on the picture: each redundant interface includes two physical ones, which are connected to different switches
My question is what kind of link it is necessary to have between switches to make this idea work? I'd have subinterfaces like Re1.100, Re2.200 and so on for my traffic.
I understand that correct design approach is to have two redundant firewalls with failover but we cannot purchase the second one yet.
View 1 Replies
View Related
Apr 17, 2012
I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static ip of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I can not ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACL's and NAT have to be done as well as enabling traffic between interfaces with the same security levels. (both interfaces have security levels of 100 and the option is checked to allow traffic).
Note: each network has it's own internet connection. The connection is to share information on servers on both networks with each other.
View 1 Replies
View Related
Aug 3, 2009
In ASA 8.0,I have following queries related to redundant interfaces
a)While configuring redundant interface can the redundant interface again be divided into logical interface like red1.1 , red1.2 ?
b)Is Redundant interface supported in the Multiple context mode
View 4 Replies
View Related
Jan 15, 2013
Having upgraded to 8.3 from 8.2 I and read much about the differences , it seems that 8.3 deals with NAT in a much more managed method.However I am confused on how one would NAT a network object to multiple interfaces? i.e I know you can specficy a NAT adddress within the network object howeveer this only allows you to specific a single IP address.What if I want to talk accross multiple interfaces how would I specify this?
View 5 Replies
View Related
May 17, 2012
I have put 2 physicl interfaces (te0/8 & 9) on the ASA-5585 into a PO and am assigning ips/vlans to the sub-interfaces. I have 2 issues: - Why am I not able to ping the other sub-interface from the ASA itself? (I can ping the 1st one), Secondly, why the IPs are not visible in "sh int ip brief" ?Although I can see them in "sh ip" ..
/actNoFailover(config-if)# int po17.100
/actNoFailover(config-subif)# vlan 100
/actNoFailover(config-subif)# ip add
[Code]....
View 2 Replies
View Related
Apr 10, 2011
Do i need to create 2 objects for nating a server to 2 different interfaces?That is an inside server published in two different dmzsAutomatic migration to 8.3 creates 2 objects (one for each nat)Can I do the same with only one object? like this or I need an object for each nat?
object network server
host 192.168.128.10
nat (inside,dmz) static 172.24.1.10
nat (inside,dmzguests) static 10.10.0.10
View 5 Replies
View Related
Jun 20, 2012
Can ASA sub-interfaces run separate IP Sec VPN tunnels eg
There are 02 sub-interfaces of 01 physical interface of Cisco ASA5510 [ASA Version 8.2(5)] and I need to run 01 IP Sec VPN tunnel on each of these
View 1 Replies
View Related
Jun 16, 2011
We have an ASA 5510 firewall. There are 4 ports on it configured as 2 outside, one inside, and one DMZ. We have two cable modems attached to the outside ports. Our plan is to have the "inside" port directed to one outside port/cable modem, and the DMZ port directed to the other outside port/cable modem.
We have been able to get the "inside-to-outside" setup to work but not the "DMZ-to-outside" setup (at least at the same time).First off, is this possible? If so, what are we likely missing - some way to have a second default route for the DMZ?(My manager is the "Cisco person" here, not me, so I may not have enough info.
View 1 Replies
View Related
May 12, 2011
I have a pair of brand new 5520s I am in the middle of commission. After carving out all the DMZs etc I needed I realized that I really neede another physical NIC, not just another VLAN off a configured nic. [code]I am running 8.3(2). How can I turn these "Not used" interfaces into useable ones?
View 2 Replies
View Related
Mar 12, 2011
I configured ASA 5510 ...
Totally it had 5 ports..
How to provide communication between two different interfaces which had configured as same security level?
How many trunks will support ASA 5510 with base-license?
How to configure trunk to an interface with different VLNs( Router on a stick).
View 6 Replies
View Related
Jun 14, 2012
I have a problem on allowing ssh traffic between 2 different INTERNAL interfaces. Both the interfaces have the same security level (100).What I have to do is to allow a ssh command from 172.16.0.2 to 172.17.1.200. The firewall is configured but I am experiencing issues on the NAT.The error I get is as follows:#%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
View 3 Replies
View Related
Jul 5, 2012
We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's.
View 7 Replies
View Related
May 23, 2012
We are using Cisco ASA 5580 (8.2) firewall. When i try to ping from inside lan to firewall DMZ interface IP it is not pingable and but from inside users i am able to ping firewall inside interface IP address.
I think we can't ping to other interfaces of ASA by default. But can we allow the single IP address who can ping all the interfaces of firewall?
We are not doing any natting in firewall, for that we used the Load Balancer.
View 7 Replies
View Related
Apr 26, 2011
I am using an ASA5550 for a complex secure network that has at least six "outside" networks. Each "outside" network is assigned to a specific port each set at level "0". I also have a DMZ, set to level "50". I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks. Is there a limit to the number of "outside" interfaces? I will provide a redacted config file as soon as possible.
View 3 Replies
View Related
Mar 20, 2012
Got new ASA5550, code 8.2.2 in flash, can't configure "nameif" or "ip address" on the interfaces: [code] These are all the options that I get! Another weird thing I noticed is "<system>" string in "show ver" top line: [code]
View 2 Replies
View Related
Dec 5, 2012
I am working on translating configuration from a firewall named Joe box to ASA 5515. On Joe box, it has 5 continuous public IP addresses (xx.xx.xx.73 -77/29), first one as interface IP and others as alias, on the Internet-facing interface. I need to configure ASA 5515 in the same way, however it seems not simple.
- The way to configure sub interfaces on 5515 is by configuring V LAN.
- The interface can hold xx.xx.xx.73/29 without a problem.
- The first sub interface can have IP address xx.xx.xx.74 however with different mask(/16), as it doesn’t allow /29.
- The second sub interface doesn’t allow to enter IP xx.xx.xx.75, saying "Failed to apply IP address to interface GigabitEthernet0.x, as the network overlaps with interface GigabitEthernet0. Two interfaces cannot be in the same sub net."
View 6 Replies
View Related
Jul 14, 2011
I know with a ASA5510-SEC-BUN-K9, you can increase eth0/0 and eth0/1 to gigabit with the right IOS. Is the same possible with the CSC version of the ASA?
Exact pn is ASA5510-CSC10-K9. I believe I only have the base license for the ASA, but the security plus for the CSC.
View 4 Replies
View Related
Feb 12, 2013
I am trying to determine if this is possible or not. I have tried several configurations and I can only get half of it to work.
LAN (10.1.1.0/24) =====> <===== OUTSIDE (T-1)
ASA5510
DMZ (10.1.10.0/29) ====> <===== BACKUP (DSL LINE)
The Cisco ASA5510 currently is configured with the following interfaces: inside, outside backup, and dmz.The backup interface routes to the internet via a DSL modem, it normally is not active.The outside interface routes to the internet via a T-1 line.The inside interface is our local LAN and the DMZ has our email server on it.I am wondering if there is a way to configure the ASA5510 so all internet traffic from the inside LAN goes only through the DSL modem and all the DMZ traffic only goes through the T-1 line. No inside traffic (inbound or outbound) should go through the T-1. No DMZ traffic (inbound or outbound) should go through the DSL line.
I can get the LAN to use the DSL line with no problem, but the DMZ to T-1 side causes reverse-path errors.I am not looking for redundancy or failover protection.
View 3 Replies
View Related
Nov 2, 2012
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
View 1 Replies
View Related
