Cisco Firewall :: ASA 5520 Interfaces Bounced Due To WR Mem Executed

Sep 20, 2011

One line of an ACL was changed on an ASA 5520 (primary) and a wr mem was issued to save the change. It appears that when the wr mem was executed, the interfaced on the standby ASA bounced. Configurations have been saved in the past without the result of what's in the log entry.. 
 
ADC-5520-MGMT-FW01/stby# show logSyslog logging: enabled    Facility: 22    Timestamp logging: enabled    Standby logging: enabled    Debug-trace logging: disabled    Console logging: level errors, 1203060 messages logged    Monitor logging: level errors, 1203060 messages logged    Buffer logging: level errors, 17590658 messages logged    Trap logging: level informational, facility 22, 450126258 messages logged        Logging to management 10.5.3.214        Logging to management 10.142.20.214        Logging to management 10.218.3.31    History logging: disabled    Device ID: disabled    Mail logging: disabled    ASDM logging: level informational, 464351755 messages loggedSep 21 2011 17:35:29: %ASA-1-709006: (Primary) End Configuration Replication (STB)Sep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface managementSep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface outsideSep 21

[code]....

View 11 Replies


ADVERTISEMENT

Cisco Firewall :: 5520 - ASA Sub-interfaces NAT

Sep 7, 2011

i have an ASA 5520 running ver 8.4(1). have attached my interface config below and need to do the following, NAT traffic coming on GigabitEthernet0/2.101 to GigabitEthernet0/1, i.e. packets with destination 10.21.110.25 will be forwarded to 10.11.21.25, will a  nat (Production,Advocate_MPLS) static ... statement work ?
 
------------------------------------------------------------------------
interface GigabitEthernet0/1
description Production
nameif Production
security-level 100(code)

View 1 Replies View Related

Cisco Firewall :: Routing Between Interfaces On ASA 5520?

Jul 10, 2012

We have an ASA 5520 which is in multiple context mode. We are trying to pass traffic from the outside interface to the dmz interface. We have a /27 public ip range. We need a small amount of those addresses to be in the DMZ for SIP servers specifically. The rest of the addresses are NAT'd to the inside interface.So i created the outside interface GigabitEthernet0/0 with 1.2.3.192/28 Inside Interface GigabitEthernet0/2 with 192.168.20.0/24 DMZ interface on GigabitEthernet0/2.1 with 1.2.3.208/29 So all i want to do is route traffic that comes in the outside interface and out to the DMZ interface for the 1.2.3.208/29 subnet. I set the gateway address as 1.2.3.214 which is the DMZ interface address on the ASA.

View 20 Replies View Related

Cisco Firewall :: 5520 VPN Traffic Between Interfaces

Jun 12, 2011

Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).

View 4 Replies View Related

Cisco Firewall :: Max Sub-interfaces For ASA 5520 Running 8.2.2?

Feb 28, 2011

I have a Cisco ASA 5520 running 8.2.2 with the VPN Plus license.  I am wondering what is the max number of sub-interfaces you can have on a physical interface.  I know on the 5505 it was 20 sub-interfaces if you were running the Security Plus license. What is the magic number for the 5520.  I have hit 20 sub-interfaces on gi0/1 interface and now I am starting to run into problems with sub-interface #21.

View 1 Replies View Related

Cisco Firewall :: Configure Sub-interfaces In ASA 5520?

May 23, 2012

I have a cisco ASA 5520 that i'm configuring.From the actual Firewall (with is a linux server), we have the outside interface eth0 with has a public IP and other sub-interfaces (eth0.1; eth0.2,...) with others publics IPs.I'd like to know how I can configure it in an ASA

View 7 Replies View Related

Cisco Firewall :: Routing Between Two Sub Interfaces On ASA 5520?

Oct 15, 2012

I have two virtual interfaces on my ASA 5520:

GigabitEthernet0/1.338     172.30.0.81/28
GigabitEthernet0/1.345     172.30.0.129/28
 
I have the security levels for both set to 50 and in the ASDM I have checked off "Enable traffic between two or more interfaces which are configured with same security levels"
 
But now the need has arisen that we allow each subnet to be routable to each other for SMTP traffic, how can I accomplish this?

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Sub-interfaces With IPv6 Prefix

May 31, 2011

We have been testing out IPv6 configurations on a 5520 running 8.2(4).  We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure there IPv6 IPs and it works correctly.   I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work.  I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes.  But using the two methods yields two different interface configurations:
 
1.
interface GigabitEthernet0/1.40
vlan 40
nameif test

[Code].....

View 5 Replies View Related

Cisco Firewall :: 5520 Static NAT And Same IP Address For Two Interfaces

May 28, 2012

We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
 
-static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
-static (production,Outside) 10.10.10.10  access-list production_nat_static_1

View 2 Replies View Related

Cisco Firewall :: ASA 5520 8.2 With Same Security Level Interfaces

Mar 27, 2013

I have issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with ACL. Even no restriction, traffic does not go through. [code]

I tried to access server from THREE network to web server at FOUR network I have no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) " I am not sure what else should I do. I add both same-security-level commands and it is the same.

View 6 Replies View Related

Cisco Firewall :: 5520 Recreate Logical Interfaces For Each Physical Interface

Nov 29, 2012

We have to enable FIPS 140-2 on our ASA5520's for all our IPSEC VPN connections.   We currently have failover on our 5520's. I found a lot of information out there but some seems to conflict one another.What are the things I need to look out for - caveats? Does the clients that connect to the VPN had to use different clients once the FIPS was enabled.Do we need to recreate logical interfaces for each physical interface we have?

View 1 Replies View Related

Cisco Firewall :: Create Etherchannel With Sub-interfaces On Asa 5520 Running 8.4.1 Code?

Jun 22, 2011

I am trying to figure out how to create an etherchannel with sub-interfaces on an asa 5520 running 8.4.1 code.  It doesn't seem to allow me to configure any type of sub interface on the port-channel or anywhere else once I create it. 

View 4 Replies View Related

Cisco :: Log Buffer Has Logged All The Commands Executed

Jan 3, 2012

In case I view the crashinfo file with more crashinfo:data, there is a "Log buffer:" section, which has logged all the commands executed by users.

View 4 Replies View Related

Why Does DSL CKT Gets Bounced With Delivery Of Large Packet

May 20, 2011

Why does DSL CKT gets bounced with delivery of large packet?

View 11 Replies View Related

Cisco Security :: ASA 5520 And Redundant Interfaces Design

Apr 17, 2011

We have two multilayer switches and only one ASA 5520. I'd like to connect ASA in the way described on the picture: each redundant interface includes two physical ones, which are connected to different switches

My question is what kind of link it is necessary to have between switches to make this idea work? I'd have subinterfaces like Re1.100, Re2.200 and so on for my traffic.
 
I understand that correct design approach is to have two redundant firewalls with failover but we cannot purchase the second one yet.

View 1 Replies View Related

Cisco Switching/Routing :: ASA 5520 - Can't Ping / Pass Traffic Through Interfaces

Apr 17, 2012

I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static ip of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I can not ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACL's and NAT have to be done as well as enabling traffic between interfaces with the same security levels. (both interfaces have security levels of 100 and the option is checked to allow traffic).

Note: each network has it's own internet connection. The connection is to share information on servers on both networks with each other.

View 1 Replies View Related

Cisco Firewall :: Redundant Interfaces In ASA 8.0?

Aug 3, 2009

In ASA 8.0,I have following queries related to redundant interfaces
 
a)While configuring redundant interface can the redundant interface again be divided into logical interface like red1.1 , red1.2 ?

b)Is Redundant interface supported in the Multiple context mode

View 4 Replies View Related

Cisco Firewall :: How To NAT To Multiple Interfaces In 8.3

Jan 15, 2013

Having upgraded to 8.3 from 8.2 I and read much about the differences , it seems that 8.3 deals with NAT in a much more managed method.However I am confused on how one would NAT a network object to multiple interfaces? i.e I know you can specficy a NAT adddress within the network object howeveer this only allows you to specific a single IP address.What if I want to talk accross multiple interfaces how would I specify this?

View 5 Replies View Related

Cisco Firewall :: ASA5585 - Sub-interfaces On PO

May 17, 2012

I have put 2 physicl interfaces (te0/8 & 9) on the ASA-5585 into a PO and am assigning ips/vlans to the sub-interfaces. I have 2 issues: - Why am I not able to ping the other sub-interface from the ASA itself? (I can ping the 1st one), Secondly, why the IPs are not visible in "sh int ip brief" ?Although I can see them in "sh ip" ..
 
/actNoFailover(config-if)# int po17.100
/actNoFailover(config-subif)# vlan 100
/actNoFailover(config-subif)# ip add

[Code]....

View 2 Replies View Related

Cisco Firewall :: ASA 8.3 Server NAT To Different Interfaces?

Apr 10, 2011

Do i need to create 2 objects for nating a server to 2 different interfaces?That is an inside server published in two different dmzsAutomatic migration to 8.3 creates 2 objects (one for each nat)Can I do the same with only one object? like this or I need an object for each nat?
 
object network server
 
host 192.168.128.10
 nat (inside,dmz) static 172.24.1.10
 nat (inside,dmzguests) static 10.10.0.10

View 5 Replies View Related

Cisco Firewall :: ASA 5510 - IP Sec VPN On Sub-interfaces

Jun 20, 2012

Can  ASA sub-interfaces run separate IP Sec VPN tunnels eg
 
There are 02 sub-interfaces of 01 physical interface of Cisco ASA5510 [ASA Version 8.2(5)] and I need to run 01 IP Sec VPN tunnel on each of these

View 1 Replies View Related

Cisco Firewall :: ASA5510 Multiple Outside Interfaces

Jun 16, 2011

We have an ASA 5510 firewall.  There are 4 ports on it configured as 2 outside, one inside, and one DMZ.  We have two cable modems attached to the outside ports.  Our plan is to have the "inside" port directed to one outside port/cable modem, and the DMZ port directed to the other outside port/cable modem.
 
We have been able to get the "inside-to-outside" setup to work but not the "DMZ-to-outside" setup (at least at the same time).First off, is this possible?  If so, what are we likely missing - some way to have a second default route for the DMZ?(My manager is the "Cisco person" here, not me, so I may not have enough info.

View 1 Replies View Related

Cisco Firewall :: How To Enable Not Used Interfaces On ASA5520

May 12, 2011

I have a pair of brand new 5520s I am in the middle of commission.  After carving out all the DMZs etc I needed I realized that I really neede another physical NIC, not just another VLAN off a configured nic. [code]I am running 8.3(2).  How can I turn these "Not used" interfaces into useable ones?

View 2 Replies View Related

Cisco Firewall :: Communication Between Interfaces Of ASA 5510?

Mar 12, 2011

I configured ASA 5510 ...
 
Totally it had 5 ports..
 
How to provide communication between two different interfaces which had configured as same security level?
 
How many trunks will support ASA 5510 with base-license?
 
How to configure trunk to an interface with different VLNs( Router on a stick).

View 6 Replies View Related

Cisco Firewall :: ASA-5-305013 / Ssh Between 2 Internal Interfaces?

Jun 14, 2012

I have a problem on allowing ssh traffic between 2 different INTERNAL interfaces. Both the interfaces have the same security level (100).What I have to do is to allow a ssh command from 172.16.0.2 to 172.17.1.200. The firewall is configured but I am experiencing issues on the NAT.The error I get is as follows:#%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse  

View 3 Replies View Related

Cisco Firewall :: DMZ Sub Interfaces Into Sub Interface Of Asa5510

Jul 5, 2012

We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's.

View 7 Replies View Related

Cisco Firewall :: 5580 - Can't Ping ASA Different Interfaces

May 23, 2012

We are using Cisco ASA 5580 (8.2) firewall. When i try to ping from inside lan to firewall DMZ interface IP it is not pingable and but from inside users i am able to ping firewall inside interface IP address.
 
I think we can't ping to other interfaces of ASA by default. But can we allow the single IP address who can ping all the interfaces of firewall?
 
We are not doing any natting in firewall, for that we used the Load Balancer.

View 7 Replies View Related

Cisco Firewall :: How Many Outside Interfaces Are Allowed On ASA 5550

Apr 26, 2011

I am using an ASA5550 for a complex secure network that has at least six "outside" networks.  Each "outside" network is assigned to a specific port each set at level "0".  I also have a DMZ, set to level "50".  I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks.  Is there a limit to the number of "outside" interfaces?  I will provide a redacted config file as soon as possible.

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Can't Configure Interfaces

Mar 20, 2012

Got new ASA5550, code 8.2.2 in flash, can't configure "nameif" or "ip address" on the interfaces: [code] These are all the options that I get! Another weird thing I noticed is "<system>" string in "show ver" top line: [code]

View 2 Replies View Related

Cisco Firewall :: ASA 5515 - Two Interfaces Cannot Be In Same Subnet

Dec 5, 2012

I am working on translating configuration from a firewall named Joe box to ASA 5515. On Joe box, it has 5 continuous public IP addresses (xx.xx.xx.73 -77/29), first one as interface IP and others as alias, on the Internet-facing interface. I need to configure ASA 5515 in the same way, however it seems not simple.

- The way to configure sub interfaces on 5515 is by configuring V LAN.
- The interface can hold xx.xx.xx.73/29 without a problem.
- The first sub interface can have IP address xx.xx.xx.74 however with different mask(/16), as it doesn’t allow /29.
- The second sub interface doesn’t allow to enter IP xx.xx.xx.75, saying "Failed to apply IP address to interface GigabitEthernet0.x, as the network overlaps with interface GigabitEthernet0. Two interfaces cannot be in the same sub net."

View 6 Replies View Related

Cisco Firewall :: Gigabit Interfaces In ASA5510-SEC-BUN-K9?

Jul 14, 2011

I know with a ASA5510-SEC-BUN-K9, you can increase eth0/0 and eth0/1 to gigabit with the right IOS.  Is the same possible with the CSC version of the ASA?

Exact pn is ASA5510-CSC10-K9.  I believe I only have the base license for the ASA, but the security plus for the CSC.

View 4 Replies View Related

Cisco Firewall :: Can ASA5510 Be Configured To Use 2 Outside Interfaces

Feb 12, 2013

I am trying to determine if this is possible or not.  I have tried several configurations and I can only get half of it to work.
 
LAN (10.1.1.0/24) =====>                      <===== OUTSIDE (T-1)
                                            ASA5510
DMZ (10.1.10.0/29) ====>                      <===== BACKUP (DSL LINE)
 
The Cisco ASA5510 currently is configured with the following interfaces: inside, outside backup, and dmz.The backup interface routes to the internet via a DSL modem, it normally is not active.The outside interface routes to the internet via a T-1 line.The inside interface is our local LAN and the DMZ has our email server on it.I am wondering if there is a way to configure the ASA5510 so all internet traffic from the inside LAN goes only through the DSL modem and all the DMZ traffic only goes through the T-1 line.  No inside traffic (inbound or outbound) should go through the T-1.  No DMZ traffic (inbound or outbound) should go through the DSL line.
 
I can get the LAN to use the DSL line with no problem, but the DMZ to T-1 side causes reverse-path errors.I am not looking for redundancy or failover protection.

View 3 Replies View Related

Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using ASA-5520-K9 with  ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved