I have the following Setup, Two Cisco ASA 5520 needed to be configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?
View 1 RepliesCurrently l have two ASA 5520's in a active/passive failover scenario. Currently the interfaces for the inside and outside are fixed at 100/FULL.I want to repatch them into GigE ports setup as Auto Negotiate.Is there anyway of keeping the connections through the firewall active in this type of scenrio or will l have downtime disconnecting and repatching? or could l possibly disable failover and reconfigure each ?
View 6 Replies View RelatedI have been asked to look at upgrading two 5520 ASA configured in a HA pair Active/Standby, from version 7.2(4) to version 8.3(1) to bring it in line with some other ASA firewalls in the organisation.
My question is can I simply upgrade straight from 7.2(4) to 8.3(1) or will I have to step the upgrade from 7.2(4) => 8.2(x) => 8.3(1)
Having read a few articles on the forums and the release notes I think I should be able to go from 7.2(4) => 8.3(1) .
The second part of my query is around the upgrade itself, having researched this a little there seems to be various views on how to go about upgrading a HA pair and I cannot find anything specific on the website.
The approach I am thinking of is simply as follows;
- upload images onto both firewalls in the HA pair
- On the standby from the CLI
clear configure boot
[Code].....
Currently we are using a single connection to our ISP and in the coming months will be moving to a two seperate connections (to same ISP). In our current setup we utilize active/passive ASA's (5520, single context) and would like to utilize that going forward as well, the reason being is our DMZ's all hang off of these ASA's and we have fiber connectivity between our datacenters.Our main datacenter and DR Datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently with both terminating in our ASA's. That way if the ASA at our current site fails the DMZ's are still accessible via the secondary firewall at our DR facility.
View 1 Replies View RelatedUsers cannot download some files from a FTP in a software over VPN Explanation users work with a program and inside the program they download claim (the software goes to the FTP and download the file)
But the program returns an error 3018 in FTPGET. If the user goes to the old PPTP VPN it works like a charm so the problem is the Cisco VPN.
I cannot post my complete config but we use the filter vpn value to associate a special access-list to a user.
The user that has this problem has this as an access-list.
access-list 201 extended ip permit 10.250.128.0 255.255.255.0 192.168.202.0 255.255.255.0
I've made some research and i've added this info
policy-map global_policy
class inspection_default
Inspection ftp
Still doesn't work.
I have to add that normally the internal network is 2.0 and not 202.0 but since we have user with 2.0 at home we had to do this.
So when a user sends a request to 202. the cisco fowards it to the Juniper inside the network and it translate it back to 2.0 Also that is the ONLY thing that doesn't work. The client can work all day on that program and it will work #1 exept when she does the claims
I am also been working on this VPN for 2-3 months without any problems.
i have a problem with a Failover Pair of 5510. The Boxes run with the software version 8.2.5.
If the Active ASA goes down, the Standby ASA switch to Active.
If i switch on the old Active ASA, both ASA are Active. This problem don't solved with the command 'no failover active' on the Standby box. This problem only solved with the command 'no failover' and then 'failover' on the Standby box.
I had a design question, Currently we have a active/passive asa 5520 firewall setup. We have our edge router (3845), on which Gig 0/0 connects to the internet, Gig 0/1 connects to a port on the active firewall. We also have a one port fast ethernet card on the router.How can i use the fast ethernet port on the router to connect to the passive firewall, so that if the active firewall fails, there is internet connectivity through the fast ethernet port on the router.
View 3 Replies View RelatedI have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
IPS soft is 6.0(4) and ASA soft is 8.0(3)
I have checked cisco doc and it is confusing to me. it says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..
what is active/passive port-channel..? and how it will do load balancing when my network traffic is flowing on both the ports.
View 5 Replies View RelatedWe have an ACE 4710 that has two web servers in an active/passive scenario. The issue is that if node 1 fails and node 2 takes over connections to node 2 stay active even if node 1 becomes available again. Is there are way to ensure that node one is not placed back into service if it becomes available again.
how active/passive failover shoudl be configured, so I can make sure I have it set up correctly;
The following diagram is showing what I "Plan" on doing or "Hope" I can do. This is the most complicated deployment I have taken on in my profession, and Honestly it is very exciting, but had some questions.
1. The network between the ASA's and Routers, is that suppose to be a Private network or Public Network? I have to assume Public because I want my ASA's to take care of the NAT.
2. ASA's are runing single context Active/Standby so what way will the ASA push out going traffic?
3. The routers need to know about each other in a BGP configuration, correct? We accomplish this using iBGP so will that traffic need to be allowed through my firewall to allow the routers to share that information, or should these routers be talking to each other outside the firewalls?
Is this design possible? I am sure there are limitations as always, just trying to wrap my head around the flow of traffic and where to start.
Additional Details/Requirements -
BGP routers are 2921's that I have control of. Both routers have 4 port GigEtherswitches in them.
ASA's are Active/Passive and cannot be Active/Active due the limitations of the Active/Active Design (VPN limitations)
Both ISP's must be used for outbound traffic, I would like to be able to load balance, but can send some traffic one way and the rest of the traffic the other way based on Routes.
ISP's are not Symentrical, one is 50mbps and the other is 250mbps.
All NAT should take place at the ASA's
Additional Questions:
The routers that have gig etherswitches, can they run HSRP?
Should I be putting Layer 3 switches between the routers and the ASA's instead?
Where should I run my iBGP communication for the routers?
I have seen similar questions but with not a lot of answers for the ASA platform. As the title states, What procedures can I use to copy a pre-existing configured CISCO ASA 5520 to a brand new CISCO ASA 5520. I have found a URL that seems to answer some questions but not all. [URL]
The URL talks more about the PIX's than the ASA
Is there any documentation or shorter procedures for product specific on the 5520?
I have 2 Cisco 5520 ASAs and was configured for Fail over. Unfortunately our Primary ASA went down and Secondary becomes Active and network admin made lots of changes on Secondary Active ASA. What is the best practice to rejoin Primary as standby or active without loosing the existing configuration on Secondary Active ?
View 6 Replies View RelatedI am purchasing 2 5512x ASAs to be configured as an Active/Passive pair as a VPN device. Do I need to purchase anyconnect licenses for both devices?
View 2 Replies View Relatedwe operate an active/passive cluster with 2 ASA5510 in Routed Mode. Is it possible to add another node, so that we have one active and two standby nodes in the cluster? Unfortunately, I have found no documentation on this .... The data sheet say only up to 10 nodes can be mentioned as a VPN load balancing cluster.
View 1 Replies View RelatedI am attempting to allow traffic from one vlan to another.Vlan 1 is on Interface 0/2.vlan1Vlan 2 is on int 0/3.vlan2Each vlan can communicate inside it's own vlan, and the gateway on each responds to vlan specific clients My problem is that I am unable to communicate between the two vlans. Using the ASDM packet tracer tool, I find that packets are denied by the default rule (on the second Access List lookup). It appears as if the packet never reaches the other interface. The access rules are set up to allow traffic from one vlan to another (inbound), on both interfaces. Testing from either vlan to connect to the other fails. Below are the accee-rules for each vlans. Once I get basic connectivity working.
access-list aVlan1; 3 elements; name hash: 0xadecbc34
access-list aVlan1 line 1 extended permit ip any 192.168.151.64 255.255.255.192 (hitcnt=0) 0xeb0a6bb8
access-list aVlan1 line 2 extended permit ip any 192.168.151.128 255.255.255.128 (hitcnt=0) 0x3a7dfade
access-list aVlan1 line 3 extended permit ip any 192.168.151.0 255.255.255.0 (hitcnt=0) 0x93302455
access-list aVlan2_access_in; 3 elements; name hash: 0x6dc9adc7
access-list aVlan2_access_in line 1 extended permit ip 192.168.151.64 255.255.255.192 192.168.150.0 255.255.255.240 (hitcnt=0) 0x054508b7
access-list aVlan2_access_in line 2 extended permit ip 192.168.151.128 255.255.255.128 192.168.150.0 255.255.255.240 (hitcnt=0) 0xc125c41e
access-list aVlan2_access_in line 3 extended permit ip host 192.168.151.3 192.168.150.0 255.255.255.240 (hitcnt=0) 0x4adc114c
I have an asa 5520 that works fine if you are using passive ftp and ftp inspection is on globally. It is not working for an active ftp session. I tried allowing all ports back to the external ip address of the internal client as a test and this did not work either.
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.2(3)
policy-map Global_Policy
[Code].....
I read another article saying that this command needs to be on the asa "fixup protocol ftp 21"
If this is enabled will it show on the firewall? How do I enable it?
I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved. Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses from some time. I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.
View 3 Replies View Relatedhow many active TCP sessions my ASA has but having a hard time finding this information. When I do "show conn count" from the CLI it shows what I'm guessing is a sum of both TCP and UDP. Is there any way to get just the TCP connections?
View 3 Replies View RelatedI have two ASA 5520 version 8.2 in active Standay Mode. What is a good practice to setup IPS AIM ssm-20 for this setup.
Is IPS should be in Fail-Open or Fail-Close mode ?
Is Mangement ip for both IPS module should be same or diffrent. ?
Is the preempt option available in active standby ASA firewall setup with single context...somewhere i have read that same is available in active-active setup or active/standby setup with multiple context.If i active the multiple context mode on product environnement with two ASA5520 in Active/Standby mode, what are the impacts on the the production?
View 1 Replies View RelatedI am getting ready to setup avtice/standby failover on our ASA 5520's and have run in to an issue.I currently only have one External IP address available. My Idea was to use a private/placeholder IP address for the standby external IP Address, will this cause any issues with the failover? I know I won't be able to access the secondary from the outside, but that is not an issue.
View 2 Replies View RelatedI need to configure multiple context mode with active/standby failover solution.
Even after reading some Cisco documents I still can't understand if active/standby failover configuration has to be done within the admin context only or also within every single context (context-1, context-2 for example). In this case I have to allocate as failover interface a subinterface for each context (admin, context-1, context-2), right ?
Therefore a I have an other question: within the admin context, in a failover solution, do I have to allocate all interfaces I want to be moniotred, even though some will be used by context-1 only context and some others will be used by context-2 only context ?
An other question is: if active/standby failover configuration has to be done within each context, can I set regular failover within context-1 while stateful failover within context-2 ?
The last question is: can I use management interface within all 3 contexts ?
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
View 1 Replies View RelatedWe have a pair of 5510s and a pair of 5520s, each in Active/Standby mode. I'd like to upgrade the ASDM and ASA software on these, but am finding no documentation that advises on how this can be done without physical access to the devices. It so happens I am on site, but we will be deploying these throughout our network and I'd like to be able to perform this type of maintenance without travelling to each site. We utilize CSM and ASDM to manage these for the most part, but are certainly capable of configuring via CLI.
The issue may be my lack understanding of the ASA fundamentals, but I don't really get how the software can be copied to the individual ASAs of the pair so they may be reloaded and upgraded without outage. With a remote SSH connection to the pair, I'm only copying the software to the Active ASA, correct? Or is there a way to get the software to each disk individually from the single SSH connection? I'm not quite sure how to manage the Standby ASA without consoling into it... If I can indeed remotely get the software to each ASA (copying to different disks?? i.e. disk0: and disk1:?), then I also run into an issue updating the boot statement for each of them individually, though to resolve that I suppose I could just remove the old software, but that seems like bad practice before confirming the new software is ok.If there is a simpler way of deploying new code via ASDM or CSM, I'm certainly open to that.
I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
View 5 Replies View RelatedI am trying to setup an active/standby failover with 5520's running 8.4(2) and am having problems with it not dropping connections during the failover. I am using a portchannel from the switch to each ASA and using sub-interfaces off that. I'm using the command Failover mac address Port-Channel1 “mac-address on primary Port-Channel1” “mac-address on standby Port-Channel1”.The command goes through but doing a show interface port-channel1 doesn't show a change in the mac address on the secondary unit after a failover when it becomes active.
View 3 Replies View Relatedit is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.
View 1 Replies View Relatedit is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.
View 1 Replies View RelatedI have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
View 6 Replies View RelatedI am looking at deploying a pair of 5585X's in an active/active multiple context state. I am creating Mulitple contexts that need to be able to route to each other. I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts, i beleive this will work as basically i am just cascadng the contexts and sharing interfaces.
The main problem i have come across, is that if i deploy active/active across two appliances using 2 failover groups i can not see a way to route between them, for example.
I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2 in failover group 1 on appliance A with the respective standbys on Appliance 2. I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.
I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover. I do not beleive that I can share an interface between contexts in two separate failover groups and to be honest without adding a L3 device between the appliances i am not sure if this is possible.
I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA and make the config changes on the primary and then power on the secondary ASA ? Or this another way to do this?
View 3 Replies View RelatedI have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
View 1 Replies View Related