Cisco Firewall :: ASA 5540 - BGP Dynamic Routing
Jan 10, 2012Does ASA 5540 support BGP routing protocol to be configured on it??
I'm talking about the latest versions.
ADVERTISEMENT
Cisco Firewall :: 5540 PIM Multicast Routing In ASA Scenario
Jun 19, 2011We have an ASA-5540 (8.4(1)) The inside interface faces a few multicast receivers. The outside interface faces the multicast source.All of the ASA multicast documents I've download describe very simple network designs, such as a single segment on the ASA inside.Our PC hosts that will be multicast receivers are a couple router hops away from the ASA inside interface. I'm not sure what the best way is to configure multicast on the ASA.Should I configure the ASA with PIM routing and a static RP address (plus the ACL to allow the multicast source traffic in) since the receiver hosts are a couple hops away? I think I understand the IGMP joins are for a local PIM router, so configuring as a Stub Multicast router wouldn't work? The two Cisco routers between the host and the inside ASA interface already have PIM, a static RP address, and IP PIM Spare-Mode configured.
View 1 Replies View RelatedCisco Firewall :: Configure MAC Address Based Routing In ASA 5540?
May 10, 2012I have a network setup where two servers from inside need to communicate with a remote network via 2 VPN gateways. The destinations are same. However, the chalange is each server need to follow it's own VPN gateway. Since i can't configure PBR (policy based routing) in ASA, can i configure something like MAC Address based routing. I can't use destination based routing since the remote network are reachable from the both VPN Gateways.
View 1 Replies View RelatedCisco Firewall :: ASA5510 Dynamic Routing And Static NAT
Dec 10, 2011I have a ASA5510 with 2 internal interfaces (inside1 and inside2 same security level) configured with OSPF for dynamic routing with 2 routers to corporate subnets. I have a server in a private subnet that needs to be accessed from Internet. So static pat is used in ASA with the command
static (inside1, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255
As OSPF is in use, the subnet 192.168.1.0/24 may be reachable from interface inside2. When I tried to configure the static command for inside2,
static (inside2, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255.the error message came out "WARNING: mapped-address conflict with existing static...". Is this just a warning, or this is not possible in ASA.
Cisco Firewall :: ASA 5540 - Version Change In Firewall?
Mar 15, 2012How are asa5540 in high availability mode upgraded for their versions.
View 1 Replies View RelatedCisco Firewall :: Polycom HdX8000 Behind ASA 5540 Firewall?
Dec 28, 2012I am encountering some problems setting up my new polycom hdx 8000 behind ASA 5540?I have opened reuired ports through the firewall ( incoming and outgoing). I have enabled inspection h323 on ASA and enabled the option NAT is 323 compatible on Polycom.
3230-3243 tcp
h323 tcp
h323 udp
3230-3285 udp
Here is the problem.I get connected to the call but I cannot the remote site cannot see and hear me.But I can see and hear them.
Cisco Firewall :: ASA 5540 Upgrade From 7.1 To 8.4
Jul 16, 2012i need to upgrade ASA 5540 from 7.1 to 8.4 for secure connect feature of Cisco Jabber Configuration. Support forum guides that, i need to follow upgrade path from 7.1 --> 7.2 --> 8.0 --> 8.2 -->8.4 and also do a memory upgrade from 1GB to 2GB.
[URL]
I need to use this feature for only three or maximum four users in company then would i really need to do memory upgrade? or can i go with 1GB memory?also how i can get the prices of part number "ASA5540-MEM-2GB=" at cisco.com?
ASA-ISB-HQ# sh version
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
[Code].....
Cisco Firewall :: 5540 - ASA 8.2 No Nat-Control
Nov 19, 2011ASA5540# sh run nat-control
no nat-control
this means higher security can talk to lower security without NAT rules
Question 1) - if I want higher security zone to to talk to lower security with NAT rules. I would use statements like below. Am I correct?
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
global (inside) 1 interface
Is this correct? So in this case I am kindly of like overriding the no nat-control statement ...right?
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
And do I have to have a global statement for NAT 0 ...like below?
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-
Cisco Firewall :: Cannot Log In To ASA 5540 ASDM After Configuration IPS
Jun 10, 2012I Have Cisco 5540 with AIP-SSM-40, recently i config AIP-SSM-40 to capture all traffic from all interface any to any with promiscous mode and if card fail traffic still flow throuh asa, but after that i can't login to cisco ASDM, the error is "Un Able To Launch Device Manager From xx.xx.xx.xx"
View 2 Replies View RelatedCisco Firewall :: High CPU Utilization On ASA 5540
May 11, 2008I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. I saw some high cpu utilization bugs, but none looked to be relevant. How I can find the root cause of the CPU high utilization?
View 2 Replies View RelatedCisco Firewall :: ASA 5540 - NAT Not Working After Upgrade
Apr 26, 2011Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
Here's the lowdown:
Our public IP for our IronPorts ends in .167. That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts. Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
After the code upgrade, the nat won't work. No email sent or received. Nothing but Deny's on the ASA with flags reading either "SYN" or "RST". IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN on interface outside
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.
Cisco Firewall :: Reasons To Upgrade ASA 5540
Apr 29, 2012I have two Cisco ASA 5540, these ASA running ver 7.2. and used mainly as VPN gateways.My question is simple, Apart from the extra AnyConnect client functionality and the higher encryption, is there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x ?
View 4 Replies View RelatedCisco Firewall :: ASA 5540 Simulation In GNS3
Jan 26, 2013I have to use GNS3 for simulate ASA5540.but it does not work. I've installed latest GNS3(0.8.3.1 all in one) in Win7 32bit environment, and used IOS file is asa842-k8.bin.but i can't unpack it properly. it said "Couldn't find any ZIP header in asa842-k8.bin".
View 2 Replies View RelatedCisco Firewall :: Asa 5540 8.2.3 Arbitrarily Reload
Dec 19, 2011I have two ASA 5540 working in Active/Standby mode. After I've upgraded them to 8.2.3 ver. I have the following issue: once a day presently active device arbitary reloadI have no err in show version and in syslogs:11:15:50 ASA : %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.0.36/512 gaddr 10.0.0.16/0 laddr 1011:15:58 ASA : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.
View 4 Replies View RelatedCisco Firewall :: ASA 5540 And FTP Over Implicit TLS / SSL Client
Jan 3, 2012I am having the EXACT same problem as this user:URL
Error: GnuTLS error -53: Error in the push function.
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
Response: 421 Connection timed out.
However I am using implicit instead of explicit. Here are the outputs of items that have been requested in the other thread.
Cisco Firewall :: ASA 5540 SSH Not Working From Outside Port
Mar 13, 2011We are try to connect ssh via outside system (from Internet) its was not getting connected.
When we try to connect from outside pool of ip than its working.
Cisco Firewall :: ASA 5540 IPS Module Removal
May 20, 2012I have 2 ASA 5540's that I want to run in HA A/F. The active ASA has an IPS module running. I no longer need this and would rather remove it than purchase another module for the spare. What is the process to do this safely? After removal will the HA wizard recognize that the module was removed or do I have to update the software?
View 3 Replies View RelatedCisco Firewall :: ASA 5540 / Nat Line Removed From 8.4(3) To 8.4(4) 1?
Sep 23, 2012we have noted the automatically removing of the only "nat (inside,any)" line, during the upgrade of ASA 5540 from 8.4(3) to 8.4(4) 1: why ?
View 1 Replies View RelatedCisco Firewall :: Unable To Run FTPS (FTP Over SSL) Across ASA 5540?
Mar 19, 2012there was remote FTP - users behind ASA5540 can connect to it.
Now, with this ftp there is SSL/TLS encryption added and users behind this ASA can't connect to this FTPS.
It this possible for users behind ASA to connect to FTPSs?
Cisco Firewall :: How To Load IOS From ROM Monitor In ASA 5540
Jul 20, 2011I was looking in the CISCO webpage how to load an IOS from a tftp server but i got some questions:
I got the information from this webpage: [URL]
rommon #1> ADDRESS=10.132.44.177 <---- Which IP address? the one that I got on my firewall?
Cisco Firewall :: Getting ASA 5540 Default Contexts?
Apr 19, 2011Q1. I would like to confirm like how many total of contexts do I have by default when I purchase the ASA 5540 ? are they two contexts aside from the admin context or two contexts including the admin context?
Q2. can I configure the default box with High Availability using the default contexts?
Cisco Firewall :: ASA 5540 To Block Software
Aug 10, 2012I have an ASA 5540 , how can i block softwares like TeamViewer , VPN Adapters like Hamachi and all. Also , I have tried URL Blocking but i suppose ASA supports only HTTP url block and not HTTPS.
View 2 Replies View RelatedCisco Firewall :: ASA 5540 8.2 - Way To Make A Simple PAT
Sep 3, 2012I have a cisco ASA 5540 and i cant make a simple PAT (many private IP to one public IP). Below you can find my conf.
[code]...
Cisco Firewall :: ASA 5540 - Code Versions / 8.4 Or 9.x
Feb 28, 2013I am in the process of rebuilding our ASA 5540 pair. We are currently on 8.2 code with this set of firewalls and I was going to upgrade it to 8.4 being I have a couple of other firewalls running this code currently and am familiar with it. That said, I saw that the 9.x code is out there now. Are there any major advantages or caveats with the 9.0 code? I plan to use this firewall with SSL VPN and RSA Secure ID integration for the next 2-3 years at least. Any quick pointers on these two code versions and on upgrading to 9 or staying with 8.4 line.
View 2 Replies View RelatedCisco Firewall :: WCCP Redirection On ASA 5540?
Apr 3, 2013I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN of my catalyst 3750G?I want to filter traffic on port 80 (www) to the users on the LAN side debug on the ASA show me that comunication between that device and Websense is OK, there is Here_I_Am and I_See_You packets
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
From show WCCP i saw that WCCP engine and ASA were detected
FW# sh wccp
Global WCCP information:
Router information:
Router Identifier: 200.X.X.X
Protocol Version: 2.0
[code]....
Cisco Firewall :: Slow SQLnet Throughput On ASA 5540?
Nov 14, 2011I'm having a throughput problem with a new ASA 5540 running version 8.2 (1). When trying to access a database server using tcp port 1521 (sqlnet) it is about 10 to 20 times slower than when the database is not behind the firewall. We've been running the same software on a database behind an ASA 5520 running version 8.0 (3) with no problems for years. When I check the cpu usage on the 5540 at the ASDM home page, it is rarely above 20% and never above 30% while this is being tested. I tried testing ftp throughput over the same interface and it was normal with ~320 Mbps average rate transferring a 500 MB file.
View 6 Replies View RelatedCisco Firewall :: 5540 - Multicast Over Lan To Lan Ipsec Tunnel
May 3, 2011I need to configure multicast between 2 Csico 5540's lan to lan ipsec tunnel for a Voip application.
View 2 Replies View RelatedCisco Firewall :: 5540 - Remote VPN Authentication Fail?
Mar 15, 2011 wht would be change on configuration of remote access VPN on asa 5540.
4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,
[Code].....
Cisco VPN :: Juniper Firewall To ASA 5540 Drops Every 45 Minutes
Oct 10, 2012We have a VPN established between the above devices (I don't have more info on the Juniper as it's a client site) The Juniper initiates the VPN and all is well, tunnel is up all ok but approx every 45 minutes the VPN drops.
the tunnel parameters are set to keep it alive for 8 hours but that doesn't work.
Cisco Firewall :: Active Session Count Of ASA 5540 In HA?
Apr 15, 2012We have configured our ASA5540 in active-standby failover.We are observing that current active session count is twice of session count before configuring HA. Earlier average active session was 50000 and now after HA it is around 100000. Failover configuration of both firewall are as follows
failover
failover lan unit primary
failover lan interface FOLan GigabitEthernet1/0
failover polltime unit 15 holdtime 45
failover replication http
failover link StateLink GigabitEthernet1/1
failover interface ip FOLan 10.3.3.1 255.255.255.0 standby 10.3.3.2
[code]....
Cisco Firewall :: ASA 5540 Redundant Interface Failover
May 8, 2011I have two ASA 5540s, ver 8.4 configured in Active/Standby failover.I am also using the redundant interface feature for my Inside interface. Gig0/0 is the active primary and Gig0/1 is standby.
I will activate failover monitoring of the Inside interface using the monitor inside command.
My question concerns the failover monitoring of the redundant interface. If the gig0/0 connection were to fail would the Gig0/1 interface become Active, AND simultaneously result in a full device failover?
Or, does Gig0/1 of the Inside interface redundant pair simply become active and not change the Inside interface device failover state? Thus NOT resulting in a device failover.
Cisco Firewall :: 5540 Changing Host-name In Asa Cluster
Feb 11, 2013I have 2 cisco asa 5540's configured in active/standby mode. I need to change the hostname and domain name as per our standards. Does changing the hostname has any impact on the traffic flow?
View 1 Replies View RelatedCisco Firewall :: ASA 5540 Use For Protection From Internet Zone
Mar 7, 2012-1x Cisco ASA5540
-1x Catalyst 3750x-48T (L3 Core Switch)
Id like to seek expertise on validating a simple firewall setup.
Do i trunk core switch traffic to the cisco ASA OR assign L3 link instead? It is basic understanding that the Cisco ASA is usually use for protection from our internet zone.A typical Cisco ASA setup would consist of outside, inside, dmz zone.
L3 core switch consist of 20 VLANS20 vlan needs to be blocked from each other. Eg Wireless Vlan does not have access to Server Vlan etc etc.
what is the best practise to filter ip address within vlan from reaching each other.Should i trunk all my vlan to the Cisco firewall? (For easy vlan restrictions: but is that best practise?)Or do ACL on the core switch itself? but what if i have tons of servers ip that needs specific ports blocking or etc.How would i be able to manage all my ACL on the core switch.