Cisco Firewall :: ASA 5550 - Active Port Availability

Sep 28, 2011

with the 5550 we get 4 gig ports on slot 0 and 8 gig ports on slot 1, also a fast Ethernet management interface port. The documentation states that only 8 ports can be active at any one time but does that exclude this management port so that I can use this as well ?
 
Also is the port assignments for slot 1 like g1/0 - 1/7 ? As the other the 8 ports in slot 1 are 4 x gig E and 4 x gig sfp.

ADVERTISEMENT

Cisco Firewall :: ASA 5520 Configuring Active Standby High Availability

Nov 1, 2011

I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.

View 5 Replies View Related

Cisco Firewall :: ASA 5550 Active / Standby With SSL VPN

Jun 12, 2011

I would like to work with two ASA's 5550 in HA (Acitve-Standby)  like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.

View 1 Replies View Related

Cisco Firewall :: ASA 5550 Lost SSH To Active On Failover?

Dec 19, 2010

I am having a curious problem with two Cisco ASA 5550. They are configured in Active/Standby failover and in routed mode.The problem is: I cannot connect via SSH to the ACTIVE unit, only to the STANDBY. If a switchover is forced the problem is still the same. because it happens both with the primary and the secondary unit.It is not a L2 or a transport problem, because I can ping or access both units via ASDM.

View 8 Replies View Related

Cisco Firewall :: ASA 5550 Transparent Active / Standby Configuration

Dec 20, 2012

I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA: [code]My questions are the following:

1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip needs to be the same as the management ip address?
 
2. Does any other additional config is needed for HA to work for basic active/stand-by failover?
 
3. Which is the best method to add the second box without disrupting the active box?

View 3 Replies View Related

Cisco Firewall :: 5550 - Apply New Startup Configuration To ASA Active Member?

Jun 17, 2012

I have pair of ASA 5550 and I am trying to copy a new config to my member1 (active) as the new configuration I want to use for the pair.  I want to copy this to start-up config on member1 and then reload member1 and have it copy the same config to member2 (stdby).  I guess I am trying to understand if I copy the configuration to member1 and reload it, member 2(stdby) will have become active and try to copy the old configuration to member1 which I do not want. 
 
get the commands straight that I need to execute to make sure the new startup config gets to both members without being overwritten?

View 1 Replies View Related

Dell :: XPS 1340 And WWAN 5550 / 5560 Compatibility And Drivers Availability?

Jul 11, 2013

I'd like to get a new WWAN card for my Dell XPS 1340 - currently there is 5530, though now I would like to put 5550 or 5560. I have read couple of threads on dell forums, other forums regarding the drivers availability and compatibility, however I haven't noticed any for 1340. Even though mentioned cards are not officially available for this model?

View 2 Replies View Related

Cisco Firewall :: ASA 5550 Port Forwarding For HTTPs

Nov 27, 2012

I am setting up an ASA 5550 8.4 and asdm 6.4. Last thing I am missing is to get the static nat rule done for https. Done it with asdm and cli and always end up with "error: nat unable to reserve the port". Looked around the Net so far and changed the http enable port to 4433. ASDM access is only configured for inside and mgmt port. Disabled under RA VPN all checkboxes in clientless ssl and any connection profiles since IKEv1 is used for vpn access.

View 2 Replies View Related

Cisco Firewall :: Configuring NAT Port Forwarding Failover On ASA 5550

Mar 26, 2011

I've two Cisco ASA 5550 firewall. I'm don't have much knowlege on configuring this kind of firewall. I need configuring these firewall for simple NAT. I have 3 public IP address. I would like to allow server's inside of the firewall to be able to connect to internet using private address. A basic NAT. Also need to configure some port forwarding. We've bought two firewall for the Active/Active failover support. How can i configure this through ASDM? My ASDM version is 5.2.

View 1 Replies View Related

Cisco Firewall :: ASA 5520s From Active / Standby To Active / Active

Jul 17, 2012

I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.

View 6 Replies View Related

Cisco Security :: Iron Port S160 High Availability Deployment

Apr 10, 2011

I would like to know how to implement high availability on a S160 ironport device.i have two S160 device but the user guide is not useful.

View 1 Replies View Related

Cisco Firewall :: ASA 5585X Active / Active Failover Group Inter Routing

Mar 20, 2012

I am looking at deploying a pair of 5585X's in an active/active multiple context state.  I am creating Mulitple contexts that need to be able to route to each other.  I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts, i beleive this will work as basically i am just cascadng the contexts and sharing interfaces.
 
The main problem i have come across, is that if i deploy active/active across two appliances using 2 failover groups i can not see a way to route between them, for example. 
 
I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2  in failover group 1 on appliance A with the respective standbys on Appliance 2. I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.
 
I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover.  I do not beleive that I can share an interface between contexts in two separate failover groups and to be honest without adding a L3 device between the appliances i am not sure if this is possible.

View 9 Replies View Related

Cisco Firewall :: ASA 5510 Configuration Modifications In Active / Active Mode

Dec 17, 2012

I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA and make the config changes on the primary and then power on the secondary ASA ? Or this another way to do this?

View 3 Replies View Related

Cisco Firewall :: ASA5520 - Active / Active Failover In Multiple Security Contexts With Dual ISP?

Jun 1, 2011

I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?

View 1 Replies View Related

Cisco Firewall :: 5520 - ASA Active / Active Failover And IPS Failure

Mar 30, 2011

I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
 
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
 
IPS soft is 6.0(4) and ASA soft is 8.0(3)
 
I have checked cisco doc and it is confusing to me. it says:  "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..

View 2 Replies View Related

Cisco Firewall :: ASA5585-X Active / Active Failover Using Etherchannel?

Dec 27, 2011

its possible to set up active/active failover using etherchannel on 5585s? 

View 1 Replies View Related

Cisco Firewall :: How To Configure ASA5520 For Active / Active

Mar 17, 2013

How to Configure ASA5520 for Active/Active

View 8 Replies View Related

Cisco Firewall :: 5505 High Availability Over Dual WAN Connections

Mar 20, 2011

One of my remote sites acquires Internet connectivity via a cable  modem service.  This goes down intermittently, of course.  I would like  to purchase DSL service from the local telco and configure the edge ASA  (currently a 5505) to use the cable modem path normally ... and fall  back to the DSL path if necessary.
 
These seems hard to  do.  The edge box would need to evaluate the viability of a WAN path  using some set of tests ... perhaps pings to a handful of major Internet  sites.  If all those pings start failing, it would stall for a minute,  to give the WAN service provider time to recover ... then cut over to  the second path.  Cutting to the second path might mean pushing new DNS  server addresses to clients (or perhaps the edge box would hand out both  sets of DNS servers all the time and rely on the clients to try them  all.)  Once the cable modem provider restored service, the edge box  would stall for a while (ten minutes?  an hour?) and then cut back.
 
I'm willing to replace the edge box with something  fancier (a bigger ASA or something sold as a router or whatever),  although I'd like to stay under 10K (list) for such a replacement.

View 3 Replies View Related

Cisco Firewall :: 2911 - Control Link In Zone-Based Policy High Availability

Jun 26, 2012

I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemtion works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
 
This is a single point of failure and what I need is a way to mitigate that. Under:

redundancy
application redundancy
group 1
control <interface> protocol 1

only one control interface is allowed. Other manufacturers with similar functionality provide for the possibilty of a backup control link, for example the internal LAN interface or a dedicated backup link.
 
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?

View 1 Replies View Related

Cisco Firewall :: 5550 Firewall Set Up For Redundant Purpose

Mar 3, 2011

i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .interface Ethernet0/0 nameif outside security-level 0 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2!interface Ethernet1/0 nameif inside security-level 100 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11.default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .in this case the secondary ip add 10.0.0.11 is actually nerver used? similarly do i need to have two public ip address for outside (one for primary and one for secondary )   ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.

View 6 Replies View Related

Cisco Firewall :: 5550 Firewall Syslog Message

Feb 22, 2013

I have cisco 5550 Firewall, one messages appear in syslog server from Firewall, (warning) i want to stop this message from appearing syslog traps.

View 2 Replies View Related

Cisco Firewall :: Secondary ASA 5550 Firewall Getting Down Automatically?

Apr 17, 2011

I am having two ASA 5550 firewall running in active/standby mode. With in last two months our secondary firewall got down automatically 3 times. Firewall is running with IOS version 7.1.2. how to proceed further troubleshooting because there are not any logs on firewall.

View 3 Replies View Related

Cisco Firewall :: ASA 5550 Two ACL From Outside To Inside

May 13, 2011

I have  ASA5550 ruuning Version 8.3(1) with inside and outside interfaces as below [code] On the inside : I have a server (10.20.10.36) that need to be accessed from an outside host (Y.Y.131.34) , so I have the below NAT/ACL  rules. [code] is it right that I have to add two ACL entry for outside host to the NATed IP of the inside server , then again add another ACL entry from the same outside host to the private IP of my inside server o get this communication done?

View 7 Replies View Related

Cisco Firewall :: ASA 5550 With IOS 8.0(2) Crashes

Jan 31, 2012

we had just installed our ASA 5550 with IOS 8.0(2) a couple of week ago.
 
2 interfaces from each slot are being used ie 0/0 for Branch users comming via MPLS cloud ,  0/1 for internal LAN users comming form Core Switch  & 1/0 for Server farm LAN   , 1/1  for Internet (outside)
 
the first 3 interface are considered inside with sec set at 100   while the 1/1 is outside with sec at 0.
 
Last night it suddenly started dropping all connections without any warning  or any noticible log form the ASDM logging.
 
the connection drop would happen for 2 - 3 minutes and would work fine for the next 15 minutes or so..
 
after conencting the console , we found out that the IOS would suddelny go abrupt and show this display ...
 
TP-ASA(config)# TP-ASA(config)# TP-ASA(config)# Thread Name: Dispatch UnitPage fault: Address not mapped    vector 0x0000000e       edi 0x24d184b0       esi 0x0000000d       ebp 0x1c6ceaf8       esp 0x1c6ceae0       ebx 0x09e965e0       edx

[Code]....

View 2 Replies View Related

Cisco Firewall :: 5550 - How To Do NAT Exemption With V8.4

Oct 4, 2011

I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.
 
We have public addresses inside the ASA and want to allow in/outbound connections using these IP's without NAT. The ASA is a 5550.

View 7 Replies View Related

Cisco :: What Is Active / Passive Port-channel

Feb 7, 2013

what is active/passive port-channel..? and how it will do load balancing when my network traffic is flowing on both the ports.

View 5 Replies View Related

Cisco Firewall :: ASA 5550 IPv6 Compatibility?

May 21, 2013

I need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
 
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.

View 2 Replies View Related

Cisco Firewall :: High CPU Utilization On ASA 5550?

Mar 10, 2013

I have Active Standby ASA5550 setup with VPN premium license. A few days back we had a requirement of SSL VPN connection for and we got a temporary from Cisco for same, this license expired and the ASA reverted to it's original license. 3 4 days after this we saw a sudden increase in CPU utilization (upto 90% + -5%) on the ASA during production hours but were not able to figure out the reason, in order to restore the services we failovered the firewall to secondary and everything worked fine. We were suspecting one of the following but there were no logs for any of this
 
1. The ASA hardware was haivng problem

2. Some client was doing a DoS attack to bring down the ASA (no logs for this as well).
 
We took a downtime to look further by failovering the ASA back to primary and it worked fine without any issues ruling out the 1st option. We also came across a licesing doc [URL]
  
Downgrading any license (for example, going from 10 contexts to 2 contexts).
 
# Note If  a temporary license expires, and the permanent license is a downgrade,  then you do not need to immediately reload the security appliance; the  next time you reload, the permanent license is restored.
  
As per this doc, sooner or later a restart was required on the ASA. We restarted secondary ASA and everthing was fine but when we restarted the primary ASA by swtiching over to secondary some of the server (not all) in the DMZ stopped working (even ICMP unreachable) and only came back to normal when the primary ASA was restored and working fine (with failover).
 
The reboot was done by shuting down the physical link between the Core switch and ASA inside individually.
 
I am not sure what could be the issue that the servers in the DMZ wen unreachable.

View 0 Replies View Related

Cisco Firewall :: ASA 5550 - Two Different Syslogs Servers?

Aug 9, 2010

In my Cisco ASA 5550, I need to set two different syslogs servers, and I need to send the system logs to the first one (only admins login/logout), and the traffic logs and all the rest (informational level) to the second one. Do you know if is it possible or not and, if yes, how to configure it?

View 6 Replies View Related

Cisco Firewall :: How Many Outside Interfaces Are Allowed On ASA 5550

Apr 26, 2011

I am using an ASA5550 for a complex secure network that has at least six "outside" networks.  Each "outside" network is assigned to a specific port each set at level "0".  I also have a DMZ, set to level "50".  I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks.  Is there a limit to the number of "outside" interfaces?  I will provide a redacted config file as soon as possible.

View 3 Replies View Related

Cisco Firewall :: ASA 5550 - URL Filtering Using Web Sense?

May 10, 2013

i have Cisco ASA 5550 and i want to do URL filtering using Web sense,can i use Micorsoft Forefront TMG2010 as websense server to do that?
 
the idea is to filter the HTTP & HTTPS URLs,if the  Micorsoft Forefront TMG2010 is not suitable,refer to suitable Websense URL filtering server?

View 2 Replies View Related

Cisco Firewall :: ASA 5550 Sending Reset With TTL Of 255

Oct 3, 2011

I have the following problem, right now we have an ASA 5550 connected to the client´s side. A reset is being received on the client´s side, but when we run the sniffers on both extremes of the network, we can see that the reset is not being sent by the server´s side.
 
We have narrowed it down to the 5550 ASA, but have found no bug that matches the description.
 
The characateristics of the reset packet are the following:
 
- It is the only packet with a TTL of 255.

- Both server and client have very different window sizes, and the reset packet even though has the server´s ip and port as source of the packet, it has the client´s window size.

- It has a correct ack number.

-Before the reset is received, there are a couple of retransmissions of the last packet sent.

- We´re handling a VPN tunnel between both servers.

View 1 Replies View Related

Cisco Firewall :: Does 5550 Contains Built In CSC / IPS Modules

Feb 7, 2011

i m looking for asa 5550 product.Part # ASA5550-BUN-K9 - Cisco ASA 5550 Appliance with SW, HA, 8GE+1FE, 3DES/AES
 
1) does 5550 contains built in CSC / IPS modules.? why i  m asking because the "quick refrence guide " indicates that expansion slots are not available.
 
2) can asa 5550 natively protects natively against networks attacks against virus / worms  etc with out CSC OR IPS MODULE.?

View 9 Replies View Related

Cisco Firewall :: ASA 5550 To ASA 5555-X Migration

Apr 23, 2013

I am about to carry out a migration from ASA 5550 to ASA 5555-X, however I cannot find any detailed document or reliable tool for this migration.

View 4 Replies View Related

Cisco Firewall :: ASA 5550 Cannot Logon With ADSM

May 22, 2012

I cannot logon with adsm anymore.when I run adsm, I type in my pw, and the screen keeps displaying "contacting the device". No timeout, just stays this way.I've updated the java version, no luck.I can connect with SSH with no problem. device = asa5550, 8.2(1) asdm 6.2(1) [code]

notice that there is no "with cookie-based authentication" here -- is this relevant?
 
Rebooting the device is not really an option.

View 7 Replies View Related

Cisco Firewall :: ASA 5550 Flags E Connection

May 2, 2012

I have an issue were thousands of connections on the ASA are marked with flags E, below is a visual of the connection. Any ideas what could cause this marking? Also, I can't grasp what the meaing of an outside back connection (ie flags E).
 
TCP DMZ:X.X.X.X/139 Inside:X.X.X.X/1828,    flags E, idle 9h37m, uptime 9h37m, timeout 15s, bytes 0

View 0 Replies View Related

Cisco Firewall :: Link Aggregation On ASA 5550?

Jan 10, 2011

i'm installing a Firewall Cisco ASA 5550 with 8 Gigabit interfaces.
 
I have installed firmware 8.2.3.
 
Is it possible to make link aggregation on ASA to have more bandwith?

View 7 Replies View Related

Cisco Firewall :: ASA 5520 / 5550 - Cannot Upgrade To 8.3

Aug 7, 2011

I have a couple of ASA5520 and ASA5550, and I wanted to know if it is worth it to upgrade the software from 8.2(4) to 8.2(5)?  Because of the RAM I cannot upgrade to 8.3 for now.

View 1 Replies View Related

Cisco Firewall :: ASA 5550 - Cannot Copy IOS From Flash To PC

Jan 8, 2013

I just got a brand new ASA 5550, i configured the port g0/0  on asa with an ip address 192.168.10.1 then configure my computer with ip 192.168.10.2 and default gateway is 192.168.10.1. I'm able to ping the asa from my computer. I remote to ASA thru the console port  and try to copy iOS from flash to my pc but it doesn't work.
 
Cisco asa# copy flash tftp://192.168.10.2/asa804-k8.bin
Source file name []? asa804-k8.bin
Address or name of remote host [192.168.10.2]?
Destination file name [asa804-k8.bin]?
 Writing file tftp://192.168.10.2/asa804-k8.bin...
!%Error writing tftp://192.168.10.2/asa804-k8.bin (Timed out attempting to connect)
Cisco asa#

View 3 Replies View Related

Cisco Firewall :: How To Compress Data On ASA 5550

Apr 6, 2011

I have two box cisco asa 5550 in multiple context mode and failover.
 
My network topology is:
 
                                Outside Network
                                         •
                                         •
                                         •
DMZ2 Network • • • • (CISCO ASA 5550) • • • • DMZ1 Network
                                         •
                                         •
                                         •
                                Inside Netowork
   
My interface "Inside Network" is full(I think).I can't diagnose this, based on command "sh interface gigabitEthernet"
 
109042974565 packets input, 100691006385765 bytes 
94097614769 packets output, 59002295942465 bytes
999339444 packets dropped
 
My interface is 1GB, based on the above command, it is full?If interface is full, i have a problem! All the ports on asa firewall are using, how do resolve this? I can compress all data on this interface with class maps and policy maps?

View 4 Replies View Related

Cisco Firewall :: Not Able To Access ASA 5550 Through ASDM

Apr 22, 2013

We are having Cisco ASA 5550 appliance. from some days i am not able to access this ASA using ASDM. I am able to access ASA using SSH.[code]
 
At the same time standby firewall works perfectly fine with ASDM. I have tried by reloding the firewall, then it worked for 2 days & again stopped working.

View 6 Replies View Related

ADVERTISEMENT