Cisco Firewall :: ASA 5550 Module 1 Interface
Oct 25, 2011Is it possible to use ports from 2 SFP and 2 RJ45 Interface on ASA 5550 Module 1.
View 5 RepliesIs it possible to use ports from 2 SFP and 2 RJ45 Interface on ASA 5550 Module 1.
View 5 RepliesI've got a ASA 5550 firewall interface failover issue. (File attached).
when I shut down the inside interface Gi 1/1 of the left firewall(Active firewall), It failed to failover. but when I shut down the Gi 1/12 of the Core 1 switch, The firewall failover very well.
I followed this guide but I was not able to failover. [URL]
how can I configure so that when the Gi 1/1 or Gi 1/0 interface goes down, it can failover ? Code...
the inside interface on our primary ASA seemed to "hang". It dropped all the packets it received. Because the interface didnt go down, failover didn't happen. Device's info;
-Cisco Adaptive Security Appliance Software Version 8.2(3)
-Device Manager Version 6.3(3)
-Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
-Internal ATA Compact Flash, 256MB
-BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
I attached a capture picture shows that traffic didnt go to the roof when the issue happened. Why the interface would "freeze" randomly?
I am normally only doing IOS config. I have little problem when trying to setup this unit.,It boots ASA software 8.0.4 fine.,When i go to enable mode and into configuration mode and try to configure ip on an interface i have a problem.,
ciscoasa(config)# intciscoasa(config)# interface manciscoasa(config)# interface management 0/0ciscoasa(config-if)# ?,Interface configuration commands: default Set a command to its defaults description Interface specific description dhcp Configure parameters for DHCP client duplex Configure duplex operation exit Exit from,interface configuration mode Interactive help for interface subcommands no Negate a command or set its defaults shutdown ,Shutdown the selected interface speed Configure speed operationciscoasa(config-if)#
I did try to upload the new software 8.4.2 from rommon using TFTP. ,It boots 8.4.2 fine, but have same problem as in 8.0.4.,I did try to create a user haveing priv 15 and logging on as that user. It gives the same.,The firewall is not in transparent mode.
I've recently set up a LAN-2-LAN VPN tunnel to a 3rd party service provider who uses RFC 1918 private addressing internally and cannot perform NAT on their side of the tunnel. In order to avoid conflicts with our address space I've had to implement DNAT for the address on the 3rd party network that users at my end must access. The tunnel terminates at my end on the outside interface of an ASA-5550 running 8.4.2. While the ASA has 8 interfaces at security levels between 0 and 100, DNAT only need occur for traffic flowing from inside (100) to outside (0).
The following (redacted) addressing applies:
Address of the server on the 3rd party provider network: 192.168.2.155
Mapped address of server as seen on the network at my end: 10.168.2.155
I've currently implemented DNAT using object NAT as follows:
object network remote-server
host 192.168.2.155
nat (outside,inside) static 10.168.2.155
This works as expected, however in examples and discussion I've seen, it appears that the typical way to configure NAT for this scenario is with manual NAT as follows:
object network remote-server
host 192.168.2.155
object network remote-server-mapped
host 10.168.2.155
nat (inside,outside) source static any any destination static remote-server-mapped remote-server
Is there any reason why I should consider using the manual NAT method rather than the object NAT method in this scenario?Are there any technical reasons why using object NAT in this manner should be avoided?
I am currently doing some research (for my employer) into creating multi-context sub-interfaces on a Transparent ASA 5550.
I have not been able to find any details on this subject which state it is or it is not possible. This will be used for Syslog logging.
I am switching a switch connecting to the ASA5550 tomorrow. My current switch is using fiber connecting to the ASA. The new one only support copper. If I switch between fiber to copper on the ASA (change media-type command on interface) will it cause a down time? I have VPN tunnel on the ASA and don't want the session to reset.
View 2 Replies View Relatedcan we connect ASA 5550 to Nexus 7K F2 module using twinax cable?
View 4 Replies View RelatedI am thinking about buying Dell 5550 module to my Latitude E6410. I know that for E6410 is designed 5540 module, but newer 5550 for E6420 has ability to use faster HSPA+ networks.
So my question is, any info on this combination of Latitude E6410 and Dell 5550 module?
I have a 1t3/e3 card in a new 2951. When I statred the router, I found no interface corresponding to this module when do "show ip interface brief"
View 3 Replies View Relatedi two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .interface Ethernet0/0 nameif outside security-level 0 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2!interface Ethernet1/0 nameif inside security-level 100 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11.default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .in this case the secondary ip add 10.0.0.11 is actually nerver used? similarly do i need to have two public ip address for outside (one for primary and one for secondary ) ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.
View 6 Replies View RelatedI have cisco 5550 Firewall, one messages appear in syslog server from Firewall, (warning) i want to stop this message from appearing syslog traps.
View 2 Replies View RelatedI am having two ASA 5550 firewall running in active/standby mode. With in last two months our secondary firewall got down automatically 3 times. Firewall is running with IOS version 7.1.2. how to proceed further troubleshooting because there are not any logs on firewall.
View 3 Replies View RelatedI need to configure a Cisco 2911. I need to give an interface in this module (VWIC3 - 4MFT-T1/E1) an IP address. My question is, how to assign an IP to an interface in this module.
My purpose is to get connectivity via T1 line to another router.
i will going to buy a router 2911 but i want know if support a interface ADSL modulo like backup in case that my primary link WAN Ethernet down and up the adsl link with a module HWIC ADSL pots.
View 1 Replies View RelatedI have ASA5550 ruuning Version 8.3(1) with inside and outside interfaces as below [code] On the inside : I have a server (10.20.10.36) that need to be accessed from an outside host (Y.Y.131.34) , so I have the below NAT/ACL rules. [code] is it right that I have to add two ACL entry for outside host to the NATed IP of the inside server , then again add another ACL entry from the same outside host to the private IP of my inside server o get this communication done?
View 7 Replies View Relatedwe had just installed our ASA 5550 with IOS 8.0(2) a couple of week ago.
2 interfaces from each slot are being used ie 0/0 for Branch users comming via MPLS cloud , 0/1 for internal LAN users comming form Core Switch & 1/0 for Server farm LAN , 1/1 for Internet (outside)
the first 3 interface are considered inside with sec set at 100 while the 1/1 is outside with sec at 0.
Last night it suddenly started dropping all connections without any warning or any noticible log form the ASDM logging.
the connection drop would happen for 2 - 3 minutes and would work fine for the next 15 minutes or so..
after conencting the console , we found out that the IOS would suddelny go abrupt and show this display ...
TP-ASA(config)# TP-ASA(config)# TP-ASA(config)# Thread Name: Dispatch UnitPage fault: Address not mapped vector 0x0000000e edi 0x24d184b0 esi 0x0000000d ebp 0x1c6ceaf8 esp 0x1c6ceae0 ebx 0x09e965e0 edx
[Code]....
I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.
We have public addresses inside the ASA and want to allow in/outbound connections using these IP's without NAT. The ASA is a 5550.
I need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
I have Active Standby ASA5550 setup with VPN premium license. A few days back we had a requirement of SSL VPN connection for and we got a temporary from Cisco for same, this license expired and the ASA reverted to it's original license. 3 4 days after this we saw a sudden increase in CPU utilization (upto 90% + -5%) on the ASA during production hours but were not able to figure out the reason, in order to restore the services we failovered the firewall to secondary and everything worked fine. We were suspecting one of the following but there were no logs for any of this
1. The ASA hardware was haivng problem
2. Some client was doing a DoS attack to bring down the ASA (no logs for this as well).
We took a downtime to look further by failovering the ASA back to primary and it worked fine without any issues ruling out the 1st option. We also came across a licesing doc [URL]
Downgrading any license (for example, going from 10 contexts to 2 contexts).
# Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
As per this doc, sooner or later a restart was required on the ASA. We restarted secondary ASA and everthing was fine but when we restarted the primary ASA by swtiching over to secondary some of the server (not all) in the DMZ stopped working (even ICMP unreachable) and only came back to normal when the primary ASA was restored and working fine (with failover).
The reboot was done by shuting down the physical link between the Core switch and ASA inside individually.
I am not sure what could be the issue that the servers in the DMZ wen unreachable.
In my Cisco ASA 5550, I need to set two different syslogs servers, and I need to send the system logs to the first one (only admins login/logout), and the traffic logs and all the rest (informational level) to the second one. Do you know if is it possible or not and, if yes, how to configure it?
View 6 Replies View RelatedI would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies View RelatedI am using an ASA5550 for a complex secure network that has at least six "outside" networks. Each "outside" network is assigned to a specific port each set at level "0". I also have a DMZ, set to level "50". I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks. Is there a limit to the number of "outside" interfaces? I will provide a redacted config file as soon as possible.
View 3 Replies View Relatedi have Cisco ASA 5550 and i want to do URL filtering using Web sense,can i use Micorsoft Forefront TMG2010 as websense server to do that?
the idea is to filter the HTTP & HTTPS URLs,if the Micorsoft Forefront TMG2010 is not suitable,refer to suitable Websense URL filtering server?
I have the following problem, right now we have an ASA 5550 connected to the client´s side. A reset is being received on the client´s side, but when we run the sniffers on both extremes of the network, we can see that the reset is not being sent by the server´s side.
We have narrowed it down to the 5550 ASA, but have found no bug that matches the description.
The characateristics of the reset packet are the following:
- It is the only packet with a TTL of 255.
- Both server and client have very different window sizes, and the reset packet even though has the server´s ip and port as source of the packet, it has the client´s window size.
- It has a correct ack number.
-Before the reset is received, there are a couple of retransmissions of the last packet sent.
- We´re handling a VPN tunnel between both servers.
i m looking for asa 5550 product.Part # ASA5550-BUN-K9 - Cisco ASA 5550 Appliance with SW, HA, 8GE+1FE, 3DES/AES
1) does 5550 contains built in CSC / IPS modules.? why i m asking because the "quick refrence guide " indicates that expansion slots are not available.
2) can asa 5550 natively protects natively against networks attacks against virus / worms etc with out CSC OR IPS MODULE.?
I am about to carry out a migration from ASA 5550 to ASA 5555-X, however I cannot find any detailed document or reliable tool for this migration.
View 4 Replies View RelatedI cannot logon with adsm anymore.when I run adsm, I type in my pw, and the screen keeps displaying "contacting the device". No timeout, just stays this way.I've updated the java version, no luck.I can connect with SSH with no problem. device = asa5550, 8.2(1) asdm 6.2(1) [code]
notice that there is no "with cookie-based authentication" here -- is this relevant?
Rebooting the device is not really an option.
I have an issue were thousands of connections on the ASA are marked with flags E, below is a visual of the connection. Any ideas what could cause this marking? Also, I can't grasp what the meaing of an outside back connection (ie flags E).
TCP DMZ:X.X.X.X/139 Inside:X.X.X.X/1828, flags E, idle 9h37m, uptime 9h37m, timeout 15s, bytes 0
i'm installing a Firewall Cisco ASA 5550 with 8 Gigabit interfaces.
I have installed firmware 8.2.3.
Is it possible to make link aggregation on ASA to have more bandwith?
I have a couple of ASA5520 and ASA5550, and I wanted to know if it is worth it to upgrade the software from 8.2(4) to 8.2(5)? Because of the RAM I cannot upgrade to 8.3 for now.
View 1 Replies View RelatedI just got a brand new ASA 5550, i configured the port g0/0 on asa with an ip address 192.168.10.1 then configure my computer with ip 192.168.10.2 and default gateway is 192.168.10.1. I'm able to ping the asa from my computer. I remote to ASA thru the console port and try to copy iOS from flash to my pc but it doesn't work.
Cisco asa# copy flash tftp://192.168.10.2/asa804-k8.bin
Source file name []? asa804-k8.bin
Address or name of remote host [192.168.10.2]?
Destination file name [asa804-k8.bin]?
Writing file tftp://192.168.10.2/asa804-k8.bin...
!%Error writing tftp://192.168.10.2/asa804-k8.bin (Timed out attempting to connect)
Cisco asa#
I have two box cisco asa 5550 in multiple context mode and failover.
My network topology is:
Outside Network
•
•
•
DMZ2 Network • • • • (CISCO ASA 5550) • • • • DMZ1 Network
•
•
•
Inside Netowork
My interface "Inside Network" is full(I think).I can't diagnose this, based on command "sh interface gigabitEthernet"
109042974565 packets input, 100691006385765 bytes
94097614769 packets output, 59002295942465 bytes
999339444 packets dropped
My interface is 1GB, based on the above command, it is full?If interface is full, i have a problem! All the ports on asa firewall are using, how do resolve this? I can compress all data on this interface with class maps and policy maps?