Cisco Firewall :: ASA 5550 To Setup Unit / Cannot Configure IP In Interface
Nov 12, 2011
I am normally only doing IOS config. I have little problem when trying to setup this unit.,It boots ASA software 8.0.4 fine.,When i go to enable mode and into configuration mode and try to configure ip on an interface i have a problem.,
ciscoasa(config)# intciscoasa(config)# interface manciscoasa(config)# interface management 0/0ciscoasa(config-if)# ?,Interface configuration commands: default Set a command to its defaults description Interface specific description dhcp Configure parameters for DHCP client duplex Configure duplex operation exit Exit from,interface configuration mode Interactive help for interface subcommands no Negate a command or set its defaults shutdown ,Shutdown the selected interface speed Configure speed operationciscoasa(config-if)#
I did try to upload the new software 8.4.2 from rommon using TFTP. ,It boots 8.4.2 fine, but have same problem as in 8.0.4.,I did try to create a user haveing priv 15 and logging on as that user. It gives the same.,The firewall is not in transparent mode.
I'm trying to do some research on the Dispatch Unit process. It seems High CPU and this process go hand in hand. I haven't figured out an effective way of determining what underlying issue is the actual source. How to understand what the Dispatch Unit process is doing? I have an ASA 5550. I have seen the cpu hover around 85% +- 5% for sustained long periods, 30 - 60 min +. I have always been under the impression that around 80% cpu and you're probably dropping packets (that could be an out-dated belief).
when I shut down the inside interface Gi 1/1 of the left firewall(Active firewall), It failed to failover. but when I shut down the Gi 1/12 of the Core 1 switch, The firewall failover very well.
I followed this guide but I was not able to failover. [URL]
how can I configure so that when the Gi 1/1 or Gi 1/0 interface goes down, it can failover ? Code...
the inside interface on our primary ASA seemed to "hang". It dropped all the packets it received. Because the interface didnt go down, failover didn't happen. Device's info;
-Cisco Adaptive Security Appliance Software Version 8.2(3) -Device Manager Version 6.3(3) -Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz -Internal ATA Compact Flash, 256MB -BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
I attached a capture picture shows that traffic didnt go to the roof when the issue happened. Why the interface would "freeze" randomly?
I've recently set up a LAN-2-LAN VPN tunnel to a 3rd party service provider who uses RFC 1918 private addressing internally and cannot perform NAT on their side of the tunnel. In order to avoid conflicts with our address space I've had to implement DNAT for the address on the 3rd party network that users at my end must access. The tunnel terminates at my end on the outside interface of an ASA-5550 running 8.4.2. While the ASA has 8 interfaces at security levels between 0 and 100, DNAT only need occur for traffic flowing from inside (100) to outside (0).
The following (redacted) addressing applies:
Address of the server on the 3rd party provider network: 192.168.2.155
Mapped address of server as seen on the network at my end: 10.168.2.155
I've currently implemented DNAT using object NAT as follows:
This works as expected, however in examples and discussion I've seen, it appears that the typical way to configure NAT for this scenario is with manual NAT as follows:
nat (inside,outside) source static any any destination static remote-server-mapped remote-server
Is there any reason why I should consider using the manual NAT method rather than the object NAT method in this scenario?Are there any technical reasons why using object NAT in this manner should be avoided?
I am switching a switch connecting to the ASA5550 tomorrow. My current switch is using fiber connecting to the ASA. The new one only support copper. If I switch between fiber to copper on the ASA (change media-type command on interface) will it cause a down time? I have VPN tunnel on the ASA and don't want the session to reset.
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
I want absolute max throughput possible to be achieved in all focal points. We're all in internet related industries. Between gaming and web-development latency and throughput are major factors for us.
1) Garage (office). downstairs
2) Each bedroom x4. upstairs
3) Living room. downstairs
The fastest line we can get is Comcast 50mbdown/5up (Wideband).
I am looking for the best way to achieve wireless and wired performance for our setup.
Our gaming computers may be in our bedroom, and we also may bring it down to the office every now and then for LAN sessions. Most wireless will be happening downstairs with our laptops, but since we may do LAN sessions then hard wired latency may be important there too.
I dont know if placing one D-link DGL 4500 on the top floor would be enough; which I currently own. url...As far as I'm aware wireless signals transfer best top down. Would this wireless router be enough on top floor and that's it?
I have a Cisco 5512 x Firewall connected with Cisco Layer 3 switch 3750.I have two different WAN connections, one for Data and one for voice. Cisco Layer 3 switch is configured with 2 different VLAN's one for data & other is Voice Vlan. Switch is providing DHCP to computers and IP phones. Voice Pool 192.168.10.0/24 Vlan10 and Data pool 192.168.20.0/24 Vlan20.I need to route my data & voice traffic separately. Cisco ASA is connected with two different ISP's. So, how can I do this configuration so that Voice and Data traffic will route separately.
I have a brand new ASA5512-X running 8.6.1, and am trying to do an initial setup using the Quick Start Guide that came with it. However, the Management Interface is not working. I have a PC connected and set to use DHCP, but the port is not active. I connected a console cable and can see in the config that the interface is shutdown. So I set it to active, and the port is now active, but is not giving out a DHCP address as the guide says it should.I would like to use the ASDM Startup Wizard to configure this device, so how do I get it to work the way the instructions say it should?
We already have a subnet defined to inside interface and is in produciton. the default gateway is this interface ip. In that setup now I have to add one more subnet and as the first subnet is been defined in ASA indside interface, I have to assign secondary Ip to the inside interface so that new subnet users can easily reach here and go outside.
getting my additional IP addresses working on my ASA 5510. I have a /29 allocation and outbound access and inbound access to my internal www server is working fine through the default outside interface. However, I now need to setup a second IP address that maps internally to a different web server. When I setup a new network object with automatic NAT translation to the new IP address, it does not work. If I setup the same scenario using the outside interface, it works fine. What is the proper way to setup additional IP address on my ASA v8.4?
We've just started with the ASA 5505. We do run a DHCP server on the inside interface, so it is in the same VLAN 1 as all of the clients. However, we cannot get it to work.We can't use DHCP Relay, as the ASA 5505 only allows to relay to DHCP servers in a different subnet.Or do we have to move the DHCP server to a different subnet. If so, how would we configure that scenario?
I have a asa 5520 with an outside and backup interface. I am trying to configure two static nat statements from the inside to the outside and backup interface. Here is what I have configured so far.
I've tried to upgrade a redundant setup from 8.2(4)4 to 8.2(5)22 ending with a stanby ASA continuously crashing after config sync phase. On the first crash it even corrupted the flash, leaving me no choice than initializing the box from scratch.
Did setup iaw instructions. got to step 9 where it went into configure mode. last few messages
192.168.1.5 to 192.168.1.1 (BUILT IN BOUND TO TO IDENTIFY), then 192.168.1.5 START SSL HANDSHAKE FOR TLSW1 SESSIN, THEN 192.168.1.5 COMPLETED HANDSHAKE, THEN
[Code].....
now i am unable to do anything with the 5505. can not log in , can not get a ping of 192.168.1.1, can not get into the unit and do a factory reset
What process I need to follow to rebuild my failover unit? I've had to turn it off because it seems that both the primary and secondary were thinking they should both be the active unit. I'm not sure why. But in turning off the failover, I had internet access again. So I think I want to rebuild the secondary unit's configuration. Do I need to turn off failover from the primary unit first? Disconnect the secondary unit, console into it and remove the configuration (command to remove from flash?)? Rebuild the interfaces..all interfaces or just STATE between the units? Just trying to get a list of the process
I have just noticed that my Cisco ASA 5510 cpu utilization increasing upto 30-35 % and when i issue sh processes cpu-usage, i have found dispatch unit occupied most of utilization.
So i setup a failover active / passive with 2 ASA5520's
Primary asa has 750 Anyconnect vpn licensing and the secondary asa has 2 Anyconnect licenses
I haven't setup the second asa with the new 750 licenses i purchased but when i do a show version it shows that the failover licensed features shows 750...
Does this mean i do not have to install the secondary anyconnect licenses on the standby ASA unit?
output of secondary asa : Licensed features for this platform:Maximum Physical Interfaces : Unlimited perpetualMaximum VLANs : 150 perpetualInside Hosts : Unlimited perpetualFailover : Active/Active
we are running two failover pairs of asa (5510, 5505) in two different locations in active/standby configurations.Is it possible to access the inside ip of the standby unit via vpn terminated by the active unit? It's only for monitoring.With our configuration here it is not.Is that possible in general?
I have a single production 5510 with 2 contexts. Now I want to integrate the secondary failover unit. My question is: How much configuration needs to be done on the secondary firewall? How much of the configuration will be sync'd from the primary to the secondary when the secondary is connected?
For example, do I need to add the following on the secondary or will it be sync'd from the primary?
admin-context NAME context NAME allocate-interface Ethernet0/0.14
I have an issue bringing up my RMA'd primary ASA unit.
So what happened so far:
1. primary unit failed 2. secondary took over and is now secondary - active (as per sh fail) 2. requested RMA at Cisco 3. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary 4. issued wr erase and reloaded 5. copied the following commands to the new (RMA) primary unit: failover lan unit primary failover lan interface Failover Ethernet3 failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10 int eth3 no shut failover wr mem 6. installed primary unit into rack 7. plugged-in all cables (network, failover, console and power) 8. fired up the primary unit 9. expected that the unit shows: Detected an Active mate Beginning configuration replication from mate. End configuration replication from mate. 10. but nothing happened on primary unit
What is a valid and viable approach in replacing a failed primary unit? Is there a missing step that hinders me to successfully replicate the secondary - active config to the primary - standby unit.
I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.
We received an ASA5520-K8 through Cisco's Loan program so we could demo it as a replacement for our aging Cisco 3005 VPN appliances. Given that we are a non Cisco shop (except for specific appliances like concentrators and wireless access points), I don't have a great deal of experience with Cisco gear.I started to set to setup the appliance this morning but immediately ran into issues. The 5520 doesnt seem to be acting as a DHCP server, and worse yet, I can't access the unit even if I hard code the IP on the PC being used for configuration. I have to say that I feel kinda stupid having to post this, since I actually followed the documentation avaiable for this menial task and I fully expect the problem to be a simple one. Namely, I am using two specific sources of info for connections.
i just received a RMA for failed ASA 5520 that was acting as secondary unit in multicontext configuration. What would be correct procedure to install it back in production? Do i need to restore backed up config of the fallen unit or is it just enough to enable multimode and connect to existing (primary) unit? Any good link for documentation that deal with this issues.
i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .interface Ethernet0/0 nameif outside security-level 0 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2!interface Ethernet1/0 nameif inside security-level 100 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11.default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .in this case the secondary ip add 10.0.0.11 is actually nerver used? similarly do i need to have two public ip address for outside (one for primary and one for secondary ) ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.
I am having two ASA 5550 firewall running in active/standby mode. With in last two months our secondary firewall got down automatically 3 times. Firewall is running with IOS version 7.1.2. how to proceed further troubleshooting because there are not any logs on firewall.
I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.I have installed the ADAgent on a domain member Win2008 and configured as follows: [code]
where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.The ADagent has been properly tested and ASA can register to it.The ASA can connect to AD DC controller and query user database.I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity.Do I need to add extra rules in the access-list 122 to permit trafic to DC?Can I check on the AD Agent if it can retrieve the user to ip mapping ?
I have ASA5550 ruuning Version 8.3(1) with inside and outside interfaces as below [code] On the inside : I have a server (10.20.10.36) that need to be accessed from an outside host (Y.Y.131.34) , so I have the below NAT/ACL rules. [code] is it right that I have to add two ACL entry for outside host to the NATed IP of the inside server , then again add another ACL entry from the same outside host to the private IP of my inside server o get this communication done?
we had just installed our ASA 5550 with IOS 8.0(2) a couple of week ago.
2 interfaces from each slot are being used ie 0/0 for Branch users comming via MPLS cloud , 0/1 for internal LAN users comming form Core Switch & 1/0 for Server farm LAN , 1/1 for Internet (outside)
the first 3 interface are considered inside with sec set at 100 while the 1/1 is outside with sec at 0.
Last night it suddenly started dropping all connections without any warning or any noticible log form the ASDM logging.
the connection drop would happen for 2 - 3 minutes and would work fine for the next 15 minutes or so..
after conencting the console , we found out that the IOS would suddelny go abrupt and show this display ...
TP-ASA(config)# TP-ASA(config)# TP-ASA(config)# Thread Name: Dispatch UnitPage fault: Address not mapped vector 0x0000000e edi 0x24d184b0 esi 0x0000000d ebp 0x1c6ceaf8 esp 0x1c6ceae0 ebx 0x09e965e0 edx
