Cisco Firewall :: ASA 5585 / SSP 40 - 10Gig Interface Needed For Log Server

Apr 26, 2013

We have deployed a few ASA 5585 SSP40 in our data centers to separate different customer/security zones connected with 10Gig interfaces. Currently we have a dedicated log server attached to each ASA connected with a p2p 10Gig interface. While detailed log information is considered important, I somehow have the gut feeling all this high end equipment and bandwidth is used a little too wastefully. I have little experience with these big firewalls and I have not yet seen the equipment in an attack situation, however I doubt a firewall could ever generate 10gig of log data while doing the primary firewalling job at the same time. Looking at the typical packet size of a syslog message I don't even believe a 1 gig link could ever be saturated with pure syslog messages.



Cisco Firewall :: 5580-40 - Input Errors / Overruns And Reset Drops On 10Gig Interface?

May 10, 2012

I have an issue with input errors, overruns, and input reset drops on the inside interface of a 5580-40 (v8.2.5, transparent mode). The box is not stressed at all according to the 'show' commands in the Cisco troubleshooting performance document for PIX/ASA v8.2.5. Nothing stands out because it is pretty much normal; nothing (processes, RAM, blocks, IO...) is really being highly utilized. I have replaced the 10Gig card and that seemed to work because the rate of errors has gone down tremendously. The next step is to RMA the whole box. My question is what would cause the inside interface to stop processing traffic (I say that because the syslog server stops receiving messages) for periods of 30 seconds periodically throughout the day, so that clients lose their connections (i.e. Outlook, IBM Sametime, Oracle, MSSQL, etc.). Can the issue be somehow related to the overruns and input errors?


Cisco Firewall :: 5585 Can't Access ASA HTTP Server

Jun 20, 2011

I just upgraded my ASA 5585 cluster from 8.2 to 8.4. I also upgraded the ASDM .bin from 6.35 to 6.43. After rebooting the cluster, I try to access it with the ASDM installed on my computer but it blocks at 17%. I tried to access [URL] but I just get an error (with IE & FF) [code] What did I miss in the configuration? I should point out that I never used the http page; I already had the ASDM installed from another ASA.


Cisco Switching/Routing :: Nexus 5k To 2k To 10gig Server Connectivity?

Nov 11, 2012

We are in the planning stage of implementing a new 10gig network. For this we have chosen the Nexus 5596 and 2232 pair. What are the transceivers/accessories I should order for connecting 10Gig servers with NC552SFP dual port NICs to the 2232 in high availability (NIC 1 to 2232PP 1 and NIC 2 to 2232PP 2)? Should I order the FEX SFP+ uplink connector to connect the 5k and 2232 as well (or is it added to the Nexus box itself)? Also, is it fine to have the Nexus 2232 on floor 2 and the parent Nexus on floor 3 (say separated by a max of 400 meters)?


Cisco Firewall :: Running 10Gig Traffic Through FWSM On C6509

Oct 30, 2011

Our customer is experiencing really bad performance when running 10Gig traffic through the FWSM on a C6509. Tests with 1 Gig traffic are providing fine performance results, as expected in this document: url... I have made a simple drawing so everyone can understand the setup:
The issue is when running 10 Gig traffic between NetApp servers. This traffic is going through the FWSM and the performance is really bad: around 50 Mbit/sec. If the traffic is not going through the FWSM the performance is around 900 Mbit/s.
The customer and I think that the issue is related to the buffers in the C6509 and the FWSM, which have big trouble managing the 10G to 1G traffic conversion between the C6509 and the FWSM 6G etherchannel connection.
When running 10G traffic through the FWSM the number of output drops is increasing, as you can see in the output below. The last thing which is weird is that the speed is showing 1000 Mbits and not 6000 Mbits. [code]


Cisco Firewall :: ASA 5585 / Identity Firewall With Single Forest / Multi-Domain

Dec 28, 2011

I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain Windows network. Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains. Here is the setup: I have 3 domains.

Both domains have a two-way parent-child trust and I can look for users in AD Users/Computers on both domains. I initially set up the ASA to look at using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain controller, configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain2 and domain3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users it is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search LDAP on domain2 to no avail. The Cisco documentation states the following:

• Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.

Reading that, it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get it to communicate with the lower level domains.


Dell R710 2U Server - Minimum Length Needed For Quick Rails To Snap-lock

May 11, 2011

I have a couple of Dell R710 2U servers that came with the Dell quick rails. The rack I am trying to place them in is a 4-post open cabinet, but the depth of the posts is about an inch too short to allow the Dell quick rails to snap-lock to the square holes. Are there any 2U extenders I can attach to the back two posts of the cabinet to give the minimum length needed for the Dell quick rails to snap-lock? The extenders would also need to have the square holes.


Cisco :: Zone Based Firewall Really Needed

Sep 18, 2012

I'm having a few problems at the moment with a zone based firewall setup. The more I looked into the problems the more I question whether I need the ZBF or not. My network is pretty simple: 1 Internet connection and 1 LAN interface and a few site-to-site VPNs to the router. So what do people think of having this kind of setup and not using a ZBF?


Cisco Firewall :: ASA5505 Which License Is Needed

Jun 8, 2011

I have a spare ASA5505 w/Base License that we want to use as the router/firewall between our wi-fi network and our secondary internet connection. Currently we have a NetGear box as the router there and it is on its last legs. In order for the ASA w/Base license to be able to issue over 150 IP addresses via DHCP, which license do I need to purchase for it?


Cisco Firewall :: SQL Server Access From DMZ Interface ASA 5505

May 25, 2011

I would like to allow users from network,, access to our SQL server( located on the inside interface( network) Those networks ( come from the DMZ interface.


Cisco Firewall :: 5585 - CSC And AIP

Oct 7, 2011

Does the 5585X support BGP? What if someone wants to use the Antivirus + IPS features in it? I have seen IPS modules for the 5585X but it looks like the antivirus module is not available for the 5585X.


Cisco Firewall :: 5580 Do Static Command Needed

Oct 3, 2011

The firewall is running version 8.2 on an ASA 5580. Address translation is not needed between the Inside network and the Outside network. But the customer has hundreds of static commands as below. [code] Can they all be removed and replaced with one single command as below?


Cisco Firewall :: 5510 - Which License Needed For ISP Failover

Mar 3, 2011

I have an ASA 5510. I have two ISPs and I need to configure ISP failover. So which license do I need? I have the ASA-CSC10-PLUS license.


Cisco Firewall :: ASA 8.42 Need To Access Https Server On Inside Via Outside Interface

Nov 24, 2011

Configuring an ASA 5505 with 8.42 software. I need to access an https server on the inside via the outside interface. I have moved the http server enable to port 10443. Tried to make a "network object nat rule":

object network Vejrstation
 nat (any,outside) static interface service tcp https https
object network Vejrstation
 nat (any,outside) static interface service tcp https https


Cisco Firewall :: 5505 Which License Needed To Buy For Normal Base

Sep 22, 2012

I have a couple of 5505s with base licenses. One of the two has limited output when running the sho version command, as it has a restricted license. What license would I need to buy in order to bring it up to a "normal" base license?


Cisco Firewall :: Source Routing Work Around Needed With ASA5515

Jun 10, 2013

I am setting up an ASA5515 to replace an existing Linux based firewall. Unfortunately the ASA5515 does not support source based routing. I have two internet connections currently used for specific connections; the second connection is NOT a failover connection. I have the default route to Internet connection 1. I want to route SMTP out the second Internet connection. The routers connecting to the internet are an 877 and an 878. The options I am considering are a layer 3 switch between the firewall and the routers to enable source based routing, or replacing the 2 routers with a single router and the appropriate WIC interfaces.


Cisco Firewall :: ASA 5520 Needed To Be Configured In HA Active / Passive

May 24, 2011

I have the following setup: two Cisco ASA 5520s need to be configured in HA Active/Passive. The firewalls also include the AIP module. Will the ASA 5520 internally make the AIP modules HA Active/Passive as well? Is there a document regarding the issue? Is there a separate license for the AIP modules in an HA scenario?


Cisco Firewall :: QOS Configuration On ASA 5585?

Nov 29, 2011

I want to configure QoS for 2 different VLANs, each VLAN with 2 Mbps bandwidth (VLAN details: VLAN 10 (10.10.x.x/24) and VLAN 20 (20.20.x.x/24)). Is there any difference regarding the initial configuration between the ASA 5520 and 5585?


Cisco Firewall :: Setup ASA 5585 Out Of The Box?

Jan 29, 2012

I am not conversant with firewalling; however, I need to set up a Cisco ASA 5585 out of the box.


Cisco Firewall :: Upgrading PIX 525 With ASA 5585-X / SSP-10

Jun 24, 2012

We are working for a client moving from a PIX 525 to an ASA 5585-X, SSP10. This is a production environment and a very critical migration. What are the gotchas which we should be aware of?


Cisco Firewall :: 5585-x With IPS SSM 40 Module

Jun 2, 2013

We have installed a 5585-X in active/active mode with transparent firewall. We have created two virtual sensors, vs1 and vs2, in the IPS module and linked them with ASA contexts C1 (vs1), C2 (vs2) and admin (vs0).

As the firewall is working in transparent mode, we have a bridge IP address for context C1 and for context C2.

I have added a default route for context C1. It is on the outside of the ASA and an SVI on the switch. For the other context, C2:

What should the IP address range for the IPS module be, and what should be the gateway for the IPS module? The traffic is coming from outside and going to the inside interface of the ASA.


Cisco Firewall :: ASA 5585-X Licensing

May 6, 2012

I have registered the license purchased for the ASA 5585X appliances and have received the following listed as features.
> Failover : Enabled
> Encryption-DES : Enabled
> Encryption-3DES-AES : Enabled
> Security Contexts : 20
> GTP/GPRS : Disabled
> AnyConnect Premium Peers : Default
> Other VPN Peers : Default
> Advanced Endpoint Assessment : Disabled
> AnyConnect for Mobile : Disabled
> AnyConnect for Cisco VPN Phone : Disabled
> Shared License : Disabled
> UC Phone Proxy Sessions : Default
> Total UC Proxy Sessions : Default
> AnyConnect Essentials : Disabled
> Botnet Traffic Filter : Disabled
> Intercompany Media Engine : Disabled
> 10GE I/O Plus : Disabled
(code)


Cisco Firewall :: ASA 5585 HA Failover?

Sep 24, 2012

I have a pair of ASA 5585s configured with 2 contexts, C1 & C2. C1 is active on ASA-1 & C2 is active on ASA-2. I did a failover test: a ping was initiated to a host residing behind ASA-1 in context C1, then I powered off ASA-1 and both contexts became active on ASA-2. However, during this failover I saw 4 ping packets drop.


Cisco Firewall :: Configure DHCP Server On Inside Interface ASA 5505

May 9, 2012

We've just started with the ASA 5505. We do run a DHCP server on the inside interface, so it is in the same VLAN 1 as all of the clients. However, we cannot get it to work. We can't use DHCP relay, as the ASA 5505 only allows relaying to DHCP servers in a different subnet. Or do we have to move the DHCP server to a different subnet? If so, how would we configure that scenario?


Cisco Firewall :: 3750 / ASA 5510 - Allow Access To Server On Inside Interface From DMZ?

Feb 28, 2013

My internal network consists of Catalyst 3750 switches segmented into different VLANs. There is a default route on the layer 3 Catalyst switch sending all unknown traffic to the inside Internet of the ASA 5510. However, I'd like to have a separate VLAN for wifi guest access and send all of that traffic through one of the DMZ interfaces on the ASA 5510. I don't think you can have separate default routes based on VLANs on the 3750 switches, so my only option is to make the IP address of the DMZ port the default gateway for all hosts on the wifi guest VLAN.
The problem I have is that I have a couple of servers behind the inside interface that have services available to the public Internet via a NAT address on the outside interface. I want the guests on the wifi VLAN to have the ability to access the servers on the inside interface using the public address as well, but have not been able to come up with a solution yet.
Here is my config that pertains to this setup:
interface Ethernet0/0
 description Outside Interface
 nameif Outside
 security-level 0
 ip address 76.47.10.x
 rip send version 1
 rip receive version 1
!
interface Ethernet0/1
 description Inside Interface
 nameif Inside
 security-level 100
 ip address
 rip send version 1
 rip receive version 1
!
interface Ethernet0/3
 description Wifi Guest Access
 nameif DMZ2
 security-level 50
 ip address
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1
nat (DMZ2) 1
static (Inside,Outside) 76.47.10.x netmask
I've tried the following commands but no dice.

same-security-traffic permit intra-interface
static (inside, inside) 76.47.10.x netmask


Cisco Firewall :: ASA 5585 ASDM Won't Load

Jan 28, 2013

I have a new 5585X with only basic IP information on it. I can't get the ASDM to load from any interface. The browser just says it cannot load the page. I upgraded to 9.1 and ASDM 7.11-52 (it also did not work before I upgraded). I can ping the management 0 interface and can tftp data to and from it. I am also unable to telnet to the management interface. [code]


Cisco Firewall :: ASA-AC-M-5520 Migration To ASA-AC-M-5585?

Jan 23, 2013

I have ASA-AC-M-5520; can we migrate the license to ASA-AC-M-5585?


Cisco Firewall :: More Detailed Specifications For ASA 5585-X

Aug 29, 2012

Is there any document in which it is specified how many ACE rules are supported in an ASA5585-SSP-20? I need to compare this and several other specifications versus a FWSM. I found the information for the module, but not for the ASA 5585-X. In the data sheet this information is not specified.


Cisco Firewall :: 5585 - Getting ASA 8.4(2) ASDM-SSH Access From VPN?

Sep 21, 2011

I have a 5585 with version 8.4.2. I have issues accessing the ASA using SSH or ASDM via remote access VPN. The configuration details are the following: -- address assigned from the pool -- inside interface address in the ASA
1. The VPN establishes without problems and I can reach any inside resource; I can also ping the firewall.
group-policy pol1 attributes
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value pol1_splitTunnelAcl
If I allow a direct http/ssh connection to the outside/inside interface, it works perfectly.


Cisco Firewall :: CPU Usage Per Context On ASA 5585?

Jul 3, 2012

I am currently working with an ASA 5585 with several contexts. What is the percentage of the CPU used per context? I already had the opportunity to do it for the whole ASA (admin context) using the SNMP MIB CISCO-PROCES but, unfortunately, this MIB doesn't allow us to know the percentage of CPU used per context.
I was able to find out the number of cores used per context but not the percentage of the CPU used.


Cisco Firewall :: 5585 - ASA Shared Licenses With 8.3?

May 2, 2011

Shared licensing of ASA? I have 2 ASA 5585s in a cluster and I have to implement the SSL/VPN license. My question: since I have a cluster on version 8.3, can I use only one VPN/SSL license for the two, without necessarily implementing the shared license server and participant?


Cisco Firewall :: ASA 5585-X Multicast Support?

Feb 23, 2011

Is it true that the new ASA platform 5585 does not support multicast? Here on page 7: [URL]. I ask because the old ASAs support multicast.


Cisco Firewall :: Visio Stencil For ASA 5585-X?

Aug 29, 2011

Where can I get a Visio stencil for an ASA-5585-X?

