Cisco Firewall :: ASA 5585 / SSP 40 - 10Gig Interface Needed For Log Server
Apr 26, 2013
We have deployed a few ASA 5585 SSP40 in our data centers to seperate different customer/security zones connected with 10Gig interfaces. Currently we have a dedicated log server attached to each ASA connected with a p2p 10Gig interface. While detailed log information is considered important I somehow have the gut feeling all this high end equipment and bandwidth is used a little too wasteful. I have little experience with these big firewalls and I have not yet seen the equipment in an attack situation, however I doubt a firewall could ever generate 10gig of log data, while doing the primary fire walling job at the same time. Looking at the typical packet size of a syslog message I don't even believe a 1 gig link could ever be saturated with pure syslog messages.
I have an issue with input errors, overruns, and input reset drops on the inside interface of an 5580-40 (v8.2.5: Transparent mode) The box is not stressed at all according to the 'show' commands in the Cisco troubleshooting performance document for PIX/ASA v8.2.5. Nothing stands out because is pretty much normal, nothing (processes, RAM, blocks, IO...) really being highly utilized. I have replaced the 10Gig card and that seemed to work because the rate of errors has gone down tremedously. The next step is to RMA the whole box.My question is what would be the cause of the inside interface to stop processing traffic (I say that because the syslog server stops receiving messages) for some periods of 30 seconds periodically throughout the day and clients lose their connections (ie Outlook, IBM Sametime, Oracle, MSSQL..etc). Can the issue be somewhere related to the overruns and input errors?
I just upgraded my ASA 5585 cluster from 8.2 to 8.4. I also upgraded the asdm .bin from 6.35 to 6.43. after rebooter the cluster, I try to access it with ASDM installed on my computer but it blocked at 17%.I tried to access [URL] but I just an error (with IE & FF) [code] What did I miss in the ocnfiguration ? I precise that I never used the http page, I already had the ASDM installed from another ASA.
We are in the plan of implementing a new 10gig network. For this we have chosen the Nexus 5596 and 2232 pair. What are the transceivers/accesories I should order for connecting 10Gig servers of NC552SFP dual port NICs to the 2232 in High availability (NIC 1 to 2232PP 1 and NIC 2 to 2232PP 2). Should I order the FEX SFP+ uplink conector to conect 5k and 2232 also (or its aded to the Nexus box itself) ? Also, is it fine to have Nexus 2232 in floor 2 and Parent neus in Floor 3 (say seperatd by a max of 400meters)?
Our customer is experimenting really bad performance when running 10Gig traffic through FWSM on C6509. Test with1 Gig traffic are providing find result perfromance as expected in this document: url... I have made a simple drawing so everyone can understand the setup:
The issue is when running 10 Gig traffic between Netapp servers. This traffic is going though the FWSM and the perfomance are really bad: around 50 Mbit/sec. If the traffic is not going though the FWSM ther performance are around 900 Mbit/s.
The customer and I think that the issue is releated the buffer in the C6509 and the FWSM which has big trouble managing 10G to 1G traffic convertering between C6509 and FWSM 6 G etherchannel connection.
When running 10G traffic through FWSM the number of output drops are increasing as you can see on the output bellow. The last thing which is wired a is that the speed is showing 1000 Mbits and not 6000Mbits. [code]
I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:I have 3 domains.
[URL]
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.The cisco documentation states the following:•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.Reading that it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.
I have a couple Dell R710 2U servers that came with the Dell quick rails. The rack I am trying to place them in is a 4-post open cabinet, but the depth of the posts are about an inch too short to allow the Dell quick rails to snap-lock to the square holes. Are there any 2U extenders I can attach to the back two posts of the cabinet to give the minimum length needed for the Dell quick rails to snap-lock? The extenders would also need to have the square holes.
I'm having a few problems at the moment with a zone based firewall setup. The more I looked into the problems the more I question whether I need the ZBF or not.My network is pretty simple. 1 Internet connection and 1 LAN interface and a few site to site vpns to the router.So what do people think to having this kind of set up and not using a ZBF?
I have a spare ASA5505 w/Base License that we want to use as the router/firewall between our wi-fi network and our secondary internet connection. Currently we have a NetGear box as the router there and it is on its last legs. In order for the ASA w/Base license to be able to issue over 150 IP address via DHCP which license do I need to purchase for it.
I would like to allow users from network 10.132.23.0/24, 10.132.33.0/24, 10.132.24.0/24 access to our SQL server(192.168.1.7) located on the inside interface(192.168.1.0/24 network) Those networks (10.132.0.0/16) come from the DMZ interface.
Does the 5585X supports BGP ? What if someone wants to use Antivirus + IPS feature in that . I have seen IPS modules for 5585X but looks like the antivirus module is not avaliable for 5585X
The firewall is running version #8.2 on ASA 5580. Address translation is not needed on Inside network and Outside network.But the customer has hundreds of static command as below.. [code] Can they all be removed and replace with one single command as below?
Configuring an asa 5505 with 8.42 software.I need to access an https server on the inside via the outside interface. have moved the http server enable to port 10443.Tried to make a "network object nat rule"
I have a couple of 5505's with base licenses. One of the two has a limited output when running the sho version command, as it has a restricted license. What license I would need to buy in order to bring it up to "normal" base license ?
I am setting up an ASA5515 to replace an existing Linux based firewall. Unfortunately the ASA5515 does not support source based routing.I have two internet connections currently used for specific connections - the second connection is NOT a failover connection.I have the default route to Internet connection 1.I want to route smtp out the second Internet connection.The routers connecting to the internet are a 877 and an 878The options I am considering is a layer 3 switch between the firewall and the routers to enable source based routing or replacing the 2 routers with a single router and the appropriate wic interfaces.
I have the following Setup, Two Cisco ASA 5520 needed to be configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?
I want to configure Qos for 2 diffrent Vlan 2 , each vlan for 2 mbps bandwidth .(VLAN details VLAN 10 (10.10.x.x /24) and vlan 20(20.20.x.x/24) Is any difference regarding initials configuration B/w ASA 5520 and 5585
We are working for a client move from PIX 525 to ASA 5585-X, SSP10. This is a production environment and very critical migration. What are the gotchas which we should be aware off?
We have installed 5585-x in active/active mode with transparent firewall. We have created two virtual sersors for vs1 and vs2 in IPS module and linked with ASA context C1(vs1), C2(vs2) and admin(vs0).
As firewall is working in transparent mode, we have bridge IP address for context C1 10.1.1.1 and for context C2 10.2.2.1.
I have added default routed for context C1 10.1.1.2 .It is in the outside of asa and SVI on switch.For the other context C2 10.2.2.2.
IP address range for the IPS module and what should be the gateway for IPS module.AS the traffic is coming from outside and going to inside interface of ASA.
I have a pair of ASA 5585 configured with 2 contexts, C1 & C2, C1 is active on ASA-1 & C2 is active on ASA-2 i did failover test, ping was initiated to host residing behind ASA-1 in context C1 i powered of ASA-1 then both context became active on ASA-2, however during this failover.i saw 4 ping packets drop..
We've just started with the ASA 5505. We do run a DHCP server on the inside interface, so it is in the same VLAN 1 as all of the clients. However, we cannot get it to work.We can't use DHCP Relay, as the ASA 5505 only allows to relay to DHCP servers in a different subnet.Or do we have to move the DHCP server to a different subnet. If so, how would we configure that scenario?
My internal network consists of Catalyst 3750 switches segmented into different VLANs. There is a default route on the layer 3 Catalyst switch sending all unknown traffice to the inside Internet of the ASA 5510. However, I'd like to have a separate VLAN for wifi guest access and send all of that traffic through one of the DMZ interfaces on the ASA 5510. I don't think you can have separate default routes based on VLANs on the 3750 switches so my only option is to make the ip address of the DMZ port the default gateway for all hosts on the wifi guest VLAN.
The problem I have is that I have a couple servers behind the inside interface that have services available to the public Internet via a NAT address on the outside interface. I want the guests on the wifi VLAN to have the ability to access the servers on the inside interface using the public address as well, but have not been able to come up with a solution yet.
Here is my config that pertains to this setup:
interface Ethernet0/0description Outside Interfacenameif Outsidesecurity-level 0ip address 76.47.10.x 255.255.255.224 rip send version 1rip receive version 1!interface Ethernet0/1description Inside Interfacenameif Insidesecurity-level 100ip address 192.168.17.1 255.255.255.0 rip send version 1rip receive version 1!interface Ethernet0/3description Wifi Guest Accessnameif DMZ2security-level 50ip address 192.168.60.1 255.255.255.0
I have a new 5585x with only basic ip information on it. I can't get the ASDM to load from any interface. Browser just says cannot load page. I upgraded to 9.1 and ASDM 7.11-52. (Also did not work before I upgraded) I can ping the managment 0 interface and can tftp data to and from it. Also unable to telnet to the management interface. [code]
Any document in which is specified who may ACE rules are supported in an ASA5585-SSP-20?I need to compare this an other several specification versus a FWSM. I found the information for the module, but not for the ASA 5585-X..In the data sheet this information is not specified.
I am currently working with ASA 5585 with several contexts. What is the percentage of the CPU used per context. I already have the opportunity to do it for the whole ASA (context admin) using the SNMP mib CISCO-PROCES but, unfortunalty, this mib doesn't allow us to know the percentage of used CPU per context.
I was able to know the number of core used per context but not the percentage of the CPU used.
Shared licensing of ASA?I have 2 ASA 5585 in cluster and I have to Implement SSL / VPN license My question:Since I have a cluster in 8.3 version, can I use only one license VPN / SSL for two, without necessarily implement the Shared Server licenses and participant.
