Cisco Firewall :: ASA 5585x - Create The Outside Interface On A Subinterface?
Oct 31, 2012
I have a circuit that will be delivered to a client next week and we are installing an ASA 5585x for them. They will have a circuit coming in with a few VLANs configured on it. One VLAN for the Internet and one for connectivity to another client.
So does the ASA allow you to create the "outside" interface on a subinterface?
I have a Cisco 5505 with a security plus license and but I can’t seem to create sub interfaces on it.
ASA1(config)# sh ver Cisco Adaptive Security Appliance Software Version 8.2(2)4Device Manager Version 6.0(3) Compiled on Wed 03-Feb-10 14:17 by buildersSystem image file is “disk0:/asa822-4-k8.bin”Config file at boot was “startup-config” ASA1 up 1 day 18 hours Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHzInternal ATA Compact Flash, 128MBBIOS Flash Firmware Hub @ 0xffe00000, 1024KB
QoS on an MFR interface/subinterfaces. We have a remote site with two bundled T1's terminating on a 2951 router for a total bandwidth of 3072. The circuit is provided by Paetec and the subinterfaces are designated for internet and MPLS traffic respectively. The issue we are facing is with outbound voice quality. It seems that no matter how we apply QoS, either to the main MFR interface or the MFR subinterfaces, voice packets do not seem to be prioritized. We tried FRTS, which slowed the entire link down to a crawl, we tried applying a class map to the main interface as well as a service policy, none of which seemed to affect anything.
class-map match-all VOICE match ip dscp ef class-map match-any SIGNALING match ip dscp af31 match ip dscp cs3 (code)
Looking for a recommended code on the ASA 5585x firewall. We ran into a bug (CSCtr24705) on version 8.4.2 where it rebooted the primary firewall. The bug has to do with modifying an existing ACL that's part of a custom policy-map inside a service-policy. If we upgrade to 8.4.5 (which has the previous bug fix in it), there is another major bug (CSCud70273) where if you use the packet-tracer input command on an inside interface it causes problems too.
I don't understand why packet-tracer input would have a bug associated with it when it's been around for a long time and we use it on a daily basis for troubleshooting. Is there stable code for the 5585x to upgrade to without running into possibly a major bug? This is our core firewall so there are no VPN tunnels on it. It's setup in active/standby failover in routed mode.
I am wondering what is Latency value for Cisco ASA 5585X and 5555X . I can see on websites that it says "low latency firewall" but I dont see any value.
Looking to replace an "all-in-one" type firewall (UTM/Firewall, SSL VPN) with a cisco product - the issue i'm running into is that we have multiple ISPs plus WAN and DMZ - overall more than 5 ports on mid-range ASA devices - and from what i read, adding 4-port module precludes me from adding CSC module.
Is there an solution to that other than going for 5585-x model? (kind of over our budget, granted we need 2 for failover)
I will be supporting a new ASA 5585X running 8.4 and I was wondering if it's possible to apply an ACL globally instead of it as an access group that is applied to a specific interface as in or out ... below are the interfaces and ACl.
I have a active-active setup with 2 cisco asa 5585x running 8.4 - the boxes ahve each 2 sec context's build-in - which gives 4 sec context in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5) which I haven't applied yet - will this give me a total of 10 or 14 security contextes? I am a bit in doubt because if I only get 10 sec contextes in this cluster then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this - hereby I would get 12 then.
Is it possible have Content Security and Control Security in a ASA 5585-X? I´m asking because the CSC-SSM is only supported in ASA 5540, 5520 and 5510 and I dont know how it feature ca be supported on a new ASA 5585-X.
I want to configure 5585x Active/Standby with 2 nexus switches utilizing VPC technology. New ASA 8.4 supports etherchannel so I want to plugin 2 cables from ASA1 to sw1 and sw2 and 2 cables from ASA2 to sw1 and sw2? Is this a valid design? how would I configure that? Any design document on that?
I'm trying to set up an 802.1 q trunk between my layer 3 switch and ASA5520. I understand I need to create a subinterface to accomplish this and have done so. However, the subinterface does not respond to pings, and when I attempt to run the packet tracer on the firewall itself, I get a message saying Flow is denied by configured rule. But the strange thing is it shows the output interface as "np identity ifc":
(The VLAN in question is VLAN2 192.168.2.3 is the VLAN2 address on the switch). The ASA config is as follows: ASA Version 8.2(5) <context> hostname context2 names ! interface GigabitEthernet0/0.2 nameif Inside0/0.2 [Code] ....
I am having an issue where I can't get to external network sources via my sub interface which is attached to a 192.168.10.X VLAN I created to for Guest wireless traffic. The internal interface is a 10.5.X.X network. I can get out the external interface, but anything that we have A records for such as our mobile iron server that we can hit from the outside via https and an external IP can't be hit from the subinterface at all. Would this be a DNS rewrite issue or inspection problem?
We have a 5585X running in multi context mode, and we are getting log entries for scanning threat detection, such as:
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3116
Threat detection is not supported in multi context mode so I cannot tune the thresholds, is there any way that I can get rid of this outside of messing about with logging levels/message IDs?
I am looking at deploying a pair of 5585X's in an active/active multiple context state. I am creating Mulitple contexts that need to be able to route to each other. I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts, i beleive this will work as basically i am just cascadng the contexts and sharing interfaces.
The main problem i have come across, is that if i deploy active/active across two appliances using 2 failover groups i can not see a way to route between them, for example.
I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2 in failover group 1 on appliance A with the respective standbys on Appliance 2. I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.
I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover. I do not beleive that I can share an interface between contexts in two separate failover groups and to be honest without adding a L3 device between the appliances i am not sure if this is possible.
I need urgent support on creating SSID as layer 2.We have cisco WLC2504 and 1602i access point. In our network we have in gate for guest.I want to create one ssid and bind with vlan only. We can not creat interface on WLC b/c of static IP.
Yesterday I was in one of our client premises configuring a WLC 5508 with software 7.2, went through the initial configuration wizard with no problem whatsoever, my issue began when trying to configure a ap-manager interface.In many WLC configuration guides cisco states that for 5508 it is not required to configure an ap-manager interface because the management will suffice, but then they put a side note recommending it's configuration for best practices and better performance. OK so I saw that in an earlier version document and now they do not make the recommendation but the still use the word required and for me that's still is not a limitation. I can't create the ap manager interface because when I put the VLAN ID it says the it is being used by another interface.
I am in the process of staging a couple of two new Cisco ASR 1004's which are located at two locations with a WAN link in between. I need to set up connectivity between servers plugged directly into each ASR router across the WAN link. The ASR has 16 gig interfaces (gi0/0/0 - gi0/0/7 and gi0/1/0 - gi 0/1/7), and a management interface (gi0). I have connected the WAN link to gi0/0/0 and put an ip address on it. The servers will be plugged into the remaining gig interfaces. I tried to create an SVI (vlan interface) in an attempt to create an L3 interface to support routing to these servers but these routers don't allow SVI's to be created. how to put these server connected ports on a vlan and to create an L3 interface to provide routing to them?
I have a question regarding mlppp and bonding mpls T1 circuits. For the longest time we have been able to get by on one T1 circuit coming into our 3845 router. Well this T1 has now become congested and they are wanting to add bandwidth to this T1. We connect to the phone company via an MPLS T1 currently. So now it appears as though we are going to purchase another MPLS T1 circuit and bond the two T1's together. The way our network is currently set up, we utilize the same AS number on all of our remote routers regardless of location. Keep in mind I don't have any sort of mlppp set up at this moment, so unfortunately I can't post any configs. I'm just questioning the design portion and how to go about doing this.
Here is where my dilemma begins........
For every MPLS circuit we order on the remote end, we specifiy an IP for the remote router itself and one for the provider to assign to their equipment (the bgp neighbor statements). Now granted i'm no BGP extraordinaire, not even a novice really, but I don't understand how I am going to bring two T1 circuits into the same router (basically with 2 pairs of IP's). In order to bond the two T1's together, i'll need to create a multilink interface and assign an IP to that, but yet I still have 2 SETS of ip addresses. And if that isn't enough of a dilemma, I also need to spedify a neighbor statement in order for my AS to bind to the adjacent provider AS, but yet I have two IP addresses for that as well.
I have got a wireless project with WLC main office and have 10 sites where ap's are there and ap's getting registerd .we need 4 ssid in all branches same .
ssid guest ssid scanner ssid user vlan 600 main office for scanner 192.168.1.0 in branch vlan 600 for scanner but ip is 172.16.1.0
and bgp is running . And customer is asking me not to edit the ip range or vlan or create new vlan . but in wlc am not able to create branch network 172.16.1.0 range interface and vlan 600 as vlan 600 i already created for scanner main office 192.168.1.0 So is there a way to do that .
Temprarly one site i did like created vlan 610 in branch no ip . And in main office interface vlan 610 given another ip range . and i created interface in wlc . from branch i can connect the ssid and getting ip . But they dont want to create any aditional vlan or another network . Customer dont have a smartnet contract . They recently baught 2 wlc 5508 and 40 ap 1142.
The swtich is configured and going to operate in L3 mode. All ports are still assigned to the default VLAN ID 1. I have created several new VLAN's. Once I configure and aplly an IP Interface to a certain VLAN the swtich becomes inaccessable right away. I am pretty sure I am not pulling my own VLAN under my connection. Every port is inaccessable. I have to pull the power plug and restart the swtich with its saved configuration. Even when I add another IP interface to the default VLAN 1, same issue. I have tried lot's of things, but can't get it to work properly. I have just upgraded to the latest firmware.
I have configured dozens of SG300 swtiches which is very easy. This one does not work with me.
We are having Cisco ASA 5540 having Cisco Adaptive Security Appliance Software Version 8.0(5)23 at certain time of moment daily wer are facing latency and packetdrop wherin when I checked for ASA Interface which gives me " Input Errors" on outside interface ,so can any one tell me what are the causes to get input errors on cisco asa outisde interface.
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80 Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53 Pix(config)#access-group outbound in interface inside
when I shut down the inside interface Gi 1/1 of the left firewall(Active firewall), It failed to failover. but when I shut down the Gi 1/12 of the Core 1 switch, The firewall failover very well.
I followed this guide but I was not able to failover. [URL]
how can I configure so that when the Gi 1/1 or Gi 1/0 interface goes down, it can failover ? Code...
I'd like to add an RDP to the vpn portal page on our 5585x. Looking for the rdp plugin in the 5585x download area but there is no page for Remote access plugins. Would the plugin be the same as any of the 5500 ASAs? Could I just download the rdp_09.11.2012.jar file from the 5505 download area?
Starting a project where they customer has ASA 5585X with SSP40 with 10K SSL Premium Lic and ACS5.1.The cust wants IPSec, and Anyconnect Client terminations. The number of users will be close to 6000 and will scale.Due to the huge scale of users, i am not able to finalize a design. Have the following doubts.
1. Will ACS have any issues in supporting a database this huge. OR is it better to go with the AD/LDAP integration.
2. What is the best way to allocation IP address. Does ACS 5.1 support dynamic allocation form an IP pool.
I have been browsing through the forum, couldnt find anything concrete.
I have a 7200 router with a 12.2.(46a) IOS and I am trying to activate Netflow on a subinterface. From the documentation of Cisco, I should be able to do it since the ios 12.2.(14)S but the command is unavailable.
[URL]
I have tried also to enter the command in the subinterface directly but it doesn't recognize it.
I have an 861 that we are using for a test network and need to add static igmp addresses for multicast. We are using the router as a router on a stick with subinterfaces on the WAN link. I've looked everywhere to see how to add the static igmp addresses.
interface FastEthernet4 no ip address no ip route-cache cef