Cisco Firewall :: ASA Version 8.6.1 NAT To Exchange 2010 Cluster?

Feb 26, 2013

We have the following setup on our Cisco ASA version 8.6.1: a one-to-one NAT rule from outside to our Exchange 2010 cluster IP address (DAG group). This is working fine for clients on the internet accessing their emails via Exchange using their phones. The ASA has the MAC address of the active node from the cluster, but when the cluster fails over it caches the IP address and does not update to the new MAC. So users from the outside are unable to connect to the new node from outside the ASA, as the MAC address from the passive node is in the MAC table. The MAC address on all the switches updates within 2 seconds on the internal network and users don't notice any outage.


Cisco Firewall :: Port Forwarding Exchange 2010 OWA Using ASA 5505?

Jun 26, 2012

I am trying to port forward Exchange 2010 OWA using an ASA5505; whether I use object NAT or Twice NAT, it just doesn't work. Here is my config:
 
access-list outside-access remark "Exchange Server Access Rules"
access-list outside-access extended permit tcp any host <public x.x.x.11> eq smtp
access-list outside-access extended permit tcp any host <public x.x.x.11> eq https

[code]...
 
Note that I use public IP <public x.x.x.9> on the outside interface for PAT, so all hosts in the same private network can access the internet.


Enlarging Attachment Size For Exchange 2010?

Jan 22, 2013

I think that our users are at the largest capacity for attachments; twice in the past week one of our users did not receive important emails because of the attachment size limit. The problem is that the sender thinks we got it b/c there is no bounce back and we have no record of the email being sent. My question is: how do I increase the attachment size for incoming emails?


Cisco Application :: 47XX - Run Mixed VMware Cluster Version 3.5 And 4.1 On ACE

Jun 28, 2011

I have a CAS array for Exchange 2010 configured to load balance on my Cisco ACE 47XX. My question is: can I run a mixed VMware cluster version 3.5 and 4.1 on my ACE? What I am experiencing is dropped RPC connections, and I was wondering if that could be the cause of it or maybe I have misconfigured something on the ACE.

Another question: should I separate the two cluster versions on their own serverfarm and then load balance the farms? What I mean is serverfarm 3.5 and serverfarm 4.1, and then load balance them.


Cisco Firewall :: ASA 5500X - Next Generation Firewall - Cluster Licensing

Apr 26, 2013

I'm working on a BoM for a customer and I need to offer an ASA5525-X pair in HA with AVC and WSE subscription. I have two questions:

1) In order to use AVC and WSE I need the ASA bundle that includes the SSD HD, right? (ASA5525-SSD120-K9)

2) In order to have both ASAs in HA, do I need to order two subscriptions (ASA5525-AW3Y-PR) or only one that is "shared" in the cluster?


Cisco Firewall :: 5520 - Where To Connect 2 DSL Using ISA / TMG-2010

Apr 4, 2011

I am working on a project with 2 security ASA 5520s with a Microsoft ISA/TMG-2010 server having 2 DSLs. My question is regarding the design issue: where should I connect the 2 DSLs using ISA/TMG-2010?


Cisco Firewall :: PIX 525 Cluster

Mar 15, 2012

We currently had to RMA both PIX 525s due to increasing CRC errors. After swapping the old ones with the new we are still seeing CRC errors on all gig interfaces. We have swapped the gig NICs and the SFPs and the fiber patch cables, yet still the CRC errors continue to climb.

Another thing that's interesting is that when we disconnect the secondary we see an increase in throughput.


Cisco Firewall :: Pix 525 Cluster Failover?

May 23, 2011

A customer has 2 PIX 525s with ver 7.0.1 in a failover configuration with serial cable and 2 SC fiber interfaces and 2 FastEthernet, 1 used for failover. The strange behaviour is that when I try to do traffic from inside to DMZ or DMZ to inside, the maximum transfer is 862Kb/s to 1MB/s, not more. I don't understand what's happened. The show mem and show cpu are normal: 7% mem used and 1-2% CPU used. Attached you will find the configuration.


Cisco Firewall :: Upgrading ASA 5580 Cluster From 7.2 To 8.2

Aug 19, 2012

We are going to upgrade our 5580 ASA cluster from 7.2 to 8.2 and want to do it this way (which worked for all 7.x upgrades):

download ASA 8.2 image to primary + secondary firewall
reboot primary (message comes up "mate version ...")
reboot secondary

Does it work? Any experience? Does it work if both firewalls can see each other during the boot process?

Do I have to bring the secondary into monitor mode so the FW is not visible to the primary?


Cisco Firewall :: ASA 5505 / 5520 Dual Gateway From 3750 And 2010

May 17, 2011

I need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.
 
The clients currently use .254 addressing through a dumb Dell switch to the 3750, but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces and I'm not sure if that has anything to do with its capabilities to act as a DHCP server (it's not an option in the ASDM) or its ability to serve as the internet gateway for the 2010 clients. (Side notes: The 5505 has a base license and is currently also connecting 1 site-to-site VPN. As is the 5520, so all of its interfaces are used as well.)
  
I statically assigned a moved client with a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set its default route to 253.1. The link between the 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.
 
Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?

The reason why I don't just connect the two switches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface. I'm having such a hard time wrapping my head around why I can't get my clients moved over to the new switch, I haven't even grasped how I'm going to do that yet.


Cisco Firewall :: PIX 515e Reason To Upgrade To ASA Cluster

Feb 24, 2011

Just looking for some good reasons why I should upgrade a Cisco PIX 515e cluster to an ASA Cluster to present to the business.


Cisco Firewall :: 5540 Changing Host-name In Asa Cluster

Feb 11, 2013

I have 2 Cisco ASA 5540s configured in active/standby mode. I need to change the hostname and domain name as per our standards. Does changing the hostname have any impact on the traffic flow?


Cisco Firewall :: ASA 5585x Security Context In HA Cluster

Jun 6, 2012

I have an active-active setup with 2 Cisco ASA 5585x running 8.4. The boxes each have 2 security contexts built in, which gives 4 security contexts in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5) which I haven't applied yet. Will this give me a total of 10 or 14 security contexts? I am a bit in doubt, because if I only get 10 security contexts in this cluster then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this? I would then get 12.


Cisco Firewall :: Management Interface In Cluster ASA 5515x?

Jan 6, 2013

I have a misunderstanding about management interface configuration in a cluster. I have a cluster of ASA 5515X with a management interface. I would like to be able to connect to any of the members of my cluster on the management interface, so I would like to fix a different IP on the management interface on each of my nodes: IP 92 and 91. I think it is the only way for an ASA firmware update to access local flash on each node.
 
my config
 
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif

[Code].....


Cisco Firewall :: SSH Key Exchange DH Group 14?

May 29, 2013

I am trying to issue the command "ssh key-exchange group dhgroup14" on several of my ASA firewalls. The key-exchange command is failing on 3 of 4 ASA firewalls. According to Cisco documentation, this command was introduced in 8.4. My ASAs are running versions 8.6.1.10, 9.1.1.8, 9.1.1.10 and 9.1.2. The command is available only with 9.1.2.

Example from one of my ASAs.
 
lbjinetfw# show version | in Version
Cisco Adaptive Security Appliance Software Version 8.6(1)10
Device Manager Version 7.1(2)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
lbjinetfw# config t
lbjinetfw(config)# ssh

[code]....


Cisco Firewall :: Software Upgrade For ASA 5520 Version 7.0(1) To Version 8.4?

Apr 3, 2012

Provide me with the important links which can show me how to do the software upgrade for my ASA 5520 ver 7.0(1) to ver 8.4, as well as the ASDM.


Cisco Firewall :: ASA 5520 - Fail Over Cluster Software Upgrade

Jul 21, 2011

Last night we tried to upgrade our cluster (2x ASA5520) from 8.0(4) to 8.2(3) and failed miserably.
 
1. Both units got the new image, but when we reloaded the secondary unit then we got the following strange message:
 
"Mate's license (10GE I/O Enabled) is not compatible with my license (10GE I/O Disabled). Fail over will be disabled."
 
After this message fail over was not there anymore and both units became active (!!!) which killed everything. Of course ASA5520 doesn't have 10GE and we have exactly the same units. What could be the problem here? Currently we run with a single unit with 8.2(3) and the secondary unit is switched off.
 
2. After the upgrade we cannot connect with multiple VPN sessions from the same client, this gets logged:
 
"Multiple sessions per tunnel are not supported"
 
This was working just fine with 8.0(4) and doesn't work with 8.2(3). Do we have to update something in the config or what is causing this? If you ask why we went with 8.2(3) instead of 8.2(5) then the answer is because we were testing that for several months in our secondary data center, but unfortunately only on a single ASA and not on a cluster. We couldn't go higher due to the 512MB RAM we have in all units.
And we had to upgrade, because we had crashes with 8.0(4), which was working fine for a long, long time.


Cisco Firewall :: Microsoft Exchange With NLB And PAT On Asa 5510

Nov 7, 2012

I have Exchange with an NLB cluster.

I want to PAT the cluster IP to access email from outside. I know I can add the static ARP entry for the multicast cluster IP.

My question is: can I add a static NAT command to that same cluster IP for ports 25 and 443 in the normal way, like we do for normal PAT?


Cisco Firewall :: How To Upgrade ASA 5510 Version 8.0(4) To Version 8.3

May 10, 2011

I am using Cisco ASA 5510 with ASA Version 8.0(4) and memory 256MB. me to Upgrade it to 8.3


Cisco Firewall :: Migrate To Multiple Context Mode On ASA 5520s Cluster?

Jun 4, 2012

I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Will either of these scenarios work (or fail)? I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
 
Migration option #1
Log into active/primary ASA
Configure Multiple Context mode
Reboot both devices
Login to active/primary ASA

[code]....


Cisco Firewall :: 6509 - Replacing Faulty FWSM Module In Cluster

Apr 15, 2013

We have a faulty FWSM module in a Cisco 6509 switch in Active/Standby cluster mode.

We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration.

What procedures should I follow to make this unit live and sync the config from the current active unit to this one?


Cisco Firewall :: ASA5510 / Accessing Exchange Server From DMZ?

Aug 16, 2011

We have an ASA5510 with a webserver in the DMZ network 10.2.2.0/24. We now want this web server to be able to access the Exchange server in the Inside network 10.1.1.0/24. I researched this and it seemed straightforward according to the Cisco document below:

[URL] 
 
I'm looking to do this with smtp so I added these lines to the config:
 
static (inside,DMZ) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
 
The configuration line "access-group DMZ in interface DMZ" already existed in the configuration, so it didn't need to be re-entered.

ASA Version 8.0(4)
!
hostname xxxx
domain-name xxxx.com
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names

[code]....


Cisco Firewall :: Exchange Direct Push / ASA 5540 / Barracuda?

Jun 15, 2011

I have the following scenario.
 
                            INET
                      (205.50.50.1)
                              |
                              |
                      (205.50.50.2)
                 [CISCO ASA 5540]
                       (10.10.10.1)
                              |
                              |
                             + ---------------------------------------------+
                      (10.10.10.2)                              (10.10.10.3)
                    [BARRACUDA]                         [Exchange SRV]
 
 Mail Domain:            mail.domain.com (205.50.50.50)
 
OK, so the mail flows to the Barracuda using a static 1:1 NAT configuration and then gets delivered from the Barracuda to the Exchange server. I want to implement ActiveSync (Direct Push) for Windows Mobile devices. They need to communicate with mail.domain.com over port 443. The problem is I want mail to continue to flow to the Barracuda, but direct Direct Push traffic to the Exchange server. I know I can't implement two 1:1 NAT mappings from the same external hostname to 2 different servers.


Cisco Firewall :: ASA 5510 With 8.0.2 - Exchange 2007 Outlook Anywhere / OWA Users

Aug 15, 2011

We have an ASA 5510 which was running 8.0.2. We recently upgraded it to 8.2.5, and since the upgrade remote users for Exchange 2007 are not able to download any large email attachments (over or close to 1MB). This is only happening to Outlook Anywhere users or OWA users who are connecting to the Exchange server using HTTPS (443) externally. If the same users connect internally they do not face any issue. When I check the logs on the ASA I am getting lots of RESET-O and RESET-I entries. It looks like the connection between the client and the server gets reset.


Cisco Firewall :: Can't Send Or Receive Email From Exchange Behind ASA 5510 With CSC

Jan 17, 2012

We are upgrading from a PIX 515e to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. [code]


Cisco Firewall :: ASA 5510 Barracuda Exchange Emails Deferred

Nov 29, 2011

Our ASA 5510 has been in place for nearly two years, and we never had any issue whatsoever with it. All along the ASA has been using the default policy. Lately, we have been getting email deferred in our Barracuda Spam firewall. Google quickly reveals that ESMTP does not play nice with Barracuda, which I disabled even though we haven't had any issue with it before. However, the issue remains: we are still getting email deferred in the Barracuda.

While doing more troubleshooting on the ASA, I noticed that when I issue the command show local-host + IP of the Barracuda, there is an IP address on the outside interface that can get up to 96 UDP port 53 connections with the Barracuda; this connection count never gets lower than 20! However, when checking the default setup for the Barracuda, I have the values below:
 
Incoming SMTP Timeout: 20
Message per SMTP Session : 8
Maximum SMTP Error SMTP Session: 2
Maximum Connection per Client 30m:40
 
My question is: if the ASA shows up to 96 DNS sessions from an outside host to my Barracuda, won't that push the Barracuda into email deferred timeouts? Should I change the Barracuda default settings? Or should I change the connection limits for the Barracuda in the ASA?


Cisco Firewall :: 5510 Exchange Active Sync Stops Working

May 8, 2012

I know that I've run into this before but I can't remember the fix. I have a 5510. The 3 interfaces involved are INSIDE, OUTSIDE, and GUEST. Corporate users are allowed to put their iPhones on the Guest network, but the problem is that their Exchange ActiveSync stops working. It is tied to the external DNS name of the OWA server (we'll say webmail.abc.com). So the users are funneled out one public IP on the OUTSIDE interface and are trying to communicate with the outside of the OWA server, which is NATed to another public IP on the same outside interface. What do I need to do on the ASA to allow users on the guest network (behind the GUEST interface) to access the mail server using its public IP (behind the INSIDE interface)?


Cisco Firewall :: ASA 5505 Implicit Rule Blocking Exchange 5040

Jul 23, 2011

I picked up a rather nasty bit of malware which resulted in a format and installation of Windows Ultimate 64. All is well now except I can't get the wireless to work. I downloaded assorted drivers from the Dell support directory, but to no avail. So the questions are: am I missing something obvious (the Windows function button for wireless does nothing), what is the correct driver for the N5040, and are there any tricks in getting it to work?


Cisco Firewall :: ASA5510 - Outlook Clients Disconnect From Public Exchange?

Apr 4, 2011

We have a setup where clients on the internal network send/receive their emails through the Microsoft Outlook client, while the Exchange server is hosted on the internet, outside the organization. The clients are connected to a Cisco switch, behind an ASA5510 firewall. The firewall is connected to an internet router, with double NAT (on the ASA and router).

The Outlook clients disconnect from the Exchange server, sometimes for hours, and then reconnect again. During these disconnections, the same client PCs are able to browse the internet normally. There are no restrictions for the traffic going from the inside to the outside. During the disconnections, if we try to connect using a public IP bypassing the ASA & router,.


Cisco Firewall :: Securely Access Exchange Server 2007 Through ASA 5510?

Dec 27, 2011

Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)?  OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510? 


Cisco Firewall :: ASA 5505 - HTTPS Traffic Through DMZ Interface To Internal Exchange Server?

Apr 23, 2012

I have an ASA 5505 with the base license. When I set up the DMZ interface I had to add the deny access to the inside VLAN. The DMZ works fine with WiFi on it, but users' iPhones can't get email unless they turn WiFi off. Is there a simple way to allow HTTPS traffic through the DMZ interface to our internal Exchange server, which is NAT'd on the 5505's external IP?


Cisco AAA/Identity/Nac :: ACS1113 Version 4.2 Ssh Version 1 / Specify Only Version 2 Or Turn Off SSH?

Sep 14, 2009

A McAfee scan of the ACS 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?


Cisco Firewall :: Migrating Netscreen Firewall To ASA 5515 Version 8.6?

Mar 5, 2013

I am currently migrating a NetScreen firewall to an ASA 5515 version 8.6. The issue is setting up the management connectivity.

Basically, the management IP of the Cisco ASA is not advertised. But we want to route a management IP through the management interface to interface Gi0/2.

So the IP of the management interface is, say, 216.10.100.10, and the IP of the inside interface is, say, 198.1.1.10/24. On our router we have a static route sending 198.1.1.0/24 to a next hop of 216.10.100.10 (management interface of the Cisco ASA).
 
On the Cisco ASA can I send the traffic to the inside interface and manage the firewall via ssh that way?
