Cisco Firewall :: ASA5505 Vlan1 Down Active Workstations
Feb 26, 2012
I have an ASA5505 where vlan1 (inside) and all associated ports (e0/1 - e0/7) are down. Workstations on vlan 1 are online and working. Vlan2 (outside) is up and running normally. I tried to shut/no shut on the vlan. I also rebooted the firewall. No change. Why is vlan1 down? I've attached some config info and some troubleshooting.
Users cannot download some files from an FTP server in a program over VPN. Explanation: users work with a program, and inside the program they download claims (the software goes to the FTP server and downloads the file).
But the program returns an error 3018 in FTPGET. If the user goes to the old PPTP VPN it works like a charm, so the problem is the Cisco VPN.
I cannot post my complete config but we use the filter vpn value to associate a special access-list to a user.
The user that has this problem has this as an access-list.
access-list 201 extended permit ip 10.250.128.0 255.255.255.0 192.168.202.0 255.255.255.0
I've done some research and I've added this info:
policy-map global_policy
 class inspection_default
  inspect ftp
Still doesn't work.
I have to add that normally the internal network is 2.0 and not 202.0, but since we have users with 2.0 at home we had to do this.
So when a user sends a request to 202., the Cisco forwards it to the Juniper inside the network and it translates it back to 2.0. Also, that is the ONLY thing that doesn't work. The client can work all day on that program and it will work #1, except when she does the claims.
I have also been working on this VPN for 2-3 months without any problems.
I have a pair of ASA 5520s operating as an active/standby failover pair, with two contexts on them. I am planning to share the load and make it active/active, making the first context active on the primary unit and the second context active on the secondary unit. My question is whether this will disrupt any connectivity through these firewalls when I do "no failover" on the active/standby pair, assign the contexts to different failover groups, and enable failover again.
Recommend a low-cost Cisco-branded router/firewall for a clinic with perhaps 10 user workstations? We're looking for something that will support attaching a static VPN to a data center.
Currently we're using a Cisco RV082 in our office, but there might be a device which is more appropriate for the next office we connect to the data center. On the data center side we're using a Juniper SSG5.
I'm completely illiterate with Cisco appliances, but I'm taking care of an ASA 5505 that is configured as a firewall and has been working for the last few years. All of a sudden we are experiencing intermittent connection problems from the workstations. You can be browsing the internet and suddenly you'll get a server not found error, but you refresh it and it works. This is also intermittent; for no apparent reason it will start working normally again.
I am seeing a bunch of errors like this in the logs:
I am looking at deploying a pair of 5585X's in an active/active multiple context state. I am creating multiple contexts that need to be able to route to each other. I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts. I believe this will work, as basically I am just cascading the contexts and sharing interfaces.
The main problem I have come across is that if I deploy active/active across two appliances using 2 failover groups, I cannot see a way to route between them, for example.
I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2 in failover group 1 on appliance A with the respective standbys on Appliance 2. I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.
I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover. I do not believe that I can share an interface between contexts in two separate failover groups and, to be honest, without adding an L3 device between the appliances I am not sure if this is possible.
I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA, make the config changes on the primary, and then power on the secondary ASA? Or is there another way to do this?
I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth, so I will be able to configure the failover via a vlan as well as extend the ISPs to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue, but how is a redundant ISP configured in this mode? We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP2 in location B. We also want to have context B using the ASA in location B with ISP2 as the primary and failing over to ISP1 in location A. Would route tracking provide the desired result? Is there a better option?
I have 2 ASA 5520 firewalls with 1 AIP-SSM-10 module in each of them. The configuration is set using active/active failover and context mode.
Both of them run the IPS module individually. The IPS is configured using inline mode and the fail-open option. However, when one of the modules fails and the state changes from up to init or anything else making the IPS fail, then failover is detected and the ASA considers it a failover and bounces the context to the other unit.
IPS soft is 6.0(4) and ASA soft is 8.0(3)
I have checked the Cisco doc and it is confusing to me. It says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." But it really does participate. Running is not really an option because of the production network impact.
It is my understanding that the FWSM for the 6500 series switches uses a 6 port Etherchannel on the backplane to communicate with the 6500 series switch. Can you shut down vlan1 on the switch and still communicate with the FWSM? I was under the impression that you could not (although I am looking at a config with it shut down).
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When I replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
 description Connected To Internet Router
 switchport access vlan 10
I have an ASA 5505 with ASDM v5.2(4) and ASA v7.2(4). This platform has a base license. If I upgrade ASDM and ASA to v6.2(1) and v8.2(2), will I lose my license and need to activate them again? I configured a site-to-site VPN (this firewall and the other one); will I lose my configuration if I upgrade my firewall?
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings, to no avail. The problem I have is that I can't ping the new firewall on its inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet. I've included the ASA's running config in case anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no NAT going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different from the firewall's inside vlan number. I don't know if this is actually the problem, because the server can't connect out even if connected directly into the firewall.
Internet ISP -> Juniper SRX 210 Ge-0/0/0; Juniper fe0/0/2 -> Cisco ASA 5505; Cisco ASA 5505 -> Internal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as an inet port with the internal public LAN pool provided by the ISP. This port is directly connected to Cisco ASA 5505 E0/0. It's a /28 pool of IP addresses. This interface is configured as outside and the security level is set to 0.
From the Juniper SRX, I am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From the ASA I am unable to ping the public IP configured on the Juniper G0/0/0 port (/30).
2. From the ASA no other public Internet IP is pinging.
Troubleshooting done so far:
1. Configured icmp inspection on the ASA.
2. Used the packet tracer in the ASA; it shows the packet is flowing outside without a drop.
3. Allowed all services in the untrust zone inbound traffic in the Juniper SRX.
4. Viewed the logs when I was trying to ping 8.8.8.8 from the ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
Adding/removing/re-adding a workstation to a domain and Active Directory. We use DHCP at work for our addressing scheme. The problem I had when naming a new workstation the same as the one I am replacing on the domain was that I noticed the new PC with the same computer name as the previous PC was still trying to use the IP address that was assigned to the previous workstation by DHCP, so the new workstation was not showing an assigned IP address. I would try pinging the computer name, but there was no reply because it was still showing the IP address of the disconnected computer that had the same name.
- remove the faulty workstation from the domain to workgroup, then restart
- then from Active Directory, do I need to reset the computer name?
- then do a ipconfig /release on faulty workstation that has been removed from the domain to release the leased ip address in dhcp
- then disconnect the faulty PC and connect the PC I am using to replace the previous PC
- Name this workstation the same as the one I just disconnected and removed from the domain
You are appointed as a system administrator for a large company which has its own computer intranet hosting 150 workstations and around the same number of users. Write a few points explaining the roles you would expect to take on as part of your new employment in terms.
I have an office server set up to about 10 computers. We hired 4 new people and had to set up their computers on our network. Set up was easy and quick as usual. But when I was done, the other computer users, and even the new ones were complaining about not being able to access the DEFCON5 (name of our server) folder to get what they needed.
Basically, the only workstations that show up when I click Network are the computers I added the other day and the computer that is used more than any other computer (the CEO's). We can still access the files by typing the location as \DEFCON5****** and find what we need. But not everyone at my office is computer savvy (nobody is) and I would like to not have to keep running around and showing everyone this.
The 6509 Series Switches support the VSS Active-Active Chassis scenario. I would like to set up both switches as one virtual switch but working at the same time, not with an Active-Standby chassis.
My plan is to create a PortChannel across both 6509 switches in order to have 2 links, one connected to one slot/switch and the other connected to a slot/switch in the second 6509, for server redundancy.
I am working on a network which has two ISP connections (Active/Active) terminating on a router (ASR1000). From the LAN side (6500 switch) all the traffic needs to be routed on ISP1, but some specific subnets like 10.250.0.0/16 need to be routed on the ISP2 connection.
I am planning to use PBR and NAT with route maps. Any documents or references would be appreciated.
At the company I work for, there are a few "network drives" to which employees are given access so that any mutual file stored thereon may be shared between them and edited on demand. Not the best model, I know. Went to the server room a few minutes ago and found that "network drives" (P:), (L:) and (M:) seem to be invisible. Back at my workstation, I opened My Computer and saw all three on my screen.
We are having several workstations that are momentarily losing connection to our Windows Server 2008 machine that hosts their Documents etc. It seems like a momentary disconnection, and not everyone has complained, although I'm guessing that unless you are trying to locate a file etc. at that moment you might not notice. Here is the error message I see in the event logs on the server:
Source: srv, Event ID: 2012, Level: Warning
While transmitting or receiving data, the server encountered a network error. Occasional errors are expected, but large amounts of these indicate a possible error in your network configuration. The error status code is contained within the returned data (formatted as Words) and may point you towards the problem. So, where would you guys start with something like this? Either my HP Procurve 1800-24G doesn't have much in the way of error logs, or I don't know where to look. Would you start with changing the port on the switch, changing the network cable, or do you think it's more likely to be something on the server itself?
I faced one problem in our core switch 4507R. The active sup lost connection and the standby became active. We got a lot of errors/alerts on the console, shown below. [Code] Also, when I reloaded the switch with the reload command, only both sups got reloaded, but I want to reload all the modules, and the reload command does not give any options for that.
We have an Active/Active ASA 5520 setup. As far as I know, in an Active/Active setup there is no remote VPN access, so how could I overcome this limitation? I have a solution but I don't know if it is applicable or not: we have a spare ASA 5510, so I can use it behind the Active/Active firewalls, assign a public static NAT IP address to it, open all IPSEC and VPN ports, and let the remote users connect to it. Is this an applicable setup or not?
I'm trying to get a Catalyst going for remote management using Cisco Network Assistant. I've basically enabled telnet:
enable
conf t
line vty 0 15
password {password}
login
exit
gave it an IP:
int vlan1
ip address {IP} {Subnet}
no shutdown
exit
[code]...
and write mem to save it all. I can ping, telnet and access Cisco Network Assistant from inside the network perfectly. But the problem I'm having is accessing it from outside; I can't even ping the device. I can ssh to other servers behind the network just fine. There is no firewall in place at the moment; the provider's drop is plugged into gige port 1.
In default mode the ASA 5505 is set up with two VLANs, one inside and one outside. Vlan1 is the default inside VLAN, with IP 192.168.1.1. I would like to change the subnet of Vlan1 to 192.168.10.1, but when I do, no Ethernet port is assigned to Vlan1 anymore (was 0/1 - 0/7). What I have done is:
#config t
(config)#interface vlan 1
(config-if)#ip address 192.168.10.1 255.255.255.0
But after that, no Ethernet port is within Vlan1, so I tried the following to assign one (port 0/1):
#config t
(config)#interface 0/1
(config-if)#switchport access vlan 1
(config-if)#no shut
But nothing happens when monitoring (#show run) interface 0/1 (no Vlan assigned).
I have a WRV210 router set up with WPA Personal-AES encryption. SSID broadcast is turned on. The issue is that workstations lose connectivity to the internet and to a mapped network drive on the server. When this happens I find that the wireless status shows "connected", along with excellent signal strength. It never happens when logging on, just after so many minutes. The simple remedy is to repair the wireless connection, but we would like to not have to resort to this every day. Further, I found that within the repair connection sequence, deleting the address resolution protocol table brings back the internet and the ability to access the mapped network drive. I even used a program called arpfreeze to assign static IPs to the ARP table and I still had to repair the wireless connection. It does not matter where the workstations are placed, whether sitting 50 feet away or 5 feet from the router; the workstations lose the ability to access the internet and the mapped drive while showing "connected" and excellent signal strength. Otherwise, we are looking at running ethernet cables through the building (not easy).
We have a number of sites running Cisco 881 routers. A few of the sites are connected by IPSec VPN tunnels that have been configured using Cisco CCP without any issues until now. At one location I can ping from a workstation on Site1 to Site2; however, I cannot ping from the same workstation on Site2 back to Site1.
Here is a strange behavior. If I have a continuous ping going from Site1 - Site2 and then start a continuous ping from Site2 - Site1 then I get a response until I stop the ping from Site1 - Site2. Site 1 has approximately 5 successful tunnels with absolutely no issues.
Site 2 Cisco 881 running Version 15.2(3)T1
crypto isakmp policy 2
 encr 3des
 group 2
crypto isakmp key ThePreShareKey address TTT.UUU.VVV.224
[code].....
For additional troubleshooting I established a VPN tunnel from Site2 to our office Site3 with no issues at all. Site3 happens to be one of the VPN tunnels that connects to Site1 with no issues. I have seen a number of articles on this on the net and gone through the troubleshooting steps of an article such as [URL]. The tunnel is confirmed as up when I have done all my troubleshooting.