Cisco Firewall :: ASA5510 Dual ISP And VPN On Backup
Dec 19, 2012
ASA5510 ios v8.4.I've setup dual ISPs and I'm trying to get ipsec VPN client access to work on the backup interface (outside-backup). The goal is to have outbound traffic on the inside subnet NAT'd through the main interface (outside) while inbound ipsec VPN clients connect and operate off of outside-backup.crypto map is applied to 'interface outside-backup,' however clients are unable to connect. If I switch the default route to go through outside-backup everything starts to work again.
View 1 Replies
ADVERTISEMENT
Dec 12, 2012
Looking to have an ASA5510 with two internet feeds. Moreover, I would like to have my static nat translations continue to work on the backup feed. I have outbound nat working, however I cannot get the inbound nat to work. I had this all figured out in 7.x but now with 8.x I cannot seem to get it working. If anyone has a 8.x example config.
View 4 Replies
View Related
May 22, 2012
how can I setup that the backup connection will start but after 30s of icmp timeout the default gateway (tracket object - 192.168.1.1)
My configuration:
sla monitor 123
type echo protocol ipIcmpEcho 192.168.1.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.2.1 254
track 1 rtr 123 reachability
View 2 Replies
View Related
Sep 30, 2012
At the moment we want to connect the ASA on two seperate internet connections . We create one LAN interface and two WAN interfaces. Now we want to create nat rules nat our outgoing traffic. After some research and testing (on a 8.0(4) asa) we have it working.
But now we want to implemate it on our ASA, but it works a lot differerent. I can't create a nat pool (at the 8.0(4) i can assign the second interface to the existing pool) wit two interfaces,
View 1 Replies
View Related
Feb 29, 2012
I want to create a Dual DMZ in a ASA5510 however it is not like I used to in ASA5505?In ASA5505 I create a Outside, Inside and DMZ VLAN and there after add the interfaces into the VLAN.This way I can have two DMZ interfaces, but how do I do it in a ASA5510?
View 1 Replies
View Related
Dec 17, 2012
I'm looking for an example config of how to run dual ISPs while doing port fowarding for one of the publicly facing IPs. This is on 8.4 so
View 1 Replies
View Related
Jan 3, 2013
I have the need to configure a backup VPN, I have remote branches with cisco 800 routers that make a VPN to an ASA5510 in the main offices, but as a DRP I want to have a backup VPN to another site. I dont know if it is a failover configuration or backup VPN, how to start investigating.
View 2 Replies
View Related
Nov 22, 2010
I am trying to create a backup tunnel from an ASA 5505 to a pix 501 in the case of the Main ISP failing. The Pix external side will stay the same, but not quite sure how I can create a new crypto map and have it use the Backup ISP interface without bringing down the main tunnel.
My first thought was to add the following crypto map to the configuration below: [code]
View 5 Replies
View Related
Mar 4, 2011
I have two ISP circuits and the following devices in hand:
1. Cisco ASA 5510
2. Cisco 2800 router
3. Cisco 3750 switch
I've finished a part of the configs on above equipments, please refer to the attached diagram.And I'm making a test in order to achieve the below features:
1. By default, packets from PC1 go out through ISP 1. Packets from PC2 go out through ISP 2
2. When ISP 1 is down, packets from PC1 changed its way to ISP 2 through the 2800 router. And when ISP 2 is down, Packets from PC2 changed its way to ISP 1 through ASA 5510.
View 2 Replies
View Related
Nov 2, 2011
We have an ASA 5510 with ~100 vpn lan2lan. Now we need to migrate to a new ISP, so we have connected a new asa interface to the internet. Default gw is still on old connection. We are trying to migrate vpn lan2lan using static routes, pointing ip of remote vpn gateway to new isp gateway. VPNs going up, but when they try to send traffic, I can see Rx counter growing up, but Tx remains 0.. I've tried with different vpn (old and completely new), and problem remains.
View 1 Replies
View Related
Jul 7, 2012
i have two public IPs on ASA5510 + Remote Access VPN Client, what i want to achieve is, i want VPN client users to be able to login using any of the two ISP's IP to remote connection to the ASA. what is the command to use to achieve this.
Secondly, i have setup the primary link VPN through ASDM but thinking i should do the same thing and add the "backup" interface.
View 1 Replies
View Related
Jun 6, 2012
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies
View Related
Jun 11, 2012
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
View 7 Replies
View Related
Jun 29, 2011
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
View 7 Replies
View Related
Sep 10, 2012
i have a ASA5510 in the office, that already configured 3 context, namely, admin, user, server.in the server context, the last running config was not saved, and there was a power trip last friday night. 1 of the sub interface was affected, and i need to recreate that interface.I am getting the below error, it only allow me to do changes those pre-defined interface.how to I create extra sub interface?
View 3 Replies
View Related
Jul 21, 2011
I have a ASA5510 and I have a question about the speed the ports can handle, here is one port:
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.
View 2 Replies
View Related
Feb 22, 2012
i have cisco ASA 5510 Firewall using in my network, i have planning to upgrade the Flash memory from 256 mb to 512 mb and the RAM from 256 mb to 1GB.
View 1 Replies
View Related
May 8, 2012
I am working with a client that currently has an ASA 5505 with two ISPs for failover using a tracked interface. I would like to configure logging so that the ASA will email us when the Primary ISP goes down and fails over to the backup. Here is what I have so far...
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
[code]....
The primary interface is Outside and the backup is obviously Backup
View 2 Replies
View Related
Jun 13, 2011
I'm having problems configuring an asa 8.2(1) with a backup isp. I followed the asdm instructions in this document: [URL]
I have my backup interface configured as DHCP and the static routes set. Pinging the gateway and other external IP address from the backup interfaces works normally. I have also tried configuring the backup interface as a static address but got the same results.
When removing the primary wan link, all traffic stops. When I ping a external DNS, I get these errors in the log: portmap translation creation failed for udp src inside: 192.168.13.23 dst backup:208.67.222.222_type 8, code0)
I though this type of error is related to a NAT problem, not sure where to look though.
View 4 Replies
View Related
Nov 21, 2011
I have setup ASA 5505 with 2 ISP, named outside (primary) and backup, the scenario is if outside down, then backup will take over, it works now. But it is not working when the primary connection cannot reach the gateway with the interface still up.
Is it possible when the primary connection cannot reach the gateway then backup automatically take over?
My configuration is:
ASA Version 8.2(1)
!
hostname cisco
[Code].....
View 4 Replies
View Related
Jun 3, 2012
I installed a new ASA 5512-X over the weekend for a client. Their backup ISP connection is DHCP based. I need to use the 'dhcp client route track' command on the interface, but it is not available. However according the all the documentation I am looking at and even the ASDM says it should be available.
This is the version of ASA and ASDM they are running:
Cisco Adaptive Security Appliance Software Version 8.6(1)1
Device Manager Version 6.6(1)
I did upgrade to the latest ASA software, so has this command been removed? If I do a '?' in the interface, there isn't a 'dchp' option.
View 2 Replies
View Related
Jun 12, 2013
I have a production ASA 5505 that is working perfectly. I wanted to take a spare ASA 5505 and copy the running config to it so that I would have a backup unit that could be swapped out if the production unit went down.
Both units have security plus and running 8.2(1). The only difference is that the production ASA has 512MB of RAM while the backup ASA has 256MB. Also the backup has anyconnect and the production unit does not.
I copied the running-config to my tftp server and then copied the running config from my tftp server to the backup ASA as startup-config. After reload the device booted with an identical configuration to my production ASA, but after swapping out the units to test it, I have no access to the WAN or DMZ from my LAN. Swapping back to the production unit and all works as it should.
I printed out the running config from both devices and compared them line by line. They are identical except for the anyconnect line on the backup ASAs config file.
View 5 Replies
View Related
Apr 5, 2011
I would like to setup backup ISP in our ASA5510. Right now the the firewall has for default gateway following command:
"route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" i am changing this to route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1 ...so i can setup sla monitoring. As soon as i do the above command and remove the original "route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" from asa then internet connection drops. Right now asa interface Ethernet0/0 has main isp configured and configuring interface Ethernet0/3 as backup. interface Ethernet0/3 name if backup security-level 0 ip address 114.324.321.34 255.255.255.252 no shut global (backup) 1 interface.
route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1 ( Right now in firewall i have" route outside 0.0.0.0 0.0.0.0 114.324.321.33 1 " ) route backup 0.0.0.0 0.0.0.0 115.283.212.23 20 track 2
track 1 rtr 1 reach ability
track 2 rtr 2 reach ability
sla monitor 1type echo protocol ipIcmpEcho 114.324.321.33 interface outside sla monitor schedule 1 life forever start-time now sla monitor 2type echo protocol ip Icmp Echo 115.283.212.23 interface backup sla monitor schedule 2 life forever start-time now. Also our firewall has site to site vpn and 1 main ip configured for exchange and remote access.
View 4 Replies
View Related
May 4, 2012
I have a cisco asa 5510 with security plus license in Live enviroment . I need to add a secondary firewall . I was planning to do in active /standby mode for failover .But i have a doubt , when i do "show version " on live asa output says Active /active failover , does this means that i can only configure failover in active/active mode not in active/standby (which i want to do )?
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5505 Security Plus license...
View 4 Replies
View Related
Feb 12, 2012
i am using Cisco ASA5510 Firewall in my Network in the distrubition Layer .Private Range of Network Address use in the Network and PAT at the FW for address translation.presently encountering an issue the users behind the FW in my network unable to RDP at port 2000 presented at the Client Network.Able to Telnet on port2000 but not RDP . any changes needed at the FW end to get the RDP Access.
View 12 Replies
View Related
Sep 13, 2011
I need to implement the backup between two sites I have router 2800 which is having a point to point connectivity with the far end.At the far end there is no router ,only one firewall is there on that firewall one access-list is there to allow the traffic .To implement the back up link i have created a site to site vpn .But the problem is as soon as the tunnel is establised .For the time being i have removed by site to site config from both firewall.
View 7 Replies
View Related
May 29, 2012
ow to backup Cisco ASA-5510 from a Linux server via TFTP?I do know how to backup a switch or a router. Basically creating an access list such as:
access-list 55 remark PERMIT hosts requesting TFTP access
access-list 55 permit host 172.16.0.27
and allowing access to
tftp-server nvram:startup-config 55
all this inside the router or the switch. From the Linux box just running a simple command such as:
tftp 172.16.0.3 -c get startup-config newbackup.conf
where 172.16.0.3 is the IP address of the switch and newbackup.conf is the name of the config file stored on the Linux machine.So, how do I do that with an ASA box? how to backup ASA from inside it.
View 1 Replies
View Related
Jan 28, 2013
I'm working on setting up a backup link for our ASA 5505 and I've followed these directions: [URL]
The backup ISP gives us a dynamic address, however, when I enable the backup ISP's interface on the ASA, my vpn tunnels drop. As soon as I disable the backup interface, the tunnels come back up. I'm attempting to configure this across one of these tunnels, so obviously this is an issue, as is the fact that other people need the tunnels as well. I'm not sure what I did to make this happen, but I've been over the config many times and can't see anything different from the instructions in the link above.
I thought it might be trying to route traffic across the backup interface, but my primary interface is tracked and has SLA running on it, so I would assume it wouldn't roll over onto the backup interface.
View 1 Replies
View Related
Nov 15, 2011
On our cisco 3750 switches we can take config backups with the archive command. After every "write mem" it rights the config to our backup server. We would like to do this also for our asa 5520 with version 8.2(2). I also searched in the command reference guide, but I can't seem to find the proper command to do it.
View 2 Replies
View Related
Feb 20, 2011
I like to take log backup in ASA.. and i like to check whether any attack pattern is there?? how could i do this...?Also how could i do a best practise for this?
View 12 Replies
View Related
Oct 29, 2012
I have 5505 license with default 10 user license, want to increment the remote vpn user to 50 user license;will it be on yearly basis.Another question, can we purchase security plus license for configuring the failover config ,as well support the 50 user license on the same..
View 3 Replies
View Related
Feb 15, 2012
I have a ASA 5510. I setup basic configuration to test internet with 2 ISPs. My first line works with out any problem. But my second line doesn't work. Even when i wipe the configuration, and setup only my second isp. Internet doesn't work. Can you tell me if there is anything wrong with this config?
CaaaA01# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname CaaaA01
domain-name example.com
[code].....
View 2 Replies
View Related
Nov 3, 2011
I have a client that has an ASA 5520 that has two internet connections, FIOS and Comcast. The ASA is configured to failover from the FIOS to the Comcast if the FIOS fails. This works perfectly fine. However, I was wondering if VPN and other inbound traffic will come into the secondary connection when it is active. I think VPN will work inbound when the FIOS connection fails, but I am not sure about the other inbound connections.
View 1 Replies
View Related