Cisco Firewall :: ASA5510 - Number Of Hits For ACL
Sep 29, 2011
I am using an ASA5510, and I would like to know if we should reset the number of hits for an ACL? Actually this number increases in front of each ACL. Is there any specific configuration?
View 4 Replies
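As an added example (not from this post or from Cisco), here is how a practitioner would work with the per-ACE hit counters rather than reset them by reflex: parse `show access-list` output, list ACEs that have never matched, and diff two snapshots so that a counter that was cleared in between (the reset the post asks about) is handled instead of producing a negative delta. The ACL text below is constructed in the ASA 8.x `show access-list` line format (`access-list NAME line N ... (hitcnt=N) 0xHASH`); the ACL names, addresses (RFC 5737 ranges) and hash values are invented. The trailing `0x` value on each line is the ACE hash, which stays stable when rules are inserted and line numbers shift, so it is used as the key. The same approach applies to any platform that prints a per-line counter.

```python
"""Parse ASA `show access-list` output and work with per-ACE hit counters.

Added example, not from the original post: the sample output below is
constructed in the ASA 8.x `show access-list` format; ACL names, addresses
and hash values are made up.
"""
import re
from typing import Dict, List, NamedTuple

SNAPSHOT_BEFORE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 4 elements; name hash: 0x6892a938
access-list outside_in line 1 extended permit tcp any host 203.0.113.22 eq https (hitcnt=18231) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 203.0.113.22 eq ssh (hitcnt=0) 0x2b3c4d5e
access-list outside_in line 3 extended deny ip 198.51.100.0 255.255.255.0 any log debugging interval 300 (hitcnt=9442) 0x3c4d5e6f
access-list outside_in line 4 extended deny ip any any (hitcnt=77) 0x4d5e6f70
access-list inside_out; 2 elements; name hash: 0x7f1c2e9b
access-list inside_out line 1 extended permit ip 10.10.0.0 255.255.0.0 any (hitcnt=503117) 0x5e6f7081
access-list inside_out line 2 extended deny ip any any (hitcnt=0) 0x6f708192
"""

# Same ACL a few minutes after `clear access-list outside_in counters`:
# every counter restarted from zero, so the raw values are lower than before.
SNAPSHOT_AFTER = """\
access-list outside_in; 4 elements; name hash: 0x6892a938
access-list outside_in line 1 extended permit tcp any host 203.0.113.22 eq https (hitcnt=219) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 203.0.113.22 eq ssh (hitcnt=0) 0x2b3c4d5e
access-list outside_in line 3 extended deny ip 198.51.100.0 255.255.255.0 any log debugging interval 300 (hitcnt=120) 0x3c4d5e6f
access-list outside_in line 4 extended deny ip any any (hitcnt=3) 0x4d5e6f70
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)$"
)


class Ace(NamedTuple):
    acl: str
    line: int
    rule: str       # e.g. "extended deny ip any any"
    hits: int       # cumulative since the last clear or reload
    ace_hash: str   # stable identifier; line numbers shift when rules are inserted


def parse_access_list(text: str) -> List[Ace]:
    """Keep only the per-ACE lines; the header and cached-flow lines are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["rule"], int(m["hits"]), m["hash"]))
    return aces


def unused_aces(aces: List[Ace]) -> List[Ace]:
    """ACEs that have never matched: candidates for removal after a review window."""
    return [a for a in aces if a.hits == 0]


def hit_deltas(before: List[Ace], after: List[Ace]) -> Dict[str, int]:
    """Hits accumulated between two snapshots, keyed by ACE hash.

    A counter lower than in the previous snapshot means it was cleared in
    between (or the box reloaded); the new value is then the whole delta.
    """
    prev = {a.ace_hash: a.hits for a in before}
    deltas = {}
    for a in after:
        old = prev.get(a.ace_hash, 0)
        deltas[a.ace_hash] = a.hits if a.hits < old else a.hits - old
    return deltas


def noisy_denies(after: List[Ace], deltas: Dict[str, int], threshold: int) -> List[Ace]:
    """Deny ACEs that grew by at least `threshold` hits between snapshots:
    the ones worth a syslog filter on their hash rather than a glance at the counter."""
    return [a for a in after
            if a.rule.split()[1] == "deny" and deltas.get(a.ace_hash, 0) >= threshold]


if __name__ == "__main__":
    before = parse_access_list(SNAPSHOT_BEFORE)
    after = parse_access_list(SNAPSHOT_AFTER)
    for a in unused_aces(before):
        print(f"never hit: {a.acl} line {a.line}: {a.rule}")
    d = hit_deltas(before, after)
    for a in noisy_denies(after, d, threshold=100):
        print(f"busy deny: {a.acl} line {a.line} +{d[a.ace_hash]} hits ({a.ace_hash})")
```

Feed it two captures taken some minutes apart; the deltas are what tell you whether a deny is being hammered right now, which the cumulative counter alone cannot.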
Apr 13, 2013
I am trying to find the part number for the Cisco SMARTnet Maintenance 8x5xNBD for the Cisco ASA5510-SEC-BUN-K9. I browsed the Cisco website, tried the Dynamic Config tool, forums etc., but no luck.
1: How do I find the part number for it?
2: Which tool can be used to find SMARTnet or other maintenance details/part numbers?
3: Is there any specific tool other than Dynamic Config to generate a BOM?
View 1 Replies
Aug 10, 2011
I allowed one of the internal IPs using static NAT, and the public IP is 203.18.137.22, and I want to check which IPs are hitting this public IP. Is there any command to check which IP is hitting 203.18.137.22? I have the Cisco ASA 5520 firewall.
View 6 Replies
Dec 20, 2011
I'm running into this issue on an ASA 5520 running version 8.2(2)9 and ASDM version 6.2(1).
I have an ACL denying traffic to a certain IP range and the logging level set to Debugging. The hit count is rising quite rapidly but when selecting "Show Log" the Real-Time Log Viewer opens with a value of 0x13d0ee2a in the "Filter By" field and no logs are ever shown.
Logging is enabled globally and Logging Filters on ASDM is set to Debugging as well.
How can I get the RTLV working?
View 7 Replies
Jun 6, 2012
The ASA 5510 has two models, BUN-K9 and SEC-BUN-K9; from the datasheet I found that the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?
View 3 Replies
Aug 17, 2011
I'm aware ACLs are handled in hardware on the ASR platform, but I wondered if there was any way to inspect how many hits we get on each line of an ACL on the ASR. I can't seem to find a command to do this.
Using LOG is not possible due to the large number of hits.
View 2 Replies
May 4, 2013
After running for about one month, my SG200-08 hit 100% CPU and pings increased from under 1ms to 300ms. I purchased the SG200-08 for home due to its support for IGMP snooping. I have a TELUS Optik TV service at home which uses the Microsoft Mediaroom platform and multicast on the local LAN. When the SG200-08 hits 100% CPU, my Cisco STBs start to exhibit multicast issues due to delayed or dropped IGMP messages. I recently upgraded the SG200-08 to firmware 1.0.6.2 hoping that it would fix the issue, but it hasn't worked. [code] Smoking latency graph of the SG200-08 ICMP response time. On May 1st the CPU spiked to 100% and the latency increased to 300ms. The problem has been occurring since I installed the SG200-08, with the CPU spiking to 100% about once a month. Rebooting the SG200 will clear the issue.
View 3 Replies
Nov 17, 2011
Is there any significance to the parameter "firewall-group" in the command
firewall vlan-group <firewall-group> <vlan-id>…<vlan-id>?
In other words is the series of commands
firewall switch 1 module 3 vlan-group 1,2
firewall vlan-group 1 100,101,102
firewall vlan-group 2 200,201,202
exactly equivalent to
firewall switch 1 module 3 vlan-group 3
firewall vlan-group 3 100,101,102,200,201,202
or
firewall switch 1 module 3 vlan-group 1,2,3
firewall vlan-group 1 100,200
firewall vlan-group 2 101,201
firewall vlan-group 3 102,202
All three of these options associate the same set of vlans to the FWSM but using different groupings. As far as I can tell, these groupings have no functional significance either on the switch side or the FWSM side. These are simply three different ways of specifying exactly the same thing? Am I correct?
View 2 Replies
Dec 11, 2011
My network has two connections to a third party via links on two separate ASAs, one in location A and one in location B. The link in location A is the primary connection, and the other in location B should be used by only two terminals (term1, term2) in location B. The ASAs are running OSPF and are redistributing static routes as metric-type 1 in OSPF. In order to achieve the aforementioned goal, I have configured a route-map on the ASA in location B that sets the metric for the route towards the third party to a high value (100). This way, all routers, even those in site B, prefer the exit through location A (metric about 24).
I have checked that my routers correctly have the route to the 3rd party through location A, and the OSPF database has records for the network from both locations. In location B, I have configured the following route-map (on the 6509):
route-map PREFER-LOCAL-ROUTER permit 10
 match ip address XXX
 set ip next-hop locationB-ASA
!
interface vlanYYYY
 ip policy route-map PREFER-LOCAL-ROUTER
[code]....
From the terminals (term1 and term2) I have tried a traceroute towards the 3rd party's subnet, but I don't get any match on either the access-list or the route-map. Unfortunately I have no other way to test that my configuration is correct, since the application on the terminals that should access the 3rd party network is not currently running.
I also added the statements below to the access-list, because of the test with tracert:
permit icmp host term1 route_to_3rd_party 0.0.255.255
permit icmp host term2 route_to_3rd_party 0.0.255.255
Nothing changed... Is there something wrong with the above config? Is there a chance that there is a problem with the IOS, that it simply doesn't show any hits?
View 9 Replies
Nov 4, 2011
How should I configure an NX7000 to log ACL hits to a remote syslog server?
View 10 Replies
Jun 11, 2012
I am able to ping from the switch to the firewall inside IP and the user desktop IP, but unable to ping from the user desktop to the FW inside IP. The config is below for both the switch and the FW (Cisco ASA5510).
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
View 7 Replies
Jun 29, 2011
I have two ASA5510s set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one runs just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from the console. It's just a huge crash dump. Is there anything I might have missed during the upgrade? Should I cold-boot both firewalls in the correct order?
View 7 Replies
Mar 26, 2011
I have some tunnels which terminate to my home router. I'm allowing the other ends of the tunnels to use my voice setup. I need to prepend *67 to all called numbers which don't originate from my house. I don't want people calling my home number based on the caller-id number they see when someone across one of the tunnels calls.
So if 5008 calls 212-333-4444 I want it sent to my provider as *672123334444. If 5001 calls a number, I don't want it touched. Can I do this? I can use IOS or CUCM here.
View 13 Replies
Sep 10, 2012
I have an ASA5510 in the office that already has 3 contexts configured, namely admin, user and server. In the server context, the last running config was not saved, and there was a power trip last Friday night. One of the sub-interfaces was affected, and I need to recreate that interface. I am getting the below error; it only allows me to make changes to those pre-defined interfaces. How do I create an extra sub-interface?
View 3 Replies
Jul 21, 2011
I have a ASA5510 and I have a question about the speed the ports can handle, here is one port:
interface Ethernet0/2
 speed 100
 shutdown
 no nameif
 no security-level
 no ip address
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.
View 2 Replies
Feb 22, 2012
I have a Cisco ASA 5510 firewall in use in my network, and I am planning to upgrade the flash memory from 256 MB to 512 MB and the RAM from 256 MB to 1 GB.
View 1 Replies
Jan 21, 2013
I say the answer is ten. That means ten hosts can be behind the firewall and hit the internet. The eleventh doesn't get to go out. I'm being told by a coworker that the "10" in the part number refers to the number of IPsec VPN peers.
Who's right?
I say if you want an unlimited number of users on the inside to be able to get to the internet, you need the ASA5505-SEC-BUN-K9
Mfg. Part: ASA5505-SEC-BUN-K9
Mfg. Part: ASA5505-50-BUN-K9
Mfg. Part: ASA5505-BUN-K9
Cisco ASA 5505 10-User Bundle includes 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 Premium VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license ASA5505-BUN-K9
View 2 Replies
May 4, 2012
I have a Cisco ASA 5510 with a Security Plus license in a live environment. I need to add a secondary firewall. I was planning to do it in active/standby mode for failover. But I have a doubt: when I do "show version" on the live ASA, the output says Active/Active failover. Does this mean that I can only configure failover in active/active mode, not in active/standby (which I want to do)?
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5505 Security Plus license...
View 4 Replies
Feb 12, 2012
I am using a Cisco ASA5510 firewall in my network in the distribution layer. A private range of network addresses is used in the network, with PAT at the FW for address translation. I am presently encountering an issue: the users behind the FW in my network are unable to RDP on port 2000 presented at the client network. They are able to telnet on port 2000 but not RDP. Are any changes needed at the FW end to get the RDP access?
View 12 Replies
Sep 10, 2012
Is there a cisco best practice on the maximum number of NAT statements on a Cisco ASA? We have a 5520 and a coworker is adding static NAT policies so a vendor can monitor around 1,029 nodes. The problem is each node inside is a 10.X.X.X and to keep the IPs from overlapping with other customers the vendor monitors they would like us to NAT to a 172.16.X.X scheme.
View 3 Replies
Jan 5, 2013
What is the max number of policies the ASA 5525-X supports? I don't find it in the datasheet.
View 5 Replies
Apr 12, 2011
On my Pix515E ASDM console I quite often see large surges in the total number of connections. I would like to find a convenient way to see what (or who) is causing this.
The command Show Local gives the answers but it returns details of each connection and I can't see a way to omit the detail. Show Conn Count just gives the total. Ideally I would like to get a summary of the number of connections (TCP/UDP) for each inside host.
On a related matter, I have used
static (inside,outside) 12.34.56.00 2.34.56.00 netmask 255.255.255.0 tcp 400 100 udp 200
to limit the number of connections to a subnet. This works and I see errors in the syslog when the limit is exceeded, but when I change the limits and apply the changes, the syslog errors still show the previous limit being reached. How can I make changes to these connection limits take effect (without reloading the Pix)?
View 3 Replies
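As an added example (not from either post, nor Cisco's tooling), here is the kind of summary the two connection-related questions above are after: per-inside-host TCP/UDP connection counts and top talkers for the PIX 515E question, and, for the earlier ASA 5520 question, a count of which remote peers are talking to a given inside host, which for a static NAT is the real inside address the public IP maps to. The `show conn` lines below are constructed in the pre-8.3 PIX/ASA format (`TCP out A:p in B:p idle ... flags ...`) with RFC 5737 addresses; the parser assumes the first endpoint is the remote peer and the second the inside host, and tolerates the longer interface names and commas of later releases only at the regex level. The `over_limit` check treats the `tcp`/`udp` maximums per inside host, a simplification labelled as such in the code.

```python
"""Summarise PIX/ASA `show conn` output per inside host.

Added example, not from either post: the sample is constructed in the
pre-8.3 `show conn` line format; addresses are RFC 5737 documentation ranges.
Assumption: the first endpoint on a line is the remote peer, the second the
inside (real) host.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_SHOW_CONN = """\
7 in use, 119 most used
TCP out 203.0.113.5:51234 in 10.1.1.20:443 idle 0:00:05 Bytes 1234 flags UIO
TCP out 203.0.113.5:51235 in 10.1.1.20:443 idle 0:00:02 Bytes 980 flags UIO
TCP out 198.51.100.9:40001 in 10.1.1.20:443 idle 0:00:01 Bytes 120 flags saA
UDP out 192.0.2.53:53 in 10.1.1.20:33011 idle 0:00:10 flags -
TCP out 198.51.100.9:40002 in 10.1.1.31:3389 idle 0:01:12 Bytes 50211 flags UIO
UDP out 192.0.2.53:53 in 10.1.1.31:33012 idle 0:00:03 flags -
UDP out 192.0.2.53:53 in 10.1.1.31:33013 idle 0:00:03 flags -
"""

# Interface names may be "out"/"in" (pre-8.3) or full nameifs; either is accepted.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<oif>\S+)\s+(?P<oaddr>[\d.]+):(?P<oport>\d+)\s+"
    r"(?P<iif>\S+)\s+(?P<iaddr>[\d.]+):(?P<iport>\d+)"
)


class Conn(NamedTuple):
    proto: str
    outside: str   # remote peer address
    inside: str    # inside (real) host address


def parse_show_conn(text: str) -> List[Conn]:
    """Keep only connection lines; the 'N in use' header is skipped."""
    conns = []
    for raw in text.splitlines():
        m = CONN_RE.match(raw.strip())
        if m:
            conns.append(Conn(m["proto"], m["oaddr"], m["iaddr"]))
    return conns


def conns_per_inside_host(conns: List[Conn]) -> Dict[str, Counter]:
    """{inside host: Counter({'TCP': n, 'UDP': m})}: the per-host summary
    that `show conn` itself does not give (`show conn count` is only a total)."""
    per_host: Dict[str, Counter] = defaultdict(Counter)
    for c in conns:
        per_host[c.inside][c.proto] += 1
    return dict(per_host)


def top_talkers(per_host: Dict[str, Counter], n: int = 5) -> List[Tuple[str, int]]:
    """Inside hosts by total connection count, busiest first (ties by address)."""
    totals = [(host, sum(cnt.values())) for host, cnt in per_host.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))[:n]


def sources_to(conns: List[Conn], inside_host: str) -> Counter:
    """Remote peers with connections to one inside host, counted per connection.
    For a static NAT, pass the real inside address the public IP maps to."""
    return Counter(c.outside for c in conns if c.inside == inside_host)


def over_limit(per_host: Dict[str, Counter], tcp_max: int, udp_max: int) -> List[str]:
    """Hosts that would exceed given TCP/UDP maximums. Simplification (assumed
    here): limits are applied per inside host, which lets you size the values
    on a `static` before tightening them."""
    return sorted(h for h, cnt in per_host.items()
                  if cnt["TCP"] > tcp_max or cnt["UDP"] > udp_max)


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    per_host = conns_per_inside_host(conns)
    for host, total in top_talkers(per_host):
        print(f"{host}: {total} conns ({dict(per_host[host])})")
    print("peers of 10.1.1.20:", dict(sources_to(conns, "10.1.1.20")))
    print("over tcp=2/udp=5:", over_limit(per_host, tcp_max=2, udp_max=5))
```

Capture `show conn` to a file (or pipe it over SSH) and run the script on that instead of the constructed sample; the functions do not depend on the sample.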
Sep 27, 2011
How can I find the serial number at Cisco PIX-515E ?
View 2 Replies
Feb 15, 2010
It is showing "Your firewall has a version number null which is not supported by ASDM 6.2(5)". I received this error when trying to run ASDM on my ASA 5505. I upgraded the image and ASDM, trying different versions. I used many different versions of Java, all to no avail.
View 4 Replies
Jul 5, 2012
How many user accounts i can create to a Cisco ASA box? Say for example a Cisco ASA 5510 or Cisco ASA 5520?
View 5 Replies
Jul 3, 2011
I would like to order the CSC-SSM module card with the Plus license, but I don't know which part number has it. Plus license: adds anti-spam, anti-phishing, URL blocking/filtering and content control.
I saw part number ASA5510-CSC10-K9, but it is the standard license and it doesn't add anti-spam, anti-phishing, URL blocking/filtering and content control.
Note: I use an ASA 5510.
View 1 Replies
Oct 24, 2011
I have a faulty ASA5520 and I am not sure if I have a SMARTnet contract for it or not (I manage over 200 ASAs). The problem is that the serial number sticker that is normally on the back of the ASA is missing. The ASA5520 is also faulty and doesn't power on, so I cannot boot it up and run 'show ver' or similar. If I open the chassis there appear to be other serial numbers on the power supply, motherboard etc., but they do not seem to be the correct chassis serial number, i.e. not in the right format, and if I put them into the trade tool I get no results.
There must be another record of the serial number besides one sticker on the rear of the chassis that can fall off? How can I get the chassis serial when the device isn't booting? Or (Cisco) is there a way to find the chassis serial number from the power supply or motherboard serial?
View 4 Replies
Jan 22, 2013
This is the second one of the new ASA 55.5X series appliances where I have seen this issue: when I do SHOW VERSION, I can see the serial number displayed. However, this does not match the serial number from the sticker affixed to the outside of the chassis. This makes it confusing when opening TAC cases and for updating licenses.
View 8 Replies
Feb 22, 2011
I have an ASA 5520 running version 8.2(1) and I am having an issue with ASDM sessions. I can SSH into the ASA and have tried to clear the sessions, but they do not clear, as per below.
largoGW# sh asdm session
0 dguselnx
1 dguselnx
2 dguselnx
3 dguselnx
4 dguselnx
largoGW# confi t
largoGW(config)# asdm disconnect 0
largoGW(config)# asdm disconnect 1
largoGW(config)# asdm disconnect 2
largoGW(config)# asdm disconnect 3
largoGW(config)# asdm disconnect 4
largoGW(config)# exit
largoGW# sh asdm session
0 dguselnx
1 dguselnx
2 dguselnx
3 dguselnx
4 dguselnx
largoGW#
An interesting point: the host dguselnx is my linux based computer that I am using to SSH to the ASA. I do not connect via ASDM from this device so it is strange that the hostid for the asdm sessions is showing as my linux host and not my Windows laptop (that I am trying to connect via ASDM from).
View 5 Replies
Aug 7, 2012
I have an FWSM cluster on which I exceeded the maximum number of static NAT entries. I migrated the connectivity off to a pair of PIX 535s that seem to be handling the address translation needs. However, the number of NAT entries being required is increasing, and the PIX series was EOL'd several years back, so I need to replace them. The static 1-to-1 NAT entries cannot be summarized into networks, as the hosts being NAT'd are scattered all over various micro subnets in all 3 RFC 1918 IPv4 address ranges, and they are being managed directly by SNMP, SNMP traps and other services that prohibit the use of many-to-one NAT. Is there a known maximum number of static 1-to-1 NAT entries that can be defined on the ASA 5515-X, 5525-X and higher ASA firewalls? Say I wanted to be able to grow to 2500 or more static 1-to-1 NAT entries. I am currently running 2010 1-to-1 static host NATs.
View 1 Replies
Feb 5, 2012
We are going to deploy an active/active setup of 2 ASA 5585s. Here we will implement a concept of security zones through contexts, where different services will be firewalled through a separate firewall context. Will a security context consume 1 or 2 licenses because we are running in an active/active setup? Right now I got completely confused when my manager asked me that question. I would say that we only use one security context license, but since we are running in an active/active setup, even though the other instance is standby, will it consume a context license? We are using ASA OS 8.4.x.
View 5 Replies
Apr 30, 2012
url... For the new firewalls, i.e. 5512-X, 5515-X etc., there seems to be integrated IPS and we don't need to order any extra license or part number to get the IPS features.
But for the 5585-X it says 2 Gbps for the SSP-10 engine, but I have seen in the Dynamic Configuration Tool that SSP-10 and IPS-SSP-10 are different things. Does this mean that I will have to order 2 service engines, SSP-10 and IPS SSP-10, to get the IPS features, and if I only order the SSP-10 with that chassis I will only get firewalling?
View 3 Replies
Nov 16, 2011
How can I discover the product's actual part number from the device through the console? I have bought a Cisco ASA5540-AIP20-K9 and I want to check whether the product shipped to us is the right product. And I want to check the total BoM requirements by entering the ASA console through any CLI command. Below is the Cisco ASA BoM which I purchased.
ASA5540-AIP20-K9 ASA 5540 Appliance w/ AIP-SSM-20, SW, HA, 4GE+1FE, 3DES/AES 1
CAB-ACU AC Power Cord (UK), C13, BS 1363, 2.5m 1
SF-ASA-8.3-K8 ASA 5500 Series Software v8.3 1
SF-ASA-AIP-7.0-K9 ASA 5500 Series AIP Software 7.0 for Security Service Modules 1
ASA-VPN-CLNT-K9 Cisco VPN Client Software (Windows, Solaris, Linux, Mac) 1
Included: ASA5540-VPN-PR ASA 5540 VPN Premium 5000 IPsec User License (7.0 Only) 1
Included: ASA5500-ENCR-K9 ASA 5500 Strong Encryption License (3DES/AES) 1
Included: ASA-AIP-20-INC-K9 ASA 5500 AIP Security Services Module-20 included w/ bundles 1
Included: ASA-180W-PWR-AC ASA 180W AC Power Supply 1
Included: ASA-ANYCONN-CSD-K9 ASA 5500 AnyConnect Client + Cisco Security Desktop Software 1
CON-SU1-AS4A20K9 IPS SVC, AR NBD ASA5540 w AIP-SSM-20, 4GE + 1FE, 3DES/AES 1
View 6 Replies