Cisco Firewall :: ASA5510 Setup Layout - Does This Work
Apr 9, 2012
I am planning to implement an ASA5510 in our network. I've never worked with an ASA5510 device, so I am not quite sure how to place it correctly. The idea is the following:
Current situation: network with wireless access; everybody who's connected to the Wi-Fi can access the resources. SSID = JUFCorp
Desired situation: network with only internet access, separate SSID -> JUFGuest
Is this possible with this layout?
PS: when I configure the ASA, I couldn't find an option where I can enter a default gateway. Is this supposed to be like this? So right now I can only access the management port when I'm in the same subnet.
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www
access-list 101 deny tcp host 10.0.2.2 any
access-list 101 permit tcp any any

route-map proxy-redirect permit 101
 match ip address 101
 set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
Recently implemented an ASA5510 and I cannot setup RDP access. I've browsed these and other forums and tried all the suggestions that I've been able to find and still no luck.
I changed my old firewall for an ASA5510; since that change my internet connection is slower. Some websites take longer to display. I would like to know if there is some specific configuration about TCP connections or DNS to set up?
I just configured the ISP DNS:
dns server-group DefaultDNS
 name-server 194.2.0.20
 name-server 194.2.0.50
I am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect. I have imported the CA's root certificate, signed an identity cert for the ASA box and imported it, and assigned the cert ("trustpoint") to the outside interface. Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select the authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of whether I have a valid signed cert or not. This is what I see with "debug webvpn 100":
webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]
webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = c98f3940
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!
Embedded CA Server not enabled. Logging out the user.
webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert? Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".
Some highlights from the config:
crypto ca trustpoint ASDM_pfirewall01.company.tld
 enrollment terminal
 fqdn pfirewall01.company.tld
 subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik
 keypair company
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check crl none
 enrollment terminal
 crl configure
  no enforcenextupdate
  no protocol ldap
  no protocol scep
crypto ca trustpoint ASDM_pfirwall01.company.tld
 revocation-check crl
 enrollment terminal
 no client-types
 crl configure
crypto ca certificate chain ASDM_pfirewall01.company.tld
 certificate 02
  30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030
  <snipped rest of cert>
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00e2a6f08003ded6c9
  3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886
  <snipped rest of cert>
  quit
crypto ca certificate chain
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found out the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?
Alright, first off a little background. I'm a recent IT graduate (last spring) but not yet working in the field in any official capacity. It's been about a year and a half since I had my last Cisco class. Right now I'm in the beginning process of working with a locally owned retailer to set up a network infrastructure for IP cameras and in the future VoIP, about 45-50 total IP devices when the project is complete. Nothing has been purchased yet but I have some candidates and a network layout planned, though this is the first time I've set up a network of this type in the real world. Right now I'm looking at Netgear and LG/Ericsson (previously SMC, Nortel) switches. Haven't gotten to the router yet and VoIP will come later. For either brand there would be one 1000MB 24 port switch and three 100MB switches, all of them 24 port and all will have PoE on all ports.
I am looking to start a proposal for the smallish business I work for. We have about 65 devices on the network with ~12 being VoIP phones. Currently our network consists of 2 Cisco 2950's and a bunch of daisy chained consumer 5 port switches. I would like to get a couple of 48 port 2960S or 3XXX series Catalysts and run drops to all the devices. It's an older brick building with beamed 15 foot ceilings. It has a couple of semi-enclosed office spaces, with one large space for all the developers and designers. The plan I have involves running a cable tray down the length of the office and running drops off of the main run. I would like to be as cheap as possible with the cable tray, but it seems like all the trays I have seen are about ~50-100 dollars per 10' (not including mounting hardware). Seems extremely expensive for basically wire baskets.
Time to check the network layout attached in the PDF. This design is regarding a new redundant DC being built (hypothetically only) but I need to know if I've connected this in the right way / if it's possible with the equipment listed and how I've put them together.
My current switch layout at work is very basic and offers no redundancy. I'd like to at least set up redundant core switches, so that if any of my switches were to fail, it would result in a smaller number of systems affected.
Current core switch: HP ProCurve 3500yl-48G (3500yl-24G as cold spare)
Internet switch: 3Com (forget model)
User distribution switches: 9 Planet 10/100 Layer 2 managed switches, and 2 Dell PowerConnect 5448
Server switches: 5 ProCurve 2810-24Gs (1 in each server rack)
In addition, we have 50+ site to site VPNs using different 192.168.x.x subnets across 2 different VPN concentrators, several routers, and a pair of MPLS's. My first step to improve speed and reliability was to reconnect the user switches. The old distribution switches were daisy chained, and all 120 users were on a single 1GB port on the core switch, and if switch 2 of 11 failed, I'd have 10 switches knocked out of the network. I've since connected them directly to the core switch, and the users have noticed the improvement.
I'll try to get a diagram, but it's basically a large hub and spoke. Each and every switch is connected directly to the single core switch. All of the internet sources are connected directly to the 3com and are on separate VLANs which are then connected to the core via a trunk, which then handles the routing. Currently, I'm using less than half of the ports on the current core switch, so I should still have enough ports on the 24G to at least maintain the critical systems. Each server switch is trunked to the core, as is the internet switch, but the user network is not (but probably should be). Instead they are connected via simple untagged uplinks.
I absolutely cannot afford new equipment right now, so whatever I do will require reusing existing equipment. I'd very much like to increase the bandwidth from the server switches to the core if at all possible. Is there an easy way to configure an Active-Active setup that would improve bandwidth? Or would it be active-passive and require a 2 port LAG on the 48 port (for speed), and a 3rd port for the 24 port (for redundancy)?
NOTE: With any luck, we'll be dropping our analog phone system and replacing it with VOIP sometime within the next year. So I should be getting some extra budget to replace the distribution switches with POE. Until then, I'll have to live with my crappy Planets.
I am running a /24 network in Active Directory with my ASA acting as gateway and firewall. Standard interfaces (Ethernet 0/0 as outside, Ethernet 0/1 as inside)
As of now I have no VLANs set up, but I need to set up wireless Internet access for guests... I need directions on how to set up a VLAN with its own DHCP for these guests... I can then make sure that my APs can be pointed to the same VLAN... I am not familiar with CLI, have generally used ASDM. I am currently running ASDM 6.3(1) on an ASA with version 8.3(1).
This is something I need to do quickly as we are expecting 20-40 "guests" shortly, and I don't want them to use our internal DHCP server addresses.
I have set up an ASA5510 in failover mode. I am planning to use this setup for clientless SSL VPN and have the following questions.
1. Do I have to license both firewalls for SSL VPNs? These licenses are very expensive and why would I have to purchase it for the secondary when I am not using it?
2. SSL certificate for the firewall itself. Do I have to acquire one or two to ensure users don't get the annoying message about a self signed certificate? Cisco doesn't seem to have this discussion in any documents. However I found the following URL discussing it from somebody's experience. What's the official statement from Cisco on this matter? [URL]
I am able to ping from the switch to the firewall inside IP and the user desktop IP but unable to ping from the user desktop to the FW inside IP. The config is below for both the switch and the FW (Cisco ASA5510).
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one runs just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from the console. It's just a huge crash dump. Is there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
I have an ASA5510 in the office that already has 3 contexts configured, namely admin, user, server. In the server context, the last running config was not saved, and there was a power trip last Friday night. 1 of the sub-interfaces was affected, and I need to recreate that interface. I am getting the below error; it only allows me to make changes to those pre-defined interfaces. How do I create an extra sub-interface?
I have a Cisco ASA 5510 with Security Plus license in a live environment. I need to add a secondary firewall. I was planning to do it in active/standby mode for failover. But I have a doubt: when I do "show version" on the live ASA, the output says Active/Active failover. Does this mean that I can only configure failover in active/active mode, not in active/standby (which I want to do)?
I am using a Cisco ASA5510 firewall in my network in the distribution layer. A private range of network addresses is used in the network and PAT at the FW for address translation. Presently I am encountering an issue: the users behind the FW in my network are unable to RDP at port 2000 presented at the client network. Able to telnet on port 2000 but not RDP. Are any changes needed at the FW end to get the RDP access?
I have an RV180W which acts as my gateway using NAT and recently purchased a DPQ3925 router from Optimum with 5 static IP addresses. How do I configure my server and desktops with this information?
I want to setup my HP printer to work as wireless peripheral. stand alone. I have my local router working correctly but cannot make HP software to also work by connecting the printer. It seems I need to find WPA security passphrase.
I'm trying to make an ACE + caching setup work. ACE is running A5(1.2).
Content types considered static (like images, stylesheets and javascripts) should be fetched from caches instead of servers. Content from the caches that can be compressed should be compressed by the ACE (stylesheets and javascripts). I am classifying traffic into:
* static, not compressible (content should be fetched from caches but is already compressed - this class will hold .jpg, .gif, .png, .ico and others - but for this experiment the class is defined with only (a never to be hit) content type .xico)
* static, compressible (content should be fetched from caches but can be compressed by the ACE - this class will hold .css and .js but for this experiment is defined only with (never to be hit) content types .xjs and .xcss)
* other: for statistics purposes I have included a catch-all class for everything else (which should be sent to servers) - class-default is configured but will not be hit in this example because of the catch-all class I configured.
Since both "STATIC" classes include only content types that have been renamed to content types not used in the real world, I will not expect any hits on those, and since WWW.SITENAME.COM:80_STATIC_COMPRESSABLE is the only class configured for compression I expect that nothing will be compressed since there will be no hits on this class.
This is how it looks in the configuration:
class-map type http loadbalance match-any WWW.SITENAME.COM:80_STATIC_NOT_COMPRESSABLE
 10 match http url .*.xico
class-map type http loadbalance match-any WWW.SITENAME.COM:80_STATIC_COMPRESSABLE
 10 match http url .*.xjs
 20 match http url .*.xcss
class-map type http loadbalance match-any WWW.SITENAME.COM:80_DEFAULT
 10 match http url .*
[code]....
Questions are: Why do I see things being compressed when hits are only being accounted in a compression:off class? Why does enabling compression in one class (never being hit) cause hits in other classes to be compressed?
I have a WRVS4400N set up as a main router for one of our bays. For wired connections it is working with no problems. When I first installed it, it ran fine for wireless as well. I was trying to get WDS to work and at some point the wireless stopped working. My laptop can no longer connect to it and often cannot see it when doing a scan for networks. I have already checked that it isn't a problem with the laptop, that there are no other networks causing interference, and even tried resetting to default configs.
We have to use scp on all of our network devices. It worked quite well on our routers and switches but I can't seem to get it to work for the firewalls and IPS. I enabled scp on my ASA5510 using the command "ssh scopy enable". I also ensured that an RSA key was generated and that SSH version 2 was enabled. But I can't seem to locate the commands to actually have my firewall either copy its configuration to a server or reach out to a server to pull down a file. We are using IOS 8.2(1).
I have a customer who wants to prioritize RDP traffic through the firewall. I know that it's port 3389, but outgoing traffic is a random port number. Any smart way to catch this traffic and get it in the LLQ?
I tried to set up a Tenda W311R as a repeater to increase the coverage. I have done the following, but still it cannot get Internet access: set up WDS with the same channel and use the same encryption as the Linksys router; disable the DHCP in the W311R. From the wireless point of view, I can see the Tenda router, but no Internet access.
We have an ASA 5510 which we need to upgrade from 8.0(3) to 8.2.5. Can we directly switch to 8.2.5 from 8.0(3)? If not, which versions do we need to go through?
What all points need to be checked before that? Following is the show flash output.
My device has 3 interfaces configured: inside, outside, DMZ. Right now I can access the DMZ from the Internet and I can access the DMZ from the LAN using a NAT exempt statement. I am having a few issues setting up DMZ > LAN access however. The servers running on the DMZ need to send information to my LAN, such as syslog traffic for example. Will DMZ traffic be NATed or should this somehow be excluded? Basically all LAN devices should get to the DMZ devices by their actual IP and vice versa. Are there any special statements I need to add to the ASA such as NAT or ACLs to make this work? My LAN is 10.10.6.0/24 and DMZ is 192.168.254.0/24.
I have an ASA 5510 with ASA 8.4(2) and ASDM 6.4(5)205. Have a new basic config, nothing special at this time. I just cannot seem to get from the inside to the outside. From the outside interface I can ping, so I have a good Internet connection.
We have a DMZ on an ASA5510 8.4; it can access anything on the internal interface but cannot get out to the internet or the outside interface. I try to ping from a host in the DMZ to 8.8.8.8 and get this in the log:
6  Apr 25 2012  08:24:43  110003  8.8.8.8  0  172.10.1.150  1  Routing failed to locate next hop for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1.
I have an ASA5510 firewall which has 1GB RAM currently. I want to upgrade to 2GB. When I opened the box, I can see only 1 slot to insert the RAM. I searched on the Cisco website and got to know that I need to use 2 x 1 GB RAM. So, I need to have 2 slots to do that. But I have only 1 slot in the box.
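A small triage helper for the 110003 "Routing failed to locate next hop" message quoted in the DMZ question above. This is an added example, not code from the thread: it parses constructed ASA syslog lines and compares the egress interface the ASA named with the interface that should own the destination subnet, which is the mismatch that message points at. The interface names, subnets and hostname are assumptions, not the poster's configuration.

```python
"""Triage helper for ASA syslog 110003 'Routing failed to locate next hop'.

Added example, not code from the thread. Parses constructed syslog lines in
the %ASA-<sev>-110003 format and compares the egress interface the ASA named
with the interface that should own the destination subnet. Interface names,
subnets and hostname are assumptions, not the poster's configuration.
"""
import ipaddress
import re

# Fields of the 110003 text; the ASDM row quoted above carries the same text.
PATTERN = re.compile(
    r"%ASA-(?P<sev>\d)-110003: Routing failed to locate next hop for "
    r"(?P<proto>\S+) from (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed: which interface should own each subnet (assumption). The
# question places 172.10.1.150 in the DMZ, so a reply routed to 'inside'
# is the mismatch worth flagging.
INTERFACE_SUBNETS = {
    "inside": ipaddress.ip_network("10.10.6.0/24"),
    "dmz": ipaddress.ip_network("172.10.1.0/24"),
}


def parse_110003(line):
    """Return the message fields as a dict, or None if not a 110003 line."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None


def owning_interface(ip):
    """Interface whose subnet contains ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in INTERFACE_SUBNETS.items() if addr in net), None)


def triage(lines):
    """(dst, interface the ASA chose, interface expected) for each 110003
    message whose egress interface disagrees with the subnet table."""
    findings = []
    for line in lines:
        f = parse_110003(line)
        if f and owning_interface(f["dst"]) != f["dst_if"]:
            findings.append((f["dst"], f["dst_if"], owning_interface(f["dst"])))
    return findings


# Constructed sample lines modelled on the row quoted in the question.
SAMPLE_LOG = [
    "Apr 25 2012 08:24:43 fw01 %ASA-6-110003: Routing failed to locate next hop "
    "for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1",
    "Apr 25 2012 08:24:44 fw01 %ASA-6-110003: Routing failed to locate next hop "
    "for ICMP from outside:8.8.8.8/0 to dmz:172.10.1.151/1",
    "Apr 25 2012 08:24:45 fw01 %ASA-5-111008: User 'admin' executed the "
    "'show route' command.",
]

if __name__ == "__main__":
    for dst, chose, expected in triage(SAMPLE_LOG):
        print(f"{dst}: ASA routed to {chose}, subnet table says {expected}")
```

A finding where the ASA chose "inside" for a DMZ address means the routing table (or a NAT rule) is steering the reply toward the wrong interface, which is where to look before touching ACLs.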