Cisco Firewall :: ASA5510 Version 8.4 Using 2 ISPs As Fail Over
Aug 9, 2011
I have a Cisco ASA 5510 and I am trying to set it up to be able to have it failover to the 2nd ISP connection if the 1st one ever went down. I think I need a nat statement that the "backup" connection will use when the 1st connection goes down, but I am unsure what the nat statement is supposed to be. I have added the commands that I am pretty sure that I need to add for the "backup" ISP connection. Attached are those commands, the interfaces that are set up, and the objects that are set up in the ASA.
Looking to have an ASA5510 with two internet feeds. Moreover, I would like to have my static nat translations continue to work on the backup feed. I have outbound nat working, however I cannot get the inbound nat to work. I had this all figured out in 7.x but now with 8.x I cannot seem to get it working. If anyone has a 8.x example config.
We have a second ASA 5510 that is suppose to be a hot standby. I need to find out that, as a hot standby, does it have to have the same licenses as the ASA that it backs up. We purchased 50 SSL VPN licenses for that unit. If it fails over, we need to make sure the failover asa can allow SSL VPN connections.
I am a bit unclear as to the upgrade path I should take - I have 2 ASA 5510s in active/standby running 8.0(4)34 and would like to upgrade to 8.2.5. Do I need to first upgrade to 8.0.(5) before upgrading to 8.2.5, or can I just jump straight to 8.2.5?
I have two ASA5510 configured in an active/standby failover configuration. Everything is working well, but I would like to remove DMZ2 as it is no longer needed. On my DMZ2 interface, I have removed the security level and the IP address and shutdown the interface. However, when I do a "show failover" DMZ2 is still showing up. I would like to remove it completely so that failover isn't even "monitoring" this interface. What command am I missing or what do I need to do to completely remove this interface from this "show failover" listing? [code]
I tried last night to upgrade the memory in my old 5510. It's about 5 years old and has the single memory socket. I followed the instruction included in the kit:
Mfr. Part#: ASA5510-MEM-1GB
I did wear an ESD wrist strap (genuine Cisco at that!) and ensured the memory was fully seated, the handles locked in.Upon restarting the ASA, for over 15 minutes, it stayed in mode: Power LED steady, Status LED flashing, other LEDs off. No response to attempts to SSL via Putty. I powered it off, verified the memory was indeed fully seated, and re-installed the original 256 MB module. It powered up normally in less than 5 minutes. Is there anything else to try before returning the memory? Tonight, I can try the same new memoy module and see if it works.
[code] I would like to the ASA5510 Base license upgrade to Security Plus license. But after the upgrade is still the license of the Base.I think I was wrong option selected in the process of upgrading, how should I do to be successful upgrade
I configured ASA to open port 21, 3389, 5900 (outside access in) but when i check port just success : 21 and 3389, Error: 5900 If i configured with only one port 5900 or 3389, is't ok, i don't understand what 's the problem?
ASA5510> ASA5510> ena Password: *********************** ASA5510# show run : Saved
I am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect.I have imported the CA's root certificate, signed an identity cert for the ASA box and imported, and assigned the cert ("trustpoint") to the outside interface.Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of if I have a valid signed cert or not. This is what I see with "debug webvpn 100":
webvpn_portal.c:ewaFormServe_webvpn_loginwebvpn_portal.c:http_webvpn_kill_cookiewebvpn_portal.c:ewaFormSubmit_webvpn_loginewaFormSubmit_webvpn_login: tgCookie = 0ewaFormSubmit_webvpn_login: cookie = c98f3940ewaFormSubmit_webvpn_login: tgCookieSet = 0ewaFormSubmit_webvpn_login: tgroup = NULLTunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!Embedded CA Server not enabled. Logging out the user.webvpn_portal.c:ewaFormServe_webvpn_loginwebvpn_portal.c:http_webvpn_kill_cookie
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert?Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".
Some highlights from the config:
crypto ca trustpoint ASDM_pfirewall01.company.tld enrollment terminal fqdn pfirewall01.company.tld subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik keypair company crl configurecrypto ca trustpoint ASDM_TrustPoint0 revocation-check crl none enrollment terminal crl configure no enforcenextupdate no protocol ldap no protocol scepcrypto ca trustpoint ASDM_pfirwall01.company.tld revocation-check crl enrollment terminal no client-types crl configurecrypto ca certificate chain ASDM_pfirewall01.company.tld certificate 02 30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030 <snipped rest of cert> quitcrypto ca certificate chain ASDM_TrustPoint0 certificate ca 00e2a6f08003ded6c9 3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886 <snipped rest of cert> quitcrypto ca certificate chain
i have two public IPs on ASA5510 + Remote Access VPN Client, what i want to achieve is, i want VPN client users to be able to login using any of the two ISP's IP to remote connection to the ASA. what is the command to use to achieve this.
Secondly, i have setup the primary link VPN through ASDM but thinking i should do the same thing and add the "backup" interface.
Currently we have a T1 for data connected to a 1721 Router that is connected to an ASA 5510. We would like to add a FIOS line for dedicated online backup. Is it possible to connect the FIOS router to the ASA and route the IP from our backup server to use the FIOS line and everyone else continue to use the T1?
I have been working on trying to get an IPAD using the built in VPN client to connect to an ASA5510 version 8.2(5). I have attached the debug from where I have gotten so far. Phase 1 is failing somewhere but the messages aren't real clear or at leat not to me. The ASA is acting as the local CA for the certificate. I inherited the config from another guy as he couldn't get it working and I have made some progress but still not luck in getting the tunnel to just come up. Access to resources will be next but I'd like to just see the ipad show connected.
Looking to replace an "all-in-one" type firewall (UTM/Firewall, SSL VPN) with a cisco product - the issue i'm running into is that we have multiple ISPs plus WAN and DMZ - overall more than 5 ports on mid-range ASA devices - and from what i read, adding 4-port module precludes me from adding CSC module.
Is there an solution to that other than going for 5585-x model? (kind of over our budget, granted we need 2 for failover)
I have ASA5510 with PLUSE License.I have 2 Inside interfaces as STAFF and MAIL and two Outside interface OUT_STAFF and OUT_MAIL which is in separate ISP's.now i want to nat STAFF to OUT_STAFF and MAIL to OUT_MAILbecause I'm having two default routes it gets impossible to do.
I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved. Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses from some time. I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.
have a PIC 515e connected to two ISPs via 2 interfaces. ISP1 is a 3.5Mbps aDSL line, and ISP2 is a 30Mbps business cable. I've confirmed the speeds by connecting the cabled directly into a laptop and using wget to download very large files from known-fast sites.
For admin reasons, I need to access two specific subnets using the slower ISP1. The rest of internet traffic should go to the much faster ISP2.
So I configure ISP2 as the default gateway, static routes for the two subnets to ISP1, set up NAT (PAT) and it all works like a charm. I've confirmed that ISP1 is used for only the two subnets, and ISP2 for everything else. CAPTUREs on the pix also confirm this. So far, it all works great.
But for reasons I don't understand, my max. download speed is 3.5 Mbps (the slow DSL). Using various speed tests and wget, I simply cannot get a download speed faster than my 3.5 Mbps DSL line.
Here is my config: interface ethernet0 100full interface ethernet1 100full interface ethernet2 100full [Code]....
What we are trying to accomplish here use two ISP's (one cable and one T1), use the Cable line for site-to-site VPN and use T1 line for all internet traffic. We currently use the following configuration: Cisco 2820 routers terminating the T1 -> HP switch -> Cisco AS 5510 port 0 -> port 1 to LAN switch (Nortel 5510)We want to force all VPN traffic (using 10.0.0.0/24 subnets - 10.0.1.0, 10.0.2.0, etc) through a cable connection, perhaps on port 2 of the ASA, then all non VPN traffic goes to the T1.
I have an ASA 5505 current f/w & the security plus license (to get the 3 nameif interfaces). Can I split traffic between two ISPs, (VPN traffic to one destination on a T-1 on one VLAN, and all other traffic using DSL to another VLAN) and using a different nat policy on both? I know load balacing isn't supported, only failover. I was just wondering if there was a way to make this work.
I am in the process of configuring a ASA 5510 to replace an older PIX. This change is part of migrating to a new ISP, so the process is complicated by the existence of two outside interfaces. I have virtually everything working, but there is a requirement to be able to access hosts from the internal networks using both their private IPs and their public IPs. The older PIX took care of this silently with little configuration, but the ASA has me twisted on the details. Some of the hosts with public IPs are on the internal network and some are on a DMZ (not my design, inherited). For the internal ones I implemented hairpinning to take care of the requirement, but I am having trouble with the DMZ based hosts.. Since there are two external interfaces each internal host has two IPs and two static NAT rules to handle incoming traffic from each external interface.
The routins and dynamic NAT entries we have in place take care of accessing the hosts using their private IPs on the DMZ, but I cannot figure out how to get the public IPs to work from the internal network. It seems like a simple Static D-Nat shoudl do it, but when I add a Static D-Nat on the DMZ the public IP works, but the private IP breaks.. Is there a way to get them both to operate ?
Network layout looks like this (IP ranges altered):
DMZ 22.214.171.124.0 Class C INTERNAL 10.0.0.0 Class C Outside 126.96.36.199 Class C Outside2 188.8.131.52 Class C
After applying it I could access the public IP (184.108.40.206) from the internal network, but I could no longer access the DMZ IP (220.127.116.11) from the internal network. Is there any way to get this configuration to allow access to both IPs from the internal network ?
The problem here is that there are website links based on the public IP and the DNS is split so DNS returns the internal IP to users. As a result both need to be accessible from the internal network.. Not my favorite design, but the client (or in this case the boss) is always right so I need to get it working somehow.
I am setting up an ASA550 ver 7.2(3) - does this need upgrading?I have my ISP interfaces setup as primary and backup I have a static route pointing out:route primary 0.0.0.0 0.0.0.0 18.104.22.168 1 Question:Do I put the next static route to be route secondary 0.0.0.0 0.0.0.0 22.214.171.124 254 Will this set a high metric on the secondary route that will only take effect if the primary route is down? I assume I will need to have 2 sets of NAT rules to accommodate the dual ISP's
I need to know if the cisco ASA next generation specially ASA 5515X support PBR or no ?how to implement it? Also if i have many internet connections and i need to dedicate 2 ISP’s ADSL internet lines to certain service (such as mail) if the 1st fail, so the 2nd line come up to make redundancy with it ----------- Is this available on cisco ASA next generation.
Lately I encountered random Internet connection issues?My router is a Netgear Wireless ADSL Firewall Modem Router DG834 (Firmware V1.05.0) and my ISP, isn't the most reliable regarding bandwidth... All clients (max 3 at the same time) connect wireless.The problem is that the last few weeks my connections is very unstable, all clients lose the internet connection until you restart the router manually.I can't even connect to the webinterface (192.168.0.1), during the downtimes.
We have two Cisco 2960 TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail the other will act as a failover.I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed a set of servers would still run, and be able to talk to each other.I'd like to run two VLANs, one for the LAN, and one of the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.
McAffee scan of acs 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?
I know I can use the RTR statement to determine when the primary ISP circuit goes down via this technote: url...My question can I assign static Nats on the backup ISP connection to the same inside servers in the dmz.?Example 10.1.1.11 is mapped to ISP1 ExternaIP of 126.96.36.199. Can it 10.1.1.11 also be mapped to ISP2's 188.8.131.52?This way I can get my DNS changed and my inbound traffic to servers in my DMZ on the asa 5510 running 8.0.3 code can continue to receive Inbound traffic.
Firstly is this the right forum to post threads about FWSM's. We have 2 FWSM's in two seperate 6500 switches. There are a number of contexts on each FWSM.I want to fail a context from one FWSM over to the other 6500 and FWSM. Can you tell me how I can do that? Do I need to do it in the admin context and do I need to do it on the admin context of each 6500?