Cisco Firewall :: ASA5510 With 2811 ISR?
May 26, 2012
I have a 2811 ISR configured to provide the following services to my network:
Internet access to LAN users Cisco Call Manager ExpressSite-to-stie VPN to 3rd party networksVPN server to provide VPN access to remote usersSecurity Zone configurationsStatic NAT configurations Now I recently just got the ASA5510 device and I am not sure how to go about with the setup, whether to put the ASA in between the internet and the ISR (Internet - ASA - ISR - LAN), or put the ISR in between the internet and the ASA (Internet - ISR - ASA - LAN)?
While i know I can move most of the config unto the ASA, i know that the CME cannot be moved, hence I would like to do the setup such that users on the network still have access to CME.
View 5 Replies
ADVERTISEMENT
May 26, 2012
I have a 2811 ISR configured to provide the following services to my network: Internet access to LAN usersCisco Call Manager ExpressSite-to-stie VPN to 3rd party networksVPN server to provide VPN access to remote usersSecurity Zone configurationsStatic NAT configurations.Now I recently just got the ASA5510 device and I am not sure how to go about with the setup, whether to put the ASA in between the internet and the ISR (Internet - ASA - ISR - LAN), or put the ISR in between the internet and the ASA (Internet - ISR - ASA - LAN)? While i know I can move most of the config unto the ASA, i know that the CME cannot be moved, hence I would like to do the setup such that users on the network still have access to CME.
View 2 Replies
View Related
May 26, 2012
I have a 2811 ISR configured to provide the following services to my network:
Internet access to LAN users Cisco Call Manager ExpressSite-to-stie VPN to 3rd party networksVPN server to provide VPN access to remote usersSecurity Zone configurationsStatic NAT configurations Now I recently just got the ASA5510 device and I am not sure how to go about with the setup, whether to put the ASA in between the internet and the ISR (Internet - ASA - ISR - LAN), or put the ISR in between the internet and the ASA (Internet - ISR - ASA - LAN)? While i know I can move most of the config unto the ASA, i know that the CME cannot be moved, hence I would like to do the setup such that users on the network still have access to CME.
View 3 Replies
View Related
Jun 6, 2012
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies
View Related
Jun 11, 2012
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
View 7 Replies
View Related
Jun 29, 2011
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
View 7 Replies
View Related
Sep 10, 2012
i have a ASA5510 in the office, that already configured 3 context, namely, admin, user, server.in the server context, the last running config was not saved, and there was a power trip last friday night. 1 of the sub interface was affected, and i need to recreate that interface.I am getting the below error, it only allow me to do changes those pre-defined interface.how to I create extra sub interface?
View 3 Replies
View Related
Jul 21, 2011
I have a ASA5510 and I have a question about the speed the ports can handle, here is one port:
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.
View 2 Replies
View Related
Feb 22, 2012
i have cisco ASA 5510 Firewall using in my network, i have planning to upgrade the Flash memory from 256 mb to 512 mb and the RAM from 256 mb to 1GB.
View 1 Replies
View Related
May 4, 2012
I have a cisco asa 5510 with security plus license in Live enviroment . I need to add a secondary firewall . I was planning to do in active /standby mode for failover .But i have a doubt , when i do "show version " on live asa output says Active /active failover , does this means that i can only configure failover in active/active mode not in active/standby (which i want to do )?
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5505 Security Plus license...
View 4 Replies
View Related
Feb 12, 2012
i am using Cisco ASA5510 Firewall in my Network in the distrubition Layer .Private Range of Network Address use in the Network and PAT at the FW for address translation.presently encountering an issue the users behind the FW in my network unable to RDP at port 2000 presented at the Client Network.Able to Telnet on port2000 but not RDP . any changes needed at the FW end to get the RDP Access.
View 12 Replies
View Related
Apr 18, 2012
I try to implement the url filtering feature on a cisco 2811 router and whenever i enable the parameter map patterns the router retuns (after some time)
%Unable to compile obj regex.[code] The result is that the router blocks ALL webpages without giving a block page message.
View 2 Replies
View Related
Aug 11, 2011
I am pretty new to the configuration of a DMZ and I have the task of setting one up.I have a Cisco 2811 Router running Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3), 2 FE interfaces.One FE is connected to the WAN, with a loop back interface configured with the public IP for Internet access in the office.The other FE has 2 sub interfaces configured, one for data and the other for voice traffic.Users within the office are configured to use the data VLAN to access the internet through the WAN.
Now we are setting up some new services and we require to have DMZs setup.I want to setup 3 zones now that the different servers would reside in. How can i achieve this using the existing infrastructure I have?I have an idea to create more subinterfaces and assign them to the zones, but I am still not sure how this would play out. I have been on this for the whole day and unable to make significant progress.
View 5 Replies
View Related
May 17, 2011
I have attached a drawing of our network. We have two 6509's connected to two Cisco 2811 (onsite) that the ISP owns. I am trying to get one side up and running before I worry about redundancy and so forth. For this reason I have set all the HSRP priorities to 110 on the left 6509. I have HSRP running between the ISP routers and V LAN 101 of the 6509's. This works as I can ping yahoo and Google just fine from the 6509 switch. I can't get from my laptop connected to V LAN 23 to the internet.
It doesn't even attempt to NAT as there are no translations. I have public address assigned by my ISP configured between the ISP routers and my 6509 on V LAN 101. I then have the public address assigned to V LAN 100. I configured V LAN 100 on the switch and V LAN 100 on the FWSM with the IP address in the drawing. I have my NAT statements and route in my FWSM according to the drawing as well. On the switch, I have a default route to X.X.12.19 which is the VIP between the ISP routers. I can reach anything on the inside of my network, including the old network addresses from V LAN 23.
1. Is it best to do NAT at the FWSM or should I do it on the MSFC connected to the ISP routers?
2. If I have to configure NAT at the FWSM, does this requires me to extend the public network down to the FWSM?
3. I'll take any examples you may have as I am stuck.
View 2 Replies
View Related
Jul 31, 2012
I'm trying to run ZBFW on a 2811 with IOS version 15.3(T4) and I'm running into a strange issue I'm not quite sure how to troubleshoot.
I have 3 zones, internet, local, and ssl-vpn.The rules I'm trying to enforce are: all traffic from SSL-VPN can go to anywhere, anywhere can go to SSL-VPN. Anything originating from local can go out. Certain ports can come in for DMZ services (http, https, imap/s, pop3/s, submission).
After rebooting the router and applying f0/0 and tun0 to internet, f0/1 to local, and virtual-template 1 to ssl-vpn things work fine. But after a while I stop being able to connect to servers at the high end of the subnet. (I have .20 to .26 configured with the services, .20, .21 work fine always, .22 and up stop responding). Remove interfaces from the ZBFW, no problem at all. Apply ZBFW, traffic stops.
I'm seeing dropped sessions in the log on zone-pair local-to-internet , invalid flags with ip ident 0 which I think is outbound traffic attempted for no inbound inspect entry, but everything should be allowed out, and the traffic is to port 80 which is allowed by 'match protocol http' on the inbound policy.
Edited config attached (remove passwords and stuff) Last few log lines are at the bottom.
View 3 Replies
View Related
Nov 2, 2011
I'm generally pretty good with VPN issues and with SSL certs, but this is my first rodeo with VPN and certificates together. I've got a Cisco 2811 router running IOS Firewall (12.4(25)) and for a while now, I've had VPN clients connecting using PSK's and XAUTH. In order to tighten security, we'd like to move away from PSK's with Aggressive Mode and use certificates with Main Mode.I've been trying to use the Cisco 2811 as the CA, rather than use a Microsoft server or third-party provider. I think I'm pretty close to getting this to work, but something isn't quite right. My VPN client software does connect to the 2811, and I get prompted for the XAUTH creds. If I supply the right creds, I do see in my VPN log window that I've gotten assigned an IP address from the inside VPN pool, my split tunneling rules come through, but the VPN disconnects almost immediately and I never get a chance to try any pings or to send any other types of traffic. [code]
I have attached a sterilized copy of the 2811's current config (2811_sterile.txt), a copy of the 2811's debug output when the VPN client tries to connect (vpn_client_connect_sterile.txt), and a copy of the VPN client's log with IKE on High and Certificates on High (vpn_log_sterile.txt).FWIW, the 2811 is NOT behind NAT, but my VPN client IS behind NAT. However, I have tried using a direct connection with the VPN client and it didn't seem to change much so I'm not convinced this is a NAT issue.Again, I've never used a Cisco router as a CA and I've been battling this problem for several hours now so the 2811's config may have a lot of unneccessary lines in it at this point.
View 1 Replies
View Related
Nov 29, 2011
I'm looking into upgrading my WAN link to 100Mb via Fast Ethernet link. I'm waiting to hear from ISP about what exact technology they use, but according to my manager they will be coming in over fiber and then terminate to copper. I currently have 2811 in production with two T1 cards bundled together. 2811 has basic configuration with only 2 ACLs. I have ASA 5510 for NAT, Ipsec and other services. What router or networking device (layer 3 switch, such as 3560G perhaps??) should I use to accomodate 100Mb link? It seems that 2811 will not handle that kind of bandwith..In short the max recommended bandwidth limits for the 28xx series are as follows:
2801--2 Mbps
2811-4 Mbps
2821-8 Mbps
2851-12 Mbps
I don't want to create a bottleneck and am looking for appropiate solution to accomodate 100Mb link. Also, could ASA 5510 become a bottleneck in my scenario?According to Cisco docs ASA5510 can handle 300Mbps of firewall througput, but I'm not sure how it'd work in production...
View 1 Replies
View Related
May 31, 2013
Attached is our network diagram showing the details of our remote office and the corporate side which are connected via private fiber. The workstation (10.10.102.84) can ping the 10.20.0.31 IP address of the PBX but not the .30 address and I know if we can’t ping it we can’t remotely manage it. The 2811 router, ASA 5510 and the 6509-E can ping both IP addresses on the PBX. The ASA logs the error "Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session" when the workstation pings the .30 address.
We changed the default gateway of the PBX from 10.20.0.2 to 10.20.0.1 (2811 router) and we were able to ping both IP addresses from the workstation but the SIP trunks from the Internet stopped working (they NAT to the .30 address). Because calls may be forwarded from the PBX to the corporate network (via IP phones) we will eventually need to change the default gateway to10.20.0.1 and still need the Internet SIP trunks.
My two questions are, how do we resolve the issue of pinging the .30 address from the workstation and then when the time comes how do we resolve the issue with the SIP traffic reaching the .30 address when we change the default GW of the PBX to the 10.20.0.1 address of the 2811 router.
View 9 Replies
View Related
Sep 20, 2011
I came across this site. I wanted to produce a better incoming ACL at home and work to prevent known bad sites
Here is their list of the Top 10 Global Spammers is out. The biggest surprise on the list is Korea, as it takes over the number one global spammer spot from China. With the improved high speed internet infrastructure in Korea and ease of network access, who knew Korea would be on the rise.
Here is the complete Global Spanner Top Ten List for the first quarter
[URL]
Korea
China
India
Russia
Turkey
Viet Nam
Ukraine
Brazil
Venezuela
Pakistan
When I sort the list, it is over 16k lines of ACL!
My question relates to what performance limits I would find.
Can I actually put that many lines in an ACL?
Will the router choke and do any other work
I have attached the sorted ACL list for you to review
Any of the following router lines will accept a list that large and still run acceptably?
2811
2911
3925
2945
View 1 Replies
View Related
Jan 7, 2012
I have a Cisco 2811 running Advance Enterprise v 15.1-2. I've just configured it using ccp for internet access (on 2 lines) and a firewall. The configuration is pretty much all default and I used the ccp wizard to create a 'medium-secure' firewall. I have 2 blocks of public IP addresses for my internal network and for the DMZ. The 2800 is configured as follows:
- 2 x default routes. one to each dialer.
- 6 zone pairs as follows:
- ccp-zp-self-out (seems to mostly work... I can ping any IP address from a console but not a hostname)
- ccp-zp-in-out (works fine, both interfaces seem to be in use)
- ccp-zp-in-dmz
- which by default set to ccp-permit-dmzservice
- which inspects ccp-dmz-traffic
- which matches group dmz_traffic and has a class map dmz-traffic
- cnc-zp-dmz-out which is set to ccp-inspect. (my own zone pair to allow systems in the DMZ zone to see the internet. This works fine.)
- ccp-zp-out-dmz (works fine. I can see my web server from any system outside my own network)
- ccp-zp-out-self (which, I guess allows anything permitted to get to the 2811)
Internet works from within the DMZ and in-zone. The outside can access my dmz servers. The inside can access most things on the outside using the firewall rules.
1) Although I have the zones set up to allow the same access from in->dmz as I do from out->dmz and out->dmz seems to work, I cannot seem to access anything in the dmz from the inside.
2) When setting up the firewall I ticked the box for 'allow PPTP clients to make connections from the inside' (or something like that). I cannot seem to make a PPTP connection from my workstation.
I have scoured the internet for guides, looked through these forums & the cisco configuration guides and experimented all day but still cannot figure this out.Do I need a special route between the inside and dmz? I have seem references to static routes on ASA firewalls but the command 'static (inside,dmz)...' does not work on a 2800 series router.
View 7 Replies
View Related
Mar 14, 2011
We have to use scp on all of our network devices. It worked quite well on our routers and switches but I can't seem to get it to work for the firewalls and IPS. I enabled scp on my ASA5510 using the command "ssh scopy enable". I also ensured that a rsa key was generated and that ssh ver 2 was enabled. But I can't seem to locate the commands to actually have my firewall either copy it's configuration to a server or reach out to a server to pull down a file. We are using IOS 8.2(1).
View 1 Replies
View Related
Mar 22, 2011
I have a customer who wants to prioritze rdp traffic throgh the firewall.I know that its port 3389, but outgoing traffic is a random port number.Any smart way to catch this traffic and get it in the LLQ ?
View 3 Replies
View Related
Mar 8, 2013
I have a Cisco 2811 router and i want to experiment on the IOS firewall.The thing is, none of the commands that are proposed in online guides - like ip inspect, ip audit, etc. - seem to be working. I just get "unrecognized command" on a router that is supposed to support such features. I'm wondering if it has something to do with the IOS image.
My show version output is this:
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.3(11)T9, RELEASE SOFTWARE (fc3)
Technical Support: [URL]
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 13-Dec-05 08:24 by ccai
[code]....
View 5 Replies
View Related
Sep 13, 2012
we have ASA 5510 which we need to upgrade from 8.0(3) to 8.2.5. can we directly switch to 8.2.5 from 8.0(3) , if not what all versions we need to go from.
What all point needs to check before that following is show flash output.
97 14635008
Jan 01 2003 14:12:16 asa803-k8.bin 98 4096
May 14 2008 21:22:10 tmp 2 4096
Apr 20 2008 02:21:46 log 6 4096
Apr 20 2008 02:22:16 crypto_archive 99 6851212
[Code] .....
View 4 Replies
View Related
Sep 18, 2011
My device has 3 interfaces configured: inside, outside, DMZ. Right now I can access the DMZ from the Internet and I can access the DMZ from the LAN using an exempt nat statement. I am having a few issues setting up DMZ > LAN access however. The servers running on the DMZ need to send information to my LAN such as syslog traffic for example. Will DMZ traffic be NATed or should this somehow be excluded? Bascially all LAN devices should get to the DMZ devices by their actual IP and vice versa. Are there any special statements I need to add to the ASA such as nat or ACLs to make this work? My LAN is 10.10.6.0/24 and DMZ is 192.168.254.0/24.
View 1 Replies
View Related
Oct 20, 2011
I have a ASA 5510 with asa8.4(2) and asdm6.4(5)205. Have a new basic config, nothing special at this time. I just cannot seem to get from the inside to the outside. From the outside interface I can ping, so I have a good Internet connection. [code]
View 3 Replies
View Related
Apr 24, 2012
WE have a DMZ on ASA5510 8.4, it can access anything internal interface but cannot get out to internet or outside interface. I try to ping from a host in the DMZ to 8.8.8.8 and get this in the log 6Apr 25 201208:24:431100038.8.8.80172.10.1.1501Routing failed to locate next hop for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1. [code]
View 14 Replies
View Related
Apr 5, 2012
I am having ASA5510 firewall which has 1GB RAM currently. I want to upgrade to 2GB. When I opened the box, I can see only 1 slot to insert the RAM. I searched in Cisco website and I got to know that I need to use 2 x 1 GB RAM. So, I need to have 2 slots to do that. But, I am having only 1 slot in the box.
View 5 Replies
View Related
Mar 30, 2011
We have an ASA5510 with a backup ISP connection protecting our corporate network. I also have a mail server and I would like to route SMTP traffic over the backup network. I realize that the ASA5510 does not support PBR, but I also know that I can use static NAT rules as a workaround to direct specific types of traffic over a particular interface (e.g. "static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0" and "static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0"). is it possible to use something similar to force a particular host to use a specific interface? I have tried to make this work on my own without success. Is it even possible?
View 5 Replies
View Related
Dec 5, 2012
I bought a Cisco ASA 5510 (P/N: ASA5510-BUN-K9) and i would like to know if i have to buy some license,What i mean is, for the basics, it still being necessary aquire some license?
View 3 Replies
View Related
May 31, 2011
We are about to upgrade our ASA's from 7.04 to 8.2. Obviously I will be opening a TAC case to assist with the upgrade and I will also be upgrading ASDM software at the same time. These production firewalls are paired with an active --> failover scenario and not active --> active. I had previously engaged cisco regarding the upgrade and they have recommended an upgrade path to ensure success. Also, I have a pair of test ASA's that I've gone through the upgrade process with - documenting the changes in commands and any changes in my config (I didn't notice any).So, the reason for my post is this: What are the gotcha's that you may have run into when upgrading your ASA's?These are fairly high visibility ASA's and any downtime due to the upgrade needs to be mitaged as much as possible.
View 1 Replies
View Related
Apr 24, 2012
We have an ASA5510 and I am getting absolutely no response from the console port. Not even a blip when I turn it on. If I leave the compact flash in the internal bay, I get Green Power, Amber Status, Amber Active and Green VPN when I start it up. The Flash LED flashes Green twice then goes out. If I move the compact flash to the external bay, all of the other lights remain the same as described above but the Flash LED goes to steady Green. How ever, there is still no response whatsoever from the console port. Have replaced the DIMM but that had no effect. This is a four (4) slot ASA5510 and I have just the one DIMM in slot P13 as described on a post I found. The power supply fan comes on as well as the two (2) fans that cool the heatsink. The other two (2) fans on the expansion module side do not come on.
View 1 Replies
View Related
Aug 17, 2011
We just switched to a 5510 from a PIX 515 last evening, and the only things that are not working are any services from the outside to the inside. Example: I am unable to connect to a RDP server on the inside from the outside. I've been looking at the config for the past five hours, but am unable to see my mistake. Running 8.2(1) People on the inside are able to get out.
domain-name aaaa.org
names
name 10.10.8.13 mailserver
name 10.10.8.12 video-conf
name 1.1.1.2 PubMail
name 1.1.1.3 VidCon
name 1.1.1.5 Ms-Aderson
!
[code] .......
View 6 Replies
View Related
