I have a little problem creating a network infrastucture with an "inside", "dmz" and an "outside" network on my ASA5512-x 8.6(1).
I have have clients and servers with the networks 10.0.1.0/24, 10.0.2.0/24 until 10.0.12.0/24 on my inside interface. Then I have two servers 10.0.254.50/24 for SMTP and 10.0.254.70/24 for HTTPS in my dmz network. The outside interface is one static IP to the Internet.
I would like to configure an ASA5512-X in firewall transparent mode, but I am having trouble getting ASDM to lauch when I do.
I have created a BVI interface with an IP address, and I hve enabled the mangement interface, but ASDM does not lauch when I enter the IP adress of the BVI I created.
Apprently you need to use the bridge-group command to assign an interfce to a bridge group. When I enter this command at the (config-if) prompt for Management 0/0, this command is not recognized.
What are the general steps for configuring the management interface to be able to launch ASDM in transparent mode?
I have purchased the ASA5512-K9 with the CX AVC and Web Security Essentials L-ASA5512-AW1Y as recommended by a Cisco pre-sales representative and my reseller for my environment. I had previously believed from the documentation on the Cisco site that all X generation models had the CX software included on them in the state that they are sold. Now in trying to configure the ASA5512, and with further reading of the setup documentation, I have discovered that I do not have the capability to access the CX functionality with this model 'as is', and this combination does not appear to be appropriate. It appears that the CX software module is not actually included on the ASA5512-K9 model, but rather only on the ASA5512-SSD120-K9 model.
If it is, should I exchange the ASA5512-K9 for an ASA5512-SSD120-K9 to get the combination of this subscription license and ASA model working. Am I correct in that the ASA5512-K9 model does not have a solid state drive on it already and so I can not download and install the CX software on it? As an alternative, is it possible to purchase a Cisco solid state drive seperately, plug it into the ASA5512-K9, download the CX software, and then install it on this new drive in the ASA5512-K9?
I have a brand new ASA5512-X running 8.6.1, and am trying to do an initial setup using the Quick Start Guide that came with it. However, the Management Interface is not working. I have a PC connected and set to use DHCP, but the port is not active. I connected a console cable and can see in the config that the interface is shutdown. So I set it to active, and the port is now active, but is not giving out a DHCP address as the guide says it should.I would like to use the ASDM Startup Wizard to configure this device, so how do I get it to work the way the instructions say it should?
View 2 Replies View RelatedI have a new 5512-X with the built in IPS sensor. The firewall is running in transparent mode with the management interface being used for both the ASA and the IPS sensor. i.e. a single interface.
Both the IPS and the ASA are configured on the same network segment (172.29.25.252 for the firewall and 172.29.25.250 for the IPS).However the IPS module keeps going off-line whilst the firewall is fine. So CSM Health and Performance Manager keeps coming up with an error.
Now the interesting bit... If I SSH to the firewall and issue a session ips I get straight into the sensor.I can then ping something from the sensor - exit out and the sensor is visible on the network for a while.It then drops again.Is there a keep-alive that I need to configure to get this working properly?
I have a client that is running an ASA5512-X. When I initially installed it, they were having issues sending out emails. I disabled ESMTP inspection and thought it resolved the issue. Recently, they upgraded to Exchange 2010 and are still having an issue with some emails getting hung up in the queue. If I watch the ASA when they try to telnet to the external mail servers that do not work, they get a SYN timeout.
I am not sure why this would happen since ESMTP is disabled. They are running 8.6(1) on the ASA.
Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550?Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA?At a high level, here's what we have:
ISP 1 - with /21 IP PrefixNo BGP Routing3845 Edge Router - Default Route to ISP 1PIX535 Firewalls (HA) - Default Route to Edge RouterLAN Core/Distribution - Default Route to PIX535 Inside InterfaceAll applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.
Here's what we are adding:
ISP 2 - with /24 IP PrefixNo BGP Routing3925E Edge Router - Default Route to ISP 2ASA5550 Firewalls (HA) - Default Route to Edge RouterSame connectivity to LAN Core/Distribution
Goals:Maintain ISP 1 for nowMigrate only end user Internet traffic to ISP 2No disruptions to applications/services using current DefGW to PIX535
Question: how to best use PBR to selectively direct traffic to the ASA inside interface?
I have been working with ASA 5510,20,40,80 but not with 5505 this vlan and its interfaces are quite confusing.Just want to know how it works and its connectivity to Cisco Switch.Do i have to put the interface of the switch in the same vlan as i am creating the interface vlan in firewall ?Now the switch port connecting to this Eth1 interface should also be in the same vlan ? i.e vlan3 ?? or it will be in trunk ? The default configuration shows the eth0 with no access vlan and interface eth1 with access vlan 2... does it mean the eth0 is in vlan1 ? (Nativ Vlan ) ???
View 4 Replies View RelatedIve migrated from my lab pix to a lab asa and am trying to open certain ports to my internal network.
in my confg on my pix i had acls to open port 51413 to an inside host along with the static nat rule.
what i am trying to accomplish is same on my asa, however the nat rules seem to be slightly different, and i'm not completely sure how to do it.
My ACL and nat rule is below. I'm pretty certain my acl is correct,but i am not sure as to what to do with my NAT rules to allow a translation for the tcp service.
access-list outside-in extended permit object tcp51413 any object outside nat (inside,outside) source dynamic all-inside-nat interface
I am in a non-admin context mode in ASA 5520 8.0 (5) and i m trying to add a new interface
GigabitEthernet1/2.4 172.19.4.1 255.255.254.0 manualGigabitEthernet1/2.6 172.19.6.1 255.255.255.0 CONFIGGigabitEthernet1/2.180 172.19.180.1 255.255.252.0 manualGigabitEthernet1/2.190 172.19.190.1 255.255.254.0 manualgvadc-fw/tgf# conf tgvadc-fw/tgf(config)# int ggvadc-fw/tgf(config)# int gigabitEthernet 1/2?
configure mode commands/options:1/2.180 1/2.190 1/2.4 1/2.6gvadc-fw/tgf(config)# int gigabitEthernet 1/2.168 ?ERROR: % Unrecognized commandgvadc-fw/tgf(config)#
what do i do?
Our external security department needs to scan, every three months, a computer behind the firewall. I need to create a simple NAT rule that will allow an ip address or subnet to the computers behind the ASA 5505. At the moment, we have a simple NAT rule which allow all network traffic to exit from inside to outside.
View 19 Replies View RelatedI am trying to create host objects that I'll then add to network-object groups for use in ACL/ACEs.When I try to create a host I am having trouble adding the IP address.I then get an error saying the host name must start and end with letters or numbers and only contain letters or numbers. What do I need to do to create hosts from CLI?
View 2 Replies View RelatedI have created a simple static ip address by using this command:
interface Vlan1
nameif inside
security-level 100
[Code].....
But, no matter what, the I can't ping the static address or access the computer 10.2.1.2 from outside of the asa 5505. I have attempted to ping from inside of the asa 5505 or from another computer. I just does not work.
I also have created several rules that allows icmp traffic.
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit any outside
I have an ASA5510 where I have defined object-groups and then associated them with a specific ACL. Our ISP is pulling their point of presence from where I live and I am force to move to a new ISP. I am in the process of setting up another interface for the ASA5510 to connect to the new ISP.
My questions is can I create a new ACL lets call it new_access_in and use it with the same object groups that I have already defined? I know that I can only have one ACL bound to an interface, and will bind this new ACL to the new interface I am setting up, but I wasn't sure if I could use the same object groups and connect them to a different ACL. I really don't want to have to create new object groups if I don't have to.
What is the command for creating a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?
View 8 Replies View RelatedOur company has recently upgraded our firewall from a Borderware Steelgate v7.1 platform to a Cisco ASA 5520 platform. Needless to say the interface on the Cisco platform is much more complex and I don't have much experience working with firewalls. Our other IT guy is out of town and this is the first time I have worked on this setup.
I need to create the following access rule
I need to open port 4**0 to be allowed through the firewall from external ip address 10.XXX.XX.XXX only. Then forward port 4**0 to 10.XX.XX.XX port 80 tcp
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
View 1 Replies View RelatedI've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies View RelatedI am trying to configure our ASA 5505 so that our users can access our ftp site using [URL] while inside the firewall. Our ftp site is setup so that you can reach it by either browsing to the above url or by browsing to ftp://99.23.119.78 but we are unable to access our ftp site from either route while inside the firewall. We can access our ftp site using the internal ip address of 192.168.1.3.
Here is our current confguration:
Result of the command: "show running-config"
: Saved:ASA Version 8.2(1) !hostname ciscoasaenable password qVQaNBP31RadYDLM encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif ATTsecurity-level 0pppoe client vpdn group ATTip address pppoe setroute !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveobject-group service DM_INLINE_TCP_1 tcpport-object eq ftpport-object eq ftp-dataport-object eq wwwaccess-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1 access-list ATT_access_in extended permit tcp any interface ATT eq ftp access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data access-list ATT_access_in extended permit tcp any interface ATT eq www access-list 100 extended permit tcp any interface ATT eq ftp
[code]....
Currently we have two inter-chassis FWSM redundancy. I would like to configure them for intra-chassis.
Both FWSM's are in slot 7 of 6509 switches and i want to take secondary out from one of the 6509 switch and insert in the slot 3 of primary switch.
I addedd the following commands in my primary switch.
There were commands already present for FWSM in primary switch
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
firewall vlan-group 1 2,3,777
to create intra-chassis redundancy i addedd the following command also there.
firewall module 3 vlan-group 1
after adding that, my firewalls worked fine but there was a issue with site loading. People from outside were able to access inside but from inside, we were not able to go outside.
do we need to clear arp from both FWSM's ? is there any other precautionary step, which we need to follow while working on it.
I have two control point, two firewall the second one is linked inside one DMZ from the first firewall route is good and inside the DMZ from first firewall I have servers too.so to be more clear we could call as IP for the DMZ from first firewall, Interface IP 1.1.1.1 that generate this DMZ with first firewall (netmask 255.255.0.0)
inside the DMZ I have an interface from second firewall with IP 1.1.1.5 and inside DMZ 1.1/16 I have servers too keep one test server with IP 1.1.1.3.The LAN passing the second firewall is 2.2.2.1 ever 16 bits of netmask (255.255.0.0) inside the DMZ generated from second firewall I have a machine with IP 2.2.2.9 that need to access in TCP services on machine 1.1.1.3
TCP packets from 2.2.2.9 pass the second firewall and arrive inside DMZ with net 1.1/16 and arrive to server with IP 1.1.1.3 defaul gateway (to answer to originating machine with IP 2.2.2.9) is 1.1.1.1 ASA interface 1.1.1.1 claim a missing related as it haven't mapped the connection that has passed on first firewall. I need only that 1.1.1.1 route packets to second firewall (who own net 2.2/16) avoiding to be trappen in missing related check
at start it was working! around 1 year ago we upgraded IOS to 8.4 and ever so late (one year) doing maintenance to a machine I discovered it was no longer talking with these server on net 1.1/16
I have found on cisco docs chapter 51 and TCP State Bypass before was working, is something that has changed inside ASA IOS 8.4 ?
I could not ping 8.8.8.8 and access internet after creating the VPN. Below is my setup and router configuration: [code] From the router 1941, i could ping up to 58.185.149.141 but not up to 58.185.149.140. Since i cannot ping 58.185.149.140, i suppose i cannot ping 8.8.8.8. I am sure 58.185.185.140 is there as i use another PC which is connected directed to the office network instead of through the router 1941, it could ping 58.185.149.140.For your info, the g0/1/0 is connected to the PC while g0/1 is connected to the office network.
View 2 Replies View RelatedI'm having a problem with the memory and also trying to create some rules on the CISCO ASA. The version that I got installed was the 8.2.5.33 on a CISCO 5520 with 512 RAM, the memory usage is on 99% used, 1% free and because of that when I'm trying to create a new rule the firewall brings me the next error..So what I did was a downgrade to the version 8.2 (4) 4 and the memory went down a little (82% used, 18% free) but I still got the error when I'm creating an access rule on the device. One thing and I'm not sure if this could affect on the performance are the number of access list and the object groups that are created.
I already open a case with CISCO TAC and they are checking if the problem is with the memory capacity or maybe a memory leak.Also the doubt that I got is with the memory that I got now available should I can create access rules or 82 is still to hig to create a rule or and object group?
I have a problem to create a VLAN with a Cisco 2801.,I need to have base ports FastEthernet 0 / 0 and FastEthernet 0 / 1, in the same VLAN.
Basically I'm trying to switch access redundacion, now I have redundant switches in which I have the servers, but if one of these switches fails, and,coincidentally is where I have connected the router, the server runs out of internet connection.,I idea is to connect the FastEthernet 0 / 0 to a switch, and FastEthernet 0 / 1, to the other switch,but I managed to have these two ports in the same vlan, in order to have a unique IP for both FastEthernet ports,As I can do this?. do is a lot of documents using the switchport command, but this command is not available in my router, I tried different IOS, and nothing.,currently I have the following IOS: c2801-adventerprisek9-mz.124-24.T6.bin
I am trying to configure a Cisco 871 router.I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
I can access those servers internally using the public IPs but not from outside the network. A tracroute from outside the network gets dropped when it gets to my ISP.
I've never configured more than one static ip for a network before and i know i've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
I have an ASA 5505 at each of three locations. We have VPN tunnels set up between the three sites. I am currently using a single ISP to control the traffic between the sites. I am adding a new ISP to the mix. The goal is to have any internet traffic routed to ISP 2 and all internal traffic routed to ISP 1.The ASA does not do policy based routing (mostly because it is a firewall, not a router). I need to configure a router that will accept the output of the ASA and route it according to the above rule. All incoming routing will be done through ISP 1. Any suggestion on the device and the methodology to set it up? I am planning on doing this in each location.
View 3 Replies View RelatedWe have observed WS-C4507R-E got rebooted while creating the L3 VLAN ( while No shut).Is there any known bug for below IOS ?cat4500-entservicesk9-mz.122-40.SG.bin,
View 4 Replies View RelatedI'm looking to see if it is possible to run a vPC between to vDC's on a single 7010? We have a Production setup that runs dual 7010's with vPC's between the chassis but in our lab we only have a single 7010 with a 32 port 10gig module. I was thinking that maybe we could create 4 vDC's on the 7010 and run a vPC between the vDC's.
View 2 Replies View RelatedI was reading the documentation of the Catalyst 4500-X for creating VSS and MEC (multichassis etherchannel).In the VSS specific part, it's written"Cisco Release IOS XE 3.4.0SG does not support Layer 3 MEC".
Can I still use VlanX interfaces ad route through them?In my setup I only have IP addresses assigned to vlanX interfaces (with some VRF-lite magic)[code] Does that sentence only mean that I can't have IP assigned directly to the MEC?
i am running c3640-is-mz.124-21.bin on a cisco router 3640. i am trying to create a monitor session in the CLI and everytime i type the command Router(config)#monitor session 1 interface ethernet2/1 % Invalid input detected at '^' marker. Router(config)#monitor session 1 interface ethernet2/1 ^% Invalid input detected at '^' marker. i get the error invalid input ?
View 10 Replies View RelatedWe have a 3560 switch running IOS universalk9-mz.150-1.SE3.bin.Recently, we saw two problems with this switch:-
1. if we try to enable subinterface on any routed interface , for eg. gig1/1, it says invalid input detected. It doesnt accept encapsulation command also. Following was done to enable subinterface:
int gig1/1
no ip address
int gig1/1.2000
ip address 1.1.1.1
under the gi1/1.2000 subinterface, it doesnt present the option of ip address.
2. we created a layer 2 vlan 2000 like: vlan 2000 When we do an exit after creating this vlan , it gives following error:-
%SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 2000: extended VLAN(s) not allowed in current VTP mode
I have inherited a PIX 525 environment and I need to document a lot of stuff to catch-up on what is going on. I was gathering IP address information and ran "show interface outside" and "show interface inside" and noticed the same IP assigned to both. I checked the MAC address and they are different. This IP is also listed as the Management IP. So I am sort of confused. What condition would warrant both the inside interface and outside interface along with the Management IP having the same IP?
The PIX and the hosts it comms it monitors do live in a VLAN controlled by a Brocade switch which also is our gateway out.