Cisco Firewall :: ASA5520 - Stub Multicast Router On ASA
			May 28, 2008
				I'm swapping out a PIX, IOS 6.3 with an ASA 5520 v8.  The PIX has the following 2 commands in its config:
 
multicast interface outside
multicast interface inside
 
These commands do not exist on the ASA.  I do not wish to enable multicast routing.  What commands on the ASA are equivalent to the multicast commands on the PIX?
	
    	
        Jun 26, 2011
        I can't seem to find where in ASDM (6.4.1) we can configure IGMP forwarding:

ASA5520(config-if)# igmp forward interface outside

The ASDM doc reference does not seem to be correct, pointing to: Configuring Stub Multicast Routing

Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > Multicast > IGMP.
Step 2 In the Multicast pane, check the Enable Multicast routing check box.
Step 3 Choose MForwarding.
  
which generates:
  
ASA5520(config-if)# mfib forwarding
    	
        Dec 17, 2012
        We are experiencing some issues with the Apple TV and WLC. We currently have an Apple TV and iPhone on the same subnet connecting via a Lightweight AP (different subnet) which connects to a Cisco3750 running IP Base. This connects to WAN routers managed by a third party over a WAN and connects to far end managed routers; these connect to other Cisco3750 IP Base switches and onto a 2504 Wireless LAN controller. We have used the following document for WLC configuration: [URL]

We turn on Multicast globally, with IGMP snooping enabled, also enable Multicast Multicast under controller (only option available on 2504) and give the device M Cast address 239.21.1.150. The P2P blocking action is disabled. Going to Monitor Multicast we can see the Report for 224.0.0.251 and MGID. However the issue is at the Sender Receiver side: the iPhone cannot see the Airplay on the iPhone that should be seen if the end to end stream is working. My focus is now on the Cisco3750's, although I do not totally understand why the device needs Multicast enabled, as the Multicast Join and Group Traffic is encapsulated in the CAPWAP tunnel, is it not? Anyway I have enabled the only option "ip multicast routing distributed", and under the VLANs that connect to WLC and AP the only option available is "ip pim passive"; there is no "ip pim sparse-dense mode".

I am sure the WLC is configured correctly, but I suspect that this will not work due to the IP Base image on the 3750's not being able to run full multicast, or we need to use unicast for this solution, which the 2504 does not support.
    	
        Sep 16, 2012
        We have 5 sites connected with a combination of direct fiber and Service Provider Ethernet. The equipment consists of 3750 stacks with IP Services. Currently each site runs full EIGRP and is an EIGRP neighbor to all the other sites. Everything is working fine right now.
 
We would like to upgrade the R5 site to a 3750x stack with IP Base (cheaper than IP Services) and configure it as EIGRP Stub. My concern is with the following statement in the IOS command reference guide.  
Note Multi-access interfaces, such as ATM, Ethernet, Frame Relay, ISDN PRI, and X.25, are supported by the EIGRP Stub Routing feature only when all routers on that interface, except the hub, are configured as stub routers.   
    	
        May 31, 2011
        Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
 
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
 
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
 
My 2nd is that I have debug enabled on my rules but am not logging anything.
    	
        Jun 7, 2011
        I have a LAN with multiple VLANs connected through a Catalyst 3750 with IP Base image. In IP Base the router only supports PIM stub multicast (no PIM multicast routing), but I have an ASA connected to the internal router and to the internet router. The ASA supports PIM multicast routing and can act as PIM RP. With this configuration, is there a way to configure an internal multicast network? That is, a multicast server in one internal VLAN (VLAN 1) and multicast clients in VLAN 2. Both VLANs are connected to the C3750 router.
    	
        Jul 31, 2012
        I just want to administer a Cisco ASA5520 and a Cisco router MPLS 1900. Can someone tell me, as admin, what to check regularly as you get into the office on the Cisco ASA 5520 and the VPN MPLS router? Right now it's working as configured by the supplier for remote sites to connect to HQ and access several servers. My interest is to know what the basic day-to-day checkups are on the Cisco ASA5520 working as IPS, the Cisco ASA 5520 working as content filtering, and the Cisco VPN MPLS.
    	
        Nov 14, 2012
        We have small which I'm looking to implement and have built this on GNS3.
 
We have:
 
Router A in site 1
Router B in site 2 
Router C in site 3
 
Router A and B are connected via a point-to-point 100M link, and from Router C we have 2 point-to-point links, one of which is 5Mbps, going to Router A and Router B.

For Router C to reach Router A's network it will go via Router B, and these are 100M connections. When the link between Router A and B goes down, Router C should update and start using the 5M route.

For some reason, the routes are not updating. I have to do 'clea ip eigrp ne' for the routes to update, and if I reload the routers all works well; it seems the problem is intermittent.
    	
        Dec 22, 2011
        Regarding the ASA5520 firewall: I'm using it in my network, and all the configuration is properly configured and working, but with the use of a proxy address in Internet Explorer (e.g. 206.53.155.129/3128) all the blocked content is easily accessible; it simply bypasses all the network through the firewall. So will you guide me to block the proxy servers?
    	
        Apr 18, 2012
        Why do we need MP-BGP (and not BGP) to exchange multicast prefixes between multicast domains?
    	
        Feb 19, 2013
        I try to pass multicast traffic between two vrf on the same 3750 switch. I have IP services IOS and sdm template routing. 
 
here is my config:
 
ip routing
!
ip vrf vpn2
 rd 1:1
 mdt default 232.1.1.1
 route-target export 1:1
 route-target import 1:1
[code]....
 
Now I'm stuck - I don't know what to do to pass multicast traffic. Do I have any chance to run this config on a 3750 chassis? Perhaps the "Configuring Multicast VPN Extranet Support" document will be useful, but it concerns the Catalyst 6500? [URL]
    	
        Apr 24, 2012
        I am looking to implement 25 Cisco 3750 switches with IPBASE image at the edge, across many cabinets.  I understand I am limited to EIGRP Stub on the 3750 switches (with IPBase) and cannot achieve funding to upgrade to IPServices.  Though I am not fully aware of the limitations, in terms of what I am trying to achieve.

Broadly speaking I want to install 2 x 3750 switches at the edge, with point-to-point links to two 6500 core switches (at the data centre) and then have HSRP interfaces on the 3750's, tracking the uplinks to the core switches.  I am presuming this will be the best solution to ensure reliability. My 6500 switches run EIGRP and have many VLANs and other L3 networks advertised, which will need advertising to the 3750 switches.  I would be looking to advertise two or three HSRP networks on the 3750 switches, up to the core switches. At the moment, the entire network is Layer 2 (VLANs + STP).

How to configure EIGRP across the 3750 switches and 6500 switches to allow for the 3750's to see the whole network and also advertise back up its directly connected (HSRP) networks to the core?  At the moment, after configuration, none of the switches see each other as EIGRP neighbours but can ping the L3 addresses on each end.
    	
        Aug 22, 2011
        I have two ASA 5520 firewalls: one at my primary data center connected to our production Internet feed, and one at my failover data center connected to a backup Internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our ISP that will move our public-facing address block from our primary site to our DR site in the event of a disaster, so the IP addresses will not change if we were to have to fail over to the DR site. Currently I just have to do any changes that I make on the failover server, but would like a way to at least semi-automate this, if not fully automate this, so that I can eliminate the possibility of human error of a change happening at primary but never getting done at DR.
    	
        Feb 23, 2011
        Is it true that the new ASA Platform 5585 does not support Multicast? Here on Page 7: [URL] Because the old ASAs support Multicast.
    	
        May 3, 2011
        I need to configure multicast between 2 Cisco 5540's LAN-to-LAN IPsec tunnel for a VoIP application.
    	
        Jun 19, 2011
        We have an ASA-5540 (8.4(1)). The inside interface faces a few multicast receivers. The outside interface faces the multicast source. All of the ASA multicast documents I've downloaded describe very simple network designs, such as a single segment on the ASA inside. Our PC hosts that will be multicast receivers are a couple of router hops away from the ASA inside interface. I'm not sure what the best way is to configure multicast on the ASA. Should I configure the ASA with PIM routing and a static RP address (plus the ACL to allow the multicast source traffic in) since the receiver hosts are a couple of hops away?  I think I understand the IGMP joins are for a local PIM router, so configuring as a Stub Multicast router wouldn't work? The two Cisco routers between the host and the inside ASA interface already have PIM, a static RP address, and IP PIM Sparse-Mode configured.
    	
        Sep 25, 2011
        I have an ASA5520 with five Internet IPs. One is for the internet interface and the others are statically mapped to DMZ hosts. It ran correctly until yesterday. Now it will lose the connection to the gateway many times every day and the DMZ hosts cannot connect to the internet at any time. Configuration (simplified):
 
!
interface GigabitEthernet0/0
nameif internet
security-level 0
[Code]....
I called the ISP to check: when the ISP clears their router's ARP, the ASA will lose the connection at the same time and then the ISP's router can't learn the ASA's MAC. After I 'clear arp' manually, the ISP's router can learn the ASA's MAC and the connection recovers, but the DMZ hosts still can't access the internet (of course, there is no problem between the DMZ and the ASA; I ping the internet gateway from a DMZ host and cannot get any reply).
    	
        Oct 3, 2011
        We have 2 x ASA5520 and I upgraded this to 8.2.2 last year, I see 8.2.5 and now 8.4 is out.  If we are having no issues, is it best just to leave it as it is?  I can see a couple of features I may find useful in 8.2.5, but 8.4 seems like a huge jump and a risky one too.
    	
        May 8, 2011
        I have one ASA5520 firewall; it is very slow.
    	
        Mar 7, 2011
        I am trying to introduce an ASA5520 to my network based on the following diagram:  ISP Internet ------> ASA5520 ------- > Cisco Router ------> LAN.  The problem is I cannot ping the ASA from the LAN. I can ping it from inside the router.  I already allow ICMP within the ASA. If I remove the Cisco router and replace it with a switch, I can ping the ASA with NO problem.
    	
        May 16, 2011
        We want to use ASA5520s, but the two firewalls have different CPUs. One has a Pentium 4 2400 MHz CPU and the other has a Pentium 4 Celeron 2000 MHz. Can they be configured for replica / failover?
    	
        Apr 19, 2011
        We have 2 firewalls: a PIX facing the Internet and, connected to interface e1 (behind it), an ASA version 8.3. Both the PIX (Internet-facing firewall) and the ASA are on the same subnet.

By using routing statements and statics I have been able to reroute specific traffic to the ASA5520 version 8.3. Now I need to invert the 2 devices. The ASA5520 will be facing the Internet and the PIX will be behind it. Unfortunately the ASA5520 is refusing to route the traffic to the PIX. The access-lists are open accordingly and a NAT on the ASA has been created.
    	
        May 31, 2013
        I have my router connected to the ISP, then my router is directly connected to my ASA5520. I also use the ASA5520 as my DHCP server, and I was wondering about the DHCP server function of the ASA 5520, because if I use the ASA 5520 LAN IP, no workstation will be able to browse anything from the internet unless I use the ISP DNS IP which they gave me?
    	
        Sep 4, 2012
        Get the following log message on secondary ASA console output when turning on the ASA failover function?
 
"Mate's service module (CSC SSM 6.6.1125.0) on slot 1 is different from mine (CSC SSM 6.6.1125.0)"
 
After that the secondary cannot join as a failover unit and shows in disabled status. We have the same model ASA & CSC module and each pair of them is on the same firmware (CSC 6.6.1125.0 with ASA5520 8.4(4)1). When I shut down both the CSC modules, the ASA failover works fine.
    	
        Dec 15, 2012
        I am using a squid proxy behind an ASA5520 firewall to collect the users to the internet. Squid is just necessary to log what is going on in order to find a quick solution when the internet slows down.
 
Considering that I have unlimited licenses and I would like to get rid of squid, I wonder if the ASA has some functionalities to track which websites are being used and how much traffic is generated. If there is not, I would like to know if Cisco offers a good product to replace Squid.
    	
        Jun 8, 2011
        Upgraded an ASA5520 from 7.x to 8.4 in one step? Release notes for 8.4 state that you can "...upgrade from any previous release directly to 8.4..."  I've read the previous version release notes and see the various changes in NAT etc that 8.3 made.
    	
        Jul 5, 2011
        My customer had 2 ASA5520s, version 8.0(5)20, and LMS 4.0.1. The two firewalls are "unknow" on LMS, why? Normally, LMS manages ASAs with version 7 minimum.
    	
        Jan 5, 2012
        Any limits on the number of IPSec sessions an ASA5520 can support over a DSL connection?
 
Currently, as we increase the number of IPSec VPN tunnels, our LAN switches connected to the DSL/ASA start seeing CRC/input errors.   Tried different LAN ports for both DSL/ASA connections - same results (CRCs and errors).   Swapped ASA for PC running 1 IPSEC w/HD video and no issues.
 
VPN connection bandwidth demand 50% of DSL capacity, so not exceeding DSL bandwidth.    Errors get so bad that all VPN sessions drop - sometimes VPN sessions re-establish while other instances a DSL modem reboot is required.
   
cause of LAN switch connections seeing errors with 4+ VPN sessions established on ASA across a DSL Internet circuit?
    	
        Mar 1, 2011
        I'm not able to configure the ASA 5510 to allow the multicast traffic to pass through the ASA. The multicast traffic has to pass from the inside interface to the outside interface. Can I configure the multicast traffic to pass through the ASA with a static NAT?
    	
        Dec 6, 2011
        Our customer is using multicast in their internal network for their IP video deployment. Internally on the network everything is working great.

We have two folks in management who want to be able to view the live multicast video feeds of the cameras remotely. I have tried to accomplish this using the Cisco VPN client. Although VPN connectivity is good (we can ping the individual cameras) they are unable to view the live multicast feeds. I enabled multicast globally on the ASA and the inside interface and get the same results.

Is there a way for the ASA to support the remote IPSec VPN client to view the multicast streams?
    	
        Feb 19, 2012
        WAN1 <-> LAN traffic
WAN2 <-> LAN traffic
WAN1 <-> WAN2 traffic?
 
Say, it is set DISABLED, what is / isn't blocked? 
 
It reads: Multicast Pass Through: IP Multicasting occurs when a single data transmission is sent to multiple recipients at the same time. Using this feature, the Router allows IP multicast packets to be forwarded to the appropriate computers.
    	
        Feb 13, 2013
        I have a 3560 with IP base that is acting as a true EIGRP stub router today.  It advertises local routes to the upstream service provider router and receives a default route.
 
Now I want to connect a 3900 ISR as a voice gateway.  The 3560 does not seem to be advertising any routes to the 3900.  Ok the EIGRP stub doc says this:
 
Only specified routes are propagated from the remote (stub) router. The router responds to queries for summaries, connected routes, redistributed static routes, external routes, and internal routes with the message "inaccessible." A router that is configured as a stub will send a special peer information packet to all neighboring routers to report its status as a stub router.

Any neighbor that receives a packet informing it of the stub status will not query the stub router for any routes, and a router that has a stub peer will not query that peer. The stub router will depend on the distribution router to send the proper updates to all peers.
 
I guess I don't understand why the stub advertises local routes to the upstream ISP router but does not seem to advertise routes to the 3900.  Does the stub identify the ISP router as the distribution router somehow, thus differentiating it from the 3900?  If so, how is this done?
 
show ip eigrp neighbor detail on the 3900:
 
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
[Code].....
    	
        Jan 16, 2012
        I'm trying to configure an ASA 5520 with cut-through proxy feature. The user is required to be authenticated when trying to access an outside resource from the inside. This is a test lab before it is implemented in production. [code]