i need upgrade two ASA5520 in failover. It´s has IOS 8.0(3) and ASDM 6.0(3).How is the correct procedure to upgrade two Firewalls?
Which is the optimal IOS to for upgrade and i not need make changes in config of ASA?
We have 2 x ASA5520 and I upgraded this to 8.2.2 last year, I see 8.2.5 and now 8.4 is out. If we are having no issues, is it best just to leave it as it is? I can see a couple of features I may find useful in 8.2.5, but 8.4 seems like a huge jump and a risky one too.
View 1 Replies View RelatedUpgraded an ASA5520 from 7.x to 8.4 in one step? Release notes for 8.4 state that you can "...upgrade from any previous release directly to 8.4..." I've read the previous version release notes and see the various changes in NAT etc that 8.3 made.
View 3 Replies View RelatedWe are planning to upgrade IOS on a 5520 pair, from 7.2.4 to 8.2.4, and cause minimum outage. And according to the documentation, we can do the zero downtime IOS upgrade by failing over to the standby ASA and back.
[URL]
So, can during this process, can we go from 7.2.5 to 8.0.5 (last maintenance release), or do we have to move to 8.0.2 first ?
I am needing to upgrade the Flash card on our current ASA from 64mb to a 1GB card to make way from upgrading from 8.0 to 8.4. When i copy all the contents from the 64MB card through a card reader i am not getting the startup-config file copied over. I checked to make sure that all hidden files are shown, but i am not seeing it. I backed up the startup-config from the old 64mb card to a tftp server before switching the cards out. Is their something that i am missing?
View 4 Replies View RelatedI am forced to upgrade my ASA 5520 software from 7.1 - 8.2 or higher, as I am not familiar with ASA I need expert opinions.I have following concerns regarding the upgrade.
1-Do I need to worry about the software licensing when I download 8.2
2-I read about the few difference in commands (ACL and NAT) in 8.2 what exactly I have to do here should I change the configured NAT and ACL with real IP in the existing configuration after the upgrade ?
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
With regarding to the firewall ASA5520, i'm using it in my network, all the confiuration are properly configured and working but with the use of proxy address in internet explorer(e.:206.53.155.129/3128) all the blocked contents as easily accessible simply it bypass all the network through firewall.so will u guide me to block the proxy servers.
View 1 Replies View RelatedFollowing are the details of my current home network setup, I would like to hear more recommendations and drawbacks of this setup.ISP has provided with a Cisco DPC3825 DOCSIS 3.0 Gateway which has 4 Ethernet ports and a wireless networking but only 2.4 GHz.. This router is connected to the cable CPE box to internet. I have enabled the Firewall features of this router and disabled the Wireless network. This has also the DHCP server running. The Second router is a Cisco E3000 which supports 2.4 GHz / GHz wireless networking. Connection to gateway is made via the 1st Ethernet port of gateway and then to the Internet port of E3000 router. I have connected my wireless devices to E3000 with GHz wifi lan. This router also has the firewall activated and DHCP server running as well.Both routers have WEP2 Personal / AES security configured. Currently these two devices are on two different IP ranges ..etc gateway is 192.168.0.1 and e3000 is 192.168.1.1.The E3000 is primarily configured for my online video for TV (Panasonic Vireacast).
View 3 Replies View RelatedI currently have two laptops, a PS3, one desktop (technically two, but right now its not working, hoping to make it wired, but we will see), a smart phone and an Ipod touch. The first few are used the most though. I have the router currently downstairs in the kitchen in the corner (I know terrible place) unfortunately it was the only place beside the room upstairs, which tbh I don't know why we didn't do, which is still towards an end to the house. The middle most part of the house would be in between the kitchen and the dinning room on the first floor, although it doesn't have a great place for the coax jack to be installed. The other room would be mine upstairs. So the question is; is the router better off upstairs or down stairs. Also the router is a Linksys WRT54GS so its only G sadly. I'd like the best signal strength as possible spending the least amount of money as possible. Sadly I game (PS3,Laptop,Desktop) which also would make it awesome to have some of these wired, but theirs no great location to get the best of both worlds. If I had to choose it would be my desktop to be wired which is why my room for the router would be nice if its a good place for the signal.
View 7 Replies View RelatedI have two asa 5520 firewalls. one at my primary data center connected to our production Internet feed, and one at my fail over data center connected to a backup internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our isp that will move our public facing address block from our primary site to our dr site in the event of a disaster so the ip addresses will not change if we were to have to fail over to the DR site. currently i just have to do any changes that i make on the fail over server but would like a way to at least simi-automat this if not fully automat this so that i can eliminate the possibility of human error of a change happening at primary but never getting don at DR.
View 1 Replies View Relatedwhat is the optimal advanced settings for the ae2500 wireless adapter while gaming. I keep getting lag spikes with my games. Is there a always on option or like a gaming mode? If so what is it.
View 1 Replies View RelatedJust picked up the E4200 and used Cisco Connect to install. Wanted to know a few things?
-Windows 7, 64 bit
-E4200 router
-AE2500 adapter
1) How can I tell if its running at optimal configuration?
2) Before with my previous router (netgear) I didn't see my router in Device Manager. Now its under Network Infrastructure Devices. It lists the name of my router, under that it lists Microsoft Wireless Router Module??
3) Before with my previous adapter (belkin) I would see my Network Adapter in Device Manager. I see my network adapter listed, under that Realtek PCI (LAN), but now there is another new device? Microsoft Virtual WiFi Miniadapter??
Why are these Microsoft devices showing in Device Manager? Did they not get installed correctly?
I want absolute max throughput possible to be achieved in all focal points. We're all in internet related industries. Between gaming and web-development latency and throughput are major factors for us.
1) Garage (office). downstairs
2) Each bedroom x4. upstairs
3) Living room. downstairs
The fastest line we can get is Comcast 50mbdown/5up (Wideband).
I am looking for the best way to achieve wireless and wired performance for our setup.
Our gaming computers may be in our bedroom, and we also may bring it down to the office every now and then for LAN sessions. Most wireless will be happening downstairs with our laptops, but since we may do LAN sessions then hard wired latency may be important there too.
I dont know if placing one D-link DGL 4500 on the top floor would be enough; which I currently own. url...As far as I'm aware wireless signals transfer best top down. Would this wireless router be enough on top floor and that's it?
I have a asa5520 with five Internet IP.One for the internet interface and the others are static maped to dmz hosts. It runs rightly until yesterday.Now it will lose the connection to the gateway many times everyday and the dmz hosts can not connect to internet any time. configuration(simplified):
!
interface GigabitEthernet0/0
nameif internet
security-level 0
[Code]....
I called ISP to check,when ISP clear their router's ARP, the asa will lose the connection at the same time and then the ISP's router couldn't learn the ASA's MAC. After I 'clear arp' manually,The ISP's router can learn the ASA's MAC and the connection recovered,but the DMZ's cann't access internet still (of course,There is no problem between DMZ and ASA ,I ping the internet gateway from DMZ host and can not get any reply.).
I have one firewall ASA5520, are very slow
View 3 Replies View RelatedI am trying to introduce an ASA5520 to my network based on the following diagram: ISP Internet ------> ASA5520 ------- > Cisco Router ------> LAN. The problem is I cannot ping the ASA from the LAN. I can ping it from inside the router. I already allow ICMP within ASA. If i remove the cisco router and replace it by a swich, I can ping the ASA with NO problem.
View 5 Replies View RelatedWe want to use ASA5520 but both Firewall have different CPU. One has CPU Pentium 4 2400 MHz and another has Pentium 4 Celeron 2000 MHz. Can it be configured for replica / failover?
View 5 Replies View RelatedWe have 2 firewalls on PIX facing the Internet and connected to interface e1 (behind it) an ASA version 8.3 Both the PIX (Firewall facing) and the ASA are on the same subnet.
By using Routing statements and statics I have been able to reroute specific traffic to the ASA5520 version 8.3 Now I need to inverse the 2 devices. The ASA5520 will be facing the Internet and the PIX will be behind it.Unfortunately the ASA5520 is refusing to route the traffic to the PIX. The access-lists are open accordingly and a NAT on the ASA has been created.
i have my router connected to ISP then my router directly connected to my ASA5520....i use also ASA5520 as my DHCP Server and i was wondering with the DHCP Server function of ASA 5520 because if i use the ASA 5520 LAN ip ...all workstation will not be able to browse anything from the internet unless i use my ISP DNS IP which they gave me?
View 3 Replies View RelatedGet the following log message on secondary ASA console output when turning on the ASA failover function?
"Mate's service module (CSC SSM 6.6.1125.0) on slot 1 is different from mine (CSC SSM 6.6.1125.0)"
After that the secondary cannot join as a failover unit and shows in disabled status.We have the same model ASA & CSC module and each pair of them are in same firmware (CSC 6.6.1125.0 with ASA5520 8.4(4)1), when I shutdown both the csc modules, the ASA failover works fine.
I am using a squid proxy behind an ASA5520 firewall to collect the users to the internet. Squid is just necessary to log what is going on in order to find a quick solution when the internet slows down.
Considering that I have unlimited licenses and I would like to get rid of squid, I wonder if the ASA has some functionalities to track which websites are being used and how much traffic is generated. If there is not, I would like to know if Cisco offers a good product to replace Squid.
My customer had 2 asa5520 version:8.0(5)20 and LMS 4.0.1.Two Firewall are "unknow" on LMS, why ?Normally, LMS manages ASA with version 7 min.
View 1 Replies View RelatedAny limits on the number of IPSec sessions an ASA5520 can support over a DSL connection?
Currently, as we increase the number of IPSec VPN tunnels, our LAN switches connected to the DSL/ASA start seeing CRC/input errors. Tried different LAN ports for both DSL/ASA connections - same reults (CRCs and errors). Swapped ASA for PC running 1 IPSEC w/HD video and no issues.
VPN connection bandwidth demand 50% of DSL capacity, so not exceeding DSL bandwidth. Errors get so bad that all VPN sessions drop - sometimes VPN sessions re-establish while other instances a DSL modem reboot is required.
cause of LAN switch connections seeing errors with 4+ VPN sessions established on ASA across a DSL Internet circuit?
I'm trying to configure an ASA 5520 with cut-through proxy feature. The user is required to be authenticated when trying to access an outside resource from the inside. This is a test lab before it is implemented in production. [code]
View 15 Replies View RelatedI have a pair of brand new 5520s I am in the middle of commission. After carving out all the DMZs etc I needed I realized that I really neede another physical NIC, not just another VLAN off a configured nic. [code]I am running 8.3(2). How can I turn these "Not used" interfaces into useable ones?
View 2 Replies View RelatedI have Cisco ASA5520 with a 8.4 code in GNS3. I have a problem pinging to the internet. On the ASA console, I can ping to outside world, but on vpc I cannot ping the outside world. But I can ping the ASA Inside interface and other VLANs, no problem. [code]
View 3 Replies View RelatedI have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.
View 1 Replies View RelatedI've got an annoying problem with my ASA 5520.I have traffic going from the inside interface (security level 100) to the outside interface (security level 0) with a global PAT applied to the outside interface address for all inside traffic - and I can't seem to traceroute through the firewall.The ruleset is simple - basically, allow any IP from inside to outside. The NAT is simple - PAT all traffic unless exempted to the IP address of the outside interface.If I do the trace from my internet edge router it works fine - so I know it's not soemthing my uplinks are filtering - but if I do it through the firewall, I get perfect responses until the hop where it hits the firewall interface - then nothing.Is there something I am missing that I need to do to allow traceroute to just work with all the rest of the traffic?
View 2 Replies View Relatedhow do I verify if CG-NMS is enabled on ASA5520. I just need to know if it's enable/install to be enabled and used?Cisco Adaptive Security Appliance Software Version 8.0(5)28..Device Manager Version 6.1(5)51
View 1 Replies View RelatedI have a cisco ASA5520 box running with IOS version8.2(5)13 where default policy map is applied globally. But I have not seen any traffic being inspected through included protocol defined under policy map.All configuration seems to be ok for me.
service-policy global_policy global
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
[code]....
I can no longer SSH to a primary active firewall. It had all of a sudden stopped working. However I am able to SSH to the secondary standby firewall without any problems. I did try to regenerate the RSA key on the primary fw, but still unable to connect. The only way I can connect to it is by using telnet.
I ran the "show asp table socket" command and I'm seeing port 22 listening on the primary IP address (not the standby), foreign address is 0.0.0.0:*. I did a packet capture on port 22 on the inside inside, seeing my request hit the fw and then right away a reset back from the fw.
version 8.2.(5)
model ASA5520
I'm hitting a bug in the software version I'm running? Or what else can I check before rebooting the primary fw?
I'm trying to setup a zone behind my firewall with complete publicly routeable IP addresses for 3 servers. The reason I'm doing this is I am in the network setup stage of an OCS implementation, and OCS connections don't behave well with NAT.
My device is a ASA5520. I have an internal zone, and a dmz zone. These are done via standard NAT configurations.
My question is this:
Is it possible to setup connectivity to the outside with internal servers that have Public IP's directly on their NIC's? Another little detail of interest is that this ip space is seperate than the one that's on current Outside interface facing our ISP. However we own both address space.