Cisco Firewall :: Active IPS Feature In ASA5500-X?
May 5, 2013
Should we active IPS feature in ASA 5500-x by useing license?in the 5500-x ordering guide:IPS is only sold as ASA-IPS combo SKUs i.e., one cannot add IPS service as an option on top of ASA SKU. For example, if IPS service is desired on ASA 5515-X appliance, the relevant SKU is ASA5515-IPS-K8 or ASA5515-IPS-K9.But my customer has actived it by using the ASA5525-IPS-SSP on ASA5525-K9.
View 2 Replies
ADVERTISEMENT
Jul 17, 2012
I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
View 6 Replies
View Related
Mar 3, 2013
Does any one advise the current ASA 5510 is going to EOS ?
View 1 Replies
View Related
Mar 20, 2012
I am looking at deploying a pair of 5585X's in an active/active multiple context state. I am creating Mulitple contexts that need to be able to route to each other. I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts, i beleive this will work as basically i am just cascadng the contexts and sharing interfaces.
The main problem i have come across, is that if i deploy active/active across two appliances using 2 failover groups i can not see a way to route between them, for example.
I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2 in failover group 1 on appliance A with the respective standbys on Appliance 2. I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.
I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover. I do not beleive that I can share an interface between contexts in two separate failover groups and to be honest without adding a L3 device between the appliances i am not sure if this is possible.
View 9 Replies
View Related
Dec 17, 2012
I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA and make the config changes on the primary and then power on the secondary ASA ? Or this another way to do this?
View 3 Replies
View Related
Jun 1, 2011
I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
View 1 Replies
View Related
Mar 30, 2011
I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
IPS soft is 6.0(4) and ASA soft is 8.0(3)
I have checked cisco doc and it is confusing to me. it says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..
View 2 Replies
View Related
Dec 27, 2011
its possible to set up active/active failover using etherchannel on 5585s?
View 1 Replies
View Related
Mar 17, 2013
How to Configure ASA5520 for Active/Active
View 8 Replies
View Related
Oct 31, 2011
Using any computer and AnyConnect, I can connect to our network via ASA5500. But when I use Cius or iPAD, I always get a No License error message.
View 3 Replies
View Related
Feb 24, 2013
ASA-5510, inside, outside, and some DMZ.Some services published with Static NAT - no problem.Now we need to add a second outside connection, with a second provider.Internet navigation only through the first provider (default gateway to the provider router "A").I need to publish some services ALSO through the second provider, ensuring the accessibility of both public IP addresses.I can set up the second NAT on the second interface, but the answer is ONLY to the first IP (the ISP "A", where I have the default gateway).By Cisco manual, it seems that there is a "lookup route" automatic with the return route of NAT, but it does not work.
View 6 Replies
View Related
Feb 4, 2012
Recently i have configured ASA5550 with 2 Contexts in Transparent mode. Traffic can pass through a single Firewall context but through both contexts it couldn't.
View 0 Replies
View Related
Mar 2, 2012
I would like to schedule automatic backups of our ASA5500's OoO-hours:
1. SSH from secure server and create _FULL_ backup - what would be the CLI command(s) ?
2. SCP from secure server and retreive file(s) - what is the location of the file(s) ?
View 12 Replies
View Related
Jul 17, 2012
It's a problem about access ASA5500 Firewall mangement port. The customer request access ASA5500 by entering the default IP address https://192.168.1.1 to monitor data tracffic in Windows 7. But after entering the default IP in IE, no any page appear.
But that way can access ASA5500 magement port successfully in Windows XP. What the different between Windows 7 and Windows XP? Is there any way or any patch can access ASA5500 manemeng port in Windows 7?
View 4 Replies
View Related
Dec 26, 2011
I have a large quantity of ASA5520's and ASA5540's that need to be quickly assessed and RTV'd (if need be) if they are found to be upgraded ASA5510's.
My concern is because of this recent release-note by Cisco: [URL]
Is there a way to check the amount of DIMM slots on a unit through console or do I have to physically check each and every one?
View 2 Replies
View Related
Sep 19, 2011
I was wondering if it is needed to license the IPsec VPN clients in the ASA5500 firewalls...I know that you have license the SSL VPN peers (AnyConnect). I am almost sure that for the IPsec you don't have to.
View 1 Replies
View Related
Jan 10, 2012
I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface recieves its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to ssh port on internal host.
#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
[Code]...
View 7 Replies
View Related
Sep 20, 2012
I would like to know about asa 5500-x. Does it supports application visibility and granular control for different applications. Moreover bandwidth control based on different users and different applications
View 1 Replies
View Related
Mar 6, 2011
We have ASA5500's deployed for remote access concentration.We use Cisco IPsec vpn client with a group policy the chacks for Network ICE BlackIce ersonal firewall.The powers-that-be wish to change to McAfee presonal Firewall ok..Now the Group Policy allows you to check for several pre- configured Firewalls, Cisco Integrated, Sygate, Zone Labs etc.So as McAfee are no listed then I am to assume we go for "Custom Firewall" and this is where I am struggling.To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID.McAfee haven't the faintest idea what we're talking about when we ask them for these details.Or is there a way to extract them from the registry of a machine with the McAfee product installed?
View 3 Replies
View Related
Jul 27, 2011
I've been trying to configured Websense urlfiltering using ZFW feature on my Cisco 881G router. The router is running on IOS 15.0(1)M with Advanced IP Services. And I have confirmed it supports urlfilter feature.
This is what I tried to accomplish but IOS version 15.0x seems to have different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...
View 2 Replies
View Related
Feb 13, 2012
What is the best way to deploy the IOS firewall feature?I have a Cisco 1841 router running 12.4.
View 4 Replies
View Related
Aug 26, 2011
I'm a bit confused about new NAT functionality in Ver 8.4(2). I've gone through all the documentation as well as different blogs but still not clear about the various things.One of these is NAT-CONTROL. I understand that this has now been removed. Does this means that traffic traversing the ASA doesn't need any NAT'ing commands unless specifically required by the administrator? In other words by default traffic is allowed through the firewall without any NAT'ing.
My Second Query
I've ASA5520 running ver 8.4(2). For inside interface, I've created 13 x sub-interfaces under Gi0/1. All have same security level i.e. 100. What I want to achieve is that:Traffic from these sub-interfaces should be NATTed to outside interface when going to internetBut, intra sub-interface traffic should be allowed without NAT'ing. I'm using RFC1918 on both sides i.e. source / destination The first point is not a problem it's working, however. I'm struggling with the second point. On ver 8.2, it wasn't a problem, I used NAT 0 with access-list permitting RFC1918 addresses as source and destination.
View 3 Replies
View Related
Feb 16, 2012
I have upgraded ASA5550 version from 7.2(4) to 8.4(2).
On version 7, I am used to "names" command, like this:
names
name 107.25.1.10 Picard
name 107.25.2.20 Administrativa
By addition, when configuring acls it was very usefull, for example:
access-list inside_access_out line 15 extended permit udp host Picard host 107.25.4.61 eq snmp
On version 8, I have verified that names replacement is no more available:
ASA(config)# access-list outside_access_in permit ip host ?
configure mode commands/options:
A.B.C.D Source host IP address
View 5 Replies
View Related
May 31, 2013
I would like to knwo if i have dual ISP feature with my ASA 5520 licence? With ASA 5505 i can see Dual ISP feature but with ASA 5520 it's not!
View 3 Replies
View Related
Nov 16, 2011
i am going to implement a ASA5505 in one of my offices. I would like to use web filtering feature on it. Will it cause any performance degradation in ASA? will it utilized more memory?
View 1 Replies
View Related
Sep 7, 2011
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
View 1 Replies
View Related
Dec 21, 2011
Recently I want to apply traffic shape on my ASA5520, but after entering the configure mode of policy-map, I couldnot find the shape command.. If I type the command, the device would notify me that there is no such command.. My version is 8.0(2),PS. Police command is working fine...
View 5 Replies
View Related
Dec 29, 2011
Me to a 2951 router with fireawall featureset. Ive begun to move the ACLs that where in the pix. However some of the rules are allowed to be typed in bur when i look at the ACL afterwards they are not what i typed in.
View 2 Replies
View Related
Nov 11, 2011
In Cisco ASA Firewall 5510 does the feature content filter come built in?
View 1 Replies
View Related
Jan 19, 2012
At this moment (firmware 1.0.3.5) the router has no IPv6 firewall and therefore when used in a typical dual stack IPv4/IPv6 network it has no protection regarding IPv6 traffic. Hopefully this will be fixed with a firmware update before the World IPv6 Day on the 6th of June 2012.
View 1 Replies
View Related
Jun 26, 2012
In Cisco ASA Firewall 5510 does the feature content filter come built in?
View 3 Replies
View Related
Oct 9, 2011
I have an ASR1001 installed and I want to implement the firewall feature set.The current license level is IPbase and I have the firewall feature installed. The firewall feature shows acive, Not in use. I have tried to activate it without success. My question is: do I need to get a license for advipservices or adventerprise to activate the firewall feature set?
View 5 Replies
View Related
Feb 10, 2013
I am trying to use the built in feature of Cisco ASA 5510 smart call home feature with the purpose of automatic backup creation by email. I found the configuration [URL]. I already configured the said instructions but when I send a test email it says it cannot contact the email server. Below is the error that I am getting from our ASA. I am new to firewall.
OGI-MNL-ASA-FW0# call-home test profile ASA_Config_Backup
INFO: Sending test message to fcaccam@example.com...
ERROR: Connecting to SMTP server xxx.xx.xxx.xx failed: CONNECT_FAILED(33)
ERROR: Failed: CONNECT_FAILED(33)
View 1 Replies
View Related