Cisco Firewall :: ASA 5510 - Sometimes Boots And LED On Ports Comes On
May 9, 2011
Our Cisco ASA 5510 sometimes boots and sometimes does not. Sometimes the LEDs on the ports come back on if it boots, and sometimes not. What parameters should be checked to rectify the problem?
We have set up a new IP camera system, and as per our vendor, to access the cameras from outside we need to open TCP ports in the firewall and forward them to our camera server.
Let's say our public IP address is 207.114.111.22 and our local IP address for the camera is 11.11.1.30. We have a Cisco ASA 5510.
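The port forward described in the post above, written out as an added example (it is not configuration from the original thread). It assumes the ASA's outside interface itself holds 207.114.111.22, that the inside interface is named "inside", and, since the post does not say which ports the vendor needs, uses TCP 80 (web UI) and TCP 554 (RTSP) as placeholders. Both the pre-8.3 and the 8.3+ NAT syntax are shown because the post does not state the ASA version:

```cisco
! Added example, not from the original post. Placeholders: vendor ports
! TCP 80 and TCP 554; ACL name outside_access_in.

! ---- ASA 8.2 and earlier: static PAT on the outside interface address ----
static (inside,outside) tcp interface 80 11.11.1.30 80 netmask 255.255.255.255
static (inside,outside) tcp interface 554 11.11.1.30 554 netmask 255.255.255.255
! On 8.2 the inbound ACL matches the translated (public) address.
access-list outside_access_in extended permit tcp any interface outside eq 80
access-list outside_access_in extended permit tcp any interface outside eq 554
access-group outside_access_in in interface outside

! ---- ASA 8.3 and later: object NAT; the ACL matches the real (inside) address ----
object network CAMERA_SERVER_80
 host 11.11.1.30
 nat (inside,outside) static interface service tcp 80 80
object network CAMERA_SERVER_554
 host 11.11.1.30
 nat (inside,outside) static interface service tcp 554 554
access-list outside_access_in extended permit tcp any host 11.11.1.30 eq 80
access-list outside_access_in extended permit tcp any host 11.11.1.30 eq 554
access-group outside_access_in in interface outside

! Caveat: "any" exposes the camera server's web and RTSP services to the whole
! Internet. If the vendor or the remote viewers come from known addresses,
! replace "any" with that network, e.g. 203.0.113.0 255.255.255.0 (placeholder).

! Verify from the CLI (8.2 form shown; use the real address on 8.3+):
!   show xlate
!   packet-tracer input outside tcp 198.51.100.5 40000 207.114.111.22 554
```

Camera web interfaces are a frequent target, so the source restriction in the last ACL is the part worth keeping even if the rest is copied as-is; packet-tracer shows whether a packet is dropped by the ACL or for lack of a translation.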
I just finished implementing a VoIP install and I am trying to set up some softphones. In order to allow the softphones to work I need to open some specific ports for outbound. I am not a Cisco guy; I am a Windows administrator who also has to maintain my Cisco infrastructure.
I have a situation here with NATed IPs I configured. I expected to open some ports on the interface to allow certain traffic to pass through, yet some of them fail. Below is my current config.
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp destination eq https
[Code]....
The only ports opened are 443, www and 3389, while ports domain, 5061, 3478 and 3389 are not. How do I open the domain, 5061, 3478 and 3389 ports on my ASA?
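An added example (not the poster's config) of how a mixed tcp/udp service group of the kind shown above can carry all of the ports named in the post in one ACE. It assumes ASA 8.2 syntax, an inbound ACL named outside_access_in, a mapped public address 203.0.113.10 and an inside host 10.1.1.10, all placeholders:

```cisco
! Added example, not from the original post. Placeholders: 203.0.113.10
! (mapped public address), 10.1.1.10 (inside host), ACL outside_access_in.
! DNS needs both transports, STUN (3478) is UDP, SIP over TLS (5061) is TCP.
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp destination eq https
 service-object tcp destination eq www
 service-object tcp destination eq 3389
 service-object tcp destination eq domain
 service-object udp destination eq domain
 service-object tcp destination eq 5061
 service-object udp destination eq 3478
! One ACE references the whole group. On 8.2 the destination is the mapped
! (public) address; on 8.3+ it would be the real (inside) address instead.
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 203.0.113.10
access-group outside_access_in in interface outside
! Every port in the group still needs its own translation, tcp and udp
! separately; an ACE with no matching static is silently useless.
! Two of the entries are shown:
static (inside,outside) tcp 203.0.113.10 5061 10.1.1.10 5061 netmask 255.255.255.255
static (inside,outside) udp 203.0.113.10 3478 10.1.1.10 3478 netmask 255.255.255.255
! Check which ACE a packet hits and whether a translation exists for it:
!   show access-list outside_access_in
!   packet-tracer input outside udp 198.51.100.5 40000 203.0.113.10 3478
```

"show access-list" expands the group into its individual ACEs with hit counts, which is the quickest way to see whether a port is missing from the group or simply never reaches the ACL.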
I have inherited an ASA 5510 with a 4GE SSM module installed. The ASA runs fine, but I cannot use the 4GE SSM ports. Using ASDM or the console I can see and configure the GigabitEthernet1/x ports, but I cannot get traffic on them. A ping from the console to the IP address of GigabitEthernet1/0 is successful. On switches or hubs connected to those ports I cannot see the port's MAC address. The two Internal-Data0/0 and Internal-Data1/0 interfaces are down and I cannot get them up. How do I configure the 4GE SSM or the ASA internal-data ports?
Enabling traffic between interfaces on the ASA 5510. Of course I have an outside interface (E0/0) and an inside interface (E0/1) for normal operation. The idea was to enable one of the remaining interfaces on the 5510 to attach an internal network resource to, for management in case we lost our switch. I am using E0/0 as the outside interface and E0/1 as the inside interface. I want to attach a management device on the same inside network IP address range for simplicity. I have E0/2 configured with the same security level (100) as the other inside interface, and I have also enabled same-security-traffic permit inter-interface, but I still cannot access the device on that port. Is there something else I am missing? I guess the best way to explain this is that I want ports E0/2 and E0/3 to act like a "switch", so to say. The ASA 5505 lets you do this pretty easily, but I am having trouble on the 5510.
We have just acquired a Cisco Profile 42 video conferencing system and am required to open ports for SIP and H.323. Any pointers on how that can be achieved? I have a Cisco ASA 5510. Someone told me to open port 16384, but I need pointers on how to do it, because I already set an access list to any.
The config:
Internet -> ASA 5510 -> Switch -> Profile 42 and other devices
I have an issue on an ASA 5510 that I noticed today: when I am using the log viewer, all of the information recorded only shows the high-end source and destination ports. For example:
Source IP 10.10.4.69 Source Port 59886
Destination IP 8.8.8.8 Destination Port 59866
So what seems to be happening is that I am seeing only half of the connection in the log viewer: I see the side with the high-end ports and not the side with the ports the application uses. This example was done with a ping. All my services are working correctly and the client sending the ping gets the expected response; it just seems I have lost the logging display.
We have an ASA 5505. The 5505 comes with two default VLANs, 1 and 2, marked as inside and outside respectively. My query is: if I do not want to use VLANs on the 5505 and only want to use the Ethernet ports as pure physical layer 3 ports, is that possible? I.e. I want to assign a layer 3 IP address on eth0/0 and eth0/1 and make them the inside and outside interfaces rather than VLANs. Is it possible to do away with VLANs on the 5505, and will it work otherwise?
Is there a way to associate spare firewall ports with another port that is being used? For example, int gi0/2 is currently being used for my web DMZ. Its IP is 192.168.10.1. Is there a way for me to associate gi0/3 with the same layer 2 as gi0/2?
In my web DMZ I use 2 ACE 4710 proxies in FT mode. I used a layer 2 switch to connect the firewall and the proxies together.
I would like to eliminate this switch if possible and connect both 4710s (layer 2) directly to the firewall. If I could make gi0/2 - 4 part of the same VLAN, then I would be good to go.
We just got a new ASA 5510 (straight out of the box). I'm new to Cisco but feel we followed the directions. We connect to the management port and have our workstation set to get an IP via DHCP. A Cat5 cable is connected to the management port, that goes into a hub (tested to work), and a Cat5 cable is connected from the hub to the workstation (tested to work). Nothing else is connected. The workstation does not get an IP address (it assigns an APIPA address). Both the 5510 and the workstation have been rebooted. The workstation works otherwise. We have also connected both a crossover and a straight-through cable from the 5510 to the workstation. We have statically assigned an IP of 192.168.1.2 to the workstation and cannot ping the Cisco (192.168.1.1).
I'm setting up a second Exchange 2010 server at a DR location and have been experiencing some problems. The two sites are connected via a pair of ASA 5510s using a point-to-point VPN. I want to rule out any possible VPN issues that may be blocking ports, and wanted to see if there is an easy way to do this and simply allow all traffic without any restrictions between the two ASAs. I've attached the scrubbed configs here. Ewing is the primary site and DBSi is the DR site.
I'm finding some odd information on Cisco pages and non-Cisco pages alike. What is the correct syntax for specifying boot images on flash:/ of a switch? The difference is whether you need the "/" or not, and whether, after the ";", you need to specify flash again.
We have 55 of the 1841 routers here, and one of them always boots to ROMMON from a very cold (down 1 hour or more) start. The image on all 55 is c1841-ipbasek9-mz.124-24.T4.bin, on 32 MB Cisco-brand flash. Here's what's been done thus far:
In ROMMON changed the config register to 0x2102. Then 'reset', and the image boots fine. Changed config-reg to 0x2102. Saved config. Reload and the image boots fine again. Wait an hour or more and it boots to ROMMON.
Booted from ROMMON to usbflash0:. Formatted the CF, then copied over the .bin file. Changed to 0x2102 and saved. Reload and the image boots fine again. Wait an hour or more and it boots to ROMMON.
Swapped the CF with another unit. Again, works fine on reload, but shut down and restart an hour or more later and it boots to ROMMON.
Formatted this CF and copied over the image while in the router. Image boots fine. Wait an hour or more and it boots to ROMMON.
In each case of a very cold start the configuration register has reverted to 0x0 (which is why it boots to ROMMON). Tried dx mode with 0x8001. Nothing seen that is unusual to me, but I'm not an expert by any means. It doesn't seem to be a CF card problem, but it could be the connection to the CF card and then something behind that.
Here is the output of diagnostic boot mode:
Cisco 1841 (revision 7.0) with 116736K/14336K bytes of memory.
Processor board ID FTX1231W0JA
2 FastEthernet interfaces
2 Low-speed serial(sync/async) interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
I have a lightweight AP that boots into ROMMON. If I hold the reset button in for 10 seconds or so, it will boot into IOS and download the config from the controller, but it never registers. Then once I reboot it, it goes back to ROMMON unless I hold in the button again.
I have a client that is trying to use an ISP-hosted web filtering and content management gateway; the ISP wants to use an L2L IPsec VPN from the site to their gateway to control traffic. We got the tunnel up today with a test ACL for test client-side devices to go down the tunnel, but they are blocking all traffic that isn't being scanned. The problem is they are on an ASA 5510 with 8.2.2. You cannot add TCP ports into the nonat ACL; it errors out when you try to apply the nat (inside) 0 access-list nonat statement. We can define ports to go down the VPN in the interesting-traffic ACL without issue, but there is no way to send just the web ports down the VPN and allow other ports out the regular overflow interface NAT. I have been looking into 8.4 and seeing if it allows a policy NAT (twice NAT for the VPNs) to define a port on an IP range (i.e. nat (inside,outside) source static WEBINSPECT WEBINSPECT destination static any any) but define that as web ports only. I don't have a test ASA to use, but I'm guessing that the L2L VPN will be by IP only and I can't define a port to tunnel.
Internet connection fails when desktop boots? I have a Netgear wireless Internet router/modem. The Internet works fine via wireless for laptops, phones etc., until I boot up my desktop, which is connected via cable to the router; it then drops the Internet connection. The network still shows as active but local only. If I open a browser it tells me that it cannot resolve the DNS server. If I switch the desktop off and reconnect the laptop, it works. So it's not the laptop or the router; I have used a few different cables, all the same. I'm using XP on the desktop, a fairly fresh install with AVG antivirus and not much else on it, but I have had the Internet working since install, so it's some setting somewhere that has changed or needs setting up again.
I have just downloaded new software for the SGE2010P. I tried to do an upgrade on some switches, but the switches still boot with the old software. I have installed software 3.0.0.18 and boot 2.0.0.03. I downloaded software 3.0.1 from Cisco, put it on TFTP and started an upgrade via the switch web interface. I checked that the active image is set to 1, and started the upgrade. The switch downloaded the software from TFTP and reported that the process finished without errors. After the restart the switch has the 3.0.0.18 software again. I have tried the same on 4 different switches working in L3 and L2 mode, always with the same effect. Should I upgrade both images at the same time to get this to work?
I have noticed that the new firmware is located on image 2.
# show bootvar
Image  Filename  Version   Date                  Status
-----  --------  --------  --------------------  -----------
1      image-1   3.0.0.18  08-Nov-2009 16:21:37  Active
2      image-2   3.0.1.0   19-May-2011 13:05:53  Not active*
[Code] ...
So I tried to set the active image via console command:
# boot system image-2
and again:
# show bootvar
Image  Filename  Version   Date                  Status
-----  --------  --------  --------------------  -----------
1      image-1   3.0.0.18  08-Nov-2009 16:21:37  Active*
2      image-2   3.0.1.0   19-May-2011 13:05:53  Not active
"*" designates that the image was selected for the next boot
Finally I tried to set the active image to "2" using the console menu. I set it like this:
Active Image
============
Unit ID  Active Image  Active Image after Reset
=======  ============  ========================
1        Image 1       Image 2
and saved. [Code]
Where is the right place to set the active image to 2? Does the "active image" setting only select the firmware image the switch uses, or the configuration files too?
Base ethernet MAC Address: 00:0a:b7:07:35:80
Xmodem file system is available.
The system has been interrupted prior to initializing the flash filesystem. The following commands will initialize the flash filesystem, and finish loading the operating system software:
Got a long-lingering, year-long issue that has spanned about 8 supervisor cards and a complete chassis swap. The 6509 acts as an ITN in our facility. The active sup card, at random points of pipe usage, boots into ROMMON mode, seriously inhibiting our company. I'm able to swap the 2 fiber pairs that we had going into the active supervisor card into the secondary, and usually this works for another random amount of time; however, today it occurred within minutes of hooking up the fiber links. Sitting there for about 5 minutes, it booted into ROMMON. When this happens, I'm able to boot the sup card back to good status. Previous remedial actions, other than replacing sup cards/chassis, were checking the config register and making sure it was 0x2102. Previously it was not, and we corrected and reloaded and it took; we thought this would fix the problem, until today.
I was in the process of recovering a password on a Nexus 5548 switch when it finally got into the boot mode. I think I lost all my bootloader code. How do I get it back on the switch?
Indicate why my Ethernet ports are in suspended state for some reason; I need an indication of why this may be and what I can do to fix this issue. Configuration below. I have a 7010 which I'm using to connect to two 5510s. I have one vPC connecting the two 5510s to the 7010. I have a vPC domain configured between the 5510s, and no issues at all. My Nexus 7010 port-channel members are suspended for some reason.
I'm fairly new to networking and need to migrate an old core to a new core. I have a 6509-E switch on which I had an RMA on one of my Sup720 cards. After receiving the sup card I swapped my slave out with the new one, expecting it to boot into IOS. It booted into ROMmon. I tried to boot the image manually and it did the same thing. I also tried to boot from my flash and, again, it booted into ROMmon.
Question: if I configure and change the boot to boot from the image, it tells me I need to reset or power cycle first. Will this reset the entire switch? As this is production, I'd rather not.
I am at home now, but I can supply any logs/hardware model/configs tomorrow. I thought I would see if this is an easy fix.
I have to configure Active/Standby failover on my ASA 5510. I am wondering what I could do for the outside interface; I mean, actually the ASA1 outside interface is linked directly to our Internet router. So now, if I have to add ASA2 connecting to that router, I will need a switch between them. I already have a switch for the DMZ and LAN. The thing is that I will have to allow 3 switch ports to communicate with each other:
- 1 for ASA1 outside
- 1 for ASA2 outside
- 1 for the Internet router
How could I isolate these 3 ports so that they communicate alone? Should I use a VLAN for that? And if I use a VLAN, will this require any configuration change on my firewalls' (ASA1 and ASA2) outside interfaces? I am a bit lost with this; if I am correct, I will not have to do any "VLAN tagging" on the firewall itself?
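An added example (not the poster's config) of the arrangement asked about above: a dedicated layer-2 VLAN on the existing switch for the three outside-side ports, and the ASA side of an Active/Standby pair sharing it. Everything concrete is a placeholder: a Catalyst running IOS with spare ports Fa0/21-23, outside subnet 203.0.113.0/29 with the router at .1, and Ethernet0/3 on each ASA free to carry the failover link.

```cisco
! Added example, not from the original post. Placeholders: VLAN 99,
! Fa0/21-23, 203.0.113.0/29, 192.168.255.0/30, "FOVER".

! ---- switch: one dedicated VLAN, untagged access ports, nothing else in it ----
vlan 99
 name OUTSIDE-SEGMENT
interface range FastEthernet0/21 - 23
 description ASA1-outside / ASA2-outside / Internet-router
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
! Do not create an "interface Vlan99" with an IP address on the switch:
! keep the VLAN layer-2 only, so the switch itself is not reachable from the
! Internet-facing segment. Access ports are untagged, so the ASA outside
! interfaces need no VLAN subinterfaces or tagging.

! ---- ASA1 (primary): the outside interface keeps its normal config and gains a standby address ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface Ethernet0/3
 description LAN failover link (direct cable between the two ASAs)
failover
failover lan unit primary
failover lan interface FOVER Ethernet0/3
failover link FOVER Ethernet0/3
failover interface ip FOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Encrypt the failover traffic; the key is a placeholder.
failover key FailoverSharedSecret1

! ---- ASA2 (secondary): only the failover commands, with "secondary";
! ---- the rest of the configuration is then replicated from the primary.
failover lan unit secondary
failover lan interface FOVER Ethernet0/3
failover link FOVER Ethernet0/3
failover interface ip FOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key FailoverSharedSecret1
failover

! Verify:
!   show failover          (on either ASA: "Active" / "Standby Ready")
!   show vlan id 99        (on the switch: only the three ports should be listed)
```

The failover link carries configuration and connection state in clear unless a failover key is set, which is why it belongs on a direct cable (or its own VLAN) and gets a key; the outside VLAN should contain exactly the three ports listed in "show vlan id 99" and nothing else.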
There is a PIX firewall and it has this configured on it:
static (inside,outside) tcp interface 3389 192.168.1.250 3389 netmask 255.255.255.255 0 0
This line works OK for port 3389, but I want all TCP ports to be translated, not just 3389.
I have some problems with an ASA 5510 on version 7.0(6). My manager wants to keep this as a backup. I have tried lots of things, but users are still not able to access the Internet, nor can I ping anywhere. For example, when I ping 4.2.2.2 I don't get any reply. The running config is below for your reference:
I need to create a firewalled segment that not only separates hosts from the general population, but also from each other: the solitary confinement of firewalled segments. I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces, and 2) it's a waste of IP addresses. Is there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
I have an ASA 5510 firewall with a CSC module and the Security Plus license for the CSC module. Could you tell me how to configure my firewall to send emails to a particular mail ID when someone logs into the firewall or there are any virus attacks from outside?
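An added example (not the poster's config) of the ASA-side part of the question above: mailing the firewall's own login-related syslog messages to a mailbox. It covers only syslog generated by the ASA itself; virus detections by the CSC module are reported from the module's own management interface, not by these commands. The mail relay 10.1.1.25, the syslog host 10.1.1.30 and both e-mail addresses are placeholders.

```cisco
! Added example, not from the original post. Placeholders: 10.1.1.25 (SMTP
! relay), 10.1.1.30 (syslog host), asa@example.com, secops@example.com.
logging enable
logging timestamp
! Login-related message IDs: 605004 login denied, 605005 login permitted,
! 611101 user authentication succeeded, 611102 user authentication failed,
! 502103 user privilege level changed.
logging list ADMIN_LOGINS message 605004-605005
logging list ADMIN_LOGINS message 611101-611102
logging list ADMIN_LOGINS message 502103
smtp-server 10.1.1.25
logging from-address asa@example.com
! Recipient level set to informational so that the list, not the recipient
! level, decides what is mailed (the login messages are severity 6).
logging recipient-address secops@example.com level informational
logging mail ADMIN_LOGINS
! Mail is for alerting; keep the complete log on a syslog host as well.
logging host inside 10.1.1.30
logging trap informational
! Verify: "show logging" lists the mail and syslog destinations; then log in
! over SSH from another session and watch for message 605005 in the mailbox.
```

Mailing only a named list keeps the mailbox from being flooded by connection build/teardown messages while still catching every administrative login and failed authentication against the firewall.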
We were having a discussion of IOS firewall vs. ASA for smaller clients (fewer than 50 users), i.e. using the IOS firewall (ZBF or CBAC) versus an ASA 5505/5510. One of the arguments brought up for using the IOS firewall on the router is that a router will do IP SLA failover. I have configured a number of ISRs for this and I know it works well.