Cisco Firewall :: Can't Create Subinterface On ASA 5505?
Jul 11, 2012
I have a Cisco 5505 with a security plus license and but I can’t seem to create sub interfaces on it.
ASA1(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)4Device Manager Version 6.0(3)
Compiled on Wed 03-Feb-10 14:17 by buildersSystem image file is “disk0:/asa822-4-k8.bin”Config file at boot was “startup-config”
ASA1 up 1 day 18 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHzInternal ATA Compact Flash, 128MBBIOS Flash Firmware Hub @ 0xffe00000, 1024KB
[code]....
View 3 Replies
ADVERTISEMENT
Oct 31, 2012
I have a circuit that will be delivered to a client next week and we are installing an ASA 5585x for them. They will have a circuit coming in with a few VLANs configured on it. One VLAN for the Internet and one for connectivity to another client.
So does the ASA allow you to create the "outside" interface on a subinterface?
View 2 Replies
View Related
Jul 24, 2012
on my Active/Stanby ASA5505 has Sec+ License(trial), I can't create more then 3 nameif interface however,
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited 17 days
Failover : Active/Standby 17 days
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled 17 days
AnyConnect Premium Peers : 2 perpetual
View 5 Replies
View Related
Jun 12, 2013
I have a production ASA 5505 that is working perfectly. I wanted to take a spare ASA 5505 and copy the running config to it so that I would have a backup unit that could be swapped out if the production unit went down.
Both units have security plus and running 8.2(1). The only difference is that the production ASA has 512MB of RAM while the backup ASA has 256MB. Also the backup has anyconnect and the production unit does not.
I copied the running-config to my tftp server and then copied the running config from my tftp server to the backup ASA as startup-config. After reload the device booted with an identical configuration to my production ASA, but after swapping out the units to test it, I have no access to the WAN or DMZ from my LAN. Swapping back to the production unit and all works as it should.
I printed out the running config from both devices and compared them line by line. They are identical except for the anyconnect line on the backup ASAs config file.
View 5 Replies
View Related
May 17, 2011
I have a customer an exisiting 5505 which connects to multiple sites for a site-to-site VPN. This firewall was not installed by myself originally I have just been asked to take a look now.The situation is that we now need to edit one of the existing site-to-site VPNs to include the remote sites expanded network. I have tried doing this through the ASDM and have found that I cannot add new network objects. I have tried creating a new network object group and then added the new networks from there but I am completely unable to add the new objects.I believe a picture tells a thousand words in this case so I have attached some images which show the problem. I have also tried going through the VPN wizard, this also does not allow me to add new network objects.
View 2 Replies
View Related
Nov 7, 2011
trying to configure our ASA 5505 (hence my request for the ASDM). However, I can go CLI if push comes to shove.
What I'm trying to do is allow a range of IP addresses on the inside interface (those which the DHCP server is doling out IPs which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.
I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.
I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks 2) Deny any traffic to anywhere (which is superceded by rule 1, yes?)
To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supercede both implicit rules?
View 1 Replies
View Related
Mar 20, 2012
I just upgraded my firewall to ASA 5505. Now, my original static ip address cofiguration is gone. Apperantly, Cisco went away from static ip address to something like nat (inside,outside) dynamic interface. how to create a static ip address under version 8.4? By the way, I am sharing what my configuration used to look before upgrading.
!
hostname cisco-asa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
[code].....
View 7 Replies
View Related
Apr 19, 2012
I'm trying via the ASDM to port forward http connections to a DVR for the purpose of viewing IP cams.I've tried via ASDM to create a public server but I'm not allowed to use my public IP address for the public Interface.I have only one public IP address available.Is there any way round this ? I would also like to know how I can enable NAT with PAT.I've tried setting the outside Interface for use with PAT but It keeps reverting to the setting for a range of external addresses.I'm not really used to the ASA cli yet , I'm getting there.If there's a workaround via the CLI , I'll take that route.
View 4 Replies
View Related
Mar 6, 2012
Just started using our ASA 5505 v8.2 (1) Trying to configure the ASA appliance to allow access into an internal resource (i.e want to be able to RDP into a system behind the ASA from the internet).I have used a static NAT:
static (inside,outside) 100.100.100.2 192.168.1.28 netmask 255.255.255.255
access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq 3389
When I view the logs it is reporting the following:Inbound TCP connection denied from 206.100.100.1 (external IP) to 100.100.100.2 /3389 flags SYN on interface outside.Been pulling my hair out with this one as I believe I have everything configured correctly.
View 5 Replies
View Related
Nov 28, 2010
My asa5505 frequency restart and create a crash-infor file.
View 3 Replies
View Related
Jan 31, 2013
I am in a non-admin context mode in ASA 5520 8.0 (5) and i m trying to add a new interface
GigabitEthernet1/2.4 172.19.4.1 255.255.254.0 manualGigabitEthernet1/2.6 172.19.6.1 255.255.255.0 CONFIGGigabitEthernet1/2.180 172.19.180.1 255.255.252.0 manualGigabitEthernet1/2.190 172.19.190.1 255.255.254.0 manualgvadc-fw/tgf# conf tgvadc-fw/tgf(config)# int ggvadc-fw/tgf(config)# int gigabitEthernet 1/2?
configure mode commands/options:1/2.180 1/2.190 1/2.4 1/2.6gvadc-fw/tgf(config)# int gigabitEthernet 1/2.168 ?ERROR: % Unrecognized commandgvadc-fw/tgf(config)#
what do i do?
View 2 Replies
View Related
Oct 23, 2011
On our ASA5520 we have three subinterfaces configured on our Gi0/1. Is it possible to configure a DHCP Server on one of these subinterfaces?
View 4 Replies
View Related
Apr 5, 2012
I'm trying to set up an 802.1 q trunk between my layer 3 switch and ASA5520. I understand I need to create a subinterface to accomplish this and have done so. However, the subinterface does not respond to pings, and when I attempt to run the packet tracer on the firewall itself, I get a message saying Flow is denied by configured rule. But the strange thing is it shows the output interface as "np identity ifc":
(The VLAN in question is VLAN2 192.168.2.3 is the VLAN2 address on the switch). The ASA config is as follows:
ASA Version 8.2(5) <context>
hostname context2
names
!
interface GigabitEthernet0/0.2
nameif Inside0/0.2
[Code] ....
View 3 Replies
View Related
Apr 23, 2013
I am having an issue where I can't get to external network sources via my sub interface which is attached to a 192.168.10.X VLAN I created to for Guest wireless traffic. The internal interface is a 10.5.X.X network. I can get out the external interface, but anything that we have A records for such as our mobile iron server that we can hit from the outside via https and an external IP can't be hit from the subinterface at all. Would this be a DNS rewrite issue or inspection problem?
View 3 Replies
View Related
May 27, 2011
I have two cisco ASA 5505 devices and two cisco switches plugged to ASAs in each office. I need to create a VPN tunnel between two offices.
-Network behind the ASA1 in office1 is 192.168.1.0/24 with DHCP server – 192.168.1.10
-Networks behind the ASA2 in office2 are 192.168.5.0/25; 192.168.5.128/26 and 192.168.5.192/26
All computers in office2 need to get IPs from DHCP server 192.168.1.10. I have switch in office2 with 3 VLANS and I can assign computers from different subnets to different VLANs.How can I archive this goal? Should I assign 3 IPs for ASA2 inside interface (192.168.5.1, ...5.129, ...5.193) as a default gateways for each subnet? Should I put dhcp helper address 192.168.1.10 on the switch for each VLAN?
View 4 Replies
View Related
Feb 21, 2013
we have a cisco asa 5505 and it working great .i want to create web server that only selected public ip address can access.
View 3 Replies
View Related
May 8, 2012
I have a newly aquired asa 5505 that I just set up to the bare minimum configurations. I followed a cisco paper on how to create a "remote access vpn" setup for ipsec. I can sucessfully connect and establish a VPN, but when I try to access an inside resource from the vpn address, the asa blocks it.
Specific error is: Code...
View 17 Replies
View Related
Apr 19, 2012
I have a 7200 router with a 12.2.(46a) IOS and I am trying to activate Netflow on a subinterface. From the documentation of Cisco, I should be able to do it since the ios 12.2.(14)S but the command is unavailable.
[URL]
I have tried also to enter the command in the subinterface directly but it doesn't recognize it.
View 2 Replies
View Related
Feb 7, 2013
I have an 861 that we are using for a test network and need to add static igmp addresses for multicast. We are using the router as a router on a stick with subinterfaces on the WAN link. I've looked everywhere to see how to add the static igmp addresses.
interface FastEthernet4
no ip address
no ip route-cache cef
[Code]....
View 0 Replies
View Related
Oct 10, 2011
I am currently working on a 1941w router. The problem that I am having is that I am unable to ping the switch that is directly connected to it and I am unable to ping from the switch to the router. If I take the address off of vlan 1 and move it to gi0/0.1 the pings work, but then client traffic on the wireless ap inside the 1941w fails.
Here is the releveant config off of the 1941w
version 15.0
no service pad
service timestamps debug datetime msec localtime show-timezone
[Code].....
View 3 Replies
View Related
Nov 19, 2012
Currently I want to add a second lan (vlan) in a customers network. The new network will be for a wireless infrastructure.There is also VPN Configured on the ASA - One with L2TP for Windows Clients and an IPsec for Cisco Clients.Former we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.Now I want to use the Eth0/2 with subinterfaces, so that we will be flexible for future, when deploying more vlans.But now, when i turn the first subinterface Eth0/2.2 to no-shut the VPN Connections does not work any more.Bulding up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this, because tracert to an internal adress goes to the internet)Below there is my config, i don't know whats wrong. I think split-tunnel is configured correctly (because it works when i delete eth0/2.2) TREV is the network of this location.Company1,2,3 are remote locations.
: Saved
:
ASA Version 8.2(5)
!
hostname XXXXXXX
domain-name domain.lan
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
[code]....
View 3 Replies
View Related
Nov 5, 2012
We have an environment where we terminate our DSL customers over PPPoE on a 7606-S MPLS PE router with RSP720. The PPPoE sessions are terminated on a GIG V2 interface of a SIP-400. Currently the IOS running on the device is c7600rsp72043_rp-ADVIPSERVICESK9-M, Version 12.2(33)SRD. The following is the current configuration used.
bba-group pppoe 7virtual-template 7
interface GigabitEthernet2/1/3.142647 accessencapsulation dot1Q 14 second-dot1q 2647pppoe enable group 7
interface Virtual-Template7 ip vrf forwarding TESTip address 10.10.10.1 255.255.255.252
In the above scenario everything works well.
However we had to upgrade the router IOS to 15.2(4)S Advance IPServicesk9 to support 4-byte ASN. After the upgrading we observed certain commands used to terminate PPPoE on the sub-interfaces not available on 15.2(4)S , although PPPoE on Gig and Ethernet with QinQ support is listed under 15.2S feature set.
View 1 Replies
View Related
Feb 26, 2013
I am suggesting an ASR1001 as a head end router for a small hub spoke WAN consisting of 4 branch sites connecting to the head via LES. 3 are 100mb, one is 30 mb. I will be connecting the LES circuits to a swithc and then trunking to the router. I would like to apply outbound shaping to these 4 subinterfaces on the router, and just want to check this is supported?
View 1 Replies
View Related
Jun 28, 2011
We have 2.5 Mbps connection from an ISP at our branch routers (1800 series)with single physical link terminated on FE0 but have two subinterfaces with separate subnets.
I have applied the following policy-map outbount under physical Interface FastEthernet 0. Show poliocymap output is as follows
Policy Map QoS-OUT
Class Email
priority 512 (kbps)
Class SQL
priority 512 (kbps)
Class File-Copy
police cir 1024000 bc 32000
conform-action transmit
exceed-action drop
Class CCTV
police cir 384000 bc 12000
conform-action transmit
exceed-action drop
But it seems that sometimes( not all the time ) the CCTV traffic seems to exceed the 384k and chokes the entire link(2.5 mbps).
View 4 Replies
View Related
Feb 29, 2012
I want to create a Dual DMZ in a ASA5510 however it is not like I used to in ASA5505?In ASA5505 I create a Outside, Inside and DMZ VLAN and there after add the interfaces into the VLAN.This way I can have two DMZ interfaces, but how do I do it in a ASA5510?
View 1 Replies
View Related
Oct 25, 2011
I need to be able to create vlans in my ASA 5510.
I can'T find anywhere to do this.
I've tried the "routers command" I know, like vlan databse and it does'nt work
Is there a way to "enable" vlan on a ASA 5510 ?
View 3 Replies
View Related
Feb 25, 2013
User want to create on 5 network , 100.x , 200.x , 210.x , 250.x , 220.x .at the ASA5510, no enough port for 5 network.So I want to create 4 vlans on eth 0/3. I can create vlan but i cannot run this command " switchport mode trunk" " "switchport trunk allowed vlan list" how can be done for that?
Actually i want to use like thisASA5510-----4 vlans on eth 0/3------switch----vlan200,vlan210,vlan250,vlan220.
View 1 Replies
View Related
Sep 8, 2012
I need to configure a subinterface eg g0/0.1 and g0/0.2 with a untagged VLAN for each subinterface on a Cisco 2821.
View 5 Replies
View Related
Dec 7, 2011
I need very Urgent Time based Bandwidth limit on subinterface in Cisco 3845 Router.At Present 3Mb input/output rate-limit of our one of the client now they need between 9:00 to 20:59 3 Mb and between 21:00 to 8:59 they need 9 Mb bandwidth, please see current b/w limit config of our client in my router subinterface.
interface GigabitEthernet0/1.12
description *** xyz ***
encapsulation dot1Q 12
ip address 10.11.12.13 255.255.255.248
rate-limit input 3072000 576000 1152000 conform-action transmit exceed-action drop
rate-limit output 3072000 576000 1152000 conform-action transmit exceed-action drop
Now how can i achive of my requrement to time based b/w limit.
View 5 Replies
View Related
Mar 17, 2011
I´m trying to configure a subinterface named Inside with vlan 1 but the interface stops work with this vlan.My switch is a Cisco and use the lan with vlan 1 too.If I change de vlan for other i.e vlan13 works fine. And all others vlans works fine too.Is there a problem to use the vlan 1?
My configuration is:
Cisco ASA:
interface gig0/3
no ip address
no security
no nameif
Interface gig0/3.1
vlan 1
nameif Inside
Securirity-level 100
ip address 10.x.y.x 255.255.224.0
The giga port of the swtich is configure to trunk model.
View 2 Replies
View Related
Mar 23, 2013
May I know the reason why we cannot create interface vlan on Cisco ASA 5510?
View 2 Replies
View Related
Sep 20, 2012
How to configure our ASA to nat our to internetconnections, at the moment the first work fine,
ISP1 NAT
ASA5510 LAN
ISP2 NAT
View 1 Replies
View Related
Sep 8, 2010
Successfully creating a port-forward in ASA5510, ASA version 8.3(1) ASDM6.3(1)?I have spend hours now trying, but I'm still unsuccessful.What I want is a simple: "if this particular ip-adress hits the wan interface on this tcp-port redirect to this inside ip-address on this tcp-port.I have never had any trouble on any other firewall creating something like this, but the ASA is killing me.
View 10 Replies
View Related
