My customer had a spare ASA5510 bought a few years before with 5 x FE and security plus license with HA. Now they would like to buy a new ASA5510 to configure HA with the spare one, but now the ASA5510 comes with 2GE+3FE. Can the two FW work in HA?
View 4 RepliesI am looking into the possibility of using private vlan's for some dmz implementations however I do have what may be some very rudimentary questions. It seems straightforward how to configure the primary/secondary vlan configuration as well as associating them. However in my case I would be looking to configure the PVLAN on a 6500-vss platform acting as the router while all of the hosts which I would desire to have in the isolated vlan would be spread out across a number of older Cisco switches which only support "protected port" setup or Procurve switches all of which I do not have budget to replace with something newer. So in my scenario I would have a 6500 connected by trunk to multiple switches which only support a protected port setup such as a Procurve (top of rack) or a Cisco 2950. As the Procurve or 2950 would not support Private VLAN setup, do I then just configure the secondary vlan to be allowed across the trunk from the 6500, configure that vlan on the Procurve or 2950 (as vtp will not foward the info for the secondary vlan) and assign that vlan to the host port as well as setting it as a protected port and this will communicate just fine across the trunk to the router as well as stopping the protected port in top of rack switch 1 from being able to communicate to a protected port in top of rack 2,3,etc? If the above scenario is what needs to be done, do I just use a regular trunk or do I have to use a PVLAN trunk?
View 2 Replies View RelatedTrying to set up a stateful failover with two. asa5510
Here is what I have so far, tell me if this looks right. The ip address are set to 0.0.0.0 only for this discussion.
Config Primary Firewall:
config t
interface management 0/0 ip address 0.0.0.0 255.255.255.252 standby 0.0.0.0
interface eth 0/0
[Code].....
I have an ASA5510 and I would like to implement something like this: have two ports patched in and ready but only one active, the other one in standby (when the first one goes down the other port comes up and all the traffic goes down this way), all these on one physical box. So, it's basically like port failover on the same box.
View 1 Replies View RelatedI have a pair of ASA5510 currently running as a failover pair. For some reason we need to move one of the firewall to another site, is there any best practice on splitting up the failover pair then I can re-configure the secondary unit offline?
I'm thinking to power down the secondary unit, unplug it from the network totally then erase the configuration on the secondary unit on console so I can re-configure it. For the primary unit, I will disable the faiolver config by "no failover" on the primary unit. Is that necessarily all thing for splitting up the failover cluster?
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB(code)
I have just finished setting up two ASA5510s in Active/Standby Staeful failover, using the Management interface for both failover and state. Everything appears to be working well.Configurations were transferred and the "sh failover" on both accurately reports their status before and after a failing the active device.I monitored the inside IP with a continuous ping (using a Windows client) and noticed that there were usually two to three ping responses lost. Is this normal?
View 1 Replies View RelatedDo I correctly understand that when two ASA 5510 are in fail over pair, the switchover from primary to secondary if one interface of primary goes down shall happen ONLY if failover link is up? So when the fail over link is down and one interface on primary got down also, interface tests between the two ASAs still are being done , but secondary SHALL NEVER try to become active.
In this case why to make tests on data interfaces ? What is the reason to make them? If the knowledge of that some interfaces of primary became down comes through failover link - no need to make additional interface tests - primary will tell about the failure to secondary. If so should run no monitor-interface if name command to dis load devices and network by foolish tests?
I am a single ASA-5510 with CSC module.I want to pair it for active/standby mode for failover .... can it be done if second ASA doesn't have the module? Can I assume the in case of a failover, the traffic won't be checked, and primary does in case CSC module fails?
View 2 Replies View RelatedHow to configure ASA failover for 8.4.
View 1 Replies View RelatedI have 2 ASA5510-SSL50-K9, can I configure HA Failover ?
View 7 Replies View Relatedconfigure the firewall Cisco ASA5510 in HA Mode.Enclosed Network diagram.
View 14 Replies View Relatedhow can I configure policy NAT on ASA5510. I would like to do the following;
9.1.1.9 NAT to 10.1.1.9
If source IP = 1.1.1.1
then NAT to = 10.2.2.9
the rest NAT to = 10.1.1.9
The issue is I want 1.1.1.1 NAT to 10.2.2.9 when access www.example.com. The rest NAT to current NAT.
I am using a fiber optic connection. I want to connect it directly to ASA5510. A WLC2504 will be connected to ASA and one Aironet AP will be deployed at first. (At this moment I am not using any Windows server but in near future I will need to deploy Windows Server 2003 in my corporate network) My questions are:
Can I configure ASA as DHCP server for my LAN?
Can I configure WLC as DHCP server for my LAN?
If we can configure both then what is the best practice from above two options? (I am new to Cisco stuff and first time user)
How to configure a Cisco 857 on adsl for kingston comms in Hull United kingdom.it has a dynamic peer.we cannot get connectivity with the adsl (NO PPP Light) .Kingston have proved that the adsl is active on the phoneline.
View 2 Replies View RelatedI have setup ASA5510 in failover mode. I am planning to use this setup for clientless SSL VPN and have following questions.
1. Do I have to license both firewalls for SSL VPNs? These licenses are very expensive and why would I have to purchase it for secondary when I am not using it?
2. SSL vertificate for the firewall it self. Do I have to acquire one or two to ensure users don't get annoying message about self signed certificate? Cisco doesn't seem to have this discussion in any documents. However I found following URL discussing from somebody's experience. What's official statement from Cisco on this matter? [URL]
i am wanting to open up snmp on a pix 501 6.3 version. I am planning on doing it with the following configuration: [code]
I noticed you cannot specify RO on the snmp-server command with the older pix. I don't want this configuration to open up any write access to the pix. Is there a way to specify only read only for snmp
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies View Relatedhow to configure VPN connection with failover on cisco Router 1841?
View 5 Replies View RelatedI need to configure the ACS 5.1 to meet the following requirement :-
1. ACS 5.1 will point to a RSA SecurID as the first authentication mechanism for the validation of user credential
2. In the event that RSA SecurID is not reachable, the ACS 5.1 shall point to its local user database.
I had no problem configuring for Point (1), but I am not able to let it failover to the local user database.
We have purchased a couple of Cisco 891 routers - both are running IOS 15.0(1) M5 licensed with advanced IP services (default). The literature for these devices on Cisco's website claims they support IPsec stateful failover on advanced IP services.
Our intention is to configure them with HSRP and IPsec stateful failover to provide a highly-available default gateway and VPN end-point.
I have configured HSRP and that seems to work fine. My problem is that I cannot configure IPsec stateful failover. The documentation that I have found implies that I need to configure inter-device redundancy on a particular HSRP group and use the physical IP addresses on the interfaces within that group to allow stateful failover communication between the routers however the routers do not recognise the 'redundancy' command in config mode...
e.g.
(config)# redundancy inter-device
^
% Invalid input detected at '^' marker.
official or unofficial (official more preferable) guide about upgrading IOS from 8.2 to 8.4 on ASA 5520 model?
View 1 Replies View RelatedOur company is in the process of replacing our old firewall with a Cisco ASA since our old firewall can handle only 170 concurrent users and we are expanding fast. Can I know what are the considerations when selecting from the different models of ASA currently we are debating if we should buy a 5510 or a 5520 also can I know if cisco ASA also have a limitations on concurrent users online in a lan like our old firewall. By the way we are a Call Center company(going 500 seats) so we are using VOIP(Asterisk using SIP and IAX).
View 1 Replies View RelatedI need to configure two links (active and failover) on router 2911. Do I need DATA LICENSE to configure this with static router and route-map?
View 4 Replies View RelatedI have a ASA5510 actve/standby and create one site to site VPN with remote peer ip address xx.xx.xx.xx, Our VPN traffic running on 6 mb internet link for video conferancing traffic.Now client give another link 2 mb internet and client told to us our data traffic runnig on 2 mb link but this data traffic running on the same remote peer IP xx.xx.xx.xx.Secondly request also they need failover over the ISP link.how we implement the same on ASA 5510.
View 0 Replies View RelatedMy customer is looking for cisco firewall which is equivalent to Fortigate 310B.
View 2 Replies View Relatedconfigure a router 1812 as failover, I walk with fixed ip internet link in Fe0 (need to determine the mac) and a dynamic ip link in FE1, other ports with a single vlan dhcp 172.20.16.1
I managed to do DHCP, connect to internet, to make nat vlan. But I could not do failover and load balance neither.
I was handed a firewall ASA 5520 but without external flash, I want to confirm that the ASA at least boot from rommon mode boot must have the external flash connected? I connected to power and I connect it by the console port it did not show any boot.Additionally I can confirm it is possible that you can connect a flash of a previous ASA model, say a 5510?
View 4 Replies View RelatedI currently have an ASA5510 with 2 interfaces (outside and Inside) running remote VPN for clients and L2L VPN for a couple of sites. I have traffic entering the inside interface, matching interesting traffic, being wrapped up in IKE / IPSEC and sent out via the outside interface. All straightforward so far.Now I have a new VPN which is required to go over another interface and not the outside. The traffic comes in to the inside interface as normal and should be matched via ACL, encrypted and sent out th e new interface however the traffic is simply sent out of the outside interface and doesn't get any IKE headers. If I reconfigure the interface to be be the outside it does at least match the ACL, wrap it up nicely in IKE and try to get to get to the remote peer.My questions are why does this behaviour occur and why isnt the traffic marked interesting and sent out the new interface.I don't have any issues creating a new VPN if I want it to go external, I just add the required information to the outside_map but i need the traffic to be encrypted and sent over another interface. I not a huge fan of the GUI for this but I've tried both CLI and GUI with the same results.
View 2 Replies View RelatedWe have a main office and 4 remote offices (only showing 1 remote office in the diagram). We are using GRE over IPSec VPNs to the remote offices which terminate on the 2811 router in the main office. We are using the 2811 as it is the only device that we have that can terminate GRE. The 2811 router is connected to the outside switch and is configured with a public IP address. We also have a ASA5510 in the main office which is connected in the same manner and is used for Web, e-mail traffic etc.Both the main office and remote offices have a 10Mbps Internet connection.
We have an issue with voice quality between sites as we are finding it difficult to control bandwidth utilization in the main office. When users in the main office download web content it can saturate the 10Mbps Internet connection causing voice quality issues. We have configured outbound shaping on the branch routers to make sure that aggregate inbound traffic from all branches to the main office does not saturate the link but we cannot control traffic from the Internet.I understand that controlling inbound traffic from the Internet is difficult without controlling QoS on the ISPs side. Is there any way that can reserve inbound bandwidth to ensure that web traffic does not impact voice? Also in this design, which is the best place to configure outbound QoS from the main office?
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
View 1 Replies View RelatedCan I associate the non-root bridge model 1310 to the root bridge model 1400? Is there any problems on the configuration I need to be aware of?
View 7 Replies View RelatedI am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?