Cisco Firewall :: Can Traffic Shape To 200Mbps On ASA5510

May 30, 2012

I have an ASA5510. It includes the Security Plus license. I want to traffic shape to 200Mbps. But I checked CCO, and CCO said that the shaping limit is 154400000: "Enables traffic shaping, where the average rate argument sets the average rate of traffic in bits per second over a given fixed time period, between 64000 and 154400000." Does it mean the shaping limit is 154400000? Can I shape to 200Mbps?

View 2 Replies



Cisco WAN :: Traffic Shape Per Policy (ASA5510 With 8.x Software)

Jun 25, 2012

I have an ASA 5510 with 8.x software and I want to reserve (I mean RESERVE, not PRIORITIZE) traffic based on protocol. For example, if I have 10Mbit I want to:

- give 3 Mb for smtp
- give 5 Mb to http/s whatever
- 2 Mb for other stuff.

Of course QOS won't do that, can you do that with ASA?

View 1 Replies View Related

Cisco Firewall :: ASA5520 8.0(2) Does Not Have Traffic Shape Feature

Dec 21, 2011

Recently I want to apply traffic shape on my ASA5520, but after entering the configure mode of policy-map, I could not find the shape command. If I type the command, the device notifies me that there is no such command. My version is 8.0(2). PS: the police command is working fine...

View 5 Replies View Related

Traffic Shape Group 101 500000

Apr 21, 2012

What are the values of Bc and Be?

interface fast 0/0
 traffic-shape group 101 500000

View 11 Replies View Related

Cisco WAN :: Shape Output Traffic 2821

Mar 8, 2012

I have a Cisco 2821 with IOS version 12.4(21). On that router I have a WAN link that is 550mbit dual. The interface is 1000FD so I need to shape my output traffic to max 550mbit - otherwise my ISP policing is dropping the traffic.

I've looked at this document url... and I'm trying to use this interface command: traffic-shape rate

But the router won't accept rate value 550000000 that should be 550mbit in bits/s
 
Is it not possible to shape the traffic to 550mbit on the 2821 router?

View 10 Replies View Related

Cisco WAN :: Configured Policies To Shape Traffic On Interface Of 7206 Router?

May 1, 2012

I have configured policies to shape the traffic on the interface of a Cisco 7206 router. Now my management wants to configure these policies on a time basis, i.e. the policy should be applicable during a specified time period only. Is it possible? If yes, how do I configure it?

View 11 Replies View Related

Cisco Firewall :: ASA5510 Allow Traffic From DMZ To LAN

Sep 18, 2011

My device has 3 interfaces configured: inside, outside, DMZ. Right now I can access the DMZ from the Internet and I can access the DMZ from the LAN using an exempt nat statement. I am having a few issues setting up DMZ > LAN access however. The servers running on the DMZ need to send information to my LAN such as syslog traffic for example. Will DMZ traffic be NATed or should this somehow be excluded? Basically all LAN devices should get to the DMZ devices by their actual IP and vice versa. Are there any special statements I need to add to the ASA such as nat or ACLs to make this work? My LAN is 10.10.6.0/24 and DMZ is 192.168.254.0/24.

View 1 Replies View Related

Cisco Firewall :: ASA5510 Not Routing Traffic To Internet

Sep 2, 2012

I have just set up a Cisco ASA 5510. It basically only contains the settings provided in the startup wizard. It however does not let through traffic from the internal interface to wan 2 (wan 1 is not connected yet but traffic should also be able to go there).

View 2 Replies View Related

Cisco Firewall :: ASA5510 - Separate Traffic By Protocol

Apr 9, 2012

I would like to connect a second ISP link to our ASA 5510 to solely serve http traffic from our organization's employees (ie. web surfing). We currently have all employee traffic and two site-to-site VPN tunnels connecting to the internet from this firewall. I want to keep the tunnels as currently configured on the existing connection and split out http/https traffic from our staff onto a less costly link.

View 1 Replies View Related

Cisco Firewall :: ASA5510 / Inbound Traffic Being Blocked

Nov 7, 2012

I have an ASA5510 with 8.3 and a Cisco PIX525 (retiring). The ASA was for VPN traffic only while the PIX was for all other Internet traffic. I'm trying to move all the traffic to the ASA5510 so I used the PIX to ASA migration tool. I migrated the PIX rules over to the ASA5510, however we can't receive email and there is no external access to our internal websites. But the VPN connections remain intact and internal users can get out to the internet.
 
When I run Packet Tracer on my outside (incoming rules) the packets are dropped at the inside interface. What am I missing?

View 1 Replies View Related

Cisco Firewall :: Allowing Multicast Traffic To Pass Through ASA5510

Mar 1, 2011

I'm not able to configure the ASA 5510 to allow multicast traffic to pass through the ASA. The multicast traffic has to pass from the inside interface to the outside interface. Can I configure the multicast traffic to pass through the ASA with a static NAT?

View 1 Replies View Related

Cisco Firewall :: ASA5510 / Block HTTPS Traffic In CSC Module?

Dec 15, 2011

I am having an ASA5510 with a CSC-SSM-10 module. I am able to block http traffic through the ASA but cannot block https traffic through it. Need to block https traffic using the CSC module.

View 19 Replies View Related

Cisco Firewall :: ASA5510 - Traffic Between Multiple Inside Interfaces

Oct 10, 2011

I've been trying to figure this one out for quite a while.  I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones).  I have not been able to get any traffic between the interfaces.  With the current setup it was not a major problem.  With the new setup it will be a major problem.
 
Below is a sanitized version of the config.

ASA Version 8.2(1)
!
hostname BOB

[Code].....

View 11 Replies View Related

Cisco Firewall :: ASA5510 SMTP Traffic - Host Unreachable

Jul 8, 2012

Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
 
I tried a packet tracer trace with no luck:

SiteB- Firewall# packet-tracer input outside tcp 11.2.2.36 12345 65.19.0.0 25
 
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 [code]...
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to do some successful testing to prove otherwise.

View 19 Replies View Related

Cisco Firewall :: ASA5510 - Redirect HTTP Traffic To Internal Proxy?

Feb 13, 2011

I am using an ASA5510 and I want to know if it is possible to redirect HTTP traffic to internal proxy software. To explain: PCs on the LAN use an internal proxy in their IE browser, but some other PCs don't use it. They are directly connected to the Internet using the public IP from the WAN interface (via NAT). Can we redirect this HTTP traffic from the WAN interface to the proxy in the LAN?

HTTP traffic would be routed like this: PC -> WAN interface -> Proxy -> WAN interface -> Internet. In fact, can we create a rule saying: all HTTP traffic which doesn't come from the proxy IP must be redirected toward the proxy?

View 6 Replies View Related

Cisco Firewall :: 5520 - ASA 8.6.1 Shape Command Invalid

Jul 9, 2012

Tried setting up a Shape Policy and it states it's invalid. Worked fine on my 5520, just curious to know why it's coming as invalid now

ciscoasa(config-pmap-c)# shape
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)# shape ?
ERROR: % Unrecognized command

View 11 Replies View Related

Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found differences related to ports and redundancy. My question is: is there any major difference in security services between the two models?

View 3 Replies View Related

Cisco WAN :: Throttling Traffic Through ASA5510

Apr 17, 2013

Although this is not a common issue, we have experienced occasions where our internet utilization has been maxed out (slowing everyone else down). Utilizing some features in the ASA, such as Top Usage Stats, along with PRTG monitoring, we have always tracked the culprit down to being a single user -- be it someone downloading movies to a portable device, or downloading ISOs. (And for some strange reason it seems to always be a wireless user.) We are using an ASA 5510 for our firewall, and I was wondering if it's possible to prevent a single client from consuming a disproportionately large percentage of our internet bandwidth? If the ASA 5510 doesn't have the ability to do this on its own, are there any recommendations for add-on solutions?

View 1 Replies View Related

Cisco WAN :: ASA5510 - Forward IP Traffic Through VPN?

Jul 4, 2011

ASA5510 configuration, I would like to know if it is possible (and how) to forward traffic received on WAN port of the first ASA to the server in LAN on the other side of VPN tunnel:
 
Internet (IP 85.128.50.x) – ASA5510 (192.168.1.x) – VPN tunnel – ASA5510 – LAN (172.16.71.x)
 
I need to have IP 85.128.50.50 redirected to 172.16.71.15 through VPN?

View 1 Replies View Related

Cisco VPN :: ASA5510 Can't Seem To Route Traffic To Both Interfaces

Sep 12, 2012

I currently have a site-to-site VPN running, connecting a branch office and the main office using an ASA5510 and ASA 5505. Currently PCs at the branch can access the network in the main office using interface 0/1, but we have added another IP range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside 192.168.10.1 which works, and have added 0/2 as Inside2 192.168.20.1. I know I am forgetting something, any commands to route incoming VPN traffic so PCs at the branch office can connect to both IP ranges?

View 14 Replies View Related

Cisco VPN :: Tunnel Between ASA5510 And Pix Router Allows All Traffic?

Oct 1, 2011

We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
 
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a weird problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our data center.

I was surprised that I could RDP into the server, as well as telnet to any other port exposed on this server from the client site. Now as I write this I realize that I did not check whether any of our other data center servers can be reached via the tunnel.....

Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether I need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.

I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults I would have to override using that method.

View 5 Replies View Related

Cisco VPN :: ASA5510 - Slow Traffic On IPSec Tunnels

May 2, 2013

We have many VPN tunnels back to our corporate office.  All of these tunnels are very slow (same with our client VPN's).  Our main firewall device at the corporate office is an ASA5510.  We have a 100 Mb/sec Metro Ethernet internet connection here.  We do not allow split-tunneling.

Our remote sites vary.  We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down).  The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.

To take an example.  On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms.  And I'm pinging back through another 100 Mb/sec connection.  If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100.  Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue. 

Right now, all my MTU's are just set to the default 1500.  Perhaps this is too high.  I used this site to check my max: [URL]
 
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows:

- Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300)
- Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444)
- Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)

So, do I just need to set my MTU values to the appropriate amounts?  I have tried changing the value, but I don't see any change in speed/performance.  But I also don't know if I need to reboot the firewalls after changing the MTU.  I know with Catalyst switches, you have to reload.  But I didn't see any messages about needing to reboot on the ASA's/PIX's.

View 10 Replies View Related

Cisco Firewall :: ASA5550 - Implement Traffic Shaping / Policing Primarily For P2P Traffic?

Mar 10, 2011

We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of P2P inspection if the traffic is tunneled via port 80, is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all? Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.

View 1 Replies View Related

Cisco Firewall :: Traffic Limit For Internet Traffic Using ASA 8.2

Nov 27, 2012

I am testing bandwidth limiting using my ASA 8.2. I am trying to limit internet access for certain users, in order to save bandwidth for the important things, but I can't get any limitation.

My configuration is the following. The access list is just for my PC in order to test, and the service policy is applied to the outside interface (called Internet in my case) for incoming traffic.

access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any
class-map Internet-class-TEST
 match access-list Internet_mpc_1
policy-map Internet-policy-web
 class Internet-class-TEST
  police output 1024000 1500
service-policy Internet-policy-web interface Internet

With show service policy I can't see any activity on the policy, but if I do a similar configuration for inside interface outgoing traffic I can see packets allowed and dropped.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic From DMZ To Internet And Block Traffic?

Apr 29, 2012

I have an ASA 5520 with the below config
 
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
 
I have an SMTP relay deployed on the DMZ for mailing. I also have a mail server installed in the internal LAN.

I want to allow traffic from the DMZ to reach the internal LAN, and I normally also want to allow the SMTP relay from the DMZ to reach the Internet.

How can I block traffic from the DMZ from reaching the internal LAN (instead of SMTP) if, to allow traffic from the DMZ to the Internet, I must put ANY in the policy?

For allowing traffic from the DMZ to reach the Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean the DMZ can implicitly reach the internal LAN?

View 2 Replies View Related

Cisco :: WLC 2125 Modify Heatmap Shape

Mar 20, 2011

I am quite new to WCS and preparing a demo for a client. I am also using WLC2125 with LAP1252s for this setup. Is it possible to modify the shape of the heatmaps of the APs? I know how to regulate TX power of the radios and all works great, but how can I control RF leakage outside the perimeter of the building? Is it possible to control the RF so that it will not be going outside and at the same time giving good coverage inside?

View 1 Replies View Related

Cisco WAN :: 3825 - What Does Shape Average Percent Mean In QoS Policy

Jan 3, 2010

I am working at a client site that is an MPLS customer. The customer has an MPLS circuit that runs between their Main HQ and their Disaster Recovery site. I have been asked to analyze and report as well on the way the QoS policy is written, and to provide any recommendations on how they can improve performance. There is a statement within the QoS policy as it exists at each end on the 3825 routers. The statement is called "shape average percent". Here is the policy from one side:
 
policy-map QoS
class COS2_traffic
set dscp af31
shape average percent 12
bandwidth percent 13

[code]....

What does this statement mean and how is it different than the the "bandwidth percent" statement?

View 2 Replies View Related

Cisco Switching/Routing :: Inexpensive 881 Switch That Can Shape?

May 15, 2013

We currently "need" to shape certain services very specifically....we currently do this via routers for CE's (881's etc) i.e. 10Mb service, we need:
 
-class class-default
-shape average 9800000 40000 0
 
Some of our clients want to run firewalls as CE's that are unable to shape to this degree, so we are wanting to put an inexpensive switch in front of their CE to do the shaping for them (L2 - either per-port or per-vlan)...the ME3400 looks ok, but is quite expensive.

View 6 Replies View Related

Cisco Firewall :: ASA5510 - Unable To Ping From User Desktop To Firewall Inside IP

Jun 11, 2012

I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to  FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
 
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:

[Code].....

View 7 Replies View Related

Cisco Firewall :: ASA5510 Secondary Firewall Crashes After Upgrade To 8.4.1

Jun 29, 2011

I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
 
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump. Is there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?

View 7 Replies View Related

Cisco Firewall :: ASA5510 Firewall Transparent Mode

Sep 10, 2012

I have an ASA5510 in the office that is already configured with 3 contexts, namely admin, user and server. In the server context, the last running config was not saved, and there was a power trip last Friday night. One of the sub-interfaces was affected, and I need to recreate that interface. I am getting the below error; it only allows me to make changes to the pre-defined interfaces. How do I create an extra sub-interface?

View 3 Replies View Related

Cisco Firewall :: ASA5510 Firewall Interface Speed

Jul 21, 2011

I have an ASA5510 and I have a question about the speed the ports can handle. Here is one port:
 
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
 
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.

View 2 Replies View Related

Cisco Firewall :: Memory Upgrade Of ASA5510 Firewall

Feb 22, 2012

I have a Cisco ASA 5510 firewall in use in my network. I am planning to upgrade the flash memory from 256 MB to 512 MB and the RAM from 256 MB to 1 GB.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved