Cisco Firewall :: Can Traffic Shape To 200Mbps On ASA5510
May 30, 2012
I have ASA5510. It's include security plus license.I want to traffic shape to 200Mbps. But , I checked a CCO.CCO said that a shaping limit is 154400000. "Enables traffic shaping, where the average rate argument sets the average rate of traffic in bits per second over a given fixed time period, between 64000 and 154400000. "It's mean shaping limit 154400000 ?Can I shape to 200Mbps ?
View 2 Replies
ADVERTISEMENT
Jun 25, 2012
I have a asa 5510 with 8.x software and I want to reserve (i mean RESERVE not PRIORITIZE) traffic based on protocol, like if I have a 10Mbit I want to :
- give 3 Mb for smtp
- give 5 Mb to http/s whatever
- 2 Mb for other stuff.
Of course QOS won't do that, can you do that with ASA?
View 1 Replies
View Related
Dec 21, 2011
Recently I want to apply traffic shape on my ASA5520, but after entering the configure mode of policy-map, I couldnot find the shape command.. If I type the command, the device would notify me that there is no such command.. My version is 8.0(2),PS. Police command is working fine...
View 5 Replies
View Related
Apr 21, 2012
what are the values of Bc and Be?interface fast 0/0 traffic-shape group 101 500000
View 11 Replies
View Related
Mar 8, 2012
I have a Cisco 2821 with ios Version 12.4(21). On that router I have a WAN link that is 550mbit dual. The interface is 1000FD so i need to shape my output traffic to max 550mbit - otherwise my ISP policing is dropping the traffic.
I've looked at this document url... and i'm trying to use this interface command:traffic-shape rate
But the router wont accept rate value 550000000 that should be 550mbit in bits/s
Is it not possible to shape the traffic to 550mbit on the 2821 router?
View 10 Replies
View Related
May 1, 2012
I have configured policies to shape the traffic on the interface of cisco 7206 router. Now my managemet wants to configure these policies on time based ie policy should be applicable during specified time period onle. Is it possible? if yes how to configure it?
View 11 Replies
View Related
Sep 18, 2011
My device has 3 interfaces configured: inside, outside, DMZ. Right now I can access the DMZ from the Internet and I can access the DMZ from the LAN using an exempt nat statement. I am having a few issues setting up DMZ > LAN access however. The servers running on the DMZ need to send information to my LAN such as syslog traffic for example. Will DMZ traffic be NATed or should this somehow be excluded? Bascially all LAN devices should get to the DMZ devices by their actual IP and vice versa. Are there any special statements I need to add to the ASA such as nat or ACLs to make this work? My LAN is 10.10.6.0/24 and DMZ is 192.168.254.0/24.
View 1 Replies
View Related
Sep 2, 2012
I have just set up a Cisco ASA 5510. It basically only contains the settings provided in the startup wizard. It however does not let through traffic from the internal interface to wan 2 (wan 1 is not connected yet but traffic should also be able to go there).
View 2 Replies
View Related
Apr 9, 2012
I would like to connect a second ISP link to our ASA 5510 to solely serve http traffic from our organization's employees (ie. web surfing). We currently have all employee traffic and two site-to-site VPN tunnels connecting to the internet from this firewall. I want to keep the tunnels as currently configured on the existing connection and split out http/https traffic from our staff onto a less costly link.
View 1 Replies
View Related
Nov 7, 2012
I have an ASA5510 with 8.3 and a Cisco PIX525 (retiring). The ASA was for VPN traffic only while the PIX was for all other Internet traffic. I'm trying to move all the traffic to the ASA5510 so I used the PIX to ASA migration tool. I migrated the PIX rules over to the ASA5510, however we can't receive email and there is no external access to our internal websites. But the VPN connections remain intact and internal users can get out to the internet.
When I run Packet Tracer on my outside (incoming rules) the packets are dropped at the inside interface. What am I missing?
View 1 Replies
View Related
Mar 1, 2011
I ' m not able to configure the asa 5510 to allow the multicast traffic to pass through ASA.The multicast traffic have to pass from inside interface to outside interface.Can I configure the multicast traffic to pass through asa with a static nat ?
View 1 Replies
View Related
Dec 15, 2011
I am having an ASA5510 with a CSC-SSM-10 module. I am able to block http traffic through the ASA but cannot block https traffic through it. Need to block https traffic using the CSC module.
View 19 Replies
View Related
Oct 10, 2011
I've been trying to figure this one out for quite a while. I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones). I have not been able to get any traffic between the interfaces. With the current setup it was not a major problem. With the new setup it will be a major problem.
Below is a sanitized version of the config.
ASA Version 8.2(1)
!
hostname BOB
[Code].....
View 11 Replies
View Related
Jul 8, 2012
Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
I tried a packet tracer trace with no luck: SiteB- Firewall# packet-tracer input outside tcp 11.2.2.36 12345 65.19.0.0 25.
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
[code]...
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to some successful testing to prove otherwise.
View 19 Replies
View Related
Feb 13, 2011
I am using ASA5510 and i want to know if it is possible to redirect http traffic to an internal proxy software. I explain : PC from the LAN use a internal proxy in their IE browser but some other PC doesn't use it.They are directy connected to the Internet using the Public IP from the WAN interface ( via NAT). Can we redirected this HTTP Traffic from the WAN interface to the Proxy in the LAN ?
Http Traffic will be routed like that : PC -> WAN interface -> Proxy -> WAN interface -> Internet In fact,can we create a rule saying : All http traffic which doesn"t come from the IP Proxy must be redirected toward proxy.
View 6 Replies
View Related
Jul 9, 2012
Tried setting up a Shape Policy and it states its invalid. Worked fine on my 5520, just curious to know why its coming as invalid now
ciscoasa(config-pmap-c)# shape
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)# shape ?
ERROR: % Unrecognized command
View 11 Replies
View Related
Jun 6, 2012
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies
View Related
Apr 17, 2013
Although this is not a common issue, we have experienced occasions where our internet utilization has been maxed out (slowing everyone else down). Utilizing some features in the ASA, such as Top Usage Stats, along with PRTG monitoring, have always tracked the culprit down to being a single user -- be it someone downloading movies to a portable device, or downloading ISO's. (And for some strange reason it seems to always be a wireless user.) We are using an ASA 5510 for our firewall, and I was wondering if its possible to prevent a single client from consuming a disproportionally large percentage of our internet bandwidth? If the ASA 5510 doesn't have the ability to do this on it's own, are there any recommendations for add-on solutions?
View 1 Replies
View Related
Jul 4, 2011
ASA5510 configuration, I would like to know if it is possible (and how) to forward traffic received on WAN port of the first ASA to the server in LAN on the other side of VPN tunnel:
Internet (IP 85.128.50.x) – ASA5510 (192.168.1.x) – VPN tunnel – ASA5510 – LAN (172.16.71.x)
I need to have IP 85.128.50.50 redirected to 172.16.71.15 through VPN?
View 1 Replies
View Related
Sep 12, 2012
I currently have a site to site VPN running connecting a branch office and the Main office using a ASA5510 and ASA 5505. currently PC's at the branch can access the network in the main office using interface 0/1, but we have added another ip range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside 192.168.10.1 which works, and have added 0/2 as Inside2 192.168.20.1. I know I am forgetting something, any commands to route incoming VPN traffic so PC's at the branch office can connect to both IP ranges?
View 14 Replies
View Related
Oct 1, 2011
We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a wierd problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our Data center.
I was surprised that I could RDP into the server, as well as telnet any other port exposed on this server from the client site. Now as I write this i realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether i need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults i would have to override using that method.
View 5 Replies
View Related
May 2, 2013
We have many VPN tunnels back to our corporate office. All of these tunnels are very slow (same with our client VPN's). Our main firewall device at the corporate office is an ASA5510. We have a 100 Mb/sec Metro Ethernet internet connection here. We do not allow split-tunneling.
Our remote sites vary. We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down). The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.
To take an example. On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms. And I'm pinging back through another 100 Mb/sec connection. If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100. Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue.
Right now, all my MTU's are just set to the default 1500. Perhaps this is too high. I used this site to check my max: [URL]
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows: Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300) Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444) Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)
So, do I just need to set my MTU values to the appropriate amounts? I have tried changing the value, but I don't see any change in speed/performance. But I also don't know if I need to reboot the firewalls after changing the MTU. I know with Catalyst switches, you have to reload. But I didn't see any messages about needing to reboot on the ASA's/PIX's.
View 10 Replies
View Related
Mar 10, 2011
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies
View Related
Nov 27, 2012
I am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is applied to outside interface (called internet in my case) for incoming traffic
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped
View 3 Replies
View Related
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
View 2 Replies
View Related
Mar 20, 2011
I am quite new to WCS and preparing a demo for a client. I am also using WLC2125 with LAP1252s for this setup. Is it possible to modify the shape of the heatmaps of the APs? I know how to regulate TX power of the radios and all works great but how can I controll RF leakage outside the perimiter of the building? Is it possible to controll the RF so that it will not be going outside and same time giving a good coverage inside?
View 1 Replies
View Related
Jan 3, 2010
I am working at a client site that is an MPLS customer. The customer has an MPLS circuit that runs between their Main HQ and their Disaster Recovery site. I have been asked to analyze and report as well on the way the Qos Policy is written, and to provide any recommendations on how they can improve performance.There is a statement within the Qos Policy as it exists at each end on the 3825 routers. The statement is called "shape average percent". Here is the policy from one side:
policy-map QoS
class COS2_traffic
set dscp af31
shape average percent 12
bandwidth percent 13
[code]....
What does this statement mean and how is it different than the the "bandwidth percent" statement?
View 2 Replies
View Related
May 15, 2013
We currently "need" to shape certain services very specifically....we curently do this via routers for CE's (881's etc) i.e. 10Mb service, we need:
-class class-default
-shape average 9800000 40000 0
Some of our clients want to run firewalls as CE's that are unable to shape to this degree, so we are wanting to put an inexpensive switch in front of their CE to do the shaping for them(L2 - either per-port or per-vlan)...the ME3400 looks ok, but is quite expensive.
View 6 Replies
View Related
Jun 11, 2012
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
View 7 Replies
View Related
Jun 29, 2011
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
View 7 Replies
View Related
Sep 10, 2012
i have a ASA5510 in the office, that already configured 3 context, namely, admin, user, server.in the server context, the last running config was not saved, and there was a power trip last friday night. 1 of the sub interface was affected, and i need to recreate that interface.I am getting the below error, it only allow me to do changes those pre-defined interface.how to I create extra sub interface?
View 3 Replies
View Related
Jul 21, 2011
I have a ASA5510 and I have a question about the speed the ports can handle, here is one port:
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.
View 2 Replies
View Related
Feb 22, 2012
i have cisco ASA 5510 Firewall using in my network, i have planning to upgrade the Flash memory from 256 mb to 512 mb and the RAM from 256 mb to 1GB.
View 1 Replies
View Related