Cisco Firewall :: Cannot Use FTP Passive / Active Of ASA5505

Sep 12, 2011

Users cannot download some files from a FTP in a software over VPN Explanation users work with a program and inside the program they download claim (the software goes to the FTP and download the file)
 
But the program returns an error 3018 in FTPGET. If the user goes to the old PPTP VPN it works like a charm  so the problem is the Cisco VPN.
  
I cannot post my complete config but we use the filter vpn value to associate a special access-list to a user.
 
The user that has this problem has this as an access-list.
 
access-list 201 extended ip permit 10.250.128.0 255.255.255.0 192.168.202.0 255.255.255.0
 
I've made some research and i've added this info
 
policy-map global_policy
class inspection_default
Inspection ftp
 
Still doesn't work. 
 
I have to  add that normally the internal network is 2.0 and not 202.0 but since we have user with 2.0 at home we had to do this.
 
So when a user sends a request to 202. the cisco fowards it to the Juniper inside the network and it translate it back to 2.0 Also that is the ONLY thing that doesn't work.  The client can work all day on that program and it will work #1 exept when she does the claims
 
I am also been working on this VPN for 2-3 months without any problems.

View 3 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5510 Active / Passive Failed

Jan 12, 2012

i have a problem with a Failover Pair of 5510. The Boxes run with the software version 8.2.5.
 
If the Active ASA goes down, the Standby ASA switch to Active.
 
If i switch on the old Active ASA, both ASA are Active. This problem don't solved with the command 'no failover active' on the Standby box. This problem only solved with the command 'no failover' and then 'failover' on the Standby box.

View 4 Replies View Related

Cisco Firewall :: ASA5505 For Passive FTP?

Apr 18, 2012

setting up ASA to allow passive FTP connection! I can get the FTP client to connect but it does not pull the directories. I have opened 21 and range of 55536-55566. I had some trouble gettting the range opened and saved. Normally with other small business routers (GUI) I make sure those ports are forwarded and ftp works.
 
Is the ftp inspection killing connection or is it my config?
 
ASA Version 8.4(2)
!
hostname ciscoasa
enable password vRLm0eRL2O14iLM6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

[Code].....

View 3 Replies View Related

Cisco Firewall :: ASA 5520 Needed To Be Configured In HA Active / Passive

May 24, 2011

I have the following Setup, Two Cisco ASA 5520 needed to be  configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Interface Reconfiguration In Active / Passive Failover

Dec 20, 2011

Currently l have two ASA 5520's in a active/passive failover scenario.  Currently the interfaces for the inside and outside are fixed at 100/FULL.I want to repatch them into GigE ports setup as Auto Negotiate.Is there anyway of keeping the connections through the firewall active in this type of scenrio or will l have downtime disconnecting and repatching?  or could l possibly disable failover and reconfigure each ?

View 6 Replies View Related

Cisco :: What Is Active / Passive Port-channel

Feb 7, 2013

what is active/passive port-channel..? and how it will do load balancing when my network traffic is flowing on both the ports.

View 5 Replies View Related

Cisco WAN :: 5520 - Active / Passive ASA With Redundant ISP Connections

Apr 25, 2012

Currently we are using a single connection to our ISP and in the coming months will be moving to a two seperate connections (to same ISP). In our current setup we utilize active/passive ASA's (5520, single context) and would like to utilize that going forward as well, the reason being is our DMZ's all hang off of these ASA's and we have fiber connectivity between our datacenters.Our main datacenter and DR Datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently with both terminating in our ASA's. That way if the ASA at our current site fails the DMZ's are still accessible via the secondary firewall at our DR facility.

View 1 Replies View Related

Cisco Application :: ACE 4710 - Active / Passive Failover?

Nov 14, 2012

We have an ACE 4710 that has two web servers in an active/passive scenario.  The issue is that if node 1 fails and node 2 takes over connections to node 2 stay active even if node 1 becomes available again.  Is there are way to ensure that node one is not placed back into service if it becomes available again.
 
how active/passive failover shoudl be configured, so I can make sure I have it set up correctly;

View 5 Replies View Related

Cisco WAN :: 2921 - Network Design With BGP And Active / Passive ASA's

Mar 1, 2012

The following diagram is showing what I "Plan" on doing or "Hope" I can do. This is the most complicated deployment I have taken on in my profession, and Honestly it is very exciting, but had some questions.
 
1. The network between the ASA's and Routers, is that suppose to be a Private network or Public Network? I have to assume Public because I want my ASA's to take care of the NAT.
 
2. ASA's are runing single context Active/Standby so what way will the ASA push out going traffic?
 
3. The routers need to know about each other in a BGP configuration, correct? We accomplish this using iBGP so will that traffic need to be allowed through my firewall to allow the routers to share that information, or should these routers be talking to each other outside the firewalls?
 
Is this design possible? I am sure there are limitations as always, just trying to wrap my head around the flow of traffic and where to start.
 
Additional Details/Requirements -
 
BGP routers are 2921's that I have control of. Both routers have 4 port GigEtherswitches in them.
 
ASA's are Active/Passive and cannot be Active/Active due the limitations of the Active/Active Design (VPN limitations)
 
Both ISP's must be used for outbound traffic, I would like to be able to load balance, but can send some traffic one way and the rest of the traffic the other way based on Routes.
 
ISP's are not Symentrical, one is 50mbps and the other is 250mbps.
 
All NAT should take place at the ASA's
   
Additional Questions:
 
The routers that have gig etherswitches, can they run HSRP?
 
Should I be putting Layer 3 switches between the routers and the ASA's instead?
 
Where should I run my iBGP communication for the routers?

View 8 Replies View Related

Cisco Firewall :: ASA5505 Vlan1 Down Active Workstations

Feb 26, 2012

I have an ASA5505 where vlan1 (inside) and all associated ports (e0/1 - e0/7) are down.  Workstations on vlan 1 are online and working.  Vlan2 (outside) is up and running normally.  I tried to shut/no shut on the vlan.  I also rebooted the firewall.  No change.  Why vlan1 is down??  I've attached some config info and some troubleshooting.

View 5 Replies View Related

Cisco VPN :: 5512x Anyconnect Ssl Licensing For ASA Active / Passive Pair

Aug 7, 2012

I am purchasing 2 5512x ASAs to be configured as an Active/Passive pair as a VPN device. Do I need to purchase anyconnect licenses for both devices?

View 2 Replies View Related

Cisco Security :: Adding 3 Node ASA5510 / Active / Passive Cluster

Jul 25, 2012

we operate an active/passive cluster with 2 ASA5510 in Routed Mode. Is it possible to add another node, so that we have one active and two standby nodes in the cluster? Unfortunately, I have found no documentation on this .... The data sheet say only up to 10 nodes can be mentioned as a VPN load balancing cluster.

View 1 Replies View Related

Cisco Firewall :: ASA 5520s From Active / Standby To Active / Active

Jul 17, 2012

I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.

View 6 Replies View Related

Cisco Firewall :: ASA 5585X Active / Active Failover Group Inter Routing

Mar 20, 2012

I am looking at deploying a pair of 5585X's in an active/active multiple context state.  I am creating Mulitple contexts that need to be able to route to each other.  I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts, i beleive this will work as basically i am just cascadng the contexts and sharing interfaces.
 
The main problem i have come across, is that if i deploy active/active across two appliances using 2 failover groups i can not see a way to route between them, for example. 
 
I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2  in failover group 1 on appliance A with the respective standbys on Appliance 2. I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.
 
I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover.  I do not beleive that I can share an interface between contexts in two separate failover groups and to be honest without adding a L3 device between the appliances i am not sure if this is possible.

View 9 Replies View Related

Cisco Firewall :: ASA 5510 Configuration Modifications In Active / Active Mode

Dec 17, 2012

I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA and make the config changes on the primary and then power on the secondary ASA ? Or this another way to do this?

View 3 Replies View Related

Cisco Firewall :: ASA5520 - Active / Active Failover In Multiple Security Contexts With Dual ISP?

Jun 1, 2011

I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?

View 1 Replies View Related

Cisco Firewall :: 5520 - ASA Active / Active Failover And IPS Failure

Mar 30, 2011

I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
 
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
 
IPS soft is 6.0(4) and ASA soft is 8.0(3)
 
I have checked cisco doc and it is confusing to me. it says:  "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..

View 2 Replies View Related

Cisco Firewall :: ASA5585-X Active / Active Failover Using Etherchannel?

Dec 27, 2011

its possible to set up active/active failover using etherchannel on 5585s? 

View 1 Replies View Related

Cisco Firewall :: Passive FTP With A 5505

Jan 4, 2012

I have a few remote locations that use a Cisco 5505 to connect to my server through a VPN Tunnel. When they establish a connection through the tunnel they use FTP with the PASV command and successfully send and receive data. No issues. The same remote locations will connect to external FTP sites without a VPN tunnel and attempt to use FTP with PASV and the connection fails after the PASV command is issued.Also, when these sites connect to my FTP server all their internal addresses are configured with a Dynamic HIDE NAT. They don't use this NAT rule when they connect to other FTP sites.

The question is why would an FTP connection through a VPN Tunnel work with PASV, but on a non-tunneled connection the Cisco 5505 blocks the connection.I would think that the connection should drop in both scenarios. What makes the VPN Tunnel connection special to prevent the connection drop?  (I just learned about the fixup protocol with the group policy change to resolve the problem. So I can resolve the issue. But I'm interested in knowing why there is a discrepancy.)I did ask our network team and they thought it was somewhat strange too.

View 1 Replies View Related

Cisco Firewall :: Allow Passive Ftp Communication In PIX 6.3(5)106?

Nov 11, 2012

How can I allow passive ftp communication in PIX 6.3(5)106.

View 5 Replies View Related

Cisco Firewall :: How To Configure ASA5520 For Active / Active

Mar 17, 2013

How to Configure ASA5520 for Active/Active

View 8 Replies View Related

Cisco WAN :: 5520 - Connect Router To Passive Firewall?

Jan 28, 2013

I had a design question, Currently we have a active/passive asa 5520 firewall setup. We have our edge router (3845), on which Gig 0/0 connects to the internet, Gig 0/1 connects to a port on the active firewall. We also have a one port fast ethernet card on the router.How can i use the fast ethernet port on the router to connect to the passive firewall, so that if the active firewall fails, there is internet connectivity through the fast ethernet port on the router.

View 3 Replies View Related

Cisco Firewall :: 6500 - Passive FTP Through 2 FWSM Contexts Via VRF Instance

Mar 26, 2012

I'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a vrf. All this is configured on a 6500 switch with the FWSM running 3.1(4)
 
CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER
 
At the moment we can make the control connection but when we issue commands the connection times out.
 
Looking at the logs we can see the initial connection made to the server on port 21 from the client, this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/Inspection, then on the second context we see the connection being denied by the incoming ACL on the second contexts interface connected to the VRF instance.
 
The rules are identical on the contexts and have been made by copying and paste the rule using CSM, we are using the predefined service group 'FTP-Group' which contains both tcp 20 & 21. FTP inspection is at default on both contexts.
 
We have tested with Win XP (capable of Active FTP only) & Firefox 3.6.12 which is the connections we are seeing in the logs trying to do Passive FTP.
 
Is this a problem with teh contexts randomizing sequence numbers or TCP Normalization? Or do we just have a problem with the Inspection engine on one of the contexts (I would have expected to see this on both contexts if it was a bug).

View 1 Replies View Related

Cisco Firewall :: Monitoring ASA 5505 Firewall Active / Standby Pair Using SNMP?

Sep 7, 2011

How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
 
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?

View 1 Replies View Related

Cisco Firewall :: Users Behind ASA5505 Firewall Are Unable To Access Internet

Feb 24, 2011

I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.

When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.

The ASA5505 configuration is shown below.

hostname Firewall

interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10

[Code].....

View 2 Replies View Related

Cisco Firewall :: ASA5505 Lose Configuration If Upgrade Firewall

May 17, 2011

i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.

View 2 Replies View Related

Cisco Firewall :: ASA5505 Can't Ping New Firewall On Inside Interface

Jul 14, 2011

I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.

View 32 Replies View Related

Cisco Firewall :: Unable To Ping Internet IPs From ASA5505 Firewall

Jan 9, 2013

Internet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2  -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
 
1.  Internet  is connected to Juniper Ge0/0/0  via /30 IP.
 
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to  Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.

From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
 
Issue:

1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
 
Troubleshooting Done so far.
 
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3.  Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **

View 2 Replies View Related

Cisco Firewall :: ASA5505 Firewall Rule Not Blocking

Apr 1, 2013

I'm trying to troubleshoot an ASA5505.
 
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
 
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic.  I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did.  That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
 
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below.  However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
  
show ver 
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2) 
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"

[Code].....

View 4 Replies View Related

Cisco Switching/Routing :: 6509 Series Switches Support VSS Active-Active Chassis

Feb 7, 2012

The 6509 Series Switches support the scenario VSS Active-Active Chassis, I would like to setup both switch's as one virtual switch but working at the same time, not with Active - Stand By Chassis.
 
My plans it to create PortChannel accross both Switches 6509 in order to have 2 links one connected to one slot/switch and the other connected to slot/switch in the second 6509 for servers redundancy.

View 1 Replies View Related

Cisco Switching/Routing :: ASR1000 - Dual ISP Active / Active Connection On Single Router

Jun 10, 2012

I am working on a network which has two ISP connections (Active/Active) terminating on router (ASR1000). From the LAN side (6500 switch) all the traffic need to be route on ISP1 but some of the specific subnets like 10.250.0.0/16 need to be route on ISP2 connection.
 
I am planning to use PBR and NAT with route maps. any documents or refrences are provided.  
 
(access switches)---------(core switch)----------(routers)----------------(ISP1)
----------------------(ISP2) 

View 1 Replies View Related

Cisco WAN :: 4507 R - Active SUP Lost Connection And Standby Came Active

Apr 10, 2011

I faced one problem in our core switch 4507 R . Active sup lost connection and standby came active. We got lot of errors/alerts on console shown below. [Code] Also when I reloaded the switch with reload command only both sups got reloaded but I want to reload all the modules but reload command do not gives any options for that.

View 2 Replies View Related

Cisco VPN :: Active / Active ASA 5520 Remote VPN Access Limitations?

Sep 19, 2011

We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved