Cisco Firewall :: Catalyst 6509E / Migrating From FWSM To ASA Service Module (ASASM)?
Jun 6, 2013
I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.With that in mind, whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
We are in the process of migrating to the ASA service modules on both our 6509E switches from our current FWSM. We have used the Cisco conversion tool and applied that to the service module. When viewing the context in ASDM we are unable to view the object names in the right hand pane.
On the FWSM I would see the following under Network Objects:
Network Objects - JQ-Test - JQ-Test2 - JQ-Test3
Network Object Group + JQ Group - JQ-Test - JQ-Test2 - JQ-Test3
Now I have run the conversion tool and applied that to the ASA's I now get the following results.
Network Objects - 10.1.1.1 - 10.2.2.2 - 10.3.3.3
Network Object Group + JQ Group - 10.1.1.1 - 10.2.2.2 - 10.3.3.3
I am aware that the naming convention on the ASA's are different to the FWSM as you can no longer use the "name 1.1.1.1 JQ-Test1" format but I was hoping that the conversion tool would do this for me.
Is there any way I can get the names of the object back without having to script something that takes the old FWSM format and convert it into an ASA format?
My company has acquired a Catalyst 6513 with a FWSM module installed on it. I have been reading lot of documentation on [URL], but still have some problems configuring the FWSM:
The 6513 has 10 SVIs configured, each of them with an IP address. These 10 SVIs are binded to 10 VLANs which I need to secure. These SVIs are used for routing all the Inter-VLAN traffic inside the switch. The documentation says it is recommended to use just one SVIs for connecting the switch to the FWSM, although you can use more than one using the command "firewall multiple-vlan-interfaces". I don't want to use this command because it seems a pretty more difficult configuration, since you have to use policy routing after using this command (or that is, at least, what documentation says).
When I try to "send" to the FWSM more than one VLAN that are configured as SVIs on the switch I get this error message:
"No more than one svi is allowed, command rejected."
If I delete the IP address of those SVIs, then I can to "send" those SVIs to the switch with no problem at all. But I need the SVIs to have IP address configured, since they are needed for routing Inter-V LAN traffic.
So, the question is: how can I route all the inter-VLAN traffic using just one SVI on the switch? Should I use the FWSM for inter-VLAN traffic routing?
I'm doing some L2 cleanups across mutliple 6509E environments and I've found something consistent that I can't find in documentation. On all my pairs of 6509s where I have FWSMs bundled (6509-A has FWSM-1 is Slot 1 and 6509-B has FWSM-2 in Slot 1) I also have a port channel 305. Obviously when I do a "show run" or "show int desc" I don't see anything in slot one. It's a service module. But the port channel is referencing ports 1/1-6. And it's all in service/up. I was about to delete this as I thought it was some leftover config (TEST 6509s) until I went and saw the same things on our PROD 6509s. Is it cosmetic? Necessary? Can I delete it as part of my audit cleanup? Don't want to mess with it even in TEST without some information. Nothing on google that's clear and I can't find anything on CCO.
################################################################################# 6509-1#sho etherch 305 summ Flags: D - down P - bundled in port-channel I - stand-alone s - suspended H - Hot-standby (LACP only)
we have installed and implemented a FWSM on cisco catalyst 6509E and defined two virtual contexts.one of contexts work as datacenter firewall. initially it is configured to allow all traffic to datacenter VLAN. (permit any any) on test, it worked fine, except for one problem: all web services had degradation in performance, all server-client (non web) services worked very fine. additionally all https servies worked well.
Users connect to the web server bypassing the proxy, web services are expected to act just like other ones.
I want to migrate a Cat 6503-E VSS to Cat 6509E VSS. We plan to use the same supervisor that we have on the Cat6503E, for minimizing the configuration change on the Doing this, the vss link will need to be changed, due to the fact that the supervisor slot will change with the Cat 6509, slot 5 instead of 1.
Question: is there a way to just change the vsl-link interface on a existing VSS ?
I'm looking at upgrading our FWSM modules in our 6500's. They're the WS-SVC-FWM-1 modules.
We're running on version 3.2(12) at the moment and I'm looking to jump up to 4. Any recommendations around whether I should to go to 4.1(6) or 4.0(16)? There aren't any features in particular that I would need in 4.1 but want a good stable base to sit on for 12 months until I look at this exercise all over again.
I just got 2 Cat6504 Chassis and 2 ASASM pluged in them. show version from submodule ASA as follow:
SVC-APP-HW-3#show ver Cisco IOS Software, trifecta Software (trifecta-SP-M), Version 15.1(1)SY, RELEASE SOFTWARE (fc2)
[Code].....
I want to upgrade new OS for ASA to 8.5 (asa851-smp-k8.bin) but after copy this soft to the module, I can not "write" command or when I reload this box, everything was no changed. SVC-APP-HW-3#write startup-config file open failed (No such device)
Have spa module on 6509E experience that error: ! sh log | b crash SLOT 3: Aug 18 12:52:10 CST: %CARDMGR-2-ESF_DEV_ERROR: An error has occurred on Ingress ESF Engine: Control Store Parity Error SLOT 3: Aug 18 12:52:10 CST: %ESF_CRASHINFO-2-WRITING_CRASHINFO: Writing crashin fo to disk0:crashinfo.esf_20110818-175210 [Code]....
I have to upgrade two Cisco Catalyst 6509E from Catos to IOS. I would want to know the requirements hardware or software for upgrading. Which are the recommended images I must download? From cat6000-sup32pfc3k9.8-4-5 to the latest stable version of IOS, is it recomended to pass to another previously version before?
I have viewed the following links,[URL]but, it doesn`t mention anything about that. The image below is the result of the "show version" command of one of our Cisco Catalyst.
WS-C6509-E Software, Version NmpSW: 8.4(5) Copyright (c) 1995-2005 by Cisco Systems NMP S/W compiled on Aug 3 2005, 13:13:36
I have Catalyst 6509 E with redudant SUP720-3B (and MSFC3) running 12.2(18)SXF6 IP Services Lan Only IOS (this IOS requires 512MB DRAM and 64MB of flash) SUP has 512MB DRAM (458720K/65536K) and 512MB sup-bootdisk:, but, there is65536K bytes of Flash internal SIMM (Sector size 512K).
My question is can I put 12.2(33)SXJ3 IP Services Lan Only IOS to this 6500 because this IOS requires 512MB DRAM and 512MB od flash?This is "sh ver" and "dir all-filesystems" of my 6500:
cat6500#sh verCisco Internetwork Operating System Software IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF6, RELEASE SOFTWARE (fc1)Technical Support: [URL] Copyright (c) 1986-2006 by cisco Systems, Inc.Compiled Mon 18-Sep-06 23:59 by tinhuangImage text-base: 0x40101040, data-base: 0x42D90000 ROM: System Bo
I am having issues (nothing new there) I have a bad IOS on a switch module, and the config is set to boot to that IOS, and as such I get a nasty boot loop, I am trying to figure out how to get into rommon but all the documentation I can find for this just says go into rommon and never tells me how to get there on a switch module that thinks it has a good IOS. (The IOS is for our normal service module but this one is an odd-ball switch)
can I install and Cisco WAAS and Cisco Prime Network Analysis Module (NAM) together on a single Cisco Service-Ready Engine (SRE) 910 module? Or it can only run 1 of the software?
I have some confusion about some hardware components. I watched the video datasheet of cisco routers and switches. In cisco 2901 and 2911 models of routers there is service module . What is meant by service module. what does it do ? If we buy a new 6500 switch, what are the components we get bydefault. Is there any special configuraton to be done for 6500 . like Sup engine config etc. What is the difference between ASIC and Sup engine ? In which slots, we need to insert Supervisor Engine ? does it vary with the model . (6503, 6505, 6509, 6513 etc).
Is there any risk to install an HWIC-2FE card into a production 3845 router while it is in a powered up state? Is it recommended to power it down first, then install it?
Using the new SUP-2T, need to clarify one query. If we are using the new SUP-2T in VSS mode, will the new ASA service module and NAM-3 are supported? From Cisco site, ASA module FAQ:
Q. Will the ASA Services Module support the Cisco Catalyst Virtual Switching System (VSS) at FCS?
A. Yes, depending on which supervisor you use. The ASA Services Module supports VSS either as a single firewall or as a failover pair of firewalls, when used with the Supervisor 720-10G (VS-S720-10G-3C and VS-S720-10G-3CXL). Transparent and multi- context modes also work with the VSS in this configuration. However, though the SUP 720-3B (WS-SUP720-3B and WS-SUP720-3BXL) is supported by the ASA Services Module, it is not capable of supporting the VSS. No reference to Supervisor-2T.
we are planning to implement a VSS solution with a 6500 series switches with sup 2T. We also need to include an ASA service module on the design, however the budget is not enough to buy two asa service modules. So i want to know if is possible run a VSS cluster, whit only one ASA service Module. and also i would like know what happens if the single ASA service module fails? can the switch cluster continue operating just as if there is not a firewall installed?
I am currently installing a NM-AIR -WLC 6 wireless module in a 2811 and its giving me the follwing errors below and status.I have checked the trouble shooting pdf and says might be possible hardware error. [code]
I have an ACE10-6500-K9 (Application Control Engine service module for Catalyst 6500) but I can't access it because I lost the admin password.I would like to know how to perform a Password Recovery Procedure on this device.Is it similar to the password recovery procedure on an ACE 4700 appliance?
Does ACE service module support SHA2(256) certificates? I see that private key generation defaults to SHA1 and does not provide any option, also the cipher suites in SSL parameters map do not show SHA2 options. Can it handle SHA2 in any software release? I am currently running A2(2.3) build 3.00
My ACE module ACE30-MOD-K9 crashed today, and at the show ver output i see "last boot reason: Service "cfgmgr" ".the curent version we running is Version A5(1.2) [build 3.0(0)A5(1.2).
After doing some research i found known bug that supposed to be fixed in this version: CSCtu36146
CSCtu36146—The ACE becomes unresponsive due to a configuration manager (Cfgmgr) process failure with the last boot reason: Service "cfgmgr."
we have approx. 70 Cisco 1941W routers deployed in our company. I used to be able to console into the internet wireless AP by issuing the below command:
service-module wlan-ap0 session
However lately this hasn't been working and AP just simply refuses connection. Here is what I have for Status. I have tried reseting the Service Module to no avail.
Router#service-module wlan-ap0 status Service Module is Cisco wlan-ap0 Service Module supports session via TTY line 67 Service Module is failed Service Module reset on error is disabled Service Module heartbeat-reset is enabled Service Module is in fail open Service Module status is not available
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
I am currently migrating a netscreen firewall to a asa 5515 version 8.6 The issue is setting up the management connectivity.
basically the management IP of the cisco asa is not advertised. But, we want to route a management IP through the management interface to interface Gi0/2.
so IP of management interface is say - 216.10.100.10. and the IP of the inside interface is say - 198.1.1.10/24 on our router we have a static route sending 198.1.1.0/24 to next hop of 216.10.100.10 (management interface of cisco asa).
On the Cisco ASA can I send the traffic to the inside interface and manage the firewall via ssh that way?
I m planning to implement VSS in core but want some inputs on IOS as i have FWSM as a service module Core :- Ii am running 12.2(33)SXH2a on my Core 6509 and i checkd cisco sites and Fwsm release notes but it states only I-Train of IOS while mine is H-Train so can I directly upgrade to I-Train or I was thinking of SXH8b IOS.
I can access the ACNS with this config. The issue is that it will not cache anything when I enable WCCP on both ends. I am unable to set the gateway to the IP (even when static) to the WAN interface IP with the error Network Unreachable by content engine. If I address it within the 192.168.2.X network and gateway to 2.1, it locks up when cache is enabled. 192.168.0.5 (the external wan int) is unreachable as a gateway.
I've tried the unnumbered ip on the internal interface but then the service module won't accept an IP stating that the router side must have an IP set.
I had WCCP attempting to cache but timing out on everything without caching a thing. I want/need to understand the IP routing before I get ahead of myself.
I've been tasked with migrating to the new ISP, which provides us with Cisco ME-3400E switch and /26 public subnet. I currently have 15 static NATs and 14 L-2-L VPN tunnels configured in ASA. Is there a way to configure additional Outside int on ASA and use it to migrate the existing VPN tunnels and static NATs? I'm trying to avoid downtime and hope to do it step by step. I'm thinking about adding additional Public switch, so I can also migrate vendor's router and VPN concentrator, which need to be in parallel to ASA. Assuming that this is possible I'd would like to do the following:
1.Configure and connect additional Outside Interface on ASA - public IP address and ACLs
2.Connect it to additional "Public switch", which would be configured with public IP address and connected to new ISP's Cisco ME-3400E.
