Cisco Firewall :: Catalyst 6509E / Migrating From FWSM To ASA Service Module (ASASM)?

Jun 6, 2013

I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period. With that in mind, is there any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything. In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.


Cisco Firewall :: 6509 - FWSM To ASASM Object Conversion

Nov 4, 2012

We are in the process of migrating to the ASA service modules on both our 6509E switches from our current FWSM. We have used the Cisco conversion tool and applied that to the service module. When viewing the context in ASDM we are unable to view the object names in the right hand pane.
 
On the FWSM I would see the following under Network Objects:
 
Network Objects
- JQ-Test
- JQ-Test2
- JQ-Test3
 
Network Object Group
+ JQ Group
      - JQ-Test
      - JQ-Test2
      - JQ-Test3
 
Now that I have run the conversion tool and applied that to the ASAs, I get the following results.
 
Network Objects
- 10.1.1.1
- 10.2.2.2
- 10.3.3.3
 
Network Object Group
+ JQ Group
     - 10.1.1.1
     - 10.2.2.2
     - 10.3.3.3
 
I am aware that the naming convention on the ASAs is different from the FWSM, as you can no longer use the "name 1.1.1.1 JQ-Test1" format, but I was hoping that the conversion tool would do this for me.

Is there any way I can get the names of the objects back without having to script something that takes the old FWSM format and converts it into an ASA format?


Cisco Switching/Routing :: Catalyst 6513 - FWSM Module Configuration

Dec 20, 2007

My company has acquired a Catalyst 6513 with a FWSM module installed on it. I have been reading lot of documentation on [URL], but still have some problems configuring the FWSM:
 
The 6513 has 10 SVIs configured, each of them with an IP address. These 10 SVIs are bound to 10 VLANs which I need to secure. These SVIs are used for routing all the inter-VLAN traffic inside the switch. The documentation says it is recommended to use just one SVI for connecting the switch to the FWSM, although you can use more than one using the command "firewall multiple-vlan-interfaces". I don't want to use this command because it seems a much more difficult configuration, since you have to use policy routing after using this command (or that is, at least, what the documentation says).
 
When I try to "send" to the FWSM more than one VLAN that are configured as SVIs on the switch I get this error message:
 
"No more than one svi is allowed, command rejected."

If I delete the IP address of those SVIs, then I can "send" those SVIs to the switch with no problem at all. But I need the SVIs to have an IP address configured, since they are needed for routing inter-VLAN traffic.
 
So, the question is: how can I route all the inter-VLAN traffic using just one SVI on the switch? Should I use the FWSM for inter-VLAN traffic routing?


Cisco Firewall :: 6509E / FWSM Default Port Channel?

Jan 22, 2012

I'm doing some L2 cleanups across multiple 6509E environments and I've found something consistent that I can't find in documentation. On all my pairs of 6509s where I have FWSMs bundled (6509-A has FWSM-1 in Slot 1 and 6509-B has FWSM-2 in Slot 1) I also have a port channel 305. Obviously when I do a "show run" or "show int desc" I don't see anything in slot one. It's a service module. But the port channel is referencing ports 1/1-6. And it's all in service/up. I was about to delete this as I thought it was some leftover config (TEST 6509s) until I went and saw the same things on our PROD 6509s. Is it cosmetic? Necessary? Can I delete it as part of my audit cleanup? Don't want to mess with it even in TEST without some information. Nothing on Google that's clear and I can't find anything on CCO.
 
#################################################################################
6509-1#sho etherch 305 summ
Flags:  D - down        P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)

[code]....


Cisco Firewall :: Catalyst 6509E - Web Services Not Working

Mar 11, 2013

We have installed and implemented a FWSM on a Cisco Catalyst 6509E and defined two virtual contexts. One of the contexts works as the datacenter firewall. Initially it is configured to allow all traffic to the datacenter VLAN (permit any any). On test, it worked fine, except for one problem: all web services had degradation in performance, while all server-client (non-web) services worked very fine. Additionally, all HTTPS services worked well.
 
Users connect to the web server bypassing the proxy, web services are expected to act just like other ones.


Cisco Switching/Routing :: Migrating Cat 6503-E VSS To Cat 6509E VSS

Aug 7, 2012

I want to migrate a Cat 6503-E VSS to Cat 6509E VSS. We plan to use the same supervisor that we have on the Cat6503E, for minimizing the configuration change on the Doing this, the vss link will need to be changed, due to the fact that the supervisor slot will change with the Cat 6509, slot 5 instead of 1.

Question: is there a way to just change the vsl-link interface on an existing VSS?


Cisco Firewall :: 6500 FWSM Module Upgrade Recommendation

Aug 24, 2011

I'm looking at upgrading our FWSM modules in our 6500s. They're the WS-SVC-FWM-1 modules.

We're running on version 3.2(12) at the moment and I'm looking to jump up to 4. Any recommendations around whether I should go to 4.1(6) or 4.0(16)? There aren't any features in particular that I would need in 4.1 but I want a good stable base to sit on for 12 months until I look at this exercise all over again.


Cisco Firewall :: 6509 - Replacing Faulty FWSM Module In Cluster

Apr 15, 2013

We have a faulty FWSM module in a Cisco 6509 switch in Active/Standby cluster mode.

We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration.

What procedures should I follow to make this unit live and sync the config from the current active unit to this one?


Cisco Firewall :: Upgrade ASA Service Module On Cat 6504?

Mar 20, 2013

I just got 2 Cat6504 chassis with 2 ASASMs plugged into them. The show version output from the ASA submodule is as follows:

SVC-APP-HW-3#show ver
Cisco IOS Software, trifecta Software (trifecta-SP-M), Version 15.1(1)SY, RELEASE SOFTWARE (fc2)

[Code].....
 
I want to upgrade the ASA to a new OS, 8.5 (asa851-smp-k8.bin), but after copying this software to the module I cannot use the "write" command, and when I reload this box nothing has changed.

SVC-APP-HW-3#write
startup-config file open failed (No such device)


Cisco WAN :: SPA Module On 6509E - Control Store Parity Error

Nov 28, 2012

I have a SPA module on a 6509E experiencing this error:
!
sh log | b crash
SLOT 3: Aug 18 12:52:10 CST: %CARDMGR-2-ESF_DEV_ERROR: An error has occurred on Ingress ESF Engine: Control Store Parity Error
SLOT 3: Aug 18 12:52:10 CST: %ESF_CRASHINFO-2-WRITING_CRASHINFO: Writing crashinfo to disk0:crashinfo.esf_20110818-175210
[Code]....


Cisco Switching/Routing :: Upgrade Catalyst 6509E CatOS To IOS

Nov 7, 2012

I have to upgrade two Cisco Catalyst 6509E switches from CatOS to IOS. I would like to know the hardware or software requirements for upgrading. Which are the recommended images I must download? From cat6000-sup32pfc3k9.8-4-5 to the latest stable version of IOS, is it recommended to pass through another, earlier version first?

I have viewed the following links, [URL], but it doesn't mention anything about that. Below is the result of the "show version" command on one of our Cisco Catalysts.
 
WS-C6509-E Software, Version NmpSW: 8.4(5)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Aug  3 2005, 13:13:36

[code]....


Cisco Wireless :: Catalyst 6509e - Clients Not Getting Correct Dhcp Addresses

Sep 9, 2012

Environment:
1. Core switch - Catalyst 6509e
vlans configured:
a. vlan 50 (wired clients)

[Code]....

Here's the problem: wireless clients connected to WLAN guest keep getting DHCP leases from WLAN local 10.0.50.10 (scope 10.0.70.101 to 200).


Cisco Switching/Routing :: Catalyst 6509E Upgrade IOS Required Memory Size

Oct 21, 2012

I have a Catalyst 6509 E with redundant SUP720-3B (and MSFC3) running 12.2(18)SXF6 IP Services Lan Only IOS (this IOS requires 512MB DRAM and 64MB of flash). The SUP has 512MB DRAM (458720K/65536K) and 512MB sup-bootdisk:, but there is 65536K bytes of Flash internal SIMM (Sector size 512K).

My question is: can I put 12.2(33)SXJ3 IP Services Lan Only IOS on this 6500, because this IOS requires 512MB DRAM and 512MB of flash? This is "sh ver" and "dir all-filesystems" of my 6500:

cat6500#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF6, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Mon 18-Sep-06 23:59 by tinhuang
Image text-base: 0x40101040, data-base: 0x42D90000
ROM: System Bo


Cisco Security :: Configure FWSM Module In Core Switch 6500

Mar 9, 2007

How do I configure the FWSM module in a Cisco core switch 6500?


Cisco :: Wrong IOS On A Switch Service Module?

Mar 11, 2013

I am having issues (nothing new there). I have a bad IOS on a switch module, and the config is set to boot to that IOS, and as such I get a nasty boot loop. I am trying to figure out how to get into rommon, but all the documentation I can find for this just says go into rommon and never tells me how to get there on a switch module that thinks it has a good IOS. (The IOS is for our normal service module but this one is an odd-ball switch.)


Cisco WAN :: Service Ready Engine 910 Module

Jan 1, 2013

Can I install Cisco WAAS and Cisco Prime Network Analysis Module (NAM) together on a single Cisco Service-Ready Engine (SRE) 910 module? Or can it only run 1 of the software?


Cisco WAN :: 2901 / 2911 Routers Service Module?

Dec 5, 2011

I have some confusion about some hardware components. I watched the video datasheet of Cisco routers and switches. In the Cisco 2901 and 2911 models of routers there is a service module. What is meant by service module? What does it do? If we buy a new 6500 switch, what are the components we get by default? Is there any special configuration to be done for the 6500, like Sup engine config etc.? What is the difference between ASIC and Sup engine? In which slots do we need to insert the Supervisor Engine? Does it vary with the model (6503, 6505, 6509, 6513 etc.)?


Cisco WAN :: Service Module Installation In 3845 Router?

Jun 3, 2013

Is there any risk to install an HWIC-2FE card into a production 3845 router while it is in a powered up state? Is it recommended to power it down first, then install it?


Cisco Switching/Routing :: Cat6500 SUP-2T Service Module

Apr 12, 2012

Using the new SUP-2T, I need to clarify one query. If we are using the new SUP-2T in VSS mode, will the new ASA service module and NAM-3 be supported? From the Cisco site, ASA module FAQ:
 
Q. Will the ASA Services Module support the Cisco Catalyst Virtual Switching System (VSS) at FCS?

A. Yes, depending on which supervisor you use. The ASA Services Module supports VSS either as a single firewall or as a failover pair of firewalls, when used with the Supervisor 720-10G (VS-S720-10G-3C and VS-S720-10G-3CXL). Transparent and multi-context modes also work with the VSS in this configuration. However, though the SUP 720-3B (WS-SUP720-3B and WS-SUP720-3BXL) is supported by the ASA Services Module, it is not capable of supporting the VSS.

No reference to Supervisor-2T.


Cisco Switching/Routing :: 6500 - VSS And ASA Service Module

Mar 10, 2013

We are planning to implement a VSS solution with 6500 series switches with Sup 2T. We also need to include an ASA service module in the design; however, the budget is not enough to buy two ASA service modules. So I want to know if it is possible to run a VSS cluster with only one ASA service module. I would also like to know what happens if the single ASA service module fails. Can the switch cluster continue operating just as if there is no firewall installed?


Cisco Wireless :: 2811 Service Module Is Trying To Recover From Error

Mar 27, 2012

I am currently installing a NM-AIR -WLC 6 wireless module in a 2811 and it's giving me the following errors below and status. I have checked the troubleshooting PDF and it says it might be a possible hardware error. [code]


Cisco Application :: Password Recovery For ACE Service Module 6500

Dec 27, 2011

I have an ACE10-6500-K9 (Application Control Engine service module for Catalyst 6500) but I can't access it because I lost the admin password. I would like to know how to perform a Password Recovery Procedure on this device. Is it similar to the password recovery procedure on an ACE 4700 appliance?


Cisco Application :: Does ACE Service Module Support SHA2(256) Certificates

Sep 1, 2010

Does ACE service module support SHA2(256) certificates? I see that private key generation defaults to SHA1 and does not provide any option, also the cipher suites in SSL parameters map do not show SHA2 options. Can it handle SHA2 in any software release? I am currently running A2(2.3) build 3.00


Cisco Application :: ACE30-MOD-K9 Module Crash Due To Service Cfgmgr

Dec 2, 2012

My ACE module ACE30-MOD-K9 crashed today, and in the show ver output I see "last boot reason: Service "cfgmgr"". The current version we are running is Version A5(1.2) [build 3.0(0)A5(1.2).

After doing some research I found a known bug that is supposed to be fixed in this version: CSCtu36146
 
CSCtu36146—The ACE becomes unresponsive due to a configuration manager (Cfgmgr) process failure with the last boot reason: Service "cfgmgr."


Cisco Switching/Routing :: 1941W - Service Module Failed

Jul 25, 2012

We have approx. 70 Cisco 1941W routers deployed in our company. I used to be able to console into the internet wireless AP by issuing the below command:

service-module wlan-ap0 session
 
However, lately this hasn't been working and the AP just simply refuses the connection. Here is what I have for status. I have tried resetting the Service Module to no avail.
 
Router#service-module wlan-ap0 status
Service Module is Cisco wlan-ap0
Service Module supports session via TTY line 67
Service Module is failed
Service Module reset on error is disabled
Service Module heartbeat-reset is enabled
Service Module is in fail open
Service Module status is not available


Cisco Firewall :: ASA 5510 / Ip Service Object And Service Group

May 16, 2011

When I create a service object or group and add the object to a new rule it never works. I mean the traffic does not match the rule. I see no hits. I placed the rule on top of my access list to check if I am doing something wrong but it is not working. When I place only a service, for example tcp/23, it is working.

My IP service object:

object-group service g-as400
 description access client 2 as400 machine
 service-object tcp-udp destination eq 397
 service-object tcp destination eq 137
 service-object tcp destination eq 2001
 service-object tcp destination eq 3000
 service-object tcp destination eq 445
 service-object tcp destination range 446 447
 service-object tcp destination eq 449
 service-object tcp destination eq 5010
 service-object tcp destination eq 5544
 service-object tcp destination eq 5555
 service-object tcp destination range 8470 8476
 service-object tcp destination eq 8480
 service-object tcp destination eq

[code]...


Cisco Firewall :: Migrating Netscreen Firewall To ASA 5515 Version 8.6?

Mar 5, 2013

I am currently migrating a NetScreen firewall to an ASA 5515 version 8.6. The issue is setting up the management connectivity.

Basically, the management IP of the Cisco ASA is not advertised. But we want to route a management IP through the management interface to interface Gi0/2.

So the IP of the management interface is, say, 216.10.100.10, and the IP of the inside interface is, say, 198.1.1.10/24. On our router we have a static route sending 198.1.1.0/24 to a next hop of 216.10.100.10 (management interface of the Cisco ASA).
 
On the Cisco ASA can I send the traffic to the inside interface and manage the firewall via ssh that way?


Cisco Switching/Routing :: How To Configure Sm-es2-16-p Service Module To Route Over 2911

Jun 17, 2012

Any example of how to configure an sm-es2-16-p service module to route over an Cisco 2911?


Cisco Switching/Routing :: 6509 VSS Implementation As A Service Module Core

Jun 8, 2011

I'm planning to implement VSS in the core but want some input on IOS, as I have an FWSM as a service module. Core: I am running 12.2(33)SXH2a on my core 6509, and I checked Cisco sites and the FWSM release notes, but they state only the I-Train of IOS while mine is H-Train, so can I directly upgrade to I-Train, or I was thinking of the SXH8b IOS.


Cisco Switching/Routing :: SM-ES2-24 - Installation Of Enhanced EtherSwitch Service Module

Dec 12, 2011

I have a 2911 ISR and want to install an SM-ES2-24 Enhanced EtherSwitch Service Module.
 
Do I need to power down the router?


Cisco Switching/Routing :: 2921 / How To Quit Service-module Session

Jun 9, 2012

On a 2921, how do you quit a service-module session and get back to the router?


Cisco Switching/Routing :: 2851 - Service Module Won't Accept IP Stating

Oct 18, 2012

[code]....
 
I can access the ACNS with this config.  The issue is that it will not cache anything when I enable WCCP on both ends.  I am unable to set the gateway to the IP (even when static) to the WAN interface IP with the error Network Unreachable by content engine. If I address it within the 192.168.2.X network and gateway to 2.1, it locks up when cache is enabled.  192.168.0.5 (the external wan int) is unreachable as a gateway. 
 
I've tried the unnumbered ip on the internal interface but then the service module won't accept an IP stating that the router side must have an IP set.
 
I had WCCP attempting to cache but timing out on everything without caching a thing.  I want/need to understand the IP routing before I get ahead of myself.


Cisco Firewall :: Migrating To New ISP - ASA 5510

Jan 4, 2012

I currently have the following set up (excuse my quick drawing):
 
--------------Vendors VPN Router----                                                           
|    ------Cisco 3000 VPN------        |                                                                        
|    |                                   |        |
Private Network-------ASA5510---------Pub Switch------Cisco Router 2x T1

I've been tasked with migrating to the new ISP, which provides us with a Cisco ME-3400E switch and a /26 public subnet. I currently have 15 static NATs and 14 L-2-L VPN tunnels configured in the ASA. Is there a way to configure an additional Outside interface on the ASA and use it to migrate the existing VPN tunnels and static NATs? I'm trying to avoid downtime and hope to do it step by step. I'm thinking about adding an additional public switch, so I can also migrate the vendor's router and VPN concentrator, which need to be in parallel to the ASA. Assuming that this is possible, I'd like to do the following:

1. Configure and connect an additional Outside interface on the ASA - public IP address and ACLs

2. Connect it to an additional "Public switch", which would be configured with a public IP address and connected to the new ISP's Cisco ME-3400E.

3. Migrate my VPN tunnels and static NATs.

4. Migrate the vendor's equipment/VPN concentrator

5. Update my global NAT pool

6. Shut down the old ISP

Copyrights 2005-15 www.BigResource.com, All rights reserved