I want to configure ASA 5510 with complete redundancy first time. I have already studied all material from cisco web site. but there are avalible alot of material. and i'm confused about the exact my requirment material.
This is current configuration:
active# sh running-config
: Saved
:
ASA Version 8.2(5)
[Code].....
I'm new to firewall using ASA 5510. How can I have a redundancy over two ASA 5510. Hardware load balancing and IP Load balancing, just like HSRP or GLBP. Below is my diagram.
[code]....
I have finally been able to reconfigure my BEFSR41 V3 Wired Router to properly support my small server environment. I would like to know if there is a way to make a complete Backup of the current configuration that should be restored to the router if it should become "reset" to factory defaults. This happened to me approximately a week ago, and it took several days, a couple of phone support calls, and quite a bit of"grief" and aggravation/frustration before I managed to get everything re-configured correctly. If it had been "Backed up" to a file, I could have restored it and been back up and serving websites in a few hours. Instead it took almost a complete week! Is it even possible to actually backup the router? Or... must I just print each screen to be sure I get it all?
View 4 Replies View RelatedI'm shortly going to move our stuff to a new data centre, where we have two network feeds - so there'll be two lengths of CAT 5 coming into the rack, for "first hop redundancy".I have something similar at our existing DC, but I'm simplifying the equation somewhat at the new DC, and using a simpler configuration that just uses two switches, rather than two switches and two routers. All of the servers will have public IP addresses.Now - the network guy at the new DC has confirmed that a simpler two switch configuration will work.
View 17 Replies View RelatedI have a Cisco ASA 5510 connected to 2 private lans (1 for my HQ pc's{inside} and 1 for the worldwide mpls{outside}) It is also connected to the public internet at interface "public" and my dmz at "dmz" interface. I suspect I have a routing issue because packet-trace yields allow, the nat looks ok and the objects look ok at least to me but I'm the one with the non working config so...Basically this is the desired flow:
1. I need all traffic from the inside to be able to flow to the outside unimpeded as they are both trusted networks. (this is ok right now as I allow everything via access-list 101.)
2. I need any host on the public internet to be able to reach a server on the dmz via the pat which I set up from the "public" interface to the "DMZ" interface. The desired flow would be that the person on the internet types in [URL] and this is directed to the public interface ip which forwards to the webserver object on the dmz. (I cannot get this working any which way)
3. I need the dmz to be able to communicate with another server on the mpls via the "outside" interface when it recieves the request from the public it then checks with this other server on the outside via nat(translating the dmz range into the ip of the outside interface on the firewall)I have a default route that points to the mpls or outside interface for 0.0.0.0 0.0.0.0 via 10.x.x.1 - (and although I'm not sure I suspect this could be conflicting with traffic that needs to be sent to the "public" interface .... meaning that the firewall should dump packets bound for 0.0.0.0 0.0.0.0 to the public interface - 184.x.x.194 but I'm very reluctant to change the default route as this is in production and I'm not sure how it will affect traffic).However, I do suspect that if I changed the route from default to static as such:
route 10.0.0.0 255.0.0.0 10.x.x.1 (this would get all lan and mpls traffic to the mpls gateway) route 0.0.0.0 0.0.0.0 184.x.x.193 (this would send everything else from public to the public internet gateway)I think this is accurate but then I would bypassing my corporate internet proxy which is behind the mpls gateway at 10.x.x.1? Is there a way to get http traffic originating from the lan (10.x.x.x) to use the mpls gateway and http traffic for the dmz to use the public internet gateway at 184.x.x.193. I don't want to start causing a flow problem for the internet nor do I want to bypass my corp internet proxy.Either way I cannot get this to work, eventhough the logic checks out, I cannot get even a ping response when I allow icmp any any for testing. Note: I can ping resources on each network from the firewall, not only it's own ports in the associated network but other resources on those networks as well.
Here is the running-config:
ciscoasa# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name marcjacobs.lvmh
[code].....
I am attempting to set up FTP behind this new CISCO ASA 5510 we just bought. I haven't configured a cisco device in 5 years, so I am having issues., i think i am close. If I FTP from outside (fixed) IP it connects and takes the password but hangs on PASV and gives no data connection below is my configuration. It is simple since I seem to have the connection inside correct. and yes you can connect to the FTP server from inside without issue.
Code...
I have one Asa 5510 with base license. now we wish to add one back up ISP for VPN fail over, is this possible to configure backup ISP with this ASA 5510 and how ?
Check ASA features
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(1)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
Cisco asa up 3 hours 35 min
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
We have some users who use citrix outside corporate network through citrix web interface.These users are high priority users and we want to prioritize the citrix traffic. I want to make sure that my configuration will fullfill our requirements. Below is the configuration i was thinking to implement.:
ASA(config)# priority-queue outside
ASA(config-priority-queue)# exit
ASA(config)#access-list CTX-QoS extended permit tcp any 10.1.1.200
255.255.255.255 eq https
ASA(config)# class-map CTX-QoS-CMAP
ASA(config-cmap)# match dscp ef
ASA(config-cmap)# match access-list CTX-QoS
ASA(config-cmap)# exit
ASA(config)# policy-map CTX-QoS-PolicyMap
ASA(config-pmap)# class CTX-QoS-CMAP
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# exit
ASA(config)# service-policy CTX-QoS-PolicyMap interface outside
I have created the following config for an ASA 5510. I implemented a DMZ on it. Is this config as secure as I can get it. I want the web server in the DMZ to only be able to access port 80 and 1433 on the SQL box inside.
ASA Version 8.2(1)
!
hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
BTW, the ASA is running version 7.0 (8) and I'm doing this through the command line.I've got a group of workers coming in a couple times per week that need wireless access to 1 printer on our network and internet access; I'll deny them access to the rest of our LAN.I've already configured an AP with WPA2 on a seperate subnet and put a router between it and our network. I've setup the router to apply an ACL to allow access to the printer's IP, deny to the rest of our main subnet, and permit everything else to go to our ASA 5510 that is serving as our gateway. From a laptop connected to the access point:I'm able to ping the printer's ipI'm not able to ping other workstations or our servers, as intendedI'm able to ping the ASA's inside interface The only part I can't seem to pull off is the final part of getting the ASA to translate the IP's from the new subnet to the outside interface.
So we have:
Laptop > Wireless AP > Router with ACL > Primary LAN > ASA5510 > internet
PAT is working fine for the primary LAN, but the laptop can't hit the internet.
i want to configure asa 5510 to send syslog messages to syslog server which i placed in my inside interface. also if enableing syslog will inrease the cpu utilization or memory? the necessary configuration parts?
View 1 Replies View Relatedcreating a DMZ with my current configuration. Most of my configuration has been through the ASDM as I am still learning. I'm looking for a good tutorial through the ASDM to get me on my way. What I need to accomplish is this:
I have an internal GIS server which needs to have a constant database connection to an remote GIS Server which is already configured. I've got a separate VLAN setup on my 3750 switch which connects to the DMZ configured port on my ASA with a security level of 50. My GIS server has been placed in the DMZ VLAN which is accessible from my internal clients. I have a /30 Internet block which is being used for Internet and VPN. I have a separate /28 block that I'm assuming I'll need for the DMZ to work properly.
Will give configuration of NAT for my internal users with 192.168.1.0/24 with single public IP.
I new to configure IOS version 8.3.
I'm working on getting a ASA 5510 set up and am having major difficulties. I'm really new to ASA and coming over from Microsoft ISA. Below is my configuration, how to get this all sorted out. As of nwo it doesn't appear that any traffic is going through whether it's incoming or outgoing. [code]
View 3 Replies View RelatedI've a problem with syslog logging on my Cisco ASA 5510 version 8.2(1). I need to:
- 1) log some ACL with warning level to log deny access.
- 2) log some ACL with informational level to log permit and deny access (notification level log only deny access and not permit access).
- 3) not log others ACL.
For 1), I configured the syslog server with warnings level and i enabled the logging rules with default level (syslog default level)
logging enable logging trap warnings logging host "interface" "host" . access-list "interface" extended permit ip any any log default.
For 2), I enabled the logging rules with specific level (informational).
access-list "interface" extended permit ip any any log 6 interval 300.
For 3), I disabled the logging rules.
access-list "interface" extended permit ip any any log disable
My problem is that the syslog logging level bypass the ACL logging level. Even if some ACL are configured with informational level, the ASA send only warnings logs to the syslog. I tried to configure the syslog default level to warnings, to remove the ACL and then put it back again with the specific logging level but I still have the problem.
when we are configuring ASA 5510 8.2(5) for Authenticating with ACS 5.X Server is not authentication fail error.
View 2 Replies View RelatedI have existing Sonic FW in my company we are moving from sonic FW to ASA 5510 Security plus lice. I have two ISP currently connected to sonic Firewall I am planning to implement Dual ISP configuration on ASA5510.
View 12 Replies View Related I have Cisco 877-K9 router which sits behind an ASA 5510 FW. The Design :
Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
||
ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
||
Switch
||
LAN
Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa. I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not able to ping any LAN IP at Spoke site nor am I able to ping my LAN from any Spoke site. I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
What protocol the firewall configuration replicate and monitor the interfaces?
View 1 Replies View RelatedI have new ASA 5520 units currently we are using ASA 5510... I have to migrate all the configuration to the new ASA 5520 units....I am wondering is there a possible way to export and import certificates from ASA 5510 to 5520....
how to export or copy all the configurations, plug-ins, certificates from 5510 to 5520.Existing configuration snapshot...CA certificates from third party installed for authentication and identity certificate from Verisign
WebVPN
Anyconnect
Plug-ins
IPSEC tunnels
NAT
I have configured redundant interface on ASA 5510
interface Redundant1
description *** INSIDES NETWORK ***
member-interface Ethernet0/1 (This is a 1000Mbps Port)
member-interface Ethernet0/2 (This one is 100Mbps)
no nameif
no security-level
no ip address
[code]....
Then... i issue following command and its OK!
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
[code]...
It's transfer correctly then i no shut and back to normal Primary core switch Gi0/30 Interface again, BUT redundant interface no revert back. I issued this command again BW remain 100Mbps.
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
[ code]....
I did manually shut down and no shut the secondary core switch interface Gi0/30 Its changed correctly to 1000Mbps .
I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
View 5 Replies View Relatedconfigure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
IP Details are below.....:
interface Ethernet0/0
nameif outside
security-level 0
[Code].....
We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
View 1 Replies View RelatedI had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time. Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer. I disconnected the failover cable because it was complaining about version mismatches constantly.
Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?
I have turned on the aaa command authorization without applying adequate privileges to the user. I can now log in through that user but the ASA 5510 displays an error :ASA 5510# show running-config
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed.
I am unable to make any configuration changes on the firewall. Is there any default user through which I can log in and disable the aaa authorization ? if not, how can I resolve this situation ?
I configure MHSRP at router Cisco 2901.
Router-B(config)#ip nat Stateful id 1Router-B(config-ipnat-snat)#redundancy SNAT1Router(config-ipnat-snat-red)#mapping-id 1 [code]...
when i write redundancy SNAT2 this error occur:
%Multi-redundancy entry not supported.
i have new project in hospital with the bellow product :
20 X WS-C2960-24TC-S
2 X WS-C3750X-48T-S
2 X WS-C2960S-24TS-S
i need to configure this switch in order to work first the 2 core switch for redundancy then each catalyst switch 2960 connected to the core with 2 uplink each uplink for each core switch that way i have rendundancy in the connection then i need one vlan ?i need to configure this switch to work perfectly with each other in best redundancy mode?
I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .
i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).
I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA and make the config changes on the primary and then power on the secondary ASA ? Or this another way to do this?
View 3 Replies View RelatedI am not very experienced with Cisco networking.
Here is the situation.
Site A - headquarters 192.168.1.x
Site B - remote office 192.168.20.x
Site C - remote office 192.168.30.x
Site A - ASA 5510
Site B - ASA 5505
Site C - ASA 5505
Site-to-site VPN is established and works between A and B, A and C. Users would like to establish a tunnel between B and C to work on a common project and the data is on Site B.
I tried configuring the S2S VPN with pre-shared keys on both firewalls at sites B and C but in the end it is not established (I cannot ping either side). I used the Wizard interface multiple times and one time the CLI. I generally followed the settings chosen between the headquarter and the individual remote sites and tried to replicate them. Obviously I have made a mistake somewhere.
Could there be any limitation on the ASA 5505 in terms of licensing and the number of S2S tunnels?
I will be installing a new ASA 5510 firewall on our SIP vlan to separate our voice traffic from the rest of the traffic. I'm trying to decide whether or not I should go with an active/active setup or an active/standby. Any insight on the best way to set this up? This install is going in from scratch, and I am going to be connecting to a 3750 switch stack. Should I pair up a link from each switch to each 5510 using etherchannels? Should I use 8.3 or 8.4? Most of the docs I've been able to find say it depends on this, that, or the other.
View 2 Replies View RelatedI have two ASA 5510 configured with site to site tunnel. on the both side of the ASA 5510 i have configured Redundancy links (terminated 2 ISP links) which is working fine.Now i need to configure Site to site vpn for the backup link. how to configure the site to site redundancy on both locations.
View 1 Replies View Related