Cisco Firewall :: Configuration Updates To Standby ASA5510?

Aug 21, 2011

Is there a document that explains how the configurations are updated to the standby ASA and what needs to be manually added tot he ASA?  I have two ASA 5510 running ASA ver 8.3(2) and ASDM 6.4(1).  When I add static routes to the primary ASA the routes are not sent to the failover ASA.  Is this to be expected or do I have a bug? 

View 10 Replies


ADVERTISEMENT

Cisco Firewall :: ASA5510 / Can't Communicate With Standby IP

Jul 29, 2012

I can no longer communicate with the standby IP address configured on the inside interface of a secondary ASA5510. Just a couple days ago I could snmp, http, ssh, and ping it.From the switch that is directly connected to the inside interface I'm getting unexpected results when viewing the the arp table. The switch is saying the IP address associated with the ASA's inside interface has mac address 0023.3353.bcc8 but the ASA is saying its inside interface mac address is 0023.33bb.8362?Furthermore when I issue the "sh mac address-table interface f5/46" command on the switch i see multiple macs on the interface that is connected to the inside interface of the ASA...
 
Unicast Entries
vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
135    0023.3353.bcc8   dynamic ip                    FastEthernet5/46     
135    0023.3353.bdc8   dynamic ip                    FastEthernet5/46     
135    0023.3353.bec8   dynamic ip                    FastEthernet5/46     
135    0023.3353.bfc8   dynamic ip                    FastEthernet5/46 

View 1 Replies View Related

Cisco Firewall :: ASA5510 Active / Standby Failover Speed

May 11, 2011

I have just finished setting up two ASA5510s in Active/Standby Staeful failover, using the Management interface for both failover and state. Everything appears to be working well.Configurations were transferred and the "sh failover" on both accurately reports their status before and after a failing the active device.I monitored the inside IP with a continuous ping (using a Windows client) and noticed that there were usually two to three ping responses lost. Is this normal?

View 1 Replies View Related

Cisco Firewall :: IPS Modules In ASA5510 Active / Standby Pair

Feb 6, 2012

I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?

View 3 Replies View Related

Cisco Firewall :: Active / Standby Fail Over Config On ASA5510

Apr 10, 2011

I have two ASA5510 configured in an active/standby failover configuration. Everything is working well, but I would like to remove DMZ2 as it is no longer needed. On my DMZ2 interface, I have removed the security level and the IP address and shutdown the interface. However, when I do a "show failover" DMZ2 is still showing up. I would like to remove it completely so that failover isn't even "monitoring" this interface. What command am I missing or what do I need to do to completely remove this interface from this "show failover" listing? [code]

View 7 Replies View Related

Cisco Firewall :: ASA5510 With CSC Module - Pairing It For Active / Standby Mode For Failover?

Jan 22, 2013

I am a single ASA-5510 with CSC module.I want to pair it for active/standby mode for failover .... can it be done if second ASA doesn't have the module? Can I assume the in case of a failover, the traffic won't be checked, and primary does in case CSC module fails?

View 2 Replies View Related

Cisco Firewall :: ASA 5505 Active / Standby Configuration?

Sep 21, 2011

i have 2 ASA 5505 running 8.3(1) and ASDM 6.3(1).
 
the first unit is currently working, and i now wish to configure the second unit as standby. im configuring through the ASDM GUI. Started the HA Wizard, choose Active/Standby configuration and enter the IP of the peer device. checks come back all ok. On the LAN link configuration page (step 3of6) Interface is pre selected as VLAN99, I give it a logical name as iface_fail, and enter 10.0.0.1 as primary address and 10.0.0.2 as standby, subnet as 255.255.255.248, and select port Ethernet0/5
 
Note that if i click on the buttons next to the IP fields, i get IP addresses of remote hosts!.

View 1 Replies View Related

Cisco Firewall :: 5510 - ASA Active / Standby Configuration

Jun 4, 2012

I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.

View 5 Replies View Related

Cisco Firewall :: ASA 5550 Transparent Active / Standby Configuration

Dec 20, 2012

I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA: [code]My questions are the following:

1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip needs to be the same as the management ip address?
 
2. Does any other additional config is needed for HA to work for basic active/stand-by failover?
 
3. Which is the best method to add the second box without disrupting the active box?

View 3 Replies View Related

Cisco Firewall :: 5540 - Active / Standby ASA Failover Configuration Changes?

May 15, 2011

I have 2 ASA 5540s ver 8.3 in Active/Standby state.I am considering a future hypothetical situation where I might need to rename interfaces or reallocate redundant interface groups.  Doing so obviously has a major impact on the current primary configuration.  My goal would be to minimize or eliminate network downtime during the interface changes.
 
I am wondering if it is possible to force the secondary ASA from the standby to active state.Then temporarily disable failover on the primary unit.Make the interface changes on the primary unit Then reactivate failover on the primary unit Force the primary unit back to active and secondary unit to standby My new interface configuration would then sync from the primary to the secondary.
 
I believe this would work but must ensure that the secondary ASA can function as the active unit while the failover is disabled on the primary unit.  Is there a set length of time the secondary unit can remain active without a failover peer?
 
see issues with operating the secondary unit in this manner while making changes to the primary unit?

View 1 Replies View Related

Cisco Firewall :: 6500 Setup In Active / Standby Fail Over Configuration

Feb 29, 2012

I have been having an annoying issue for the past few weeks with my ASA setup. We are using the ASA as our Remote Access Gateway and originally had it setup in a Active/Standby failover configuration using 2 x 5520 ASA's.The original setup of the devices was that the 2 x ASA were setup in a failover configuration, with both of them connecting back to the internal network via a 6500 device. Because of using failover I created a VLAN on the 6500 and put the two ports that connect the ASA's into that VLAN. I then configured the VLAN interface to be the EIGRP interface for the neighbour relationship to the ASA's.
 
The problem I am seeing is that the EIGRP neighbour relationship between the Active ASA and the 6500 keeps flapping. It occurs abour 4-5 times every day at randmon intervals. Sometimes the neighbour relationship will stay up for 6-7 hours, other times it flaps every 1-2 hours. I initially thought it was due to the failover configuration so I removed one of the ASA's and removed all of the failover configuration, but the EIGRP neighbour flapping problem still exisits. [code] Since removing the failvoer configuration I am thinking it could be a physical cable problem?

View 4 Replies View Related

Cisco Firewall :: 5510 Setup In Active / Standby Failover Configuration

May 8, 2012

We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.

View 1 Replies View Related

Cisco Firewall :: 3750s / Trigger Failover Without Standby Address Configuration?

Nov 13, 2012

I am trying to establish EIGRP neighborships with my inside switches (3750s) over the "Internal" interface, shown in green. The outside interface is g0/0 and don't worry, I've ensured EIGRP is not running there.The problem I'm having is that I need to monitor the "Internal" link so that if it goes down, the ASA triggers the failover to the secondary firewall connected to the other switch. I was told that the "secondary" keyword was what enabled this:
 
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.10.2.2 255.255.255.0 standby 10.10.2.3
 
This is fine since I am able to compare this config to the firewalls that are currently in production elsewhere in the environment and this is what's in use there. However, in order to run EIGRP all the way to the firewall and not rely on something else like HSRP for the inbound traffic, I'd like to run the corresponding links (Gi1/0/22) on the inside switches as routed ports (no switchport) so that I don't have to establish neighborships with SVIs or something like that. I want the routing to be done directly to the port, leaving the interfaces for failover and our DMZ set up as switchports, since those can be layer 2.It's saying the Internal interface has failed now, probably because it cannot send hellos through this, since it's a routed port on the switch side. I'm wondering if this simply is an impossible design, unless there's a way to track this interface and trigger a failover if it goes down using another method.a method that allows me to track that internal interface (Gi0/1) and trigger a failover if it goes down.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 8.0(5) Write Standby Causes Standby Interface Down / Up

Sep 22, 2011

last night I started upgrading our ASA5520 active/standby cluster. Because of lack of memory, I stopped the upgrade process and will continue when the memory modules have arrived... Currently I'm running 8.0(5) on both nodes (Version: Ours 8.0(5), Mate 8.0(5))Whenever I use the "write standby" command on the active ASA, the passive ASA seems to drop it links for a short while. [code]

View 4 Replies View Related

Cisco Firewall :: ASA5510 NAT Configuration

Apr 25, 2012

I have 30 IP cameras with a private IP address: 10.1.1.1 – 10.1.1.30. I have a Cisco ASA 5510 firewall. I want to be able to use one public IP address, example, 50.50.50.50
 
With a specific port to go to a different internal camera,
 Example
50.50.50.50:3001 should be NATTED to camera 10.1.1.1
50.50.50.50:3002 should be NATTED to camera 10.1.1.2
[code]....

How do I do this? I know how to create NAT… just not like this.

View 5 Replies View Related

Cisco Firewall :: ASA5510 Configuration Restore After Being Replaced By RMA

May 29, 2011

Have a 5510 in Routed mode, simple Static NAT to interface two networks (inside_1 is my private space, and outside_1 the larger intranet that hosts heavy traffic). outside_2 faces internet via pppoe just for VPN purposes.
 
It was operating fine for one year then one port broke (outside_2, internet), leaving no vpn. We followed RMA service replacement and the new unit came with upgraded SW (8.0.4) than the one the original config was created on (8.0.2).
 
To ease the replacement, I did downgrade the sw boot image. Then I did restore the config by tftp to the startup-config and then a reload. Everything seems to load fine.
 
Problem is that testing reveals some sort of issue: I can ping some of the intranet hosts but can't reach gateway, thus larger segment of hosts become unreachable. It seems as if the NAT mechanism can't find the next gateway where to hop. For debug practice, I've enabled all the icmp stuff so ping wasn't being blocked by the device.
 
Being given the fact that this config was up and running prior to the replacement, I've no reason to suspect any mysconfigured items (ie routes, NAT, access-list), but obviously I'm obfuscated and can't see what else I'm missing.
 
How is that possible that the PING only reaches certain hosts? Pinging to 10.15.5.90 works (Route is 0.0.0.0  0.0.0.0 to 10.15.5.126 (gw)), but pinging to the gateway itself doesn't (10.15.5.126) and even worse, hosts like 10.15.167.210 do not respond either.

View 2 Replies View Related

Cisco Firewall :: Implement A NAT Configuration After Having Upgraded ASA5510

Aug 17, 2011

I'm having a cow of a time trying to implement a NAT configuration after having upgraded our ASA5510 recently from IOS 8.2 to 8.4. The upgrade went fine, however we now have a need to add a new NAT rule and I'm not sure whether it's possible.
 
The upgraded NAT rule and access list works fine at allowing external access to a web server.
 
However we now need to NAT the SOURCE address (either to a pool or single address) of incoming http requests before forwarding the request to the server. Hence the server will see all requests as originating from a pool with a route heading back to the ASA. The basic issue is that the severs default gateway does not return to the ASA, so "tagging" the source address of external requests to an address or interface associated with the ASA should allow the server to return the traffic to the ASA. I know we shouldn't be doing it this way but we can't see any alternative.
 
Having read a huge amount of examples we can access the server with the above config (or Object NAT), and we can NAT incoming traffic,however we can't combine the two by having all external http requests Source Natted before forwarding to the server.

View 8 Replies View Related

Cisco Firewall :: ASA5510 Static 1to1 NAT Configuration

May 21, 2012

We are replacing our EOL Watchguard X1000 Firewall(s) with Cisco ASA 5510 unit - ASA Version 8.4(3).  Following is the static NAT I have build and the corresponding access list.
 
nat (FW2Inside,FW2Outside) source static BW_XSP1_Private BW_XSP1_Public destinat
ion static BW_XSP1_Private BW_XSP1_Public

access-list FW2Outside_access_in extended permit tcp any object BW_XSP1_Public object-group DM_INLINE_TCP_1
 
Unable to access the server on the inside interface via the public NAT address. Can you point me in the right direction as to what I might be missing to make this work?

View 1 Replies View Related

Cisco Firewall :: ASA5510 / Specific Configuration About TCP Connection Or DNS To Setup?

Mar 8, 2011

I Changed my old firewall by an ASA5510, since that change my internet connexion is slower.Some websites takes longer to display.I would like to know if there are some specific configuration about TCP connection or DNS to setup? 

I just configured the ISP DNS :
 
Dns server-group DefaultDNSname-server 194.2.0.20 name-server 194.2.0.50

View 4 Replies View Related

Cisco Firewall :: ASA5510 - Common Criteria EAL4 Configuration

Jan 18, 2012

I'm trying to track down the installation and configuration procedures for the common criteria EAL4 evaluated ASA5510 but not having any joy.
 
The ASA Release 8.3.2 certification report [URL] identifies the required configuration documentation as the "Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform Common Criteria Operational User Guidance and Preparative Procedures" but I can not find any reference to this on the Cisco web site.
 
So far I've only been able to locate the proceedures for the older 7.0 release. [URL]
 
How to locate the correct documentation needed to configure an ASA5510 to achieve the common criteria EAL4 evaluated configuration.

View 2 Replies View Related

Cisco Firewall :: ASA5510 - Saving Configuration / Insufficient Memory

Oct 3, 2011

When I try to save the configuration it displays the following error.Is it due to insufficient memory?
 
MPF-ASA#wr mem
ERROR: % Unrecognized commandMPF-ASA(config)# wr memBuilding configuration...Cryptochecksum: 81c514b8 9e95ee97 8b512148 b31377a4
[Code]...

View 1 Replies View Related

Cisco Firewall :: ASA5510 / 1800 / 3825 - Routing Configuration

Aug 15, 2011

I try to setup a ASA5510, but without success. Actually, I have Cisco1800(192.168.96.1/21) from my ISP connected to a Cisco 3825 (via port with IP 192.168.96.2) all is working good. Now I want to insert a asa firewall between ISP router and 3825.
 
For that, I tried a more simple config :
ISProuter (192.168.96.1/21) ----  ASA outside port(192.168.96.2/255.255.255.248)  ASA INSIDE port (192.168.100.1/255.255.255.0) ---  a pc with IP 192.168.100.2, netsmask 255.255.255.0, gateway 192.168.100.1
From my ASA, I can ping 192.168.96.1.  but a "ping INSIDE 192.168.96.1" fail
from py pc, can ping 192.168.100.1, but not 192.168.96.1
Here, my ASA config :
 
ASA Version 7.0(8)host name cisco asa
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
[code]....

View 1 Replies View Related

D-Link :: DIR 825 - Firmware Updates And Configuration

Apr 4, 2011

Just bought three D-Links from abroad ( Canada) and now am in Mauritius. They are brand new and now going to set them up.

1) DIR-825 H/W : B1 F/W : 2.02NA
2) DNS-323 H/W : C1 F/W : 1.09
3) DWA-140 H/w : B2 F/H : 1.50

I already own a Beetel 220BX2 modem. I will be connecting :
1) my PC through the DWA-140
2) three Samsung Galaxy S
3) One LG phone (b/g)
4) Network Player (Yet to be bought)
5) Laptop

What are the steps to follow (Firmware updates, Configurations). I was planning to do VPN and to have each device have its own IP.

View 14 Replies View Related

Cisco :: LMS 3.2 / Error While Downloading New Updates Device Updates?

Sep 25, 2012

We have currently LMS 3.2 installed. We know have some new switches C2960-48PST-L that are not supported in CiscoView and Common Services.When trying an update in Software Center | Device Update, we receive an error message:Error while downloading package information from Cisco.com for the selected products. See the C:/PROGRA~1/CSCOpx/log/psu.log file for details.
 
The psu.log file shows the following:
[ Wed Sep 26 14:33:15 CEST 2012 ] INFO   [SecurityHandler : getCSProxyLogin]  : No proxy User Name configured
[ Wed Sep 26 14:33:15 CEST 2012 ] INFO   [SecurityHandler : getCSProxyHost]  : No proxy Host configured
[ Wed Sep 26 14:33:24 CEST 2012 ] INFO   [SecurityHandler : getCSProxyHost]  : No proxy Host configured
[ Wed Sep 26 14:33:24 CEST 2012 ] INFO   [SecurityHandler : getCSProxyPort]  : No proxy port confgured
[ Wed Sep 26 14:33:26 CEST 2012 ] INFO   [SecurityHandler : getCSProxyHost]  : No proxy Host configured
[ Wed Sep 26 14:33:26 CEST 2012 ] INFO   [SecurityHandler : getCSProxyPort]  : No proxy port confgured

[code]....

View 2 Replies View Related

TP-Link ADSL2+ Wireless :: TD-W8968 - Firmware Updates Overwritten Configuration

Apr 17, 2013

Region : UnitedKingdom
Model : TD-W8968
Hardware Version : V1
Firmware Version : TD-W8968_V1_130217

Having just updated the firmware I was surprised that it overwrote my configuration (WAN LAN & WiFi) settings.Is this normal for TP-Link firmware updates ?

View 3 Replies View Related

Cisco Firewall :: Getting ASA 5505 Firmware Updates?

Jun 19, 2011

We are a relatively new Cisco partner. We used to work with CDW and now we are buying from distribution and selling directly. We buy a lot of ASA 5505 units from D&H.
 
My question is, aside from the disc that comes with the unit where do we download the latest firmware image and management software? It appears you have to have a contract ID to get these through the Cisco website. Do we not get "car blanche" access as a Cisco partner to these resources?
 
Also doesn't the Cisco ASA 5505 at least come with a license for the latest firmware? Many ship with very old software and even old CDROMs.

View 2 Replies View Related

Cisco VPN :: Configuring Two ASA 5520s In Active / Standby Configuration?

Feb 12, 2012

I'm working on configuring two ASA 5520's in an Active/Standby configuration.  I've got almost everything the same between the two units for AnyConnect to work expect the following two items:

     AnyConnect Client Profiles
     AnyConnect Client Software
 
If I upload the software manually to the Standby unit I get warning about them not being in sync and on the active unit if I do a 'write standby' it does not copy the profile or software.

View 2 Replies View Related

Cisco Application :: Standby ACE-4710 Lost Its Configuration After Reload?

Oct 20, 2009

I have two ACE-4710 in active/standby mode, running code A3(2.2). Four contexts are configured. Both devices were functional without problem, until I reload the standby unit. After reload, the standby unit completely lost its configuration with exception of the FT vlan and the FT peer configuration in the Admin context... Both units recognized each-other and I can still ping the primary unit on the FT vlan, but nothing else. Contexts are lost and interfaces are shutdown! Nothing changed at the software level, both devices run exactly the same image and the same licences are installed (it worked well before the reload).
 
So, I decided to reconfigure the basics on the standby unit in order to trigger a config sync from the primary. And here arrives the problem : I reconfigure the FT vlan, the FT peer, I check the peer state and everything is OK.
 
Then, I try to ping the primary unit from the standby unit with success :
 
switch/Admin# ping 192.168.16.1
Pinging 192.168.16.1 with timeout = 2, count = 5, size = 100 ....
Response from 192.168.16.1 :  seq 1 time 0.000 ms

[Code]......

View 3 Replies View Related

Cisco Firewall :: Are Both ASA5505 / AIP SSM-10 Able To Receive OS Updates With Service Contract

Mar 8, 2013

I currently have 2 5505 SEC BUN as Primary/FO Firewalls and I am considering purchasing the ASA5510-AIP10-K9 for use as a dedicated IPS device.  Looking at url... I see that for service updates, CON-SU1-AS1A10K9 is available for this product, providing  "IPS Signature and Engine Updates" and "OS Updates."
 
It is my understanding that in the ASA5510-AIP10-K9 there are 2 OS:

1. ASA OS
2. AIP SSM-10 OS
 
My question is: Are both the ASA and AIP SSM-10 able to receive "OS updates" with this service contract? Essentially, I want to make sure that when I submit by budget, there isn't another contract that I also need.

View 8 Replies View Related

Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?

View 3 Replies View Related

Cisco Firewall :: Monitoring ASA 5505 Firewall Active / Standby Pair Using SNMP?

Sep 7, 2011

How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
 
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?

View 1 Replies View Related

Cisco VPN :: VPN Configuration On ASA5510 With Two WAN

Jul 9, 2012

how to configure IPSEC VPN, but unsuccessfully.At my office are two uplinks - LAN and Backup, both are connected to ASA5510 (with static IP) and I would like to create ipsec to data center where I have another ASA5510 with one uplink.

View 7 Replies View Related

Cisco WAN :: 3560G Layer 3 - Getting The Configuration For ASA5510?

Apr 19, 2013

I am currently working on my first ASA5510 configuration and am running into some issues. The ASA is running 8.2(5). The network setup is as follows:Layer 3 switch with 4 VLANs with ip routing enabled.All systems are pointing to the 3560 as their default gateway. ip route 0.0.0.0 0.0.0.0 10.20.100.30 (asa)The ASA is directly connected to the L3 switch on one of the VLANs. The other VLANs are not established on the ASA, but static routes have been created for them on the ASA.I am able to ping the ASA from the switches, etc.I am able to ping the switches from the ASA When connected to VPN Client to ASA, I am unable to reach anything behind it. When at the office, I am unable to reach the internet from the ASA.The following NAT configuration is in place on the ASA;
 
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved