Cisco Firewall :: Configuring VLANs On 5515-X Is It Possible
Mar 29, 2013
I am trying to connect 2 VMWARE servers directly to my 5515-X firewall. [code]ASDM will not let me assign the same VLAN to both Gi0/2 and Gi0/3. I dont want to connect my VMWARE servers to a switch first (that just adds one more component that can fail).
I have a Cisco ASA 5515-x, setup as my router with a split-tunnel SSL VPN for remote users.. It works great, except when connected via VPN I can only access the same subnet the ASA and HP switch reside on. My VLANs provided via my core HP 5406zl L3 switch are inaccessible. This must just be a simple routing issue, but between Cisco and HP I can not wrap my head around it.
Comcast---> Cisco ASA (VPN) 10.20.28.1 ---> HP (vlans)-----> VLAN 1 10.20.28.254 (Works fine over VPN), VLAN 45 -10.20.45.254 (No access over vpn), VLAN 99- 10.20.99.254 (No access over vpn)
Intervlan routing works great, I can access VLAN 99 from VLAN 1 and vise-versa. I have a route on the HP switch for 0.0.0.0 0.0.0.0 10.20.28.1 for internet access. On the Cisco I have a static route of 10.20.0.0 255.255.0.0 10.20.28.254. I believe my issue is that the HP requires your default gateway to be your VLAN IP for the intervlan routing to work. With my split tunnel SSL VPN, I do not believe it uses the correct routes.
Where and what routes do I need to add so that I can access the other VLANs when connected via VPN?I have a test environment setup and I am going to start testing by disabling split tunneling to see if I can access the other VLANs.
I am currently migrating a netscreen firewall to a asa 5515 version 8.6 The issue is setting up the management connectivity.
basically the management IP of the cisco asa is not advertised. But, we want to route a management IP through the management interface to interface Gi0/2.
so IP of management interface is say - 188.8.131.52. and the IP of the inside interface is say - 184.108.40.206/24 on our router we have a static route sending 220.127.116.11/24 to next hop of 18.104.22.168 (management interface of cisco asa).
On the Cisco ASA can I send the traffic to the inside interface and manage the firewall via ssh that way?
I use the cisco 871 router as a firewall to my home-office. I have configured two vlans for each seperate port. That is, FE0 configured as VLAN 10 ----> connected to Layer 2 Switch, FE1 configured as VLAN 20 ----> connected to another Cisco Layer 2 Switch,FE2 not in use, FE3 not in use and FE4 is connected to WAN.I got 100Mbps speed from the ISP, but I can see that I only get 50mbps even connected to VLAN 10 or VLAN 20.Does configuring two VLANs on Cisco 871 router divides the bandwidth (to Internet) into half?
I have a ASA 5515-X-IPS firewall and I want to communicate firewall through ASDM-IDM. Already done the below procedure;
•1. Connect cable to Management port. •2. Open browser and type https://192.168.1.1/asdmin and download the ASDM-IDM Launcher v1.5(55) and install my laptop(OS: windows 7) •3. Connect asdm-idm launcher we put IP Address: 192.168.1.1 and username, password enter.
Just whenever we login the wizard then the message shown “ Unable to connect the asdm manager”For your kind information we already setup jre6u7 java software.
I has 4 VLANs and I want a MAC address has access to a VLAN, but not to another.
I used ACLs, but this will block the access to the access point, How to get the mac address will have access to a VLAN, eg no other Vlan? I has 4 VLANs and I want a MAC address has access to a VLAN, but not to another.
I used ACLs, but this will block the access to the access point, How to get the mac address will have access to a VLAN, eg no other Vlan?
Is there a way through the CLI to have the ASA 5515-x power back on after a power failure? Currently, the only way to restore power is to press the power button. The X series does not have a power switch the same as the 5500 series.
As per my attached diagram, I have three switches (Cat 3560-E and couple of Cat 2960-G)
Each PC is on different vlan PC -1 on vlan 100 PC-2 on vlan 200
I need to connect PC-1 and PC-2 to the server. Server has no fixed vlan and can be changed.
1) can’t change PCs vlan assignment. 2) can’t add 2nd NIC in the server.
I’ve tried private vlan but it requires separate physical ports for host and/or community vlan and somehow it did not work. I could be wrong Trunking using dot1q enabled on port 2 on all switches and connection works fine (server to PC-1 or server to PC-2) by enabling switchport access vlan 100 or switchport access vlan 200. However I need port 5 on switch-1 to respond to vlan 100 and 200.
Changes needed to make to the DHCP Server (AUSPDC) in order to get things working with the new switches.
1) Configure 3 new DHCP scopes on your DHCP server.
a) scope for 10.2.201.x/24 to serve LAN employees and give them a gateway address of 10.2.201.254.
b) a scope for 10.2.202.x/24 to serve WLAN employees and give them a gateway address of 10.2.202.254.
c) a scope for 10.2.203.x/24 to serve WLAN Guests and give them a gateway address of 10.2.203.254.
I just upgraded and decided to go with the VLAN configuration. None of my VLANS can get out to the internet or each other due to I think My ignorance in configuring the firewall.The PC's are getting proper IP address but they cannot get out or to the other VLANs. I tried to duplicate what is working for VLAN1 but it is not working.
We are trying to get Teamviewer to work on our WAN, from the log traffic from the PC's to our Cisco IronPort Web Filter it looks like the ASA Firewall is blocking the traffic. We have opened everything we can open on our Cisco IronPort Web Filter and I have a Cisco TAC case open and they said it appears the ASA Firewall must be blocking the traffic.
Recently we migrated our network to ASA 5515, since we had configured nat pool overload on our existing router the users are able to translated their ip's outside. Right now my issue was when I use the existing NAT configured to our router into firewall, it seems that the translation was not successful actually I used Dynamic NAT. When I use the Dynamic PAT(Hide) all users are able to translated to the said public IP's. I know that PAT is Port address translation but when I use static nat for specific server. The Static NAT was not able to translated. Any conflict whit PAT to Static NAT?
We have one Cisco ASA5515 firewall, I configured ftp mode to passive, inspect ftp in service, use anoother public to do NAT with ftp server, and also configued ACL in outside interface, but I failed to access the ftp server from internet use that public ip address, no problem to acces the ftp server use its inside address in LAN.
I've got a little problem with my ASA 5515-X after upgrade from version 8.6 to 9.1.
I've got two 5515-X in A/S-mode and upgraded both as described on cisco's website (first standby-unit, failover, etc.). Everything worked just fine except pinging the ASA-interfaces themselfes. Before upgrade it was possible to ping from any subnet to the internal interface, but now it's not. If I'm on the router next to the ASA I'm able to ping, but every ping from behind that router fails. The ICMP-packets get into the ASA (counter on ACL raises up), but no reply is getting into the source.
The configuration fir ICMP was not changed and says "permit 0.0.0.0 0.0.0.0" for any ICMP on the internal interface. The router betwenn my subnet and the ASA has no ACL installed and - as said above - the ICMP gets obviously to the ASA but doesn't come back!?
I was purchase ASA5515-K9 (Without IPS Edition) firewall and this is run smoothly our network. But right now i want to IPS facilities. Can i have any licnese purchase and upgrade from ASA5515-K9 to ASA5515-IPS-K9 abd use IPS edition ?
I am working on translating configuration from a firewall named Joe box to ASA 5515. On Joe box, it has 5 continuous public IP addresses (xx.xx.xx.73 -77/29), first one as interface IP and others as alias, on the Internet-facing interface. I need to configure ASA 5515 in the same way, however it seems not simple.
- The way to configure sub interfaces on 5515 is by configuring V LAN. - The interface can hold xx.xx.xx.73/29 without a problem. - The first sub interface can have IP address xx.xx.xx.74 however with different mask(/16), as it doesn’t allow /29. - The second sub interface doesn’t allow to enter IP xx.xx.xx.75, saying "Failed to apply IP address to interface GigabitEthernet0.x, as the network overlaps with interface GigabitEthernet0. Two interfaces cannot be in the same sub net."
im changing the firewall 5510 to 5515, with ASA5510 the incoming and outgoing calls work perfectly, but when i active the 5515 the outgoing calls doesnt work, only the incoming calls work.
As you see on the topology,the flow of calls happens this way:
In the outgoing calls the phone forward the call to the PABX(172.17.3.4), and the PABX forward the call through the ISP LINK to SIP SERVER (10.140.131.208). The incoming calls occur in the reverse path.
ASA 5510 config: ASA Version 7.0(8) name 172.17.3.4 PABX dns-guard ! ! interface Ethernet0/1 [Code]...
Im changing the firewall 5510 to 5515, with ASA5510 the incoming and outgoing calls work perfectly, but when i active the 5515 the outgoing calls doesnt work, only the incoming calls work.
As you see on the topology,the flow of calls happens this way: In the outgoing calls the phone forward the call to the PABX(172.17.3.4), and the PABX forward the call through the ISP LINK to SIP SERVER (10.140.131.208). The incoming calls occur in the reverse path.
ASA 5510 config:
ASA Version 7.0(8) name 172.17.3.4 PABX dns-guard ! ! interface Ethernet0/1 description ***ISP SIP Network*** [Code]....
I'm starting my configuration and i created a test environment side by side with my production. i just run startup config and connected my ad-test.com AD host to it. i can ping ad-test.com from console, ok. but it can't get internet from inside environment
here's the config..............................
: Saved : Written by enable_15 at 07:56:40.638 UTC Mon Apr 15 2013 ! ASA Version 8.6(1)2
Why do my cli commands just scroll all the content rather than having to press space to show more? It is hard to type sh run and the entire config flays past rather than being to inspect it page by page.
We have 4 1142N LAPs that I want to divide between an internal wireless and a guest wireless network using the controller. Currently all of the APs are on an established internal network, but I want to migrate one over to a test guest network before buying more LAPs to augment the networks further. Currently the port connecting to the WCS from the 3560 switch is configured as an access port using VLAN 10. Whenever I make it a trunk port carrying VLAN 10 as well as the other ports we will be using for the guest and ap-manager networks, I lose connection with the controller. To me this implies that the port on the controller is configured as an access port as well. In the documentation I found for the controller it states that by default the ports are al configured to be trunks, but it appears as though something was changed by the previous tech. All of the APs are connected to other switches, not to the controller itself.
1) How can I get the port on the controller back to being a trunk port
2) Can I use the internal DHCP server for the guest network if the subnet is different than the management subnet, or will I have to use another external server and relay/proxy it through the controller to give guest clients IP addresses?
I have a 5515 ASA that has the webVPN configured on it and it is using active directory to authenticate. The client would like to set up groups in active directory and restrict access to those groups when they are connected to the webVPN. For example, they have a group in active directory that they only want to access their "web" interface. What is the best way to configure this on the asa?
I have two ASA 5515 configured as active / standby. I configured the failover and I checked for proper operation. But when I configured access rules and NAT, I realized that the failover does not work anymore: two interfaces, inside and outside, are "Unknow (Waiting)". The other LAN interface and management are "Normal (Monitored)." [code] It is possible that some access rule deny the communication between the two asa?
I am moving from ASA 5505 to ASA 5515 because we are maxing out the number of connections that the 5505 can handle. The 5515 runs version ASA 8.6(1)2 and ASDM 6.6(1) and the 5505 version is ASA 8.2(5) ASDM 6.4(5). On the 5505 I used e0/0, 0/2, 0/4 and 0/5 as outside port with teh switch ports feature but there is no switch port feature on the 5515. I have tried to set the ports individually to numerous public IP addresses that I have but I get an error that they subnet is already associated with another interface. How do I replicate the same setup on the 5515?
Worried about denial-of-service attacks. They have 11 vm's that share a connection and want to set it up so that there is a maximum amount of traffic allowed to hit each vm, so if there is a DDoS attack it will only affect that one VM instead of all the VM's on the same connection.
What is the best way to go about this from the ASA? This is behind a 5515 with asa code version 8.6. Is there a way to rate-limit by ip address?
We installed a new ASA 5515 about a month ago for the corporate office we also have 40 branch locations that feedback VOIP, camera, and Citrix to the corp location. Each of the branch locations have a separate DSL connection with a local provider and all of them are dynamic IP addresses.
The problem I have is that I cannot figure out a access rule to make the voip traffic work 100% of the time what ends up happening is five or six random locations change IP address's every day and I could not figure out how to create a access rule for that so I create a static route with that dynamic IP and then it will change a week or so later. That's a horrible security risk and a lot of manual work.