Cisco Firewall :: Connection Failure In ASA 5520 Security Contexts
Mar 27, 2011
Ive got a virtualised firewall running 3 security contexts in routed mode. What am experiencing is that i cannot connect to an OUTSIDE host through the security contexts. From the firewall itself i cannot ping the directly attached host on the OUTSIDE interface but i can ping the directly attached host on the INSIDE interface. When i reload the firewall box, the first ping to the OUTSIDE host would be successful but subsequent pings fail and thus total connectivity is lost.
I even tried upgrading to ASA version 8.4(1) but still the same.
View 5 Replies
ADVERTISEMENT
Jan 31, 2012
In the latest code, is VPN still disabled when using contexts? If you use a 5520 as an ISP based firewall for customers, then what would be used for VPN access? Also how many contexts does a 5520 support, and would putting 2 interfaces into an etherchannel for inside, and 2 for outside work? Reason I ask about that, the inside and outside would connect to 2 different core routers. I would be for an MPLS setup.
View 5 Replies
View Related
Jan 28, 2013
I have a ASA 5510 with Security Plus License and when I looked at the devices a few days ago I had 2 contexts, however after configuring the Mgm port as a regular port the contexts show 0, why? I can not find any post on the internet where this issue has happen: here is the output from show ver:
Cisco Adaptive Security Appliance Software Version 7.0(8)
Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
[Code]......
View 3 Replies
View Related
Feb 5, 2012
We are going to deploy a active/active setup of 2 ASA 5585's. Here we will implement a concept of security zones through context's where different services will be firewall through a separate firewall context. will a security context consume 1 or 2 licenses because we are running in a Active/active setup? Right now I got completely confused when my manager asked me that question.I would say that we only use on security context license - but since we are running in a active/active setup - even though the other instance is standby - will it consume a context license? We are using ASA OS 8.4.x.
View 5 Replies
View Related
Jan 23, 2013
I have setup a 5515-X in transparent multi-mode and setup 5 security contexts with inside and outside ports, one admin and 4 others. The problem I have run into is setting up a management IP for each context. On one of my other transparent firewalls in production we were able to apply an IP to the security context (not interface) however the new firewall is running the latest software and this same functionality is not available. The only options for IP in context mode is IP AUDIT. So my next plan was to create sub-interfaces of the management interface and assign one to each context however the 5515-x does not allow sub-interfaces on the management interface. How I setup a management IP on each context?
Another interesting thing i read is that the managment IP assigned to a context (if i could figure out how to set it up), has to be in the same subnet as the data interface which if fine but it also says that the management interface should not be connected to the same switch as the data interface because of MAC address table update issues, meaning that i could not use a sub-interface of one of the already configured context ports.
View 3 Replies
View Related
Jun 1, 2011
I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
View 1 Replies
View Related
Jul 2, 2012
After upgrading an ASA5520 from 8.4(1) to 8.4(4.1) I ran into the following trouble:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.149.21/53 dst inside:192.168.37.123/53 [code].....
All the subnets mentioned above are connected via VPN.
View 6 Replies
View Related
Jul 4, 2012
I am trying to lock down the VPN access on my Cisco 5520 ASA's whereby I wish not to allow users to SSH access etc on servers running on the same interface that they are VPNing into.
I did not originally configure the ASA and so I am slightly confused by some config on it. Currently when I attempt to PING a server within the same interface as the VPN network I get the following error in the logs below.
5 Jul 05 2012 09:45:15 305013 monitoringsystem Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmzAHdata:VPN IP dst AHdata:monitoringsystem (type 8, code 0) denied due to NAT reverse path failure
As a workaround I created a NAT exempt rule which then allowed traffic to the server in question however I wish to limit the traffic to only ICMP and when I do this in the firewall it does not take affect. Is this because of the NAT exempt rule?
View 1 Replies
View Related
Mar 30, 2011
I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
IPS soft is 6.0(4) and ASA soft is 8.0(3)
I have checked cisco doc and it is confusing to me. it says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..
View 2 Replies
View Related
Feb 21, 2011
Is it possible to route among contexts (I have 5 contexts) in the ASA without sending traffic to a fusion router (external router) to be routed. I am running ASA 8.3.
View 2 Replies
View Related
Mar 7, 2011
Do I need the security plus license to do HA with two 5520's?I was told by our purchasing department that the 5520 was supposed to be able to do HA out of the box, but when I look I see only the VPN + license. Does that mean I can download the security plus license? Or do I even need it on the 5520.
View 2 Replies
View Related
Jun 17, 2012
I have an ASA 5520 running 8.0(3) with two Subinterfaces configured like this:
=================================
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/1.72
description VLAN 72
[code]....
(notice that they have the same security-level)I need to control the traffic between them with ACLs so I in ASDM unchecked "enable traffic between two or more interfaces with same security level" and "enable traffic between two or more hosts connected to the same interface"Now I cannot ping from one Vlan to the other, as expected,,, but I tried many different ACLs and I cannot ping or telnet to the other side from either one.
View 9 Replies
View Related
May 6, 2013
I have a DMZ (50) from where I need to allow some protocols to inside zone (level 0). I am doing that with ACL, but after having done that the implicit security level rule to lower level (outsite level 0) is not working anymore, I guess by the implicity deny after the acl. I'd need allow traffic to the outside zone from DMZ, as well as the inspect traffic from the inside one. Is there anyway to have both ACL and Security levels?
If not, what do I need to do to just allow some protocols going to higher level and leave the higher-to-lower traffic inspected allowed, same schema as we have with security levels.
View 3 Replies
View Related
Jun 4, 2013
What is the maximum number of contexts a pair of 5515Xs in HA mode can support?
I know each 5515X can have a max of 5 contexts, but does that mean in HA mode a pair can support 10 with license pooling?
View 8 Replies
View Related
Apr 19, 2011
Q1. I would like to confirm like how many total of contexts do I have by default when I purchase the ASA 5540 ? are they two contexts aside from the admin context or two contexts including the admin context?
Q2. can I configure the default box with High Availability using the default contexts?
View 3 Replies
View Related
Nov 10, 2011
On a Cisco ASA 5520. I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other but I DON'T want to blanket enable 'same-security-traffic permit inter-interface" I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic and it simply doesn't work.
interface GigabitEthernet0/3.175
vlan 175
nameif Test175
security-level 30
ip address 172.30.175.1 255.255.255.0
[code]....
View 13 Replies
View Related
Mar 27, 2013
I have issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with ACL. Even no restriction, traffic does not go through. [code]
I tried to access server from THREE network to web server at FOUR network I have no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) " I am not sure what else should I do. I add both same-security-level commands and it is the same.
View 6 Replies
View Related
Feb 27, 2012
I have two 7609S routers each with a FWSM running 4.0( 8). I am licensed for 20 contexts.
Recently, I added a context for a new application and required access to a VLAN that already had an interface in another context.
The MAC address assigned to the interface in the new context was assigned the same MAC address as the interface in the previous context. This caused an application running through the first context to fail.
I know that on the FWSM I cannot hard code a MAC address to an interface in a context so how do I get around this problem caused by the duplicate MAC addresses?
View 1 Replies
View Related
Mar 26, 2012
I'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a vrf. All this is configured on a 6500 switch with the FWSM running 3.1(4)
CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER
At the moment we can make the control connection but when we issue commands the connection times out.
Looking at the logs we can see the initial connection made to the server on port 21 from the client, this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/Inspection, then on the second context we see the connection being denied by the incoming ACL on the second contexts interface connected to the VRF instance.
The rules are identical on the contexts and have been made by copying and paste the rule using CSM, we are using the predefined service group 'FTP-Group' which contains both tcp 20 & 21. FTP inspection is at default on both contexts.
We have tested with Win XP (capable of Active FTP only) & Firefox 3.6.12 which is the connections we are seeing in the logs trying to do Passive FTP.
Is this a problem with teh contexts randomizing sequence numbers or TCP Normalization? Or do we just have a problem with the Inspection engine on one of the contexts (I would have expected to see this on both contexts if it was a bug).
View 1 Replies
View Related
Jun 28, 2011
I am just designing a solution where a FWSM consists of 2 contexts initially and has a shared outside interface pointing to the 6500 switch. There are 3 subnets connected to each of the FWSM contexts. So if anyone wants to access these 6 subnets then a route would be needed pointing to the interface vlan of the shared interface on the switch. But that would not be enough to access the subnets.. I am sure we have to define static NATS to point them to the right context where these subnets reside.
The FWSM is running version 3.x code So say 1.1.1.0(shared), 10.10.0.0(inside1), 10.20.0.0(inside2) and 10.30.0.0(inside3) reside in Context 1 and 1.1.1.0(shared), 20.10.0.0(dmz1), 20.20.0.0(dmz2) and 20.30.0.0(dmz3) reside in Context 2 in each of the context we would have to make three static NATS
static(inside1,shared) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static(inside2,shared) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static(inside3,shared) 10.30.0.0 10.30.0.0 netmask 255.255.255.0
The same would go for context 2 as well
static(dmz1,shared) 20.10.0.0 20.10.0.0 netmask 255.255.255.0
static(dmz2,shared) 20.20.0.0 20.20.0.0 netmask 255.255.255.0
static(dmz3,shared) 20.30.0.0 20.30.0.0 netmask 255.255.255.0
By creating these NAT statements, would the outside users be able to access the subnets residing in the context?
View 1 Replies
View Related
Apr 3, 2013
if on the ASA 5512-X virtual contexts are supported with version 9.1 ?
I found different information on the Cisco web, the ASA datasheet says it is supported but in the configuration guide I found exactly the opposite information.
Cisco ASA Series General Operations CLI Configuration Guide 9.1 and 8.6 [URL]
Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated) [URL]
View 7 Replies
View Related
May 6, 2013
We are deploying the Cisco ASA 5585 in transparent mode with multiple contexts, the port-channel was configured to connect to the core switches using dot1q trunk. We are experiencing an issue which is the core switches are configured loop guard globally, therefore the port-channel connected to the firewalls will be put into inconsistent state when the failover happen, and the two firewalls' failover can not fulfill the failover at last.
I have two queries below:
1. Does the firewall allow the BPDU passing through when it is in standby mode, for example, secondary firewall is active for group 2 and standby for group 1. does the secondary firewall block the BPDU from the vlans under group1 ?
2. Can we disable the loop guard feature on the switch port-channel or is there any other way to solve this issue ?
View 1 Replies
View Related
May 12, 2013
We are currently looking at design models for a Multi-Tenancy solution.The firewall layer will be 2 X ASA's running 9.X to take advantage of VPN's in multiple context mode and mixed L3 and L2 contexts.
We will be delivering services through multiple L3 contexts (between 2 and 5 L3 contexts for services) and 1 transparent context for customers infrastructure who will then have virtual firewalls for NAT's and VPN's etc withing their own environment.
I am not very experienced with IPS so my query is; if we were to get an IPS license for both ASA's how would the IPS fit in, can we use it to inspect traffic for all the L3 contexts and the transparent context?
View 4 Replies
View Related
Apr 14, 2011
I have 2 sites connected with ASA 5520 Site-to-Site vpn. now I'm adding a 3rd location that will connect both original sites the config should be the easy part (I assume it is the same concept going to each of them) the question is more of a designconcept one: what are the hidden failure points, things i didn't think of etc - I must ensure this triangle function and avoid loops and other problems
View 2 Replies
View Related
Dec 12, 2012
I have a problem with the connections to the remote webservice passing through ASA 5520 firewall. Connections are usually interrupted in perod of half an hour in every few days.
This ASA 5520 firewall is only one firewall in a path to the remote webservice.
During the interruption I find the logs:
UTC: %ASA--4-419002: Duplicate TCP SYN from dmz1:x.x.x.x/.... to outside:y.y.y.y/p with different initial sequence number
Teardown TCP connection 28309406 for outside:y.y.y.y/p to dmz1:x.x.x.x/.... duration 0:00:30 bytes 0 SYN Timeout
How I could find root cause? Could it be solution implemetation of TCP State Bypass?
View 1 Replies
View Related
Oct 7, 2012
We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510, I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4.I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with a "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed". Even after I create a user with level 15 privilege and assign to my vpn group policy.I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.
View 23 Replies
View Related
Apr 9, 2013
Device Cisco ASA
Model:5520
OS 8.4(2)
I am not able to access the device via SSH .After connecting to teh console I have found that allowed SSh session are fully utilized with show resource usage command and the output is [code]
So I used show ssh session command to see who is using the sessions but in the output it has showed only one session and the output was [code]
I was wondering why it shows only one session above instead of showing all the 5 sessions which are utilized as confirmed by show resource usge command.We are usning some internal tool for ssh monitoring on device which is poling the device after a fixed interval for port 22 reachabilty .I dont think these tools are making any issue as this is secondary firewall and we are not facing any reachabilty issue for primary firewall.also we are using 10 min for idle ssh timeout.
View 13 Replies
View Related
Oct 25, 2011
I configured multiple vlan on my Cisco ASA5520. Everything work perfectly except RDP (3389) connections. The connections are established but but after a period of inactivity, the user is disconnected from server (black screen). The same problem happens with other type of connections (client/server), exemple : Oracle, file sharing. Before installing the ASA, computers and servers were in the same vlan and it worked well.
There's a notion of inter vlan timeout connection ?
View 5 Replies
View Related
Mar 30, 2013
As part of my business' PCI compliance regime, we are regularly scanned for vulnerabilities. Today we started getting notifications of failure on all of the QuickVPN ports (443, 60443) for the following:
Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
06/11/12 CVE 2009-3555 Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.
Cisco, will you be issuing a firmware update to address this anytime in the near future? Presumably it effects all the other RV routers as well.
View 3 Replies
View Related
Dec 20, 2011
Yesterday I discovered the primary and secondary CAS were both in active state and reporting their fellow peer as dead (I did this using ./fostate.sh), causing authentication errors on the network. I had to stop the perfigo process on the primary one to restore service.
After closer investigation I have discovered that when I put my laptop on the same subnet as their eth2 interfaces (eth0, eth1 and serial are not used for heartbeat only eth2), I can ping the eth2 ip address for the primary device, but can't ping that of the secondary device. See configs and outputs below. I am also wondering why the secondary CAS shows its eth0 and eth1 interfaces as fake0 and fake1.
[root@CAS-SEC ~]# ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:1F:29:5D:1C:6C
inet addr:172.29.254.10 Bcast:172.29.254.11 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11205 errors:0 dropped:0 overruns:0 frame:0
[code].....
View 2 Replies
View Related
Oct 16, 2012
What's the difference between VPN Plus license and Security Plus license. I have new 5520 shipped with VPN Plus license.Also does it require a seperate license for Anyconnect for Mobile and AnyConnect Essentials.
View 1 Replies
View Related
Jun 24, 2012
I have a Cisco ASA 5520 that I'd like to be able to connect directly to our gigabit fiber connection (we're currently connected through a media converter that's causing problems). I've found the following:Cisco ASA 5500 Series 4 Port Gigabit Ethernet Security Services Module [URL]. I only need a single fiber connection, as opposed to the 4 copper + 4 fiber.
View 1 Replies
View Related
May 30, 2013
We are working with an ASA 5520 and it seems there is an issue with some email messages sent throught it. When there are many recipients in the emails the email messages are not sent, and I have revised the server an the only thing I see is connecting dropped. When I went to see ASA log and see this log report: ESMTP Classification: Dropped connection for ESMTP Request from 'interface': servername/portnumber to outside: IP address/25; matched Class 2: cmd RCPT count gt 100 tcp flow from interface:servername/portnumber to outside: IP address/25 terminated by inspection engine, reason - inspector disconnected, dropped packet. So I think there should be an inspection of ESMTP packets and if they detect an email message sent to over 100 addresses, then the packet is dropped, am I right? if so, what should I do to let those email messages be sent?
View 6 Replies
View Related
