Cisco Firewall :: Create Etherchannel With Sub-interfaces On Asa 5520 Running 8.4.1 Code?
Jun 22, 2011
I am trying to figure out how to create an etherchannel with sub-interfaces on an asa 5520 running 8.4.1 code. It doesn't seem to allow me to configure any type of sub interface on the port-channel or anywhere else once I create it.
I have a Cisco ASA 5520 running 8.2.2 with the VPN Plus license. I am wondering what the max number of sub-interfaces is that you can have on a physical interface. I know on the 5505 it was 20 sub-interfaces if you were running the Security Plus license. What is the magic number for the 5520? I have hit 20 sub-interfaces on the gi0/1 interface and now I am starting to run into problems with sub-interface #21.
I have an ASA 5510 running code 7.2 configured with SSL VPN. SSL VPN users are able to connect to the portal, which I have configured with the required resources, but these SSL users are unable to upload files to a CIFS shared directory, although they have full access to the shared folder.
I am trying to setup intervlan routing with a Cisco ASA 5510 and two 2960-S switches. The 5510 currently is using ASA Version 7.0(2) and has a base license. I tried to create a sub interface today based on some info I found regarding the routing piece and it didn't recognize the command. I'm thinking I may need to update the IOS code or the license on the firewall. I know the syntax was correct because I looked it up and found it in a Cisco document.
We are suffering an issue with ASDM 7.1(1) on a 5525-X with 9.1(1) software. In the Configuration --> Interfaces window, I can modify parameters on physical interfaces and I can modify parameters on subinterfaces, but I cannot create new subinterfaces or Etherchannels through ASDM.
When I create a subinterface, entering all parameters (interface name, VLAN id, security level, etc.), then click on the "Apply" button, nothing happens. It doesn't send anything to the ASA. If I click on another window, ASDM asks about applying changes; I click on it, but nothing is applied and the window doesn't change. It happens only when creating new interfaces. If I create them through the CLI, then I can modify parameters without any problem.
I have tried re-installing java and I have tested with 6.31, 7.9, 7.11, 7.17 Java versions, from Windows XP, Windows 2003 Server and Windows 7 computers with same issue. Also with Linux Mint distro with IcedTea Java.
I have an ASA here that refuses to load 8.x code. I do not have an issue loading 7.x code at all. When I power on the ASA it does not pass the fsck.
Loading /asa842-k8.bin... Booting...
Platform ASA5520
Loading...
IO memory blocks requested from bigphys 32bit: 20848
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
I have tried 8.0, 8.2, 8.3, 8.4 codes. I have also swapped RAM and flash.
I have an ASA 5520 running ver 8.4(1). I have attached my interface config below and need to do the following: NAT traffic coming in on GigabitEthernet0/2.101 to GigabitEthernet0/1, i.e. packets with destination 10.21.110.25 will be forwarded to 10.11.21.25. Will a nat (Production,Advocate_MPLS) static ... statement work?
------------------------------------------------------------------------
interface GigabitEthernet0/1
 description Production
 nameif Production
 security-level 100
We have an ASA 5520 which is in multiple context mode. We are trying to pass traffic from the outside interface to the dmz interface. We have a /27 public IP range. We need a small number of those addresses to be in the DMZ, for SIP servers specifically. The rest of the addresses are NAT'd to the inside interface. So I created the outside interface GigabitEthernet0/0 with 1.2.3.192/28, the inside interface GigabitEthernet0/2 with 192.168.20.0/24, and the DMZ interface on GigabitEthernet0/2.1 with 1.2.3.208/29. So all I want to do is route traffic that comes in the outside interface out to the DMZ interface for the 1.2.3.208/29 subnet. I set the gateway address as 1.2.3.214, which is the DMZ interface address on the ASA.
Our ASA 5520 firewall is running 8.0(4) IOS. I have an internal L2L VPN terminating on my firewall (from an internal remote site) on the ENG interface. With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface ACL. The security level on the ENG interface is set at 50. The security level on the destination interface PRODUCTION is set at 40. Inbound VPN traffic bypasses the ENG interface ACL, and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODUCTION interface and set as INBOUND (outbound VPN traffic).
I have a Cisco ASA 5520 that I'm configuring. On the actual firewall (which is a Linux server), we have the outside interface eth0, which has a public IP, and other sub-interfaces (eth0.1, eth0.2, ...) with other public IPs. I'd like to know how I can configure this on an ASA.
I have the security levels for both set to 50 and in the ASDM I have checked off "Enable traffic between two or more interfaces which are configured with same security levels"
But now the need has arisen that we allow each subnet to be routable to each other for SMTP traffic, how can I accomplish this?
We have been testing out IPv6 configurations on a 5520 running 8.2(4). We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure their IPv6 IPs and it works correctly. I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work. I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64, or I can add it under the Interface IPv6 Prefixes. But using the two methods yields two different interface configurations:
1.
interface GigabitEthernet0/1.40
 vlan 40
 nameif test
We have a Cisco ASA 5520 and, in order to conserve public IP addresses and (possibly) configuration, can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address.
I have an issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with an ACL. Even with no restriction, traffic does not go through. [code]
I tried to access a server from the THREE network to a web server on the FOUR network and I get no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922)". I am not sure what else I should do. I added both same-security-level commands and it is the same.
One line of an ACL was changed on an ASA 5520 (primary) and a wr mem was issued to save the change. It appears that when the wr mem was executed, the interfaces on the standby ASA bounced. Configurations have been saved in the past without the result of what's in the log entry.
ADC-5520-MGMT-FW01/stby# show log
Syslog logging: enabled
    Facility: 22
    Timestamp logging: enabled
    Standby logging: enabled
    Debug-trace logging: disabled
    Console logging: level errors, 1203060 messages logged
    Monitor logging: level errors, 1203060 messages logged
    Buffer logging: level errors, 17590658 messages logged
    Trap logging: level informational, facility 22, 450126258 messages logged
        Logging to management 10.5.3.214
        Logging to management 10.142.20.214
        Logging to management 10.218.3.31
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 464351755 messages logged
Sep 21 2011 17:35:29: %ASA-1-709006: (Primary) End Configuration Replication (STB)
Sep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface management
Sep 21 2011 17:35:44: %ASA-1-105006: (Primary) Link status 'Up' on interface outside
Sep 21
We have to enable FIPS 140-2 on our ASA 5520s for all our IPsec VPN connections. We currently have failover on our 5520s. I found a lot of information out there but some of it seems to conflict. What are the things I need to look out for, the caveats? Do the clients that connect to the VPN have to use different clients once FIPS is enabled? Do we need to recreate logical interfaces for each physical interface we have?
I have installed an ASA 5520, software version 8.4, and I have an SSM-20 installed in the ASA 5520. How do I pass traffic through this SSM-20, how do I create sensors, how do I update the signatures of this IPS module, and is there any procedure to automatically update the signatures?
The customer forgot the password for the ASA SSM-20 IPS module installed in an ASA 5520 FW. show module in the customer FW shows it in the up state. I brought it to our office test bed. Here it shows:
ASA1# sh module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520-K8         JMX1022K03A
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAB101003C2

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
[code]....
What do I do with this module in my test bed? I have to take it back to the customer site to use it in their ASA itself to troubleshoot. There its status is up and I did use all the hw-module options, but no use. The version is 5.0. This module is more than 5 years old and so far no one has upgraded the image. ASA 5520 running 8.2.5.
I configured an Etherchannel on two interfaces (Gi0/37 and Gi0/39) in a Cisco WS-C2960G-48TC-L, which is connected to an HP Blade, where they carry 2 VLANs (16 and 17). The point is that these interfaces were put on trial and, when brought up, they went into sleep mode, producing the following log.
Sep 1 16:04:38.649: %EC-5-CANNOT_BUNDLE2: Gi0/37 is not compatible with Po1 and will be suspended (trunk mode of Gi0/37 is dynamic, Po1 is trunk)
Sep 1 16:04:38.733: %EC-5-CANNOT_BUNDLE2: Gi0/39 is not compatible with Po1 and will be suspended (trunk mode of Gi0/39 is dynamic, Po1 is trunk)
I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP addresses. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
Is there a way to do a similar thing on the ASA 5520?
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
I am trying to set up an active/standby failover with 5520s running 8.4(2) and am having problems with it dropping connections during the failover. I am using a port-channel from the switch to each ASA and using sub-interfaces off that. I'm using the command Failover mac address Port-Channel1 "mac-address on primary Port-Channel1" "mac-address on standby Port-Channel1". The command goes through, but doing a show interface port-channel1 doesn't show a change in the MAC address on the secondary unit after a failover when it becomes active.
I remember I did that one time on a 2800 router with Gi0/0 and Gi0/1 to connect to another port-channel in a 3560G switch. I have no way to try it in an ISR G2 router like the 2900 or 3900 now. I know the Ethernet switch module must support it. I wonder if the integrated interfaces support it or not.
Is it possible to build a Layer 3 Etherchannel from two separate physical (layer 3) switches that are trunked together? I know you can easily do this on a single switch and on stacked switches, which I've done, but in this case the customer has purchased two 3560Xs which are not stackable yet want redundancy. The purpose of the Etherchannel is to connect both switches to a private circuit provided by the hosted partner, then route to the same setup in the DR location to different subnets.
I need to update code on my 5400 class HP ProCurves. We think we have ID'd that as what we want to move to. Are there any large numbers of 5400s and 3500s out in the world on that code, or on another code because they ID'd this as bad?
I have 2 4402 WLC running 7.x.x.x code. I also have some 1510 Mesh- L WAPs that require an old version of code. I need 4.1.192.22M for those. Is it possible to bring up a 3rd controller running this old code with the other 2 4402's running modern code? What will break? I know that anchoring and mobility might get messed up. What are the other caveats?
I have a requirement to guarantee 100Mb of bandwidth over my WAN for a particular protocol. I've noticed on the 4507R (running 12.2(54)) that I am unable to configure a class-map with "match port" (my protocol is not listed, so I can't use "match protocol").
So instead I've created an ACL with the source of the traffic I wish to guarantee. Next, I've created a policy-map, only to find that I am unable to specify "bandwidth".
Tell me how I could create a QoS profile, on a 4507R with Sup IVs running 12.2(54), in order to guarantee 100Mb to a specific subnet (or VLAN, or ideally a specific protocol).
I need to replace an existing ASA 5540 with a new ASA 5525-X. I would like to pre-stage and configure the new box with the existing config, migrate the license and export certificate files before swapping it with the old one during a change window. The new firewall will run 9.1 on deployment. Now, the same 7.2(4) config cannot just be copied over to a 5525-X running the minimum 8.6 version. There is a web-based tool available at [URL] according to Cisco documentation, but the page does not load for me (Cisco intranet-only tool?). Is there another tool for automatic conversion?
In our company we use the ACS 5, and I have a small problem. What we need to do is create a profile that will allow SHOW RUNNING CONFIG but not configure terminal. I am investigating and I'm a little bit lost. I have created a new group but I don't see any option to set permissions.