I'm testing upgrading an ASA from 8.2.5 to 8.4.4. During the upgrade, it changed all of my ACL host entries to objects. But I noticed that the keyword "host" is still a valid option when creating an ACL.
I'm trying to understand why this change is made during the migration.
My ASA5505 has an external address of x.x.x.13. We have another 2 spare IP addresses: x.x.x.10 and x.x.x.11. We also have 2 internal hosts, y.y.y.146 and y.y.y.70, which we need to provide with internet access using NAT.
We recently updated our ASA to software version 8.3(1). I was thinking that I could do it using network objects and groups, but didn't quite understand how this should be done.
The goal is to set up the ASA so that if either of the above-mentioned 2 hosts connects to the internet, it takes one of the 2 external addresses. All other hosts should use PAT through x.x.x.13.
I'm working with ASA 5520s and want to know how to add network objects via CLI. I know I could easily do it using ASDM, but I like to learn the hard way first. How do I add the subnet mask for a network object when creating it via CLI? [code] That sets up the hosts with IP addresses, but how do I add the subnet mask?
I am trying to create host objects that I'll then add to network-object groups for use in ACLs/ACEs. When I try to create a host I am having trouble adding the IP address. I then get an error saying the host name must start and end with letters or numbers and only contain letters or numbers. What do I need to do to create hosts from the CLI?
When I migrated the ASA config from 8.2 to 8.3, in all groups the group members have been replaced by the IP address object. However, while the "name" for this object has been migrated, the "object network name" configuration is missing.
What I can do now is open the newly created object in ASDM, search for the object with this IP address and then enter the object name I had before. When I apply the config, ASDM then creates the object and replaces all affected objects in all groups, by replacing the object group member "network-object host hostname" with "network-object object hostname".
Do you know if there exists an automated way, which checks all the groups for members "network-object host", creates the "object network" and replaces the "network-object host" with "network-object object" within the group? We have a lot of groups, some of which contain > 50 members.
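As an added example, not code from any of the posters, here is a small Python helper for the situation the last post describes (and it also shows the `host` versus `subnet` object syntax the earlier CLI question asks about). It reads a configuration fragment in which the 8.2-style `name` entries survived the migration but no matching `object network` was generated, emits an `object network <name>` / `host <ip>` block for each hostname still referenced as `network-object host <name>`, rewrites those members to `network-object object <name>`, and does the same for `network-object <ip> <mask>` members using a `subnet` line. The `obj-<ip>-<prefix>` naming for subnet objects and the sample configuration are this example's own assumptions, not an ASA convention; literal-IP `host` members are left alone because that syntax is still valid on 8.3+.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not taken from the posts): an 8.2 -> 8.3 migrated
# fragment where the "name" entries exist but no "object network" does.
SAMPLE_CONFIG = """\
names
name 10.1.1.10 webserver
name 10.1.1.11 mailserver
object network obj-any
 subnet 0.0.0.0 0.0.0.0
object-group network DMZ_SERVERS
 network-object host webserver
 network-object host mailserver
 network-object 10.1.2.0 255.255.255.0
object-group network ADMIN_HOSTS
 network-object host 10.1.3.5
 network-object host webserver
"""

NAME_RE = re.compile(r"^name (\d+\.\d+\.\d+\.\d+) (\S+)$")
OBJECT_RE = re.compile(r"^object network (\S+)$")
GROUP_RE = re.compile(r"^object-group network (\S+)$")
HOST_MEMBER_RE = re.compile(r"^ network-object host (\S+)$")
SUBNET_MEMBER_RE = re.compile(
    r"^ network-object (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")


def parse_names(config: str) -> Dict[str, str]:
    """Map every 'name <ip> <hostname>' entry to hostname -> ip."""
    return {m.group(2): m.group(1)
            for m in map(NAME_RE.match, config.splitlines()) if m}


def existing_objects(config: str) -> set:
    """Names of 'object network' blocks already present in the config."""
    return {m.group(1) for m in map(OBJECT_RE.match, config.splitlines()) if m}


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; used only to build a readable object name."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def migrate_groups(config: str) -> Tuple[str, Dict[str, str]]:
    """Rewrite object-group members to 8.3-style object references.

    'network-object host <name>' (where <name> is a migrated 'name' entry)
    becomes 'network-object object <name>' backed by an 'object network'
    block with a 'host <ip>' line; 'network-object <ip> <mask>' becomes a
    reference to 'object network obj-<ip>-<prefix>' with a 'subnet' line
    (assumed naming). New object blocks are placed before the first
    object-group, because the ASA rejects a reference to an object that
    does not exist yet. Returns (new_config, {object_name: definition}).
    """
    names = parse_names(config)
    already = existing_objects(config)
    created: Dict[str, str] = {}
    body: List[str] = []
    first_group = -1
    in_group = False
    for line in config.splitlines():
        if GROUP_RE.match(line):
            in_group = True
            if first_group < 0:
                first_group = len(body)
        elif not line.startswith(" "):
            in_group = False  # any other top-level command ends the group
        if in_group:
            m = HOST_MEMBER_RE.match(line)
            if m and m.group(1) in names:
                obj = m.group(1)
                if obj not in already:
                    created[obj] = f"object network {obj}\n host {names[obj]}"
                line = f" network-object object {obj}"
            else:
                m = SUBNET_MEMBER_RE.match(line)
                if m:
                    ip, mask = m.groups()
                    obj = f"obj-{ip}-{mask_to_prefix(mask)}"
                    if obj not in already:
                        created[obj] = f"object network {obj}\n subnet {ip} {mask}"
                    line = f" network-object object {obj}"
        body.append(line)
    if first_group < 0:
        return config, created
    head, tail = body[:first_group], body[first_group:]
    return "\n".join(head + list(created.values()) + tail) + "\n", created


if __name__ == "__main__":
    new_config, made = migrate_groups(SAMPLE_CONFIG)
    print(new_config)
    print(f"# created {len(made)} object(s): {', '.join(made)}")
```

Run it against a `show running-config` saved to a file and paste the result back only after reviewing it: the script is deliberately conservative (it never renames or deletes anything), but the `obj-` names it invents for subnet members are a choice you may want to replace with your own naming scheme.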
I have a customer with an existing 5505 which connects to multiple sites for site-to-site VPN. This firewall was not installed by myself originally; I have just been asked to take a look now. The situation is that we now need to edit one of the existing site-to-site VPNs to include the remote site's expanded network. I have tried doing this through the ASDM and have found that I cannot add new network objects. I have tried creating a new network object group and then adding the new networks from there, but I am completely unable to add the new objects. I believe a picture tells a thousand words in this case, so I have attached some images which show the problem. I have also tried going through the VPN wizard; this also does not allow me to add new network objects.
I use tracking objects around the organization where I work to monitor WAN and VPN connections and add/remove routes based on the state of the object. I have 2 locations that are constantly going up and down, and I've been troubleshooting and monitoring for the last few weeks without finding anything. I've been increasing the timeout for the SLA and it seems like this is working a little (fewer overall drops), but the drops still occur. Our ISP reports no issues and we see no issues internally on the circuits. Just out of curiosity, could this be some kind of IOS bug or hardware malfunction? The router logs are full of these:
Mar 21 16:18:33: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down
Mar 21 16:18:38: %TRACKING-5-STATE: 2 ip sla 2 reachability Down->Up
Mar 21 17:24:14: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down
Mar 21 17:24:19: %TRACKING-5-STATE: 2 ip sla 2 reachability Down->Up
The IOS version of the router I took these from is 151-4.M6 advanced IP services and it's a 2821 router.
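An added example, not code from the poster, that turns the `%TRACKING-5-STATE` lines above into something you can reason about: it parses each transition, pairs every `Up->Down` with the following `Down->Up` for the same track, and reports how long each Down period actually lasted. In the posted lines every outage is exactly 5 seconds, and seeing that number per track is what tells you whether the SLA probe timeout and the track object's `delay` are longer or shorter than the blips. The sample log is constructed from the posted lines plus a second track with a longer outage for contrast; the year is an assumption because IOS syslog lines carry none.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: the four lines from the post plus a second track (3)
# whose outage lasts several minutes, so the two cases can be told apart.
SAMPLE_LOG = """\
Mar 21 16:18:33: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down
Mar 21 16:18:38: %TRACKING-5-STATE: 2 ip sla 2 reachability Down->Up
Mar 21 17:24:14: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down
Mar 21 17:24:19: %TRACKING-5-STATE: 2 ip sla 2 reachability Down->Up
Mar 21 18:02:00: %TRACKING-5-STATE: 3 ip sla 3 reachability Up->Down
Mar 21 18:09:30: %TRACKING-5-STATE: 3 ip sla 3 reachability Down->Up
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): %TRACKING-5-STATE: "
    r"(?P<track>\d+) ip sla (?P<sla>\d+) reachability (?P<frm>\w+)->(?P<to>\w+)$")

Event = Tuple[datetime, int, str, str]  # (timestamp, track, from, to)


def parse_events(log: str, year: int = 2013) -> List[Event]:
    """Parse tracking transitions; lines that are not %TRACKING-5-STATE are skipped.
    The year is assumed, since the syslog timestamp does not include one."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group("track")), m.group("frm"), m.group("to")))
    return events


def down_intervals(events: List[Event]) -> Dict[int, List[float]]:
    """Per track, the length in seconds of each completed Down period."""
    pending: Dict[int, datetime] = {}
    result: Dict[int, List[float]] = {}
    for ts, track, _frm, to in sorted(events):
        if to == "Down":
            pending[track] = ts
        elif to == "Up" and track in pending:
            seconds = (ts - pending.pop(track)).total_seconds()
            result.setdefault(track, []).append(seconds)
    return result


def flapping_tracks(events: List[Event], max_down_seconds: float = 10.0,
                    min_flaps: int = 2) -> Dict[int, Tuple[int, float]]:
    """Tracks that went Down and recovered within max_down_seconds at least
    min_flaps times. Returns track -> (number of short outages, longest one),
    so the longest value can be compared with the probe timeout and the
    track's delay setting; a track that stays down is not reported here."""
    report: Dict[int, Tuple[int, float]] = {}
    for track, durations in down_intervals(events).items():
        short = [d for d in durations if d <= max_down_seconds]
        if len(short) >= min_flaps:
            report[track] = (len(short), max(short))
    return report


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for track, durations in down_intervals(evs).items():
        print(f"track {track}: down periods (s) = {durations}")
    print("flapping:", flapping_tracks(evs))
```

Feed it the output of `show logging` (or the syslog server's file) for the affected routers; if every reported outage is a few seconds and the count climbs over weeks, the interesting question becomes what the SLA probe and its timeout look like during those seconds, not whether the circuit is down.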
I'm trying to add an extended ACL (120) to an 800 series router (887) using network objects to allow the management user IP range full access to IP services and restricted access to email only for the standard user IP range. However, as soon as I apply the ACL outbound on my VLAN, no matter what is in the ACL my PC loses internet connectivity. I've tried adding an explicit allow for my IP address and still have no access, so I'm thinking it is possibly a NAT issue; please have a look at my attached config and let me know what you think. Would I be better off trying to control data flow with ZBF? I want to restrict standard users to email access only during the work day, with web access and IM access after hours, along with blocking all P2P programs for standard users at any time. The management group will have unrestricted access to all IP protocols. My original plan was to use time-based ACLs!
Any way of doing named objects or object groups for ACLs on the ASRs? (1000 series in this case.) I'm setting up an ASR with a zone-based firewall and writing out all the addresses, ports and protocols for the ACLs associated with the various zones is creating huge, unwieldy ACLs in the config.
Does anyone have detailed knowledge about Cisco ACS 5.1 and Windows AD interaction? I wonder why the Cisco ACS domain account must have permission to create/delete domain objects. This fact really surprised me, because to my mind Cisco ACS only reads the domain structure and does not make any changes.
Can any ASA 5500, in particular the ASA5510 firewall, support jumbo frames (i.e. greater than the default standard 1500-byte frames)? I plan to use the ASAs to set up a point-to-point IPsec tunnel and need an application frame of 4 Kbytes to stay intact and not be segmented. I have done a little checking on the Cisco website and see mention of jumbo frames on the 5580 on the 10-Gig interface, but didn't see mention of the 5510. 5580s are way overkill and expensive for what I need, which is to run one mission-critical IPsec point-to-point tunnel with a maximum of no more than 100 Kbps, so the 5510 is perfect for me, but I'm not sure if it can carry the jumbo frames.
On the routers and switches it's the MTU settings, and they are configurable per interface, so I am OK there, and the circuit is a T1, which the telcos said is OK since it's the physical layer, so the only unknown is the firewall.
I have a Cisco 1841 router, and I want to configure a zone-based firewall on it. But the zone-based firewall document only says that "after 12.4(6)T" it can support the zone-based firewall. I use the IOS image "c1841-ipbasek9-mz.124-15.T9.bin", but it can't support ZFW. What kind of IOS image supports ZFW, for example ipbase, ent base, ip services, advent etc.?
Any limits on the number of IPSec sessions an ASA5520 can support over a DSL connection?
Currently, as we increase the number of IPsec VPN tunnels, our LAN switches connected to the DSL/ASA start seeing CRC/input errors. Tried different LAN ports for both the DSL and ASA connections - same results (CRCs and errors). Swapped the ASA for a PC running 1 IPsec tunnel with HD video and had no issues.
The VPN connection bandwidth demand is 50% of the DSL capacity, so we are not exceeding the DSL bandwidth. The errors get so bad that all VPN sessions drop - sometimes the VPN sessions re-establish, while in other instances a DSL modem reboot is required.
What could be the cause of the LAN switch connections seeing errors with 4+ VPN sessions established on the ASA across a DSL Internet circuit?
Do the 5510s support Active/Active HA? There is conflicting info on the datasheet stating otherwise.
[URL]. As business needs grow, customers can install a Security Plus license, upgrading two of the Cisco ASA 5510 Adaptive Security Appliance interfaces to Gigabit Ethernet and enabling integration into switched network environments through VLAN support. This upgrade license maximizes business continuity by enabling Active/Active and Active/Standby high-availability services.
I am going to update my Windows Small Business Server 2003 to 2011. I currently have an ASA 5505 with the IPS installed on it. I am reviewing the migration procedures from Microsoft. Within the procedure it asks if the firewall or router supports UPnP. Does my ASA 5505/IPS support UPnP?
Does ASA 8.3 support MAC address filtering? I want to allow a single specific laptop to log in to the ASA 8.3 firewall (for management) from anywhere on the internet. I know I can do it through VPN, but I want a simple MAC address access list or something...
A customer recently purchased an ASR 1001 under the impression it could replace their old 3662 router and ASA 5505. The ASA is configured for their SmartFilter proxy server (N2H2), and I am having a heck of a time finding any documentation on how to configure this. I found the following: To use SmartFilter with Cisco IOS firewall, install the SmartFilter components and use the IFP plugin (off-box). To configure the Cisco IOS for SmartFilter, use the Cisco document Firewall N2H2 Support located on the Cisco Web site, [URL]. Well, I found the Firewall N2H2 Support document [URL], but the ip inspect command doesn't seem to work on the ASR. Is there any way to make this work or does the ASA have to stay in line?...
I know the 5510 & 5520s support the CSC-SSM module for content filtering (anti-phishing, anti-spam, URL filtering, anti-spyware & antivirus), but what about content filtering for the ASA5525-K9? The problem that I have is that I need a firewall that supports up to 1 Gbps maximum firewall throughput and supports 250 users with the content filtering described above. I'm using the following doc for sizing and came across the ASA5525-K9 for 1 Gbps, but I'm not sure about the content filtering: url...
Will the ASA 5505 allow the addition of a 2nd external link to its configuration? I know the device is capable of redundant or backup ISP links, but that’s not what I need. I will have two different links for two different purposes. Currently we are using the ASA 5505 just for Internet access, so only the ISP link is connected, a very basic configuration. We are planning a connection to a client’s global (MPLS) network and we need to be protected against any traffic coming from that network, ergo we need to use a firewall for the connection to that external link. Now, with the final configuration, the Internet traffic must keep being routed to the ISP link, and some other traffic must be routed to the new external link. Can the ASA 5505 be configured for this scenario?
We have a new 50/10MB Comcast Deluxe connection we are trying to set up in our environment. We have a single static IP and the Comcast provided SMC-3DG router/modem has been set to "bridge mode" by Comcast. This is then plugged into one of the interfaces and that interface has the static IP defined on it with a default route to the Comcast provided gateway IP. I wired the 2851 into our layer 3 switch, set up some static routes on the 2851 back to our existing subnets and everything traffic-wise is flowing between our existing subnets and this new router.
Since the default route on our layer 3 switch points to our older 2811 router (that I'm intending to replace with this 2851), I set up a static route on our layer 3 switch to send all traffic for speedtest.net and comcast.speedtest.net out to the 2851 router. Speed tests show 12 MB down, .5 MB up. Connecting a laptop directly to the Comcast SMC modem and setting its IP to the static IP shows full speeds again, so the issue has to be with our configuration/equipment.
Can a Cisco 2851 support this 50 MB Comcast connection and do I just have it configured wrong? Or do I need a different router altogether? At first I tried the 2811, but that had slow speeds, so I figured the 2851 with twice the throughput would do a better job, but for some reason it currently is not. I have played with duplex settings (100, full, half, auto) and nothing changed. I updated the 2851 to the latest 12.4 firmware and also saw no change.