Cisco Firewall :: Interoperability ASA5540 Routing And Nat With The Same Zones?
May 18, 2011
I am migrating firewall fortinet to ASA5540 with inside (192.0.0.0/24), dmz (192.168.0.0/24), and outside (x.x.x.x), but the users of inside network gain access to the aplication for two ways: the first way is trough routing between inside and dmz, for example 192.0.0.200 to 192.168.0.20, and the another way is trough static nat between inside and dmz for example 192.0.0.200 to 192.0.0.20 (192.168.0.20 static nat). Is posible in Cisco configure that? because when i configure only firewall route the first way is OK, but when i add the second way only nat is work!
View 10 Replies
ADVERTISEMENT
Nov 8, 2011
Used a pair of ASA 5520s in HA to firewall the internet edge and to firewall traffic between internal security zones such as web and application layers? If so, is this best done using different security levels or contexts?
I'm thinking of using a routed context for securing the internet edge and then using seperate contexts for the web and application networks. Contexts will route via a L3 switch.
View 3 Replies
View Related
Apr 3, 2013
I tried many different things to get the accurate answer for my issue. I wanted to know, will i face any connectivity or looping issue in the network if i connect Broacade SAN switch on a cisco 6500 switch.Also need to know to maintain a DATA DOMAIN which SAN switch is better? Cisco or other vendor.
View 2 Replies
View Related
Nov 7, 2012
My corporate internal network is currently fire walled by an FWSM module on a 6513 switch. We have each security zone (we have eight) assigned to a FWSM context and have ACLs set up between the contexts and the enterprise LAN/WAN. Is it possible to support fire walling between these zones within a single security context? The reason I am asking is that we would like to purchase a second FWSM for use as a standby, but do not want to cough up the ~ $12K for the context license. We will ultimately be transitioning to ASAs for internal security, so do not want to spend more than we need to.
View 3 Replies
View Related
Sep 22, 2012
Does the Catalyst 3750-X (WS-C3750X-24T-L) and Allied Telesis AT-9924T url... switches work together without any issue? The two switches will be connected using the following modules: [code] The Allied Telesis switch is the core L3 switch currently being used, and the new Cisco switch to be purchased will be used for servers (single VLAN 100). It is planned to configure link aggregation between the switches. Because the Cisco switch is to connect only servers all ports except connected to Allied Telesis switch will be on a VLAN 100. I have checked the Cisco switch software configuration manual and could not find any word about GVRP protocol support. Does that mean the 3750-X will not be able to do VLAN trunking with Allied Telesis switch?
View 2 Replies
View Related
Mar 14, 2011
I am configuring an ASA5540 firewall for a client, only difference to usual being that it is to run in Transparent mode. I have looked through for an EAL4 transparent firewall config guide but found nothing and therefore assumed that the usual one would be used.The clients security bod has now come back and insisted MAC filtering should be used but I can find no reference of this anywhere. Does MAC filtering is required to make a transparent box EAL4 compliant and if so where I can find documentation supporting this?
View 1 Replies
View Related
Sep 10, 2008
I had a working vpn configuration between a local and a remote router; the remote router is not under my administration.Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.
View 28 Replies
View Related
Mar 7, 2011
I have an ASA- 5585X (v.8.2.4) directly connected to an upstream 6509, which is running EIGRP. I configured the ASA for EIGRP with same AS# and network numbers and no auto-summary. Here are the log messages I got:
Mar 8 15:11:08: %PIM-5-NBRCHG: neighbor 164.72.178.28 UP on interface Vlan150 (vrf default) Mar 8 15:11:08: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 164.72.178.28 on interface Vlan150 (vrf default)
Mar 8 15:11:11: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.28 (Vlan150) isup: new adjacencyMar 8 16:16:08: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) isup: new adjacency
Mar 8 16:18:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) is down: K-value mismatch
I lost my SSH connection to the upstream 6509 and couldn't get it back. Luckily I didn't lose my ASDM connection to the ASA, so I disabled EIGRP and went to look at the logs on the 6509.
What causes a K-value mismatch, and how to I rectify the situation?
View 1 Replies
View Related
Aug 6, 2012
I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.However, the standby ip of this firewall is not point to the secondary firewall and vice versa for the primary firewall. [code]
1) May i know how is this configuration valid in the first place? I have checked through the configuration. None of the configuration is related to this ip address.
2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?
3) We tried to use this ip address but cannot be used ? Is it related to the configuration of the standby ip address.Do note that the ping to this ip address x.x.x.120 is unreachable.
View 1 Replies
View Related
Jan 9, 2013
i have two CAT3750 need to place in L3, and it supposed that used as L3 switches by SVI for L2 routing, and I want to these two configured as redundancy by HSRP. but now I can only have one ASA5540 to connects these of L3 switches.
so, here is my questions:
1. does ASA5540 support multi vlan?
2. does it support spanning tree protocol?
3. if I've choiced to use trunking between two L3 switches, does it can pass through HSRP hello msg?
4. achive network redundancy
View 3 Replies
View Related
Jan 22, 2013
Customer has a ASA5540 at their main location and need a new ASA5500 for a DR site.
Can I simply take a config file from an ASA5540 and easily drop it on an ASA5545-X or what ever?
They are going to be using it as a VPN concentrator primarily.
Or are there going to be issues since the 5540 is running 8.4(5) and the 5545-X? Or if they upgrade to 9,0(1) or higher, then they should be the same?
View 2 Replies
View Related
Dec 21, 2011
Windows IIS server configured behind a Cisco ASA 5540 listening on port 443 currently. Access-list and static translation configured. I have been ask to redirect all port 80 calls to port 443 for this web site only at the firewall. I have suggested moving it behind our content switch with negative results. Can we do this at the firewall level? how to accomplish the redirect for a single site. 8.2.4 is current code
View 4 Replies
View Related
May 10, 2011
I upgraded our ASA5540 to 8.4, THEN noted the increased requirements for Memory. I purchased the 2Gig upgrade, but when installing in the Primary unit today, noted that there were 4 slots. Slots 1/3 had 512Mb modules, so I installed the 2 x 1Gig modules in slots 2/4.
The ASA5540 came up clean, and it "sees" the entire 3Gig of memory.
My question: Is this a SUPPORTED configuration? All documentation I have read only mentions 2Gig of memory. Also, If I had FOUR x 1Gig memory modules, would the ASA5540 support the 4Gigs of memory?
View 1 Replies
View Related
Dec 12, 2011
We have ASA 5540 with 8.2 SW. We are trying to download a file (3 MB pdf) from https session which fails if done behind the firewall. In case, the client bypasses firewall, the file gets downloaded as usuall. Interesting thing here to note is that when client is behind the firewall, its takes a long time to download the file and the file size always 312 Bytes, of course its a corrupt file.
View 3 Replies
View Related
May 9, 2011
How does one allow /31 mask for an management interface on an ASA5540 using version 8.3(1)?
I need to configure a 192.168.x.y /31 on the management 0/0 interface of a ASA5540 and it is providing me with the following error:ERROR: /31 mask is not allowed
View 1 Replies
View Related
Dec 11, 2011
I have requirement received from one of my customer. the part number given as ASA5540-AIP40-K8, same time requesting for addition of another 4Port GE Module (i believe its SSM-4GE Module). Is any option to add this module in to the above specified model (ASA5540-AIP40-K8).
As per my understanding the ASA5540 have the option to add 1 additional module only, so if we AIP-SSM module, we don't have any free slot left with to add another SSM-4GE Module in the firewall.
i am not getting even the option to add SSM-4GE in the ASA5540-AIP40-K8
View 1 Replies
View Related
Feb 12, 2013
At the moment our whole company is equipped with Catalyst switches ranging from 2950, 2960 to some 3560G and 3750X (Cores). Now I'm thinking of replacing some of the old 2950s (which are only fast ethernet) with some Brocade 6430 or 6450s, since they're so much less in pricing.My concerns though are: will spanning tree work problem free, access lists still work and any other problems I could encounter with interoperability.According to Brocade most of these things should work fine, but I'm searching for some facts from people who are running a heterogenic Network with these two brands (even the same product lines).
View 4 Replies
View Related
Jun 13, 2012
I have an inside network using PAT to one outside address. Our DNS server is on another local, but outside address. I can't get the inside network to successfully get addresses.I have another inside address that just uses the wirewall and gets addresses just fine from the same server.I have the box checked in ASDN that enables DHCP on the inside interface and points to the correct DHCP server,PAT service is working properly if I use a hard coded address for a machine on the inside network.This is an ASA5540 with 8.3(2)
View 2 Replies
View Related
Feb 26, 2013
My Expertise with Cisco ASA is Very less. I have observed Input errors in a Couple of Interfaces in Cisco ASA 5540 Firewall. [code] I need to Clear the Input errors on this particular Interface.Will Clear interface GigabitEthernet 0/0 will work?
View 4 Replies
View Related
May 23, 2011
I am attempting to FTP to a remote site through a IPSEC tunnel.When I am transfering large files the ASA5540 is showing syslog errors stating "connection timeout". What I think is happening is after about 1 hour the firewall is closing the connection control port for the FTP session and neither end is notified so eventually the transfer is stopped.What do I need to modify in the FW to accommodate these larger files?
View 1 Replies
View Related
Apr 28, 2013
I need to monitor with ping the inside sub-interface of my ASA5540, is that possible? I get the ICMP requests but no replys going out from the box.
I need to ping the 192.168.10.250 from the 192.168.5.55:
ASA Version 8.0(5)
interface GigabitEthernet0/1
nameif inside
[Code].....
View 2 Replies
View Related
Sep 23, 2012
We need Solution for disabling Anti-Replay on the Firewall for a specific tunnel. ASA 8.4(2) ) does not support disabling Anti-Replay on specific Ipsec tunnel , is it true , then if we want to disable Anti-replay , what we have to do in ASA5540 .
View 4 Replies
View Related
Jul 5, 2012
I have a ASA5540 firewall set-up with an interface MTU of 1500.
I suspect that we are receiving packets with a larger MTU but have not found an easy way of confirming this. Any command that can be run on the firewall to display the MTU packet size being received on an interface?
We are also running Solar Winds so could query an OID if such a variable exists.
View 1 Replies
View Related
Jun 10, 2013
what´s going on with an asa540 configure in multiple-context mode. I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
If I try to ping returns the same error:
CISCOASA/CONTEXTA#
JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
Following attached the conf of my asa My question is Why I can´t ping or even use snmp ?
View 5 Replies
View Related
Nov 16, 2011
how can i discover product actual part number from the device through console.I have a bought a cisco ASA5540-AIP20-K9 and i want to check either is the product is shipped us as a right product.And i want to check total BoM requriements from entering the ASA console through any CLI Command.Below My Cisco ASA BoM which i purchased.
ASA5540-AIP20-K9ASA 5540 Appliance w/ AIP-SSM-20, SW, HA, 4GE+1FE, 3DES/AES1CAB-ACUAC Power Cord (UK), C13, BS 1363, 2.5m1SF-ASA-8.3-K8ASA 5500 Series Software v8.31SF-ASA-AIP-7.0-K9ASA 5500 Series AIP Sofware 7.0 for Security Service Modules1ASA-VPN-CLNT-K9Cisco VPN Client Software (Windows, Solaris, Linux, Mac)1Included: ASA5540-VPN-PRASA 5540 VPN Premium 5000 IPsec User License (7.0 Only)1Included: ASA5500-ENCR-K9ASA 5500 Strong Encryption License (3DES/AES)1Included: ASA-AIP-20-INC-K9ASA 5500 AIP Security Services Module-20 included w/ bundles1Included: ASA-180W-PWR-ACASA 180W AC Power Supply1Included: ASA-ANYCONN-CSD-K9ASA 5500 AnyConnect Client + Cisco Security Desktop Software1CON-SU1-AS4A20K9IPS SVC, AR NBD ASA5540 w AIP-SSM-20,4GE + 1FE,3DES/AES1
View 6 Replies
View Related
Feb 1, 2013
I am adding a site in another time zone but keeping the same active directory and domain. the time zone issue if there are no servers in the other time zone?
View 1 Replies
View Related
Jan 14, 2012
I am having big problems trying to get what should be a rather simple configuration to work.I have a Cisco 2901 Router and have setup Zone Based Firewall on this.Traffic from the 192.168.223.x network does not pass through to the 192.168.1.x network.my traffic appears to disappear down the big bucket...Interesting I can ping machine on 192.168.223.0/24 network from the 192.168.1.0/24,So the static routes setup on the router on the 192.168.1.0/24 appear to be routing ok.
View 4 Replies
View Related
Apr 2, 2013
I have ASA5540 with 1000 SSL-VPN License, then I would like upgrade from 1000 to 2000. Which part I have to add between
L-ASA-SSL-1000=
L-ASA-SSL-1K-2500=
ASA5500-SSL-1000=
View 1 Replies
View Related
Jul 11, 2011
I meet a strange question about IPSec VPN between '' C3945 A---ASA5540 A----------Internet----------ASA5540 B---C3945 B "
I set ipsec vpn between ASA5540,and set Tunnel between C3945.the C3945 Configuration as follow:
C3945 A C3945 B
interface Tunnel10 interface Tunnel10
ip address 172.18.1.225 255.255.255.252 ip address 172.18.1.226 255.255.255.252
tunnel source 172.17.0.1 tunnel source 172.17.1.121
tunnel destination 172.17.1.121 tunnel destination 172.17.0.1
the strange issue is like that:
On C3945A : I can ping 172.17.1.121 with the source address 172.17.0.1,but can't ping 172.18.1.226
On C3945B : I can ping 172.17.0.1 with the source address 172.17.1.121,but can't ping 172.18.1.225
View 3 Replies
View Related
Sep 4, 2012
I have an ASA5540 running 8.4(3) which has CA and identity certificates from godaddy.com installed, identifying the ASA to VPN remote users (the are using the anyconnect client.) There is also a separate certificate server located on the inside LAN that is used for internal purposes. All client workstations have identity certs from this internal server.
We would like to be able to continue using the existing godaddy CA/identity certs to identify the ASA to the clients, but we'd like to use the internal CA server to identify the clients when they initiate the AnyConnect session to the ASA.
I have seen other postings that state you cannot have more than one vert on an interface, but this is a little different - only one cert needs to be used to identify the ASA. The other one is only to identify the users. The ASA did allow me to import the internal CA cert.
View 4 Replies
View Related
Nov 26, 2012
I need to enable VPN-3DES-AES on an ASA5540. Show version provided this info below.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
[Code]....
This platform has an ASA 5540 VPN Premium license.After doing some poking around I came across a link to request a free license but when the email came it warned that the requested license was lower than one currently assigned to the serial number provided. I do not have any of the old license information since this was set up years ago and was way before my time with the company. How to enable the feature as well as maintaining my vpn premium license features.
View 2 Replies
View Related
Apr 15, 2011
We have a ASA5540 and we would like to shutdown the VPN service. To do so, we would like to warn people by sending a message prompt when they logged in using Anyconnect. Message are only working on DA that terminate but not on those who Continue. I have also tried the Checkandmsg fonction but it behave the same way.
View 2 Replies
View Related
Jun 17, 2011
I am trying to log every connection (Build, deny, etc).But for some reason I don't see them sh log.
[Code]...
View 2 Replies
View Related
