Cisco Firewall :: Migrate Standby ASA 5540 To Backup Data Center?
Oct 11, 2012
We have backup data center where I am now planning to provide backup internet service ( in the case where there is internet down or power outage at main server room) . I have a pair of Cisco ASA's 5540, one of which I need to move to backup data center ( BDC), Presently I have ADSL router at disaster serve room with static public IP from ISP.
Currently, I am publishing all my internal resources through ASA. Now my questions, if I move Standby ASA to Disaster Server Room. How I can publish the same internal resources through standby ASA and make it standby as active during the down time of main server room
View 6 Replies
ADVERTISEMENT
Apr 4, 2011
We are planning to purchase an ASA 5505 for a VPN solution for one of our offices. The office has 50-60 user at peak load who would be connecting over the S2S VPN to the datacenter.
From a hardware standpoint, can the ASA 5505 handle this load. The licence is for unlimitedf inside hosts but what is the actual limit on this platform?
View 1 Replies
View Related
Nov 4, 2012
We will be moving to a new data center in the very near future and with them our WAN IP addresses will be changing. Any best course of action for changing the IP addresses throughout the firewall configuration? Would it be possible/suggested to export the running-config, make the neccessary changes, then import the config? I am familiar with the ASA 5510 only so far as changes are required. It is not something I work with on a regular basis.
View 5 Replies
View Related
Apr 13, 2011
I currently have two 5540's in an Active/Standby pair. The primary unit failed on February 12th, so the secondary ASA is now the active one. My question is this - we have made a lot of changes since February 12th and I am planning on fixing this failover issue over the weekend. Will the secondary (now active) FW sync it's config to the non-active FW, or will the failed FW sync it's out-of-date config - removing any changes that we've made in the last month or so.
View 1 Replies
View Related
May 15, 2011
I have 2 ASA 5540s ver 8.3 in Active/Standby state.I am considering a future hypothetical situation where I might need to rename interfaces or reallocate redundant interface groups. Doing so obviously has a major impact on the current primary configuration. My goal would be to minimize or eliminate network downtime during the interface changes.
I am wondering if it is possible to force the secondary ASA from the standby to active state.Then temporarily disable failover on the primary unit.Make the interface changes on the primary unit Then reactivate failover on the primary unit Force the primary unit back to active and secondary unit to standby My new interface configuration would then sync from the primary to the secondary.
I believe this would work but must ensure that the secondary ASA can function as the active unit while the failover is disabled on the primary unit. Is there a set length of time the secondary unit can remain active without a failover peer?
see issues with operating the secondary unit in this manner while making changes to the primary unit?
View 1 Replies
View Related
Mar 21, 2011
We setup both site-to-site VPN and Remote Access VPN client on VPN 3005 Concentrator. We want to migrate all the configs to the new ASA 5540. Do you recommend that we migrate all the configurations for VPN client first before setting up the site-to-site VPN on the ASA or it does not make any difference?
View 5 Replies
View Related
May 7, 2012
I have one server-A(windows 2008) installed one application called"host front" which gives athentication to connect Linux(mainframe console) server (SERVER B).These 2 servers are bihind the firewall.If one internal user who has the athentication to logine server-B ,tried to login server A,will get the" username and password"screen and once they enter the username and password ,will get the server-B screen.But if somebody try to connet via MPLS(we need to test MPLS site customers) from outside via ASA 5540 ,to server-A will get the "username password" screen and once enter the credentials, after 1 minitue will get error"http server faild to send datas to the server" and will not move to server -B screen.
View 1 Replies
View Related
Jul 2, 2011
We are in middle of deploying WiSM2s on our network, from a design point of view i am confused on where to position the WiSM2s. We have 2 DCs and from best practice architecture view WLC should not be placed on the Data Center segment, but it seems that is the only option i have.
DCs host 6509s, i am planning to host 1 WiSM in each DC, all clients will be on seperate subnet. Do you foresee any issues with this deployment or any security issues? authentications are followed as per cisco recommendation, clients authenticated against AD through ACS so it is fairly secure.
View 3 Replies
View Related
Feb 22, 2012
How to trace firewall and load balancers placed in data center.
View 6 Replies
View Related
Oct 21, 2011
We have had this issue for a long time in our enterprise. I don't work all the time in networking. I did a CCNA a while ago. We used to have a network manager who set everything up but he left the company. Basically we have this issue that if you connect to Cisco L2TP Remote Access VPN you can't access any resources at our Data Center. Also if you connect directly to the LAN.
View 10 Replies
View Related
Sep 7, 2011
I have some doubts about the best solution for the design of a mini data center.In the data center there is a 6500 with FWSM module installed, there are some vlans created, all of them in the fwsm module. For example, a back end server to communicate with a server in the front end must always pass through the firewall. My question is, all these flows passing in the firewall does not degrade the speed of communication?What is the best practice, just pass the communications with the WAN in the firewall, and the vlan communication between front end and back end is only set up in 6500?
View 13 Replies
View Related
Aug 4, 2011
we had such kind of issue: while installing 2 SSM-4GE modules to 2 ASA 5540 (Active/Standby) the firewall is splitted. That's my step:
1) Turn off standby ASA and plug SSM-4GE module
2) Power it On After it was booted up failover relationships were broked and previously stabdby became Active appliance.
3) Turn off active ASA and plug SSM-4GE module
4) Power it On
After the it was booted up failover comes up and previously Active (on step 2) appliance became Standby. Everything is up and running now, but the issue was on step 2, I suppose becouse of distinct in hardware (when one ASA was on SSM reachest than another one). Still have no ideas why so happens and is there any way to plug SSM modules int ASA active/standby cluster without downtime.
View 2 Replies
View Related
Jan 11, 2012
Any recommendations for top of rack switch for within our data centre.Dual power is a requirement, but bandwidth and through put will not be huge as such I have been looking atthe WS-C3560X-48T-L and the Nexus 3048.
View 1 Replies
View Related
Mar 2, 2012
I have some doubts about the best solution for the design of a mini data center.In the data center there is a 6500 with FWSM module installed, there are some vlans created, all of them in the fwsm module. For example, a back end server to communicate with a server in the front end must always pass through the firewall. My question is, all these flows passing in the firewall does not degrade the speed of communication?What is the best practice, just pass the communications with the WAN in the firewall, and the vlan communication between front end and back end is only set up in 6500?
View 6 Replies
View Related
Feb 26, 2012
What are the list require for setting up Data Center for either University or Government?
View 4 Replies
View Related
Sep 22, 2011
last night I started upgrading our ASA5520 active/standby cluster. Because of lack of memory, I stopped the upgrade process and will continue when the memory modules have arrived... Currently I'm running 8.0(5) on both nodes (Version: Ours 8.0(5), Mate 8.0(5))Whenever I use the "write standby" command on the active ASA, the passive ASA seems to drop it links for a short while. [code]
View 4 Replies
View Related
Oct 8, 2012
Lucien is a customer support engineer at the Cisco Technical Assistance Center. He currently works in the data center switching team supporting customers on the Cisco Nexus 5000 and 2000. He was previously a technical leader within the network management team. Lucien holds a bachelor's degree in general engineering and a master's degree in computer science from Ecole des Mines d'Ales. He also holds the following certifications: CCIE #19945 in Routing and Switching, CCDP, DCNIS, and VCP #66183
View 1 Replies
View Related
Feb 21, 2013
I have a problem to solve in our data center, see attached drawing. HW: Our core switches consists of two stacked C3750 with ip routing. What I want to do is probably simple but I haven't been able to figure out the best method.
VLAN10 and VLAN20 should not be able to communicate with each other. (ACLs?)VLAN10 will have it's own default route/firewall. Both VLAN10 and VLAN20 should be able to send server backups to server in VLAN30. All 3 V LANs come in on a trunk from a pair of stacked C2960-S. I need it to be able to scale if we have 50 VLANs for instance, hopefully without long complicated ACLs. I've been considering VRF's, PBR but can't decide what's the simplest solution to this problem. I have never done this before so I would prefer to start off on the right foot.
View 1 Replies
View Related
Nov 20, 2012
Normally when we do HSRP with vPC on N7K the device will be Active/Standby in control plane but it will be Active/Active in data plane. In this case any traffic reach to standby device it can forward traffic directly to uplink which is not my desire. My goal is all traffic should pass through active (control plane) device in every case unless active device totally dead. So Is it possible for Nexus 7000 to be HSRP Active/Standby in Data Plane ?
View 4 Replies
View Related
Oct 26, 2011
We bought Cisco sup engine WS-SUP32-GE-3B for 6500 switches 2 nos for redundancy. I have connected 6 systems on each sup engine ports. How to clarify whether both sup engine will forward the data while one is Master and other is standby?
View 4 Replies
View Related
Jan 20, 2011
I have got a 1TB external HDD...I want to use this to backup my data (dokuments , pics , video) that are on 2 desktops and one laptop---
AS I understand the terminology a I won't have enough room to do image backups (these back up all info incl OS ??) as on pc is usingb 677 gb and the other 400 gb ---- and anyway I can re-install windows if anything goes wrong...
SO---am I able to do this-
1. connect the ext- HDD to PC running win 7 64 bit....create a folder called "win 7 64 bit" and then drag and drop filesand folders into that folder(or use windows backup..which i am unfamilar with)
2. then connect to PC running Vista 64 bit ..create a f�lder called "Vista 64 bit" and do as above....
3. Do the same for the laptop running win 7 32 bit
Am I right in assumming that because it's just data I can put info from different OS on to it without and conflicts when connecting it to different Pc's?
View 7 Replies
View Related
Apr 26, 2011
I'm about to install a new E1 onto my 3845 as backup line for my data network. We usually use VWIC2 cards since our infrastructure covers EU and US sites. But this time, I ran out of stock and so did my supplier. I have a VWIC-1MFT-G703 card here but not sure if it would work. What is the difference compared to the regular VWIC-1MFT-E1 ?
FYI, I run 12.4 T train release on my 3845s.
View 3 Replies
View Related
Oct 18, 2011
The customer has an existing ISDN30 - 8 channels backup circuit what was originally terminated to a C2611XM Now they required to replace this old router with a new one.The old router build:
CISCO2611XM - CISCO Dual 10/100 Ethernet Router w/ Cisco IOS IP, 32F/ 128D
CAB-E1-PRI - CISCO E1- ISDN PRI Cable, 10 Feet
NM-1CE1B - CISCO ^1-Port Channelized E1/ISDN-PRI Balanced Network Module
CAB-5-XOVER-3M - COMSTOR Crossover Cable RJ45-RJ45 - 3
The new what we would provide:
1 x CISCO2911/K9 - Cisco 2911 w/3 GE,4 EHWIC,2 DSP,1 SM,256MB CF,512MB DRAM,IPB 1 1 x S29UK9-15104M - Cisco 2901-2921 IOS UNIVERSAL 1 1 x HWIC-1CE1T1-PRI - 1 port channelized T1/E1 and PRI HWIC 1 1 x CAB-ACU - AC Power Cord (UK), C13, BS 1363, 2.5m 1 1 x CAB-E1-RJ45BNC - E1 Cable RJ45 to Dual BNC (Unbalanced) 1 Included: PWR-2911-AC Cisco 2911 AC Power Supply ISR-CCP-EXP - Cisco Config Pro Express on Router Flash 1 MEM-2900-512MB-DEF - 512MB DRAM for Cisco 2901-2921 ISR (Default) 1 MEM-CF-256MB - 256MB Compact Flash for Cisco 1900, 2900, 3900 ISR 1 SL-29-IPB-K9 - IP Base License for Cisco 2901-2951 1
View 2 Replies
View Related
Jan 10, 2012
I have a 1.5 TB USB hard drive attached to me E4200. Configuring it so that multiple computers have access and can read and write their files is quite simple. I've followed the instructions and had no difficulty.
My problem is this, after about a week's time has passed any file that has been on the hard drive for more than a week become undeletable. Any attempt to modify it or remove it pops up a message saying I need permission from a specific user (always the user that I am currently logged in as!) to perform the operation on the file.
When this starts to happen, the device is, otherwise, perfectly functional. I will still be able to create new files and delete any newly created files from the drive without difficulty even when those files are in the same directory as the files that the device will no longer let me edit. Examination of the file properties dialog shows that the files that the device refuses to allow me to delete are identical in every way to any new file that I create. Yet newly created files are removable but these older files ... are not.
I'm quickly coming to the conclusion that the HDD mounting feature of the device just doesn't actually work as advertised.
FWIW: all my computers are using Windows 7 with the latest build. I do access the device from these computers wirelessly.
View 9 Replies
View Related
Sep 11, 2012
what's required for the migration from Checkpoint R75-20 Splat install to the Cisco ASA firewall, links to documentation - step-by-step.
View 3 Replies
View Related
Dec 7, 2012
I have two router Cisco 887 with vpn site-to-site:
Site A:
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key ********* address 85.34.AAA.AAA
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
[code]....
I want to remove VPN configuration from the router and put VPN Configuration on Cisco ASA 5505.The scheme would be: ASA5505(vpn site-to-site) -> 887 -> INTERNET this for both sites.My problem is that I do not know what ip put on interface Outside of firewall. For example on Site A delete all VPN configuration from 887 and leave only ATM0.1 point-to-point, on intereface Outside of ASA put ip of loopback(of router 887) and as default route 85.34.2.XXX. Right?
View 12 Replies
View Related
Jul 7, 2011
We try to migrate two ASA stateful Active / Passive from version 8.0 to 8.4 but many of acl rules and Nat no longer working. We must go through the version 8.2? The release 8.4 changes everything and seems to me not too stable, it'sl best to stay in 8.2 or 8.3 !!!
View 3 Replies
View Related
Jan 23, 2013
I have configuration on PIX804 :
On Pix804
interface Ethernet2
nameif ins10
[Code]....
On PIX515T(804) in packet-tracert option no Phase 1 - Route-lookup and both static nat works fine. May I disable on ASA phase route-lookup, that it not send packet on wrong interfaces ?
View 2 Replies
View Related
Jun 22, 2011
I need to upgrade the compact flash of my ASA 5510 from 256MB to 512MB. A friend's recommendation was to buy a card reader, copy all of the data from the existing card and paste it to the new compact flash. I have a hard time believing that it's that straight forward.
Any safer, more foolproof way of migrating between flash cards?
View 8 Replies
View Related
Feb 24, 2012
I need to replace an ASA with an IOS firewall router, and am not sure how to migrate the NAT configuration. Specifically, there is an interface "3rdparty" that has onward connectivity to other private addresses, so our internal addressing is hidden. For some reason there are static NAT rules in different directions across the interface, but at present I cannot see why. Thinking in router terms, all that springs to mind is the inside and outside tags for the interfaces, but also that it might need "overlapping" NAT to be configured.
[code]...
View 2 Replies
View Related
Dec 18, 2012
I am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall. The checkpoint firewall has 8 physical interface so the ASA 5510 also support physical 8 interfaces so thiw will be a one-to-one swap. At the moment, I don't have an ASA 5510 to test my theory so I am going to throw it out here. The checkpoint firewall is a SPLAT running on an powerfull IBM Server with 8 CPU dual cores with 32GB of RAM and it has 1200 rules with over 120,000 objects with some of the crazy NATs but it works so we will just leave it at that. There are not that much traffics going across the firewall so there are no need to put in an ASA 5585
I use the cisco conversion tool to do the policy conversion from Checkpoint to Cisco, I get about 1.5 million lines in the configuration. A lot of it has to do with Checkpoint having no concept of interface security level while ASA does. I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment. The customer goal is that at the time when cutover from Checkpoint to Cisco ASA, they want everything to be perfect, meaning that it will work like magic.
My question is that can the ASA 5510 handle 1.5 million lines of configuration? Are there any limitations on this? I know there are limitations with FWSM but since I don't have an 5510 to test.
View 1 Replies
View Related
Aug 12, 2012
I have a Failover pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2). Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
View 4 Replies
View Related
Oct 28, 2011
I am trying to migrate checkpoint configs to ASA 5585 using SCT tool, this tool asking me to feed it *.W file from checkpoint which is suppose to be a rule definition file on CP, but I cant find it
View 14 Replies
View Related
