Cisco Firewall :: Migrate Two ASA 5520 Stateful From 8.0 To 8.4
Jul 7, 2011
We try to migrate two ASA stateful Active / Passive from version 8.0 to 8.4 but many of acl rules and Nat no longer working. We must go through the version 8.2? The release 8.4 changes everything and seems to me not too stable, it'sl best to stay in 8.2 or 8.3 !!!
I want to remove VPN configuration from the router and put VPN Configuration on Cisco ASA 5505.The scheme would be: ASA5505(vpn site-to-site) -> 887 -> INTERNET this for both sites.My problem is that I do not know what ip put on interface Outside of firewall. For example on Site A delete all VPN configuration from 887 and leave only ATM0.1 point-to-point, on intereface Outside of ASA put ip of loopback(of router 887) and as default route 85.34.2.XXX. Right?
I need to upgrade the compact flash of my ASA 5510 from 256MB to 512MB. A friend's recommendation was to buy a card reader, copy all of the data from the existing card and paste it to the new compact flash. I have a hard time believing that it's that straight forward.
Any safer, more foolproof way of migrating between flash cards?
I need to replace an ASA with an IOS firewall router, and am not sure how to migrate the NAT configuration. Specifically, there is an interface "3rdparty" that has onward connectivity to other private addresses, so our internal addressing is hidden. For some reason there are static NAT rules in different directions across the interface, but at present I cannot see why. Thinking in router terms, all that springs to mind is the inside and outside tags for the interfaces, but also that it might need "overlapping" NAT to be configured.
I am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall. The checkpoint firewall has 8 physical interface so the ASA 5510 also support physical 8 interfaces so thiw will be a one-to-one swap. At the moment, I don't have an ASA 5510 to test my theory so I am going to throw it out here. The checkpoint firewall is a SPLAT running on an powerfull IBM Server with 8 CPU dual cores with 32GB of RAM and it has 1200 rules with over 120,000 objects with some of the crazy NATs but it works so we will just leave it at that. There are not that much traffics going across the firewall so there are no need to put in an ASA 5585
I use the cisco conversion tool to do the policy conversion from Checkpoint to Cisco, I get about 1.5 million lines in the configuration. A lot of it has to do with Checkpoint having no concept of interface security level while ASA does. I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment. The customer goal is that at the time when cutover from Checkpoint to Cisco ASA, they want everything to be perfect, meaning that it will work like magic.
My question is that can the ASA 5510 handle 1.5 million lines of configuration? Are there any limitations on this? I know there are limitations with FWSM but since I don't have an 5510 to test.
I have a Failover pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2). Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
I have a Fail over pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2). Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Can either of these scenarios will work (or fail). I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
Migration option #1 Log into active/primary ASA Configure Multiple Context mode Reboot both devices Login to active/primary ASA
We have backup data center where I am now planning to provide backup internet service ( in the case where there is internet down or power outage at main server room) . I have a pair of Cisco ASA's 5540, one of which I need to move to backup data center ( BDC), Presently I have ADSL router at disaster serve room with static public IP from ISP.
Currently, I am publishing all my internal resources through ASA. Now my questions, if I move Standby ASA to Disaster Server Room. How I can publish the same internal resources through standby ASA and make it standby as active during the down time of main server room
We have purchased a couple of Cisco 891 routers - both are running IOS 15.0(1) M5 licensed with advanced IP services (default). The literature for these devices on Cisco's website claims they support IPsec stateful failover on advanced IP services.
Our intention is to configure them with HSRP and IPsec stateful failover to provide a highly-available default gateway and VPN end-point.
I have configured HSRP and that seems to work fine. My problem is that I cannot configure IPsec stateful failover. The documentation that I have found implies that I need to configure inter-device redundancy on a particular HSRP group and use the physical IP addresses on the interfaces within that group to allow stateful failover communication between the routers however the routers do not recognise the 'redundancy' command in config mode...
I have 2 C2811 ISRs runnning c2800nm-advsecurityk9-mz.124-15.T17.bin and having on board: 1 Virtual Private Network (VPN) Module.is it possible to enable IPSec stateful failover (or switchover, SSO) between these boxes? I get different infos from Cisco sources. url...All commands were accepted, but failover doesn't seem to be statefull (I loose connection for few seconds and VPNs are reestabilishing)
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
We are using the newest release of AD Agent (22.214.171.124.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
Two different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
I have a serious problem with my corporate firewall, witch is an ASA 5520, fv 8.3, with 8 +1 interfaces. It suddenly started to crash every 10/20 minutes and rebooting alone.
First of all I checked system resources witch are in a very low usage state. I also checked interfaces errors, but nothing strange come out o from error counters analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.
Nothing changed and firewall continue restarting by itself.
Last logs I received before crash were:
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack = %ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack = 0x084A619E 0x084A6512 0x084A70E1 0x084A7987 0x084A7AAA 0x08558B9B 0x08558E8A 0x083D3518 0x083CA145 0x080659D1 0x089196D9 0x08919790 0x089FF711 0x08A27468
Here the sh crash info command on module 0, after last reboot: [Code] ......
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
I have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
Our Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:126.96.36.199/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
I have problem in the configuration of Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network--> Firewall --> Routers with GLBP with virtual ip address. the clients can not ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall, I checked the packet tracer it gives :
Phase: 7 Type: NAT Subtype: Result: DROP Config: nat (inside10,outside) source dynamic LAN interface Additional Information:(code)
Two days ago, we changed our old 525 with asa 5520 ( ver 8.2 ). Configuration is the same, except the version. It even retains the same global interface and static public ip address as the old device.All worked well during that period.
Yesterday, one of the http applications , not tested other day, was found not to be working. To test, we switched back to the old 525 , however nothing was working when we did that.