Cisco Firewall :: Migrating To New ISP - ASA 5510

Jan 4, 2012

I currently have the following set up (excuse my quick drawing):
 
--------------Vendors VPN Router----                                                           
|    ------Cisco 3000 VPN------        |                                                                        
|    |                                   |        |
Private Network-------ASA5510---------Pub Switch------Cisco Router 2x T1

I've been tasked with migrating to the new ISP, which provides us with a Cisco ME-3400E switch and a /26 public subnet. I currently have 15 static NATs and 14 L-2-L VPN tunnels configured in the ASA. Is there a way to configure an additional Outside int on the ASA and use it to migrate the existing VPN tunnels and static NATs? I'm trying to avoid downtime and hope to do it step by step. I'm thinking about adding an additional Public switch, so I can also migrate the vendor's router and VPN concentrator, which need to be in parallel to the ASA. Assuming that this is possible, I would like to do the following:

1. Configure and connect additional Outside Interface on ASA - public IP address and ACLs

2. Connect it to additional "Public switch", which would be configured with public IP address and connected to new ISP's Cisco ME-3400E.

3. Migrate my VPN tunnels and static NATs.

4. Migrate vendor's equipment/VPN concentrator

5. Update my global NAT pool

6. Shut down old ISP


Cisco VPN :: Migrating From PIX 515e To ASA 5510

Jan 28, 2011

I have recently migrated from a PIX 515e to an ASA 5510. In the main this was successful. However, I have a number of L2L VPNs (all connecting to Cisco PIX 501 or 505). The majority of these VPNs are working fine. However, I have a couple of VPNs that are causing me a problem. It seems like the tunnel is established for anything between 10 minutes and 4 hours before going 'down'. I cannot initiate the tunnel again from the hub end (ASA 5510) of the VPN. However, if the remote end reboots the PIX, the tunnel is re-established. The ASA is running 8.3(1) and the remote PIXes will be running various versions of code but will all be 6.3(x). The strange thing here is that the majority of the sites are working and the config for each tunnel is identical other than the access-lists for interesting traffic and peer address.


Cisco WAN :: Migrating ASA 5510 To ASA 5505?

May 7, 2013

For testing purposes I wanted to exchange a running ASA 5510 with an ASA 5505. I included the running configs from both the ASA 5510 and the newly configured ASA 5505.
  
On the running ASA 5510 there is:
 
one interface for WEB
static IP xx.xxx.xxx.178
route  0.0.0.0 xx.xxx.xxx.177

[Code].....


Cisco Firewall :: Migrating Netscreen Firewall To ASA 5515 Version 8.6?

Mar 5, 2013

I am currently migrating a Netscreen firewall to an ASA 5515 version 8.6. The issue is setting up the management connectivity.
 
Basically, the management IP of the Cisco ASA is not advertised. But we want to route a management IP through the management interface to interface Gi0/2.
 
So the IP of the management interface is, say, 216.10.100.10, and the IP of the inside interface is, say, 198.1.1.10/24. On our router we have a static route sending 198.1.1.0/24 to a next hop of 216.10.100.10 (the management interface of the Cisco ASA).
 
On the Cisco ASA can I send the traffic to the inside interface and manage the firewall via ssh that way?


Cisco Firewall :: Migrating PIX Configuration To ASA 8.4(2)

Aug 28, 2011

I am migrating my PIX configuration to ASA 8.4(2) with my old NAT configuration. I don't want the traffic matching ACL inside_outbound_nat_acl from the inside interface to be NATed [code]
 
When I configured "any" in "nat (inside,any)", I cannot type the "route-lookup" command, but when I change it to "nat (inside,outside)" then I can type the "route-lookup" command. So what is the meaning of "any" in this command?


Cisco Firewall :: Migrating From ASA 5520 To 5550 - Transfer Config?

Jun 13, 2012

I have ASA 5520 using ios 8.2(2)
 
I received a new ASA 5550 and want to transfer my config from the 5520 to the 5550.


Cisco Firewall :: Migrating PIX515E To ASA5520 - Update BIN Files In Configuration For ASA?

Jul 18, 2011

I am in the process of migrating my config from my PIX running 8.0(4) to my ASA5520 running 8.2(1).  I have converted the config so that it is ready for the ASA.  I noticed the "boot system flash:" and "asdm image flash:" command references the old PIX files.  Do I need to update these or will they be updated when the ASA reboots with the new config?


Cisco Firewall :: Catalyst 6509E / Migrating From FWSM To ASA Service Module (ASASM)?

Jun 6, 2013

I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period. With that in mind, whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything. In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.


Cisco WAN :: Migrating From A PIX 501 To ASA5505

Jan 22, 2011

We pulled the plug on our PIX 501 as it's not letting us use all 100Mbit that our cable provider is now piping to us. I read the conversion guide but it made no mention of the 501s, only the 515s or newer. The ASA5505 is putting up a little bit of a fight (this is what I get for failing my CCNA??). After it refused to configure the LAN IP address to something other than what it was shipped with, I broke down and connected to the management console and forced an IP address on the LAN side. Now I reset my default config and everyone can get on the internet. Until the ISP cuts you off because you forgot to set your static IP. Oh, and by the way, they don't support Cisco gear.
 
When I attempt to assign the IP to the outside interface, it accepts without a hitch, but everything grinds to a halt. I cannot have this, as I have off-site users that operate with dedicated ports using Remote Desktop. I've attempted to set the IP via both ASDM and management console. I've tried setting a static route, but that doesn't give me any love either. I'm running ASA Version 8.2(1) and ASDM Version 6.2(1). Once I get the static IP set and working properly, I can tackle moving the port configs.


Cisco AAA/Identity/Nac :: Migrating From ACS 4.2.0 To 4.2.1?

May 29, 2012

We are running ACS 4.2.0.124.16 on Cisco appliance 1113. We need to upgrade it to 4.2.1.15, which is the latest release, and need to know the dependencies, and whether any license is required.


Cisco :: Migrating DFM Data From LMS 3.1 To 4.2.3

Feb 18, 2013

I need to migrate DFM alarm settings data from LMS 3.1 to LMS 4.2.3 and I want to use this method, [URL], to extract the data from 3.1 and then import it into 4.2.3.
 
I successfully performed it for IP settings; it was easy since the data format was the same.
 
But the format differs quite a lot for Interface and Port data. Here is an example:
 
export from LMS 3.1
IF-hostname/17 [Gi0/0.524] [10.55.254.3]; INTERFACE:;IF-hostname/17; MANAGED_STATE:;EXPLICITLY_UNMANAGED
export from LMS 4.2.3
INTERFACE:IF-hostname/17 MANAGED_STATE:MANAGED GigabitEthernet0/0.524
 
It looks like I have to convert interface names, sort and delete stuff to make it look the same.


Cisco :: Migrating From NCS 1.1.2 To Prime 1.2?

May 8, 2013

[URL] it mentions that migrating from NCS 1.1.2 to CPI 1.2 isn't possible.
 
How can I get around this?


Cisco :: Migrating From NCS 1.0 To Prime Infrastructure 1.2

Feb 12, 2013

I have NCS 1.0 with a 100-device support license installed. Now, knowing it has reached end of sale, and also for the fact that Prime does cover devices like routers, I went ahead with the upgrade path via PUT (Product Upgrade Tool). Finally I received an email (OBA) advising that my order is ready. This email included two items in the shipment:

L-N-PI12-100-M=
NCS 1.0 to Prime Infrastructure 1.2 Minor Upg 100 Device
L-PILMS42-100-M
Prime Infrastructure LMS 4.2 - 100 Device Upgrade Lic
  
When I click the link in the same email to download the license, it only shows me one file, which is L-PILMS42-100-M. I tried using this file and installing it on the NCS 1.0, but it gives me an error that this file is not a license file. The license name suggests to me that it is not the license to be installed on the NCS. The file should be L-N-PI12-100-M=


Cisco :: Migrating APs From WLC 4400 V.4.0.179.11 To WLC 5508 V.7.2.110.0

Jun 11, 2012

I am replacing an old 4400 series WLC running version 4.0.179.11 with a new 5508 WLC running version 7.2.110.0.
 
We currently have 70 x 1131 Access points on the 4400 WLC.
 
With this upgrade, do I need to upgrade the old 4400 to version 6.0 so the APs get an up-to-date IOS, or can I directly migrate all APs over to the new 5508 without any version incompatibilities on the APs?
 
I am a bit worried that the APs are running too old an IOS on the 4400 v.4.0.179.11 to go straight to the new 5508 v.7.2.110.0.


Cisco VPN :: Client Not Working After Migrating From PIX 6.3 To ASA 8.4?

Mar 11, 2013

I have a situation here where, after migrating from PIX 6.3 to ASA 8.4, VPN connections from Windows Server 2003 and 2008 fail to connect. Strangely, Win 7 or Win 8 works perfectly well.
 
It failed due to

reason=DEL_REASON-IKE_NEG_FAILED 
 
The diff we can see is win 7 is 32 bits and the server client version is 64bits.


Cisco Switching/Routing :: 6509 / Migrating From IOS To NX-OS

Aug 7, 2011

I am migrating from Cisco 6509 IOS (12.2) to Nexus 7000 NX-OS (5.1(1)). I am looking for an equivalent NX-OS command for permit ipinip on IOS.


Cisco :: WCS 7.0.172.0 Upgrade Stall Migrating Data

Apr 18, 2011

I have a 7.0.164.0 WCS that I am trying to upgrade to 7.0.172.0. In the system infrastructure we have three 4400-50 controllers with a total of about 90 access points (1231s, 1131s, 1142s, and 3500s). The server is a VM with 2GB of RAM and about 4GB of free hard drive space (the WCS software is installed on the D: partition). The WCS installer goes through the initial setup and gets to the point of "Migrating Data" and basically stalls. I started the upgrade Friday at 11:30AM and finally killed it at about 9:00AM on Monday (almost 3 full days).
 
I then uninstalled the partial 7.0.172.0 installation, and also uninstalled the 7.0.164.0 installation. I then did a clean install of 7.0.164.0 and imported my backup. After I verified that everything was working correctly I then tried the 7.0.172.0 upgrade again. Currently it's almost at 24 hours of sitting at "Migrating Data".


Cisco Security :: Migrating From 3030 To ASA Platform?

Jun 13, 2007

Is there any way to auto migrate my 3030 VPN configuration to an ASA platform?


Cisco Wireless :: Migrating From WISM-1 To 5508?

Feb 5, 2013

We are currently upgrading from WISM-1's to individual 5508 WLC's. Is it possible to export the config from controller on the WISM to the 5508?


Cisco WAN :: Migrating Sup720 Configuration To Sup2T?

Jul 4, 2012

Migration of an existing Sup720 configuration to a new Sup2T. At present we have a Sup2T chassis in the lab running 15.0(1)SY1 and a production Sup720 chassis running 12.2(33)SXI5. I've taken a copy of the production startup-config, renamed it to 'startup-config-BGFL_6509_MBAS-020712' and copied it to the bootdisk (and slave bootdisk) of the new Sup2Ts. I've then added the command 'boot config bootdisk:startup-config-BGFL_6509_MBAS-020712' in an attempt to boot from that config and have the Sup2T migrate it to the new config standards (particularly from a QoS perspective as mentioned here: [URL]
 
!
boot-start-marker
boot system flash bootflash:s2t54-advipservicesk9-mz.SPA.150-1.SY1.bin
boot config bootdisk:startup-config-BGFL_6509_MBAS-020712
...
Router#sh bootvar
BOOT variable = bootflash:s2t54-advipservicesk9-mz.SPA.150-1.SY1.bin,1;

[code]....


Cisco WAN :: 3745 / Migrating Configuration To New Router With Different IOS?

Sep 28, 2011

One of my clients has an older 3745 running IOS 12.3 and we are looking at replacing it with a new 3945 that runs IOS 15.0. This router is also configured with CME. Is it possible to migrate the current 12.3 config to load on the new 15.0 IOS? This will be my first encounter with 15.0 so I don't know what I am up against at this time. I am just hoping I don't have to retype all the ephone config, dial-peers, etc.


Cisco :: Migrating ACS 4.0 In Windows Server To ACS 5.4 VMware

Dec 4, 2012

We have 2 separate ACS 4.0 servers installed on Windows 2003 Server (2 separate locations). Both these servers are integrated with Cisco WLSE and Corporate AD.
 
Now we are planning to migrate to ACS 5.4 on VMware ESXi 5.1, and it needs to be integrated with Cisco WLSE and Corporate AD.
 
Can we import the data from the 2 x ACS 4.0 servers to this new single ACS 5.4 VMware server?


Cisco Security :: Migrating Existing SSL Certificate From Win 3.2 To 4.2 ACS

Apr 15, 2011

We have the ACS server which has the SSL certificate (certificate authority) running in ACS 3.2 Windows version for EAP-TLS end-user authentication.
  
We want the same to be migrated to the ACS 4.2 (appliance) application. I have tried in different ways to push the certificate but I couldn't.
  
I have tried through System Configuration --> ACS Certificate Setup --> Install ACS certificate --> Download certificate file. In that I have mentioned the FTP server IP address, credentials, path and file name.
 
But if I submit the request, it says the directory was not found or the credentials are wrong.
 
In the FTP logs it shows this:
 
Apr 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 PASS welcome2acs
Apr 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 230 User logged in
Apr 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 FTP: Login successful
Apr 15, 2011 19:41:55 Session 4, Peer

[Code].....


Cisco WAN :: 64530 - Migrating BGP Private ASN To Public

Oct 9, 2012

I have two links on two edge routes from the same ISP for Active/Standby. I am using the private AS and ISP-provided IPs; now I have got my own Public IPs and AS number. I want to publish my IPs and migrate the AS number from private to Public. But currently I do not want to migrate my device IPs, I just want to publish the network and ASN.
 
The current config is:
 
Router 1 
router bgp 64530
no synchronization
bgp log-neighbor-changes

[Code].....


Cisco Firewall :: ASA 5510 - Users Unable To Access Internet Through Firewall

Feb 26, 2013

I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. I tried lots of things but users are still not able to access the internet, nor can I ping anywhere. For example, when I ping 4.2.2.2 I don't get any reply. The running config is below for your reference:
 
HQ-ASA-01# show  running-config
: Saved
:

[Code]......


Cisco Firewall :: ASA 5510 / Multiple VLANs Behind Single Firewall Segment?

Feb 5, 2012

I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments. I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses. Is there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
 
Firewall DMZ Interface - 1.1.1.1
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6
VLAN 2 - hosts 1.1.1.7
VLAN 3 - hosts 1.1.1.8 and 1.1.1.9

This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN. I'm working with an ASA 5510 running 8.2.4(4).


Cisco Firewall :: ASA 5510 / Enabling Firewall To Send Logging Information?

Jun 22, 2011

I have an ASA 5510 firewall with CSC module and Security Plus license for the CSC module. Will you tell me how to configure my firewall to send emails to a particular mail ID when someone logs into the firewall or on any virus attacks from outside?


Cisco Firewall :: IOS Firewall Versus ASA (5505 / 5510) For Smaller Clients (less Than 50)?

Apr 24, 2012

We were having a discussion of IOS firewall vs. ASA for smaller clients (less than 50), on using IOS firewall (ZBF or CBAC) and an ASA 5505/5510. One of the arguments brought up on using IOS firewall on the router is that a router will do an IP SLA failover. I have configured a number of ISRs for this and I know it works good.


Cisco Firewall :: Open A Port In ASA 5510 Firewall Using ASDM?

Oct 20, 2012

I would just like to open UDP port 123 in the ASA 5510 Firewall so that our Primary Domain Controller could use this port to sync time with an external time source. We have already added an access rule for this port under the firewall configuration in ASDM 6.4 and this port was also allowed in the inbound and outbound rule of the PDC's Firewall but it seems that it was still blocked.


Cisco Firewall :: Is ASA 5510 Firewall Required Any Subscription Or License

Nov 15, 2012

I am quite new to firewalls; in my company there is one ASA 5510 firewall. I configured inside, outside, DNS, DHCP and NATing. I need to configure a bandwidth limit (1Mbps) for the inside port and to restrict sites like Facebook, YouTube and porn sites. And I heard that some subscription is required; is it really required?


Cisco Firewall :: 5510 - Cannot Connect To ASA With ASDM Or SSH - Firewall Running Ok

May 21, 2013

I have an ASA 5510 in a live environment. Up until a short while ago I could access this via the ASDM and SSH. However, I can no longer connect to it via either. When I access it via SSH I get a disclaimer saying the following:
 
*** You have entered a restricted zone! Authorized access only!!! Disconnect immediately if you are not authorized user! ***
 
It then cuts me off.
  
When I try to access the ASDM I get the following
 
The firewall is running all its services without a problem and I can ping the device without any issues. Also, none of the config (to my knowledge) has been changed. I set up a console session and http server enable is still there with
 
http 192.168.200.0 255.255.255.0 inside


Cisco Firewall :: 5510 Major Flaw In Identity Firewall?

Nov 21, 2011

I have just configured identity firewall on our ASA 5510. I have 3 nodes that authenticate against Active Directory, using the Windows Server 2008 R2 built-in Network Policy Server: a laptop, a stationary PC, and an Android phone. All 3 nodes are authenticated using the same user/password.
 
Now, in ASDM -> Monitoring -> Properties -> Identity -> Users, I can see two of the nodes with my user name attached to them, namely the laptop and the stationary PC. But not the Android phone.
 
Then it dawned on me. To set up the ADAgent properly, you have to apply 2 group policy entries. Unfortunately, those 2 entries are applied to the Computer Configuration part of the Group Policy. This means that your COMPUTER has to be a member of your domain for USER IDENTITY to work. So my Android phone and other nodes not a member of the AD Machine Store will never be detected by identity rules, and can roam the network free.


Cisco Firewall :: 5510 - Transparent Firewall Installation Using ASA Version 8.4(3)9

May 14, 2012

I'm trying to install an ASA 5510 transparent firewall using ASA version 8.4(3)9 but I don't understand how traffic will ever pass through my firewall if both interfaces are on the same subnet (VLAN) as the host and its default gateway. The reason I'm doing this is we're installing UAG (or Direct Access) and the UAG appliance needs to have public IPs but still be behind a firewall (see attached diagram).
 
Looking at the documentation (which all seems to be for 5505s running 8.2) it almost seems like I need to have the transparent firewall 'in-line' to the ISP router, but this router services another IP address range on another VLAN for other (routed) firewalls (not shown on diagram), so putting it 'in-line' is not possible. Surely this can't be the case, can it? If not, how is it supposed to be cabled up and configured so packets go through the firewall?







