Cisco Firewall :: Moving From ASA 8.4(1) To 9.0(2)?
Mar 21, 2013
I need to move from ASA 8.4(1) to 9.0(2). Reading [URL] it seems to be a quite safe upgrade cause I do not have IPv6 ACL and I have only IKE v1. The following is not very understandable to me,No Payload Encryption for export—You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:
#
–Unified Communications
#
–VPN
#
You can still install the Strong Encryption (3DES/AES) license for use with management connections and encrypted route messages for OSPFv3. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filer (which uses SSL) and redirect traffic to Cloud Web Security. Reading [URL] under 'Limitations and Restrictions' I find this point moving to 8.4(2), which I also dont understand,Currently in 8.4(2) and later, the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT. For example, if you enter the following twice NAT command that configures a PAT pool (object2) for fallback when the addresses in object1 are used up, you see the following error message:
hostname(config)# nat (inside,outside) source dynamic any object1 pat-pool object2
interface round-robin
ERROR: Same mapped parameter cannot be used to do both NAT and PAT.
ERROR: NAT pool allocation failed.
You can alter this command to make it PAT-pool only by removing object1; the PAT pool is used as the primary method, instead of as a fallback method:
hostname(config)# nat (inside,outside) source dynamic any pat-pool object2 interface
round-robin
(CSCtq20634)
Is there any other point I need to consider moving from ASA 8.4(1) to 9.0(2)?
View 6 Replies
ADVERTISEMENT
Sep 30, 2011
Is a protocol inspection or something like it that allow MSDTC flows avoiding to open a backward rule will all ports?
I have for FTP and other protocols as ICMP too but MSDTC ?
View 2 Replies
View Related
Mar 6, 2011
I have a customer moving from a 5505 to a 5510. They are currently running websense express, which monitors and filters traffic based off of a port mirror on the ASA. Can this function still be performed on the ASA5510? If so, I am having trouble figuring out the method.
View 6 Replies
View Related
Dec 29, 2011
Me to a 2951 router with fireawall featureset. Ive begun to move the ACLs that where in the pix. However some of the rules are allowed to be typed in bur when i look at the ACL afterwards they are not what i typed in.
View 2 Replies
View Related
Feb 5, 2013
I need your opinion regarding moving of IDSM -2 and FWSM Module from 7613 to 6513 chassis.Currently these two modules are in 7613 and we are not using either of them now we have to configure them in 6513 chassis. As you can see from the figure that traffic of all 3 core router i.e 7613 go to 6513 - to proxy ISA 2004 - 6513 - to Internet.
There are also some network attached with 6513 and we want to move both of modules to 6513 so that NetworkA/B/C/D/E which are attached to 6513 can also be configured for FWSM and IDSM -2.
I have a query regarding this migration:Do we need license for these two modules again for 6513 chassis?
View 2 Replies
View Related
Jun 11, 2012
We have an ASA 5520 and it's inside interface is currently plugged into a fast ethernet port on a 3750. I have just bought a 1gig SFP module and have copied the fast ethernet port config to the gigabit port, but the port seems to be flapping
The port conf gi is this:
interface GigabitEthernet1/0/4
description Link to Inside ASA
switchport access vlan 2
switchport trunk encapsulation dot1q
View 1 Replies
View Related
Jan 4, 2012
I have recently moved, taking my PC (Windows Vista) from the UK to Norway. My Norwegian partner has a Wi-fi network set up in our new home via his cable TV service (Lyse) and I purchased a Netgear wireless network adaptor so I could get into this. It says I am connected to his network and I entered the correct network security key but I only get 'limited connectivity' which seems to not include internet access. 2 iPhones & 2 other laptops regularly network in so there is nothing wrong with the network per se. The trouble seems to be that mine is a desktop PC.
I had a LAN from home in my 'connections' so I deleted that (and deleted my UK broadband connection) and in the LAN settings box, I unchecked 'automatically detect' & and checked the proxy server box.
View 10 Replies
View Related
Jan 23, 2013
Currently I'm with a pure Cisco shop, running every LAN Switched infrastructure (even in the HQ datacenter) with PVST+, I'm noticing in the documentation I've read and labs I've created that RSTP is... great, and I've observed that even the uplinkfast functionality seems to be build in by just enabling rapid-pvst. Of course I'll propose a migration plan, document the network, diagram it entirely and provide effective steps to implement the change, but that's assumed from any get'go.
View 1 Replies
View Related
Jul 4, 2012
Currently trying to set up the above so that if an access service is not matched then it will go to the next one. Looking at the logs what happens is - our auth is set to AD so it matches that - then it isnt in the correct ext AD group and goes to default deny access.
Cant see how to get around this - the only continue command is in the advanced area of the auth - but i cant set up ext ad groups on the auth. How do i get this to move between access services if it doesnt match the ext AD.
View 3 Replies
View Related
Jul 23, 2012
We have an old Cisco 2600 series router, running a single T-1 line, AT&T is the carrier. Very standard stuff.
The T-1 works perfectly on the old router. Cisco 2600 with a WIC-1DSU-T1 card. We have a brand new 2911 router with a VWIC3-1MFT-T1/E1 card in it. The circuit runs 100% clean and trouble free on the old router. When I plug it into the new router, it shows up/up but has a massive number of errors on the line, and the circuit is not usable. There are no timing slips or anything like that.
I have another site using the same router and card with the same configuration on that T-1 and it works perfectly. Zero errors. This site (in a different city) is totally slammed with errors. We already replaced the T-1 card and still have the exact same issue.
I've actually been doing this a long time, and I've tried all of the usual things, adjusting line build out, changing clock source, checking and re-checking configs. Nothing seems to reduce the error rate.
I personally think it has something to do with the Smartjack. Like maybe their LBO is too high or too low, and the old router card was more/less sensitive than the new one?
This is a layer 1 issue and is not defective hardware or defective configuration. I am looking for T-1 insights or bugs/issues.
View 1 Replies
View Related
Feb 15, 2012
I used my Pix config to setup the ASA 5505.Everything seems to be right. I used ASDM to view settings and it seems right. I am missing something minor, but I am going blind looking at it.
I can remote into the network from outside, but internatlly I cannot get out of network. No internet or email is passing through.
: Saved
:
ASA Version 8.2(5)
!
hostname textasa
domain-name testcorp.com
enable password 579oWRzSY5syo9yt encrypted
passwd 579oWRzSY5syo9yt encrypted
[code]....
View 5 Replies
View Related
Jul 31, 2012
I have a 'Comcast Business Gateway' a friend gave me and I would like to use it instead of the regular gateway. The business gateway has extra Ethernet ports on the back where as the regular gateway just has one for your router. I plugged in the business gateway and I couldn't access the network. I used 10.1.10.1 which I thought was comcast's default but to no avail. I am not a tech so I am now stuck.The whole reason I am trying to do this is because the wireless routor is in the house, with a ethernet wire running to the shop. This distance is about 60 feet. I have the computer pluged into the wire but I can't get the printer or the other computer to connect to the wireless. I would like to connect the Business Gateway to the house wireless and then run the hard wire to the shop and connect another wireless router to the wire and run the shop on its own wireless. I tried one of the wireless extenders and it does not have enough juice.
View 1 Replies
View Related
Mar 6, 2011
When using my laptop, my mouse will at times not move. Also when typing, the curser will jump from where you are typing to other areas on the page (to the middle of other words, beginning, or where?
View 1 Replies
View Related
May 10, 2012
It was so much easier to transfer from xp to win7, but now that I upgraded both to win7 I can't just simply share it and transfer my files. I need to share 1 entire drive, what's the easiest way to do it.
View 4 Replies
View Related
Mar 12, 2011
Here's what I have so far which involves 3 computers:
PC1 has : Window XP w/ Linksys WRT54G w/ Linksys software installed
PC2 has : Windows 7 connected to router via cable
PC3 has : Windows XP connected to router via wireless
My goal is to make my new Windows 7 (PC2) the primary computer just like a server which handles the router and other stuff like printers, scanners, etc. I want to swap the Linksys WRT54G on PC1 to be on the new PC2 (Windows 7) so that the router can be configured and monitored on that machine.
My guess is that I just simply install the Linksys WRT54G's software to PC2 and make the necessary settings just like the XP machine (PC1) and I'm done. Do I need to UNinstall the router's software on the PC1 (XP) machine first? Do I disconnect my internet connection on my PC1 machine?....or do it really matter?
View 1 Replies
View Related
Jul 6, 2012
I have 2 computers hooked to a network, both have windows XP I want to get rid of the computer that the printer is physically connected to and move it to the other pc on the network?
View 2 Replies
View Related
Mar 6, 2012
So I have a current port-channel between two 6ks that I need to upgrade. There's too much traffic and the port buffers on the SUP7203B sort of suck. Microbursts are causing overruns like mad. Im going to move the 2x1gig port-channel to a 6724 and make it a 3x1gig port-channel. The switches carry production traffic across the link to the tune of about 400 meg during the lowest load time. Initially, I thought that I couldn't move the port channel without temporarily taking down the link but I think I have a workable solution now. Has anyone done this successfully before? Im curious what others have done. Also, to make matters worse, the existing port-channel is 'mode on' and I want to migrate to 'mode active' in the new channel
View 7 Replies
View Related
Mar 4, 2013
Today, we have a server running SNA that connects to router via the following. Vitrual Server --> Nexus 1000v ---->Nexus 7010 ---->2800 series router.We are trying to move server to new environment where it is Virtual Server ----> Nexus 1000v ----- Fabric Interconnect-----Nexus 55xx-----Nexus 7010-----2800 router.
View 2 Replies
View Related
Apr 18, 2012
I'm trying to export identity certificates from an ASA 5510 to 5520, I'm exporting in pkcs12 format and specifying a passphrase. When attempting to import to the 5520, I get "error import pkcs12 operation failed" from cli or asdm.
View 1 Replies
View Related
Aug 28, 2012
I am planning to move our WLC's (5508) from a branch site to HQ so that all branch site APs will just report centrally in the HQ. There are two WLCs working as Active/Standby. Plan is to move one then the other. I am not really inclined with wireless.
View 9 Replies
View Related
Aug 27, 2012
I had a home network with 2 laptops (one XP and one Vista) and 1 desktop (XP) configured through a Lynksys wireless router. There was already a Canon wireless network printer (with the Vista laptop set up as the "host" pc). This Vista laptop had to be on in order to print from any of the other 2 computers on the network. I then added another laptop (this one with Windows 7 64-bit OS) to the same home network (using workgroup), and I can print wirelessly from it in the same way (the older Vista laptop has to be on). The Vista laptop is hardly ever used since adding the new Win 7, and I would like to be able to print without having the Vista laptop on. How would I go about this? Do I have to delete the printer from the Vista laptop and re-install on the Win 7? It seems like there should be a way to let the router be the "print server," but I have no idea how to accomplish this. The WLAN settings on the printer all indicate the proper router settings from the initial setup. The printer is a Canon MX860.
View 8 Replies
View Related
Oct 4, 2012
I am moving a Windows Server to a new location. We currently have static IPs but are not using any of them so at the new location I requested no new static IPs. With that being said is there anything I need to worry about when I move? From what I have heard it should be a turn it on and go type of move.
View 1 Replies
View Related
Apr 21, 2011
Recently I have noticed that my browser, both firefox and chrome are loading rather slowly, as well as any type of streaming media, and downloads. I have performed spyware/adware checks and haven't come up with anything major. I am kind of at a loss as to where to begin to diagnose the problem. I had not installed anything new on my pc before this started. Also my laptop that is on the same network is running fine.
View 3 Replies
View Related
Feb 20, 2011
I've typed this question 4 times and keep losing signal so sorry if it appears multiple times, i have moved rooms and my laptop, toshiba satellite is now getting very weak signal. i bought a netgear usb adapter but it doesnt solve the problem much.
View 9 Replies
View Related
Jul 12, 2011
Moving into a new spot and some of the computer will be forced to go wireless. Is it better to have an adapter or an actual built-in PCi card?We play a lot of games, so that is my main concern, will we notice a big difference? The router that I am using is a WND3700 with latest firmware update.
View 3 Replies
View Related
Apr 2, 2013
We need to move some line cards around on our 4510. The top slots have a 24Gbps backplane while the lower slots are limited to 6Gbps. Poor planning on our part has left us with installing a 10Gb line card in one of the bottom slots. I'd like to move a couple of the cards up top, to the bottom.
My question is simply will the switch magically preserve the configuration for those cards and change the slot number for me or will I need to reconfigure the interfaces for those cards I move?
View 2 Replies
View Related
Jan 31, 2012
I am preparing to move two branch offices from a point to point T1 connection to Century Link Metro Ethernet.Currently my branch locations connect to my HQ 7204 router via a channelized DS3. I have a 4507R at HQ that I will connect the ME circuit to.We will also be moving our Internet connection on the ME circuit.Our service provider Clink will hand me a single Ethernet handoff for the Internet and branch office connections. For the first phase I will connect one branch office using ME. Once that is in place and tested we will move another office and so on. Then our final step is to move our web connection to the ME circuit.Each branch office has their own unique voice and data subnet. They each have a 2801 router and a 3560 switch. The routers are MGCP gateways with only one PSTN connection, a POTs 911 line on a FXO port.
So my questions are;
1 - Should I connect the ME directly in to the 3560 at the branch offices or use the Fa0/1 on the 2801? Fa0/0 is currently connected to the 3560.
2 - On my 4507R at HQ how will I configure the ME switch port? As a dot1q trunk port?
3 - Given that ME is basically a LAN connection will I have to re IP the branch office? HQ is 10.10.1.x/24. Branch is 10.10.166.x/24 (data) 192.168.166.x/24 (voice).
4 - On the 4507R will I need to configure a vlan interface for each branch subnet?
I attached two network diagrams. One represents our current topology (MEexisting) and the second represents the new ME circuit changes (MEprojected).
View 5 Replies
View Related
Jan 30, 2013
I would like to know if it's possible to change a master in a 3750 stack without rebooting it?I searched in Cisco documentation, in the forum, and I googled it but I didn't find anything.
View 3 Replies
View Related
May 8, 2012
I'm trying to move from a faulty SRP527 to SRP 547 - I tried a Restore from Backup, but it doesn't work.So start from fresh, and I'm having an issue trying to add a 2nd SSID to a VLAN...
I keep getting the error:
"FAILED! SSID 2 has joined another VLAN"
Except it hasn't... its not assigned to any VLAN...
View 2 Replies
View Related
Jan 8, 2012
Customer has ordered the following routers, which will go in three separate locations.
1. 3945 W/SPE150, IP Base Image
2. 3945 Voice Bundle, includes PVDM3-64 and (1) 2-port T1 MFT
3. 2911 IP Base Image.
If the customer wants to move the Voice image from the existing 3945 to the 3945/WSPE150, would he just need to contact Cisco Licensing, or would the customer have to pay for a software upgrade on the 3945/WSPE150?
Same scenario, except moving the Voice Image to the 2911 router.
View 5 Replies
View Related
Apr 4, 2011
I ve read, that Cisco routers/switches drop the entries of their ARP cache after 4 hours and of the MAC cache after 5 minutes (in the defaults).Question: What is the regular way, to update the MAC cache when moving to another location in the network?(Background: My device is a hand-held device, and we have problems to get access to it from a terminal server in another network, when connecting the hand-held device at different locations.) One approach is to send in a fix interval a arp-ping to the gateway, or trigger the ping by the interface-up.How do other devices handles this problem? (Or do they ignore it, because the most will stay on its location/port their whole live?
View 6 Replies
View Related
Feb 6, 2011
We have some Windows 7 clients that are running the 4.8 agent. NAC will process the user and move them to the trusted vlan. However, the agent stays open and appears to keep running/processing something. THe user can minimize the agent and work normally, and a reboot appears to fix the issue.
View 5 Replies
View Related
May 1, 2013
We are moving a small network of 3560 and 3750X switches from VTP Server and Client to VTP Transparent. I noticed the vlan database is stored differently depending on the VTP mode.
Is there any chance of losing vlan database on a given switch when moving from Server or Client to Transparent?
View 11 Replies
View Related
