All three of these options associate the same set of vlans to the FWSM but using different groupings. As far as I can tell, these groupings have no functional significance either on the switch side or the FWSM side. These are simply three different ways of specifying exactly the same thing? Am I correct?
We are deploying two Cisco 5585 in transparent mode and multiple contexts. they are running Active-Active fail over.
There are a lot of V LANs need to be added in the contexts, we are trying to use least contexts to fulfill.
ASA supports 8 bridge groups for each contexts, and maximum 4 interfaces for each bridge group.
We have assigned four interfaces in different V LANs , set two of them as a pair with one IP sub net and the other two interfaces are in another IP sub net.
For example :
Bridge group 1:
inside1 and outside1 -------> 192.168.1.0/24 inside2 and outside2 -------> 192.168.2.0/24
However, we can only make one sub net(V LAN pairs ) work when the BVI is set to that IP sub net. If the BVI set to 192.168.1.0/24, the inside1 and outside1, the other pair not work. If the BVI set 192.168.2.0/24, then only inside2 and outside2 work.
Since the BVI can only be assigned to either of the sub net, Is it possible to make both vlan pairs work ? Or we only can have one sub net in one bridge group ?
They have an ASA-5510 with version 8.2(5). They just upgraded their Internet bandwidth to 30 Mb both ways.If we do a speed test in front of the ASA, we get 28 Mb/s upload and download, with a ping of about 5 to 10 ms.If we go behind the ASA, the download is about the same, the upload is decreased to about 12 Mb/s and the ping goes to 260 ms The license is base, there are no additionnal function added to the firewall (no IPS). I've check the speed and duplex and everything is fine.There are no drops on the interfaces or rules of the firewall, no drops on the Interface of the ISP router either. All interfaces are configured at 100Mb full duplex.I saw a couple of discussions on this in the forums, but they don't seem to come up with anything and they look like they end in the middle of the whole story, like once the problem is solved, they don't update their discussion.
When a client connects to the device like: 192.168.2.215 there is no dns assigned. My devices are unable to access the internet unless I manually assign the dns in the local settings for that host.
I am not receiving icmp replays from the fswm interfaces if i try to ping 172.20.80.1 from 10.50.50.2.I do not see any debuging info in the logsI successfully ping 10.50.50.2 from the inside networks int the cat6500, but int the network 172.20.80.0, can not ping 10.50.50.2.
I am familiar with the PIX and ASA's. We have two Cisco 6509's with a FWSM installed in both. Our network is shown in the diagram. We use Blue Coat Packetshapers and Barracuda Proxy appliances. I plan on setting up HSRP on both 6509's for traffic coming from our ISP Cisco 2811's as well as use HSRP for our DMZ and internal network. I would like to setup the firewalls for statefull failover. We will be using PAT for our internal users and one-to-one static NAT for our DMZ.
Is it better to setup the firewall's as transparent or routed?
Since the firewall is built into the switch, how do I insert the Barracuda proxies? I can configure them as transparent or routed proxies.
Pix 515e 6.3.4..A web server on our DMZ is exposed for external access.There is an "A" record (webserver.yyy) on a public DNS for this public IP.This works fine for external users. url..Now I have been asked to allowed our LAN user to access the same link and I CANNOT CREATE AN INTERNAL DNS RECORD TO TAKE CARE OF THIS, which means when our internal users access that link, the request goes out of OUTSIDE interface with a NAT overloaded address(111.111.111.2) that is in the same subnet as the URL is trying to resolve. Once it knows the IP address thru DNS resolution tries to comes back in thru the same Interface(OUTSIDE) to hit the web server in the DMZ and is not able to.
1- Where does the request from an internal user to hit url is dropped?
2- what can be done to allow this type of connectivity in the PIX 515e device?
I'm configuring a Cisco 877 router as my firewall.My WAN IP will be assigned dynamically with DHCP. I will also get my default route from DHCP.I will need to configure ip inspection and packet filtering.I will need to configure NAT, I will eventually need to also configure a dial-up VPN.
ASA 5505 and DMZ and Base License,"For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network." Page 6-17.
This is exactly what I need. Mail server in DMZ, full access from internet to DMZ, and from inside network to DMZ, no access from DZM to inside network. If I good understand, this is possible with base license.
I successfully configure, internet Access for DZM and inside network, Mail server can be accessed from internet, as well as RDP on inside network. But I have problem to configure communication from inside network to DMZ. [code]
I have connected an ASA 5505 to an ADSL router that is able to assign the IP address and the also the DNS servers for the ISP for the outside interface. The ASA is loaded up with IOS "asa842-k8.bin"
I am using vpnclient with a hostname as oppose to an IP address to connect to a headend remote server. If I hardcode the DNS servers IPs in the "dns server-group DefaultDNS" I am able to resolve the hostname. If I then remove the IPs from the group and rely on the dhcp to assign them, when I try to resolve the name I have an error at the console "ERROR: % Invalid Hostname"
ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not. I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...". I created a new Group Policy with split-tunnel enabled. I created a new Connection Profile and assigned to it the new Group Policy. When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want. Each of them works, enabling or disabling split-tunnel. But I want to assign a connection profile to the particular user, not give the user a choice. The problem is I'm using LDAP authentication. The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing. I really don't want to give up LDAP and force people back to another local password. But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile. At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile". If I clear that switch every user will be assigned the same default profile, which does not work.
I am trying to issue command "ssh key-exchange group dhgroup14" on several of my ASA firewalls. The key-exchange command is failing on 3 of 4 ASA firewalls. According to Cisco documentation, this command was introducted in 8.4. My ASA's are running version 8.6.1.10, 9.1.1.8, 9.1.1.10 and 9.1.2. The command is available only with 9.1.2.
Example from one my ASA.
lbjinetfw# show version | in Version Cisco Adaptive Security Appliance Software Version 8.6(1)10 Device Manager Version 7.1(2) Baseboard Management Controller (revision 0x1) Firmware Version: 2.4 lbjinetfw# config t lbjinetfw(config)# ssh
I have a customer buys 12 x WISM and build up a mobility, when I add the final WLC to mobility, it prompts that there mobility group has reached the max of mobility member, but the total member is 23, according the configuration guide, it should be allow to 24 member, do I hit some bug? My using version is 7.0.98.0.
I have some problem to get working ACLs. The main purpose of this ACLs is to control what is going out from vlan to internet. (For example, i want that only my proxy can access to the web.) So, i use Cisco Packet Tracer and test new rules in lab without any problem.
interface Vlan1 ip address x.x.x.x x.x.x.x ip flow ingress ip flow egress ip nat inside [Code]...
But it doesn't work on my Cisco 1811w and i dont uderstand why and i'm not sure to have sufficient knowledge to aolve my problem by my own.
My ASA5505 has an external address of x.x.x.13. We have got another 2 spare ip addresses: x.x.x.10 and x.x.x.11.We also have 2 internal hosts, which we need to provide with internet access using NAT. y.y.y.146 and y.y.y.70.
We recently updated our ASA to software version 8.3(1). I was thinking that I could do it using network objects and groups, but didn't understand quite good how this should be done.
The goal is to set up ASA in the way, that if either of the abovementioned 2 hosts will connect to the internet, it needs take one of 2 external addresses. All other hosts should use PAT through x.x.x.13.
I say the answer is ten. That means ten hosts can be behind the firewall and hit the internet. The eleventh doesn't get to go out. I'm being told by a coworker that the "10" in the part number refers to the number of IPsec VPN peers.
Who's right?
I say if you want an unlimited number of users on the inside to be able to get to the internet, you need the ASA5505-SEC-BUN-K9
I am using ASA5510, and I would like to know if we should reset the number of Hits for ACL ? Actually this number increase in front of each ACL. Is there any specific configuration ?
Recently i bought asa 5505 to practice for my exams and i failed to connect to internet since my internet provider binds IP and mac for every users and supports only 6 group mac address (xx-xx-xx-xx-xx-xx) format. because asa 5505 has 3 groups (xxx-xxx-xxx) mac address they are unable to provide me the connection.So my question is how can i assign 6 group mac address to asa5505.
i wounder why i'm getting such log message whenever i'm trying to reach my remote site: No translation group found for tcp src outside XXXX dst dmz ZZZZ, i have a Cisco PIX515E firewall and that message is captured there, the traffic is going through a VPN tunnel (the VPN are up on both ends)
We are having ASA 5550 running on 8.0(5)23 IOS. We are having 2 failover groups group1 & group2. currently all contexts are on group1 & its active & Group2 is in BulkSync mode but from last 2 days the failover for group 2 is happning, i am not able to find anything in logs. Its happing daily from 2 days.
i have fwsm in cat6500, i have one firewall vlan group which is in firewall module 1 vlan group 10. I need tocreate another vlan group and add to firewall module 1 vlan group 10, 20. i need to have zero downtime.
I understand on older IOS codes If the same hsrp group number is assigned to multiple standby groups, it creates a non-unique MAC address. Is this true on newer codes like 12.2(52)SE for 3750 & 3560?
Is there a cisco best practice on the maximum number of NAT statements on a Cisco ASA? We have a 5520 and a coworker is adding static NAT policies so a vendor can monitor around 1,029 nodes. The problem is each node inside is a 10.X.X.X and to keep the IPs from overlapping with other customers the vendor monitors they would like us to NAT to a 172.16.X.X scheme.
On my Pix515E ASDM console I quite often see large surges in the total number of connections. I would like to find a convenient way to see what (or who) is causing this.
The command Show Local gives the answers but it returns details of each connection and I can't see a way to omit the detail. Show Conn Count just gives the total. Ideally I would like to get a summary of the number of connections (TCP/UDP) for each inside host.
On a related matter I have used........
static (inside,outside) 12.34.56.00 2.34.56.00 netmask 255.255.255.0 tcp 400 100 udp 200 ..........to limit the number of connections to a subnet.This works and I see errors in the syslog when the limit is exceeded but when I change the limits and apply the changes, the syslog errors still show the previous limit being reached. How can I make changes to these connection limits take effect (without reloading the Pix)?
Error message 305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.16/53 305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.166/53
[Code]....
I thought it needed a nat (c_dmz) command but I got the following error message
PIX(config)# nat (c_dmz) 0 0.0.0.0 0.0.0.0 0 0 nat 0 0.0.0.0 will be identity translated for outbound WARNING: Binding inside nat statement to outermost interface. WARNING: Keyword "outside" is probably missing.
For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.
This is the current config relative to the 10.1.55.0 subnet:
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0 access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0
[Code]....
As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.
What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?
