Cisco Firewall :: Option For ASA55xx - To Install Csc-ssm And Aip-ssm IPs Modules
Jul 19, 2012
Is there any option available in any of the Cisco ASA55xx series models to install both CSC-SSM and AIP-SSM IPS modules? If so, is it advisable to install both? Does the throughput of the IPS module have any dependency on the ASA chassis throughput?
Oct 18, 2012
I would like to understand something about the behaviour of the ASA with our traffic scenario and the management of TCP sessions.
1) In particular we noticed that we have connections with the FIN flag without any acknowledgement. The session is silent (the byte counters aren't incremented) but it remains in the session table as an established connection with the idle timeout of an established conn.
We have about 20% (60K on 300K total) of conns in this state: in our eyes it seems to be incorrect behaviour...
TCP OUTSIDE 62.149.128.151:110 INSIDE 10.254.158.12:61527, idle 0:11:36, bytes 433, flags UFIO
TCP OUTSIDE 17.151.0.200:443 INSIDE 10.254.229.94:52367, idle 0:01:25, bytes 4597, flags UfIO
TCP OUTSIDE 184.169.79.33:443 INSIDE 10.255.249.146:60143, idle 0:10:39, bytes 5590, flags UFIO
TCP OUTSIDE 157.55.235.158:80 INSIDE 10.170.37.102:62421, idle 0:00:53, bytes 1770, flags UfIO
2) On the connections considered as half-closed we have received an ack to the fin (r or R flag is present). We would like to set the idle timeout to a value lower than 5 minutes but we were not able to reach that result.
timeout pat-xlate 0:00:30
timeout conn 0:10:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
!
access-list timeoutClass extended permit tcp any any eq www
access-list timeoutClass extended permit tcp any any eq 8080
class-map timeoutClass
match access-list timeoutClass
class timeoutClass
3) And this type of conns with a FIN on both sides that I'm not able to understand... with an ack on one of the sides, how can I have the other fin?
TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51236, idle 0:11:28, bytes 10536, flags UfFIO
TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51234, idle 0:12:22, bytes 9070, flags UfFIO
TCP OUTSIDE 88.40.119.73:36962 INSIDE 10.255.93.162:36875, idle 0:13:27, bytes 3562, flags UfFIO
Mar 25, 2012
Is it possible to install Content Security and Control (CSC) modules on an ASA 5505? Or are AIP SSC-5 modules the only modules that can be installed on ASA 5505s?
Apr 23, 2013
I want to collect the logging messages about the asa5525x IPS events from devices to a server running a syslog daemon, and I have no need to collect any other logging messages about the firewall. How would I configure the logging?
Feb 7, 2011
I'm looking at the ASA 5550 product. Part # ASA5550-BUN-K9 - Cisco ASA 5550 Appliance with SW, HA, 8GE+1FE, 3DES/AES
1) Does the 5550 contain built-in CSC / IPS modules? I'm asking because the "quick reference guide" indicates that expansion slots are not available.
2) Can the ASA 5550 natively protect against network attacks, viruses / worms etc. without a CSC or IPS module?
May 25, 2011
I will be using a CGR2010 and want to use the zone firewall option. Can I configure sub-interfaces on the same main interface to be in different zones?
Feb 6, 2012
I am looking to add the IPS module to my ASA 5510s. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will lose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
Oct 23, 2012
understanding clear about new Cisco ASA 5515-x, 5525-x. I know that this device supports IPS which is included in this appliance without any additional modules. But can this box support IPS and content-filtering (Cisco ASA CX or so..) at the same time?
The next problem: can two ASA 5510s with different modules (in one AIP-SSM and in the other CSC-SSM) be in an active/active failover design?
Dec 12, 2012
I want to disable the telnet option/feature on an ASA 5510.
I tried no telnet alone; it won't work as I didn't configure any telnet at all.
Oct 21, 2012
How to configure ASA not to drop packets with ip option 7 (record route)? According to the docs, ip inspect ip option will drop all ip option packets except 0,1,and 20 (EOOL, NOP, or RTRALT):
"If an IP header contains additional options other than EOOL, NOP, or RTRALT, regardless of whether the ASA is configured to allow these options, the ASA will drop the packet. "
Also, policy-map type inspect ip-options treats only these 3.
Aug 28, 2011
I have a PIX 515. From time to time the firewall starts rebooting with an invalid flash error. I found erasedisk.bin on the internet; after that I can't load the pix532.bin IOS file, and other pix***.bin files are not working. The only file I am able to load is pix508.bin. It starts asking me for an activation number before install. I have a previous activation number for IOS version 5.3.2, but this number is not correct.
Feb 19, 2012
I want to know if it is possible to install IOS 8.3(2) and ASDM 6.3(1) on a 5505 firewall which has 512MB of RAM and 128MB of flash. I installed it, but according to the Cisco page it can't. Maybe it could work badly?
Jul 27, 2011
I have a Cisco 2800 router; the IOS image is (c2800nm-spservicek9-mz.124-6T5.bin) (IOS Version 12.4(6)T5). I want to install a firewall.
Apr 16, 2013
Is there an easy way to install an SSL certificate on an ASA, rather than enrolling with a public CA? ASDM has a place to import certificates. Can I just upload an SSL certificate I got from my CA to the ASA, without setting up CA enrollment? And if yes, how can I generate an SSL certificate request from my ASA 8.2?
Jul 5, 2011
I have a customer that has an asa5505 who purchased the ASA5500-SSL-25 license. He is now going to replace/upgrade to a 5510. Can he just install the license on the new ASA, providing that he gets some trade-in on the 5505? Does he have to purchase it all over again?
Feb 18, 2013
I'm installing a new pack of signature on my IOS Firewall. This is what I'm doing
1.- Upload the .pak file on the flash memory.
2.- Install the package with the command copy flash:IPS/IOS-S636-CLI.pkg idconf. When the installation finishes it doesn't bring any error, but when I enter the command sh ip ips sig it says S0.0
Mar 26, 2013
We got this software from Cisco and we need to set this up in our network to manage the firewalls. I need to know: is this software used to centrally manage the firewalls? Also, how can I find out how to set this up in our network? I assume we will first install this software on a server, right? Can it be a Windows server? The second thing to know is what config changes we have to make on the existing and new ASAs so that they can be managed centrally. Also, where will I get the documents that tell me how to set up/install this software?
May 19, 2011
I just installed a new ASA 5505 for an office with three internal subnets. The three networks can each get online fine and ping each other, but cannot browse to shares on the two internal networks other than their own. How do I configure the ASA to allow all traffic between these three inside networks?
192.168.152.0
192.168.152.0
192.168.154.0
[code]....
Mar 6, 2011
Using ES2 enhanced etherswitch modules? Could not find out whether it functions identically to the NM-16ESW or not. I do understand that the ES3 module acts like a separate device connected to the router chassis via an internal interface and has its own configuration file and processor resources similar to older NME-16ES modules. What about the ES2 card (e.g. SM-ES2-24)? Does it work as a separate L2 switch connected to the router chassis via a trunked internal interface, or does it integrate into the router like the older NME-16ESW module did? Is it possible to turn its ports into routed mode (no switchport) and use them for L3 forwarding with routing protocols such as OSPF?
Sep 25, 2012
How many NM modules can be inserted into a Cisco 2821?
May 1, 2013
Does Cisco LMS v3.2 support IPv6 in all modules? We will be migrating from V4 to V6 some time from now.
Apr 1, 2012
I would like to know which 2T (like WS-X6848-TX-2T, WS-X6908-10g-2T,...) modules are supported with LMS Prime 4.1 and 4.2.
Feb 15, 2012
In a 6500 or 7600 a 'show module' gives a run down on all the modules in the slots, their HW and SW versions and status. But I can't find a similar command in the ASR1006.
Nov 30, 2011
Looking for a show command to display the actual physical RAM modules inside a 2911 router. I believe they come with 2x RAM slots and I need to know if it has 1 RAM stick or 2. show version displays the total amount of RAM, but not if it's 2x128 or 1x256 etc. This is also production gear so I cannot open it up and have a look until the scheduled downtime.
Nov 29, 2011
I have a 6506 with SUP1 MSFC2, running IOS. [code] However, it's not able to detect the switch module. [code]
Mar 18, 2013
I am facing some issue activating SPA-5X1GE-V2 modules on an ASR 1006.
Jul 11, 2011
We had some issue with Datacentre ACE modules. Both primary and DR ACE modules got restarted with a 16-hour difference. Unfortunately Syslog was not configured on the ACE and local logging got cleared after the restart. The current IOS version is A2(3.2). The modules' uptime was around 300 days. Here is the log from the 6509 switch during the restart. [code]
Aug 14, 2011
We've recently bought a cisco asr 1001 Router and I have a number of interface slots. I want to populate these with fiber modules.
Which fiber modules are compatible? Are the regular SFPs ok to use or is there a special asr series of SFPs to use?
Sep 3, 2011
I have a plan to replace the old routers which are EOL/EOS, and I configured the new routers (2921) and modules in Cisco configurator, but I'm stuck with the IOS feature set. The old routers are running the IS-IS protocol; which IOS feature set do I need to select for the 2921 to get the IS-IS feature?
Dec 10, 2012
I recently purchased a Cisco 5508 WLC and I'm looking to buy some SFP modules but can't find info on Cisco's website about which ones would be compatible with the controller. Is there any module that can support 10Gb, as I have a 10Gb on the other end (switch end)?
Jan 15, 2012
I had already posted for voice modules for cisco 2811 but not able to find it. But here are a few questions regarding i
1. I am trying to configure a Cisco 2811 with FXS ports. I am using an NM-HD-2V with a VIC3-2FXS. I am using the right modules. Also I believe we need PVDM modules installed in the NM-HD-2V. We have PVDM-12 modules. Will that work or is the 2811 compatible only with PVDM2-xx modules?
2. We are also trying to configure a cisco 2811 with PRI port. We plan to use an NM-HD-2V and a VWIC-1MFT-T1/E1. If they are correct and if we need only PVDM2-xx modules.
3. Also we are trying to configure a cisco 3845 with PRI and we plan to use the same as in 2811 that is NM-HD-2V, VWIC-1MFT-T1/E1. And here also we are not sure if we need only PVDM2-xx DSP modules.
Feb 7, 2013
I have a WS-C4510R+E with
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1     48 10/100/1000BaseT Premium POE E Series  WS-X4748-RJ45V+E   CAT1612L1JD
 2     48 10/100/1000BaseT Premium POE E Series  WS-X4748-RJ45V+E   CAT1612L1JW
 3     12 10GE SFP+                              WS-X4712-SFP+E     CAT1622L0SC
 4     12 10GE SFP+                              WS-X4712-SFP+E     CAT1622L0RM
 5      4 Sup 7-E 10GE (SFP+), 1000BaseX (SFP)   WS-X45-SUP7-E      CAT1620L1UJ
 6      4 Sup 7-E 10GE (SFP+), 1000BaseX (SFP)   WS-X45-SUP7-E      CAT1620L1Z2
Can I add two WS-X4712-SFP+E and two 10 GE ethernet modules also?
Is there a 10GE ethernet module for the WS-C4510R+E?
Dec 11, 2011
I've seen a lot of things I want to and need to fix to get our network more secure but my first order of business is Visio diagrams of the old network and projected diagrams of the new network when we move to our new DC next Saturday. I've made maybe 1 diagram on my own thus far and have edited a few. I want to create physical and logical diagrams but I'm not quite sure what to include and what not to include on either since I haven't seen a wealth of diagrams up to this point in my career.
1st question: Does anyone know where I can get visio stencils of IPS modules for ASA 55xx series? Didn't see them on Cisco's stencil site or with a google search
2nd question: Our network is setup like this... A stack of 3 3750s act as our "Core" and have a 2 port etherchannel to every layer 2 2960 switch (15) in the network. In a physical diagram, 30 links would make it a little busy, hell even 15 links represented as the etherchannels would be busy