Cisco Firewall :: PIX 515E HSRP Gateway Failover Not Working
Feb 12, 2012
Turned up a new colo service last week using some PIX 515E firewalls and two Cat 2950 series switches. I have attached a diagram of the layout which I have used elsewhere with good success. Basically I have two switches connected together via port channel (2 ports). The colo facility gives me two HSRP enabled links, of which I plug one into switch A and the other in switch B. The PIxes are a failover pair with the primary plugged into the same switch A as the primary HSRP link.The backup PIX is plugged into the backup switch where the backup HSRP link is. When I unplug the primary HSRP link the PIX can ping the HSRP gateway still, but nothing beyond that. Nothing gets it to work until I plug the link back in.
The only thing I could see that might cause an issue is the 'ip verify reverse-path' command on the PIXes. But even the switches cannot ping out beyond the HSRP gateway. Just seems like all inbound routing stops. I am not sure what the colo facility has going on their side but it seems like they are using just some Cisco 6509s and doing HSRP between them. Seems pretty simple but so far this is proving un-usable as is.
The PIX BTW just uses a default route to the HSRP gateway.
View 3 Replies
ADVERTISEMENT
Nov 12, 2012
We have two Cisco 3560E layer 3 switches at the core of our network. The switches are configured as an HSRP pair and the clients on our network point to the HSRP address as their default gateway. So if CORE-A dies, then CORE-B will pick up the address and the default route for the clients will continue to be available.We also need to specify a few static routes on the core switch to allow us to get to specific networks. Is there a way to do this so that the routes failover in the same way that the default gateway does?
View 2 Replies
View Related
Mar 6, 2011
I am looking to change my Failover Int IPs on my PIX 515E Bundle, Cisco PIX Firewall Version 6.3(5)123 with the least impact on the network.
For example:
interface ethernet5 "state"
IP address 172.18.0.245, subnet mask 255.255.255.252
ip address state 172.18.0.245 255.255.255.252
failover ip address state 172.18.0.246
I want to change these lines to .....
interface ethernet5 "state"
IP address 172.18.0.185, subnet mask 255.255.255.252
ip address state 172.18.0.185 255.255.255.252
failover ip address state 172.18.0.186
View 3 Replies
View Related
Apr 16, 2012
Is there a way to wipe a 515e clean and get ride of the Failover Only license and just have a basic licesne loaded? I got this off of ebay and I guess I missed where it said Failover Only, and I would really like to use it.
View 2 Replies
View Related
Apr 2, 2011
Currently, my customer has 2 units of Cisco PIX 515E running on Active/Standby mode. As for the heartbeat link, there are 2 dedicated switches placed in between both the Cisco PIX 515E i.e. FW1 --> SW1 --> SW2 --> FW2.
My customer will be changing both the Cisco PIX 515E to Cisco ASA 5510. Now, they are asking me, since they will be using Cisco ASA 5510 eventually, can the heartbeat link be a direct UTP cross cable or must the 2 switches in between still exist?
I remember I have tested this before, few years back, in the event I were to pull out the UTP cross cable that's connecting both the Cisco ASA 5510 Firewalls directly (without any switches in between), the Active/Standby mode still works fine. It doesn't go bad whereby both the Cisco ASA 5510 suddenly becomes Active/Active, and causes network issue.
Are switches required for the heartbeat link in a Cisco ASA environment or can a direct UTP cross cable connection be adequate.
View 3 Replies
View Related
May 21, 2012
I've been struggling to get ASDM (PDM) installed and running on my PIX 515e. The PIX IOS version is 7.2.4(30) The ASDM version I've copied to flash is 524.
I've followed the Cisco documentation verbatim, however I still cannot connect via the Java ASDM client or via http. When I try to connect via http, my PIX shows the following error: "tcp access denied by acl from..." I do not this this is a security (ACL) issue as I've tested after opening everything up and still no luck.
Here's my running config (w/ the relevant statements prepended with ">>>"):
show run
: Saved
:
[Code]....
View 14 Replies
View Related
Jan 3, 2012
I have a PIX 515e (8.0 (2)) and 1841 router (12.4(25)).I had the following setup working without issue:
[Internet] <-----> PIX <-----> 1841 <-----> [LAN]
I then tried to introduce VLANs and now I can not reach the Internet from the LAN. It seems that no nat translations are taking place.
-I can successfully ping the LAN from the PIX.
-I can successfully ping the Internet from the PIX.
-I can successfully ping the PIX inside_lan interface from the router
-I can not ping the outside interface from the router
-I can not ping the Internet from the router
I introduced the LAN side VLAN first and everything still worked. However, once i introduced the VLAN between the router and PIX, things have broken down. [code]
View 2 Replies
View Related
Aug 22, 2011
I need to redo the configuration on the new one?
View 11 Replies
View Related
Sep 6, 2011
When we had 8.2.2, we bought a Mobile license to make the iPads running AnyConnect happy. I applied it, but since we'd only purchased one license, it broke failover. 8.4 lets you share tracking licenses, and since we were planning on the upgrade to 8.4.x anyway, I figured no big deal, I'll get that straightened out when I do the upgrade.
Did the upgrade this weekend, and I still can't get things happy, the boxes don't see one-another:
Here's a show failover on the primary:
Failover OnFailover unit PrimaryFailover LAN Interface: failover GigabitEthernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1Monitored Interfaces 6 of 160
[Code].....
View 3 Replies
View Related
Jan 27, 2011
i am trying to find out if it is possible to have a translation rule fail over to a second server if the primary is down on my cisco pix515e.so for instance having an external ip address of 82.x.x.x mapped to an internal ip of 10.x.x.1
If 10.x.x.1 is down then 82.x.x.x should be mapped to 10.x.x.2.The reason i am asking this is i also have 2 css11501 load balancers and would like to have our staging servers primarily sat on one with secondary connectioin to second, production on the other failing over to each other if one is down. The load balancers will be connected to different ports on the same firewall.
View 1 Replies
View Related
Mar 26, 2012
I have 2 C2811 ISRs runnning c2800nm-advsecurityk9-mz.124-15.T17.bin and having on board: 1 Virtual Private Network (VPN) Module.is it possible to enable IPSec stateful failover (or switchover, SSO) between these boxes? I get different infos from Cisco sources. url...All commands were accepted, but failover doesn't seem to be statefull (I loose connection for few seconds and VPNs are reestabilishing)
View 5 Replies
View Related
Sep 8, 2012
Below is a basic image of the HSRP and backup link setup for our LAN.
The virtual IP 192.168.178.50 resides on the primary router and fails over to the backup router. Internal default gateways for the switches are set to 178.50.
Switch1 is Layer3 and has two static default routes configured as:
ip route 0.0.0.0 0.0.0.0 192.168.179.50 track 1 - - - (interface line-protocol track)
ip route 0.0.0.0 0.0.0.0 192.168.178.50 2
And the primary router has a static route out 179.50 which tracks the interface (route goes down if interface is down), and a backup static route.
ip route (internal LAN) Gi0/1 track 1 - - - (interface line-protocol track)
ip route (internal LAN) Gi0/2 2
Everything works fine. If the primary router fails, Switch1 tears down the route across Vlan179, HSRP fails over the IP to the backup router and routing continues as normal. If the link across Vlan179 fails, the routers tear down the primary routes and again, things continue as normal.
The problem comes when the primary WAN link fails but the router remains up. This means the default route is still across Vlan179. Normally, Id set an IP SLA on Switch1 to track the WAN link BUT Switch1 only has the BASE IOS and the company wont pay for the Advanced IP IOS so I dont have IP SLA as an option.
How can I get the static default route to failover in the event that only the primary WAN link goes down?
View 12 Replies
View Related
Jul 11, 2012
If we switch from primary to secondary firewall the interfaces on the secondary go to state waitung than to failed. after awhile the secondary gives the control to the primary.
it seem that traffic passes the secondary firewall during this short failover time . we have several context created on the firewall, Switch Ports checked , cabeling check everythink checked
blackhole Interface inside (10.255.102.134): Normal (Waiting)
blackhole Interface shared (10.255.102.134): Normal (Waiting)
blackhole Interface inside (10.255.102.133): Failed (Waiting)
blackhole Interface shared (10.255.102.133): Normal
blackhole Interface inside (10.255.102.133): Normal (Waiting)
blackhole Interface shared (10.255.102.133): Normal
View 5 Replies
View Related
Jun 23, 2011
I have ASA 5510 connected as shown in attached diagram.Ideally when ASA 1 is active and if I boot Switch-1, ASA-2 shood take over. But that is not happening.When I boot SW1 , ASA-2 shows "Failover LAN Interface: failover Ethernet0/0 (Failed - No Switchover)" and remains standby.Fail over works properly If ASA-1 boots.
View 7 Replies
View Related
Feb 27, 2013
I have two Cisco ASA 5510s that I would like to configure in an active passive failover setup. The ASAs are at the top of our rack and handle all our routing. We have been only using one ASA unit with one line from our ISP connected to the WAN/outside interface of the ASA. We recently had our ISP setup two lines into our rack using HSRP. I do not know what equipment they are running upstream of our ASAs but it is HSRP so it should be a set of Cisco routers/switches. Originally I thought I could just connect the 2nd new line to our 2nd ASAs WAN/outside port and setup failover using a crossover cable between the ASAs. After doing this config I had problems accessing some of our IPs in the subnet that the HSRP is part of. If I disconnected the 2nd ASAs WAN/outside line everything was fine. After talking with my ISP they explained that I need to connect both of my lines into our L2 network and then from there into the ASAs. Currently below the ASAs I have two Catalyst 3560-X switches. They are connected together with an ISL trunk and ASA-1s inside network connects to switch-1 and ASA-2 to switch-2. One idea was to connect each of the HSRP lines to each of my current switches and then from the switches to the ASA's WAN/outside interface. Finally back down from the ASA's to the switches via the inside interface that we have currently. This kind of seems messy and a poor choice. The other idea is to get two switches that would sit above the ASAs and connect the HSRP lines to them with the switches connected together. They would then connect to the ASAs. I like this idea better but I don't like having to buy two more full switches for this. These switches would only use a couple of ports and only handle just the HSRP ISP lines to the ASAs. Putting in two more 3560-Xs would be a big waste of money and space for this. So I was thinking of using two Cisco SG200-08, 8 port gigabit basic managed switches for this.
View 5 Replies
View Related
Apr 25, 2012
I have pix 515e locate in office w/ IPSec VPN service ,that just for out of Office to access email
I wanna know how to config the VPN user thru the office Internet to access the web
Such I'm in china to access Facebook while I connected the VPN
View 0 Replies
View Related
Apr 18, 2012
we are planing to run HSRP on our Nexus 5ks (with L3 card) and we use VPC to connect the downstream UCS - Fabric Interconnects to the 5ks. I was wondering if the peer-gateway command is required under the vpc domain config? When you use HSRP with VPC, both the active and standby HSRP peers can forward layer3 traffic, isn`t that the same that peer-gateway would achieve?
View 1 Replies
View Related
Apr 17, 2012
I m a Network engineer in company, we have around 800 users in the office.Below is the details of my network infra.We have 4506 chasis with IOS version of 12.4 (44r) SG3HSRP is configured for redundancy.HSRP is configured on VLAN besis
The problem that HSRP is not working working properly, When my active VLAN goes down, Standby VLAN act as a Active VLAN but traffice is fail to route trought that VLAN and i m not able to ping another vlan from that VALN.
View 20 Replies
View Related
Apr 5, 2012
We have 2 access switches (3750s) that are both attached to a pair of Nexus 5548UPs with L3 cards over VPCs. Access switch (AC1) terminates our 4402 WLC. The WLC services 4 WLANs and connects to the access switch with a single trunked port. Access switch 2 (AC2) terminates an 1131AG lightweight AP. The WLAN is 10.1.1.0/24 on VLAN 300. Router 1 (R1) VLAN 300 IP is 10.1.1.2. Router 2 (R2) VLAN 300 IP is 10.1.1.3. R1 is the active router for VLAN 300. The standby IP for VLAN 300 is 10.1.1.1. The VPCs between both access switches and the router pair are functioning correctly and trunks are wide open (no pruning).
Wireless clients get a DHCP address from a server on another VLAN. Those addresses get handed out just fine.
Wireless clients can ping 10.1.1.3 (R2). They cannot ping 10.1.1.1 (standby address) or 10.1.1.2 (R1).
I took captures from the WLC and I see the ARP requests and replies from wireless clients to their gateway (10.1.1.1). I took another capture directly from the wireless clients themselves. From there, we see the ARP requests, but never the replies. If I create a static ARP entry on the client, it can ping the gateway just fine.
View 5 Replies
View Related
Jun 13, 2012
I have an Pix 515E firewall with Pix724-33.bin IOS. I just want to know that does this IOS support SNMPV3 or I will have to upgarde it with some other version.
View 1 Replies
View Related
Jan 16, 2013
Ive got a problem with passing traffic through a Cisco 515e firewall.im trying to telnet to devices on the inside net, 172.16.x.x fom an outside net 10.x.x.x? ive configured a group called infrastructure and added the 10.x.x.x addresses.ive configured acl 101 inbound on the outside interface:
access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
theres a route to the inside net:
inside 172.16.0.0 255.255.0.0 172.16.163.1
and theres a translation:
static (inside,outside) 10.4.4.34 10.4.4.34 netmask 255.255.255.255
when i try and connect, using a packet capture I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface but i cant see the traffic leave the outside interface ive used the same group infrastructure group before to connect to VM machines on the 172.x.x.x net on RDP and this wrks ok. access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389
View 8 Replies
View Related
Nov 25, 2012
I am trying to set the PIX firewall to transparent mode.After I set it to transparent firewall, I allowed all icmp, tcp, udp traffics.Currently, any devices in the inside network can get the ip automatically from DHCP server in the outside network but cannot ping to any servers in the outside network either access the internet.Do I need additional confiration on the firewall?
Here's the configuration:
PIX Version 7.0(1)
firewall transparent
names
!
interface Ethernet0
[Code]....
View 1 Replies
View Related
May 20, 2013
I have Pix firewall 515e on inside interface its has configured with IP 192.168.0.254.And Global Nating is configured.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
I want i configured Global nating only for only specific IP address E.g 192.168.0.0-192.168.0.30 and 192.168.0.200-192.168.0.254?How i do this?
View 13 Replies
View Related
Oct 6, 2012
I have the following network.2 WAN links termination on my PIX 515e and all internal users connected to third interface.
Problem I am facing is that I have assign manual IP to users with some have full access to Internet while others have limited.
The users are changing their IP address while others are offline and I want to restrict them.
The only way I can think off is by binding IP to MAC as e.g ( Active wall software). But can it be done on PIX 515e and if so how?
View 11 Replies
View Related
Mar 24, 2011
Below is the config has done on my 881g but the dual NAT failover is not working.I have a easy vpn over NAT (easy vpn firewall: 10.10.10.2 behind the router).
1. After completed the config, I shut down the FastEthernet4, cleared the nat translations, found that nat translations are happening on to Cellular0 with error ( Incomplete ESP translations: 0 esp_conn=0x85A91FF0, hanging off nat entry 0x85A7D1D0)But still the easy vpn is not up as I am not able to ping the remote devices.
2. If I reboot the router then the nat translations are happening with no above error and easy vpn is up and I am able to ping the remote servers. Below is the config, what needs to be done to achieve the NAT failover and easy VPN up.
interface FastEthernet4 bandwidth 2048 ip address 206.206.206.2 255.255.255.240 ip flow ingress ip nat outside ip virtual-reassembly duplex auto speed auto interface Cellular0 ip address negotiated ip nat outside ip virtual-reassembly encapsulation ppp dialer in-band dialer string gsm dialer-group 1 async mode interactive ppp chap hostname. [code]
View 5 Replies
View Related
May 1, 2012
We have 2 ACEs configured as Active/Standby. FT vlan is configured directly using a crossover cable , not using a switch for the FT vlan.ACE is setup in routed mode ,vlan 29 is client vlan and 28 is server vlan ,both are being trunked on ACE-- trunk 3750 switch.
When I shutdown the port on 3750 for the primary ACE , data connectivity wise ,primary ACE is down ,but the secondary is not taking over ,and also when I do sh ft group status on the secondary ACE,I see the status of STANDBY_HOT and the peer state: ACTIVE.
View 5 Replies
View Related
May 13, 2012
I have erased the Cisco image from my PIX 515E, and while i tried to load a new image its asking for activation key. I tried its old key. but no use.
View 1 Replies
View Related
Sep 5, 2012
I have a PIX 515 Ewhich does authentication for SSH via RADIUS protocol and fails over to the local database if radius server goes offline. But when the radius server comes back online, authentication still takes place through LOCAL and not the radius server. Following are the commands:
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
[Code].....
View 3 Replies
View Related
Dec 15, 2011
\I just configure my PIX 515E with version 7.0(4) and having problems to get traffic out on eth0 (if name outside). There is no problems between different VLAN ,all VLANs are configure on eth1. It is also possible to accass services on VLAN 10 (DMZ) from outside. The only thing I see in syslog is "Built Outbound" and "Teardown".
View 11 Replies
View Related
Dec 30, 2011
I have a Pix 515E running PixOS version 8.0.4 with two interfaces, inside and outside.On the inside interface, I have a Redhat Enterprise Linux 5.4 64 bits machine as an NFS server version 4 (NFSv4).On the outside interface, I have three (3) Redhat Enterprise Linux 5.4 64 bits as NFS clients.I am looking for the exact UDP and TCP ports to be added to the ACL in order to accomplish
View 1 Replies
View Related
May 15, 2012
I need ot upgrade a Cisco PIX 515 E to A Cisco ASA (not sure what type and modle yet!). the PIX currently has about 80 lines of ACLs and no VPNs. So only inside and outside interfaces and 80 lines of ACLs to be transferred over to the ASA.I was wondering if the ACLs can be transferred over to ASA as is?is there anything that I need ot watch for?
View 1 Replies
View Related
Jun 30, 2011
I have an issue in the Cisco PIx 515e series. The IOS is 6.1(2).I have set sepecific access-list to allow incoming traffic to inside interface. But still the TCP 3-way handshaking is dropped here. [code]
View 6 Replies
View Related
Oct 22, 2012
What would be the access-list entry to allow protocol 97? I am setting up foreign-anchor controller and need to allow protocol 97.
View 1 Replies
View Related
