Cisco Firewall :: Pix 525 Configuration - Regular Or Redundant Interface
Feb 14, 2012
I am configuring a pix 525,i just found out how to activate the subinterface on it so that's good,the box has a primary unit and secondary unit, both are connected from G0 to redundant switches,if i do a show failover, it says it's using the serial based lan failover, which is fine by me,however, do i need to create a single, regular interface.. or a redundant interface?,i.e. if i create a regular subinterface, will failover still apply to this interface?,or for failover to work, do i need to create a redundant interface (with a redundant id)? i do not seem to have the option to create a subinterface when adding a redundant interface.
View 7 Replies
ADVERTISEMENT
Aug 14, 2012
I have configured redundant interface on ASA 5510
interface Redundant1
description *** INSIDES NETWORK ***
member-interface Ethernet0/1 (This is a 1000Mbps Port)
member-interface Ethernet0/2 (This one is 100Mbps)
no nameif
no security-level
no ip address
[code]....
Then... i issue following command and its OK!
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
[code]...
It's transfer correctly then i no shut and back to normal Primary core switch Gi0/30 Interface again, BUT redundant interface no revert back. I issued this command again BW remain 100Mbps.
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
[ code]....
I did manually shut down and no shut the secondary core switch interface Gi0/30 Its changed correctly to 1000Mbps .
View 1 Replies
View Related
Oct 16, 2011
i have a Cisco ASA 5520 8.4(1) with a ASA 5520 VPN Plus license
i want to use the management interface as a regular interface (using the no management-only command)is this interface a Gig interface as well ?
View 1 Replies
View Related
May 8, 2011
I have two ASA 5540s, ver 8.4 configured in Active/Standby failover.I am also using the redundant interface feature for my Inside interface. Gig0/0 is the active primary and Gig0/1 is standby.
I will activate failover monitoring of the Inside interface using the monitor inside command.
My question concerns the failover monitoring of the redundant interface. If the gig0/0 connection were to fail would the Gig0/1 interface become Active, AND simultaneously result in a full device failover?
Or, does Gig0/1 of the Inside interface redundant pair simply become active and not change the Inside interface device failover state? Thus NOT resulting in a device failover.
View 1 Replies
View Related
Feb 24, 2012
Does OSPF work between a VSS L3 MEC & an ASA Redundant Interface? Both 6509 are in VSS and a L3 MEC is formed to the ASA.Both ASA ports are a part of a L3 Redundant Interface. Please note there is only a single ASA in this topology. [code] Now, the OSPF neighboring does occur and go into the FULL state on this device, however soon enough, the state enters INIT/DROTHER state.But as soon as I disconnect the physical connection 6509(Standby) The OSPF adjacency goes into FULL mode.
View 5 Replies
View Related
Jul 2, 2011
I have attached a pdf of an example of a FWSM configuration with shared interfaces. Now what I dont get is (please refer to the link) url...Is there any difference between the natting that they have done on page B-4 on Context A.as opposed to configuring a static NAT for processing traffic to correct context nat(inside,outside) 209.165.201.0 10.1.2.0.The other question is on page B-2 (diagram) Context A has a customer A network linked to the inside interface. Is it possible to put a default route towards that "Network 2" cloud and restrict traffic from the 6509 switch towards the context A?
View 5 Replies
View Related
Mar 19, 2013
We are running ACE 20 modules in highly available active / standby (all active contexts on one module) mode. Currently they are on A2 (2.4) version. We are going to upgrade them to A2 (3.6a). The question is that how ling can we run them in two different SW levels? In otherwords can we have few days between upgrading both modules?
View 1 Replies
View Related
Mar 9, 2012
I have two switch SG300-10 that need to be interconnect togheter with a simple redundant "cable fail safe" configuration.My idea is use the two uplink copper port of the first switch, connected to the two uplink copper port of the second switch.
How to create a working setup configuration? The first setup that i need, is with only one VLAN1 for all ports,
The second setup is with the VLAN1 assigned to the ports 1-2-3-4 of all the two switch, (linked togheter by uplink ports)
and the VLAN2 assigned to the ports 5-6-7-8 always linked togheter with the same uplink ports.
Is possible use the two uplink port at the same time, as cable fail safe? or use a uplink port 1 for the first group and the second uplink port for second group?
I need to use this configuration for audio cobranet transport, and i need to test the correct configuration for the primary and secondary audio stream, if can work togheter on the same VLAN or i need to separate the two stream, from start to the end.
View 1 Replies
View Related
Feb 19, 2012
have 2 inside networks:
object network INSIDE_10.6
subnet 10.6.0.0 255.255.0.0
object network INSIDE_192.168
subnet 192.168.0.0 255.255.255.0
I grouped these 2 into 1 object-group:
object-group network INSIDE
network-object object INSIDE_10.6
network-object object INSIDE_192.168
Public IP address used for PAT:
object network PAT
host 152.x.x.x
I used the following statement to create Dynamic PAT to public IP address:
object network INSIDE_10.6
nat (any,any) dynamic PAT
object network INSIDE_192.168
nat (any,any) dynamic PAT
Is that correct? Also I'm using one public address to PAT both inside networks. Is there any dvantage of using 2 different ones, so each inside network would be PAT to its own address?
View 1 Replies
View Related
Jun 18, 2011
I have already raised this discussion on "LAN, Switching and Routing" group. But I guess this is the right group for my queries. So I am sending my queries in this group again.
We are using CSS 11503 with one 16FE line card. We have connected 3 servers with redundant link. So FE1-2 in Server1, FE 3-4 in Server2 and FE5-6 in Server3. Our system team has configured APA in their servers as they are using HP-Ux.
1) Do we need to do any configuration at line card.
2) Do we need to do ether-channel at loadbalancer end. if yes, can you share me any cisco doc on how to do it.
View 1 Replies
View Related
Oct 2, 2012
I have a ASA 5510, it does webfilter using regular expression. [URL]
I block ".facebook.com" and it was successfull. But somehow other users is using https to access to FB. how do i filter HTTPS?
View 5 Replies
View Related
Dec 4, 2012
I am having an issue with a specific server that is not reachable from other sub nets. Every other device on the same sub net as the server is reachable via the other sub nets. This server is special because it's NAT'd to an external IP address and has several site-to-site VPN's set up. The firewall is a Cisco ASA 5510.
This is the error I see on the ASA syslog when I try to ping the server from another sub net: 3 Dec 05 2012 10:58:49 10.0.15.101 regular translation creation failed for icmp src inside:10.0.20.8 dst inside:10.0.15.101 (type 0, code 0)
The problem server is on sub net 10.0.20.0/24 and the server IP address is 10.0.20.8. Every device on the 10.0.20.0/24 sub net can hit the server, but devices on other sub nets cannot. For instance, a device on 10.0.15.0/24 cannot reach 10.0.20.8, but can reach other devices on 10.0.20.0/24.
View 1 Replies
View Related
Feb 24, 2013
I have a two fiber connection from our Central Office(6513) to Remote office (6509). I have a requirement that on the remote office if one of the fiber goes down, the second fiber should work as a failover. I am planning to use SUP720-3B SFP to connect to the CO.
Can I connet one fiber to Sup720-3b G5/1 & another fiber connection to G5/2? or Can I connet one fiber to Sup720-3b G5/1 & another fiber connection to G6/2? I am running EIGRP between sites. Any sample config.
sup-bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin"
View 4 Replies
View Related
Apr 2, 2012
I've recently switched to an ASA 5510 on 8.4(3) coming from a Checkpoint NGX platform (let's say fairly quickly and without much warning ). I have a couple questions and they're kind of similar so I'll post them up. I've read docs about regex and creating them both via command line and ASDM, but the examples always seem to include info I don't need or honestly something I don't understand yet (mainly related to defining classinspect maps). If someone could provide a simple example of how to do these in ASDM that would be useful in understanding how regular expressions are properly configured. So here we go.
I know this is basic but I need to make sure I understand this properly - I have a single web server (so this won't be a global policy) where I need to allow access to a specific URL pathfile and that's it. So we'll call it est estfile.doc. Any other access to any other path should be dropped. What's the best way to do this in ASDM (6.4)? I think if I saw a basic example for this I could figure out next few questions but I'll post them as well just in case.
I have another single public web server (again this won't be a global policy) where I'd like to specify blocking file types, like .php, .exe., etc... again a basic example would be great.
Lastly, and this is kind of related, but we have a single office/domain and sometimes we get spam from forged addresses appearing to be from our domain. On Checkpoint I used to use its built-in SMTP security server and could define if it received mail from *@mydomain.com to drop it because we would never receive mail externally from our own domain name. I saw something similar with ESMTP in ASDM and it looks kind of like how you set up the URL access mentioned above. Can I configure this in ASDM as well, and if so how?
View 1 Replies
View Related
Jan 31, 2011
i have cisco asa 5510 as firewall, i was trying to block some site using the link provided below
[URL]
and its working fine, but the problem i am having, when i go to download attachment from hotmail its not downloading, from gmail and other mails its
View 13 Replies
View Related
Oct 10, 2011
We have a PIX with 3 interfaces. Inside, Outside,DMZ.
On my DMZ we have some clients that come in and remotely connect back to there office via MSPPTP. I setup the ASA with this to get rid of the error message: regular translation creation failed for protocol 47 src
policy-map global-policy
inspection_default
inspect pptp
Now when the dmz client tries to connect back to there PPTP server I get the following error.
172.31.10.204 0 24.172.85.162 37624 Teardown dynamic GRE translation from dmz:172.31.10.204/0 to outside:24.172.85.162/37624 duration 0:01:30
172.31.10.204 1069 173.188.74.155 1723 Deny TCP (no connection) from 172.31.10.204/1069 to 173.188.74.155/1723 flags PSH ACK on interface dmz
172.31.10.204 173.188.74.155 63767 Teardown GRE connection 8393958 from dmz:172.31.10.204 to outside:173.188.74.155/63767 duration 0:01:08 bytes [ code]...
View 7 Replies
View Related
Oct 20, 2012
i use ASA 5510 and i want to block some urls :
-192.168.2.70 to 79 allow every thing
-192.168.2.80 to 89 : block facebook , myspace, twiter,
-192.168.2.90 to 99 : block facebook , myspace, twiter, youtube , dailymotion
-192.168.2.100 to 199 deny everting
View 1 Replies
View Related
Mar 3, 2011
i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .interface Ethernet0/0 nameif outside security-level 0 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2!interface Ethernet1/0 nameif inside security-level 100 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11.default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .in this case the secondary ip add 10.0.0.11 is actually nerver used? similarly do i need to have two public ip address for outside (one for primary and one for secondary ) ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.
View 6 Replies
View Related
Dec 27, 2011
We have an ASA 5505 and I want to block www.facebook.com for all users on the inside network. I followed the instructions laid out in Cisco support document ID 100513 using regular expressions with MPF but am running into some problems.
[URL]
Once the configuration has been changed based on these instruction www.facebook.com is blocked. However I can't access any other websites except my Google News home page comes up just fine for some reason.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 4nJloDG8uYd8w4D3 encrypted
names
!
interface Vlan1
[code]....
View 18 Replies
View Related
Jun 19, 2011
this is ASA5520 associate with 8.4(1). very simple scenario , three ports: inside . outside . DMZ my problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.
for example, this is my configuration
**** first i configured Regular Dynamic PAT****
object network myinside
subnet 10.200.11.0 255.255.255.0
nat (inside,outside) dynamic interface
**** then , i met problem when i want to make identity NAT between inside and DMZ****
**** if i add below CLI , the first nat line will be replaced ****
**** SO IF I ADD THIS****
[code]......
View 4 Replies
View Related
May 9, 2012
i have a 1841 cisco router and i recently purchased a 1 port HWIC wan interface card. My problem is that I cannot see the interface in my config file. Is there something i am missing?
View 8 Replies
View Related
Aug 3, 2009
In ASA 8.0,I have following queries related to redundant interfaces
a)While configuring redundant interface can the redundant interface again be divided into logical interface like red1.1 , red1.2 ?
b)Is Redundant interface supported in the Multiple context mode
View 4 Replies
View Related
Jul 15, 2012
I am using 6500 with VPN Accelerator on this device. I have a dozen other VPN connections GRE and IPSEC to routers and ASA and other Juniper Firewalls.
They all work perfectly.The error I get is map_db_find_best did not find matching map (Never seen this error be for) [code]I can't put the whole config for security reasons.
View 5 Replies
View Related
Aug 26, 2011
Is this this possible to set up two as a redundant pair as you can do with say a pair of 5510s?
View 3 Replies
View Related
Mar 6, 2011
My customer is running an ASA5505 with 8.3 code.
The have a somewhat flaky proxy between their inside LAN and the firewall. I'd like to have a configuration as follows:
LAN > Proxy > VLAN 1 (eth0/2) on ASA
and
LAN > VLAN 1 (eth0/3) on ASA
So that in the event of Proxy failure (let's just say it loses power) the eth0/3 interface will kick in.
This appears to be easily configured according to the documentation:
"The following example creates two redundant interfaces:
hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# interface redundant 2
hostname(config-if)# member-interface gigabitethernet 0/2
hostname(config-if)# member-interface gigabitethernet 0/3"
But these commands don't seem to be available on a 5505.
View 7 Replies
View Related
Oct 21, 2012
I have two 5505 ASA. I would like to know can I make two 5505 failover redundant with active standby setup?
View 11 Replies
View Related
Jun 10, 2013
we have two ASA 5510 connected in failover, and a pair of cisco 2960s switch connected in stack. Currently one interface of primary ASA is terminated on switch1 and a interface from standby is connected to switch2 as Inside, and switch1 and switch2 are in stack. for redundancy purpose i want to use multiple interfaces of ASA for inside , so first i thought to use etherchannel , but it has a limitation that , it cannot be terminated on stack switch(as per cisco document [URL]
So my question is :
1. can we use redundant interface feature where 2 physical interfaces combined to a redundant interface (eg interface redundant 1) for inside redundancy purpose.
2. Can these ports from primary/standby ASA terminated on stack switches (2960s), will this work (if the switch with active port goes down, will the other port take over in the redundant interface with the other switch).
View 1 Replies
View Related
May 28, 2013
We are having Cisco ASA 5540 having Cisco Adaptive Security Appliance Software Version 8.0(5)23 at certain time of moment daily wer are facing latency and packetdrop wherin when I checked for ASA Interface which gives me " Input Errors" on outside interface ,so can any one tell me what are the causes to get input errors on cisco asa outisde interface.
View 2 Replies
View Related
Oct 9, 2011
I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP.
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside
View 7 Replies
View Related
Mar 18, 2013
I've got a ASA 5550 firewall interface failover issue. (File attached).
when I shut down the inside interface Gi 1/1 of the left firewall(Active firewall), It failed to failover. but when I shut down the Gi 1/12 of the Core 1 switch, The firewall failover very well.
I followed this guide but I was not able to failover. [URL]
how can I configure so that when the Gi 1/1 or Gi 1/0 interface goes down, it can failover ? Code...
View 6 Replies
View Related
Mar 5, 2012
who to configure the interface of cisco 7606 router. As it is not getting up by doing normal configuration like "no shut"? iterface and line protocol both are down.
View 1 Replies
View Related
Jun 15, 2012
My customer they do not want change their real server IPs. So I need setup one interace (one armed) for them on ACE4710. Who had this sample configuration? (CSS has this but it seems to be not compitable with ACE)
View 4 Replies
View Related
Sep 30, 2012
Having a problem configuring my new 1941 Router. The 0/0 interface is attached to my broadband and gets it's ip via dhcp, the 0/1 interface is connected to my lan and has a dhcp pool. My problem is that the 0/0 interface does not appear to be getting any dns servers. So i have either missed something or need to add the dns servers manually to my dhcp pool. Below is my config,
[code]...
View 3 Replies
View Related
