Cisco Firewall :: Port 5061 Access On FWSM
Mar 14, 2012
We are running a FWSM and have created ACLs for a new Lync install. One of the rules needs to have port 5061 access from any source to our front edge server for communication. When looking at the logs I see a hit on the ACL, but nothing ever actually connects.
One possible issue I see is in the inspect:
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
 class class_sip_tcp
  inspect sip
In the inspect sip this is only for port 5060. How do I set this up to allow port 5061?
Jan 22, 2012
I'm doing some L2 cleanups across multiple 6509E environments and I've found something consistent that I can't find in documentation. On all my pairs of 6509s where I have FWSMs bundled (6509-A has FWSM-1 in Slot 1 and 6509-B has FWSM-2 in Slot 1) I also have a port channel 305. Obviously when I do a "show run" or "show int desc" I don't see anything in slot one. It's a service module. But the port channel is referencing ports 1/1-6, and it's all in service/up. I was about to delete this as I thought it was some leftover config (TEST 6509s) until I went and saw the same thing on our PROD 6509s. Is it cosmetic? Necessary? Can I delete it as part of my audit cleanup? I don't want to mess with it even in TEST without some information. Nothing on Google that's clear and I can't find anything on CCO.
#################################################################################
6509-1#sho etherch 305 summ
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
[code]....
Mar 6, 2011
I need to enable Management access to FWSM using CA ssl certificate.
FWSM Version 3.2(5) in Cisco 6509 switch.
I know how to generate, import and export the certificate, but my query is how to get it applied to the management IP. Do I need to apply it on the management interface?
Aug 15, 2011
I have a FWSM in active/standby mode deployed on two different Cat 6k chassis. I am unable to access the FWSM module from the switch using "session module mod_no processor 1"; it throws the error "% telnet connections not permitted from this terminal". Running version 3.2.6 on the FWSM; the Cat 6k is running 12.2.33.SXH1.
switch#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
% telnet connections not permitted from this terminal
---------------------------------------------------------------------------
I have allowed telnet on line vty; the configuration on line vty is simple, allowing all transport protocols:
line vty 0 4
 exec-timeout 5 0
 transport input all
 transport output all
line vty 5 15
 exec-timeout 5 0
 transport input all
 transport output all
Apr 24, 2012
Today I received a FWSM from Cisco (RMA). I need to configure it as the standby unit for an existing FWSM active/standby setup.
The IOS on the RMAed FWSM is 2.3.4, and Cisco VSS supports FWSM IOS 4.0.4 and later. My issue is that I cannot access the FWSM (IOS 2.3.4) via the session command from the Cisco 6513, but I could successfully console into it without any problem. I have reloaded it twice and also tried disabling and enabling power on it.
VSS#sh module switch 2
Switch Number: 2 Role: Virtual Switch Standby
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 6 Firewall Module WS-SVC-FWM-1 -----------
[code]....
Why can I not access the FWSM through the session command? Is this because of the older IOS? If yes, then how do I upgrade its IOS? Is it possible to upgrade the IOS via the FWSM console? If yes, do I need to test on a different slot?
Dec 10, 2011
I am trying to remove a line in a particular access-list configured in a FWSM module using this command "no access-list <acl> line 19 x x x x" but it doesn't work. See below:
FWSM/xxx03(config)# no access-list ?
configure mode commands/options:
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny
[code]...
How can I remove a line from the access-list without clearing the entire access-list?
Aug 15, 2012
I am having difficulty following the logic of the port translation. Here is the configuration on a 5505 with 8.3. So I would have thought the outside access-list should reference the 'mapped' port, but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
May 3, 2011
We have 2 FWSM modules in each of our 6500 switches. The 1st module has 4 firewall vlan groups with 18 vlan interfaces in a single-context firewall. All are working fine with no issues. Recently we created one more vlan on the MSFC and added it into the same firewall module. However, the newly created vlan inside the FW is not able to communicate with the outside, and outside users are also not able to reach the newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did a packet capture we noticed that it's hitting the firewall outside interface only, and when we ping we get a TTL expired error. We have default routes to the outside and there is no route inside, as the new segment is within the firewall (no hop).
I guess there's no limitation on the number of vlans that we can assign on one firewall, even though there is a limitation on the number of vlan-groups, which is 16 max (but we are within that limit).
Dec 20, 2010
We have a 6509 that was connected to 2 other locations (location A and B) and our local LAN (location MAIN). We wanted to move locations A and B to a 3750 switch and only allow the traffic that needed to access our location MAIN to come through the firewall. The only problem I ran into is that before, locations A and B were on different interfaces, so in the 6509 firewall the routes for traffic to our MAIN location were done by static routes.
i.e.
static (MAIN_intf,A_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0
static (MAIN_intf,B_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0
[Code]....
because it has a static overlap, which makes sense to me, but my question is how do I configure the network to get this to work? Do I have to reconfigure my network and access-list? Do I need to add more ports between the 6509 and 3750? I'm not sure if this is the best way to do what we want. If something is not clear I'll try my best to explain the setup, but I just took over for our I.T. guy when he left.
I put 10.10.10.72; instead I should have put 10.94.10.72. The routed port is on a different subnet than the computer I'm trying to access.
Mar 26, 2011
I have a FWSM in my 6509; this firewall is managing three VLANs, one of which holds a file server. As you all know, FWSMs do not support VPN like the ASAs and PIXs do. I have been trying to add remote access to this file server LAN all week. The only VPN device I have is a 2801 router.
First layout:
VPN router behind FWSM
static translation from FWSM LAN (private) to VPN WAN (public)
default route was facing back at FWSM
IP address pool was to be NAT'd on the interface facing the FWSM
The idea was that my VPN address pool would be NAT'd back to the FWSM on its VLAN. Since the FWSM was managing this VLAN and recognized the source IP of the translated address pool, I would have access to my precious file server.
Second layout:
VPN router fa 0/1 on a /30 with 6509 (public)
VPN router fa 0/0 still on the same LAN as FWSM (private)
address pool for VPN once again NAT'd to fa 0/0
default route pointed to fa 0/1
static route of FWSM LAN pointed to fa 0/0
This idea was to have more of an 'inside' and 'outside' interface on the VPN router. This too did not work; having used every trick in the book, I could still not ping anything on the FWSM LAN while VPN'd into the network (aside from the LAN interface on my router).
Traceroute was showing that all routes were headed out fa 0/1 (default route) and all to my FWSM died. I really don't think my address pool is being NAT'd, though my route-map statement applied to the NAT policy is permitting my VPN address pool.
I am new to VPN technology, one of those things that happened to land in my lap. How could this layout work? There are no good VPN remote access walkthroughs for a situation like this (2801 allowing access to a FWSM-controlled LAN).
Apr 1, 2013
Can anyone tell me what the difference is between ASA-SM1 and FWSM?
Apr 10, 2012
I want to upgrade a pair of FWSMs in active failover from 4.0(4) to 4.1(8); I just want to double check the process. I have tftp access to the primary at the minute. I cannot access the same tftp server with the standby. Do I need to flip over to the standby to be able to tftp the image across?
failover active
hostname# changeto system
hostname# copy tftp://x.x.x.x/c6svc-fwm-k9.4-1-8.bin flash:image
hostname# copy tftp://x.x.x.x/asdm-622f.bin flash:asdm
hostname# reload
Once I have the images loaded, do I reload both at the same time? [URL]
Dec 17, 2011
I am planning for a VSS in the core, but firstly I need to upgrade the FWSM, which is at version 3.2, to 4.0.4 (minimum release). I have checked the software dependencies but am not sure about hardware dependencies on the FWSM and chassis, e.g. a ROMMON upgrade on the chassis.
Jun 26, 2011
I want to upgrade FWSM version 3.1(11) to the latest 4.x version. Is this possible, or do I have to upgrade first to 3.2 and then to 4.x?
Are there any changes in configuration commands that I need to know about? The version that the 6500 is running is s72033-advipservicesk9_wan-mz.122-18.SXF14.bin; is an upgrade to the 6500 needed also? And if so, what IOS version should I put on it? Also, which is the supported ASDM version?
Jan 15, 2012
We recently deployed a FWSM on our 6503-E boxes (w/ Sup720). NAT is working (PAT), but the issue I am seeing is that private traffic from remote sites is not being allowed through the FW. I was able to get the remote site to ping the FWSM itself (inside address), but no hosts behind it. Maybe an ACL issue? Also, when I turn off NAT on the remote end, I can then access everything (we are NATing on both ends). I'm a routing guy by nature so I will defer this to the security guys out there.
Topology
Hosts (inside/10.15.25.0/24) -> FWSM (outside/public IP) -> Core Router -> MPLS CLOUD -> Core Router (NATing) -> Hosts (192.168.1.0/24)
ACLs applied to inside/outside interface
FWSM# show access-list ATX-ALLOW-IN
access-list ATX-ALLOW-IN; 15 elements
access-list ATX-ALLOW-IN extended permit tcp any any (hitcnt=222)
[Code]....
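The post above shows an inbound ACL whose first element is "permit tcp any any", and the 5061 thread at the top of this page relies on hit counts to decide whether traffic is arriving. As an added example (editor's code, not from either post), here is a small Python auditor for "show access-list" output: it parses each ACE and its hitcnt, flags any-to-any permits, and reports elements that can never be hit because an earlier broad element already matches everything they cover. The sample output is constructed: only its first ACE is the one quoted in the post, and the 10.15.25.10 / 5061 element and the other lines are assumed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "show access-list" output in the FWSM/ASA style.
# Line 1 is the ACE quoted in the post above; lines 2-4 are made up here
# to exercise the audit and are not from the original page.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list ATX-ALLOW-IN; 4 elements
access-list ATX-ALLOW-IN line 1 extended permit tcp any any (hitcnt=222)
access-list ATX-ALLOW-IN line 2 extended permit tcp any host 10.15.25.10 eq 5061 (hitcnt=0)
access-list ATX-ALLOW-IN line 3 extended permit icmp 192.168.1.0 255.255.255.0 10.15.25.0 255.255.255.0 (hitcnt=17)
access-list ATX-ALLOW-IN line 4 extended deny ip any any (hitcnt=3)
"""

# "line N" is optional because the post's own output shows the ACE without it.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?:line (?P<line>\d+) )?extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: Optional[int]
    action: str
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]
    hitcnt: int


def _endpoint(tokens: List[str], i: int):
    """Consume one address spec (any | host A | A MASK | object-group G) and an
    optional eq/lt/gt/neq/range port qualifier; return (addr, port, next_index).
    Service object-groups are not handled; that is enough for this sample."""
    tok = tokens[i]
    if tok == "any":
        addr, i = "any", i + 1
    elif tok == "host":
        addr, i = tokens[i + 1] + "/32", i + 2
    elif tok == "object-group":
        addr, i = "object-group " + tokens[i + 1], i + 2
    else:
        addr, i = tokens[i] + " " + tokens[i + 1], i + 2
    port = None
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt", "neq"):
        port, i = tokens[i] + " " + tokens[i + 1], i + 2
    elif i < len(tokens) and tokens[i] == "range":
        port, i = "range " + tokens[i + 1] + "-" + tokens[i + 2], i + 3
    return addr, port, i


def parse_show_access_list(text: str) -> List[Ace]:
    """Turn 'show access-list' output into Ace records, skipping header lines."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m["rest"].split()
        src, sport, i = _endpoint(tokens, 0)
        dst, dport, _ = _endpoint(tokens, i)
        aces.append(Ace(m["acl"], int(m["line"]) if m["line"] else None, m["action"],
                        m["proto"], src, sport, dst, dport, int(m["hits"])))
    return aces


def _covers(broad: Ace, narrow: Ace) -> bool:
    """Simplified shadow test: an earlier any-to-any ACE with no port qualifier
    and the same protocol (or 'ip') matches every packet the later ACE could."""
    return (broad.src == "any" and broad.dst == "any"
            and broad.sport is None and broad.dport is None
            and broad.proto in ("ip", narrow.proto))


def audit(aces: List[Ace]) -> List[str]:
    """Flag any-to-any permits, ACEs shadowed by an earlier broad ACE, and
    ACEs with zero hits that are not explained by shadowing."""
    findings = []
    for idx, ace in enumerate(aces):
        label = f"{ace.acl} line {ace.line}"
        if ace.action == "permit" and ace.src == "any" and ace.dst == "any":
            findings.append(f"{label}: any-to-any permit ({ace.proto}), overly broad for an inbound ACL")
        shadow = next((a for a in aces[:idx] if _covers(a, ace)), None)
        if shadow is not None:
            findings.append(f"{label}: shadowed by line {shadow.line} "
                            f"({shadow.action} {shadow.proto} any any), hitcnt={ace.hitcnt}")
        elif ace.hitcnt == 0:
            findings.append(f"{label}: zero hits, check that the traffic reaches this interface at all")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)):
        print(finding)
```

Run it against the real "show access-list" output of the interface ACL; a specific permit (such as a single-host 5061 rule) that sits below a "permit tcp any any" will never accumulate hits of its own, so a hit count on the broad element says nothing about whether the specific flow is arriving.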
Aug 14, 2011
We have a pair of 6500s with Sup720 running 12.2(33)SXI3. Each has an ACE-20 (s/w A2(2.0)) and FWSM (s/w v3.2(15)). We have reached a limit on the number of rules we can configure on the FWSM, and have determined that we shall upgrade to 4.1(5), with ASDM to 6.2(2)F. A question has been raised regarding the s/w on the ACE-20 modules. Do we need to upgrade them as well?
Oct 1, 2012
ASA code 8.3 and higher uses NAT objects and totally changes the NAT rule config. I am new to FWSM, but was wondering if this is comparable. I am looking at upgrading FWSM 3.1(16) to a higher 4.1 version, but have a feeling this could be a huge task if the NAT config changes as it did with the ASAs.
May 11, 2012
I am trying to configure a FWSM via ASDM 6.2f. There are formerly configured interfaces and new interfaces I created. When I add a new access rule it gets added only to all the old interfaces but not to the new ones I created.
1. What is wrong with the new interfaces I created?
2. What is the logic of auto-adding a rule to "all" interfaces? The rules are incoming rules specific to interfaces or groups, so why add the rule to "all" interfaces?
May 22, 2013
We would like to decommission our FWSMs and upgrade to the ASA 5555Xs. This leads me to ask the following: What would be the most efficient way of doing this without any interruption to production? How to successfully accomplish this?
Oct 29, 2012
Our FWSM (in a 6509) is not coming up. When we try to session up using the "session slot 1 proc 1" command, it gives the error "Trying 127.0.0.11 ..... connection timed out; remote host not responding".
In the "show mod" command output at the switch IOS console, under the Card Type section it is showing the Model and Serial Number correctly; under the MAC address section it displays some MAC address; but in Online Diag Status it shows "Unknown" for Module 1.
We tried re-seating it in other slots, but to no use; it gives the same error. Some other forums are saying it is an issue with the 128 MB CF image; the FWSM is no longer reachable from the 6509 IOS console. We even tried using the FWSM console (using PC-Conse & LCP Console) but the FWSM is not contactable.
Apr 13, 2011
I have two DC switches with FWSM modules installed. DC switch1 FWSM (ver 3.2(12)) is working as active and the secondary DC switch2 FWSM (ver 3.2(12)) is in standby mode.
Since yesterday I have been trying to log in to the primary FWSM. It accepts my username and credentials but then prompts again for the username; please refer below:
DXB-DC1>session slot 5 p 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.51 ... Open.
[code]
Feb 3, 2012
I have had a strange issue with a pair of FWSMs in two 6500s; it seems there was a failover, but both modules have been reset.
CAT1
Feb 03 17:08:46.525: %SNMP-5-MODULETRAP: Module 8 [Down] Trap
Feb 03 17:08:46.522: SP: The PC in slot 8 is shutting down. Please wait ...
Feb 03 17:09:01.525: SP: shutdown_pc_process:No response from module 8
Feb 03 17:09:11.382: %C6KPWR-SP-4-DISABLED: power to module in slot 8 set off (Reset)
Feb 03 17:10:56.093: %DIAG-SP-6-RUN_MINIMUM: Module 8: Running Minimal Diagnostics...
Feb 03 17:10:59.796: %SVCLC-5-FWVTPMODE: VTP
[Code]...
Jul 9, 2012
Can I upgrade FWSM 4.0.3 to 4.0.17 with chassis IOS s72033-adventerprisek9_wan-mz.122-33.SXH4.bin?
In the chassis's slots we have an ACE and a FWSM. If I upgrade the chassis it will reboot the ACE too; I do not want to reload the chassis.
Sep 27, 2012
I'm running two C6509 chassis with a FWSM and ACE module installed in each chassis. I have no problem with sessioning into 1 FWSM and 2 ACE modules, but 1 FWSM module can't be accessed by the session command. As I understand it, both FWSM modules' status is OK and they are working fine. When I tried to session into the FWSM, I got these messages:
[code]....
Jan 11, 2010
I need to upgrade the FWSM image from 3.1(10) to 4.0(8). Can I do it directly from 3.1(10) to 4.0(8)? Do I need to upgrade another image also along with firewall version 4.0(8)?
[code]....
Jul 16, 2011
I think I have found some strange behavior on a context of my WS-SVC-FWM-1 (on a Catalyst 6509 running IOS 12.2(18)SXF17a) that is running FWSM Firewall Version 4.1(3). This context sends these log messages every ten minutes:
Jul 17 2011 23:31:16: %FWSM-6-302010: 0 in use, 0 most used
Jul 17 2011 23:31:17: %FWSM-6-302010: 2245 in use, 107133 most used
[code]...
If I issue "show conn" three seconds after the log message, the output I get is:
FWSM# sh conn
1041 in use, 107133 most used
In another context on the same FWSM the log message sent every ten minutes is just this one:
Jul 17 2011 23:31:17: %FWSM-6-302010: 1358 in use, 72503 most used
Jul 17 2011 23:41:22: %FWSM-6-302010: 1590 in use, 72503 most used
In this case there is no log message where the "in use" field and "most used" field are 0 (zero). Why does the context send the message with the "in use" field and "most used" field at 0 (zero)?
May 17, 2011
I have attached a drawing of our network. We have two 6509's connected to two Cisco 2811s (onsite) that the ISP owns. I am trying to get one side up and running before I worry about redundancy and so forth. For this reason I have set all the HSRP priorities to 110 on the left 6509. I have HSRP running between the ISP routers and VLAN 101 of the 6509's. This works, as I can ping Yahoo and Google just fine from the 6509 switch. I can't get from my laptop connected to VLAN 23 to the internet.
It doesn't even attempt to NAT, as there are no translations. I have public addresses assigned by my ISP configured between the ISP routers and my 6509 on VLAN 101. I then have the public address assigned to VLAN 100. I configured VLAN 100 on the switch and VLAN 100 on the FWSM with the IP address in the drawing. I have my NAT statements and route in my FWSM according to the drawing as well. On the switch, I have a default route to X.X.12.19, which is the VIP between the ISP routers. I can reach anything on the inside of my network, including the old network addresses from VLAN 23.
1. Is it best to do NAT at the FWSM or should I do it on the MSFC connected to the ISP routers?
2. If I have to configure NAT at the FWSM, does this require me to extend the public network down to the FWSM?
3. I'll take any examples you may have as I am stuck.
Dec 20, 2012
We run a 6500 with an FWSM with multiple security contexts as well as cascading contexts with a "shared VLAN". There is a problem with regard to Linux machines and our shared network.
For example, we have three Linux machines in production, each in three separate VLANs. For me to communicate with these boxes from one VLAN to another I must first ping the server. If I do not ping the server it will not bring up a connection like SSH or HTTP, etc. Below is the error I get from the FWSM that hosts the Linux server, but like I said, once I ping the server the error goes away. We only have this problem with Linux machines, and it is a problem for all three of them. Is the FWSM having issues understanding something with all three Linux boxes? Below is the error I get at first, when I try to SSH from one VLAN to another VLAN with the Linux machine.
6 Dec 21 2012 16:33:54 106015 10.255.12.109 22 10.255.1.30 63000
Deny TCP (no connection) from 10.255.12.109/22 to 10.255.1.30/63000 flags SYN ACK on interface inside.
Below is what happens when I initiate a ping to the Linux Server and then ssh again. Notice it builds the connection with no problem after the ping. During the ping it builds the dynamic translation, and then when I ssh it builds the TCP connection. Do you know why this could be?
6 Dec 21 2012 16:35:08 305009 10.255.12.109 10.255.12.109
[Code]....
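Two posts on this page quote FWSM syslog lines that are worth triaging: the %FWSM-6-302010 connection counters (a context reporting "0 in use, 0 most used" one second before a busy reading) and the %FWSM-6-106015 "Deny TCP (no connection) ... flags SYN ACK" message above. As an added example (editor's code, not from either post), this Python script parses both message types out of a syslog extract, separates the zero-counter lines so they are not read as a real drop in the busy context's trend, and groups SYN/ACK denies whose source port is a service port, the signature of a server's handshake reply arriving on an interface where the firewall holds no state for the flow. The extract is constructed: only the lines mirroring the posts' quotes are real, and the 10.255.12.109:80 and 203.0.113.5 entries are assumed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed syslog extract in FWSM format. The 302010 pair and the first
# 106015 line mirror the messages quoted in the two posts; the other lines
# are invented here to exercise the grouping and are not from the page.
SAMPLE_SYSLOG = """\
Jul 17 2011 23:31:16: %FWSM-6-302010: 0 in use, 0 most used
Jul 17 2011 23:31:17: %FWSM-6-302010: 2245 in use, 107133 most used
Jul 17 2011 23:41:22: %FWSM-6-302010: 1590 in use, 107133 most used
Dec 21 2012 16:33:54: %FWSM-6-106015: Deny TCP (no connection) from 10.255.12.109/22 to 10.255.1.30/63000 flags SYN ACK on interface inside.
Dec 21 2012 16:33:57: %FWSM-6-106015: Deny TCP (no connection) from 10.255.12.109/22 to 10.255.1.30/63000 flags SYN ACK on interface inside.
Dec 21 2012 16:34:10: %FWSM-6-106015: Deny TCP (no connection) from 10.255.12.109/80 to 10.255.1.41/51022 flags SYN ACK on interface inside.
Dec 21 2012 16:34:12: %FWSM-6-106015: Deny TCP (no connection) from 203.0.113.5/4444 to 10.255.1.30/443 flags RST on interface outside.
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %FWSM-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$"
)
CONN_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most>\d+) most used$")
NOCONN_RE = re.compile(
    r"^Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>[\w/-]+)\.?$"
)


@dataclass
class ConnUsage:
    ts: str
    in_use: int
    most_used: int


@dataclass
class NoConnDeny:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: Tuple[str, ...]
    iface: str


def parse(text: str) -> Tuple[List[ConnUsage], List[NoConnDeny]]:
    """Pick the 302010 connection counters and 106015 no-connection denies
    out of a syslog extract; other message IDs are ignored."""
    usage, denies = [], []
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw.strip())
        if not m:
            continue
        body = m["body"]
        if m["id"] == "302010":
            c = CONN_RE.match(body)
            if c:
                usage.append(ConnUsage(m["ts"], int(c["in_use"]), int(c["most"])))
        elif m["id"] == "106015":
            d = NOCONN_RE.match(body)
            if d:
                denies.append(NoConnDeny(m["ts"], d["src"], int(d["sport"]), d["dst"],
                                         int(d["dport"]), tuple(d["flags"].split()), d["iface"]))
    return usage, denies


def zero_counter_reports(usage: List[ConnUsage]) -> List[str]:
    """Timestamps of 302010 lines reporting '0 in use, 0 most used'. 'most used'
    is a high-water mark, so a zero next to a 107133 reading one second later
    almost certainly comes from a different counter than the busy context's;
    keep these lines out of that context's trend instead of reading them as a
    sudden drop to zero."""
    return [u.ts for u in usage if u.in_use == 0 and u.most_used == 0]


def reply_without_state(denies: List[NoConnDeny]) -> List[Tuple[Tuple[str, int, str, str], int]]:
    """Group 106015 denies whose flags are SYN+ACK and whose source port is a
    service port: the server's handshake reply arrived on this interface while
    the firewall holds no state for the flow, which typically means the client's
    SYN did not pass through this firewall (asymmetric path or cascaded context).
    Returns ((server, port, client, interface), count) sorted by key."""
    counts: Counter = Counter()
    for d in denies:
        if {"SYN", "ACK"} <= set(d.flags) and d.sport < 1024:
            counts[(d.src, d.sport, d.dst, d.iface)] += 1
    return sorted(counts.items())


if __name__ == "__main__":
    usage, denies = parse(SAMPLE_SYSLOG)
    print("zero-counter reports:", zero_counter_reports(usage))
    for key, n in reply_without_state(denies):
        print(f"{n}x SYN/ACK without state: {key[0]}:{key[1]} -> {key[2]} on {key[3]}")
```

Fed the live syslog, the grouped output lists the server/interface pairs whose forward path needs checking. The stray RST from 203.0.113.5 is deliberately left out of the grouping: a reset without state is routine background noise, whereas repeated SYN/ACKs from one server on the inside interface are a single, explainable fault.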
May 18, 2011
I have an FWSM running in multiple context mode, running 3.2(18) code. I have 3 URLs that I would like to block, so I can't justify the cost of an external URL filtering server. I have found a way to filter individual URLs on the ASA, but the same configuration does not seem to be available on the FWSM, at least not on my code. Is there any way to do this other than resolving the hostnames and blocking the current IP addresses?
Dec 20, 2012
I have a 7604 router with a FWSM module in module 3. First of all, the FWSM CF has been damaged, not physically. I bought the same new compact flash (size, part number, etc.). I downloaded the software 3.2 for FWSM, and ASDM, from the Cisco website. I realized that the procedure of creating a new CF for the FWSM is quite difficult: creating 1-5 partitions, where 1 is MP and the 4th is the application partition. According to the Cisco documentation, the default boot partition is the 4th, so I partitioned the CF from the 7604 into 4 partitions (partition disk1: <1-4> maximum) and copied the software and ASDM to the 4th partition (disk1:3:). I removed the CF from the router and put it into the FWSM module.
Mar 24, 2011
We are in the process of building a new DC and would like to know which is the recommended version of code to run on the following:
Firewall Services Module
Cisco ASA5580, 5550, 5520
ACE module
Aug 29, 2012
There is a 6500 switch with a FWSM. We have extended 2 VLANs from the ISP into the FWSM. Also there are at least 10 other VLANs for our internal network. We would like, say, half of the internal VLANs to go out of the 1st ISP VLAN and the remaining half from the 2nd ISP VLAN. Is there a way we can do this in the FWSM?
May 22, 2012
I have a FWSM in a Cat 6500. I have one firewall vlan group, which is in firewall module 1 vlan group 10. I need to create another vlan group and add it to firewall module 1 vlan group 10, 20. I need to have zero downtime.