Do the above values look correct? And why is the priority queue applied to the outside interface and not the inside (or both)? Also, is this the part that ensures that the regular traffic does not choke the voice traffic?
class-map voip-class
match dscp ef
policy-map outsidemap
class voip-class
priority
service-policy outsidemap interface outside
Will the global policy remain, with this interface policy taking priority?
We're looking to use an ASA 5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS, but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible, and does it take a license upgrade?
My HO is connected to BOs over MPLS links. The links are terminated on routers, but I don't have access to those routers as they are maintained by the ISP. Behind the HO router there is a 3560 switch. Can I configure this switch to prioritize some traffic over the WAN link to the BOs?
I am currently working on our Cisco voice platform at work.
Our Cisco firewall engineer has left and I have been given the task of looking after the firewalls, as our Chief Exec seems to think that Cisco Voice is similar to Cisco ASA firewalls.
Are there any books/videos out there that you can recommend to learn about firewalls quickly?
I do want to know what could be the best device to prioritize Skype traffic. I mean, should I implement it on a Cisco 3560, Squid or Mikrotik, according to my current scenario, to get the best result? Also, do let me know how to prioritize Skype traffic on a Cisco 3560 switch.
Trying to set up a priority queue for voice and video traffic; below is the current ASA config. The WAN link is 6mb; trying to limit the Internet traffic to 4mb and save 2mb for the PQ. Config below. Traffic just isn't hitting the PQ.
priority-queue outside
 queue-limit 512
 tx-ring-limit 200
!
class-map Video
 description Video
 match dscp af31
We have a 2mb MPLS network between three sites. Each site also has its own Internet connection for hosting a web server and for internal users to access the Internet. Each site has a few internal subnets. Each site currently has a 2800 series ISR.
1) Increase the Internet connection to 10mbps and configure site-to-site VPNs in a mesh configuration so that each site has a VPN to each other site. This would create six VPN tunnels.
2) Configure so that only Exchange and VoIP traffic use the MPLS network under normal conditions. All other traffic (backup/misc apps) should be routed over the Internet VPNs. If the MPLS fails, of course, we would like the Exchange and VoIP traffic to fail over to the VPN connections as well until the MPLS comes back up.
I am able to FTP from my Head Office to my test machine at the remote location, but I can't get the other way around to work. Error message from the syslog: deny tcp src 192.168.50.5/1825 dst 208.124.202.44/21 by access-group "dmz_access_in". I tried a couple of ways to fix it but no luck. A partial config of my ASA 5505: [code]
We have a BT Infinity broadband circuit which terminates at a VDSL modem. I've plugged an ASA 5505 into the back of this modem and gone through the ASDM quick setup wizard (yes, I'm that much of a beginner!). The config that's been generated is pasted below; the symptoms I'm seeing are:
The ASA is set up with PPPoE on the Internet connection. I assume this is correct, as if I do a show ip on the ASA I'm getting an IP address that has been assigned; if I change the password to the wrong one then I get no IP (as expected).
If I ping from the ASA to an Internet address I'm getting "no route" error messages; if I try a "ping outside x.x.x.x" then I get no responses.
The ASA can ping its external IP, and the client machines can ping its internal IP; however, nothing appears to be able to get out.
ASA Version 8.4(1)
!
hostname xxxxxx
enable password xxxxxx encrypted
We have 110mbps Internet service. When we have the 5505 behind the cable modem, our speed drops to 55mbps or so. If we remove the 5505, we see the full 100mbps. I assume the 5505 can handle the speed; if so, what other things should I be looking at? As an aside, we used to have 50mbps, which worked fine; then the ISP upgraded to 60mbps and the throughput dropped to 30mbps (it always seems to be half).
My understanding is that for inside to outside we need global and NAT, and for outside to inside we need static and an ACL? Traffic goes from high to low. I just started working with the 5505 recently.
I have VPN up and running between two sites. Both sites have Cisco ASA 5505. I can ping across the devices from both networks. But I cannot remote into the servers on the other network.
I have a Cisco ASA 5505 that I have configured. The outside interface is VLAN 2 and the inside interface is VLAN 1. Port 0 of the ASA is configured to be in VLAN 2 and is connected to the ISP-provided subnet. Port 1 is connected to my private LAN subnet. I have an additional router connected to port 2 for guest connectivity. Port 2 is configured to be a member of VLAN 2 so that it can access the ISP-provided subnet. From the device connected to port 2 I can ping the VLAN 2 interface address of the ASA, and from the ASA I can ping the default gateway of the ISP-provided subnet. For some reason the router on port 2 cannot ping the default gateway of the ISP-provided subnet. If the VLAN were working the same as a VLAN in a switch, I would expect to be able to do this. Why is it not working, or what can I do to get it working?
I'm trying to allow SSH traffic from the Internet to my DMZ. I gave my remote guy my IP and he can see the ASA 5505 but not get into the DMZ. The outside is 70.165.19.137. The DMZ server is 192.168.60.2. I have the inside talking to the DMZ fine. [code]
I am fairly new to configuring ASAs. I have an ASA 5505 with one outside interface and three inside interfaces (inside1, inside2, and management). I need inside1 and inside2 to be able to talk to each other but cannot work out how to make this happen. They are both configured with the same security level and the 'Enable traffic between interfaces with same security level' box is ticked. I have also tried adding appropriate NAT and access rules. The packet tracer suggests the rules are correct for allowing traffic flow between interfaces, but obviously this may not be the case.
We have 10MB dedicated Internet BW and want to run a VC device, and due to heavy traffic and high BW utilization at peak hours, VC performance is not sufficient. We would like to reserve 2MB for the VC device. Is it possible to set up this configuration on an ASA5505 running disk0:/asa724-k8.bin? [URL]
I have a Cisco 5505 with a 12Mbps feed. I want to reserve 2Mbps for RTP traffic. I followed the QoS guide here: url... The goal would be that any traffic destined for ports 5000 through 5100, UDP or TCP, from any IP to any IP on any interface should always have 2Mbps available to it.
Is there any difference in traffic shaping capability on the 5510 as opposed to the 5505? Is there anything the 5510 can do that the 5505 can't with regard to traffic shaping?
I am trying to switch out a Cisco PIX 501 firewall with a Cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. What am I doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx, and I run it right after restoring the firewall to the factory defaults. I am able to get out to the Internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network. [code]
I've set up my Cisco ASA 5505 in transparent mode. I have a Cisco 1841 connecting to the ISP (DHCP client) and F0/0 for inside. The 1841 is the DHCP server. I have my ASA 5505 behind the 1841 in transparent mode (Vlan 1 for outside and Vlan 1 for inside). The router config is good, as when you connect a computer straight to the inside interface I get DHCP and can go to the Internet, no problems whatsoever. But when you try to go through the ASA it isn't working. If I add an ip any any statement to the access list it will work, but having an "ip any any" in an access list is like having no firewall at all.
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(4)
!
firewall transparent
hostname ciscoasa
enable password zmQ6OnxvsOOEDNAy encrypted
I've got an ASA 5505 with the Security Plus license that I'm trying to configure.
So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).
From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.
I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.
When I try to ping there is no reply, and the only log message is:
6 Aug 21 2012 09:00:54 302020 10.16.2.10 23336 10.105.11.6 0 Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0
I'm trying to allow traffic between 2 inside interfaces with the same security level, VLAN1 and VLAN15. They are on different physical ports on the ASA. I tried to configure this through the GUI web interface and checked 'enable traffic between two or more interfaces with the same security levels'. With this ASA version, I do not need NAT to allow this, correct?
I have an ASA 5505 with a base license. I would like to install a proxy server in my network. I configured the commands below to forward my traffic to the proxy server from my ASA.
Is there any configuration that I need to configure? And if possible, send me the configuration guide to set up the SQUID server. (Actually it was set up by a 3rd-party vendor.)
I am currently troubleshooting a firewall policy on an ASA 5505. What command can I enter in the CLI to enable a live view of which traffic is being blocked and which traffic is being allowed? In my experience with other firewall vendors, other firewalls allow me to narrow down the source and destination, too. Is there such a thing on the ASA 5505?
I have an ASA 5505 firewall with a Security Plus license. I configured two VLANs, VLAN 1 and VLAN 5, as my inside VLANs for different subnets; I need to route the traffic between these two VLANs through the ASA. I configured
int vlan 1
 nameif inside
 security-level 100
 ip address 172.16.100.1 255.255.255.0
[Code] .........
The problem is I am not able to ping the other subnet; for example, my PC in VLAN 1 is not able to ping 192.168.22.1 ... To troubleshoot, I typed debug icmp trace while pinging the other subnet:
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4608 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4864 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5120 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5376 len=32
I am in search of a new router. I don't have any special task to do, just the flow of a maximum of 2mb/sec of data and sometimes video conferencing. However, I need a VoIP solution as well. I just got excited about the Cisco ASA 5505 product. Can this fulfill my requirements? Can this work as a router like the 1841? Does this support DMVPN, SSL VPN and dynamic routing? Can I upgrade the IOS for dynamic routing purposes? Do you recommend purchasing this product or not, instead of a router? What are the limitations of this product? If I purchase this, can I use it as a router as well as a strong security solution? How many ports are available for traffic flow on the ASA 5505? Are all of them routed-mode ports, or are some of them switch ports?
We have a Cisco ASA 5505 (v7.2(3)) with a "fairly" normal configuration yet we have a problem where it appears UDP/53 traffic is denied on our inside network.
Here is output from our syslog:
SyslogID Source IP Dest IP Description
305006 172.18.22.3 portmap translation creation failed for udp src inside:172.18.22.156/42013 dst inside:172.18.22.3/53
To give some clarification:
172.18.22.3 is one of our DNS servers. 172.18.22.156 is a device we're experimenting with.
We've bypassed the Cisco by using a 4G wireless router with this same device, and it works flawlessly. Here is a [scrubbed] copy of our config. It is what I inherited from the previous admin; I'm not sure of all its finer points (I'm not Cisco certified -- perhaps I'm just certifiable.)
: Saved
:
ASA Version 7.2(3)
!
hostname [redacted]
I have an ASA 5505 and I set up a port with a PC connected to monitor the LAN interface. I see all the traffic from the LAN going out and traffic coming back in, no problem. What I do not see is the AOL Instant Messenger traffic at all. I have Wireshark on the PC and I filter for AIM traffic and I see nothing.
I have an ASA 5505 with current f/w and the Security Plus license (to get the 3 nameif interfaces). Can I split traffic between two ISPs (VPN traffic to one destination on a T-1 on one VLAN, and all other traffic using DSL on another VLAN), using a different NAT policy on both? I know load balancing isn't supported, only failover. I was just wondering if there was a way to make this work.
I'm usually not working with this product, but this is what I'm trying to do. I have 2 internal networks set up on our Cisco ASA 5505 firewall (not done by me; I'm new to this product). I'm trying to access a server on one network from a PC located on the other internal network (preferably through the web GUI). When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase (source IP: 10.0.4.99, destination IP: 10.0.6.99). When I check the NAT rule, it says:
Type Source Interface Address
Dynamic any outside outside
So here's what I think I should do to give email access only to a segment of addresses of my inside network.
1) Create a network object for 62 machines that will represent my DHCP clients. I plan to use 192.168.0.65-192.168.0.126, so I will use address 192.168.0.64 with netmask 255.255.255.192. Then set the DHCP server to service this address range.
2) Create an ACL which will permit Any to use TCP port 110 (POP3) to get to the outside. Which leads me to question #1:
How do I permit the source "Any" to communicate with "Any Less Secure Networks", like the implicit rule that gets zapped once I create a new ACL? Is "Any Less Secure Network" implied by the "Any" destination?
3) Create an ACL which will Deny my DHCP range to talk to the outside.
4) Create an ACL which will permit Any to talk to Any Less Secure Network (essentially recreating the implicit permit ACL that got zapped).