My current network setup has pix 525 firewall and for IDS i have 4215 box.As the utilization is high i am buying new ASA5520 firewall.
My query is
1 My IDS is end of support should i buy an IPS moudle with the asa 5520.is it recommended?
2 Other than firewalling what are the default features supported in asa 5520 like vpn,content filtering etc.
I have implemented ASA 5520 as the main firewall. The outside interface is connected to a cisco router and the router is connected to an ISP. I want to make my security system more secure. Which product is the best as the internet gateway solution. Which licenses are required for this one and what is the,cost for each license. Where can I find the DMZ diagram recommended by cisco ?
View 1 Replies View RelatedLooking for a recommended code on the ASA 5585x firewall. We ran into a bug (CSCtr24705) on version 8.4.2 where it rebooted the primary firewall. The bug has to do with modifying an existing ACL that's part of a custom policy-map inside a service-policy. If we upgrade to 8.4.5 (which has the previous bug fix in it), there is another major bug (CSCud70273) where if you use the packet-tracer input command on an inside interface it causes problems too.
I don't understand why packet-tracer input would have a bug associated with it when it's been around for a long time and we use it on a daily basis for troubleshooting. Is there stable code for the 5585x to upgrade to without running into possibly a major bug? This is our core firewall so there are no VPN tunnels on it. It's setup in active/standby failover in routed mode.
We are in the process of building a new DC and would like to know which is the recommended version of code to run on the following:
Firewall Services Module
Cisco ASA5580, 5550, 5520
ACE module
I am doing a security assessment of an organization that uses 871/881 routers with the firewall features enabled. I see the following commands defining packet inspection done by the firewall software.
-ip inspect name inet-users tcp
-ip inspect name inet-users udp
-ip inspect name inet-users icmp
What I am trying to define is the inspect name "inet-users". It is obviously a constant defined by IOS as it is not defined anywhere in the configuration file like any other "variable" and does not generate an error.What does "inet-users" define? I'm assuming it is all users using the interface(s) where the inspect commands are used, but is that correct? The Cisco IOS manuals do not contain a reference to "inet-users" hence why I'm here asking.
I have a pair of ASA 5510s configured in active/standby mode. I have already configured the fail over settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. [code]
Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:%PORT_SECURITY-2- PSECURE_ VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8. After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?
url...For the New Firewalls i.e. 5512X , 5515X etc there seems to be integrated IPS and we don't need to order any extra license or part number to get the IPS features .
But for the 5585X It says 2Gbps for SSP10 engine but I have seen in the Dynamic Configuration Tool that SSP10 and IPS-SSP10 are different things . Which means that I will have to order 2 service engines SSP10 and IPS SSP10 to get the IPS features and if I only order SSP10 with that Chasis I will only get firewalling ?
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
View 1 Replies View RelatedWe are looking at providing an ISR 819 for one of our customers using FTTC & 3G for failover .. However, I cant seem to find any recommended throughput guidence for the device? We could be looking at up to 80Mbps via the ethernet interface and I just dont know if the device will cope?
View 4 Replies View RelatedI'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies View RelatedWe are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
View 1 Replies View RelatedTwo different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
View 8 Replies View RelatedI have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
communication between 2 vlans.i have 2 vlans
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
I would like to perform vulnerability scan on Cisco switch and router.Is there any free vulnerability scan tool recommended for Cisco device ?
View 2 Replies View RelatedI currently have a 50Mbps Internet Connection provided by an ethernet handoff for hosting some webservers. We are looking at adding an additional 10Mbps Internetn connection and route BGP between the two. For the 50Mbps connection, i'm using a Cisco 2951 router. I also have another 2951 router to terminate the 10Mbps connection. Does these router have enough horsepower to fully route BGP?
View 1 Replies View RelatedI am lacking experience in BGP and now I am trying to figure out what should be the ideal and recommended design.
Scenario:
- Having two Internet Service Provider with two ASN
- Having one idenpendant IPv4 public address
- Having two Internet Cisco Router e.g. 2811
- Having two Cisco ASA Firewall e.g. 5510
Are there any recommendations for configuring the VM for the ACS 5.x? What are the required minimum CPU-Cycles to dedicate and also the minimum RAM to dedicate?
View 1 Replies View RelatedI am setting up a DMVPN between several dozen sites using 2800, 2900 and 3900 series ISRs. The DMVPN Design Guide recommends current 12.4 or 12.4T IOS, but the DG was last updated in July 2008. I cannot seem to find any recommendations newer than this. I'm hoping Cisco or the community can give me an updated recommendation.
View 5 Replies View RelatedMy wifi router recently busted and looking to upgrade. In doing some research, I think I've come to the conclusion of these specs:
-Up to 300 mbps
-10/100/1000 WAN and LAN
-Dual band
-a/b/g/n
Ideally, I'd like to stream my media content from the desktop to my PS3. I don't know if it's a bandwidth issue or my old router, but streaming non-HD movies would buffer like crazy. My RoadRunner connection is about 25 mbps down/1 mbps up. Not sure if the upload bandwidth is the culprit. I know there's not a huge use for 1000M WAN, but I guess I was looking towards the future. Am I overcompensating on the WiFi? My desktop has gigabit port.url...
I am currently at my parents house. They have a internet/phone package with Talk Talk, with the free D-Link DSL-2680 router (which is located at the front of the house). I've run a speed test on this and get almost 6Mbps download on the wired desktop.If I bring my laptop into the room and try it wirelessly I am getting the same sort of speed. However, if I walk 10 meters into the back of the house, I go down to 0.3Mbps.I am wanting my parents to be able to use their iPad in the living room at the back of the house as well as they could use their wired desktop in the front of the house.Is the D-Link DSL-2680 good enough? Do I need a wireless extender/bridge/whatever?
View 1 Replies View Relatedi have an DIR-655 Hardware Version: A4, with Firmware Version: 1.21.Its dated: 2008/11/13.Do i get any improvement updating? And in such case, which FW should i use? It must be rock solid!
View 3 Replies View RelatedI have a serious problem with my corporate firewall, witch is an ASA 5520, fv 8.3, with 8 +1 interfaces. It suddenly started to crash every 10/20 minutes and rebooting alone.
First of all I checked system resources witch are in a very low usage state. I also checked interfaces errors, but nothing strange come out o from error counters analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.
Nothing changed and firewall continue restarting by itself.
Last logs I received before crash were:
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack = 0x084A619E 0x084A6512 0x084A70E1 0x084A7987 0x084A7AAA 0x08558B9B 0x08558E8A 0x083D3518 0x083CA145 0x080659D1 0x089196D9 0x08919790 0x089FF711 0x08A27468
Here the sh crash info command on module 0, after last reboot:
[Code] ......
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
View 2 Replies View RelatedI have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
View 2 Replies View RelatedOur Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
I have problem in the configuration of Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network--> Firewall --> Routers with GLBP with virtual ip address. the clients can not ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall, I checked the packet tracer it gives :
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside10,outside) source dynamic LAN interface
Additional Information:(code)
I have two 5505's facing each other over 10meg dsl internet links with slow up links, I think that the uplink is around 768K and down is 10meg.Behind each ASA on each end sits a pbx they are using H.323 point to point trunk for connectivity to talk to each other one the g.729 codec. I've read a little on Qos and I'm wondering if GRE over IPSecis the way to configure this setup. I'm needing recomendations. There are is no qos at present configured and its not working well at times. There are only 5 phones at the remote site and 5 computers. The remote end only supports 3 vlans as well. I'm new to ASA.
View 1 Replies View RelatedIs there an official Cisco-Page with the always-up-to-date recommended NX-OS-Releases for the Nexus 5000, just as there is URL
If there is no such page: What Release can be recommended?
We got new N596 & N2232 this week, and are using L2-LAN only, no L3,no FCoE- or FC-Ports. The command 'vPC orphan-ports suspend' is the newest feature used, so 5.0(3)N2(1) would be the oldest possible release.
Before I install 5.1(3)N1(1a) and then have to do a distruptive downgrade to 5.0(3)N2(2b), I'd like to be assured that the new one is already recommended as mature enough.
I would like to know what tool do you use to create topology diagrams, since I need to create some for my thesisI know about MS Visio and Cisco stencils.Apart from this I have no experience with anything else.I need to draw some tunnels and arrows showing message flow as well as the topology itself.
View 2 Replies View RelatedWhat is the most recommended set up for my routers? I have 5 routers, 1 linksys ea4500 which will be my main, and 4 linksys e2500 as my access points... what i want is that they are all in the same network and only one ssid? Is it possible? what will be my wiring connections? can it be on series or all routers connected to 1 main router?
View 2 Replies View Related