I have ASA 5550, i create 2 context in my ASA 5550. I create a NAT in context A and context B. But when i create NAT in context B i get another i get error message like this "static overlaps with global in another context". I have checked there is same nat translation in context A and context B. My question is : is same nat translation configuration not allowed in context A and context B"
View 4 RepliesI need your support for upgrading the Security context license on 5550, at present we have 5 Security context license installed in ASA but we want it to increased till 10 conctexts. I want to understand if we need to get addtional 5 Security context license or 10.
View 5 Replies View RelatedI'm having a problem with a context, I have two CISCO ASA 5550 (failover) and also we have the CISCO CSM to monitoring it, but since some weeks is showing a memory usage of 100% but then it drops until reach zero and then again the graphic goes up. This is the second time that the graphic shows this
I also check this on the CLI and i'ts fine because is showing the real percent, so my question here is why is showing this kind of behavior, I mean it was working fine before.
In the other hand I checked the secondary device and this is showing a 99% of used memory, but as the other one this graphic doesn't drop
I also checked via CLI and it says that it had the 99% memory used , Is there a way that i can put more memory on the context or what do you suggest that I can check on my firewalls.
I have a Failover pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2). Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
View 4 Replies View RelatedI have a Fail over pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2). Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
View 2 Replies View RelatedI've been using packet-tracer for some time on and off with mixed results.
I'm running a multi context firewall with over 10 of the contexts sharing the same outside interface / network. All interfaces obviously have valid, unique IPs and also unique MAC addresses as mac-address auto is enabled in the system context.
This is an ASA 5550 running 8.3(2.10) interim so includes the fix for the well known packet-tracer classication failed bug.
So in theory, with firewall contexts on a shared interface the ASA should use the firewall MAC address to classify incoming traffic to the correct firewall and as far as I am aware, only fall back on using NAT to classify if the interface MACs are the same. In reality on my platform this doesn't seem to be happening and the classifier is using NAT to determine the destination context. I'm seeing this with live traffic (i.e. not generated by packet-tracer) in logs and can prove it by disabling certain NAT rules (there is some overlap with the IP addressing behind each firewall).
My question regarding packet tracer is this - in the above scenario with a shared outside interface, does packet tracer ALWAYS use NAT to determine the destination context? Or does packet tracer look up the MAC address of the ingress interface according to what context you are running packet tracer from? It appears that packet-tracer is using NAT in my case which could be just symptomatic of the potential bug I've described above rather than by design.
I am having issues getting this to work. For email, I have mail.xxx.xxx DNS'd to 165.165.165.165. I want it to come in to 10.1.0.31. It needs to go out a cluster of 10.1.0.31, 10.1.0.34, or 10.101.201.31 but look like it came from the 165.165.165.165 address. I have set up static NAT for the inbound. I have set up the global PAT with an ACL group of the 10.xxx addresses. I have set this same method up on an ASA with no issues but it doesn't want to work on the PIX 6.3. What am I missing?
no fixup protocol smtp 25
object-group service NewExchange tcp
port-object eq https
port-object eq smtp
[Code] ....
I'm receiving an error when trying to access a web server behind from one subinterface to another subinterface on an ASA access the public IP. I'm getting the following:
Global Static NAT Deny IP spoof from (61.X.X.X) to 201.X.X.X on interface Outside
Traffic dies at the firewall stating that the traffic is spoofed from the Global address (61.) to the static (201.) address. Both bound to the outside interface. When I create a static NAT on the firewall there is no problem; however when I'm patting against the firewall to the public IP I get the denies.
I have an ASA 5510 running version 7.0. I have a problem with an exchange server using a static map and its outbounc connectivity. It connects outbound through the global address even though inbound connectivity works fine through the static mapping. The recent changes are changing of the zero route through a different interface (there are to circuit connected to this ASA on different interfaces). So the idea was to get all workstations in the office using the global address and routing out through one circuit, and the servers connecting in/out through the other circuit. Shouldn't a static mapping ignore what the zero route is?
Here are what I believe to be the relevant configs.
interface Ethernet0/0
description New 6mb circuit
speed 100
[Code]....
So exchang2 server can be connected to from the outside properly via IP xxx.207.51.231/exchange2-outside, but all outbound connections from this server are going out via IP xxx.122.47.218/circuit-6mb as do all the workstations due to the global address statement.
On my production environment I have a firewall with already two contexts defined (15% of CPU used) and I want to add a new one.
This context is going to use the same interfaces as the others contexts. When I will enable the context, can I have some sort of repercussion on these two context ?
I have two ASA 5510 in an Active/Active failover configuration; On the first ASA I have a license for five security contexts, on the second one I have the default two. On the pair I configured seven security contexts and everything works as expected; so far so good. Let's suppose now that the first ASA (the one with the license for 5 contexts) goes up in smoke; all the contexts migrate to the surviving firewall and life is still good. But what happens if, for some reason, I need to reboot the second ASA before the first one is repaired? My guess is that it will come up with just its own license for two contexts and that I will not be able to operate all my virtual firewalls.
View 2 Replies View RelatedWe have a Highly available VPN infrastructure across two data centers. We also use ACS 4.2 servers for authentication. The ACS servers are in teh same "cluster" in a Primary and Secondary fashion. Site A has primary ACS and primary ASA 5550 IPSec VPN termination. Site B has secondary ACS and redundant ASA 5550 IPsec VPN termination. We also use InfoBlox for DHCP IP address assignments. The two IPSec VPN Head end devices, ASA 5550s, they use different subnets for IP pools for the VPN Clients. Site A uses x.x.24.0 and Site B uses x.y.24.0. As indicated VPN clients authenticate using teh ACS 4.2 Radiius server. I can assign static IPs per user on the ACS server but this can only work for the primary site. Once static IP address is assigned on primary ACS for a user, this status will be replicated to the secondary ACS on Site B. When the Primary IPSec VPN Head End ASA or Internet fails on Site A, Clients on DHCP will work fine seemlessly via Site B. But for the static IP users, you have to change the Assigned Static IPs to match the subnet on Site B. How I can assign static IPs to clients via both Sites without manual intervention. Either via DHCP or ASA. I was trying to stay away from creating multiple Groups for VPN and also avoidng creating local ASA users because these options will not scale well as static user base increases. I need users to get a static IP address from Site A subnet when connected to Site A and get a static from Site B subnet when connected through Site B.
View 1 Replies View RelatedIs it possible to use 1 or 2 of the 4 gigabit ethernet ports from one ACE straight into the other ACE for redundancy? So ACE_01 gig0/4 to ACE_02 gig0/4.If so, is it a case of just having the layer 3 config instead of trunking etc..Also - is it possible to create a context within the same vlan as the Admin context?
View 4 Replies View RelatedI have a Cisco ASA running 8.2 in routed mode.The ASA has three interfaces, inside, outside and DMZ. They connect to the following three networks:
Inside: 10.1.1.0/24
Outside: 10.1.2.0/24
DMZ: 100.1.1.0/24
I have the following dynamic PAT configuration:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 100.1.1.1
nat control is turned off.
By my understanding any traffic from the inside to outside interface will be PATted to 100.1.1.1. However, communications between inside and the DMZ will not be PATted, and should work with no problems.This seems to be corroborated by this document: [URL]Which states:"The adaptive security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues."EDIT: I may have misunderstood the above statement.I found this guide to configuring NAT/PAT: [URL]It states:"When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected."My problem is that packet tracer does not seem to bear me out. It tells me the packet is dropped due to "no matching global" when I source traffic from the inside interface and send it to the DMZ.
I got a Global Implicit Rule problem with my Cisco ASA 5510. Here's my configuration : url...I created a PAT translation so that my web server (group LAN Network) could be accessed from the Internet.Although every rule seems to be ok, i got a "tcp deny access" when i try to telnet my public IP on port 80 (ping is ok).
Why is there only one Global Implicit Rule, and not one for each Interface (like in the older versions of ASA OS) ?
We're currently PATing everything from a particular subnet to the IP of an outside interface using our ASA5585 (dynamic PAT). We're experiencing pool exhaustion and therefore need to expand the global IP range. Any way of cutting over to the new range without dropping existing connections? For clarity, the current interface address is x.x.x.37/22 and the new PAT pool is x.x.x.114-6/22.
View 6 Replies View RelatedGot an ASA5520 running V8.2(3) and we want to upgrade our internet bandwidth. Our ISP says OK but we need to install different physical circuit, upgrade CPE router, etc.
Then they say, btw your globally allocated IPs will change - this is a problem as we have Site-to-Site VPN Tunnels, IPSEC RA, etc.
ISP are proposing to give us a 3 month period whereby old & new IP blocks will be routed to our ASA (by means of secondary IP address on their Cisco CPE).
Multiple IPs on the same physical i/f on the ASA require sub-interfaces/IP Addresses/VLAN ids on my "outside" i/f.
Is this going to horiibly break Site-to-Site VPN Tunnesl, IPSEC remote access ?
Will VLANs work at all with IPSEC on the "oustide" i/f at all ?
Verifying the operation of the ASA when configured with Global access rules. Does the global rule overide the interface security levels? According to the ASA order of operations, the interface specific rule get's processed first and then the global rules, but It does not say anything about interface security levels. Observing an ASA in production that has global rules configured I see that an interface with a security level of 50 that has no rules applied to it, passing traffic to the outside interface (security level 0) drops the traffic. Syslog shows that it hits the global access rule implicit deny. Does the implicit permit any to any less secure interface not apply?
View 7 Replies View RelatedWhat are the new features added or going to be available on the 8.5 release on the ASA. Would this release "finally" support VPN on multi security context mode.
By the sounds of things looks like every other major vendor supports this feature except Cisco.
i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .interface Ethernet0/0 nameif outside security-level 0 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2!interface Ethernet1/0 nameif inside security-level 100 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11.default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .in this case the secondary ip add 10.0.0.11 is actually nerver used? similarly do i need to have two public ip address for outside (one for primary and one for secondary ) ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.
View 6 Replies View RelatedI have cisco 5550 Firewall, one messages appear in syslog server from Firewall, (warning) i want to stop this message from appearing syslog traps.
View 2 Replies View RelatedI am having two ASA 5550 firewall running in active/standby mode. With in last two months our secondary firewall got down automatically 3 times. Firewall is running with IOS version 7.1.2. how to proceed further troubleshooting because there are not any logs on firewall.
View 3 Replies View RelatedI am currently working with ASA 5585 with several contexts. What is the percentage of the CPU used per context. I already have the opportunity to do it for the whole ASA (context admin) using the SNMP mib CISCO-PROCES but, unfortunalty, this mib doesn't allow us to know the percentage of used CPU per context.
I was able to know the number of core used per context but not the percentage of the CPU used.
We have a pair of cisco Asa 5520 currently running multiple context mode. We wish to change to single context mode for following reasonWe will migrate infrastructure to hosted vendor . I was thinking of configuring site to site . Current Asa we pal to kee since wireless sits in our DMz and we have net screen that hosts tunnel for erp1. Is context change required for running site to site2. Is it a good idea for creating site to site on to make sure wireless network and oracle traffic goes through managed firewall ?
View 22 Replies View RelatedI am looking to deploy a cloud/borderless network solution and cannot get my head around how the licenses (AnyConnect Mobile and essentials) will be applied in a multiple context deployment. Any correct documentation.
View 1 Replies View RelatedFirstly is this the right forum to post threads about FWSM's. We have 2 FWSM's in two seperate 6500 switches. There are a number of contexts on each FWSM.I want to fail a context from one FWSM over to the other 6500 and FWSM. Can you tell me how I can do that? Do I need to do it in the admin context and do I need to do it on the admin context of each 6500?
View 7 Replies View RelatedI have a ASA 5510 and planning to implement multiple context in a 2 tier security level and vrf-lite. meaning I have 2xASA facing the internet and below that a 2x3560 switch for our extranet and below that is another 2xASA for intranet. See diagram below. In this kind of network I want to know how it would impact the total throughput and resources of the ASA using multiple context?
INTERNET
| |
| |
2811A 2811B
| |
| | (OUTSIDE)
ASA_A-------ASA_B
| | (INSIDE)
| |
3560A---------3560B
| |
| | (INSIDE)
ASA_C--------ASA_D
| |
| | (OUTSIDE)
3560C----------3560B
| |
INTERNAL NETWORK
I have just joined a networks team and will be working on two fwsm versions 4.0(8) in two 6500 routers. Now the fwsms seem to be virtualised with multiple contexts. The server team want a new context setup for a group of servers behind a vlan. [code]
This context just seems to have two Vlans and a BVI interface. What is the function of this context and why we have 2 admin contexts?
Also another important question is on which 6500 do I create the new context? Is the admin context active on one 6500 just like other contexts and will sync across or do I have to create the new context on both 6500s.
I am trying to configure multi context on the 5520 ASA , how can i configure 1 outside and 1 inside for the 2 context or how to configure both outside from the same subnet and insides also from the same subnet , i did the below configuration but didn't work . [code]
View 4 Replies View RelatedI have a active-active setup with 2 cisco asa 5585x running 8.4 - the boxes ahve each 2 sec context's build-in - which gives 4 sec context in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5) which I haven't applied yet - will this give me a total of 10 or 14 security contextes? I am a bit in doubt because if I only get 10 sec contextes in this cluster then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this - hereby I would get 12 then.
View 1 Replies View RelatedWe already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into it's own VRF in the back-end.
As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls?
This is the situation I got to firewalls with failover and I need to upgrade the license so I can get more context (right now I have 5 context and I need 10) so I was looking at the procedure and I'm not sure If I need to restart the device or not. I was looking at this procedure:
Upgrading the License for a Failover using ASDM (No Reload Required) Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.
•1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match. •
2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.•
3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.
4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.
5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.
6. Click Apply. This completes the procedure.link: [URL]
But then I checked on the cisco web page that there are some license that need to reload I see this:
All models
#Downgrading any license (for example, going from 10 contexts to 2 contexts).#Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
[URL]
So I just want to know if I'm UPGRADING from 5 to 10 context the reload applies to my situation or not?
How do i measure the total throughput going via 5585-X.It has the firewall througput of 5Gbps. Looking at aggregate of all the interfaces traffic going through it seems about 4gbps is going through.
I use show traffic command and add up the trasmit and receive traffic on each live interface.Is that correct method and are there any more commands?