Cisco Firewall :: Synchronizing Two Firewalls In Two Different Location 5580

Jun 14, 2012

I have two firewalls in 2 different locations. They act as primary and secondary for my WAN connectivity. I would like a way to synchronize access lists on both without replicating manually (access list, NAT and route). FW model: Cisco 5580.


Cisco Firewall :: 5510 / Adding AIP Firewalls To Existing CSC Firewalls Setup?

Mar 3, 2011

I have a customer with active/standby on a pair of 5510s with the CSC modules. They were inquiring about the AIP/ASA, and since this would NOT work in their current setup, would getting a pair of 5510/AIP configured for transparent failover work if placed in front of the existing units? Would I need to have a switch placed between the AIP and CSC ASAs? Or would I set up the ASAs for context-based Active/Active failover to interconnect the ASAs to the existing units? But I still see a need for a switch.


Cisco Firewall :: ASA-5580 / Unable To Ping Firewall

Apr 18, 2012

We are going to implement Spectrum (CA) in my network. I have an ASA-5580-20 firewall. Now my Spectrum server wants to communicate with the firewall; only then will it discover the firewall logs. Now the problem is my Spectrum server is in the MZ zone (10.10.10.45), security level 70, and my inside interface (10.20.20.101) is security level 100.

I am unable to ping from the Spectrum server to the firewall because of the high security level. How can I solve this problem? Can I change my inside security level to 69? Then I think it will ping.


Cisco Firewall :: Firewall / Can ASR 1006 Replace ASA 5580

Oct 30, 2011

I checked the ASR 1006 config with ESP-40; the firewall performance can reach 40G, while the ASA 5580 is 20G. Can the ASR 1006 replace the ASA 5580? Is there any function or feature problem?


Cisco Switching/Routing :: 1841 Not Synchronizing With 2960 Switch

Oct 22, 2012

I have a Cisco 1841 router connected to a Cisco 2960 switch. Users behind the router can't access the internet, but when someone is directly connected to the switch with his PC and uses the IP address found on the WAN port of the router, he's able to get on to the internet. [code]


Cisco Firewall :: Cannot SSH / Telnet To ASA 5580

Oct 15, 2011

accessing my Cisco ASA. Last night we were doing a VA on our ASA; after that I am not able to access it through SSH or Telnet. It's not giving me any error. I tried from a different system also. SSH and Telnet are allowed from inside to 0.0.0.0. I re-generated RSA keys when it was working. ASA version is 8.2. Now when I connect, Telnet gives me a blank prompt. I can log in using ASDM.


Cisco Firewall :: Cannot Activate Failover On Asa 5580

Sep 27, 2011

I got a problem with a Cisco ASA 5580 about two days ago and the device stopped working (there was a maintenance window and after that the device didn't work). Now we have received the RMA and we are trying to configure failover so the new device gets the configuration from the one that is working.

But this is the message that I am getting:

Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory

We already changed the shared key and crypto license but the failover is still down. What are the features that the Cisco needs to activate to enable the failover?


Cisco Firewall :: ASA 5580 Arp Collision Errors?

Feb 11, 2012

I am receiving a lot of errors: "%ASA-4-405001: received ARP collision from IP/MAC on interface dmz1 with existing ARP Entry IP/MAC"

When I checked this MAC address in the same firewall it shows too many IP addresses. What could be the reason?


Cisco Firewall :: 5580 - Can't Ping ASA Different Interfaces

May 23, 2012

We are using a Cisco ASA 5580 (8.2) firewall. When I try to ping from the inside LAN to the firewall DMZ interface IP it is not pingable, but from inside users I am able to ping the firewall inside interface IP address.

I think we can't ping other interfaces of the ASA by default. But can we allow a single IP address that can ping all the interfaces of the firewall?

We are not doing any NATting in the firewall; for that we used the load balancer.


Cisco Firewall :: ASA 5580-20 System LED Flashing Red

May 16, 2011

A customer's ASA is presenting the System LED flashing red. I have already analysed the show tech-support and show environment output: found nothing, everything seems OK. Cisco ASA 5580-20 - 8.2.1. Single appliance, no failover, multiple context and transparent mode.


Cisco Firewall :: Upgrading ASA 5580 Cluster From 7.2 To 8.2

Aug 19, 2012

We are going to upgrade our 5580 ASA cluster from 7.2 to 8.2 and want to do it this way (which worked for all 7.x upgrades):

- download the asa8.2 image to the primary + secondary firewall
- reboot primary (message comes up "mate version ...")
- reboot secondary

Does it work? Any experience? Does it work if both firewalls can see each other during the boot process?

Do I have to bring the secondary into monitor mode so the FW is not visible to the primary?


Cisco Firewall :: Does ASA 5580 Support NAT-PT For IPv6

Mar 29, 2011

I want to ask: does the ASA 5580 support NAT-PT for IPv6?


Cisco Firewall :: ASA 5580 Command Itself Is No Longer Used

Mar 5, 2011

I'm new with the ASAs. I'm familiar with the FWSMs on 6500s and PIX. I'm running Version 8.3(2) and I wanted to set up nat-control and use identity NATs for advertising inside subnets to my outside networks.

The old command was static(inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x. I'm having a little difficulty deciphering the PDF about static NAT. The command itself is no longer used, nat-control is no longer used, but I'm not quite sure what the equivalent nat command is that equates to the old static inside,outside command.


Cisco Firewall :: ASA 5580-20 System LED Is Flashing Red?

Apr 8, 2012

On my ASA 5580-20 the system LED is flashing red. How can I troubleshoot this?

I checked the rear panel and everything is OK; I also looked at the environment, which also shows OK.


Cisco Firewall :: Failover ASA 5580 Unsync With Active

Feb 19, 2012

I have encountered a problem at one customer where the Active ASA 5580 is unable to sync with the Standby Failover ASA. When the Active is connected with FO and pushes the configs to it, it will not find the Ethernet/Gig interfaces, due to which all the configuration was not applied, and when the primary ASA the secondary is unable to respond.

When I attached the console to the Standby ASA I saw this error.
 
Number of interfaces on Active and Standby are not consistent.If the problem persists, you should disable and re-enable failover on the Standby.
 
For detailed understanding I am attaching the configs of the primary and standby ASA. The KHI-DR-ASA-BB-01 is the standby firewall.


Cisco Firewall :: ASA 5580 With 4*10 GB Module Act / Act Failover Not Working

Jul 11, 2012

If we switch from the primary to the secondary firewall, the interfaces on the secondary go to state waiting, then to failed. After a while the secondary gives control back to the primary.

It seems that traffic passes the secondary firewall during this short failover time. We have several contexts created on the firewall. Switch ports checked, cabling checked, everything checked.
  
blackhole Interface inside (10.255.102.134): Normal (Waiting)
blackhole Interface shared (10.255.102.134): Normal (Waiting)         
blackhole Interface inside (10.255.102.133): Failed (Waiting)
blackhole Interface shared (10.255.102.133): Normal
blackhole Interface inside (10.255.102.133): Normal (Waiting)
blackhole Interface shared (10.255.102.133): Normal


Cisco Firewall :: ASA 5580 - Possibility To Generate Activation Key

Nov 23, 2011

We got a replacement ASA 5580 from Cisco. We were not aware of the PAK. Is there any other possible way to generate an activation key? Can we generate a PAK or activation key using the SO (service order) number?


Cisco Firewall :: 5580 Failover Active And Standby

Dec 21, 2011

I have a problem with failover. On my site I have 2 5580 firewalls, and I did this configuration on my firewall:

interface GigabitEthernet3/0
description LAN/STATE Failover Interface
speed nonegotiate


Cisco Firewall :: ASA 5580 - Ping Allowed But Not Configured?

Apr 4, 2012

We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.


Cisco Firewall :: 5580 Do Static Command Needed

Oct 3, 2011

The firewall is running version 8.2 on an ASA 5580. Address translation is not needed on the inside network and outside network. But the customer has hundreds of static commands as below. [code] Can they all be removed and replaced with one single command as below?


Cisco Firewall :: 5580 Need To NAT Addresses To Inside Servers

Jul 7, 2012

We are going to set up an L2L VPN with a vendor and they asked us to NAT a couple of IP addresses for remote access to a couple of servers on our inside network. Our device is an ASA 5580 with version 8.1 and we have a handful of public IP addresses for use if needed. The vendor's remote network is a public IP address but for this posting I will use 192.168.10.0. Our inside servers are 10.100.10.20 and 10.100.10.30. Because 10.100.10 is in use with another customer they asked us to NAT 10.77.97.20 and 10.77.97.30 to the two inside servers.


Cisco Firewall :: 5580 - ASA Supports NAT In Bridge Mode?

Oct 31, 2011

Does the ASA support NAT in bridge mode, especially the 5580 series x?


Cisco Firewall :: 5580 Not Pinging Virtual Interface

May 1, 2012

I have got a new Cisco ASA 5580 running 7.2(4), and I am trying to configure a virtual interface on VLAN 400 in Gi0/0.400 to LBASE. Now the problem is that from my MZ zone 10.242.107.17 to the LBASE virtual interface 10.242.103.1 I am not able to ping.


Cisco Firewall :: Upgrading License For More Context ASA 5580?

Sep 13, 2011

This is the situation: I have two firewalls with failover and I need to upgrade the license so I can get more contexts (right now I have 5 contexts and I need 10). I was looking at the procedure and I'm not sure if I need to restart the device or not. I was looking at this procedure:
 
Upgrading the License for a Failover using ASDM (No Reload Required) Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.

1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.

2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.

3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.

4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.

5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.

6. Click Apply. This completes the procedure.

Link: [URL]
 
But then I checked on the Cisco web page that there are some licenses that need a reload. I see this:

All models

Downgrading any license (for example, going from 10 contexts to 2 contexts).

Note: If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
 
[URL]
 
So I just want to know: if I'm UPGRADING from 5 to 10 contexts, does the reload apply to my situation or not?


Cisco Firewall :: ASA 5580 - Consider Maximum Throughput That Could Be Send?

Aug 31, 2011

I have an ASA 5580 with multiple interfaces. To replicate my databases to another site, I mainly use two interfaces on that firewall. Those interfaces have a steady pace, around 95%.

I am wondering when I should consider that the throughput between those two interfaces is too much? Is there a good document that could explain clearly why?

Also I want to be sure that I won't affect the normal traffic between the other interfaces. Is there a way to guarantee certain traffic over others on an ASA? I don't have any router in my setup; the layer 3 role is performed by ASA firewalls (static routes).


Cisco Firewall :: Upgrade IOS On Failover Pair Of ASA 5580's?

Dec 6, 2012

Preparing to upgrade the IOS on a failover pair of ASA 5580s and was wondering what is gonna happen after I've upgraded the IOS on the standby unit and rebooted. How is the active unit going to react when it sees an IOS mismatch prior to me making the standby the primary and upgrading its IOS?


Cisco Firewall :: ASA 5500 / 5580 Syslog Keeps Sending To Old Server

Oct 26, 2011

We use multiple ASA 5500/5580 cluster systems running 8.3 software versions. Currently we send all our FW syslog data to a SIEM appliance in a DMZ on a remote firewall (non-ASA). Recently we suffered a strange incident while implementing a new SIEM collection station, now situated in a DMZ that is located on one of the ASA contexts. We redirected the syslog streams to the new client for one of the contexts on the ASA cluster that holds the new SIEM agent DMZ. Since we did this and redirected the syslog, we see double traffic and spoofing errors on that context:

a/ the ASA keeps sending out the syslog traffic to the OLD SIEM agent server IP (there is however no trace of its IP in the config)

b/ the traffic leaving the interconnection interface towards the OLD SIEM agent gets a SPOOFING error on the traffic

c/ strangely, the data also gets correctly forwarded to the new SIEM collection stations.

We started out with redirecting traffic on only one of the 5 contexts to the new environment and kept logging the others to the old system. I finally got out of the issue by reconfiguring all the other contexts to forward their syslog towards the same new server. Since that moment we no longer have the double logging and spoofing error; all syslog traffic goes correctly to the new SIEM agent. It looked like some remnants of the old syslog config remained on the ASA even after deleting and introducing a new config line (we used the ASDM to execute the action). As said, either it kept the old config or it looked in the other context and "decided" to keep sending to the old server also mentioned in that syslog can find the behaviour in any buglists either way.


Cisco Firewall :: Asa 5580 Clarification Regarding Show Local Host?

Mar 28, 2012

We are observing that the number of connections through the ASA 5580 keeps increasing, and one fine day it will stop sending/receiving traffic.

firewall# show conn count
1900000 in use, 2000008 most used

As per the datasheet of this ASA, the max conns permissible is 2 million (20 lacs), and the output shows that currently 1900000 connections are there and 2 million + 8 connections are most used. When I run "show local-host | include host|count/limit", below are the outputs showing for max connections:

local host: <172.x.x.x>,
    TCP flow count/limit = 35857/unlimited
    TCP embryonic count to host = 25
    UDP flow count/limit = 0/unlimited
local host: <DC01>,
    TCP flow count/limit = 306/unlimited
    TCP embryonic count to host = 8
    UDP flow count/limit = 736807/unlimited
local host: <DC02>,
    TCP flow count/limit = 246/unlimited
    TCP embryonic count to host = 2
    UDP flow count/limit = 582010/unlimited
local host: <172.y.y.y>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 308412/unlimited

These are the top 4 connections. I wonder, should we consider only the TCP flow count or UDP as well?


Cisco Firewall :: 5580 - ASA Transparent Mode With Trunk Interfaces?

Jun 15, 2011

We have a 5580 that we want to connect to each of our 7Ks as an internal firewall. To minimize hassle, we will set up the ASA in transparent mode. I have been working on this all day today and have run into a stopping point. If I put VLAN 20 on a subinterface on Te7/0, which will connect to N7K_1, it works great. When I try to put that same VLAN on Te7/1, which connects to N7K_2, I get an error that says the VLAN is already assigned to another interface. Our local Cisco SE told us that this would work.

My problem is that not all of our servers/systems are dual-homed to both 7Ks, so I have to be able to get this to work because of potential asymmetric routing issues that we will be dealing with. How do I get the 5580 to work in this configuration, and can you share your config with me? Using the redundant interface command isn't an option because I need both interfaces to be able to route over both 7Ks at all times.


Cisco Firewall :: 5580 To Create Syslog Entries When Someone Connects Via HTTPS / SSH

Mar 13, 2011

Is it possible for a Cisco ASA 5580 to create Syslog entries when someone connects via HTTPS or SSH to it. I need to obtain information from Syslog when someone does this.


Cisco VPN :: 5510 / 5540 / 5550 / 5580 - Series Firewall L2L And Client VPN

Feb 17, 2011

I want to privatize the outside interfaces of my ASA firewalls; however, I need a public IP address bound to an interface to support L2L and client VPN (using the Cisco client software). What I'd like to do is route to the firewall's privatized outside interface and have a DMZ interface with a public IP address on it for VPN peering. Ideally this would allow me to build rules on the outside interface limiting communication to the DMZ interface to IPsec only. Thus VPN tunnels would traverse the outside interface and terminate on the DMZ interface, giving me granular control of the peers and protocols allowed to reach the DMZ interface.

Platforms: ASA 5510, 5540, 5550, 5580 
Versions: 7.2(4)33, 8.2(2) 


Cisco Firewall :: 5580-40 - Input Errors / Overruns And Reset Drops On 10Gig Interface?

May 10, 2012

I have an issue with input errors, overruns, and input reset drops on the inside interface of a 5580-40 (v8.2.5, transparent mode). The box is not stressed at all according to the 'show' commands in the Cisco troubleshooting performance document for PIX/ASA v8.2.5. Nothing stands out because it is pretty much normal; nothing (processes, RAM, blocks, IO...) is really being highly utilized. I have replaced the 10Gig card and that seemed to work because the rate of errors has gone down tremendously. The next step is to RMA the whole box. My question is what would cause the inside interface to stop processing traffic (I say that because the syslog server stops receiving messages) for periods of 30 seconds periodically throughout the day, so that clients lose their connections (i.e. Outlook, IBM Sametime, Oracle, MSSQL, etc.). Can the issue be somehow related to the overruns and input errors?


Cisco Firewall :: Asa 722 Asdm Location Command After Upgrade

Sep 3, 2008

Before running firmware asa722-k8.bin and asdm-522.bin, ASDM "asdm location" config lines were created when we created a network object. After the upgrade to asa722-k8.bin and asdm-522.bin this disappeared. We recently upgraded to asa724-k8.bin and asdm-524.bin, which brought those config lines back. So is "asdm location" needed? If not, can we make sure those lines won't pollute the config file?








Copyrights 2005-15 www.BigResource.com, All rights reserved