Cisco Firewall :: Use Multiple ISP Connection To 5510?
Feb 7, 2013
i've two cisco asa5510 with 4 FastEthernet interfaces each.They are connected as below:
[code]...
to three different ISP each of them! The 4rth interface of each of them, is connected to internal LAN network. Both Firewalls, offers VPN Services to ISP connections on Fa0/0
How can i achieve high availability for this scneario?is this possible to implement some HighAvailability and to offer the actual services to each of them, in case that the other firewall fail?What about using subintefaces? can i connect bothe ISP and Customers links on one or each of them, in case that firewall01 fails, all the services to be online on firewall02?
View 1 Replies
ADVERTISEMENT
Feb 5, 2012
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).
View 1 Replies
View Related
Nov 9, 2011
I use a Cisco ASA 5510 with the AnyConnect VPN for remote workers. Now we want to give access to a select group of consultants who only need access to one sever and block everything else.
I was thinking this could be done by creating a separate AnyConnect Connection Profile on the ASA. From that new connection will come a new GroupPolicy with a ACL to only allow access to the one system. That GroupPolicy will point to the Radius Server looking for an account in a specific MemberOf group.
My question is - Could you explain how the ASA knows what Connection Profile to use when a user tries to authenticate? Does it automatically hunt down each Connection Profile until there is a username match via RADIUS in the Connect Profile?
View 1 Replies
View Related
Mar 26, 2013
I have an ASA5510 that is connected to outside for WAN, inside for LAN (10.22.254.0/24), and a iSCSI switch plugged into Ethernet 0/3 (10.22.244.0/24). I can ping the Eth0/3 interface (10.22.244.1) but I can't ping across that interface from WAN or LAN side.
START CONFIGURATION
ASA Version 9.1(1)
!
hostname ASA5510
[Code].....
View 7 Replies
View Related
Feb 27, 2013
I'm having a bit of trouble determining the best way to do this... I have 12 V LAN's set up (sub interfaces on a redundant group of two NICs) on my ASA 5510. On several of these, I want them to be able to access the internet but not access other V LAN's.
By default, they have a rule like "any to any less secure", and since the outside interface has a lower security level, this works great. But if I create an ACL on the interface, this rule disappears. I can restore internet access by adding an "any to any" or "(this interface's sub net) to any" rule, but this seems to imply that it allows access to any v LAN. Do I have to create a set of "deny" rules for each V LAN, on each V LAN, followed by an any-any rule to allow internet access, or is there a cleaner approach?
View 2 Replies
View Related
Jan 13, 2013
Whether it is possible to have same vlan on multiple interface on ASA 5510 and higher models ?
View 2 Replies
View Related
Dec 2, 2010
I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124 ) and another I would like to NAT to an internal server (e.g 192.168.0.3 > 123.123.123.125). On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static nat to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? I'm doing the config via ASDM.
Everything else seems to OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
View 15 Replies
View Related
Oct 2, 2012
I have a few sites all running Cisco ASA 5510s. They all share the same asa (8.4(4)1) and asdm (6.4.9) version, but their configs differ significantly. I have a cold spare sitting in my office in the event we have a physical failure. Is there a quick and simple way I can load up multiple configs and then boot up the cold spare to then run the config from Site_A or Site_B? Just looking for a quick solution rather than doing a full restore should something fail spectacularly. Nice to say upon bootup, using confreg perhaps, to boot Site_A config rather than Site_C.
View 1 Replies
View Related
Oct 19, 2011
I am running a ASA 5510 in multiple context mode. IOS 6.4(2), ASDM 6.4(5)106.
In older ios/asdm versions it was possible to backup the configuration using ASDM.
In 6.4(5)106 i am missing this feature (see attachment)
Is it possible to backup a multiple context firewall using ASDM and above mentioned software versions?
View 3 Replies
View Related
Apr 8, 2011
can i have on asa 5510 multiple pools and multiple group authentication for various departments along with restricted access if any
View 3 Replies
View Related
May 15, 2013
I am trying to set up my ASA5510 the fail over of ISP when it can't ping three different IP. I create three different tracking to three different IP using sla monitor & track rtr. But when I do
route isp2 0 0 yy.yy.yy.yy 50
route isp1 0 0 xx.xx.xx.xx 31 track 1
route isp1 0 0 xx.xx.xx.xx 32 track 2
route isp1 0 0 xx.xx.xx.xx 33 track 3
the last route will replace the previous two and only the last route command takes effect.Is there anyway I can set up the fail over to ISP2 only when it can't ping three different IP from ISP1?
View 1 Replies
View Related
Feb 20, 2012
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
View 1 Replies
View Related
Oct 10, 2012
I have a ASA 5510 at our corporate HQ that has one site to site VPN. I need to add 6 additional site to site VPN's to this ASA for our remote branches. How can I add them without affecting the existing site to site VPN? The 6 site to site VPN's will all have the same settings however these settings are different from the existing site to site that I already have set up. How can I set it up so the 6 additional VPN's use their own crypto map and all use the same settings?
View 1 Replies
View Related
Nov 11, 2012
Currently in our environment we have have two buildings with an ASA 5520 in each and a core stack of 3750's in each building. I am currently working on a network segmentation project and am thinking of adding another stack of 3750's in each building to add more redundancy to our network. This will allow our access layer switches to have a trunk to each stack and prevent an outage if one of the links or stacks were to go down.
My question is how I would set this up on the ASA end of things while using a common subnet and HSRP on the 3750's. I understand how to use HSRP and STP on the switches to achieve this on the 3750 end of things. I saw you can do etherchannel on the ASA with 8.4 but how does that work in a failover situation?
View 2 Replies
View Related
Dec 20, 2011
I have just put an ASA5510 in place and have the following setup:
Interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
[Code]....
I have connected my stations to an ESW540 inside of the Int Eth0/1 and am able to get ip addresses to the stations as well as DNS addresses. I cannot however connect to the outside connection in any way. From a computer connected to the ESW540 with a DHCP assigned IP address, I can ping the computer's IP, the ESW540's IP, and even 192.168.15.1. But I cannot ping the ip address from the Int Eth0/0, nor anything beyond 192.168.15.1.
From inside of the console of the ASA, I can ping all addresses of all ports as well as devices outside of the building and inside of ESW540.
View 6 Replies
View Related
Jan 31, 2012
I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1).It turned out it had 130000 active connections. Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.
View 7 Replies
View Related
May 17, 2012
My firewalls are running in multiple context mode.According to my troubleshooting, the problem happens because of the following things:
1- The host 10.15.5.100 do a telnet to 10.0.6.100 using the default gateway that is the context firewall C2;
2- The packet go to the C2 and is forward through the interface e0/0 (direct connected);
3- The packet is delivered direct to the host,without passthrough the context firewall C1;
4- The host receive the packet and return the answer to the source host 10.15.5.10 using the default gateway 10.0.1.10;
5- The packet is received by the context firewall C1 and is dropped with the reason Deny TCP (no connection) syn ack;
I think the the problem is on step 4, the context C1 receive a packet that didn't pass by it before. Am I right?
View 2 Replies
View Related
Sep 19, 2011
i have a 5510 with SDM 8.2.5 from clients connected to LAN i cant open a VPN connection! (using windows client L2TP or PPTP) there is not rules tho block this ports, why i cant connect?
my configuration:
FIREWALLP01# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname FIREWALLP01
domain-name MAIOR.local
enable password 28kg/dOQX80WtMHA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
View 1 Replies
View Related
Oct 29, 2012
I have this box. I have few questions about it.
1) Will I be able to update firmware (from 8.2 to 8.3 or higher for example) without smarnet for ASA 5510? And what can not I do without smartnet?
2) I have only AIP-SSM-10 module to this asa 5510. is there a smartnet for it, too? And when I buy only module is there build in a 1 year subscription for IPS signatures?
3) If I have Cisco ASA 5510 base license, will my IPS on AIP-SSM-10 work?
4) Also I'm planning in a year buy one more 5510 with same module and put ther in failover. Will I really need Security Plus license for failover (Active/Standby)? For Active/Active I know that I need one, yes?
View 5 Replies
View Related
Oct 31, 2012
I had an experience this week of installing a 5510 ASA with 8.4.3, also tried 8.4.4(1) with the strange effect that I randomly was losing contact with the internet. The interface stayed up/up. no errors or what so ever on the interface. Reseat of the DSL wire no result. Reseat of the outside interface cable made it work again. And after some time lost connectivity again. It did not recover by itself so had to let someone do a reseat again and again and.... The outside was using DHCP client. A lease was given and an IP also. Nothing strange to find. Talked to the provider which could see the DSL and the DHCP lease. Finally I downgraded the firmware to 8.4.2 and the problem was solved.
output
interface Ethernet0/0
nameif outside
[Code].....
View 1 Replies
View Related
May 26, 2011
I am replacing an old Fw with a New ASA 5510 and I have a problem with a TCP Connection on My LAN InterfaceI joined a picture of what I want to do. [code] From the PC,I can Ping the Video Camera But I can't connect to it with HTTP.I don't understand, Packet Tracert allow the Http packet too. [code]
View 7 Replies
View Related
Aug 28, 2012
I got a Problem on a customer which is using a Failover ASA 5510 pair with SSM-CSC-10-K9 modules.The clients have to connect to a webserver where they are doing some calculations.If they prepare everything and want to calculate everything what takes a couple of time the session is after about 3 minutes timedout.My first idea was to set session specific timeouts which are a bit longer then the normal but this setting did not work. I created a policy which did not work for me. How to set connection specific timeout's? [code]
View 3 Replies
View Related
Jun 8, 2011
I am configuring a new ASA 5510 to replace a SonicWall and I have a problem with an HTTP Connection inside my LAN.PC from the LAN ( using ASA LAN interface as gateway) can't Connect to a Camera video Web Server (192.168.4.20) on Port 80 whereas I can Ping it.
ADSM logs show :
106015# Deny TCP (no connection) from ip1 to ip2 Flags RST on Interface LAN.The adaptive security appliance discarded a TCP Packet that has no Associated connection in the adaptive security appliance Connection table.
- I Enabled command "same-security-traffic permit intra-interface"
- HTTP inspection is disabled.
I used Capture feature on the Ingress Interface, I joined the Logs and a part of my ASA Running Config.
View 3 Replies
View Related
Jan 28, 2012
we have installed an asa 5510 with 3 interfaces : dmz (web server 172.20.0.59;application server 172.20.0.58; server mail 172.20.0.157), inside (lan) and outside (connected to a router for internet connexion). the problem is that the connexion internet is slow in the inside (lan). our dns is in the ouside with ip address x.x.x.60 ( the dns have translated addresse to inside and dmz 172.20.0.60). the router connected to our IPS have x.x.x.33 (our default gateway for internet). there is a simple switch between firewall and router. the inside interface of the asa is connected to catalyst cisco 6509 (the interface gigabit of the 6509 is configured to auto speed and duplex). the asa have base lisence.here is the configuration of the asa and the output of commandes show interfaces (inside, outside), show asp drop , show perform.
firewall# show run
ASA Version 8.2(1)
!
hostname firewall
domain-name xxx.xx
enable password dgft12ghkHKM123Z encrypted
passwd dgft12ghkHKM123Z encrypted
names
[code]...
View 3 Replies
View Related
Jun 23, 2011
I have an ASA-5510 in a location that loses connectivity to the wan gateway after anywhere from five to fifteen minutes. At first I thought that the unit might be defective, but I replaced it with an ASA-5505 with similar results. A reload of the ASA-5510 will restore connectivity for the next quarter hour.
Here's the version information on the 5510:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
[Code].....
View 1 Replies
View Related
May 4, 2011
I am using ASA 5510 and I have a specific problem with Http Connection to receive a video Flow ( RSTP protocol ) in the LAN. Some Pc users (192.168.1.133,in the log) with ASA Lan Interface as gateway can ping the Camera but don't receveive the video flow.Some Pc users (192.168.1.116,in the log) using another gateway can ping and receive the video flow. I used Whireshark to capture traffic between camera and Pc using the 2 gateway. I joined Logs with this message.It seems to be a problem of TCP segments on the ASA, I try to changed some TCP options but it's still the same:- Disable Force Maximum Segment Size- Enable Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Second.
View 7 Replies
View Related
Jan 3, 2012
so i have a ASA 5510. The ASA is Connect with the Internet through PPOE DSL MODEM
The outside Interface get an IP. The Inside Interface get through DHCP from the ASA the Internet DNS SERVER (T-Online) But the HOST do not connect to the Internet because the DNS Server is timed out
Code...
View 10 Replies
View Related
Apr 26, 2011
I am trying to telnet to my asa 5510 from the core swith,however i received the below msg,how enable it?
172.30.1.100 is the inside interface of the asa
CITYCORE#telnet 172.30.1.100Trying 172.30.1.100 ... % Connection refused by remote host
CITYCORE#
View 8 Replies
View Related
Oct 25, 2011
I am managing a firewall setup with some ASA 5510's.One of the rules I have in the ACL list is to allow or deny (By disabling the rule) access to certain subnets.
I have a 3rd party vendor that from time to time need access to specific servers in the infrastructure, but I want to keep a certain level of control when they can access them and especially when they can not.
I know it works fine, I have done several tests to verify when they can connect and when they can not. But, now comes the tricky part, if they are already connected (Remote desktop) to the system, and I disable the rule, they are STILL!!! connected. It seems the firewall does not terminate the active session / cconnection when I disable the rule allowing them access..
View 3 Replies
View Related
Apr 10, 2011
Using Cisco ASA5510 Security Plus (Post May 2010) with 8.2(1)
I was trying to limit the number of internet IP Address that can initiate Remote Access VPN connection to the firewall. I have plan to only allow internet IP Address from few ISPs for control.
However, blocking AHP, ESP, ISAKMP, NON500-ISAKMP, and IPSec Over TCP Port Assigned in the firewall outside interface doesn't work. But it works by putting the ACL in the router before the firewall. It seems that the firewall have a "hidden" process VPN first before user entered ACL (or explicit rule), similar to Checkpoint FW's implied rule. How to get around it?
View 4 Replies
View Related
Apr 2, 2011
Currently, my customer has 2 units of Cisco PIX 515E running on Active/Standby mode. As for the heartbeat link, there are 2 dedicated switches placed in between both the Cisco PIX 515E i.e. FW1 --> SW1 --> SW2 --> FW2.
My customer will be changing both the Cisco PIX 515E to Cisco ASA 5510. Now, they are asking me, since they will be using Cisco ASA 5510 eventually, can the heartbeat link be a direct UTP cross cable or must the 2 switches in between still exist?
I remember I have tested this before, few years back, in the event I were to pull out the UTP cross cable that's connecting both the Cisco ASA 5510 Firewalls directly (without any switches in between), the Active/Standby mode still works fine. It doesn't go bad whereby both the Cisco ASA 5510 suddenly becomes Active/Active, and causes network issue.
Are switches required for the heartbeat link in a Cisco ASA environment or can a direct UTP cross cable connection be adequate.
View 3 Replies
View Related
Oct 15, 2011
Our client tried to a download a real time generated file from a website, the generation process around 5 mins, after 5 mins, the file will be started to download
When my client direct connect to internet, the file can be download successfully, but when pass through the ASA 5510 and using the internal IP address, a message something like "Are you sure want to logout from this web page?" appears in Safari after 5 mins, i think the time of the error message appear when a "you can start to download" message send from the server to client, the page session timeout so that make the user cannot download the file from internet as the session is not vaild.
I couldn't find any timeout setting in "show runn", is it possible the setting in ASDM? how can I find it and configure it?
View 5 Replies
View Related
Nov 28, 2012
Version: Cisco ASA 5510 8.4(4)1
I've installed cisco asa 5510.
When I "show local-host all detail connection "
Normal situation:
105 myfailover:10.255.255.2/0 NP Identity Ifc:10.255.255.1/0,
idle 0s, uptime 1D14h, timeout 2m0s, bytes 18196822
But I got this output ( timeout - )
[URL]
View 0 Replies
View Related
