Cisco Firewall :: Catalyst 6509E - Web Services Not Working
Mar 11, 2013
We have installed and implemented an FWSM on a Cisco Catalyst 6509E and defined two virtual contexts. One of the contexts works as the datacenter firewall. Initially it is configured to allow all traffic to the datacenter VLAN (permit any any). In testing it worked fine, except for one problem: all web services had degraded performance, while all server-client (non-web) services worked fine. Additionally, all HTTPS services worked well.
Users connect to the web server bypassing the proxy; web services are expected to act just like the other ones.
Jun 6, 2013
I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period. With that in mind, is there any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything. In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
May 20, 2013
I've recently migrated a PIX 525 to an ASA 5520, but for some reason (through the ASA) users from OUTSIDE aren't able to access services published in the DMZ, and some DMZ servers aren't able to communicate with some OUTSIDE services.
-INSIDE to DMZ is working fine. (through ASA)
-INSIDE to OUTSIDE is working fine. (through ASA)
Below is the configuration from my PIX (where everything works just fine) as well as the one on the ASA (where there is a problem). What could be the cause? In the case below, the DMZ hosts from 11.1.10.0 aren't able to access SMTP services (through the ASA) and the OUTSIDE users aren't able to access the DMZ web server (11.1.10.40) through the ASA. This all works fine with the PIX.
object-group network inside_subnet_all
network-object object inside_subnet_a
network-object object inside_subnet_b
network-object object inside_subnet_c
network-object object inside_subnet_d
network-object object inside_subnet_e
network-object object inside_subnet_f
network-object object inside_subnet_g
network-object object inside_subnet_.
access-list OUTSIDE extended permit tcp any object host-11.1.10.40 object-group WWW-HTTPS
access-list DMZ extended permit object SMTP object dmz_subnet any
access-list INSIDE extended permit ip
Nov 7, 2012
I have to upgrade two Cisco Catalyst 6509E switches from CatOS to IOS. I would like to know the hardware or software requirements for upgrading. Which are the recommended images I must download? Going from cat6000-sup32pfc3k9.8-4-5 to the latest stable version of IOS, is it recommended to pass through another, earlier version first?
I have viewed the following links, [URL], but they don't mention anything about that. Below is the result of the "show version" command on one of our Cisco Catalysts.
WS-C6509-E Software, Version NmpSW: 8.4(5)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Aug 3 2005, 13:13:36
[code]....
Sep 9, 2012
Environment:
1. Core switch - Catalyst 6509e
vlans configured:
a. vlan 50 (wired clients)
[Code]....
Here's the problem: wireless clients connected to WLAN guest keep getting DHCP leases from WLAN local 10.0.50.10 (scope 10.0.70.101 to 200).
Oct 21, 2012
I have a Catalyst 6509 E with redundant SUP720-3B (and MSFC3) running 12.2(18)SXF6 IP Services LAN Only IOS (this IOS requires 512MB DRAM and 64MB of flash). The SUP has 512MB DRAM (458720K/65536K) and 512MB sup-bootdisk:, but there is 65536K bytes of Flash internal SIMM (Sector size 512K).
My question is: can I put 12.2(33)SXJ3 IP Services LAN Only IOS on this 6500, given that this IOS requires 512MB DRAM and 512MB of flash? This is the "sh ver" and "dir all-filesystems" of my 6500:
cat6500#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF6, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Mon 18-Sep-06 23:59 by tinhuang
Image text-base: 0x40101040, data-base: 0x42D90000
ROM: System Bo
Aug 30, 2012
We have LMS 4.1 - it was working perfectly for some time - it was rebooted and now the services don't start correctly. I manually started most of the services but the Daemon service will not start.
The main page comes up and after I log in - all the sections list an error
'License Server / Deamon Manager is down. Please check license.log for more information'.
Feb 6, 2012
I have a Dell Desktop Studio running Windows Vista Home Premium 64-bit SP2. Since I got my PC new, almost 3 years ago, I have regularly gotten a Windows error "Advanced Networking Services stopped working." Windows never finds a solution when I click on that option. I've always ignored the message because I do no networking, but now I want to set up a wireless network so I can stream to my TV.
Jan 22, 2012
I'm doing some L2 cleanups across multiple 6509E environments and I've found something consistent that I can't find in documentation. On all my pairs of 6509s where I have FWSMs bundled (6509-A has FWSM-1 in Slot 1 and 6509-B has FWSM-2 in Slot 1) I also have a port channel 305. Obviously when I do a "show run" or "show int desc" I don't see anything in slot one. It's a service module. But the port channel is referencing ports 1/1-6. And it's all in service/up. I was about to delete this as I thought it was some leftover config (TEST 6509s) until I went and saw the same things on our PROD 6509s. Is it cosmetic? Necessary? Can I delete it as part of my audit cleanup? I don't want to mess with it even in TEST without some information. There's nothing on Google that's clear and I can't find anything on CCO.
#################################################################################
6509-1#sho etherch 305 summ
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
[code]....
Sep 18, 2012
I have an ASA 5505, ver. 8.4(1). I have configured 2 WAN links to:
1. Outside1 - distance metric 50
2. Outside2 - distance metric 20
Currently all traffic is passing through Outside2 and that's correct; S2S and RA VPN are also running on Outside2. My current case is to use Outside1 for webvpn services only. I can't use Outside2 because other services are running on port 443, and I also can't change the webvpn port to another one.
How can I match packets incoming to interface Internet1 from the Internet side and route them back through the Internet1 interface?
IP SLA is not a good solution because I need to have both WAN links used. Now in the routing table I have only one record
S* 0.0.0.0 0.0.0.0 [20/0] via x.x.x.x, INTERNET2
for the link with the lower metric, but after some problems with the provider for link Internet2, routing changed to Internet1 and didn't change back after the problem was resolved. How do I create it for all traffic incoming on the Internet1 interface from outside?
Jun 23, 2012
I have 3 ASA5520s, 2 of them running as remote access VPN, 1 of the ASAs as site-to-site VPN. There are 2 different ISPs which are used between them. Can I consolidate all these services in 1 ASA5520, with regard to configuration and whether the ASA could handle these services together without performance degradation? I forgot to mention that even e-mail service and Internet browsing also go through one of the ASAs. I was just wondering whether the configuration will get messy or whether there is a different approach to go about it. The OS on the ASAs is 8.3.
Feb 18, 2013
How to get DynDNS or some other public dynamic DNS services on the Internet working on ASA 5505?
Jan 3, 2013
I am trying to figure out if the new code for ASA SM 9.0(x) or 9.1 is compatible with the CAT6500, but I could not find any document that explicitly confirms the INCOMPATIBILITY. This table from the Release notes is not quite clear.
[URL]
It says that code 8.5 is compatible with the Cat6500 and version 9.X is compatible with the R7600. So are there two different trains now, one for the Cat6500 and one for the R7600?
My real goal is to find the correct software versions (not interim) that provide compatibility with the Catalyst 6500 with Supervisor 2T and ASASM.
Nov 28, 2012
We have a hosted spam filter service with a 3rd party vendor. My vendor is switching to different spamming services and I need to add an IP address, let's say 44.33.454.32, to the list of allowed systems that can connect to my SMTP service. I am going over my firewall 5510 configs and I think I need to add an entry like this: “access-list outside-to-inside extended permit tcp object-group obj-44.33.454.32 interface outside eq smtp”. [code]
Nov 21, 2012
Do you know how to create a static NAT from outside to inside using services? This is a firewall 5545x.
Jul 25, 2012
I have created different extended access-lists which allow/block some specific services like IP, TCP, UDP, ICMP, etc. for certain sources and destinations. But now I have to allow/block all/any type of services to a certain host from an extended access-list. How can I do it?
Jul 20, 2011
I recently picked up a Catalyst 2960G and am trying to get SNMP management working over IPv6. I have the IP Address set to the local link, and can successfully ping and telnet to the switch (so the network can get traffic to and from the switch). However, SNMP packets just seem to disappear. I am running Wireshark on my machine, and I see the packets go out to the proper IP, but nothing comes back. When I check "sho ipv6 traffic", I can see where there are UDP packets that are received, but, again, none going out. Also, when I run "sho snmp", all of the packet counts are 0.
Here are some relevant snippets from my "sho run":
interface Vlan1
no ip address
no ip route-cache
ipv6 enable
[code]....
Jan 28, 2013
Unable to limit traffic on Catalyst 3750 gigabit ports; it has fiber modules.
I want to limit traffic to 2mb per port.
I have tried srr-queue and a policer but it is not working, and there is no ratelimit command under any interface. Applying a policy to output is not supported on the interface.
policy-map rate-limit
class class-default
police 2000000 8000 exceed-action drop
int gi1/0/3
service-policy input rate-limit
Still, when I start a download it goes to 10 mbps.
Jul 25, 2011
We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.
Aug 9, 2012
How to secure VLANs on a Catalyst 6500 by using Cisco ASA firewalls? There are no free module slots on the Catalyst 6500 to install an FWSM module. What is the best configuration to secure VLANs (~80 VLANs) by using Cisco ASA firewalls (context, hairpinning...)?
Jan 28, 2012
Multicast is not working between our two datacenters. We have Catalyst 2960S (two stacked) as the internal LAN switch, and Catalyst 3560E as the external switch, with the same configuration for both datacenters. The two sites are connected using metro; the external switch (3560) is doing QinQ and encapsulates the data from the internal switch with the metro VLAN (611).
IGMP snooping is disabled for all switches, although we would prefer to enable it for the internal switches. For each datacenter there is a different firewall which also acts as the router; we are using FortiGate as the firewall. Following is the important configuration section:
Port 43 in the internal switch is connected to the external switch (both sites):
interface GigabitEthernet1/0/43
switchport mode trunk
load-interval 30
Port 3 in the external switch connected to the internal switch (both sites):
interface GigabitEthernet0/3
switchport access vlan 611
switchport mode dot1q-tunnel
no cdp enable
no cdp tlv server-location
no cdp tlv app
Port 8 on the external switch connected to the metro link (both sites) vlan 350 is the internet and 611 is the metro:
interface GigabitEthernet0/8
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 350,611
switchport mode trunk
vlan 611 on external switch:
interface Vlan611
ip address 192.168.168.2 255.255.255.0
no ip route-cache
no ip mroute-cache
Mar 28, 2011
I have a Cisco Catalyst 4507R+E (with Sup7-E) and two blades; one WS-X4748-RJ45V+E and one WS-X4648-RJ45-E.
When I connect a device to a port on the WS-X4748-RJ45V+E blade the port will not come up, show interface shows the status as "notconnect". When I connect the same device to the WS-X4648-RJ45-E blade the interface comes up.
The WS-X4748-RJ45V+E blade seems to have initialised okay, it appears in the output of "show module" as OK.
I get exactly the same effect on a second, identically configured Catalyst 4507R+E.
The software version is IOS XE 3.1.0SG, which according to the release notes supports the WS-X4748-RJ45V+E blade
Jul 8, 2012
I have a Switch 6509E which is the core of the network, and we have 4 links from 4 ISPs. Will all the links work at the same time? How can I configure BGP? As far as I know, if I configure BGP it will work with one ISP as an active link, and if that link goes down it will automatically begin to work with another ISP. My question is how I can configure the network so that some VLANs work with one ISP, some VLANs with the others, and so on. If I configure it with a route map I will have to track it and change the configuration every time a link goes down, but I do not want to track it. Can I do anything with BGP to implement this task? The core of the network is the Switch 6509E; inter-VLAN routing is implemented on it, and no dynamic routing is enabled. The firewall module installed on it implements the NAT processes.
Mar 18, 2012
Is it possible to configure an IOS Firewall IPS on a Catalyst 3560? Which IOS version would I need if it were possible?
Jun 1, 2013
I have two 6509Es working in VSS and both are working fine. But the configuration register shown by the command "remote command switch show boot" is 0x8000, which is different from that of the RP (0x2102). Now I want to change the value of the configuration register of the SP to 0x2102.
Sep 20, 2012
I am multihomed to dual ISPs using a single 6509E. Currently, I am only receiving a default from each ISP and marking one with a higher local pref. Most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out through that provider, only to be black holed. My 6509 will only support 256k routes, so full route tables aren't an option. I could receive partials from each ISP. Is there any other method of detecting this upstream ISP issue and then adjusting my local pref on my default to use the alternate provider path?
Aug 16, 2011
We want to provide an end-to-end encryption service using an ACE02 in a CAT 6509E. This is covered in the ACE config guide so should be OK. The issue is that we want to include traffic inspection using an IDSM2, so we need to separate the decrypt and encryption stages and send cleartext traffic to the IDSM2. The Security and Virtualization in the Data Center PDF, page 18/19, suggests that it might be possible. The design depicted there, though, is only doing SSL termination, then sending the clear text on to a WAF and on to IPS, but it does say end-to-end encryption is also possible. So in essence what we want to do is have traffic from clients destined for the server farm decrypted by the ACE and sent to the IDS. We then want the traffic to return from the IDS to the ACE to be encrypted and sent on to the server farm.
Apr 30, 2012
I have a new 6509E with 2 Sup 2T cards. The 10GE ports on both sup cards will connect to 2 5548s. Can I connect the management interface on the new 6509E to the old 6509 until I free up space to bring the line cards over?
Jul 16, 2012
We have configured BGP on a Cisco Switch 6509E. The firewall module on the switch is doing NAT for all users, but users are not going to the internet yet. I do not know how to configure the 6509E to give internet access to users. If I route the default route to the FWSM, then BGP will not work? If I route the default route, what is the meaning of BGP then?
I do not want to write a static route because BGP should work (4 ISPs redundancy).
How do I let users go out to the internet through BGP, when NAT is being done on the firewall module on the 6509 and routing is being done on the 6509? How do I configure it?
Mar 5, 2012
Simple question regarding WAN transit uplinks on a 6509E and BGP. The hardware configuration is:
Cisco 6509-E Chassis with enhanced Fan
WS-SUP720-3BXL
WS-X6748-GE-TX
Dual power supply and 1 G flash for Engine
I'm currently using both 1 gig uplinks on the SUP for my two carrier transit uplinks (BGP). I would like to add a third carrier transit uplink into my BGP. Can I utilize the 6748 for access to the SUP720 routing to expand my transit carrier uplinks? Any thoughts on options without having to go to a 10gig SUP720?
Jan 31, 2011
I've got a problem with a core 6509E and multicast. A client has a system with cams for physical security and they are connected to a VLAN with this config:
interface VlanX
ip address 172.20.167.1 255.255.255.128
ip helper-address 172.20.32.7
ip pim version 1
ip pim sparse-mode
end
The thing is that we know that one server that shows the cams at the security office is flooding the network and the CPU CORE is over 95% always:
CPU utilization for five seconds: 99%/39%; one minute: 99%; five minutes: 99%
263 644650276 567873287 1135 51.99% 55.06% 55.35% 0 IP Input
[Code] ....
Dec 9, 2012
I have a couple of 6509-Es combined in a VSS system. I need to upgrade them to support 8 (or 16 at max) 10G uplinks. I have already used the two built-in VS-S720-10G fiber connectors for VSL links. Which Ethernet modules do you suggest using? Are there any related upgrades that I have to do?
supervisor used: VS-S720-10G
Chassis: WS-C6509-E