Cisco Firewall :: Configure The ASA5510 In HA Mode?
Jun 4, 2012
Configure the firewall Cisco ASA5510 in HA mode. Enclosed network diagram.
I have an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to the internet, no VPN. Now the customer would like to add another ISP uplink without investing in another box for HA. What came across my mind is to make the current box multi-context. There are some areas I need to be concerned about, and I also need your perspective on them.
Question 1: To make the firewall multi-context, do I need to do it from scratch, issue the mode multiple command, then rebuild the current production config into one of the contexts, with another context for the new ISP uplink and one admin context?
Question 2: For the CSC-SSM licensing requirement, the ASA 5510 with Security Plus license is able to support 2 contexts. So if I split my firewall as I mentioned in Question 1, what exactly is the number of contexts I own (admin, context A, context B)?
Question 3: For the CSC-SSM module in multi-context mode, must the management port of the CSC SSM be attached to the admin context?
Question 4: After configuring all the policy and the traffic to scan, how exactly should I apply this policy to the interface? Should I only enable it in the admin context, then the firewall service-policy rules, and apply it globally, OR should I also do the same on context A and context B?
I have an ASA5510 in the office that already has 3 contexts configured, namely admin, user and server. In the server context the last running config was not saved, and there was a power trip last Friday night. One of the sub-interfaces was affected, and I need to recreate that interface. I am getting the below error; it only allows me to make changes to the pre-defined interfaces. How do I create an extra sub-interface?
I understand that in transparent mode an ASA5510 would only be able to have two interfaces, inside and outside. My question is: could one of those logical interfaces be an LACP'd interface, made up of two physical interfaces? Topology below. I understand that the router and ASA5510 are SPOFs here, so it is a bit of a moot point, but we're connecting already existing infrastructures together!
|-----------|      |-----------|
| Switch 1  |------|           |
|-----------|      |  ASA5510  |      |----------|
                   |  (transp  |------|  Router  |
|-----------|      |   mode)   |      |----------|
| Switch 2  |------|           |
|-----------|      |-----------|
I have a single ASA-5510 with CSC module. I want to pair it in active/standby mode for failover.... Can it be done if the second ASA doesn't have the module? Can I assume that in case of a failover the traffic won't be checked, and that the primary does the same in case the CSC module fails?
I have 2 x ASA5510 with Security Plus license. I have configured 3 contexts and Active/Active failover. Everything works fine, but I also want to use remote access VPN and couldn't find anything for VPN. Does it support VPN in multiple mode?
How can I configure policy NAT on an ASA5510? I would like to do the following:
9.1.1.9 NAT to 10.1.1.9
If source IP = 1.1.1.1
then NAT to = 10.2.2.9
the rest NAT to = 10.1.1.9
The issue is I want 1.1.1.1 NAT to 10.2.2.9 when accessing www.example.com. The rest NAT to the current NAT.
I am using a fiber optic connection. I want to connect it directly to the ASA5510. A WLC2504 will be connected to the ASA and one Aironet AP will be deployed at first. (At this moment I am not using any Windows server, but in the near future I will need to deploy Windows Server 2003 in my corporate network.) My questions are:
Can I configure the ASA as DHCP server for my LAN?
Can I configure the WLC as DHCP server for my LAN?
If we can configure both, then what is the best practice of the above two options? (I am new to Cisco stuff and a first-time user.)
My customer had a spare ASA5510 bought a few years ago with 5 x FE and Security Plus license with HA. Now they would like to buy a new ASA5510 to configure HA with the spare one, but now the ASA5510 comes with 2 GE + 3 FE. Can the two FWs work in HA?
Is it possible to configure bridge mode on an ASA 5505? If it is, can you provide me a config?
I am new to Cisco ASA. I need to configure an ASA 5520 in transparent bridge mode. [code] I need to place the new ASA firewall in transparent mode. How do I configure the firewall in transparent bridge mode?
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9; from the datasheet I found out the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?
I am trying to get an ASA5510 working in transparent mode, multi-context. I am on revision 8.2.5, so there are no bridge groups (those are enabled in 8.4). I first set it to transparent mode, then set it to multi-context mode. I am doing trunking through Ethernet0/0 to Ethernet0/1, and have two VLANs on subinterfaces of each interface. These interfaces are in the 2nd and 3rd contexts, and all trunking between VLANs is working correctly in transparent mode.
But I can't telnet or SSH to the ASA itself.
I have an IP address on the inside VLAN interface in each context, and can ping the IP in context 2 and context 3. There is an IP also in the admin context, but I am unable to ping this. I have tried putting it in the same VLAN as the 2nd context, and putting it on the management interface, but since there is a global IP only in transparent mode, I don't think the management interface is used (even though it is in the admin context's included interfaces).
Since I can't connect to the ASA, I can't easily get the running config to post it here, even though that would likely
To summarize:
- transparent mode
- multi-context
- trunking (dot1q) through Eth0/0 and Eth0/1, so each interface has four sub-interfaces, each in its own vlan
- these VLANs are in each of the contexts except the admin context
- the IP of each context can be pinged, but I can't telnet or SSH to it
- telnet and SSH are set up to allow a /16 subnet range access, in each context
- an access-list is set up to permit ip any any and permit icmp any any on the inside and outside interface of each context
- all thru-traffic is passing correctly, but can't manage the ASA other than sitting at the console of it
What I'm going to try now is putting the admin context into one of the vlans in the trunk and see if I can use it that way.
I currently have an ASA5510 with 2 interfaces (outside and inside) running remote VPN for clients and L2L VPN for a couple of sites. I have traffic entering the inside interface, matching interesting traffic, being wrapped up in IKE/IPsec and sent out via the outside interface. All straightforward so far. Now I have a new VPN which is required to go over another interface and not the outside. The traffic comes in to the inside interface as normal and should be matched via ACL, encrypted and sent out the new interface; however, the traffic is simply sent out of the outside interface and doesn't get any IKE headers. If I reconfigure the interface to be the outside it does at least match the ACL, wrap it up nicely in IKE and try to get to the remote peer. My questions are why this behaviour occurs and why the traffic isn't marked interesting and sent out the new interface. I don't have any issues creating a new VPN if I want it to go external, I just add the required information to the outside_map, but I need the traffic to be encrypted and sent over another interface. I'm not a huge fan of the GUI for this, but I've tried both CLI and GUI with the same results.
We have a main office and 4 remote offices (only showing 1 remote office in the diagram). We are using GRE over IPsec VPNs to the remote offices, which terminate on the 2811 router in the main office. We are using the 2811 as it is the only device we have that can terminate GRE. The 2811 router is connected to the outside switch and is configured with a public IP address. We also have an ASA5510 in the main office which is connected in the same manner and is used for web, e-mail traffic etc. Both the main office and remote offices have a 10Mbps Internet connection.
We have an issue with voice quality between sites as we are finding it difficult to control bandwidth utilization in the main office. When users in the main office download web content it can saturate the 10Mbps Internet connection, causing voice quality issues. We have configured outbound shaping on the branch routers to make sure that aggregate inbound traffic from all branches to the main office does not saturate the link, but we cannot control traffic from the Internet. I understand that controlling inbound traffic from the Internet is difficult without controlling QoS on the ISP's side. Is there any way to reserve inbound bandwidth to ensure that web traffic does not impact voice? Also, in this design, which is the best place to configure outbound QoS from the main office?
I need to configure NTP on ACS 5.3. I don't know how to configure it through GUI mode.
I am able to ping from the switch to the firewall inside IP and the user desktop IP, but unable to ping from the user desktop to the FW inside IP. The config is below for both the switch and the FW (Cisco ASA5510).
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
We purchased some 3502e's and I was told we could set them up as autonomous APs to do a site survey. However, I haven't come across much online for instructions. I saw one post that mentioned downloading code for another AP model, I think a 1260, but we don't have rights for such a download.
A customer got a 1552 outdoor AP in local mode and installed it at a building. It has to run as a Mesh AP (MAP). Now the AP connects one time to the WLC 5508 and started a download. After that, the AP never came back. Like we saw on the other installed 1552 RAPs, they all were in local mode. We configured all APs to bridge mode, but the MAP could not join anymore. Is there a CLI command to change the mode on the AP itself? From the WLC it's not a problem, but for the AP CLI I cannot find anything.
I want to configure two WAP4410N APs in bridge mode and I can't find the correct configuration tips.
I forgot the console admin password for ACS 5.3, which is installed on VMware, but am able to log in through GUI mode. So is it possible to change the username and password for the console administrator through the GUI?
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one runs just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from the console. It's just a huge crash dump. Is there anything I might have missed during the upgrade? Should I cold-boot both firewalls in the correct order?
I have an ASA5510 and I have a question about the speed the ports can handle. Here is one port:
interface Ethernet0/2
 speed 100
 shutdown
 no nameif
 no security-level
 no ip address
It's Ethernet and not FastEthernet, so I figure it will only go to 10Mbps, but at the same time I can hard-code the speed to 100.
I have a Cisco ASA 5510 firewall in my network, and I am planning to upgrade the flash memory from 256 MB to 512 MB and the RAM from 256 MB to 1 GB.
I want to achieve the following setup:
So basically I have a C877 and a Cisco ASA 5505, and I want to push the public IP of the ISP to the outside interface of the ASA so the Cisco 877 will only be responsible for ADSL and PPPoA. Don't ask me why I don't use a modem/router instead. I know that it is a waste to use the C877 in this way, but I want to test the setup.
Right now the config of the C877 regarding ADSL and PPPoA looks like this (I don't have the ASA connected yet, so all the PCs are connected directly to the C877 right now):
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface Dialer1
 ip address x.x.x.x 255.255.255.248
 ip access-group OUTSIDEACL in
 ip nat outside
 ip inspect FWRule out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 0 xxxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxxxx
ip route 0.0.0.0 0.0.0.0 dialer 1
ip nat inside source route-map Nat interface Dialer1 overload
Interface vlan 100 is my LAN, configured with DHCP.
How should I configure the C877 to push the public IP to the ASA?
We have 2 offices in different countries both using the RV082 router. Currently both offices have an internet connection on WAN1 and that is working fine. We are adding a Point to Point circuit between the two offices, and my question is on the RV082 configuration on each side.
I was going to configure WAN2 in DMZ mode on each router, then connect the point to point circuit to the WAN2 port. On the China side, the DMZ IP will have to be a private address (192.168.177.1), while the DMZ port on the San Diego side will be a public IP. We need internal computers to be able to go to the internet normally through WAN1, but also go through WAN2 if they are trying to reach the other network. I will be adding routes on each RV082 for this.
Is there anything wrong with this configuration? Do I need to change the routers from Gateway to Router mode? Does it matter if the DMZ WAN2 port has a private IP address?
My apartment already has internet provided to all of the rooms, but I'm trying to set up my router as a wireless access point. I tried disabling DHCP on the router, but then I wasn't able to get any internet access at all. Does this device not support bridge mode?
I just received a Cisco Aironet 1130 AG Wi-Fi router to configure, and when I entered the router through the console, I was not able to get into config mode. It says:
[code]....
We have an RV120W Wireless-N VPN Firewall and we want to configure the router in bridge mode (transparent), because we have another firewall used for filtering and as the default gateway on the LAN. The ISP provides the IP address by DHCP, so we must connect the internet connection to the WAN interface. But how can we connect the RV120W to our firewall? Does the router mode on the RV120W allow this configuration?
I'm trying to find a configuration example detailing how AP sniffer mode and SE capability can be configured on a Cisco 3600 that is equipped with a WSSI. I came across the WSSI deployment guide, which does not go into the detail that I would like to know. I'm particularly after the flow details. The WLC config guide 7.4 only discusses the legacy AP sniffer and SE configuration.
I'm trying to configure my WAG200G to work in bridge mode so that it can transfer my external IP address to my ISA server. My network map is very simple: Internet -- WAG200G -- ISA Server -- LAN. Can
I have a Cisco ASA 5510 with Security Plus license in a live environment. I need to add a secondary firewall. I was planning to do it in active/standby mode for failover. But I have a doubt: when I do "show version" on the live ASA, the output says Active/Active failover. Does this mean that I can only configure failover in active/active mode and not in active/standby (which I want to do)?
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5505 Security Plus license...
I am using a Cisco ASA5510 firewall in my network in the distribution layer. A private range of network addresses is used in the network, with PAT at the FW for address translation. I am presently encountering an issue where users behind the FW in my network are unable to RDP on port 2000 presented at the client network. They are able to telnet on port 2000 but not RDP. Are any changes needed at the FW end to get the RDP access?