Cisco Firewall :: Creating Subinterface In ASA 5520?
Jan 31, 2013
I am in a non-admin context mode in ASA 5520 8.0 (5) and i m trying to add a new interface
GigabitEthernet1/2.4 172.19.4.1 255.255.254.0 manualGigabitEthernet1/2.6 172.19.6.1 255.255.255.0 CONFIGGigabitEthernet1/2.180 172.19.180.1 255.255.252.0 manualGigabitEthernet1/2.190 172.19.190.1 255.255.254.0 manualgvadc-fw/tgf# conf tgvadc-fw/tgf(config)# int ggvadc-fw/tgf(config)# int gigabitEthernet 1/2?
configure mode commands/options:1/2.180 1/2.190 1/2.4 1/2.6gvadc-fw/tgf(config)# int gigabitEthernet 1/2.168 ?ERROR: % Unrecognized commandgvadc-fw/tgf(config)#
what do i do?
View 2 Replies
ADVERTISEMENT
Apr 5, 2012
I'm trying to set up an 802.1 q trunk between my layer 3 switch and ASA5520. I understand I need to create a subinterface to accomplish this and have done so. However, the subinterface does not respond to pings, and when I attempt to run the packet tracer on the firewall itself, I get a message saying Flow is denied by configured rule. But the strange thing is it shows the output interface as "np identity ifc":
(The VLAN in question is VLAN2 192.168.2.3 is the VLAN2 address on the switch). The ASA config is as follows:
ASA Version 8.2(5) <context>
hostname context2
names
!
interface GigabitEthernet0/0.2
nameif Inside0/0.2
[Code] ....
View 3 Replies
View Related
Apr 23, 2013
I am having an issue where I can't get to external network sources via my sub interface which is attached to a 192.168.10.X VLAN I created to for Guest wireless traffic. The internal interface is a 10.5.X.X network. I can get out the external interface, but anything that we have A records for such as our mobile iron server that we can hit from the outside via https and an external IP can't be hit from the subinterface at all. Would this be a DNS rewrite issue or inspection problem?
View 3 Replies
View Related
Jan 24, 2013
We have a 3560 switch running IOS universalk9-mz.150-1.SE3.bin.Recently, we saw two problems with this switch:-
1. if we try to enable subinterface on any routed interface , for eg. gig1/1, it says invalid input detected. It doesnt accept encapsulation command also. Following was done to enable subinterface:
int gig1/1
no ip address
int gig1/1.2000
ip address 1.1.1.1
under the gi1/1.2000 subinterface, it doesnt present the option of ip address.
2. we created a layer 2 vlan 2000 like: vlan 2000 When we do an exit after creating this vlan , it gives following error:-
%SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 2000: extended VLAN(s) not allowed in current VTP mode
View 6 Replies
View Related
Nov 3, 2011
I am trying to create host objects that I'll then add to network-object groups for use in ACL/ACEs.When I try to create a host I am having trouble adding the IP address.I then get an error saying the host name must start and end with letters or numbers and only contain letters or numbers. What do I need to do to create hosts from CLI?
View 2 Replies
View Related
Aug 2, 2011
Our company has recently upgraded our firewall from a Borderware Steelgate v7.1 platform to a Cisco ASA 5520 platform. Needless to say the interface on the Cisco platform is much more complex and I don't have much experience working with firewalls. Our other IT guy is out of town and this is the first time I have worked on this setup.
I need to create the following access rule
I need to open port 4**0 to be allowed through the firewall from external ip address 10.XXX.XX.XXX only. Then forward port 4**0 to 10.XX.XX.XX port 80 tcp
View 9 Replies
View Related
Feb 13, 2013
I'm having a problem with the memory and also trying to create some rules on the CISCO ASA. The version that I got installed was the 8.2.5.33 on a CISCO 5520 with 512 RAM, the memory usage is on 99% used, 1% free and because of that when I'm trying to create a new rule the firewall brings me the next error..So what I did was a downgrade to the version 8.2 (4) 4 and the memory went down a little (82% used, 18% free) but I still got the error when I'm creating an access rule on the device. One thing and I'm not sure if this could affect on the performance are the number of access list and the object groups that are created.
I already open a case with CISCO TAC and they are checking if the problem is with the memory capacity or maybe a memory leak.Also the doubt that I got is with the memory that I got now available should I can create access rules or 82 is still to hig to create a rule or and object group?
View 2 Replies
View Related
Mar 17, 2011
I´m trying to configure a subinterface named Inside with vlan 1 but the interface stops work with this vlan.My switch is a Cisco and use the lan with vlan 1 too.If I change de vlan for other i.e vlan13 works fine. And all others vlans works fine too.Is there a problem to use the vlan 1?
My configuration is:
Cisco ASA:
interface gig0/3
no ip address
no security
no nameif
Interface gig0/3.1
vlan 1
nameif Inside
Securirity-level 100
ip address 10.x.y.x 255.255.224.0
The giga port of the swtich is configure to trunk model.
View 2 Replies
View Related
Jul 11, 2012
I have a Cisco 5505 with a security plus license and but I can’t seem to create sub interfaces on it.
ASA1(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)4Device Manager Version 6.0(3)
Compiled on Wed 03-Feb-10 14:17 by buildersSystem image file is “disk0:/asa822-4-k8.bin”Config file at boot was “startup-config”
ASA1 up 1 day 18 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHzInternal ATA Compact Flash, 128MBBIOS Flash Firmware Hub @ 0xffe00000, 1024KB
[code]....
View 3 Replies
View Related
Oct 31, 2012
I have a circuit that will be delivered to a client next week and we are installing an ASA 5585x for them. They will have a circuit coming in with a few VLANs configured on it. One VLAN for the Internet and one for connectivity to another client.
So does the ASA allow you to create the "outside" interface on a subinterface?
View 2 Replies
View Related
Oct 23, 2011
On our ASA5520 we have three subinterfaces configured on our Gi0/1. Is it possible to configure a DHCP Server on one of these subinterfaces?
View 4 Replies
View Related
Jan 11, 2012
I'm running a IPSec VPN between a 5520 ASA and a 2811 router. The ASA has a static IP and the router has a DHCP interface.The VPN seems to work fine once I get done clearing old SAs, but each new IPSEC SA creates a new ISAKMP SA on the router? There are multiple subnets that need to create multiple IPSEC SAs. Eventually I can clear the older ISAKMP SAs and get all the traffic on one ISAKMP SA, but until I clear older SAs, new associations won't form. Why the router (initiator) would keep creating new ISAKMP SAs and not use an established one? Using PSK, aggressive mode and no PFS. ASA has another dynamic crypto map with lower priority than this one. Using FQDN for identity on the router. ASA version 8.2(5) and IOS is 12.4(20)T1.
Must be something I'm not understanding. The ASA says no established SA and drops the new SA attempt until I clear older ISAKMP SAs out of the router. Interesting, the first few IPSec SAs form when the tunnel initially comes up. I assume the initial requests are getting cached and work immediately after the first ISAKMP SA forms, but subsequent IPSec SA attempts will fail. Once all subnets are talking with 1 ISAKMP SA, rekeys don't cause any problems. Since the router subnets have to instantiate the new IPSec SAs, this is a real pain to go through anytime the WAN/VPN fails.
View 1 Replies
View Related
May 3, 2011
I have been working with ASA 5510,20,40,80 but not with 5505 this vlan and its interfaces are quite confusing.Just want to know how it works and its connectivity to Cisco Switch.Do i have to put the interface of the switch in the same vlan as i am creating the interface vlan in firewall ?Now the switch port connecting to this Eth1 interface should also be in the same vlan ? i.e vlan3 ?? or it will be in trunk ? The default configuration shows the eth0 with no access vlan and interface eth1 with access vlan 2... does it mean the eth0 is in vlan1 ? (Nativ Vlan ) ???
View 4 Replies
View Related
Mar 23, 2012
Ive migrated from my lab pix to a lab asa and am trying to open certain ports to my internal network.
in my confg on my pix i had acls to open port 51413 to an inside host along with the static nat rule.
what i am trying to accomplish is same on my asa, however the nat rules seem to be slightly different, and i'm not completely sure how to do it.
My ACL and nat rule is below. I'm pretty certain my acl is correct,but i am not sure as to what to do with my NAT rules to allow a translation for the tcp service.
access-list outside-in extended permit object tcp51413 any object outside nat (inside,outside) source dynamic all-inside-nat interface
View 3 Replies
View Related
Mar 7, 2012
Our external security department needs to scan, every three months, a computer behind the firewall. I need to create a simple NAT rule that will allow an ip address or subnet to the computers behind the ASA 5505. At the moment, we have a simple NAT rule which allow all network traffic to exit from inside to outside.
View 19 Replies
View Related
Jan 15, 2013
I have a little problem creating a network infrastucture with an "inside", "dmz" and an "outside" network on my ASA5512-x 8.6(1).
I have have clients and servers with the networks 10.0.1.0/24, 10.0.2.0/24 until 10.0.12.0/24 on my inside interface. Then I have two servers 10.0.254.50/24 for SMTP and 10.0.254.70/24 for HTTPS in my dmz network. The outside interface is one static IP to the Internet.
View 7 Replies
View Related
Mar 22, 2012
I have created a simple static ip address by using this command:
interface Vlan1
nameif inside
security-level 100
[Code].....
But, no matter what, the I can't ping the static address or access the computer 10.2.1.2 from outside of the asa 5505. I have attempted to ping from inside of the asa 5505 or from another computer. I just does not work.
I also have created several rules that allows icmp traffic.
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit any outside
View 1 Replies
View Related
Jul 20, 2011
I have an ASA5510 where I have defined object-groups and then associated them with a specific ACL. Our ISP is pulling their point of presence from where I live and I am force to move to a new ISP. I am in the process of setting up another interface for the ASA5510 to connect to the new ISP.
My questions is can I create a new ACL lets call it new_access_in and use it with the same object groups that I have already defined? I know that I can only have one ACL bound to an interface, and will bind this new ACL to the new interface I am setting up, but I wasn't sure if I could use the same object groups and connect them to a different ACL. I really don't want to have to create new object groups if I don't have to.
View 2 Replies
View Related
Jan 13, 2009
What is the command for creating a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?
View 8 Replies
View Related
Oct 27, 2011
Currently we have two inter-chassis FWSM redundancy. I would like to configure them for intra-chassis.
Both FWSM's are in slot 7 of 6509 switches and i want to take secondary out from one of the 6509 switch and insert in the slot 3 of primary switch.
I addedd the following commands in my primary switch.
There were commands already present for FWSM in primary switch
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
firewall vlan-group 1 2,3,777
to create intra-chassis redundancy i addedd the following command also there.
firewall module 3 vlan-group 1
after adding that, my firewalls worked fine but there was a issue with site loading. People from outside were able to access inside but from inside, we were not able to go outside.
do we need to clear arp from both FWSM's ? is there any other precautionary step, which we need to follow while working on it.
View 1 Replies
View Related
Nov 2, 2012
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
View 1 Replies
View Related
Apr 19, 2012
I have a 7200 router with a 12.2.(46a) IOS and I am trying to activate Netflow on a subinterface. From the documentation of Cisco, I should be able to do it since the ios 12.2.(14)S but the command is unavailable.
[URL]
I have tried also to enter the command in the subinterface directly but it doesn't recognize it.
View 2 Replies
View Related
Feb 7, 2013
I have an 861 that we are using for a test network and need to add static igmp addresses for multicast. We are using the router as a router on a stick with subinterfaces on the WAN link. I've looked everywhere to see how to add the static igmp addresses.
interface FastEthernet4
no ip address
no ip route-cache cef
[Code]....
View 0 Replies
View Related
Oct 10, 2011
I am currently working on a 1941w router. The problem that I am having is that I am unable to ping the switch that is directly connected to it and I am unable to ping from the switch to the router. If I take the address off of vlan 1 and move it to gi0/0.1 the pings work, but then client traffic on the wireless ap inside the 1941w fails.
Here is the releveant config off of the 1941w
version 15.0
no service pad
service timestamps debug datetime msec localtime show-timezone
[Code].....
View 3 Replies
View Related
Nov 19, 2012
Currently I want to add a second lan (vlan) in a customers network. The new network will be for a wireless infrastructure.There is also VPN Configured on the ASA - One with L2TP for Windows Clients and an IPsec for Cisco Clients.Former we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.Now I want to use the Eth0/2 with subinterfaces, so that we will be flexible for future, when deploying more vlans.But now, when i turn the first subinterface Eth0/2.2 to no-shut the VPN Connections does not work any more.Bulding up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this, because tracert to an internal adress goes to the internet)Below there is my config, i don't know whats wrong. I think split-tunnel is configured correctly (because it works when i delete eth0/2.2) TREV is the network of this location.Company1,2,3 are remote locations.
: Saved
:
ASA Version 8.2(5)
!
hostname XXXXXXX
domain-name domain.lan
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
[code]....
View 3 Replies
View Related
Nov 5, 2012
We have an environment where we terminate our DSL customers over PPPoE on a 7606-S MPLS PE router with RSP720. The PPPoE sessions are terminated on a GIG V2 interface of a SIP-400. Currently the IOS running on the device is c7600rsp72043_rp-ADVIPSERVICESK9-M, Version 12.2(33)SRD. The following is the current configuration used.
bba-group pppoe 7virtual-template 7
interface GigabitEthernet2/1/3.142647 accessencapsulation dot1Q 14 second-dot1q 2647pppoe enable group 7
interface Virtual-Template7 ip vrf forwarding TESTip address 10.10.10.1 255.255.255.252
In the above scenario everything works well.
However we had to upgrade the router IOS to 15.2(4)S Advance IPServicesk9 to support 4-byte ASN. After the upgrading we observed certain commands used to terminate PPPoE on the sub-interfaces not available on 15.2(4)S , although PPPoE on Gig and Ethernet with QinQ support is listed under 15.2S feature set.
View 1 Replies
View Related
Feb 26, 2013
I am suggesting an ASR1001 as a head end router for a small hub spoke WAN consisting of 4 branch sites connecting to the head via LES. 3 are 100mb, one is 30 mb. I will be connecting the LES circuits to a swithc and then trunking to the router. I would like to apply outbound shaping to these 4 subinterfaces on the router, and just want to check this is supported?
View 1 Replies
View Related
Jun 28, 2011
We have 2.5 Mbps connection from an ISP at our branch routers (1800 series)with single physical link terminated on FE0 but have two subinterfaces with separate subnets.
I have applied the following policy-map outbount under physical Interface FastEthernet 0. Show poliocymap output is as follows
Policy Map QoS-OUT
Class Email
priority 512 (kbps)
Class SQL
priority 512 (kbps)
Class File-Copy
police cir 1024000 bc 32000
conform-action transmit
exceed-action drop
Class CCTV
police cir 384000 bc 12000
conform-action transmit
exceed-action drop
But it seems that sometimes( not all the time ) the CCTV traffic seems to exceed the 384k and chokes the entire link(2.5 mbps).
View 4 Replies
View Related
Sep 8, 2012
I need to configure a subinterface eg g0/0.1 and g0/0.2 with a untagged VLAN for each subinterface on a Cisco 2821.
View 5 Replies
View Related
Dec 7, 2011
I need very Urgent Time based Bandwidth limit on subinterface in Cisco 3845 Router.At Present 3Mb input/output rate-limit of our one of the client now they need between 9:00 to 20:59 3 Mb and between 21:00 to 8:59 they need 9 Mb bandwidth, please see current b/w limit config of our client in my router subinterface.
interface GigabitEthernet0/1.12
description *** xyz ***
encapsulation dot1Q 12
ip address 10.11.12.13 255.255.255.248
rate-limit input 3072000 576000 1152000 conform-action transmit exceed-action drop
rate-limit output 3072000 576000 1152000 conform-action transmit exceed-action drop
Now how can i achive of my requrement to time based b/w limit.
View 5 Replies
View Related
Feb 27, 2013
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
View 5 Replies
View Related
May 5, 2013
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies
View Related
Jul 26, 2012
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
View 17 Replies
View Related
