Cisco Infrastructure :: Configure MAC Address On ASA 5520 Interface?
Aug 31, 2006I want to configure a MAC address on my asa 5520 interface.I ask you if exist a private MAC address range?
View 5 RepliesI want to configure a MAC address on my asa 5520 interface.I ask you if exist a private MAC address range?
View 5 RepliesWe already have a subnet defined to inside interface and is in produciton. the default gateway is this interface ip. In that setup now I have to add one more subnet and as the first subnet is been defined in ASA indside interface, I have to assign secondary Ip to the inside interface so that new subnet users can easily reach here and go outside.
View 1 Replies View RelatedI have a asa 5520 with an outside and backup interface. I am trying to configure two static nat statements from the inside to the outside and backup interface. Here is what I have configured so far.
object network obj-10.1.1.254
host 10.1.1.254
object network obj-10.1.1.254
nat (inside,outside) static 172.25.10.3
I want to also use nat (inside,backup) static 172.25.10.3
I'm working with AnyConnect for the first time (my prior experience is with IPSec client) and I have multiple remote users who connect to a 5520 via AnyConnect client; they need to print to each others' shared printers but currently have no connectivity between each other.
Can I configure the 'intra-interface' command to enable connectivity between remote clients, or is there more that needs to be done to enable this, presuming that it can be done at all?
I am going to be updating the IOS on our Cisco ASA 5520 from verion 7.0(8) to 8.2(5). I am also going to setup AnyConnect. Are there any major changes in the 2 IOS versions that I need to be aware of or will the config work in either version? Also, we are currently using the Cisco VPN Client to connect to our network. Will that still work after the upgrade?
View 3 Replies View RelatedDevice config is shown as follows in application doing the discovery. Cisco ASA 5520. [code] Is there any new updated agent available for Cisco ASA 5520 that contains the oid ".1.3.6.1.4.1.9.9.109.1.1.1.1.8 "
View 4 Replies View RelatedI have three routers 811 (independent), and the interface cellular 0 resets in all three.
View 3 Replies View RelatedThere is a remote server that downloads info from a server here at HQ. When the dowloads start the rxload on the S0/0/0 interface jumps to 98 percent or so; rxload 250/255. I needed to limit the bandwidth utilization between the servers, so I added the below line to the LAN interface on the remote router.By adding the command, it reduced the download utilization -which is what I wanted.
access-list 185 permit ip host 10.6.27.1 any
!
int f0/0
traffic-shape group 185 10000 8000 8000 1000
Question:How would applying this to the LAN interface cause the download utilization (Coming from s0/0/0) to decrease?
We recently upgraded our bandwidth and I have to change the ip address on our ASA 5510. I just want to make sure that I am doing it right. All I will need to do is open up the ASDM and under confiugration go to interfaces and make the needed changes to the outside interface. Then under routing I will make the gateway IP change on the outside interface.
View 4 Replies View Relatedyesterday I tried to connect to our ASA 5520 using ASDM Launcher, which has alwasy worked before. For some reason ASDM Launcher is no longer working from both my Win XP desktop and Win XP laptop. I can open ASDM through the browser but not the launcher. Both desktop and laptop have Java 7 U 6. I'm not sure if I can back rev my Java.
View 4 Replies View RelatedWe bought Cisco Prime Infrastructure 1.2 appliance. The application seems to be pre-installed. I have gone through setup process. But I cannot connect/open web interface [URL].
View 10 Replies View RelatedWe have a Cisco 3825 router which does not work well with a DSL modem(ISP provided). I have configured the Gi0/0 port of the router to plug into this DSL modem but it does not ping to the ISP gateway. If we do a shut/no shut on the interface then it work fine for about 30 secs. Sometimes even for 1 hr. Then the packets drop and we cannot pass any traffic through this interface.Now, if the ISP connection is terminated on a computer it works fine. It works fine without dropping any packet. I have tried various options like using a straight/cross cable. I have tried to configure the interface negotiation for 100/full, 100/half, auto/auto and almost all the options. I have also tried to interconnect the devices using a L2 device like a HUB. Nothing works.
View 7 Replies View RelatedI bought a CCNA lab for doing practice.The lab kit is made of some 2600XM routers.These routers have only one "fast ethernet port 0/0".I don't understand how I can configure these routers whith: Static Routing, Defoulte Route etc etc if I have only one "fast ethernet port 0/0" and I don't have the "0/1 port" too.
View 5 Replies View RelatedSuppose a broadcasted IP packet reaches one of the integrated RJ-45 ports on a 2911 ISR G2, will it be possible to configure the router so that the other integrated RJ-45 ports, ESM/EHWIC modules installed on the router, as well as the MGF also recieve the packet? Technically, the router should act similar to a switch with the SRE behaving similar to a seperate machine connected via the MGF and other external machine connected to the ports of the router to recieve the broadcasted packet.
Also, if SNMP traps were generated from the router,Will it be possible to send the traps from the router via the MGF to the SRE installed on the router?
I've setup the WDS and Infrastructure AP according to Document ID: 68098
1. The Infrastructure AP is registered and active in WDS AP.However, any client device such as NB or PDA cannot obtain IP address.In WDS AP the client device is shown as authenticating all the time. What I missed? Or there is somethig else need to be set?
2.Can I configure the WDS AP alslo as Infrastructure AP?I mean, to be WDS and Infrastructure at the same time, broadcasting the SSID etc.?
I am troubleshooting interface resets on a 3660 connected to a 3550 over Fast Ethernet. I have hard coded both sides for full duplex and 100Mbit. The 3660 is incrementing interface resetes about 4-6 times a day and the 3550 is clean. I have noticed this in other similar configurations as well.
View 4 Replies View RelatedWe have several branch offices that only have a Cisco ASA 5505 connecting clients to the Internet, our main office and other networks. Some of the branch offices uses Site-to-Site VPN to connect to our main Office, other uses a VPN-service delivered by our ISP.
The networking is working fine, but we are having problems with figuring out how to handle dns lookups. I see that the ASA DNS Client can use conditional DNS forwarding, but it cannot act as a DNS server for our clients on the inside network.
We want to do the following:
- Default dns quires should use the DNS servers for the site's local ISP (some sites also uses dual ISP, so we are using DNS1 and DNS2)
- The domain name: company.local should use our main office DNS server (acces by Site-to-Site VPN or our ISP's VPN)
- The domain name: sitea.company.local should use our SiteA DNS server (acces by Site-to-Site VPN or our ISP's VPN)
etc...
We have solved the issue by using Windows DNS server's conditional forwarding for the branch offices that has a local Windows 2008 domain controller.
our branch office's that only have a Cisco ASA 5505 Security Applience?
I need to configure on a cisco catalyst 6509 two VACL. On cisco 6509 there are already two SPAN ports configured, there are problems configuring other two VACL?
These VACLs send traffic to a Traffic Analyzer (SIEM), there are particular configurations to facilitate the operation?
I have recently had to rebuild the cookie information for a cisco 877 series router due to it being erased by an electrical surge.
I've successfully got it running again by copying the cookies from an identical router (obviously changing the serial numbers and so forth so it passes its verification checks).
The last piece of information I need is the Chassis MAC Address. I don't want to use the one from another router since there will probably be conflicts.
I tried following this Field Note, even though it isn't specifically for my model and it didn't work.
[URL]
how I can get the mac address from the system somehow?
I'm trying to do configuration archiving in Prime Infrastructure 1.2 with a 5508 WLC (7.4).The job always fails (Admin -> Background Jobs) with the following error (see attachement):"SNMP: Failed to establish SNMP connection xxxx - Cause: Device is Unreachable. Check the ReadOnly community string." I double checked the SNMP credentials, they do match. For testing I also added a Public community just for the PI. Same result.Am I missing something?Is this not intended for Wireless Controllers?
View 5 Replies View RelatedI had the 2 circuits go down at the same time from our ISP and I had to power cycle the router and when it came back up I went from VA # 2 to now VA 3#....I know what is what but it is confusing for my counterpart and I can not remove the old entry for VA#1 and VA#2. [code]
View 3 Replies View Relatedwe just replace 6500 with N7K, after migration there're some device (server,pc,printer) change its ip address configuration (subnet and gateway) by it self. can N7K did it?
View 6 Replies View RelatedOne of our Cat5513 has been displaying a lot of the error message below:
%SYS-4-P2_WARN: 8/Invalid traffic from multicast source address 01:00:5a:52:4c:4d on port 8/58
The frequency of this is quite disturbing. What this error is about? Module no.8 is our Gigabit Ethernet WS-X5410. Can that multicast address be mapped to an IP address or unicast mac-addresS? How can i go about resolving this?
I have a 5520 VPN that is otherwise correctly configured for access (so I would say). It is in test (external IP x.x.x.10/22) running parallel on an external switch to a Check Point (x.x.x.4/22) that is the live setup.
I can tunnel consistently to the outside interface on its external IP from inside the network, which is probably natural since I'm inside the network making the attempt; however...
When attempting connection from somewhere outside the network, I generally do not get response from the device. If I connect/disconnect from the Check Point VPN first, then I can subsequently get a connection to the ASA. I did actually have one instance of non-massaged connectivity to the ASA, but there was nothing that I did in the configs that would allow me to claim credit for that instance.
So here's the question: Is there a timeout setting that makes the outside interface go to sleep or something? I'm still at the developmental stage where settings that would be obvious trip me up for hours. I verified the routes. the timeout configs are below; I believe they are all default..
arp timeout 14400
!
timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00
We have a block of addresses assigned to us by our ISP. We need to assign one of these addresses to a vendor we use for traffic to one of their internal devices. Lets say the address we gave them out of that block of addresses is 1.2.3.4
How do I add that address to the outside interface so that when traffic s sent to it that the traffic actually gets to the ASA as right now when we send traffic to that address it doean't make it to the ASA.
I cannot seem to ping from the outside of my 5520 firewall to an inside network. I have a single physical outside interface connected to a Layer 2 switch, with a laptop connected to it. This is on network 10.11.131.0/28. From there, I cannot ping to the inside interface (which is a sub interface on G0/0) with network 10.11.130.0/24/ For some reason, it doesnt work.
Now. I had access-lists in place, but have removed them for testing and it still doesnt work. I have set the security level of inside and outside to 100, and entered the same-security-traffic permit inter-interface command - still no joy. Below is the relevant configuration.
Inside Interface
interface GigabitEthernet0/0.96
description L3 Interface - Informational Zone
vlan 96
[Code].....
Recently our network experience a Internal DoS attack. One internal server ( the network/security team doesnt have any access to the adninistration of these server) starts to send a lot of DNS bogus request to some DNS servers on the Internet. With sh conn detail we saw the IP of these server and blocked it with an ACL in the Internal ASA 5520 interface. After that, the server team disconnect the server, and made their job cleaning these infected device. Everything goes normal again....
Today, the same server starts again with the same problem. But a lot worst thant the first time. The ASA starts to drops packets in the internal interface, the overruns was increasing dramatically ( like 10000 per second), the asp-drop table shows the same amount of traffic than interface overruns in the ACL-Drop line , and the CNT blocks for 16xxx with sh blocks was in zero. The sh acess-list INSIDE shows near 9 million hints in the line that deny the DNS request from the server to the Internet. Again, we disconnect the server and the problem was solved by the server team.
It seems that our ASA cant handle in their internal interface the amount of traffic that these server send outbound. IS there anyway to raise the blocks in the firewall? What is the best way to deny the servers connections ( ACL, or MPF or threat detection maybe), and avoid the ASA interface overruns even when the server sends these large amount of request.
We currently have a setup where users connect to the inside of a firewall using the ipsec client. We are moving them to the anyconnect client but are unable to get it to work, we cannot even get a webvpn page on the inside.
When trying to connect with anyconnect the ASA reports an IKE initiator fail on the inside. and no tcp connection flag. We cannot get any response with Webvpn either I have tried using a different tcp port on webvpn but then the asa denies the traffic even though there are no rules denying.
i have a Problem with SNMP on the ASA Outside Interface. I want to monitor the Interface via SNMP (linkup, link down). I have a Active/Passive Cluster running on 8.4.2 and configured SNMP (v1) for Test on the Outside Interface. It's not that hard but when i try to test my Configuration with (peerless) SNMP Tester the Interface doesn't respond. Did i forget to configure something? Searched the forum but didn't find anything useful.
View 4 Replies View RelatedI have attached setup like this :- This is the same scenarios as ASA with Dual WAN setup. But my requirement is different. I have added in ASA and configure sla is asa, all working fine. When one link goes down traffic pass through backup route. my sal config is below:-
sla monitor 100 type echo protocol ipIcmpEcho 10.5.5.120 interface Link1
num-packets 3 frequency 10
sla monitor schedule 100 life forever start-time now
show runn routes are :-
route Link1 10.5.5.0 255.255.255.0 10.4.4.5 1 track 10
route Link2 10.5.5.0 255.255.255.0 10.6.6.5 254
Is there any way that i can implement track on 2nd link to destination? because may be after Link1 failure when backup route was it would be able pass traffic to destination, may be link failure between Link router and Destination. Can i monitor backup link if that is active and traffic can pass to destination when 1st Link1 will fail.
We have Cisco ASA 5520 firewall. ASA Version - 8.0(4). ASDM Version - 6.1(3). Firewall Mode - Routed.
We want to configure QoS for some subnets and enable policing such that they cannot use more than 1mb of bandwidth. I think we cannot create more than 1 policy for it. In that case i created a policy with QoS enabled and configured the Input and Output policing with Commited Rate of 1024000 bits/second. But it does not seem to work.
how can i create such policy in the ASA to limit certain subnets to 1mb bandwidth ?
i'm trying to configure an ASA with two ISP to be reached from internet for vpn access, the objective is that the user can use any of the Public address attached to ASA to connect to the company. Is this possible? i'm facing some problems because i can not use two different default routes (same AD) pointing to two different interfaces, this is the message that i receive "ERROR: Cannot add route entry, possible conflict with existing routes" and when i change the AD of one of the default routes i just can reach one ISP.
View 1 Replies View RelatedOn a Cisco ASA 5520. I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other but I DON'T want to blanket enable 'same-security-traffic permit inter-interface" I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic and it simply doesn't work.
interface GigabitEthernet0/3.175
vlan 175
nameif Test175
security-level 30
ip address 172.30.175.1 255.255.255.0
[code]....