we operate an active/passive cluster with 2 ASA5510 in Routed Mode. Is it possible to add another node, so that we have one active and two standby nodes in the cluster? Unfortunately, I have found no documentation on this .... The data sheet say only up to 10 nodes can be mentioned as a VPN load balancing cluster.
View 1 RepliesI want to implement Active/Standby cluster with a pair of 5550 ASAs and I have a licensing question. Here is the "sh activation-key detail" output from both devices...
ASA1:
sh activation-key detail:
Serial Number: XXXXX
No active temporary key.
Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX
[code]....
This platform has an ASA 5550 VPN Premium license.The flash activation key is the SAME as the running key.So it looks obvious that I'll have to upgrade the first ASA to support 25 SSL VPN Peers in order to build HA cluster, right?Now I want to know do I need the "ASA5505-SSL25-K9" license or something else.
I have an ASA5510-BUN-K9 in this version:
###
Cisco Adaptive Security Appliance Software Version 8.0(3)6
Device Manager Version 6.0(2)
Compiled on Thu 17-Jan-08 17:42 by builders
System image file is "disk0:/asa803-6-k8.bin"
Hardware: ASA5510, 202 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
###
The question is what i need to add the CSC10 SSM with content filtering and url filtering to this version of ASA? Do I need more ram? Do I need more flash? Is this version compatible with the CSCSSM hardware? What licenses i need for 100 users?
what is active/passive port-channel..? and how it will do load balancing when my network traffic is flowing on both the ports.
View 5 Replies View RelatedUsers cannot download some files from a FTP in a software over VPN Explanation users work with a program and inside the program they download claim (the software goes to the FTP and download the file)
But the program returns an error 3018 in FTPGET. If the user goes to the old PPTP VPN it works like a charm so the problem is the Cisco VPN.
I cannot post my complete config but we use the filter vpn value to associate a special access-list to a user.
The user that has this problem has this as an access-list.
access-list 201 extended ip permit 10.250.128.0 255.255.255.0 192.168.202.0 255.255.255.0
I've made some research and i've added this info
policy-map global_policy
class inspection_default
Inspection ftp
Still doesn't work.
I have to add that normally the internal network is 2.0 and not 202.0 but since we have user with 2.0 at home we had to do this.
So when a user sends a request to 202. the cisco fowards it to the Juniper inside the network and it translate it back to 2.0 Also that is the ONLY thing that doesn't work. The client can work all day on that program and it will work #1 exept when she does the claims
I am also been working on this VPN for 2-3 months without any problems.
Currently we are using a single connection to our ISP and in the coming months will be moving to a two seperate connections (to same ISP). In our current setup we utilize active/passive ASA's (5520, single context) and would like to utilize that going forward as well, the reason being is our DMZ's all hang off of these ASA's and we have fiber connectivity between our datacenters.Our main datacenter and DR Datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently with both terminating in our ASA's. That way if the ASA at our current site fails the DMZ's are still accessible via the secondary firewall at our DR facility.
View 1 Replies View RelatedWe have an ACE 4710 that has two web servers in an active/passive scenario. The issue is that if node 1 fails and node 2 takes over connections to node 2 stay active even if node 1 becomes available again. Is there are way to ensure that node one is not placed back into service if it becomes available again.
how active/passive failover shoudl be configured, so I can make sure I have it set up correctly;
i have a problem with a Failover Pair of 5510. The Boxes run with the software version 8.2.5.
If the Active ASA goes down, the Standby ASA switch to Active.
If i switch on the old Active ASA, both ASA are Active. This problem don't solved with the command 'no failover active' on the Standby box. This problem only solved with the command 'no failover' and then 'failover' on the Standby box.
The following diagram is showing what I "Plan" on doing or "Hope" I can do. This is the most complicated deployment I have taken on in my profession, and Honestly it is very exciting, but had some questions.
1. The network between the ASA's and Routers, is that suppose to be a Private network or Public Network? I have to assume Public because I want my ASA's to take care of the NAT.
2. ASA's are runing single context Active/Standby so what way will the ASA push out going traffic?
3. The routers need to know about each other in a BGP configuration, correct? We accomplish this using iBGP so will that traffic need to be allowed through my firewall to allow the routers to share that information, or should these routers be talking to each other outside the firewalls?
Is this design possible? I am sure there are limitations as always, just trying to wrap my head around the flow of traffic and where to start.
Additional Details/Requirements -
BGP routers are 2921's that I have control of. Both routers have 4 port GigEtherswitches in them.
ASA's are Active/Passive and cannot be Active/Active due the limitations of the Active/Active Design (VPN limitations)
Both ISP's must be used for outbound traffic, I would like to be able to load balance, but can send some traffic one way and the rest of the traffic the other way based on Routes.
ISP's are not Symentrical, one is 50mbps and the other is 250mbps.
All NAT should take place at the ASA's
Additional Questions:
The routers that have gig etherswitches, can they run HSRP?
Should I be putting Layer 3 switches between the routers and the ASA's instead?
Where should I run my iBGP communication for the routers?
I am purchasing 2 5512x ASAs to be configured as an Active/Passive pair as a VPN device. Do I need to purchase anyconnect licenses for both devices?
View 2 Replies View RelatedI have the following Setup, Two Cisco ASA 5520 needed to be configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?
View 1 Replies View RelatedCurrently l have two ASA 5520's in a active/passive failover scenario. Currently the interfaces for the inside and outside are fixed at 100/FULL.I want to repatch them into GigE ports setup as Auto Negotiate.Is there anyway of keeping the connections through the firewall active in this type of scenrio or will l have downtime disconnecting and repatching? or could l possibly disable failover and reconfigure each ?
View 6 Replies View RelatedI have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
View 1 Replies View RelatedI have a active-active setup with 2 cisco asa 5585x running 8.4 - the boxes ahve each 2 sec context's build-in - which gives 4 sec context in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5) which I haven't applied yet - will this give me a total of 10 or 14 security contextes? I am a bit in doubt because if I only get 10 sec contextes in this cluster then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this - hereby I would get 12 then.
View 1 Replies View RelatedI know that when you create a user account in active directory, the user's computer is also added to active directory. However, in what circumstance would you add a computer to active directory in which there are no user accounts created, or used ?For instance, my Linksys wrt54g router, on the main configuration tab has a space to name the router, which is appropriate called, "Linksys", and it has space to enter it's domain name, which if I named it, I guess it would be. LinksysRouter.**.local.Why add a router to an active directory domain ?Why add any other computer to an active directory domain with no users associated with it ?
View 11 Replies View RelatedI've got a fully working active directory with mandatory profiles. I'm looking into adding MS Office 2007. I have the disk and everything, but I'm wondering how to go about installing it. Must I go around each workstation installing it?
View 1 Replies View RelatedI am adding a failover asa to an a firewall that is already in production. They are both 5510's, they both have the same abount of ram, have the same code versions. Will there be any downtime while adding the secondary in?
View 2 Replies View RelatedMy web server is out of public IPs. I requested more from my ISP and I got a different range with a different gateway. How do I handle the configuration on my Cisco ASA? Without any configuration changes to the firewall I saw the traffic hitting it and being blocked. I added an access rule to allow the traffic. I added a virtual interface on the ASA. I added a virtual interface on the web server. Using "Packet Tracer" the traffic flows from the outside interface to the new virtual interface. But I'm unable to access my web server and I don't see any traffic on that IP reaching the web server.Using Cisco ASA 5510.
View 8 Replies View Relatedwe're currently evaluating how we can attach our web based business application to the AD Agent in order to perform Single Sign-On against it. Our users are connecting via VPN to an ASA 5510 which is configured to use our Active Directory for authentication. After access granted the users may access a web server with our business application and should be automatically logged-in there without having to re-type their credentials.
View 0 Replies View RelatedI have just finished setting up two ASA5510s in Active/Standby Staeful failover, using the Management interface for both failover and state. Everything appears to be working well.Configurations were transferred and the "sh failover" on both accurately reports their status before and after a failing the active device.I monitored the inside IP with a continuous ping (using a Windows client) and noticed that there were usually two to three ping responses lost. Is this normal?
View 1 Replies View RelatedI am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
View 3 Replies View RelatedI have two ASA5510 configured in an active/standby failover configuration. Everything is working well, but I would like to remove DMZ2 as it is no longer needed. On my DMZ2 interface, I have removed the security level and the IP address and shutdown the interface. However, when I do a "show failover" DMZ2 is still showing up. I would like to remove it completely so that failover isn't even "monitoring" this interface. What command am I missing or what do I need to do to completely remove this interface from this "show failover" listing? [code]
View 7 Replies View RelatedI have a Cisco ASA5510 firewall that has SSL Web VPN functionality and is utilizing AD Server as Authentication server for users.However, we have a policy to change password at certain point of time. Users in the office have no problem. They just login their PC and change password. Users outside of office is a pain when their password is expired. Is it posible for them to change their AD password thru VPN using Cisco Anyconnect?
View 2 Replies View RelatedI have a Cisco ASA5510 firewall that has SSL Web VPN functionality and is utilizing AD Server as Authentication server for users. However, we have a policy to change password at certain point of time. Users in the office have no problem. They just login their PC and change password. Users outside of office is a pain when their password is expired. Is it posible for them to change their AD password thru VPN using Cisco Anyconnect? If yes, can you show me how?
View 1 Replies View RelatedI am a single ASA-5510 with CSC module.I want to pair it for active/standby mode for failover .... can it be done if second ASA doesn't have the module? Can I assume the in case of a failover, the traffic won't be checked, and primary does in case CSC module fails?
View 2 Replies View RelatedI have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
View 6 Replies View Related I need to upgrade a pair (active/standby) of ASA from 8.2.5 to 8.4.3 ... I have a script created to modify all NAT rules I need, and I have tested it in lab, and I think I'm good with it. Now, I want to figure out if there's a way to do this without an outage. Previously, when configuration were compatible between version, there was no problem. You could usually force secondary unit to be active, upgrade primary (rebooting), making primary the active again, and do the upgrade on secondary ... no outage at all
Now, as new software doesn't support old configuration, if I follow that process, as soon as I bring primary up with new software, it will try to get the configuration from the active one, which won't work ... Is there another option than having a short outage (turn off secondary acting as active, while primary is coming back with new software and configuration already changed?)
we had such kind of issue: while installing 2 SSM-4GE modules to 2 ASA 5540 (Active/Standby) the firewall is splitted. That's my step:
1) Turn off standby ASA and plug SSM-4GE module
2) Power it On After it was booted up failover relationships were broked and previously stabdby became Active appliance.
3) Turn off active ASA and plug SSM-4GE module
4) Power it On
After the it was booted up failover comes up and previously Active (on step 2) appliance became Standby. Everything is up and running now, but the issue was on step 2, I suppose becouse of distinct in hardware (when one ASA was on SSM reachest than another one). Still have no ideas why so happens and is there any way to plug SSM modules int ASA active/standby cluster without downtime.
I would like to know if it is possible to add a second router to my home network.
My son wants to use his Nintendo DS online but the device does not have WEP capability, it can only deal with the less secure WPA option.
I am not willing to drop my preferred WEP just to facilitate one device, but I do have a spare router and I am wondering if it were possible to hook the second router up and allow him to connect using WPA?
We recently upgraded a ASA 5505 with the security plus license to allow us to add a second subnet, but are having a few problems configuring the second subnet. The original subnet we have configured 10.1.1.0 is able to access the internet without any problems. However the new subnet 10.1.5.0 is unable to access the internet and when we ran a trace packet the nat config nat (inside) 1 0.0.0.0 0.0.0.0 is showing as the rule that drops the packet.
Additionally we have not been able to get the 2 subnets to talk to each other even though same-security-traffic permit inter-interface is configured. How to configure the subnet 10.1.5.0 to access the internet or to get the subnets to communicate. Below is a streamlined version of our current config.
!interface Vlan1nameif insidesecurity-level 100ip address 10.1.1.1 255.255.255.0 ospf cost 10!interface Vlan2nameif outsidesecurity-level 0ip address 66.66.66.66 255.255.255.240 ospf cost 10!interface Vlan13nameif corporatesecurity-level 100ip
[Code].....
We are planning to upgrade the ASA license in an A/S pair by adding the ASA5500-SC-20= license. The ASA is 5545 and runs 8.6. According to documentation, after 8.3 version, the ASAs can share a license features and do not require the same license on both boxes. I run a test in GNS3 with 8.4(2) images and I saw that by adding the 'activation-key' command only on the primary unit did the job as the 'show activation-key' output shows. In order to be 100% sure would like to verify the following:
Putting the activation-key only on the primary unit is enough and there is no need to do anything elseIn case the primary unit is standby, again we have to put the actication-key command on the primary unit (I am asking this because the 'activation-key' command is not listed under the commands that are not replicated to the other unitk, but doesn't make sense to be replicated since the activation-key is 'tied' with the S/N of the device).
i need to know if i can integrate Single Sign On to my Cisco VPN Client v.5 with my Active Directory which run on windows 2008
View 2 Replies View RelatedI have an existing wireless working network with WIN 7 - 2 laptops, two desktop PC's. Can I add a security code/password without setting up a new network?
View 1 Replies View Related