Cisco Switching/Routing :: How To Use DNS On ASA5505
Sep 25, 2012
I have an internal server that is running DNS. I have that server configured to foward out to OpenDNS. I am using OpenDNS to do web filtering for my internal network. It looks as if the relay is not working in the router and that it is not fowarding those dns requests from my internal DNS server and out to openDNS. I have went back and added the name-server option for 208.67.220.220 and 208.67.222.222 (OpenDNS), but that has not fixed my problem.
Here's my running config:
eep-asa(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname eep-asa
domain-name expertep.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
View 7 Replies
ADVERTISEMENT
Mar 17, 2012
i have the asa5505. the configuration of asa 5505 is:
: Saved
Code...
i analyzed this traffic i see problem with the nat- Asymmetric NAT rules matched for forward and reverse flows. where i made error?
View 0 Replies
View Related
Jul 3, 2012
An ASA 5505. Device boots to rommon #0> and stays there. The complete boot record follows:
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
High Memory: 507 MB
[Code]....
View 15 Replies
View Related
Jun 12, 2012
My first time programming a Cisco ASA - Anyways I''m trying to setup up Ethernet 0/6 to be a DMZ Connection When I add port 0/6 to DMZ it gives me an error saying "The IP Address X.X.X.X /Subnet Mask cannot overlap the subnet of interface outside"So my question is I have an outside connection already configured - How can I make a DMZ connection with the same subnet mask with a different IP?
View 1 Replies
View Related
Dec 26, 2011
How can i create an top 10 list of the most popular website that users connect to through the ASA Firewall.
i have enabled HTTP inspect, and setup an Syslog server (S plunk), that collects all HTTP entries in the log, but i don't know how, to create an top list in s plunk.(don't if it is possible)
is there a better way to do this ? e.g. URL filter with web scene or IPS
View 1 Replies
View Related
Mar 20, 2013
I have an internal DVR system that I am trying to share to the outside world. We recently put in an ASA5505 and I am having trouble getting the settings correct.I want to use an external IP to access the DVR system from anywhere and have my ASA5505 redirect the traffic to the internal IP address. I assume I need to use a NAT and a route policy however can not figure out how it would be.
View 11 Replies
View Related
Feb 2, 2012
I'm having an issue routing between vlans. I have vlan 1, and 2. I want to ping something on vlan 2, from vlan 1. I cannot ping from a computer on vlan 1 to a computer on vlan 2. I can ping each computer from the ASA 5505. I get an error on the ASA when I try to ping from the computers. The error is Failed to locate egress interface for UDP from voice:192.168.0.199/137 to 192.168.1.200/137. I can't understand why it even mentions IP 192.168. 1.200/ 137... I reset the unit configuring it from scratch and still no go. I have no given a static route to the out yet.. I need to get inter-vlan routing working first. [code]
View 13 Replies
View Related
Sep 1, 2012
We are finding the price for ASA 5505 to high and our clients are having problem securing budgets for these devices. We don't want to move to different vendors and we have a team of people we already know Cisco well.I have seen Cisco router 877 which have the ipadvance ios, is this the same as the ASA5505.We would like to offer our clients an alternative to ASA5505, but something which can do the same as a edge device but also protect the client from malicious attacks and has CLI.
View 1 Replies
View Related
May 23, 2012
I'm building the below network configuration:
WAN -------- ASA5505 ------<802.1q trunk>----- L3 switch -----<802.1q trunk>----- L2 switch w/ VLAN support
The following VLANs exist on the ASA and both switches: VLAN 10 (10.10.10.0/24), VLAN 11 (10.10.11.0/24), and VLAN 99 (10.10.99.0/24).
The ASA5505 performs the following functions: routing to/from the WAN, firewall, NAT, and DHCP for each VLAN. It has an interface on each VLAN (10.10.x.2) for a DHCP server.
The L3 switch provides inter-VLAN routing and layer 2 switching. The L2 switch provides layer 2 switching, with VLAN support.
What should the default gateway on the L3 switch be? Should I set the IP of the physical interface connected the L3 switch to the ASA5505.
View 8 Replies
View Related
May 20, 2012
I'm trying to configure an 1142N AP + 2960-S + ASA5505 with wireless, vlans and trunking with no success. DHCP is provided from my DHCP-server on the inside.
View 4 Replies
View Related
Apr 11, 2013
remote location on MPLS circuit terminated on a Cisco router that has Internet connectivity through Central Site router. We are installing a cable modem at the remote location that is to be used as the Primary Internet Connection but still be able to use Internet through MPLS if the cable Internet goes down. We want the failover/fallback to be handled automatically.
We have an ASA5505 for the cable Internet which then feeds into the ISPs modem.
At first I was thinking about getting a module for the remote router so the cable Internet could be terminated on the remote router as well but that introduces a single point of failure. I would also like to firewall both the MPLS and the cable Internet but if I do so on the ASA there is another single point of failure.
View 2 Replies
View Related
Jun 16, 2011
I have 1 network that I'm trying to make secure, and it needs to access 2 seperate networks. I tried using an ASA5505 that I had on the shelf to accomplish this but discovered that I had the basic license and that was prohibiting me from getting my connection to my 3rd network. I scrapped that idea and grabbed an old pix 501 off the shelf to bring my connectivity to my 3rd network online since the 3rd network is only passing ip traffic to a small group of servers on the outside I figure the 501 should be just fine.
So, here's the problem I am running into:My internal network is 10.10.16.0/16, I have a new domain controller with DHCP on it handing out addresses in the 10.10.16.0/24 range.External Network 1 is 192.168.16.0/24. The services I need from that network are primarily in 192.168.0.0 range, however there is a comcast router 75.123.123.123 (Changed of course) that provides high speed internet I need for my www traffic.External Network 2 is 10.1.1.0/16 I have about 4 servers I need to access on this network and that's it. This network has it's own domain and DHCP controller and I've been given a range of ip's to use on this network of 10.1.3.180-10.1.3.189 My switch is just a plane jane 3com switch with minimal management so I am attempting to use my ASA5505 to handle my layer 3 routing.
So here's my issue:ASA5505 (IN:10.10.16.1, OUT: 192.168.16.6): Passes traffic to External Network 1 and to the comcast router, no problem. All my computers on my 10.10.16.0/16 network have access to everything on 192.168.0.0/24 as well as getting full name resolution and www traffic across the comcast router. Can NOT access 10.1.1.0/16 no matter what. From inside the ASA or from on the inside LAN ports. It CAN ping the PIX 501 PIX 501 (IN:10.10.16.3, OUT: 10.1.3.180) Can ping EVERYTHING. Can ping 192.168.0.0/24, can ping 10.10.16.0/16 and can ping 10.1.1.0/16. Set to globally assign the other IP's in my range as addresses for outgoing traffic.Workstations (IN: 10.10.16.XXX DHCP, using 10.10.16.1 as gateway) Can only access everything on External Network 1. ZERO access to External Network 2. ATM I have both INSIDE and OUTSIDE ACL's wide open for both firewalls just to get connectivity going. I will be tightening it up after it is operational.Attached find a log file (Sensetive data removed of course) that contains the sh run and sh ver for both the ASA5505 and the PIX 501.
View 1 Replies
View Related
Sep 21, 2011
I have a new ASA5505 which I want to use for Remote Easy VPN. The device connects to the remote ends but I am not able to ping the remote network. The interface is new to me and I am not sure where to add the routes. The local network is 192.168.66.0/24. The remote network is 192.168.4.0/24
I am trying to connect the Remote (conf) to the Corporate (conf). I have done this many times but now the new ADSM interface is confusing. I added the commands as you indicated with no success. The ASA gave me an error when I had added nat (inside) 0 access-list nonat. I wouldn't allow me to enable the EasyVPN option while this command was on the configuration. Here are the cry isa and cry ipsec isa files as requested.
View 7 Replies
View Related
Sep 17, 2011
I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 just fine. But I'm having issues when I try to get from the VPN client to Workstation 3... What would I need to do enable to get to Workstation 3 from the VPN client? IT seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.
View 10 Replies
View Related
Jan 29, 2013
I am buying a Nexus 5K (N5K-C5548UP-FA) with the layer 3 card (N55-D160L3 - Nexus 5548 Layer 3 - Daughter Card).The switching capacity of it is 960 Gbps but I know I should expect less doing the Layer 3 function (it will only be used with static routing).What switching/routing capacity should I expect? How can I estimate it? What else should I consider?
View 1 Replies
View Related
Jan 11, 2012
we've had an issue with our network, we have 2 6509 connected with redundancy, which are connected with 2 x 4900 Switches, from which are connected to a ESX Chassis for visualization, the thing is that the ESX stopped working, and the 4900 switches, and the main core were suffering from overload, they hang on it very well, in order to stop the overload, one of the links to the ESX Chassis were disconnected from one of the 4900 switches. The CPU usage from the 4900 and the core(6509) went down below 40%, and then they started to migrate the virtual servers from the chassis to another 2 chassis that were added right after. They were actually working well, but suddenly the 6509 changed to the other supervisor after everything was OK. We were wondering what could have been the cause of this, maybe the virtual servers migrations, maybe the overload from the ESX ? We also had a few question, is there any need to reload the cores every few months as a planned task ? Because the cores have been up for more than 1 year. And also is there any kind of of tool to monitor the CPU status, or the status overall from the cores or the switches ?
View 3 Replies
View Related
Oct 18, 2011
I am facing an isssues with 7609 for LAN switching , based on LAN (VRRP/HSRP) feature.Actually we are having ES+ cards (on 7609) and we are using multiple groups(say 350 vrrp groups) running on the router . the routers are connected as router 1>>> mux(which is working as switches)>>> router2
my questing are
1. does their will be "multicast packets" (for VRRP/HSRP group) "from backup router to Master router", when in stable state( ie when Master and backup are already chosen) , or the packet from backup to master should be unicast.I know for sure, the packet from master to back is multicast packets denstination to Multicast IP packet and To MAC address.I am not sure but I think from backup to master it should be multicast
2. what is frequency of these packets( from backup to master)
3. As i have multiper group on a single interface ( we are using q-in-q), when the connectivity from router's is broken, then does all the groups will muticast their active roll in the lan sengment "at once" or it will be in a groups say 100 groups at once, and after few ms few 100's and sone ( as is on OSPF or RIP)
we are in between troubleshooting I hope we get the ans( Actul problem we are seeing in the router's that we have 2 ports on active routers and 2 ports on standby router , but we are not seeing muticast on 1 port on standby router where as all other 3 ports are seeing multicast packets) [code]
View 5 Replies
View Related
Sep 10, 2012
I would like to know if Catalyst WS-C3750G-48TS-E recognizes and understand Cisco VSS ( Virtual Switching System) . Is there a List available which tells us which Old Catalyst Switches or current switches understand Cisco VSS?
View 3 Replies
View Related
Jul 4, 2012
We are in the process of switching our infrastructure of our routing/firewalls/vpns over to cisco. We are switching our first location and one of the issues I'm struggling with is windows authentication pass-through for internally hosted web pages. Meaning, user inside our network has the 2921 as their default gateway, they try to access a web page that is hosted on the internal network but is secured with windows authentication. In the past, because they are logged into the domain internally, the website authenticates and loads. After switching to the Cisco, it asks for a password even though they are logged in.
Because its the web server that actually authenticates I'm not sure why the router isn't allowing that to happen, but I can't think of anything else that could be causing this behavior.
View 4 Replies
View Related
Apr 9, 2010
Does the nexus 7010 support virtual switching yet? All of the posts I have found from about a year ago say that it is going to be supported, but there were no dates listed. I heard the same thing from Cisco a while back, but haven't followed up with it.If it is supported finally are there any configuration guides available for it?
View 7 Replies
View Related
May 12, 2013
I have the following devices :
-1 VM Host
-2 Layer 3 switches
I would like to provide full redundancy for all vlans being used by VM Guests on the VM Host as well as the management vlan being used by the VM Host.I have created two LACP etherchannel connections on the VM Host. Each etherchannel from the host consists of 4 ports spanning a single NIC. One etherchannel connection goes to a trunked etherchannel connection on switch 1, and the other etherchannel connection goes to a trunked etherchannel connection on switch 2.Switch 1 and switch 2 have an etherchannel connection between them that carries all of the vlans in the topology.Vlan 2 is the managment vlan. Vlans 3, 4, and 5 are vlans that VM guest systems will be using for normal data traffic.
I intend to use switch 1 as the VRRP active router and spanning-tree root bridge for vlans 2 and 3.I intend to use switch 2 as the VRRP active router and spanning-tree root bridge for vlans 4 and 5.The spanning-tree configuration is using multiple spanning-tree with two instances. Instance 1 has vlans 2 and 3 associated and Instance 2 has vlans 4 and 5 associated. I would like to have this topology be fault tolerant to the point where if one of the etherchannel links between the host and one of the switches goes down, (for example, if switch 1 was powered off) traffic will be automatically redirected through the other functional link. I believe that my VRRP configuration would allow for a fairly quick failover of layer 3 services, but I am not certain that my design will be functional at a layer 2 level.
What I am uncertain about is how spanning-tree will converge. I am assuming that the virtual switch on the VM host will not be forwarding any BPDUs being sent by either switch. Would either of the links connecting to the host be considered a redundant link by either switch?Would the link between switch 2 and the host be inactive for all vlans in MST instance 1 during normal operation?Conversely, would the link between switch 1 and the host be inactive for all vlans in MST instance 2 during normal operation? Would all links remain active for ALL vlans? Would this mean that some traffic may travel through switch 2 to reach switch 1 instead of going directly to switch 1?
View 1 Replies
View Related
Jan 21, 2012
As per my understanding 6509 all slots are dual channel, so 9 slot * 40 per slot (20 g in and 20 g out) = 360 GB How cisco claim the 720 ?? What about the 6513 chassic switch fabric connection?
View 5 Replies
View Related
Aug 6, 2012
It is said that the switching fabric of WS-C3750X-24T-E is 160Gbps.Could any body tell me what is switching fabric, any relevance or difference from forwarding rate?,Is there any document to know how will the switch reach the 160Gbps full switching fabric performance?
View 5 Replies
View Related
Mar 21, 2012
I got Two Distribution Switches of Cisco 3750G. Each Distribution have two 3750G switches stacked. I also have one Cisco 3750V2 Access Switch connected to both Distribution. When I am checking for redundancy, I can only get redundancy test pass for one link not atall for other. If I have a link up with Distribution 1 only then its fine; but disappointment with Distribution 2 link. I can see that the switch priorities of Dist 2 is not correct ie. Master's priority is 10 and Member's is 15.
My question is that due to misconfigured priorities on Distribution 2 stack switches I am failing with redundancy if ONLY Dist 2 is up and Dist 1 is down.
View 4 Replies
View Related
Sep 20, 2012
I am seeing a strange situation on my 6500 switch?By having snmp walk on '1.3.6.1.4.1.9.9.109.1.1.1.1.3' (== cpmCPUTotal5sec), I came to know that there are two processor and the cpu util for switching processor is gone to 88 % and some time creeps to 99 %.
snmpwalk -v2c -c "removes" sw6500 '1.3.6.1.4.1.9.9.109.1.1.1.1.3'
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.3.1 = Gauge32: 12 (--- this is for CPU of Router Processor )
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.3.3 = Gauge32: 99 (--- this is for CPU of Switching Processor )
but when I do sh process cpu on the console, all looks normal as it shows cpu utilization of RP. why the value is so high on the switching processor ?
View 1 Replies
View Related
Jul 24, 2011
It is understood that sub-50 ms ERPS convergence can be achieved with certain HW/SW combinations.
1) What are the platforms supported (and with what FW/SW) has this been tested ?any results that can be shared?
2) Link failure detection in GigE on Copper is slower compared to GigE over "pure" Fibre; so no sub-50ms would be possible with Copper ring ports.is sub-50ms convergence achievable with "combo SFP ports" ?
View 1 Replies
View Related
Oct 8, 2012
Lucien is a customer support engineer at the Cisco Technical Assistance Center. He currently works in the data center switching team supporting customers on the Cisco Nexus 5000 and 2000. He was previously a technical leader within the network management team. Lucien holds a bachelor's degree in general engineering and a master's degree in computer science from Ecole des Mines d'Ales. He also holds the following certifications: CCIE #19945 in Routing and Switching, CCDP, DCNIS, and VCP #66183
View 1 Replies
View Related
Jan 17, 2013
My management has tasked me to give them a high level overview of the different switching we can choose for our new building.
This is what I know so far.4 Closets, each closet has 450 ports,One MDF room that is will contain one UCS Chassis and a Nimble iSCSI SAN.
I am working on the spreadsheet and it looks like this (Not totally filled):
2960s3560x3750x45064510Approx cost (Each, 48PORT, POE+, 10G uplink, Dual PS, IP BASE)
6K7K8K45K75KMax Capacity192432432192384Backplane speed206464520520ProLeast ExpensiveStackable to 9Stackable to 9ProDual PSDual PSDual PSDual PSDual PSProLayer 3 opt
Layer 3 optDual SupsDual SupsConExpensiveExpensiveConNo Dual PSConLayer 2 OnlyCannot stack more than 4
For the MDF I would like to use 2 Nexus 5548's with FEX's, and the layer 3 daughter board. For the IDF's I was thinking of two 4010's.
View 12 Replies
View Related
Oct 7, 2012
I configure HSRP on Router 2951 as a primary router, and Router 2811 as backup router. But when I am switching off my Primary router the backup router is taking 2 mins to take over form primary router.
[code]....
View 4 Replies
View Related
Sep 13, 2012
Why Cisco implements so much switching capacity in their switches Obviously,16 Gbps of permutation performance is too much for the 8,8 Gbits (24*200+2*2000) needed by ports so why they put so many bandwidth?
View 3 Replies
View Related
Apr 11, 2012
The have around 80 staff and I think the current infrastructure is overkill for the size of the company. The current kit is old and they have no GB ethernet ports. They currently have:-
Core Switch:
1x Cisco c6509with a 48 port fast ethernet module (WS-X6248-RJ-45)
and an 8 port fibre module (WS-X6408A-GBIC)
I'm looking to replace this with something with 72 ethernet ports and 8 fibre ports
Access Switches:
2x 3500Replacement needs at least 48 ports and 2 fibre modules each
and 2x 5500Replacement needs at least 72 ports and 2 fibre modules each.
View 13 Replies
View Related
Jun 15, 2012
We are setting up a test lab in our DMZ. The path to the internet is basically like this. Anything past the firewall is irrelevant. For this lab lets assume it is vlan 300.
LAB SW ---> DMZ-SW ---> ASA FW ---> INTERNET
LAB IP Range = 172.16.300.0 /24
GW = 172.16.300.1 (On FW int)
Trunked all the way through.
I have an int vlan set up on the LAB SW. It is being trunked to DMZ SW. DMZ trunks it to ASA FW where there is a failover with a redundant switch.On the ASA the interface 0/2 is a subinterface 0/2.300 being used as the default gateway.
I have DHCP running in a specific range on the LAB SW and do get an ip address when plugged in. I cannot ping the default gateway on the ASA FW.The GW is defined using default-router command for 172.16.300.1 i.e. default-router 172.16.300.1?
We are running ospf on the firewall. There appears to be a pattern with ospf and a similar subnet setup elsewhere. I was wondering based off of this info would configuring ospf for 172.16.300.0/24 allow me to ping the GW from a client on the LAB SW.Secondly. I trunked 300 on the DMZ SW but I didnt add the vlan to the configuration. i.e. conf t <enter> vlan 300 <enter> Does this really matter? Or is having the vlan in the configuration only pertain to access mode on interfaces?
View 1 Replies
View Related
Mar 6, 2013
i cant find any difference in these two devices when i am trying to compare throughput.I need upgrade our new POP and there will be around 4900 MAC adresses in VLAN 150 and 130 MAC adresses in vlan 200.Uplink is 1 gig routed internet connection and there is 14 downlinks to separate villages.i found a few differences for eg stack interface on 3750x but i dont need it.
View 2 Replies
View Related
