Cisco VPN :: ASA5520 VPN Host-to-LAN Implementation

Apr 4, 2011

I would like to have an implementation of two ASA 5520 (in failover).

Architecture Context

-The ASAs are used as VPN concentrators only. Initially the ASA will be in charge of IPsec Host-to-LAN VPN connections (with the IPsec VPN client), and I think the SSL VPN AnyConnect client will be set up in the near future.
 
-We must define two categories of users (student and researcher); for each one we want to define:
  + An IP address pool
  + ACL
  + Split Tunneling (only LAN traffic will go in the VPN tunnel)
 
-The ASA will perform authentication via a RADIUS server (the RADIUS server is linked with an LDAP server)
  + In the RADIUS server we want to define the category of user (each user is a student or a researcher)
 
-The VPN clients use the internal DNS to request LAN resources.
 
-A VPN timeout if there is no traffic for 60 minutes
 
-The VPN user performs authentication with a PSK (no certificate)
 
The RADIUS server software is IETF compatible (url...).

The architecture is the following:

-One internet connection
-A corporate firewall with 3 DMZs:
+ 1 public DMZ, to which the ASA "outside" interface is connected (encrypted traffic)
+ 1 private DMZ, to which the ASA "inside" interface is connected (unencrypted traffic)
+ 1 LAN DMZ, where there are some VLANs routed by 6500 routers.
-The RADIUS servers are on the LAN
-On the corporate firewall:
+ HTTPS and IPsec will be opened between the internet and the ASA
+ The RADIUS traffic between the ASA and the RADIUS servers, and the traffic between the VPN user pool and the LAN.
 
-What is the best solution to configure the ASA?


Cisco Firewall :: ASA5520 To ASA5520 Via L2L Tunnel

May 31, 2011

Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
 
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
 
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
 
My 2nd is that I have debug enabled on my rules but am not logging anything.


Cisco VPN :: Pix 515e - Remote Host Cannot Ping Any LAN Host

Jun 27, 2011

I have a host that can successfully connect to a PIX 515E (7.x OS) via VPN Client; however, I have no IP routing to the LAN from the remote host. The VPN IP pool works fine. The LAN default gateway is the inside interface on the PIX; the network is flat L2 behind it. The default route on the PIX points out; no other routes are defined. The VPN remote host can be pinged from LAN hosts, but the VPN remote host cannot ping any LAN host, not even the PIX inside interface.


Cisco VPN :: ASA 5510 Ping / Communication Host To Host

May 7, 2012

ASA 5510
Ver 8.2(5)
 
I have been looking all over the place for the answer of how to allow clients on an IPSEC VPN to ping from host to host.


Can Pure IPv6 Host Ping A IPv4 Host?

Feb 10, 2011

I'm just wondering if it's possible to ping an IPv4 host from an IPv6 host, assuming that NAT64 has already been implemented?
[code]...


Cisco WAN :: 7206 - Difference In LLQ Implementation Between GSR / IOS-XR

Mar 9, 2011

I have a problem in understanding how LLQ is implemented on different Cisco platforms. QoS should kick in only when there is congestion on the link, irrespective of queueing / scheduling (LLQ and CBWFQ). But on certain platforms like GSR and IOS-XR, LLQ is configured only with the priority and police commands, not with the "priority percent <value>" command. With the priority and police commands, since a policer is used, LLQ is always on even when there is no period of congestion. Of course with police you can re-mark the exceeding traffic to a different marking, but that's not the requirement in my case.
 
On platforms like the 7206, LLQ is configured with "priority percent <value>", which ideally works only when there is a period of congestion. When there is no congestion, the LLQ class can scavenge from other classes as well. I would like to know if there is any specific reason why there is a difference in the implementation of LLQ between different Cisco platforms.


Cisco Firewall :: ASA Implementation With 5545

Dec 6, 2012

Just a few questions. We are looking to deploy a Cisco ASA 5545 into a network. I have a couple of issues with designing the network correctly.
 
We need to be able to scale out to more hosts than a single VLAN, we would also be considering adding 4948E switch behind the ASA and potentially a stack in front.
 
The problems are:
 
1) If we have an outside stack of public 4948E (so we can connect some hosts outside the firewall, such as additional ASAs running in NAT mode) for VPN. Is this a reliable, recommended configuration? The reason being we need to have the ability to add other separate ASA-protected networks that we don't want going through the 5545, as it's going to quickly run it out of capacity. If I have the L3 switch stack in front, I'm guessing we would have a small subnet to link upstream and then sub-subnet into two blocks, one on the inside interface and one on the L3 switch for the other hosts? Or would it be better to let the upstream provider do this, and then just get them to provide us with two smaller subnets rather than one big one? As below, if we do the L3 stack ourselves we would need two small subnets, one to communicate with upstream and one to link ASA subnets. This seems like a waste of IPs. I was wondering if I could use internal IP space on the L3 > ASA link, but I thought that could be an issue for BOGON lists.
 
2) If I want to extend the inside network (the Cisco ASA would not run NAT, just public IPs on the inside, routed to the outside interface of the ASA) there are two ways. Use the ASA to create subinterfaces/VLANs (but that would be routed via the ASA - maybe a performance hit?) or use an L3 switch behind the ASA. How does one accomplish running an L3 switch behind an ASA properly?


Cisco :: AirCap 3602i Configuration For Implementation

Dec 18, 2012

I need an implementation of the AirCap 3602i wireless access points. Is there a way to manually configure an AirCap 3602i to function without a WLAN controller? I have an older 4402 WLAN controller that will upgrade to 7.0.235 firmware; since the AirCap 3602i requires 7.2.X firmware, is there a workaround for this?


Cisco Security :: Wap 4410N Implementation Of Encryption Wep

Jun 2, 2011

How is the encryption (WEP, WPA, etc.) implemented in hardware on the Cisco WAP4410N?


Cisco Switching/Routing :: 6509 - VSS Implementation

Jun 5, 2011

I have a network with four 6509s in a ring with 10Gb links. Two adjacent switches are at the home office, the other two at the DR site. The switches at each location are physically similar to each other with respect to what blades are in them. We went through an upgrade from SUP-720's to VS-SUP-720's recently, only at the DR site - basically a practice, with the home office conversion hopefully taking place next weekend.
 
We initially just brought up the two chassis separately, in non-VSS formation (stand-alone). So far, so good - everything was connected, all traffic was passing, all links were up, everything was reachable: EVERYTHING worked. Then we made the conversion, step-by-step from the cisco.com page: create a virtual domain, make one switch switch 1 and the other switch 2, create differently numbered port-channels on each 6509, add the SUP 10Gb links to the port-channel, do the conversion.
 
Here's where the trouble started. First of all, the two 10Gb links back to the home office created a spanning-tree loop and we had to shut down one of the links. (Is there something that needs to be configured on those links to turn spanning tree on? Does VSS conversion turn STP off?) Secondly, though it worked while in stand-alone mode, the copper blade in the standby 6509 stopped passing traffic - it would take config, the links would come up, but you could not ping across those links. Interestingly enough, there was an access switch with links to each of the copper blades, and having them both up also caused a spanning-tree loop. Adding a new port-channel and putting both links in it did nothing to alleviate the loop. This leads me to believe that STP is not working properly. I reiterate that even though the loop occurred, nothing else plugged into that blade was pingable.


D-Link DIR-825 :: IPv6 Firewall Implementation

Apr 17, 2012

Unfortunately I didn't discover any configuration switches concerning an IPv6 firewall! So the important question is: Is there any firewall implemented at all? And if so, does it conform to RFC6092?


Cisco :: VLAN Implementation To Live And Running Network?

Mar 27, 2012

Just wanted to get a few answers in regards to VLAN implementation (thinking about doing this for a large network)... VLANs always sound good on paper, but how hard/easy are they to implement on a live and running network?

1.) Have you successfully implemented VLANs in a production environment (e.g. placed servers, production, printers, etc. on separate VLANs)?

2.) How much of a pain is it to do this? If you are on a 192.168.1.x subnet, do you have to re-IP all of your printers, switches, etc.? This sounds like a lot of work, especially since re-IPing domain controllers is a royal pain.

3.) Have you seen much of a performance increase when implementing VLANs (i.e. chatty protocols and broadcasts)?


Cisco Wireless :: 5008 Company Redesign - WLC Implementation

Sep 16, 2012

Nowadays my company works with autonomous APs (AP1142, most of them). We have a WLC 5008 and I am working on the implementation project... So far so good. BUT, I have just realized that the company didn't buy a second WLC (this project started 1 year ago and I wasn't an employee here yet...). If I convert all the autonomous APs we have (around 25, local and some of them remote)... and then if I have a HW problem with our single WLC... will those APs continue working?


Cisco Switches :: Voice VLAN Implementation On SGE2000P

Sep 17, 2011

I'm planning to separate voice and data traffic with two VLANs. I have a core switch Catalyst 3750, a UC560 for VoIP with a SIP trunk, and SGE2000P as access switches. The thing is, I had configured VLAN1 (data VLAN) and VLAN8 (voice VLAN); I've created VLAN 8 in the database on the 3750 and let those VLANs pass through a TRUNK port. In the SGE2000P configuration I've created VLAN8 and set the ports as trunk to let the two VLANs pass for the PC and the IP phone. This works, but some phones aren't registering; for example, I've unplugged a registered phone and plugged it back in, and it doesn't register anymore.


Cisco Switching/Routing :: IPv6 HSRP Implementation On IOS-XR 4.2.1

Nov 11, 2012

I'm looking to try and implement IPv6 HSRP on a series of IOS-XR routers running 4.2.1, following on from successfully setting up IPv6 HSRP on a few Cat6509s on VLAN interfaces in other parts of the network. I have entered the "router hsrp" configuration menu and gone into the interface in question that I'm looking to set up with IPv6 HSRP. Unfortunately, the version 2 and address-family ipv6 commands are not available there.


Cisco Switching/Routing :: QoS On 3750x For VOIP Implementation?

May 23, 2013

We are going to be expanding our Shoretel phone system in our HQ and I need to get QoS configured correctly.  All of our offices are connected via MPLS and I need to make sure that we are sending QoS tagged traffic to our provider.  The phones are tagged by the director, but there is other traffic for call control that needs to be tagged.  I don't have access to our CPE router as it is managed by Sprint.  The Sprint router is connected to our internal network.  We have our data network running on (4) 3750x switches running 12.2(55) with IP feature set.  

The problem is that many of these commands don't work on the 3750 (priority, bandwidth, match protocol, etc...) and the configuration assumes you are applying this to an outbound queue which is not supported on the 3750.  I think I have to do this with policing, but I'm not sure what interfaces need to have this applied.  


Cisco Switching/Routing :: 6509 VSS Implementation / Migration?

Jan 5, 2012

I am planning an implementation of VSS on our two 6509 switches, and would like some feedback on things to look out for, and any issues encountered by others that have done this already.
 
We have the 10Gig port installed on the Management blades, but not configured yet.
 
Main questions would be:
 
1: What kind of "down time" am I looking at for the migration? (Reboots, configuration reloads, etc.)

2: I will be saving the configurations on both devices before-hand, but how does the VSS migration "merge" the configurations of both devices?

3: L2 VLANS - we have some on one switch, others on the second switch. Will these be combined, or would this be a manual process?
 
Any other things of note that I should know about before planning this migration?


Cisco Wireless :: WLC 5508 Implementation - Some Users Losing Connectivity

Dec 3, 2012

We are implementing a WLC infrastructure in our company following the below scenario:

- WLC 5508, OS 7.2
- APs AIR-LAP1142N-T-K9
- 3 Wlans (1Open w/ Web Auth, 1 WPA2 and 1 802.1x)
 
Issues: Everything seems to be fine, but some users lose connectivity (when connected to the 802.1x network) at least 3 times a day.

- I cannot see anything in the WLC logs concerning the association/disassociation of any of these users.

- The only strange line in the logs is "RADIUS server 172.21.44.50:1646 deactivated in global list" (authorization server config)

- Also I see some "Coverage hole pre alarm for client" but that doesn't look like a problem...


Cisco Switching/Routing :: 4948E / EIGRP Implementation With GLBP

Sep 4, 2012

I'm in the process of installing two 4948E switches. I will be configuring GLBP and wanted to get some guidelines on configuring GLBP and EIGRP:
 
- First question: like HSRP, I'm configuring it on both switches like this:
 
Switch 1:
interface vlan 5
ip address 10.1.5.249 255.255.255.0
glbp 5 ip 10.1.5.1
glbp 5 priority 110
glbp 5 preempt
glbp 5 authentication md5 key-string xxxxxx

[code]....
 
- Second question is about EIGRP: when I configure EIGRP on the main switch that is the AVG with the following commands, will I also have to run the same commands on the second 4948E too?
 
router eigrp 10
network 10.1.5.0 255.255.255.0


Cisco Switching/Routing :: 5596 LACP Implementation With HP Servers

Apr 17, 2012

I need to implement LACP with HP servers, mostly DL380 G7 with Intel-based dual ports, with two types of Cisco equipment. First scenario: server connected to a 3750x stack of 4 switches. Second scenario: same server type connected to two Cisco Nexus 5596. My questions regarding the two types of connection: Is it possible to do active/active? Would it give fault tolerance? With the HP LACP implementation, is there a known issue, or should I expect latency with such a configuration? What is the maximal LAG / channel-group that is possible per type?


Routers / Switches :: IPV6 Implementation In IPV4 Network

Jul 1, 2012

Our company backbone is an HP 5406, and the desktop switches are HP 2510; currently we are working with IPv4. If we want to start using IPv6 for a test environment, what things do we need to enable in our backbone/regular switches? I mean, for example, if we want to set a static IPv6 address for 2 servers and send pings between them, or even make a new VLAN with an IPv6 subnet and use it like a regular VLAN but with static IPs (until we get IPv6 DHCP). I have the HP 5406 manual for IPv6 but I can't understand what I really need to do to start using IPv6.


Cisco Switching/Routing :: 6509 VSS Implementation As A Service Module Core

Jun 8, 2011

I'm planning to implement VSS in the core but want some inputs on IOS, as I have an FWSM as a service module in the core. I am running 12.2(33)SXH2a on my core 6509, and I checked Cisco sites and the FWSM release notes, but they state only the I-Train of IOS while mine is the H-Train. So can I directly upgrade to the I-Train, or I was thinking of the SXH8b IOS?


D-Link DIR-825 :: IpV4 Versus IpV6 Implementation For Remote Access And VPN?

May 16, 2013

I currently have IPv4 as the setting on my DIR-825. Other posts seem to want IPv6, which is more secure but is not possible with a DIR-825 Rev A1. I have two routers, a primary router (DIR-825 Rev B1) capable of IPv6 and a secondary router (DIR-825 Rev A1). If I implement IPv6 on the Rev B1 router but keep IPv4 on the secondary router, will this improve the security, or will it just mess things up so nothing works? Certain devices (cell phones and most tablets) don't deal with IPv6 very well at all. The ones I have tested flat don't connect to the wireless network if the router is set to IPv6. Is IPv4 adequate for a home/small business network when trying to implement remote access and VPN?


Home Network :: Topologies In Real Time Implementation Compare And Contrast Each Other

Apr 26, 2011

Topologies in real time implementation compare and contrast each other?


Cisco WAN :: Implementation Of Short Sequence Number Format Support In PPP Multilink Header For MWR 2941

Jun 11, 2012

One of my customers has raised a new requirement for implementation of short sequence number format support in the PPP multilink header for the Cisco MWR 2941 E1/T1 serial interface, whereas the router supports the long sequence number format. Here is the output of the "debug ppp negotiation" command. Currently in the MWR debugging logs we can see that by default the MWR is sending the long sequence header format, as below:
 
*Mar 13 01:32:55.438: Se0/2:0 LCP: O CONFREQ [REQsent] id 238 len 25
*Mar 13 01:32:55.438: Se0/2:0 LCP:    MagicNumber 0x26CDF693 (0x050626CDF693)
*Mar 13 01:32:55.438: Se0/2:0 LCP:    MRRU 1500 (0x110405DC)
*Mar 13 01:32:55.438: Se0/2:0 LCP:    EndpointDisc 2 16.16.16.11 (0x1307021010100B)
*Mar 13 01:32:55.438: Se0/2:0 LCP:    MultilinkHdrFmt seq long classes 2 (0x1B040202)
 
Whereas as per the requirement the PPP multilink header should support short sequence numbers.
 
MWR configuration:
 
controller E1 0/2
framing NO-CRC4
clock source line
channel-group 0 timeslots 1-31

[code]....


Cisco Firewall :: 5515x Apply On Firewall / Switches To Make Implementation Successful

Apr 22, 2013

I will be implementing a new firewall (Cisco ASA 5515x) on my existing 3750x (server switches) and my 2960s (user switches). What do I need to apply on my firewall and switches to make the implementation successful? I will put my 3750x as my DMZ and my 2960s as my inside. The 3750x has multiple subnets and so does the 2960s. Which features and technologies do I need to know on those 3 products? My 3750x and 2960s don't have any ACL defined, and the most common features are VLAN, switchport, trunking, spanning-tree, stacking, VTP. How does my ASA know that my 3750x/2960s have multiple VLANs? My current connection right now on the 3750x and 2960s is just through 6 ports I assigned as one trunk; below is my config [code]

My 2960s VLANs are almost the same as my 3750x except VLAN 160, 170, 192. But of course when I put this in the ASA, I have to segregate VLANs for the 3750x (192, 100, 110, 160, 170) and the 2960s (130, 150). For my 2960s connection to the ASA, and since this will have big bandwidth, I will use 3 ports on my ASA (and trunk them) connecting to my 2960s, and I will use 2 ports on my ASA (and trunk them) connecting to my 3750x. The one internet port and my one management port on my ASA will stay like that.


Cisco VPN :: Asa5520 How To Add Pcs To Vpn

Apr 23, 2012

I have configured SSL clientless VPN on an ASA5520 (8.2, ASDM 6.4). It is working. The only problem is how to add PCs to the VPN, meaning that someone needs to access PCs via the VPN. Servers with a URL can be added without any problem. Is there any way to add PCs/servers by IP address?


Cisco VPN :: For VPN Between ASA5520 And Checkpoint R55

May 16, 2013

We are trying to configure the VPN with our provider; we are on an ASA and they use Checkpoint. The VPN seems to be established on phase 1 and phase 2 too, but when I send ping packets they seem to be lost in the tunnel and the other side does not see them. The ASA is behind another firewall, and the outside interface of this ASA is NATed on this perimeter firewall.


Cisco :: ASA5520 Bandwidth Limitations

Oct 10, 2011

I'm trying to use a 5520 to test something but the bandwidth seems pretty low for the product I'm testing over it. Can anyone tell me if there is a bandwidth limitation by default? I'm seeing 1.5mb/s average with spikes to 6mb/s or so. On the ASA5550 I was seeing usage up to 80mb/s.


Cisco VPN :: ASA5520 SSL VPN Portal Not Working

Feb 17, 2010

I'm trying to set up the SSL VPN portal: When I connect via HTTPS to the ASA5520 outside interface I get the login prompt, and after successful login it takes me directly to the AnyConnect client download (starts AnyConnect immediately), even though the group policy is configured to not prompt the user to choose the post-login action and the post-login is set to go to the Clientless SSL VPN Portal?


Cisco VPN :: SonicWall / ASA5520 VPN Disconnects

Feb 4, 2009

We have several SonicWall TZ 190s establishing VPN tunnels with an ASA5520. Periodically random VPN tunnels will drop and cannot re-establish a connection. In order to re-establish the dropped VPN tunnel, our firewall folks manually drop all VPN tunnels connected to the ASA (they used to physically power cycle the ASA). They claim this is the only way to resolve the problem, and since the SonicWall Life Time seconds for Phase 1 and 2 are set to 28800, they reset the tunnels every 8 hours. Additionally, they claim that SonicWall IPsec is different than Cisco IPsec, which is the main problem. Hence they are requesting a SonicWall VPN concentrator.


Cisco VPN :: ASA5520 Any Way To Set Up Profile To Check PC

Mar 5, 2013

I have a Cisco ASA5520 that we are going to use to allow users to connect to our network via the AnyConnect client. I have authentication set up to validate against AD via LDAP, but was wondering if there were any way to set up the profile to check the PC before they log in... we do not want users using their home PCs to attach to our corporate network, only PCs that were issued to them by the company. Nothing is jumping out at me in the config; we are running some fairly old software on the boxes (ASA - v8.2(2), AnyConnect - v2.5.3046). I plan on upgrading AnyConnect to v3.1 but will probably need to keep running the 8.2(2) version on the ASA due to support issues.


Cisco Firewall :: Only One Internet IP Can Be Used In Asa5520?

Sep 25, 2011

I have an ASA5520 with five Internet IPs. One is for the internet interface and the others are statically mapped to DMZ hosts. It ran correctly until yesterday. Now it loses the connection to the gateway many times every day, and the DMZ hosts cannot connect to the internet at any time. Configuration (simplified):
 
!
interface GigabitEthernet0/0
nameif internet
security-level 0

[Code]....

I called the ISP to check: when the ISP clears their router's ARP, the ASA loses the connection at the same time and then the ISP's router couldn't learn the ASA's MAC. After I 'clear arp' manually, the ISP's router can learn the ASA's MAC and the connection recovers, but the DMZ still can't access the internet (of course, there is no problem between the DMZ and the ASA; I ping the internet gateway from a DMZ host and cannot get any reply).

Copyrights 2005-15 www.BigResource.com, All rights reserved