Client has an ASA5505 anchoring an MPLS network. One of their branch offices is experiencing frequent circuit outages due to theft of copper lines. I am looking at an 881G with wireless aircard as a backup solution and creating a VPN tunnel to the ASA but am unsure about how to handle routing on the ASA. There will already be a route for the branch subnet for the MPLS network.
View 2 Replies
I have an issue where we have a single ASA5505 [soon to be active/standby with single ISP] connecting to HQ where there are 2 x Cisco 2821's. Each 2821 router has it's own connection to the internet running BGP and each router is setup to terminate IPSEC VPN's from the ASA. The ASA has a backup VPN configuration with no IP SLA configuration to track if the Primary IPSEC endpoint is alive. Keep alives are set and the VPN does failover to the backup.When the primary 2821 internet connection fails the ASA fails over to the backup 2821 and everything works a dream. However when the primary internet link re establishes to the primary 2821 the ASA does not fail back to the primary 2821 it stays on the backup 2821 and all is broken as the remote site starts forwarding traffic out the BGP default route - which is back via the primary connection...How do I fix this so that the ASA tracks the IP of the primary router to failback without manual intervention - clearing isakmp and ipsec sa's?The other issue is the ASA does not allow traffic to be orignated from the 2821 end of the VPN. You have to establish traffic from behind the ASA for the IPSEC sa to be created.
View 1 Replies View RelatedSeeking Hardware and configuration support.,Our Firm had acquired another company and from IT point of view management wants to link both offices to share data and application,Both companies will be linked with Redline Outdoor Wireless. Fortunately both companies are using different IP,ranges. what configuration is required to interlink both companies,Wireless provider suggested to terminate wireless link on 1841 Router and LAN connection to Layer3 Switch,Our Current Setup.Internet-----------Router----------Firewall-----------switch,internet router : 2600,firewall : cisco ASA 5510Switch : 3560users : 300servers : 10
View 3 Replies View Relateddlna server of ea4500 does not supports time seeking? No rewind? I have tryed to plug usb-flash with video files for testing before buying an external HDD and... REALLY no time seeking?
View 3 Replies View RelatedI have a Cisco 2851 (c2800nm-advipservicesk9-mz.124-25d.bin) Router configured with one site-to-site vpn. Is it possible to configure a failover vpn tunnel on this router?
View 8 Replies View RelatedI can't get the internal 3G modem on my HP2510p with Windows 7 Professional 32 bit working. So far I've downloaded and installed the following:-
HP Broadand Wireless Modules - Sierra Wireless Inc
HP Connection Manager - Hewlett Packard
HP Wireless Assistant - Hewlett Packard
Qualcomm Gobi Driver Package for HP - QUALCOMM
but it's still saying 'no dial tone' and not reading that it has a 3G modem. If I've downloaded anything, how I can uninstall it.
I have 2 PIX 525, which one of them, step and active failover mode the other PIX 525, leaving this off, do not know what happened may have been a power outage, but in any case I can turn it back on? And the other question I have is if I can import a configuration that I have saved on my computer. i have the PIX device manager.
View 11 Replies View RelatedWhat I currently have is a Cisco 891W Router as well as two ISP's (both with dynamic IP's) in. I'm currently just running one of my modems into the 891 through the FE8 port and then if for some reason I have an internet failure switching the ISP modems. What I'm wondering is if there is a fairly simple way to configure (and attach) both modems to this router and then set it up to handle this failover automatically?
View 1 Replies View RelatedI discover an issue with my CISCO ASA 5550 because I'm looking at the vlans that I have configured and some vlans on the Stand by device had not an IP address configured, checking the configuration of the failover
View 2 Replies View Relateddoes cisco 2811 support?if no, can i make it work for BGP?also, i want to know the configuration of bGP for twoo ISPs for link failover.it will be google if u tell me step by step approach for configuring it
View 1 Replies View Relatedsample configuration for internet failover . i have 2 ISPs with one coming in thought a serial cable and another through internet and would wish one take over after the other has failed .The router is Cisco 1921 .
View 4 Replies View Relatedi have the asa5505 with asa8.4.5 and asdm 6.4.2. my asa work like site to site vpn with the other asa5505. i would be love that monitoring status of VPN. i enabled on asa logging, i puted address of smtp server, receipent email, source email, the problem is because my smtp server require authentication, TLS. how set configuration on asa5505?
configuration of logging for send notification on email.
Our client has a vendor who needs to establish a VPN tunnel to their own router which sits behind our Firewall.
VPN Concentrator (Vendor) <------> ASA5505 Client (7.2) <-------> 3750 Switch <-------> VPN ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3
ASA Inside Interface - 172.20.58.13/30
3750 Switch Interface Connected to ASA - 172.20.58.14/30 and DG - 172.20.58.13
3750 Switch Interface connected to VPN router - 172.20.58.21
VPN Router Interface connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21
I have also attached a Visio for this and the running configuration from the ASA and 3750. We don't have access to the TNS VPN router. Our responsibility is to just to make sure the tunnel comes up.
1) Create a static NAT on the ASA for Public to Private IP of the VPN router
Public - 208.64.1x.x5 / 28
Private - 172.20.58.21 / 30
Will the ASA automatically ARP for this address or do i have to configure another interface on the ASA with this public IP?
2) What would the access list look like on the ASA?
3) The client gave us some config to copy the stuff on the ASA so that they can create the tunnel but i couldn't put those commands in the ASA. How would this be applied and on what interface?
Firewall Access: The following information pertains to access between the VPN router and the
VPN concentrator. If a firewall/router is present in front of the VPN the following services need to be
allowed:
permit esp host 208.224.x.x any
permit gre host 208.224.x.x any
permit udp host 208.224.x.x any eq isakmp
permit udp host 208.224.x.x any eq non500-isakmp(code )
I buyed a dell inspiron 1525 laptop. I am looking to buy a wwan card for the same. some wwan cards and where i can buy? I looked into some wwan cards on ebay but i don't want to end up buying non-compatible card.
View 4 Replies View RelatedWe have ASA running code 8.0.4 with Active/Standby for quite long time. Today when we gave the command wri standby it started sync the config to standby ASA but waited forever.when we checked the show failover, we got the following result.
This host: Secondary - Active
Active time: 1928633 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface PERIMETER-MGMT (10.12.8.1): Normal (Not-Monitored)
Interface OUTSIDE (86.36.xx.xx): Normal (Waiting)
[code].....
When we console to Standby ASA and tried to save (wri mem), we got the following error and also please note the hostname has become default...?
ciscoasa(config)# wri memory
Building configuration...
Command Ignored, Configuration in progress...
[FAILED]
and when we tried to give following command we got this error:
ciscoasa(config)# copy running-config startup-config
Source filename [running-config]?
%Error reading system:/running-config (Configuration temporarily locked)
ciscoasa(config)#
I see here the standby ASA IPS module is down, but can that issue cause not sync the config backup and writing to nvram (save config)..?
I have 2 ASA 5540s ver 8.3 in Active/Standby state.I am considering a future hypothetical situation where I might need to rename interfaces or reallocate redundant interface groups. Doing so obviously has a major impact on the current primary configuration. My goal would be to minimize or eliminate network downtime during the interface changes.
I am wondering if it is possible to force the secondary ASA from the standby to active state.Then temporarily disable failover on the primary unit.Make the interface changes on the primary unit Then reactivate failover on the primary unit Force the primary unit back to active and secondary unit to standby My new interface configuration would then sync from the primary to the secondary.
I believe this would work but must ensure that the secondary ASA can function as the active unit while the failover is disabled on the primary unit. Is there a set length of time the secondary unit can remain active without a failover peer?
see issues with operating the secondary unit in this manner while making changes to the primary unit?
Our servers are hosted at the Main site, site office A access to the Main site for Internet and servers. We are thinking NextG to take over when the link between sites goes down.
To start with, what is the configuration for 3750 at Site A and the Main site:
1) Trunking for both switches
2) Routing
3) the automatic failover configuration for the switch at Site A.
I would like to configure a cisco ASA5505 IPSEC VPN. I used the wizard and tried to connect to the outside .. does not work .. The network is configured in this manner: - ADSL router with public address and internal address 192.168.2.1 -> firewall interface inside and outside 192.168.2.2 192.168.3.1 (my network is 192.168.3.0). I used a VPN to the pools ranging from 192.168.4.1 to 192.168.4.100.
INTERNET ----- ROUTER ------ ASA5505 -------LAN
What should I change? there could be problems between the router and firewall?
We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
View 1 Replies View RelatedI am trying to establish EIGRP neighborships with my inside switches (3750s) over the "Internal" interface, shown in green. The outside interface is g0/0 and don't worry, I've ensured EIGRP is not running there.The problem I'm having is that I need to monitor the "Internal" link so that if it goes down, the ASA triggers the failover to the secondary firewall connected to the other switch. I was told that the "secondary" keyword was what enabled this:
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.10.2.2 255.255.255.0 standby 10.10.2.3
This is fine since I am able to compare this config to the firewalls that are currently in production elsewhere in the environment and this is what's in use there. However, in order to run EIGRP all the way to the firewall and not rely on something else like HSRP for the inbound traffic, I'd like to run the corresponding links (Gi1/0/22) on the inside switches as routed ports (no switchport) so that I don't have to establish neighborships with SVIs or something like that. I want the routing to be done directly to the port, leaving the interfaces for failover and our DMZ set up as switchports, since those can be layer 2.It's saying the Internal interface has failed now, probably because it cannot send hellos through this, since it's a routed port on the switch side. I'm wondering if this simply is an impossible design, unless there's a way to track this interface and trigger a failover if it goes down using another method.a method that allows me to track that internal interface (Gi0/1) and trigger a failover if it goes down.
I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time. Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer. I disconnected the failover cable because it was complaining about version mismatches constantly.
Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?
I'm planning to replace my flaky minipcie wifi and I need advice about the antenna.My laptop has two sets of antenna, one for 3G WWAN and the other is for normal wifiAccording to the labels, both is "Main" and "Aux". The card that I'm planning to get is an Intel 5300 which has 3 antennas.Since the normal wifi only has two antennas, can I use the 3G WWAN as a third antenna? If yes, should I plug in the "Main" or the "Aux"? If no, Should I buy those additonal antennas in Ebay for the 3rd one?
View 2 Replies View Relatedi have the asa5505. the configuration of asa 5505 is:
: Saved
Code...
i analyzed this traffic i see problem with the nat- Asymmetric NAT rules matched for forward and reverse flows. where i made error?
We have had an ASA5505 for close to two years. About a year ago, we added a second ISP ("BOB") which became our primary and our old one (SBC) became our backup. I successfully modified the config for this and it's been working well.
Now we're changing our primary ISP to Comcast and getting rid of BOB, so right now we actually have 3 ISPs coming into our building.
I removed the BOB interface and routes, then added an interface for Comcast using an IP address from the range they provided as well as a static route to the gateway they provided - everything is analagous to the previous interfaces and routes, but it doesn't work. If I physically disconnect the Ethernet cable going to the Comcast cable modem, then the ASA does fail back to the SBC interface as expected. If I put the BOB interface & route back in there, it works again through BOB.
If I connect a PC to the Comcast cable modem and use an IP/Gateway they provided, the Internet connection *does* work. Using this same exact IP info in the ASA doesn't work.
Is there some other configuration item besides interfaces and static routes that I should be modifying? Is there some way I can dig deeper into the ASA to see exactly what is failing?
We have an ASA5505 that we need to enable hairpinning on.... In the old firmware versions, we used to be able to configure a public to private static mapping along with hairpinning by using
static (inside,outside) outside_ip inside_ip netmask 255.255.255.255
static (inside,inside) outside_ip inside_ip netmask 255.255.255.255
In 8.4, if I use object nat, the hairpin functionality works perfectly,
object network obj-insideip
nat (inside,inside) static publicip
however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.
nat (inside,inside) source static private_object public_object destination static public_object private_object
allows hairpinning to successully work from the same machine. Meaning on any given host, I can ping itself using the private or public ip, but I can't get the right combination for hairpinning from any private host to another private host via the public ip. Other combinations have yielded icmp responses, however, they specify the private IP as the source of the reply instead of the public ip.
I teach in a High School and we've got about a 300 node MS Windows Network. Two MS2003 File Servers act as my DNS/WINS/DHCP servers. We have been using a WATCHGUARD FIREBOX III to act as the router/gateway between the outside external address and my internal (10.0.0.1) gateway address. All p.c's inside the network are routed to one of the Servers (10.0.0.2 or 10.0.0.4) for DNS/WINS/DHCP addressing. The servers point to 10.0.0.1 for gateway.
We are trying to replace the Watchguard Firebox with a CISCO ASA 5505 (eventually we'd like to implement VPN). When I connect the CISCO ASA, I get no internet passthrough at all.
I like to take log backup in ASA.. and i like to check whether any attack pattern is there?? how could i do this...?Also how could i do a best practise for this?
View 12 Replies View RelatedI have a two fiber connection from our Central Office(6513) to Remote office (6509). I have a requirement that on the remote office if one of the fiber goes down, the second fiber should work as a failover. I am planning to use SUP720-3B SFP to connect to the CO.
Can I connet one fiber to Sup720-3b G5/1 & another fiber connection to G5/2? or Can I connet one fiber to Sup720-3b G5/1 & another fiber connection to G6/2? I am running EIGRP between sites. Any sample config.
sup-bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin"
I'd like to get a new WWAN card for my Dell XPS 1340 - currently there is 5530, though now I would like to put 5550 or 5560. I have read couple of threads on dell forums, other forums regarding the drivers availability and compatibility, however I haven't noticed any for 1340. Even though mentioned cards are not officially available for this model?
View 2 Replies View RelatedI just got a new Latitude E4200 with a Dell Wireless 5530 3G/UMTS/WWAN card. I installed Win7 and now I cannot locate a 3G/WWAN software (the drivers are working fine, but I just cannot find the software that allows me to connect with the Vodafone 3G/WWAN network). I am using the "Dell Mobile Broadband Card Utility" software on my D830 (5520 card; also on Win7), but I cannot find that software or its successor for the 5530 card.
View 4 Replies View RelatedThere are two issues which are testing my resolve.
1) Bad Cryptochecksum Ignored error
2) Unable to boot to a save startup-config file.
I want to take the configuration from one ASA 5505 and move it to another ASA 5505. I copied the startup-config file from an ASA 5505 running asa821-k8.bin to an ASA running 8.222-k8 to flash using tftp. I set the boot config parameter on the new asa to flash:/startup-config which is the location of the startup file. If I use copy run start command, I over write the startup file. When I copy the startup configuration to the running configuration I get a Bad Cryptochecksum Ignored error and the startup file does not copy over to the running file. How can I resolve this issue?
I am using a Cisco E4200 router today but I am moving to a ASA5505. I have a device that sets up a VPN tunnel that I want to put in my DMZ. It's called the ATT Gateway. I have attached the diagram. When I use a Cisco E4200 all I do is put the outside private ip address of 192.168.0.99 of the ATT Gateway into the DMZ of the E4200 and the VPN tunnel of the ATT Gateway comes right up. I cannot configure the DMZ to do the same with the ASA. I also need to have the laptop behind the gateway access the printers in the inside network.
View 15 Replies View RelatedI am trying to configure a trunk between the above two devices. I like to have vlan11 on ASA. Then I like to connect a host to my switch, and have it communicate with other devices in VLAN 11 or other vlans that reside on the ASA. Below is the config that I currently have.
ASA:
ciscoasa# show run interface Ethernet0/1
!
interface Ethernet0/1
[Code].....
