Cisco ASA active / standby Mac addresses

Hi all

Please advise on the below.

Say that I have two ASAs in active/standby. I have two interfaces on each firewall, configured as below.

For the primary (active)

interface GigabitEthernet1/0   --> say the burned-in MAC address is 6c41.6bb0.1111
 nameif test1
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

interface GigabitEthernet2/0   --> say the burned-in MAC address is 6c41.6aa0.1111
 nameif test2
 security-level 0
 ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2

For the secondary (currently standby)

interface GigabitEthernet1/0   --> say the burned-in MAC address is 6c41.6bb0.2222
 nameif test1
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

interface GigabitEthernet2/0   --> say the burned-in MAC address is 6c41.6aa0.2222
 nameif test2
 security-level 0
 ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2

According to my understanding of the documentation:

To forward traffic, other devices will use the primary unit's MAC addresses and IP addresses.

Please consider the scenario below:

My primary unit has failed and secondary took over as active unit.

Primary (standby)

Secondary (active)

Q1) So the secondary will now use the IP addresses and MAC addresses as below? Please confirm:

10.1.1.1 & 6c41.6bb0.1111

10.2.1.1 & 6c41.6aa0.1111

Q2) I believe that the IP addresses of the primary (now standby) will be

10.1.1.2

10.2.1.2

Which MAC addresses will it use? The BIAs of the secondary unit? Please advise.

Thanks in advance.

Q1) Yes, the IP addresses and MAC addresses move to the new active unit, so no one on the network except the switch will notice the failover event.

Q2) Yes, the primary (now standby) will use the standby IP addresses and the MAC addresses of the secondary:

6C41.6bb0.2222

6C41.6aa0.2222

Kind regards.
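The rule the answer states (the active role always carries the active IP plus the primary's burned-in MAC, the standby role carries the standby IP plus the secondary's burned-in MAC, whichever chassis currently holds each role) is easy to get wrong when reasoning about what a switch or a host will see after a failover. The model below is an added example, not code from this thread or from Cisco: it uses the two interfaces and burned-in MACs from the question, assumes a hypothetical cabling of each unit's port to a switch port (Gi0/1 to Gi0/4), and compares the network's view before and after a failover. The result shows why hosts need no ARP update (every IP keeps its MAC) while the switch sees every MAC move to another port, which is the one externally visible trace of the event and a reasonable thing to alert on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """One data interface of the pair, configured identically on both units."""
    name: str
    active_ip: str      # address on the 'ip address' line
    standby_ip: str     # address after the 'standby' keyword
    primary_bia: str    # burned-in MAC of the primary unit's port (from the question)
    secondary_bia: str  # burned-in MAC of the secondary unit's port (from the question)


# Constructed from the interface configuration in the question.
INTERFACES = (
    Interface("test1", "10.1.1.1", "10.1.1.2", "6c41.6bb0.1111", "6c41.6bb0.2222"),
    Interface("test2", "10.2.1.1", "10.2.1.2", "6c41.6aa0.1111", "6c41.6aa0.2222"),
)

# Hypothetical cabling (an assumption, not from the thread): switch port per unit/interface.
SWITCH_PORTS = {
    ("primary", "test1"): "Gi0/1", ("secondary", "test1"): "Gi0/2",
    ("primary", "test2"): "Gi0/3", ("secondary", "test2"): "Gi0/4",
}

UNITS = ("primary", "secondary")


def unit_addresses(active_unit):
    """Return {unit: {interface: (ip, mac)}} when `active_unit` holds the active role.

    The active role always owns the active IP and the primary unit's burned-in
    MAC; the standby role owns the standby IP and the secondary unit's burned-in
    MAC, regardless of which physical unit currently plays which role.
    """
    if active_unit not in UNITS:
        raise ValueError(f"unknown unit {active_unit!r}")
    standby_unit = "secondary" if active_unit == "primary" else "primary"
    result = {active_unit: {}, standby_unit: {}}
    for itf in INTERFACES:
        result[active_unit][itf.name] = (itf.active_ip, itf.primary_bia)
        result[standby_unit][itf.name] = (itf.standby_ip, itf.secondary_bia)
    return result


def host_arp_view(active_unit):
    """IP -> MAC mapping that neighbouring hosts hold in their ARP caches."""
    view = {}
    for per_interface in unit_addresses(active_unit).values():
        for ip, mac in per_interface.values():
            view[ip] = mac
    return view


def switch_mac_table(active_unit):
    """MAC -> switch port, as the switch's MAC (CAM) table would learn it."""
    table = {}
    for unit, per_interface in unit_addresses(active_unit).items():
        for itf_name, (_ip, mac) in per_interface.items():
            table[mac] = SWITCH_PORTS[(unit, itf_name)]
    return table


def failover_impact(old_active, new_active):
    """Compare the network's view before and after a failover.

    Returns the ARP entries that change (expected: none) and the sorted list of
    (mac, old_port, new_port) moves the switch observes.
    """
    arp_before, arp_after = host_arp_view(old_active), host_arp_view(new_active)
    arp_changes = {ip: (arp_before[ip], arp_after[ip])
                   for ip in arp_before if arp_before[ip] != arp_after[ip]}
    cam_before, cam_after = switch_mac_table(old_active), switch_mac_table(new_active)
    mac_moves = sorted((mac, cam_before[mac], cam_after[mac])
                       for mac in cam_before if cam_before[mac] != cam_after[mac])
    return {"arp_changes": arp_changes, "mac_moves": mac_moves}


if __name__ == "__main__":
    # The scenario from the question: the primary failed, the secondary is active.
    for unit, per_interface in unit_addresses("secondary").items():
        for itf_name, (ip, mac) in per_interface.items():
            print(f"{unit:9} {itf_name}: {ip} / {mac}")
    print(failover_impact("primary", "secondary"))
```

Run it directly to print the post-failover addressing for the scenario in the question; `failover_impact("primary", "secondary")` returns an empty `arp_changes` dictionary and four MAC moves, one per burned-in address.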

Tags: Cisco Security

Similar Questions

  • ASA (Active standby) site-to-Site VPN Question

    Hello

    I have a question as below.

    Site A - 1 unit of VPN Netscreen firewall

    Site B - 2 units of ASA VPN firewall

    I'm trying to set up a site-to-site VPN, but I have a problem with the active/standby configuration.

    Initially, I tried Site A with 1 Netscreen unit and Site B with 1 ASA unit for the site-to-site VPN. There was no problem.

    But when I add another ASA at site B and configure it as active/standby, I have a few questions that I need help with here.

    Things that confuse me:

    (1) Do I need to use 2 public IP addresses on the ASA? (One public IP for the active unit and another public IP for the standby IP. It seems like a waste of public IP addresses.)

    (2) Can LAN failover and stateful failover be configured on the same interface?

    Please help with configuring a site-to-site VPN with an active/standby configuration.

    just to add to this,

    just be careful when you dedicate an interface for stateful failover: make sure that it has the highest capacity, or at least the same capacity as the interfaces that pass th

    so if you use gig interfaces for passing traffic, use a gig port for the stateful failover interface; several times we have seen people using the management port as the stateful failover interface when their traffic ports were gig, and they ran into issues where stateful failover did not work as expected.

    You can read more here

    https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759

  • Cisco ASA with multiple active interfaces on a single switch without VLAN configuration on the switch.

    I was wondering if there is a workaround on the Cisco ASA to have 2 VLAN interfaces on a switch. The reason I ask is that I have a Cisco ASA 5505 and a Dell switch that does not support VLAN configuration. I set up 2 VLAN interfaces on the Cisco ASA, and when both interfaces are active my internet drops frequently. I was wondering if there is anything to configure on the Cisco ASA to make this work. Thanks in advance...

    Assuming the Dell switch at least passes spanning tree protocol, linking several interfaces of the ASA to the Dell should put all but one into spanning tree blocking state to avoid a spanning tree loop.

    If the Dell does not support spanning tree at all, then you would be in very bad shape: each broadcast packet would loop indefinitely and cause what we call a "broadcast storm".

    One way is not good, and the other is real harm.

  • Cisco ASA, connect an IP address on the OUTSIDE of the VPN remote access

    Hello

    I tried to find resources on the net but could not find a solution, then post it here. Maybe someone can help.

    So the problem is that I'm trying to access a server in the cloud from remote access VPN (Cisco ASA 5510).

    The server in the cloud (54.54.54.54) is only accessible from the outside interface (192.168.11.2) of the NY firewall (Cisco ASA 5510).

    I added an ACE for this in the split-tunnel ACL of the VPN:

    NY-fw# access-list vpn_remote-customer standard permit host 54.54.54.54

    And I see the route added on my client machine after the VPN connection, but it still cannot connect to this server.

    From the INSIDE network, I can connect to the server.

    Thanks in advance.

    Hello

    This is most likely a NAT hairpin / U-turn problem.

    We would need to see the configuration, or you would need to check it yourself.

    I don't know what your ASA software version is, which determines the format of the NAT configuration.

    So far you have confirmed that the ASA VPN configuration provides the VPN client with the route to the remote server. So the traffic should be tunneled to the ASA.

    Then you will need to check the output of this command:

    show run same-security-traffic

    You should see the command below in the output:

    same-security-traffic permit intra-interface

    If you do not, you will need to add it. The effect of this command is to allow traffic to enter an interface and exit through the same interface. In your case this applies to VPN client traffic to the remote server, as it enters through 'outside' and exits through 'outside'.

    Then you should ensure that dynamic PAT is configured for the VPN clients.

    8.2 software (and below)

    You most likely have a dynamic PAT configuration like the one below on the firewall, if you are running the above software version:

    global (outside) 1 interface

    nat (inside) 1 0.0.0.0 0.0.0.0

    In this situation, if we wanted to add dynamic PAT for the VPN pool, we would add:

    nat (outside) 1

    This would allow VPN users to use the same public IP address as LAN users when accessing the remote server.

    Software 8.3 (and above)

    Because the NAT configuration format is completely different in the newer software, you could probably just add a completely new NAT configuration without adding a

    object network VPN-PAT

    subnet

    nat (outside,outside) dynamic interface

    Of course, it's possible that there is some NAT configuration already on the device which could cause problems for this configuration. If this does not work, then we would have to look at the actual configuration on the ASA.

    Hope this helps

    Let me know how it goes

    -Jouni

  • Cisco: IP to the MAC address of a device?

    What command can I run in the CLI to get the MAC address that is associated with a given IP address?

    Context: In order to access wifi, users have to go through web authentication. When they submit their credentials, we are able to see their IP address. We want a router CLI/API query or something similar to find the MAC based on the IP address.

    Pointers?

    Yes, there is a very simple way to get it; in the past you could not even do this, and Cisco added this feature only from code 7.5.x.

    You cannot do a lot of filtering on it; hopefully Cisco will improve it further. For now you need to live with these limitations :)

    HTH

    Rasika

  • AnyConnect SSL licenses for a Cisco ASA active/passive pair

    Hi all. I am buying 2 ASA 5512-X's to be configured as an active/passive pair as a VPN device. Do I need to purchase AnyConnect licenses for both devices? Thank you

    AnyConnect Essentials (or Premium) licenses are combined on an ASA failover cluster. Reference

    So, buy only once the quantity and type of licenses you need based on your end users - not based on the number of ASAs - and they will be available on the active ASA, whether it is the primary or the secondary unit.

  • ASA active / standby after failover

    ASA 5520 fails over very well. My problem is that I want the primary ASA to become active again after it comes back online. I can't find any command that returns the primary unit to active after a failure. I know I can do it manually, but I want it to be truly dynamic. Thanks for your help.

    Jake,

    You must configure a failover group with preemption to accomplish this kind of behavior.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1002608

    HTH

    Rgds

    Jorge

    Please rate any useful posts.

  • Cisco ASA 8.4.1 address Destination NAT?

    I have a situation where I have a deployed asa5505 8.4.1 running.

    The customer has an existing mail server located on their local network, with port NAT configured for the normal mail ports, e.g. 25, 110, 993, 587.

    It works very well for incoming mail and for any remote mail user pulling mail from the external address or visiting the webmail from outside the network.

    However, when users within the LAN try to connect back in through the ASA by entering the IP address of the external interface of the ASA, they are unable to do so.

    The solution I came up with is split DNS, but that relies on users not changing their DNS servers.

    I was wondering if it is possible to make a sort of NAT that rewrites traffic destined to the above ports on the external IP address to the internal LAN IP instead.

    This is probably a stupid question, but I couldn't find an answer; maybe I am using the wrong terms to find one.

    In any case, I was hoping someone here could point me in the right direction.

    Thank you

    You can only configure DNS rewrite if you have 1-to-1 static NAT. With static PAT as advised, DNS rewrite is not supported, because with static PAT there are potentially different internal IP mappings, so DNS rewrite would not rewrite to exactly the right address.

  • Error message on Cisco ASA 5545: %ASA-3-210007: LU allocate xlate failed

    Hello team,

    We have 2 Cisco ASA firewalls in active/standby failover.

    On the standby firewall, we see this error message: "%ASA-3-210007: LU allocate xlate failed".

    Is this error message related to a bug?

    Thank you for your help,

    Best regards

    Yunus Saleh

    Hi Younous,

    This error on the standby unit could be associated with a memory problem on the device, or with the device's memory being full.

    If these options are not confirmed, we can consider that your device's version is hit by this bug:

    https://Tools.Cisco.com/bugsearch/bug/CSCub94479/?referring_site=bugquic...

    BTW, send us the "sh version" of your device.

    If your version is 'old' or matches the version mentioned in the bug, I highly suggest updating your device.

    In an act/stb setup there is also "0 downtime", and updating both devices is easy.

    Let me know

    Matteo

    Please rate if the post was helpful for your solution / questions

  • AnyConnect Cisco ASA VPN deployment

    Hello

    I have a request for information about an ASA deployment that must support more than 10000 clients. I understand that several ASAs would be necessary for this; however, I was wondering what the typical design for this is. Are the multiple ASAs configured as a VPN cluster / load balancing, etc.?

    I would like to know if there is any design document for it. The current configuration is a pair of ASAs in active/standby; I was wondering how to combine the total connections if I need 15000 VPN connections; for example 2 active/standby pairs with VPN clustering / load balancing, etc.?

    Thank you.

    You are right that VPN load balancing is the technology you need to deploy for this. With this, you can combine multiple devices into a load-sharing cluster. These devices may be different, for example two 5555s with two 5545s, which would give you a total of 15000 VPN connections.
    Of course, you have to plan for the failure of a device. So you could deploy 4 x 5555, so that even if an ASA is lost you still have 15000 connections (well, at least based on the datasheet; I would not push the number of connections to the limit).
    You can also deploy these devices as failover systems for redundancy. 3 x 2 x 5555 would also give you redundancy.

    This is under the assumption that users connect to one office, where the ASAs have an L2 connection to one another, which is necessary for VPN load balancing. If users connect through different places, then these ASAs cannot use VPN load balancing, unless you have an L2 connection between the locations.

    If you have multiple sites, you should also think about the shared license server, which could save a lot of money if your users do not always use the same gateway.

    And the last point: as much as possible, set up your AAA with a central RADIUS server to reduce the probability of a misconfiguration on multiple ASAs.

    Sent from Cisco Technical Support iPad App

  • Cisco ASA CX active / standby

    Hello friends

    One of my clients has a pair of ASA 5545s working quite well as active/standby failover. But the configuration that is not copied to the secondary unit is CX. Do you know how to get that done? Please do not hesitate to request further information; any comment or document will be appreciated.

    Kind regards!

    The CX configurations are not part of the ASA active/standby replication.

    The way to synchronize the CX configurations is to use PRSM (Prime Security Manager, a product under separate license, not the one provided with the CX) running on a virtual machine in multiple device mode.

    Reference.

    Once you pair the CX devices with an "off-box" PRSM, all configuration changes are deployed to both units of the pair.

  • Cisco ASA 8.4 active/standby failover with AnyConnect and local CA

    Hi friends

    I hope you are doing well! I've got a question and hope you can help me. I've got an ASA 5550 with version 8.4(6); it is dedicated to AnyConnect remote access VPN, authenticating through certificates generated locally on the ASA. We've got another 5550 with the same hardware and the same version, and we are working on the failover configuration. I have heard from other network engineers that failover may not work when the ASA is acting as a local CA. Then I read the full failover section of the 8.4(6) configuration guide and I didn't find any restriction on failover and the local CA working together. I am doing tests over the next weekend, but I would like to know from your experience whether I will have problems with VPN connections or with the failover configuration.

    Please do not hesitate to ask for as much information as necessary. Any comment and documentation will be appreciated.

    Best regards!

    It's in the documentation:

     Does not support Active/Active or Active/Standby failover

    And on top of that, ASDM shows that "Local CA cannot be configured when failover is activated".

  • Procedure to upgrade (Active-Standby) ASA

    Hi all

    I just want to check that our scheduled ASA upgrade causes no problems during the procedure.

    Material: ASA5525-X

    Existing IOS: 9.1.2

    Upgrade to: 9.4.2(11)

    Setup: Active/standby

    We intend to upgrade the standby first; after that, once the standby is back up, we will force a failover to it so that we can then upgrade the primary firewall.

    Thank you very much!

    Yes, that's the process. I have done it several times and it works perfectly when you follow the documented procedure.

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  • Different permission on Cisco ISE Mac address format

    Dear all,

    I have problem with my Cisco ISE,

    This is the design:

    ISE - Core switch - 3Com - PC user

    My case:

    Authorization is based on Active Directory and MAC address.

    The user with a PC connecting to the 3Com switch is denied by ISE, but this is because the MAC address format is different from Cisco's.

    Cisco MAC address format: XX

    3Com MAC address format: XXXX-XXXX-XXXX

    The 3Com switch type is 3Com 4210 26-port.

    Does anyone have experience with this? And how can I change the MAC address format on the 3Com for users authorized by Cisco ISE?

    Note:

    Active Directory-based authorization has no problem with the 3Com switch.

    From my experience, different vendors produce MAC addresses in different formats, so this case is not only for 3Com switches.

    Thank you

    Arika Wahyono

    Hello. Authentication using "MAC address bypass" is not a standard feature. Vendors do it differently. I do not think that this could work, but even if it is possible the solution will not be reliable because it is not standards-based.
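The mismatch in this thread (the policy holds a MAC in Cisco's dotted form, the 3Com switch reports it as XXXX-XXXX-XXXX) is a plain string-comparison problem: an authorization check that compares the raw strings denies a device that is actually on the allow list. The snippet below is an added example, not code from this thread or from Cisco ISE or 3Com; it canonicalises a MAC written in the Cisco dotted, 3Com hyphenated, colon-separated or bare form to twelve lowercase hex digits, rejects anything that is not a MAC, and shows a naive comparison failing beside a normalised one succeeding against a constructed allow list. The allow list, `ALLOWED_MACS`, and the helper names are assumptions for the example.

```python
import re

# A canonical MAC is exactly twelve lowercase hex digits.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise a MAC address written in any common vendor format.

    Accepts Cisco dotted (6c41.6bb0.1111), 3Com/Windows hyphenated
    (6C41-6BB0-1111 or 6C-41-6B-B0-11-11), colon-separated (6c:41:6b:b0:11:11)
    and bare (6c416bb01111) forms. Returns twelve lowercase hex digits, or
    raises ValueError when the input is not a MAC address at all.
    """
    digits = re.sub(r"[.:\-\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def to_cisco_format(raw):
    """Render a MAC the way Cisco shows it: xxxx.xxxx.xxxx (lowercase)."""
    d = normalize_mac(raw)
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def to_3com_format(raw):
    """Render a MAC the way the 3Com switch in the thread shows it: XXXX-XXXX-XXXX."""
    d = normalize_mac(raw).upper()
    return f"{d[0:4]}-{d[4:8]}-{d[8:12]}"


# Constructed allow list, deliberately written in two different vendor formats.
ALLOWED_MACS = ["6c41.6bb0.1111", "00:1b:54:aa:bb:cc"]


def naive_authorized(candidate, allowed=ALLOWED_MACS):
    """The failing check: raw string comparison, which denies any device whose
    switch reports the MAC in a format other than the one stored in the policy."""
    return candidate in allowed


def authorized(candidate, allowed=ALLOWED_MACS):
    """The working check: compare canonical forms, so the same hardware address
    matches whatever format the reporting switch uses. Malformed input is denied."""
    wanted = {normalize_mac(m) for m in allowed}
    try:
        return normalize_mac(candidate) in wanted
    except ValueError:
        return False


if __name__ == "__main__":
    # The device from the thread, as a 3Com switch would report it.
    reported = "6C41-6BB0-1111"
    print("naive    :", naive_authorized(reported))   # False: format mismatch
    print("normalized:", authorized(reported))        # True: same hardware address
    print(to_cisco_format(reported), "<->", to_3com_format(to_cisco_format(reported)))
```

Whatever form the policy store uses, canonicalise on both sides at ingest time rather than at comparison time so that logs and reports also line up. As the answer notes, this only fixes the format problem; the MAC itself remains a weak identifier for authorization, since it is set by the endpoint.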

  • Cisco ASA 5510, IPsec VPN: which address does the client connect to?

    Hello

    It's maybe a stupid question, but I can't find the answer anywhere.

    I used the IPsec VPN configuration wizard, enabled the outside interface for IPsec access and went through the wizard's address pools, etc. When I try to connect with the Cisco VPN client to the address of my outside interface (from a remote host), I'm unable to connect. I scanned the interface for open ports, but there are none. Do I have to allow IPsec traffic on this interface?

    Best regards

    Andreas

    No, once you have configured the IPsec remote access VPN, it will be automatically enabled, and you should be able to connect to the ASA outside interface IP address.

    Can you please share the configuration? And also, which group name are you trying to access with the VPN client?
