FAILOVER OF THE ASA
What is the reference of the item required to activate the failover of the asa?
you first need to safety over the license to enable failover if you run of ASA 5510, otherwise if you're running 5520's and higher then follow the steps in the example located here:
http://www.Cisco.com/en/us/customer/products/ps6120/prod_configuration_examples_list.html
Tags: Cisco Security
Similar Questions
-
I do a search in the search of the best solution for switching between two ASA and hoped that someone wants to point me in the right direction.
The situation is this, we got:
-Head Office 2:
Each is equipped with an ASA 5505
-10 branches
Each is equipped with a 887 integrated services router.
Each is BranchOffice must have a redundant VPN connection at the headquarters of these two, and they all need to use the first person as main and the other in high school. In case of failure, all branches need to use the second connection VPN going the second seat.
In my research, I'm looking for the best possible solution, with faster failover, but have no idea where to start my research.
I hope someone has a good answer for this one.
Thank you very much in advance,
Kind regards
Dwayne
I do not understand why people continue to use ASA devices for VPN endpoint. the ASA is NOT designed for complex VPN scenarios. It is designed for simple scenarios. In terms of VPN by using comparison, ASA is a person with a basic education while Cisco IOS is like a person with a college degree.
For the scenario, you will be much better using Cisco IOS routers everywhere, where you can implement the GRE/IPSec or DMVPN. Both cases will be sastify to your needs.
-
Licenses of the ASA, a license or two for a failover pair
I had two units ASA firewall configured as a failover pair. Now I need increases the SSL VPN license, do I need a licence for the ASA pair or two licenses, one for each unit. Can use a key of activation on both units?
One thing I know for sure, put the key on the Active unit, cannot synchronize the license to the standby unit.
Thank you very much in advance.
It depends on the version. The ASA 8.3 and later versions, you can share a single license through an HA pair.
-
Hello
I didn't send a CX module before. We are about to deploy firewalls 2xASA5585-X with CX (for STROKE and WSE) modules.
I'm sure I know the answer to this (I've deployed a lot of old OLD ASA with CSC modules in them, and I'm guessing that the CX module has the same).
1 will be the failure of the module CX trigger a failover event (fail-over active standby)? My guess is not?
2. If it is not and policy service is set to 'closed' this means that the client should perform a manual failover to the secondary/sleep to restore access, web - this correct?
Pete
Hi Pete,.
1 will be the failure of the module CX trigger a failover event (fail-over active standby)? My guess is not.?
Yes he custom of tipping your ASA, depends on configuration either will be allowed or close the traffic
In the area if ASA CX card fails, click permit traffic or close traffic. The narrow traffic option defines the ASA to block all traffic if the ASA CX module is not available. Permits for movement option sets the ASA to allow all traffic through, if not inspected, the ASA CX module is not available.
2 if it is not and the service policy is set to 'closed' this means that the client should perform a manual failover to the secondary/sleep to restore access, web - this correct? .When set to allow traffic CX failure, there is no need to manually failover your ASA firewall between HA
Step 8 check the ASA CX check this box traffic flow.
http://www.Cisco.com/c/en/us/TD/docs/security/ASA/Quick_Start/CX/cx_qsg.html#wp49530
-
IPS modules in the ASA config for active/passive failover
Hey guys,.
We have two ASA in a situation of active/passive failover each with a module AIP-SSM-20 IPS.
These modules are intended to synchronize their configs like the ASA do? Alternatively, they each have a separate entity and each need to be configured separately?
Thanks for any help!
Each will have their own IP address, and each must be configured separately.
They will not communicate with each other and share no configuration.
You will need to make sure the config is changed in one of the other.
Monitoring station pull events from two sensors.
The SSMs rely on the SAA for the TCP state tracking so they will work very well in a design of failover ASA.
-
How can I get the engine working in the ASA 5505 Crypto
I bought a brand new ASA 5505 to connect to the Cisco 3640 and I can not yet set up the tunnel. I have tried to change the set of transformation to just but know luck. I recently put a VPN using DMVPN and Cisco 501 in a site-to-site, but it has been wondering what happens.
The router (3640 executes code 12.4) seems ok and I don't think I have a problem with the router with Cisco 501 great work.
This is a laboratory environment.
This is the function defined on the ASA 5505
The devices allowed for this platform:
The maximum physical Interfaces: 8
VLAN: 3, restricted DMZ
Internal guests: 10
Failover: disabled
VPN - A: enabled
VPN-3DES-AES: enabled
Peer VPN: 10
WebVPN peers: 2
Double ISP: disabled
Junction ports VLAN: 0
AnyConnect for Mobile: disabled
AnyConnect for Linksys phone: disabled
Assessment of Advanced endpoint: disabled
This platform includes a basic license.
This is a ping from 10.3.4.10 to 10.1.1.1. He said nothing about IPSEC or ISAKMP.
That's what I get when I do the: show crypto ipsec his
ASA5505 (config) # show crypto ipsec his
There is no ipsec security associations
ASA5505 (config) # show crypto isakmp his
There is no isakmp sas
Debug crypto isakmp 10
entry packets within the icmp 10.3.4.10 8 0 10.1.1.1 detail
I have worked on it for a week and don't really know if I have a bad ASA5505. Since the normal stuff like browsing the Internet works and I can ping to the outside and inside, I don't know what to think. See attachments.
"Do what you asked has worked.
Nice to hear that your problem is solved.
"My question is can I use the transform-set ESP-3DES-SHA instead of MD5?"
Of course you can.
Kind regards.
Please do not forget to note the useful messages and check "Solved my problem", if the post has solved your problem.
-
Rookie of the ASA 5505 - cannot ping remote site or vice versa
Hi, I am trying configure an ipsec to an ASA 5505 (8.4) for a Sophos UTM (9.2)
Internet, etc. is in place and accessible. IPSec tunnel is also but I can't pass the traffic through it.
I get this message in the logs:
3 August 5, 2014 22:38:52 81.111.111.156 82.222.222.38 Refuse the Protocol entering 50 CBC outdoor: 81.111.111.156 outside dst: 82.222.222.38 SITE has (ASA 5505) = 82.222.222.38
SITE B (UTM 9) = 81.111.111.156Pointers would be good because it's the first time I tried this. Thank you.
Running config below:
ciscoasa hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Description Internet Zen
nameif outside
security-level 0
Customer vpdn group PPPoE Zen
82.222.222.38 255.255.255.255 IP address pppoe setroute
!
boot system Disk0: / asa922 - k8.bin
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Name-Server 8.8.8.8
network obj_any object
subnet 0.0.0.0 0.0.0.0
the object of MY - LAN network
subnet 192.168.1.0 255.255.255.0
the object of THIER-LAN network
192.168.30.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.30.0_24 object
192.168.30.0 subnet 255.255.255.0
network of the THIER_VPN object
Home 81.111.111.156
THIER VPN description
service of the Sophos_Admin object
Service tcp destination eq 4444
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-protocol esp
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-protocol esp
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-protocol esp
object-group service DM_INLINE_SERVICE_1
ICMP service object
area of service-object udp destination eq
service-object, object Sophos_Admin
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
ESP service object
object-group service DM_INLINE_SERVICE_2
ICMP service object
service-object, object Sophos_Admin
ESP service object
response to echo icmp service object
object-group service DM_INLINE_SERVICE_3
the purpose of the ip service
ESP service object
response to echo icmp service object
object-group service DM_INLINE_SERVICE_4
service-object, object Sophos_Admin
the purpose of the echo icmp message service
response to echo icmp service object
outside_cryptomap list extended access allow object-group DM_INLINE_PROTOCOL_3 MY - LAN LAN THIER object object
outside_cryptomap_1 list extended access allow object-group DM_INLINE_PROTOCOL_2 MY - LAN LAN THIER object object
inside_cryptomap list extended access allow THIER-LAN MY - LAN object object DM_INLINE_PROTOCOL_1 object-group
outside_access_out list extended access allowed object-group DM_INLINE_SERVICE_3 object THIER_VPN host 82.222.222.38
outside_access_out list extended access allow DM_INLINE_SERVICE_1 of object-group a
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 object THIER_VPN host 82.222.222.38
inside_access_out list extended access allow object-group DM_INLINE_SERVICE_4 MY - LAN LAN THIER object object
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 722.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
Access-group interface inside inside_access_out
Access-group outside_access_in in interface outside
Access-group outside_access_out outside interface
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 81.111.111.156
card crypto outside_map 1 set transform-set ESP-AES-128-SHA ikev1
outside_map map 1 set ikev2 proposal ipsec crypto AES
card crypto outside_map 2 match address outside_cryptomap_1
card crypto outside_map 2 set pfs
peer set card crypto outside_map 2 81.111.111.156
card crypto outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 2 set AES AES192 AES256 3DES ipsec-proposal ikev2
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2
FRP sha
second life 7800
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 7800
Telnet timeout 5
SSH enable ibou
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 30
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPDN group Zen request dialout pppoe
VPDN group Zen localname [email protected] / * /
VPDN group Zen ppp authentication chap
VPDN username [email protected] / * / password * local storedhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
enable dynamic filters updater-customer
use of data Dynamics-based filters
smart filters enable external interface
interface of blacklist of decline in dynamic filters outside
WebVPN
AnyConnect essentials
internal GroupPolicy_81.111.111.156 group strategy
attributes of Group Policy GroupPolicy_81.111.111.156
Ikev1 VPN-tunnel-Protocol
JsE9Hv42G/zRUcG4 admin password user name encrypted privilege 15
username bob lTKS32e90Yo5l2L password / encrypted
tunnel-group 81.111.111.156 type ipsec-l2l
tunnel-group 81.111.111.156 General-attributes
Group - default policy - GroupPolicy_81.111.111.156
IPSec-attributes tunnel-group 81.111.111.156
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the dns dynamic-filter-snoop preset_dns_map
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
HPM topN enable
Cryptochecksum:9430c8a44d330d2b55f981274599a67e
: end
ciscoasa #.Hello
Watching your sh crypto ipsec output... I can see packets are getting wrapped... average packets out of the peer 88.222.222.38 network and I do not see the package back from the site of the UTM 81.111.111.156 at the ASA... This means that the UTM Firewall either don't know the package or not able to get the return package... Exchange of routing is there... but you need to check LAN to another counterpart of site...
Please check the card encryption (it must match on both ends), NAT (exemption should be there @ both ends) and referral to the ends of the LAN...
I suggest you try with the crypto wthout specific port card... say source LAN to LAN with any port destination...
allow cryptomap to access extended list ip
-
Failover of the SAA does not work
I am trying to get 2 ASA to failover in the laboratory, but Im not having not successful:
Sho kentasa1 # fail
Failover on
Unit of primary failover
Failover LAN interface: GigabitEthernet0/3.1 failover (Failed - passage to the No.)
Frequency of survey unit 1 seconds, 15 seconds holding time
Survey frequency interface 5 seconds, 25 seconds hold time
1 political interface
Watched 3 Interfaces maximum 250
failover replication http
Version: Our 7.2 (1), mate unknown
Last failover to: 10:21:00 GMT Sep 19 2006
This host: primary: enabled
Activity time: 1126090 (s)
slot 0: ASA5520 hw/sw rev (status 1.1/7.2(1)) (upward (Sys)
Management interface (10.0.10.10): Normal (pending)
Interface inside (10.254.0.2): no link (pending)
Interface to the outside (206.67.136.3): no link (pending)
Dmz (192.168.1.3) interface: no connection (not guarded)
Interface mtadmz (192.168.255.1): No. Link (unguarded)
Slot 1: vacuum
Another host: secondary - failed
Activity time: 0 (s)
slot 0: vacuum
Management interface (0.0.0.0): unknown (pending)
Interface inside (10.254.0.252): unknown (pending)
Interface to the outside (206.67.136.253): unknown (pending)
DMZ (192.168.1.253) of the interface: unknown (not guarded)
Mtadmz (192.168.255.253) of the interface: unknown (not guarded)
Slot 1: vacuum
Failover stateful logical Update Statistics
Link: failover GigabitEthernet0/3.1 (Failed)
Stateful Obj xmit rcv rerr xerr
General 0 0 0 0
sys cmd 0 0 0 0
time 0 0 0 0
RPC services 0 0 0 0
Conn TCP 0 0 0 0
Conn UDP 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical update queue information
Heart Max Total
Recv q: 0 0 0
Q xmit: 0 0 0
I went through the docs but I think Im doing everything right. Attached are the configs to see if I missed something. Thank you!
Bob
First of all, there is no failover Interface is in place. It should look like:
Failover LAN interface: FAILOVER of GigabitEthernet0/3 (top)
In addition, a sh int on your failover interface must show that it is to the top and to the top.
-Jon
-
The ASA for FW and IPS options with high availability
Question 1:
-----------
I'm looking for IPS solution for the customer and the verification of the ASA next part number;
ASA5540-AIP20-K9
(ASA 5540 appliance w / AIP-SSM-20, SW, HA, 4GE + 1FE, 3DES/AES)
What does AP mean here - what software?
In this case you have to buy a second unit (at the same price) for the recovery of?
(I wondered if ASA has also a cost - efficient as PIX failover solution-discounted price for the unit of failover).
If I choose the ASA VPN edition is it possible to add IPS inside module?
Hello
Q: what does AP means here - what software? In this case you have to buy a second unit (at the same price) for the recovery of?
The "ASA5540-AIP20-K9" is only for 1 unit of ASA, with function of software HA (active/active, active / standby). You can add/buy another unit to achieve HA/recundancy.
I think that the price of a unit all them is always the same, ASA has no unit to voluntarily make the function FO.
Q: if I choose the ASA VPN edition is it possible to add IPS inside module?
Large malicious Intrusion Prevention & mitigation program is included, as mentioned in the 'picture' 3 Security of the network to the VPN gateway"in:
http://www.Cisco.com/en/us/products/ps6120/products_data_sheet0900aecd80402e3f.html
Rgds,
AK
-
Hello
I'm starting to read about ASA 55xx in Cisco's Web site. But after a good read, I have a few questions...
- In Cisco Docs on ASA55xx, I see the "Maximum simultaneous AnyConnect or VPN sessions without client" and "Maximum simultaneous site-to-site and VPN IPsec IKEv1 sessions" (e.g. 750 times): well, the concurrent sessions maximux are 750 + 750 (anyconnect + site to site), so I have to add both types of sessions? Or what are the maximum (of each type) concurrent sessions in ASA5520?
- So, at this point, if I want 750 AnyConnect Session and site to site 750 Session what license should I buy? ASA5500-SSL-750? ASA-VPN-1000? or whatelse?
- so, what are the license "shared"? Where and when do I need to buy?
Thanks in advance.
Good bye
The platform and required capabilities are allowed as indicated in the data sheet of the product:
Up to 750 AnyConnect and/or peer clientless VPN can be supported by each Cisco ASA 5520 by installing an essential element or a Premium AnyConnect VPN license; 750 VPN IPsec peers are supported on the base platform. Resilience and capacity VPN can be increased by taking advantage of the Cisco ASA 5520 clustering integrated VPN and load balancing features. The Cisco ASA 5520 supports up to 10 devices in a cluster, offering a maximum of 7500 AnyConnect and/or VPN without client peers or 7500 counterparts of IPsec VPN by cluster.
Resuming:
The ASA 5520 750 capacity VPN site-to-site is in the base license / product (part number ASA5520-BUN-K9 or ASA5520-K8 whther in function, you are eleigible to buy encryption strong (-BUN - K9) version)
The user AnyConnect required licenses depending on if you need Anyconnect Essentials or Premium. The Anyconnect data sheet describes the differences. Essentials is a license that allows customers to use the device at the same time up to 750. Premium (which cannot be loaded at the same time as Essentials) requires that the licenses to buy according to the prioritized by the user schema.
Shared licenses are shared between ASAs in a cluster (2 or more units configured together).
There is the concept of licenses in a failover cluster (2 units). It's automatic - i.e. the license numbers are additive and shared up to the capacity of the platform. ASA5500-SSL-750 part would be used in this configuration.
There is also the concept of a Premium Shared Server anyconnect. In this system, the shared server allocates licenses in 50 blocks of unity to the ars of cluster members they need. ASA-VPN-1000 part number you mention is used in this kind of configuration.
-
How to open the port 161 on the ASA and Cisco switches for monitoring of BB
Dear all,
I want to install BB to monitor snmptraps suffering of failure.
The newspaper shows BB cannot connect to all ports of the switch 161, and I even can't telnet to 161 XXX_17f for example.
My switches are Cisco C3550, C2950, etc. of the ASA.
Mon 7 Nov 15:43:03 2011 bbnet cannot connect to the server XXX_17f on port 161
Mon 7 Nov 15:43:03 2011 bbnet cannot connect to the server XXX_9f on port 161
Mon 7 Nov 15:43:03 2011 bbnet can't connect to XXX server on port 161
Thank you
Anson
no need to adjust anything in bb-hosts. If you have added setings in bb-hosts, delete them. Also remove associated in bbvar/logs log files. (otherwise, you'll have purple when you delete the SNMP, trap tags bb-hosts)
A column of trap will be that no show until the device sends a trap to BB.
-
How to plan the failover for the following scenarios in Flex-connect mode.
The following queries are against the AP high availability (no SSO failover or controller HA), which means that if a controller fails, the AP will be failover to the secondary controller that is in a different location than Geo. the AP will be to connect Flex with local switching and local authorization mode: in this scenario, here are my questions
1: if I have a SSID that has a set of interfaces that are connected to him, can I switch it on the other controller where there may be a single WLAN connected. ?
2:do, we need to subnet masks to match both ends?
3: if I have a SSID with open authentication, can I configure the SSID of the remote network without authentication?
4: can someone link me to the top with a document that explains the configuration of the case study of the flex-connect mode fail on scenarios.
Any help given would be really appreciated.
Thank you.
1: if I have a SSID that has a set of interfaces that are connected to him, can I switch it on the other controller where there may be a single WLAN connected. ?
The groups interface works only for centrally switch not locally
2:do, we need to subnet masks to match both ends?
See #1
3: if I have a SSID with open authentication, can I configure the SSID of the remote network without authentication?
If you configure an SSID with open authentication, then the all having APs SSID assigned to it will use. Open authentication is identical to no authentication.
4: can someone link me to the top with a document that explains the configuration of the case study of the flex-connect mode fail on scenarios.
Do a search on Google for 'FlexConnect deployment guide It will have links to failover.
-Scott
-
No access to the interface of the ASA by behind the other is
Hello
I am faced with the issue of not being able to access the interface of "dmz" behind the interface 'internet '.
Here is a brief description of the topology:
List entry on the internet access "," allows for 1xx.xxx.172.1 traffic.
No nat is configured between these interfaces.
The routing is OK because hosts on the DMZ network are accessible from the Internet.
The software version is 9.1 (3).
Security level of the interfaces is the same.
Security-same interface inter traffic is allowed.
Here's what packet trace says:
tracer # package - entry internet udp 7x.xxx.224.140 30467 1xx.xxx.172.1 det 500
Phase: 1
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
identity of the 255.255.255.255 1xx.xxx.172.1Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
identity of the 255.255.255.255 1xx.xxx.172.1Result:
input interface: internet
entry status: to the top
entry-line-status: to the top
the output interface: NP identity Ifc
the status of the output: to the top
output-line-status: to the top
Action: drop
Drop-reason: (headwall) No. road to hostPlease help me find the cause why asa is unable to find the path to its own interface.
Thank you in advance.
Hello
You will not be able to connect to an IP address of an interface ASA behind another ASA interface. It is a limit that has been there for Cisco firewalls as long as I can remember.
The only exception is when you have a VPN connection that is connected to an ASA interface, then you can connect through this VPN connection to another interface of the ASA. In this case the ASA will also require that you have the following command
access to the administration
Where is the name of the interface to which you are connected.
-Jouni
-
How to block ping the ASA 5506 outside interface?
I configured a Cisco ASA VPN configuration and Setup. Everything works fine. The SAA outside interface is to pings (on the internet) which is a threat to security. How to only block ping to the external interface without interrupting the functions of the ASA. I tried what follows, but does not seem to work.
outside the IP = 169.215.243.X
ASA 2.0000 Version 2
Access list BLOCK_PING refuse icmp any host 169.251.243.X echo-reply
Access-group BLOCK_PING in interface outside
You have set up the ACL is only for traffic that gets sent through the ASA, ASA traffic is controlled in different ways. For ICMP, you can refuse the rattling of the SAA and that allows all other ICMP with the following configuration:
icmp deny any echo outsideicmp permit any outside
It is also possible to ban all ICMP:icmp deny any outside
The 'truth' is probably somewhere between these two options. It's your choice. -
The ASA to use a different Port SSH
Please let me know if you have heard of this
Thank you
Dave
Dave,
According to my knowledge the ASA does not support this. Anthony we have a device before the ASA natting redirect some ther port at 22 of the SAA.
I hope this helps.
Kind regards
SOM
PS: Please check the issue as resolved if it is answered. Note the useful messages. Thank you.
Maybe you are looking for
-
Portege Z20t SSD - SATA m2 only highlighted?
I have a Z20t-B - 10 c with a 256 GB SSD Samsung MZNTE256HMHP, which is a module of 2280 SATA m2. I guess, I could replace it by any other module of 2280 SATA m2, as the new SanDisk X 400 1 TB (also named SD8SB8U - 1 T 00-1122 or SD8UB8U - 1 T 00-112
-
Replace a .pkg files?
Hello When I install a .pkg on my Mac, it basically puts a bunch of files in different locations, right?
-
Why do I have 2 routers on nerwork card with a switch, when a router is mine?
network map says that there is another router on my computer with a card switch.nework reading order my computer then a dlink router that is not mine then a switch then my router.the cisco router which is not mine said d-link international pte limite
-
II have a Pavilion laptop dv7, how can I put the material to run bluetooth?
I have a Pavilion dv7t-4100CTO s/n is the product number is CNF1072X7D ww183av. I am trying to upgrade the laptop to work with bluetooth devices. How can I do this?
-
Wrong Page number, printing on LaserJet M1212nf MFP
I recently bought a LaserJet M1212nf MFP. My computer running Windows 7. I am trying to print a document in Word that displays the page number and the number of pages at the bottom of the page (Page 1 of 3, Page 2/3, Page 3/3), that the document on t