Gigabit on ASA 5510
Hello
How would we go about setting the speed to 1000 Mbps on an ASA 5510 with the "Security Plus" license?
Here is what I mean, on any interface:
FW(config-if)# speed ?
interface mode commands/options:
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
Thank you.
Gabi
I think you should upgrade to 8.0(3).
I have an ASA 5510 with the security license.
Cisco Adaptive Security Appliance Software Version 7.2(3)
ASA5510(config-if)#
ASA5510# conf t
ASA5510(config)# int e0/0
ASA5510(config-if)# spe
ASA5510(config-if)# speed ?
interface mode commands/options:
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  1000  Force 1000 Mbps operation
  auto  Enable AUTO speed configuration
-
IPS in ASA 5510 killing upload speed
I recently upgraded from a 20 MB metro Ethernet circuit to a 100 Mb connection. My ASA 5510 severely limits my download speed. I narrowed it down to the IPS module. If I stop sending traffic to the IPS, I get download speeds between 50-85 Mbps. If I start sending it through again, my download speeds are between 3-7 Mbps. In both cases, my speeds range between 70-92 MB/s, so it's really affecting only my upload speed. Is there anything I can do for my IPS traffic, so I can still use my modules and still take advantage of the huge upload speed we pay for?
Here is some info from my ASA:
I am matching all traffic:
access-list traffic_for_ips extended permit ip any any
Here are my policy and class parameters:
class-map inspection_default
 match default-inspection-traffic
class-map botnet-DNS
 match port udp eq domain
class-map ips_class_map
 match access-list traffic_for_ips
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
 class ips_class_map
IPS inline help
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy botnet-policy interface outside
If anyone has any ideas, I'd love to hear them. Thank you.
Created: May 13, 2011 18:49, created by: Chevrel. Customer Aastha (AACHAUDH,265429) was experiencing slow download speeds (3-7 Mbps) on an ASA 5510 IPS module. Download speeds range between 70-92 MB/s.
Used the workaround for bug CSCsv69844, i.e. setting the regex depth to 800000. (Please note that this workaround should not be used without the recommendation and approval of the TAC.)
-
Updated AIP-SSM-10 on ASA 5510
Hello
I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP - SSM is running E3 479.0 1.0000 and I have a valid account of the ORC etc for this.
- What is the version of the software on the question of the ASA?
- When I look in the software downloads < IPS there are .pkg and .img files. I want to upgrade to 6.3(3)E4. Do I have to re-image the IPS?
- AFAIK re-imaging wipes the device, so I just reload the config after, right?
- I guess I can apply any update after going to E4?
- Can you give me links for this upgrade?
see you soon
Let me give some clarification on a few points:
2. There is no need to re-image the device using the .img file. You can upgrade while keeping your existing configuration by using the .pkg file. This is the recommended method for upgrading Cisco IPS devices/modules. The .img file, which re-images the device, should only be used to restore the device to its defaults.
5. Here are links for upgrading the sensor using a .pkg file. For upgrades through the IDM user interface:
For upgrades via the CLI:
Another point of clarification: the current releases of IPS software supported on the AIP-SSM-10 are (taking into account that you are currently running 6.2(1)E3):
6.2(3)E4
7.0(4)E4
You can go directly to either release.
Scott
-
Hi all, I'm about to replace an existing firewall with a new ASA 5510. The environment is pretty simple, just an external and an internal interface. I matched the configs as much as possible, but I'd like to see if there are obvious problems. I am concerned mainly with my NAT statements. Does anything in the following config (sanitized) seem out of place? Thank you!!
------------------------------------------------------------
ASA 4,0000 Version 5
!
hostname ciscoasa
enable password xxxxxxxxxx encrypted
passwd XXXXXXXXXX encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 40.100.2.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.30.0.100 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa844-5-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network 10.10.0.78
 host 10.10.0.78
 description Nospam
object network 10.10.0.39
 host 10.10.0.39
 description exch
object network 55.100.20.109
 host 55.100.20.109
 description mail.oursite.com
object network 10.10.0.156
 host 10.10.0.156
 description
object network 55.100.20.101
 host 55.100.20.101
 description
object network 10.10.0.155
 host 10.10.0.155
 description Ftp
object network 10.10.0.190
 host 10.10.0.190
 description www farm
object network 10.10.0.191
 host 10.10.0.191
 description svc farm
object network 10.10.0.28
 host 10.10.0.28
 description Vpn
object network 10.10.0.57
 host 10.10.0.57
 description cust.oursite.com
object network 10.10.0.66
 host 10.10.0.66
 description spoint.oursite.com
object network 55.100.20.102
 host 55.100.20.102
 description cust.oursite.com
object network 55.100.20.103
 host 55.100.20.103
 description Ftp
object network 55.100.20.104
 host 55.100.20.104
 description Vpn
object network 55.100.20.105
 host 55.100.20.105
 description www app
object network 55.100.20.106
 host 55.100.20.106
 description svc app
object network 55.100.20.107
 host 55.100.20.107
 description spoint.oursite.com
object network 55.100.20.108
 host 55.100.20.108
 description exchange.oursite.com
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service Exchange_Inbound tcp
 port-object eq 587
 port-object eq 993
 port-object eq www
 port-object eq https
 port-object eq imap4
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_1
 network-object object 10.10.0.190
 network-object object 10.10.0.191
object-group network DM_INLINE_NETWORK_2
 network-object object 10.10.0.156
 network-object object 10.10.0.57
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service sharepoint tcp
 port-object eq 9255
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
access-list outside_access_in extended permit tcp any object 10.10.0.39 object-group Exchange_Inbound
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object 10.10.0.155 eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object 10.10.0.28
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object 10.10.0.66 object-group Sharepoint
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
nat (outside,inside) source static any any destination static 55.100.20.108 10.10.0.39 unidirectional
nat (inside,outside) source static 10.10.0.39 55.100.20.109 unidirectional
nat (outside,inside) source static any any destination static 55.100.20.101 10.10.0.156
nat (outside,inside) source static any any destination static 55.100.20.102 10.10.0.57
nat (outside,inside) source static any any destination static 55.100.20.103 10.10.0.155
nat (outside,inside) source static any any destination static 55.100.20.104 10.10.0.28
nat (outside,inside) source static any any destination static 55.100.20.105 10.10.0.190
nat (outside,inside) source static any any destination static 55.100.20.106 10.10.0.191
nat (outside,inside) source static any any destination static 55.100.20.107 10.10.0.66
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 40.100.2.1 1
route inside 10.10.0.0 255.255.255.0 10.30.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxxxxxxxxx source outside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:40cee3a773d380834b10195ffc63a02f
: end
Hello
You do nat (outside,inside); I would do (inside,outside), but the configuration is still good.
The ACL configuration is fine, NAT is fine, so you should not have problems.
Kind regards
Julio
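The ACL-versus-NAT cross-check that this review does by eye, as an added example that is not part of the thread: on ASA 8.3 and later the interface ACL matches the real (inside) address, so every host the outside ACL permits should be the real side of a static NAT rule, and every translated host should have a permit. The sample config is constructed, objects are assumed to be named after their host address as in the post, and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample in ASA 8.4 syntax, modeled on the sanitized config above.
# Two mistakes are introduced on purpose: 10.10.0.155 is permitted but has no
# NAT rule, and one ACL entry uses the public address 55.100.20.104.
SAMPLE_CONFIG = """\
object-group network DM_INLINE_NETWORK_2
 network-object object 10.10.0.156
 network-object object 10.10.0.57
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object 10.10.0.155 eq ftp
access-list outside_access_in extended permit tcp any object 55.100.20.104 eq pptp
nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
nat (outside,inside) source static any any destination static 55.100.20.101 10.10.0.156
nat (outside,inside) source static any any destination static 55.100.20.102 10.10.0.57
nat (outside,inside) source static any any destination static 55.100.20.104 10.10.0.28
"""

NAT_RE = re.compile(r"nat \(outside,inside\) source static any any "
                    r"destination static (\S+) (\S+)")

def _take(tokens):
    """Pop one protocol/address spec: a bare word, or a keyword plus its name."""
    head = tokens.pop(0) if tokens else ""
    if head in ("object", "object-group", "host") and tokens:
        return head, tokens.pop(0)
    return "literal", head

def parse(config, acl="outside_access_in"):
    """Return (network groups, real->mapped NAT table, ACL destinations)."""
    groups, nat, dests, current = {}, {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line.startswith(" "):
            current = None                      # left any object-group block
        if tok[:2] == ["object-group", "network"] and len(tok) == 3:
            current = tok[2]
            groups[current] = []
        elif tok[:2] == ["network-object", "object"] and current and len(tok) == 3:
            groups[current].append(tok[2])
        elif (m := NAT_RE.match(line)):
            mapped, real = m.groups()
            nat[real] = mapped
        elif tok[:2] == ["access-list", acl] and tok[2:4] == ["extended", "permit"]:
            rest = tok[4:]
            _take(rest)                         # protocol
            _take(rest)                         # source
            dests.append(_take(rest))           # destination
    return groups, nat, dests

def audit(config, acl="outside_access_in"):
    """List (finding, address) pairs where the ACL and NAT rules disagree."""
    groups, nat, dests = parse(config, acl)
    mapped, permitted, findings = set(nat.values()), set(), []
    for kind, name in dests:
        if kind == "literal":                   # 'any' or a bare network
            continue
        for host in (groups.get(name, []) if kind == "object-group" else [name]):
            if host in mapped:                  # ACL written against the public IP
                findings.append(("acl-uses-mapped-address", host))
            elif host not in nat:               # permitted but never translated
                findings.append(("permitted-without-nat", host))
            else:
                permitted.add(host)
    findings += [("nat-without-permit", r) for r in nat if r not in permitted]
    return sorted(findings)

if __name__ == "__main__":
    for finding, address in audit(SAMPLE_CONFIG):
        print(f"{finding}: {address}")
```

A host that is reached without translation would also show up as `permitted-without-nat`, so treat that finding as a prompt to check the design rather than as an error in itself.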
-
Cisco ASA 5510 + license + AIP - SSM
Hello.
I have this box.
I have a few questions about it.
(1) Will I be able to update the firmware (from 8.2 to 8.3 or greater, for example) without SMARTnet for the ASA 5510? And what can I not do without SMARTnet?
(2) I have only the AIP-SSM-10 module in this ASA 5510. Is there a SMARTnet for it, too? And when I buy only the module, is a 1-year subscription for the IPS signatures built in?
(3) If I have the Cisco ASA 5510 base license, will my IPS on the AIP-SSM-10 work?
(4) Within the year I plan to purchase one more 5510 with the same module and set them up for failover. Do I really need the Security Plus license for failover (active/standby)? For active/active, I know I need one, yes?
Please help me.
(1) You must have SMARTnet in order to download the software from the cisco.com download site.
(2) Yes, there is also a SMARTnet for the AIP module. The AIP module does not come with a one-year subscription, but you can ask for a demo license.
(3) Yes, the base license is OK for the AIP module.
(4) Yes, you would need the Security Plus license on both ASAs to be able to run any type of failover on the ASA5510.
Hope that answers your questions.
-
ASA 5510 - display block URL Page
Dear,
I have a Cisco ASA 5510. I have already configured Block_Sites using regular expressions and it works fine. I need to display a blocked page for anyone trying to access blocked sites. Example: I need to display a page that contains our company logo and a message saying "the Site is blocked".
Can I do it on a Cisco ASA 5510?
Thank you
No, the ASA alone cannot do this. To do this, you need a will end UP with appropriate license or a proxy (such as the WSA).
-
Allow specific access through the Interfaces ASA 5510
Hi all
In my quest to learn Cisco IOS and devices, I need help with shaping traffic, or access lists, specifically allowing traffic between internal interfaces on the ASA.
I have an ASA 5510:
WAN/LAN/DMZ ports labeled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).
Connected to the port E0/0 is a 2811 router
Connected to the port E0/1 is the (external) Internet
Connected to the port E0/2 is a 2821
(I'll add a 3745 for VOIP) port E0/3, but it has not yet happened.
I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.
I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind the routers, as well as on the ASA. So behind the routers I have different VLANs, but I'm not restricting access between them yet, at least I don't think I am. But as it is, devices behind the 2821 cannot access the DNS/domain server that is located behind the 2811. Right now I have the routers serving DHCP, which works. Currently devices behind the 2821 router and 3560 switch cannot access the domain server, the primary DNS server.
How can I set the ASA to allow traffic to flow between the two routers and their VLANs?
Here are the configs of each device, and I have also included my switch configs in case something should be set on them. I only removed the passwords and parts of the external IP address. I appreciate the help on which statements to create and on which devices.
I think it is best that I put the links to the files of text here.
Thank you!
You must remove the following statements on the two routers:
- # ip nat inside source ... overload
- # ip nat inside/outside on each interface, if they are configured.
Remove the RIP advertisements of the networks that are not directly connected:
- 2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
- 2811: 199.195.xxx.0
- ASA: 128.0.0.0
No route should be added to the routers, since there is the default one, pointing to the ASA.
Check the routing tables on the routers and the ASA.
On the ASA:
- Remove:
# object-group network PAT-SOURCE
# nat (inside,outside) after-auto source dynamic PAT-SOURCE interface
- Create objects for the networks behind the LAN router and enable dynamic NAT:
# object network
# subnet
# nat (inside,outside) dynamic interface
- Review the remaining NAT rules.
- Set/adjust the inbound access lists on the interfaces. Do not forget to allow RIP on the LAN and DMZ interfaces.
- Disable RIP on the outside interface.
-
How many interfaces in asa 5510
Can someone please tell me how many interfaces there are on an ASA 5510, and whether we can add more interfaces to it?
Regards
Assane
Hi Assane,
When you order the ASA5510, you can choose between (fixed configuration, no option to add more interface ports):
1. ASA5510 comes with 3 x FastEthernet, plus 1 x management port (FastEthernet)
ASA5510-BUN-K9: Cisco ASA 5510 Firewall Edition includes 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license, or
2. ASA5510 comes with 5 x FastEthernet, plus 1 x management port (FastEthernet).
Cisco ASA 5510 Security Plus Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, Active/Standby high availability, 3DES/AES license
http://www.Cisco.com/en/us/products/ps6120/products_data_sheet0900aecd802930c5.html
Rgds,
AK
-
Option of range & ASA 5510 - a group of objects
Hello
I have 3 ASA 5510s; two of them are in production and the 3rd is new. I inherited the two in production and was trying to set up this 3rd one by using some of the existing network object-group statements. The problem is that when I try to create a range of IP addresses in one of the object groups, the range command is not available. One of the statements extracted from one of the production ASAs:
object network REMOTE
 range 62.77.130.14 62.77.130.208
The two ASAs have the same image version (asa842-k8). Is there something I'm missing to enable the range option on the new ASA?
Thanks in advance,
~ sK
Hello
Are you sure that the new ASA booted the new 8.4(2) software?
There are
- object-group network
  - accepts networks and host addresses under it
- object network
  - accepts subnet, range and host addresses under it
The "object network" configuration became available in 8.3 software. Before that, in software 8.2 and earlier, only the "object-group network" (and other types of object groups) existed.
Maybe you have several boot images on the new ASA and it is actually still booting the old software?
What does 'show run boot' show?
If it lists the command for both the old and the new software, then delete the old "boot system" command, save the configuration and reboot.
I hope that the above information was useful
-Jouni
-
How many default contexts in Security Plus edition ASA 5510
Hi, could someone please tell me whether the ASA 5510 Security Plus edition supports active/active failover, whether it supports contexts, and how many default contexts we receive with the ASA 5510 Security Plus edition?
Regards
Assane
Hello
The ASA5510 with Security Plus comes by default with 2 security contexts. The maximum number of security contexts you can have (upgrade to) is 5.
With the Security Plus license upgrade, you can have active/active or active/standby (choose one to run at any time) high availability services.
http://www.Cisco.com/en/us/products/ps6120/products_data_sheet0900aecd802930c5.html
Rgds,
AK
-
How to activate IP accounting or capture packets in Cisco ASA 5510 (8.2)
Hi all
Please help me enable
IP accounting or packet capture on a Cisco ASA 5510 (8.2).
Thank you
Solene
Hi Eric,
Create an access list with the source and destination IP addresses and/or TCP/UDP ports.
You can then use it:
capture CAP_NAME access-list ACL_NAME buffer 12345bytes interface INT_NAME
You can check the capture:
show capture ?
  WORD  Capture name
  |     Output modifiers
Take care
PaulC
-
ASA 5510 - tips for setting up - no internet
Hi all
I'll set up an ASA 5510 for the first time using the GUI.
I set 0/0 as outside and 0/1 as inside.
I set up outside with the static WAN address, and it is connected to my ISP.
But I can't get the Internet working on the inside port. I've read elsewhere that I need to add a static route. Can someone please advise?
You must place a default route to carry traffic from inside to outside. Use the GUI to place a static route 0.0.0.0 0.0.0.0 to the IP address of your next hop on the connection to the ISP.
-
Automatic update AIP-SSM-10 and ASA 5510 (Beginner)
I see that it is possible to automate the updates of the ASA 5510 and AIP SSM via FTP on my own server. Is it possible to automate the download directly from Cisco.com?
Thank you!
Jeremy
Jeremy, the answer to your question is correct, as far as the Cisco products are concerned. So I wrote a PERL app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm
And it is also on my site, with a tar of scripts to:
http://www.LHB-consulting.com/pages/apps/index.html
Good luck.
-Lisa
-
Hi all,
I have a new BGP configuration that consists of two asa 5510 and two routers 2911 in the back. My question is: do asa 5510 support BGP?
Thank you.
Hi Sotiris,
Unfortunately, the ASA does not support BGP (you can peer through the ASA but the ASA cannot be a BGP peer itself). The following link has a list of the routing protocols supported on the ASA:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/route_overview.html
-Mike
-
ASA 5510 Configuration. How to set up 2 outside the interface.
Hello
I have Cisco ASA 5510 and the desktop, I want to create a new route to another (external) router to my ISP.
From the workstation I can ping the ASA E0/2 interface, but I cannot ping the ISP B router's inside and outside interfaces.
I based my setup on the existing configuration, which so far is working.
interface Ethernet0/0
 description Outside interface
 nameif outside
 security-level 0
 ip address 122.55.71.138 255.255.255.2
!
interface Ethernet0/1
 description Inside interface
 nameif inside
 security-level 100
 ip address 10.34.63.252 255.255.240.0
!
interface Ethernet0/2
 description Outside interface
 nameif outside
 security-level 0
 ip address 121.97.64.178 255.255.255.240
!
global (outside) 1 interface
global (outside) 2 interface (I created this for E0/2)
nat (inside) 0 access-list sheep
nat (inside) 1 10.34.48.11 255.255.255.255 (working: ISP router inside and outside interface, E0/0)
nat (inside) 2 10.34.48.32 255.255.255.255 (working: E0/2 ISP router inside interface only, but can't ping outside)
route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (working)
route outside 10.34.48.32 255.255.255.255 121.97.64.179 1 (the new test route)
ISP router that works (I can ping it and I can access the Internet):
interface FastEthernet0/0
 description Connection to ASA5510
 ip address 122.55.71.139 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
!
interface S0/0
 ip address 111.54.29.122 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
!
ip nat inside source static 122.55.71.139 111.54.29.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ISP 2
interface FastEthernet0/0 (ASA can ping this interface)
 description Connection to ASA5510
 ip address 121.97.64.179 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
!
interface E0/0 (ASA cannot ping this interface)
 ip address 121.97.69.122 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
!
ip nat inside source static 121.97.64.179 121.97.69.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 E0/0
CABLES
ASA to router ISP B (straight cable)
Router ISP in the UDI (straight cable)
Hope you could give some advice and the solution for this kind of problem please
Hello
Are you able to ping the router's interface IP from the ASA device? If so, try a packet-tracer on the ASA for traffic to the IP address of the router.
Thank you and best regards,
Maryse Amrodia