ASA 5510 8.3(2.25) Failover Pair AnyConnect Sessions not Idle-Timing Out

Hi guys,
I have an Active/Standby pair of ASA 5510's running 8.3(2.25) software that are showing AnyConnect sessions running at 10 days +.
The users in question are not connected...
I have configured the profile's policy to idle-timeout after 90 minutes.
Is this a bug?
Kind regards, Ash.

Similar Messages

ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working

I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enable

Hi,
I can't see any problems right away in the configuration.
I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don'd mind the source address of 1.1.1.1. Its just an address that is located behind "outside" interface according to the ASA routing table. (As the configurations 1.1.1.0/28 is not actually configured on the ASA)
Share the exact "packet-tracer" command used (wihtout the public IP, notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there is no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni

Connecting ASA 5510s to a DSL modem with a static IP range

I have DSL service with AT&T and I have a Motorola 3360 modem. We also have a /28 network of static IPs from AT&T. When I login using PPPoE on the modem it gets x.x.x.190 as it's address. Our range is 177-190. I have two ASA 5510s in an active/passive failover configuration with the Ethernet port of the modem and one interface of each of the ASAs on a dumb layer 2 switch.
I want to setup this DSL connection as a backup to our main Internet connection. I cannot figure out what setting on the DSL modem to use to make this happen. I know I cannot use PPPoE in a failover setting so I can't have the modem in bridged mode. There is some mode where it passes the 190 address to the connected device and when I plug in a PC directly to the modem and set it for DHCP it does get 190 as it's address. So do I configure the ASA interface as 190 with one of the other addresses as it's standby? What do I set my route on the ASA to for use of this connection? Can I then make use of these other static addresses when plugging other devices into the layer 2 switch?

Thanks for your prompt response. From your information, your network near the firewalls looks like this:
Your cable modem connects to your provider without any intervention from your equipment, and you are free to assign IP addresses from your assigned block. The cable ISP knows to route traffic to your block down to the layer 2 segment attached to the cable mode.
As you described, the Motorola 3360 DSL modem is an odd fish. I do not have personal experience with that device, but from internet searches that appears to be a model AT&T bundles with small business DSL service. The 3360 appears to have three modes:
--router mode where it uses a single public IP on the WAN side and issues IP addresses in the 192.168.1.x range on the LAN side. The modem performs the PPPoE function in this mode.
--hybrid mode where it gets a single public IP on the WAN side and then passes that through to one device connected on the LAN side. The modem performs the PPPoE function in this mode.
--bridge mode. A device on the LAN side must perform the PPPoE function.
Various links I found indicate folks with static IP address assignments from their ISP (usually AT&T) have difficulty getting those static IP addresses to work with the Motorol 3360 except in bridge mode.
To your original question, I'm guessing you match the configuration you performed on the cable modem side and use two of your static IPs for the ASA's. Howver, it's unclear if the additional IP addresses will work with 3360's odd behavior. If you have internet-exposed hosts (as shown in my simple drawing), try assigning some of the DSL static IPs to those hosts and test communications both ways -- host-->internet, internet-->host. If possible, test two hosts at the same time to verify the 3360 can handle multiple public IPs at the same time (one posting I found claimed it could only handle one public IP address at a time).

IPS modules in Cisco ASA 5510 Active/Standby pair.

All, I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
Sent from Cisco Technical Support iPad App

Ok, that is what I needed to know. The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure. The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running. If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS funcationality. This is not worth the $1000 extra per year to us.
Thanks for the responses though. That answers my questions.

Looking for Recommendation for Redundant or Backup ISP configuration: ASA 5510

Good Day,
Currently I have two ASA 5510's version 8.2(5) with the security plus license in my environment. These are configured to failover with the SAME ISP in the event of hardware failure. We are currently trying to introduce ISP backup configuration. I've already engaged ISP's for services, However, I was wonder what this configuration may entail additionally. Can anyone advise on a best practice/configuration in this regard?
I am trying to achieve high availability for services provided by another company location. Looking forward to any assistance that can be provided.
Thanks much.

Cisco has a whitepaper on setting this up. It's a bit dated but mostly applicable.
With an HA pair of ASAs, we typically setup a switch (or stack for higher availability) between the HA pair and upstream routers. Other than that, the whitepaper is followed.
The only significant issue is whether you have any incoming services exposed via public IP and don't have you own provider-independent address block. In that case, you need to account for how those services will be reachable in the event that your are using the address of your secondary provider. This usually involves some DNS changes or other such work.
Some people offload the whole setup to an external device like a FatPipe Warp appliance.

Unable to see interface on ASA 5510 Firewall

Hi All,
I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
Below is the output.
ciscoasa# sh int ip br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                x.x.x.x           YES CONFIG up                    up
Ethernet0/1                x.x.x.x           YES CONFIG up                    up
Ethernet0/2                unassigned      YES unset administratively down down
Internal-Control0/0        127.0.1.1       YES unset up                    up
Internal-Data0/0           unassigned      YES unset up                    up
Management0/0              192.168.1.1     YES CONFIG up                    up
Please suggest what could be the reason.
Regards
Pankaj

Hi Ramraj,
Even i have the base license for my ASA 5510 which is showing all the 4 interfaces in sh ver. I don't think so license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
Its not showing up in sh ver . As Karsten said he might be running on old IOS version.
fy-a# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(5)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fy-a up 1 day 1 hour
Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1
0: Ext: Ethernet0/0         : address is 2c54.2d0c.8f1a, irq 9
1: Ext: Ethernet0/1         : address is 2c54.2d0c.8f1b, irq 9
2: Ext: Ethernet0/2         : address is 2c54.2d0c.8f1c, irq 9
3: Ext: Ethernet0/3         : address is 2c54.2d0c.8f1d, irq 9
4: Ext: Management0/0       : address is 2c54.2d0c.8f1e, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
This platform has a Base license.
Serial Number: JMX1AXXXXX
Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
fy-a#
Ramraj please do correct me if am wrong.
Please do rate if the given information helps.
By
Karthik

Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!

Hi,
I have an ASA 5510 with the configuration below. I have configure the ASA as remote access vpn server with cisco vpn client, my problem now is I can connect but I can't ping.
Config
ciscoasa# sh run
: Saved
ASA Version 8.0(3)
hostname ciscoasa
enable password 5QB4svsHoIHxXpF/ encrypted
names
name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
name xxx.xxx.xxx.xxx Mail_Server
name xxx.xxx.xxx.xxx IncomingIP
name xxx.xxx.xxx.xxx SAP
name xxx.xxx.xxx.xxx WebServer
name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
name 192.168.2.2 isa_server_outside
interface Ethernet0/0
nameif outside
security-level 0
ip address IncomingIP 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.253 255.255.255.0
management-only
passwd 123
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group service TCP_8081 tcp
port-object eq 8081
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq ftp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
port-object eq 3200
port-object eq 3300
port-object eq 3600
port-object eq 3299
port-object eq 3390
port-object eq 50000
port-object eq 3396
port-object eq 3397
port-object eq 3398
port-object eq imap4
port-object eq 587
port-object eq 993
port-object eq 8000
port-object eq 8443
port-object eq telnet
port-object eq 3901
group-object TCP_8081
port-object eq 1433
port-object eq 3391
port-object eq 3399
port-object eq 8080
port-object eq 3128
port-object eq 3900
port-object eq 3902
port-object eq 7777
port-object eq 3392
port-object eq 3393
port-object eq 3394
port-object eq 3395
port-object eq 92
port-object eq 91
port-object eq 3206
port-object eq 8001
port-object eq 8181
port-object eq 7778
port-object eq 8180
port-object eq 22222
port-object eq 11001
port-object eq 11002
port-object eq 1555
port-object eq 2223
port-object eq 2224
object-group service RDP tcp
port-object eq 3389
object-group service 3901 tcp
description 3901
port-object eq 3901
object-group service 50000 tcp
description 50000
port-object eq 50000
object-group service Enable_Transparent_Tunneling_UDP udp
port-object eq 4500
access-list inside_access_in remark connection to SAP
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in remark VPN Outgoing - PPTP
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in remark VPN Outgoing - GRE
access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
access-list inside_access_in remark VPN - GRE
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark VPN Outgoing - IKE Client
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in remark Outoing Ports
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ah any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-list VPN standard permit 192.168.2.0 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 Mail_Server netmask 255.0.0.0
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
static (inside,outside) 192.168.2.0 access-list corp_vpn
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain domain.local interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
tftp-server management 192.168.1.123 /
group-policy mypolicy internal
group-policy mypolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
username vpdn password 123
username vpdn attributes
vpn-group-policy mypolicy
service-type remote-access
tunnel-group mypolicy type remote-access
tunnel-group mypolicy general-attributes
address-pool POOL
default-group-policy mypolicy
tunnel-group mypolicy ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.

Here is the output:
ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
    static translation to 192.168.2.0
    translate_hits = 0, untranslate_hits = 139
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
    static translation to 192.168.2.0
    translate_hits = 0, untranslate_hits = 140
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA 5510 redudant interface

I have configured redundant interface on ASA 5510
interface Redundant1
description *** INSIDES NETWORK ***
member-interface Ethernet0/1 (This is a 1000Mbps Port)
member-interface Ethernet0/2 (This one is 100Mbps)
no nameif
no security-level
no ip address
interface Redundant1.10
vlan 10
nameif inside
security-level 100
ip address 192.168.1.168 255.255.255.0
redundant-interface redundant 1 active-member ethernet 0/1
Interface Ethernet0/1 ---- Connected to --- Primary Core Switch Interface Gi0/30
Interface Ethernet0/1 ---- Connected to --- Secondary Core Switch Interface Gi0/30
Then... i issue following command and its OK!
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: *** INSIDES NETWORK ***
        Available but not configured via nameif
        MAC address 7081.0570.e37d, MTU not set
        IP address unassigned
        8200483 packets input, 2109574889 bytes, 0 no buffer
        Received 99254 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        11878 L2 decode drops
        10309739 packets output, 9085407428 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 7 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (510/249)
        output queue (blocks free curr/low): hardware (510/244)
Topology Information:
        This interface, a , is connected
        with Ethernet0/0, a .
Control Point Interface States:
        Interface number is 8
        Interface config status is active
        Interface state is active
Redundancy Information:
        Member Ethernet0/1(Active), Ethernet0/2
        Last switchover at 13:54:02 IST Aug 15 2012
Then i have shutdown Primary core switch Gi0/30 Interface and Issued above command again
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: *** INSIDES NETWORK ***
        Available but not configured via nameif
        MAC address 7081.0570.e37d, MTU not set
        IP address unassigned
        8176236 packets input, 2102449428 bytes, 0 no buffer
        Received 98539 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        11682 L2 decode drops
        10278568 packets output, 9060503327 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 4 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (510/254)
        output queue (blocks free curr/low): hardware (510/255)
Topology Information:
        This interface, a , is connected
        with Ethernet0/0, a .
Control Point Interface States:
        Interface number is 8
        Interface config status is active
        Interface state is active
Redundancy Information:
        Member Ethernet0/2(Active), Ethernet0/1
        Last switchover at 13:45:10 IST Aug 15 2012
It's tranferd corectly then i no shut and back to normal Primary core switch Gi0/30 Interface again, BUT redundant interface no revert back.
I issued this command again BW remain 100Mbps
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: *** INSIDES NETWORK ***
        Available but not configured via nameif
        MAC address 7081.0570.e37d, MTU not set
        IP address unassigned
        8176236 packets input, 2102449428 bytes, 0 no buffer
        Received 98539 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        11682 L2 decode drops
        10278568 packets output, 9060503327 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 4 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (510/254)
        output queue (blocks free curr/low): hardware (510/255)
Topology Information:
        This interface, a , is connected
        with Ethernet0/0, a .
Control Point Interface States:
        Interface number is 8
        Interface config status is active
        Interface state is active
Redundancy Information:
        Member Ethernet0/2(Active), Ethernet0/1
        Last switchover at 13:45:10 IST Aug 15 2012
I did manualy shut down and no shut the secondary core switch interface Gi0/30 Its changed correctly to 1000Mbps .
pls tell some one why it's not automatically transer active interface and speed ???

I remember that being there by design. Fail back or Preempt was not supported in case of Redundant interfaces and is actually not a good idea in terms of stability. You dont want the interface failover to happen again when the active interface comes back up. In order to force the 1000Mbps interface to be active, you can manually do so by the command 'redundant-interface 1 active
Hope that Helps
Zubair

ASA 5510 VPN Peer License Question

I just got a new ASA 5510 Base Model and I have some questions I would love some help on.
1) I was under the impression that the ASA 5510 could support 250 VPN Peers. When I do a show version on this new unit I am told VPN Peers are only 50. I would like to have more than 50 L2L VPN Tunnels and RA clients connected at one. Where did I mess up with this understanding?
2) I am running ASA Software Version 7.0(6) this is how it was shipped to me. I hear that 7.2 is the latest? Can I get this upgrade from Cisco?

Hi,
There a couple of points here which are a bit tricky - the first is the software versioning of PIX/ASA software. If we have a look at how it work in IOS (It would be useful if there was an equivalent paper for PIX/ASA...)
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
The basic idea is that if you go from 7.0(1) to 7.0(2) you're getting more software fixes and less new features but if you go from 7.0(1) to 7.1(1) you're getting more major new features but less software fixes. On PIX/ASA there seems to be a fairly clear choice between stability and features. Don't forget that the 3 trains have releases independent of each other so it doesn't necessarily follow that the highest numbered release was the latest one, let alone the most stable one. Before 7.2(2) was released last November the latest release was 7.0(6) and we actually standardised on this because all releases above 7.0(6) were giving us issues (especially the 7.1 versions). We're trialling 7.2(2) at the moment and it seems to be as solid as 7.0(6) so that also looks like a good choice.
With that in mind we need to look at the feature sets of the various releases, and currently 7.2(2) gives you 250 maximum concurrent IPsec sessions whether or not you have the Security Plus license. I think this change happened during one of the 7.1 releases. If you only have 7.0 then you get 50 as standard and can upgrade to 150 if you have a security plus license. (With 7.2(2) you still need the security plus license to get failover and vpn load balancing - but not to get the 250 sessions.)
As to upgrading - it's possible 7.0(6) was actually the "latest" release when you purchased your box and unless you specified a particular version when you bought it this is what you normally get (you can ask for any version you like at no charge when you buy it initially). You really need smartnet for the ASA because the standard Cisco warranty is rubbish (90 days only and you wait 10 days for a replacement) so unless it's a test network you're pretty much forced to buy smartnet to be sure of a fast replacement (or any replacement at all after 90 days..) Also, the cost of a smartnet contract for a year if you only need NBD replacement is less than the cost of a one-off software upgrade AND you get to download any version you like for the year AND you can also log calls directly with the TAC.
So, I'd recommend buying a smartnet contract and then go through the release notes to find a suitable release to download - sounds like 7.2(2) might be what you need - at the very least you should be upgrading to get more sessions rather than sticking to 7.0 and buying a security plus license. (Because both the one-off upgrade and the security plus license are probably more expensive than smartnet!)
HTH - plz rate if useful
Andrew.

ASA 5510 not allowing some https traffic

I have 2 ASA 5510's in a failover bundle. I have a weird issue right now, where a site (https) is apparently getting blocked behind the firewall. If I browse to the site, it just spins, then says the page could not be displayed. I can ping the IP address, and I can browse to the http version of the page, but I cannot browse to the https site. If I plug into the DMZ on the outside of the firewall, I can see the page no problem. There is something in the ASA that is blocking it. We certainly allow 443 out, and use https heavily, all the time. It's just this one site, which is weird, because I know ASA's don't do deep packet inspection. Can anyone think of what would be causing this?

Well, we figured this out. It actually wasn't the firewall. It was DNS resolution. This particular site's DNS was all messed up. When I was on the DMZ, I changed to another DNS server, which hadn't updated yet. External DNS tests were all returning either no records or just the generic Network Solutions IP, which would give you a landing page. We used the hosts file to get around it until they fixed their DNS pointers.

ASA 5510 ACL Return Packet

Hi,
I've got a Problem with the ACL's on a ASA 5510 Cluster:
the connected Client cannot resolve DNS; the Log says:
%ASA-session-5-106100: access-list ACL-INSIDE denied udp inside/172.27.xxx.1(53) -> outside/192.168.xxx.8(59893) hit-cnt 1 first hit [0x932a8f72, 0x0]
(this must be the Return-Paket of the DNS-Query)
where 172.27.xxx.1 is the DNS-Server in the Inside-Network, and 192.168.xxx.8 is the virtual address.
I've got an Access-List which permits the virtual address "ip" to the DNS-Server.
The same Configuration on the Test-Machine (no Cluster) works!
(It's a active/standby single Context failover Config)
Could the Problem be caused by the Cluster?
Thank you
Karl

rou-ara27-rz-12/act/pri# sh run access-group
access-group ACL-INSIDE in interface inside
access-group inside_access_out out interface inside
access-group ACL-OUTSIDE in interface outside
rou-ara27-rz-12/act/pri# show access-
rou-ara27-rz-12/act/pri# show access-list ACL-INSIDE
access-list ACL-INSIDE; 11 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended permit icmp any any object-group ICMP-HARMLOS (hitcnt=0) 0x1a753992
access-list ACL-INSIDE line 1 extended permit icmp any any echo (hitcnt=0) 0xc4ed471c
access-list ACL-INSIDE line 1 extended permit icmp any any echo-reply (hitcnt=0) 0xd14f0043
access-list ACL-INSIDE line 1 extended permit icmp any any unreachable (hitcnt=0) 0x92b03f68
access-list ACL-INSIDE line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xaa821c16
access-list ACL-INSIDE line 2 extended permit ip object VPN-NET object-group DM_INLINE_NETWORK_3 log debugging interval 300 0x658c9759
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 172.27.0.0 255.255.0.0 log debugging interval 300 (hitcnt=0) 0xc31eaf76
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ1$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x34d68ea6
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ2$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x7df14a53
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x1aa12e0c
access-list ACL-INSIDE line 3 extended permit esp object VPN-NET object DMZ_III log debugging interval 300 (hitcnt=0) 0x2d7346ad
access-list ACL-INSIDE line 3 extended permit esp 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x2d7346ad
access-list ACL-INSIDE line 4 extended deny icmp any any log informational interval 300 (hitcnt=0) 0x2bcd80f1
access-list ACL-INSIDE line 5 remark CleanUp Rule with raised log level
access-list ACL-INSIDE line 6 extended deny ip any any log notifications interval 300 (hitcnt=0) 0x932a8f72
rou-ara27-rz-12/act/pri#

ASA 5510 context base configuration in HA Mode with two different subnet

Hi
Please someone help me to configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
IP Details are below.....:
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
interface Ethernet0/1
no nameif
security-level 0
no ip address
interface Ethernet0/1.101
description INSIDE1
vlan 101
nameif INSIDE1
security-level 90
ip address 172.22.0.2 255.255.255.0 standby 172.22.0.3
interface Ethernet0/1.102
description INSIDE2
vlan 102
nameif INSIDE2
security-level 80
ip address 172.22.1.2 255.255.255.0 standby 172.22.1.3
interface Ethernet0/3
description LAN Failover Interface
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover replication http
failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

Hi Sanjeev,
If it is a context based configuration that you are doing then, you would need to configure context on the ASA first, you can refer to this document for it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
Thanks,
Varun Rao
Security Team,
Cisco TAC

ASA-5510-k8 vs ASA-5510-k9

Hello all!
I was wondering if anyone new the difference out there between an ASA5510-k8 and k9. Is this a software or hardware version. If I was using 2 ASA's in failover/standby environment those the 2 need to match or can these be different. Any feedback would be helpful Thanks.

Hi Edwin,
Please see below the information ref to 5510 licensing (gives you the differences between K8 &K9) and Active/standby failover implementation requirements for ASA...
Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, 3DES/AES license
ASA5510-BUN-K9
Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, DES license
ASA5510-K8
Cisco ASA 5510 Security Plus Firewall Edition includes 2 Gigabit Ethernet + 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, Active/Standby high availability, 3DES/AES license
ASA5510-SEC-BUN-K9
Licensing Requirements for Active/Standby Failover
The following table shows the licensing requirements for this feature:
Model
License Requirement
ASA 5505
Security Plus License. (Stateful failover is not supported).
ASA 5510
Security Plus License.
All other models
Base License.
Prerequisites for Active/Standby Failover
Active/Standby failover has the following prerequisites:
•Both units must be identical security appliances that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.
•Both units must have the same software configuration and the proper license.
•Both units must be in the same mode (single or multiple, transparent or routed).
Below are the links for reference..
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html
hth
MS

Upgrade firewall software in failover pair

I need to upgrade two firewalls (in failover pair) remotely. Could somene tell me what is the way to go forward? Do I need to worry about licenses and stuff?
Thanks,
Kashish

Since you are running dynamic routing protocols, the routing instand is only active on the primary active firewall, not both. That's the reason why you can't access the tftp server on the standby unit.
What you can do is upload the image to the primary active ASA, then failover the firewall to the secondary standby ASA. Once the secondary ASA becomes the Active ASA, then you can upload the image to this ASA.
Since you can only access the active unit, once you have configured the boot system with the new image, and save the config, then you can reload the ASA one at the time.
Reload the secondary after you have uploaded the image, this will cause failover to the primary. Monitor the status of secondary by issueing "show failover", and once the secondary is up, and the software has been upgraded, then you can reload the primary active unit.

Multiple gateways for different Traffic on ASA 5510 firewall

Hello,
My network atthe moment is set up as:
WAN, with three sites
Site 1
Site 2
Site 3
Site 1 is behind a non-Cisco firewall, which is connected to the internet via a Frame Relay link (using a Cisco 1721 router). We host a number of servers on the Internal network and DMZ's.
All sites connect to the WAN using Cisco routers or switches.
All internet traffic (IN and OUT) for all sites goes via the non-Cisco firewall.
I am interested in the ASA 5510 with six interfaces.
Using the ASA 5510 is it possible to set up two (2) internet connections, one via the Frame Relay and a second internet connection via an ADSL connection?
Then, is it possible to direct the outward-bound traffic via specific gateways based upon either:
(a) the type of traffic, say HTTP from users behind the firewall; or
(b) the IP addresses of the host (i.e. users' PC versus the servers)
Any assistance is welcome.
Kind regards,
IT@C

yes you can do this with policy routing on the internet router in front of the firewall assuming that you are connecting both ISPs to that router. Also, remember that you can do vlans on the ASA. This may cut down on the # of interfaces that you use in your config.
http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f89.html
HTH, pls rate!

ASA 5510 8.3(2.25) Failover Pair AnyConnect Sessions not Idle-Timing Out

Similar Messages

Maybe you are looking for