ASA 5512-X no int vlan command!?
I don't have much experience yet with ASAs but I thought the int vlan command should be available? It's an ASA 5512-X with IOS 8.6(1)2, should I upgrade to the newest 9 version? Also, there are RJ45 interfaces and SFP interfaces which are numbered Gi0/0-5 and Gi1/0-5, how do I tell what numbers correspond to what interfaces? Thanks
"int vlan" is specific to the 5505 which has an integrated switch. The 5510 and higher use a subinterface and vlan command within the subinterface config mode. See the configuration guide section here:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1082576
Rear panel ports are numbered as described in the hardware installation guide here:
http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/5500xguide/asa_overview.html#wp1069960
I don't have one in front of me but seem to recall they also have printed designations on the physical unit if you look closely.
Similar Messages
-
Configuring "Guest Wi-Fi" VLAN on ASA 5512
I'm attempting to set up a new VLAN on my Cisco ASA 5512 running version 8.6(1)2. This VLAN will provide access for wireless "guest" APs in my network. I have the guest VLAN set up through to my switches; I'm able to dedicate a switch port to VLAN 40 and acquire an IP address in the 10.40.10.0/24 network. Below is an excerpt of what I think is the relevant config information. I'm trying to route guest traffic out my "outside" interface.
Obviously I'm missing another command in here. Any help would be greatly appreciated. If more of the running-config is needed please advise. Thanks in advance!
interface GigabitEthernet0/1.40
description Guest Wireless Network
vlan 40
nameif guestwireless
security-level 50
ip address 10.40.10.5 255.255.255.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1 (public IP at X.X.X.X)
access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
mtu guestwireless 1500
access-group guestwireless_access_in in interface guestwireless
dhcpd address 10.40.10.50-10.40.10.250 guestwireless
dhcpd dns 8.8.8.8 interface guestwireless
dhcpd enable guestwireless
Stripped out some config pertaining to crypto and credentials.
--------------Config Below-----------------------------------
: Saved
ASA Version 8.6(1)2
hostname ASA
domain-name company.local
names
interface GigabitEthernet0/0
description ISP Interface
nameif outside
security-level 100
ip address ##.##.###.### 255.255.255.248
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
interface GigabitEthernet0/1.40
description Guest Wireless Network
vlan 40
nameif guestwireless
security-level 50
ip address 10.40.10.5 255.255.255.0
interface GigabitEthernet0/2
nameif inside-tempnet
security-level 0
ip address 172.29.0.252 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name company.local
same-security-traffic permit inter-interface
object network NETWORK_OBJ_10.100.10.0_24
subnet 10.100.10.0 255.255.255.0
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.100.10.0_24 any
access-list inside-tempnet_access_in extended permit ip 172.29.0.0 255.255.255.0 object NETWORK_OBJ_10.100.10.0_24
access-list Split_Tunnel_List standard permit 172.29.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu guestwireless 1500
mtu inside-tempnet 1500
mtu management 1500
ip local pool ClientVPN-DHCP-Pool 10.100.10.50-10.100.10.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
asdm history enable
arp timeout 14400
nat (inside-tempnet,outside) source static any any destination static NETWORK_OBJ_10.100.10.0_24 NETWORK_OBJ_10.100.10.0_24 no-proxy-arp route-lookup
nat (guestwireless,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside-tempnet_access_in in interface inside-tempnet
route outside 0.0.0.0 0.0.0.0 ##.##.###.### 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
http server enable
http 0.0.0.0 0.0.0.0 inside-tempnet
http 172.29.0.0 255.255.255.0 inside-tempnet
http redirect inside-tempnet 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
dhcpd address 10.40.10.50-10.40.10.250 guestwireless
dhcpd dns 8.8.8.8 interface guestwireless
dhcpd enable guestwireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside-tempnet
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles VPNConnect disk0:/vpnconnect.xml
anyconnect enable
tunnel-group-list enable
group-policy "GroupPolicy_VPN Connect" internal
group-policy "GroupPolicy_VPN Connect" attributes
wins-server none
dns-server value #.#.#.#
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value company.local
webvpn
anyconnect profiles value VPNConnect type user
tunnel-group "VPN Connect" type remote-access
tunnel-group "VPN Connect" general-attributes
address-pool ClientVPN-DHCP-Pool
authentication-server-group compnay.LOCAL LOCAL
default-group-policy "GroupPolicy_VPN Connect"
tunnel-group "VPN Connect" webvpn-attributes
group-alias "VPN Connect" enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
: end -
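A static check over the guest Wi-Fi config above (and over the telnet lines in the 5512-X "no connectivity" post further down), added here as example code; it is not from the thread or from Cisco. It assumes the standard ASA CLI syntax shown on the page and uses a constructed excerpt of the posted config, with a documentation address standing in for the masked outside IP.

```python
import re
from typing import Dict, List

# Constructed excerpt of the posted guest Wi-Fi config. The poster masked the
# outside address; 203.0.113.10 (a documentation range) stands in for it. The
# telnet lines are borrowed from the later 5512-X "no connectivity" post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description ISP Interface
 nameif outside
 security-level 100
 ip address 203.0.113.10 255.255.255.248
interface GigabitEthernet0/1.40
 description Guest Wireless Network
 vlan 40
 nameif guestwireless
 security-level 50
 ip address 10.40.10.5 255.255.255.0
interface GigabitEthernet0/2
 nameif inside-tempnet
 security-level 0
 ip address 172.29.0.252 255.255.255.0
access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
access-group guestwireless_access_in in interface guestwireless
http server enable
http 0.0.0.0 0.0.0.0 inside-tempnet
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map each nameif to its physical interface and security level. Leading
    whitespace is ignored, so indented and flattened configs both parse."""
    ifaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"iface": line.split(None, 1)[1], "level": None}
        elif current is not None and line.startswith("nameif "):
            ifaces[line.split()[1]] = current
        elif current is not None and line.startswith("security-level "):
            current["level"] = int(line.split()[1])
    return ifaces


def audit(config: str) -> List[str]:
    """Return human-readable findings for the given ASA config text."""
    findings: List[str] = []

    # 1. Security levels: the Internet-facing interface must be the least
    #    trusted (0); an internal interface at 0 is treated like the Internet.
    for name, info in parse_interfaces(config).items():
        lvl = info["level"]
        if name == "outside" and lvl is not None and lvl > 0:
            findings.append(f"{name} ({info['iface']}) has security-level {lvl}; "
                            "the Internet-facing interface should be 0")
        elif name != "outside" and lvl == 0:
            findings.append(f"{name} ({info['iface']}) has security-level 0, "
                            "the same trust as the Internet")

    acls: Dict[str, List[str]] = {}   # ACL name -> its ACE lines
    bound: Dict[str, str] = {}        # ACL name -> nameif it is applied to
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("access-list ") and len(parts) > 2:
            acls.setdefault(parts[1], []).append(line)
        elif line.startswith("access-group ") and "interface" in parts:
            bound[parts[1]] = parts[-1]
        # 2. "http 0.0.0.0 0.0.0.0 <ifc>" opens ASDM/HTTPS management to any
        #    source address on that interface ("http server enable" is 3 words).
        elif line.startswith("http ") and len(parts) == 4 and parts[2] == "0.0.0.0":
            findings.append(f"ASDM/HTTPS management open to any source on {parts[3]}")
        # 3. "telnet <net> <mask> <ifc>" enables cleartext management;
        #    "telnet timeout N" has only 3 words and is skipped.
        elif line.startswith("telnet ") and len(parts) == 4:
            findings.append(f"cleartext telnet management enabled on {parts[3]} "
                            f"for {parts[1]} {parts[2]}; use ssh instead")

    for acl, ifc in bound.items():
        aces = acls.get(acl, [])
        for ace in aces:
            # 4. In an ASA ACE, "interface <name>" is that interface's own
            #    address, so the rule never matches hosts beyond it.
            m = re.search(r"\binterface (\S+)$", ace)
            if m:
                findings.append(f"{acl} on {ifc}: destination 'interface {m.group(1)}' "
                                f"matches only the ASA's own {m.group(1)} address")
        # 5. A guest segment should carry explicit deny entries for the internal
        #    networks before any broad permit.
        if "guest" in ifc and not any(" deny " in ace for ace in aces):
            findings.append(f"{acl} on guest interface {ifc} has no deny entries; "
                            "nothing isolates guests from internal networks")
    return findings
```

Running audit(SAMPLE_CONFIG) yields six findings; the ACE whose destination is "interface outside" is the one that stops guest traffic from ever reaching the Internet, because that keyword matches only the ASA's own interface address.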
ASA 5512-X - VPN & local clients DHCP relaying (DHCP Proxy vs. DHCP Relay conflict)
Hey all,
I have ASA-5512-X serving as general firewall/router. It also serves as AnyConnect SSL VPN gateway (webvpn).
It has ~10 VLANs connected over 1 trunk port. One of the VLANs has DHCP server that shall serve all the VLANs (192.168.16.2).
I'm trying to have the ASA relay DHCP requests from all VLANs to the DHCP server and to also serve VPN clients.
However, according to bug https://tools.cisco.com/bugsearch/bug/CSCsd22469 both DHCP Proxy (webvpn) and DHCP Relay (local interfaces) can't be enabled at the same time.
As VPN clients connect to the same VLANs as local users (e.g. VLAN 2 - 192.168.2.0/24) I want to have the very same DHCP server serving both, otherwise it's gonna become a mess.
Note: if I configure DHCP Relay functionality and disable DHCP Proxy, local clients are served fine. If I configure DHCP Proxy (webvpn) and disable DHCP Relay, VPN clients are served fine. I therefore consider the setup to be correct; just the ASA limitation won't allow me to make it serve both.
Can DHCP Relay also serve VPN clients (no DHCP Proxy enabled)? did I miss something?
Thanks!
Hi,
The only workaround for this issue is to configure the ASA itself to act as DHCP server for vpn clients. You also have the flexibility of using local pool and AAA server. Why exactly do you want to use the same DHCP server for both?
AM -
ASA 5512-X an out of date ASDM-IDM?
The Cisco ASA 5512-X we have recently purchased comes with an out of date ASDM-IDM. It comes with version 6.6(1), which is not compatible with ASA version 9.1. Is this normal?
I haven't opened a new one in the past couple of months, but ASDM 6.6(1) is compatible with ASA software 8.6(1). That was the version most units were shipping with for a while, as it was the initial release that introduced support for the 5500-X series.
If the box shipped new with 9.1 ASA software then the ASDM should be at least 7.1(1) - and the recommended version is 7.2(1). Reference.
It's easy enough to upgrade ASDM - just copy the file over and change the "asdm image" command to point to it.
(By the way, you'd get better visibility of a question like this in the Security - Firewalling forum.) -
I installed a new ASA 5512-X over the weekend for a client. Their backup ISP connection is DHCP based. I need to use the 'dhcp client route track' command on the interface, but it is not available. However, according to all the documentation I am looking at, and even the ASDM, it should be available.
This is the version of ASA and ASDM they are running:
Cisco Adaptive Security Appliance Software Version 8.6(1)1
Device Manager Version 6.6(1)
I did upgrade to the latest ASA software, so has this command been removed? If I do a '?' in the interface, there isn't a 'dhcp' option.
Any help would be appreciated. I really don't want to tell them they need to get a static IP address to resolve this issue.
TIA,
Dan
Looks like you are hitting bug ID CSCtq78280:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq78280
Please open a TAC case to get the fix on version 8.6.1(x). -
Hello,
We have recently implemented a new Cisco ASA 5512-X firewall replacing and old Cisco ASA 5505 Firewall.
We have a number of issues which we are encountering and have so far been unable to rectify. The config was copied visually across to the new firewall from the old, so the majority of the config matches the old firewall. I have attached the config.
1. VOIP phones not connecting to NTP at uk.pool.ntp.org - Our VOIP network is on its own VLAN inside the network. The phones were able to connect to the NTP externally before the new firewall was in place. I have tested numerous access rules but with no luck.
2. VPN - We have setup a site to site VPN between the new Firewall and a SonicWall. The SonicWALL is showing the following errors from our firewall
07/10/2013 12:38:24.192
Info
VPN IKE
Received IKE SA delete request
77.107.90.203, 500
164.40.213.246, 500
VPN Policy: New_VPN
6
07/10/2013 12:38:24.192
Warning
VPN IKE
Received notify. NO_PROPOSAL_CHOSEN
77.107.90.203, 500
164.40.213.246, 500
7
07/10/2013 12:38:24.160
Info
VPN IKE
IKE Initiator: Start Quick Mode (Phase 2).
164.40.213.246, 500
77.107.90.203, 500
VPN Policy: New_VPN
3. Firewall rules for outside coming in do not allow pointing to the NAT object of a device; we have to use the internal network object instead.
Any help would be much appreciated.
Many Thanks
James
No, there is no web filtering feature built in to the ASA 5512-X; however, you can configure the ASA 5512-X to send web traffic towards a cloud-based (Cisco ScanSafe) web filtering solution. You would need to purchase a ScanSafe user-based license.
-
Please give a sample configuration for a site-to-site VPN on ASA 5512-x v.9.1!
Dear All,
Could you give a sample config for ASA 5512-x v.9.1 for a site-to-site VPN? I used to configure this on ASA 5510 v.8.2, but on version 9.1 I have never configured it.
My issue is that I don't know how to configure nonat.
I saw some configuration as in the attached file; they just show how to configure the VPN, but we did not see nonat in the commands.
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_site2site.html
Best Regards,
HK
Hi,
The new configuration format for NAT0 / NAT Exemption / Identity NAT is the following
object network SOURCE-NETWORK
subnet
object network DESTINATION-NETWORK
subnet
nat (inside,outside) source static SOURCE-NETWORK SOURCE-NETWORK destination static DESTINATION-NETWORK DESTINATION-NETWORK
In the above
SOURCE-NETWORK contains the network on your side of the network
DESTINATION-NETWORK contains the network on the remote side of the L2L VPN
The NAT configuration presumes that you are using interfaces with the name of "inside" and "outside"
The reason you see 2 of each "object" in the NAT configuration is that there is no NAT performed for them. You would have the option to do NAT for both source and destination, but in this case we don't want that.
Depending how many source and destination networks we are talking about, this might need some modifying.
Hopefully this helps
- Jouni -
Changing the Native VLAN command?
Can someone please refresh me as to what the command is to change the Native VLAN for the entire switch? (IE: not just on the trunk, I mean the default native for the entire switch). Thanks
Hi
While on this topic, I have been trying to trunk to 2960 switches and can't seem to get a proper connection. I am using Packet Tracer. The 1st switch already has a trunk port going to a router; the router's port is trunked and has sub-interfaces for each of VLANs 2 and 3, and each sub-interface has the respective native encapsulation VLAN configured. My management VLAN is VLAN 3, and I don't have an int vlan 1, only int vlan 3. The router and the 1st switch work fine. But now I am trying to get another trunk port working with the second switch. I configured both interfaces for trunking using native VLAN 1. Now the links are in up state but the LEDs on both ends are not green; one is orange. And I have only int vlan 3, as with the other switch, with an IP in the same subnet as the management IP, but cannot ping. The strange thing is VTP info can pass but there is no connection to the other switch's VLANs and router etc., only local connectivity. Please help; below are the configs of the router and the two switches. It is switch 1 that is giving me beans to connect to the rest.
Router0
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
hostname RouterA
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin secret 5 $1$mERr$vPOtdREpWgzFVVY37SB2h/
ip name-server 0.0.0.0
interface Loopback0
description management
ip address 192.168.1.1 255.255.255.0
interface Loopback1
ip address 192.168.2.1 255.255.255.224
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.3.1 255.255.255.0
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.5.0.1 255.255.255.0
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.4.1 255.255.255.0
interface FastEthernet0/1
description management
no ip address
duplex auto
speed auto
interface Serial0/0
ip address 172.16.1.1 255.255.255.252
interface Serial0/1
no ip address
interface FastEthernet1/0
no ip address
duplex auto
speed auto
interface FastEthernet1/1
no ip address
duplex auto
speed auto
router rip
version 2
network 172.16.0.0
network 192.168.1.0
network 192.168.2.0
no auto-summary
ip classless
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit host 192.168.4.2
line con 0
line vty 0 4
access-class 1 in
password 7 08316C5D1A2E5505165A
login
end
Switch 0 (connected to Router 0)
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
hostname SwitchA
no logging console
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
ip name-server 0.0.0.0
username admin password 7 08651D0A043C3705561E0B54322E2B3C2B063137324232064274
spanning-tree portfast default
interface FastEthernet0/1
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
switchport access vlan 3
interface FastEthernet0/6
switchport access vlan 3
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
switchport access vlan 2
interface FastEthernet0/14
switchport access vlan 2
interface FastEthernet0/15
switchport access vlan 2
interface FastEthernet0/16
switchport access vlan 2
interface FastEthernet0/17
switchport access vlan 2
interface FastEthernet0/18
switchport mode trunk
interface FastEthernet0/19
switchport access vlan 2
switchport mode access
interface FastEthernet0/20
switchport access vlan 2
interface FastEthernet0/21
switchport access vlan 2
interface FastEthernet0/22
switchport mode access
interface FastEthernet0/23
switchport access vlan 2
interface FastEthernet0/24
switchport mode trunk
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
interface Vlan3
ip address 192.168.4.10 255.255.255.0
ip default-gateway 192.168.4.1
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit host 192.168.4.1
line con 0
line vty 0 4
access-class 1 in
password 7 08316C5D1A2E5505165A
login
line vty 5 15
login
end
Switch 1 (connected to Switch0) (This is the second switch which I cannot get connected to rest of network properly)
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname Switch
interface FastEthernet0/1
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
switchport access vlan 3
interface FastEthernet0/6
switchport access vlan 3
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
switchport mode trunk
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
no ip address
interface Vlan3
ip address 192.168.4.20 255.255.255.0
ip default-gateway 192.168.4.1
line con 0
line vty 0 4
login
line vty 5 15
login
end -
ASA 5512 - monitor power supply status via snmp oid
Device – ASA 5512 running 9.1(1).
Show version:
ASA-1# sh ver
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 6.6(1)
Compiled on Wed 28-Nov-12 11:15 PST by builders
System image file is "disk0:/asa911-smp-k8.bin"
Config file at boot was "startup-config"
ASA-1 up 8 hours 38 mins
Hardware: ASA5512-K7, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
ASA: 2048 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Issue: looking for an SNMP OID to poll power supply status (inbuilt power supply; no redundant power supply in this scenario), possibly what we see in show environment.
CSE analysis:
I tried using the OIDs belonging to CISCO-ENTITY-FRU-CONTROL-MIB, like cefcFRUPowerOperStatus and cefcFRUPowerAdminStatus, but they didn't return anything.
NOTE: I have done all the snmp walks from the Linux server, so I doubt it's something to do with the snmp manager side.
A couple of observations. The CISCO-ENTITY-FRU-CONTROL-MIB talks about field-replaceable power supplies, so I doubt it's going to return the value for the inbuilt power supply.
Second, I noticed that there are snmp traps supported for power supply and threshold setting. See configuration below. Is it that only traps works for power supply and environment related details?
Snmpwalk on cefcFRUPowerStatusEntry returns nothing:
[root@tonbenso-eagle bin]# ./snmpwalk -v2c -c public 172.16.169.29 1.3.6.1.4.1.9.9.117.1.1.2.1
SNMPv2-SMI::enterprises.9.9.117.1.1.2.1 = No Such Object available on this agent at this OID
Snmpwalk on cefcFRUPowerOperStatus returns nothing:
[root@tonbenso-eagle bin]# ./snmpwalk -v2c -c public 172.16.169.29 1.3.6.1.4.1.9.9.117.1.1.2.1.2
SNMPv2-SMI::enterprises.9.9.117.1.1.2.1.2 = No Such Instance currently exists at this OID
Snmpwalk on cefcFRUPowerAdminStatus returns nothing:
[root@tonbenso-eagle bin]# ./snmpwalk -v2c -c public 172.16.169.29 1.3.6.1.4.1.9.9.117.1.1.2.1.1
SNMPv2-SMI::enterprises.9.9.117.1.1.2.1.1 = No Such Instance currently exists at this OID
I tried polling the ciscoEntityFRUControlMIB to see what all values it return. It just returned enterprises.9.9.117.1.3.1.0 = INTEGER: 2. Meaning cefcMIBEnableStatusNotification is FALSE (value 2). Meaning cefcModuleStatusChange, cefcPowerStatusChange, cefcFRUInserted, cefcFRURemoved, cefcUnrecognizedFRU and cefcFanTrayStatusChange are prevented from being sent.
Snmpwalk on ciscoEntityFRUControlMIB
[root@tonbenso-eagle bin]# ./snmpwalk -v2c -c public 172.16.169.29 1.3.6.1.4.1.9.9.117
SNMPv2-SMI::enterprises.9.9.117.1.3.1.0 = INTEGER: 2
Object: cefcMIBEnableStatusNotification
OID: 1.3.6.1.4.1.9.9.117.1.3.1
Type: TruthValue
Permission: read-write
Status: current
MIB: CISCO-ENTITY-FRU-CONTROL-MIB
Description: "This variable indicates whether the system produces the following notifications: cefcModuleStatusChange, cefcPowerStatusChange, cefcFRUInserted, cefcFRURemoved, cefcUnrecognizedFRU and cefcFanTrayStatusChange. A false value will prevent these notifications from being generated."
Found couple of bugs:
CSCty32558 – but then this is for 5585 and I see it is fixed in 8.4
CSCul90037 – New state
Show snmp-server oidlist:
http://www-tac.cisco.com/Teams/ks/c3/getLargeFile.php?srId=632222409&fileName=20141030-013905_ASA-show-snmp-server-oidlist.txt
Show tech:
Sh run | in snmp:
ASA-1# sh run | in snmp
snmp-server host asa 172.18.123.228 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps entity power-supply-presence power-supply-temperature    <-- I was talking about this trap above
Any help will be appreciated.
Hi
I've got an ASA with redundant power supplies. An ASA5585. So I have the need to monitor them. :-) So how can we do it?
Also I've made an SNMP walk through the ASA v8.4(2)8 and it doesn't show up any ENV-MIB values. The 1.3.6.1.4.1.9.9.13 tree is not available. Are you sure it's available on the ASA?
Funny is also that the command "show snmp-server oidlist" from the 8.4 configuration guide is not available on the real CLI. I think the documentation guys were faster than the coders. ;-)
Kind regards
Roberto -
How to Configure Cisco ASA 5512 for multiple public IP interfaces
Hi
I have a new ASA 5512 that I would like to configure for multiple public IP support. My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
Here is my concept. We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access. We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections. I have installed an add on license that allows multiple outside interfaces along with a number of other features.
Outside Networks (I've changed the IPs for security purposes)
Outside1 E 0/0 : 74.55.55.210 255.255.255.240 gateway 74.55.55.222
Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
Inside1 : E 0/1 192.168.255.1 255.255.248.0
Inside2 : E 0/3 172.16.255.1 255.255.248.0
My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2. The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.
I can post my config up as needed. I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app. My ASA 5512 is at 9.1.
Thanks in advance for the suggestions/help
I have been away for a while and am just getting caught up on some posts, so my apologies for a delayed response.
I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes, using one process for each of the public address ranges, and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
To the original poster
It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
HTH
Rick -
I have a Cisco ASA 5512 working as a firewall.
We configured one ASA interface connecting to a Cisco 1700 router with a leased line internet service without any problem.
Now we have an extra ADSL 2MB internet connection connected to another ASA interface.
I configured the ASA like this:
1- Enable interface 2 on ASA and connect it to ADSL router (interface ip 192.168.1.100 from the same ADSL router {192.168.1.1}range )
2- Create Access rule say source (My computer ip) destination ADSL network range action accept
3- Create Nat Rule say source interface inside source ip (my ip) destination interface ADSL ip 192.168.1.100 destination source router ip 192.168.1.1
4- Add static route say ADSL interface source ip my ip gateway ADSL router
These are the steps I followed, but it doesn't work.
Thanks in advance
FYI, for internet access I doubt this will work, because if you configure two default routes the ASA won't distribute traffic across two interfaces; the first default route will be the one where the ASA sends traffic. However, from your description it is not very clear which IP address you are trying to ping and exactly how you have configured the rules.
Either attach your config or paste the relevant config in post. -
Int vlan up while no port connected on the vlan
Hello,
Having a cat3750 stack (Layer 2/Layer 3, release 12.2.25SEB4), I would like to have an interface vlan up for administration reasons with no port connected on this vlan.
Do you know a way to get it, without using a loopback interface, i.e. having a switch port state up while not being connected? (no keepalive, nor an L3 interface with no keepalive, does not help me)
sh run int fas 3/0/24
Building configuration...
Current configuration : 170 bytes
interface FastEthernet3/0/24
no switchport
no ip address
no logging event link-status
no keepalive
no snmp trap link-status
power inline never
no mdix auto
end
sh run int vlan 1
Building configuration...
Current configuration : 96 bytes
interface Vlan1
description *** Management ***
ip address a.b.c.d 255.255.255.248
end
sh int vlan 1
Vlan1 is up, line protocol is down
sh int fast 3/0/24
FastEthernet3/0/24 is down, line protocol is down (notconnect)
Regards,
Hello Glen,
Thank you for replying so fast.
Here is some more information:
The switch is used as a router too.
It is reachable by a WAN router connected to this switch on an another vlan (vlan 9). The SVI for the management of this switch is on a dedicated vlan (vlan 1) but this is the only switch of this site.
The management of this switch isn't in the same vlan as the router.
And I wonder if there is a way to have a SVI up just for the management process of this switch, without using a loopback interface.
The WAN router is on vlan 9 and I would like to have the switch management IP address on vlan 1.
Vlan 1 IP network is a subnet of the network routed by the WAN router (managed by an operator).
Regards, -
Asa-5512-x no connectivity to internet
I am going from a pix-515e to asa-5512-x. I used the wizard for the initial setup. I then set the interfaces the same, objects, nat rules, routes, ACLs the same as in the 515e (except for the outside interface ACL where you use the inside address now, rather than the outside...and you have a global deny rule for all interfaces) .
I take the cables from the inside / outside interface from the 515e, plug them into the 5512x and nada...
Computers on the inside can't get out. I see egress failures on the ASDM monitor from the inside to outside. I don't see any traffic coming in on the outside interface to the inside as I do on the ASDM of the 515e.
ASA Version 9.1(5)
hostname ASA-5512-X
domain-name mydomain.com
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 98.xxx.xxx.xxx 255.255.255.224
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.0.1.242 255.255.252.0
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa915-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.42
domain-name mydomain.com
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object webserver-inside object-group web-ports
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-716.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static webserver-inside webserver-outside unidirectional
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 98.xxx.xxx.xxx 2
route inside 172.20.0.0 255.255.0.0 10.0.0.1 1
route inside 172.21.0.0 255.255.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.0.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
At a quick glance the config looks pretty clean (please do use ssh and not telnet though).
Since you replaced one box with another, have you checked that your upstream (Outside) device is reachable from the ASA itself? (i.e. can you ping your default gateway at 98.xxx.xxx.xxx 2)
I've sometimes seen cases where we had to ask the ISP to clear their ARP cache when changing out firewalls.
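A small management-plane audit in the spirit of that reply, added here as an example and not code from the thread: it scans a constructed excerpt modelled on the posted running-config and flags cleartext telnet access lines, a console that never times out, and the absence of any ssh access lines.

```python
import re

# Constructed excerpt modelled on the management lines of the config posted
# above (not the poster's full config); representative, not verbatim.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
console timeout 0
management-access inside
"""


def audit_asa_config(config_text):
    """Return a list of (severity, finding) tuples for management-plane settings."""
    findings = []
    # 'telnet <net> <mask> <iface>' and 'ssh <net> <mask> <iface>' are the ASA
    # access lines; 'telnet timeout 5' has only two arguments and will not match.
    telnet_re = re.compile(r"^telnet\s+(\S+)\s+(\S+)\s+(\S+)$")
    ssh_re = re.compile(r"^ssh\s+(\S+)\s+(\S+)\s+(\S+)$")
    console_re = re.compile(r"^console timeout (\d+)$")
    ssh_seen = False
    for line in config_text.splitlines():
        line = line.strip()
        m = telnet_re.match(line)
        if m:
            net, mask, iface = m.groups()
            findings.append(("high", f"telnet permitted from {net} {mask} on {iface}: "
                                     f"cleartext; use 'ssh {net} {mask} {iface}' instead"))
            continue
        if ssh_re.match(line):
            ssh_seen = True
        m = console_re.match(line)
        if m and int(m.group(1)) == 0:
            findings.append(("medium", "console timeout 0: console sessions never time out"))
    if not ssh_seen:
        findings.append(("info", "no 'ssh <net> <mask> <iface>' lines: SSH management not enabled"))
    return findings


if __name__ == "__main__":
    for severity, text in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{severity}] {text}")
```

On a real ASA, enabling SSH also requires an RSA key pair on the box (crypto key generate rsa) before the ssh access lines take effect.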
ASA 5512 8.6(1) failover via Management0/0
I am configuring a brand new pair of ASA 5512s running 8.6(1). Traditionally we have been using the Management port as the dedicated failover link, but that seems to not be possible on the 5512s.
ASA (config-if)# no management-only
ERROR: It is not allowed to make changes to this option for management interface on this platform.
I have not been able to find anything in the official documentation mentioning this restriction.
Does anybody know if this is indeed the case or if I am just missing something?
Thanks
Joerg Grau
Hi,
I think this is what you are looking for
Management Port Configuration Changes
The ASA 5500-X Series introduced a shared management port for firewall and IPS services. There are certain caveats to follow during migration from the ASA 5500 Series.
• The shared management port cannot be used as a data port. All through-the-box traffic arriving at the management port will be dropped implicitly. This cannot be disabled.
• The shared management port cannot be used as a part of a high availability configuration.
If the ASA management port (M0/0) on the ASA 5500 Series appliance was being used as a data port, the configuration associated with that port should be moved to one of the gigabit data ports numbered above G0/3.
Source:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps6120/guide_c07-727453.html
Though I guess you have to take into consideration when we compare the old ASA5500 Series and the new ASA5500-X that the new series actually has 2 more physical interfaces than all previous corresponding models had.
Though it still might feel a waste of a Gigabit interface in a sense.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
- Jouni -
ASA 5512-X version 9.1 multiple contexts supported?
Hi All,
Could someone please let me know if on the ASA 5512-X virtual contexts are supported with version 9.1?
I found different information on the Cisco web, the ASA datasheet says it is supported but in the configuration guide I found exactly the opposite information.
Cisco ASA Series General Operations CLI Configuration Guide 9.1 and 8.6
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_contexts.html#wp1188797
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
thanks in advance
Best Regards
Frank
Hi,
You find the information in the ASA Configuration Guide section "Licensing Requirements for Multiple Context Mode":
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_contexts.html#wp1188797
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
Licensing Requirements for Multiple Context Mode
ASA 5512-X No support.
Best Regards
Frank