ASA Redundant Interfaces
Hi everybody,
and thanks for a great forum!
I have one ASA and two switches, and I would like the ASA set up with a redundant interface consisting of one physical interface in each switch (VLAN trunked across the two switches). Now... Is it possible to set a preferred active physical interface in this redundant interface bundle? Is there a way to make sure the same interface is always active (both interfaces are working as intended), even after a reboot?
More specifically, I need this so I can decide where to establish my STP root, and always have the most optimal path (again, of course, unless one interface fails).
Cheers
Hi,
I see that you want to configure a redundant interface on the ASA and also need to ensure that the same interface always remains active. Now, the interface which you define first using the 'member-interface' command while configuring the redundant interface will be the active one by default. If you already have it configured and you want to change the active interface, you can use the following command:
To change the active interface, enter the following command:
hostname# redundant-interface redundantnumber active-member physical_interface
Now, if active interface goes down, second one will take over as expected.
Check this link for more info:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838
Hope this answers your question.
Sourav
Similar Messages
-
ASA Redundant interfaces with stack switches
Hi All,
We have two ASA 5510s connected in failover, and a pair of Cisco 2960S switches connected in a stack.
Currently one interface of the primary ASA is terminated on switch1 and an interface from the standby is connected to switch2 as Inside, and switch1 and switch2 are in a stack.
For redundancy purposes I want to use multiple interfaces of the ASA for inside, so first I thought to use EtherChannel, but it has a limitation that it cannot be terminated on a stack switch (as per the Cisco document http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_start.html ).
So my question is :
1. can we use redundant interface feature where 2 physical interfaces combined to a redundant interface (eg interface redundant 1) for inside redundancy purpose.
2. Can these ports from primary/standby ASA terminated on stack switches (2960s), will this work (if the switch with active port goes down, will the other port take over in the redundant interface with the other switch).
I have attached the nw diagram,
Regards,
Ashraf
Hello Ashraf,
1. can we use redundant interface feature where 2 physical interfaces combined to a redundant interface (eg interface redundant 1) for inside redundancy purpose.
Sure, you can. That's the whole purpose of the feature.
2. Can these ports from primary/standby ASA terminated on stack switches (2960s), will this work (if the switch with active port goes down, will the other port take over in the redundant interface with the other switch).
It would make sense if that happens, as the status of the interface will be on a different state than up/up so failover to the other interface will be triggered,
Regards,
Julio -
Hello,
We are looking at upgrading an aging firewall with a Cisco ASA. I have used the ASA before.
We would like to use the ASA in a colocation facility that will have a few site to site vpns. The ASA MUST be able to have redundant interfaces to our switches. Reading through ASA documentation this is possible. (http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838) Can the ASA have redundant links to the same vlans? Will any of our configuration for VPN's, etc have to be setup twice?
Thanks
There are four types of redundancy that one can use on ASAs. The first one you cited, redundant interfaces on a single physical device, is the least common in my experience.
The second is failover - when the ASA is mated with a failover ASA in a high availability configuration. This is the most common usage for customers requiring high availability (HA). That is the most common implementation and has been around since ASA 7.0 software (i.e. a good many years).
The third is to bond your interfaces from a given ASA (or sets of interfaces if you have an HA pair) into an Etherchannel. This has the added advantage of giving you potentially higher throughput. Etherchannel support was introduced in ASA software version 8.4(1).
The fourth and newest method is clustering. It was introduced just last fall in ASA 9.0 and is not very widely adopted just yet. It is primarily for high throughput requirements exceeding a single device's capacity but also gives the added benefit of redundancy.
None of them require you setup things twice configuration-wise. Some file operations (software upgrade, certificate management, VPN profiles (XML files)) need to be copied onto both members in a failover pair or all members in a cluster scenario.
Edit - there is a fifth type specific to VPNs whereby one can configure a secondary VPN gateway for clients, usually at an alternate site. That approach does require setting up everything separately on the ASAs. -
Reg. Redundant interfaces in ASA 8.0
Hi
In ASA 8.0,I have following queries related to redundant interfaces
a)While configuring redundant interface can the redundant interface again be divided into logical interface like red1.1 , red1.2 ?
b)Is Redundant interface supported in the Multiple context mode
Regards
Ankur
Yes Ankur, it is possible.
##snippet##
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
interface Ethernet0/1
 speed 100
 nameif inside
 security-level 100
 ip address 192.168.16.19 255.255.255.128
 ospf network point-to-point non-broadcast
 ospf message-digest-key 123 md5
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif null0
 security-level 50
 ip address 10.2.1.1 255.255.255.0
interface Management0/0
 no nameif
 security-level 0
 no ip address
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Redundant1.1
 vlan 32
 no nameif
 no security-level
 ip address 1.1.1.8 255.0.0.0
Regards,
Sushil -
Redundant Interfaces with Management0/0 on ASA5510
Readers,
Is it possible to configure redundant interfaces on the Management port?
Thanks,
Timothy
Timothy
Normal ASA boxes just have a single management interface.. I really don't feel the need for redundancy here.. If you need one, you can get a failover ASA box, and build up redundancy..
In any case, you have other interfaces like inside, through which you can enable management, like telnet, http etc, if required.. or any other DMZ interface (say network management DMZ)... it's all flexible.. with all these, I really don't see any need for a redundant management port...
Hope this helps.. all the best..
Raj -
ASA Redundant/Dual Connections to the SAME ISP
Is it possible to connect two ports on an ASA to the same ISP for physical port redundancy? I know it's possible to connect to two different ISPs with different subnets, but in this case it would be the same ISP, same subnet. I'm expecting the answer to be 'no' and that I'd have to bring up a 'cold spare' interface should the primary interface go down. The ASA model is either 5520 or 5512-X, and I'd have to go get the software versions if anyone would like that information.
You can't give two ports an IP from the same subnet in the same context no.
But you could either -
1) use etherchannel
or
2) use the redundant interface feature where you use two ports but only one is active and if it fails the other takes over with the same IP address
Jon -
ASA redundant design questions
Hi, thanks for your time and knowledge.
I have a topology like below in the data center and plan to have a fully redundant topology. Currently Primary/Secondary/ASA and another core switch at HQ are running EIGRP. In particular, the ASA is redistributing all IPsec tunnels (around 70 branches) and remote VPN (10.254.50.0/24) to EIGRP. The blue line is internal and the red line is for DMZ. In terms of internal VLANs, they are running through EIGRP, which means that
default gateways for internal vlans are all primary/secondary through HSRP (Virtual IP)
however for DMZ vlan, it is terminated to ASA interface. for example, from server's perspective, default gateway is not primary/secondary switch, but ASA dmz interface. so servers in DMZ are recognizing Primary/Secondary as L2 switch.
Question 1) According to my research, I need to have HSRP between two switches ====== ASAs. Is it right? I can't run EIGRP? If I can't run EIGRP between four devices, I need to make a lots of static route in ASA for branch offices (70 subnet) and remote VPN user (1 subnet)
Q2) I like the left topology because I don't need to set up a redundant interface and it needs fewer cables. Especially, I don't need another IPS sensor (if I choose the right topology, I need one more IPS sensor). Also, we don't have VSS between Primary and Secondary (just a trunk). Do you see any problem with the left topology? I am OK with a couple of minutes of downtime due to device failure.
Q3) Both ASA inside/DMZ/outside ip address should be identical? except failover interface? i.e inside of interface ip is 10.254.5.4 now. then this will be both inside IP for Active/Standby? or I need different ip address for all interfaces?
Thanks.
What are your devices? Router/switches/ASAs? Your pictures are kind of cut off so it is hard to understand your topology.
You need to have two Layer3 devices to run HSRP one will be Primary and one would be Standby. You should be able to run EIGRP on all the devices. -
VPN ASA inside Interface and ip pool are one same Subnet
Hi Everyone,
I have configured RA VPN full tunnel.
Inside interface of ASA is
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
Need to know is it good design to have both on same subnet?
When i access the Switch connecting to VPN ASA inside interface via--https://10.0.0.2
which has IP 10.0.0.2 while using Remote VPN connection to ASA it does not work gives error
message as below
Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)
Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK on interface outside
Current NAT config is
nat (inside,outside) source dynamic any interface
Regards
MAhesh
Message was edited by: mahesh parmar
Hi Mahesh,
It should work but I generally would not suggest having the same network on the LAN and also configured partially as a VPN Pool network.
Your problem at the moment is simply lacking the NAT0 configuration for the traffic between LAN and VPN Pool.
I would suggest changing the VPN Pool first and then configuring this
object network LAN
subnet 10.0.0.0 255.255.255.0
object network VPN-POOL
subnet
nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
We have to use the line number "1" in the above command so that it gets moved to the top since your current Dynamic PAT would otherwise override it.
In the future it would be best if you changed your current Dynamic PAT configuration to this
nat (inside,outside) after-auto source dynamic any interface
We simply add the "after-auto" to this Dynamic PAT configuration so that it gets moved down in priority. The "after-auto" refers to the fact that this NAT will be inserted after Auto NAT (after Section 2). Your current rule is Manual NAT (Section 1). The new rule will be Manual NAT (Section 3).
- Jouni -
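An added example, not part of the thread: a Python check that ties the %ASA-5-305013 denials quoted in the question to a local pool and the destination interface, which is the pair the identity NAT rule in the reply has to cover, and notes whether the pool shares that interface's subnet. The config fragment is constructed from the addresses in the post, and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed config fragment using the addresses quoted in the thread.
CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
"""

# Two 305013 lines and one unrelated line, copied from the post.
LOG = r"""
Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK on interface outside
"""

DENIAL = re.compile(
    r"%ASA-5-305013: .* for \w+ "
    r"src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/\d+(?:\([^)]*\))? "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/\d+ denied")
POOL = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", re.M)


def parse_config(config):
    """Return ({nameif: network}, {pool: [networks covering its range]})."""
    nets, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            try:
                addr = "/".join(line.split()[2:4])
                nets[name] = ipaddress.ip_interface(addr).network
            except ValueError:
                pass  # redacted or DHCP-assigned address
    pools = {}
    for pool, first, last in POOL.findall(config):
        pools[pool] = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets, pools


def missing_exemptions(config, log):
    """Count reverse-path denials per (pool, dst interface, subnet, overlap)."""
    nets, pools = parse_config(config)
    hits = Counter()
    for m in DENIAL.finditer(log):
        sip = ipaddress.ip_address(m["sip"])
        dip = ipaddress.ip_address(m["dip"])
        dnet = nets.get(m["dif"])
        if dnet is None or dip not in dnet:
            continue
        for pool, ranges in pools.items():
            if any(sip in r for r in ranges):
                # overlap=True means the pool sits inside the interface subnet
                overlap = any(r.overlaps(dnet) for r in ranges)
                hits[(pool, m["dif"], str(dnet), overlap)] += 1
    return dict(hits)


if __name__ == "__main__":
    for key, count in missing_exemptions(CONFIG, LOG).items():
        print(key, count)
```

Each key in the result names a pool and destination interface pair that produced denials; the final flag is true when the pool range falls inside that interface's subnet.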
SVC WebVPN (clientless) uses IP pool addressing or ASA inside interface IP
I'm trying to design something which requires ASA to uniquely assign one IP per clientless VPN user. it seems like all these web requests coming through the ASA are proxied via the ASA's inside IP for the source address of the Web request. Does ASA proxy requests through it by changing the VPN client request IP's from a POOL configuration. Or is it always going to use the ASA inside interface IP? Assuming a two NIC configuration (inside/outside)
NOTE: I'm not talking about AnyConnect, IKEV1/2 client based VPN's. I'm specifically talking about the client-free login connection method.
thx in advance,
Will
Hi Will,
Pls move your thread to here
https://supportforums.cisco.com/community/6001/vpn
HTH
Rasika -
Redundancy Interface for Content Server Release 6.x
Third-generation Content Server is UCS C220 (Not Vmware).
I see from TCS Release 6.x Quick Start which cannot use LAN2.
I'm not sure. How to connect LAN for redundancy interface or not because it have many NIC card.
Dual 1-Gb Ethernet ports:
LAN1 (Arrow 7, left pointer)— Use this port to connect the Content Server to the network (also see Figure 3)
LAN2 (Arrow 7, right pointer)— Not used
Hi,
The TCS server supports only single NIC in a deployment. That particular NIC value is used to generate the checksum, which needs to be passed along with the Release keys to bring up the content engine. That is the reason if you connect any other NIC to the network, the content engine will not start.
Also, when the release keys are generated on the license server, it uses the NIC with the lowest value (always the first NIC on the server).
I know it's a complete waste to have so many NICs and use only one. But what can I say, that's the way Cisco designed the server..!!!
Regards,
-Deepti -
Why do we configure the Redundant Interface in CSS Public Face
Hi,
I have a question : Why do we configure the redundant interface in a CSS facing the public side of a CSS.
I understand the need for the interface in the server side though. Please refer to the URL below;
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_810/redundgd/vipredun.htm#wp1063393
This is not a requirement if your vips belong to the public vlan subnet.
But if your vip addresses are from a different subnet, then the upstream router needs a route pointing to the CSS redundant interface ip.
Gilles. -
Ability to ping redundant interface IP address
Hi,
I have this setup for our content switches.
Primary F/W --> Primary CSS --> Local Switches
| |
| |
Secondary F/W --> Secondary CSS --> Local Switches
This is the relevant configuration.
Primary CSS
circuit VLAN4
ip address 192.168.76.4 255.255.255.0
ip virtual-router 4 priority 101 preempt
ip redundant-interface 4 192.168.76.254
Secondary CSS
circuit VLAN4
ip address 192.168.76.5 255.255.255.0
ip virtual-router 4 priority 90
ip redundant-interface 4 192.168.76.254
The problem is that the Secondary F/W can not ping the redundant interface IP address via the secondary path when all devices are in normal mode.
Is this normal?
The ping is occurring for firewall failover checking.
Thanks,
Ben
It should work.
Your diagram does not display very well, so I don't know where are the | links.
What should be the path of traffic from secondary firewall redundant-interface ?
Is the traffic going to 1 CSS and being bridged to the 2nd CSS ?
If that's the case, you need the command 'ip uncond-bridging' on both CSS to force CSS to bridge first and then route.
Regards,
Gilles. -
CSS redundant-interface ping response
Hi,
I just want to ask a simple question:
Should the css11151 respond to ping requests made to a redundant-interface?
If yes, what can be the reason for the redundant interface, not being responding to ping requests?
Thanks in advance,
Regards,
LR
Hi,
Did you ever find a solution to the issue?
I have 11503 and I have same problem, I cannot ping the redundant-interface address from the directly connected switch.
It works for first few seconds when the CSS reboots or interface bounces then stops.
Any ideas?
Thanks -
CSS redundant interface and DNS server
We're attempting to implement a pair of CSS's using redundant ASR and GSLB where the CSS's act as DNS servers.
But I'm not sure if the 2 features are compatible. The CSS's answer DNS queries to their direct interface but not the redundant interface.
Does anyone have any suggestions or work-arounds? We're running version 8.20.
TIA,
Dan
Dan, doing some research I can see that the option to configure the redundant-interface to resolve DNS queries is not included on the CSS 11500 series; this is from the documentation.
On the document for CSS 11000 series that I provided before shows:
Configuration Requirements and Restrictions
The following requirements and restrictions apply to the configuration of this feature.
• You can configure this feature only on Cisco 11000 series CSSs (not 11500)
If I look at the redundant-interface configuration on old CSS 11000 series I see the option for dns:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/v6.10/configuration/advanced/guide/VIPRedun.html#wp1067528
Look at this line:
dns-server - Keyword that enables the CSS to respond to DNS queries destined for the redundant interface IP address. For more information, see the "Configuring a Redundant Virtual Interface to Respond to DNS Requests" section.
On new CSS 11500 series this option is not available:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html#wp1067528
I am trying to find if there is any workaround, but so far it seems that this feature is expected to be missing on the CSS 11500. -
ASA 5505 Interface Security Level Question
I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seems to be working with that. Guests are getting addresses on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
 nameif Guest-VLAN
 security-level 10
 ip address 192.168.22.1 255.255.255.0
 no shutdown
int Ethernet0/1
 switchport trunk allowed vlan 1 5
 switchport trunk native vlan 1
 switchport mode trunk
 no shutdown
below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end
Hi,
To my understanding they should not be able to connect to the more secure network IF you DON'T have an interface ACL configured.
One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" loses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happened is that you have "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
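An added example illustrating the point of this reply (not code from the thread or from Cisco): a Python audit that walks each inbound interface ACL first-match and reports where it lets a lower security-level interface reach the subnet of a higher one. The sample config is constructed from the posted one, the function names are illustrative, and only `ip any <destination>` entries are modelled.

```python
import ipaddress
import re

# Constructed sample, reduced from the configuration posted in the thread.
BROAD_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
interface Vlan5
 nameif Guest-VLAN
 security-level 10
 ip address 192.168.22.1 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
access-group Guest-VLAN_access_in in interface Guest-VLAN
"""
# Same sample with the deny entry from the thread ahead of the permit.
FIXED_CONFIG = BROAD_CONFIG.replace(
    "access-list Guest-VLAN_access_in extended permit",
    "access-list Guest-VLAN_access_in extended deny ip any"
    " 172.16.0.0 255.255.255.0\n"
    "access-list Guest-VLAN_access_in extended permit")

# Assumption: only "ip any <destination>" entries are modelled; entries that
# use objects, services or other sources are skipped here.
ACE = re.compile(r"^access-list (\S+) extended (permit|deny) ip any "
                 r"(any|[\d.]+ [\d.]+)$")
BIND = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse(config):
    """Return (interfaces, acls, bindings) from ASA-style config text."""
    interfaces, acls, bindings, cur = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        word = line.split()
        if line.startswith("interface "):
            cur = {"level": None, "net": None}
        elif cur is not None and line.startswith("nameif "):
            interfaces[word[1]] = cur
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(word[1])
        elif cur is not None and line.startswith("ip address "):
            try:
                cur["net"] = ipaddress.ip_interface("/".join(word[2:4])).network
            except ValueError:
                pass  # redacted or DHCP-assigned address
        elif ACE.match(line):
            name, action, dst = ACE.match(line).groups()
            dst = "0.0.0.0/0" if dst == "any" else dst.replace(" ", "/")
            net = ipaddress.ip_network(dst, strict=False)
            acls.setdefault(name, []).append((action, net))
        elif BIND.match(line):
            acl, ifname = BIND.match(line).groups()
            bindings[ifname] = acl
    return interfaces, acls, bindings


def low_to_high_permits(config):
    """List (source, destination, acl) where an inbound ACL lets a
    lower-security interface reach a higher-security interface subnet."""
    interfaces, acls, bindings = parse(config)
    findings = []
    for src, acl in bindings.items():
        low = interfaces.get(src)
        if low is None or low["level"] is None:
            continue
        for dst, high in interfaces.items():
            if high["net"] is None or high["level"] is None:
                continue
            if high["level"] <= low["level"]:
                continue
            for action, net in acls.get(acl, []):  # first match wins
                if action == "deny" and high["net"].subnet_of(net):
                    break
                if action == "permit" and high["net"].overlaps(net):
                    findings.append((src, dst, acl))
                    break
    return findings
```

Interfaces with no inbound ACL bound are not reported, since the security-level default still governs them.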