Cisco ASA 5520 Failover with DMZ

Similar Messages

• Cisco ASA 5520 traffic between interfaces

  Hello,
  I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
  ciscoasa# ping esx_management 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  ciscoasa# ping home_network 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  Thank you in advance.

  Hi,
  Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
  I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
  packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
  I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
  I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
  Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
  Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
  Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
  Static Identity NAT
  static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  OR
  NAT0
  access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
  nat (home_network) 0 access-list HOMENETWORK-NAT0
  Hope this helps
  - Jouni

• HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

  Hi all!
  we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theorically compatible, we are not going to upgrade it right now.
  We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-pasive cluster with both technologies, Cisco ASA an Cisco ASA-X firewalls? We were said that it should be theorically compatible, but we'd like to know if someone tried before.
  Best regards for all,

  You cannot make a 5520 establish failover with the mate being a 5525-X.
  1. The configuration guide (here) states:
  The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
  2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above.

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• Cisco ASA 5505 Failover issue..

  Hi,
   I am having two firewalls (cisco ASA 5505) which is configured as active/standby Mode.It was running smoothly for more than an year,but last week the secondary firewall got failed and It made my whole network down.then I just removed the connectivity of the secondary firewall and run only the primary one.when I login  by console i found out that the failover has been disabled .So again I connected  to the Network and enabled the firewall.After a couple of days same issue happen.This time I take down the Secondary firewall erased the Flash.Reloaded the IOS image.Configured the failover and connected to the primary for the replication of configs.It found out the Active Mate.Replicated the configs and got synced...But after sync the same thing happened,The whole network gone down .I juz done the same thing removed the secondary firewall.Network came up.I feel there is some thing with failover thing ,but couldnt fin out :( .And the firewalls are in Router Mode.

  Please find the logs...
  Secondary Firewall While Sync..
  cisco-asa(config)# sh failover 
  Failover On 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 06:01:10 GMT Apr 29 2015
  This host: Secondary - Sync Config 
  Active time: 55 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.246): No Link (Waiting)
   Interface inside (10.11.0.20): No Link (Waiting)
   Interface mgmt (10.11.200.21): No Link (Waiting)
  slot 1: empty
  Other host: Primary - Active 
  Active time: 177303 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.247): Unknown (Waiting)
   Interface inside (10.11.0.21): Unknown (Waiting)
   Interface mgmt (10.11.200.22): Unknown (Waiting)
  slot 1: empty
  =======================================================================================
  Secondary Firewall Just after Sync ,Active (primary Firewall got rebootted)
  cisco-asa# sh failover 
  Failover On 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate Unknown
  Last Failover at: 06:06:12 GMT Apr 29 2015
  This host: Secondary - Active 
  Active time: 44 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.246): Normal (Waiting)
   Interface inside (10.11.0.20): No Link (Waiting)
   Interface mgmt (10.11.200.21): No Link (Waiting)
  slot 1: empty
  Other host: Primary - Not Detected 
  Active time: 0 (sec)
  slot 0: empty
   Interface outside (27.251.167.247): Unknown (Waiting)
   Interface inside (10.11.0.21): Unknown (Waiting)
   Interface mgmt (10.11.200.22): Unknown (Waiting)
  slot 1: empty
  ==========================================================================================
  After Active firewall got rebootted failover off,whole network gone down.
  cisco-asa# sh failover 
  Failover Off 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  ===========================================================================================
  Primary Firewall after rebootting
  cisco-asa# sh failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate Unknown
  Last Failover at: 06:17:29 GMT Apr 29 2015
          This host: Primary - Active
                  Active time: 24707 (sec)
                  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
                    Interface outside (27.251.167.246): Normal (Waiting)
                    Interface inside (10.11.0.20): Normal (Waiting)
                    Interface mgmt (10.11.200.21): Normal (Waiting)
                  slot 1: empty
          Other host: Secondary - Failed
                  Active time: 0 (sec)
                  slot 0: empty
                    Interface outside (27.251.167.247): Unknown (Waiting)
                    Interface inside (10.11.0.21): Unknown (Waiting)
                    Interface mgmt (10.11.200.22): Unknown (Waiting)
                  slot 1: empty
  cisco-asa# sh failover history
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:43 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:29 GMT Apr 29 2015
  Negotiation                Just Active                No Active unit found
  06:17:29 GMT Apr 29 2015
  Just Active                Active Drain               No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Drain               Active Applying Config     No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Applying Config     Active Config Applied      No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Config Applied      Active                     No Active unit found
  ==========================================================================
  cisco-asa#
  cisco-asa# sh failover state
                 State          Last Failure Reason      Date/Time
  This host  -   Primary
                 Active         None
  Other host -   Secondary
                 Failed         Comm Failure             06:17:43 GMT Apr 29 2015
  ====Configuration State===
  ====Communication State===
  ==================================================================================
  Secondary Firewall
  cisc-asa# sh failover h
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:32 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:05 GMT Apr 29 2015
  Negotiation                Disabled                   Set by the config command
  ==========================================================================
  cisco-asa# sh failover
  Failover Off
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (down)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  ecs-pune-fw-01# sh failover h
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:32 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:05 GMT Apr 29 2015
  Negotiation                Disabled                   Set by the config command
  ==========================================================================
  cisco-asa# sh failover state
                 State          Last Failure Reason      Date/Time
  This host  -   Secondary
                 Disabled       None
  Other host -   Primary
                 Not Detected   None
  ====Configuration State===
  ====Communication State===
  Thanks...

• Cisco ASA 5520 Crashinfo

  I have cisco asa 5520 firewall in production sudenly yetserday firewall was reboted and crashinfo file was genetrated(check with command show crashinfo)
  But unable to undersatand the terms
  I want to know below thing regarding crashinfo
  1) In asa where crashinfo file stores and file name(please share commnad for checking)
  2) How to copy file from device to machine
  3) How to read that file(any tool any software)

  The crashinfo file ("show crashinfo") is plain text and along with the memory register contents there is a whole long list of other information - running-configuration, interface status and counters, etc. So you can look at it in any text editor or even on the ASA console itself.
  As far as learning from it directly, there is plenty to learn and use without knowing the most detailed possible level of debug information.
  If you want to see some of the tools that are available (and may include some of the crashinfo data), I'd recommend to you a Cisco Live presentation like BRKSEC-3020. You can download that and any other Cisco Live presentations here with a free registration.

• Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

  Hi,
  i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
  I have installed 50 Site-to-Site VPN tunnels, and they work fine.
  but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
  it happens when there is no TRAFIC on, i suspect.
  in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
  this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
  in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
  i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
  Any idea?
  Thanks,
  Daniel

  What is the lifetime value configured for in your crypto policies?
  For example:
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400

• Command to View LDAP Password on Cisco ASA 5520

  Hello
  I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5 to a Cisco ASA 5585. We have LDAP issues logging into to our vpn client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password- encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
  Thanks!
  Matt

  Thankyou Jennifer for the responds.
  Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
  i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
  [454095] sAMAccountName: value = testvendor
  [454095] sAMAccountType: value = 805306368
  [454095] userPrincipalName: value = [email protected]
  [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
  [454095] msNPAllowDialin: value = TRUE
  [454095] dSCorePropagationData: value = 20111026081253.0Z
  [454095] dSCorePropagationData: value = 20111026080938.0Z
  [454095] dSCorePropagationData: value = 16010101000417.0Z
  Is their any other settings that i need to do it on AD ?
  Kindly advice
  Regards
  Shiji

• Older version of openssl in cisco asa 5520

  Hi,
  Recently my security has scanned all the network devices for vulnerabilities and found that cisco asa 5520 , which we use for RAS VPN has older version of openssl. Have  to  check that and fix this problem? FYI, recently we have installed a SSL cert for webmail users.
  Thanks,
  Sridhar

  Sridhar,
  W update OpenSSL libraries on our side quite often, especially if new vulnarabilities are found.
  You can check recently published vulnarabilities in www.cisco.com/go/psirt (not only specific to ASA)
  In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
  Marcin

• Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

  I have enable and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have an Cisco ASA 5520 firewall at work, is there something I need to setup on the device? We want to allow users from
  home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

  Hi,
  Make sure that the required ports are allowed over he device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com
  Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected]

• Cisco ASA 5520 Traffic monitoring

  Hello ,
  We have a Cisco ASA 5520 and im looking for a way to monitor largest outgoing and incoming traffic per ip in real time so to know which of my internal computers are using the most of our Internet Line. Is there a way to this through ADSM ? We use version 6.3.
  Thanks a lot

  Hi,
  I dont think the ASA alone can give you a really clear picture of the real time situation.
  It however should be able to give you some clue and simple statistics on the ASDM Firewall Dashboard
  My ASDM version is 7.1 but it should be there in your version also.

• What is the Cisco ASA 5520's VPN ustility like?

  Hi, I have a Cisco 3015 VPN concentrator, the Web admin tool is really good. We are getting a 2 Cisco 5520 soon in failover mode and I wondered if I should move my site-to-sites to the ASA 5520 and if so how good it the tool for the ASA VPN's as I not seen it yet?

  The VPN capabilities of the ASA are very similar to that of the concentrators. Much of the management interface will have the same look and feel on both appliances. Migrating your L2L VPNs is a matter of preference and will depend on your topology. For me, I prefer to terminate my L2L VPNs into a DMZ and use the ASA to permit/deny traffic into my LAN.

• Cisco ASA 5520s in Cluster Outside interface stops sending traffic

  Hi,
  We are running a Pair of ASA 5520s in active/standby mode.  In the last couple days the active device will just stop communicating on the outside interface.  Because the rest of the interfaces are still up,  it will not fail over, so we have to fail it manually.  The secondary unit works and passes traffic correctly.  We then reboot the Primary. 
  Then after some undetermined time,  it happens again and we have to manually fail it the other way,  reboot the affected ASA and wait for it to happen again.
  We have a case with TAC but they have not been able to figure this one out.  Has anyone else seen this behavior?
  This is the version info:
  Cisco Adaptive Security Appliance Software Version 8.4(7)
  Device Manager Version 7.3(1)100
  Thanks

  Hi,
  There are various possibilities on the ASA device which might be causing this issue:-
  1) Block depletion
  2) Memory depletion
  Other things might be related to the external ISP as well.
  Can we collect some outputs from the ASA device at the time when the issue is seen on the ASA device.
  If you can share the output , i can have a look at it otherwise you can open a TAC case.
  Thanks and Regards,
  Vibhor Amrodia

• Cisco ASA 5520 Crashing, Odd LED's Lit

  I'm having issues with an ASA 5520. We have it setup with another in Active/Standby failover.
  The ASA's act normally in their respective states, then after about 2 hours the primary ASA
  looks as though it's having hardware issues. The power LED is unlit, the Active and Status LED's
  are lit with what looks like green and amber, and the VPN LED is lit with green. All of the
  physical ports become unusable and lose power, even the console port. Upon power cycle the
  ASA boots, will load into primary state, and after another couple hours will crash again. Any help
  or suggestions are greatly appreciated. Thank you in advance.

  I'm having issues with an ASA 5520. We have it setup with another in Active/Standby failover.
  The ASA's act normally in their respective states, then after about 2 hours the primary ASA
  looks as though it's having hardware issues. The power LED is unlit, the Active and Status LED's
  are lit with what looks like green and amber, and the VPN LED is lit with green. All of the
  physical ports become unusable and lose power, even the console port. Upon power cycle the
  ASA boots, will load into primary state, and after another couple hours will crash again. Any help
  or suggestions are greatly appreciated. Thank you in advance.

• Cisco ASA 5520 (asa 8.2) hairpinning

  Hi All,
  We have a ASA 5520 (redundant) in our network which we are using for different customers. For every new customer we create a new VLAN and place their servers in this VLAN. On the ASA we create a new subinterface for every customer which is connected to the corresponding VLAN.
  Most customers get a private ip-range (e.g. 192.168.x.x/24) on which they should configure their servers. Because most customers don't need to be to access eachothers server all VLAN interfaces have the same security-level of 50. I haven't enable the "same-security-traffic permit inter-interface" option, so traffic between those interfaces is blocked, as expected.
  Some customers (e.g. customer A) need public webmail of smtp access to there servers. So we use both NAT and PAT to make that happen.
  So, recently we've got a customer (customer B) who placed their webservers behind our ASA. Because we didn't want to use NAT statements all the time, we dediced to configure a public /29 subnet on their VLAN. Because the website on this customer's servers need to be visible for everybody, we've lowered the security-level of this VLAN interface to 40 (instead of 50) and applied some ACL's. So other customers (e.g. customer A) are also able to reach the websites of customer B. So everything is just working fine.
  Now, customer A decided that they want to run their website on their own servers as well. So, I created a static PAT for TCP 80. So the website is accessible from the outside world. But.....customer B is not able to reach customer A's website on the translated address. So, I've created a second PAT (using the same public address) but this time to customer B's interface. But still, we're not able to reach customer A's website.
  I've also enabled the "same-security-traffic permit intra-interface", but still the website is unreachable to customer B.
  Here's a small drawing of the situation:
  The ip-addresses are, of course, not real.
  Can anybody place help me with this issue?

  That's a very cool command that I didn't know about.
  I see that the packet is drop at phase 7 (NAT-EXEMPT).
  Phase: 7
  Type: NAT-EXEMPT
  Subtype: rpf-check
  Result: DROP
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x74455b60, priority=6, domain=nat-exempt-reverse, deny=false
          hits=61, user_data=0x744558f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip=Cust_B_LAN, mask=255.255.255.240, port=0
          dst ip=Cust_A_LAN, mask=255.255.255.0, port=0, dscp=0x0
  Result:
  input-interface: Cust_B
  input-status: up
  input-line-status: up
  output-interface: Cust_A
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  I seemed that I had a nonat rule messing the communication between these interfaces. After removing it, the traffic was flowing just fine.
  Thanks for your support.
  Ron