Cisco Firewall - Contexts

Hi All
I hope you can help with a number of questions I have around our existing Cisco firewall and the use of Contexts.
We have a router with an inside interface eg A.A.A.A connected to a L2 switch then to a Cisco 5550 firewall. The link in place between the switch and the firewall is a trunk.
The firewall is running in routed context mode already with just 1 context in place (besides admin).
The existing context has a number of logical interfaces assigned to it with incoming traffic to the firewall using a certain vlan on a sub interface 1.182. Sub interface 1.182 is a member of a redundant logical interface on the incoming physical interface 0/0.
There is a route in place on the router forwarding all traffic to an IP address on the firewall within context 1 – eg A.A.A.254 on logical interface 1.182
The problem is that we would now like to create another context on the firewall (context 2).
I’d like to know the best way to complete this task – whether I can re-use the existing incoming logical interface 1.182 that is used in Context1, whether to create another sub interface e.g. 1.183, or alternatively use a completely different physical interface on the firewall and add another Ethernet connection to the switch.
If I can use the same logical interface used in Context 1, from what I have already read I would need to make sure that the MAC address on the new context interface is different to the MAC in context 1?
Can I assign a different IP address to this shared logical interface within my new context2? And does it need to be in the same subnet as already used between the router and the firewall, i.e. A.A.A.A.x – I would suspect so.
Also I guess I would need to put another static route on the router directing my required traffic to my IP address within Context 2?
Please could someone help with some guidance? The problem that I have is that I naturally want to avoid causing any upset to the existing Context1 and how it currently receives its traffic.
thanks

If you are sharing a physical interface among contexts, the recommended practice is to manually assign unique MAC addresses. Reference.
It's not really necessary to use subinterfaces on the ASA unless a single physical interface in a given context is serving multiple logical interfaces. If the upstream device is a router then subinterfaces are used there in your example. If a switch, then a trunk.
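An added configuration example, not from the original thread, for the option of sharing the existing sub-interface between both contexts. It assumes the redundant interface is Redundant1 with sub-interface Redundant1.182 on VLAN 182, that the contexts are named context1 and context2, that context2 takes A.A.A.253 on the same segment as the router and context1, that the network behind context2 is the placeholder 10.2.0.0/24, and that 0200.0000.0002 is a constructed, locally administered MAC address. context1 and its A.A.A.254 address are not touched.

```cisco
! --- ASA system execution space ---
! Sub-interface already exists for context1; shown here for completeness (assumed names)
interface Redundant1.182
 vlan 182
!
! Optional: let the ASA generate unique MACs for every shared interface.
! A manually configured mac-address inside a context takes precedence over this.
mac-address auto
!
! Allocate the SAME sub-interface to the second context (context1 keeps its allocation)
context context2
 allocate-interface Redundant1.182
 config-url disk0:/context2.cfg   ! placeholder path
!
! --- Inside context2 (changeto context context2) ---
interface Redundant1.182
 nameif outside
 security-level 0
 ! Unique MAC so the classifier can deliver frames on the shared interface to this context.
 ! Add "standby <mac>" only if this unit runs active/standby failover.
 mac-address 0200.0000.0002
 ! Own address in the router/firewall subnet; context1 keeps A.A.A.254
 ip address A.A.A.253 255.255.255.0
!
! --- Upstream IOS router ---
! Existing route towards context1 (A.A.A.254) stays; add a second one for context2
ip route 10.2.0.0 255.255.255.0 A.A.A.253
```

Before changing the router's routing, confirm in each context with `show interface` that the two contexts report different MAC addresses on the shared sub-interface; with identical MACs the ASA has to fall back to classifying by destination IP address, which only works when that address is unique to one context.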

Similar Messages

  • Port Forwarding Cisco firewall

    Hi,
On a Cisco Firewall 2900 series
I am trying to use port forwarding
but there is no communication. Please help me.
    Reg
    Manoj.

    : Saved
    : Written by enable_15 at 23:01:39.772 UTC Thu Jan 30 2014
    name 10.10.70.X.40 FinalPdf
    name 201.256.x.x Youfinalip
    interface Ethernet0/0
    nameif YOUB
    security-level 0
    ip address 201.256.x.x.254.82 255.255.255.248
    interface Ethernet0/2
    nameif inside
    security-level 100
    ip address 10.10.70.X.1 255.255.255.0
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service ftp tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq 14147
    object-group service any tcp-udp
    port-object range 1 65535
    object-group service DM_INLINE_TCP_1 tcp
    group-object ftp
    port-object eq ftp-data
    access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 10.70.0.0 255.255.0.0
    access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_access_in extended deny object-group TCPUDP any any eq domain
    access-list inside_access_in extended permit ip any any
    access-list YOUB_mpc extended permit ip any any
    access-list YOUB_access_in extended permit object-group TCPUDP any interface YOUB inactive
    access-list YOUB_access_in extended permit tcp any host Youfinalip object-group ftp
    pager lines 24
    logging enable
    logging emblem
    logging asdm-buffer-size 512
    logging buffered debugging
    logging trap debugging
    logging history debugging
    logging asdm debugging
    logging device-id hostname
    logging debug-trace
    logging ftp-bufferwrap
    logging ftp-server 10.10.70.X.251 firwall/ firwall firwall
    logging class auth trap emergencies asdm emergencies
    mtu YOUB 1500
    mtu SIFY 1500
    mtu inside 1500
    mtu WAN 1500
    mtu management 1500
    ip verify reverse-path interface YOUB
    ip verify reverse-path interface inside
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    asdm location Testpdf 255.255.255.255 inside
    asdm history enable
    arp timeout 14400
    global (YOUB) 1 interface
    global (SIFY) 1 interface
    nat (inside) 0 access-list EXEMPT
    nat (inside) 1 10.10.70.X.0 255.255.255.0 dns
    static (inside,YOUB) tcp Youfinalip ftp Testpdf ftp netmask 255.255.255.255
    access-group YOUB_access_in in interface YOUB
    access-group inside_access_in in interface inside
    route YOUB 0.0.0.0 0.0.0.0 201.256.x.x.254.81 1 track 1
    route inside 0.0.0.0 0.0.0.0 10.10.70.X.1 10
    route WAN 10.60.0.0 255.255.255.0 10.70.100.38 1
    route WAN 192.168.8.0 255.255.255.0 10.70.100.38 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 100
    type echo protocol ipIcmpEcho 4.2.2.2 interface YOUB
    num-packets 3
    frequency 10
    sla monitor schedule 100 life forever start-time now
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    track 1 rtr 100 reachability
    telnet timeout 5
    ssh scopy enable
    ssh 10.10.70.X.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    class-map YOUB-class
    match access-list YOUB_mpc
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    description ftp
    class inspection_default
      inspect dns preset_dns_map
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect ftp
    class class-default
      ips inline fail-open
    policy-map YOUB-policy
    class YOUB-class
      ips inline fail-open sensor vs0
    service-policy global_policy global
    service-policy YOUB-policy interface YOUB
    smtp-server 10.10.70.X.18
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:aace81256bc60bc50469f80cb0c4641a
    : end

  • Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)

    Hello,
I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main websites, we have two contact forms that use a simple HTML form to call a PHP script that uses SMTP as its mailing protocol. Since I am not the network administrator, I don't quite understand how to read the current configuration on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem down is the following: I used a WAMP server to test our scripts with our SMTP server's settings, and was able to successfully send an email out to both my Gmail and workplace accounts. Currently, we have Backup Exec loaded on both of these servers, and when I try to send out an alert I never receive it. I think it is because port 25 is closed on both of those servers. I will be posting our configuration. If anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. Our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please, someone help.
    Thanks,
    Jeff Mateo
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password GFO9OSBnaXE.n8af encrypted
    passwd GFO9OSBnaXE.n8af encrypted
    hostname morrow-pix-ct
    domain-name morrowco.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 12.42.47.27 LI-PIX
    name 172.20.0.0 CT-NET
    name 172.23.0.0 LI-NET
    name 172.22.0.0 TX-NET
    name 172.25.0.0 NY-NET
    name 192.168.10.0 CT-DMZ-NET
    name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
    name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
    name 199.191.128.105 web-dns-1
    name 12.127.16.69 web-dns-2
    name 12.3.125.178 NY-PIX
    name 64.208.123.130 TX-PIX
    name 24.38.31.80 CT-PIX
    object-group network morrow-net
    network-object 12.42.47.24 255.255.255.248
    network-object NY-PIX 255.255.255.255
    network-object 64.208.123.128 255.255.255.224
    network-object 24.38.31.64 255.255.255.224
    network-object 24.38.35.192 255.255.255.248
    object-group service morrow-mgmt tcp
    port-object eq 3389
    port-object eq telnet
    port-object eq ssh
    object-group network web-dns
    network-object web-dns-1 255.255.255.255
    network-object web-dns-2 255.255.255.255
    access-list out1 permit icmp any any echo-reply
    access-list out1 permit icmp object-group morrow-net any
    access-list out1 permit tcp any host 12.193.192.132 eq ssh
    access-list out1 permit tcp any host CT-PIX eq ssh
    access-list out1 permit tcp any host 24.38.31.72 eq smtp
    access-list out1 permit tcp any host 24.38.31.72 eq https
    access-list out1 permit tcp any host 24.38.31.72 eq www
    access-list out1 permit tcp any host 24.38.31.70 eq www
    access-list out1 permit tcp any host 24.38.31.93 eq www
    access-list out1 permit tcp any host 24.38.31.93 eq https
    access-list out1 permit tcp any host 24.38.31.93 eq smtp
    access-list out1 permit tcp any host 24.38.31.93 eq ftp
    access-list out1 permit tcp any host 24.38.31.93 eq domain
    access-list out1 permit tcp any host 24.38.31.94 eq www
    access-list out1 permit tcp any host 24.38.31.94 eq https
    access-list out1 permit tcp any host 24.38.31.71 eq www
    access-list out1 permit tcp any host 24.38.31.71 eq 8080
    access-list out1 permit tcp any host 24.38.31.71 eq 8081
    access-list out1 permit tcp any host 24.38.31.71 eq 8090
    access-list out1 permit tcp any host 24.38.31.69 eq ssh
    access-list out1 permit tcp any host 24.38.31.94 eq ftp
    access-list out1 permit tcp any host 24.38.31.92 eq 8080
    access-list out1 permit tcp any host 24.38.31.92 eq www
    access-list out1 permit tcp any host 24.38.31.92 eq 8081
    access-list out1 permit tcp any host 24.38.31.92 eq 8090
    access-list out1 permit tcp any host 24.38.31.93 eq 3389
    access-list out1 permit tcp any host 24.38.31.92 eq https
    access-list out1 permit tcp any host 24.38.31.70 eq https
    access-list out1 permit tcp any host 24.38.31.74 eq www
    access-list out1 permit tcp any host 24.38.31.74 eq https
    access-list out1 permit tcp any host 24.38.31.74 eq smtp
    access-list out1 permit tcp any host 24.38.31.75 eq https
    access-list out1 permit tcp any host 24.38.31.75 eq www
    access-list out1 permit tcp any host 24.38.31.75 eq smtp
    access-list out1 permit tcp any host 24.38.31.70 eq smtp
    access-list out1 permit tcp any host 24.38.31.94 eq smtp
    access-list dmz1 permit icmp any any echo-reply
    access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
    access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
    access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
    access-list dmz1 permit ip any any
    access-list dmz1 deny ip any any
    access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
    access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
    access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
    access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
    access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
    access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
    access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
    access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
    access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
    access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
    access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
    access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
    access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
    access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
    access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.0
    access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255.248.0
    access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
    access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
    access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
    access-list in1 permit tcp host 172.20.1.21 any eq smtp
    access-list in1 permit tcp host 172.20.1.20 any eq smtp
    access-list in1 deny tcp any any eq smtp
    access-list in1 permit ip any any
    access-list in1 permit tcp any any eq smtp
    access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
    access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
    access-list in2 deny ip host 172.20.1.82 any
    access-list in2 deny ip host 172.20.1.83 any
    access-list in2 permit ip any any
    pager lines 43
    logging on
    logging timestamp
    logging buffered notifications
    logging trap notifications
    logging device-id hostname
    logging host inside 172.20.1.22
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside CT-PIX 255.255.255.224
    ip address inside 172.20.8.1 255.255.255.0
    ip address DMZ 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ctpool 192.168.220.100-192.168.220.200
    ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
    pdm history enable
    arp timeout 14400
    global (outside) 1 24.38.31.81
    nat (inside) 0 access-list nat0
    nat (inside) 1 CT-NET 255.255.0.0 2000 10
    nat (DMZ) 0 access-list nat0-dmz
    static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
    static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
    static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
    static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
    static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
    access-group out1 in interface outside
    access-group dmz1 in interface DMZ
    route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
    route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
    route inside CT-NET 255.255.248.0 172.20.8.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server ct-rad protocol radius
    aaa-server ct-rad max-failed-attempts 2
    aaa-server ct-rad deadtime 10
    aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 173.220.252.56 255.255.255.248 outside
    http 65.51.181.80 255.255.255.248 outside
    http 208.65.108.176 255.255.255.240 outside
    http CT-NET 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community m0rroW(0
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
    crypto dynamic-map dyn_map 20 match address vpn-dyn-match
    crypto dynamic-map dyn_map 20 set transform-set 3des-sha
    crypto map ct-crypto 10 ipsec-isakmp
    crypto map ct-crypto 10 match address vpn-ct-li-gre
    crypto map ct-crypto 10 set peer LI-PIX
    crypto map ct-crypto 10 set transform-set 3des-sha
    crypto map ct-crypto 15 ipsec-isakmp
    crypto map ct-crypto 15 match address vpn-ct-li
    crypto map ct-crypto 15 set peer LI-PIX
    crypto map ct-crypto 15 set transform-set 3des-sha
    crypto map ct-crypto 20 ipsec-isakmp
    crypto map ct-crypto 20 match address vpn-ct-ny
    crypto map ct-crypto 20 set peer NY-PIX
    crypto map ct-crypto 20 set transform-set 3des-sha
    crypto map ct-crypto 30 ipsec-isakmp
    crypto map ct-crypto 30 match address vpn-ct-tx
    crypto map ct-crypto 30 set peer TX-PIX
    crypto map ct-crypto 30 set transform-set 3des-sha
    crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
    crypto map ct-crypto client authentication ct-rad
    crypto map ct-crypto interface outside
    isakmp enable outside
    isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 1
    isakmp policy 30 lifetime 86400
    vpngroup remotectusers address-pool ctpool
    vpngroup remotectusers dns-server 172.20.1.5
    vpngroup remotectusers wins-server 172.20.1.5
    vpngroup remotectusers default-domain morrowny.com

    Amit,
    I applaud your creativity in seeking to solve your problem; however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database: it's just too many layers, in my opinion, where things can go wrong. Two, it seems to me that you are exposing data on your website (with the PHP) that you may not want to expose, and this is an important consideration when you are dealing with emails and privacy and so on.
    I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
    Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up.

  • CSM 3.1, problem with adding a new firewall context

    Hi,
    when trying to add and deploy a new firewall context I get this error message " Please create the interface roles on devices".
    Could you please advise me on this issue?
    Thank you,
    Trond

    You probably need to go under the system context and create the interface and also allocate vlans to it in CSM before you configure the context itself.
    I hope it helps.
    PK

  • Cisco Firewall ASA 5510 series configuration

    Hello folks, I am pursuing a final year project. I have a Cisco firewall ASA 5510 series, 2 unmanageable switches and around 20 related systems. What kind of configuration can I build up for the security protection of the systems I have? Please
    guide me and help us on our platform...
    This topic first appeared in the Spiceworks Community

    Hi satish,
    1. First thing, make sure that the encryption domains are correct, like-for-like on both ends.
    2. Also make sure that the transform set and everything else matches as well. Please double check the crypto map on both ends as well.
    3. If you just added the new subnet to the ACL, it looks like the crypto map is not recognising it. Maybe just rebuild the crypto map or something.
    HTH
    Kishore

  • Connecting a cisco firewall through putty using powershell

    Hi,
    I have to write a powershell script to connect to a cisco firewall and execute network commands.
    My code is written as mentioned below:
    # Wraps PLINK.EXE so a single command can be sent to the firewall over SSH
    function plink {
      [CmdletBinding()]
      param(
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $remoteHost,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $login,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $passwd,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $command
      )
      # Call operator runs the external binary with the given arguments
      & D:\PLINK.EXE -ssh $remoteHost -l $login -pw $passwd $command
      return
    }
    $remoteHost = "*****"
    $login = "****"
    $passwd = "******"
    $command = "enable"
    plink -remoteHost $remoteHost -login $login -passwd $passwd -command $command
    From the above script I'm able to log in to the firewall, but I am not able to enable the firewall.
    Can anyone help me and provide me with a way to enter the command "enable" and its password to enable the firewall using PowerShell?

    Hi Plas,
    Please try the script below, which adds the cmdlet "Invoke-Expression":
    function plink {
      [CmdletBinding()]
      param(
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $remoteHost,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $login,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $passwd,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $command
      )
      $ExePath = "D:\PLINK.EXE"
      # Build the plink argument string and evaluate it as a command line
      $CLine = "-ssh $remoteHost -l $login -pw $passwd $command"
      Invoke-Expression "$ExePath $CLine"
    }
    $remoteHost = "*****"
    $login = "****"
    $passwd = "******"
    $command = "enable"
    plink -remoteHost $remoteHost -login $login -passwd $passwd -command $command
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang

  • Ipad vpn to cisco firewall

    I use Cisco Firewall (pix501) to Cisco Firewall (pix515) VPN to run off site offices.  I am now attempting to connect to my network with an iPad air.  What is needed to connect an iPad air to the Cisco Firewall (pix515)?

    Jags@GSC wrote:
    It appears that my pix515 running at ver 7 might be the issue.
    You didn't bother to mention that you had an issue.  You still haven't explained what you "issue" is. Maybe you should try contacting Cisco support.

  • Throughput towards 5555x from 68k for Firewall contexts

    If you were connecting a 5555x to a 6500, would you use a single port channel with 8 uplinks, or two 4 port etherchannels, with one representing the "out" and one representing the "in"?
    I intend to use ten or more contexts, and in the past have done this with a FWSM, which had a 6 gig etherchannel on the chassis backplane.  I imagine that using one etherchannel would be similar to the FWSM approach.
    Would there be any benefits in using 2 ether channels with a concept of in and out? If so why.  Any design insight at the physical layer would be appreciated.
    Or further to this - would you use 6 ports and keep 1 or 2 ports dedicated for the failover and state interfaces, rather than run these interfaces as sub-interfaces that traverse the switching infrastructure. - Update - have to use 6 links, not 8:
    • If you use an EtherChannel interface for a failover or state link, then to prevent out-of-order packets, only one interface in the EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used. You cannot alter the EtherChannel configuration while it is in use as a failover link. To alter the configuration, you need to either shut down the EtherChannel while you make changes, or temporarily disable failover; either action prevents failover from occurring for the duration.
    • Although you can configure failover and failover state links on a port channel link, this port channel cannot be shared with other firewall traffic.
    I have attached a small diagram to explain the physical / logical differences. (6 interfaces total - as this would be dedicated failover link scenario)

    Hi Nick
    The Cisco recommendation was always to use an even number of ports in the etherchannel because this worked better with their load balancing algorithm but I'm not sure how relevant this is nowadays.
    So leaving that aside personally I would use just one etherchannel between the firewall and the switch.
    The issues with using two that I see are, firstly, unless your traffic patterns are 50/50 in terms of traffic going to and coming from the firewall, you are not going to utilise the links evenly. For example an FTP request is small but the resulting download could be very large, and a fair number of applications work like this.
    Which would mean one etherchannel could be very heavily utilised, if not oversubscribed, while the other one could be just ticking along.
    Secondly if you use two etherchannels a single port failure could have a much more pronounced effect on throughput especially if the etherchannel is the one being utilised more because of traffic direction.
    You don't gain any extra redundancy from having two separate etherchannels so I personally can't see any advantages to it but that doesn't mean there aren't any so happy to discuss if you feel there are.
    Obviously whichever you use spread the ports across modules for maximum redundancy.
    I should say though that I have never done this where I needed that much throughput to a firewall other than using an FWSM which as you say does not have these concerns.
    Edit - I assumed when you referred to in and out you were referring to traffic direction and it was not related to contexts. if I have misunderstood please clarify.
    Jon

  • Cisco Firewall Module 6509

    Hi there,
    I'm encountering a problem uploading a file when passing through the firewall module using a .NET application. Without passing through the firewall module, it only takes about 3 seconds for a 1mb file, however when passing through the firewall module, it takes around 1 minute or more. What settings can be done to resolve this issue?
    The file upload is done via a .NET 2.0 desktop application, and uploading to the server, which is running on IIS port 80.

    Hi Bro
    I don't think this is a FWSM issue, but then again you never know :-) There could be few possibilities,
    a) Is there QOS / MFP configured in your FWSM context?
    b) Is your FWSM overloaded e.g. CPU/Memory Utilization?
    c) How big are these uploaded files (>100Mb)? This is because the FWSM backplane is 5.5Gbps.

  • Cisco firewall rate limited syslogs and MARS

    We're getting a ton of informational packets (tcp build / teardown) from firewalls here.  I can kill this at the source (drop to "notification" level, filter out the build / teardown events, etc.) but would rather not throw this stuff away (good clues in an investigation).
    I can filter this on the MARS side so rules don't fire, but that doesn't address the performance hit at the firewall, or the traffic on the network.
    I can rate limit at the firewall - if I do, will MARS be able to parse this out properly? I.e. if there's a rule that fires on a count of 100, for example, and a firewall that's set to rate limit a certain event to, say, every 200 instances of the event, and a single syslog shows up at MARS with the rate-limited information in the packet, will the MARS rule fire?
    Hope this makes sense - thanks

    What kind of firewall are you running?  ASA?  FWSM?  Something else?
    If you're running an ASA, the ideal solution would be to implement Netflow Secure Event Logging (NSEL).  This feature uses Netflow v9 to handle security event logging along with traffic flow data.  Using NSEL can provide performance improvements over syslog, both on the ASA, and on your network. 
    Part of the configuration process includes a command to disable the redundant syslog types already handled by NSEL.  Many of those are the same types of logs you mentioned (buildups/teardowns, etc).  It's very simple to configure - you can read more about it here, in the ASA 8.2 CLI Configuration Guide:
    Configuring Network Secure Event Logging (NSEL)
    If you're running a FWSM, the same option isn't available.  Instead, you might want to reconsider disabling some of the log types that aren't really providing much benefit relative to the load.  In fact, Cisco themselves recommend disabling some of the more unimportant (but frequent) log types.
    From the "Cisco SIEM Deployment Guide", one of the "Smart Business Architecture" design guides (emphasis mine):
    At logging level Informational, Cisco recommends disabling the following messages, as they are of little interest for SIEM analysis:
        305010: The address translation slot was deleted
        305011: A TCP, UDP, or ICMP address translation slot was created
        305012: The address translation slot was deleted
    To disable these messages, use the following configuration commands:
        no logging message 305010
        no logging message 305011
        no logging message 305012
    For more aggressive tuning, you may also consider disabling the following messages:
        302014: A TCP connection between two hosts was deleted
        302016: A UDP connection slot between two hosts was deleted
    If dynamic Network Address Translation (NAT) is not configured on the appliance, message 302013 (for TCP connection slot creation) can also be disabled.
    So, that's at least 6 possible log types that can be disabled with no impact: 302013, 302014, 302016, 305010, 305011, and 305012.  And that's straight from Cisco's own documentation.
    Now, to expand on that ...
    - if 302016 (UDP teardown) can be disabled, why not 302015 (UDP create)?
    - similarly, what about 302020 and 302021 (ICMP)? Disable those as well?
    Final list:
    302013
    302014
    302015
    302016
    302020
    302021
    305010
    305011
    305012
    In the end, though, only you can determine which options are acceptable for your environment.
    Note: all 3020xx log types listed are disabled automatically during the NSEL configuration process.
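    Before turning any of these message IDs off, it is worth measuring how much of your current syslog volume they actually account for and confirming that the events a SIEM rule depends on (denies, authentication events) are not on the list. The script below is an added example written for this thread, not code from Cisco or from the poster; the syslog lines in it are constructed samples, and the message-ID set is the "final list" from the answer above. It tallies messages per ID, reports what the suppression list would drop and what survives, and emits the corresponding `no logging message` commands, keeping 302013 only when you tell it dynamic NAT is not in use.

```python
"""Estimate the syslog volume removed by the ASA/FWSM 'no logging message'
tuning discussed above. Added example for this thread; the log lines below
are constructed, not captured from a real device."""
import re
from collections import Counter

# Message IDs the SIEM deployment guide (quoted above) calls low-value,
# plus the UDP/ICMP counterparts proposed in the thread's "final list".
SUPPRESS_IDS = {
    "302013", "302014", "302015", "302016", "302020", "302021",
    "305010", "305011", "305012",
}

# Syslog prefix: %ASA-<severity>-<six-digit message id>: <text>
# FWSM and PIX use the same numbering with their own prefix.
SYSLOG_RE = re.compile(r"%(?:ASA|FWSM|PIX)-(\d)-(\d{6}):")

# Constructed sample lines (addresses from documentation ranges).
SAMPLE_LOGS = """\
Jan 10 10:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51000 (203.0.113.5/51000) to dmz:192.0.2.10/80 (192.0.2.10/80)
Jan 10 10:00:02 fw01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/51000 to dmz:192.0.2.10/80 duration 0:00:01 bytes 4096 TCP FINs
Jan 10 10:00:02 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/40000 to outside:203.0.113.1/40000
Jan 10 10:00:03 fw01 %ASA-6-302015: Built outbound UDP connection 12346 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:10.0.0.5/5353 (10.0.0.5/5353)
Jan 10 10:00:04 fw01 %ASA-6-302016: Teardown UDP connection 12346 for outside:198.51.100.53/53 to inside:10.0.0.5/5353 duration 0:00:01 bytes 200
Jan 10 10:00:05 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst dmz:192.0.2.10/22 by access-group "OUTSIDE_IN"
Jan 10 10:00:06 fw01 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.0.0.5/40000 to outside:203.0.113.1/40000 duration 0:00:04
Jan 10 10:00:07 fw01 %ASA-5-111008: User 'admin' executed the 'show logging' command.
"""


def count_message_ids(log_text):
    """Return a Counter of message ID -> occurrences for parsable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def tuning_report(log_text, suppress=SUPPRESS_IDS):
    """Summarise what the suppression list would drop and what survives.

    The surviving IDs are the ones a SIEM correlation rule typically keys
    on (e.g. 106023 ACL denies, 111008 command audit), so if one of them
    ever shows up in 'dropped_ids' the list has been extended too far."""
    counts = count_message_ids(log_text)
    dropped = {mid: n for mid, n in counts.items() if mid in suppress}
    kept = {mid: n for mid, n in counts.items() if mid not in suppress}
    total = sum(counts.values())
    dropped_total = sum(dropped.values())
    return {
        "total": total,
        "dropped": dropped_total,
        "dropped_ids": dropped,
        "kept_ids": kept,
        "reduction_pct": round(100.0 * dropped_total / total, 1) if total else 0.0,
    }


def config_lines(suppress=SUPPRESS_IDS, dynamic_nat_in_use=False):
    """Emit the 'no logging message' commands for the chosen IDs.

    The quoted guide says 302013 (TCP connection build) may only be
    disabled when dynamic NAT is not configured, so it is kept when
    dynamic_nat_in_use is True."""
    ids = set(suppress)
    if dynamic_nat_in_use:
        ids.discard("302013")
    return ["no logging message %s" % mid for mid in sorted(ids)]


if __name__ == "__main__":
    report = tuning_report(SAMPLE_LOGS)
    print("Parsed %d messages, would drop %d (%.1f%%)" %
          (report["total"], report["dropped"], report["reduction_pct"]))
    for mid, n in sorted(report["kept_ids"].items()):
        print("  keep %s x%d" % (mid, n))
    print("\n".join(config_lines(dynamic_nat_in_use=True)))
```

    Run it against an hour of real syslog export instead of SAMPLE_LOGS to get a representative percentage; on the constructed sample, six of the eight messages (75%) fall on the suppression list while the ACL deny and the command-audit message survive.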

  • Standard Operating Procedure For Cisco Firewall

    Hi,
    I want to ask whether Cisco has an SOP for firewalls, because I want to create an SOP for my company.

    My post above includes a link at the word "here". Sometimes they can be hard to see in the posts. Here's the link:
         http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng

  • Natting in cisco firewall ASA

    Hi,
    Currently I am facing a problem with how to do internal NATting for my network.
    How do I NAT my VLAN 116 to VLAN 200 in my ASA firewall?
    Source                        Natted                     Destination
    192.168.116.0/24  -> 192.168.200.0/24  ->   192.168.102.0/24
    Attached is my diagram; I would appreciate it if someone could give me some guidelines.

    Hello,
    The link below will help you for any NAT scenario you want.
    https://supportforums.cisco.com/docs/DOC-9129

  • Convert configuration of Juniper to Cisco Firewall

    Can somebody help me convert the following config of a Juniper router to a Cisco ASA?
    set interfaces ge-0/0/0 description xxxxxxxxxxx
    set interfaces ge-0/0/0 vlan-tagging
    set interfaces ge-0/0/0 mtu 4000
    set interfaces ge-0/0/0 no-gratuitous-arp-request
    set interfaces ge-0/0/0 unit 1 arp-resp unrestricted
    set interfaces ge-0/0/0 unit 1 proxy-arp
    set interfaces ge-0/0/0 unit 1 vlan-id 1
    set interfaces ge-0/0/0 unit 1 family inet address X.X.X.X/25
    set interfaces ge-0/0/0 unit 255 vlan-id 255
    set interfaces ge-0/0/0 unit 255 family inet address X.X.X.X/30
    set interfaces ge-0/0/1 description TUNNEL
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 mtu 4000
    set interfaces ge-0/0/1 no-gratuitous-arp-request
    set interfaces ge-0/0/1 unit 1 arp-resp restricted
    set interfaces ge-0/0/1 unit 1 proxy-arp unrestricted
    set interfaces ge-0/0/1 unit 1 vlan-id 1
    set interfaces ge-0/0/1 unit 1 family inet address X.X.X.X/25
    set interfaces ge-0/0/2 description to-xxxxxxxxxx
    set interfaces ge-0/0/2 vlan-tagging
    set interfaces ge-0/0/2 mtu 4000
    set interfaces ge-0/0/2 unit 556 vlan-id 556
    set interfaces ge-0/0/2 unit 556 family inet address X.X.X.X/30
    set interfaces ge-0/0/2 unit 558 vlan-id 558
    set interfaces ge-0/0/2 unit 558 family inet address X.X.X.X/30
    set interfaces vlan unit 1 proxy-arp unrestricted
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/30 next-hop X.X.X.X
    set routing-options static route 0.0.0.0/0 next-hop X.X.X.X
    set protocols rip receive both
    set protocols rip group xxxxxx neighbor ge-0/0/0.1
    set policy-options policy-statement RIP-export term a from protocol direct
    set policy-options policy-statement RIP-export term a from protocol rip
    set policy-options policy-statement RIP-export term a then accept

    Hello,
    What do the following commands mean, and what is the equivalent on Cisco?
    unit 1 arp-resp unrestricted
    no-gratuitous-arp-request
    unit 1 proxy-arp
    set interfaces vlan unit 1 proxy-arp unrestricted
    The problem is that when we activate proxy ARP on the Cisco ASA 5525-X it didn't work, and I note that proxy ARP is enabled by default.
    Below is the full Juniper configuration:
    set interfaces ge-0/0/0 description Test
    set interfaces ge-0/0/0 vlan-tagging
    set interfaces ge-0/0/0 mtu 4000
    set interfaces ge-0/0/0 no-gratuitous-arp-request
    set interfaces ge-0/0/0 unit 1 arp-resp unrestricted
    set interfaces ge-0/0/0 unit 1 proxy-arp
    set interfaces ge-0/0/0 unit 1 vlan-id 1
    set interfaces ge-0/0/0 unit 1 family inet address 10.10.132.1/25
    set interfaces ge-0/0/0 unit 255 vlan-id 255
    set interfaces ge-0/0/0 unit 255 family inet address 192.168.2.2/30
    set interfaces ge-0/0/1 description Test2
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 mtu 4000
    set interfaces ge-0/0/1 no-gratuitous-arp-request
    set interfaces ge-0/0/1 unit 1 arp-resp restricted
    set interfaces ge-0/0/1 unit 1 proxy-arp unrestricted
    set interfaces ge-0/0/1 unit 1 vlan-id 1
    set interfaces ge-0/0/1 unit 1 family inet address 10.10.132.129/25
    set interfaces ge-0/0/2 description to-BB
    set interfaces ge-0/0/2 vlan-tagging
    set interfaces ge-0/0/2 mtu 4000
    set interfaces ge-0/0/2 unit 556 vlan-id 556
    set interfaces ge-0/0/2 unit 556 family inet address 10.1.6.90/30
    set interfaces ge-0/0/2 unit 558 vlan-id 558
    set interfaces ge-0/0/2 unit 558 family inet address 10.1.6.134/30
    set interfaces vlan unit 1 proxy-arp unrestricted
    set routing-options static route 208.226.76.25/32 next-hop 10.10.132.101
    set routing-options static route 24.201.44.122/32 next-hop 10.10.132.101
    set routing-options static route 216.150.170.90/32 next-hop 10.10.132.101
    set routing-options static route 42.220.13.162/32 next-hop 10.10.132.101
    set routing-options static route 81.247.181.14/32 next-hop 10.10.132.101
    set routing-options static route 10.1.6.128/30 next-hop 10.1.6.89
    set routing-options static route 0.0.0.0/0 next-hop 10.1.6.133
    set protocols rip receive both
    set protocols rip group Group1 neighbor ge-0/0/0.1
    set policy-options policy-statement RIP-export term a from protocol direct
    set policy-options policy-statement RIP-export term a from protocol rip
    set policy-options policy-statement RIP-export term a then accept

  • Guide to chose Cisco Firewall Device.

    Hi!
    I would like to know about firewall device selection. We are a mid-sized business with a network of 5 servers and 15 switches. We are planning to host a web server/database server in house. I need guidance to choose a firewall device that can protect our network while the public can still access our web server securely.
    Your help and comments are really appreciated.
    Thanks,

    Hi,
    Most firewall devices handle those requirements. You may also be concerned with other topics: DDoS attacks, botnet filtering, VPN capability.
    For example, ASA firewalls separate their interfaces by security level. They do not permit traffic from a lower security level to a higher security level unless you explicitly permit specific traffic.

  • Admin Context - Do i need to assign interfaces for Mgmt?

    I am building out 2 virtual firewalls using contexts in an active/active F/O pair, and would like to know if it is necessary to assign at least one interface to the admin context.
    My other contexts will have outside, inside, DMZ and stateful F/O interfaces, and I plan on administering these contexts by SSH to the inside of one of the active firewall contexts.
    Also, from what I am reading I see the system/admin context does AAA, syslog, F/O config, interface allocations, etc. So, in the firewall contexts I assume I don't need to configure AAA, syslog, etc. Is this a correct statement?
    Thanks,
    Mike

    We do not assign interfaces to the admin context, but we do assign interfaces to the other contexts from the admin context. So initially you get only the admin context, from where you allocate interfaces/resources to the other contexts.
    Here are the links for ref-
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Thanks
    Ajay
