Cisco Firewall Module 6509
Hi there,
I'm encountering a problem uploading a file when passing through the firewall module using a .NET application. Without passing through the firewall module, it only takes about 3 seconds for a 1mb file, however when passing through the firewall module, it takes around 1 minute or more. What settings can be done to resolve this issue?
The file upload is done via a .NET 2.0 desktop application, and uploading to the server, which is running on IIS port 80.
Hi Bro
I don't think this is a FWSM issue, but then again you never know :-) There could be few possibilities,
a) Is there QOS / MFP configured in your FWSM context?
b) Is your FWSM overloaded e.g. CPU/Memory Utilization?
c) How big are these uploaded files (>100Mb)? This is because the FWSM backplane is 5.5Gbps.
Similar Messages
-
Ciscoworks Firewall Module Support
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;
mso-fareast-language:EN-US;}
We are using Firewall Modules in our Cat6500(s) (WS-SVC-FWM with FWSM 4.0(4)) to provide centralized firewall services to our users. I have been asked if there is any support for these blades in Ciscoworks. I don’t think these types of blade services have been integrated into Ciscoworks yet. We have the same issue with our wireless blades (WiSM)
I’m mostly interested on the ability to backup context configurations from the Firewall blades.
LMS 3.2 with RME 4.3.1 among others.
Thanks for any information.
Jorge A JilesThe answer is yes, RME 4.3.1 support configuration management with the WS-SVC-FWM
Please refer to this link for a complete list of supported devices and modules.
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/device_support/table/lms32sdt.html
However, there is a enhancement bug opened as well that I think you will be interested in based on
the ability to backup context configurations from the Firewall blades.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl65838
CSCsl65838 Bug Details
Multicontext Firewalls should have ALL contexts archived from admin
Symptom:For firewalls that support multiple contexts, RME does not archive all the context configs if just the admin context IP is in the seedfile.
Conditions:Firewalls that support multiple contexts.
Workaround:Manage each context configuration as an individual, separate device in RME.
Further Problem Description:This capability should be added to RME so that the customer is not required to have IP reachability to each context and individually put that context into RME.All the contexts can be accessed from the Admin context by changeto context system. Then either fetch the configs from the file system (dir) or changeto each context and get its config. -
Dual Cat6k with Firewall module scenario
Hi All,
Does anyone have design guides for Core Cat6k L2/L3 network with Firewall modules in two different chassis ?
Thanks,
PrafulTry:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008048e64c.html
http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guide_chapter09186a00801c589c.html -
ASN Traffic Cisco Ace10 Module
Hello Everyone,
I have a problem here.
I trying configure ASN traffic loadbalance, but doesn't works.
Explanation: I have one Cisco Catalyst 6509 and onde Cisco Ace10 module, in my context "PanWEB" i have the interfaces above:
interface vlan 4(rservers interface)
bridge-group 10
no normalization
no icmp-guard
access-group input all-access
nat-pool 1 172.17.3.254 172.17.3.254 netmask 255.255.255.255 pat(used for others aplications in this context).
service-policy input Access
service-policy input VIP
no shutdown
interface vlan 82(VIP interface)
ip address 10.96.202.4 255.255.255.0
alias 10.96.202.5 255.255.255.0
peer ip address 10.96.202.6 255.255.255.0
no normalization
no icmp-guard
access-group input all-access
service-policy input Access
service-policy input VIP
no shutdown
interface bvi 10
ip address 172.17.2.199 255.255.0.0
peer ip address 172.17.1.199 255.255.0.0
no shutdown
I trying to configure ASN traffic because my application needs original client IP, NAT is not a option in this scenario, my configuration is:
rserver host PANVCTXP308B
ip address 172.17.2.218
inservice
rserver host PANVCTXP308C
ip address 172.17.2.224
serverfarm host SF-PAN-CITRIX
transparent
rserver PANVCTXP308B 80
inservice
rserver PANVCTXP308C 80
inservice
sticky ip-netmask 255.255.255.255 address source sticky_citrix
serverfarm SF-PAN-CITRIX
class-map match-all SLB_CITRIX
2 match virtual-address 10.96.202.10 tcp eq www
policy-map type loadbalance first-match SLB_CITRIX
class class-default
sticky-serverfarm sticky_citrix
policy-map multi-match VIP
class SLB_CITRIX
loadbalance vip inservice
loadbalance policy SLB_CITRIX
loadbalance vip icmp-reply active primary-inservice
If i try to establish a telnet session(telnet 10.96.202.10 80) i see the SYN packet passing through the ACE and going to the real server, but, the server do not response the SYN packet.
I done a capture in the server using wireshark and could see that the IP address of the destination is the VIP and not the rserver ip address , this is a problem? Why can not I have the SYN + ACK from the server?
Thanks a lot!
RafaelHi Kanwaljeet,
BVI interface was already created before this inplementation, i only created interface vlan 82 for add a VIP address in a different subnet, i took the configuration.
The server receive the connection(SYN) with correct ip address from client(10.93.7.25) but, the destination ip adress is 10.96.202.10(VIP Address) and not rserver ip adress, server do not response the packet, to the client, and i see a timeout in the client browser, i do not see SYN ACK.
Topology example:http://3.bp.blogspot.com/_Tdhn-HYCK18/SKGWUzrw0gI/AAAAAAAAAjk/2wR4mjAOn3g/s1600/ASN-simple.gif
http://snippets101.blogspot.in/2008/08/asymmetric-server-normalization-on.html -
Firewall Module with Confiugured HSRP switches
Hello ,
We have implemented HSRP configuration between the core switches for 20 VLANs, as the following:
HSRP Configuration for switch 1;
Interface Vlan4
Description âVLAN Descriptionâ
Ip address 192.168.8.2 255.255.255.0
Standby 5 ip 192.168.8.1
Standby 5 timer 5 15
Standby 5 preempt
HSRP Configuration for switch 2;
Interface Vlan4
Description âVLAN Descriptionâ
Ip address 192.168.8.3 255.255.255.0
Standby 5 ip 192.168.8.1
Standby 5 timer 5 15
Standby 5 priority 50
Standby 5 preempt
Now, Only on the active core switch we have inserted a firewall Module to protect VLANs communication to each other while we dont have firewall on the standby switch. Im planning to implement firewall only on one switch if the VLAN fail the traffic will be diverted on the second switch without firewalling.
Would you please assist me on Firewall configuration when i have HSRP running as per my config.
Regards,HSRP provides two servicesIP redundancy and a Virtual IP (VIP) address. Each HSRP group may provide either or both of these services. Cisco IOS firewall stateful failover uses the IP redundancy services from only one HSRP standby group. It can use the VIP address from one or more HSRP groups. Use the following task to configure HSRP on the outside and inside interfaces of the router.
http://cisco.com/en/US/products/ps6441/products_feature_guide09186a00806106ea.html#wp1149287 -
dear
we are having firewall module in datacenter switch which is not in production i have a task to configure now there are total 80 server which are in difftrent zone
so plz help me how to connfigure using multi context & any documentation to refer and configure
thanksManaging Security Contexts
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 3.1
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg.html
Regards,
Arul -
Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)
Hello,
I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main website, we have two contact forms that use a simple html for to call a php script that uses smtp as its mailing protocol. Since, I am not the network administrator, I don't quite understand how to read the current configurations on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem done is the following: I used a wamp server to test our scripts with our smtp servers settings, was able to successfully send an email out to both my gmail and work place accounts. Currently, we have backupexec loaded on both of these servers, and when I try to send out an alert I never receive it. I think because port 25 is closed on both of those servers. I will be posting our configuration. if anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please someone help.
Thanks,
Jeff Mateo
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password GFO9OSBnaXE.n8af encrypted
passwd GFO9OSBnaXE.n8af encrypted
hostname morrow-pix-ct
domain-name morrowco.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.42.47.27 LI-PIX
name 172.20.0.0 CT-NET
name 172.23.0.0 LI-NET
name 172.22.0.0 TX-NET
name 172.25.0.0 NY-NET
name 192.168.10.0 CT-DMZ-NET
name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
name 199.191.128.105 web-dns-1
name 12.127.16.69 web-dns-2
name 12.3.125.178 NY-PIX
name 64.208.123.130 TX-PIX
name 24.38.31.80 CT-PIX
object-group network morrow-net
network-object 12.42.47.24 255.255.255.248
network-object NY-PIX 255.255.255.255
network-object 64.208.123.128 255.255.255.224
network-object 24.38.31.64 255.255.255.224
network-object 24.38.35.192 255.255.255.248
object-group service morrow-mgmt tcp
port-object eq 3389
port-object eq telnet
port-object eq ssh
object-group network web-dns
network-object web-dns-1 255.255.255.255
network-object web-dns-2 255.255.255.255
access-list out1 permit icmp any any echo-reply
access-list out1 permit icmp object-group morrow-net any
access-list out1 permit tcp any host 12.193.192.132 eq ssh
access-list out1 permit tcp any host CT-PIX eq ssh
access-list out1 permit tcp any host 24.38.31.72 eq smtp
access-list out1 permit tcp any host 24.38.31.72 eq https
access-list out1 permit tcp any host 24.38.31.72 eq www
access-list out1 permit tcp any host 24.38.31.70 eq www
access-list out1 permit tcp any host 24.38.31.93 eq www
access-list out1 permit tcp any host 24.38.31.93 eq https
access-list out1 permit tcp any host 24.38.31.93 eq smtp
access-list out1 permit tcp any host 24.38.31.93 eq ftp
access-list out1 permit tcp any host 24.38.31.93 eq domain
access-list out1 permit tcp any host 24.38.31.94 eq www
access-list out1 permit tcp any host 24.38.31.94 eq https
access-list out1 permit tcp any host 24.38.31.71 eq www
access-list out1 permit tcp any host 24.38.31.71 eq 8080
access-list out1 permit tcp any host 24.38.31.71 eq 8081
access-list out1 permit tcp any host 24.38.31.71 eq 8090
access-list out1 permit tcp any host 24.38.31.69 eq ssh
access-list out1 permit tcp any host 24.38.31.94 eq ftp
access-list out1 permit tcp any host 24.38.31.92 eq 8080
access-list out1 permit tcp any host 24.38.31.92 eq www
access-list out1 permit tcp any host 24.38.31.92 eq 8081
access-list out1 permit tcp any host 24.38.31.92 eq 8090
access-list out1 permit tcp any host 24.38.31.93 eq 3389
access-list out1 permit tcp any host 24.38.31.92 eq https
access-list out1 permit tcp any host 24.38.31.70 eq https
access-list out1 permit tcp any host 24.38.31.74 eq www
access-list out1 permit tcp any host 24.38.31.74 eq https
access-list out1 permit tcp any host 24.38.31.74 eq smtp
access-list out1 permit tcp any host 24.38.31.75 eq https
access-list out1 permit tcp any host 24.38.31.75 eq www
access-list out1 permit tcp any host 24.38.31.75 eq smtp
access-list out1 permit tcp any host 24.38.31.70 eq smtp
access-list out1 permit tcp any host 24.38.31.94 eq smtp
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255
.0
access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.2
55.255.0
access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.
0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.25
5.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.
0
access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255
.248.0
access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
access-list in1 permit tcp host 172.20.1.21 any eq smtp
access-list in1 permit tcp host 172.20.1.20 any eq smtp
access-list in1 deny tcp any any eq smtp
access-list in1 permit ip any any
access-list in1 permit tcp any any eq smtp
access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
access-list in2 deny ip host 172.20.1.82 any
access-list in2 deny ip host 172.20.1.83 any
access-list in2 permit ip any any
pager lines 43
logging on
logging timestamp
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 172.20.1.22
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside CT-PIX 255.255.255.224
ip address inside 172.20.8.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ctpool 192.168.220.100-192.168.220.200
ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
pdm history enable
arp timeout 14400
global (outside) 1 24.38.31.81
nat (inside) 0 access-list nat0
nat (inside) 1 CT-NET 255.255.0.0 2000 10
nat (DMZ) 0 access-list nat0-dmz
static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
access-group out1 in interface outside
access-group dmz1 in interface DMZ
route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
route inside CT-NET 255.255.248.0 172.20.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ct-rad protocol radius
aaa-server ct-rad max-failed-attempts 2
aaa-server ct-rad deadtime 10
aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 173.220.252.56 255.255.255.248 outside
http 65.51.181.80 255.255.255.248 outside
http 208.65.108.176 255.255.255.240 outside
http CT-NET 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community m0rroW(0
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dyn_map 20 match address vpn-dyn-match
crypto dynamic-map dyn_map 20 set transform-set 3des-sha
crypto map ct-crypto 10 ipsec-isakmp
crypto map ct-crypto 10 match address vpn-ct-li-gre
crypto map ct-crypto 10 set peer LI-PIX
crypto map ct-crypto 10 set transform-set 3des-sha
crypto map ct-crypto 15 ipsec-isakmp
crypto map ct-crypto 15 match address vpn-ct-li
crypto map ct-crypto 15 set peer LI-PIX
crypto map ct-crypto 15 set transform-set 3des-sha
crypto map ct-crypto 20 ipsec-isakmp
crypto map ct-crypto 20 match address vpn-ct-ny
crypto map ct-crypto 20 set peer NY-PIX
crypto map ct-crypto 20 set transform-set 3des-sha
crypto map ct-crypto 30 ipsec-isakmp
crypto map ct-crypto 30 match address vpn-ct-tx
crypto map ct-crypto 30 set peer TX-PIX
crypto map ct-crypto 30 set transform-set 3des-sha
crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
crypto map ct-crypto client authentication ct-rad
crypto map ct-crypto interface outside
isakmp enable outside
isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup remotectusers address-pool ctpool
vpngroup remotectusers dns-server 172.20.1.5
vpngroup remotectusers wins-server 172.20.1.5
vpngroup remotectusers default-domain morrowny.comAmit,
I applaud your creativity in seeking to solve your problem, however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database, it's just too many layers, in my opinion, where things can go wrong. Two it seems to me that you are exposing data one your website (with the PHP) that you may not want expose and this is an important consideration when you are dealing with emails and privacy and so on.
I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up. -
Monitoring the Cisco ACE module with SNMP
We use 2 redundant Cisco ACE loadbalancer in our datacenter
The models are ACE20-MOD-K9 with software A2(2.0)
Does anybod know how to monitor the environment (cpu, memory) of such a module with snmp?
We were not able to find an applicable MIB for that module.
The CISCO-PROCESS-MIB.oid (ftp://ftp.cisco.com/pub/mibs/oid/CISCO-PROCESS-MIB.oid) seems not to reflect the correct oid's.
What are the correct oid's for cpu and memory?
Where can I find a detailed documentation for snmp-monitoring the cisco ace module?
thanksHi Patrik,
to monitor the ACE I use these two MIB's:
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SLB-MIB.my
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
Example for CPU:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Normale Tabelle";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
cpmCPUTotalEntry 1.3.6.1.4.1.9.9.109.1.1.1.1
The resource usage and other interesting things you will find with a MIB browser.
Achim -
Port Forwarding Cisco firewall
Hi,
In Cisco Firewall 2900 seires
trying to use port forwarding
but not communication please help me.
Reg
Manoj.: Saved
: Written by enable_15 at 23:01:39.772 UTC Thu Jan 30 2014
name 10.10.70.X.40 FinalPdf
name 201.256.x.x Youfinalip
interface Ethernet0/0
nameif YOUB
security-level 0
ip address 201.256.x.x.254.82 255.255.255.248
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.10.70.X.1 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service ftp tcp
port-object eq ftp
port-object eq ftp-data
port-object eq 14147
object-group service any tcp-udp
port-object range 1 65535
object-group service DM_INLINE_TCP_1 tcp
group-object ftp
port-object eq ftp-data
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 10.70.0.0 255.255.0.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list YOUB_mpc extended permit ip any any
access-list YOUB_access_in extended permit object-group TCPUDP any interface YOUB inactive
access-list YOUB_access_in extended permit tcp any host Youfinalip object-group ftp
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 512
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm debugging
logging device-id hostname
logging debug-trace
logging ftp-bufferwrap
logging ftp-server 10.10.70.X.251 firwall/ firwall firwall
logging class auth trap emergencies asdm emergencies
mtu YOUB 1500
mtu SIFY 1500
mtu inside 1500
mtu WAN 1500
mtu management 1500
ip verify reverse-path interface YOUB
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm location Testpdf 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (YOUB) 1 interface
global (SIFY) 1 interface
nat (inside) 0 access-list EXEMPT
nat (inside) 1 10.10.70.X.0 255.255.255.0 dns
static (inside,YOUB) tcp Youfinalip ftp Testpdf ftp netmask 255.255.255.255
access-group YOUB_access_in in interface YOUB
access-group inside_access_in in interface inside
route YOUB 0.0.0.0 0.0.0.0 201.256.x.x.254.81 1 track 1
route inside 0.0.0.0 0.0.0.0 10.10.70.X.1 10
route WAN 10.60.0.0 255.255.255.0 10.70.100.38 1
route WAN 192.168.8.0 255.255.255.0 10.70.100.38 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 4.2.2.2 interface YOUB
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
track 1 rtr 100 reachability
telnet timeout 5
ssh scopy enable
ssh 10.10.70.X.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
class-map YOUB-class
match access-list YOUB_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description ftp
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
class class-default
ips inline fail-open
policy-map YOUB-policy
class YOUB-class
ips inline fail-open sensor vs0
service-policy global_policy global
service-policy YOUB-policy interface YOUB
smtp-server 10.10.70.X.18
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aace81256bc60bc50469f80cb0c4641a
: end -
Hi All
I hope you can help with a number of questions I have around our existing Cisco firewall and the use of Contexts.
We have a router with an inside interface eg A.A.A.A connected to a L2 switch then to a Cisco 5550 firewall. The link in place between the switch and the firewall is a trunk.
The firewall is running in routed context mode already with just 1 context in place (besides admin).
The existing context has a number of logical interfaces assigned to it with incoming traffic to the firewall using a certain vlan on a sub interface 1.182. Sub interface 1.182 is a member of a redundant logical interface on the incoming physical interface 0/0.
There is a route in place on the router forwarding all traffic to an IP address on the firewall within context 1 – eg A.A.A.254 on logical interface 1.182
The problem is that we would now like to create another context on the firewall (context 2).
I’d like to know the best way to complete this task – whether I can re-use the existing incoming logical interface 1.182 that is used in Context1 or whether to create another sub interface eg 1.183 or alternatively use a completely different physical interface on the firewall and add another Ethernet connection to the switch.
If I can use the same logical interface used in Context 1, from what I have already read then I would need to make sure that the MAC address on the new context interface is different to the MAC in context 1 ?
Can I assign a different IP address to this shared logical interface within my new context2 ? and does it need to be in the same subnet as already used between the router and the firewall ie A.A.A.A.x – I would suspect so.
Also I guess I would need to put another static route on the router directing my required traffic to my IP address within Context 2?
Please could someone help with some guidance? The problem that I have is that I naturally want to avoid causing any upset to the existing Context1 and how it currently receives its traffic.
thanksIf you are sharing a physical interface among contexts, the recommended practice is to manually assign unique MAC addresses. Reference.
It's not really necessary to use subinterfaces on the ASA unless a single physical interface in a given context is serving multiple logical interfaces. If the upstream device is a router then subinterfaces are used there in your example. If a switch, then a trunk. -
Cisco Firewall ASA 5510 series configuration
Hellow folks i am persuing final year project .. then., i am having cisco firewall ASA5510 series and un-managable switches 2 and related system as 20..what kind of configuration can i build up for the security protection to the following systems which i have..please...
guide me and help us in our platform...
This topic first appeared in the Spiceworks CommunityHi satish,
1. First thing make sure that the encryption domains are correct. like -like on both ends
2. Also make sure that the transform set and all matcing as well. please double check the crypto map on both ends as well
2. If you just added the new subnet to the ACL , looks like the crypto map is not recognising it. Maybe just rebuild the crypto map or something
HTH
Kishore -
Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP
Hello Dears,
I'm trying to implement Cache loadbalancing through Cisco ACE Module.
I have 2 Bluecoat cache proxies, when i do configure transparent proxy without spoofing client IP, everything work properly, but when I enable spoofing client IP (reflect client IP address), clients are not able to access internet, although they are going to cache servers, I can see their sessions.
I'm afraid that I have a problem in the returned traffic PBR.
can anyone help please.
ThanksHi Ibrahim
I ahve reviewed the config. The ACE config is all god but I do see some issue with the switch side. If you are doing ip spoofing, then "match ip address" in pbr should be the client ip address. However, what you did is ip address between the ACE and MSFC. Try to configure the test client ip address into the below access-list.
msfc---vlan 265---ACE--vlan 264----CE farm
interface vlan 265
description Interface_With_MSFC_SUBS_2_INTERNET
ip address 168.168.1.52 255.255.255.248
access-group input PERMIT_ALL
service-policy input L3L4_PM
no shutdown
ip route 0.0.0.0 0.0.0.0 168.168.1.50
ip access-list extended HSDPA_2_CACHE
permit tcp 168.168.0.0 0.0.255.255 any eq www <<<-- wrong
ip access-list extended Internet_2_CACHE
permit tcp any eq www 168.168.0.0 0.0.255.255 <<<---wrong
interface Vlan 265
description Interface_With_ACE
ip address 168.168.1.50 255.255.255.248
route-map INTERNET_2_HSDPA permit 10
description "PBR for Response HTTP Traffic"
match ip address Internet_2_CACHE
set ip next-hop 168.168.1.52
route-map HSDPA_2_INTERNET permit 10
match ip address HSDPA_2_CACHE
set ip next-hop 168.168.1.52
regards
Andrew -
Can you Connect Cisco switch modules for to N2K?
I have not seen anything about connecting Cisco Switch modules for Blade Chassis to fex. Does anybody now if you can do that?
thank you.thank you Lucien.
I think you got a right name for N2Ks, a NIC card extender. In my opion N2K should be able to support Blade switches. Not every company has just rack mount servers, most enviroment is mixed. In my case, I run out ports on N5K, but plenty available on N2K. I want add two more blade centers with gig switch modules in them. now I have to buy a N5K!!!. I'm sure Cisco can make N2K to support switches too. -
Firewall Module with HSRP switches
Hello ,
We have implemented HSRP configuration between the core switches for 20 VLANs, as the following:
HSRP Configuration for switch 1;
Interface Vlan4
Description âVLAN Descriptionâ
Ip address 192.168.8.2 255.255.255.0
Standby 5 ip 192.168.8.1
Standby 5 timer 5 15
Standby 5 preempt
HSRP Configuration for switch 2;
Interface Vlan4
Description âVLAN Descriptionâ
Ip address 192.168.8.3 255.255.255.0
Standby 5 ip 192.168.8.1
Standby 5 timer 5 15
Standby 5 priority 50
Standby 5 preempt
Now, Only on the active core switch we have inserted a firewall Module to protect VLANs communication to each other while we dont have firewall on the standby switch. Im planning to implement firewall only on one switch if the VLAN fail the traffic will be diverted on the second switch without firewalling.
Would you please assist me on Firewall configuration when i have HSRP running as per my config.
Regards,The transparent firewall feature greatly simplifies deployment in the data center for protecting hosts. The transparent firewalls also fit into existing networks with no Layer 3 changes and transparently pass Layer 3 traffic from routers, allowing interoperability with IP services such as Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), Gateway Load Balancing Protocol (GLBP), Multicast, and non-IP traffic such as Internetwork Packet Exchange (IPX), Multiprotocol Label Switching (MPLS), and bridge protocol data units (BPDUs).
-
HP J4853A and Cisco SFP Module 100BASE-FX
Hello Everyone!
Will HP J4853A and Cisco SFP Module 100BASE-FX modules be compatible?
Thank you!This is the output from sh interface:
GigabitEthernet0/1 is down, line protocol is down (notconnect)
Hardware is Gigabit Ethernet, address is f029.2950.8119 (bia f029.2950.8119)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Auto-duplex, Auto-speed, link type is auto, media type is 1000BaseLX SFP
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
As you can see the switch detects SFP as 1000BaseLX SFP, however it is 100Base FX
Maybe you are looking for
-
I am locked out of my internal hard drives.
Sorry if I am breaking protocol. This question is for V.K. Ihad been locked out of my internal drives with the exception of my start updrive. All the drives icons had a small lock on them. You had posted how tounlock them. run the following commands
-
I tried to add upgrade but when I put the icon into my Applications there appears a white x on the icon after I have downloaded the upgrade. Sometimes a statement like; You do not have permission to use upgrade? (error message)
-
How to use RIPEMD-160 with CL_ABAP_MESSAGE_DIGEST
Hi *, I want to generate a RIPEMD-160 hash value with CL_ABAP_MESSAGE_DIGEST . I wrote a short test report ( see below ) and with e.g. SHA512'. or MD5 the logic works fine. But it dosn't work with RIPEMD-160 . In the system there is loaded / integrat
-
How to save files to memory card on Nokia 6131
Now that I have a new memory card that works, isn't there a way to set as default saving all images, videos, etc. to the memory card, rather than to the phone memory? I found nothing in the User Guide about this.
-
Confusion with Membership and Billing
I currently have Creative Cloud (Student and Teacher Edition) installed on my laptop for about a year now. I downloaded it through free subscription offered on a website, with a redemption code (thanks to an agreement between my college and Adobe.) F