Cisco Live London

Are you attending Cisco Live London? If so, be sure to stop by the Cisco Designated VIP booth. I’ll be there representing CSC and would enjoy chatting with all attending members. It will be a great opportunity to talk about how we can continue building features and programs that will benefit you, our members.
Cisco Designated VIP booth location: Learning@Cisco Booth #G19
Cheers,
Dan

I am going to drop by!

Similar Messages

Cisco Ironport Suggestions

Hello, hope anyone could help me with this:
I have a customer who actually has an ironport 4255, with license for 1500 users, this device is currently failing performance because my customer has grown in users.
I´d like to know what device i must suggest my customer o what could be a solution.
Thanks a lot for your answers.

I'm not sure what to recommend in terms of new devices, but there are some great suggestions about avoiding performance bottlenecks in the 2013 "Tuning Cisco IPS" session from Cisco Live London which might help:
https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=6052&backBtn=true
-- Jim Leinweber, WI State Lab of Hygiene

Webauth url redirection fail with firewall between host and switch

Hi All,
I noticed some old posts (2012) on this specific issue (thanks Tarik) - this is exactly our problem. Web auth redirect URL gets dropped if stateful firewall is between webauth host and switch management interface. Aaron at Cisco live london kinda hinted about maybe Cisco working on this ? We can't disable stateful inspection
Is there any other solutions or workarounds ?
"Although this approach introduces additional hops in the return path from the switch to the host, it produces negligible load on the default router and intervening infrastructure since only the WebAuth traffic from the switch to the host follows this path. In campus designs that do not use SVIs on the data VLAN,6 a default route is typically already configured. In this case, no additional configuration is required to support WebAuth. However, problems may arise in the case in which traffic to the default router is bridged through a stateful firewall. The original SYN packet in the TCP handshake is consumed by the access switch, so the first packet that the firewall sees is the SYN-ACK packet from the access switch. Stateful firewalls typically drop SYN-ACK packets if they have not seen the original SYN packet.
In this case, you will need to turn off stateful inspection for ports 80 and 443 on the firewall."
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html
Cheers
Peter.

There is workaround i haven't tested which is available from 15.0 i think, which is the option to create svi's on your access layer switches for the guest/user vlans, without actually enabling routing between them, it sounds weird, but i have been told that this combined is a possible woraround, that will cause the switch to use the svi interfaces when responding with the SYN-ACK, thus not being sent to its ip default-gateway.

Discount L-PI12-1.5K-UP (LMS 2.x/3.x to Cisco Prime Infrastructure 1.2 Maj Upg 1500 Device)

Hello everyone,
Last month I was in London (Cisco Live 2013) I have spoken with a Cisco Prime (BU) Specialist. He told me verbally that there is currently a 75% discount for L-PI12-1.5K-UP. Can anyone confirm this and tell me what the part number is?
Thanks !
Gertjan Scharloo

you would need to contact your Cisco Partner/SE to be able to get those details.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered

Ask the Expert: C-Series Integration with Cisco Unified Computing System Manager

Welcome to the Cisco Support Community Ask the Expert conversation. This conversation is an opportunity to learn and ask questions about Cisco C-Series Integration with Cisco Unified Computing System® Manager (Cisco UCS® Manager) with Cisco experts Vishal Mehta and Manuel Velasco.
Cisco UCS C-Series Rack-Mount Servers are managed by the built-in standalone software, Cisco Integrated Management Controller (Cisco IMC). When a C-Series rack-mount server is integrated with Cisco UCS Manager, the IMC no longer manages the server. Instead you will manage the server using the Cisco UCS Manager GUI or Cisco UCS Manager command-line interface (CLI).
Cisco UCS Manager 2.2 provides three connectivity modes for Cisco UCS C-Series Rack-Mount Server management. The following are the connectivity modes:
Dual-wire management (shared LAN On Motherboard [LOM]): Shared LOM ports on the rack server are used exclusively for carrying management traffic.A separate cable connected to one of the ports on the Payment Card Industry Express (PCIe) card carries the data traffic.
SingleConnect (Sideband): Using Network Controller Sideband Interface (NC-SI), the Cisco UCS Virtual Interface Card 1225 (VIC1225) connects one cable that can carry both data and management traffic.
Direct Connect Mode: Cisco UCS Manager Version 2.2 introduces an additional rack server management mode using direct connection to the Fabric Interconnect.
Vishal Mehta is a customer support engineer for Cisco’s Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in the TAC for the past 3 years with a primary focus on data center technologies such as Cisco Nexus® 5000, Cisco UCS, Cisco Nexus 1000V, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching and service provider.
Manuel Velasco is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California. He has been working in the TAC for the past 3 years with a primary focus on data center technologies such as Cisco UCS, Cisco Nexus 1000V, and virtualization. Manuel holds a master’s degree in electrical engineering from California Polytechnic State University (Cal Poly) and CCNA® and VMware VCP certifications. Remember to use the rating system to let Vishal and Manuel know if you have received an adequate response.
Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation in the Data Center, under subcommunity, Unified Computing, shortly after the event. This event lasts through May 23, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

Hello Sebastian,
The different modes of connecting C-Series with UCSM come into play depending on the type of infrastructure you already have along with C-Series and NIC model.
Cisco UCS C-Series Rack-Mount Servers are managed by the built-in standalone software, Cisco Integrated Management Controller (CIMC) .
Powerful features provided by Cisco UCS Manager can be leveraged to manage C-Series server by integrating C-Series Rack-Mount Server with UCSM.
This not only gives you rich-feature set but also one management plane to operate UCS-B Series Chassis and UCS-C Series Rack Server.
You will manage the server using the Cisco UCS Manager GUI or Cisco UCS Manager CLI.
Cisco UCS Manager 2.2 provides three connectivity modes for Cisco UCS C-Series Rack-Mount Server management.
The following are the connectivity modes:
• Dual-wire Management (Shared LOM):
Shared LAN on Motherboard (LOM) ports on the rack server are used exclusively for carrying management traffic. A separate cable connected to one of the ports on the PCIe card carries the data traffic. Using two separate cables for managing data traffic and management traffic is also referred to as dual-wire management.
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c-series_integration/ucsm2-2/b_C-Series-Integration_UCSM2-2/b_C-Series-Integration_UCSM2-2_chapter_0100.html
This mode is recommended when you have C-Server which does not have or cannot support VIC 1225 card (such C-200 server)
• SingleConnect (Sideband):
Using Network Controller Sideband Interface (NC-SI), Cisco UCS VIC1225 Virtual Interface Card (VIC) connects one cable that can carry both data traffic and management traffic.
This feature is referred to as SingleConnect.
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c-series_integration/ucsm2-2/b_C-Series-Integration_UCSM2-2/b_C-Series-Integration_UCSM2-2_chapter_011.html
This most recommended Integration model when using FEX and VIC 1225 card
• Direct Connect Mode:
Cisco UCS Manager release version 2.2 introduces an additional rack server management mode using direct connection to the Fabric Interconnect.
This mode will eliminate the need for FEX module as Servers are directly plugged into the base ports of Fabric Interconnect
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c-series_integration/ucsm2-2/b_C-Series-Integration_UCSM2-2/b_C-Series-Integration_UCSM2-2_chapter_0110.html
Please let us know if you need more information. Thank you!
Thanks,
Vishal

Ask the Expert: Cisco UCS Troubleshooting Boot from SAN with FC and iSCSI

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco UCS Troubleshooting Boot from SAN with FC and iSCSI with Vishal Mehta and Manuel Velasco.
The current industry trend is to use SAN (FC/FCoE/iSCSI) for booting operating systems instead of using local storage.
Boot from SAN offers many benefits, including:
Server without local storage can run cooler and use the extra space for other components.
Redeployment of servers caused by hardware failures becomes easier with boot from SAN servers.
SAN storage allows the administrator to use storage more efficiently.
Boot from SAN offers reliability because the user can access the boot disk through multiple paths, which protects the disk from being a single point of failure.
Cisco UCS takes away much of the complexity with its service profiles and associated boot policies to make boot from SAN deployment an easy task.
Vishal Mehta is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California. He has been working in the TAC for the past three years with a primary focus on data center technologies such as Cisco Nexus 5000, Cisco UCS, Cisco Nexus 1000v, and virtualization. He has presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE certification (number 37139) in routing and switching and service provider.
Manuel Velasco is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California. He has been working in the TAC for the past three years with a primary focus on data center technologies such as Cisco UCS, Cisco Nexus 1000v, and virtualization. Manuel holds a master’s degree in electrical engineering from California Polytechnic State University (Cal Poly) and VMware VCP and CCNA certifications.
Remember to use the rating system to let Vishal and Manuel know if you have received an adequate response.
Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation in the Data Center community, under subcommunity Unified Computing, shortly after the event. This event lasts through April 25, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

Hello Evan
Thank you for asking this question. Most common TAC cases that we have seen on Boot-from-SAN failures are due to misconfiguration.
So our methodology is to verify configuration and troubleshoot from server to storage switches to storage array.
Before diving into troubleshooting, make sure there is clear understanding of this topology. This is very vital with any troubleshooting scenario. Know what devices you have and how they are connected, how many paths are connected, Switch/NPV mode and so on.
Always try to troubleshoot one path at a time and verify that the setup is in complaint with the SW/HW interop matrix tested by Cisco.
Step 1: Check at server
a. make sure to have uniform firmware version across all components of UCS
b. Verify if VSAN is created and FC uplinks are configured correctly. VSANs/FCoE-vlan should be unique per fabric
c. Verify at service profile level for configuration of vHBAs - vHBA per Fabric should have unique VSAN number
Note down the WWPN of your vhba. This will be needed in step 2 for zoning on the SAN switch and step 3 for LUN masking on the storage array.
d. verify if Boot Policy of the service profile is configured to Boot From SAN - the Boot Order and its parameters such as Lun ID and WWN are extremely important
e. finally at UCS CLI - verify the flogi of vHBAs (for NPV mode, command is (from nxos) – show npv flogi-table)
Step 2: Check at Storage Switch
a. Verify the mode (by default UCS is in FC end-host mode, so storage switch has to be in NPIV mode; unless UCS is in FC Switch mode)
b. Verify the switch port connecting to UCS is UP as an F-Port and is configured for correct VSAN
c. Check if both the initiator (Server) and the target (Storage) are logged into the fabric switch (command for MDS/N5k - show flogi database vsan X)
d. Once confirmed that initiator and target devices are logged into the fabric, query the name server to see if they have registered themselves correctly. (command - show fcns database vsan X)
e. Most important configuration to check on Storage Switch is the zoning
Zoning is basically access control for our initiator to targets. Most common design is to configure one zone per initiator and target.
Zoning will require you to configure a zone, put that zone into your current zonset, then ACTIVATE it. (command - show zoneset active vsan X)
Step 3: Check at Storage Array
When the Storage array logs into the SAN fabric, it queries the name server to see which devices it can communicate.
LUN masking is crucial step on Storage Array which gives particular host (server) access to specific LUN
Assuming that both the storage and initiator have FLOGI’d into the fabric and the zoning is correct (as per Step 1 & 2)
Following needs to be verified at Storage Array level
a. Are the wwpn of the initiators (vhba of the hosts) visible on the storage array?
b. If above is yes then Is LUN Masking applied?
c. What LUN number is presented to the host - this is the number that we see in Lun ID on the 'Boot Order' of Step 1
Below document has details and troubleshooting outputs:
http://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-b-series-blade-servers/115764-ucs-san-tshoot-00.html
Hope this answers your question.
Thanks,
Vishal

Ask the Expert: Different Flavors and Design with vPC on Cisco Nexus 5000 Series Switches

Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco® NX-OS.
The biggest limitation to a classic port channel communication is that the port channel operates only between two devices. To overcome this limitation, Cisco NX-OS has a technology called virtual port channel (vPC). A pair of switches acting as a vPC peer endpoint looks like a single logical entity to port channel attached devices. The two devices that act as the logical port channel endpoint are actually two separate devices. This setup has the benefits of hardware redundancy combined with the benefits offered by a port channel, for example, loop management.
vPC technology is the main factor for success of Cisco Nexus® data center switches such as the Cisco Nexus 5000 Series, Nexus 7000 Series, and Nexus 2000 Series Switches.
This event is focused on discussing all possible types of vPC along-with best practices, failure scenarios, Cisco Technical Assistance Center (TAC) recommendations and troubleshooting
Vishal Mehta is a customer support engineer for the Cisco Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in TAC for the past 3 years with a primary focus on data center technologies, such as the Cisco Nexus 5000 Series Switches, Cisco Unified Computing System™ (Cisco UCS®), Cisco Nexus 1000V Switch, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching, and service provider.
Nimit Pathak is a customer support engineer for the Cisco Data Center Server Virtualization TAC team based in San Jose, California, with primary focus on data center technologies, such as Cisco UCS, the Cisco Nexus 1000v Switch, and virtualization. Nimit holds a master's degree in electrical engineering from Bridgeport University, has CCNA® and CCNP® Nimit is also working on a Cisco data center CCIE® certification While also pursuing an MBA degree from Santa Clara University.
Remember to use the rating system to let Vishal and Nimit know if you have received an adequate response.
Because of the volume expected during this event, Vishal and Nimit might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure Community, under the subcommunity LAN, Switching & Routing, shortly after the event. This event lasts through August 29, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

Hello Gustavo
Please see my responses to your questions:
Yes almost all routing protocols use Multicast to establish adjacencies. We are dealing with two different type of traffic –Control Plane and Data Plane.
Control Plane: To establish Routing adjacency, the first packet (hello) is punted to CPU. So in the case of triangle routed VPC topology as specified on the Operations Guide Link, multicast for routing adjacencies will work. The hellos packets will be exchanged across all 3 routers and adjacency will be formed over VPC links
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_L3_w_vpc_5500platform.html#wp999181
Now for Data Plane we have two types of traffic – Unicast and Multicast.
The Unicast traffic will not have any forwarding issues, but because the Layer 3 ECMP and port channel run independent hash calculations there is a possibility that when the Layer 3 ECMP chooses N5k-1 as the Layer 3 next hop for a destination address while the port channel hashing chooses the physical link toward N5k-2. In this scenario,N5k-2 receives packets from R with the N5k-1 MAC as the destination MAC.
Sending traffic over the peer-link to the correct gateway is acceptable for data forwarding, but it is suboptimal because it makes traffic cross the peer link when the traffic could be routed directly.
For that topology, Multicast Traffic might have complete traffic loss due to the fact that when a PIM router is connected to Cisco Nexus 5500 Platform switches in a vPC topology, the PIM join messages are received only by one switch. The multicast data might be received by the other switch.
The Loop avoidance works little different across Nexus 5000 and Nexus 7000.
Similarity: For both products, loop avoidance is possible due to VSL bit
The VSL bit is set in the DBUS header internal to the Nexus.
It is not something that is set in the ethernet packet that can be identified. The VSL bit is set on the port asic for the port used for the vPC peer link, so if you have Nexus A and Nexus B configured for vPC and a packet leaves Nexus A towards Nexus B, Nexus B will set the VSL bit on the ingress port ASIC. This is not something that would traverse the peer link.
This mechanism is used for loop prevention within the chassis.
The idea being that if the port came in the peer link from the vPC peer, the system makes the assumption that the vPC peer would have forwarded this packet out the vPC-enabled port-channels towards the end device, so the egress vpc interface's port-asic will filter the packet on egress.
Differences: In Nexus 5000 when it has to do L3-to-L2 lookup for forwarding traffic, the VSL bit is cleared and so the traffic is not dropped as compared to Nexus 7000 and Nexus 3000.
It still does loop prevention but the L3-to-L2 lookup is different in Nexus 5000 and Nexus 7000.
For more details please see below presentation:
https://supportforums.cisco.com/sites/default/files/session_14-_nexus.pdf
DCI Scenario: If 2 pairs are of Nexus 5000 then separation of L3/L2 links is not needed.
But in most scenarios I have seen pair of Nexus 5000 with pair of Nexus 7000 over DCI or 2 pairs of Nexus 7000 over DCI. If Nexus 7000 are used then L3 and L2 links are required for sure as mentioned on above presentation link.
Let us know if you have further questions.
Thanks,
Vishal

Cisco ASA 5520 Crashinfo

I have cisco asa 5520 firewall in production sudenly yetserday firewall was reboted and crashinfo file was genetrated(check with command show crashinfo)
But unable to undersatand the terms
I want to know below thing regarding crashinfo
1) In asa where crashinfo file stores and file name(please share commnad for checking)
2) How to copy file from device to machine
3) How to read that file(any tool any software)

The crashinfo file ("show crashinfo") is plain text and along with the memory register contents there is a whole long list of other information - running-configuration, interface status and counters, etc. So you can look at it in any text editor or even on the ASA console itself.
As far as learning from it directly, there is plenty to learn and use without knowing the most detailed possible level of debug information.
If you want to see some of the tools that are available (and may include some of the crashinfo data), I'd recommend to you a Cisco Live presentation like BRKSEC-3020. You can download that and any other Cisco Live presentations here with a free registration.

Futures functionalities of Cisco Prime Infrastructure 2.2

Hello,
I don't find anything about this.
I need to know what are the changes of CPI 2.1 to 2.2.
Can someone help me?
Thanks
Regards.

Hi Ricardo
can I suggest you register at Cisco Live ( http://www.ciscolive.com/global/ ) and have a look at the videos and documents they have there. Lots of information.
From the few docs and vids that I have seen, PI 2.2 will have functionality for:
Layer 2 network topology, Enhanced coverage for DataCentre Infrastructure, QoS configuration profiles and more.
hope this gets you started.
cheers
Pierre

Simulator/Emulator for Cisco Nexus 7k, 5k

Do you guys know any good simulator or emulator for Cisco Nexus 7k or 5k ?

There aren't any at the moment. I have heard that Cisco has an internal one that is proprietary and not available to the public. Our only hope is to wait for the release of Cisco's VIRL aka Cisco Modeling Labs and hope that an NX-OS emulator will be included. However, when I was checking it out at this year's Cisco Live the current version did not have one :(
Thank you for rating helpful posts!

Will Cisco Unified Comms succeed against Lync?

When I first started my career in IT I specialized in Novell Netware which was a pretty good product and ruled the marketplace.
Microsoft released Windows NT which was vastly inferior to Netware 4.x but succeeded mainly because it looked like a desktop OS - no scary command line. Novell made some ill-advised decisions (WordPerfect) and now are just a footnote in history.
I am concerned that the same pattern will be repeated with Cisco UC and Microsoft Lync. Over the past year three of my customers have ditched Cisco in favour of Lync. This has not always been successful but seems to be a worrying trend. Has anyone else seen similar? - I first started working with Cisco (in the era of IOS 10.x) to get away from Microsoft. I need to make sure I have the required skills to keep me employed for the 20remaining years of my working life.

Here's the thing, James.
Since 2011, I've noticed the slide of "quality" by Cisco, from the (lack of) QC in IOS codes to the accuracy of documents published by Cisco. It's a worrying trend.
Last year, over at Cisco Live (Melbourne) 2014, one of the speakers told the audience that Cisco has shifted a lot of their developers to help improve Jabber. I was shocked when he said SHIFTED. Shifted from WHERE? Now I'm really scared.
And here's the thing, integrating Jabber to CUCM requires someone with PhD in Deep Space Navigation. As I've mentioned above, documentation is really bad. And then you start throwing systems integrator who knows nothing about the product, the complexity and end-users/company now quietly feel they've been ripped off. By the time they get the systems up and running (at all and if not fully), it's already outdated and needs heaps of patching, upgrade, etc. And by the way, due to the (technical) delays we (system integrators) forgot to get the system into maintenance contract so now client cannot download anything. Really bring bad news to Cisco.
Will UC beat Lync? Depends on who wins in a "race to the bottom". MS needs another cash-cow. If led right, they just might gain traction. Cisco has a few years of "lead" from the race. MS is still trying to replace/get over Steve Balmer's very destructive "stacking" policy.
Interesting, though.
By the way, our organization operates both. So far, we are observing more people going to Lync than Jabber.

Cisco 3945E Maximum Throughput Potential

Hi,
Am looking at purchasing a router that is capable of serving a WAN bearer at up to 1Gbps. The 3945E has had good reviews as a high throughput router but the datasheets suggests performance of 350Mbps. It also states that additional performance can be ensured by adding SPE modules. Does anyone know whether the 3945E could achieve up to 1Gbps with SPE modules?
If the 3945E can't achieve such performance, I would appreciate alternative model suggestions. The key features I am after are:
IPV4 and IPV6 support
L2tpV3 support
BGP
IP SLA
1Gb Copper Connections on-board with capability of at least 4 Ports
Regards
Mike

Have you looked at the new 4451-X ISR?
Supposedly the same pricing as the 3945E, but with 1-2gpbs+ performance.
Also with very low impact when turning on features in comparision with the older ISR routers.
I saw a presentation about it on Cisco Live Virtual.
Edit: Sigh.. replying to a necro thread. :(

How Can i Use two Different Public IP Addresses no my DMZ with ASA Firewall.

How To Using Two Different Public IP Address on My DMZ with ASA 5520
Postado por jorge decimo decimo em 28/Jan/2013 5:51:28
Hi everyone out there.
can any one please help me regarding this situation that im looking for a solution
My old range of public ip address are finished, i mean (the 41.x.x.0 range)
So now i still need to have in my DMZ another two servers that will bring some new services.
Remember that those two server, will need to be accessable both from inside and from outside users (Internet users) as well.
So as i said, my old range of public ip address is finished and we asked the ISP to gives some additional public
ip address to address the need of the two new servers on DMZ. and the ISP gave us the range of 197.216.1.24/29
So my quation is, on reall time world (on the equipment) how can i Use two different public ip address on the same DMZ
on Cisco ASA 5520 v8??
How my configuration should look like?
I was told about implementing static nat with Sub Interfaces on both Router and ASA interface
Can someone please do give me a help with a practical config sample please. i can as well be reached at [email protected]
attached is my network diagram for a better understanding
I thank every body in advance
Jorge

Hi,
So looking at your picture you have the original public IP address range configured on the OUTSIDE and its used for NAT for different servers behind the ASA firewall.
Now you have gotten a new public IP address range from the ISP and want to get it into use.
How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
To get the routing working naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
So you dont really need to change the interface configuration between the Router and ASA at all. You just need a Static route pointing the new public IP address towards the ASA outside IP address.
Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall?This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP addresses range AND then configure the LAN devices correspondingly to the chosen method on the firewall
Do you want to use the public IP addresses DIRECLTY on the ASA OUTSIDE as NAT IP addresses?This would require for you to only start configuring Static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses ofcourse
Of the above ways
The first way is good because the actual hosts will have the public IP addresses. Therefore you wont run into problems with DNS when the LAN users are trying to access the server.
The second way is the one requiring the least amount of configurations/changes on the ASA. In this case though you might run into problem with DNS (to which I refer above) as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from LAN could fail. This is because LAN users cant connect to the servers OUTSIDE NAT IP address (unless you NAT the server to public IP address towards LAN also)
Hopefully the above was helpfull. Naturally ask more specific questions and I'll answer them. Hopefully I didnt miss something. But please ask more
I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
- Jouni

New ASA generation support PBR or no & ISPs links redundancy

Please i need to know if the cisco ASA next generation specially ASA 5515X support PBR or no
If yes please tell me how to implement it , and if no then what is the solution here (any solution if possible please)??????
Also if i have many internet connections and i need to dedicate 2 ISP’s ADSL internet lines to certain service (such as mail) if the 1st fail, so the 2nd line come up to make redundancy with it ----------- Is this available on cisco ASA next generation, please if yes provide me how to implement it or give me any configuration example.

Hi,
To my understanding there is still no official support for PBR on the ASA.
When I was at Cisco Live! 2013 London, they talked about PBR in one session and told it might be coming. On the other hand I heard from elsewhere that its not currently in the plans for ASA. I am not really sure what to believe.
To this date all the solutions related to dividing traffic between different ISP links has had something to do with NAT configurations on the ASA.
I have actually tested a setup on the original ASA5500 series devices with new software and have been able to select the outgoing interfaces of the traffic based on the source address using NAT. I have not implemented this in production environment as I dont know what will happen to it when I next upgrade the device maybe. I rather used methods that are officially supported than rig something to production network.
I am not sure exactly what kind of setup you are trying to implement. Using a 2 ISP setup where only 1 ISP link is active at a time is pretty basic I suppose. There you track the main ISP link and when it fails you move traffic to use the Secondary ISP.
When we implement Dual ISP setups for our customers we naturally have both links connected to our network in separate parts of the core network. Therefore the customer can keep the same public IP address space through both links. Though naturally in these cases the routers in front of the ASAs handle the Primary and Secondary connection routing and not any Cisco firewall. I have never configured an 2 ISP solution using ASA directly in a production enviroment. Its always been handled by the routers in front of the ASA.
So to answer in short, you should be able to configure a Dual ISP setup where 1 of the links is Active on pretty much any ASA model. To my understanding the ASA5505 is perhaps the only limitation but I am not 100% sure.
Here is one (old) basic configuration guide for Dual ISP setup with PIX/ASA
Naturally the NAT configuration format is different but it doesnt really play a big role in this setup
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
- Jouni

ASA VPN QUESTION

Hi All
The question is pretty simple. I can successfully connect to my ASA 5505 firewall via cisco vpn client 64 bit , i can ping any ip address on the LAN behind ASA but none of the LAN computers can see or ping the IP Address which is assigned to my vpn client from the ASA VPN Pool.
The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
I would appreciate some help pls
Here is the config:
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password J7NxNd4NtVydfOsB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.11 EXCHANGE
name x.x.x.x WAN
name 192.168.30.0 VPN_POOL2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address WAN 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
<--- More --->
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nk-acl extended permit tcp any interface outside eq smtp
access-list nk-acl extended permit tcp any interface outside eq https
access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list VPN_NAT outside
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group nk-acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.16 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 217.27.32.196
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 192.168.0.10 interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy customerVPN internal
group-policy customerVPN attributes
dns-server value 192.168.0.10
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customerVPN_splitTunnelAcl
default-domain value customer.local
username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
username xxx attributes
vpn-group-policy TUNNEL1
username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
username xxx attributes
vpn-group-policy PAPAGROUP
username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
username xxx attributes
vpn-group-policy customerVPN
username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
tunnel-group customerVPN type ipsec-ra
tunnel-group customerVPN general-attributes
address-pool VPN_POOL2
default-group-policy customerVPN
tunnel-group customerVPN ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
: end
ciscoasa#

Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
Site-site VPN in multiple context mode was added in 9.0(1) and I have customers have been asking for the remote access features as well.
I will remember to ask about that at Cisco Live next month.

Cisco Live London

Similar Messages

Maybe you are looking for