Design question around slicing up an ASA 5550 and distributing load

When designing an ASA5550 the following document confuses me a bit. http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5550/quick/guide/thru_n.html If I'm trying to slice up this device for multiple customers, I don't see how I can follow this design document unless I set up 2 public interfaces, 1 on slot0 and 1 on slot1, and then have the clients from slot0's public interface have a corresponding interface on slot1. This way the traffic traverses BUS0 and BUS1 as the document explains in the link above. Can I have two public interfaces like this?

According to the document the layout of the network should be such that traffic entering from slot0 should leave from slot1 and vice versa. This means that all connections should be redundant and connected to both of the buses. This design is for internal networks and not for Internet connections.

Similar Messages

  • Site to site VPN between cisco asa 5550 and checkpoint r75

    Hi all ,
    below is cisco asa config for our customer end:
    crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto isakmp policy 10
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 86400
    What should I configure on Checkpoint for the first phase and second phase?
    Regards,
    Suhail

    In the Checkpoint VPN community, the default setting for phase 1 is 86400 seconds, so you're good there. The Phase II default is 28,800, so you need to edit the parameter and change it to 3600. The rest is the same as Cisco, with the exception of the lifetime in kilobytes, which CP does not have.
    Easy right?
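    A way to make the phase 1 / phase 2 comparison the reply describes mechanical, as an added example that is not part of the thread or of any vendor tool: parse the ASA lines quoted in the question and compare them with the peer's proposals, modelled here as a plain dict. The Check Point lifetimes (86400 s for phase 1, 28800 s for phase 2) are the values the reply gives; everything else in CHECKPOINT is a constructed example of an otherwise matching configuration.

```python
"""Compare an ASA's IKE/IPsec proposals with a peer's configured values.

Added example for this thread; not from the original post or a vendor
tool. ASA_CONFIG is the text quoted in the question; CHECKPOINT is a
constructed model of the Check Point side, with only the phase 2
lifetime left at the 28800 s default mentioned in the reply.
"""
import re

ASA_CONFIG = """\
crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
"""

CHECKPOINT = {
    "phase1": {"authentication": "pre-share", "encryption": "3des",
               "hash": "sha", "group": 2, "lifetime": 86400},
    "phase2": {"encryption": "esp-aes-256", "integrity": "esp-sha-hmac",
               "lifetime_seconds": 28800},
}


def parse_asa_crypto(text):
    """Extract phase 1 (isakmp policy) and phase 2 (ipsec) parameters."""
    phase1, phase2 = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set \S+ (\S+) (\S+)$", line)
        if m:
            phase2["encryption"], phase2["integrity"] = m.groups()
            continue
        m = re.match(r"crypto ipsec security-association lifetime "
                     r"(seconds|kilobytes) (\d+)$", line)
        if m:
            phase2["lifetime_" + m.group(1)] = int(m.group(2))
            continue
        # Sub-commands of 'crypto isakmp policy N' are indented one level.
        m = re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)
        if m:
            key, val = m.groups()
            phase1[key] = int(val) if val.isdigit() else val
    return {"phase1": phase1, "phase2": phase2}


def compare_proposals(local, peer):
    """Return (phase, parameter, local_value, peer_value) tuples that differ.

    A parameter the peer cannot express (Check Point has no kilobyte
    lifetime) is reported with the peer value 'absent' so that it is
    reviewed rather than silently ignored.
    """
    report = []
    for phase in ("phase1", "phase2"):
        for key, local_val in sorted(local[phase].items()):
            peer_val = peer[phase].get(key)
            if peer_val is None:
                report.append((phase, key, local_val, "absent"))
            elif peer_val != local_val:
                report.append((phase, key, local_val, peer_val))
    return report


if __name__ == "__main__":
    for phase, key, ours, theirs in compare_proposals(parse_asa_crypto(ASA_CONFIG), CHECKPOINT):
        print(f"{phase}: {key} local={ours} peer={theirs}")
```

    Running it against the values from the thread reports only the two phase 2 lifetimes: the 3600 s versus 28800 s mismatch the reply tells you to fix, and the kilobyte lifetime that the peer has no equivalent for. The peer dict can be filled from whatever the other side actually exports; the parser is the part worth keeping, because it is the ASA output that is hardest to eyeball.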

  • Design question - 1 source (sync) -- 2 receivers (sync and async)

    Hi All,
    What are the options available to design following scenario:
    Message (material update) sent to XI from 3rd party system, XI will update material synchronous calling BAPI in SAP, response will be sent back to 3rd party. The same message (material update) needs to be updated in SQL DB asynchronously.
    Do we need to use BPM for the above scenario (SystemA <> XI <> SAP and same message from SystemA -->XI --> SQL DB)???
    If I need to use BPM What are the steps to be used in BPM??
    Can we do this without BPM?? What is the procedure??
    Thx
    N@v!n

    Ahmad,
    I think that for 1:n scenarios, if you have synchronous receiver interfaces, you'll need BPM for that. That happens because XI won't be able to decide which receiver response message will actually be mapped back to the sender response. However, I'm not sure it won't work for a 1:2 scenario, if you have 1 sync and 1 async receiver interface. Theoretically, it could work. You'll have to test it in order to be sure. If you get a "TOO_MANY_RECEIVERS" error then it is like I said: it won't process 1:n with sync interfaces.
    Kumar,
    as for the BPM, you don't necessarily have to have transformation steps inside BPM; you can normally perform mappings at interface determination runtime (given that your interfaces are unique for each send step inside BPM). The steps you really need inside BPM are:
    1. receive step in "open sync/async bridge" mode;
    2. send step in synchronous mode (for receiver RFC);
    3. send step in asynchronous mode (for receiver JDBC);
    4. send step in "close sync/async bridge" mode.
    Regards,
    Henrique.

  • ASA 5550 RESET

    I have an ASA 5550 and the console port suddenly stopped allowing me to console in, and the management port no longer allows me to console in either. So there is no question: the network cables and console cables work fine on other ASAs and network devices. I tried to reset the device by pushing the reset button but it doesn't appear to do anything, even after I reboot. Any help would be appreciated.

    Hello Marco,
    At this point it looks more like a hardware failure. Do you see the ASA lights green?
    If you don’t have console access you may need to get a replacement unit via TAC or your reseller.
    Regards,
    Juan Lombana
    Please rate helpful posts.

  • Design question: Scheduling a Variable-timeslot Resource

    I originally posted this in general Java programming, because this seemed like a more high-level design discussion. But now I see some class design questions. Please excuse me if this thread does not belong here (this is my first time using the forum, save answering a couple of questions).
    Forum,
    I am having trouble determining a data structure and applicable algorithm (actually, even more general than the data structure -- the general design to use) for holding a modifiable (but more heavily read/queried than updated), variable-timeslot schedule for a given resource. Here's the situation:
    Let's, for explanation purposes, say we're scheduling a school. The school has many resources. A resource is anything that can be reserved for a given event: classroom, gym, basketball, teacher, janitor, etc.
    Ok, so maybe the school deal isn't the best example. Let's assume, for the sake of explanation, that classes can be any amount of time in length: 50 minutes, 127 minutes, 4 hours, 3 seconds, etc.
    Now, the school has a base operation schedule, e.g. they're open from 8am to 5pm MTWRF and 10am to 2pm on saturday and sunday. Events in the school can only occur during these times, obviously.
    Then, each resource has its own base operation schedule, e.g. the gym is open from noon to 5pm MTWRF and noon to 2pm on sat. and sun. The default base operation schedule for any resource is the school which "owns" the resource.
    But then there are exceptions to the base operation schedule. The school (and therefore all its resources) are closed on holidays. The gym is closed on the third friday of every month for maintenance, or something like that. There are also exceptions to the available schedule due to reservations. I've implemented reservations as exceptions with a different status code to simplify things a little bit: because the basic idea is that an exception is either an addition to or removal from the scheduleable times of that resource. Each exception (reservation, closed for maintenance, etc) can be an (effectively) unrestricted amount of time.
    Ok, enough set up. Somehow I need to be able to "flatten" all this information into a schedule that I can display to the user, query against, and update.
    The issue is complicated more by recurring events, but I think I have that handled already and can make a recurring event be transparent from the application point of view. I just need to figure out how to represent this.
    This is my current idea, and I don't like it at all:
    A TimeSlot object, holding a beginning date and ending date. A data structure that holds list of TimeSlot objects in order by date. I'd probably also hold an index of some sort that maps some constant span of time to a general area in the data structure where times around there can be found, so I avoid O(n) time searching for a given time to find whether or not it is open.
    I don't like this idea, because it requires me to call getBeginningDate() and getEndDate() for every single time slot I search.
    Anyone have any ideas?

    If I am correct, your requirement is to display a schedule, showing the occupancy of a resource (open/closed/used/free and other kind of information) on a time line.
    I do not say that your design is incorrect. What I state below is strictly my views and should be treated that way.
    I would not go by time-slot, instead, I would go by resource, for instance the gym, the class rooms (identified accordingly), the swimming pool etc. are all resources. Therefore (for the requirements you have specified), I would create a class, lets say "Resource" to represent all the resources. I would recommend two attributes at this stage ("name" & "identifier").
    The primary attribute of interest in this case would be a date (starting at 00:00hrs and ending at 24:00hrs.), a span of 24hrs broken to the smallest unit of a minute (seconds really are not very practical here).
    I would next encapsulate the availability factor, which represents the concept of availability in a class, for instance "AvailabilityStatus". The recommended attributes would be "date" and "status".
    You have mentioned different statuses, for instance, available, booked, closed, under maintenance etc. Each of these is a category. Let us say, numbered from 0 to n (where n<128).
    The "date" attribute could be a java.util.Date object, representing a date. The "status", is byte array of 1440 elements (one element for each minute of the day). Each element of the byte array is populated by the number designation of the status (i.e, 0,1,2...n etc.), where the numbers represent the status of the minute.
    The "Resource" class would carry an attribute of "resourceStatus", an ordered vector of "ResourceStatus" objects.
    The object (all the objects) could be populated manually at any time, or the entire process could be automated (that is a separate area).
    The problem of representation is over. You could add any number of resources as well as any number of status categories.
    This is a simple solution, I do not address the issues of querying this information and rendering the actual schedule, which I believe is straight forward enough.
    It is recognized that there are scope for optimizations/design rationalization here, however, this is a simple and effective enough solution.
    regards
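    The per-minute status array the reply proposes, carried through as an added example (not code from either poster): one 1440-byte array per resource per day, a status code in each element, base hours flattened into the array on first access, and reservations and closures written over it as exceptions. The status codes, the Gym sample data and the query helpers are constructed for illustration.

```python
"""Per-minute availability arrays for a schedulable resource.

Added example implementing the design from the reply: an
AvailabilityStatus holds a date and a 1440-element byte array (one
status code per minute); a Resource holds an ordered map of those days.
Status codes, sample data and query helpers are constructed here and
are not from the thread.
"""
from datetime import date

CLOSED, OPEN, RESERVED, MAINTENANCE = range(4)   # status categories, n < 128
MINUTES_PER_DAY = 24 * 60


def hm(hours, minutes=0):
    """Minute-of-day for a wall-clock time."""
    return hours * 60 + minutes


class AvailabilityStatus:
    """One day of a resource: a date plus one status byte per minute."""

    def __init__(self, day):
        self.date = day
        self.status = bytearray(MINUTES_PER_DAY)   # all CLOSED initially

    def mark(self, start, end, code):
        """Set the status of the half-open minute range [start, end)."""
        if not 0 <= start < end <= MINUTES_PER_DAY:
            raise ValueError("range must lie within the day")
        self.status[start:end] = bytes([code]) * (end - start)

    def is_free(self, start, end):
        return all(b == OPEN for b in self.status[start:end])

    def free_slots(self):
        """Return the maximal OPEN runs as [(start, end), ...]."""
        slots, run_start = [], None
        for minute, b in enumerate(self.status):
            if b == OPEN and run_start is None:
                run_start = minute
            elif b != OPEN and run_start is not None:
                slots.append((run_start, minute))
                run_start = None
        if run_start is not None:
            slots.append((run_start, MINUTES_PER_DAY))
        return slots


class Resource:
    def __init__(self, name, identifier, base_hours):
        """base_hours maps weekday (0 = Monday) to (open_minute, close_minute)."""
        self.name, self.identifier = name, identifier
        self.base_hours = base_hours
        self.days = {}                       # date -> AvailabilityStatus

    def day(self, d):
        """Flatten the base operation schedule into the day's array on first access."""
        if d not in self.days:
            status = AvailabilityStatus(d)
            hours = self.base_hours.get(d.weekday())
            if hours:
                status.mark(hours[0], hours[1], OPEN)
            self.days[d] = status
        return self.days[d]

    def add_exception(self, d, start, end, code):
        """A reservation, a closure, or OPEN to add hours outside the base schedule."""
        self.day(d).mark(start, end, code)

    def query(self, d, start, end):
        return self.day(d).is_free(start, end)


def build_gym():
    """Constructed sample: gym open 12-17 Mon-Fri, 12-14 Sat/Sun, with two exceptions."""
    weekday = {wd: (hm(12), hm(17)) for wd in range(5)}
    weekend = {5: (hm(12), hm(14)), 6: (hm(12), hm(14))}
    gym = Resource("Gym", "gym-1", {**weekday, **weekend})
    friday = date(2024, 3, 15)
    gym.add_exception(friday, hm(12), hm(13), MAINTENANCE)
    gym.add_exception(friday, hm(14), hm(16, 7), RESERVED)   # a 127-minute class
    return gym, friday


if __name__ == "__main__":
    gym, friday = build_gym()
    print(gym.name, friday, gym.day(friday).free_slots())
```

    Querying a range is a slice scan rather than a search through TimeSlot objects, which is the point of the byte-array layout; the cost is 1440 bytes per resource per day and the fact that status is written destructively, so an exception that should be reversible needs to be re-derived from the base hours rather than un-marked.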

  • Basic Design Question - Firewall Router segment

    I'm at a new place and have to re-do the current lan.  Small office, 80-100 users. Existing setup is flat network, no QoS, no VLANs.  I have already replaced an older PIX with a new ASA (5525x) and added a DMZ.  
    I am currently trying to draw up a proposed design which currently will be a single firewall, multiple VLANs (user, server, voice, guest). My question is regarding the link between the core router (L3 switch, whatever) and the firewall. I'm thinking the correct setup is to have a separate /30 subnet on the interfaces between the firewall and router as below, and then the router will just have a default route of 0.0.0.0 0.0.0.0 10.1.100.2. Is this correct?
    Internet-------Firewall-(10.1.100.2/30)----------------------------(10.1.100.1/30) --Router ----(10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, etc)                 
    Thanks,

    Your design is good. But as for the subnet between the core (router or L3 switch; switch preferred) and the edge FW, I suggest something a little larger than a /30, like a /28. You may want to add a standby FW in a few months or years, or a new WAN connection to that 'demarc' subnet at some point. It's good practice to leave some room for growth, even if you don't foresee it right now.
    ==========================
    http://www.rConfig.com 
    A free, open source network device configuration management tool, customizable to your needs!
    - Always vote on an answer if you found it helpful

  • Design questions - beginner

    Hello,
    I'm just getting started with BDB XML and the resources here have been very helpful. To play around with it, I imported 100,000 records from my relational db into BDB XML. I imported it as one document that sort of looks like this:
    <people>
    <person><name>John</name><age>22</age></person>
    <person>..</person>
    ...100k times
    </people>
    Querying this database using dbxml.exe has been extremely slow, even after using indexes. So, I have the following questions:
    1. Should I import it as a single document containing 100k children, or is it better to import it as 100k different documents?
    2. Are there any resources available for best practices in designing the XML database, especially from the PoV of a relational database designer?
    Thanks
    Amit

    Amit,
    Using the correct indexes and release 2.3.10 your performance should be reasonably good even with a single, large document. In general, it can be better to use individual documents, especially if you want to add/remove them individually. If there is no need to keep them as one document, I'd recommend using separate documents.
    Also, if you want better answers on tuning queries, you need to provide more information, such as the indexes you've declared and the queries you are using.
    Regards,
    George

  • ISE Design Question

    I have few design questions regarding ISE v.1.0.4.573
    Do the ISE 3395 gigabit ports support link aggregation? How can I utilize all 4 ports for uplink?
    When doing a standalone HA setup of 2x3395, Is there a heartbeat link between the two ISE or they will use the same uplink to the network for heartbeat and synchronizing?
    I am designing ISE with WLC. My WLC (5508) setup is like 5 floors having different Vlans but same SSID. How can i make ISE authenticate in this scenario since WGB AP is not supported in ISE v.1.0. Is there a work around for this type of WiFi setup in ISE?
    Continuing from the above setup, while roaming from one floor to another floor after changing Vlan, the user will re-authenticate or use the same session?
    Thanks for the help.
    Regards,
    Zohaib

    1. The current version does not support link aggregation.
    2. They will use the same uplink to the network for heartbeat and synchronizing.
    3. My suggestion is to assign your SSID an interface group, containing all interfaces belonging to your VLANs, on your WLC and set AAA override. Then, in ISE, create authorization profiles which include the appropriate VLAN. Use the RADIUS attribute Called-Station-ID with your AP MAC address as the condition.
    4. They will use the same session.

  • Web design questions (Was: A number of questions..)

    Ok so!
    What fonts are known to go well together when making banners or headers? I have been messing around with a lot of fonts and im really just looking for some new ones!
    I know this question really depends on the banner itself but what is a recommended size of a font when making a header? lets say 860x250 ?
    Are there any real kind of "must nots" when designing banners?
    When Placing text onto A banner where is the usual place you would see it? I know it changes from site to site but from just looking around a lot of text seems to be in the left bottom corner, is this a norm of some sort?
    Are there any known font combinations which would go together well when making a full webpage? As in fonts for the sidebar, content area, footer etc, any combinations?
    Thank you very much!

    You are asking design questions, but most web designers, including those who frequent this forum, have no design expertise.
    Your questions are good, but incomplete. The right typeface and size depends on the impression you are trying to create. For instance, you wouldn't want to use the typeface "Comic" for a website selling financial services.
    Many corporations have lengthy documents detailing their identity for graphic design and advertising. Such documents define which typefaces may be used where, and how. Assuming that you don't have such a document to work with for the creation of this web banner, think about the business, organization (or whatever) the website is for. Should it convey conservative dependability? Edginess? Family friendliness? The typefaces you choose should take such qualities into consideration.
    There's no definite answer to any of the questions you have asked. But that's OK. You should research websites that create the kind of impression you want to make and study how they accomplish it.

  • ASA 5550 failover configuration

    I have two identical ASA 5550 firewalls that I need to set up for Active/Standby failover so I can then upgrade them with zero downtime. I am running them in single, routed mode so I would have to configure failover for Active/Standby. Can I do a cable-based configuration? The documentation states that is only available on the PIX 500 Security Appliance. Going through the Support Community forums it appears I can. Who is right? If I can do cable-based configuration do I have to turn off the secondary ASA to do the initial configuration? Thanks much.

    Hello James,
    Yes, you can do cable-based (if you mean connecting the devices via a cable without a switch; that will not be a problem).
    Cisco recommends using a switch between the units for troubleshooting purposes, but it's not a MUST.
    Configuration-wise, same procedure, nothing different, so just follow the regular process.
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Cheers,
    Julio Carvajal Segura

  • ASA 5550 V05 Active/passive one stop work

    Hello,
    I have a client, that got 2x ASA 5550 V05 and they were configured to act as active/passive but some months ago they had problems with them, so they remove them from the network.
    Recently, I went there and saw that one of the firewalls (the one that was passive) is not working; when I connect via console and reboot it I don't see anything. The boot starts, but suddenly nothing shows up.
    The thing is that the client wants to get back to using the ASAs, so is there any way to fix that?
    As an alternative we were thinking of acquiring another ASA, to configure the two as active/passive again. The ASA that is working is:
    ASA 5550 V05 ; Cisco Adaptive Security Appliance Software Version 7.2(4) ; Device Manager Version 5.2(4) ; 8 Ports GB ( 4+4) ; asa724-k8.bin
    My question is, do I need exactly the same model ASA?
    I was thinking of putting in one ASA5555-2SSD120-K9. Would that work?
    Or should I try anything else? I don't have many skills with ASA, especially troubleshooting it.
    Thanks in advance

    Hi Diogo,
    The issue related to the failed firewall could be related to a hardware issue; you may get some output from the console session when the ASA is booting up. Try to boot up the firewall again; if this doesn't work then you should open a TAC case so they can help you replace the firewall (the ASA needs to be under an active contract).
    Regarding ASA model and failover, both firewalls must be the same model(hardware).
    See the below requirements for failover to work:
    http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html#req
    Regards,
    Harvey.
    Please rate if this is the correct answer.

  • ASA 5550 Transparent Active/Standby Configuration

    Hello guys!
    I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running in transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA:
    Primary ASA:
    interface GigabitEthernet1/3
    description LAN Failover Interface
    media-type sfp
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet1/3
    failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
    Secondary ASA:
    interface GigabitEthernet1/3
    description LAN Failover Interface
    failover
    failover lan unit secondary
    failover lan interface failover GigabitEthernet1/3
    failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
    My questions are the following:
    1. The management IP address is different from the IP used for the failover link. Since the firewalls are in transparent mode, does the failover IP need to be the same as the management IP address?
    2. Is any other additional config needed for HA to work for basic active/standby failover?
    3. Which is the best method to add the second box without disrupting the active box?
    Thanks in advance guys!

    Hi Nephtali,
    1. The answer is no, it can be different.
    2. You can optionally add stateful failover config.
    3. Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.
    Link to a config example:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#Reg
    Regards
    Mariusz
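    Before issuing the failover command on each unit as the reply describes, the two failover blocks have to agree on everything except the unit role. The following is an added example, not code from the thread or from Cisco, that parses the two configuration excerpts posted above and checks the fields that have to match for the LAN failover link to form (the failover keyword on both units, one primary and one secondary, the same logical and physical failover interface, the same active/standby address pair). Lines present on only one unit are listed for review, which is how the missing media-type sfp on the secondary shows up. It also warns when no failover key is configured, since without one the failover link, which carries the replicated configuration, is unencrypted; that check is this example's addition and is not discussed in the thread.

```python
"""Consistency check for an ASA Active/Standby failover pair.

Added example for this thread; not from the post, the reply, or Cisco.
PRIMARY and SECONDARY are the excerpts posted above. The 'failover key'
warning is an addition of this example.
"""
import re

PRIMARY = """\
interface GigabitEthernet1/3
description LAN Failover Interface
media-type sfp
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
"""

SECONDARY = """\
interface GigabitEthernet1/3
description LAN Failover Interface
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
"""


def parse_failover(text):
    """Pull the failover-relevant fields out of one unit's configuration."""
    cfg = {"enabled": False, "has_key": False, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "failover":
            cfg["enabled"] = True
        elif line.startswith("failover key "):
            cfg["has_key"] = True            # presence only; the key itself is not kept
        elif (m := re.match(r"failover lan unit (primary|secondary)$", line)):
            cfg["role"] = m.group(1)
        elif (m := re.match(r"failover lan interface (\S+) (\S+)$", line)):
            cfg["fo_name"], cfg["fo_phys"] = m.groups()
        elif (m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line)):
            cfg["ip_name"], cfg["ip"], cfg["mask"], cfg["standby"] = m.groups()
        else:
            cfg["other"].add(line)          # anything else is compared line by line
    return cfg


def check_pair(primary, secondary):
    """Return (errors, warnings); errors are things that stop failover forming."""
    errors, warnings = [], []
    for name, cfg in (("primary", primary), ("secondary", secondary)):
        if not cfg["enabled"]:
            errors.append(f"{name}: 'failover' is not enabled")
        if not cfg["has_key"]:
            warnings.append(f"{name}: no 'failover key'; failover link traffic is unencrypted")
    if {primary.get("role"), secondary.get("role")} != {"primary", "secondary"}:
        errors.append("unit roles must be exactly one primary and one secondary")
    for key in ("fo_name", "fo_phys", "ip_name", "ip", "mask", "standby"):
        if primary.get(key) != secondary.get(key):
            errors.append(f"{key} differs: {primary.get(key)} vs {secondary.get(key)}")
    if primary.get("fo_name") != primary.get("ip_name"):
        errors.append("failover interface name and failover ip name differ")
    for line in sorted(primary["other"] ^ secondary["other"]):
        side = "primary" if line in primary["other"] else "secondary"
        warnings.append(f"only on {side}: {line}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(parse_failover(PRIMARY), parse_failover(SECONDARY))
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARN: ", msg)
```

    For the two excerpts above the check reports no errors, one line present only on the primary (media-type sfp, which matters if the secondary's GigabitEthernet1/3 is also an SFP port) and the absent failover key on both units. Feed it the output of show running-config from each box rather than hand-typed excerpts when using it for real.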

  • Catalyst 3850 Stack VLANs, layer 2 vs. layer 3 design question

    Hello there:
    Just a generic, design question, after doing much reading, I am just not clear as when to use one or the other, and what the benefits/tradeoffs are:
    Should we configure the switch stack w/ layer 3, or layer 2 VLANs?
    We have a Catalyst 3850 Stack, connected to an ASA-X 5545 firewall via 8GB etherchannel.
    We have about 100 servers (some connected w/ bonding or mini-etherchannels), and 30 VLANs.
    We have several 10GB connections to servers.
    We push large, (up to) TB sized files from VLAN to VLAN, mostly using scp.
    No ip phones, no POE.
    Inter-VLAN connectivity/throughput and security are priorities.
    Originally, we planned to use the ASA to filter connections between VLANs, and VACLs or PACLs on the switch stack to filter connections between hosts w/in the same VLAN.
    Thank you.

    If all of your servers are going to the 3850 then I'd say you've got the wrong switch model to do a DC job. If you don't configure QoS properly, then your servers will start dropping packets because Catalyst switches have very, very shallow memory buffers. These memory buffers get swamped when servers do non-stop traffic.
    Ideally, Cisco recommends the Nexus solution to connect servers to.  One of the guys here, Joseph, regularly recommends the Catalyst 4500-X as a suitable (and financial) alternative to the more expensive Nexus range.
    In a DC environment, if you have a lot of VM stuff, then stick with Layer 2.  V-Motion and Layer 3 don't go hand-in-hand.

  • Design Question for table - related columns

    Hi,
    I have some design question about table I am working on.
    Here are the sample fields in the table,
    process_begin_date
    process_approved_by
    process_signed_by
    process_monitor
    process_communication
    the same way I have around 10 groups, for ex
    other_begin_date
    other_approved_by
    other_signed_by
    other_email
    other_something
    Question: Is it good to have all 50 fields in the same table? Or is there any better idea?

    Hi,
    Number of columns should not be any issue, but, proper normalization may be better for your design and scalability. If you can explain what you are storing in this table, you might get help if you need to have more than 2 tables in this particular scenario.
    If all these fields are related to a single entity, probably this single table is already normalized and need not be replaced by two tables.
    Salman

  • LDAP design question for multiple sites

    LDAP design question for multiple sites
    I'm planning to implement the Sun Java System Directory Server 5.2 2005Q1 for replacing the NIS.
    Currently we have 3 sites with different NIS domains.
    Since the NFS over the WAN connection is very unreliable, I would like to implement as follows:
    1. 3 LDAP servers + replica for each sites.
    2. Single username and password for every end user cross those 3 sites.
    3. Different auto_master, auto_home and auto_local maps for three sites. So when user login to different site, the password is the same but the home directory is different (local).
    So the questions are
    1. Should I need to have 3 domains for LDAP?
    2. If yes for question 1, then how can I keep the username password sync for three domains? If no for question 1, then what is the DIT (Directory Infrastructure Tree) or directory structure I should use?
    3. How to make auto map work on LDAP as well as mount local home directory?
    I would really appreciate it if some LDAP experts could enlighten me on this project.

    Thanks for your information.
    My current environment has 3 sites with 3 different NIS domainname: SiteA: A.com, SiteB:B.A.com, SiteC:C.A.com (A.com is our company domainname).
    So every time I add a new user account I need to create it on three NIS domains separately. Also, the password is out of sync if a user changes the password on one site.
    I would like to migrate NIS to LDAP.
    I want to have single username and password for each user on 3 sites. However, the home directory is on local NFS filer.
    Say for userA, his home directory is /user/userA in passwd file/map. On location X, his home directory will mount FilerX:/vol/user/userA,
    On location Y, userA's home directory will mount FilerY:/vol/user/userA.
    So the mount drive is determined by auto_user map in NIS.
    In other words, there will be 3 different auto_user maps in 3 different LDAP servers.
    So userA login hostX in location X will mount home directory on local FilerX, and login hostY in location Y will mount home directory on local FilerY.
    But the username and password will be the same on three sites.
    That's my goal.
    Some LDAP expert suggested MMR (Multiple-Master-Replication) to me. But I'm still not quite sure how to do MMR.
    It would be appreciated if some LDAP guru can give me some guideline at start point.
    Best wishes
