Export physical and logical details on ASA 5520 and 8.0 software
Hello...does anybody know if there is any way to export details of the physical and logical interface details (including interface descriptions) to Excel, PDF or any other format from the command line or ASDM?
Thanks,
John
Export directly in xls, xlsx or pdf - no.
The output of "show run interface" or "show interface" is pretty structured however and easily parsed by Excel - either manually or via a macro. See output below (you can omit the interface identifier to get all interfaces. I used one for brevity.)
One can build a script to log in, perform an arbitrary command logging the output to a file which can then be massaged to extract the information you want in a suitable format (csv, etc.). Once in Excel it can be saved as pdf if you're so inclined.
Of course, some of the full-featured network management tools do a lot of this (and lots more) if you have them.
ASA-1# sh run int eth0/0
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.224
ASA-1#
ASA-1# sh int eth0/0
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0013.c480.6b50, MTU 1500
IP address x.x.x.x, subnet mask 255.255.255.224
14156274 packets input, 16095096189 bytes, 0 no buffer
Received 44764 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
8548524 packets output, 1006461151 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 64 collisions, 6 interface resets
95 late collisions, 627 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/125)
Traffic Statistics for "outside":
14156267 packets input, 15839536990 bytes
8548619 packets output, 820243613 bytes
39502 packets dropped
1 minute input rate 2 pkts/sec, 349 bytes/sec
1 minute output rate 2 pkts/sec, 425 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2 pkts/sec, 2091 bytes/sec
5 minute output rate 1 pkts/sec, 352 bytes/sec
5 minute drop rate, 0 pkts/sec
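The parsing step the answer describes, as an added example that is not part of the original thread: it merges `show run interface` and `show interface` output into one CSV row per interface. The sample input is constructed (modelled on the output above, with placeholder addresses and invented descriptions), and the column names and the formula-neutralising `safe_cell` helper are assumptions of this example.

```python
import csv
import io
import re

# Constructed sample input modelled on the output in the answer above.
# Addresses are documentation-range placeholders; descriptions are invented.
SHOW_RUN = """\
interface Ethernet0/0
 description ISP uplink
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.224
!
interface Ethernet0/1
 description - spare port -
 shutdown
 no nameif
 no security-level
 no ip address
!
"""

SHOW_INT = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        MAC address 0013.c480.6b50, MTU 1500
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 64 collisions, 6 interface resets
Interface Ethernet0/1 "", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        MAC address 0013.c480.6b51, MTU not set
"""

FIELDS = ["interface", "nameif", "description", "security_level",
          "ip_address", "netmask", "link", "line_protocol", "mac", "mtu",
          "input_errors", "output_errors"]
HEADER = re.compile(r'^Interface (\S+) "([^"]*)", is (.+?), line protocol is (\S+)')


def parse_show_run(text):
    """Return {interface: config fields} from 'show run interface' output."""
    out, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if line.startswith("interface "):
            cur = out.setdefault(s.split(None, 1)[1], {})
        elif not line[:1].isspace():
            cur = None  # '!' or any other top-level command ends the block
        elif cur is None:
            continue
        elif s.startswith("description "):
            cur["description"] = s[len("description "):]
        elif s.startswith(("nameif ", "security-level ")):
            key, value = s.split()[:2]
            cur[key.replace("-", "_")] = value
        elif (m := re.match(r"ip address (\d[\d.]*) (\d[\d.]*)", s)):
            # Only static addressing; 'ip address dhcp' is left blank.
            cur["ip_address"], cur["netmask"] = m.groups()
    return out


def parse_show_interface(text):
    """Return {interface: operational fields} from 'show interface' output."""
    out, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            cur = out.setdefault(m.group(1), {})
            cur.update(nameif=m.group(2), link=m.group(3), line_protocol=m.group(4))
        elif cur is None:
            continue
        elif (m := re.search(r"MAC address ([0-9a-f.]+), MTU (\d+|not set)", line)):
            cur["mac"], cur["mtu"] = m.groups()
        elif (m := re.search(r"(\d+) (input|output) errors", line)):
            cur[m.group(2) + "_errors"] = m.group(1)
    return out


def build_rows(run_text, int_text):
    """Merge config and operational data into one dict per interface."""
    cfg, oper = parse_show_run(run_text), parse_show_interface(int_text)
    rows = []
    for name in sorted(set(cfg) | set(oper)):
        merged = {"interface": name, **cfg.get(name, {}), **oper.get(name, {})}
        rows.append({f: merged.get(f, "") for f in FIELDS})
    return rows


def safe_cell(value):
    # Descriptions are free text typed by whoever configured the device; a
    # leading = + - @ would make a spreadsheet evaluate the cell as a formula.
    return "'" + value if value[:1] in ("=", "+", "-", "@") else value


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows({k: safe_cell(v) for k, v in r.items()} for r in rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_rows(SHOW_RUN, SHOW_INT)))
```

Replace the two sample strings with the text your login script logged; the resulting CSV opens directly in Excel.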
Similar Messages
-
HA between a Cisco ASA 5520 and a Cisco ASA 5525-X
Hi all!
We have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theoretically compatible, we are not going to upgrade it right now.
We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-passive cluster with both technologies, Cisco ASA and Cisco ASA-X firewalls? We were told that it should be theoretically compatible, but we'd like to know if someone tried before.
Best regards for all,
You cannot make a 5520 establish failover with the mate being a 5525-X.
1. The configuration guide (here) states:
The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above. -
Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone
Hi,
I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
The scenario:
Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
Any help or advice is much appreciated.
Thanks.
Hello Bernard,
What you are looking for is a Remote Ipsec VPN mode not a L2L.
Here is the link you should use to make this happen:)
https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
Regards,
Julio -
Inter VLAN Routing with ASA 5520 and Cat 2960
Hi there,
I am a complete novice at networking, but I was tasked to have an ASA 5520 do inter VLAN routing (since my shop doesn't have a layer 3 router).
As a basic setup, I am trying to have three workstations on three different VLANs communicate with each other. The attached screenshot shows the topology.
I am unable to ping from a PC to the ASA...therefore I can't ping to other VLANs. Any assistance would be greatly appreciated.
ROUTER CONFIG:
ciscoasa#
ciscoasa# show run
: Saved
ASA Version 8.3(1)
hostname ciscoasa
domain-name null
enable password ###### encrypted
passwd ###### encrypted
names
dns-guard
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
no nameif
security-level 100
ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
vlan 20
nameif vlan20
security-level 100
ip address 10.10.20.1 255.255.255.0
interface GigabitEthernet0/1.30
vlan 30
nameif vlan30
security-level 100
ip address 10.10.30.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name null
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu vlan10 1500
mtu vlan20 1500
mtu vlan30 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.5 inside
dhcpd enable inside
dhcpd address 10.10.10.101-10.10.10.253 vlan10
dhcpd enable vlan10
dhcpd address 10.10.20.101-10.10.20.253 vlan20
dhcpd enable vlan20
dhcpd address 10.10.30.101-10.10.30.253 vlan30
dhcpd enable vlan30
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4ad1bba72f1f51b2a47e8cacb9d3606a
: end
SWITCH CONFIG
Switch#show run
Building configuration...
Current configuration : 2543 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no aaa new-model
system mtu routing 1500
ip subnet-zero
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
vlan internal allocation policy ascending
interface GigabitEthernet0/1
description Port Configured As Trunk
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
interface GigabitEthernet0/4
switchport access vlan 30
switchport mode access
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface GigabitEthernet0/8
interface GigabitEthernet0/9
interface GigabitEthernet0/10
interface GigabitEthernet0/11
interface GigabitEthernet0/12
interface GigabitEthernet0/13
interface GigabitEthernet0/14
interface GigabitEthernet0/15
interface GigabitEthernet0/16
interface GigabitEthernet0/17
interface GigabitEthernet0/18
interface GigabitEthernet0/19
interface GigabitEthernet0/20
interface GigabitEthernet0/21
interface GigabitEthernet0/22
interface GigabitEthernet0/23
interface GigabitEthernet0/24
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface GigabitEthernet0/27
interface GigabitEthernet0/28
interface GigabitEthernet0/29
interface GigabitEthernet0/30
interface GigabitEthernet0/31
interface GigabitEthernet0/32
interface GigabitEthernet0/33
interface GigabitEthernet0/34
interface GigabitEthernet0/35
interface GigabitEthernet0/36
interface GigabitEthernet0/37
interface GigabitEthernet0/38
interface GigabitEthernet0/39
interface GigabitEthernet0/40
interface GigabitEthernet0/41
interface GigabitEthernet0/42
interface GigabitEthernet0/43
interface GigabitEthernet0/44
interface GigabitEthernet0/45
interface GigabitEthernet0/46
interface GigabitEthernet0/47
interface GigabitEthernet0/48
interface Vlan1
ip address 10.10.1.2 255.255.255.0
no ip route-cache
interface Vlan10
no ip address
no ip route-cache
interface Vlan20
no ip address
no ip route-cache
interface Vlan30
no ip address
no ip route-cache
ip default-gateway 10.10.1.1
ip http server
ip http secure-server
control-plane
line con 0
line vty 5 15
end
ciscoasa# capture cap10 interface vlan10
ciscoasa# capture cap20 interface vlan20
ciscoasa# show cap cap10
97 packets captured
1: 17:32:32.541262 802.1Q vlan#10 P0 10.10.10.101.2461 > 10.10.10.1.8905: ud
p 96
2: 17:32:36.741294 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
3: 17:32:36.741523 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
4: 17:32:37.539217 802.1Q vlan#10 P0 10.10.10.101.2462 > 10.10.10.1.8905: ud
p 98
5: 17:32:39.104914 802.1Q vlan#10 P0 10.10.10.101.2463 > 10.12.5.64.8906: ud
p 95
6: 17:32:41.738914 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
7: 17:32:41.739143 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
8: 17:32:42.544023 802.1Q vlan#10 P0 10.10.10.101.2464 > 10.10.10.1.8905: ud
p 93
9: 17:32:46.747352 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
10: 17:32:46.747580 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
11: 17:32:47.546633 802.1Q vlan#10 P0 10.10.10.101.2465 > 10.10.10.1.8905: ud
p 98
12: 17:32:51.739921 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
13: 17:32:51.740150 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
14: 17:32:52.544100 802.1Q vlan#10 P0 10.10.10.101.2466 > 10.10.10.1.8905: ud
p 98
15: 17:32:56.741859 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
16: 17:32:56.742088 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
17: 17:32:57.547396 802.1Q vlan#10 P0 10.10.10.101.2467 > 10.10.10.1.8905: ud
p 98
18: 17:33:01.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
19: 17:33:01.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
20: 17:33:02.547609 802.1Q vlan#10 P0 10.10.10.101.2468 > 10.10.10.1.8905: ud
p 97
21: 17:33:06.742774 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
22: 17:33:06.743018 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
23: 17:33:07.543337 802.1Q vlan#10 P0 10.10.10.101.2469 > 10.10.10.1.8905: ud
p 93
24: 17:33:10.375514 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
25: 17:33:11.114679 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
26: 17:33:11.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
27: 17:33:11.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
28: 17:33:11.864731 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
29: 17:33:12.546266 802.1Q vlan#10 P0 10.10.10.101.2470 > 10.10.10.1.8905: ud
p 98
30: 17:33:16.746497 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
31: 17:33:16.746726 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
32: 17:33:17.548403 802.1Q vlan#10 P0 10.10.10.101.2471 > 10.10.10.1.8905: ud
p 97
33: 17:33:21.744880 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
34: 17:33:21.745109 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
35: 17:33:22.545351 802.1Q vlan#10 P0 10.10.10.101.2472 > 10.10.10.1.8905: ud
p 95
36: 17:33:23.785558 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
37: 17:33:24.522464 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
38: 17:33:25.272568 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
39: 17:33:26.744926 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
40: 17:33:26.745154 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
41: 17:33:27.548708 802.1Q vlan#10 P0 10.10.10.101.2473 > 10.10.10.1.8905: ud
p 96
42: 17:33:31.749625 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
43: 17:33:31.749854 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
44: 17:33:32.550096 802.1Q vlan#10 P0 10.10.10.101.2474 > 10.10.10.1.8905: ud
p 97
45: 17:33:36.748343 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
46: 17:33:36.748572 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
47: 17:33:37.546251 802.1Q vlan#10 P0 10.10.10.101.2475 > 10.10.10.1.8905: ud
p 95
48: 17:33:41.745566 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
49: 17:33:41.745795 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
50: 17:33:42.547975 802.1Q vlan#10 P0 10.10.10.101.2476 > 10.10.10.1.8905: ud
p 97
51: 17:33:46.747855 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
52: 17:33:46.748084 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
53: 17:33:47.548403 802.1Q vlan#10 P0 10.10.10.101.2477 > 10.10.10.1.8905: ud
p 94
54: 17:33:51.747718 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
55: 17:33:51.747931 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
56: 17:33:52.547670 802.1Q vlan#10 P0 10.10.10.101.2478 > 10.10.10.1.8905: ud
p 97
57: 17:33:54.134239 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
58: 17:33:56.750678 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
59: 17:33:56.750891 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
60: 17:33:57.563035 802.1Q vlan#10 P0 10.10.10.101.2479 > 10.10.10.1.8905: ud
p 97
61: 17:33:59.245272 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
62: 17:34:01.752188 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
63: 17:34:01.752402 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
64: 17:34:01.995737 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 49
65: 17:34:01.995813 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 34
66: 17:34:01.995950 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 49
67: 17:34:01.996011 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 34
68: 17:34:01.996118 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
69: 17:34:01.996179 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
70: 17:34:02.551836 802.1Q vlan#10 P0 10.10.10.101.2480 > 10.10.10.1.8905: ud
p 98
71: 17:34:03.011306 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 49
72: 17:34:03.011367 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 34
73: 17:34:03.011443 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 49
74: 17:34:03.011489 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 34
75: 17:34:03.011550 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
76: 17:34:03.011596 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
77: 17:34:04.027037 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 49
78: 17:34:04.027082 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 34
79: 17:34:04.027174 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 49
80: 17:34:04.027250 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 34
81: 17:34:04.027311 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
82: 17:34:04.027357 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
83: 17:34:04.745811 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
84: 17:34:06.058514 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 49
85: 17:34:06.058605 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 34
86: 17:34:06.058651 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 49
87: 17:34:06.058712 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 34
88: 17:34:06.058758 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
89: 17:34:06.058819 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
90: 17:34:06.750907 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
91: 17:34:06.751151 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
92: 17:34:07.552751 802.1Q vlan#10 P0 10.10.10.101.2481 > 10.10.10.1.8905: ud
p 96
93: 17:34:11.752082 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
94: 17:34:11.752326 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
95: 17:34:12.553392 802.1Q vlan#10 P0 10.10.10.101.2482 > 10.10.10.1.8905: ud
p 96
96: 17:34:16.755438 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
97: 17:34:16.755682 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
98: 17:34:17.554811 802.1Q vlan#10 P0 10.10.10.101.2483 > 10.10.10.1.8905: ud
p 97
99: 17:34:21.751303 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
100: 17:34:21.751563 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
101: 17:34:22.552034 802.1Q vlan#10 P0 10.10.10.101.2484 > 10.10.10.1.8905: ud
p 95
102: 17:34:26.753989 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
103: 17:34:26.754218 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
104: 17:34:27.560334 802.1Q vlan#10 P0 10.10.10.101.2485 > 10.10.10.1.8905: ud
p 98
105: 17:34:31.755499 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
106: 17:34:31.755728 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
107: 17:34:32.563950 802.1Q vlan#10 P0 10.10.10.101.2486 > 10.10.10.1.8905: ud
p 95
107 packets shown
ciscoasa# show cap cap20
92 packets captured
1: 17:26:53.653378 802.1Q vlan#20 P0 10.10.20.101.1187 > 216.49.94.13.80: S 8
20343450:820343450(0) win 65535
2: 17:27:12.019133 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
3: 17:27:17.214481 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
4: 17:27:55.593688 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
499891746:1499891746(0) win 65535
5: 17:27:58.555284 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
499891746:1499891746(0) win 65535
6: 17:28:04.564790 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
499891746:1499891746(0) win 65535
7: 17:29:06.504856 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101
8: 17:29:06.504917 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
6:bb
9: 17:29:06.505222 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
7080594:47080594(0) win 65535
10: 17:29:09.467032 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
7080594:47080594(0) win 65535
11: 17:29:15.476537 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
7080594:47080594(0) win 65535
12: 17:30:17.417245 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
445997597:1445997597(0) win 65535
13: 17:30:18.156043 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
14: 17:30:20.378688 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
445997597:1445997597(0) win 65535
15: 17:30:23.220356 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
16: 17:30:26.388102 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
445997597:1445997597(0) win 65535
17: 17:30:28.721047 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
18: 17:30:34.222507 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
19: 17:33:43.156928 802.1Q vlan#20 P0 arp who-has 10.10.20.101 tell 10.10.20.1
01
20: 17:33:44.187002 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101
21: 17:33:44.187047 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
6:bb
22: 17:33:44.187261 802.1Q vlan#20 P0 10.10.20.101 > 10.10.20.1: icmp: echo re
quest
23: 17:33:44.187520 802.1Q vlan#20 P0 10.10.20.1 > 10.10.20.101: icmp: echo re
ply
24: 17:33:44.239016 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
25: 17:33:44.327360 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
26: 17:33:44.989740 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
27: 17:33:45.150611 802.1Q vlan#20 P0 10.10.20.101.6646 > 10.10.20.255.6646:
udp 236
28: 17:33:45.331312 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
udp 34
29: 17:33:45.740943 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
30: 17:33:46.331892 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
31: 17:33:46.492131 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
32: 17:33:47.243502 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
33: 17:33:47.994501 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
34: 17:33:48.335050 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
35: 17:33:48.335141 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
udp 34
36: 17:33:48.745658 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
37: 17:33:49.496861 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
38: 17:33:50.248812 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
39: 17:33:50.249300 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
40: 17:33:50.999170 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
41: 17:33:50.999246 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
42: 17:33:51.750342 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
43: 17:33:51.750418 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
44: 17:33:52.341336 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
45: 17:33:52.341474 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
udp 34
46: 17:33:52.501576 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
47: 17:33:52.501652 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
48: 17:33:53.254183 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
49: 17:33:53.254320 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 204
50: 17:33:54.134361 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
51: 17:33:54.755118 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
52: 17:33:54.823535 802.1Q vlan#20 P0 10.120.2.198.1261 > 161.69.12.13.443: R
250934743:250934743(0) ack 2427374744 win 0
53: 17:33:54.823901 802.1Q vlan#20 P0 10.120.2.198.1262 > 161.69.12.13.443: R
3313764765:3313764765(0) ack 1397588942 win 0
54: 17:33:54.824618 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
2860571026:2860571026(0) win 65535
55: 17:33:56.257448 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
56: 17:33:57.759833 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
57: 17:33:57.779729 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
2860571026:2860571026(0) win 65535
58: 17:33:59.245394 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
59: 17:33:59.262178 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 186
60: 17:34:00.263780 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 186
61: 17:34:01.265382 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 186
62: 17:34:02.266908 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 186
63: 17:34:03.268540 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
64: 17:34:03.789189 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
2860571026:2860571026(0) win 65535
65: 17:34:04.019591 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
66: 17:34:04.745933 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
67: 17:34:04.770757 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
68: 17:34:05.521991 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
69: 17:34:06.273209 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
70: 17:34:07.024367 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
71: 17:34:07.775518 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
72: 17:34:08.526706 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
73: 17:34:09.277939 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
74: 17:34:09.278061 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
75: 17:34:09.278702 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 204
76: 17:34:15.810489 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
77: 17:34:16.809726 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
udp 31
78: 17:34:17.811222 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
79: 17:34:19.814349 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
80: 17:34:19.814380 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
udp 31
81: 17:34:23.820682 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
82: 17:34:23.820788 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
udp 31
83: 17:34:30.822924 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 50
84: 17:34:31.572892 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 50
85: 17:34:32.324079 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 50
86: 17:34:33.083079 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
87: 17:34:34.077007 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
udp 44
88: 17:34:35.078639 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
89: 17:34:37.081584 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
90: 17:34:37.081706 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
udp 44
91: 17:34:41.087809 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
92: 17:34:41.087840 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
udp 44
92 packets shown -
Requisition and Order Details (Shipment, Receipt, Invoice and Payment Detai
Hi ,
The business wants Requisition and Order Details, i.e. Shipment, Receipt, Invoice and Payment Details, to be displayed in the same screen; users want to avoid clicking on the "Details" button provided in the requisition line item on the iProcurement Self Service screen to view details.
This is to basically avoid too many mouse clicks.
If someone had implemented similar solution please provide steps to implement.
Regards
We had a similar requirement to help requisition approvers and we created a new custom page with the required info. It can help to separate those items that only appear once per requisition compared to those that need to be displayed in a table for each req line.
The page is accessed by personalisation to add a new link (via adding an image item to the seeded page) -
Does ASA 5520 and 5510 support IDS?
Hi experts,
If so how to enable it?
Thanks a lot in advance.
Regards,
You can purchase an AIP-SSM module for an ASA 5510 or 5520 to enable IDS/IPS functionality on the platform.
http://www.cisco.com/en/US/customer/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html -
Hi All
I'm preparing a lab and I have 2 ASA 5520s. I have configured them for failover so the Primary's config will replicate over to the Secondary. They are connected via a 3560 switch. The switch ports are configured as access ports on vlan 1. Spanning-tree portfast is enabled.
Firewall (Primary)
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
DEO-FW-01 up 5 hours 1 min
failover cluster up 5 hours 1 min
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 001e.f762.bc44, irq 9
1: Ext: GigabitEthernet0/1 : address is 001e.f762.bc45, irq 9
2: Ext: GigabitEthernet0/2 : address is 001e.f762.bc46, irq 9
3: Ext: GigabitEthernet0/3 : address is 001e.f762.bc47, irq 9
4: Ext: Management0/0 : address is 001e.f762.bc43, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Here is the failover config
failover
failover lan unit primary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
Here is the Show failover output
Failover On
Failover unit Primary
Failover LAN Interface: SFO GigabitEthernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
failover replication http
Version: Ours 9.1(1), Mate Unknown
Last Failover at: 12:53:27 UTC Mar 14 2013
This host: Primary - Active
Active time: 18059 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
Interface inside (10.10.16.1): No Link (Waiting)
Interface corporate_network_traffic (10.10.16.21): Unknown (Waiting)
Interface outside (193.158.46.130): Unknown (Waiting)
slot 1: empty
Other host: Secondary - Not Detected
Active time: 0 (sec)
Interface inside (10.10.16.2): Unknown (Waiting)
Interface corporate_network_traffic (10.10.16.22): Unknown (Waiting)
Interface outside (193.158.46.131): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : SFO GigabitEthernet0/3 (Failed)
Here is the output for the secondary firewall
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 6.2(5)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 hour 1 min
failover cluster up 1 hour 1 min
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 0023.0477.12e4, irq 9
1: Ext: GigabitEthernet0/1 : address is 0023.0477.12e5, irq 9
2: Ext: GigabitEthernet0/2 : address is 0023.0477.12e6, irq 9
3: Ext: GigabitEthernet0/3 : address is 0023.0477.12e7, irq 9
4: Ext: Management0/0 : address is 0023.0477.12e3, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Here is the failover config
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
Here is the Show failover output
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
Failover On
Failover unit Secondary
Failover LAN Interface: SFO GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 160 maximum
failover replication http
Version: Ours 9.1(1), Mate Unknown
Last Failover at: 12:58:31 UTC Mar 14 2013
This host: Secondary - Active
Active time: 3630 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
slot 1: empty
Other host: Primary - Not Detected
Active time: 0 (sec)
Stateful Failover Logical Update Statistics
Link : SFO GigabitEthernet0/3 (up)
Interface g0/3 on both is up via the no shutdown command. However, I get the following error: No Active mate detected
Please could someone help.
Many thanks
Hello James,
You have configured the IPs on the interfaces incorrectly.
Let me point it out
failover
failover lan unit primary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
You are telling the Primary device to use IP address 10.10.16.25 and the secondary firewall will be 10.10.26.26.
Now let's see the configuration on the Secondary Unit:
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
On the secondary you are saying the primary IP will be 10.10.16.26 and the secondary will be 10.10.16.25.
You have it backwards, and based on the output I would say you configured it on all of the interfaces like that.
So please change it and make it the same on all of the interfaces so both devices know the same thing (which IP they should use when they are primary and secondary; this HAS to match).
Hope that I could help
Julio Carvajal -
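The check described in the reply above, as an added example (not part of the original thread and not Cisco tooling): a Python script that parses the failover sections of both units as posted and reports every line other than "failover lan unit" that differs, including swapped active/standby addresses. The function names are hypothetical.

```python
import ipaddress
import re

# Failover sections exactly as posted in the thread above.
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
"""
SECONDARY_CFG = """\
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
"""

UNIT_RE = re.compile(r"^failover lan unit (primary|secondary)$")
IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def parse_failover(cfg):
    """Split a config into (unit role, other failover lines, link addressing)."""
    role, lines, addrs = None, set(), {}
    for raw in cfg.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if not line.startswith("failover"):
            continue
        unit, ip = UNIT_RE.match(line), IP_RE.match(line)
        if unit:
            role = unit.group(1)
        elif ip:
            name, active, mask, standby = ip.groups()
            addrs[name] = (active, mask, standby)
        else:
            lines.add(line)
    return role, lines, addrs


def compare_units(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two units agree."""
    findings = []
    role_a, lines_a, addrs_a = parse_failover(cfg_a)
    role_b, lines_b, addrs_b = parse_failover(cfg_b)
    if {role_a, role_b} != {"primary", "secondary"}:
        findings.append(f"unit roles are {role_a}/{role_b}, "
                        "expected one primary and one secondary")
    for line in sorted(lines_a ^ lines_b):
        findings.append(f"only on one unit: {line}")
    for name in sorted(set(addrs_a) | set(addrs_b)):
        a, b = addrs_a.get(name), addrs_b.get(name)
        if a is None or b is None:
            findings.append(f"{name}: 'failover interface ip' missing on one unit")
            continue
        # Active and standby addresses must sit in the same subnet.
        for active, mask, standby in {a, b}:
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if ipaddress.ip_address(standby) not in net:
                findings.append(f"{name}: standby {standby} is outside {net}")
        if a == b:
            continue
        if a[1] == b[1] and (a[0], a[2]) == (b[2], b[0]):
            findings.append(f"{name}: active and standby addresses are swapped "
                            f"between the units ({a[0]}/{a[2]} vs {b[0]}/{b[2]}); "
                            "use the same line on both")
        else:
            findings.append(f"{name}: addressing differs: {a} vs {b}")
    return findings


if __name__ == "__main__":
    for finding in compare_units(PRIMARY_CFG, SECONDARY_CFG):
        print("MISMATCH", finding)
```

Run against the two configs from the thread, it reports one finding for the SFO link; it reports none once the secondary carries the same "failover interface ip" line as the primary.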
Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops
Having a problem with communication between ASA 5510 and Cisco Catalyst 3750.
Here is the Cisco switch port facing the ASA 5510 configuration:
interface FastEthernet2/0/6
description Trunk to ASA 5510
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 131,500
switchport mode trunk
switchport nonegotiate
And here is the ASA 5510 port configuration:
interface Ethernet0/3
speed 100
no nameif
no security-level
no ip address
interface Ethernet0/3.500
vlan 500
nameif outside
security-level 0
ip address X.X.X.69 255.255.255.0
There is a default route on ASA to X.X.X.1.
When I try to ping from ASA X.X.X.1 I get:
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Also, in the output of show interface eth 0/3 on the ASA I can see that the L2 Decode drop counter increases.
I have also changed the ports on the Switch and ASA but the same error stays.
Any thoughts?
I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
Maybe you should adjust the "speed 100"? In my experience, partial autoconfiguration results in duplex mis-matches, which results in dropped packets.
I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch. Alternatively, have both sides set
speed 100
duplex full
and see if things improve.
-- Jim Leinweber, WI State Lab of Hygiene -
Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem
Hi,
I recently purchased a Cisco ASA 5520, running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
I have installed 50 Site-to-Site VPN tunnels, and they work fine.
But randomly the VPN tunnels keep disconnecting, and a few seconds later they connect themselves again automatically.
It happens when there is no TRAFFIC on, I suspect.
In ASDM, in Group Policies under DfltGrpPolicy (system default), I have "idle timeout" set to "UNLIMITED", but still they keep disconnecting and connecting again. I have also verified that all VPN TUNNELS are using this Group Policy, and all VPN tunnels have "Idle Timeout: 0".
This is very annoying, as in my case I have customers having an RDP (remote desktop client) open 24/7 and suddenly it gets disconnected due to no traffic?
In ASDM under Monitoring -> VPN I can see all VPN tunnels recently disconnected in "Login Time Duration": some 30 minutes, 52 minutes, 40 minutes and some 12 minutes ago, and so on. They don't DISCONNECT at the SAME time; all randomly.
I don't WANT the VPN TUNNELS to disconnect; I want them to RUN until we manually disconnect them.
Any idea?
Thanks,
Daniel
What is the lifetime value configured for in your crypto policies?
For example:
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400 -
ASA 5520 intervlan routing at low speed
I have ASA 5520 and SSM-10 module. During copy between vlans, connected to gigabit port of asa the speed is up to 6,5 Mbyte/sec. Network cards and trunked switch are gigabit. I've temporarily disabled SSM but it didn't help. Here is my config. Also I found out, that putting SSM into bypass mode solves the problem. But I don't send any traffic to IPS...
ASA Version 8.4(2)
hostname ***
domain-name ***
enable password *** encrypted
passwd *** encrypted
multicast-routing
names
dns-guard
interface GigabitEthernet0/0
nameif DMZ
security-level 50
ip address 10.2.5.1 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
interface GigabitEthernet0/1.100
vlan 100
nameif Devices
security-level 100
ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet0/1.101
vlan 101
nameif Common
security-level 100
ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet0/1.102
vlan 102
nameif Design
security-level 100
ip address 10.2.2.1 255.255.255.0
interface GigabitEthernet0/1.103
vlan 103
nameif Ruhlamat
security-level 90
ip address 10.2.3.1 255.255.255.0
interface GigabitEthernet0/2
no nameif
security-level 100
no ip address
interface GigabitEthernet0/2.10
vlan 10
nameif HOLOGR
security-level 40
ip address 10.1.2.4 255.255.0.0
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address ***
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
management-only
boot system disk0:/asa842-k8.bin
no ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WWW
host 10.2.1.6
object network MAIL
host 10.2.5.5
object network TEST
host 10.2.1.85
object-group network DM_INLINE_NETWORK_1
network-object host 10.1.0.88
network-object host 10.1.6.1
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object 10.2.0.0 255.255.255.0
network-object host 10.1.6.4
network-object host 10.1.1.57
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2080
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_6
network-object host 10.1.4.42
network-object host 10.1.4.234
network-object host 10.1.4.175
network-object host 10.1.4.217
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.14
network-object host 10.2.1.91
object-group network DM_INLINE_NETWORK_4
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
object-group service DM_INLINE_TCP_2 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_5
network-object host 10.2.1.14
network-object host 10.2.1.39
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.85
network-object host 10.2.1.31
network-object host 10.2.1.32
network-object host 10.2.1.40
network-object host 10.2.1.55
network-object host 10.2.1.35
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_3 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_7
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_9
network-object host 10.2.1.4
network-object host 10.2.1.3
object-group network DM_INLINE_NETWORK_2
network-object host 10.1.1.101
network-object host 10.1.6.1
network-object host 10.1.6.4
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object host 10.1.1.57
object-group network DM_INLINE_NETWORK_10
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_4 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_12
network-object host 10.2.0.11
network-object host 10.2.0.14
object-group service DM_INLINE_TCP_5 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_13
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_14
network-object host 8.8.4.4
network-object host 8.8.8.8
network-object host 10.1.1.1
object-group network DM_INLINE_NETWORK_15
network-object host 10.2.1.39
network-object host 10.2.1.57
object-group network DM_INLINE_NETWORK_16
network-object host 10.2.1.14
network-object host 10.2.1.6
access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
access-list outside_access_in extended permit tcp host *** host 10.2.1.85 eq ***
access-list outside_access_in extended permit tcp host *** host 10.2.1.6 eq ***
access-list Common_access_in extended permit icmp any any
access-list Common_access_in extended permit ip host 10.2.1.76 host ***
access-list Common_access_in extended permit ip host 10.2.1.6 any log disable inactive
access-list Common_access_in extended permit tcp host 10.2.1.6 host *** eq ***
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_16 host 10.2.5.5
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
access-list Common_access_in extended permit udp object-group DM_INLINE_NETWORK_7 any eq ntp log disable
access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
access-list Common_access_in extended permit tcp object-group DM_INLINE_NETWORK_15 host 10.1.1.1 object-group DM_INLINE_TCP_3
access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 log disable
access-list HOLOGR_access_in extended permit icmp any any log disable
access-list HOLOGR_access_in extended permit tcp host 10.1.1.1 host 10.2.5.5 object-group DM_INLINE_TCP_4
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
access-list HOLOGR_access_in extended permit ip host 10.1.4.214 object-group DM_INLINE_NETWORK_12
access-list Ruhlamat_access_in extended permit ip host 10.2.3.3 object-group DM_INLINE_NETWORK_10
access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
access-list test extended permit tcp any host 10.2.5.1 eq telnet
access-list test extended permit tcp any host 10.2.5.1 eq https
access-list test extended permit tcp host 10.2.5.1 any eq https
access-list test extended permit tcp host 10.2.5.1 any eq telnet
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered critical
logging trap warnings
logging asdm informational
logging from-address ***
logging recipient-address *** level critical
logging host Common 10.2.1.2
logging flash-bufferwrap
logging flash-maximum-allocation 8192
logging permit-hostdown
no logging message 106014
no logging message 313005
no logging message 313001
no logging message 106023
no logging message 305006
no logging message 733101
no logging message 733100
no logging message 304001
logging message 313001 level critical
logging message 106023 level errors
mtu DMZ 1500
mtu inside 1500
mtu Devices 1500
mtu Common 1500
mtu Design 1500
mtu Ruhlamat 1500
mtu HOLOGR 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DMZ
icmp permit any Common
icmp permit any HOLOGR
icmp permit any outside
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
object network WWW
nat (Common,outside) static interface service tcp *** ***
object network MAIL
nat (DMZ,outside) static interface service tcp smtp smtp
nat (DMZ,outside) after-auto source dynamic any interface
nat (Common,outside) after-auto source dynamic any interface
nat (Devices,outside) after-auto source dynamic any interface
access-group Common_access_in in interface Common
access-group Design_access_in in interface Design
access-group Ruhlamat_access_in in interface Ruhlamat
access-group HOLOGR_access_in in interface HOLOGR
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 10.2.1.6 255.255.255.255 Common
snmp-server host Common 10.2.1.6 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp DMZ
sysopt noproxyarp inside
sysopt noproxyarp Devices
sysopt noproxyarp Common
sysopt noproxyarp Design
sysopt noproxyarp Ruhlamat
sysopt noproxyarp HOLOGR
sysopt noproxyarp outside
sysopt noproxyarp management
service resetoutside
telnet 10.2.1.0 255.255.255.0 Common
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Common
dhcprelay setroute Common
threat-detection basic-threat
threat-detection scanning-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.1.4 source Common prefer
webvpn
smtp-server 10.2.5.5
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ad02ecbd84a727e4a26699915feca3a5
: end
Hi Philip,
I don't see any features configured that would affect the throughput of the data transfer. Do you see any CRC errors or overruns increasing on the interfaces during the transfer? If not, I would suggest setting up captures on the ingress and egress interfaces of the ASA so you can understand exactly why the connection is slowing down and see if the ASA is inducing the delay:
https://supportforums.cisco.com/docs/DOC-1222
-Mike -
How to read Ibase and component details and save to a file in presentation
Hi Experts,
I am developing a report to download Ibase and Component details along with warranty and component details to presentation server.
So it would be appreciated and rewarded if you could provide any standard FMs and any code done before by you to download the Ibase and component details.
Thanks,
Raja
Hi Nithish,
Nice to see you again.
If you want to read the settypes information you can use the following FMs.
1. CRM_IBASE_COMP_GET_DETAIL - Read product_guid from this FM.
2. COM_FRGTYPE_READ_SINGLE - Read frgtype_guid by passing your settype_id as input.
3. COM_PR_SET_REL_READ_SINGLE_PR - Pass product guid from 1 and frgtype_guid from 2 to this FM and get fragment_guid.
4. ZOM_XXXX_READ_MULTI - Pass the above guid to this FM and read all set type attributes.
Hope this helps.
Regards,
Nithish
2) How to get the settype_id in order to pass it to the FM COM_FRGTYPE_READ_SINGLE?
Note: Can you also help in updating the warranty and Qualification relationship?
I mean, how to pass the data to the FM
CALL FUNCTION 'COM_PROD_MATERIAL_MAINTAIN_API'
EXPORTING
it_product = i_product
it_set = i_set
it_interlinkages = i_interlinkages(How to pass the data to this internal table)
Thanks in advance,
Raja -
Hello !
Does the counter of event buffer gets include the logical reads?
Does the metric buffer gets include the event of reading from undo buffer?
Thanks and regards,
Pavel
Edited by: Pavel on Jun 27, 2012 3:08 AM
Edited by: Pavel on Jun 27, 2012 3:35 AM
Edited by: Pavel on Jun 27, 2012 4:13 AM
Hi,
buffer gets = number of times a block was requested from buffer cache. A buffer get always results in a logical read. Depending on whether or not a copy of the block is available in the buffer cache, a logical read may or may not involve a physical read. So "buffer gets" and "logical reads" are basically synonyms and are often used interchangeably.
Oracle doesn't have a special "undo buffer". Undo blocks are stored in rollback segments in UNDO tablespace, and are managed in the same way data blocks are (they're even protected by redo). If a consistent get requires reading from UNDO tablespace, then statistics counters will show that, i.e. there will be one more consistent get in your autotrace.
For more information and some examples, see a thread at askTom:
http://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTION_ID:549546900346542976
Best regards,
Nikolay -
Older version of openssl in cisco asa 5520
Hi,
Recently my security has scanned all the network devices for vulnerabilities and found that the Cisco ASA 5520, which we use for RAS VPN, has an older version of OpenSSL. Have to check that and fix this problem? FYI, recently we have installed an SSL cert for webmail users.
Thanks,
Sridhar
Sridhar,
We update OpenSSL libraries on our side quite often, especially if new vulnerabilities are found.
You can check recently published vulnerabilities at www.cisco.com/go/psirt (not only specific to ASA).
In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
Marcin -
Landscape Management and logical components
Hi
Can anyone please help me to fix the issue related to SAP Solution Manager Landscape Management and logical components?
Actually here we have “Some software component versions are not covered by product instances” but it should be “All software components are covered by product instance”. Does it cause any problem while we do maintenance optimizer?
Document attached for reference...
Thanks in advance
Regards
Kranthi.
Hi Kranthi,
As mentioned by Daniel, after executing the Landscape verification, it will show all the missing product versions and product instances. So just add them; they will be added and shown in LMDB.
The screen of LMDB below shows all the product versions and product instances added and automatically captured. It is not possible to add the product version manually due to the refresh job. All the related product details are shown in Landscape verification.
After the addition you will be able to find all the products in the LMDB and generate the MOPZ directly from LMDB with the respective product version.
Rg,
Karthik -
AWR's buffer cache reads and logical reads
In AWR report under "Segments by Logical Reads" section, there is a total logical reads, I assume it is in unit of block. Under "IOStat by Function summary" section, it has buffer cache reads in unit of bytes. Shouldn't the number of logical reads x 8k (if the block size is 8k) = the number of buffer cache reads?
They are not equal, not even close, does anybody know why? Thanks
Hi,
buffer gets = number of times a block was requested from buffer cache. A buffer get always results in a logical read. Depending on whether or not a copy of the block is available in the buffer cache, a logical read may or may not involve a physical read. So "buffer gets" and "logical reads" are basically synonyms and are often used interchangeably.
Oracle doesn't have a special "undo buffer". Undo blocks are stored in rollback segments in UNDO tablespace, and are managed in the same way data blocks are (they're even protected by redo). If a consistent get requires reading from UNDO tablespace, then statistics counters will show that, i.e. there will be one more consistent get in your autotrace.
For more information and some examples, see a thread at askTom:
http://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTION_ID:549546900346542976
Best regards,
Nikolay