Moving contexts between ASA firewalls

Is there a recommended process to move ASA contexts from one firewall to another with the minimal amount of downtime? Can the configuration file be moved from one firewall to another, and the context created on the destination firewall specifying the copied configuration file in the context creation phase (assuming interfaces are named similarly)? An ARP clear on the upstream router may also be required to restore connectivity if the ASA doesn't gratuitous-ARP for interfaces and NAT addresses.

Hi,
This kind of change does need some downtime. You can copy and paste the configuration from one ASA to another and that should not be an issue, and yes, you would need to clear the ARP entries on the upstream device for the new ASA. It should not create any issues.
Thanks,
Varun Rao
Security Team,
Cisco TAC
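The staging and cutover described in the question and answer, written out on the ASA CLI as an added example (not from the original thread). The context name ctxA, interface IDs, TFTP server and router addresses are assumed placeholders; the config file is assumed to have been exported from the source ASA beforehand.

```text
! --- Destination ASA, system execution space (names and addresses assumed) ---
! 1. Stage the copied context configuration on local flash.
copy tftp://192.0.2.10/ctxA.cfg disk0:/ctxA.cfg

! 2. Create the context and point it at the staged file. The interface IDs
!    (or mapped names) used by the "interface ..." lines inside ctxA.cfg must
!    match what is allocated here; interface stanzas that reference an
!    unallocated ID are rejected when the file is loaded.
context ctxA
 description migrated from old ASA
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/ctxA.cfg

! 3. Check that the context loaded cleanly and its interfaces and NAT came up.
show context ctxA
changeto context ctxA
show interface ip brief
show nat
changeto system

! --- Source ASA, system execution space: take the old copy offline ---
! (immediately before cutover; the same IPs must not be live on both boxes)
no context ctxA

! --- Upstream IOS router: drop stale ARP entries for the moved addresses ---
! (once per interface IP and per static NAT address the context owns)
clear ip arp 198.51.100.2
! or, less selectively, flush the whole cache:
clear arp-cache
```

Until the router's ARP entries for the old MAC age out or are cleared, traffic to the context's interface and NAT addresses keeps going to the source ASA, which is the connectivity gap the question anticipates.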

Similar Messages

  • Firewalling vlans on Catalyst 6500 by using Cisco ASA Firewalls

    Hello,
    How to secure vlans on Catalyst 6500 by using Cisco ASA Firewalls?
    There are no free modules on Catalyst 6500 to install a FWSM module.
    What is the best configuration to secure VLANs (~80 VLANs) by using Cisco ASA firewalls (context, hairpinning...)?
    Thanks

    Hi Bro
    Just to understand your question once again: you don't have any more available slots in your present Cat6K, but you want to know how to secure your VLANs or SVIs that have been configured in your Cat6K?
    If you were to ask me, I would not apply a bunch of ACLs in the Cat6K, for starters. You might want to look into CoPP (Control Plane Policing) instead. Furthermore, you could also refer to this Cisco document: http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801b49a4.shtml
    However, if you do have Cisco ASA FW appliance (not module, I presume from your question), you could enable ACLs, threat-detection feature, IP Audit features, reverse-path policing, capping of the embryonic values etc.
    P/S: If you think this comment is useful, please do rate them nicely :-)

  • Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops

    Having a problem with communication between an ASA 5510 and a Cisco Catalyst 3750.
    Here is the Cisco switch port facing the ASA 5510 configuration:
    interface FastEthernet2/0/6
    description Trunk to ASA 5510
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 50
    switchport trunk allowed vlan 131,500
    switchport mode trunk
    switchport nonegotiate
    And here is the ASA 5510 port configuration:
    interface Ethernet0/3
    speed 100
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3.500
    vlan 500
    nameif outside
    security-level 0
    ip address X.X.X.69 255.255.255.0
    There is a default route on ASA to X.X.X.1.
    When I try to ping X.X.X.1 from the ASA I get:
    Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
    Also in the output of show interface eth 0/3 on the ASA I can see that the L2 Decode drop counter increases.
    I have also changed the ports on the Switch and ASA but the same error stays.
    Any thoughts?

    I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
    Maybe you should adjust the "speed 100"?  In my experience, partial autoconfiguration results in duplex mis-matches, which results in dropped packets.
    I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch.  Alternatively, have both sides set
       speed 100
       duplex full
    and see if things improve.
    -- Jim Leinweber, WI State Lab of Hygiene

  • How to share security context between different application ?

    Hi all,
    I have two applications(ADF faces + BC, JDev 10.1.3.1) deployed into OAS 10.1.3.1.
    The two applications are :
    1) SalesApp -> main menu page = SalesMenu.jspx
    2) ReportApp -> main menu page = ReportMenu.jspx
    I want to implement security using CustomLogin.
    The question is:
    How can I share the security context between the applications?
    What I mean is, from SalesMenu.jspx there is one menu item to jump into ReportMenu.jspx, and I want the user to not need to log in again: log in once and the user is recognized in the two apps. How do I achieve that?
    Thank you for your help,
    xtanto

    Xtanto,
    Actually you can't if these are separate J2EE application deployments. The session is not shared and thus the authentication is lost. I heard that OracleAS is planning to implement a feature that allows you to share the session, and thus a context, between two J2EE deployments. I am not 100% sure this is the case and will check with OC4J Product Management.
    Frank

  • SNMP does not work on the standby ASA firewalls

    Hello Everyone,
    I have 5 pairs of active/standby ASA firewalls running 8.4.4(1).
    All the active firewalls respond to SNMP requests, but the standby firewalls do not. I'm using SNMP v3. The configuration of the primary and secondary firewalls is a replica of each other, apart from the IP addresses.
    I want the secondary firewall to respond to SNMP requests coming in from the monitoring server. Can someone please help?
    Thanks,
    Rishi

    Assuming you can ping both firewalls, the problem is that the firewall pair shares the same config and therefore, the same SNMPv3 engineID. Some NMSs (e.g. WhatsUp Gold) do not support this and therefore only 1 firewall in the pair can be queried.
    Doesn't look like this has been fixed yet:
    Bug info: CSCtl88556 - ASA5520 failover pair has duplicate snmp v3 engine id

  • How to pass the security context between different OC4J servers

    My problem is the following: it seems that there is no standard J2EE solution in a production environment with more than one J2EE application server products to pass the security context between different J2EE application servers.
    I have a distributed application on two different OC4J servers; let's say that we have the web layer (with servlets) deployed on a server instance Server1 and the EJBs deployed on a second OC4J server Server2. If a user is authenticated at the web tier (in Server1) it gets a Principal object. It seems that the same Principal object cannot be used for authorization in the second application server, Server2. This means that in the server Server2 the authentication should be done again. It means that the mechanism for authentication should be duplicated on Server2 (together with the passwords, users, and so on), which is a clear disadvantage of this approach.
    Do you know if there is a specific OC4J solution for this approach?
    Thank you,
    Marinel

    I have a similar issue. Did you succeed in finding a solution?

  • Change MTU for just one Site-to-Site VPN between ASAs?

    Hi -
    I'm setting up a Site-to-Site Cisco VPN between ASAs. I'm being told by the remote site engineer to set the maximum MTU at 1362.
    Is it possible to set the MTU for one specific site-to-site VPN on my ASA 5510 Security Plus to MTU 1362? I see my interfaces are all set at 1500.
    If not, would you recommend I set up a subinterface on my inside network router and a subinterface on the ASA with an MTU of 1362 to get around this issue? Then use this subinterface for traffic from my inside network to traverse through prior to hitting the VPN.
    Thank you.

    I would not worry too much about UDP traffic. I'd rather concentrate on TCP traffic because almost all of the issues will be TCP.
    Therefore, I would set the MSS value to 1362 or maybe 1300: sysopt connection tcp-mss 1300
    That will solve most of your issues.

  • LR5 stopped moving files between folders

    Hi everybody,
    I've noticed today that my LR5 stopped moving files between folders. I select the files I want to move and drag them over to a new location like I always did before; the only difference is now nothing happens, no messages with errors, nothing... I tried to google it and couldn't find anything related to my problem.
    I'm using Windows 8 x64. I checked the permissions on all the photo folders and everything seems to be correct. I also run LR under admin rights, so there shouldn't be any OS-related issues... in addition, it was working just fine till today.
    I hope you can at least point me in right direction to dig more info on the problem with my LR5.
    Thx!

  • It stopped sending mail and moving messages between folders, junk messages stopped being moved.

    Recently, Thunderbird stopped sending mail and moving messages between folders, junk messages stopped being moved.

    Further notes (different user, same problem):
    * This is a problem that started in Thunderbird 32
    * This involves both automatic (filter) moves and manual moves
    * This includes use of keys and hotkeys (the delete key, for example)
    * Restarting Thunderbird does seem to "reset" the problem... for a while. I notice the problem most when either I've been away from the computer/program for a while or when waking a laptop computer from a sleep or hibernation state.

  • Moving apps between screens

    I'm having trouble moving apps between screens. I can move one app but then if I try and move another, I drag it off the side of the screen but the screen doesn't change. The only workaround I have is to move an app to the dock, change the screen with a swipe, then move the app out of the dock back onto the new screen. Is anyone else having this problem?

    I thought this was broken on my iPad after upgrading to iOS 4.2. After messing around, I found that if I move an icon around on the screen and hold it at the edge of the screen for a few extra seconds, with the edge of the icon slightly off the screen, then the screen will change.

  • Moving files between folders is very slow

    Hi, I have an iMac 2011. Processor: 2.7GHz Intel Core i5/ Memory 4GB
    OS X Yosemite, version 10.10.1
    After I changed my OS from Mavericks to Yosemite, moving files between folders is very slow.
    For example, if I move one jpg file in Desktop to Pictures folder (or just any other folders like Trash), it takes about 3 seconds.
    When I was still using Mavericks, it made that Ding sound and transferred files right away. However, now, although it makes the Ding sound right away, the file is still there for 3 seconds.
    I tried to clean up my mac using many apps, but they never fixed this problem.
    I've also tried what I saw on this one thread. OS X File Transfers Very Slow
    Go->Connect to Server then type "cifs://server-address" but it says there is a problem and did nothing. (maybe different issue)
    Please help!

    There may be other issues, but you installed the "Genieo" or "InstallMac" ad-injection malware. Follow the instructions on this Apple Support page to remove it.
    Back up all data before making any changes.
    Besides the files listed in the linked support article, you may also need to remove this file in the same way:
    ~/Library/LaunchAgents/com.genieo.completer.ltvbit.plist
    If there are other items with a name that includes "Genieo" or "genieo" alongside any of those you find, remove them as well.
    One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those. If Safari crashes on launch, skip that step and come back to it after you've done everything else.
    If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, then you may have one of the other kinds of adware covered by the support article. Follow the rest of the instructions in the article.
    Make sure you don't repeat the mistake that led you to install the malware. Chances are you got it from an Internet cesspit such as "Softonic" or "CNET Download." Never visit either of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad would probably have included a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.
    In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
    Still in System Preferences, open the App Store or Software Update pane and check the box marked "Install system data files and security updates" if it's not already checked.

  • Modification dates change when moving/copying between hard-drive and flash

    I use a flash drive to store most of my work-related documents on. That way, I have them when I'm at school (on a Windows XP computer) and at home on my Mac OS 10.3.9. I
    try to occasionally back up my flash drive by dragging its contents to my Mac. Copying in this direction USUALLY retains the appropriate modification date.
    However, if I move things from the Mac to the USB drive (I occasionally make changes to a file on the Mac when my flash drive isn't handy), the modification date changes to the copy/move date. Is there a way around this? It alters the information about the file and sometimes makes a version look newer than another version of a document, when in reality it's older; it's just been moved/copied and the date changed.
    I often move things back and forth for backup purposes, but if it keeps changing the dates on its own, it's impossible to tell which is REALLY the
    most current copy/version.
    Is there a fix so that copying and moving files between volumes does NOT change the modification date of the file?
    Powerbook G4--12 in.--1.33 GHz   Mac OS X (10.3.9)  

    Hi, teacher. When my Lexar JumpDrive Secure is formatted as a MS-DOS volume so a PC can read it, the last-mod dates of files that I copy to it are changed to the date and time of copying. When it's formatted as a Mac OS Extended volume, the original last-mod dates are copied to it unchanged. Looks like you can thank Bill Gates for the inconvenience: apparently it's a DOS file system "feature". Don't you wish you could use Windoze all the time?
    On second thought, the files really are changed when you write them to a DOS volume, because the DOS file system has no place to store the metadata about your files that a Mac pays attention to and a Windoze box doesn't. So when you write Mac files to a DOS volume, that metadata — which is part of each Mac file — is simply discarded, causing the last-mod date to change.

  • Unable to print from HQ to Branch through the VPN tunnel between ASAs

    We have a site-to-site VPN configured between ASAs. The VPN tunnel is up and running as desired except for one printer in the subnet: the users in the HQ cannot print to the branch office printer. I have allowed the IP protocols for the printer subnet but still it is not working. When I do a packet trace, the traffic for the printer is allowed through the tunnel.
    Can anyone suggest what could be preventing printing?

    When other printers in the same subnet can be reached, I would first control the IP-settings of the printer. In my experience it's most likely a wrong subnet-mask or gateway.

  • Intel Macs & G5s: Problems when moving projects between them

    An earlier post* suggesting complete compatibility between the latest FCP in a G5 and in an Intel Mac may be in error.
    We are experiencing continuing crashes using our Intel Mac when we work on projects that were originally either imported or partially rendered in the G5.
    It has gotten to the point where we feel we must keep projects completely isolated from each other: Either it is a "G5 project" or it is an "Intel Mac" project. Moving projects back and forth between the two leads to problems such as:
    The Intel Mac does not recognize any renders done in the G5...
    The Intel Mac crashes when rendering 'G5' projects...
    The Intel Mac crashes when Compressor goes to work to export sequences to MPEG...
    The G5 works fine with Intel Mac-originated material: It is only in the Intel Mac where we have these problems.
    Both systems are up-to-the minute on their OS, security updates, and FCP versions. We are using variously 720p/30 from the JVC GY-100UA and 1080i/30 from the Sony Z1U.
    Our questions are:
    Is anyone else experiencing similar problems moving projects between a G5 and an Intel Mac?
    Is anyone moving projects between the two platforms and experiencing NO problems at all? That information would be just as valuable, and very welcome.
    Apple FCP development team: Is our experience unique or have you had other reports like this? Any idea what could be causing our problems -- and what we can do to fix them?
    * http://discussions.apple.com/thread.jspa?messageID=3604812&#3604812
    Intel MacPro Tower, 3gHz, 8mb   Mac OS X (10.4.8)   Also a G5 Tower, 2x2.5ghz, single core

    Scott,
    Welcome to the discussions!
    I have had no problems moving my G5 projects over to my MP.
    You can not move render files between machines.
    When you changed systems, did you use Migration Assistant to transfer your files over to your new Mac Pro? You might need to install from the disks in order to achieve native Intel performance. See if you installed Final Cut 5.1 on your G5 then it installed the PPC code... if you put that drive into your Mac Pro or used Migration Assistant to move the app over it is still the PPC code... When you install from the installation disk, Installer determines what system you are installing on (PPC or Intel) and that's what it installs. This goes for all of your "Universal Binary" apps...
    In the System Profiler app, under Software/Applications,
    Final Cut Pro "kind" should be Universal on your MP.
    The FCP development team do not read these posts, only users do.

  • New SourceFire IPS for ASA firewalls

    I am in the process of ordering numerous ASA firewalls up to the 5585-X models complete with IPS.
    I just found out that Cisco is now using SourceFire/Firepower for these, and is probably going to discontinue the old system.
    I don't see a whole lot of documentation on this new system, and many of the links on the Cisco website simply link back to the old Sourcefire company page. So I had some general questions
    1. How radically different is the new IPS/IDS system? Is it still based on signatures, threat ratings, etc.?
    2. Where can I go to find documentation on this? Any books? PDFs?
    3. How long has this been out? Has it been real-world tested?
    4. Can I manage these IPS systems with IME, or do I need new software? What about ASDM?

    > I just found out that Cisco is now using SourceFire/Firepower for these, and is probably going to discontinue the old system.
    The legacy IPS is already announced for EOS/EOL.
    > 1. How radically different is the new IPS/IDS system? Is it still based on signatures, threat ratings, etc.?
    It's still mainly a signature-based system, more or less the same as before. Expect easier tuning and better defaults than before.
    > 2. Where can I go to find documentation on this? Any books? PDFs?
    Not that easy. Besides the info on the Cisco website there are also trainings like the SASAA 1.2 that start to integrate FirePower. But there it's only one topic of many.
    > 3. How long has this been out? Has it been real-world tested?
    As an IPS it probably deserves the status "real-world tested". As a Cisco-integrated system, well, I would say it's on the way.
    > 4. can I manage these IPS systems with IME, or do I need new software? What about ASDM?
    No IME any more! You use the FireSIGHT Management Center (appliance or VM). I heard that ASDM integration is planned, but I wouldn't expect that anytime soon.
