New ASA 5515x failover setup
Just an architecture setup question. We have purchased two 5515x ASA firewalls. I will be setting them up in a stateful failover setup. I know this sounds like a basic question, but here goes. I am thinking we should get the first one working on my network and then install the failover ASA once the first one is working properly...? Any thoughts?
Hi,
Yes, you can just configure the single ASA first with the configurations and, after its configuration is finished, install the Secondary unit.
Naturally, while you are configuring the Primary unit you should already set up the interfaces with a "standby" IP address under the interface configuration.
After you have set up the Primary ASA and made sure that for each of its interfaces/subinterfaces you have an L2 connection through the connecting network devices to the Secondary ASA's corresponding interfaces/subinterfaces, then you are ready to install the Secondary ASA in the network.
What you could do on the Secondary ASA is remove its default factory configuration and then configure "no shutdown" on each physical interface that you are going to use. Then you could configure the required Failover configuration using the different "failover" configuration commands. (You won't need to configure the actual physical ports separately; you just need to enable them with "no shutdown", and the "failover" commands should handle the rest.) After the physical interfaces are configured up and the "failover" commands are set up on the Secondary ASA (and naturally the Primary ASA), you could basically save the configuration on the Secondary ASA, power it down, connect it to the network and boot it up. It should then sync the configuration from the Primary ASA after it has booted up and noticed the Active unit (Primary ASA) through the Failover link. So you should not really need to configure the Secondary ASA a lot, since it syncs the majority of the configuration from the Primary ASA. Naturally the above "failover" configuration is required so the Failover link can be formed for the sync.
I have had to do this a couple of times lately because of broken-down ASAs in Failover pairs. Naturally I would suggest that you take backups of the Primary ASA's configuration before you start setting up the Failover environment, so that in case of some error in the setup you still have the configuration. Some people have mentioned the other unit wiping the other's configuration, but it has not happened to me at least.
Hope this helps and that I made some sense :)
- Jouni
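The procedure above has two parts that are easy to get wrong: every named interface on the Primary must already carry a standby address in its own subnet before the Secondary is cabled in, and the Secondary needs only the "failover" bootstrap to form the link and sync the rest. The following added example (not from the post or from Cisco) checks the first part against the interface section of the Primary's configuration and emits the bootstrap for either unit. The interface names, addresses and the link name "Failover" are constructed sample values; the warning about a missing failover key is included because without one the configuration sync crosses the failover link unencrypted.

```python
"""Pre-flight check for an ASA Active/Standby pair before the secondary is cabled in.

Added example, not from the original post. It parses the interface section of
the primary unit's configuration, verifies that every named interface has a
standby address inside its own subnet, verifies that the interface reserved
for the failover link carries no data configuration, and emits the minimal
'failover' bootstrap that each unit needs. Interface names, addresses and the
link name "Failover" are constructed sample values.
"""
import ipaddress
import re

# Constructed sample: 'show run interface' from the primary unit.
PRIMARY_INTERFACES = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.248 standby 198.51.100.11
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
"""


def parse_interfaces(config):
    """Map physical interface name -> {nameif, ip, mask, standby} from config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        line = line.strip()
        m = re.match(r"^nameif (\S+)", line)
        if m:
            current["nameif"] = m.group(1)
        m = re.match(r"^ip address (\S+) (\S+)(?: standby (\S+))?", line)
        if m:
            current["ip"], current["mask"], current["standby"] = m.groups()
    return interfaces


def check_failover_ready(config, failover_link, failover_key=None):
    """Return a list of problems; an empty list means the secondary can be added."""
    problems = []
    if failover_key is None:
        # Without a key the failover messages, including the config sync that
        # carries passwords and pre-shared keys, cross the link unencrypted.
        problems.append("no failover key: config sync over the failover link is unencrypted")
    for ifname, cfg in parse_interfaces(config).items():
        if ifname == failover_link:
            if "nameif" in cfg or "ip" in cfg:
                problems.append(f"{ifname}: failover link must not carry nameif/ip address")
            continue
        if "nameif" not in cfg:
            continue  # unused interface
        label = f"{ifname} ({cfg['nameif']})"
        if not cfg.get("ip"):
            problems.append(f"{label}: named interface has no IP address")
            continue
        if not cfg.get("standby"):
            problems.append(f"{label}: no standby address, the secondary unit would be "
                            "unreachable on this interface")
            continue
        net = ipaddress.ip_network(f"{cfg['ip']}/{cfg['mask']}", strict=False)
        active, standby = ipaddress.ip_address(cfg["ip"]), ipaddress.ip_address(cfg["standby"])
        if standby not in net:
            problems.append(f"{label}: standby {standby} is outside {net}")
        elif standby == active:
            problems.append(f"{label}: standby address equals the active address")
    return problems


def failover_bootstrap(unit, failover_link, link_name, link_ip, link_mask, link_standby,
                       failover_key=None):
    """Commands to enter on a unit ('primary' or 'secondary') so the pair can form."""
    lines = [
        f"interface {failover_link}",
        " no shutdown",
        f"failover lan unit {unit}",
        f"failover lan interface {link_name} {failover_link}",
        f"failover link {link_name} {failover_link}",  # state link shares the LAN failover link
        f"failover interface ip {link_name} {link_ip} {link_mask} standby {link_standby}",
    ]
    if failover_key:
        lines.append(f"failover key {failover_key}")
    lines.append("failover")  # enable last, after the link parameters exist
    return lines


if __name__ == "__main__":
    for problem in check_failover_ready(PRIMARY_INTERFACES, "GigabitEthernet0/3", "s3cret"):
        print("WARN:", problem)
    print("\n".join(failover_bootstrap("secondary", "GigabitEthernet0/3", "Failover",
                                       "10.0.0.1", "255.255.255.252", "10.0.0.2", "s3cret")))
```

Run the check against the Primary's "show run interface" output before powering up the Secondary; the sample deliberately leaves the dmz interface without a standby address so the check has something to report. The same bootstrap, with "primary" in place of "secondary", goes on the Primary.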
Similar Messages
-
Upgrade from 8.2 to 8.6 for new ASA 5515X
Hello,
My customer has a rather complex configuration on an ASA 5510 running version 8.2
They are migrating to new ASA 5515X models, which of course only support version 8.6.
How can I convert the configuration from 8.2 to 8.6, since the new ASAs do not support the earlier versions?
The X series seems to be a great option for new deployments but what about replacements of existing older models?
Thanks for any ideas everyone!
Chris
Hello,
I would say go to 8.4. From there you will have the same syntax.
There will be new commands and features on 8.6, that's for sure, but you are going to be on the same path.
Any other question? Sure. Just remember to rate all of the helpful posts.
Julio -
Move configure from old ASA to new ASA 5515x?
Dear All,
Could you let me know how I can move my configuration from ASA 5510 v8.0 to the new ASA 5515-X v9.1.1?
I used copy running to TFTP and applied it to the new ASA, but it has some errors like nat and Certificate.
Could I export my certificate from the old ASA and import it to the new ASA, which are different versions? Is there any solution without downtime?
Best Regards,
Rechard
Rechard
I do not believe that there is a way to do the transition from an old ASA running 8.0 to a new ASA running 9.1 without some downtime. But it is possible to minimize the downtime. I have recently done a transition like that and it was not an easy one. As you have discovered, if you attempt to copy the old config to the new ASA it will reject as invalid syntax much of the access lists and all of the nat.
The easier way to do the transition is to have an ASA running the old code with the old config and to upgrade that ASA to 9.1. In this process the 9.1 code should read the config from startup and will do a conversion to the new syntax. I have done this going from 8.0 to 8.4 and see no reason why 9.1 would be different. You then only need to check the accuracy of the conversion. And then you can take the converted config and load it on the new ASA. In my recent conversion we did not have an extra ASA with old code, the new ASA does not support the old version, and the downtime to do this on the existing ASA was not acceptable. So I took the access lists and nat and did a manual translation from old to new. I loaded the modified config on the new ASA and did some checking. We then just switched connections from old ASA to new ASA and the downtime was minimal.
HTH
Rick -
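The rejected nat lines Rick describes are a syntax change introduced in 8.3, so the mechanical part of the rewrite can be scripted. The following added example (not from the thread or from Cisco) converts the two most common pre-8.3 NAT forms, a one-to-one static and dynamic PAT to the outside interface address, into 8.3+ object NAT, and parks everything else (nat 0 exemptions, policy NAT, port statics) in a review list for manual handling. The old-style sample lines are constructed. One caveat the script cannot fix: from 8.3 onward access lists match on real (untranslated) addresses, so any ACL that was written against mapped addresses has to be rewritten as well.

```python
"""Translate a subset of pre-8.3 ASA NAT syntax into the 8.3+ object-NAT form.

Added example, not from the original thread. Handles:
  static (real,mapped) MAPPED REAL netmask MASK      -> object NAT static
  global (mapped) ID interface + nat (real) ID NET MASK -> object NAT dynamic interface
Anything else (nat 0 access-list, policy NAT, port statics, global to a pool)
is returned in a review list instead of being guessed at.
"""
import ipaddress
import re

# Constructed sample of pre-8.3 NAT statements.
OLD_NAT_SAMPLE = """\
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.0 10.2.2.0 netmask 255.255.255.0
nat (inside) 0 access-list no_nat
"""


def _net_object(addr, mask):
    """Return (object name, definition lines) for an 8.3+ network object covering addr/mask."""
    if mask == "255.255.255.255":
        return f"obj-{addr}", [f"object network obj-{addr}", f" host {addr}"]
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    name = f"obj-{net.network_address}"
    return name, [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]


def convert_nat(old_config):
    """Return (new_config_text, lines_needing_manual_review)."""
    global_targets = {}   # nat_id -> (mapped interface, target such as 'interface')
    dynamic_rules = []    # (real interface, nat_id, address, mask)
    out, review = [], []
    for raw in old_config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"global \((\S+)\) (\d+) (\S+)", line)
        if m:
            global_targets[m.group(2)] = (m.group(1), m.group(3))
            continue
        m = re.fullmatch(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)
        if m and m.group(2) != "0":          # nat 0 (exemption) is left for review
            dynamic_rules.append(m.groups())
            continue
        m = re.fullmatch(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            if mask == "255.255.255.255":
                mapped_ref = mapped                      # single mapped IP is allowed inline
            else:
                mapped_ref, mapped_def = _net_object(mapped, mask)
                out += mapped_def                        # net-to-net needs a mapped object
            _, real_def = _net_object(real, mask)
            out += real_def + [f" nat ({real_ifc},{mapped_ifc}) static {mapped_ref}"]
            continue
        review.append(line)
    for real_ifc, nat_id, addr, mask in dynamic_rules:
        mapped_ifc, target = global_targets.get(nat_id, (None, None))
        if target != "interface":
            review.append(f"nat ({real_ifc}) {nat_id} {addr} {mask}")
            continue
        _, definition = _net_object(addr, mask)
        out += definition + [f" nat ({real_ifc},{mapped_ifc}) dynamic interface"]
    return "\n".join(out) + "\n", review


if __name__ == "__main__":
    new_config, todo = convert_nat(OLD_NAT_SAMPLE)
    print(new_config)
    for line in todo:
        print("REVIEW MANUALLY:", line)
```

Load the emitted objects on the new unit, then work through the review list by hand; the nat 0 exemption in the sample typically becomes a twice NAT rule with the same source and destination objects, which depends on the ACL it referenced and is therefore not automated here.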
Cisco asa 5515x web user management
hi all,
I recently bought a new ASA 5515X. I'm also new to it, especially as to whether I can have users log in before they can use the internet. My 5515 security license is a Plus license. And also whether that user management can be integrated with Active Directory 2008 R2.
Thanks for any comment you may add.
The ASA should be able to talk to your AD via either LDAP or Kerberos.
And yes, you need the CX to perform content filtering on the ASA itself, or you can look at the Ironport appliances or Cloud Web Security (ScanSafe) for additional filtering options.
Sent from Cisco Technical Support iPad App -
Help needed in ASA 5540 Cluster/Failover setup
Hello expert,
Currently we have two ASAs in our Datacenter set up as an Active/Standby failover pair, and it is tested, i.e. failover is working (if one FW goes down). But what if the uplink switches/links or backend switches go down? How does the active FW know to fail over?
Current setup
| |
___|___ __|___
---| SW 1 |------------------------ | Sw2 |
| |
___|___ __|___
---| FW 1 |------------------------ | FW-2 |
| |
___|___ __|___
---| SW 1 |------------------------ | Sw2 |
In the above figure, FW1 is active and I have powered off the uplink SW1, but FW2 did not take over, and the same for the backend switches. So how do I configure my FWs so that if any of the uplink or backend switches go down, the Active gives its role to the standby to forward the traffic from a different switch, i.e. SW2 in case SW1 goes down?
Or is there any mechanism where I can monitor the interfaces, i.e. uplinks or backend links etc.?
Your help is appreciated.
Regards
It seems that you have a LAN link directly connected between the boxes, so the unit will determine that Primary/Active has interfaces that are inactive and fail over. You should read:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
This link gives you the failover triggers and failover actions. -
Need to add a new segment on a live ASA5520 with a failover setup running
Hi ,
How do I add a new segment on my ASA5520 that is currently in a LAN-based active/standby failover?
Will it trigger the failover if I add another interface, and will it be just as simple as unshutting a normal interface and adding an IP with the same configuration as the other interfaces for failover?
All of my existing segments have a redundant switch, and the new segment that I will be creating is just straightforward with only 1 switch on the segment.
fw-inside-1# show run int
interface GigabitEthernet0/0
description OUTSIDE Interface_1
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
description APPS Interface_1
no nameif
no security-level
no ip address
interface GigabitEthernet0/2
description DB Interface_1
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
interface GigabitEthernet1/0
description OUTSIDE Interface_2
no nameif
no security-level
no ip address
interface GigabitEthernet1/1
description APPS Interface_2
no nameif
no security-level
no ip address
interface GigabitEthernet1/2
description DB Interface_2
no nameif
no security-level
no ip address
interface GigabitEthernet1/3 <<<<<<<<<<<<<<<<<< I will use this interface for the new segment.
shutdown
no nameif
no security-level
no ip address
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet1/0
nameif outside
security-level 0
ip address 10.50.5.10 255.255.255.0 standby 10.50.5.11
interface Redundant2
member-interface GigabitEthernet0/1
member-interface GigabitEthernet1/1
nameif apps
security-level 80
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
interface Redundant3
member-interface GigabitEthernet0/2
member-interface GigabitEthernet1/2
nameif db
security-level 90
ip address 172.16.4.1 255.255.255.0 standby 172.16.4.2
fw-inside-1#
fw-inside-1# show run fail
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover polltime unit 5 holdtime 15
failover link Failover GigabitEthernet0/3
failover interface ip Failover 10.0.0.1 255.255.255.252
fw-inside-1#
Since I will not be having a redundant switch on the new segment, I will use the below config:
interface GigabitEthernet1/3
no shut
nameif
security-level 75
ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2
Then I will connect the cables..
Please let me know if you have any suggestions or links.
Regards
You should first configure your interface, then cable both units, and after that no shut it on the ASA. Additionally you can remove your new interface from failover monitoring as a precaution, in case something goes wrong.
Sent from Cisco Technical Support iPad App -
New ASA generation support PBR or no & ISPs links redundancy
Please, I need to know if the Cisco ASA next generation, specifically the ASA 5515X, supports PBR or not.
If yes, please tell me how to implement it, and if not, then what is the solution here (any solution if possible please)?
Also, if I have many internet connections and I need to dedicate 2 ISP ADSL internet lines to a certain service (such as mail), so that if the 1st fails the 2nd line comes up to provide redundancy with it: is this available on Cisco ASA next generation? If yes, please show me how to implement it or give me any configuration example.
Hi,
To my understanding there is still no official support for PBR on the ASA.
When I was at Cisco Live! 2013 London, they talked about PBR in one session and said it might be coming. On the other hand, I heard from elsewhere that it's not currently in the plans for the ASA. I am not really sure what to believe.
To this date all the solutions related to dividing traffic between different ISP links have had something to do with NAT configurations on the ASA.
I have actually tested a setup on the original ASA5500 series devices with new software and have been able to select the outgoing interface of the traffic based on the source address using NAT. I have not implemented this in a production environment, as I don't know what will happen to it when I next upgrade the device. I would rather use methods that are officially supported than rig something into a production network.
I am not sure exactly what kind of setup you are trying to implement. Using a 2 ISP setup where only 1 ISP link is active at a time is pretty basic, I suppose. There you track the main ISP link and when it fails you move traffic to use the Secondary ISP.
When we implement Dual ISP setups for our customers we naturally have both links connected to our network in separate parts of the core network. Therefore the customer can keep the same public IP address space through both links. Though naturally in these cases the routers in front of the ASAs handle the Primary and Secondary connection routing and not any Cisco firewall. I have never configured a 2 ISP solution using the ASA directly in a production environment. It's always been handled by the routers in front of the ASA.
So to answer in short, you should be able to configure a Dual ISP setup where 1 of the links is Active on pretty much any ASA model. To my understanding the ASA5505 is perhaps the only limitation, but I am not 100% sure.
Here is one (old) basic configuration guide for a Dual ISP setup with PIX/ASA.
Naturally the NAT configuration format is different, but it doesn't really play a big role in this setup.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
- Jouni -
Causing some network problem after connecting the new ASA to my network
Hi everyone,
Hope you can help on this issue.... It is strange to me...but may not be to you
Currently, I have a subnet that connects to my primary network. All the internet traffic travels through a router there and in turn through a pair of ASA failover firewalls (i.e. Subnet -> router -> Subnet ASA -> Primary network ASA -> Primary network router -> Internet).
Now we are trying to set up an internet pipe so the subnet can go to the internet on its own. So, for security purposes, we put another new ASA in between the subnet and the new internet. This will be the first path, and the old path to the Internet would be the backup route.
NOW
I have not even made any route changes on the router yet. What I did was to connect the new ASA to the subnet. Again, I did not change any routes or any gateway settings on any of the computers in the subnet!! I just connected the ASA. That is it...please remember this.
However, a problem happens. I have an application server in the same subnet that keeps kicking out users. I also have a continuous ping to it... I saw that the server had request timed out... it did not come back up until about 10 to 20 seconds later. The server, in fact, is a cluster server. Although I can ping the physical server, I cannot ping the virtual server.
In order to fix the problem, I really need to unplug the new ASA from the network and reload the cluster server. Then it starts to work.
Another symptom is that people complain the logon is obviously slower than usual.
May I ask why the new ASA would cause this trouble?? Again, no routes on the router have been changed. And all PCs in the subnet are still using the old gateway and do not know about the new ASA.
Any ideas would be great!! Very strange to me. Thank you very much for your help.
Riderfaiz
First guess would be proxy ARP.
Proxy ARP is enabled by default on the ASA. The new ASA might be proxy ARPing for whatever reason.
OR the new ASA might have been configured with an ip address that belongs to another device by mistake. -
Hi,
We are setting up a new ASA which is in multiple context mode. I was wondering if it is possible to set up redundant failover and state links? I know that it is possible to run failover on one link and state on another, or both over the same link, but is it possible to have both failover and state running on 2 links? For example, failover and state on ten1/0 as well as failover and state on ten1/1.
Hope I have explained my question well enough. If not, I will try to explain better.
thanks
I would suggest making a redundant logical link and attaching two physical links to it. Then, during failover link configuration, specify your redundant link as the failover link. Not sure if it works, but I don't see any obstacles for this solution to fail..
-
Hello,
We have a new ASA box configured and one of the users is using his iPad to connect to it.
It is asking for a secret password while he tries to connect to it.
Arun
Hi Marvin,
I am attaching the running config.
The user is from the group MDW(You can see it in the config).
=====================================================================================
sh run
: Saved
ASA Version 8.2(5)
hostname nmtasav001
domain-name internal.XXX.com
enable password xxx encrypted
passwd xxx encrypted
names
name 10.4.5.5 NetflowAnalyzer
name 10.4.5.6 Challenger
name 10.4.237.0 Net-10.4.237.0 description ASA Client VPN
name xxx Net-xxx description Hosting
name 10.4.4.50 mtcdnsw001
name 10.4.4.51 mtcdnsw002
name xxx nmtasav001-outside
name 172.16.0.0 Net-172.16.0.0
name 192.168.0.0 Net-192.168.0.0
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 10.4.1.20 255.255.255.224
interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address nmtasav001-outside 255.255.255.0
interface GigabitEthernet0/2
nameif lab
security-level 100
ip address 192.168.105.193 255.255.254.0
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server mtcdnsw001
name-server mtcdnsw002
domain-name internal.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj-SSL-pool
network-object 10.2.31.0 255.255.255.0
object-group network obj-inside-LAN
network-object 10.4.1.0 255.255.255.224
object-group network INTERNAL-DNS
network-object host mtcdnsw001
network-object host mtcdnsw002
object-group network Net-PrivateRFC1918
network-object 10.0.0.0 255.0.0.0
network-object Net-172.16.0.0 255.240.0.0
network-object Net-192.168.0.0 255.255.0.0
access-list mngmt-in extended permit ip any any
access-list INSIDE_nat0_outbound extended permit ip any 192.168.105.194 255.255.255.254
access-list INSIDE_nat0_outbound extended permit ip any 10.2.31.0 255.255.255.0
access-list no_nat extended permit ip 10.2.31.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list no_nat extended permit ip any 10.0.0.0 255.255.255.0
access-list tcp_bypass extended permit tcp host 10.4.4.38 any
access-list DAP-Test extended deny ip 10.2.31.0 255.255.255.0 host Challenger
access-list MDW-Contractors extended permit ip Net-10.4.237.0 255.255.255.0 Net-xxx 255.255.224.0
access-list MDW-Contractors extended permit udp Net-10.4.237.0 255.255.255.0 object-group INTERNAL-DNS eq domain
access-list MDW-Contractors extended deny ip any object-group Net-PrivateRFC1918
access-list MDW-Contractors extended permit ip Net-10.4.237.0 255.255.255.0 any
access-list MDW-ST-TEST extended permit ip any any inactive
access-list MDW-ST-TEST2 standard permit host xxx
pager lines 24
logging enable
logging asdm informational
flow-export destination INSIDE NetflowAnalyzer 2055
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu lab 1500
mtu management 1500
ip local pool IPPool 192.168.105.194-192.168.105.195 mask 255.255.254.0
ip local pool TestPool 10.0.0.1-10.0.0.254 mask 255.255.255.0
ip local pool OUTSIDE-TEST 10.2.31.2-10.2.31.254 mask 255.255.255.0
ip local pool MDW-Contractors 10.4.237.206-10.4.237.210 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list no_nat
nat (OUTSIDE) 1 Net-10.4.237.0 255.255.255.0
access-group mngmt-in in interface management
route OUTSIDE 0.0.0.0 0.0.0.0 xxx 1
route INSIDE 10.0.0.0 255.0.0.0 10.4.1.4 1
route INSIDE Net-172.16.0.0 255.240.0.0 10.4.1.4 1
route INSIDE Net-192.168.0.0 255.255.0.0 10.4.1.4 1
route INSIDE Net-xxx 255.255.224.0 10.4.1.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-message "Default Success"
dynamic-access-policy-record Employees
user-message "Employees DAP Good"
network-acl DAP-Test
aaa-server Internal_LDAP protocol nt
aaa-server Internal_LDAP (INSIDE) host 10.4.4.40
nt-auth-domain-controller 10.4.4.40
aaa-server CryptoCard protocol radius
aaa-server CryptoCard (INSIDE) host 10.4.5.1
key *****
authentication-port 1812
accounting-port 1813
aaa-server INTERNAL_AD protocol nt
aaa-server INTERNAL_AD (INSIDE) host 10.4.4.40
nt-auth-domain-controller 10.4.4.40
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (INSIDE) host 10.4.4.38
server-port 389
ldap-base-dn ou=xxx,dc=internal,dc=xxx,dc=com
ldap-group-base-dn ou=xxx,dc=internal,dc=xxx,dc=xxx
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn ldapquery@xxx
server-type microsoft
aaa-server BlackShield protocol radius
aaa-server BlackShield (INSIDE) host 10.4.4.253
key *****
authentication-port 1812
accounting-port 1813
aaa-server BlackShield (INSIDE) host 10.4.4.254
key *****
authentication-port 1812
accounting-port 1813
aaa-server Hosting-LDAP protocol ldap
aaa-server Hosting-LDAP (INSIDE) host xxx
server-port 636
ldap-base-dn ou=People,dc=xxx,dc=xxx
ldap-scope subtree
ldap-naming-attribute uid
ldap-login-password *****
ldap-login-dn cn=VPN,ou=Auth Accounts,dc=xxx,dc=xxx
ldap-over-ssl enable
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.105.192 255.255.255.255 lab
http Challenger 255.255.255.255 lab
http 10.0.0.0 255.0.0.0 lab
http 10.0.0.0 255.0.0.0 INSIDE
http Net-192.168.0.0 255.255.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map lab_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map lab_map interface lab
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=nmtasav001
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 17ffe14e
308201d7 30820140 a0030201 02020417 ffe14e30 0d06092a 864886f7 0d010105
05003030 31133011 06035504 03130a6e 6d746173 61763030 31311930 1706092a
864886f7 0d010902 160a6e6d 74617361 76303031 301e170d 31313132 30393132
34363231 5a170d32 31313230 36313234 3632315a 30303113 30110603 55040313
0a6e6d74 61736176 30303131 19301706 092a8648 86f70d01 0902160a 6e6d7461
73617630 30313081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
8181009a 6917bd8f e740f061 92d7a6fe 93407ac8 0449a07d 65da57c8 ce4954d4
2260f2b5 ab4df14c 5ad4c326 83a5d44f 61c1fcf1 4b297cfd 99b5d476 1c448acf
1939e5aa 8b994aba 4a6cd5ee dc9add18 92677696 773d581c 3b8bc39b 3257c32c
cf1288d2 9a2addce 76b3fd5c 90207513 c4f2c662 771dfbe7 4b6ce8a3 5ec886a4
3ec27d02 03010001 300d0609 2a864886 f70d0101 05050003 8181008e 36d02573
df2277dd d0902fa8 83b6efb1 183c3df1 2d305cd8 c3eb6c15 f21534e1 12252077
f9d92978 7477cd70 b0e5cf6a db9401ea b02b1ece ace0ed55 7b84bddc cb86e9af
306c1033 ed52c294 ea59a284 0e6f63e6 d1c6f3c8 ace8b8ba 158e38a1 2923cbc2
27895b29 549ce80a 66170c58 b4e493d5 879c44d5 860ed20d 96d05d
quit
crypto isakmp enable OUTSIDE
crypto isakmp enable lab
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 INSIDE
ssh Net-192.168.0.0 255.255.0.0 INSIDE
ssh 10.0.0.0 255.0.0.0 lab
ssh Net-192.168.0.0 255.255.0.0 lab
ssh Challenger 255.255.255.255 lab
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.4.4.35 source INSIDE prefer
ssl trust-point ASDM_TrustPoint0 lab
webvpn
enable OUTSIDE
csd image disk0:/csd_3.5.841-k9.pkg
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 4
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 5
svc enable
group-policy RSA-TEST internal
group-policy RSA-TEST attributes
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol IPSec
default-domain value internal.xxx
group-policy DfltGrpPolicy attributes
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value internal.xxx
group-policy GroupPolicy4 internal
group-policy GroupPolicy4 attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-filter value MDW-Contractors
vpn-tunnel-protocol svc
default-domain value internal.xxx
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol svc
default-domain value internal.xxx
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol svc
default-domain value internal.xxx
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol svc
default-domain value internal.xxx
group-policy EmployeeGrpPolicy internal
group-policy EmployeeGrpPolicy attributes
wins-server none
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol svc webvpn
default-domain value internal.xxx
webvpn
url-list value Challenger
group-policy OUTSIDE-REMOTEACCESS internal
group-policy OUTSIDE-REMOTEACCESS attributes
dns-server value 10.4.4.50 10.4.4.51
vpn-tunnel-protocol IPSec svc
default-domain value internal.xxx
username user1 password spqkEUN2dW2Uq2B3 encrypted
username user2 password CiPqkZGHO77wSa/e encrypted privilege 0
username user2 attributes
vpn-group-policy RSA-TEST
username xxx password xxx encrypted
username neteng password xxx encrypted privilege 15
username neteng attributes
service-type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool OUTSIDE-TEST
authentication-server-group INTERNAL_AD
secondary-authentication-server-group CryptoCard use-primary-username
tunnel-group CompanyOwnedComputer type remote-access
tunnel-group CompanyOwnedComputer general-attributes
address-pool OUTSIDE-TEST
authentication-server-group INTERNAL_AD
secondary-authentication-server-group BlackShield use-primary-username
default-group-policy EmployeeGrpPolicy
tunnel-group CompanyOwnedComputer webvpn-attributes
group-url https://xxx/employees enable
tunnel-group MDW type remote-access
tunnel-group MDW general-attributes
address-pool MDW-Contractors
authentication-server-group Hosting-LDAP
authorization-server-group Hosting-LDAP
default-group-policy GroupPolicy4
tunnel-group MDW webvpn-attributes
group-url https://xxx/mdw enable
tunnel-group OUTSIDE-REMOTEACCESS type remote-access
tunnel-group OUTSIDE-REMOTEACCESS general-attributes
address-pool OUTSIDE-TEST
default-group-policy OUTSIDE-REMOTEACCESS
tunnel-group OUTSIDE-REMOTEACCESS ipsec-attributes
trust-point ASDM_TrustPoint0
tunnel-group RSA-TEST type remote-access
tunnel-group RSA-TEST general-attributes
address-pool TestPool
default-group-policy RSA-TEST
tunnel-group RSA-TEST ipsec-attributes
pre-shared-key *****
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
authentication-server-group (INSIDE) Internal_LDAP
default-group-policy GroupPolicy2
class-map inspection_default
match default-inspection-traffic
class-map tcp_bypass
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map tcp_bypass_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
service-policy global_policy global
service-policy tcp_bypass_policy interface INSIDE
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8ebf55bf0eac5187d701d62352d57e6f
: end
nmtasav001# -
Hi Everyone,
I am setting up new ASA for testing purposes.
So far it has a single interface active, which is management.
I can ssh to the ASA fine, but ASDM is not working.
sh run http shows
sh run http
http server enable
http 172.31.20.0 255.255.255.0 management
sh run ssh
ssh 172.31.20.0 255.255.255.0 management
Regards
MAhesh
Hi Julio,
sh run ssl does not show any output
show flash | include asdm
111 16280544 Jun 29 2011 12:10:58 asdm-645.bin
sh run asdm
no asdm history enable
sh ver shows
up 2 days 2 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is e8b7.483d.0d68, irq 9
1: Ext: GigabitEthernet0/1 : address is e8b7.483d.0d69, irq 9
2: Ext: GigabitEthernet0/2 : address is e8b7.483d.0d6a, irq 9
3: Ext: GigabitEthernet0/3 : address is e8b7.483d.0d6b, irq 9
4: Ext: Management0/0 : address is e8b7.483d.0d6c, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Regards
MAhesh -
Cisco ASA 5505 Failover issue..
Hi,
I have two firewalls (Cisco ASA 5505) which are configured in active/standby mode. It was running smoothly for more than a year, but last week the secondary firewall failed and it took my whole network down. Then I just removed the connectivity of the secondary firewall and ran only the primary one. When I logged in by console I found out that failover had been disabled. So again I connected it to the network and enabled the firewall. After a couple of days the same issue happened. This time I took down the secondary firewall, erased the flash, reloaded the IOS image, configured the failover and connected it to the primary for the replication of configs. It found the Active mate, replicated the configs and got synced... But after the sync the same thing happened: the whole network went down. I just did the same thing, removed the secondary firewall, and the network came up. I feel there is something with the failover thing, but I couldn't find out what :( . And the firewalls are in Router Mode. Please find the logs...
Secondary Firewall While Sync..
cisco-asa(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 06:01:10 GMT Apr 29 2015
This host: Secondary - Sync Config
Active time: 55 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): No Link (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 177303 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
=======================================================================================
Secondary firewall just after sync, Active (primary firewall got rebooted)
cisco-asa# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:06:12 GMT Apr 29 2015
This host: Secondary - Active
Active time: 44 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Not Detected
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
==========================================================================================
After the Active firewall got rebooted: failover off, whole network went down.
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
===========================================================================================
Primary firewall after rebooting
cisco-asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:17:29 GMT Apr 29 2015
This host: Primary - Active
Active time: 24707 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): Normal (Waiting)
Interface mgmt (10.11.200.21): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
cisco-asa# sh failover history
==========================================================================
From State To State Reason
==========================================================================
06:16:43 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:29 GMT Apr 29 2015
Negotiation Just Active No Active unit found
06:17:29 GMT Apr 29 2015
Just Active Active Drain No Active unit found
06:17:29 GMT Apr 29 2015
Active Drain Active Applying Config No Active unit found
06:17:29 GMT Apr 29 2015
Active Applying Config Active Config Applied No Active unit found
06:17:29 GMT Apr 29 2015
Active Config Applied Active No Active unit found
==========================================================================
cisco-asa#
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Comm Failure 06:17:43 GMT Apr 29 2015
====Configuration State===
====Communication State===
==================================================================================
Secondary Firewall
cisc-asa# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (down)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
ecs-pune-fw-01# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected None
====Configuration State===
====Communication State===
Thanks... -
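A check a defender could run over the "show failover" and "show failover history" output pasted above, flagging the states visible in this post (Failover Off, failover LAN interface not up, mate Not Detected/Failed, "Set by the config command"). This is an added example, not Cisco code; the sample strings are copied from the post as constructed test input.

```python
import re

# Sample output reproduced from the post above (constructed test input, not live data).
SAMPLE_SHOW = """Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (down)
"""
SAMPLE_HIST = """06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
"""

def parse_show_failover(text: str) -> dict:
    """Pull the headline fields out of 'show failover' output."""
    info = dict(failover_on=None, unit=None, lan_if_state=None, mate_version=None, other_host=None)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            info["failover_on"] = True
        elif line.startswith("Failover Off"):
            info["failover_on"] = False
        elif line.startswith("Failover unit "):
            info["unit"] = line.split()[-1]
        elif line.startswith("Failover LAN Interface:"):
            m = re.search(r"\((.*)\)\s*$", line)       # e.g. (up), (down), (Failed - No Switchover)
            info["lan_if_state"] = m.group(1) if m else None
        elif line.startswith("Version:"):
            m = re.search(r"Mate (\S+)", line)          # "Unknown" means no hello seen from the mate
            info["mate_version"] = m.group(1) if m else None
        elif line.startswith("Other host:"):
            info["other_host"] = line.split(":", 1)[1].strip()  # e.g. "Primary - Not Detected"
    return info

def failover_findings(show_failover: str, history: str = "") -> list:
    """Return the conditions a monitoring check should alert on; the history
    regex catches a unit that disabled failover on itself and logged the reason."""
    info = parse_show_failover(show_failover)
    findings = []
    if info["failover_on"] is False:
        findings.append("failover is OFF on this unit")
    if info["lan_if_state"] and info["lan_if_state"] != "up":
        findings.append("failover LAN interface not up: " + info["lan_if_state"])
    if info["other_host"] and info["other_host"].split(" - ")[-1] in ("Not Detected", "Failed"):
        findings.append("mate state: " + info["other_host"])
    if info["failover_on"] and info["mate_version"] == "Unknown":
        findings.append("mate version Unknown (no hello exchange over the failover link)")
    for m in re.finditer(r"^Negotiation\s+Disabled\s+(.*)$", history, re.M):
        findings.append("history: failover disabled, reason: " + m.group(1).strip())
    return findings
```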
Hi, I have a question. I'm trying to back up my iPhone to iTunes but it says restore from backup or set up as new device. If I set up as new device will everything be deleted? If yes, then how would I back it up without anything being deleted?
Following is a link to instructions on how to back up (either via iTunes or via iCloud): http://support.apple.com/kb/HT1766
-
Remote Desktop Connection to ASA 5515x
Hi Guys,
I have an ASA 5515x and it already has an Internet connection, since my firewall is not in "production". So right now I'm trying to configure a Remote Session just for a test, and eventually I was not able to connect through it. I followed the instructions from the technotes but the Remote Connection still dropped. Here's my sample configuration on my firewall; by the way, I also configured a service policy rule and ACL just to make sure whether I can access the server inside my network, but the session also dropped.
Feel free if you guys have any inputs on my concern. Thanks a lot.
nat (inside,outside) source static 1.1.1.1 2.2.2.1
access-list 110 extended permit tcp host 3.3.3.1 host 2.2.2.1 eq 3389
CiscoASA(config)#class-map rdpmss
CiscoASA(config-cmap)#match access-list 110
CiscoASA(config-cmap)#exit
CiscoASA(config)#tcp-map mss-map
CiscoASA(config-tcp-map)#exceed-mss allow
CiscoASA(config-tcp-map)#exit
CiscoASA(config)#policy-map rdpmss
CiscoASA(config-pmap)#class rdpmss
CiscoASA(config-pmap-c)#set connection advanced-options mss-map
CiscoASA(config-pmap-c)#exit
CiscoASA(config-pmap)#exit
CiscoASA(config)#service-policy rdpmss interface outside
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml
The service-policy is not needed in this scenario. But your ACL has to use the real address of the internal server:
access-list 110 extended permit tcp host 3.3.3.1 host 1.1.1.1 eq 3389
And is the ACL bound to the outside interface?
access-group 110 in int outside
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
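The two points the answer above makes, that on an 8.3+ ASA the ACL must match the real (pre-NAT) address and that the ACL must be bound with access-group, expressed as a lint over a config snippet. This is an added example, not Cisco code or the thread's own configuration; the addresses are the placeholder ones the poster used.

```python
import re

# Only the line shapes seen in the thread are parsed: static source NAT,
# "host ... host ... eq ..." ACEs and access-group bindings.
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) host (\S+) host (\S+)(?: eq (\S+))?")
GRP_RE = re.compile(r"^access-group (\S+) in int(?:erface)? (\S+)")

def check_config(config: str) -> list:
    """Return (acl_name, message) findings for an ASA 8.3+ snippet."""
    mapped_to_real = {}   # NAT-mapped (translated) address -> real address
    acls = {}             # ACL name -> list of (src, dst, port)
    bound = set()         # ACL names referenced by access-group
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            mapped_to_real[m.group(4)] = m.group(3)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(3), m.group(4), m.group(5)))
        elif m := GRP_RE.match(line):
            bound.add(m.group(1))
    findings = []
    for name, entries in acls.items():
        for src, dst, port in entries:
            if dst in mapped_to_real:   # post-8.3 ACLs see the real address, not the mapped one
                findings.append((name, f"destination {dst} is the mapped address; "
                                       f"use the real address {mapped_to_real[dst]}"))
        if name not in bound:
            findings.append((name, "ACL is not bound to any interface with access-group"))
    return findings

# Constructed snippet mirroring the post above (placeholder addresses as the poster wrote them).
BROKEN = """nat (inside,outside) source static 1.1.1.1 2.2.2.1
access-list 110 extended permit tcp host 3.3.3.1 host 2.2.2.1 eq 3389
"""
# Same snippet with the two corrections from the answer applied.
FIXED = BROKEN.replace("host 2.2.2.1", "host 1.1.1.1") + "access-group 110 in interface outside\n"
```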
Hi,
I'm having two datastores A and B. The whole datastore is replicated in a two-way replication scheme.
My question is what are the steps to be taken if I'm adding a new table to this setup.
After adding the new table in both the datastores, replication is not happening for the new table.
Do I need to do a duplicate operation on one of the card after creating a new table in the other?
Regards
Pratheej
Hi Pratheej,
Please confirm my understanding that you are using legacy replication (CREATE REPLICATION as opposed to CREATE ACTIVE STANDBY PAIR). For legacy datastore level replication, when you create a new table in a replicated datastore it is created as 'EXCLUDED' (i.e. as if it had existed at the time you created the replication scheme but you had explicitly EXCLUDED it). Hence to get that table into replication you need to 'ALTER REPLICATION ... INCLUDE ...'.
If you are adding multiple tables you can do them all in one 'hit' so in steps 5 and 7 you would do all the tables at the same time hence only one duplicate is needed regardless of the number of tables being added.
If you were to use ACTIVE STANDBY PAIR replication then you could do this much more easily using DDL Replication.
Chris