Pix Failover

Im trying to build out a new network and im looking for the most redundancy as possible :)
If you look at the attachment everything from my knowledge will work just peachy if I just connect the blue lines...The only problem is if the main top switch failed (not a link failure but a total shut off) I will need to make sure the main pix fails over to the secondary.
What I would much rather like is when the main switch failed I didnt have to have the pixs failover that there would be another link to handle this. Thats where the green lines come in..
Can someone get me on the right path here, ive looked into the tracking features on the pix but it seems to only work with two seperate ISPs etc.
thanks guys and gals

You should have some kind of redundancy. Unfortunately, there's no way that you can configure pix to be able to detect whether the switch behind it is dead or not and be able to route the traffic to another back up switch when the primary switch is dead. But you can configure redundancy for the pix itself by configuring the pix for failover. That way, when the primary pix goes down it will failover to the secondary pix. Please refer to the following URL for more details.
How Failover Works on the Cisco Secure PIX Firewall:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Similar Messages

  • PIX Failover and HW.

    Hi all,
    I have some more question about HW and PIX failover.
    What happens when I connect two PIXs..
    one UR license and one FO license and my
    FO PIX takes activity over and my PIX with UR license will be corrupted so that I will need to disconnect it completely to repair it? I know that when someone wants to use FO PIX standalone than PIX reboots per 24 hours cycle. How PIX determines that it is not used standalone? I think that when I switch off first PIX in pair so second PIX in pair with FO license will function standalone.
    Could you give me some explanation?
    BR
    jl

    I guess you won't take magic as an answer? ;-)
    I am assuming you are using Serial Failover, no?
    So, when the PIX pair powers up, both units detect each other. If you then later remove the UR PIX from the mix, the FO will remain up and actively passing traffic indefinately. (Or almost so. At least until the next power outage). The licensing restriction only kicks in if the FO unit does not detect a UR unit at boot.
    If this answers your question (I believe it does) please check the box so we can see one of those nice red checks :-)
    Sincerely,
    David.

  • Software for managing SNMP Pix failover traps

    Hi, we need to monitor pix failover with snmp. Going through the pix readme shows as example how to do with Cisco Works for WIndows. Is this the only cisco product that can manage this? We are using LMS, is there a way with LMS to monitor failover events?
    Kurtis Durrett

    Thanks!
    The command originally didn't work by itself, but after come changes to the other SNMP configurations the traps were then received.
    SNMP configurations below:
    Switch#show run | inc snmp
    snmp-server community (removed) RW 5
    snmp-server trap-source Vlan411
    snmp-server chassis-id (Removed)
    snmp-server enable traps fru-ctrl
    snmp-server enable traps entity
    snmp-server enable traps envmon fan temperature
    snmp-server host *.*.*.* (Removed)  fru-ctrl envmon
    Logging:
    Switch#show run | inc log
    service timestamps log datetime localtime
    logging buffered 16384
    logging trap notifications

  • Pix Failover Configuration with 1 Public

    Have 1 PIX 515e (6.3(3)) in production that is currently assigned ip 1.1.1.2 w/ a 255.255.255.248 mask.  All of my remaining publically assigned ips are being used so I don't have a free ip for the standby ip on the outside interface.  Can I just do the standbys on the inside, failover and stateful link and not worry about having the standby for the outside?  I'll be using lan-based failover w/ a few ports vlan'd out on my 3560 for the failover and stateful links.

    Hello David,
    The Pix firewall is getting to end of life this month, on version 6.3 I don't think this is supported or what will be the behavior on this scenario, on version 7.0 and higher you can use the command:
    no monitor-interface if_name
    http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1582411
    And just monitor the other interfaces.
    I hope this helps.
    Regards,
    Felipe.

  • 10Gig - GBIC module, can we connect?

    Hi,
    I have a PIX 535 firewall which has GBIC module and I need to connect to a Switch 2360 / 2960  which has 10 Gig SFP.
    Can I connect using multimode fiber.   Will it work?
    Or is there any Speed configuration we can do to reduce 10 Gig to 1 Gig in the switch side?
    Thanks & REgards,
    Lenin. S
    96207 45656

    Hi I beleive the PIX interface is fixed at 1GigE and with a 10GE SFP in the switch this configuration won't work, you need to ensure the devices are matched for the same speed and media type Multi Mode (MM) or Single Mode (SM).
    I beleive the PIX GE interface is MM so you will need to install an MM 1GE SFP into the switch don't forget that you will also need a GigE Failover Link if you are using PIX Failover.
    Chris

  • PIX/ASA Failover conditions

    I have a asa cluster in active/standby mode with lan cable connected for stateful failover. I want to know about the condtions when the box fails over to the other. One parameter should be the hello timers going between the failover interfaces.
    Does this failover happen when the inside or outside interface of the primary asa goes down.

    What type of Firewall is it? What version.
    For PIX 7.2 for example I would look at the configuration guide
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html
    In particular look at the section entitled "Failover Actions" for active/standby. These is a nice table of failover conditions there.
    Similar for otehr PIX/FWSM/ASA

  • Cisco Pix 515 failover how to know the cause of the fail

    Hello All,
    We have 2 units 515 in failover configuration.
    From the last Thursday we are having problems in our pixs.
    The primary unit fail and then the standby works.
    We need to know what is the real cause of the problem.
    We have configured logging and when we check the syslog messages we can´t find anything important.
    Our version is 6.3(5).
    Can anybody help us?
    If you need more information, please tell me.
    Thanks in advance.
    Martin.                  

    Hello Gurpreet,
    Our failover system is working only with the failover cable, not with netwaork cable.
    High CPU is occuring in primary unit. The high cpu usage was after the issue.
    One thing, disconnecting for a seconds the cable for interfece "inside" (this cable connects th firewall to our network) the failover runs again ok. We can´t understand it.
    Here is the sh interface
    Thanks again.
    Martin
    FWPERIMETRO(config)# sh interface
    interface ethernet0 "inside" is up, line protocol is up
      Hardware is i82559 ethernet, address is 000b.bef7.56c5
      IP address 172.17.4.122, subnet mask 255.255.252.0
      MTU 1500 bytes, BW 100000 Kbit full duplex
    165844 packets input, 2811391461 bytes, 0 no buffer
    Received 947714 broadcasts, 0 runts, 0 giants
    1294 input errors, 0 CRC, 0 frame, 1294 overrun, 0 ignored, 0 abort
    165698 packets output, 4122450665 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (128/128)
    output queue (curr/max blocks): hardware (128/128) software (971/1189)
    interface ethernet1 "internet" is up, line protocol is up
      Hardware is i82559 ethernet, address is 000b.bef7.56c6
      IP address 195.55.225.98, subnet mask 255.255.255.240
      MTU 1500 bytes, BW 100000 Kbit full duplex
    20253 packets input, 6232273 bytes, 0 no buffer
    Received 1830 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    22281 packets output, 2876208926 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    <--- More --->
    input queue (curr/max blocks): hardware (128/128) software (8/128)
    output queue (curr/max blocks): hardware (2/115) software (0/1)
    interface ethernet2 "failover" is up, line protocol is down
      Hardware is i82558 ethernet, address is 00e0.b606.92d7
      IP address 192.168.254.253, subnet mask 255.255.255.252
      MTU 1500 bytes, BW 10000 Kbit half duplex
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    31 packets output, 320148 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    31 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/0)
    output queue (curr/max blocks): hardware (0/10) software (0/1)
    interface ethernet3 "dmz-2" is up, line protocol is up
      Hardware is i82558 ethernet, address is 00e0.b606.92d6
      IP address 195.76.142.185, subnet mask 255.255.255.248
      MTU 1500 bytes, BW 100000 Kbit full duplex
    1179 packets input, 2703322420 bytes, 0 no buffer
    Received 2074 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    720 packets output, 4209917559 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    <--- More --->
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (1/101)
    output queue (curr/max blocks): hardware (0/42) software (0/1)
    interface ethernet4 "wandas" is up, line protocol is up
      Hardware is i82558 ethernet, address is 00e0.b606.92d5
      IP address 10.132.0.18, subnet mask 255.255.255.0
      MTU 1500 bytes, BW 100000 Kbit full duplex
    164402 packets input, 1499053954 bytes, 0 no buffer
    Received 411 broadcasts, 0 runts, 0 giants
    267 input errors, 0 CRC, 0 frame, 267 overrun, 0 ignored, 0 abort
    159201 packets output, 1116228713 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (128/128)
    output queue (curr/max blocks): hardware (0/128) software (0/49)
    interface ethernet5 "dmz" is up, line protocol is up
      Hardware is i82558 ethernet, address is 00e0.b606.92d4
      IP address 172.23.4.2, subnet mask 255.255.255.0
      MTU 1500 bytes, BW 100000 Kbit full duplex
    16067 packets input, 942162666 bytes, 0 no buffer
    Received 2108 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    <--- More --->
    13916 packets output, 494350387 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (6/79)
    output queue (curr/max blocks): hardware (0/65) software (0/1)

  • Failover 520 PIX , Primary loses communication with secondary

    I have 520 PIX running in failover fashion using a Serial cable for failover heartbeat. Primary loses communication with secondary for no obvious reason and it gives a jerk on LAN for connectivity. When I boot primary first and then secondary, I can see that status on primary for failover is normal. After sometime, maybe like an hour or two hours later, somehow primary loses communication with secondary and in the process, it stops responding on LAN for 15-30 seconds. After this, th status for secondary on show failover command changes to testing and it stays as testing. This thing is happening on both boxes regardless which ever I make primary. I see the cable status as normal on both firewalls. What could be the reason for losing communication within two fireboxes. I am thinking to replace the serial cable with a new cable. I will appreciate if anyone can give me suggestions for troubleshooting this problem. Thanks.

    Hi,
    Any syslog messages that you can capture may be helpfull. What does the show cpu usage says on the pix? Is there any network infrastructure change that you made? When the PIX looses connection to the secondary, what does both the pixen show? which one stays active, or if both of them becomes active?
    Thanks
    Nadeem

  • ASA 5505 ISP Failover (PPPoE/DHCP)

    Hello,
    I have 2 WAN uplinks:
    The primary is VDSL (PPPoE) - very fast, and I have a static IP + /29 subnet 'assigned' to me.
    The secondary is DSL (DHCP) - slower
    What I'm trying to do is setup ISP failover on my ASA 5505 with security plus licence... and the way I have it currently setup 'half-works'. If the primary goes down - the primary route is removed from the routing table and the secondary route is 'inserted'. I have the NATs setup so I have internet access and all seems well. The problem however is when the primary ISP comes online again, the ASA doesn't switch back over. It maintains the backup route until I manually switch it (by temporarily disabling the backup ISP switch port).
    This is what I did to configure it:
    config t
    sla monitor 10
    type echo protocol ipicmpecho x.x.x.x interface outside-primary
    frequency 5
    exit
    sla monitor schedule 10 life forever start-time now
    track 1 rtr 10 reachability
    route outside-primary 0 0 x.x.x.x 1 track 1
    route outside-backup 0 0 y.y.y.y 2
    nat (inside,outside-primary) after-auto source dynamic any interface
    nat (inside,outside-backup) after-auto source dynamic any interface
    Have I missed anything? Is there a better way to set this up? I noticed in the ADSM if you edit an interface there seems to be the ability to set tracker IDs, SLA IDs, etc - but couldn't really find anything on google that helped.
    Any assistance would be greatly appreciated.
    Thanks!
    Robert

    Hi Robert,
    you need this command:
    no ip verify reverse-path interface outside_primary
    Problem:
    SLA monitoring does not work after the ASA is upgrade to version 8.0.
    Solution:
    The problem is possibly be due to the IP Reverse-Path command configured in the OUTSIDE interface. Remove the command in ASA and try to check the SLA Monitoring.
    For reference:
    http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html
    https://supportforums.cisco.com/blog/150001
    HTH
    "Plz don't forget to choose correct answer and rate help full answer "

  • Download Speed on PIX 515E is Pretty Slow

    Hello, I have a PIX 515E set up between our office switch and our Comcast Business Router and the download speeds are not as fast as they should be. We are paying for 30 down 30 up but it's more like 10 down 30 up. I plugged in a computer directly into the router and got 30/30 so I know its not a comcast issue. I think it might be the low amount of memory on the PIX because its running at 109 out of a total 128mb. The PIX has a site-to-site VPN tunnel with a remote ASA 5520 firewall. The inside/outside ports are both auto/auto. The running config is only 161 lines.
    Here's some information about the PIX 515E...
    Version 8.0(4)
    ASDM 6.1(3)
    Memory 128MB
    Here is the running config..
    Result of the command: "show running-config"
    : Saved
    PIX Version 8.0(4)
    hostname --------------------
    domain-name -----------------
    enable password -------------------------
    passwd --------------- encrypted
    names
    name 1.1.1.1 Data-Center-Firewall    #### Outside Address Changed
    name 10.0.0.0 Data-Center-Subnet
    dns-guard
    interface Ethernet0
    nameif inside
    security-level 100
    ip address 10.10.1.1 255.255.255.0 standby 10.10.1.254
    interface Ethernet1
    nameif outside
    security-level 0
    ip address 2.2.2.1 255.255.255.252   #### Outside Address Changed
    interface Ethernet2
    description LAN/STATE Failover Interface
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name -------------
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service http8080 tcp
    description http8080
    port-object eq 8080
    object-group service DM_INLINE_TCP_1 tcp
    port-object range 50000 50100
    port-object eq 990
    access-list outside_access_in remark ip, tcp/990
    access-list outside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.5 object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit icmp any any
    access-list ACL-VPN extended permit ip 10.10.1.0 255.255.255.0 Data-Center-Subnet 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    failover
    failover lan unit primary
    failover lan interface failover Ethernet2
    failover lan enable
    failover key *****
    failover replication http
    failover mac address Ethernet0 001e.f732.008f 000d.28f9.628f
    failover mac address Ethernet1 001e.f732.0090 000d.28f9.6290
    failover link failover Ethernet2
    failover interface ip failover 10.10.10.10 255.255.255.252 standby 10.10.10.20
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image flash:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list ACL-VPN
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 2.2.2.5 10.10.1.102 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
    route inside 10.10.0.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.0.0 255.255.255.0 inside
    http 10.10.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetoutside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map MAP-VPN 1 match address ACL-VPN
    crypto map MAP-VPN 1 set pfs
    crypto map MAP-VPN 1 set peer Data-Center-Firewall
    crypto map MAP-VPN 1 set transform-set ESP-3DES-SHA
    crypto map MAP-VPN 1 set security-association lifetime seconds 28800
    crypto map MAP-VPN 1 set security-association lifetime kilobytes 4608000
    crypto map MAP-VPN interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 10.10.1.0 255.255.255.0 inside
    telnet 10.10.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.10.0.0 255.255.255.0 inside
    ssh 10.10.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared-key *
    class-map class_ftp
    match port tcp eq ftp-data
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    class class_ftp
      inspect ftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:b795d4f5f5da3d8283d452ba857d5534
    : end

    Please check on the speed and duplex settings whether the downstream and upstream links are fine and healthy.
    Inside/outside are both set to auto/auto at
    Check for the processes usage of the cpu of the pix.
    CPU is running at 2%
    Process:      tmatch compile thread, PROC_PC_TOTAL: 2, MAXHOG: 8, LASTHOG: 8
    LASTHOG At:   19:01:15 EST Dec 31 1992
    PC:           26b616 (suspend)
    Process:      tmatch compile thread, NUMHOG: 2, MAXHOG: 8, LASTHOG: 8
    LASTHOG At:   19:01:15 EST Dec 31 1992
    PC:           26b616 (suspend)
    Traceback:    26b616  26bdb9  26ec89  1182b3
    Process:      Dispatch Unit, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
    LASTHOG At:   09:25:12 EDT Jul 18 2012
    PC:           130114b (interrupt)
    Traceback:    100178  12edd0c  9771e5  8c0e66  927164  928996  8ec3f5
                  8ec7ed  79d35e  2780c3  1182b3
    Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
    LASTHOG At:   12:27:25 EDT Jul 18 2012
    PC:           130114b (interrupt)
    Traceback:    100178  d870cb  13016b3  15cf68  e91a6f  e9118b  abfcea
                  a7cb2e  a7daeb  18d800  5ae9a9  5a6aa0  5a7272  5a75e5
    Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 7, LASTHOG: 7
    LASTHOG At:   12:34:10 EDT Jul 18 2012
    PC:           5ae903 (suspend)
    Process:      Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 7, LASTHOG: 7
    LASTHOG At:   12:34:10 EDT Jul 18 2012
    PC:           5ae903 (suspend)
    Traceback:    5ae903  5a6aa0  5a7272  5a75e5  5ad3d5  1182b3
    Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 5, LASTHOG: 5
    LASTHOG At:   12:37:47 EDT Jul 18 2012
    PC:           f4078b (suspend)
    Process:      Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 5, LASTHOG: 5
    LASTHOG At:   12:37:47 EDT Jul 18 2012
    PC:           f4078b (suspend)
    Traceback:    f40be2  130f41e  aab54d  aac3b0  5a6c2e  5a7272  5a75e5
                  5ad3d5  1182b3
    Process:      IKE Daemon, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
    LASTHOG At:   23:07:40 EDT Jul 19 2012
    PC:           1b6dd0 (interrupt)
    Traceback:    100178  1b8a31  1baaeb  6438d7  12efc6f  64250b  653fe9
                  654b78  1182b3
    Process:      IKE Daemon, PROC_PC_TOTAL: 347, MAXHOG: 31, LASTHOG: 30
    LASTHOG At:   16:01:55 EDT Jul 23 2012
    PC:           654bab (suspend)
    Process:      CTM message handler, PROC_PC_TOTAL: 346, MAXHOG: 27, LASTHOG: 27
    LASTHOG At:   16:01:55 EDT Jul 23 2012
    PC:           2087ec (suspend)
    Process:      IKE Daemon, NUMHOG: 693, MAXHOG: 31, LASTHOG: 27
    LASTHOG At:   16:01:55 EDT Jul 23 2012
    PC:           654bab (suspend)
    Traceback:    1182b3
    Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
    LASTHOG At:   17:23:30 EDT Jul 23 2012
    PC:           130003b (interrupt)
    Traceback:    100178  13008b8  f5a0cd  f5ac32  f5ae40  f60828  f617c1
                  d38a0d  aab50b  aac14a  5a6c2e  5a7272  5a75e5  5ad3d5
    Process:      Dispatch Unit, PROC_PC_TOTAL: 227, MAXHOG: 432, LASTHOG: 35
    LASTHOG At:   17:37:03 EDT Jul 23 2012
    PC:           278207 (suspend)
    Process:      Dispatch Unit, NUMHOG: 227, MAXHOG: 432, LASTHOG: 35
    LASTHOG At:   17:37:03 EDT Jul 23 2012
    PC:           278207 (suspend)
    Traceback:    278207  1182b3
    Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 1901, MAXHOG: 8, LASTHOG: 7
    LASTHOG At:   17:44:20 EDT Jul 23 2012
    PC:           118ed5 (suspend)
    Process:      Unicorn Admin Handler, NUMHOG: 1901, MAXHOG: 8, LASTHOG: 7
    LASTHOG At:   17:44:20 EDT Jul 23 2012
    PC:           118ed5 (suspend)
    Traceback:    118ed5  b2d032  f5a80d  f5ac0a  f5ae40  f607e5  f617c1
                  d38a0d  aab50b  aac14a  5a6c2e  5a7272  5a75e5  5ad3d5
    CPU hog threshold (msec):  5.120
    Last cleared: None
    Check on the inetrface whetehr u get any crc/input/overrun errors. Please check with the physical connectivity.
    Interface Ethernet0 "inside", is up, line protocol is up
      Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address __________, MTU 1500
        IP address 10.10.1.1, subnet mask 255.255.255.0
        60862937 packets input, 29025667892 bytes, 0 no buffer
        Received 1371 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        68515603 packets output, 44084404472 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/1) software (0/47)
        output queue (curr/max packets): hardware (0/67) software (0/1)
      Traffic Statistics for "inside":
        60997029 packets input, 28080179952 bytes
        68553614 packets output, 43104566708 bytes
        29544 packets dropped
          1 minute input rate 63 pkts/sec,  30371 bytes/sec
          1 minute output rate 64 pkts/sec,  16557 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 91 pkts/sec,  45254 bytes/sec
          5 minute output rate 93 pkts/sec,  56181 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Ethernet1 "outside", is up, line protocol is up
      Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address ___________, MTU 1500
        IP address ___________, subnet mask 255.255.255.252
        67730933 packets input, 44248541375 bytes, 0 no buffer
        Received 4493 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        60418640 packets output, 29310509840 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/1) software (0/39)
        output queue (curr/max packets): hardware (0/42) software (0/1)
      Traffic Statistics for "outside":
        67782987 packets input, 43276611710 bytes
        60562287 packets output, 28342787997 bytes
        206651 packets dropped
          1 minute input rate 57 pkts/sec,  14273 bytes/sec
          1 minute output rate 61 pkts/sec,  30258 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 89 pkts/sec,  54426 bytes/sec
          5 minute output rate 87 pkts/sec,  45115 bytes/sec
          5 minute drop rate, 0 pkts/sec
    enable flowcontrol recieve on on the firewall interfaces and switch/router interfaces connected to the firewall.
    Not sure how to do that.

  • Mac address table on a PIX

    What am i missing?
    pixfirewall# show mac-address-table
                       ^
    ERROR: % Invalid input detected at '^' marker.
    [EDIT: karat is under the A in mac ]
    pixfirewall# sh ver
    Cisco PIX Security Appliance Software Version 8.0(4)
    Device Manager Version 6.1(3)
    Compiled on Thu 07-Aug-08 19:42 by builders
    System image file is "flash:/image.bin"
    Config file at boot was "startup-config"
    pixfirewall up 175 days 11 hours
    Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
    Flash E28F128J3 @ 0xfff00000, 16MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: Ext: Ethernet0           : address is 000d.28f9.62a5, irq 10
    1: Ext: Ethernet1           : address is 000d.28f9.62a6, irq 11
    2: Ext: Ethernet2           : address is 000d.8810.a620, irq 11
    3: Ext: Ethernet3           : address is 000d.8810.a621, irq 10
    4: Ext: Ethernet4           : address is 000d.8810.a622, irq 9
    5: Ext: Ethernet5           : address is 000d.8810.a623, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces  : 6
    Maximum VLANs                : 25
    Inside Hosts                 : Unlimited
    Failover                     : Disabled
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Cut-through Proxy            : Enabled
    Guards                       : Enabled
    URL Filtering                : Enabled
    Security Contexts            : 0
    GTP/GPRS                     : Disabled
    VPN Peers                    : Unlimited
    This platform has a Restricted (R) license.
    Serial Number: 807234146
    Running Activation Key: 0x6ab205ba 0x986d4239 0xf56523af 0x76f3d58b
    Configuration last modified by enable_15 at 12:58:08.130 EDT Thu May 16 2013
    pixfirewall# show mac-address-table
                       ^
    ERROR: % Invalid input detected at '^' marker.

    Hi,
    Command Modes The following table shows the modes in which you can enter the command:
    Command Mode
    Firewall Mode
    Security Context
    Routed
    Transparent
    Single
    Multiple
    Context
    System
    Privileged EXEC
    Source:
    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s4.html#wp1448364
    - Jouni

  • Link to configuration convertor tool from PIX to ASA

                       Hi,
    I have been looking unsuccessfully for the Cisco tool that take the PIX config an dconvert it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and if its a Yes, where I can find that Tool on the Cisco Site please?
    Regards,
    Masood

    hello again,
    this cofiguration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX confiuration.
    Would you please be able to tell me what I need to type on the ASAs to configure them for this cable based failover?
    here is what the link you suggested has listed which ias confusing since it has the standby keyowrd under the inside interface?
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
    no shut
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
    no shut
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
    no shut interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
    no shut
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
    no shut
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
    no shut
    and the STANDBY:
    failover
    failover lan unit secondary
    failover lan interface failover Ethernet0/3
    failover key *****
    failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
    Now, I already have the configs from PIX 525 which I am going to paste directly onto the ASA which has been doengraded to 8.2.3.
    so how does it works with the failover configuration?
    can you please advise on how I go about the followings:
    1- configure failover before I past the PIX config onto the ASA?
    2- paste config for PIX 525 onto the ASA which I have already downgraded the ASA to 8.2.3 version.
    Please advise.
    Regards,
    Masood

  • PIX Firewall 525 can not start

    Hi,
    Today my colleague add 2 lines of access-list to our PIX 525.  After 10 minutes, my firewall was rebooted and until now can't start.  The booting process as listed below.
    The questions are :
    1. What is my OS version? Flash?
    2. How to remove those 2 lines (reset the config to default)?
    3. How to solve the issue?
    Thanks,
    Andy
    Booting process
    ================
    Rebooting..þ
    Wait.....
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  00  00   8086   7192  Host Bridge
    00  07  00   8086   7110  ISA Bridge
    00  07  01   8086   7111  IDE Controller
    00  07  02   8086   7112  Serial Bus         9
    00  07  03   8086   7113  PCI Bridge
    00  0D  00   8086   1209  Ethernet           11
    00  0E  00   8086   1209  Ethernet           10
    Cisco Secure PIX Firewall Embedded BIOS Version 4.3
    Wait...ndeavor Board, Boot Block BIOS
    +------------------------------------------------------------------------------+
    |          System BIOS Configuration, (C) 2000 General Software, Inc.          |
    +---------------------------------------+--------------------------------------+
    | System CPU           : Pentium III    | Low Memory           : 638KB         |
    | Coprocessor          : Enabled        | Extended Memory      : 255MB         |
    | Embedded BIOS Date   : 08/25/00       | Serial Ports 1-2     : 03F8 02F8     |
    +---------------------------------------+--------------------------------------+
    Cisco Secure PIX Firewall BIOS (4.0) #39: Tue Nov 28 18:44:51 PST 2000
    Platform PIX-525
    System Flash=E28F128J3 @ 0xfff00000
    Use BREAK or ESC to interrupt flash boot.
    Use SPACE to begin flash boot immediately.
    Reading 1528320 bytes of image from flash.
    256MB RAM
    System Flash=E28F128J3 @ 0xfff00000
    BIOS Flash=am29f400b @ 0xd8000
    mcwa i82559 Ethernet at irq 11  MAC: 0006.5336.8129
    mcwa i82559 Ethernet at irq 10  MAC: 0006.5336.8128
                                   ||        ||
                                   ||        ||
                                  ||||      ||||
                              ..:||||||:..:||||||:..
                             c i s c o S y s t e m s
                            Private Internet eXchange
                            Cisco PIX Firewall
    Cisco PIX Firewall Version 6.2(1)
    Licensed Features:
    Failover:           Enabled
    VPN-DES:            Enabled
    VPN-3DES:           Disabled
    Maximum Interfaces: 8
    Cut-through Proxy:  Enabled
    Guards:             Enabled
    URL-filtering:      Enabled
    Inside Hosts:       Unlimited
    Throughput:         Unlimited
    IKE peers:          Unlimited
    An internal error occurred.  Specifically, a programming assertion was
    violated.  Copy the error message exactly as it appears, and get the
    output of the show version command and the contents of the configuration
    file.  Then call your technical support representative.
    assertion "addr < sfmm_chip_size" failed: file "sfmm.c", line 254
    No thread name
    Traceback:
    0: 802decd5
    1: 8007a8ce
    2: 800769bb
    3: 80078223
    4: 8007635e
    5: 800017d5
    6: 800758ab
    7: 80120ed6
        vector 0x00000003 (breakpoint)
           edi 0x8007a887
           esi 0x000000fe
           ebp 0x7ffffcb8
           esp 0x7ffffcac
           ebx 0x8007a5a3
           edx 0x000003fd
           ecx 0x0000000a
           eax 0x00000042
    error code n/a
           eip 0x802dffac
            cs 0x00000008
        eflags 0x00000046
           CR2 0x00000000
    Stack dump: base:0x7ffffc2c size:64, active:64
    0x7ffffd2c: 0x00020000
    0x7ffffd28: 0x807f2828
    0x7ffffd24: 0xfffe0000
    0x7ffffd20: 0x00000300
    0x7ffffd1c: 0x800769bb
    0x7ffffd18: 0x7ffffd48
    0x7ffffd14: 0x00000001
    0x7ffffd10: 0x00000002
    0x7ffffd0c: 0x800762f4
    0x7ffffd08: 0x804a849c
    0x7ffffd04: 0x00000020
    0x7ffffd00: 0x805100c0
    0x7ffffcfc: 0x7ffffd48
    0x7ffffcf8: 0x8007a887
    0x7ffffcf4: 0x000000fe
    0x7ffffcf0: 0x8007a5a3
    0x7ffffcec: 0x8007a8ce
    0x7ffffce8: 0x7ffffd18
    0x7ffffce4: 0x80317cd4
    0x7ffffce0: 0xffffffff
    0x7ffffcdc: 0x80078163
    0x7ffffcd8: 0x807f2828
    0x7ffffcd4: 0xfffe0000
    0x7ffffcd0: 0x805100c0
    0x7ffffccc: 0x000000fe
    0x7ffffcc8: 0x8007a5a3
    0x7ffffcc4: 0x8007a887
    0x7ffffcc0: 0x802dec68
    0x7ffffcbc: 0x802decd5
    0x7ffffcb8: 0x7ffffce8
    0x7ffffcb4: 0x00000046
    0x7ffffcb0: 0x00000008
    0x7ffffcac: 0x802dffac *
    0x7ffffca8: 0x00000042
    0x7ffffca4: 0x0000000a
    0x7ffffca0: 0x000003fd
    0x7ffffc9c: 0x8007a5a3
    0x7ffffc98: 0x7ffffcac
    0x7ffffc94: 0x7ffffcb8
    0x7ffffc90: 0x000000fe
    0x7ffffc8c: 0x8007a887
    0x7ffffc88: 0x00000003
    0x7ffffc84: 0x80004779
    0x7ffffc80: 0x7ffffcb8
    0x7ffffc7c: 0x802c4deb
    0x7ffffc78: 0x7ffffc98
    0x7ffffc74: 0x7ffffd48
    0x7ffffc70: 0x00000001
    0x7ffffc6c: 0x000000fe
    0x7ffffc68: 0x8007a5a3
    0x7ffffc64: 0x7ffffd48
    0x7ffffc60: 0x80120ed6
    0x7ffffc5c: 0x00000007
    0x7ffffc58: 0x7ffffcac
    0x7ffffc54: 0x80002d70
    0x7ffffc50: 0x7ffffc80
    0x7ffffc4c: 0x7ffffcac
    0x7ffffc48: 0x80002ab0
    0x7ffffc44: 0x00000040
    0x7ffffc40: 0x7ffffc80
    0x7ffffc3c: 0x74656720
    0x7ffffc38: 0x7ffffe28
    0x7ffffc34: 0x2c737261
    0x7ffffc30: 0x8007a887
    Nested traceback attempted via interrupt.
    Traceback output aborted.
    Rebooting..þ

    Urgent help!!!

  • Upgrading from PIX to ASA 5512X

    Hi everyone,
    We are in the middle of upgrading from two PIX's to some new ASA5512X's. To give you some background on the situation we are upgrading these since the PIXs are fairly old. We had one extra that we had to use since one PIX has failed already. The guy that implemented the PIXs orginally was learning how to do so as he went so there is alot of needless config in the PIX, atleast from what I can tell. Another guy that works with me has done some configuration on the new ASAs and has done the majority of it so far. Today we went to install the new ASAs and switch everything over hoping it would work, but that didn't happen. It seems that there is something wrong with our NAT and ACLs somewhere along the lines. The way our network is laid out is that we have two school campus with a site-to-site VPN one is 172.17.0.0/16 and the other is 172.18.0.0/16. We also have a remote-access VPN on both ASA's. When we connected the new ASAs up and brought up the interfaces, nothing on the inside could ping the internet nor the other side. The VPN showed active on the ASA's and each ASA could ping the others outside interface, but that was it. I have posted the configs below. If anyone could help out I would GREATLY appreciate it! Thank you in advance!
    ASA1:
    : Saved
    : Written by enable_15 at 04:26:18.240 CDT Tue Mar 12 2013
    ASA Version 8.6(1)2
    hostname dallasroadASA
    enable password **** encrypted
    passwd **** encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 70.x.x.x 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 172.18.1.1 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 172.18.2.21
    name-server 172.18.2.20
    object network WS_VLAN2
    subnet 172.17.2.0 255.255.255.0
    object network WS_VLAN3
    subnet 172.17.3.0 255.255.255.0
    object network WS_VLAN4
    subnet 172.17.4.0 255.255.255.0
    object network WS_VLAN5
    subnet 172.17.5.0 255.255.255.0
    object network WS_VLAN6
    subnet 172.17.6.0 255.255.255.0
    object network WS_VLAN7
    subnet 172.17.7.0 255.255.255.0
    object network WS_VLAN8
    subnet 172.17.8.0 255.255.255.0
    object network WS_VLAN9
    subnet 172.17.9.0 255.255.255.0
    object network WS_VLAN10
    subnet 172.17.10.0 255.255.255.0
    object network WS_VLAN11
    subnet 172.17.11.0 255.255.255.0
    object network WS_VLAN12
    subnet 172.17.12.0 255.255.255.0
    object network WS_VLAN13
    subnet 172.17.13.0 255.255.255.0
    object network WS_VLAN14
    subnet 172.17.14.0 255.255.255.0
    object network WS_VLAN15
    subnet 172.17.15.0 255.255.255.0
    object network WS_VLAN16
    subnet 172.17.16.0 255.255.255.0
    object network DR_VLAN2
    subnet 172.18.2.0 255.255.255.0
    object network DR_VLAN3
    subnet 172.18.3.0 255.255.255.0
    object network DR_VLAN4
    subnet 172.18.4.0 255.255.255.0
    object network DR_VLAN5
    subnet 172.18.5.0 255.255.255.0
    object network DR_VLAN6
    subnet 172.18.6.0 255.255.255.0
    object network DR_VLAN7
    subnet 172.18.7.0 255.255.255.0
    object network DR_VLAN8
    subnet 172.18.8.0 255.255.255.0
    object network DR_VLAN9
    subnet 172.18.9.0 255.255.255.0
    object network DR_VLAN10
    subnet 172.18.10.0 255.255.255.0
    object network DR_CORE_SW
    host 172.18.2.1
    object network dallasdns02_internal
    host 172.18.2.21
    object network faithdallas03_internal
    host 172.18.2.20
    object network dns_external
    host 70.x.x.x
    object network WorthStreet
    subnet 172.17.0.0 255.255.0.0
    object network DallasRoad
    subnet 172.18.0.0 255.255.0.0
    object-group network DALLAS_VLANS
    network-object object DR_VLAN10
    network-object object DR_VLAN2
    network-object object DR_VLAN3
    network-object object DR_VLAN4
    network-object object DR_VLAN5
    network-object object DR_VLAN6
    network-object object DR_VLAN7
    network-object object DR_VLAN8
    network-object object DR_VLAN9
    object-group network WORTH_VLANS
    network-object object WS_VLAN10
    network-object object WS_VLAN11
    network-object object WS_VLAN12
    network-object object WS_VLAN13
    network-object object WS_VLAN14
    network-object object WS_VLAN15
    network-object object WS_VLAN16
    network-object object WS_VLAN2
    network-object object WS_VLAN3
    network-object object WS_VLAN4
    network-object object WS_VLAN5
    network-object object WS_VLAN6
    network-object object WS_VLAN7
    network-object object WS_VLAN8
    network-object object WS_VLAN9
    object-group network dallasitnetwork
    network-object host 172.18.2.20
    network-object host 172.18.2.40
    object-group protocol tcpudp
    protocol-object udp
    protocol-object tcp
    object-group network dallasroaddns
    network-object host 172.18.2.20
    network-object host 172.18.2.21
    object-group service tcpservices tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq ssh
    object-group network remotevpnnetwork
    network-object 172.18.50.0 255.255.255.0
    access-list L2LAccesslist extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
    access-list NONAT extended permit ip any 172.18.50.0 255.255.255.0
    access-list inside_inbound_access extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
    access-list inside_inbound_access extended permit ip object-group dallasitnetwork any
    access-list inside_inbound_access extended permit object-group tcpudp object-group dallasroaddns any eq domain
    access-list inside_inbound_access extended permit ip host 172.18.4.10 any
    access-list inside_inbound_access extended deny object-group tcpudp any any eq domain
    access-list inside_inbound_access extended deny tcp any any eq smtp
    access-list inside_inbound_access extended permit ip any any
    access-list outside_inbound_access extended permit tcp any host 70.x.x.x object-group tcpservices
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnaddresspool 172.18.50.0-172.18.50.255
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static dallasdns02_internal dns_external
    nat (inside,outside) source static faithdallas03_internal dns_external
    nat (inside,outside) source dynamic any interface
    nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
    nat (inside,outside) source static DallasRoad DallasRoad destination static WorthStreet WorthStreet
    access-group outside_inbound_access in interface outside
    access-group inside_inbound_access in interface inside
    route outside 0.0.0.0 0.0.0.0 70.x.x.x 1
    route inside 172.18.0.0 255.255.0.0 172.18.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    ldap attribute-map CISCOMAP
      map-name  VPNALLOW IETF-Radius-Class
      map-value VPNALLOW FALSE NOACESS
      map-value VPNALLOW TRUE ALLOWACCESS
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 172.17.2.28
    server-port 389
    ldap-base-dn DC=campus,DC=fcschool,DC=org
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password ****
    ldap-login-dn CN=fcsadmin,CN=Users,DC=campus,DC=fcschool,DC=org
    server-type microsoft
    ldap-attribute-map CISCOMAP
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 172.17.11.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
    crypto map outside_map 10 match address L2LAccesslist
    crypto map outside_map 10 set peer 71.x.x.x
    crypto map outside_map 10 set ikev1 transform-set myset
    crypto map outside_map 10 set reverse-route
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 172.18.0.0 255.255.0.0 inside
    ssh 172.17.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    vpn-tunnel-protocol ikev1
    group-policy DfltGrpPolicy attributes
    dns-server value 172.18.2.20
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    password-storage enable
    group-policy DallasRoad internal
    group-policy DallasRoad attributes
    dns-server value 172.18.2.20 172.18.2.21
    password-storage enable
    default-domain value campus.fcschool.org
    group-policy ALLOWACCESS internal
    group-policy ALLOWACCESS attributes
    banner value Now connected to the FCS Network
    vpn-tunnel-protocol ikev1
    username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
    tunnel-group remoteaccessvpn type remote-access
    tunnel-group remoteaccessvpn general-attributes
    address-pool vpnaddresspool
    authentication-server-group LDAP
    tunnel-group 71.x.x.x type ipsec-l2l
    tunnel-group 71.x.x.x ipsec-attributes
    ikev1 pre-shared-key ****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:fd69fbd7a2cb0a6a125308dd85302198
    : end
    ASA2:
    : Saved
    : Written by enable_15 at 09:27:47.579 UTC Tue Mar 12 2013
    ASA Version 8.6(1)2
    hostname worthstreetASA
    enable password **** encrypted
    passwd **** encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 71.x.x.x 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 172.17.1.1 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa861-2-smp-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 172.17.2.23
    name-server 172.17.2.28
    object network mail_external
    host 71.x.x.x
    object network mail_internal
    host 172.17.2.57
    object network faweb_external
    host 71.x.x.x
    object network netclassroom_external
    host 71.x.x.x
    object network blackbaud_external
    host 71.x.x.x
    object network netclassroom_internal
    host 172.17.2.41
    object network nagios
    host 208.x.x.x
    object network DallasRoad_ASA
    host 70.x.x.x
    object network WS_VLAN2
    subnet 172.17.2.0 255.255.255.0
    object network WS_VLAN3
    subnet 172.17.3.0 255.255.255.0
    object network WS_VLAN4
    subnet 172.17.4.0 255.255.255.0
    object network WS_VLAN5
    subnet 172.17.5.0 255.255.255.0
    object network WS_VLAN6
    subnet 172.17.6.0 255.255.255.0
    object network WS_VLAN7
    subnet 172.17.7.0 255.255.255.0
    object network WS_VLAN8
    subnet 172.17.8.0 255.255.255.0
    object network WS_VLAN9
    subnet 172.17.9.0 255.255.255.0
    object network WS_VLAN10
    subnet 172.17.10.0 255.255.255.0
    object network WS_VLAN11
    subnet 172.17.11.0 255.255.255.0
    object network WS_VLAN12
    subnet 172.17.12.0 255.255.255.0
    object network WS_VLAN13
    subnet 172.17.13.0 255.255.255.0
    object network WS_VLAN14
    subnet 172.17.14.0 255.255.255.0
    object network WS_VLAN15
    subnet 172.17.15.0 255.255.255.0
    object network WS_VLAN16
    subnet 172.17.16.0 255.255.255.0
    object network DR_VLAN2
    subnet 172.18.2.0 255.255.255.0
    object network DR_VLAN3
    subnet 172.18.3.0 255.255.255.0
    object network DR_VLAN4
    subnet 172.18.4.0 255.255.255.0
    object network DR_VLAN5
    subnet 172.18.5.0 255.255.255.0
    object network DR_VLAN6
    subnet 172.18.6.0 255.255.255.0
    object network DR_VLAN7
    subnet 172.18.7.0 255.255.255.0
    object network DR_VLAN8
    subnet 172.18.8.0 255.255.255.0
    object network DR_VLAN9
    subnet 172.18.9.0 255.255.255.0
    object network DR_VLAN10
    subnet 172.18.10.0 255.255.255.0
    object network WS_CORE_SW
    host 172.17.2.1
    object network blackbaud_internal
    host 172.17.2.26
    object network spiceworks_internal
    host 172.17.2.15
    object network faweb_internal
    host 172.17.2.31
    object network spiceworks_external
    host 71.x.x.x
    object network WorthStreet
    subnet 172.17.0.0 255.255.0.0
    object network DallasRoad
    subnet 172.18.0.0 255.255.0.0
    object network remotevpnnetwork
    subnet 172.17.50.0 255.255.255.0
    object-group icmp-type echo_svc_group
    icmp-object echo
    icmp-object echo-reply
    object-group service mail.fcshool.org_svc_group
    service-object icmp
    service-object icmp echo
    service-object icmp echo-reply
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object tcp destination eq imap4
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group service nagios_svc_group tcp
    port-object eq 12489
    object-group service http_s_svc_group tcp
    port-object eq www
    port-object eq https
    object-group network DALLAS_VLANS
    network-object object DR_VLAN10
    network-object object DR_VLAN2
    network-object object DR_VLAN3
    network-object object DR_VLAN4
    network-object object DR_VLAN5
    network-object object DR_VLAN6
    network-object object DR_VLAN7
    network-object object DR_VLAN8
    network-object object DR_VLAN9
    object-group network WORTH_VLANS
    network-object object WS_VLAN10
    network-object object WS_VLAN11
    network-object object WS_VLAN12
    network-object object WS_VLAN13
    network-object object WS_VLAN14
    network-object object WS_VLAN15
    network-object object WS_VLAN16
    network-object object WS_VLAN2
    network-object object WS_VLAN3
    network-object object WS_VLAN4
    network-object object WS_VLAN5
    network-object object WS_VLAN6
    network-object object WS_VLAN7
    network-object object WS_VLAN8
    network-object object WS_VLAN9
    object-group network MailServers
    network-object host 172.17.2.57
    network-object host 172.17.2.58
    network-object host 172.17.2.17
    object-group protocol DM_INLINE_PROTOCOL
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    object-group network DNS_Servers
    network-object host 172.17.2.23
    network-object host 172.17.2.28
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list outside_access_in extended permit object-group mail.fcshool.org_svc_group any object mail_internal
    access-list outside_access_in extended permit tcp object nagios object mail_internal object-group nagios_svc_group
    access-list outside_access_in extended permit tcp any object faweb_external object-group http_s_svc_group
    access-list outside_access_in extended permit tcp any object netclassroom_external object-group http_s_svc_group
    access-list outside_access_in extended permit tcp any object blackbaud_external eq https
    access-list outside_access_in extended permit tcp any object spiceworks_external object-group http_s_svc_group
    access-list L2LAccesslist extended permit ip 172.17.0.0 255.255.0.0 172.18.0.0 255.255.0.0
    access-list inside_inbound extended permit object-group TCPUDP object-group DNS_Servers any eq domain
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL host 172.17.15.10 any inactive
    access-list inside_access_in extended permit tcp object-group MailServers any eq smtp
    access-list inside_access_in extended permit tcp host 172.17.14.10 any eq smtp
    access-list inside_access_in extended deny object-group TCPUDP any any eq domain
    access-list inside_access_in extended deny tcp any any eq smtp
    access-list inside_access_in extended permit ip any any
    access-list vpn_access extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnaddresspool 172.17.50.1-172.17.50.255
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static mail_internal mail_external
    nat (inside,outside) source static netclassroom_internal netclassroom_external
    nat (inside,outside) source static faweb_internal faweb_external
    nat (inside,outside) source static spiceworks_internal interface
    nat (inside,outside) source static blackbaud_internal blackbaud_external
    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static WorthStreet WorthStreet destination static DallasRoad DallasRoad
    nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
    route inside 172.17.0.0 255.255.0.0 172.17.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    ldap attribute-map CISCOMAP
      map-name  VPNALLOW IETF-Radius-Class
      map-value VPNALLOW FALSE NOACESS
      map-value VPNALLOW TRUE ALLOWACCESS
    dynamic-access-policy-record DfltAccessPolicy
    network-acl vpn_access
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 172.17.2.28
    ldap-base-dn DC=campus,DC=fcschool,DC=org
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password Iw@FCS730w
    ldap-login-dn CN=VPN Admin,CN=Users,DC=campus,DC=fcschool,DC=org
    server-type microsoft
    ldap-attribute-map CISCOMAP
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 172.17.0.0 255.255.0.0 inside
    http 172.18.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
    crypto map outside_map 10 match address L2LAccesslist
    crypto map outside_map 10 set peer 70.x.x.x
    crypto map outside_map 10 set ikev1 transform-set myset
    crypto map outside_map 10 set reverse-route
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    telnet 172.17.0.0 255.255.0.0 inside
    telnet 172.18.0.0 255.255.0.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 172.17.0.0 255.255.0.0 inside
    ssh 172.18.0.0 255.255.0.0 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access management
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1
    webvpn
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    vpn-tunnel-protocol ikev1
    group-policy ALLOWACCESS internal
    group-policy ALLOWACCESS attributes
    banner value Now connected to the FCS Network
    vpn-tunnel-protocol ikev1
    username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
    tunnel-group 70.x.x.x type ipsec-l2l
    tunnel-group 70.x.x.x ipsec-attributes
    ikev1 pre-shared-key FC$vpnn3tw0rk
    tunnel-group remoteaccessvpn type remote-access
    tunnel-group remoteaccessvpn general-attributes
    address-pool vpnaddresspool
    authentication-server-group LDAP
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:b599ba0f719f39b213e7f01fe55588ac
    : end

    Hi Derrick,
    I just did the same for a customer; replaced 2 PIX515s failover cluster with 5512X. The NAT change is major with ASAs version 8.3 and later...
    here's what you need: a manual NAT rule called twice NAT (policy NAT or NONAT is the old terminology) for the VPNs to work. also add the no-proxy-arp keyword:
    nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS VPN_NETWORKS VPN_NETWORKS no-proxy-arp
    nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS RA_VPN_NETWORKS RA_VPN_NETWORKS no-proxy-arp
    then the dynamic PAT for internet access (after the twice NATs for VPN); could be a manual NAT like you did, or preferred an object NAT.
    you did:
    nat (inside,outside) source dynamic any interface
    would also work with object nat:
    object network INSIDE_NETWORKS
    subnet ...
    nat (inside,outside) dynamic interface
    Same on the other side (except the networks are reversed since the inside network is now what the other side refers to as vpn network and vice versa)
    If you don't put the no-proxy-arp, your NAT configuration will cause network issues.
    also to be able to pass pings through ASA, add the following:
    policy-map global_policy
    class inspection_default
      inspect icmp
    The asa will do some basic inspection of the ICMP protocol with that config ex. it will make sure there is 1 echo-reply for each echo-request...
    hope that helps,
    Patrick

  • Solution on Link Failover for Hosted Webserver

    Hi,
    One of my customer has Web based application which is hosted over internet on IP provided by ISP. Challange is in case, the ISP link fails webserver is not available. Customer is planning to add one more link from different ISP. How do I Load balance both this links and have webserver being accessible from any of the link in case of link failover.

    Assuming that we have a webserver hosted by us on our internal network as 192.168.1.1 and we map it to pix outside interface ip address x.x.x.x as follows:
    static (inside,outside) x.x.x.x 192.168.1.1 netmask 255.255.255.255 then any traffic from outside world hitting to x.x.x.x will directly be routed to 192.168.1.1. Hence, we use port forwarding as follows:static (inside,outside) tcp interface 80 192.168.1.1 80 so that only the port 80 traffic destined to x.x.x.x should be forwarded to 192.168.1.1 and not all the traffic. And you can also do by change the ISP cable to your device and reconfigure it .

Maybe you are looking for

  • Zenvplus hang and can't connect to

    guys, i have my zen v plus for 6 month and everythig's okay but 3 days ago, i got it stuck at zen v plus logo. when i try to connect it to my pc, it can't connect please help me .. what should i do ... thanks Hardi

  • Does the Communications API work with Studio 4

    I just installed Studio 4 along with the JDK. The Java version that I am running now is: java version "1.4.1_02" Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_02-b06) Java HotSpot(TM) Client VM (build 1.4.1_02-b06, mixed mode) Running

  • CashU payment problem

    Hello i tried recharging my account with CashU payment method right now and it couldnt load up right on time. i also make use of other browser hoping its from my computer but i guess there is a problem with the skype website redirecting me to cashu h

  • Create contract with Purchase Requisition reference using BAPI

    Hi friends! I need some help here to create a contract with reference to some purshase requisition. I found BAPI_CONTRACT_CREATE to do this, but I have no idea how to do to create with reference to pruchase requisition. Anyone can give me a sample co

  • What could cause it?

    I've been watching a video on my ipad... and the last 7 minutes are blank, just a black screen and no audio, yet on itunes it's there with all the audio and video, My question is, what happened?