Pix Failover
I'm trying to build out a new network and I'm looking for as much redundancy as possible :)
If you look at the attachment, everything from my knowledge will work just peachy if I just connect the blue lines... The only problem is if the main top switch failed (not a link failure but a total shut off) I will need to make sure the main PIX fails over to the secondary.
What I would much rather like is that when the main switch failed I didn't have to have the PIXs fail over, that there would be another link to handle this. That's where the green lines come in.
Can someone get me on the right path here? I've looked into the tracking features on the PIX but it seems to only work with two separate ISPs etc.
thanks guys and gals
You should have some kind of redundancy. Unfortunately, there's no way that you can configure the PIX to detect whether the switch behind it is dead or not and route the traffic to a backup switch when the primary switch is dead. But you can configure redundancy for the PIX itself by configuring the PIX for failover. That way, when the primary PIX goes down it will fail over to the secondary PIX. Please refer to the following URLs for more details.
How Failover Works on the Cisco Secure PIX Firewall:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Similar Messages
-
Hi all,
I have some more question about HW and PIX failover.
What happens when I connect two PIXs..
one UR license and one FO license and my
FO PIX takes over activity and my PIX with the UR license will be corrupted, so that I will need to disconnect it completely to repair it? I know that when someone wants to use an FO PIX standalone, the PIX reboots on a 24-hour cycle. How does the PIX determine that it is not used standalone? I think that when I switch off the first PIX in the pair, the second PIX in the pair with the FO license will function standalone.
Could you give me some explanation?
BR
jl
I guess you won't take magic as an answer? ;-)
I am assuming you are using Serial Failover, no?
So, when the PIX pair powers up, both units detect each other. If you then later remove the UR PIX from the mix, the FO will remain up and actively passing traffic indefinitely (or almost so; at least until the next power outage). The licensing restriction only kicks in if the FO unit does not detect a UR unit at boot.
If this answers your question (I believe it does) please check the box so we can see one of those nice red checks :-)
Sincerely,
David. -
Software for managing SNMP Pix failover traps
Hi, we need to monitor pix failover with snmp. Going through the pix readme shows as example how to do with Cisco Works for WIndows. Is this the only cisco product that can manage this? We are using LMS, is there a way with LMS to monitor failover events?
Kurtis Durrett
Thanks!
The command originally didn't work by itself, but after some changes to the other SNMP configurations the traps were then received.
SNMP configurations below:
Switch#show run | inc snmp
snmp-server community (removed) RW 5
snmp-server trap-source Vlan411
snmp-server chassis-id (Removed)
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps envmon fan temperature
snmp-server host *.*.*.* (Removed) fru-ctrl envmon
Logging:
Switch#show run | inc log
service timestamps log datetime localtime
logging buffered 16384
logging trap notifications -
Pix Failover Configuration with 1 Public
Have 1 PIX 515E (6.3(3)) in production that is currently assigned IP 1.1.1.2 w/ a 255.255.255.248 mask. All of my remaining publicly assigned IPs are being used, so I don't have a free IP for the standby IP on the outside interface. Can I just do the standbys on the inside, failover and stateful link and not worry about having the standby for the outside? I'll be using LAN-based failover w/ a few ports VLAN'd out on my 3560 for the failover and stateful links.
Hello David,
The PIX firewall is reaching end of life this month. On version 6.3 I don't think this is supported, nor do I know what the behavior will be in this scenario; on version 7.0 and higher you can use the command:
no monitor-interface if_name
http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1582411
And just monitor the other interfaces.
I hope this helps.
Regards,
Felipe. -
10Gig - GBIC module, can we connect?
Hi,
I have a PIX 535 firewall which has GBIC module and I need to connect to a Switch 2360 / 2960 which has 10 Gig SFP.
Can I connect using multimode fiber? Will it work?
Or is there any speed configuration we can do to reduce 10 Gig to 1 Gig on the switch side?
Thanks & Regards,
Lenin. S
Hi, I believe the PIX interface is fixed at 1GigE, and with a 10GE SFP in the switch this configuration won't work; you need to ensure the devices are matched for the same speed and media type, multimode (MM) or single mode (SM).
I believe the PIX GE interface is MM, so you will need to install an MM 1GE SFP into the switch. Don't forget that you will also need a GigE failover link if you are using PIX failover.
Chris -
PIX/ASA Failover conditions
I have an ASA cluster in active/standby mode with a LAN cable connected for stateful failover. I want to know about the conditions under which the box fails over to the other. One parameter should be the hello timers going between the failover interfaces.
Does this failover happen when the inside or outside interface of the primary ASA goes down?
What type of firewall is it? What version?
For PIX 7.2 for example I would look at the configuration guide
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html
In particular look at the section entitled "Failover Actions" for active/standby. There is a nice table of failover conditions there.
Similar for other PIX/FWSM/ASA -
Cisco Pix 515 failover how to know the cause of the fail
Hello All,
We have 2 units 515 in failover configuration.
Since last Thursday we have been having problems with our PIXs.
The primary unit fails and then the standby works.
We need to know what the real cause of the problem is.
We have configured logging, and when we check the syslog messages we can't find anything important.
Our version is 6.3(5).
Can anybody help us?
If you need more information, please tell me.
Thanks in advance.
Martin.
Hello Gurpreet,
Our failover system is working only with the failover cable, not with a network cable.
High CPU is occurring in the primary unit. The high CPU usage was after the issue.
One thing: disconnecting for a few seconds the cable for interface "inside" (this cable connects the firewall to our network), the failover runs OK again. We can't understand it.
Here is the sh interface
Thanks again.
Martin
FWPERIMETRO(config)# sh interface
interface ethernet0 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.bef7.56c5
IP address 172.17.4.122, subnet mask 255.255.252.0
MTU 1500 bytes, BW 100000 Kbit full duplex
165844 packets input, 2811391461 bytes, 0 no buffer
Received 947714 broadcasts, 0 runts, 0 giants
1294 input errors, 0 CRC, 0 frame, 1294 overrun, 0 ignored, 0 abort
165698 packets output, 4122450665 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (128/128)
output queue (curr/max blocks): hardware (128/128) software (971/1189)
interface ethernet1 "internet" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.bef7.56c6
IP address 195.55.225.98, subnet mask 255.255.255.240
MTU 1500 bytes, BW 100000 Kbit full duplex
20253 packets input, 6232273 bytes, 0 no buffer
Received 1830 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
22281 packets output, 2876208926 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (8/128)
output queue (curr/max blocks): hardware (2/115) software (0/1)
interface ethernet2 "failover" is up, line protocol is down
Hardware is i82558 ethernet, address is 00e0.b606.92d7
IP address 192.168.254.253, subnet mask 255.255.255.252
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
31 packets output, 320148 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
31 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/10) software (0/1)
interface ethernet3 "dmz-2" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b606.92d6
IP address 195.76.142.185, subnet mask 255.255.255.248
MTU 1500 bytes, BW 100000 Kbit full duplex
1179 packets input, 2703322420 bytes, 0 no buffer
Received 2074 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
720 packets output, 4209917559 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (1/101)
output queue (curr/max blocks): hardware (0/42) software (0/1)
interface ethernet4 "wandas" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b606.92d5
IP address 10.132.0.18, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
164402 packets input, 1499053954 bytes, 0 no buffer
Received 411 broadcasts, 0 runts, 0 giants
267 input errors, 0 CRC, 0 frame, 267 overrun, 0 ignored, 0 abort
159201 packets output, 1116228713 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (128/128)
output queue (curr/max blocks): hardware (0/128) software (0/49)
interface ethernet5 "dmz" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b606.92d4
IP address 172.23.4.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
16067 packets input, 942162666 bytes, 0 no buffer
Received 2108 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
13916 packets output, 494350387 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (6/79)
output queue (curr/max blocks): hardware (0/65) software (0/1) -
Failover 520 PIX , Primary loses communication with secondary
I have 520 PIXs running in failover fashion using a serial cable for the failover heartbeat. The primary loses communication with the secondary for no obvious reason and it gives a jerk on the LAN for connectivity. When I boot the primary first and then the secondary, I can see that the status on the primary for failover is normal. After some time, maybe an hour or two hours later, somehow the primary loses communication with the secondary and in the process it stops responding on the LAN for 15-30 seconds. After this, the status for the secondary in the show failover command changes to testing and it stays as testing. This is happening on both boxes regardless of whichever I make primary. I see the cable status as normal on both firewalls. What could be the reason for losing communication between the two fireboxes? I am thinking of replacing the serial cable with a new cable. I would appreciate it if anyone can give me suggestions for troubleshooting this problem. Thanks.
Hi,
Any syslog messages that you can capture may be helpful. What does show cpu usage say on the PIX? Is there any network infrastructure change that you made? When the PIX loses connection to the secondary, what do both PIXes show? Which one stays active, or do both of them become active?
Thanks
Nadeem -
ASA 5505 ISP Failover (PPPoE/DHCP)
Hello,
I have 2 WAN uplinks:
The primary is VDSL (PPPoE) - very fast, and I have a static IP + /29 subnet 'assigned' to me.
The secondary is DSL (DHCP) - slower
What I'm trying to do is set up ISP failover on my ASA 5505 with Security Plus licence... and the way I have it currently set up 'half-works'. If the primary goes down, the primary route is removed from the routing table and the secondary route is 'inserted'. I have the NATs set up so I have internet access and all seems well. The problem, however, is when the primary ISP comes online again, the ASA doesn't switch back over. It maintains the backup route until I manually switch it (by temporarily disabling the backup ISP switch port).
This is what I did to configure it:
config t
sla monitor 10
type echo protocol ipicmpecho x.x.x.x interface outside-primary
frequency 5
exit
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside-primary 0 0 x.x.x.x 1 track 1
route outside-backup 0 0 y.y.y.y 2
nat (inside,outside-primary) after-auto source dynamic any interface
nat (inside,outside-backup) after-auto source dynamic any interface
Have I missed anything? Is there a better way to set this up? I noticed in ASDM, if you edit an interface, there seems to be the ability to set tracker IDs, SLA IDs, etc., but I couldn't really find anything on Google that helped.
Any assistance would be greatly appreciated.
Thanks!
Robert
Hi Robert,
you need this command:
no ip verify reverse-path interface outside_primary
Problem:
SLA monitoring does not work after the ASA is upgraded to version 8.0.
Solution:
The problem is possibly due to the ip verify reverse-path command configured on the OUTSIDE interface. Remove the command on the ASA and check SLA monitoring again.
For reference:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html
https://supportforums.cisco.com/blog/150001
HTH
"Plz don't forget to choose correct answer and rate help full answer " -
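The half-working behaviour Robert describes and the fix in the reply (taking ip verify reverse-path off the primary outside interface) can be seen in a small model. The following Python is an added example, not ASA code and not from the thread: it models a tracked default route, an ICMP SLA probe sent out the primary interface, and a unicast reverse-path check on that interface. The addresses (203.0.113.0/29, 198.51.100.0/24, probe target 192.0.2.1 standing in for x.x.x.x) are constructed, and the way the model applies the RPF check to the probe's own echo reply is an assumption simplified from the reply's description.

```python
"""Model of an ASA dual-ISP setup: a tracked default route, an ICMP SLA probe
and the unicast reverse-path (uRPF) check on the primary interface.
Added example; addresses, interface names and the simplified probe/RPF
interaction are assumptions, not ASA code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    nexthop: str
    metric: int                  # administrative distance, lower wins
    track: Optional[int] = None  # installed only while this track is up


class Asa:
    def __init__(self, routes, rpf_interfaces):
        self.routes = list(routes)
        self.rpf_interfaces = set(rpf_interfaces)  # 'ip verify reverse-path' on
        self.track_up = {}                          # track id -> bool

    def installed_routes(self):
        return [r for r in self.routes
                if r.track is None or self.track_up.get(r.track, True)]

    def lookup(self, dst):
        dst = ipaddress.IPv4Address(dst)
        matches = [r for r in self.installed_routes() if dst in r.prefix]
        if not matches:
            return None
        # longest prefix first, then lowest administrative distance
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def rpf_accepts(self, ingress, src):
        """uRPF: the best route back to the source must leave via the ingress interface."""
        if ingress not in self.rpf_interfaces:
            return True
        best = self.lookup(src)
        return best is not None and best.iface == ingress

    def run_sla_probe(self, track, target, out_iface, target_reachable):
        """One 'sla monitor' echo: sent out out_iface, reply expected back on it."""
        if not target_reachable:
            self.track_up[track] = False
            return False
        # the echo reply arrives on out_iface with the probe target as source
        self.track_up[track] = self.rpf_accepts(out_iface, target)
        return self.track_up[track]

    def default_egress(self):
        r = self.lookup("8.8.8.8")  # any internet destination (constructed)
        return r.iface if r else None


SLA_TARGET = "192.0.2.1"  # stands in for the x.x.x.x probed via the primary ISP


def build_asa(rpf_on_primary):
    routes = [
        Route(ipaddress.ip_network("203.0.113.0/29"), "outside-primary", "connected", 0),
        Route(ipaddress.ip_network("198.51.100.0/24"), "outside-backup", "connected", 0),
        # route outside-primary 0 0 203.0.113.1 1 track 1
        Route(ipaddress.ip_network("0.0.0.0/0"), "outside-primary", "203.0.113.1", 1, track=1),
        # route outside-backup 0 0 198.51.100.1 2
        Route(ipaddress.ip_network("0.0.0.0/0"), "outside-backup", "198.51.100.1", 2),
    ]
    return Asa(routes, ["outside-primary"] if rpf_on_primary else [])


def simulate(rpf_on_primary):
    """Egress interface after: steady state, primary outage, primary restored."""
    asa = build_asa(rpf_on_primary)
    history = []
    for reachable in (True, False, True):
        asa.run_sla_probe(1, SLA_TARGET, "outside-primary", reachable)
        history.append(asa.default_egress())
    return history


if __name__ == "__main__":
    print("rpf on :", simulate(True))   # stays on outside-backup after recovery
    print("rpf off:", simulate(False))  # fails back to outside-primary
```

With the RPF check on, the echo reply that should bring track 1 back up arrives on outside-primary while the only installed route to its source points at outside-backup, so the model discards it and the primary route is never reinstalled; with the check off, the third probe succeeds and the primary route returns. In this model the problem does not occur if the probe target sits on the directly connected /29 (the RPF lookup then matches the connected route), which is a reason to think about which address x.x.x.x probes.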
Download Speed on PIX 515E is Pretty Slow
Hello, I have a PIX 515E set up between our office switch and our Comcast Business router and the download speeds are not as fast as they should be. We are paying for 30 down / 30 up but it's more like 10 down / 30 up. I plugged a computer directly into the router and got 30/30, so I know it's not a Comcast issue. I think it might be the low amount of memory on the PIX because it's running at 109 out of a total of 128 MB. The PIX has a site-to-site VPN tunnel with a remote ASA 5520 firewall. The inside/outside ports are both auto/auto. The running config is only 161 lines.
Here's some information about the PIX 515E...
Version 8.0(4)
ASDM 6.1(3)
Memory 128MB
Here is the running config..
Result of the command: "show running-config"
: Saved
PIX Version 8.0(4)
hostname --------------------
domain-name -----------------
enable password -------------------------
passwd --------------- encrypted
names
name 1.1.1.1 Data-Center-Firewall #### Outside Address Changed
name 10.0.0.0 Data-Center-Subnet
dns-guard
interface Ethernet0
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0 standby 10.10.1.254
interface Ethernet1
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.252 #### Outside Address Changed
interface Ethernet2
description LAN/STATE Failover Interface
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name -------------
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http8080 tcp
description http8080
port-object eq 8080
object-group service DM_INLINE_TCP_1 tcp
port-object range 50000 50100
port-object eq 990
access-list outside_access_in remark ip, tcp/990
access-list outside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.5 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit icmp any any
access-list ACL-VPN extended permit ip 10.10.1.0 255.255.255.0 Data-Center-Subnet 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet2
failover lan enable
failover key *****
failover replication http
failover mac address Ethernet0 001e.f732.008f 000d.28f9.628f
failover mac address Ethernet1 001e.f732.0090 000d.28f9.6290
failover link failover Ethernet2
failover interface ip failover 10.10.10.10 255.255.255.252 standby 10.10.10.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ACL-VPN
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 2.2.2.5 10.10.1.102 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route inside 10.10.0.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.0.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP-VPN 1 match address ACL-VPN
crypto map MAP-VPN 1 set pfs
crypto map MAP-VPN 1 set peer Data-Center-Firewall
crypto map MAP-VPN 1 set transform-set ESP-3DES-SHA
crypto map MAP-VPN 1 set security-association lifetime seconds 28800
crypto map MAP-VPN 1 set security-association lifetime kilobytes 4608000
crypto map MAP-VPN interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.1.0 255.255.255.0 inside
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
class-map class_ftp
match port tcp eq ftp-data
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class class_ftp
inspect ftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b795d4f5f5da3d8283d452ba857d5534
: end
Please check on the speed and duplex settings, whether the downstream and upstream links are fine and healthy.
Inside/outside are both set to auto/auto at
Check for the processes usage of the cpu of the pix.
CPU is running at 2%
Process: tmatch compile thread, PROC_PC_TOTAL: 2, MAXHOG: 8, LASTHOG: 8
LASTHOG At: 19:01:15 EST Dec 31 1992
PC: 26b616 (suspend)
Process: tmatch compile thread, NUMHOG: 2, MAXHOG: 8, LASTHOG: 8
LASTHOG At: 19:01:15 EST Dec 31 1992
PC: 26b616 (suspend)
Traceback: 26b616 26bdb9 26ec89 1182b3
Process: Dispatch Unit, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 09:25:12 EDT Jul 18 2012
PC: 130114b (interrupt)
Traceback: 100178 12edd0c 9771e5 8c0e66 927164 928996 8ec3f5
8ec7ed 79d35e 2780c3 1182b3
Process: Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 12:27:25 EDT Jul 18 2012
PC: 130114b (interrupt)
Traceback: 100178 d870cb 13016b3 15cf68 e91a6f e9118b abfcea
a7cb2e a7daeb 18d800 5ae9a9 5a6aa0 5a7272 5a75e5
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 7, LASTHOG: 7
LASTHOG At: 12:34:10 EDT Jul 18 2012
PC: 5ae903 (suspend)
Process: Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 7, LASTHOG: 7
LASTHOG At: 12:34:10 EDT Jul 18 2012
PC: 5ae903 (suspend)
Traceback: 5ae903 5a6aa0 5a7272 5a75e5 5ad3d5 1182b3
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 12:37:47 EDT Jul 18 2012
PC: f4078b (suspend)
Process: Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 12:37:47 EDT Jul 18 2012
PC: f4078b (suspend)
Traceback: f40be2 130f41e aab54d aac3b0 5a6c2e 5a7272 5a75e5
5ad3d5 1182b3
Process: IKE Daemon, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 23:07:40 EDT Jul 19 2012
PC: 1b6dd0 (interrupt)
Traceback: 100178 1b8a31 1baaeb 6438d7 12efc6f 64250b 653fe9
654b78 1182b3
Process: IKE Daemon, PROC_PC_TOTAL: 347, MAXHOG: 31, LASTHOG: 30
LASTHOG At: 16:01:55 EDT Jul 23 2012
PC: 654bab (suspend)
Process: CTM message handler, PROC_PC_TOTAL: 346, MAXHOG: 27, LASTHOG: 27
LASTHOG At: 16:01:55 EDT Jul 23 2012
PC: 2087ec (suspend)
Process: IKE Daemon, NUMHOG: 693, MAXHOG: 31, LASTHOG: 27
LASTHOG At: 16:01:55 EDT Jul 23 2012
PC: 654bab (suspend)
Traceback: 1182b3
Process: Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 17:23:30 EDT Jul 23 2012
PC: 130003b (interrupt)
Traceback: 100178 13008b8 f5a0cd f5ac32 f5ae40 f60828 f617c1
d38a0d aab50b aac14a 5a6c2e 5a7272 5a75e5 5ad3d5
Process: Dispatch Unit, PROC_PC_TOTAL: 227, MAXHOG: 432, LASTHOG: 35
LASTHOG At: 17:37:03 EDT Jul 23 2012
PC: 278207 (suspend)
Process: Dispatch Unit, NUMHOG: 227, MAXHOG: 432, LASTHOG: 35
LASTHOG At: 17:37:03 EDT Jul 23 2012
PC: 278207 (suspend)
Traceback: 278207 1182b3
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 1901, MAXHOG: 8, LASTHOG: 7
LASTHOG At: 17:44:20 EDT Jul 23 2012
PC: 118ed5 (suspend)
Process: Unicorn Admin Handler, NUMHOG: 1901, MAXHOG: 8, LASTHOG: 7
LASTHOG At: 17:44:20 EDT Jul 23 2012
PC: 118ed5 (suspend)
Traceback: 118ed5 b2d032 f5a80d f5ac0a f5ae40 f607e5 f617c1
d38a0d aab50b aac14a 5a6c2e 5a7272 5a75e5 5ad3d5
CPU hog threshold (msec): 5.120
Last cleared: None
Check on the interface whether you get any CRC/input/overrun errors. Please check the physical connectivity.
Interface Ethernet0 "inside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address __________, MTU 1500
IP address 10.10.1.1, subnet mask 255.255.255.0
60862937 packets input, 29025667892 bytes, 0 no buffer
Received 1371 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
68515603 packets output, 44084404472 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/47)
output queue (curr/max packets): hardware (0/67) software (0/1)
Traffic Statistics for "inside":
60997029 packets input, 28080179952 bytes
68553614 packets output, 43104566708 bytes
29544 packets dropped
1 minute input rate 63 pkts/sec, 30371 bytes/sec
1 minute output rate 64 pkts/sec, 16557 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 91 pkts/sec, 45254 bytes/sec
5 minute output rate 93 pkts/sec, 56181 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet1 "outside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address ___________, MTU 1500
IP address ___________, subnet mask 255.255.255.252
67730933 packets input, 44248541375 bytes, 0 no buffer
Received 4493 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
60418640 packets output, 29310509840 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/39)
output queue (curr/max packets): hardware (0/42) software (0/1)
Traffic Statistics for "outside":
67782987 packets input, 43276611710 bytes
60562287 packets output, 28342787997 bytes
206651 packets dropped
1 minute input rate 57 pkts/sec, 14273 bytes/sec
1 minute output rate 61 pkts/sec, 30258 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 89 pkts/sec, 54426 bytes/sec
5 minute output rate 87 pkts/sec, 45115 bytes/sec
5 minute drop rate, 0 pkts/sec
Enable flow control receive (flowcontrol receive on) on the firewall interfaces and on the switch/router interfaces connected to the firewall.
Not sure how to do that. -
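Both show interface dumps above (Martin's 6.3(5) unit, where ethernet2 "failover" is up with line protocol down and 31 lost carrier while the inside interface counts 1294 overruns, and the 8.0(4) output in this thread) are where the cabling, duplex and failover-link problems the replies point at would show up. The following Python is an added example, not Cisco code and not from either thread: it parses both output formats and lists every interface whose line protocol is down or whose physical-layer error counters are non-zero. The sample output is constructed after the two dumps, with the MAC addresses replaced.

```python
"""Parse PIX/ASA 'show interface' output and flag interfaces whose line protocol
or physical-layer counters point at a cabling, duplex or failover-link problem.
Added example, not Cisco code. Handles the 6.x line format
('interface ethernet0 "inside" is up, ...') and the 7.x/8.x format
('Interface Ethernet0 "inside", is up, ...')."""
import re
from typing import Dict, List, Tuple

HEADER = re.compile(
    r'^\s*interface\s+(?P<port>\S+)\s+"(?P<nameif>[^"]+)",?\s+is\s+(?P<admin>[\w ]+?),'
    r'\s+line protocol is\s+(?P<proto>\w+)',
    re.IGNORECASE)
# "1294 overrun", "0 CRC", "31 lost carrier": a count followed by its label
COUNTER = re.compile(r'(?<![\w.])(\d+)\s+([A-Za-z][A-Za-z ]*?)(?=,|$)')

# counters that are zero on a healthy link
PHYSICAL_ERRORS = ("input errors", "crc", "frame", "overrun", "output errors",
                   "collisions", "late collisions", "lost carrier", "interface resets")


def parse_show_interface(text: str) -> Dict[str, dict]:
    """Return {port: {'nameif', 'admin', 'proto', 'counters': {label: count}}}."""
    interfaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"nameif": m["nameif"], "admin": m["admin"].lower(),
                       "proto": m["proto"].lower(), "counters": {}}
            interfaces[m["port"].lower()] = current
            continue
        if current is None:
            continue
        for value, label in COUNTER.findall(line):
            # first occurrence wins: 8.x repeats 'packets input/output' in its
            # traffic-statistics block, the error counters appear once
            current["counters"].setdefault(label.strip().lower(), int(value))
    return interfaces


def find_problems(interfaces: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(port, nameif, finding) for every interface that deserves a look."""
    findings = []
    for port, info in interfaces.items():
        if info["admin"] == "up" and info["proto"] != "up":
            findings.append((port, info["nameif"], "line protocol down"))
        for key in PHYSICAL_ERRORS:
            n = info["counters"].get(key, 0)
            if n:
                findings.append((port, info["nameif"], f"{key}={n}"))
    return findings


# constructed sample modelled on the two dumps in the threads (MACs replaced)
SAMPLE = """\
interface ethernet0 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0000.0000.0001
  IP address 172.17.4.122, subnet mask 255.255.252.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        165844 packets input, 2811391461 bytes, 0 no buffer
        Received 947714 broadcasts, 0 runts, 0 giants
        1294 input errors, 0 CRC, 0 frame, 1294 overrun, 0 ignored, 0 abort
        165698 packets output, 4122450665 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
interface ethernet2 "failover" is up, line protocol is down
  Hardware is i82558 ethernet, address is 0000.0000.0002
  IP address 192.168.254.253, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        31 packets output, 320148 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        31 lost carrier, 0 no carrier
Interface Ethernet1 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        67730933 packets input, 44248541375 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 lost carrier, 0 no carrier
  Traffic Statistics for "outside":
        67782987 packets input, 43276611710 bytes
        206651 packets dropped
"""

if __name__ == "__main__":
    for port, nameif, finding in find_problems(parse_show_interface(SAMPLE)):
        print(f"{port} ({nameif}): {finding}")
```

Run against the sample it reports the inside overruns and the dead failover link (line protocol down plus lost carrier) and stays silent on the clean outside interface; "packets dropped" from the 8.x traffic statistics is parsed but deliberately not flagged, since on an outside interface that counter mostly reflects ACL drops rather than a link fault.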
What am i missing?
pixfirewall# show mac-address-table
^
ERROR: % Invalid input detected at '^' marker.
[EDIT: karat is under the A in mac ]
pixfirewall# sh ver
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
pixfirewall up 175 days 11 hours
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 000d.28f9.62a5, irq 10
1: Ext: Ethernet1 : address is 000d.28f9.62a6, irq 11
2: Ext: Ethernet2 : address is 000d.8810.a620, irq 11
3: Ext: Ethernet3 : address is 000d.8810.a621, irq 10
4: Ext: Ethernet4 : address is 000d.8810.a622, irq 9
5: Ext: Ethernet5 : address is 000d.8810.a623, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Restricted (R) license.
Serial Number: 807234146
Running Activation Key: 0x6ab205ba 0x986d4239 0xf56523af 0x76f3d58b
Configuration last modified by enable_15 at 12:58:08.130 EDT Thu May 16 2013
pixfirewall# show mac-address-table
^
ERROR: % Invalid input detected at '^' marker.
Hi,
Command Modes: the following table shows the modes in which you can enter the command. Its columns are Command Mode; Firewall Mode, split into Routed and Transparent; and Security Context, split into Single and Multiple (Context and System). The command mode row listed is Privileged EXEC.
Source:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s4.html#wp1448364
- Jouni -
Link to configuration convertor tool from PIX to ASA
Hi,
I have been looking unsuccessfully for the Cisco tool that takes the PIX config and converts it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and, if it's a yes, where I can find that tool on the Cisco site please?
Regards,
Masood
Hello again,
This configuration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX configuration.
Would you please be able to tell me what I need to type on the ASAs to configure them for this cable-based failover?
Here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface:
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
no shut
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
no shut
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
no shut
and the STANDBY:
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
Now, I already have the configs from the PIX 525 which I am going to paste directly onto the ASA, which has been downgraded to 8.2.3.
So how does it work with the failover configuration?
Can you please advise on how I go about the following:
1- configure failover before I paste the PIX config onto the ASA?
2- paste the config for the PIX 525 onto the ASA, which I have already downgraded to version 8.2.3.
Please advise.
Regards,
Masood -
PIX Firewall 525 can not start
Hi,
Today my colleague added 2 lines of access-list to our PIX 525. After 10 minutes, my firewall rebooted and until now it can't start. The booting process is listed below.
The questions are :
1. What is my OS version? Flash?
2. How to remove those 2 lines (reset the config to default)?
3. How to solve the issue?
Thanks,
Andy
Booting process
================
Rebooting..
Wait.....
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10
Cisco Secure PIX Firewall Embedded BIOS Version 4.3
Wait...ndeavor Board, Boot Block BIOS
+------------------------------------------------------------------------------+
| System BIOS Configuration, (C) 2000 General Software, Inc. |
+---------------------------------------+--------------------------------------+
| System CPU : Pentium III | Low Memory : 638KB |
| Coprocessor : Enabled | Extended Memory : 255MB |
| Embedded BIOS Date : 08/25/00 | Serial Ports 1-2 : 03F8 02F8 |
+---------------------------------------+--------------------------------------+
Cisco Secure PIX Firewall BIOS (4.0) #39: Tue Nov 28 18:44:51 PST 2000
Platform PIX-525
System Flash=E28F128J3 @ 0xfff00000
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1528320 bytes of image from flash.
256MB RAM
System Flash=E28F128J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000
mcwa i82559 Ethernet at irq 11 MAC: 0006.5336.8129
mcwa i82559 Ethernet at irq 10 MAC: 0006.5336.8128
|| ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
Cisco PIX Firewall
Cisco PIX Firewall Version 6.2(1)
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 8
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
An internal error occurred. Specifically, a programming assertion was
violated. Copy the error message exactly as it appears, and get the
output of the show version command and the contents of the configuration
file. Then call your technical support representative.
assertion "addr < sfmm_chip_size" failed: file "sfmm.c", line 254
No thread name
Traceback:
0: 802decd5
1: 8007a8ce
2: 800769bb
3: 80078223
4: 8007635e
5: 800017d5
6: 800758ab
7: 80120ed6
vector 0x00000003 (breakpoint)
edi 0x8007a887
esi 0x000000fe
ebp 0x7ffffcb8
esp 0x7ffffcac
ebx 0x8007a5a3
edx 0x000003fd
ecx 0x0000000a
eax 0x00000042
error code n/a
eip 0x802dffac
cs 0x00000008
eflags 0x00000046
CR2 0x00000000
Stack dump: base:0x7ffffc2c size:64, active:64
0x7ffffd2c: 0x00020000
0x7ffffd28: 0x807f2828
0x7ffffd24: 0xfffe0000
0x7ffffd20: 0x00000300
0x7ffffd1c: 0x800769bb
0x7ffffd18: 0x7ffffd48
0x7ffffd14: 0x00000001
0x7ffffd10: 0x00000002
0x7ffffd0c: 0x800762f4
0x7ffffd08: 0x804a849c
0x7ffffd04: 0x00000020
0x7ffffd00: 0x805100c0
0x7ffffcfc: 0x7ffffd48
0x7ffffcf8: 0x8007a887
0x7ffffcf4: 0x000000fe
0x7ffffcf0: 0x8007a5a3
0x7ffffcec: 0x8007a8ce
0x7ffffce8: 0x7ffffd18
0x7ffffce4: 0x80317cd4
0x7ffffce0: 0xffffffff
0x7ffffcdc: 0x80078163
0x7ffffcd8: 0x807f2828
0x7ffffcd4: 0xfffe0000
0x7ffffcd0: 0x805100c0
0x7ffffccc: 0x000000fe
0x7ffffcc8: 0x8007a5a3
0x7ffffcc4: 0x8007a887
0x7ffffcc0: 0x802dec68
0x7ffffcbc: 0x802decd5
0x7ffffcb8: 0x7ffffce8
0x7ffffcb4: 0x00000046
0x7ffffcb0: 0x00000008
0x7ffffcac: 0x802dffac *
0x7ffffca8: 0x00000042
0x7ffffca4: 0x0000000a
0x7ffffca0: 0x000003fd
0x7ffffc9c: 0x8007a5a3
0x7ffffc98: 0x7ffffcac
0x7ffffc94: 0x7ffffcb8
0x7ffffc90: 0x000000fe
0x7ffffc8c: 0x8007a887
0x7ffffc88: 0x00000003
0x7ffffc84: 0x80004779
0x7ffffc80: 0x7ffffcb8
0x7ffffc7c: 0x802c4deb
0x7ffffc78: 0x7ffffc98
0x7ffffc74: 0x7ffffd48
0x7ffffc70: 0x00000001
0x7ffffc6c: 0x000000fe
0x7ffffc68: 0x8007a5a3
0x7ffffc64: 0x7ffffd48
0x7ffffc60: 0x80120ed6
0x7ffffc5c: 0x00000007
0x7ffffc58: 0x7ffffcac
0x7ffffc54: 0x80002d70
0x7ffffc50: 0x7ffffc80
0x7ffffc4c: 0x7ffffcac
0x7ffffc48: 0x80002ab0
0x7ffffc44: 0x00000040
0x7ffffc40: 0x7ffffc80
0x7ffffc3c: 0x74656720
0x7ffffc38: 0x7ffffe28
0x7ffffc34: 0x2c737261
0x7ffffc30: 0x8007a887
Nested traceback attempted via interrupt.
Traceback output aborted.
Rebooting..
Urgent help!!!
-
Upgrading from PIX to ASA 5512X
Hi everyone,
We are in the middle of upgrading from two PIXs to some new ASA5512Xs. To give you some background on the situation, we are upgrading these since the PIXs are fairly old. We had one extra that we had to use since one PIX has failed already. The guy that implemented the PIXs originally was learning how to do so as he went, so there is a lot of needless config in the PIX, at least from what I can tell. Another guy that works with me has done some configuration on the new ASAs and has done the majority of it so far. Today we went to install the new ASAs and switch everything over, hoping it would work, but that didn't happen. It seems that there is something wrong with our NAT and ACLs somewhere along the line. The way our network is laid out is that we have two school campuses with a site-to-site VPN; one is 172.17.0.0/16 and the other is 172.18.0.0/16. We also have a remote-access VPN on both ASAs. When we connected the new ASAs up and brought up the interfaces, nothing on the inside could ping the internet nor the other side. The VPN showed active on the ASAs and each ASA could ping the other's outside interface, but that was it. I have posted the configs below. If anyone could help out I would GREATLY appreciate it! Thank you in advance!
ASA1:
: Saved
: Written by enable_15 at 04:26:18.240 CDT Tue Mar 12 2013
ASA Version 8.6(1)2
hostname dallasroadASA
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 70.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.18.2.21
name-server 172.18.2.20
object network WS_VLAN2
subnet 172.17.2.0 255.255.255.0
object network WS_VLAN3
subnet 172.17.3.0 255.255.255.0
object network WS_VLAN4
subnet 172.17.4.0 255.255.255.0
object network WS_VLAN5
subnet 172.17.5.0 255.255.255.0
object network WS_VLAN6
subnet 172.17.6.0 255.255.255.0
object network WS_VLAN7
subnet 172.17.7.0 255.255.255.0
object network WS_VLAN8
subnet 172.17.8.0 255.255.255.0
object network WS_VLAN9
subnet 172.17.9.0 255.255.255.0
object network WS_VLAN10
subnet 172.17.10.0 255.255.255.0
object network WS_VLAN11
subnet 172.17.11.0 255.255.255.0
object network WS_VLAN12
subnet 172.17.12.0 255.255.255.0
object network WS_VLAN13
subnet 172.17.13.0 255.255.255.0
object network WS_VLAN14
subnet 172.17.14.0 255.255.255.0
object network WS_VLAN15
subnet 172.17.15.0 255.255.255.0
object network WS_VLAN16
subnet 172.17.16.0 255.255.255.0
object network DR_VLAN2
subnet 172.18.2.0 255.255.255.0
object network DR_VLAN3
subnet 172.18.3.0 255.255.255.0
object network DR_VLAN4
subnet 172.18.4.0 255.255.255.0
object network DR_VLAN5
subnet 172.18.5.0 255.255.255.0
object network DR_VLAN6
subnet 172.18.6.0 255.255.255.0
object network DR_VLAN7
subnet 172.18.7.0 255.255.255.0
object network DR_VLAN8
subnet 172.18.8.0 255.255.255.0
object network DR_VLAN9
subnet 172.18.9.0 255.255.255.0
object network DR_VLAN10
subnet 172.18.10.0 255.255.255.0
object network DR_CORE_SW
host 172.18.2.1
object network dallasdns02_internal
host 172.18.2.21
object network faithdallas03_internal
host 172.18.2.20
object network dns_external
host 70.x.x.x
object network WorthStreet
subnet 172.17.0.0 255.255.0.0
object network DallasRoad
subnet 172.18.0.0 255.255.0.0
object-group network DALLAS_VLANS
network-object object DR_VLAN10
network-object object DR_VLAN2
network-object object DR_VLAN3
network-object object DR_VLAN4
network-object object DR_VLAN5
network-object object DR_VLAN6
network-object object DR_VLAN7
network-object object DR_VLAN8
network-object object DR_VLAN9
object-group network WORTH_VLANS
network-object object WS_VLAN10
network-object object WS_VLAN11
network-object object WS_VLAN12
network-object object WS_VLAN13
network-object object WS_VLAN14
network-object object WS_VLAN15
network-object object WS_VLAN16
network-object object WS_VLAN2
network-object object WS_VLAN3
network-object object WS_VLAN4
network-object object WS_VLAN5
network-object object WS_VLAN6
network-object object WS_VLAN7
network-object object WS_VLAN8
network-object object WS_VLAN9
object-group network dallasitnetwork
network-object host 172.18.2.20
network-object host 172.18.2.40
object-group protocol tcpudp
protocol-object udp
protocol-object tcp
object-group network dallasroaddns
network-object host 172.18.2.20
network-object host 172.18.2.21
object-group service tcpservices tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq ssh
object-group network remotevpnnetwork
network-object 172.18.50.0 255.255.255.0
access-list L2LAccesslist extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list NONAT extended permit ip any 172.18.50.0 255.255.255.0
access-list inside_inbound_access extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list inside_inbound_access extended permit ip object-group dallasitnetwork any
access-list inside_inbound_access extended permit object-group tcpudp object-group dallasroaddns any eq domain
access-list inside_inbound_access extended permit ip host 172.18.4.10 any
access-list inside_inbound_access extended deny object-group tcpudp any any eq domain
access-list inside_inbound_access extended deny tcp any any eq smtp
access-list inside_inbound_access extended permit ip any any
access-list outside_inbound_access extended permit tcp any host 70.x.x.x object-group tcpservices
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnaddresspool 172.18.50.0-172.18.50.255
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static dallasdns02_internal dns_external
nat (inside,outside) source static faithdallas03_internal dns_external
nat (inside,outside) source dynamic any interface
nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
nat (inside,outside) source static DallasRoad DallasRoad destination static WorthStreet WorthStreet
access-group outside_inbound_access in interface outside
access-group inside_inbound_access in interface inside
route outside 0.0.0.0 0.0.0.0 70.x.x.x 1
route inside 172.18.0.0 255.255.0.0 172.18.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
map-name VPNALLOW IETF-Radius-Class
map-value VPNALLOW FALSE NOACESS
map-value VPNALLOW TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.17.2.28
server-port 389
ldap-base-dn DC=campus,DC=fcschool,DC=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ****
ldap-login-dn CN=fcsadmin,CN=Users,DC=campus,DC=fcschool,DC=org
server-type microsoft
ldap-attribute-map CISCOMAP
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2LAccesslist
crypto map outside_map 10 set peer 71.x.x.x
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.18.0.0 255.255.0.0 inside
ssh 172.17.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1
group-policy DfltGrpPolicy attributes
dns-server value 172.18.2.20
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
password-storage enable
group-policy DallasRoad internal
group-policy DallasRoad attributes
dns-server value 172.18.2.20 172.18.2.21
password-storage enable
default-domain value campus.fcschool.org
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value Now connected to the FCS Network
vpn-tunnel-protocol ikev1
username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
tunnel-group remoteaccessvpn type remote-access
tunnel-group remoteaccessvpn general-attributes
address-pool vpnaddresspool
authentication-server-group LDAP
tunnel-group 71.x.x.x type ipsec-l2l
tunnel-group 71.x.x.x ipsec-attributes
ikev1 pre-shared-key ****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fd69fbd7a2cb0a6a125308dd85302198
: end
ASA2:
: Saved
: Written by enable_15 at 09:27:47.579 UTC Tue Mar 12 2013
ASA Version 8.6(1)2
hostname worthstreetASA
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 71.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.17.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.17.2.23
name-server 172.17.2.28
object network mail_external
host 71.x.x.x
object network mail_internal
host 172.17.2.57
object network faweb_external
host 71.x.x.x
object network netclassroom_external
host 71.x.x.x
object network blackbaud_external
host 71.x.x.x
object network netclassroom_internal
host 172.17.2.41
object network nagios
host 208.x.x.x
object network DallasRoad_ASA
host 70.x.x.x
object network WS_VLAN2
subnet 172.17.2.0 255.255.255.0
object network WS_VLAN3
subnet 172.17.3.0 255.255.255.0
object network WS_VLAN4
subnet 172.17.4.0 255.255.255.0
object network WS_VLAN5
subnet 172.17.5.0 255.255.255.0
object network WS_VLAN6
subnet 172.17.6.0 255.255.255.0
object network WS_VLAN7
subnet 172.17.7.0 255.255.255.0
object network WS_VLAN8
subnet 172.17.8.0 255.255.255.0
object network WS_VLAN9
subnet 172.17.9.0 255.255.255.0
object network WS_VLAN10
subnet 172.17.10.0 255.255.255.0
object network WS_VLAN11
subnet 172.17.11.0 255.255.255.0
object network WS_VLAN12
subnet 172.17.12.0 255.255.255.0
object network WS_VLAN13
subnet 172.17.13.0 255.255.255.0
object network WS_VLAN14
subnet 172.17.14.0 255.255.255.0
object network WS_VLAN15
subnet 172.17.15.0 255.255.255.0
object network WS_VLAN16
subnet 172.17.16.0 255.255.255.0
object network DR_VLAN2
subnet 172.18.2.0 255.255.255.0
object network DR_VLAN3
subnet 172.18.3.0 255.255.255.0
object network DR_VLAN4
subnet 172.18.4.0 255.255.255.0
object network DR_VLAN5
subnet 172.18.5.0 255.255.255.0
object network DR_VLAN6
subnet 172.18.6.0 255.255.255.0
object network DR_VLAN7
subnet 172.18.7.0 255.255.255.0
object network DR_VLAN8
subnet 172.18.8.0 255.255.255.0
object network DR_VLAN9
subnet 172.18.9.0 255.255.255.0
object network DR_VLAN10
subnet 172.18.10.0 255.255.255.0
object network WS_CORE_SW
host 172.17.2.1
object network blackbaud_internal
host 172.17.2.26
object network spiceworks_internal
host 172.17.2.15
object network faweb_internal
host 172.17.2.31
object network spiceworks_external
host 71.x.x.x
object network WorthStreet
subnet 172.17.0.0 255.255.0.0
object network DallasRoad
subnet 172.18.0.0 255.255.0.0
object network remotevpnnetwork
subnet 172.17.50.0 255.255.255.0
object-group icmp-type echo_svc_group
icmp-object echo
icmp-object echo-reply
object-group service mail.fcshool.org_svc_group
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service nagios_svc_group tcp
port-object eq 12489
object-group service http_s_svc_group tcp
port-object eq www
port-object eq https
object-group network DALLAS_VLANS
network-object object DR_VLAN10
network-object object DR_VLAN2
network-object object DR_VLAN3
network-object object DR_VLAN4
network-object object DR_VLAN5
network-object object DR_VLAN6
network-object object DR_VLAN7
network-object object DR_VLAN8
network-object object DR_VLAN9
object-group network WORTH_VLANS
network-object object WS_VLAN10
network-object object WS_VLAN11
network-object object WS_VLAN12
network-object object WS_VLAN13
network-object object WS_VLAN14
network-object object WS_VLAN15
network-object object WS_VLAN16
network-object object WS_VLAN2
network-object object WS_VLAN3
network-object object WS_VLAN4
network-object object WS_VLAN5
network-object object WS_VLAN6
network-object object WS_VLAN7
network-object object WS_VLAN8
network-object object WS_VLAN9
object-group network MailServers
network-object host 172.17.2.57
network-object host 172.17.2.58
network-object host 172.17.2.17
object-group protocol DM_INLINE_PROTOCOL
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DNS_Servers
network-object host 172.17.2.23
network-object host 172.17.2.28
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit object-group mail.fcshool.org_svc_group any object mail_internal
access-list outside_access_in extended permit tcp object nagios object mail_internal object-group nagios_svc_group
access-list outside_access_in extended permit tcp any object faweb_external object-group http_s_svc_group
access-list outside_access_in extended permit tcp any object netclassroom_external object-group http_s_svc_group
access-list outside_access_in extended permit tcp any object blackbaud_external eq https
access-list outside_access_in extended permit tcp any object spiceworks_external object-group http_s_svc_group
access-list L2LAccesslist extended permit ip 172.17.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list inside_inbound extended permit object-group TCPUDP object-group DNS_Servers any eq domain
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL host 172.17.15.10 any inactive
access-list inside_access_in extended permit tcp object-group MailServers any eq smtp
access-list inside_access_in extended permit tcp host 172.17.14.10 any eq smtp
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list vpn_access extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnaddresspool 172.17.50.1-172.17.50.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static mail_internal mail_external
nat (inside,outside) source static netclassroom_internal netclassroom_external
nat (inside,outside) source static faweb_internal faweb_external
nat (inside,outside) source static spiceworks_internal interface
nat (inside,outside) source static blackbaud_internal blackbaud_external
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static WorthStreet WorthStreet destination static DallasRoad DallasRoad
nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
route inside 172.17.0.0 255.255.0.0 172.17.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
map-name VPNALLOW IETF-Radius-Class
map-value VPNALLOW FALSE NOACESS
map-value VPNALLOW TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
network-acl vpn_access
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.17.2.28
ldap-base-dn DC=campus,DC=fcschool,DC=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ****
ldap-login-dn CN=VPN Admin,CN=Users,DC=campus,DC=fcschool,DC=org
server-type microsoft
ldap-attribute-map CISCOMAP
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.0.0 255.255.0.0 inside
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2LAccesslist
crypto map outside_map 10 set peer 70.x.x.x
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 172.17.0.0 255.255.0.0 inside
telnet 172.18.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.17.0.0 255.255.0.0 inside
ssh 172.18.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
webvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value Now connected to the FCS Network
vpn-tunnel-protocol ikev1
username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
tunnel-group 70.x.x.x type ipsec-l2l
tunnel-group 70.x.x.x ipsec-attributes
ikev1 pre-shared-key ****
tunnel-group remoteaccessvpn type remote-access
tunnel-group remoteaccessvpn general-attributes
address-pool vpnaddresspool
authentication-server-group LDAP
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b599ba0f719f39b213e7f01fe55588ac
: end
Hi Derrick,
I just did the same for a customer; replaced a failover cluster of 2 PIX515s with 5512Xs. The NAT change is major with ASA version 8.3 and later...
Here's what you need: a manual NAT rule called twice NAT (policy NAT or NONAT is the old terminology) for the VPNs to work. Also add the no-proxy-arp keyword:
nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static VPN_NETWORKS VPN_NETWORKS no-proxy-arp
nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static RA_VPN_NETWORKS RA_VPN_NETWORKS no-proxy-arp
Then the dynamic PAT for internet access (after the twice NATs for VPN); it could be a manual NAT like you did, or, preferably, an object NAT.
You did:
nat (inside,outside) source dynamic any interface
It would also work with object NAT:
object network INSIDE_NETWORKS
subnet ...
nat (inside,outside) dynamic interface
Same on the other side (except the networks are reversed, since the inside network is now what the other side refers to as the VPN network and vice versa).
If you don't put the no-proxy-arp, your NAT configuration will cause network issues.
Also, to be able to pass pings through the ASA, add the following:
policy-map global_policy
class inspection_default
inspect icmp
The ASA will do some basic inspection of the ICMP protocol with that config, e.g. it will make sure there is one echo-reply for each echo-request...
Hope that helps,
Patrick
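As an added example (not code from the thread, from Cisco, or from Patrick), here is a small Python lint that applies the ordering rule this reply depends on to the NAT lines of the posted dallasroadASA config: section-1 manual NAT statements are matched top-down, so an identity (twice/NONAT) rule that sits below the catch-all `nat (inside,outside) source dynamic any interface` never matches and the VPN traffic is PATed instead. The lint reports shadowed identity rules and identity rules lacking no-proxy-arp, and emits the statements in the order the reply recommends. The function names and finding texts are my own; the sample input is copied from the posted config.

```python
"""Order check for ASA 8.3+ manual (twice) NAT, the point of Patrick's reply.
Added example, not the thread's or Cisco's code. Section-1 manual NAT is
matched top-down, first match wins, so an identity (NONAT) rule below a
catch-all dynamic PAT never matches and VPN traffic gets PATed instead."""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Shape of the posted statements; trailing keywords land in "rest".
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source "
    r"(?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dest_real>\S+) (?P<dest_mapped>\S+))?"
    r"(?P<rest>.*)$")

@dataclass
class NatRule:
    line_no: int
    src_if: str
    dst_if: str
    kind: str  # "static" or "dynamic"
    real: str
    mapped: str
    dest_real: Optional[str]
    dest_mapped: Optional[str]
    options: List[str]  # e.g. ["no-proxy-arp", "route-lookup"]
    description: Optional[str]

    @property
    def is_identity(self) -> bool:
        """Twice NAT whose source and destination both map to themselves."""
        return (self.kind == "static" and self.real == self.mapped
                and self.dest_real is not None and self.dest_real == self.dest_mapped)

    @property
    def is_catch_all_pat(self) -> bool:
        """Dynamic PAT of 'any' with no destination part: matches every flow."""
        return self.kind == "dynamic" and self.real == "any" and self.dest_real is None

    def render(self) -> str:
        """Re-emit the statement in ASA keyword order (description last)."""
        parts = [f"nat ({self.src_if},{self.dst_if}) source {self.kind}", self.real, self.mapped]
        if self.dest_real is not None:
            parts += ["destination static", self.dest_real, self.dest_mapped]
        parts += self.options
        if self.description is not None:
            parts += ["description", self.description]
        return " ".join(parts)

def parse_nat_rules(config: str) -> List[NatRule]:
    """Pull manual NAT statements out of a running-config, in config order."""
    rules = []
    for line_no, raw in enumerate(config.splitlines(), start=1):
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        opts, sep, desc = m["rest"].strip().partition("description")
        rules.append(NatRule(line_no, m["src_if"], m["dst_if"], m["kind"], m["real"],
                             m["mapped"], m["dest_real"], m["dest_mapped"],
                             opts.split(), desc.strip() if sep else None))
    return rules

def lint_nat_order(rules: List[NatRule]) -> List[str]:
    """Identity rules shadowed by an earlier catch-all PAT toward the same
    interface, plus identity rules that lack no-proxy-arp."""
    findings = []
    pats = [r for r in rules if r.is_catch_all_pat]
    for rule in rules:
        if not rule.is_identity:
            continue
        for pat in pats:
            if (pat.dst_if == rule.dst_if and rule.src_if in (pat.src_if, "any")
                    and pat.line_no < rule.line_no):
                findings.append(f"line {rule.line_no}: identity NAT {rule.real}->"
                                f"{rule.dest_real} is shadowed by the catch-all PAT "
                                f"on line {pat.line_no}")
        if "no-proxy-arp" not in rule.options:
            findings.append(f"line {rule.line_no}: identity NAT lacks no-proxy-arp")
    return findings

def reorder_nat(rules: List[NatRule]) -> List[str]:
    """Identity NATs first (relative order kept), no-proxy-arp added where missing."""
    fixed = [replace(r, options=r.options + ["no-proxy-arp"])
             if r.is_identity and "no-proxy-arp" not in r.options else r for r in rules]
    return ([r.render() for r in fixed if r.is_identity]
            + [r.render() for r in fixed if not r.is_identity])

# NAT section of the posted dallasroadASA config (copied from the thread; the
# line numbers in findings are relative to this snippet, not the config).
ASA1_NAT = """\
nat (inside,outside) source static dallasdns02_internal dns_external
nat (inside,outside) source static faithdallas03_internal dns_external
nat (inside,outside) source dynamic any interface
nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
nat (inside,outside) source static DallasRoad DallasRoad destination static WorthStreet WorthStreet
"""

if __name__ == "__main__":
    rules = parse_nat_rules(ASA1_NAT)
    print("\n".join(lint_nat_order(rules) + ["--- suggested order ---"] + reorder_nat(rules)))
```

Run against the posted lines, the lint reports both identity rules (the remote-access NONAT and the DallasRoad/WorthStreet L2L rule) as shadowed by the dynamic PAT two lines above them and as missing no-proxy-arp; the reordered output puts the two identity rules first, which is the arrangement the reply describes. The check is only about order and the keyword; it does not validate object contents.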
-
Solution on Link Failover for Hosted Webserver
Hi,
One of my customers has a Web based application which is hosted over the internet on an IP provided by the ISP. The challenge is that in case the ISP link fails, the webserver is not available. The customer is planning to add one more link from a different ISP. How do I load balance both of these links and have the webserver accessible from either link in case of link failover?
Assuming that we have a webserver hosted by us on our internal network as 192.168.1.1 and we map it to the PIX outside interface IP address x.x.x.x as follows:
static (inside,outside) x.x.x.x 192.168.1.1 netmask 255.255.255.255
then any traffic from the outside world hitting x.x.x.x will directly be routed to 192.168.1.1. Hence, we use port forwarding as follows:
static (inside,outside) tcp interface 80 192.168.1.1 80
so that only the port 80 traffic destined to x.x.x.x is forwarded to 192.168.1.1 and not all the traffic. And you can also do it by changing the ISP cable to your device and reconfiguring it.