Redundant Interfaces with Management0/0 on ASA5510
Readers,
Is it possible to configure redundant interfaces on the Management port?
Thanks,
Timothy
Timothy
Normal ASA boxes just have a single management interface.. I really don't feel the need for redundancy here.. If you need one, you can get a failover ASA box, and build up redundancy..
In any case, you have other interfaces like inside, through which you can enable management, like telnet, http etc, if required.. or any other DMZ interface (say network management DMZ)... it's all flexible.. with all these, I really don't see any need for a redundant management port...
Hope this helps.. all the best..
Raj
Similar Messages
-
ASA Redundant interfaces with stack switches
Hi All,
We have two ASA 5510 connected in failover, and a pair of Cisco 2960s switches connected in a stack.
Currently one interface of the primary ASA is terminated on switch1 and an interface from the standby is connected to switch2 as Inside, and switch1 and switch2 are in a stack.
For redundancy purposes I want to use multiple interfaces of the ASA for inside, so first I thought to use EtherChannel, but it has a limitation that it cannot be terminated on a stack switch (as per Cisco document http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_start.html ).
So my question is :
1. Can we use the redundant interface feature, where 2 physical interfaces are combined into a redundant interface (e.g. interface redundant 1), for inside redundancy purposes?
2. Can these ports from the primary/standby ASA be terminated on stack switches (2960s)? Will this work (if the switch with the active port goes down, will the other port take over in the redundant interface with the other switch)?
I have attached the nw diagram,
Regards,
Ashraf
Hello Ashraf,
1. Can we use the redundant interface feature, where 2 physical interfaces are combined into a redundant interface (e.g. interface redundant 1), for inside redundancy purposes?
Sure, you can. That's the whole purpose of the feature.
2. Can these ports from the primary/standby ASA be terminated on stack switches (2960s)? Will this work (if the switch with the active port goes down, will the other port take over in the redundant interface with the other switch)?
It would make sense if that happens, as the status of the interface will be in a different state than up/up, so failover to the other interface will be triggered.
Regards,
Julio -
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With Split tunnel with simultaneous access to internal LAN and Outside Internet.
But I have not been able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
Following is the Running-Conf with Normal Client to Site IPSec VPN configured with no Internet access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface nor sysopt connection permit-vpn works.
Please tell me what needs to be done here to hairpin all the traffic to the Internet coming from VPN clients.
That is, I need clients connected via the VPN tunnel, when connected to the Internet, to have their IPs NAT'ted against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16).
I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxs
Hi Jouni,
Thanks again for your help, got it working. Actually the problem was that the ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. It's working fine now.
But my problem is not solved fully here.
Does the hairpinning model also allow access to the campus LAN behind the ASA? Coz the setup is working now as I needed, and I can access the Internet with the NAT'ed IP address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the ASA.
Here the packet tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1)LAN behind ASA
2)INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit -
NAT on sub-interface with no internet access
Good morning,
Please, I have a router 2901, on which I configured two sub-interfaces for Voice and Data. Everything seems to be working fine but I can't access the Internet after configuring NAT.
Config below
Router1#sh config
Using 5392 out of 262136 bytes
! No configuration change since last restart
! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
version 15.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname A
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/0
logging buffered 51200 warnings
enable secret 4 U3/EVMmZsx9ys3vbB8aDhHy.5h4qh2V8/DkTGNsxvTA
enable password 7 06150E2C5F5B071E
aaa new-model
aaa authentication login default local
aaa session-id common
memory-size iomem 25
ip cef
ip dhcp excluded-address 10.10.36.1 10.10.36.25
ip dhcp excluded-address 10.10.36.200 10.10.36.254
ip dhcp pool DATA
network 10.10.36.0 255.255.255.0
default-router 10.10.36.1
dns-server 8.8.8.8 4.2.2.2
ip dhcp pool VOICE
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.10.36.4
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3112445314
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3112445314
revocation-check none
rsakeypair TP-self-signed-3112445314
crypto pki certificate chain TP-self-signed-3112445314
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
voice-card 0
license udi pid CISCO2901/K9 sn FCZ1808C4L8
hw-module pvdm 0/0
username a password 7 1416111F05557C
username e privilege 15 password 7 1437455E0E2A25382525260B67
username c password 7 030B580E0701284F165B5C
username a password 7 01000709481E0808
redundancy
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address #.#.#.58 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.10.36.1 255.255.255.0
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
ip route 0.0.0.0 0.0.0.0 #.#.#.57
ip access-list extended LAN_NAT_POLICY
permit ip 10.0.0.0 0.255.255.255 any
access-list 23 permit 10.10.36.0 0.0.0.255
access-list 23 permit 10.10.0.0 0.0.0.255
access-list 23 permit 10.10.0.0 0.0.255.255
access-list 101 permit tcp 10.10.36.0 0.0.0.255 host 10.10.36.1 eq telnet
control-plane
mgcp profile default
gatekeeper
shutdown
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you hav
already used the username "cisco" to login to the router and your IOS imag
supports the "one-time" user option, then this username has already expire
You will not be able to login to the router with this username after you e
this session.
It is strongly suggested that you create a new username with a privilege l
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want
use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
password 7 13041406025D52
line aux 0
exec-timeout 0 1
no exec
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 094D4D1D105441
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp master
ntp server 10.10.36.1
end
Please I need a quick response
Thank you.
Can you change the interface to the outside interface in this command:
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
Can you try the command below:
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/0 ov
Regards
PrajithTR -
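Added example, not part of the reply above or of any Cisco tool: a Python check for the point the reply makes, that the interface named in an `ip nat inside source list ... interface ...` statement should be the one marked `ip nat outside`. The sample config is constructed from the one posted above; `audit_nat` and its result keys are this example's own names.

```python
import re

# Constructed sample modelled on the router config above; 192.0.2.58 is a
# documentation address standing in for the redacted one, and "overload" is
# written out where the posted output is cut off at "ov".
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
ip address 192.0.2.58 255.255.255.248
ip nat outside
interface GigabitEthernet0/1
no ip address
ip nat inside
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.10.36.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
ip forward-protocol nd
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 overload
"""


def audit_nat(config):
    """Check IOS NAT role markings against interface-overload (PAT) statements."""
    roles = {}       # interface name -> "inside" | "outside"
    addressed = []   # interfaces that carry an IP address, in config order
    pat_rules = []   # (ACL name, interface named in the PAT statement)
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            pat_rules.append((m.group(1), m.group(2)))
        elif (m := re.fullmatch(r"ip nat (inside|outside)", line)) and current:
            roles[current] = m.group(1)
        elif re.match(r"ip address \S+ \S+", line) and current:
            addressed.append(current)
    return {
        # PAT borrows the address of the named interface, which should be
        # the one facing the provider, i.e. marked "ip nat outside".
        "pat_not_on_outside": [
            (acl, ifname, roles.get(ifname, "unmarked"))
            for acl, ifname in pat_rules
            if roles.get(ifname) != "outside"
        ],
        "outside_candidates": [i for i, r in roles.items() if r == "outside"],
        # Addressed interfaces with no NAT role: traffic entering there is
        # not translated by the inside-source rules.
        "unmarked": [i for i in addressed if i not in roles],
    }


if __name__ == "__main__":
    for key, value in audit_nat(SAMPLE_CONFIG).items():
        print(key, value)
```

On the sample, the check also lists GigabitEthernet0/1.100 as carrying an address without any NAT role, which matters only if that subnet is meant to reach the Internet.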
Redundancy Interface for Content Server Release 6.x
Third-generation Content Server is UCS C220 (Not Vmware).
I see from the TCS Release 6.x Quick Start that LAN2 cannot be used.
I'm not sure how to connect the LAN for a redundant interface, or whether I can, because it has many NICs.
Dual 1-Gb Ethernet ports:
LAN1 (Arrow 7, left pointer)— Use this port to connect the Content Server to the network (also see Figure 3)
LAN2 (Arrow 7, right pointer)— Not used
Hi,
The TCS server supports only a single NIC in a deployment. That particular NIC value is used to generate the checksum, which needs to be passed along with the Release keys to bring up the content engine. That is the reason why, if you connect any other NIC to the network, the content engine will not start.
Also, when the release keys are generated on the license server, it uses the NIC with the lowest value (always the first NIC on the server).
I know it's a complete waste to have so many NICs and use only one. But what can I say, that's the way Cisco designed the server..!!!
Regards,
-Deepti -
Reg. Redundant interfaces in ASA 8.0
Hi
In ASA 8.0, I have the following queries related to redundant interfaces:
a) While configuring a redundant interface, can the redundant interface again be divided into logical interfaces like red1.1, red1.2?
b) Is the redundant interface supported in multiple context mode?
Regards
Ankur
Yes Ankur, it is possible.
##snippet##
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/1
speed 100
nameif inside
security-level 100
ip address 192.168.16.19 255.255.255.128
ospf network point-to-point non-broadcast
ospf message-digest-key 123 md5
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
nameif null0
security-level 50
ip address 10.2.1.1 255.255.255.0
interface Management0/0
no nameif
security-level 0
no ip address
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address
interface Redundant1.1
vlan 32
no nameif
no security-level
ip address 1.1.1.8 255.0.0.0
Regards,
Sushil -
Hi everybody,
and thanks for a great forum!
I have one ASA and two switches. I would like the ASA set up with a redundant interface consisting of one physical interface in each switch (VLAN trunked across the two switches). Now... Is it possible to set a preferred active physical interface in this redundant interface bundle? Is there a way to make sure the same interface is always active (both interfaces are working as intended), even after a reboot?
More specifically, I need this so I can decide where to establish my STP root, and always have the most optimal path (again, of course, unless one interface fails).
Cheers
Hi,
I see that you want to configure a redundant interface on the ASA and also need to ensure that the same interface always remains active. Now, the interface which you define first using the 'member-interface' command while configuring the redundant interface will be the active one by default. If you already have it configured and you want to change the active interface, you can use the following command:
To change the active interface, enter the following command:
hostname# redundant-interface redundantnumber active-member physical_interface
Now, if active interface goes down, second one will take over as expected.
Check this link for more info:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838
Hope this answers your question.
Sourav -
Hello,
We are looking at upgrading an aging firewall with a Cisco ASA. I have used the ASA before.
We would like to use the ASA in a colocation facility that will have a few site to site vpns. The ASA MUST be able to have redundant interfaces to our switches. Reading through ASA documentation this is possible. (http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838) Can the ASA have redundant links to the same vlans? Will any of our configuration for VPN's, etc have to be setup twice?
Thanks
There are four types of redundancy that one can use on ASAs. The first one you cited, redundant interfaces on a single physical device, is the least common in my experience.
The second is failover - when the ASA is mated with a failover ASA in a high availability configuration. This is the most common usage for customers requiring high availability (HA). That is the most common implementation and has been around since ASA 7.0 software (i.e. a good many years).
The third is to bond your interfaces from a given ASA (or sets of interfaces if you have an HA pair) into an Etherchannel. This has the added advantage of giving you potentially higher throughput. Etherchannel support was introduced in ASA software version 8.4(1).
The fourth and newest method is clustering. It was introduced just last fall in ASA 9.0 and is not very widely adopted just yet. It is primarily for high throughput requirements exceeding a single device's capacity but also gives the added benefit of redundancy.
None of them require you to set up things twice configuration-wise. Some file operations (software upgrade, certificate management, VPN profiles (XML files)) need to be copied onto both members in a failover pair or all members in a cluster scenario.
Edit - there is a fifth type specific to VPNs whereby one can configure a secondary VPN gateway for clients, usually at an alternate site. That approach does require setting up everything separately on the ASAs. -
How do I use an audio interface with iMovie?
I'm trying to shoot a short clip of a musician playing. I want to use an interface with my higher end mics, and use iMovie '09 to shoot video. I have a Presonus Firebox as my interface. iMovie just doesn't seem to want to recognize it, nor record through it. This isn't something I can share to GarageBand because the timing between the video and audio has to be perfect. Any help?
Thanks
Just buy the proper adapter cord, such as MiniDisplay port to HDMI for example. Plug it in and it will be automatically recognized. Use System Preferences > Displays to set options.
The display can Mirror your primary desktop or Extend the Desktop.
Regards,
Captfred -
Interface with Exchange server
Hi, I need to write a program to interface with MS Exchange. Does anyone have any sample code I can look at? I need to extract info such as appointments.
I'll be interested too. I'm writing a java app that would need to read and create calendar appointments, contacts and tasks. The java app is a CRM program, and its database becomes master for the exchange server that would replicate certain information coming from the CRM database/system.
rgds,
David -
I have an iTunes account set up long ago on my home pc. My pc at home is antiquated and I can't interface with my account to edit acc. Info. Now I have other devices, iPhone 4 and iPad. I need to reset email apple Id and pw from iPad. How? Should I just create new account? Don't want to lose 1500 songs.
Hey Frankgates!
I have an article here that can tell you how to do this:
Apple ID: If you forget your password
http://support.apple.com/kb/HT5787
Thanks for coming to the Apple Support Communities!
Regards,
Braden -
Does anyone have a suggestion for an alternative to iCal that will interface with the Cloud so it works on the iPhone and the Macbook? I find iCal to be poorly designed and not very efficient. I waste a lot of time entering information because you can't go to a specific day and enter information, nor can you navigate between months and add information on a specific date by clicking on the date. You can't easily scroll month-to-month and once you do by scrolling through nine months to get to where you want to be, you cannot enter information by clicking on a specific day in the month and entering information. I just called Apple and they verified that this is the way it works. You cannot go to a date and enter information, you keep getting thrown back to today and then you have to go into the calendar and change it manually on the screen. It is just not efficient.
APC, CyberPower are reliable.
Look for 1500VA. As example:
APC
http://www.amazon.co.uk/APC-Back-UPS-Pro-1500-Connector/dp/B0041MP81Y/
Cyperpower:
http://www.amazon.co.uk/Dell-CyberPower-Intelligent-LCD-1500VA/dp/B005DL5L50/ -
I have always been able to sync by plugging into my computer, Mac OS 10.6.8, which does not interface with iCloud. Now my iPhone only wants to sync calendar and contacts via iCloud and will not sync when plugged in. Does anyone else have this issue and/or ideas?
Do you have the latest version of iTunes? If not, get it at:
http://www.apple.com/itunes -
Creation of Server Proxy for Message interface with External Definition
Dear All,
I am getting a problem while generating a server proxy for the inbound interface. The request message used in the inbound interface is an external definition which is uploaded using an XSD file. The XSD file was supplied by a third party and has a highly complex structure, with a lot of abstract data types used in the design. When I tried to generate the proxy in the R/3 system (Transaction SPROXY) for the inbound interface, I got the following error.
Interface uses external and internal message definitions
Message no. SPRX122 *
Diagnosis
In a message interface you can use messages from different sources:
Message types and fault message types edited in the Enterprise Services Repository
Messages imported into the Enterprise Services Repository (external definitions, RFC, IDoc)
In the current message interface, message types from different sources have been used. Since messages from these different sources must be handled differently during proxy generation, such a mixture of messages within a message interface is not possible.
System Response
The interface cannot be generated.
Procedure
Change the interface definition accordingly in the Enterprise Services Repository.
Please guide me on how to generate the proxy for the interface with an external definition message. I couldn't generate it manually, because it has very high complexity and it's a big structure.
Is there any way to generate the proxy for an interface with an external definition?
Regards
Vijayanand
Hi,
i. Import your message schemas from external definitions, or RFCs or IDocs from SAP systems. These definitions already contain data types.
ii. Create a message interface and reference the messages of the external definition, or the RFC or IDoc message.
Check this, it may help you
http://help.sap.com/saphelp_nw04/helpdata/en/3f/01623c4f69b712e10000000a114084/content.htm
Regards
Seshagiri -
Interface with multiple hard drives
I am looking to buy a Mac Pro later this year, although want to learn about everything now, so I am well educated when I buy it ^^
I was reading around http://macperformanceguide.com/Mac-LightingFast.html and it brought up a question. Right now I have a 170 GB MBP and a Time Capsule... If I were to get a Mac Pro with the proposed SSD Launch Drive and Hard Drive data drive, what would the interface be? Would it be similar to the interface with a time capsule, with different hard drives listed in the finder window? Or would it ask me to specify where to write? Or would I manually choose a 'default write to' on all my applications?
Thanks
Ben
Buy your own SSD, RAM and hard drives.
Mercury Extreme Pro 6G SSD
Mac Pro Memory
There are 4 internal drive bays, get it stock, skip getting an apple branded SSD they tend to not be best of class. All drives have to be 3.5" SATA or use an adapter to fit the sleds. Other than application preferences for where a media library is, default location for documents, scratch, and of course you can put your /Users/myaccount on a data drive.
My PCs have 1.2GB/sec of SATA bandwidth. Double the 600MB/sec that is shared by 4 SATA ports.
Macintosh Performance Guide Articles & Reviews
MacPerformance Blog
That link you have is over a yr old out of date and talking about early Intel X25s for one.