Redundant Transparent ASA between Redundant Routed Links

Apparently the Security/Compliance team didn't review my network design before it was submitted and built, and now I have to shoehorn a firewall somewhere there was never supposed to be one.
I have my two current DC Cores (Nexus 5548UP), which are currently Layer 3 only, with no L2 configuration at all.  I understand these aren't the best switches for this role, but the BoM was put in place and the gear ordered long before I came onboard, and the DC design had been completed.  From these two Cores, I connect directly to a vendor's clustered Fortinet FW, via a /30 from each core to each node of their cluster, connected via eBGP, one link with a path prepend, due to the vendor not being able to figure out how to load balance on their firewall.  Due to numerous vendor problems and lack of knowledge, I cannot get them to change their design in a timely manner to meet our timelines, and this has to be up yesterday to be PCI compliant (so our security people say) prior to go-live in 1 week.  The vendor took 3 weeks just to figure out how to aggregate routes to me!
So I want to drop a transparent pair of firewalls inline on the two links, but due to the Active/Standby limitation of ASAs, I am not sure this will be that easy given the /30 L3 interfaces being used.  Secondly, the lack of L2 between the two upstream cores may be a concern, at least from past experiences.  I know if I were using some other vendor's clustered FW this wouldn't be a problem, but I definitely don't want to join the Dark Side again, nor do I have time to procure any equipment other than the 5520s I currently have lying around.  Someone please tell me I have overlooked something simple, and the design listed below will be simple to implement!!!!
Any ideas appreciated!

Why don't you use this design:
Connect the vendor cluster directly to the Nexus in a VRF instance, then route the traffic to the ASA, and then route it to the Nexus in another VRF instance.
Regards
V.
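For reference, this is what the inline transparent pair looks like on the ASA side. It is an added example and not configuration from the thread; it assumes a 5520 pair on ASA 8.4 or later (bridge groups), and every address, interface and name in it is a constructed assumption: 192.0.2.0/29 stands in for one Core-to-Fortinet link, with .1 on the Nexus routed port and .2 on the Fortinet node. Two points a practitioner should check before cabling this in. First, transparent mode needs a management IP address inside each bridge group's own subnet, plus a standby address for failover, and a /30 that already carries both router addresses has no spare address, so the example assumes the link is widened to a /29. Second, Active/Standby failover only works if both ASAs sit on the same L2 segment on each side of the bridge group, so the routed Nexus port and the Fortinet port each need to land in a small VLAN that reaches both units rather than a point-to-point cable into one ASA. The access lists permit only the eBGP session between the two peers and a named set of transit flows; the ASA does not decrement TTL by default, so the TTL-1 eBGP session survives the insertion.

```text
! Added example: Active/Standby transparent ASA pair inline on one
! Core <-> vendor-firewall link. All names and addresses are assumptions.
firewall transparent
hostname dc-fw-a
!
! One bridge group per inline link. The BVI address is the ASA's own
! management address on that segment; transparent mode requires one per
! bridge group (plus a standby address for failover), which is why the
! link is assumed widened from /30 to /29.
interface BVI1
 ip address 192.0.2.3 255.255.255.248 standby 192.0.2.4
!
interface GigabitEthernet0/0
 description toward DC Core (Nexus 5548 routed port, 192.0.2.1)
 bridge-group 1
 nameif core
 security-level 100
 no shutdown
!
interface GigabitEthernet0/1
 description toward vendor Fortinet cluster node (192.0.2.2)
 bridge-group 1
 nameif vendor
 security-level 0
 no shutdown
!
! The second Core/vendor link gets bridge-group 2 on another interface
! pair with its own BVI2 address and its own access lists (not shown).
!
! Dedicated LAN failover and stateful replication link between the units
interface GigabitEthernet0/3
 description LAN failover and state link
 no shutdown
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key CHANGE-ME-SHARED-KEY
!
! Peers and the in-scope servers (constructed addresses)
object network CORE_PEER
 host 192.0.2.1
object network VENDOR_PEER
 host 192.0.2.2
object-group network PCI_SERVERS
 network-object 10.10.10.0 255.255.255.0
!
! From the Core side: allow BGP to the vendor peer (return traffic is
! handled statefully) and the approved transit flows; log everything else.
access-list FROM_CORE extended permit tcp object CORE_PEER object VENDOR_PEER eq bgp
access-list FROM_CORE extended permit tcp object-group PCI_SERVERS any eq https
access-list FROM_CORE extended deny ip any any log
access-group FROM_CORE in interface core
!
! From the vendor side: the same, mirrored.
access-list FROM_VENDOR extended permit tcp object VENDOR_PEER object CORE_PEER eq bgp
access-list FROM_VENDOR extended permit tcp any object-group PCI_SERVERS eq https
access-list FROM_VENDOR extended deny ip any any log
access-group FROM_VENDOR in interface vendor
```

ARP is bridged without an access list in transparent mode, so the two routed ports resolve each other through the ASA; the `deny ip any any log` lines turn every non-approved flow into a syslog record, which is the evidence the compliance review will ask for.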

Similar Messages

  • DLSW Ethernet Redundancy Transparent Cache

    I have corrupt entries in the ethernet redundancy transparent cache. These are causing problems establishing new sessions.
    Can I clear the entries individually and how long does the cache take to time out?

    Hi,
    The "dlsw clear transparent circuit" command was introduced with CSCdv16277; it is in IOS 12.1(11.5) and higher, 12.2(6.4) and higher, and it also rolled into 12.3.
    Please note the "circuit" option is hidden; you cannot see it with the ? asking for help in the parser.
    With respect to the origin of the erroneous cache entries: they can be a bug in themselves, but they can also be the result of a configuration not exactly like it should be.
    I would advise opening a case with the TAC and having the configurations sanity checked.
    If this is something you can reproduce at will, then we would certainly be very interested in how you get into this state.
    DLSw Ethernet redundancy was modified quite a bit in the last 2 years. Depending on what version of code you run, you might need to go to a higher level to pick up all the current maintenance.
    My personal view is a recent 12.2 image or, even better, a recent 12.3 image.
    thanks...
    Matthias

  • L2 and L3 Routed Link between 2 COREs

    Hi
    What is the difference between an L2 (Dot1q) and an L3 Routed Link between 2 COREs in terms of functionality?
    thanks

    Hello Ibrahim ,
    I will try to explain , 
    VLANs put a tag on frames to ensure packets do not leave the layer 2 broadcast domain and yet reach all ports that are part of that VLAN (as per the tag).
    Layer 3 SVIs, on the other hand, provide layer 3 reachability for VLANs and the hosts inside a layer 2 VLAN. To achieve this, all hosts in the layer 2 VLAN are provided with the related layer 3 SVI IP address as their gateway.
    I hope you got it by now . 
    HTH
    Sunil Bhadauria 
    ! Kindly rate all helpful posts  and accordingly mark correct answers to help forum !

  • VPN between ASA and IOS router

    We have established a VPN tunnel between an IOS router and an ASA; however, it is working only from the latter. What are the common dissimilarities which occur between these two devices when setting up a VPN?

    Do a search for the following on cisco.com- "Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions"
    It should help fix any problems.
    HTH and please rate.

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I am trying to do IPsec with IKEv2 (SHA2) between an ASA and a Cisco router, without success. Can anyone help me?
    - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
    - Authentication with certificates
    - integrity sha2
    I try a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure IKE policy should have the higher priority, which is a smaller number. So I would configure them the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
    Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config for a better DH group.
    For options 1) and 2) an extra license is needed, but that's not very expensive.
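    The reply above shows IKEv1 policies built on SHA-1 with DH groups 2 and 5, whereas the question asks for IKEv2 with SHA-2 and certificate authentication to a router whose public address changes. As an added example that is not from the thread, the pair of configurations below shows both sides of such a tunnel: the ASA accepts the dynamic peer through a dynamic crypto map and authenticates it by certificate, and the router initiates. Every name, address, subnet and trustpoint is an assumption; both devices are assumed to be already enrolled with the same CA under a trustpoint called CA-TRUSTPOINT, and 203.0.113.10 stands in for the ASA's static outside address.

```text
! ===== ASA side (static public IP) - added example, names are assumptions =====
! IKEv2 SA: AES-256, SHA-256 integrity and PRF, DH group 14
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Child SA: ESP with AES-256 and SHA-256
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! The router's address is dynamic, so it is accepted via a dynamic crypto
! map attached as the last (highest-numbered) entry of the outside map.
crypto dynamic-map DYN-SPOKES 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside
!
! Dynamic L2L peers land in DefaultL2LGroup; authenticate both directions
! with certificates from the shared CA instead of a pre-shared key.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate CA-TRUSTPOINT
!
! ===== IOS router side (dynamic public IP) - added example =====
crypto ikev2 proposal AES256-SHA256-G14
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal AES256-SHA256-G14
!
! Identify the ASA by its static address and present our certificate DN
crypto ikev2 profile TO-ASA
 match identity remote address 203.0.113.10 255.255.255.255
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-TRUSTPOINT
!
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Constructed protected subnets: 192.168.10.0/24 behind the router,
! 192.168.20.0/24 behind the ASA
ip access-list extended TUNNEL-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map TO-ASA-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES256-SHA256
 set ikev2-profile TO-ASA
 match address TUNNEL-TRAFFIC
!
interface GigabitEthernet0/0
 description to ISP, dynamic address
 ip address dhcp
 crypto map TO-ASA-MAP
```

    The two policies must agree on every algorithm (AES-256, SHA-256, group 14), and the ASA's `prf sha256` has to match the router's integrity choice, since IOS derives the PRF from the integrity algorithm when none is set explicitly; a mismatch in any one of these is the usual reason an IKEv2 proposal is rejected before authentication is even attempted.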

  • Transparent pix between 2 vrf

    hi guys,
    This is the problem: I need to receive from a GigaEth both some multicast streams and unicast control traffic to be filtered. So, on a 3750 there is a trunk towards the data provider, and Interface Vlan X for mcast and Vlan Y for outside unicast in the global space. Then a Vlan Z in a separate VRF for inside. The PIX is connected on an L2 port in Vlan X for outside and on an L2 port in Vlan Z for inside. It doesn't run!!! It seems to be unable to resolve ARP...
    The actual 3750 will shortly become a 650x with Sup720B, but I am not sure if we will have better results.
    Any advice ?
    Thanks
    Maurizio

    To make this happen a FWSM module has to be installed in the Catalyst 6500 series switch. The FWSM has the following features:
    Layer 2 Firewall (transparent mode)
    Layer 3 Firewall (route and/or NAT mode)
    Mixed Layer 2 and Layer 3 firewall per FWSM
    Dynamic/static NAT and PAT
    Policy-based NAT
    VRF-aware NAT
    Destination NAT for Multicast
    Static routing support in single- and multiple security context mode
    Dynamic routing in single security context mode: Open Shortest Path First (OSPF), Routing Initiation Protocol (RIP) v1 and v2, PIM Sparse Mode v2 multicast routing, Internet Group Management Protocol (IGMP) v2
    Transparent mode supports static routing only
    Private VLAN
    Asymmetric routing support without redundancy by using asymmetric routing groups
    IPv6 networking and management access using IPv6 HTTPS, Secure Shell Protocol (SSH) v1 and v2, and Telnet

  • Using ASA 5510 and router for dual WAN Connections.

    Guys, need some help here:
    Context:
    1- My company has one ASA 5510 configured with Site-to-site VPN, Ipsec Cisco VPN and AnyConnect VPN.
    2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the NATing for internal users to go out.
    3- A second link is coming in and we will be using ISP 2 to loadbalance traffic to internet (i.e. business traffic will go via ISP1 and “other” traffic will go via ISP2).
    4- A router will be deployed in front of the ASA to terminate internet links.
    5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2).
    Questions:
    How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?
    Since I will be having 2 public IP addresses from the 2 ISPs, how do I NAT internal users to the 2 public IP addresses?
    Finally, which device should be doing the NATing? The ASA just like now or move NATing to the Router?
    Thanks
    Ndaungwe

    Hi,
    Check the link below; it gives information on transparent FW config and limitations. Based on the doc, you may need to move the VPN/AnyConnect to the router as well. From the router end you may be able to set up static routes pointing to different ISPs based on traffic needs, but this will be a complicated setup and can break things. Wait for other suggestions, or if possible stick to the ASA to terminate both links and still route the traffic to different ISPs (saves the router cost as well).
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
    Thx
    MS
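    The reply points at a transparent-firewall document, while the three questions are about steering traffic per ISP on a router in front of the ASA without BGP. As an added example, not from the thread, the IOS configuration below answers them with policy-based routing and per-egress NAT on the router; every address, interface and name in it is a constructed assumption (203.0.113.1 and 192.0.2.1 stand in for the two ISP gateways, 172.16.0.0/30 for the router-to-ASA link, 10.0.0.0/8 for the inside networks). NAT is moved from the ASA to the router because a single ASA translation to ISP1's address would send ISP1-sourced packets out of ISP2, where they are dropped as spoofed; matching the egress interface in the NAT route-maps keeps each flow's source address consistent with the link it leaves on. Traffic the ASA terminates itself (IKE/ESP for the site-to-site and client VPNs) is not covered here; as the reply notes, that may need to move to the router or be given a static mapping.

```text
! Added example: router in front of the ASA, two ISPs, PBR + per-ISP NAT.
! All addresses, interfaces and names are assumptions.
! Gi0/0 -> ISP1 (business traffic), Gi0/1 -> ISP2 (other traffic),
! Gi0/2 -> ASA outside.
interface GigabitEthernet0/0
 description ISP1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
interface GigabitEthernet0/1
 description ISP2
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
interface GigabitEthernet0/2
 description to ASA outside (ASA no longer translates internet traffic)
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
 ip policy route-map SPLIT-ISP
!
! Return path to the inside networks behind the ASA
ip route 10.0.0.0 255.0.0.0 172.16.0.2
!
! Question 1: "traffic X via ISP1, traffic Y via ISP2" without BGP.
! Constructed definition of business traffic: a partner destination range.
ip access-list extended BUSINESS-TRAFFIC
 permit ip any 198.51.100.0 0.0.0.255
!
route-map SPLIT-ISP permit 10
 match ip address BUSINESS-TRAFFIC
 set ip next-hop 203.0.113.1
route-map SPLIT-ISP permit 20
 set ip next-hop 192.0.2.1
!
! Default routes as the fallback when a PBR next hop is unreachable
! (ISP1 preferred, ISP2 floating)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1 10
!
! Questions 2 and 3: translate on the router, choosing the public address
! by the interface the packet actually leaves on.
ip access-list extended INTERNAL
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map NAT-ISP1 permit 10
 match ip address INTERNAL
 match interface GigabitEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address INTERNAL
 match interface GigabitEthernet0/1
!
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
```

    The policy route-map is applied inbound on the ASA-facing interface, so the egress decision is made before translation; the NAT route-maps then key on that egress interface, which is what makes a later change of ISP policy safe without touching the NAT statements.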

  • Setup Transparent ASA

    Hi,
    I'm trying to get started on setting up my first Transparent ASA.
    I understand an ASA in Transparent Mode can now have an ip address with Bridge Groups or some such mechanism. I'm looking for examples of how to set that up and other information below.
    Is the ip address associated with the device or is it interface specific? Will I be able to SSH with that ip address setup?
    Can I use ASDM if the Transparent ASA has an ip address?
    This 5512X has an IPS. Anyone who has set up an IPS on this platform knows it has some very particular requirements in order to communicate with the outside world. I need examples of how to do that with a Transparent ASA.
    How is NAT setup differently (if at all) on a Transparent ASA?
    Are ACLs done any differently?
    Any help is appreciated. Examples or links are great.
    Thanks.

    You will now use Bridge-Groups...
    It's specific to a bridge group (the IP address), and yes, you will be able to SSH, telnet and ASDM to that IP.
    NAT and ACL setup is the same thing.
    Here is a quick example I did
    interface BVI 10
     ip address 192.168.12.1 255.255.255.0
     no shut
    interface gigabitEthernet 0
     nameif outside
     bridge-group 10
     no shut
    interface gigabitEthernet 1
     nameif inside
     bridge-group 10
     no shut

  • Wireless connection lost between my router and printer (hp officejet 4620)

    My HP Officejet 4620 printer has been working fine, but now the wireless connection has been lost and I can't get it back. The blue light for the wifi flashes blue. I can't get the connection back between the router and the printer, because my wifi is actually working fine with my laptop. Any suggestions about what I can do to get the connection back so I can print again?
    Is it something I need to do on the printer screen or laptop to fix the problem?

    Have you powered off everything and power up again?  Power off printer and router.  Power on router and wait 2 mins.  Power up printer and see if it connects to your SSID.
    Say thanks by clicking the Kudos Thumbs Up to the right in the post.
    If my post resolved your problem, please mark it as an Accepted Solution ...
    I worked for HP but now I'm retired!

  • What's the difference between transport route and transport layer

    What's the difference between a transport route and a transport layer? Can somebody give me some explanation? Thanks in advance!

    Hi,
    Transport Layer in ABAP Workbench
    The Change and Transport System supports the distribution of development work on large projects across multiple SAP Systems. The packages in each development system are grouped into one transport layer. The transport layer determines whether objects are assigned to a local or transportable change request.
    Use
    Each of your SAP development systems is assigned a transport layer as its standard transport layer. If you use Extended Transport Control, you can assign different standard transport layers to certain clients. You can define at most one consolidation target for each SAP System and transport layer.
    When you create a package, it is assigned the standard transport layer of the SAP System. If you want to assign a different transport layer to a package, you require the administration authorization for the Change and Transport System.
    The objects in a package automatically have the transport attributes defined for the corresponding transport layer.
    o   If a consolidation route originating in their SAP System is defined, then the objects are assigned to a transportable request, and transported into the consolidation target when it is released.
    o   If a consolidation route is not defined, the objects are assigned to a local request, and are not transported.
    Customizing settings are not assigned to a package. They have the transport attributes of the standard transport layer of the system or client.
    It is best to assign a package a standard transport layer for which a consolidation route originating in the development system is defined.
    To display and maintain the transport layers and routes, use the Transport Management System (transaction STMS). Only the system administrator can make changes.
    Caution: The tables TSYST, DEVL, TWSYS, TASYS are no longer productive as of Release 4.0A and cannot be maintained.
    Regards
    Ben

  • Redundancy management IP and Redundancy port IP unreachable issue

    Hi, all
    I got one interesting issue with a wireless 5508 controller. We have ordered two WLCs, one is AIR-CT5508-12-K9 and the other one is AIR-CT5508-HA-K9.
    Now we are going to form HA mode and the HA box will become standby. One issue we are seeing now: after configuring the redundancy management IP and redundancy port IP on both WLCs, the primary WLC is working well, in that we can ping all of its IPs successfully; however, the standby WLC is not working well, and it can't even ping itself. The management IP has no problem.
    The problem is only with the redundancy management IP and redundancy port IP. One interesting thing is that our switch can't learn the redundancy port's MAC address even though it's connected and the interface shows UP. The primary has no such issue.
    Has anyone had the same issue before? Any suggestions and inputs are appreciated.
    WLC 1
    (Cisco Controller) >show redundancy sum
                Redundancy Mode = SSO ENABLED
                    Local State = ACTIVE
                     Peer State = UNKNOWN - Communication Down
                           Unit = Primary
                        Unit ID = 7C:0E:CE:64:43:80
               Redundancy State = Non Redundant
                   Mobility MAC = 7C:0E:CE:64:43:80
    Redundancy Management IP Address................. 25.16.228.252
    Peer Redundancy Management IP Address............ 25.16.228.253
    Redundancy Port IP Address....................... 169.254.228.252
    Peer Redundancy Port IP Address.................. 169.254.228.253
    WLC 2 HA
    (Cisco Controller) >show redundancy sum
    Redundancy Mode = SSO DISABLED
         Local State = ACTIVE
          Peer State = N/A
                Unit = Primary
             Unit ID = 7C:0E:CE:4A:23:40
    Redundancy State = N/A
        Mobility MAC = 7C:0E:CE:4A:23:40
    Redundancy Management IP Address................. 25.16.228.253
    Peer Redundancy Management IP Address............ 25.16.228.252
    Redundancy Port IP Address....................... 169.254.228.253
    Peer Redundancy Port IP Address.................. 169.254.228.252
    Thank you so much indeed.

    Thank you very much, that makes sense, so I will need to change the service port address (maybe a class A or C) or disconnect that port from the network...
    thank you again very much your help is really appreciated

  • Transparent Partition Between ASO & BSO

    Hi,
    I am trying to define a Transparent Partition between an ASO (Source) & a BSO (Target) cube.
    My ASO cube has 16 dimensions, BSO has 12 dimensions. The matching 12 dimensions are identical.
    The data from the source should be taken from all levels of the 12 matching dimensions and Highest level data of the non matching dimensions.
    Is this doable?
    Is there any special syntax in partitions definitions?
    Appreciate your thoughts.
    Thanks,
    Ethan.

    Glenn,
    Thanks. It's working. I created the partition manually, kept void for all the 4 missing dimensions.
    When I have to write the script, I am not sure how to specify that in the script
    mapped targetAreaA ("Dim1") to (Void)
    mapped targetAreaA ("Dim2") to (Void)
    mapped targetAreaA ("Dim3") to (Void)
    mapped targetAreaA ("Dim4") to (Void);
    or
    mapped targetAreaA ("Dim1", "Dim2", "Dim3", "Dim4") to (Void, Void, Void, Void)
    Are these correct syntaxes?
    Appreciate your thoughts.
    Thanks,
    Ethan.

  • Modem router link down in a small network when I connect any mac with OSX

    With OS9 I have no problems at all; the other machines are PCs. I tried with 2 different laptops and 2 Mac minis, and the internet connection through a modem router goes link down immediately... and the modem tries to connect many times automatically, and connects for a few minutes... after that it goes link down again... Any ideas what the problem is? I think a protocol interference may cause this, but I don't know what really... thanks

    Start by changing the wireless names to SMB compatible names.. ie short, no spaces and pure alphanumeric. Make sure the HP is in range of the router.
    You can use the WPS setup via the utility main menu. There is no WPS button as such but apple has had to provide some way to handle this directly.
    http://store.apple.com/us_smb_78313/question/answers/readonly/does-the-airport-extreme-support-wifi-protected-setup/Q7JJ79KC7F2DTCYJP

  • Differences between rate routing and reference rate routings?

    Hello PP members:
    I would like to know the differences between rate routing and reference rate routings.
    Thanks for your time,
    Thanks Again,
    Suren R

    Hi Mr.Suren,
    As explained by other friends, routing is used in discrete manufacturing and rate routing is used for REM (repetitive manufacturing).
    In addition to these types, SAP has given 2 more types:
    1. Reference operation set - used in discrete manufacturing.
    2. Reference rate routing - used in REM.
    If a similar rate routing is used for producing many materials, then instead of entering these steps in the rate routing of each material, you create a reference rate routing and enter the work centres used and the other details. After saving you get a group counter number showing the reference rate routing is saved with group XXXXXXXXX.
    When you are creating a rate routing for a material, say A, after giving the name and plant details at the top you will be able to see an icon "copy from", and you can select the radio button for reference rate routing and give the group counter number. Or else, without giving it here, you also have the option to select the reference rate routing after entering the operation screen.
    In that particular page, in the operation overview screen, there will be a copy icon; click it and give the reference rate routing group counter number, and you can very easily create rate routings for N number of materials.
    Likewise you can use a reference operation set while creating a routing for a material in discrete manufacturing. This basically reduces the time in creating routings or rate routings for materials in discrete manufacturing and REM respectively.
    CA01, CA02, CA03 - create, change, display (routing) respectively.
    CA11, CA12, CA13 - create, change, display reference operation set respectively.
    CA21, CA22, CA23 - create, change, display rate routing respectively.
    CA31, CA32, CA33 - create, change, display reference rate routing respectively.
    I hope this will help you.
    If useful reward your points.
    Thanks & regards
    Karthik.

  • Difference between ALE (Application Link Enabling) and EDI

    Dear Experts
    can you pls. explain to me the difference between ALE (Application Link Enabling) and EDI (electronic data interchange),
    especially regarding transfer (transmission).
    Regards
    Marco
    Moderator message: please search for available information/documentation.
    Edited by: Thomas Zloch on Jan 25, 2012
