Transparent firewall with failover with multiple contexts

I am running 8.4(2) on ASA5585s. They are in multiple context mode and set to transparent firewall with active/active failover. When I do a sh failover in a context I see 2 of my interfaces are (waiting). I have a BVI and these are the ip addresses on the interfaces in the "sh failover" below.
Failover On
Last Failover at: 11:54:39 GMT/IST Feb 23 2012
        This context: Standby Ready
                Active time: 175394 (sec)
                  Interface ctxb-inside (x.x.x.165): Normal (Waiting)
                  Interface ctxb-outside (x.x.x.165): Normal (Monitored)
        Peer context: Active
                Active time: 11390663 (sec)
                  Interface ctxb-inside (x.x.x.164): Normal (Monitored)
                  Interface ctxb-outside (x.x.x.164): Normal (Waiting)
Why are the interfaces in (waiting)?

Are you able to ping between the interfaces? i.e., can you ping x.x.x.165 from x.x.x.164 and vice versa? If you are not able to ping it, that means there is no connectivity between the 2, hence the status is Normal (Waiting) because it has not received the hello packet on that corresponding interface.
Here is the reference guide FYI:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s3.html#wp1505709
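The reply above explains that Normal (Waiting) means the unit has not yet received a failover hello on that interface. As an added example that is not part of the original thread, the Python below parses the text of "show failover" into one record per unit, context and interface, flags interfaces that are Waiting or in a state other than Normal, and lines each interface up against its peer so the one-sided pattern in the post (inside Waiting on the standby, outside Waiting on the active) is visible at a glance. The two samples are constructed: the first is the 8.4(2) output from this thread with the addresses already masked, the second mimics the 8.2 system-view format where the context name precedes "Interface". How the output is fetched from the ASA (SSH, a console scrape, etc.) is assumed and not shown.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One interface line from 'show failover'. Both forms seen in the thread:
#   Interface ctxb-inside (x.x.x.165): Normal (Waiting)      (8.4, inside a context)
#   admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)   (8.2, system view, per context)
#   C1 Interface dmz5 (x.x.x.x): Normal                      (no detail at all)
IFACE_RE = re.compile(
    r"^\s*(?:(?P<ctx>[A-Za-z0-9_.-]+)\s+)?Interface\s+(?P<name>[^\s(]+)\s*"
    r"\((?P<ip>[^)]*)\):\s*(?P<state>[A-Za-z-]+)"
    r"(?:\s*\((?P<detail>[^)]*)\))?\s*$"
)
# Headers that switch between the local unit and its peer.
SIDE_RE = re.compile(
    r"^\s*(?P<side>This|Peer|Other)\s+(?:context|host):\s*(?P<role>.*?)\s*$"
)


@dataclass
class IfaceStatus:
    side: str              # "this" (local unit) or "peer"
    role: str              # e.g. "Standby Ready", "Active", "Primary"
    context: str
    name: str
    ip: str
    state: str             # "Normal", "Failed", ...
    detail: Optional[str]  # "Monitored", "Waiting", "Not-Monitored" or None


def parse_show_failover(text: str, default_context: str = "(current)") -> List[IfaceStatus]:
    """Turn raw 'show failover' text into one record per unit/context/interface.
    default_context is used for the 8.4 per-context view, which omits the name.
    Lines that are neither a side header nor an interface line are skipped."""
    side, role = "this", ""
    records: List[IfaceStatus] = []
    for line in text.splitlines():
        m = SIDE_RE.match(line)
        if m:
            side = "this" if m.group("side").lower() == "this" else "peer"
            role = m.group("role")
            continue
        m = IFACE_RE.match(line)
        if m:
            records.append(IfaceStatus(side, role, m.group("ctx") or default_context,
                                       m.group("name"), m.group("ip"),
                                       m.group("state"), m.group("detail")))
    return records


def not_fully_monitored(records: List[IfaceStatus]) -> List[IfaceStatus]:
    """Interfaces whose health monitoring is not up. 'Waiting' means the unit has not
    received a failover hello from its peer on that interface; a state other than
    Normal is worse. 'Not-Monitored' is a deliberate config choice and is not flagged."""
    return [r for r in records if r.detail == "Waiting" or r.state != "Normal"]


def pair_by_interface(records: List[IfaceStatus]) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Line up each context/interface across both units so a one-sided 'Waiting'
    (as in the thread) stands out."""
    pairs: Dict[Tuple[str, str], Dict[str, str]] = {}
    for r in records:
        pairs.setdefault((r.context, r.name), {})[r.side] = r.detail or r.state
    return pairs


# Constructed sample: the 8.4(2) output from the thread (addresses already masked).
SAMPLE = """\
Failover On
Last Failover at: 11:54:39 GMT/IST Feb 23 2012
        This context: Standby Ready
                Active time: 175394 (sec)
                  Interface ctxb-inside (x.x.x.165): Normal (Waiting)
                  Interface ctxb-outside (x.x.x.165): Normal (Monitored)
        Peer context: Active
                Active time: 11390663 (sec)
                  Interface ctxb-inside (x.x.x.164): Normal (Monitored)
                  Interface ctxb-outside (x.x.x.164): Normal (Waiting)
"""

# Constructed sample in the 8.2 system-view style (context name precedes 'Interface').
SAMPLE_MULTI = """\
  This host:    Primary
                      admin Interface out (x.x.x.x): Normal (Waiting)
                      admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                      C1 Interface dmz5 (x.x.x.x): Normal
  Other host:   Secondary
                      C1 Interface inside (x.x.x.x): Normal (Waiting)
"""

if __name__ == "__main__":
    recs = parse_show_failover(SAMPLE, default_context="ctxb")
    for r in not_fully_monitored(recs):
        print(f"{r.side:4} {r.role:13} {r.context}/{r.name} {r.ip}: {r.state} ({r.detail})")
    for (ctx, name), sides in pair_by_interface(recs).items():
        print(f"{ctx}/{name}: this={sides.get('this')} peer={sides.get('peer')}")
```

Run against the thread's output, the pairing shows ctxb-inside as Waiting on the local (standby) unit but Monitored on the peer, and the reverse for ctxb-outside: each unit is missing hellos on a different interface, which is exactly the case where the ping test in the reply above tells you whether the two interface addresses can actually reach each other.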

Similar Messages

  • Transparent mode/firewall mode in a multiple context asa5520

    Hello,
    Is it possible to have a transparent mode on CONTEXT_A and firewall/route mode in CONTEXT_B in a single ASA
    5520?
    thanks.

    Is there any document to support this? I would be getting my hands on a ASA pretty soon hope to test this feature out.
    -Hoogen

  • Remote Access VPN Support in Multiple Context Mode (9.1(2))?

    Hi Guys,
    I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However, seeing that the new IOS now supports mixed multiple context mode and dynamic routing, is it safe to ask whether or not Remote Access VPN is now supported in this IOS upgrade?
    Multiple Context Mode New Features:
    Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
    New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
    Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
    Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
    Regards,
    Leon

    Hey Leon,
    According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
    Regards,
    Dennis

  • Failure when FWSM in transparent mode with multiple contexts

    hi experts,
    We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
    Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder whether the communications between multiple contexts would be OK?
    thanks in advance.

    The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

  • Problem with Failover FWSM (With Multiple Context)

    Dear All,
    I have 2 Catalyst 6500 with FWSM module; the catalyst and FWSM are redundant. FWSM with multiple context.
    I had done with catalyst 6500, but when I try to add (Admin -> Security and Monitor Devices) module with fwsm context it is always an error.
    I add this context in the active context.
    This is the error message when I try to add fwsm on mars.
    The first one;
    expect: spawn id exp3 not open
    while executing
    "expect -nobrace {<--- More --->} {
    send_user "\n"
    send -- " "
    exp_continue
    } {assword: } {
    s..."
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    the second:
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    and sometime:
    spawn ssh -c 3des -l siem-mars 10.x.x.x
    Connection timed out
    For Information :
    The FWSM Firewall Version 4.0(6)
    and,
    CSMAERS-200
    Product Version               :    6.0.6 ( 3368 )
    Data Package Version     :     35
    IPS Signature Version     :     454
    IPS Custom Signature Version     :     0
    Anyone can help me please...
    Thanks b4,
    Best Regards,
    Naga

    Hi Teck Yong Ng,
    I am not sure about your problem, but normally what happens when we install two databases on the same host is there will be conflict between the ports connecting to the database.
    In your case the second system database might also have the same port number which you have for the first system.that is why i think you are facing this issue.
    Try to look at the port numbers.
    Regards,
    Bharath Kumar.K
    Message was edited by:
            Bharath Kumar K

  • ASA 5520 with multiple contexts becomes unresponsive

    Hi all. We have encountered a peculiar problem with a pair of our ASA 5520 firewalls with 2 contexts (each context being active on a different ASA). What we are seeing is that sometimes when we have a sudden increase of inbound traffic (mostly HTTP) towards servers behind the firewalls they seem to go bananas, for lack of a better expression.
    They become inaccessible via ssh and the traffic drops significantly. The problem is mitigated by disabling one of the monitored interfaces for failover (on one of the switches the firewall is connected to) so that both contexts become active on one firewall. After that the firewalls seem to come to their senses and we can enable the switch interface again, but sometimes one of the pair needs to be rebooted to restore full functionality.
    To us it seems like there is a problem with failover and contexts, but we haven't been able to pin it down. The failover link isn't stateful and when we tested the failover it works fine both ways, with each ASA taking up the full load when the other ASA of the pair is not available.
    Did anyone come across a similar situation with their firewalls?

    We are using ASA version 8.2(5).
    The configuration of the failover is:
    failover
    failover lan unit primary
    failover lan interface fail_int GigabitEthernet0/3
    failover interface ip fail_int x.x.x.x 255.255.255.252 standby x.x.x.x
    failover group 1
      preempt
    failover group 2
      secondary
      preempt
    Output of the "show failover":
      This host:    Primary
      Group 1       State:          Active
                    Active time:    399409 (sec)
      Group 2       State:          Standby Ready
                    Active time:    111 (sec)
                    slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                      admin Interface out (x.x.x.x): Normal (Waiting)
                      admin Interface inside (x.x.x.x): Normal (Waiting)
                      admin Interface dmz4 (x.x.x.x): Normal
                      admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                      C1 Interface out (x.x.x.x): Normal (Waiting)
                      C1 Interface inside (x.x.x.x): Normal (Waiting)
                      C1 Interface dmz5 (x.x.x.x): Normal
                      C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                    slot 1: empty
      Other host:   Secondary
      Group 1       State:          Standby Ready
                    Active time:    0 (sec)
      Group 2       State:          Active
                    Active time:    398992 (sec)
                    slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                      admin Interface out (x.x.x.x): Normal (Waiting)
                      admin Interface inside (x.x.x.x): Normal (Waiting)
                      admin Interface dmz4 (x.x.x.x): Normal
                      admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                      C1 Interface out (x.x.x.x): Normal (Waiting)
                      C1 Interface inside (x.x.x.x): Normal (Waiting)
                      C1 Interface dmz5 (x.x.x.x): Normal
                      C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                    slot 1: empty
    Stateful Failover Logical Update Statistics
            Link : Unconfigured.
    When I disabled the monitored interface it was always the same interface, although I believe the same effect could be achieved by disabling any of the monitored interfaces.
    As for memory and CPU when it happens, I cannot access the units to get a reading but I assume it's through the roof.
    The thing that troubles me more is that the situation persists when the load drops and I have to perform the solution from the first post. One would assume that with the drop of the load both firewalls would start to behave normally.
    And I see that I haven't mentioned it before, but when the load drops both units continue to handle traffic normally, but I sometimes see as a side effect that I cannot SSH to one of the units. That unit usually has to be restarted.

  • Transparent firewall with CSC

    Hi,
    We will be deploying 1 firewall with IPS module and 1 transparent firewall with CSC module. Please refer to the diagram. Is there any concern for this deployment? Will it work?
    Please advise.
    Thanks.

    Yes. Absolutely. No problem.
    -Kureli

  • ACE with multiple context

    hi,
    I've 4 virtual contexts in my ACE configuration. Is it possible to use the same real server in multiple contexts? 2 contexts are configured in one-arm mode
    and 2 in bridge mode.
    tks all
    Aghibear

    You could use one context as the default path - selecting this context as the default gateway.
    Then the other context uses client NAT to guarantee that the response comes back.
    I don't know if there is a specific example for what you want to do.
    You can check sample configs from :
    http://docwiki.cisco.com/wiki/Main_Page
    G.

  • Botnet Filter with multiple Context Mode

    We used the Botnet Filter in Single Context Mode for a long time. Now we converted to Multiple Context Mode and the database is no longer updated. In the system context I can see the update settings, but when I try to update the result is always "no DNS server". Since the system context has no interfaces there are no DNS settings etc.
    How should the Botnet Filter be configured in Multiple Context Mode?
    Thanks for any response in advance.

    sh run | grep dns
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    policy-map type inspect dns preset_dns_map
    inspect dns preset_dns_map
    ping update-manifests.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms
    ping updates.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:
    ASA Version 8.4(2)
    hostname DE-VM-TER-FW-02
    enable password 8Ry2Yj8765U24 encrypted
    passwd 2KFQnb6IdI.2KY75 encrypted
    names
    interface GigabitEthernet0/0.3207
    nameif TR_v207
    security-level 50
    ip address 10.28.6.60 255.255.255.248
    interface GigabitEthernet0/0.3208
    nameif TR_v208
    security-level 70
    ip address 10.28.6.68 255.255.255.248
    interface GigabitEthernet0/0.3209
    nameif TR_v209
    security-level 80
    ip address 10.28.6.76 255.255.255.248
    interface GigabitEthernet0/0.3210
    nameif TR_v210
    security-level 90
    ip address 10.28.6.84 255.255.255.248
    interface GigabitEthernet0/1
    nameif COLT
    security-level 0
    ip address 217.111.58.46 255.255.255.240
    interface GigabitEthernet0/3
    nameif T-COM
    security-level 0
    ip address 194.25.250.94 255.255.255.240
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    name-server 8.8.8.8
    object network COLT_dynamic_NAT
    subnet 0.0.0.0 0.0.0.0
    object network T-COM_dynamiy_NAT
    subnet 0.0.0.0 0.0.0.0
    object-group network DM_INLINE_NETWORK_1
    network-object 10.0.0.0 255.0.0.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    access-list COLT_access_in extended deny ip any any
    access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https
    access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https
    access-list T-COM_access_in extended deny ip any any
    access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
    access-list TR_3208_access_in extended permit ip any any
    access-list TR_3208_access_in extended permit icmp any any
    access-list TR_v207_access_in extended deny ip any any
    access-list TR_v210_access_in extended deny ip any any
    access-list TR_v209_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu TR_v208 1500
    mtu T-COM 1500
    mtu COLT 1500
    mtu TR_v207 1500
    mtu TR_v210 1500
    mtu TR_v209 1500
    ip verify reverse-path interface T-COM
    ip verify reverse-path interface COLT
    ipv6 access-list TR_v207_access_ipv6_in deny ip any any
    ipv6 access-list TR_v208_access_ipv6_in deny ip any any
    ipv6 access-list TR_v209_access_ipv6_in deny ip any any
    ipv6 access-list TR_v210_access_ipv6_in deny ip any any
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network COLT_dynamic_NAT
    nat (any,COLT) dynamic interface
    object network T-COM_dynamiy_NAT
    nat (any,T-COM) dynamic interface
    access-group TR_3208_access_in in interface TR_v208
    access-group TR_v208_access_ipv6_in in interface TR_v208
    access-group T-COM_access_in in interface T-COM
    access-group COLT_access_in in interface COLT
    access-group TR_v207_access_in in interface TR_v207
    access-group TR_v207_access_ipv6_in in interface TR_v207
    access-group TR_v210_access_in in interface TR_v210
    access-group TR_v210_access_ipv6_in in interface TR_v210
    access-group TR_v209_access_in in interface TR_v209
    access-group TR_v209_access_ipv6_in in interface TR_v209
    route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1
    route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20
    route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    telnet timeout 5
    ssh timeout 5
    no threat-detection statistics tcp-intercept
    dynamic-filter use-database
    dynamic-filter enable interface T-COM
    dynamic-filter enable interface COLT
    dynamic-filter drop blacklist interface T-COM
    dynamic-filter drop blacklist interface COLT
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect dns preset_dns_map dynamic-filter-snoop
    service-policy global_policy global
    Cryptochecksum:7bbe975fb39e189e99d8878787a0037
    : end
    System Context
    dynamic-filter updater-client enable
    Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured

  • Explain about transparent mode, single mode, multiple context mode

    Can you explain the differences between transparent mode, single mode and multiple context mode in the ASA 5500? Thank you very much.

    Great question. Hope the below helps:
    Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
    Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
    Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has its own configuration separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
    Hope this helps. Let me know if you have anymore questions!
    -Mike
    http://cs-mars.blogspot.com

  • IDSM2 with FWSM with contexts

    Hiya,
    I'm not a Security guy so keep it simple!
    If deploying a FWSM with multiple contexts, and you have an IDSM-2 installed:
    Does the IDSM have to be split into contexts to match the FWSM contexts?
    If not, does it monitor the backplane traffic and not matter or care about the multiple contexts?

    Hi .. by looking at your diagram .. I suggest trying to place the IDSM-2 so that traffic is inspected after the firewall policies have been checked, otherwise you might end up inspecting traffic that will be blocked by the firewall anyway. You also need to create what are called boundary VLANs so that your IDSM bridges the traffic between the inline VLANs... Confused ..?
    It gets a bit "blue" when you try inspecting inline on a module. For example, let's say you have Context1 with interfaces VLAN10 (outside) and VLAN20 (inside). You would have to create another VLAN30 (boundary VLAN). You then need to allocate the devices ONLY (not the ASA's interface) from VLAN20 to VLAN30 (only change VLAN membership and not the IP scheme). Next, on one of the IDSM-2 sensing ports you need to create a VLAN inline pair (it uses subinterfaces) which bridges VLAN20 <-> VLAN30. In that way traffic to/from your inside devices will traverse the IDSM-2 before reaching its destination.
    I suggest you create a test context, allocate the 2 VLANs, create the VLAN inline pair on the IDSM-2 and test.. Once you are happy you can replicate the same configuration for the production contexts.
    Below is a brief example of what you need to do for each context:
    sensor# configure terminal
    sensor(config)# service interface
    sensor(config-int)# physical-interfaces GigabitEthernet0/2
    sensor(config-int-phy)# admin-state enabled
    sensor(config-int-phy)# description INT1
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 52
    sensor(config-int-phy-inl-sub)# vlan2 53
    sensor(config-int-phy-inl-sub)# description pairs vlans 52 and 53
    sensor(config-int-phy-inl-sub)# show settings
    subinterface-number: 1
    description: VLANpair1 default:
    vlan1: 52
    vlan2: 53
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# exit
    sensor(config-int-phy)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    I hope it helps ... please rate it if it does !!!

  • Backup or redundant ISP with FWSM and security contexts...

    Hello guys,
    I am in the middle of a design problem. We have 2 ISPs, and we have a FWSM running multiple contexts. My context that is receiving all the static translations for all my published servers is the one where I want to configure default gateway tracking (so it can go out an "outside2" interface in case the primary fails) and use the second ISP link for internet access and static NAT. Just the exact way the ASA works.
    I am not quite sure it works with FWSM.
    Thanks a lot!
    emilio

    Hello Emilio,
    You cannot configure SLA monitoring on the FWSM at this moment.
    Maybe in the future this great feature will be added to these modules.
    I know the 6500 supports it so you can try to set it up there.
    Regards,
    Julio

  • ARE-1 creation with reference to multiple excise invoice

    Dear All,
    Please tell me how to create ARE-1 document with reference to multiple excise invoices which are having same sold to party and ship to party.
    Regards,
    Sagar Wairagade

    Hi,
    In J1IA101 enter the first excise invoice in the relevant field and hit enter, and once this excise invoice is updated in the tab "excise invoice summary", enter the next excise invoice in the same field as before and hit enter. In this manner you can enter as many as you like, as long as the sold to party and Export type are the same.

  • How do i set up a slideshow with pictures from multiple iphoto libraries?

    How do i set up a slideshow with pictures from multiple iphoto libraries? One library is in my Macbook Harddrive, the other 2 libraries are in an external harddrive. Thank you!!

    You can't, simply. An iPhoto Slideshow can only draw from a single library, so you'll need to get all the images into one.
    Alternatives to iPhoto's slideshow include:
    iMovie is on every Mac sold.
    Others, in order of price:
    PhotoToMovie  $49.95
    PulpMotion  $129
    FotoMagico $99
    Final Cut Pro X $299
    It's difficult to compare these apps. They have differences in capability - some are driven off templates. some aren't. Some have a wider variety of transitions. Others will have excellent audio controls. It's worth checking them out to see what meets your needs. However, there is no doubt that Final Cut Pro X is the most capable app of them all. You get what you pay for.

  • How to install when I keep getting the following message on Windows 7 64-bit, with or without firewall on and with or without virus protection on: "This installation package could not be opened. Verify that the package exists and that you can access it"

    How to install when I keep getting the following message on Windows 7 64-bit, with or without firewall on and with or without virus protection on? Here is the message: "This installation package could not be opened. Verify that the package exists and that you can access it". Same when trying to install QuickTime.

    I'd first try downloading an installer from the Apple website using a different web browser:
    http://www.apple.com/quicktime/download/
    If you use Firefox instead of IE for the download (or vice versa), do you get a working installer?
