Unable to see interface on ASA 5510 Firewall

Hi All,
I am unable to see the 4th interface, i.e. fastether0/3, on my ASA 5510 firewall.
Below is the output.
ciscoasa# sh int ip br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                x.x.x.x           YES CONFIG up                    up
Ethernet0/1                x.x.x.x           YES CONFIG up                    up
Ethernet0/2                unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              192.168.1.1     YES CONFIG up                    up
Please suggest what could be the reason.
Regards
Pankaj

Hi Ramraj,
Even I have the base license for my ASA 5510, which is showing all 4 interfaces in sh ver. I don't think the license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
It's not showing up in sh ver. As Karsten said, he might be running on an old IOS version.
fy-a# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(5)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fy-a up 1 day 1 hour
Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1
0: Ext: Ethernet0/0         : address is 2c54.2d0c.8f1a, irq 9
1: Ext: Ethernet0/1         : address is 2c54.2d0c.8f1b, irq 9
2: Ext: Ethernet0/2         : address is 2c54.2d0c.8f1c, irq 9
3: Ext: Ethernet0/3         : address is 2c54.2d0c.8f1d, irq 9
4: Ext: Management0/0       : address is 2c54.2d0c.8f1e, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
This platform has a Base license.
Serial Number: JMX1AXXXXX
Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
fy-a#
Ramraj, please do correct me if I am wrong.
Please do rate if the given information helps.
By
Karthik

Similar Messages

  • IPSec tunnel on sub-interface on ASA 5510

    Hello All,
    I am working on a security solution using an ASA firewall and need some technical advice on the ASA. Is it possible to set up IPSec tunnels on each subinterface of a physical interface on an ASA 5510?
    I would be grateful if someone could please reply to this post with some details.
    Regards,
    Muds

    Hi Jennifer,
    Thanks very much for your reply. I understand where you are coming from, but the reason for using sub-interfaces is that we have only one physical interface on the firewall connected to the MPLS cloud, and we need to set up separate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily set up a static route to the peer address.
    Many thanks for your assistance, please feel free to advise if you have any other suggestion.
    Regards,
    Muds 

  • Multiple gateways for different Traffic on ASA 5510 firewall

    Hello,
    My network at the moment is set up as:
    WAN, with three sites
    Site 1
    Site 2
    Site 3
    Site 1 is behind a non-Cisco firewall, which is connected to the internet via a Frame Relay link (using a Cisco 1721 router). We host a number of servers on the Internal network and DMZ's.
    All sites connect to the WAN using Cisco routers or switches.
    All internet traffic (IN and OUT) for all sites goes via the non-Cisco firewall.
    I am interested in the ASA 5510 with six interfaces.
    Using the ASA 5510 is it possible to set up two (2) internet connections, one via the Frame Relay and a second internet connection via an ADSL connection?
    Then, is it possible to direct the outward-bound traffic via specific gateways based upon either:
    (a) the type of traffic, say HTTP from users behind the firewall; or
    (b) the IP addresses of the host (i.e. users' PC versus the servers)
    Any assistance is welcome.
    Kind regards,
    IT@C

    Yes, you can do this with policy routing on the internet router in front of the firewall, assuming that you are connecting both ISPs to that router. Also, remember that you can do VLANs on the ASA. This may cut down on the # of interfaces that you use in your config.
    http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f89.html
    HTH, pls rate!

  • Unable to access public ip from branch vpn (Cisco ASA 5510 Firewall)

    Hi,
    As per the above diagram
    in Head office -  able to access public ips
    In Branch office - unable to access public ips only accessing head office servers and internet is shared from head office.
    please see the below configuration in Branch office router:
    access-list 1 permit any
    access-list 100 remark ****** Link to Firewall-HO1 ******
    access-list 100 permit ip 10.21.211.0 0.0.0.255 172.16.35.0 0.0.0.255
    access-list 100 permit ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 100 permit ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
    access-list 100 permit ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
    access-list 100 permit ip 10.21.111.0 0.0.0.255 172.16.35.0 0.0.0.255
    access-list 100 permit ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 100 permit ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
    access-list 100 permit ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
    access-list 100 permit ip 10.21.10.0 0.0.0.255 172.16.35.0 0.0.0.255
    access-list 100 permit ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 100 permit ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
    access-list 100 permit ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
    access-list 100 permit ip 10.21.211.0 0.0.0.255 host 78.93.190.226
    access-list 100 permit ip 10.21.111.0 0.0.0.255 host 78.93.190.226
    access-list 100 permit ip any any
    access-list 101 deny   ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 101 deny   ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
    access-list 101 deny   ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
    access-list 101 deny   ip 10.21.211.0 0.0.0.255 172.0.0.0 0.255.255.255
    access-list 101 deny   ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 101 deny   ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
    access-list 101 deny   ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
    access-list 101 deny   ip 10.21.111.0 0.0.0.255 172.0.0.0 0.255.255.255
    access-list 101 deny   ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 101 deny   ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
    access-list 101 deny   ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
    access-list 101 deny   ip 10.21.10.0 0.0.0.255 172.0.0.0 0.255.255.255
    access-list 101 permit ip host 10.21.211.51 any
    access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq pop3
    access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq smtp
    access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq pop3
    access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq smtp
    access-list 102 permit ip 10.21.211.0 0.0.0.255 any
    route-map nonat permit 10
    match ip address 101
    Thanks for your valuable time and considerations

    Can anyone help me?

  • ASA 5510 FireWall Problem

    Hi All
    After some advice and direction
    Our ASA firewall using ASA version 8.4 has recently started presenting us with a problem to one external website
    called http://partners.highnet.com/login/  ip address 62.233.82.181.
    Our firewall is letting everything on our inside Trusted site 192.168.254.0/24 out through our outside interface on x.x.x.x
    to any website and brings back the details
    However when we try to reach http://partners.highnet.com/login/ we recently started receiving (Internet Explorer cannot display the webpage)
    on checking the ASA under Home TAB       -       Firewall Dashboard    -    and then under     -      Top 10 protected Servers under SYN attack we are receiving the below error.
    Rank  Server IP-Port     Interface  Average  Current  Total  Source IP (Last Attack Time)
    5     62.233.82.181:80   INSIDE     0        0        8      192.168.254.130 (1 mins ago)
    I have tried rebooting the ASA firewall (Still did not resolve).
    I have also  disabled basic threat detection and threat detection statistics and then re-enabled after a period of time under > configuration > Firewall > threat detection  (Still did not resolve).
    Have created a number of access lists, both from the inside to outside and outside to inside, allowing TCP just to the specific IP address 62.233.82.181 (Still did not resolve).
    Tried editing Global Policy for Http configuration > connection settings TCP and UDP connections and also Embryonic connections (Still did not resolve).
    Also tried using the shun command on the ASA to clear connection and statistics and (Still did not resolve).
    So you see there is nothing else I can think of doing, so that is why I have asked you for some pointers maybe someone has come across this sort of issue before.
    If you can help or advise it is much appreciated.

    Hi,
    Are you sending logs from your ASA to any Syslog server from which you could pull all the connection logs for that destination IP address?
    On the ASA you can naturally use "packet-tracer" also to simulate one such packet coming from your LAN towards this WAN IP address (of the server) and confirm that all rules are correct.
    packet-tracer input INSIDE tcp 192.168.254.130 12345 62.233.82.181 80
    You could maybe also try to generate TCP SYNs directly from the ASA
    ping tcp 62.233.82.181 80
    And see if the server replies
    - Jouni

  • SSH on Outside interface on ASA 5510

    Hi All,
    I need the ssh access on my ASA outside interface and have added
    ssh ipremoved 255.255.255.255 outside
    access-list acl_outside extended permit tcp host ipremoved any eq 22
    but this is the log I get from the ASA
    Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(5)
    can someone please help me
    many thanks
    cheers..

    many thanks for the quick reply
    my connection is something like below
           Site A                                                                                   Site B
    PC--10.6.40.148 ---- ASA public IP -------------cloud --------------------public IP ASA
    Site to Site IPsec VPN
    I am able to ssh to the ASA on the private IP management interface; now I need to ssh to the Site B public IP to manage it.
    I have allowed the ACL on the Site A ASA for the PC to go; I can see the hit count on it.
    The reason is that I need to manage the Site B ASA on the public IP, because on Site A I am changing the internet provider, so if I have access to the Site B ASA I can change the peer IP to the new IP and re-establish the VPN.
    many thanks for the help
    cheers

  • AIM-SSM interfaces and ASA 5510

    All, can anyone explain if and how routing works between the ASA and the IPS card?
    1)Is the single NIC in the IPS card for management purposes only?
    2)Is the IP address configured in the card's setup process for this one NIC?
    3) need there be any routing between e.g. the ASA management or any other interface and the card management interface or can they reside on completely separated networks?
    Thanks
    Jonathan

    The IPS card has 3 interfaces.
    The management interface is the external interface that you plug a network cable into. The IP address is configured by the user during setup.
    The sniffing interface is the internal interface on the ASA data backplane. No IP address is ever assigned to this interface.
    The control plane interface is an internal interface on the ASA control plane so that the ASA can communicate internally to the SSM (the session command runs through this interface). The control plane IP address is controlled by the ASA and not user configurable.
    The management interface is for management only.
    The IP Address configured during setup is only for this management interface.
    As for routing between the ASA and the SSM, this is completely up to the user.
    All communication from the ASA to the SSM is done internally through the control plane interface and so the ASA itself does not need to know how to communicate to the SSM management IP.
    The SSM, however, does need to communicate from its management IP to one of the ASA interfaces in order to do Blocking/Shunning on the ASA. Blocking/Shunning is not done through the control plane.
    When using IDM or ASDM for configuration the java applet web browses to the SSM management IP so the machine running IDM or ASDM must either be on the local network of the management port of the SSM, or be routable to the network.
    Some scenarios:
    1) Only one machine (IDS MC/Sec Mon) communicating with the SSM. In this scenario you could take a crossover cable and directly connect the one machine to the SSM.
    The SSM can then communicate only to that one machine.
    2) A secure network for managing the security devices that is NOT routable to/from other networks.
    In this scenario the management box, the management port of the SSM, and the management port of the ASA would all be placed on this one network.
    The SSM would only be able to communicate with the management box and the ASA management port.
    The ASA management port is configured as a management-only port so the ASA will not route in/out of the management network.
    So only the management box on that local network can communicate with the SSM, and no remote boxes can connect directly to the SSM.
    (NOTE: Blocking/Shunning will work here because the SSM can talk to the ASA)
    3) A secure network that IS routable to/from other networks.
    Similar to option 2 above, but in this scenario the management port of the ASA is configured to NOT be a "management-only" port, and is instead treated like any other port on the firewall. In this setup the management port of the ASA CAN route in/out of the management network.
    NOTE: In most cases the ASA will need to configure a NAT address for the SSM management IP if users intend to connect to the SSM management IP remotely from the Internet (like running ASDM from the company main network over the internet to configure the ASA and the SSM at a remote site)
    4) SSM management IP on one of the normal networks behind the ASA. In this scenario the management port of the SSM would be plugged into a switch or hub where other internal machines are plugged in (like plugging into the DMZ switch/vlan). From the ASA standpoint the SSM management port would be treated just like any other web and ssh server behind the firewall.

  • ASA 5510 Firewall internet Restriction based on IP address and block rest users excluding Mails

    Hi,
    I have an assignment to create an access list based on IP address: we have to allow internet access for the IP range 192.168.172.201 to 212.
    And we have to block the rest of the users, excluding mail.
    Please help.
    Thanks,
    Regards,
    Hemant Yadav 

    login as: Rakh
    [email protected]'s password:
    Type help or '?' for a list of available commands.
    FAST-HQ-ASA> en
    Password:
    Invalid password
    Password: ***********
    FAST-HQ-ASA# show rum
                        ^
    ERROR: % Invalid input detected at '^' marker.
    FAST-HQ-ASA# show run
    : Saved
    ASA Version 8.3(1)
    hostname FAST-HQ-ASA
    enable password 7tt1ICjiO2a2/Hn2 encrypted
    passwd U8oee3lIrDCUmSK2 encrypted
    names
    interface Ethernet0/0
    description ASA Outside segment
    speed 100
    duplex full
    nameif OUTSIDE
    security-level 0
    ip address 62.173.33.67 255.255.255.240
    interface Ethernet0/1
    description VLAN AGGREGATION point
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1.2
    description INSIDE segment (User)
    vlan 2
    nameif INSIDE
    security-level 100
    ip address 192.168.172.1 255.255.255.0
    interface Ethernet0/1.3
    description LAN
    vlan 3
    nameif LAN
    security-level 100
    ip address 192.168.173.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network INSIDE
    subnet 192.168.172.0 255.255.255.0
    object network LAN
    subnet 192.168.173.0 255.255.255.0
    object network MAIL-SERVER
    host 192.168.172.32
    object network DENY-IP-INTERNET
    range 192.168.172.121 192.168.172.200
    object-group service serBLOCK-INTERNET tcp
    port-object eq www
    object-group network BLOCK-IP-INTERNET
    network-object object DENY-IP-INTERNET
    access-list 102 extended permit icmp any any time-exceeded
    access-list 102 extended permit icmp any any echo-reply
    access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp
    access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https
    access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET
    access-list BLOCK-WWW extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu OUTSIDE 1500
    mtu INSIDE 1500
    mtu LAN 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network INSIDE
    nat (INSIDE,OUTSIDE) dynamic interface
    object network LAN
    nat (LAN,OUTSIDE) dynamic interface
    object network MAIL-SERVER
    nat (INSIDE,OUTSIDE) static 62.173.33.70
    access-group OUTSIDE-IN in interface OUTSIDE
    access-group BLOCK-WWW out interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh 192.168.172.37 255.255.255.255 INSIDE
    ssh 192.168.173.10 255.255.255.255 LAN
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username Rakh password EV9pEo1UkhHJSbIW encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1ee78d19f958efc6fd95f5e9d4e97b8d
    : end
    FAST-HQ-ASA#

  • WiSM, unable to see Interface after adding.

    We have an up and running WiSM, for about 9 months.  It resides in a 6509 chassis.
    I needed to add a new interface for another subnet (the previous one was getting overrun, and we have a new project).
    I went through the process of adding the interface.  I ensured it was active.
    At present, from the 6509 I am unable to ping the interface's IP, but I am able to ping that network's gateway.
    From the WiSM, I am able to ping the interface's IP, but unable to ping the gateway.
    I was not the original configurator of the WiSM and the 6509 build.  That person is no longer around.
    On the 6509 I have ensured that "show interface trunk" shows the VLAN in question.
    I have searched numerous times, and I feel like there is just some nefarious item I am missing on the creation of new Interfaces between the WiSM and 6509.
    Any input would be appreciated.
    Thanks

    Have you double checked the vlan tag, subnet mask, etc for the new interface on the WLC?  Usually when you cannot ping an interface on the WLC (although pings are the lowest priority) it is a configuration error on the above, or the trunk not allowing that interface, etc.
    Thanks,
    Lee

  • Wanting to see logging for ASA 5510 Permits

    I have a rule which permits traffic to a web server and logging is enabled.  But when I go to syslog I am only seeing traffic which has been denied.  What needs to change to be able to see the logged traffic on permit rules?  Thanks.

    You might have logging globally set to something higher priority than 6 (e.g., 5 or lower numerically). What are you using to display syslog?
    You can see the ACE hits using the command line by the following:
    To display the hit counters and a timestamp value for an access list, use the show access-list command in privileged EXEC mode.
    show access-list id_1 [...[id_2]] [brief]
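
An added example (not part of the original reply and not Cisco code) of the severity filter the reply describes: a logging destination set to a given level receives only messages whose severity number is less than or equal to it, so permit records emitted at level 6 vanish when the level is 5. The log lines, the ACL name WEB-IN and the addresses are constructed samples.

```python
import re

# Severity keywords accepted by the ASA "logging trap|buffered <level>" commands.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Every ASA syslog message carries the header %ASA-<severity>-<message id>:
HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Constructed sample lines (documentation addresses, hypothetical ACL WEB-IN).
SAMPLE_LOG = '''\
Oct 06 2012 16:10:01: %ASA-4-106023: Deny tcp src outside:198.51.100.7/40112 dst dmz:192.0.2.20/23 by access-group "WEB-IN" [0x0, 0x0]
Oct 06 2012 16:10:02: %ASA-6-106100: access-list WEB-IN permitted tcp outside/198.51.100.9(51514) -> dmz/192.0.2.20(80) hit-cnt 1 first hit [0x0, 0x0]
Oct 06 2012 16:10:02: %ASA-6-302013: Built inbound TCP connection 8841 for outside:198.51.100.9/51514 (198.51.100.9/51514) to dmz:192.0.2.20/80 (192.0.2.20/80)
Oct 06 2012 16:10:03: %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/39884 to outside:203.0.113.1/22
'''


def parse(line):
    """Return severity, message id and permit/deny class for one syslog line."""
    m = HEADER.search(line)
    if m is None:
        return None
    text = m.group("text")
    # 106100 says "permitted"/"denied"; connection-build records (302013)
    # are also evidence that traffic was allowed through.
    if " permitted " in text or text.startswith("Built "):
        action = "permit"
    elif text.startswith("Deny ") or " denied " in text:
        action = "deny"
    else:
        action = "other"
    return {"severity": int(m.group("sev")),
            "msgid": m.group("msgid"),
            "action": action}


def forwarded(log_text, level):
    """Events a destination configured at `level` would actually receive."""
    limit = LEVELS[level]
    events = (parse(line) for line in log_text.splitlines())
    return [e for e in events if e is not None and e["severity"] <= limit]


def summary(log_text, level):
    """Count permit/deny/other events visible at the configured level."""
    counts = {"permit": 0, "deny": 0, "other": 0}
    for event in forwarded(log_text, level):
        counts[event["action"]] += 1
    return counts


def level_needed(log_text, action):
    """Numerically lowest logging level that still shows every `action` event."""
    events = (parse(line) for line in log_text.splitlines())
    sevs = [e["severity"] for e in events if e is not None and e["action"] == action]
    return max(sevs) if sevs else None


if __name__ == "__main__":
    for name in ("notifications", "informational"):
        print(name, summary(SAMPLE_LOG, name))
    print("level needed for permits:", level_needed(SAMPLE_LOG, "permit"))
```
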

  • Unable to configure Outlook with ASA firewall and IWSVA

    Dear Sir,
    We are unable to configure MS outlook in our network  which is having IWSVA proxy and cisco ASA 5510 firewall.
    snapshot of outlook error details are attached for your reference.
    In our network L3 is behind IWSVA which is behind cisco ASA 5510.
    When we change the following NAT rule and incoming ACL rule, it works fine:
    nat (inside,outside) source static any interface unidirectional
    nat (inside,outside) source static obj_Proxy interface unidirectional
    access-list 100 extended permit ip any any
    access-list inside_access_in extended permit ip object-group Proxy_Server any
    All required ports are allowed in IWSVA also. Please tell me if we have to make any changes in IWSVA, like mapping ports etc.
    Thanks in advance
    Regards:
    Anand Singh Dhouni

    Hello Anand,
    I already replied to you on the other post, Please mark this as answered so we can focus on one ticket and avoid duplicates.
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Any question contact me at [email protected]
    Cheers,
    Julio Carvajal Segura

  • ASA 5510 redundant interface

    I have configured a redundant interface on an ASA 5510
    interface Redundant1
    description *** INSIDES NETWORK ***
    member-interface Ethernet0/1 (This is a 1000Mbps Port)
    member-interface Ethernet0/2 (This one is 100Mbps)
    no nameif
    no security-level
    no ip address
    interface Redundant1.10
    vlan 10
    nameif inside
    security-level 100
    ip address 192.168.1.168 255.255.255.0
    redundant-interface redundant 1 active-member ethernet 0/1
    Interface Ethernet0/1 ---- Connected to --- Primary Core Switch Interface Gi0/30
    Interface Ethernet0/1 ---- Connected to --- Secondary Core Switch Interface Gi0/30
    Then I issued the following command and it's OK!
    ASA5510# show interface redundant 1 detail
    Interface Redundant1 "", is up, line protocol is up
      Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
            Input flow control is unsupported, output flow control is off
            Description: *** INSIDES NETWORK ***
            Available but not configured via nameif
            MAC address 7081.0570.e37d, MTU not set
            IP address unassigned
            8200483 packets input, 2109574889 bytes, 0 no buffer
            Received 99254 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            11878 L2 decode drops
            10309739 packets output, 9085407428 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 7 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops, 0 tx hangs
            input queue (blocks free curr/low): hardware (510/249)
            output queue (blocks free curr/low): hardware (510/244)
      Topology Information:
            This interface, a , is connected
            with Ethernet0/0, a .
      Control Point Interface States:
            Interface number is 8
            Interface config status is active
            Interface state is active
      Redundancy Information:
            Member Ethernet0/1(Active), Ethernet0/2
            Last switchover at 13:54:02 IST Aug 15 2012
    Then I shut down the Primary core switch Gi0/30 interface and issued the above command again
    ASA5510# show interface redundant 1 detail
    Interface Redundant1 "", is up, line protocol is up
      Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
            Input flow control is unsupported, output flow control is off
            Description: *** INSIDES NETWORK ***
            Available but not configured via nameif
            MAC address 7081.0570.e37d, MTU not set
            IP address unassigned
            8176236 packets input, 2102449428 bytes, 0 no buffer
            Received 98539 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            11682 L2 decode drops
            10278568 packets output, 9060503327 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 4 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops, 0 tx hangs
            input queue (blocks free curr/low): hardware (510/254)
            output queue (blocks free curr/low): hardware (510/255)
      Topology Information:
            This interface, a , is connected
            with Ethernet0/0, a .
      Control Point Interface States:
            Interface number is 8
            Interface config status is active
            Interface state is active
      Redundancy Information:
            Member Ethernet0/2(Active), Ethernet0/1
            Last switchover at 13:45:10 IST Aug 15 2012
    It transferred correctly. Then I did no shut and brought the Primary core switch Gi0/30 interface back to normal, BUT the redundant interface did not revert back.
    I issued this command again; BW remains 100Mbps
    ASA5510# show interface redundant 1 detail
    Interface Redundant1 "", is up, line protocol is up
      Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
            Input flow control is unsupported, output flow control is off
            Description: *** INSIDES NETWORK ***
            Available but not configured via nameif
            MAC address 7081.0570.e37d, MTU not set
            IP address unassigned
            8176236 packets input, 2102449428 bytes, 0 no buffer
            Received 98539 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            11682 L2 decode drops
            10278568 packets output, 9060503327 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 4 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops, 0 tx hangs
            input queue (blocks free curr/low): hardware (510/254)
            output queue (blocks free curr/low): hardware (510/255)
      Topology Information:
            This interface, a , is connected
            with Ethernet0/0, a .
      Control Point Interface States:
            Interface number is 8
            Interface config status is active
            Interface state is active
      Redundancy Information:
            Member Ethernet0/2(Active), Ethernet0/1
            Last switchover at 13:45:10 IST Aug 15 2012
    I manually did shut down and no shut on the secondary core switch interface Gi0/30. It changed correctly to 1000Mbps.
    Can someone please tell me why it does not automatically transfer the active interface and speed?

    I remember that being there by design. Fail back or Preempt was not supported in case of Redundant interfaces and is actually not a good idea in terms of stability. You don't want the interface failover to happen again when the active interface comes back up. In order to force the 1000Mbps interface to be active, you can manually do so by the command 'redundant-interface 1 active
    Hope that Helps
    Zubair

  • ASA-5510-k8 vs ASA-5510-k9

    Hello all!
    I was wondering if anyone knew the difference out there between an ASA5510-k8 and k9. Is this a software or hardware version? If I was using 2 ASAs in a failover/standby environment, do the 2 need to match or can these be different? Any feedback would be helpful. Thanks.

    Hi Edwin,
    Please see below the information ref to 5510 licensing (gives you the differences between K8 & K9) and Active/standby failover implementation requirements for ASA...
    ASA5510-BUN-K9: Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, 3DES/AES license
    ASA5510-K8: Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, DES license
    ASA5510-SEC-BUN-K9: Cisco ASA 5510 Security Plus Firewall Edition includes 2 Gigabit Ethernet + 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, Active/Standby high availability, 3DES/AES license
    Licensing Requirements for Active/Standby Failover
    The following table shows the licensing requirements for this feature:
    Model               License Requirement
    ASA 5505            Security Plus License. (Stateful failover is not supported).
    ASA 5510            Security Plus License.
    All other models    Base License.
    Prerequisites for Active/Standby Failover
    Active/Standby failover has the following prerequisites:
    •Both units must be identical security appliances that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.
    •Both units must have the same software configuration and the proper license.
    •Both units must be in the same mode (single or multiple, transparent or routed).
    Below are the links for reference:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html
    hth
    MS
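    The prerequisites and licensing table quoted in the answer above can be checked mechanically before pairing two units. The following is an added example, not part of the original thread or Cisco's tooling: it assumes trimmed `show version`, `show firewall` and `show mode` text has been collected from each unit, the sample outputs are constructed, and `parse_unit` and `failover_problems` are hypothetical helper names.

```python
import re

# Constructed sample outputs (not from the thread): trimmed lines from
# "show version", "show firewall" and "show mode" on two units.
UNIT_A = """\
Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Failover                          : Active/Standby
This platform has an ASA 5510 Security Plus license.
Firewall mode: Router
Security context mode: single
"""
UNIT_B = """\
Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Failover                          : Disabled
This platform has a Base license.
Firewall mode: Router
Security context mode: single
"""

# Models that need Security Plus for Active/Standby, per the table above.
NEEDS_SECURITY_PLUS = {"ASA5505", "ASA5510"}

def parse_unit(text):
    """Extract model, license name, firewall mode and context mode."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    return {
        "model": grab(r"^Hardware:\s+(\S+?),"),
        "license": grab(r"^This platform has an? (.+?) license"),
        "fw_mode": grab(r"^Firewall mode:\s*(\S+)"),
        "ctx_mode": grab(r"^Security context mode:\s*(\S+)"),
    }

def failover_problems(a_text, b_text):
    """Return a list of prerequisite violations; empty means none found."""
    a, b = parse_unit(a_text), parse_unit(b_text)
    problems = []
    # Both units must be the same model and in the same mode.
    for key in ("model", "fw_mode", "ctx_mode"):
        if a[key] is None or b[key] is None:
            problems.append(f"{key}: missing from output")
        elif a[key] != b[key]:
            problems.append(f"{key}: {a[key]} != {b[key]}")
    # Each unit must carry the license the table requires for its model.
    for name, unit in (("A", a), ("B", b)):
        lic = unit["license"] or "unknown"
        if unit["model"] in NEEDS_SECURITY_PLUS and "Security Plus" not in lic:
            problems.append(f"unit {name}: {unit['model']} needs Security Plus, has {lic}")
    return problems
```

    The check covers model, mode and license only; matching software configuration still has to be compared separately.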

  • DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

    Hi Guys,
    I'm in a mess. I have a Cisco 877-K9 router which sits behind an ASA 5510 FW.
    The Design :
    Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
    ||
    ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
    ||
    Switch
    ||
    LAN
    Now my problem is, my DMVPN configuration works just fine. I'm able to ping from my Cisco 877 to any Spoke and vice versa.
    I'm also able to ping from my LAN to any Spoke Tunnel IP, but I'm not able to ping any LAN IP at a Spoke site, nor am I able to ping my LAN from any Spoke site.
    I've googled a lot but have only come across designs where the ASAs are behind the Cisco routers and not in front.
    Any help in this regard is highly appreciated. I really need this to work. Attached are the config files....
    Thanks,
    Aj.

    Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
    All the troubleshooting was done before posting the problem, and to clarify things, please find below the results.
    1) what RProtocol r u using?
    a) It's OSPF
    2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
    a) I did the "show ip route" and both the HUB and Spokes get their routes defined
        (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I couldn't get routes advertised on spokes)
        (I changed to "redistribute static subnets" and I was able to get Hub routes advertised)
    3) are your tunnels config correctly? try show crypto ipsec sa
    a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
    4) on your hub/spoke do a debug ip icmp
    a) Did that as well, and if I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but if I ping from HUB to Spoke on a client IP behind the Spoke, it pings but does not show any result on the Spoke debug.
    I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
    In addition to the info above, please also note:
    I did notice that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
    So I guess I'm stuck on the point that my Cisco HUB is unable to talk to my LAN. If I can get the HUB to talk to the internal LAN, I would be able to ping clients on LAN from any Spoke or clients behind Spokes.
    From HUB router I'm able to ping clients behind Spokes.
    Does that give any Ideas ?
    Thanks in Advance.
    Aj.

  • Reset ASA 5510 back to MFG Settings - Please help??

    A network engineer was in the middle of setting up a customer ASA 5510 Firewall and left. We don't know the IP/UN/PW.
    Is there a way to hard reset the firewall back to manufacture settings?
    Thanks in advance.

    Hi,
    The easiest thing would be to do a password recovery, as described here:
    http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1058131
    Then you can simply reset the password and carry on where he left off.
    HTH
    Andrew.
