VRF issue with firewall in transparent mode.

Hi Guys,
I have a 7609 router and a 6513 L3 switch connected through an ASA 5545.
I am running multiple VRFs between the router and the switch, with BGP as the routing protocol. When they are connected directly to each other everything is normal; however, when I connect them via the ASA 5545, everything fails. I am using the ASA in transparent mode.
My question is: does the ASA require different settings in the case of VRFs? If yes, then please give me a sample config.

I have taken the following output from the firewall; will this be of any help?
sh interface ouTSIDE
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 7c69.f68f.df78, MTU 1500
        IP address 175.4.8.35, subnet mask 255.255.255.248
        8435 packets input, 680680 bytes, 0 no buffer
        Received 8135 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        8138 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (476/461)
        output queue (blocks free curr/low): hardware (511/511)
  Traffic Statistics for "OUTSIDE":
        297 packets input, 118503 bytes
        0 packets output, 0 bytes
        297 packets dropped
      1 minute input rate 0 pkts/sec,  13 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  6 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
ciscoasa# show asp drop
Frame drop:
  FP L2 rule drop (l2_acl)                                                   297
ASA Version 9.0(1)
firewall transparent
ciscoasa# show module all
Mod Card Type                                    Model              Serial No.
  0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545           
ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS       
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
  0 7c69.f68f.df77 to 7c69.f68f.df80  1.0          2.1(9)8      9.0(1)
ips 7c69.f68f.df75 to 7c69.f68f.df75  N/A          N/A          7.1(4)E4
Mod SSM Application Name           Status           SSM Application Version
ips IPS                            Up               7.1(4)E4
Mod Status             Data Plane Status     Compatibility
  0 Up Sys             Not Applicable
ips Up                 Up
Mod License Name   License Status  Time Remaining
ips IPS Module     Enabled         perpetual
ciscoasa#
I have created an EtherType ACL and permitted any traffic.
CDP traffic has passed through, but I am still not able to ping :(

Similar Messages

  • Boot issues with Win98. Safe Mode Boot only. Not all drives detected...

    Hello guys!  This is a great source of information and I've learned a TON browsing this place (on company time, hehe), but I've hit a road block that I can't maneuver around.  
    System Config
    Neo K8T Neo Fisr mobo
    Athlon64 3200+ CPU
    1 Gig Kingston RAM
    Ti4200 64 MB video card
    520 Watt Antec Power Supply (after getting schooled by Bas's great posts on the importance of PSUs, I found out my lame-o 350 watt (!!!!) PSU, errr, ain't gonna quite cut it.)
    Problem:
    Windows98 won't boot all the way to normal mode.  It only boots to safe mode.    Apparently a driver issue?
    Symptoms/Clues:
    - Only detects my Western Digital hard drive (and only after some finagling)
    - Weirdness with my 1.44 3.5" floppy (A:) drive.  At first the BIOS would tell me the A: drive was there, regardless of whether it was plugged in.  Then I plugged in the A: drive and Win98 in safe mode couldn't read from it.  Right now, I don't have my A: drive connected and it's not in my Boot Order sequence (hard drive only for now).
    - BIOS doesn't detect my new CD-ROM (SONY) drive at all.  Note, this is a brand new drive that was NOT on my old system.
    - I disabled the S.ATA controller.  (This was confusing because there's an option to disable some SATA thing under an "Integrated Peripherals" menu.  However, there's another setting to disable a SATA thing under a PCI Controller's menu.  Seemed vague to me, but then it's been a while since I've done this sort of thing.)
    - I cleared the CMOS earlier because of weirdness where the system would hang on bootup and would ask me about starting a "Flash Recovery" process, upon which it would just sit there (I left it running overnight once).
    Call for help
    Unfortunately I have no boot floppies, so I was hoping this was something I could fix without one, perhaps by changing some BIOS settings.  Maybe it's a RealTek Boot Agent thing?  
    Any help is appreciated!
    BamaBoy

    I'm running Win 98SE with no real problems, and it's doing so well that I still don't even feel like trying anything else..........
    I'd say RE-clear your CMOS, using the jumper, and unplugging the power for 5 seconds..... then reset your BIOS settings.......Also, maybe just reinstall the VIA 4-in-1 chipset drivers...... I remember fiddling with some BIOS settings before, like the ACPI by OS or by BIOS etc.... that helped.....but it's been a while......The great thing about 98 is that you CAN tweak so much.......
    You can reinstall over itself also, which can help redetect the hardware; you should always have the 98 files on the hard drive so you don't need the floppy or CD...... So many things you can try....... Resolve yourself to trying as many as possible, it's fun when you get it right........... My prob. is that I never remember what I did to fix stuff heheheheh.......good luck
    ps, the "flash recovery" thingy has to do with the Realtek ethernet LAN thingy....which you should disable in its BIOS.....I forgot how to get to it, I think F11 or something like that while it shows when you are booting....Then it will still ask when you boot, but won't hang......

  • Macbook Pro issues with WRT120 in 11n mode

    WRT120 in N mode has the following problems
    - When the MBP wakes from sleep, the wireless scan takes a while (10s?) to find the router but doesn't connect. Forcing a connection to the router works.
    - Occurs on 2 MBPs, a 2011 model and a 2008 model
    - I can confirm the radio is in N mode by inspecting System Report->Wi-Fi->SSID->PHY Mode.
    - Security is WPA2 Personal with TKIP or AES
    The usability problem is basically that opening the MBP screen to wake it from sleep results in no network connection unless the user forces the connection.
    WRT120 running the latest firmware (v1.0.07 build 2 released 6/28/2012)
    If I set it to G mode (Mixed or B/G mode) with WEP, the wake-from-sleep scan finds the SSID right away and connects perfectly quickly.

    I'm running the latest OS X Lion on both MBPs and there are no additional driver updates.
    The wireless chipsets are interesting.
    - 2008 MBP has an Atheros WiFi chip
    - 2011 MBP has a Broadcom WiFi chip
    - WRT120N has an Atheros chip
    There do seem to be quite a few problems with OS X Lion and WiFi connections. There are lots of online postings. This problem seems to be on Apple's end, so I may have to wait for Mountain Lion to see if there is a fix.

  • Issue with Aperture full screen mode on HD 5870

    I have a very strange problem with Aperture, which may be linked to the HD 5870 and its probably faulty drivers, and would be very grateful if somebody with the same hardware could try this out to see if he/she can replicate this behavior:
    I have a brand new 6-core with the 5870 optional card using a dual display setup (ACD 23" and NEC PA241W).
    Whenever I enter full screen mode and activate the brushes, the image on the full screen monitor is reduced in size to about 70% of the full screen resolution. This also gets triggered when I use the HUD display ("H" key) and lock the floating window on the browser display.
    It's a bit hard to describe, but anybody with the same or similar setup, please try this:
    - enter full screen mode in Aperture by hitting "F"
    - press "H" and lock the window using the small slider in the upper right corner
    - activate any of the quick brushes, like dodge or burn
    Is your image, which is displayed full screen on the main monitor, getting smaller in size or is it starting to flicker a bit, getting darker? If yes, we have a universal bug here.
    I could narrow the problem down in the sense that it does not matter whether either screen is hooked up using DVI or the Mini DisplayPort. It also happens when I switch the main screen over to the other, so it's (fortunately) not a problem of my new NEC display; the ACD shows the same behavior.
    My best guess right now is some kind of bug in Aperture combined with a faulty driver of the HD 5870.
    Any help here is greatly appreciated.

    People have said that the Aperture library benefits from not being on the boot drive, and from being placed on an SSD or alternate drive, maybe RAID 0 in some cases.
    64-bit kernel mode helps overcome some of the limitations and obstacles when working with large data sets, which is why I always kept data off the system and placed it on RAID 0, which does improve system responsiveness.
    If you have already done that and taken steps to optimize your storage layout, it is hard to imagine it is a graphics driver.
    And I would limit removing caches to just Aperture's own, though it can't hurt to clean out the system's; that is something that SuperDuper will do if you use it, as it doesn't copy those and just skips caches and temp files that are best rebuilt (but does not touch user caches).
    And a touch of DiskWarrior just for good preventative maintenance measure, of course.

  • CSA issue with firewall rule

    I created a rule in CSA 6.0 that, by default, blocks any application on any machine from being connected to as a server.  On a DC we made an exception for the server to be connected to on UDP 53 for DNS.  However, we are seeing the messages below.  The port ranges, so far, from 30,000-65,000.  It seems odd that dns.exe would be accepting a connection as a server on all of those ports.  Has anyone seen this before or had this happen to them, or is this normal?  Also, it is running OpenDNS.
    Thanks,
    Jay
    Audit: The process 'C:\WINDOWS\system32\dns.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on UDP port 61660 from 208.67.220.220 using interface Wired\HP NC7761 Gigabit Server Adapter. The operation would have been denied.

    You are behind a hardware/appliance firewall, right? If so, that port should not be open, which tells me that this is an accept of a UDP reply from OpenDNS to a request the server made, and not an actual request from OpenDNS to your server, because all DNS traffic works on port 53 TCP/UDP as the destination port.

  • Issues with waking from "sleep" mode

    On a few occasions now, and more often than not, after waking the computer from sleep I get the message "You need to restart your computer".
    Usually I have a few programs open but not running, and sometimes I have an external hard drive connected and mounted, though not always.
    Any advice or suggestions would be welcomed.
    Thanks
    Tony

    Hi Eco,
    You are getting a kernel panic, which can be related to quite a few things and is only discoverable by eliminating all the options. Here are a few causes of kernel panics: bad RAM, peripheral driver conflicts, overheating and a few more obscure reasons that aren't worth mentioning now. The most common cause is RAM failure. Also, it's not unusual to have the hardware test come up with no faults when there clearly are faults.
    Do a web search for kernel panics and see what further info you can come up with. There is a good explanation on the Mac support site, but you can find some better info from other sources.

  • Issue with firewall

    The firewall doesn't seem to be working properly. When set to "Set access for specific services and applications", any software that should get added to the list isn't doing so.
    So I added them manually and, to test it out, had Safari on "block incoming connections", but it is still able to connect.
    Is there something I'm doing wrong?

    MaR13,
    Welcome to the Forums! From what I take of it, if you open Safari then the firewall allows you to use it; what blocking inbound connections does is stop someone outside of your computer from starting Safari and navigating it to a hostile site. The same goes for other such apps.
    Some light reading:
    http://www.macworld.com/article/131116/2007/12/firewall.html
    http://www.macworld.com/article/132558/2008/03/connect2504.html
    Hope that helps,
    Weston

  • ASA 5510 in Transparent Mode-Guidelines.

    Dear all,
    I need to convert routed mode to transparent mode on my ASA 5510 with built-in IPS.
    Let me know which of the following features configured on my firewall will have issues if converted to transparent mode:
    1. static routes.
    2. object-groups.
    3. ACLs.
    4. URL filter (Websense).
    5. IPS (I doubt this).
    6. I have 3 data and 1 Mgmt interfaces.
    7. syslog.
    8. SNMP
    I'm sure points 5 and 6 will have issues; I need to confirm.
    I need to confirm this by EOD
    (5 hours more).
    Thanks in advance.
    Shukla.

    Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
    In transparent mode the devices behind and in front of the firewall will be in the same IP subnet, as the firewall will be an L2 device!!
    ACLs can be configured normally
    syslog as well
    object groups as well
    Address translation is inherent when a firewall is configured for routed mode. Beginning with
    ASA 8.0, address translation can be used in transparent mode as well
    Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
    Does not support QoS.
    Inspects Layer 2 and higher packet headers
    As long as you can use
    policy-map global_policy
    then you can integrate with IPS, if you mean the AIP-SSM module
    Transparent is also known as a Layer 2 firewall or a stealth firewall, because its
    interfaces have no IP addresses and cannot be detected or manipulated. Only a single
    management address can be configured on the firewall
    In transparent mode, a firewall can support only two interfaces: the inside and the outside. If
    your firewall supports more than two interfaces from a physical and licensing standpoint, you
    can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are
    configured, the firewall does not permit a third interface to be configured.
    Some platforms also support a dedicated management interface, which can be used for all
    firewall management traffic. However, the management interface cannot be involved in
    accepting or inspecting user traffic
    Configure a management address:
    Firewall(config)# ip address ip_address subnet_mask
    The firewall can support only a single IP address for management purposes. The address is
    not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself,
    accessible from either of the bridged interfaces.
    The management address is used for all types of firewall management traffic, such as Telnet,
    SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
    A transparent firewall can also support multiple security contexts. In that case, interface IP
    addresses must be configured from the respective context. The system execution space uses
    the admin context interfaces and IP addresses for its management traffic
    You do not have to configure a static route for the subnet directly connected to the firewall
    interfaces. However, you should define one static route as a default route toward the outside
    public network
    I wish I covered all your questions
    good luck
    if helpful, rate

  • Cisco ASA 5512 Transparent mode

    Hi all - hope this is the right place to ask this question -
    I'm having trouble understanding how to configure an ASA 5512-X in what should be a really easy way -
    I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall (ASDM, syslog, configure, etc.).
    I have the interfaces set up thusly:
    interface GigabitEthernet0/0
    nameif UnTrustedNetwork
    security-level 0
    interface GigabitEthernet0/1
    nameif TrustedNetwork
    security-level 100
    interface Management0/0
    nameif ManagementAccess
    security-level 100
    ip address 192.168.X.Y 255.255.255.0
    management-only
    I cannot figure out how to install a default route so that interface Management0/0, with its IP of 192.168.X.Y, can be reached from
    other networks, like 10.6.X.Y, etc.
    I thought the point of a Management interface was that you could set things up in such a way that the Management interface
    was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces
    (at least not in transparent mode; for NAT you obviously would have to).
    I tried to add a static route entry to 10.6.X.Y, but
    when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
    How do I configure the Management interface so that non-local subnets are reachable on the firewall in transparent mode?

    A transparent firewall is configured differently from routed mode.
    Here's a basic config required:
    firewall transparent               (erases the current config; does not require a reboot)
    interface BVI1
    ip address 192.168.10.10 255.255.255.0
    interface GigabitEthernet0
    nameif outside
    bridge-group 1
    security-level 0
    interface GigabitEthernet1
    nameif inside
    bridge-group 1
    security-level 100
    route outside 0.0.0.0 0.0.0.0 192.168.10.254
    route inside 10.0.0.0 255.0.0.0 192.168.10.100
    I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic.
    The old syntax (pre-8.3 or 8.2, not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
    Hope that helps,
    Patrick

  • Transparent Mode

    Rather unconventional design that I am trying to test with a transparent mode firewall.... attached diagram
    Clients [VLAN 100] connected on an L3 switch with the SVI as default gateway
    Firewall using one physical port which is sub-interfaced with INSIDE-100 and OUTSIDE-200 interfaces
    What's working
    - ICMP when initiated from the L3 switch SVI to client VLAN 100 works fine, as I can see traffic through the firewall
    What's not working
    - Packet inspection when ICMP is initiated from client 10.x.100.10 to client 10.x.100.20 does not go through the firewall
    As the L3 switch is holding ARP and MAC, client to client will work. This is where I would like the transparent firewall to be the bump and have all client-to-client traffic go through the firewall. Note the default gateway for the clients is on the L3 switch, which cannot be changed.
    Will appreciate your comments. I would rather not go the routed mode path, and want to test to see if any solution with transparent mode works.

    Okay, so let's discuss the use of subinterfaces from the ASA point of view first.
    The subinterface with a VLAN in transparent mode is only used for carrying traffic from one interface and passing it on to the other interface. It doesn't exactly work like a switch, where traffic received on one VLAN will only be passed in the same VLAN. To avoid the confusion Cisco now terms it a BVI, where you can keep two separate VLANs under the same BVI. What this does is, say I have the following configuration on the ASA
    interface gi0/1.100
       vlan 100
       nameif inside
      bridge-group 10
    interface gi0/1.200
      vlan 200
      bridge-group 10
      nameif outside
    So this BVI interface bridges between VLAN 100 and 200. It means that if traffic is coming from VLAN 100, the ASA swaps VLAN 100 with VLAN 200 and forwards the traffic.
    So, points to remember:
    1) A transparent firewall is a switch with two interfaces with Layer 2 capability.
    2) A transparent firewall cannot be used for routing.
    3) A transparent firewall cannot do a U-turn of traffic (if you do a "same-security-traffic permit intra-interface" it will give you an error).
    Now coming to the topic of discussion.
                                  vlan 200, vlan 100
    client 1 (vlan 100) ------ switch ------------------------ gi0/1 ASA
    (10.x.10.100/24)              |              trunk
                                  |
                       client 2 (vlan 200) 10.x.10.200/24
    Okay, now 10.x.10.100 has to ping 10.x.10.200.
    1) Client 1 finds the destination is in the same network, so no question of the default gateway coming into the picture. Client 1 will try to find the MAC address of client 2. Hence it will send an ARP broadcast.
    2) The switch receives the ARP broadcast on VLAN 100. The switch sends this broadcast to all interfaces which are in VLAN 100 (this is important). On the trunk link the switch will add VLAN tag 100 to the broadcast frame.
    3) The ASA will receive this broadcast and, since it is a frame with VLAN tag 100, it will mark it as arriving on the inside interface.
    Here the ASA will have the information
    inside: MAC address of client 1
    4) Now, since it is a BVI, the ASA will simply re-tag the broadcast frame with VLAN 200.
    5) When the switch gets this broadcast, it has received it from VLAN 200, so it will forward it out of all interfaces in VLAN 200. (This is where, in Amar's case, since there is no interface in VLAN 200, the ARP dies.)
    6) Client 2 will now receive the ARP broadcast, open it and find it is related to it.
    This procedure will be repeated, since client 2 also needs client 1's MAC address.
    Any other questions?

  • Problems with Firewall settings

    Hello,
    I'm having some odd issues with Firewall. Clicking on "Security" causes me to get the pinwheel. It eventually loads, but it's very slow. I also have issues when I turn on the Firewall: I allow connections for screen sharing, but Back to My Mac shows orange and says that it may have issues. I also have issues with DVD sharing when I have allowed CD/DVD sharing in the options. Everything revolves around Security/Firewall. Is there anything I can do to diagnose these issues? I have a Time Capsule as my router.
    Thanks.
    I did look in Console and I do see this error sometimes when I click on the Security preferences tab:
    2/4/10 3:24:17 PM System Preferences[91476] Could not connect the action resetLocationWarningsSheetOk: to target of class AppleSecurity_Pref
    2/4/10 3:24:17 PM System Preferences[91476] Could not connect the action resetLocationWarningsSheetCancel: to target of class AppleSecurity_Pref
    Message was edited by: theBigD23

    I have a Time Capsule. I don't think that has anything turned on. I have the default settings. I know of other users with Time Capsule with the exact same problem.

  • Any compatibility issues with IE8 for STVN 2.1 Orgchart?

    Hi Experts,
    Just curious if there are any issues with running IE8 compatibility mode for Nakisa STVN 2.1 Orgchart?
    Thanks,
    Michael Dinh

    Hi Michael,
    IE8 Compatibility Mode is fine for use with STVN2.1 applications. As Stephen said, IE7 and IE8 are certified for SVSN3.0 but IE6 support has been discontinued.
    Best regards,
    Luke

  • Firewall Transparent Mode with IPS

    Dear All,
    I have the network setup shown below
    Router --- Firewall Transparent Mode --- Cisco Layer 3 switch
    I am planning to implement IPS. Which is the right place to put the IPS?
    The IPS is separate hardware. Let me know in which mode the IPS has to be enabled. Rgds - pramod

    Hello,
    If you have separate IPS hardware then place the IPS between the router and the firewall.
    You can use the IPS in inline or promiscuous mode.
    In inline mode all traffic will pass through the IPS first, and then after inspection will move to the firewall.
    And if you are using the IPS in promiscuous mode then a copy of the traffic will be sent to the IPS, and after that the inspection will be done.
    Thanks.

  • Connectivity Issues Cisco ASA 5515 in Transparent Mode

    Hi,
    We're having problems with one transparent mode setup at a customer site. The ASA is equipped with a CX module, but we're not using it; so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global ACL that allows any-any-IP.
    Firewall-Info:
    - ASA Version 9.1(2) 
    - Interfaces gi0/0 + gi0/2 without any interface errors
    The ASA 5515-X is configured as a "bump in the wire". In general our setup is working, but since the installation of the firewall the customer faces the following connection issues; without the firewall there are no problems:
    - Connections to SAP servers behind the MPLS begin to drop, affecting all users
    - Incoming monitoring sessions (ping/SNMP) from central management are facing ping timeouts and connection timeouts
    - HTTP downloads are stopping. Customer: it will stop responding and the download will fail.
    In general the customer describes it this way: "We do not have the best connection here, so once we connected the firewall all the problems are magnified"
    I recognized that we unconfigured the default inspection during initial setup and reconfigured this entry for the CX module. So the default inspection with all its settings is not present any more... How important are these settings? One phenomenon is that I've seen a large number of concurrent connections that increased over time. And we already had the situation that the firewall reached the max-conn count.
    Should I try to reconfigure the default inspection as it ships from the factory? And what's the best way to check for problems? What can be the reason for the dropping connections?
    I attached a network plan and the firewall config; hopefully somebody has an idea. Of course I can provide additional information...
    Best Regards
    Sebastian

    Hi Vibhor,
    Thanks for your reply. Does this also affect the traffic, even when the setting is set to "Monitor Only"?
    Is it recommended to configure the default-inspection rule as a default setting?
    Further question: I've read something about service policy rules having to be "reloaded" to take effect after they have been changed. Is that right, and how do I reload them?
    Here is an output from sh asp drop; do I have to care about certain values? These values result from two connected users doing some downloads over a 2 Mbit connection.
    ciscoasa# show asp drop
    Frame drop:
      Invalid encapsulation (invalid-encap)                                       10
      First TCP packet not SYN (tcp-not-syn)                                     114
      TCP failed 3 way handshake (tcp-3whs-failed)                                 3
      TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
      Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
      L2 Src/Dst same LAN port (l2_same-lan-port)                                260
      FP L2 rule drop (l2_acl)                                                  2958
      Interface is down (interface-down)                                        9420
      No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
      Dropped pending packets in a closed socket (np-socket-closed)               66
    Thanks
    Sebastian
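Added here as a worked example (not code from any post in this thread): a Python triage script that parses the "show interface" and "show asp drop" outputs quoted in the opening post and in Sebastian's ASA 5515 post above, and flags the drop reasons that usually point at a transparent-mode bridging problem. The per-counter hints are my own reading of what each counter normally means, not text from the thread; the embedded samples are the two quoted outputs, trimmed.

```python
"""Triage helper for a transparent-mode ASA: parse 'show interface' counters and
'show asp drop' output, then flag the drop reasons that usually mean the bridge
itself is misconfigured.  Added example, not from the thread; samples are the
outputs quoted on this page, trimmed to the lines the parsers use."""
import re

# Drop reasons specific to, or common on, a transparent firewall (TFW).  Each hint
# gives the usual meaning of the counter; the real cause must be confirmed on the box.
TFW_HINTS = {
    "l2_acl": "denied by a Layer 2 (EtherType) rule; check the ethertype access-group on both bridged interfaces",
    "tfw-no-mgmt-ip-config": "no management/BVI IP address on the bridge group; the ASA drops traffic until one is set",
    "l2_same-lan-port": "frame would leave on the interface it arrived on; check the VLAN-to-bridge-group pairing",
    "dst-l2_lookup-fail": "destination MAC not in the bridge table; check MAC learning on both sides",
    "interface-down": "a bridge-group member interface is down",
}
ASP_LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<code>[\w\-]+)\)\s+(?P<count>\d+)\s*$")
STATS_LINE = re.compile(r"^\s*(?P<count>\d+) packets (?P<kind>input|output|dropped)")
NIC_LINE = re.compile(r"^\s*(?P<count>\d+) (?P<kind>packets input|L2 decode drops)")
NIC_KEYS = {"packets input": "received", "L2 decode drops": "l2_decode_drops"}

def parse_asp_drop(text):
    """Return {code: (description, count)} for each counter line of 'show asp drop'."""
    counters = {}
    for line in text.splitlines():
        m = ASP_LINE.match(line)
        if m:
            counters[m.group("code")] = (m.group("desc"), int(m.group("count")))
    return counters

def parse_show_interface(text):
    """Return NIC-level 'received'/'l2_decode_drops' and, from the 'Traffic Statistics'
    section, 'input'/'output'/'dropped'; the section header decides which regex applies."""
    stats, in_traffic = {}, False
    for line in text.splitlines():
        if "Traffic Statistics for" in line:
            in_traffic = True
            continue
        m = (STATS_LINE if in_traffic else NIC_LINE).match(line)
        if m:
            key = m.group("kind") if in_traffic else NIC_KEYS[m.group("kind")]
            stats[key] = int(m.group("count"))
    return stats

def diagnose(show_interface_text, asp_drop_text):
    """Combine both outputs into a list of human-readable findings."""
    stats = parse_show_interface(show_interface_text)
    drops = parse_asp_drop(asp_drop_text)
    findings = []
    rx, dec = stats.get("received", 0), stats.get("l2_decode_drops", 0)
    if dec:
        findings.append("%d of %d received frames were L2 decode drops at the interface, "
                        "before the ASP drop counters" % (dec, rx))
    inp, out, dropped = (stats.get(k, 0) for k in ("input", "output", "dropped"))
    if inp and dropped == inp:
        findings.append("every packet accepted on this interface was dropped (%d/%d)" % (dropped, inp))
    if inp and out == 0:
        findings.append("nothing has been forwarded out; the bridge is not passing traffic at all")
    total = sum(count for _, count in drops.values())
    for code, (_, count) in sorted(drops.items(), key=lambda kv: -kv[1][1]):
        if code in TFW_HINTS:
            findings.append("%s=%d (%.0f%% of ASP drops): %s"
                            % (code, count, 100.0 * count / total, TFW_HINTS[code]))
    return {"stats": stats, "drops": drops, "findings": findings}

# Sample 1: 'show interface OUTSIDE' and 'show asp drop' from the opening post.
SAMPLE_SHOW_INTERFACE = """\
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
        8435 packets input, 680680 bytes, 0 no buffer
        8138 L2 decode drops
  Traffic Statistics for "OUTSIDE":
        297 packets input, 118503 bytes
        0 packets output, 0 bytes
        297 packets dropped
"""
SAMPLE_ASP_DROP_1 = """\
Frame drop:
  FP L2 rule drop (l2_acl)                                                   297
"""
# Sample 2: 'show asp drop' from the ASA 5515 post in this thread.
SAMPLE_ASP_DROP_2 = """\
Frame drop:
  First TCP packet not SYN (tcp-not-syn)                                     114
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
  L2 Src/Dst same LAN port (l2_same-lan-port)                                260
  FP L2 rule drop (l2_acl)                                                  2958
  Interface is down (interface-down)                                        9420
  No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
"""
```

Run diagnose(SAMPLE_SHOW_INTERFACE, SAMPLE_ASP_DROP_1) to see the opening post's symptom in one place: almost all frames discarded before inspection, and every packet that did reach the ASP dropped by the L2 ACL.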

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

    AFAIR, there is no problem setting up an AIP in a transparent firewall.
    "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
    the IPS will fail-open and the ASA will continue to pass traffic.
    However, if an interface or cable fails, then traffic will stop.  You
    would need a failover pair to account for this failure event, which
    means another ASA and matching AIP."
    And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
    What I would consider, however, is whether the ASA 5510 as a second-tier firewall for 5520s will be enough.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    HTH,
    Marcin
