Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update from Cisco expert Mynul Hoda on configuration and troubleshooting of ASA 5500/PIX 7.0 and FWSM. Mynul is one of the lead engineers in High Touch Technical Support (HTTS) based in San Jose, California, where he has been working as a senior Security/VPN support engineer for more than five years. He routinely provides escalation support to his own team and other security support teams, provides training and boot camps, and answers customer questions on the Networking Professionals Connection e-community. He writes and reviews documents on the Cisco.com web site and maintains and updates training materials for the Security boot camp. His areas of expertise are troubleshooting and configuring Security/VPN technologies like AAA, Firewall, IDS, PPTP, IPSEC, MPLS/VPN, etc. Mynul is the author of "Cisco Network Security Troubleshooting Handbook" (http://www.ciscopress.com/bookstore/product.asp?isbn=1587051893&rl=1), which is a comprehensive troubleshooting guide for Cisco Network Security products like ASA, FWSM, ACS, AAA, IPSEC VPN, etc.
Remember to use the rating system to let Mynul know if you have received an adequate response.
Mynul might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 30, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
Does the ASA5510-SEC-BUN-K9 edition come with two devices, I mean two boxes (active and standby), or do you need to buy two ASA5510-SEC-BUN-K9?
Hi there!
Thanks for joining the "Ask the Expert" event and asking the first question.
The answer to your question is "YES": the ASA5510-SEC-BUN-K9 edition comes with both a primary and a secondary unit (2 units in total). So you just need one ASA5510-SEC-BUN-K9, not two, for an Active/Active or Active/Standby setup.
Hope this answers your question!
I don't agree with your response.
I think you need to order TWO of these bundles to get the function you need.
I would happily stand corrected - www.cisco.com is not at all clear and my channel distributor tells me you need 2....
Who is right, and can we feed this clarification into the web site please, to save others worrying about this....
Thanks for the follow-up. I am communicating with the Product team to get this cleared up and will then suggest to them that they make it clearer in the CCO document.
Please stay tuned.
Thanks for being patient on this. Yes, your channel partner is correct: this includes only one ASA 5510. One other piece of information pointed out by the product team is that you cannot set up Active/Active with ASA 5510; only Active/Standby is supported.
Please, take a look at this -
Please, take a look for the model comparison information:
Please, let me know if you have any follow-up questions.
I'm currently implementing IPS using an AIP-SSM-10 with an ASA 5510, and I have a problem with the ASA. With the IPS function currently disabled, I keep receiving complaints about blocked/slowed connections to an Oracle server on port 8000 from remote-office hosts. I traced with syslog and received a large number of messages related to the Oracle server IP address.
The diagram of the network is a bit like this:
[ASCII network diagram garbled in extraction; the nodes shown are: Oracle server, switch, ASA 5510, router, remote user, router]
and the syslog messages look like:
302013: Built inbound TCP connection 1662347 for OUTSIDE:192.168.5.52/1311 (192.168.5.52/1311) to inside:192.168.10.206/8000 (192.168.10.206/8000)
302014: Teardown TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 to inside:192.168.10.206/8000 duration 0:00:00 bytes 542 TCP FINs
302013: Built inbound TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 (192.168.5.52/1310) to inside:192.168.10.206/8000 (192.168.10.206/8000)
302014: Teardown TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 to inside:192.168.10.206/8000 duration 0:00:00 bytes 539 TCP FINs
302013: Built inbound TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 (192.168.5.52/1309) to inside:192.168.10.206/8000 (192.168.10.206/8000)
106015: Deny TCP (no connection) from 192.168.5.52/1302 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
302014: Teardown TCP connection 1662338 for OUTSIDE:192.168.5.52/1308 to inside:192.168.10.206/8000 duration 0:00:00 bytes 538 TCP FINs
106015: Deny TCP (no connection) from 192.168.5.52/1301 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
106015: Deny TCP (no connection) from 192.168.5.52/1298 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
106015: Deny TCP (no connection) from 192.168.5.52/1303 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
Can you help me? I'm completely stuck on this problem...
All this is saying is that connections are getting built up and torn down immediately. This may or may not be an issue on the ASA, and from the syslog it's not possible to draw any conclusion.
I have looked at the config and saw that you have assigned security level 0 on every interface and then permitted inter-interface communication. Can this be changed? Can you please change the interface inside to 100 and see if that makes any difference?
Capture a sniffer trace at the source or the destination point to see if the servers/clients are indeed sending the FIN to tear down the connections so quickly. To me, it's a problem somewhere other than the ASA.
As you have configured the Transparent FW, you should have the same security level. So, please ignore the first suggestion.
However, please follow the 2nd suggestion about taking the sniffer traces for analysis.
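As an added illustration of the expert's reading of the syslog (connections built and torn down within the same second, plus 106015 "no connection" denies for late FIN/ACKs), here is a small parser for the three ASA message IDs quoted in the question. It is example code written for this page, not from the original thread or from Cisco; the sample log is constructed from the quoted message formats, with one extra long-lived teardown line added so the short-lived filter has something to exclude. The one-second threshold and the `findings` wording are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the ASA message IDs quoted in the thread
# (302013 built, 302014 teardown, 106015 deny / no connection). The final
# teardown line is an invented long-lived flow, added so the short-lived
# filter has something to leave out.
SAMPLE_LOG = """\
302013: Built inbound TCP connection 1662347 for OUTSIDE:192.168.5.52/1311 (192.168.5.52/1311) to inside:192.168.10.206/8000 (192.168.10.206/8000)
302014: Teardown TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 to inside:192.168.10.206/8000 duration 0:00:00 bytes 542 TCP FINs
302013: Built inbound TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 (192.168.5.52/1310) to inside:192.168.10.206/8000 (192.168.10.206/8000)
302014: Teardown TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 to inside:192.168.10.206/8000 duration 0:00:00 bytes 539 TCP FINs
106015: Deny TCP (no connection) from 192.168.5.52/1302 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
302014: Teardown TCP connection 1662338 for OUTSIDE:192.168.5.52/1308 to inside:192.168.10.206/8000 duration 0:00:00 bytes 538 TCP FINs
106015: Deny TCP (no connection) from 192.168.5.52/1301 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
302014: Teardown TCP connection 1662399 for OUTSIDE:192.168.5.52/1400 to inside:192.168.10.206/8000 duration 0:05:12 bytes 90210 TCP FINs
"""

# re.search is used so an optional "%ASA-6-" severity prefix does no harm.
BUILT = re.compile(r"302013: Built (inbound|outbound) TCP connection (\d+) for "
                   r"(\w+):([\d.]+)/(\d+) \(\S+\) to (\w+):([\d.]+)/(\d+) \(\S+\)")
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+) to "
                      r"(\w+):([\d.]+)/(\d+) duration (\d+):(\d\d):(\d\d) bytes (\d+) (.+)$")
DENY = re.compile(r"106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) "
                  r"flags (.+?) on interface (\w+)")


def parse_line(line):
    """Turn one syslog line into an event dict, or None if it is not one of the three IDs."""
    m = BUILT.search(line)
    if m:
        return {"type": "built", "conn_id": int(m.group(2)),
                "src": m.group(4), "sport": int(m.group(5)),
                "dst": m.group(7), "dport": int(m.group(8))}
    m = TEARDOWN.search(line)
    if m:
        hours, mins, secs = int(m.group(8)), int(m.group(9)), int(m.group(10))
        return {"type": "teardown", "conn_id": int(m.group(1)),
                "src": m.group(3), "sport": int(m.group(4)),
                "dst": m.group(6), "dport": int(m.group(7)),
                "duration": hours * 3600 + mins * 60 + secs,
                "bytes": int(m.group(11)), "reason": m.group(12).strip()}
    m = DENY.search(line)
    if m:
        return {"type": "deny", "src": m.group(1), "sport": int(m.group(2)),
                "dst": m.group(3), "dport": int(m.group(4)),
                "flags": m.group(5), "iface": m.group(6)}
    return None


def summarize(log_text, short_seconds=1):
    """Count builds, teardowns, short-lived teardowns and no-connection denies."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    teardowns = [e for e in events if e["type"] == "teardown"]
    short = [e for e in teardowns if e["duration"] < short_seconds]
    denies = [e for e in events if e["type"] == "deny"]
    return {
        "built": sum(1 for e in events if e["type"] == "built"),
        "teardown": len(teardowns),
        "short_lived": len(short),
        "short_lived_bytes": sum(e["bytes"] for e in short),
        "deny_no_connection": len(denies),
        "deny_flags": dict(Counter(e["flags"] for e in denies)),
        "top_flows": Counter((e["src"], e["dst"], e["dport"]) for e in events).most_common(3),
    }


def findings(summary, churn_ratio=0.5):
    """Plain-language hints matching the expert's advice: the log alone cannot blame the ASA."""
    notes = []
    if summary["teardown"] and summary["short_lived"] / summary["teardown"] >= churn_ratio:
        notes.append("most connections close within a second: capture at client and server "
                     "to see which side sends the FIN first")
    if summary["deny_no_connection"]:
        notes.append("106015 with FIN ACK means the flow was already removed after the FINs; "
                     "a late FIN/ACK is dropped, which is expected with this churn")
    return notes


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key, value in s.items():
        print(f"{key}: {value}")
    for note in findings(s):
        print("-", note)
```

Run it against a real syslog export by replacing `SAMPLE_LOG` with the file contents; the parser ignores any line that is not one of the three message IDs, so the whole log can be fed in unfiltered.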
Hi Mynul,
We need to create a site-to-site VPN tunnel with a PIX. Our network is as follows:
LAN (192.168.1.X) --- PIX (public IP) --- (public IP) Router --- INTERNET --- Router --- PIX --- LAN
Our network address is 192.168.1.X; we have hundreds of PCs in our LAN,
but the network administrator of the other LAN asks us to use 172.16.1.X as our network address.
We don't want to reconfigure all our PCs.
Is there any command we can use on the PIX to avoid the reconfiguration of our LAN?
You do not need to reconfigure your LAN. All you need to do is translate your LAN IP addresses into something else so that you can build up the tunnel based on the translated IP address.
What version of code are you running on the PIX? Here is an example of how to do that between a VPN 3K and a PIX, but the idea is the same between PIX and PIX:
I need some urgent help on recreating the VPN traffic on an ASA 5540 from PIX.
Hello there!
Please provide me the requirement as to what you are trying to accomplish - the business need! I shall try my best to get you there!
Waiting for more details from you.
Dear Mr. Hoda!
I have a question about ASA too.
I've read the ASA document from Cisco: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ip.htm#wp1047894
I've seen the sentences below:
- You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.
- If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the message "ERROR: Cannot add route entry, possible conflict with existing routes."
But when I configured the ASA with 2 default routes on different interfaces (example: outside1 and outside2), the "ERROR" message did not occur.
Please help me explain the difference between the document and the configuration based on fact.