Hello all, I have 2 data centers conencted via WAN and each has their own Internet conenction.  One of the site's Internet is close to maximum bandwidth and we want to use the second site's Internet for future connections.  The problem is the core switches in each site has a default rout to their local firewalls, so even if I can NAT on the firewall, the return traffic goes out whichever firewall is local and will fail. So, my plan is to change the source IP address of the packets to be an address on the inside interface's LAN subnet.  That way it is routed back to the proper firewall.  I am able to do this with the following code, but this code only works with a static one to one NAT.  I am limited in public IP addresses, so I want to NAT on a per port basis.  Each time I try to change the any any to a specific port, it fails.  Any siggestions? object network host-inside-int host 10.1.52.172 object network host-outside-nat1 host 10.1.43.3 access-list outside_in extended permit icmp any any access-list outside_in extended permit ip any any nat (outside,inside) source dynamic any interface destination static host-outside-nat1 host-inside-int nat (outside,inside) source dynamic any interface destination static host-outside-nat1 host-outside-nat1 object network host-inside-int nat (inside,outside) static host-outside-nat1 access-group outside_in in interface outside route outside 0.0.0.0 0.0.0.0 10.1.43.1 1 route inside 10.0.0.0 255.0.0.0 10.1.42.1 1 Thanks! ... View more

Hello All, I am in the process of evaluating our disaster recovery plans and found that my company has redundant network connections, but does not have it implemented in a way that allows recovery of a failure.  My company has 4 locations, all conencted via WAN circuits (all point to point with multiple vendors).  We also have an Internet connection in each location.  So, the core switches in each site have a static route to the ISP for all Internet traffic. So, when we have Internet issues in a site, the plans are to use the WAN conenction as a backup.  This only seems to work at the moment when we manually change the default route on our LAN switch to point to the WAN rather than the Internet provider.  This isn't ideal since it only works when the primary Internet connection is down. I would like to use the secondary Internet connection not only as a backup for failure, but also for services to be reachable via two Internet connections, like a website.  At this point, when we create a nat on a remote firewall, the traffic comes in but cannot go back because it is routed out the local Internet. Can someone please help describe how to go about enabling inbound access from the Internet via the primary or secondary Intertnet connection of a data center. Thanks! ... View more

I have an ASA, an ACS appliance, Active Directory, and RSA securID. SSL users should only authenticate with AD, while IPSec users should only authenticate with RSA. Not yet using anyconnect. here is my scenario: ACS -- AD - Dynamic users are created in ACS when authenticated with their AD domain login/password ACS -- AD - AD Group mapping to put user in the correct ACS group ASA SSL - matches username in ACS group to display customized SSL bookmarks all looks good ACS -- RSA - static users in ACS assigned to RSA group in ACS configured for authentication with external RSA DB ASA IPSec - Authenticates with ACS Question: How does the ASA or ACS know to authenticate IPSec users ONLY via RSA and SSL users only via AD? What do I have to do to not allow a windows user to simply enter their AD login/password into thei IPSec client and login. I could see this become common with users who dont have their keyfob handy or forget to use it. Thanks! ... View more

I am fairly new to content engines allthough I think I understand the concepts. I have about 80 content engines in remote sites and the person who set them up , did it for web traffic to permit and deny specific sites that each remote office wants to access or not. I want to extend this to do file share caching. Can this be done on the same physical CE or do I need another box? They are internal to the 3825 routers. Thanks! ... View more

We are currently using checkpoint and are moving to ASA5520. We also have a clientless SSL vPN appliance to roll into the ASA too. My question is, how can I use the ASA for SSL VPN and IPSec VPN with RSA secureID? Can I do this for a select group of users, because most of the population do not have secureID tokens? ... View more

It has been recommended to me to converge my internal network and public Internet into a single 6509 switch with FWSM. I was told to do it with VLANS and that it would have line speed performance. How can this be done? ... View more

I have an older 6509 with dual sup 2+ and 6348 blades and some old fiber cards. All running on Cat OS. I need to upgrade this to IOS without losing the config. Is there a way I can stage it onto a flash card? How do i roll back in the evnt it fails or is it worth it to troubleshoot and continue to move forward? I would rather not have to do it twice. ... View more

I have a hub site which was part of an aquisition, but is now completely trsuted. They have a linux firewall with 192.168.0.x LAN addresses, but are all 1 to 1 static natted to 10.161.0.x addresses. I need to figure out how to remove the linux fw with either a vlan or something, but be able to preserve the IP addresses at least until I can have all the devices change their IP to the correct addresses. There are a lot of apps using the natted IP addresses and not DNS. There are some using the non natted IP when accessed internally on the segment. Can I put in a vlan with primary and secondary addresses for both old and new segments and just route it to my WAN? ... View more

I currently have an ATM frame in place with 2 hub locations where my frame PVC all come back to for corporate apps and Internet. I want to implement MPLS and am nervous about the any to any when a virus were to spread from one remote site to another while not infecting a hub site and go undetected. Cisco's proposal is to ASA at the hub sites all remote traffic and remove the any to any theory of MPLS with routing to a hub site. How will this impact performance, routing, VoIP or any future network plans? I don't want unecessary traffic to the hub sites if I don't have to, but I want it a secure as possible. ... View more