Hello Friends,
Looking for some industry practice or advice on how to handle such a situation proactively.
I generally come across a situation where users report a disconnection of production application connectivity in the recent past (a few minutes or hours back) and would like to know the cause of the issue. Unless there is a state change of a routing protocol, HSRP, interface status, etc., the logging buffer (or syslog) doesn't suffice for the investigation; more logs are needed, like NAT translations in real time, or a check of whether the traffic had really reached the router. Is there a way to capture this information continuously?
I have heard that EPC (Embedded Packet Capture) can be used to monitor pass-through traffic, but it's CPU intensive.
Thank you,
Krishna
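One way to keep this kind of evidence on the router continuously, as an added example that is not part of the original post or any reply: Embedded Packet Capture in the classic IOS 15.x syntax (the monitor capture buffer / monitor capture point form found on ISR G2 routers such as the C3900; IOS-XE uses the newer "monitor capture <name> ..." form) writing into a circular buffer through a filter ACL, with each packet truncated to its first bytes so CPU and memory cost stay low, plus NAT translation logging to syslog. The host address, interface, TFTP server and object names are assumptions.

```cisco
! Added example (not from the thread). Assumed: 192.168.10.5 is the host that
! reported the problem, Gi0/0 is the WAN/NAT outside interface, 10.0.0.50 is
! a TFTP server reachable from the router.
!
! --- configuration mode ---
! Capture only the flows under investigation, not every transit packet.
ip access-list extended CAP-FILTER
 permit ip host 192.168.10.5 any
 permit ip any host 192.168.10.5
!
! Log NAT translation creation/deletion to syslog, so "was it translated at
! 10:42?" can be answered from the collector after the fact.
ip nat log translations syslog
logging host 10.0.0.60
!
! --- exec mode ---
! 2048 KB circular buffer; keep only the first 128 bytes of each packet so the
! L2/L3/L4 headers survive while the buffer holds many more packets.
monitor capture buffer CAPBUF size 2048 max-size 128 circular
monitor capture buffer CAPBUF filter access-list CAP-FILTER
!
! Capture point on the CEF path of the WAN interface, both directions,
! attached to the buffer and started; it keeps running until stopped.
monitor capture point ip cef CAPPT GigabitEthernet0/0 both
monitor capture point associate CAPPT CAPBUF
monitor capture point start CAPPT
!
! When a user reports a drop, inspect and export before the buffer wraps.
show monitor capture buffer CAPBUF parameters
show monitor capture buffer CAPBUF dump
show ip nat translations | include 192.168.10.5
monitor capture buffer CAPBUF export tftp://10.0.0.50/capbuf.pcap
```

Because the buffer is circular, old packets are overwritten; the wrap interval depends on the filtered traffic rate, so export promptly after a report. The syslog host line is what makes the NAT log survive a reload, since the local logging buffer is volatile.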
I just realized I don't need additional configuration, except for specifying the ASDM image in the system context.
Config in the system context:
    asdm image disk0:/<filename>.bin
Config in the non-system context:
    http server enable
    http <mgmt host> <mask> <associated interface nameif>
Hi,
I need to gain access to an ASA context using ASDM.
I am unable to configure the ASDM image syntax (asdm image disk0:/asdm-xxx.bin). However, the same syntax is valid when used in the system context. Please advise how I can fix this.
    FW1/contex1(config)# asdm ?

    configure mode commands/options:
      group     Associate object group names with interfaces. Warning: This
                option is designed for use solely by ASDM. Do not manually
                configure this option.
      history   Enable/Disable Device Manager data sampling
      location  Associate an external network object with an interface.
                Warning: This option is designed for use solely by ASDM.
                Do not manually configure this option.

    exec mode commands/options:
      disconnect  Specify ASDM session id to be disconnected after this keyword

=========== on system context ===========

    FW1(config)# asdm ?

    configure mode commands/options:
      history  Enable/Disable Device Manager data sampling
      image    Specify Device Manager image file path
Hello experts!
I need advice on potential reasons for interface output queue drops on a Cisco 2960 switch and how I can identify the cause.
I am observing drops on 2 interfaces, viz. a 5500 firewall (it's a 100 Mbps full duplex interface and getting over-utilized, which explains the drops) and 2x 1 Gig uplinks bundled in a port channel.
I have added the interfaces to PRTG for interface bandwidth utilization, and the uplink ports haven't exceeded their capacity; however, I still see the drops.
Thanks in advance!
Thanks again for your input.
I got some additional information on this:
In the profile, under “AnyConnect Profile Editor, Preferences (Part 1)”, the configuration has an option to uncheck auto update for the AnyConnect client, or you can set it as user controllable, which means the user can override this setting in the client.
If the version is higher on the client machine than on the ASA device, then the client will not be prompted for any upgrade.
Hello RJI, Thank you for your response.
Is there a way to push this setting to multiple workstations? Not sure if it is doable via ASA group policy.
Hi,
I have the below lines configured on my ASA, version 9.7.x. Whenever a user with a lower AnyConnect client version attempts to connect to this VPN, it prompts for upgrading the package.
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1
I intend to have a configuration on the ASA such that it will not prompt the user to upgrade the AnyConnect package if it is at minimum v4.x or v4.4.x. This will enable the users to connect to multiple VPNs using the same client and without the need to upgrade it.
For trial, I removed the statement:
    anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1
In this case, the users are unable to connect, with the message:
"The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."
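The three posts above (the original question about the upgrade prompt, the follow-up asking whether the setting can be pushed via ASA group policy, and the reply noting the Profile Editor's auto update option) fit together as one ASA configuration. The following is an added example, not configuration from the thread: the AnyConnect image line stays (removing it produces the "package ... could not be located" error quoted above), a client profile XML is stored on flash and assigned through a group policy so every user gets it at connect time, and the profile's AutoUpdate element (the "Auto Update" checkbox under Preferences (Part 1) in the Profile Editor, which the editor writes under ClientInitialization) is what suppresses the prompt. Profile name, file name, group-policy and tunnel-group names are assumptions.

```cisco
! Added example (not from the thread). Assumed names: RA-PROFILE, ra-profile.xml,
! GP-RA, RA-TG. The image version is the one quoted in the original post.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1
 ! Profile XML created with the AnyConnect Profile Editor and copied to flash;
 ! in it, <AutoUpdate UserControllable="true">false</AutoUpdate> under
 ! <ClientInitialization> disables the upgrade prompt while letting the user
 ! re-enable it locally.
 anyconnect profiles RA-PROFILE disk0:/ra-profile.xml
 anyconnect enable
!
! Attaching the profile to the group policy is what "pushes" it: the client
! downloads it on every connection, so all workstations get the same setting.
group-policy GP-RA internal
group-policy GP-RA attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value RA-PROFILE type user
!
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 default-group-policy GP-RA
!
! Verification: the profile should be listed and the policy should reference it.
show run webvpn
show run group-policy GP-RA
```

Setting UserControllable to "false" instead locks the choice on the client side, which is the safer default if the goal is that nobody silently disables updates; the post's goal of connecting to several gateways with one client is served either way, as long as each gateway assigns a profile with the same AutoUpdate value.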
Hello Experts,
Please help with below scenario:
Background:
I need to configure NAT on a C3900 router to retain the original IP address (referred to as identity NAT in firewalls).
Scenario:
There is an existing configuration that performs unconditional NAT, and that's causing a hindrance for a new connection. The ways to overcome it (as per me) are to convert the existing config to "conditional NAT" using a route map (needs downtime as it's in production) or instead configure a new NAT statement with identity NAT; not sure if this concept works in IOS.
Example:
    ip nat inside source static 1.1.1.1 1.1.1.1 route-map temp-test
Appreciate your help. Thank you in advance.
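The "conditional NAT using a route map" option mentioned in the post, written out as an added example (not configuration from the thread). In IOS, a dynamic NAT rule driven by a route map translates only packets the route map permits; a deny entry in the matched ACL excludes that flow from translation, so it leaves with its original source address, which is the identity-NAT effect the post is after. The existing unconditional rule, the inside subnet, the exempted destination and the interface are assumptions.

```cisco
! Added example (not from the thread). Assumed: inside subnet 192.168.10.0/24,
! the new connection is 192.168.10.5 -> 172.16.50.10 and must not be translated,
! Gi0/0 is the NAT outside interface.
!
! --- assumed existing, unconditional PAT ---
access-list 10 permit 192.168.10.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! --- replacement: conditional PAT ---
! Deny entries are NOT translated (packets pass with their real source);
! permit entries are translated as before. Keep the deny above the permit.
ip access-list extended NAT-TRAFFIC
 deny   ip host 192.168.10.5 host 172.16.50.10
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map NAT-POLICY permit 10
 match ip address NAT-TRAFFIC
!
! Swapping the rule is the disruptive step: existing translations tied to the
! old rule are dropped, so schedule this in a window.
no ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-POLICY interface GigabitEthernet0/0 overload
clear ip nat translation *
!
! Verification: the exempted flow must not appear in the translation table,
! while other inside hosts still get PAT entries.
show ip nat translations
show ip nat statistics
```

Because the exempted flow is sent untranslated, the remote side (172.16.50.10 here) must have a route back to the inside subnet; without that, the fix for the NAT problem turns into a routing problem, which is worth checking before the change window.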
Hi Julio, fantastic explanation!
I have queries regarding multiple contexts. I want to create a port channel on the firewall with sub-interfaces and assign them to contexts, for example Po1.10 to .20 for context1 and Po1.30 to .40 for context2.
1. Is such a configuration supported?
2. Should I allocate Po1 to each context and create the subinterfaces at the context level, or create them in the system context and allocate each subinterface to a context? Does it matter either way?
Thanks in advance
Krishna
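The layout asked about in the post, as an added example that is not from the thread or any reply. In multiple context mode the port channel, its member ports and its VLAN subinterfaces all live in the system execution space; contexts cannot create subinterfaces themselves, they receive them through allocate-interface and then configure nameif, security level and addressing. Member ports, VLAN numbers, config-url paths and context-side addresses are assumptions.

```cisco
! Added example (not from the thread). Assumed: Gi0/0 and Gi0/1 are the
! port-channel members, VLANs 10/20 belong to context1 and 30/40 to context2.
!
! --- system execution space ---
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
interface Port-channel1
 description Trunk to core
!
! Subinterfaces and their VLAN tags are defined here, once, in system.
interface Port-channel1.10
 vlan 10
interface Port-channel1.20
 vlan 20
interface Port-channel1.30
 vlan 30
interface Port-channel1.40
 vlan 40
!
! Each context is handed only its own subinterfaces; the physical
! Port-channel1 itself is not allocated to any context.
context context1
 allocate-interface Port-channel1.10
 allocate-interface Port-channel1.20
 config-url disk0:/context1.cfg
!
context context2
 allocate-interface Port-channel1.30
 allocate-interface Port-channel1.40
 config-url disk0:/context2.cfg
!
! --- inside context1 (changeto context context1) ---
! The context sees the allocated subinterface by its system name and only
! configures the L3 side.
interface Port-channel1.10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Port-channel1.20
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Verification from system: which context owns which interface.
show context
show interface ip brief
```

Allocating each subinterface explicitly, rather than giving Po1 itself to a context, keeps the VLAN-to-context mapping auditable from the system config, which is the place a reviewer will look when checking that two contexts cannot reach each other's segments.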
Hi Dinesh,
Appreciate the quick response!
That's very useful information.
Do you have any more information / recommendations for Context + VPN? (I am new to using contexts.) And for resource allocation.
Thanks in advance
Krishna
Hello,
I am planning to combine two ASA 5510s (used for separate S2S VPN requirements) into a single Cisco ASA 5512-X using contexts. I would like to know if anyone has deployed S2S VPNs in multi-context mode, any known issues, and how resource allocation is done (for example)?
Thanks in advance
Krishna
Hi!
On an ASA, suppose I apply an inbound control plane ACL on the outside interface; what will be the impact / consequence for the inbound traffic that is using the outside interface IP for PAT or static PAT?
The control plane ACL is applied to restrict to-the-box traffic.
Thanks in advance
Krishna
Hello Friends,
I have a query about VPN services on an ASA.
Can a single ASA host both VPN types, AnyConnect Remote Access and Site-to-Site IPsec (L2L)?
Except for licensing, are there any points to be considered while hosting both on the same device?
Thanks in advance.
Krishna
Yes, I agree it may be due to TCP intercept.
I dug further into this topic and found that other ASAs configured in the same manner with OS 8.2(5.xx) don't behave like this; however, the previous versions do. I am trying a version upgrade from 8.0 to 8.2; hopefully it fixes it. Fingers crossed!!