Shulou(Shulou.com)06/01 Report--

1. ASA5510 + Security Plus License! ASA series support for high availability

A:

ASA5505 basic license does not support HA, through Security Plus license. Can support stateless Active/Standby and redundant ISP

ASA5510 basic license does not support HA, but can support FO of A & An and A / A through Security Plus license.

For the above series of ASA5520, the basic license supports the FO of A & An and A / S.

How many ports are available for 2.ASA5510? What's the rate?

A:

Prior to Cisco ASA 5510 7.2.2, Base License is available with 3 FE,Plus License and 5 FE.

Cisco ASA 5510 7.2.2 and later versions are available with 5 FE, whether Base or Plus.

Cisco ASA 5510 7.2.3 and later Base available 5 FE,Plus will upgrade two FE ports to GE ports (2GE+3FE).

3. About the authorization of PIX's HA.

A: one firewall must use UR authorization, the other firewall uses Failover-Active/Active (FO-A/A) authorization, or both devices must be UR license.

One firewall must use UR authorization, and the other firewall must use Failover (FO) or Failover-Active/Active (FO-A/A).

If there is only one firewall, the purchase of a FO or FO-A/A license cannot be used and must be used with a firewall with an UR authorization.

4. Does FWSM support the coexistence of routing mode and transparent mode in multi context mode?

A: FWSM supports the mixing of routing mode and transparent mode in multi context mode after version 3.1.

Can the IPS function of a 5.ISR router be implemented only by IOS software?

A: you can choose the IPS module. The model is AIM-IPS-K9 and the platform is ISR 1841, 2800, 3800 series routers.

6. How do I use the electric port on the SUP720 engine, that is to say, which command allows me to switch from the SFP port to the electric port?

A: for specific commands, please see media-type {rj45 | sfp} in API configuration mode.

Yes, the Catalyst 6500 can support AC and DC hybrid power access.

Does the Supervisor Engine 32 PISA engine of the 7.Cisco Catalyst 6500 series support MPLS traffic?

A: yes, it can be supported.

Where can I download the PDLM file of 8.Supervisor Engine 32 PISA series engine products if they use the NBAR feature?

A: you can download it through the following link: www.cisco.com/cgi-bin/tablebuild.pl/pdlm

Can 9.Cisco Pix upgrade to version 8.0 support SSL × ×?

A: Cisco Pix can be upgraded to the latest version 8.0 software, but Pix cannot support SSL × ×.

10. Why is there no Xlate parameter on ASA DataSheet?

> xlates=max conns, why is it equal to? Architectural reasons:)

11. How to configure ASA dual links?

> > http://www.cisco.com/warp/customer/110/pix-dual-isp.html

Http://www.cisco.com/en/US/products/hw/***devc/ps2030/products_configuration_example09186a00806e880b.shtml

Http://www.cisco.com/en/US/products/hw/***devc/ps2030/products_configuration_example09186a00806e880b.shtml

Http://kbase:8000/paws/servlet/ViewFile/70559/pix-dual-isp.xml?convertPaths=1

Http://www.cisco.com/en/US/customer/products/hw/***devc/ps2030/products_configuration_example09186a00806e880b.shtml

Http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/ip.htm#wp1047900

twelve。 Please list the anti-Feature supported by ASA5550, such as anti-SYN Flood, Smurf, ipspoof, etc.

> against denial of service (DoS) attacks, such as SYN floods, Internet Control Message Protocol (ICMP) floods, teardrops, port scans, pings of death, and many other common attacks

13. What is the role of ASA5510-SEC-PL? Answer: ASA 5510 Security Plus License w / HA, GE, more VLANs + conns

Cisco ASA 5510 Security Plus license (provides Active/Active

And Active/Standby high availability, increased session and

VLAN capacities, and additional Ethernet interfaces)

This license improves the performance of ASA5510

One: 130000 sessions. Default is 50000.

Two: contains 2 contexts

Three: 5 etheric ports, 2 GE + 3FE

Four: 100 VLAN. Default is 50.

Five: × × clustering and load balancing

Six: high availability, support for A / S

14. When the firewall does A / A, the ARP time out value is 14400, what is the minimum value?

In answer to your question:

-Cisco recommends keeping the default ARP timeout to 14400 second (4

Hours). At a minimum, is should be greater than the CAM timeout for your

Switches which is 300seconds (5 minutes).

-The ARP timeout can be seen in the output of a show interface

-The ARP timeout can be changed using the "arp timeout" in the

Interface configuration mode.

The following diagram explains on a high-level the ip-address that are assigned to the primary and secondary cisco ASA devices in this example.

In the above diagram:

Ext0-Assign your external ip-address to this interface. Ext0 indicates that this is connected to the port 0 on the device.int1-Assign your internal ip-address to this interface. Int1 indicates that this is connected to the port 1 on the device.fail3-Assign an internal ip-address to this interface that will be used between the primary and secondary devices during failover. Fail3 indicates that this is connected to the port 3 on the device.

On the Cisco ASA 5520 model, it has 4 ports on the back, marked as 0, 1, 2 and 3. In our example, we'll be using port 0, 1, and 3 as explained above.

Other than the 4 network ports, you'll also see slots marked as mgmt, usb, usb, console, aux, flash card.

While the example mentioned here was done on Cisco ASA 5520 model, the same configurations will work on other Cisco ASA 5500 series. I.e Cisco ASA 5510, Cisco ASA 5505 etc.

1. Setup failover interface on Primary ASA

Connect your laptop serial port to the primary ASA device using the console cable that came with the device.

Use PuTTY-> Select "Serial"-> Make sure serial line is set to "Com1"-> and speed is set to "9600"

Execute the following commands to mark the port 0/3 as failover lan unit primary.

Enableconfig tfailover lan unit primaryinterface gigabitEthernet 0/3no shutdown

2. Assign the failover ip-address on Primary ASA using LANFAIL

Execute the following commands which will assign "10.10.1.1" (the one marked as fail0 in the diagram above) to the 0 This device should also know what is the failover ip-address of the standby 3 interface on the primary device. This device should also know what is the failover ip-address of the standby. In this example, it is 10.10.1.2

You should also specify a failover key. Make sure the same key is used when you are configuring failover on the secondary device. In this example, the failover key is "secretkey"

Failover lan interface LANFAIL gigabitethernet 0/3failover interfaces ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2failover key secretkeyfailover link LANFAILexitshow failover

3. Assign the External ip-address on Primary ASA

Execute the following commands which will assign "174.121.83.47" (the one marked as ext0 in the diagram above) to the 0 interface on the primary device. This device should also know what is the external ip-address of the standby ASA device. In this example, it is 174.121.83.48

Show runconfig tinterface gigabitEthernet 0/0nameif externalip address 174.121.83.47 255.255.255.0 standby 174.121.83.48no shutdownexit

4. Assign the Internal ip-address on Primary ASA

Execute the following commands which will assign "192.168.1.47" (the one marked as int0 in the diagram above) to the 0 This device should also know what is the internal ip-address of the standby ASA device 1 interface on the primary device. This device should also know what is the internal ip-address of the standby ASA device. In this example, it is 192.168.1.48

Interface gigabitEthernet 0/1nameif internalsecurity-level 100ip address 192.168.1.47 255.255.255.0 standby 192.168.1.48no shutdownexitshow run

5. Verify the configuration on Primary ASA

Execute the following commands to verify the failover configuration that has been setup so far on the Cisco ASA primary device.

Monitor externalmonitor internalexitshow failoverfailoverexitshow failover interfaceshow failover

6. Setup failover interface on Secondary ASA

Connect your laptop serial port to the secondary ASA device using the console cable that came with the device.

Use putty-> Select "Serial"-> Make sure serial line is set to "Com1"-> and speed is set to "9600"

Execute the following commands to mark the port 0/3 as failover lan unit secondary

Enconfig tno failoverfailover lan unit secondaryinterface gigabitEthernet 0/3no nameifno shutdownfailover lan interface LANFAIL gigabitEthernet 0/3

7. Assign the failover ip-address on Secondary ASA using LANFAIL

Execute the following commands which specifies the primary LANFAIL ip-address is 10.10.1.1 and standby is 10.10.1.2

You should also specify a failover key. Make sure the same key that you used while configuring primary ASA is used here also. In this example, the failover key is "secretkey"

Failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2failover key secretkeyfailover link LANFAILfailoverexitshow run

8. Automatic Configuration Copy from Primary to Secondary ASA

On you configure the LANFAIL as shown above, all other configurations are automatically copied from the primary Cisco ASA device to the standby cisco ASA device.

Show failoverconfig tinterface gigabitEthernet 0/3no shutdownexitshow failover

9. Setup Additional Configuration on ASA Primary

Setup additional configurations on the Cisco ASA primary device as shown below. This includes, hostname setup, domain name setup, route setup, allow http and ssh on internal ip-address for the cisco ASA primary.

Configno monitor managementhostname FW-PRIMARYdomain name thegeekstuff.comrouter external 0.0.0.0 0.0.0.0 174.121.83.0exitconfig thttp 192.168.0.0 255.255.0.0 internalssh 192.168.0.0 255.255.0.0 internal

Note: All the above configuration will be copied over automatically to the Cisco ASA standby device, as the failover is already configured. The only thing you need to setup on Cisco ASA standby is the hostname as "FW-STANDBY" as shown below.

Config thostname FW-STANDBY

Finally, view the current running configuration, and write it to the memory as shown below.

Show runwrite mem

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.