Hi guys,
I'm just wondering, as I've to do this in the coming days, is there a particular procedure in upgrading the IOS on a 3750 Stack? Do I have to upgrade the IOS on all Switches in the Stack or just the Master?
Thanks,
Paul
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer
http://www.pknetworks.ie
I got it working,
I was only inspecting ICMP traffic, so I just added DNS and HTTP.
It's a steep learning curve.
Thanks,
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer
http://www.pknetworks.ie
Hi again,
I got ping working now from my laptop behind the ASA. There was an issue with NAT on the SSG.
Again, my setup is as follows:
laptop---ASA----SSG---InternetRouter-----INTERNET----FREE-DNS
From my laptop I can ping the DNS server 208.67.220.220
But I cannot browse the Web.
I moved...
Andy,
thanks again,
I did as you said and added the following:
class-map global-class
 match any
!
!
policy-map global-policy
 class global-class
  inspect dns
 class class-default
  inspect icmp
!
service-policy global-policy global
This no joy.
Here's some of the log output...
Hi,
packet trace tool now works to IPs on the internet, don't know what changed :-)
But when I do pings from the actual PC they fail :-(
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer
http://www.pknetworks.ie
Hi there,
I did the packet trace again;
The icmp packet passes the acl,
Is nat'd,
But the result shows the packet dropped with the reason:
(sp-securit-failed) Slowpath security checks failed.
Yes ADB100, you're right, my network is of the form:
PC---ASA5550----SSG350----Internet...
Andy,
thanks for the input.
I've made the changes you suggested.
I've now only one acl on the inside;
any any permit IP
Still not able to ping the dns server :-(
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer
http://www.pknetworks.ie
Here's my config:
asaprimary# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname asaprimary
domain-name vmware.com
enable password vs58aXBRi4lxH.QI encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 194.196.148.0 ATT_Network description from AT&T Router
name 10.20.30.2 DMZ_interface...
Hi thanks for the reply.
I can ping the DNS server from the internet.
In my security policy table I have a rule allowing ping and DNS through.
I run the Packet Trace tool and ping from a host on the LAN to the default gateway and it fails saying that the Implicit Deny rule has blocked the...
Hi,
I'm not sure what you mean by inspecting DNS traffic.
I've all IP traffic allowed through my firewall as far as I can tell but I cannot ping the dns server (208.67.220.220) from behind the firewall.
Any ideas why I can't even ping?
Thanks,
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer...
Hi,
I'm having a problem with my 5550 whereby DNS queries from a pc on the lan are being blocked even though I've all IP traffic allowed from the lan.
Here's my alarm:
172.16.30.x 208.67.220.220 Deny inbound UDP from 172.16.30.x/57671 to 208.67.220.220/53 due to DNS Query
Any ideas?
Thanks...
Hi again,
is it possible to do static dhcp on a cisco switch?
I found a document here:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gtdhcpsm.html#wp1060281
But I don't have the "origin" option within my DHCP configuration.
Is there any other way of doing this?
Thanks...
OK so once the new switch is running a similar release IOS adding it to the stack should work fine?
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer
http://www.pknetworks.ie
Hi there,
I have a stack of four WS-C3750-48PS-S Switches on the user lan.
I have one WS-C3750G-48TS-S that was assigned to training that now needs to join the user lan.
Is it possible or even advisable to add a WS-C3750G-48TS-S to the current stack??
Thanks,
Paul Kilcoyne B. Eng...
Hey,
I got it working, thanks for the tip.
I went to:
configuration>Properties>Device Access>HTTPS/ASDM>
selected my DMZ interface with the source 0.0.0.0 0.0.0.0
Thanks a million, won't have to think about this over the weekend now :-)
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer...
Hi there,
I've given up on https access for the time being.
Is there any way to ssh to the outside interface of a 5550?
Thanks,
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer
http://www.pknetworks.ie
Hi,
I have a newly installed ASA behind our outer firewall, I want to be able to access it from the Internet via the ASDM java programme.
What port would I have to forward to allow ASDM access?
Thanks,
Paul
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer
http://www.pknetworks.ie
Great,
thanks again. So I can configure my cisco router/ switch to do GLBP on the two interfaces my ISPs are connected into.
I'll let you know how I get on.
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer
http://www.pknetworks.ie
Lastly,
will this implementation of VRRP load balance internet traffic or will it just choose one ISP always above the other similar to redundancy?
Many thanks,
Paul Kilcoyne B. Eng.
Innealtóir/ Engineer
http://www.pknetworks.ie