[c-nsp] Cisco ASA ASDM

Ibrahim Alsharif ib_cims at yahoo.com
Tue Nov 18 07:45:01 EST 2008


Hello Guys,
Thank you Jeff & Ryan,
I've solved the problem. All I needed to do was issue this command from one of the two contexts: admin-context C-A
C-A is one of the two contexts I have in addition to the admin context.

Thanks
Ibrahim Alsharif

________________________________
From: "cisco-nsp-request at puck.nether.net" <cisco-nsp-request at puck.nether.net>
To: cisco-nsp at puck.nether.net
Sent: Monday, November 17, 2008 5:47:54 PM
Subject: cisco-nsp Digest, Vol 72, Issue 72

Today's Topics:

  1. Dear Sender, (hans)
  2. Re: Virtual Routers (Ben Steele)
  3. Re: FWSM (3.1) - Memory and CPU issue (Varaillon Jean Christophe)
  4. Re: Catalyst 3750 stacks with many members (Phil Mayers)
  5. Re: Virtual Routers (Ben Steele)
  6. Re: tftp (Aaron)
  7. Cisco ASA ASDM (Ibrahim Alsharif)
  8. VSS SRND (Pavel Skovajsa)
  9. BGP Distribute List (Mike Louis)


----------------------------------------------------------------------

Message: 1
Date: Mon, 17 Nov 2008 10:25:36 +0100
From: "hans" <hans at beolink.com>
Subject: [c-nsp] Dear Sender,
To: cisco-nsp at puck.nether.net
Message-ID: <10811171025.AA05088 at beolink.com>

Dear Sender,

Thank you very much for your message. I am currently out of the office and will reply to your e-mail upon my return on Monday, November 24th.

Should you need immediate assistance, please call our office at +34 952 817 250.

Best regards,
Hans-Georg Luna Oesterreich


------------------------------

Message: 2
Date: Mon, 17 Nov 2008 21:38:33 +1030
From: "Ben Steele" <ben.steele at internode.on.net>
Subject: Re: [c-nsp] Virtual Routers
To: "'Holemans Wim'" <wim.holemans at ua.ac.be>,
    <cisco-nsp at puck.nether.net>
Message-ID: <000901c948a4$d4c7f380$7e57da80$@steele at internode.on.net>
Content-Type: text/plain;    charset="us-ascii"

You can do what you want without vrf using PBR, as you mentioned.

Using the standard svclc vlans the flow of traffic would be:

Outside Host ->6500 VLAN 1 -> FWSM -> 6500 VLAN 2(PBR set ip next-hop IPS)
-> IPS -> 6500 VLAN 3 -> Inside Host

So in this example physically the IPS would be cabled with 2 separate cables
(in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by
simply not including it in the IPS PBR acl.

Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim
Sent: Monday, 17 November 2008 7:01 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Virtual Routers

Is there a way to divide a 6500 into multiple 'Virtual Routers' with
different routing tables ? I've read about VRF-Lite but it is always
mentioned in a VPN environment with remote and central devices. I need
to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and
back into the same 6500. Maybe PBR would do the trick but I'm still
looking for some good and clear info on virtual routing in a LAN
environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

------------------------------

Message: 3
Date: Mon, 17 Nov 2008 13:11:47 +0200
From: Varaillon Jean Christophe <j.varaillon at cosmoline.com>
Subject: Re: [c-nsp] FWSM (3.1) - Memory and CPU issue
To: "'Cisco-nsp'" <cisco-nsp at puck.nether.net>
Message-ID: <000301c948a5$4bec2260$e3c46720$%varaillon at cosmoline.com>
Content-Type: text/plain; charset=us-ascii

Replying to my own post.

Concerning the CPU, this is a known issue:

CSCsi63155  "the CPU usage of one of the context goes up to 60% and it stays there"
(http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/release/notes/fwsmrn31.html#wp161596)

Christophe

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Varaillon Jean
Christophe
Sent: Friday, November 14, 2008 2:07 PM
To: 'Cisco-nsp'
Subject: Re: [c-nsp] FWSM (3.1) - Memory and CPU issue

>The CPU of context2 is never changing (stack at 62%) and this does not
>reflect at all the pattern of traffic/connection/translation that we get
>during a working day. What would keep the CPU so busy given that the
>amount of traffic is not the issue here?

This output shows clearly that the traffic is almost null but still it has
60% of CPU.
What could justify such a value?

FWSM/context2# show cpu usage
CPU utilization for 5 seconds = 60.5%; 1 minute: 62.2%; 5 minutes: 62.4%

FWSM/context2# show perfmon
PERFMON STATS:    Current      Average
Xlates              0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access          0/s          0/s
URL Server Req      0/s          0/s
TCP Fixup          279/s          0/s
HTTP Fixup          0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen          0/s          0/s
AAA Author          0/s          0/s
AAA Account          0/s          0/s
TCP Intercept        0/s          0/s

Thanks,

Christophe 



------------------------------

Message: 4
Date: Mon, 17 Nov 2008 09:57:42 +0000
From: Phil Mayers <p.mayers at imperial.ac.uk>
Subject: Re: [c-nsp] Catalyst 3750 stacks with many members
To: Holemans Wim <wim.holemans at ua.ac.be>
Cc: cisco-nsp at puck.nether.net
Message-ID: <20081117095742.GA30401 at wildfire.net.ic.ac.uk>
Content-Type: text/plain; charset=us-ascii; format=flowed

On Mon, Nov 17, 2008 at 09:34:55AM +0100, Holemans Wim wrote:
>Got some personal mails all in support of the stacking, saw only
>negative mails on the list, interesting...
>Price difference between 2x 3750 and a 6504 is not so small and a 6504

Sure, but you were talking about stacks of 7.

We've run stacks of 2 for years without trouble.


------------------------------

Message: 5
Date: Mon, 17 Nov 2008 21:54:20 +1030
From: "Ben Steele" <ben.steele at internode.on.net>
Subject: Re: [c-nsp] Virtual Routers
To: "'Ben Steele'" <ben.steele at internode.on.net>,    "'Holemans Wim'"
    <wim.holemans at ua.ac.be>, <cisco-nsp at puck.nether.net>
Message-ID: <000c01c948a7$08fc4aa0$1af4dfe0$@steele at internode.on.net>
Content-Type: text/plain;    charset="us-ascii"

Actually I just realised after I sent this that you will need to PBR the
last hop in the 6500 before the inside host too if you haven't brought it
into a vrf, otherwise the initial route will take hold and loop you back into
the FWSM again.



------------------------------

Message: 6
Date: Mon, 17 Nov 2008 09:51:01 -0500
From: Aaron <dudepron at gmail.com>
Subject: Re: [c-nsp] tftp
To: "chloe K" <chloekcy2000 at yahoo.ca>
Cc: cisco-nsp at puck.nether.net
Message-ID:
    <480dad640811170651o8f101cfy2ea6af511e11536d at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

What do you mean verify?
Assuming you mean verify the image was copied correctly, you can look at the
MD5 signature via the verify command.

To verify the checksum of a file on a flash memory file system or compute a
Message Digest 5 (MD5) signature for a file, use the verify command in
privileged EXEC mode.

verify [/md5 [md5-value]] filesystem:[file-url]

Cisco 7600 Series Router
verify {/md5 flash-filesystem [expected-md5-signature] | /ios flash-filesystem | flash-filesystem}



On Sat, Nov 15, 2008 at 3:33 PM, chloe K <chloekcy2000 at yahoo.ca> wrote:

> yes. it works
>
>  how can I verify the flash?
>
>  Thank you
>
> Mark Tinka <mtinka at globaltransit.net> wrote:
>  On Saturday 15 November 2008 19:57:18 chloe K wrote:
>
> > Hi
> >
> > How to copy the flash to tftp?
>
> #copy flash: tftp:
>
> Cheers,
>
> Mark.
>
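
An added example, not part of the original thread: one way to cross-check the copy that landed on the TFTP server against the hash the device prints for its flash file with "verify /md5". The file names, the sample session text and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Result line IOS prints once "verify /md5 <filesystem>:<file>" finishes.
VERIFY_LINE = re.compile(
    r"^verify /md5 \((?P<path>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})\s*$", re.M)

def parse_verify_output(session_text):
    """Return (path, md5) from captured 'verify /md5' output, else ValueError."""
    m = VERIFY_LINE.search(session_text)
    if m is None:
        raise ValueError("no 'verify /md5 (...) = <hash>' line found")
    return m.group("path"), m.group("md5").lower()

def file_md5(path, chunk_size=1 << 20):
    """MD5 of a local file, read in chunks so large images stay out of memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def copy_matches(session_text, local_copy):
    """True when the TFTP-side copy hashes to the value the device reported."""
    _, device_md5 = parse_verify_output(session_text)
    return hmac.compare_digest(device_md5, file_md5(local_copy))

def demo():
    """Constructed data: a stand-in image and the session text printed for it."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "example-image.bin"
        image.write_bytes(b"constructed image bytes" * 1000)
        session = ("Router# verify /md5 flash:example-image.bin\n"
                   ".........Done!\n"
                   f"verify /md5 (flash:example-image.bin) = {file_md5(image)}\n")
        intact = copy_matches(session, image)
        image.write_bytes(image.read_bytes()[:-1])  # simulate a truncated transfer
        truncated = copy_matches(session, image)
    return intact, truncated

if __name__ == "__main__":
    print(demo())
```

An MD5 match shows the transfer was not corrupted or truncated; MD5 is not collision-resistant, so it is not evidence against deliberate tampering.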


------------------------------

Message: 7
Date: Mon, 17 Nov 2008 06:51:23 -0800 (PST)
From: Ibrahim Alsharif <ib_cims at yahoo.com>
Subject: [c-nsp] Cisco ASA ASDM
To: cisco-nsp at puck.nether.net
Message-ID: <584081.58404.qm at web63805.mail.re1.yahoo.com>
Content-Type: text/plain; charset=us-ascii

Hello Dears,

I'm working on a single ASA 5540 device. I've configured it with two security contexts (C-A) & (C-B). When I access the ASA through ASDM, it shows only the (C-A) context;
only one context appears in ASDM.
What I want to know is how I can administer the two security contexts from ASDM.

Thank you,

Ibrahim Alsharif,



      

------------------------------

Message: 8
Date: Mon, 17 Nov 2008 16:23:43 +0100
From: "Pavel Skovajsa" <pavel.skovajsa at gmail.com>
Subject: [c-nsp] VSS SRND
To: cisco-nsp at puck.nether.net
Message-ID:
    <323aca890811170723l65655b92p38abd9eb8ecf0cba at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hello all,

does anybody have a clue when the VSS Block SRND is going to be
published on Design Zone? The Enterprise Campus 3.0 Architecture
(http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html)
states that:

""
Most campus environments will gain the greatest advantages of a
virtual switch in the distribution layer. For details on the design of
the virtual switching distribution block see the upcoming virtual
switch distribution block design, http://www.cisco.com/go/srnd.
""

This has been there for almost 6 months now, and still no VSS SRND....

Thanks,
Pavel Skovajsa


------------------------------

Message: 9
Date: Mon, 17 Nov 2008 10:47:31 -0500
From: Mike Louis <MLouis at nwnit.com>
Subject: [c-nsp] BGP Distribute List
To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Message-ID:
    <CBBF2C7B2547D14A910A349B58810AC23E3DF21071 at mncmx1.NWNIT.CORP>
Content-Type: text/plain; charset="us-ascii"

I have a distribute list setup to reference a prefix list in a bgp configuration. However the outbound filtering is not working and I have reset bgp connection with soft outbound reset.

Here is the config.

Any ideas why this is not working?

router bgp 100
no synchronization
bgp log-neighbor-changes
network x.x.230.160 mask 255.255.255.252
network 172.x.36.0 mask 255.255.254.0
network 172.x.253.152 mask 255.255.255.252
network 172.x.253.156 mask 255.255.255.252
network 172.x.255.0 mask 255.255.255.0
neighbor x.x.230.161 remote-as 65000
neighbor x.x.230.161 weight 500
neighbor x.x.230.161 distribute-list routeout out
neighbor 172.x.255.252 remote-as 65535
neighbor 172.x.255.252 distribute-list routeout out
no auto-summary

I have reset the BGP connections in the outbound with soft reset but still no luck. The router is receiving all routes from neighbors and relaying them to the other EBGP router.  I am not worried about inbound received routes, just outbound filtering based on a specific prefix list.

Any ideas?


------------------------------

End of cisco-nsp Digest, Vol 72, Issue 72
*****************************************