getXML('Firewalling10590 milfrankrodriguezNov 17, 2009, 8:05am PSTHi,<br /><br />I have just set up my 1st ASA firewall. I have an L2L between my 2 sites setup without a problem. However when I try to use the vpn client, it connects fine but I cannot get access to the remote LAN<br /><br />I have attached my config, can anyone tell me where i'm going wrong?<br /><br /><b>Attachment Keywords : </b> <br />1) asaconfig.txt<br /> asaconfig.txt123679text/plaintext437011/17/2014no30 branfarm1Nov 17, 2009, 8:13am PSTAre the RemoteLAN addresses the networks listed in Access-list 101?<br /><br />It looks like you have access-list 101 defined as a split-tunnel ACL for the VPNClt tunnel-group. With split tunneling you are telling the VPN client which networks to protect, or in other words, which networks to send down the tunnel. If you are trying to reach the remote LAN through the VPN client tunnel, you don't want to have split tunneling enabled.<br /><br />You need access-list 101 as part of your L2L tunnel, so don't remove it.milfrankrodriguezNov 17, 2009, 8:24am PSTThanks for your quick reply<br /><br />Yes the RemoteLAN addresses are in 101<br /><br />I have disabled split tunneling now but still can't seem to access remote lan branfarm1Nov 17, 2009, 8:30am PSTSince both VPN's are off of the outside interface, your traffic is entering the ASA on the outside then attempting to leave via the outside as well. Try using the "same-security-traffic permit intra-interface" CLI command, or check the "Enable traffic between two or more hosts connected to the same interface" box on the Interfaces page in ASDM. branfarm1Nov 17, 2009, 8:35am PSTAlso, you will need to add 192.168.254.1-192.168.254.50 to your NAT exemption list. Otherwise, as the traffic tries to leave via the outside interface it will be PAT'd to your outside address. <br /><br />Once you change the NAT exemption, you'll need to update your ACL 101 to make traffic sourced from 192.168.254.0, bound for the Remote LAN, use the VPN.milfrankrodriguezNov 17, 2009, 8:39am PSTapplied "same-security-traffic permit intra-interface"<br /><br />Still no luckmilfrankrodriguezNov 17, 2009, 8:46am PSTI have updated my nat exempt list<br /><br />I'm not sure what you mean by this :"you'll need to update your ACL 101 to make traffic sourced from 192.168.254.0, bound for the Remote LAN, use the VPN"<br /><br />How do I do that? branfarm1Nov 17, 2009, 8:57am PSTIf you look at your L2L vpn config, you're using ACL 101 to specify what is called "interesting traffic." This means that traffic that matches the ACL will either trigger the VPN to build (initially) or be sent to the VPN, instead of routing outside normally. <br /><br />What you are attempting to do is have traffic coming from your VPNclt machines be able to reach the remote LAN via your L2L VPN. So you need to be able to have the PIX recognize that traffic from your VPNClt's destined for the RemoteLAN need to also be sent to the VPN.<br /><br />Your ACL 101 should be something like this:<br /><br />access-list 101 extended permit ip <local_source_ip(s)> <mask> <destination_ip(s)> <mask><br /><br />So if your local address range is 192.168.111.0 and you are trying to reach 10.0.0.0/16 and 192.168.10.0/24 on the remote side, ACL 101 should be:<br /><br />access-list 101 extended permit ip 192.168.111.0 255.255.255.0 10.0.0.0 255.255.0.0<br />access-list 101 extended permit ip 192.168.111.0 255.255.255.0 192.168.10.0 255.255.255.0<br />access-list 101 extended permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.255.0.0<br />access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.10.0 255.255.255.0<br /><br />The other side of the L2L vpn will need a mirror of your ACL.milfrankrodriguezNov 17, 2009, 9:03am PSTOh I see, that is not what I am trying to do. The VPN client users will not be using the L2L vpn. They will be accessing probably from home ichacon00Nov 17, 2009, 8:17am PSTWe have a PIX525 running 6.3(4). We are trying to get applications that run on dynamic UDP ports to work with out success. We have added all statements to our outside ACL but they dont seem to have any effect.<br /><br /><b>Attachment Keywords : </b> <br />1) Maersk PIX Config.txt<br /> Maersk PIX Config.txt123691text/plaintext515511/17/2014noetienne.mbuyiNov 17, 2009, 7:53am PSTI am trying to have internal users behind an ASA use a VOIP application. The vendor mentioned to me that their application needs SIP to extend UDP ports 5060 to 5063. Below is what I did.<br /><br />object-group service Five9_SIP udp<br /> description Five9 UDP Ports<br /> port-object range sip 5063<br /><br /><br />access-list From_Internet_In extended permit tcp 72.5.65.0 255.255.255.0 interface outside eq sip<br />access-list From_Internet_In extended permit udp 72.5.65.0 255.255.255.0 interface outside object-group Five9_SIP<br /><br />policy-map global_policy<br /> class inspection_default<br /> inspect dns preset_dns_map<br /> inspect ftp<br /> inspect h323 h225<br /> inspect h323 ras<br /> inspect rsh<br /> inspect rtsp<br /> inspect esmtp<br /> inspect sqlnet<br /> inspect skinny<br /> inspect sunrpc<br /> inspect xdmcp<br /> inspect netbios<br /> inspect tftp<br /> inspect pptp<br /> inspect sip<br />!<br />service-policy global_policy global<br /><br />I know from various forums that a static (inside,outside) might be needed but I am doing PAT (i.e. global outside 1 interface).<br /><br />Regards, waynecromwellNov 16, 2009, 11:26am PSTHi all,<br /><br />I'm having problems with ASDM logging hits on rules. There are no rules showing the number of hits via ASDM. I can see hits on rules via the cli. Has anyone come across a issue like this? I running FWSM version 4.0(3) and ASDM version 6.1(2) on 6506 with a sup II with IOS version 12.2(18)SXF11. Any help would be greatly appreciated.<br /><br />Thanks 30 pkampanaNov 17, 2009, 7:17am PSTThis looks like defect CSCta77829 or CSCsv67531.<br /><br />The former is fixed in FWSM 4.0.7 and later.<br />The latter is fixed in ASDM 06.1(02.51)F.<br /><br />I would suggest trying ASDM 06.1(02.51)F. If you don't have it TAC can help you get it to give it a try.<br /><br />PK k-meltonNov 17, 2009, 6:50am PSTThis morning i configured the Management0/0 interface on the customers ASA appliance. <br />I set up a specific VLAN on the customers switch fabric just for this access (VLAN 12). I put the switch port connecting the cable to the ASA Mgmt interface in VLAN 12. I configured an ip address in VLAN 12 on the M0/0 interface on the ASA.<br />I can ping from the VLAN 12 interface on the switch to the Ip address on the Management interface on the ASA and vice versa.<br />When I try to launch a putty session to the address on the m0/0 interface on the ASA, it times out. <br />Should I be able to connect thru SSH and then also ASDM to the Management IP address? 30 branfarm1Nov 17, 2009, 6:59am PSTHave you added ssh permissions for the management interface?<br /><br />You'll need to add something like:<br /><br />ssh <host/subnet address> <mask> management<br /><br />For ASDM access you'll need to do the same but with http:<br /><br />http x.x.x.x x.x.x.x management k-meltonNov 17, 2009, 7:06am PSTYes I added both of those statements but still cannot access the box from ssh or http... branfarm1Nov 17, 2009, 7:11am PSTHow about routing? Are you attempting to access the ASA from a network that the ASA has a route to via another interface? One reason I don't like to use the management interface is because unless you have a dedicated management subnet, you will run into routing issues. victorfabianNov 16, 2009, 11:40am PST<br />From the firewall perspective how can i determine the amount of TCP users that are hitting the firewall.<br /><br />Is there a command or debug that would allow me to see that. 30 collin_clarkNov 16, 2009, 1:02pm PSTI think the closest you're going to get is with <b>show xlate count</b>. plumbisNov 16, 2009, 7:07pm PST"show conn | i TCP" will give you all TCP conns through the firewall, but this won't give you a count.<br /><br />You could always slap this into excel to get a count. pkampanaNov 17, 2009, 7:06am PSTsh local-host | i TCP flow count<br /><br />will show you the distinct TCP conns each host has. Adding them up will give you the aggregate.<br /><br />I hope it helps.<br /><br />PK pkrysinskiNov 16, 2009, 10:31pm PSTHello All,<br /><br />I just purchased my ASA5505 and I am now debating if I should purchase a Websense and/or Botnet license.<br /><br />I was curious if anyone else has any experience with these items? And if so, could you provide any feedback (positive or negative)?<br /><br />I'm not sure if I should go with just one or the other, or if I need both products? Do they really tax the 5505 itself? Is there a noticeable difference in speed accessing websites?<br /><br />Any help or suggestions you can provide is greatly appreciated, thank you!<br /><br />Lastly, what about the IPS add-on. Is it worth the 1200 dollars to get this module? If I bought the module would I even need the Websense or Botnet licenses?<br /><br />-- Phil 30 pkampanaNov 17, 2009, 7:02am PSTBotnet is a feature that identifies botnet traffic that is going out and alerts you. Later on there will be functionality to block that traffic.<br /><br />The IPS sits inline and monitors the traffic. If it sees something that looks illegit it will alert or block it, depending on what you want. The IPS could or could not catch bothnet traffic depending on the pattern the botnet is using.<br /><br />Webeense is a feature that has the ASA redirect traffic the websense server and websense decides what to do with the traffic, allow the page or block it.<br /><br />So, usually the botnet and IPS are related, the IPS does more than the botnet but botnet captures compromised computers by checking on the destination that they are contacting whereas the IPS checks the traffic patterns.<br />Websense is different and is used for url filtering.<br /><br />It all depends on your needs.<br />As for performance, in general there is no noticeable performance degradation with the features for most networks.<br /><br />I hope it helps.<br /><br />PK<br /> ray_stoneNov 16, 2009, 11:01pm PSTHello Experts, we have cisco ASA 5505 running for our branch office and STS tunnel is configured for remote site. The cisco call manager is placed on remote site. Yesterday, we experienced that all conference calls were got it disconnected automatically and no reply messages were recieving while doing ping to call manager server. I logged into the firewall and saw that the shun automatically turned-on for CCM server and when I manually turned-off then cisco IP phone were got it up. Can anyone explain why it was turned-on for CCM Server. 30 pkampanaNov 17, 2009, 6:47am PSTRay,<br /><br />Check if the ASA has threat detection with shun option enabled.<br /><br />If not then probably you have an IPS that has the ASA configured and identified the CCM as an attached and went in and shunned it.<br /><br />Or a user logged into the ASA and shunned the CM (which I doubt).<br /><br />I hope it helps.<br /><br />PK<br />grimsby.moraineNov 17, 2009, 4:11am PSTPIX525, v7.2(4).<br />Another firewall sits inside the PIX525, then out to the internet. A L2L VPN through the PIX525 hangs every few days and is recovered by rebooting the PIX525. The end peers report "IKE Responder: Remote party timeout - Retransmitting IKE request" and "IKE negotiation aborted due to timeout", the PIX525 reports "%PIX-6-110003: Routing failed to locate next hop for UDP from inside:a.b.c.9/500 to inside:[remote_peer]/500".<br />Note the "inside:[remote_peer" - this peer is actually outside and PIX525 even has static host route for it:<br />route outside [remote_peer] 255.255.255.255 a.b.c.1 1<br />When this happens PIX525 can actualy ping remote_peer.<br />Sometimes this happens several times a day, sometimes it goes 5 days without issue.<br /><br /><b>Attachment Keywords : </b> <br />1) PIX525.txt - Config & debug from PIX525<br /> PIX525.txt123677text/plaintext1838011/17/2014no30 branfarm1Nov 17, 2009, 5:20am PSTHi there,<br /><br />Did you recently upgrade the OS on this PIX? You might try disabling the isakmp keepalive mechanism.<br /><br />Under your tunnel-group w.x.y.x ipsec-attributes:<br /><br />isakmp keepalive disable<br /><br />Not sure if that will fix your issue, but it worked for me when I had a similar sounding issue after upgrading a PIX OS.<br />grimsby.moraineNov 17, 2009, 6:31am PSTIt has been upgraded recently, from 7.2(1), after i saw bug ID CSCsf04123.<br />I have added that to the DefaultRAGroup but i am a little dubious since this VPN goes through the PIX rather terminate on it.<br />It may be a few days before I know if it's helped.<br />Thanks for the reply.cisco@hrp.noNov 17, 2009, 12:39am PSTI have a problem related to ipsec on a Cisco ASA 5520. Briefly told the problem is when the remote site is initiating traffic againt my site. Traffic initiated from my site is working perfect. When the remote site is initiating traffic sometimes it works and somestimes it is not working. When it is NOT working the log shows the output that I have included in the attached file. So my question is: How can I set up logging on the ASA so that I can see exactly WAHT is causing the problem? The attached file is the result from logging with debug level, but how to see the exact cause of the failure? How to see what proposals the remote gateway is suggesting and so on...?<br /><br />The really strange thing is that it sometimes work, sometimes not. Any ideas?<br /><br /><b>Attachment Keywords : </b> <br />1) asa.txt - output from logging on ASA<br /> asa.txt123667text/plaintext565311/17/2014no30 collin_clarkNov 17, 2009, 6:22am PSTYou're failing at the negotiation of IPSec. You have a log entry of <b>All IPSec SA proposals found unacceptable</b>. Make sure everything matches verbatim in ISAKMP and IPSec. Also here's an excellent troubleshooting guide.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml')">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml</A> amit.bhagatNov 16, 2009, 9:59pm PSTHi Guys,<br /><br />A basic firewall issue-network topology is as follows-<br /><br />R1-PIX-R2<br /><br />R1 config-<br />interface Loopback 0<br /> ip address 192.168.1.1 255.255.255.0<br />!<br />interface fastethernet 0/0<br /> ip address 10.1.1.1 255.255.255.0<br />!<br />ip route 0.0.0.0 0.0.0.0 10.1.1.2<br />!<br /><br />R2 config-<br />interface Loopback 0<br /> ip address 1.1.1.1 255.255.255.255<br />!<br />interface fastethernet 0/0<br /> ip address 10.2.2.2 255.255.255.0<br />!<br />ip route 192.168.1.0 255.255.255.0 10.2.2.1<br />!<br /><br />PIX config in router mode-<br /><br />interface e0<br /> nameif inside<br /> ip address 10.1.1.2 255.255.255.0<br /> security-level 100<br />!<br />interface e1<br /> nameif outside<br /> ip address 10.2.2.1 255.255.255.0<br /> security-level 0<br />!<br />route outside 0.0.0.0 0.0.0.0 10.2.2.2<br />route inside 192.168.1.0 255.255.255.0 10.1.1.1<br />!<br />access-list 101 extended permit ip any any<br />access-list 101 extended permit icmp any any<br />access-list 101 extended permit icmp any any echo<br />access-list 101 extended permit icmp any any echo-reply<br />access-list 101 extended permit icmp any any unreachable<br />!<br />access-group 101 in interface outside<br />!<br /><br />Now, the issue is I CANNOT ping between R1 & R2. However, I can ping from PIX to each device.<br /><br />Any help would be appreciated.<br /><br />Regards,<br />Amit. 30 vikram_anumukondaNov 17, 2009, 1:22am PSTwhat version of the code are you running. amit.bhagatNov 17, 2009, 1:38am PSTPIX OS version 8.04 vikram_anumukondaNov 17, 2009, 1:42am PSTconfig looks good, anything showing up in the logs ? chandru.jNov 14, 2009, 4:40am PSTHi all,<br /><br /> i am able to ping but not able to telnet from inside to DMZ and vise verse also. please find the attachment of configuration.<br /> DMZ -10.244.4.0/24 network <br /> inside -10.244.0.0/24 <br /><br />Thanks in advance<br /><br /><br /><br /><b>Attachment Keywords : </b> <br />1) asa1.txt<br /> asa1.txt123575text/plaintext673611/14/2014no30 kusankarNov 14, 2009, 8:37am PSTThe config appears correct.<br />RTP - Routing, Translation and Permission<br />appear to be correct.<br /><br />Are you sure the host in dmz 10.244.4.x listens on tcp 23?<br /><br />enable loggin buffer<br /><br />command<br />conf t<br />logging buffered debug<br /><br />then issue "sh logg | i 10.244.0.x" the host where you are trying to telnet from on the inside and see what the logs say when you try this telnet when it fails.<br /><br />Also, from the DMZ segment from a 10.244.4.x host are you able to telnet to the 10.244.4.b host that is listening on this port? chandru.jNov 15, 2009, 8:49pm PST<br /><br />Hi,<br /><br /> i am getting error like<br /> 6 Nov 15 2009 23:45:32 302014 10.244.4.100 23 10.244.0.21 1254 Teardown TCP connection 159748 for DMZ:10.244.4.100/23 to inside:10.244.0.21/1254 duration 0:00:30 bytes 0 SYN Timeout<br /><br /> These is DC and DR setup from mplsoutside they can able to telnet DMZ but from inside i am able to do.<br /><br /> chandru.jNov 16, 2009, 12:06am PSTHi,<br /><br /> sorry i am not able to telnetmark.hodge@agilisys.co.ukNov 16, 2009, 4:36am PSTA SYN timeout indicates that the TCP handshake is not completing i.e. the source is sending a SYN, bit not receiving a SYN/ACK in reply.<br /><br />Check that the destination is running the appropriate service (telnet in this case) and that there is not a local software firewall on the destination machine. chandru.jNov 16, 2009, 8:23pm PSTHi,<br /><br /> I am TELNETTing to DMZ switch only, same form DMZ switch i am not able to telnet even ping also to inside.There is no software in between.i attached the DMZ sw configuration.<br /><br />Thanks in advance<br /><br /><b>Attachment Keywords : </b> <br />1) DMZsw.txt<br />DMZsw.txt123674text/plaintext626011/16/2014noduncan_watsonNov 16, 2009, 6:52pm PST/removed pending further investigation<br /> asa1 crypto output.txt123659text/plaintext108611/16/2014noasa2 crypto output.txt123660text/plaintext108611/16/2014no whitefordNov 14, 2009, 9:59am PSTHello,<br /><br />I have upgraded our 2 ASA firewalls (Active/Standby) from 8.0.3 to 8.0.4.48 and the memory has gone from 280mb to 450mb, the ASA's have 512mb.<br /><br />Is this normal/ok?<br /><br />I will call Cisco TAC on Monday, but seems quite a jump to me, I'm wondering if it has turned something on I don't need, not sure how I can check.<br /><br />Thanks 30 plumbisNov 14, 2009, 10:24am PSTThis is expected due to new features. I would suggest disabling threat-detection to free up some memory. As long as you aren't seeing a steady increase in memory I wouldn't sweat it. whitefordNov 14, 2009, 10:57am PSTHow do I disable threat-detection? plumbisNov 15, 2009, 8:26am PSTto see what threat-detection features are enabled issue the command "show run threat-detection"<br /><br />to disable those features use the "no" keyword before them.<br /><br />For example<br />===========================<br />ciscoasa# sh run threat-detection<br />threat-detection basic-threat<br />threat-detection statistics access-list<br />ciscoasa# conf t<br />ciscoasa(config)# no threat-detection basic-threat<br />ciscoasa(config)# no threat-detection statistics access-list<br />=========================== whitefordNov 15, 2009, 12:15pm PSTThanks,<br /><br />I tried that but made no difference to the amount of memory being used, how can I show what is taking it all up? jeyeNov 15, 2009, 3:22pm PSTYou can try <b>show proc mem</b>.<br /><br />HTH,<br />jerry whitefordNov 16, 2009, 12:07am PSTThis is what it shows:<br /><br /><b>Attachment Keywords : </b> <br />1) sh proc mem.txt<br />sh proc mem.txt123650text/plaintext860711/16/2014no plumbisNov 16, 2009, 7:13pm PSTThe top two offenders are tmatch compile and dispatch unit. tmatch compile is related to ACLs and dispatch unit related to traffic.<br /><br />How big are your access lists? (show access-list | i elements)<br /><br />What is the platform? <br /><br />How much traffic is going through this box?<br /><br />Are there drops, errors, overruns or underruns on the interfaces? J_Vansen_SNov 16, 2009, 5:42pm PSTHi <br /><br />I would like to know if the CSC-SSM trendmicro module is able to scan for virus transferred thru IM(Instant messaging) and torrents? 30 plumbisNov 16, 2009, 7:04pm PSTThe CSC module is only able to scan HTTP, FTP, POP and SMTP traffic, so no, unless they are transferring via HTTP J_Vansen_SNov 16, 2009, 7:12pm PSTwould the AIP-SSM do the trick instead? bericalebNov 5, 2009, 10:39pm PSTHi Experts<br />here is the show ver output of my 2xASA5520. I will be configuring Site-to-Site VPNs on the ASA. My plan is to have one unit as a Primary unit and the other as a Secondary (standby) unit. Will my VPNs work with the current failover mode (Active/Active) if I proceed to configuring the VPNs? 30 bericalebNov 5, 2009, 10:40pm PSTMy apologies, here is the attachment.<br /><br /><b>Attachment Keywords : </b> <br />1) show ver output on both firewalls.doc<br />show ver output on both firewalls.doc123264application/mswordword3123211/05/2014no cmcbride@perimetercenter.comNov 6, 2009, 12:48pm PSTIf you enable Stateful Failover, then VPN tunnels should failover in an active/standby configuration. <br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml')">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml</A><br /><br />That said, in the real world I've seen problems with Firewall failover causing problems with VPN tunnels. Almost always the problem is with the tunnels that are terminated by older Cisco equipment or non-cisco equipment. I.e. Pix 501, 821 routers, etc. But in VPN tunnels between ASA's it seems to failover the tunnel just fine.<br />orbanattilaNov 6, 2009, 10:00pm PSTWhen the ASA is configured for security contexts or Active/Active stateful failover, IPSec or SSL VPN cannot be enabled. Therefore, these features are unavailable. bericalebNov 16, 2009, 7:04pm PSTHi<br />thanks.<br />So in my case, if the ASAs are on a single security context and failover is Active/Active, what do I do, if I want to also run IPSEC and SSL VPNs on these firewalls?zhaodifanNov 13, 2009, 4:08pm PSTHey guys,<br /><br />I am trying to use ASA to block P2P download. I did find this link and I tested it but it's not blocking my Bitcomet download...<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml#built')">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml#built</A><br /><br />The page said that "The ASA can block P2P type applications only if P2P traffic is being tunneled through HTTP". However when I am using my wireshark to monitor the traffic I only see UDP and TCP, not HTTP... I guess that's why it's not working.<br /><br />Then I checked more on the internet and seems I need to buy a AIP-SSM or CSC-SSM module to block the P2P. Is this true? If it's true, which one should I use? Or do you have another way to block P2P with just the ASA itself? Thanks a lot! 30 plumbisNov 15, 2009, 8:32am PSTThis is correct, the regex classes in this example work by blocking HTTP requests. You could block someone from going to <A HREF="javascript:newWin('http://www.thepiratebay.com')">www.thepiratebay.com</A> for example but it wouldn't work if they already have a torrent running. <br /><br />I don't know about the AIP module but the CSC module can only filter on HTTP, FTP, SMTP and POP traffic so you wouldn't be able to filter bit torrent layer 7 traffic. zhaodifanNov 16, 2009, 3:02pm PSTThank you Plumbis! ewong0088Nov 13, 2009, 11:52am PSTANy help is appreciated.<br />Getting ready to upgrade a ASA 5520 from 7.2 code to 8.x, all because of the IPS module needs to be upgraded from 6.1 to 7.x.<br />Two question:<br />(1) Should I expect a smooth upgrade (from 7.2 to 8.x) on the ASA box? Anyone runs into problem, gotcha kind of thing? ANy problem on the config file not being converted correctly?<br />(2) For the IPS part, do you or do you not to use the upgrade command within the IPS module? From the IPS's doc. it says to use the upgrade command. From ASA's doc. it says to use: hw-module command. If I understand this correctly, by using hw-module command to upgrade the IPS from within the ASA, it would wipe my IPS config file.Don't want to do that if I can help it.<br />Thank you. 30 mkharbanNov 16, 2009, 10:26am PSTHi,<br /><br />There should not be any issues upgrading ASA from 7.2 to 8.x code. I would suggest going to the latest interim for 8.0(4) version as it has fixes for many caveats.<br /><br />Also in case an upgrade is performed on the module the configuration will not be wiped out. <br /><br /><br />Also, the upgrade command is used for performing signature upgrade for the module. You can not upgrade the version for the module with the upgrade command. <br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080816cb4.shtml#upgrade2')">http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080816cb4.shtml#upgrade2</A><br /><br />Hope this helps!<br /><br />Thanks,<br />Manish<br />Cisco TAC ewong0088Nov 16, 2009, 11:09am PSTmkharban, thank you for the info.<br />SO what you are saying is that in order to go from 6.1.x to 7.x IPS, no matter what, I have to REIMAGE the IPS and therefore wipe my IPS config? Upgrade command within IPS won't work?<br />Thanks. pkampanaNov 16, 2009, 10:37am PST(1) the upgrade should go smoothly and convert the config ok.<br /><br />(2) if you upgrade the IPS from the ASA ("hw module" command) than it will re-image the module and wipe it is config, that is correct. Make sure you keep a copy of it. And I suggest to upgrade from the module with the patch in order to avoid a full reimage.<br /><br />I hope it helps.<br /><br />PK ewong0088Nov 16, 2009, 11:14am PSTpkampana, thank you for the info.<br />So you are saying upgrade command does work within the IPS going from version 6.1.x to 7.x?<br />These statement are contradictory. See above.<br />Thank you for the help.<br /><br /> bruce.summersNov 12, 2009, 2:50pm PSTI'm running FWSM v3.2(2). I have an allow icmp any any configured that I'm allowing my intra-net folks to ping inbound. I have a question and a scenario.<br />question:<br /><br /> does icmp any any, really mean ANY type/code of icmp?<br /><br />scenario:<br />i've ran into an issue with my edge router. <br /><br />The MTU size is set to 1400 on the edge. If a server initiates an icmp packet with a "dont frag" flag, (doing it for path mtu test) the edge sends it back to the firewall advising the packets must be fragmented (due to the mtu 1400) <br /><br />heres the catch, the firewall realizing the packet was destined to a remote location and not directly to the edge router, is dropping the packet with a "no matching session"...which of course makes sense, since the destination in the original packet wasnt the router.<br /><br />I'm wondering how I allow the traffic back to the source (server) when the router grabs the packet and says, "you cant move forward due to MTU 1400" and shoots it back to the firewall?<br /><br />sincerely,<br /><br />bruce 30 vikram_anumukondaNov 13, 2009, 12:08am PSTicmp any any - does cover any type/code of icmp.<br /><br />have you tried enabling icmp and icmp error inspection under global policy to see if it helps your scenario. bruce.summersNov 15, 2009, 12:10pm PSTI havent tried that...is that just to monitor/inspect? or is that another layer of "allowance"?<br /><br />bruce vikram_anumukondaNov 15, 2009, 10:33pm PSTThat's for inpsection. pkampanaNov 16, 2009, 10:35am PST"icmp any any time-exceeded" in an ACL if you don't have inspection or "inspect icmp error" will get you the solution.<br /><br />I hope it helps.<br /><br />PK carl_townshendNov 16, 2009, 4:48am PSThi <br />speaking to someone today, they said you shouldnt use the management port on the asa for the failover port, is this correct ? 30 collin_clarkNov 16, 2009, 6:30am PSTThat is correct. Check the 5th paragraph in this link.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml')">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml</A>jfraaschNov 16, 2009, 5:29am PSTJust found out a requirement I did not know about.<br /><br />I had failover set up for FWSM across two 6500 chassis. Things worked great....except failover between the two chassis took about 4 seconds. I tested and each of five failovers I had a user drop about 3-5 pings before the standby FWSM took over.<br /><br />So, it looks like I need to take the default gateways off the FWSM and go back to HSRP.<br /><br />Has anyone had any success with FWSM in bridge mode?<br /><br />I am going to start scouring the site for links right now but thought I would ask here first.<br /><br />Thanks!<br /><br />James 30 jan.nielsenNov 16, 2009, 5:50am PSTSounds about right, even if you use the lowest hello timers (500mS) it will still spend 3-4 seconds before a failover accours, interface down detection can be optimized by using the autostate feature in the switch, which does not work in VSS setups.jfraaschNov 16, 2009, 5:55am PSTI will be running SSO fail over. I have redundant Supes in each of two chassis. I will not be running VSS mode because customer is not comfortable with it. rexbiestyNov 16, 2009, 1:16am PSTHi, tricky one. We've just taken over management of a site and my responsibility is for their Pix. This customer has 2 other sites that connect via MPLS (looked after by BT) who's traffic is filtered by the pix. However, one of these sites has an issue whereby if one of the users plugs a network cable into 2 ports it slowly brings down the network and stops access to our site. Given that this site is a school and the users are students, this happens quite often.<br /><br />Would I be right in thinking that any solution would need to be implemented on either the switch or router at the remote site? As I dont know must about routing protocols for switches or routers is there any advice I can give them given that I dont have any access to that site and is there anything I can implement on the firewall to help.<br /><br />Thanks, Rex. 30 hobbeNov 16, 2009, 2:16am PSTMy guess is that it is best solved with spanning tree in the switches.<br />If they have "new" cisco switches then try to enable rapid spanning tree (if all the switches support it) and set the ports to portfast (it works nice with rapid)<br />if the switches does not support rapid spanning tree, then use the "normal" spanning tree but do not set the ports to portfast (unless they are for a server)<br /><br />Since it is a school there are probably some bright kids there so there are some nice features that there is a possibility to implement fx floodguard and bpdu guard features.<br /><br />And no there is nothing you can do on your end. This is a local problem.<br /><br />HTH<br /> rexbiestyNov 16, 2009, 2:25am PSTThanks, just the answer I was looking for. I'll pass this info on to those that look after the switches at the remote site to sort. hobbeNov 16, 2009, 2:34am PSTThere is one drawback to using the old spanning tree and that is that the switches do not open the port until aprox 30 seconds, that can affect the dhcp process depending on how fast the computers are.<br /><br />"old" spanning-tree<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm')">http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm</A><br /><br />Rapid Spanning-tree<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml')">http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml</A><br /><br /><br />HTH<br /> rexbiestyNov 16, 2009, 2:38am PSTThanks again. pguibordNov 14, 2009, 11:20am PSTHi All!!!<br /><br />I am running a PIX 515 failover pair running 6.3.5 and get the error message that follows:<br /><br />"No translation group found for tcp src lyontwp-secure:172.16.7.69/52955 dst inside:4.2.2.2/9100"<br /><br />I am trying to use NAT Exemption to bypass NAT entirely for a specific source network (172.16.7.0/24) destined to any address and get the "no translation group" error. In this test host 172.16.7.69 is sitting behind the PIX interface named lyontwp-secure. <br /><br />These are the NAT exemption commads in the config:<br />nat (lyontwp-secure) 0 access-list NoNat<br />access-list NoNat permit ip 172.16.7.0 255.255.255.0 any<br /><br />The config is attached........<br /><br /><br /><b>Attachment Keywords : </b> <br />1) PIX-Config.txt<br /> PIX-Config.txt123580text/plaintext459811/14/2014no30 vikram_anumukondaNov 14, 2009, 6:43pm PSTtry with this<br /><br />static (lyontwp-secure,inside) 172.16.7.0 172.16.7.0 netmask 255.255.255.0 0 0 hebaerteNov 15, 2009, 2:41am PSTNote that the syslog says "inside:4.2.2.2" so it thinks 4.2.2.2 is on the *inside* and therefor (assuming that "inside" has a higher security-level than "lyontwp-secure")<br />you would need a nat entry (or nat exemption) for 4.2.2.2.<br /><br />Is 4.2.2.2 really on the inside (I doubt it, unless you replaced the real address with 4.2.2.2, so just to be sure)?<br /><br />-If yes, add something like <br />static(inside,lyontwp-secure) 4.2.2.2 4.2.2.2<br /><br />-If not, then check why it thinks it is. Usually this is caused by a routing error or a wrong static nat entry. If you need help with that, please post "show route" and "show run nat", "show run static" pguibordNov 15, 2009, 6:24am PST<br />Vikram,<br /><br />Thanks for the reply!<br /><br />Unfortunately I already tried that and still a no go.<br /><br /><br />Hebaerte,<br /><br />Likewise, thank you for the reply!<br /><br />4.2.2.2 is on the inside so yes traffic is flowing from a lower security interface (internal network) <br />to a higher (internal network). Eventually it will hit an ASA failover pair that is bordering the internet.<br /><br />I do not want this traffic natted as it passes through the internal network (gathering netflow stats) so that <br />is why I am trying NAT exemtion from this source network to any out on the internet.<br /><br />I read that traffic can flow from lower to higher (see link and snippet below) as long as you have an access-list permitting it.<br /><br /><A HREF="javascript:newWin('http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html')">http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html</A><br /><br />"3. As the packet passed the inbound security check is passed to ASA that performs the inbound network <br />translation (destination NAT)." <br /><br />So the question is should not NAT Exemption satisfy step 3 in this document?<br /><br /> hebaerteNov 15, 2009, 11:12am PSTIf you don't want to translate the addresses on the lower security interface then you don't need to configure any NAT exemption or any kind of NAT for them.<br />But again, you *do* need to do NAT (in this case identity NAT or NAT exemption) for the addresses on the inside (higher sec interface).<br /><br />So I repeat my suggestion of<br /><br />static (inside, ...) 4.2.2.2 4.2.2.2<br /><br />or alternatively<br /><br />access-list nonat permit host 4.2.2.2 any<br />nat (inside) 0 access-list nonat<br /><br />(it may seem counter-intuitive that you need to define this as if it is for outbound traffic, but it's just like that, this will work both ways).<br /><br />Herbert pguibordNov 15, 2009, 1:00pm PST<br />Thank you Herbert but I cannot enter identity NAT or NAT exemption entries for every host that exists on the internet. 4.2.2.2 was only an example of a host (not even a host we own) siting out on the internet.<br /><br />Can I not do:<br /><br />access-list nonat permit ip any any<br />nat (inside) 0 access-list nonat<br /><br />One more question, you are referencing the "inside" interface above and this traffic is being sourced (172.16.7.0/24)inbound on the lyontwp-secure interface passing through the PIX and then out the inside interface destined to 4.2.2.2. Shouldn't the commands be:<br /><br />access-list nonat permit ip 172.16.7.0 255.255.255.0 any<br />nat (lyontwp-secure) 0 access-list nonat<br /><br />If you say no then I clearly do not understand NAT on the PIX and apologize.<br /><br /> pguibordNov 15, 2009, 1:29pm PST<br />(Herbert, In my last post I did not say I appreciate your assistance and patience in assisting with this issue, I truly do...) <br /><br /><br />Thank you Herbert but I cannot enter identity NAT or NAT exemption entries for every host that exists on the internet. 4.2.2.2 was only an example of a host (not even a host we own) siting out on the internet. <br /><br />Can I not do: <br /><br />access-list nonat permit ip any any <br />nat (inside) 0 access-list nonat <br /><br />One more question, you are referencing the "inside" interface above and this traffic is being sourced (172.16.7.0/24)inbound on the lyontwp-secure interface passing through the PIX and then out the inside interface destined to 4.2.2.2. Shouldn't the commands be: <br /><br />access-list nonat permit ip 172.16.7.0 255.255.255.0 any <br />nat (lyontwp-secure) 0 access-list nonat <br /><br />If you say no then I clearly do not understand NAT on the PIX and apologize. <br /> hebaerteNov 16, 2009, 1:58am PSTMy motto is "Patience is a virtue" :)<br />The answer is indeed No (I did say it may seem couner-intuitive), but ther is no need to apologize - I remember when I first worked with a Pix, I didn't get it either.<br /><br />The one thing to remember about NAT on Pix, and I've said it before, and I'm not sure how to phrase it otherwise: you always always always (*) - need an xlate (this is what we call an entry in the translation table) for the address on the _higher_ security interface.<br /><br />So for low-to-high, you need to "translate" (or exempt) the _destination_ address, not the source.<br /><br />In the more common scenario, this is probably more logical, i.e. you have a webserver on the inside, and a client on the outside connecting to it; in that case you need a static(inside,outside) for the webserver address.<br /><br />In your scenario, 4.2.2.2 is like the webserver on the inside, and your 172.x.x.x is the client on the "outside" (allow me to call it outside since it is easier to type - in general, whenever I say outside I mean lower security, and inside is higher security).<br /><br />So what can you do:<br /><br />a) you can indeed do "access-list nonat permit ip any any"<br /><br />b) you could swap the security levels (I would advise to also change the name "inside" to avoid confusion later) so that the Internet (and the network between the Pix and the ASA pair) is the outside. Then you can do nat exemption for 172.x.x.x like you originally tried.<br />Note that in this case you may also need to put an ACL on the now-outside interface if you need to allow some traffic in the other direction.<br /><br />I hope I didn't make it more complicated instead of more clear... let me know.<br /><br />Herbert<br /><br />(*) well, as with all rules there is an exception - but not on Pix 6; in version 8 IIRC you can disable nat-control and then this requirement is no longer true. vikram_anumukondaNov 15, 2009, 10:58pm PSTdid you get the same error message " No translation group found " with the static too.<br /><br />I believe you must be doing some kind of nat for "lyontwp-secure" network.<br /><br />and also check the nat VS Static. section at this link<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1185638')">http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1185638</A> fsmontenegroNov 11, 2009, 7:27am PSTHi everyone!<br /><br />Weird problem on a PIX515 with 7.2.4: adding the "route inside 0.0.0.0 0.0.0.0 <gw> tunneled" fails.<br /><br />See below:<br />PIX-1# sh run | inc route<br />route outside 0.0.0.0 0.0.0.0 x.x.x.x<br />route inside InternalNets 255.0.0.0 10.255.x.1 1<br />route inside 192.168.0.0 255.255.0.0 10.255.x.1 1<br />PIX-1# conf t<br />PIX-1(config)# route inside 0.0.0.0 0.0.0.0 10.255.x.1 tunneled <br />ERROR: Cannot add route entry, conflict with existing routes<br /><br />Any ideas?<br /><br />Thanks!<br /> 30 vikram_anumukondaNov 11, 2009, 7:52am PSTit's because you are using a inside interface in the tunneled route and outside interface for the default route.<br /><br />Check this link: <br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ip.html#wp1047900')">http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ip.html#wp1047900</A> acomiskeyNov 11, 2009, 8:03am PSTWhat is he doing should work just fine. I use it on a few ASA's myself. fsmontenegroNov 11, 2009, 8:05am PSTHi Vikram,<br /><br />I'm doing the same thing in an ASA:<br />route outside 0.0.0.0 0.0.0.0 y.y.y.y 1<br />route inside 10.0.0.0 255.0.0.0 10.5.x.x 1<br />route inside 0.0.0.0 0.0.0.0 10.5.x.x tunneled<br /><br />Could it be a PIX/ASA difference? Something else? Same thing happens with 8.0.4 code as well.<br /><br />Thanks!<br /> acomiskeyNov 11, 2009, 8:08am PSTDoes it complain if you try adding the inside tunneled route first, then the outside route? fsmontenegroNov 11, 2009, 8:12am PSTHi,<br /><br />Haven't tried that as we were accessing the PIX remotely via outside...<br /><br />Will try to get someone to test it on-site for us.<br /><br /><br /> vikram_anumukondaNov 11, 2009, 8:11am PSTare you saying it's working in ASA, if yes then we are only left with PIX/ASA difference.<br /><br />what version are you running by the way. fsmontenegroNov 11, 2009, 8:13am PSTHi, I have a separate ASA5520 pair running 8.0.4 that is working fine with that configuration.<br /><br />This particular scenario is another VPN headend, a single PIX515 running 7.2.x (same thing happened with 8.0.x code).<br /><br /> vikram_anumukondaNov 11, 2009, 9:09am PSTtried to lookup if there are any bugs, but no luck.<br /><br />strange issue. <br /><br />Not sure if a reboot would help. vikram_anumukondaNov 15, 2009, 11:00pm PSTwould like to know if you managed to fix this issue. pkrysinskiNov 13, 2009, 9:45pm PSTHello All,<br /><br />I recently purchased a Cisco ASA5505 (basic license) for use at home. I also just purchased Vonage for home phone & fax line usage.<br /><br />While reading the instructions, the Vonage hardware needs to be placed between the cable modem & my internal LAN equipment.<br /><br />Instead of going with this model, I was curious if anyone knows or could provide details on how to place the Vonage hardware behind the ASA5505?<br /><br />I don't know if this could be possible by placing the Vonage device into a DMZ port or if there was another way this could be accomplished.<br /><br />If you can provide a configuration example that would be extremely helpful as well!<br /><br />Thank you in advance for your assistance!<br /><br />-- Phil 30 plumbisNov 15, 2009, 8:29am PSTI'm not sure how vontage works but it probably requires a static translation. You can add something like<br /><br />static (inside,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255<br /><br />To translate the 1.1.1.1 outside address to the 192.168.1.2 inside address. pkrysinskiNov 15, 2009, 6:40pm PSTThank you very much for the suggestion. I am going to try this as soon as I receive the Vonage hardware.<br /><br />Hopefully I can make this work without having to upgrade my license to allow DMZ functionality, since that is around 500 dollars I think.<br /><br />-- Philiketurner931Nov 15, 2009, 11:29am PSTHello,<br /><br /> I have an ASA 5505 and setup a outside interface that has ip address dhcp for my internet connection. I am running dhcp on this box for my inside network. I ping the ip addresses on the internet however I keep getting these errors when I try to browse the internet from the inside network.<br />6 Nov 15 2009 14:15:38 110002 192.168.1.10 2069 Failed to locate egress interface for TCP from inside:192.168.1.10/2069 to 77.178.232.99/80<br /><br /><br />6 Nov 15 2009 14:25:56 305012 192.168.1.10 58055 86.16.2.106 1038 Teardown dynamic UDP translation from inside:192.168.1.10/58055 to outside:88.16.2.106/1038 duration 0:00:30<br /><br /><br /><br /> 30jon.marshallNov 15, 2009, 12:12pm PSTCharlie<br /><br />So the outside interface is up and getting an IP address ? <br /><br />If so can you check your routing table - you should have a default-route in their pointing to the next-hop ISP address.<br /><br />Joniketurner931Nov 15, 2009, 12:29pm PSTThanks,<br /><br /> Got it everything is working great now. I can't belive I missed that. tech_tracNov 15, 2009, 4:00am PSTHello, <br /><br />I have configured the burst rate and average rate to 20 and the average drops/sec and current drops/sec is very well below 20. But I still see the trigger count going up with the syslog<br />message<br /><br />ASA-4-%733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 20; Current average rate is 7 per second, max configured rate is 20; <br />Cumulative total count is 4667<br /><br />Why is the syslog message still getting generated. Do I need to restart the ASA for the change in configuration to take effect. <br /><br />Thanks. thegrave2000Nov 10, 2009, 7:18am PSTHello,<br /><br />I have a problem with FWSM running version 3.2(5) on Catalyst 6506 with 12.2SXH(33)a. All the interfaces of the FWSM are in down/down state without any explicable reason. The output is in the attachment - FWSM2 is the problematic one, FWSM1 is working fine. Uptime is 16 days on both modules.<br /><br />Both switches have this configuration:<br /><br />firewall multiple-vlan-interfaces<br />firewall module 1 vlan-group 2,<br />firewall vlan-group 2 77-80,749,750<br /><br />I have one more 6506 with FWSM both running the same versions - the module works just fine. The trunks between the two switches are up, the VLANs are in STP Forwarding State (I'm running MST btw), everything looks just fine. The more interesting thing is that I'm 99% sure this problem is reoccurring in time - it appears for a while then it disappears without any logical reason. I searched through the bug toolkit as the FWSM version is quite old but I couldn't find a bug matching this description. Anyone had a similar problem? I plan to do an upgrade tomorrow if I don't find another solution.<br /><br />Kind Regards,<br /><br />Stefan<br /><br /><b>Attachment Keywords : </b> <br />1) FWSM Output.txt<br /> FWSM Output.txt123435text/plaintext772211/10/2014no30fdelcura@satec.esNov 13, 2009, 5:17am PSTHello:<br /><br />It's strange you can access to FWSM cause the SXH IOS is not valid for FWSM support, you need the SXI IOS.<br /><br />Go to this link:<br /><br /><A HREF="javascript:newWin('http://tools.cisco.com/ITDIT/CFN/Dispatch?act=rlsSelect&task=search&searchby=image')">http://tools.cisco.com/ITDIT/CFN/Dispatch?act=rlsSelect&task=search&searchby=image</A><br /><br />Select the image you have and you'll see that IOS doesn't support FWSM.<br /><br />Regardsthegrave2000Nov 14, 2009, 4:13am PSTI think you are referring to this feature:<br /><br />VSS - Firewall Service Module (FWSM) support<br /><br />This is for 6500 VSS systems and that's not my case. I have a 6509 with Sup10G and FWSM and believe me - it works.<br /><br />Anyway, the problem disappeared after a restart. I realized that the FWSM was like that since that switch had a major crash 17 days ago as this was the uptime of the module and a single packet wasn't transmitted. If the problem appears again though I'll upgrade the software. Any observations on 4.x track? Is it stable, does it cause any issues with regular L2/L3 protocols? plumbisNov 14, 2009, 10:25am PSTThe latest 4.0 code is pretty solid and also gives you more room for ACL entries due to code optimizations. thegrave2000Nov 14, 2009, 12:13pm PSTThanks for the information! Do you have any idea if it's necessary to upgrade the license I have for 3.2 to go to 4.x?faizankhursheedNov 13, 2009, 10:44pm PSTDear All<br /> <br /> <br />Issue regarding HUB and spoke topology .I have Two RTR Primary and seconday i<br />configured remote access VPN on Head office Permiter RTR to remotely acces<br />my head office and branches .Actually im facing Issue is that the few<br />branches terminate on Secondary RTR which i m not able to access them remotely<br />coz i know the reson i configrued Remote access vpn on permiter RTR<br />.is ther any possbiility to redirect my traffic so im able to remotely access<br />my those branches which comes from secondary router 30 andrew.prince@monster.comNov 14, 2009, 9:30am PSTCheck your routing, this can possible be fixed with routing.<br /><br />HTH> melatisariindahNov 12, 2009, 8:52pm PSTDear All,<br /><br />I want to ask about the WCCP feature in ASA 8.x<br /><br />I am using squid proxy as a transparent mode. What should I do to redirect the user web traffic to this proxy passthrough the ASA?<br /><br />The ASA is configured with the sub interface. And the users is in different subnet with the proxy.<br /><br />Can we do the redirect progress in this case ? <br /><br />“WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.” (<A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html')">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html</A>)<br /><br />Thx for the response. 30 pkampanaNov 13, 2009, 8:29am PSTIf the proxy is behind a different subinterface compared to your users that need to be redirected it won't work.<br /><br />The squid needs to be behind the same interface/subinterface as the users to be redirected.<br /><br />I hope it helps.<br /><br />PK melatisariindahNov 13, 2009, 8:04pm PSTThe squid should in the same interface/subinterface or in the same network ID?<br />For example, at INSIDE interface in ASA, I have L3 switch which have server vlan and client vlan. It is possible to use wccp in this case? Because the traffic will out from the same interface (INSIDE) but with different network ID (squid in vlan server and client in vlan client). <br /><br />Thx.')