Posts with #cisco switches - cisco firewall tag
Cisco has pushed its Unified Access networking strategy past the management layer by introducing a new edge switch, which has wireless LAN control functionality, and processes both wired and wireless traffic on the same platform.
With this switch, enterprises will no longer have to tunnel traffic from wireless access points (APs) to a central controller. Instead they can terminate wireless traffic on an edge switch, where they will be able to secure and manage both wired and wireless traffic.
Cisco has "truly for the first time integrated their wired and wireless infrastructure in terms of having one box and using one ASIC [application-specific integrated circuit] that really handles traffic irrespective of whether it is coming in from the wired or wireless LAN standpoint," said Rohit Mehra, vice president of network infrastructure research at Framingham, Mass.-based IDC.
The new Cisco Catalyst 3850 switch, a successor to the workhorse 3750, is built around a new, programmable ASIC, the Unified Access Data Plane (UADP) chip, which gives it the wireless LAN control functionality. A single stack of Catalyst 3850s will support up to 50 access points and 2,000 clients with 40 Gbps of controller throughput.
"In this day and age where wireless traffic has really exploded, and you're carrying all kinds of heavy, latency-sensitive wireless traffic like voice and video, routing all the traffic back to a controller adds an exceptionally large amount of overhead on the network, both local area and wide area," Mehra said.
Not only does this integrated wireless LAN control reduce load on the network, it also enhances traffic management and Quality of Service (QoS) functionality. Because traffic from the wireless LAN is no longer tunneled, it crosses the rest of the wired network as standard IP traffic. Enterprises can now apply the same policies and controls to wired and wireless traffic.
As a result, Cisco customers can do things like granular, hierarchical QoS across their entire infrastructure, said Rob Soderbery, senior vice president and general manager for Cisco's enterprise networking business.
"When you were processing [wired and wireless] streams in different places, doing QoS across that was difficult," he said. "Now you can see all the users and data in one place, and you can set tiered levels on QoS. You can do QoS on a given access point, so you can make sure no one is frozen out. You can then set QoS up to a switch and up to a branch and manage that entire path."
With the Catalyst 3850, wireless LAN traffic will become more efficient, particularly as users are moving from access point to access point, said Andre Kindness, senior analyst with Cambridge, Mass.-based Forrester Research Inc.
"When you're bouncing from AP to AP, you end up tunneling back [from the controller] to the AP where you started from and that's not always the best path possible, from a VoIP call and latency perspective. You want to follow the user. That's why there's this movement to pushing control back to the edge. You start enforcing policies based on users and applications and where the best connection is."
The Cisco Catalyst 3850 is a stackable switch that ships with either 24 or 48 Gigabit Ethernet (GbE) ports, with or without Power over Ethernet (PoE) and optional modules for 10 GbE uplinks. Its prices are identical to comparable configurations of the Catalyst 3750, although customers will have to pay an additional license to activate the wireless control functionality.
Goodbye AirOS: IOS to rule wireless LAN
In addition to the Catalyst 3850, Cisco introduced the Cisco 5760 wireless LAN controller for customers who are not yet ready to dump their controller-based systems. This premium device can manage 1,000 access points and 12,000 clients with 60 Gbps of throughput. It runs on the same ASIC platform as the Catalyst 3850 switch.
The 5760 is also the first Cisco wireless LAN controller ever to run IOS, marking a departure from the AirOS operating system that has powered the company's controllers since it acquired wireless networking vendor Airespace. Soderbery said Cisco will gradually upgrade all of its wireless controllers to run IOS instead of AirOS.
"All the training and learning that network managers have undergone with IOS, they can now use those skills and leverage them on just one platform, whether for wired or wireless," Mehra said.
Many enterprises will be slow to adopt the Catalyst 3850 with its wireless LAN control function, so central controllers running IOS will be important to Cisco's efforts to unify wired and wireless, Forrester's Kindness said.
Cisco is "worried about customers who just bought 3750s in the last year or two," he said. "Most edge switches are kept around for five to seven years so it doesn't make sense for them to replace the edge with this new switch."
Because the 5760 runs IOS, network managers can take advantage of the same services and features that are available on Cisco's switches, including Application Visibility and Control (AVC) and TrustSec. Users can also set policies, such as QoS, on the controller in the same way they do on switches and routers.
The 5760 controller has a base list price of $20,000.
ISE-MDM integration and Prime 360 Experience
Cisco also updated its Identity Services Engine (ISE) and Prime Infrastructure. ISE 1.2 now integrates with mobile device management (MDM) software from Good Technology, Airwatch, MobileIron, Zenprise and SAP.
Prime Infrastructure 2.0 has a new 360 Degree Experience that allows network managers to pivot their view of network activity by users, devices, applications and services. With this new feature, a network manager can click to see, for instance, all the network users who are using Twitter, or all the people who are connecting via an iPad, Soderbery said.
---Original From http://searchnetworking.techtarget.com/news/2240177385/New-Cisco-Catalyst-3850-switch-has-integrated-wireless-LAN-control
This walk-through on setting up a Cisco ASA 5505 firewall with a wireless router focuses on things you might encounter when doing the setup at home.
This piece focuses on common things you might encounter at home, like not having a static IP from your ISP or wanting to keep using your current wireless router. Here we'll go over what you need to do at a high level, which should work with any wireless router.
The firewall setup can seem a little daunting, especially because you will most likely lose your Internet access while you’re doing it. Remember there are only four basic things you need to configure to get Internet access.
- You should configure the inside and outside interfaces.
- You need a default route that tells your devices where to go.
- You need to configure Port Address Translation (PAT). This is what allows you to only have one IP address from your ISP, but you can have several devices connected on your internal network in a many-to-one configuration.
- You may need access rules. The ASA already lets traffic from the higher-security inside interface out to the lower-security outside interface and statefully allows the replies back in, so plain browsing works without an explicit rule; access rules come in when you want ping to work, want to restrict what leaves your LAN, or (carefully) want something on the inside reachable from the Internet.
Initial Setup and Configuration of Interfaces
- Connect the network cable from the modem to port 0 (default outside port) on the ASA.
- Connect your computer to one of the other ports on the ASA, which should be on the inside network by default. Ports 6 and 7 are Power over Ethernet (PoE) ports; I recommend reserving those ports for any devices that can use PoE.
- Open a browser on your computer and go to 192.168.1.1, which is the default address for connecting to the ASA.
- Click Run ASDM. (Another option is to click Run Startup Wizard and do this entire configuration in the wizard.)
- Log in. There are no passwords configured yet, so leave the fields blank for now. Set an enable password and a local admin user before you finish; do not leave the device accepting blank credentials once it is online.
- Click Configuration at the top.
- Click Device Setup.
- Click Interfaces.
- Edit the Inside Interface.
- Make sure it is enabled.
- Specify the internal address you want to use. By default this is 192.168.1.1, which you can leave as it is. It means you are using the 192.168.1.0/24 network as your inside network.
- Click OK.
- Edit the Outside Interface.
- Choose DHCP. If you happen to have a fixed IP at home, please use that. Many ISPs require you to have a business account to get a static IP, though.
- Make sure the interface is enabled.
- Put a check mark next to the option Obtain Default Route Using DHCP. This saves you the step of configuring a static route, and it saves you the hassle of having to change the static route every time your IP changes.
- Click OK.
- Put a check next to Enable Traffic Between Two Or More Interfaces Which Are Configured With The Same Security Levels and next to Enable Traffic Between Two Or More Hosts Connected To The Same Interface. Neither setting is needed for basic inside-to-outside browsing; they matter only if you later add interfaces at the same security level or need traffic to hairpin back out the interface it came in on (for example, VPN clients reaching each other), so it is fine to leave them unchecked until you do.
Those 18 steps take care of the first two basic things I spoke about before: configuring your interfaces and setting up a default route. Now to configure PAT and the access rules.
- Click Firewall while still under the Configuration tab.
- Click NAT Rules.
- Click Add.
- Click Add Dynamic Rule.
- For the original source you can just leave it set at Any (or you can specify the inside network).
- For the translated interface put the outside interface.
- Click OK.
Configure Access Rules
You'll most likely want HTTP/HTTPS and DNS, and perhaps FTP and ICMP, to work from the inside. Outbound from inside to outside, the implicit rule already permits all of this and stateful inspection handles the replies, so an inside rule is only needed if you replace the implicit rule with an explicit list. Be careful with rules on the outside interface: anything you permit there is reachable from the whole Internet, so add an inbound rule only for a specific host and port you intend to expose, and make ping work through ICMP inspection rather than by permitting ICMP inbound. Use Figure A as a reference for the kind of configuration you may need.
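The same four pieces (interfaces, default route, PAT, access policy) as they look in the ASA CLI, for readers who prefer the console over ASDM. This is an added example, not part of the original TechRepublic post; it assumes an ASA 5505 running 8.3 or later (object NAT syntax), the default VLAN 1 = inside / VLAN 2 = outside mapping, and the 192.168.1.0/24 inside network used above. The admin credentials are placeholders.

```cisco
! Inside: VLAN 1 (Ethernet0/1-0/7 belong to VLAN 1 on a 5505 by default)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Outside: VLAN 2 on Ethernet0/0; address and default route learned from the ISP's DHCP
! ("setroute" is the CLI form of "Obtain Default Route Using DHCP")
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
! Many-to-one PAT: every inside host leaves the box as the outside interface's address
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Hand out addresses on the LAN; DNS and domain are copied from the outside DHCP lease
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd auto_config outside
dhcpd enable inside
!
! No access-list on outside: nothing from the Internet is accepted unless you add a rule.
! ICMP inspection lets ping replies back in without permitting ICMP inbound.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Do not leave the device with blank credentials: local admin user, ASDM (HTTPS) and SSH
! reachable from the inside network only. Replace the placeholder secrets.
enable password CHANGE-ME-ENABLE
username admin password CHANGE-ME-ADMIN privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
```

SSH additionally needs an RSA key pair (crypto key generate rsa) before the ssh lines take effect. After pasting, show route should show the DHCP-learned default route on outside, show nat should list the dynamic PAT rule, and show xlate should fill up as inside hosts start browsing.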
Configure Your Wireless Router to Act like an Access Point
This covers setting up the ASA, but you still want to be able to use your wireless router to connect all your laptops, printers, Rokus, etc. The easiest way (though not the only way) to do this is to configure your wireless router to act just as an access point (AP).
In general, leave the router's WAN (outside) port unused and cable the ASA to one of the router's LAN ports instead, so that the router's own NAT and firewall are taken out of the path and the ASA is the only device between your LAN and the Internet. Then connect to the management interface of the router, most likely via a browser while your computer is connected to it. Some newer routers have an AP Mode option that does the rest automatically. If yours does not, turn off its DHCP server (the ASA is the DHCP server now) and put its LAN address on the same network as the ASA. Because the router's admin page now sits on your inside network, change its default admin password while you are there.
In this example you might give the AP an IP of 192.168.1.15 with a subnet mask of 255.255.255.0, and the default gateway should be the inside IP address of the ASA. Now connect one of the router's LAN (inside) ports to one of the inside ports on the Cisco ASA (ports 1-7). You may need to reboot the AP, but you should then be able to connect wirelessly and reach the Internet through the firewall.
Resource from http://www.techrepublic.com written by Lauren Malhoit
Many small and medium-sized businesses require a backup path for their Internet connection while keeping costs to a minimum. The Cisco ASA 5505 provides a feature called Dual ISP Backup, with which a company can use its main ISP and, in the case of an outage, fall back to a cheaper DSL/cable connection. This solution does require a Security Plus license.
Let's assume that a customer is assigned a static public IP address of 100.100.100.100 from their primary ISP and another static public IP address of 184.108.40.206 from their DSL/cable provider. Ethernet 0/0 will connect to the primary ISP and will be assigned to a VLAN of your choosing, in this case VLAN 2. Ethernet 0/1 will connect to the customer LAN and will be in VLAN 1. Ethernet 0/2 will connect to the DSL/cable provider and will reside in VLAN 3.
ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.100.1 255.255.255.0
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.100 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backupisp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 220.127.116.11 255.255.255.0
ASA5505(config-if)# no shutdown
Next, we will create our SLA statements which will track the availability of our primary ISP link. The commands are as follows:
sla monitor 10
 type echo protocol ipIcmpEcho 18.104.22.168 interface outside
 num-packets 3
 threshold 1000
 timeout 1000
 frequency 3
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
This sends three ICMP echo requests to the tracked address every 3 seconds out of the outside interface, and a single reply is enough to keep the operation, and with it the primary route, up. Pick a tracked address that reliably answers ICMP and is reached only via the primary ISP (its gateway, or a host beyond it); if the target ever starts dropping ICMP, the ASA will declare the primary link down. The sla monitor schedule statement starts operation 10 immediately and runs it indefinitely (the operation number in the schedule line must match the one defined above), and the track 1 statement ties tracking object 1 to SLA operation 10 using reachability as the criterion.
Next, the default route statements are written so that the primary ISP route follows the tracking object and the DSL/cable route becomes active only when the primary fails. We do that with the following statements:
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1 track 1
route backupisp 0.0.0.0 0.0.0.0 188.8.131.52 254
You can test the functionality by unplugging the primary ISP link from the ASA. Note that the configuration above shows no address translation: the inside network also needs a dynamic PAT rule on the backupisp interface, otherwise hosts reach the backup ISP with private source addresses once the primary route is withdrawn.
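The missing translation for the backup path and the show commands used to confirm the failover, as an added example that is not part of the ciscocentral.com.au post. It assumes ASA 8.3 or later (object NAT syntax) and the 192.168.100.0/24 inside network defined above; in 8.3+ each network object carries one NAT rule, so the same subnet is defined twice, once per egress interface.

```cisco
! PAT the inside network behind whichever ISP-facing interface the routing table selects
object network INSIDE-LAN
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network INSIDE-LAN-BACKUP
 subnet 192.168.100.0 255.255.255.0
 nat (inside,backupisp) dynamic interface
!
! Verification, before and after pulling the primary link:
! the SLA operation should report the echo as succeeded and the track as Up ...
show sla monitor operational-state 10
show track 1
!
! ... the routing table should carry the primary default route (metric 1) while the
! track is Up, and only the backupisp default route (metric 254) once it is Down.
show route
!
! Translations built over the primary path do not migrate; clear them so that inside
! hosts re-establish their sessions through the backup interface.
clear xlate
```

When the primary link returns, the track goes back Up, the metric-1 route is reinstalled, and new connections move back to the primary ISP; existing flows again stay where they were until their translations age out or are cleared.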
This solution comes in handy for smaller businesses who require redundant Internet connectivity at a price point. Cisco also has excellent documentation located on their website at
---Resource from ciscocentral.com.au
Here is a 3560 and 3550 comparison for anyone interested in the differences between the two switches.
Catalyst 3560 Only Features [12.2(25) SEE2]
- Access Switch Device Manager (SDM) Template
- IEEE 802.3af Power over Ethernet
- IGMP Throttling
- IPv6 (Internet Protocol Version 6)
- MLD Snooping
- Private VLANs
- VLAN-Based QoS on Physical Ports
- SRR (Shaped Round Robin)
- Weighted Tail Drop (WTD)
Note: For details of the Catalyst 3560-only features, see the related pages on Cisco.com.
Cisco 3560 Only Commands [12.2(25)SEE2]
- clear dot1x
- clear eap
- clear ipc
- clear mac address-table move update
- exception crashinfo
- ipv6 access-list
- ipv6 mld snooping
- ipv6 mld snooping last-listener-query-count
- ipv6 mld snooping last-listener-query-interval
- ipv6 mld snooping listener-message-suppression
- ipv6 mld snooping robustness-variable
- ipv6 mld snooping tcn
- ipv6 mld snooping vlan
- ipv6 traffic-filter
- ip vrf (global configuration) - Not Documented
- ip vrf (interface configuration) - Not Documented
- mdix auto
- mls qos queue-set output buffers
- mls qos queue-set output threshold
- mls qos rewrite ip dscp
- mls qos srr-queue input bandwidth
- mls qos srr-queue input buffers
- mls qos srr-queue input cos-map
- mls qos srr-queue input dscp-map
- mls qos srr-queue input priority-queue
- mls qos srr-queue input threshold
- mls qos srr-queue output cos-map
- mls qos srr-queue output dscp-map
- mls qos vlan-based
- power inline consumption
- renew ip dhcp snooping database
- radius-server dead-criteria
- show cable-diagnostics tdr
- show controllers power inline
- show eap
- show ipc
- show ipv6 access-list
- show ipv6 mld snooping
- show ipv6 mld snooping address
- show ipv6 mld snooping mrouter
- show ipv6 mld snooping querier
- show link state group
- show mac address-table move update
- show mls qos input-queue
- show mls qos queue-set
- show mls qos vlan
- srr-queue bandwidth limit
- srr-queue bandwidth shape
- srr-queue bandwidth share
- switchport mode private-vlan
- switchport private-vlan
- system env temperature threshold yellow
- test cable-diagnostics tdr
Note: For more details on the Cisco 3560-only commands, see Cisco.com.
Cisco 3550 Only Commands [12.2(25) SEE2]
- access-list hardware program nonblocking
- boot buffersize
- ip dhcp snooping information option format snmp-ifindex
- ip igmp snooping source-only-learning age-timer
- mls qos cos policy-map
- mls qos min-reserve
- show fm
- show fm interface
- show fm vlan
- show forward
- show tcam
- show tcam pbr
- show tcam qos
- wrr-queue bandwidth
- wrr-queue cos-map
- wrr-queue dscp-map
- wrr-queue min-reserve
- wrr-queue queue-limit
- wrr-queue random-detect max-threshold
- wrr-queue threshold
Catalyst 3560 - IPv6 routing is not documented in the 3560 command reference.
Catalyst 3560 - IPv6 QoS is not supported as of 12.2(25)SEE2.
Catalyst 3560 - The SDM template must be changed to support IPv6 routing; the change requires a reload to take effect.
Catalyst 3560 - Storm control supports thresholds in bits per second.
Catalyst 3560 - Ports default to dynamic auto rather than dynamic desirable. Two 3560s connected back to back will therefore not trunk automatically, while a 3560 will trunk when connected to a 3550 (whose dynamic desirable port initiates the negotiation).
Catalyst 3560 - The SMI image is now called IP Base and the EMI image is now called IP Services.
Catalyst 3550 - IPv6 can be bridged using fallback bridging.
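The dynamic auto default on the 3560 matters for security, not only for interoperability: a port left in either dynamic mode will negotiate a trunk with anything that speaks DTP, which lets a device on an access port reach every VLAN carried by the switch (VLAN hopping). This added example, not from the original comparison post, pins access and trunk ports explicitly on a 3560 of the 12.2(25)SEE2 train discussed above; the interface numbers and VLAN IDs are assumed.

```cisco
! User-facing access port: fixed mode, DTP frames suppressed, no trunk negotiation possible
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink that must trunk: encapsulation and mode set by hand on both ends, native VLAN
! moved off VLAN 1 and the allowed list limited to the VLANs that actually cross it.
! On the 3560 the encapsulation must be set before "switchport mode trunk" is accepted.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
! Verify: "Administrative Mode: static access" and "Negotiation of Trunking: Off"
! on every edge port, and no DTP state at all on the pinned trunk.
show interfaces FastEthernet0/1 switchport
show dtp interface GigabitEthernet0/1
```

The same two commands (switchport mode access plus switchport nonegotiate) apply to a 3550, where the dynamic desirable default makes the exposure larger rather than smaller: such a port actively solicits a trunk instead of merely accepting one.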
More Cisco Switch Tips and Tutorials you can visit: http://blog.router-switch.com/category/reviews/cisco-switches/
Q. What is Cisco ASA Software Release 9.0?
A. Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core ASA code delivers enterprise-class security capabilities for ASA devices in a variety of form factors, including a wide range of standalone appliances, hardware blades that integrate with the organization's existing network infrastructure and software that can secure and protect public and private clouds.
Q. What's new in Cisco ASA Software Release 9.0?
A. ASA Software Release 9.0 provides several enhancements. Major new features in this release include:
• The ability to join up to eight Cisco ASA 5585-X or 5580 Series adaptive security appliances in a single cluster, for a linear, predictable increase in performance while providing high availability for always-on data centers
• Integration with Cisco Cloud Web Security (formerly ScanSafe), which allows enterprises to enforce granular web access and web application policy while providing protection from viruses and malware
• Cisco TrustSec Security Group Tags (SGTs), which integrate security into the network fabric to extend the policy construct on the ASA platform
• Next-Generation Encryption, including the Suite B set of cryptographic algorithms, for much better confidentiality
• IPv6, including critical IPv4-to-IPv6 translation features, enabling ASA to be deployed in a mixed v4/v6 environment
• Dynamic routing and site-to-site VPN on a per-context basis, providing much better segmentation between departments or between customers
Q. What Cisco ASA models are supported by ASA 9.0?
Q. Does ASA 9.0 support clustering?
A. Yes. Cisco ASA Release 9.0 enables up to eight Cisco ASA 5585-X or 5580 Adaptive Security Appliance firewall modules to be joined in a single cluster to deliver up to 128 Gbps of multiprotocol throughput (300 Gbps max) and more than 50 million concurrent connections. Alternatively, slot 1 of each ASA 5585-X can be populated with an integrated Intrusion Prevention System (IPS) module, for up to 60 Gbps of IPS throughput.
Q. What are some of the key features of the clustering architecture in Cisco ASA Release 9.0?
A. At the core of the clustering architecture in ASA 9.0 is the patent-pending Cisco Cluster Link Aggregation Control Protocol (cLACP). The protocol enables multiunit ASA clusters to function and be managed as a single entity, identifies the backup unit, and creates the session backup. Policies pushed to the cluster get replicated across all units within the cluster, and the health, performance, and capacity statistics of the entire cluster, as well as individual units within the cluster, can be assessed from the single management console.
Q. What ASA models will support clustering?
A. Initially, Cisco ASA Software Release 9.0 will enable clustering on the ASA 5580 and 5585-X Adaptive Security Appliances.
Q. What ASA modes are supported?
A. Clustered ASA appliances can operate in routed, transparent, or mixed-mode. All members of the cluster must be in the same mode.
Q. Do I have to purchase any license to enable clustering?
A. Yes. A cluster license must be purchased and enabled.
Q. How do feature licenses behave when ASA appliances are clustered?
A. Table 1 provides an explanation of the behavior of key features.
Table 1. Cluster Behavior of Different Cisco ASA Feature License Types
License type: Enable/disable feature license
Behavior in cluster: Only one unit in the cluster is required to have the license.
Example: Security+ on the Cisco ASA 5585-X is required on only one unit.
License type: Capacity license (for example, security contexts, SC)
Behavior in cluster: The cluster capacity equals the sum of all licenses installed, subject to the total capacity of each individual appliance.
Example 1: 4-node cluster; Node 1 = 200 SC; Nodes 2, 3 and 4 = 0; total capacity = 200 SC.
Example 2: 4-node cluster; Node 1 = 200 SC; Node 2 = 100 SC; Nodes 3 and 4 = 0; total capacity = 250 SC (the licensed sum of 300 is capped by the capacity of a single appliance).
License type: Time-based feature license
Behavior in cluster: If the feature is installed on one unit, it is automatically enabled on the entire cluster. The total duration equals the sum of all remaining license durations.
Example: If the Botnet Traffic Filter is installed on one node, it becomes available to the entire cluster; if Node 1 has 9 months remaining and Node 2 has 7 months remaining, the feature remains licensed for 16 months on the entire cluster.
Q. What is meant by "scaling factor"?
A. Scaling factor is a measurement of expected performance and scale in a clustered environment. For example, if a 4-unit cluster is configured using 20-Gbps firewalls with a scaling factor of 0.8, the expected performance of that cluster will be: 0.8 x 4 x 20 Gbps = 64 Gbps.
Q. What is the expected performance and capacity with a 2-, 4-, and 8-unit cluster?
A. Cisco currently offers a scaling factor of between 0.7 and 1.0, depending on the traffic profile. Table 2 shows the expected performance of a 2-unit cluster with a multiprotocol traffic profile (the expected performance of 4- and 8-unit clusters can be calculated by multiplying the 2-unit cluster results by 2 and 4, respectively).
Table 2. Sample Data for a Two-Node Cluster
Q. What is the expected behavior if the cluster uses an integrated IPS module in slot 1 of each unit?
A. All IPS modules in the cluster are configured as independent IPSs, so no configuration sync is required. However, Cisco Security Manager and Cisco IPS Manager Express can be used to simplify configuration management across the IPS modules in the cluster. When the traffic enters the cluster, one specific unit becomes the owner for that specific session. When a policy dictates that traffic be redirected to an IPS for further analysis, the IPS module physically associated with that "owner" unit will be utilized. In other words, traffic from one firewall cannot be redirected to an IPS that is integrated with a different firewall in the cluster.
Q. How is session and configuration information synchronized across the cluster members?
A. Cisco ASA Software Release 9.0 uses Cluster Control Link (CCL) to synchronize all state information across the cluster.
Q. How is the cluster managed?
A. The clustered ASA appliances behave as a single firewall instance, so a single instance of Cisco Adaptive Security Device Manager (ASDM) can manage an 8-unit cluster as one ASA unit. To simplify the configuration phase, cluster configuration steps have been added to the ASDM High Availability and Scalability wizard (Figure 1).
Figure 1. Cluster Configuration Steps in ASDM High Availability and Scalability Wizard
Once the cluster has been deployed, the ASDM Cluster Dashboard (Figure 2) shows the entire cluster on a single screen. The dashboard displays the following information:
• Devices information (IP addresses, version, role, and so on)
• Health status: CPU and memory utilizations
• Average CPU and memory status across the cluster
• Control link usage
• Performance statistics: Connections per second and throughput
• Capacity information (number of connections)
Figure 2. ASDM Cluster Dashboard
Cloud Web Security Integration
Q. What are the advantages of cloud web security being integrated with the firewall?
A. Now that Cisco Cloud Web Security is integrated with Cisco ASA Software Release 9.0, organizations gain a centralized content security solution combined with localized network security. However, in contrast to Unified Threat Management appliances (UTMs), which suffer significant performance degradation when web security services are enabled, there is little to no impact on ASA performance because the content scanning is offloaded to the Cisco web security cloud. Administrators can choose to perform deep content scanning on a subset of traffic, based on network address, Microsoft Active Directory user or group name, or hosts residing inside a specific security context.
Q. How does Cisco ASA redirect traffic to Cisco Cloud Web Security?
A. The Cisco ASA Modular Policy Framework (MPF) allows flexible policies to be created to serve a wide range of needs. The outbound traffic can be classified based on user name, user group, source, or destination. The destination aspect can be further classified into three broad categories:
• Approved traffic: Traffic from known safe websites, that is approved by corporate policy
• VPN traffic: Traffic flowing through a site-to-site VPN tunnel
• Traffic redirected to Cisco Cloud Web Security: traffic sent to Cisco Cloud Web Security for granular web policy control, including URL filtering, antivirus scanning, web content scanning (ScanSafe scanlets), and web application visibility and control
The traffic classification criteria can also be mixed and matched (for example, a group of users such as guests, vendors, or interns can be selected for Cisco Cloud Web Security inspection).
Q. How does integrated Cisco Cloud Web Security compare with web security functionalities that are offered on-box from other firewall vendors?
A. The key challenge with all-in-one approaches to security is that all security functionalities (firewall, network access control, web, antivirus, VPN, and so on) compete for fixed computing resources (for example, CPU, Regex, and crypto). As a result, performance can drop significantly as more services are enabled. In contrast, with Cisco Cloud Web Security integrated into ASA 9.0, the antivirus and web security component is executed on the scalable Cisco Cloud Web Security cloud, while the network security component is executed on the Cisco ASA. As a result, both services achieve maximum security efficacy, with little or no performance impact.
Q. My deployment is not yet ready for identity enablement. Can I still use the Cisco Cloud Web Security Connector in Cisco ASA Software Release 9.0?
A. Yes. Traffic can be redirected to Cisco Cloud Web Security based on 5-tuples, or by using a cut-through-proxy and local database users on the Cisco ASA. However, either of these methods will disable user-level and group-level reporting, as well as policy control on both the ASA and Cisco Cloud Web Security.
Q. Is Cisco Cloud Web Security available when the Cisco ASA appliance is in multicontext mode?
A. Yes. When the ASA is configured for multicontext mode, managed security providers can enable Cisco Cloud Web Security on a per-context basis. Note, however, that Cisco Cloud Web Security is not supported when Cisco ASA is in transparent mode.
Q. What are some of the configuration steps required to integrate Cisco Cloud Web Security with Cisco ASA?
A. The Cisco ASA configuration has two broad components: Cisco Cloud Web Security information and traffic classification. Traffic classification is performed using the Cisco ASA Modular Policy Framework (MPF), while the Cisco Cloud Web Security information consists of the following:
• IP address of the Cisco Cloud Web Security tower (primary and backup)
• A valid license
• A designated "retry count" before declaring a tower "dead"
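What those three items look like in the ASA CLI, together with the MPF classification the answer refers to. This is an added example, not from the Cisco FAQ; the tower addresses, the license key, the inside network and the site-to-site VPN subnet are placeholders, and the policy redirects only HTTP and HTTPS from the inside network. The fail-open keyword is the choice discussed under high availability below: with fail-close the same traffic is dropped when no tower answers.

```cisco
! Cloud Web Security information: primary and backup tower, license, dead-tower retry count
scansafe general-options
 server primary ip 203.0.113.10 port 8080
 server backup ip 203.0.113.20 port 8080
 retry-count 5
 license <32-hex-digit-authentication-key>
!
! What to do with redirected flows (one inspection map per protocol); the default
! user/group is what the cloud reports when no identity is known for a flow.
policy-map type inspect scansafe CWS-HTTP
 parameters
  http
  default user inside-unknown group inside-unknown
policy-map type inspect scansafe CWS-HTTPS
 parameters
  https
  default user inside-unknown group inside-unknown
!
! Traffic classification (MPF): deny entries exclude flows that must not be redirected
! (here: traffic bound for the 10.2.0.0/16 site reached over the site-to-site VPN),
! permit entries select what goes to the tower.
access-list CWS-HTTP-ACL extended deny tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 80
access-list CWS-HTTP-ACL extended permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list CWS-HTTPS-ACL extended deny tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 443
access-list CWS-HTTPS-ACL extended permit tcp 10.1.0.0 255.255.0.0 any eq 443
class-map CWS-HTTP-CLASS
 match access-list CWS-HTTP-ACL
class-map CWS-HTTPS-CLASS
 match access-list CWS-HTTPS-ACL
!
! Apply on the inside interface. fail-open lets web traffic through unscanned if both
! towers are unreachable; use fail-close where unscanned browsing is worse than an outage.
policy-map CWS-POLICY
 class CWS-HTTP-CLASS
  inspect scansafe CWS-HTTP fail-open
 class CWS-HTTPS-CLASS
  inspect scansafe CWS-HTTPS fail-open
service-policy CWS-POLICY interface inside
!
! Check tower reachability, which tower is active, and redirect counters
show scansafe server
show scansafe statistics
```

The access-list approach matches the 5-tuple redirection described below for deployments without identity; once identity is enabled, class maps can additionally match user or group so that, for example, only guests and contractors are sent to the cloud.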
Q. Up to 10 percent of the employees in my organization are remote. How can I extend Cisco Cloud Web Security capabilities to those remote users?
A. Cisco Cloud Web Security capabilities are extended to remote users via the Cisco AnyConnect® Secure Mobility Client. The AnyConnect client performs split-tunneling of web and VPN traffic to eliminate the need to backhaul Internet traffic to company headquarters, thereby enabling complex remote access use cases. For example, if a user is traveling from the United States to Japan, AnyConnect will automatically find the closest Cisco Cloud Web Security tower in Japan, even if the VPN tunnel is terminated to the U.S. headquarters location.
Q. How can I enforce Web 2.0 policies on personal handhelds (iPhone and iPads)?
A. The Cisco AnyConnect Secure Mobility Client launches the tunnel to the Cisco ASA headend. The ASA redirects part of tunnel traffic (port 80 and port 443) to the Cisco web security cloud for Web 2.0 application enforcement. This entire process is transparent to the end user.
Q. Is Cisco Cloud Web Security integration available on all Cisco ASA platforms?
A. Yes. Cisco Cloud Web Security integration is available on all currently shipping Cisco ASA appliance platforms, including the Cisco ASA 5500 Series, the Cisco ASA 5500-X Series, and the Cisco Catalyst 6500 Series ASA Services Module. It is not yet available on the Cisco ASA 1000V Cloud Firewall.
Q. How does this integration achieve high availability?
A. There are two pieces to high availability (HA): Cisco Cloud Web Security Tower HA and Cisco ASA HA. When you configure Cisco Cloud Web Security tower information, you can configure a backup Cisco Cloud Web Security tower, which automatically redirects web traffic to the secondary tower if the primary tower goes down. If you are using Cisco ASA HA, the entire system - including the ASA and the Cisco Cloud Web Security tower - can achieve full redundancy in either active/passive or active/active mode. In exceptional circumstances, if both Cisco Cloud Web Security towers are unavailable (e.g., due to the loss of Internet connectivity), the ASA can be configured to either fail-open or fail-close.
Q. Where do I go for more information on the integrated Cisco Cloud Web Security?
A. More information on Cisco Cloud Web Security web AVC can be found at Application Visibility and Control now available in Cisco Cloud Web Security.
Secure Remote Access
Q. Does ASA support IPv6 remote access connections?
A. Yes. IPv4/IPv6 dual stack has been supported inside SSL tunnels since ASA 8.4. ASA 9.0 expands this support to enable IPv4 and IPv6 on the public interface when used in conjunction with Cisco AnyConnect 3.1 or greater. ASA 9.0 also enables IPv6 clientless support.
Q. Does ASA 9.0 support Suite B cryptographic standards?
A. Yes. ASA 9.0 provides comprehensive next-generation encryption capabilities, which includes the Suite B cryptographic standards for remote access and site-to-site connections using an IPsec tunnel. For more information, see the "AnyConnect VPN - Next Generation Encryption" section of this document.
Q. Is next generation encryption available on all ASA platforms?
A. No. Next Generation Encryption is fully supported on the ASA 5585-X, 5500-X Series, and 5580, as well as on the Catalyst 6500 Series ASA Services Module. It can only be partially supported on the ASA 5505, 5510, 5520, 5540, and 5550 due to hardware limitations. AnyConnect 3.1 or greater and an AnyConnect Premium License are also required to use next generation encryption for remote access connections.
Q. Can we use the Cisco AnyConnect Secure Mobility Client with ASA 9.0?
A. Yes. The Cisco AnyConnect Secure Mobility Client is fully supported in ASA 9.0. Customers are encouraged to migrate to AnyConnect for VPN remote access as soon as possible.
Q. Does ASA 9.0 support Virtual Desktop Infrastructure (VDI)?
A. Yes. ASA native clientless support for Citrix VDI deployments has been updated in ASA 9.0 to include XenApp 6.5 and the latest versions of XenDesktop (up to 5.5) for laptops, desktops, and mobile devices (Citrix Mobile Receiver). Support for VMware VDI deployments is also offered (via smart tunnels). As in past releases, Cisco AnyConnect supports Citrix and VMware VDI deployments.
More Related Cisco ASA Tips
The Cisco Catalyst 2960 Series of intelligent Ethernet switches is popular with larger enterprises and companies, as is the Cisco Catalyst 3750 Series.
Why are the Cisco 2960 and Cisco 3750 welcomed by larger companies? The tips, features and reviews of the Catalyst 2960 and Cisco 3750 series below show why.
Cisco Catalyst 2960 Series
Cisco Catalyst 2960 Series Intelligent Ethernet switches, a new line of fixed-configuration standalone devices, provide desktop Fast Ethernet and Gigabit Ethernet connectivity for entry-level enterprise, mid-market, and branch office networks, helping enable enhanced LAN services.
The Catalyst 2960 Series offers integrated security, including network admission control (NAC), as well as advanced quality of service (QoS) and resiliency, delivering intelligent services for the network edge.
The series also includes a number of hardware enhancements for network managers, including configurations featuring dual-purpose (alternatively wired) uplinks for Gigabit Ethernet, allowing the network manager to use either a copper or a fiber uplink. Also included is a 24-port Gigabit Ethernet family member, accelerating Gigabit to the Desktop (GTTD) across the network.
Table 1 provides brief descriptions of the switches in the Catalyst 2960 Series.
The Catalyst 2960 Series offers the following benefits:
• Intelligent features at the network edge, such as sophisticated access control lists (ACLs) and enhanced security.
• Dual-purpose uplinks for Gigabit Ethernet uplink flexibility, allowing use of either a copper or a fiber uplink. Each dual-purpose uplink port has one 10/100/1000 Ethernet port and one SFP-based Gigabit Ethernet port, with one port active at a time.
• Network control and bandwidth optimization through advanced QoS, granular rate-limiting, ACLs, and multicast services.
• Network security through a wide range of authentication methods, data encryption technologies, and network admission control based on users, ports, and MAC addresses.
• Easy network configuration, upgrades, and troubleshooting as part of the mid-market or branch solution using the embedded Device Manager and Cisco Network Assistant.
• Auto-configuration for specialized applications using Cisco Smartports.
Cisco Catalyst 3750 Switches
The Cisco Catalyst 3750 Series switches are a premier line of enterprise-class, stackable, multilayer switches that provide high availability, security, and quality of service (QoS) to enhance the operation of the network. Its innovative unified stack management raises the bar in stack management, redundancy, and failover.
With a range of Fast Ethernet and Gigabit Ethernet configurations, the Cisco Catalyst 3750 Series can serve as both a powerful access layer switch for medium enterprise wiring closets and as a backbone switch for mid-sized networks. Customers can deploy network wide intelligent services, such as advanced QoS, rate-limiting, Cisco security access control lists (ACLs), multicast management, and high-performance IP routing—while maintaining the simplicity of traditional LAN switching. Embedded in the Cisco Catalyst 3750 Series is the Cisco Cluster Management Suite (CMS) Software, which allows users to simultaneously configure and troubleshoot multiple Cisco Catalyst desktop switches using a standard Web browser.
Key Features & Benefits of Cisco 3750 Switches
Ease of Use: "Plug-and-Play" Configuration
A working stack is self-managing and self-configuring. When switches are added or removed, the master switch automatically loads the Cisco IOS Software revision running on the stack to the new switch, loads the global configuration parameters, and updates all the routing tables to reflect changes. Upgrades are applied universally and simultaneously to all members of the stack.
The Cisco 3750 Series stacks up to nine switches as a single logical unit for a total of 468 Ethernet or PoE 10/100 ports, or 468 Ethernet 10/100/1000 ports or PoE 10/100/1000 ports, or nine 10 Gigabit Ethernet ports.
Return on Investment through Lower Operations Costs
The automatic Cisco IOS Software version checking and loading of the global configuration parameters provide the first level of operational time saving. The second level is added during the event of an outage. When you remove a troubled switch from an existing stack of switches and replace it with another switch, the master switch will recognize this as a maintenance outage and automatically reload the port-level configuration that was on the previous switch without user intervention. This allows IT managers to have local personnel in remote locations perform maintenance tasks instead of sending costly technicians out for a few minutes of work, thus saving thousands of dollars in operational costs.
Mix-and-Match Switch Types: Pay as You Expand Your Network
Stacks can be created with any combination of Cisco Catalyst 3750 and Cisco Catalyst 3750-E series. Customers who need a mixture of 10/100 and 10/100/1000 ports, PoE, and wiring-closet aggregation capability can incrementally develop the access environment, paying only for what they need. When uplink capacity needs to be increased, you can easily upgrade your bandwidth by adding a 10 Gigabit Ethernet version to the stack and upgrade your Gigabit Ethernet links with 10 Gigabit Ethernet on the existing fiber.
Availability: Uninterrupted Performance at Layer 2 and Layer 3
The Cisco Catalyst 3750 switch increases availability for stackable switches. Each switch can operate as both a master controller and a forwarding processor. Each switch in the stack can serve as a master, creating a 1:N availability scheme for network control. In the unlikely event of a single unit failure, all other units continue to forward traffic and maintain operation.
Smart Multicast: A New Level of Efficiency for Converged Networks
With Cisco StackWise technology, the Cisco Catalyst 3750 Series offers greater efficiency for multicast applications such as video. Each data packet is put onto the backplane only once, which provides more effective support for more data streams.
Superior Quality of Service Across the Stack and at Wire Speed
The Cisco 3750 Series offers Gigabit and 10 Gigabit Ethernet speed with intelligent services that keep everything flowing smoothly, even at 10 times the normal network speed. Mechanisms for marking, classification, and scheduling deliver best-in-class performance for data, voice, and video traffic, all at wire speed.
Network Security: Granular Control for the Access Environment
The Cisco 3750 supports a comprehensive set of security features for connectivity and access control, including ACLs, authentication, port-level security, and identity-based network services with 802.1x and extensions. This set of comprehensive features not only helps prevent external attacks, but also defends the network against "man-in-the-middle" attacks, a primary concern in today's business environment.
Single IP Management: Many Switches, One Address
Each Cisco Catalyst 3750 Series stack is managed as a single object and has a single IP address. Single IP management is supported for activities such as fault detection, VLAN creation and modification, network security, and QoS controls.
Jumbo Frames: Support for High-Demand Applications
The Cisco 3750 Series Switch supports jumbo frames on the 10/100/1000 configurations for advanced data and video applications requiring very large frames.
The Catalyst 3750 Series supports IPv6 routing in hardware for maximum performance. As network devices grow and the need for larger addressing and higher security becomes critical, the Cisco 3750 switch will be ready to meet the requirement.
Standard PoE Support: Graceful Addition of IP Communications
The Cisco Catalyst 3750 and 3750G PoE models support Cisco IP phones and Cisco Aironet wireless LAN (WLAN) access points, as well as any IEEE 802.3af-compliant end device. The Cisco Catalyst 3750 and 3750G 24-port versions can support 24 simultaneous full-powered PoE ports at 15.4W for maximum powered device support. The 48-port versions can deliver the necessary power to support 24 ports at 15.4W, 48 ports at 7.7W, or any combination in between.
10 Gigabit Ethernet Support: Increased Uplink Bandwidth for Gigabit Ethernet Deployments
The Cisco Catalyst 3750 allows network managers to incrementally add IEEE 802.3ae-compliant 10 Gigabit Ethernet connectivity in their wiring closets or grid clusters, further facilitating and enhancing Gigabit Ethernet networks. This provides investment protection to customers who want to use their existing fiber plant, add uplink bandwidth capacity to their switching stacks, and provide higher performance to applications and users.
The Cisco 3750 Series switch offers both a superior command-line interface (CLI) for detailed configuration and Cisco Network Assistant Software, a Web-based tool for quick configuration based on preset templates. In addition, CiscoWorks supports the Cisco Catalyst 3750 Series for network wide management.
Models Comparison of Cisco 3750 Series Switches
Reports from the Cisco market and from customers tell us that the Cisco Catalyst 3750G and Cisco 3750 V2 series are more popular than the Cisco 3750-E series.
More Cisco 2960 and Cisco Catalyst 3750 Info:
Video Offer: Cisco Catalyst 3560 and 3750 QoS Simplified
As Cisco users know, Cisco 2960s switches can route now. As of IOS 12.2(55)SE, Cisco 2960s switches are layer 3 switches (with some limitations mentioned later).
Configuring a 2960s to route is pretty simple. The Switch Database Management (SDM) template needs to be changed to “lanbase-routing”. A reboot is always needed after changing the SDM template. After the reboot, it’s just like enabling routing on any other L3 switch: use the command “ip routing” from global configuration mode.
First we’ll change the SDM template:
SwitchA(config)#sdm prefer lanbase-routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
System configuration has been modified. Save? [yes/no]: y
Proceed with reload? [confirm]
After changing the SDM template, we are reminded that we’ll need to reboot and also given a command to verify the change after the next boot.
Now we verify:
SwitchA#show sdm prefer
The current template is "lanbase-routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 255 VLANs.
number of unicast mac addresses: 4K
number of IPv4 IGMP groups + multicast routes: 0.25K
number of IPv4 unicast routes: 4.25K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 0.25K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.125k
number of IPv4/MAC security aces: 0.375k
The change was successful and we’re given the details about this SDM template.
Now seems like a good time to touch on the limitations of the layer 3 capabilities of the Cisco 2960s. As we see in the output above, we’re limited to 8 routed interfaces, and these must be SVIs: at this point, the Catalyst 2960s does not support routed physical interfaces (“no switchport”). Another important note is that we’re only allowed 16 static routes and there is no dynamic routing capability.
Now we’ll enable IP routing and configure a couple of SVIs:
SwitchA(config)#ip routing
SwitchA(config)#int vlan 15
SwitchA(config-if)#ip add 192.168.15.1 255.255.255.0
SwitchA(config-if)#int vlan 25
SwitchA(config-if)#ip add 192.168.25.1 255.255.255.0
SwitchA#sh ip route
C 192.168.15.0/24 is directly connected, Vlan15
C 192.168.25.0/24 is directly connected, Vlan25
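A config audit for the lanbase-routing limits just described, as an added example that is not part of the original post: it pulls the routed SVIs, static routes and any routing process out of a running-config and reports what the 2960s will not accept. The sample config text and the function names are constructed for this example.

```python
"""Audit a Catalyst 2960 config against the lanbase-routing limits above (routed SVIs only,
at most 8, 16 static routes, no dynamic routing). Added example; the config is constructed."""
import re

MAX_ROUTED_SVIS = 8      # "8 routed interfaces" in the show sdm prefer output
MAX_STATIC_ROUTES = 16   # limit stated in the post
DYNAMIC_RE = re.compile(r"^router\s+(ospf|eigrp|rip|bgp)\b")

SAMPLE_CONFIG = """\
sdm prefer lanbase-routing
ip routing
interface GigabitEthernet1/0/1
 no switchport
 ip address 172.16.1.1 255.255.255.0
interface Vlan15
 ip address 192.168.15.1 255.255.255.0
interface Vlan25
 ip address 192.168.25.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.15.254
ip route 10.0.0.0 255.0.0.0 192.168.25.254
router ospf 1
 network 192.168.0.0 0.0.255.255 area 0
"""

def audit(config):
    """Pull the facts the limits depend on out of the config text."""
    lines = config.splitlines()
    routed_svis, routed_physical, current = [], [], None
    for line in lines:
        if line.startswith("interface "):
            current = line.split()[1]
        elif not line.startswith(" "):
            current = None                      # left the interface section
        elif current:
            body = line.strip()
            if body == "no switchport":
                routed_physical.append(current)  # 2960 cannot route a physical port
            elif body.startswith("ip address ") and current.startswith("Vlan"):
                routed_svis.append(current)
    return {
        "sdm_lanbase_routing": "sdm prefer lanbase-routing" in lines,
        "ip_routing": "ip routing" in lines,
        "routed_svis": routed_svis,
        "routed_physical": routed_physical,
        "static_routes": sum(1 for l in lines if l.startswith("ip route ")),
        "dynamic_routing": [l for l in lines if DYNAMIC_RE.match(l)],
    }

def problems(config):
    """List everything in the config the 2960 will not do as written."""
    a = audit(config)
    checks = [
        (not a["sdm_lanbase_routing"], "SDM template is not lanbase-routing (reload after changing it)"),
        (not a["ip_routing"], "'ip routing' is missing, so the SVIs will not route"),
        (len(a["routed_svis"]) > MAX_ROUTED_SVIS, f"more than {MAX_ROUTED_SVIS} routed SVIs"),
        (a["static_routes"] > MAX_STATIC_ROUTES, f"more than {MAX_STATIC_ROUTES} static routes"),
        (bool(a["routed_physical"]), "'no switchport' (routed physical ports) is not supported"),
        (bool(a["dynamic_routing"]), "dynamic routing processes are not supported"),
    ]
    return [msg for failed, msg in checks if failed]
```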
We deployed some new Cisco Catalyst 6513 switches with Sup2T supervisor engines as access switches several days ago. During the initial configuration, we realized that Cisco had introduced some new reserved VLANs in IOS 15 for internal use:
VLAN id: 3990 is an internal vlan id - cannot use it to create a VTP VLAN.
Reserved VLANs can be checked with the command “sh vlan internal usage”:
switch #sh vlan internal usage
1006 online diag vlan0
1007 online diag vlan1
1008 online diag vlan2
1009 online diag vlan3
1010 online diag vlan4
1011 online diag vlan5
1012 PM vlan process (trunk tagging)
3968 MET reserved VLAN
3969 MET reserved VLAN
3970 MET reserved VLAN
3971 MET reserved VLAN
4030 MET reserved VLAN
4031 MET reserved VLAN
Because some code has been backported from NX-OS to IOS 15, VLANs 3968 to 4031 are now reserved for MET usage. However, if you are deploying these switches in a working environment, you may need to use some of these VLANs. If so, you can change the VLAN range with the following command:
switch (config)#vlan internal reserved met vlan 3904
The new MET VLAN will take effect after reload.
Please reload, or no change will be made
Configuration MET VLAN value is 3904
Operation MET VLAN value is 3968
After you reload the switch the new VLAN range will be applied:
switch #sh vlan internal usage
3904 MET reserved VLAN
3905 MET reserved VLAN
3906 MET reserved VLAN
3965 MET reserved VLAN
3966 MET reserved VLAN
3967 MET reserved VLAN
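An added example, not from the original post, that parses the “show vlan internal usage” output above and checks a planned VLAN list against it, including the MET block that a new “vlan internal reserved met vlan” base will claim after the reload. The 64-VLAN block size is read off the two outputs above (3968 to 4031, then 3904 to 3967); the captured text and the function names are constructed.

```python
"""Check a VLAN plan against 'show vlan internal usage' and against the MET block
a new base will reserve after reload. Added example; the capture is constructed."""
import re

MET_BLOCK_SIZE = 64   # both outputs in the post span 64 consecutive MET VLANs

# Constructed from the abbreviated output shown above.
SHOW_VLAN_INTERNAL_USAGE = """\
VLAN Usage
---- --------------------
1006 online diag vlan0
1007 online diag vlan1
1012 PM vlan process (trunk tagging)
3968 MET reserved VLAN
3969 MET reserved VLAN
4031 MET reserved VLAN
"""

def parse_internal_usage(text):
    """Map VLAN id -> usage for every '<id> <usage>' line of the output."""
    usage = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d{1,4})\s+(\S.*?)\s*$", line)
        if m:
            usage[int(m.group(1))] = m.group(2)
    return usage

def met_block(base):
    """VLAN ids claimed by 'vlan internal reserved met vlan <base>' (base..base+63)."""
    return set(range(base, base + MET_BLOCK_SIZE))

def reserved_vlans(usage, met_base=None):
    """Everything the switch keeps for itself: the non-MET entries plus the whole
    active MET block, or the planned post-reload block when met_base is given."""
    reserved = {v: u for v, u in usage.items() if not u.startswith("MET")}
    active = [v for v, u in usage.items() if u.startswith("MET")]
    base = met_base if met_base is not None else (min(active) if active else None)
    if base is not None:
        tag = "MET reserved VLAN" + (" (after reload)" if met_base is not None else "")
        for v in met_block(base):
            reserved[v] = tag
    return reserved

def collisions(planned, usage, met_base=None):
    """Planned VLAN ids the switch will refuse to create, with the reason."""
    reserved = reserved_vlans(usage, met_base)
    return {v: reserved[v] for v in planned if v in reserved}
```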
---Original resources from packetpushers.net
Cisco ASA configuration can be a frustrating issue for many Cisco users; in fact, everyone has their own troublesome case. Here Ethan Banks, a network engineer, shares his experience of helping a VPN client reach a remote office, along with an example of Cisco ASA 8.3/8.4 hairpinning NAT configuration.
Let’s share the case:
“I ran into an issue over the weekend where a VPN client was unable to access a remote office connected via an L2L tunnel terminated on the same firewall. The symptoms were straightforward enough. The client was unable to either ping or open a URL at a specific server at the remote office, although this connectivity used to work. In this example, VPN client 192.168.100.100 was not able to access server 10.11.12.1, although access to resources in the 10.10.0.0/16 network was fine.
I confirmed the remote office firewall was unlikely to be the issue; the remote firewall had seen no changes. As I knew the headquarters Cisco ASA firewall HAD seen a few changes, that’s where I focused my attention. After reviewing the headquarters firewall rulebase, I knew that the VPN client IP pool had permission to access resources in the remote office.
Monitoring the firewall logs, I spotted several “110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port” messages tied directly to the VPN client trying to open a socket to 10.11.12.1. So, I reviewed the firewall routing table with “show route” and “show asp table routing” and found no issues…not that I expected to. If the routing table was having a problem, connectivity issues would have been more widespread.
Of course, NAT sprung to mind as a potential issue, but I couldn’t see an obvious problem. There was a NAT that exempted the entire VPN client pool from being translated to any RFC1918 destinations. As this clearly covered the remote office IP range, I was a little stumped. This confusion was compounded by the fact that the connectivity used to work. A perplexing issue.
Take a read of “Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Setting General VPN Parameters”. A couple of highlights caught my eye:
- The “same-security-traffic permit intra-interface” is required. Fair enough, easy to implement, makes sense, and I’d already done that. No problem.
- Now the documentation got confusing because of two conflicting statements:
- “When the ASA sends encrypted VPN traffic back out this same interface NAT is optional. The VPN-to-VPN hairpinning works with or without NAT.” Okay – so I don’t need to write a NAT statement for the hairpinned traffic. NAT is optional, right? But then you next read…
- “To exempt the VPN-to-VPN traffic from NAT, add commands that implement NAT exemption for VPN-to-VPN traffic.” Uh, hang on. So I *do* need a NAT statement?
From my experience, I believe that, yes, you need a NAT exemption statement. I think all Cisco is trying to say is that you don’t have to actually translate the source or destination address into something else to be able to get through the hairpin.
Writing a NAT exemption statement is not an unusual thing to have to do in an ASA, but the magic in the context of hairpinning is in defining the ingress and egress interfaces. In a hairpin path, the traffic flows in and out the same interface. While I did have a NAT statement that matched source and destination addresses in question, the interfaces were only suitable for handling source VPN client to destination headquarters network traffic…not traffic headed from VPN client to the remote office network. Therefore, I needed a NAT statement like this: “nat (outside,outside) source static client_vpn_pool client_vpn_pool destination static remote_office_net remote_office_net”.
The order of the NAT statement also mattered, as NAT statements are processed in order. Once I moved my new NAT statement to the top of the list, the issue was resolved.”
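To make the interface-pair and ordering points concrete, here is an added example (not Ethan's or Cisco's code) that models ASA manual NAT as first-match over the (ingress, egress, source, destination) tuple for the addresses in the story. The hq_net and rfc1918 objects, the (outside,inside) pair of the pre-existing exemption and the broad hairpin rule used to show ordering are assumptions.

```python
"""First-match model of ASA manual NAT for the hairpin case above.
Added example; objects other than client_vpn_pool/remote_office_net are assumptions."""
import ipaddress
from dataclasses import dataclass

# Address objects. Names follow the post; hq_net and rfc1918 are assumed contents.
OBJECTS = {
    "any": [ipaddress.ip_network("0.0.0.0/0")],
    "client_vpn_pool": [ipaddress.ip_network("192.168.100.0/24")],
    "hq_net": [ipaddress.ip_network("10.10.0.0/16")],
    "remote_office_net": [ipaddress.ip_network("10.11.12.0/24")],
    "rfc1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}

@dataclass(frozen=True)
class NatRule:
    ingress: str   # first name in "nat (ingress,egress)"
    egress: str
    src: str       # source object name
    dst: str       # destination object name
    name: str      # label returned when the rule is the one that applies

def matches(rule, ingress, egress, src_ip, dst_ip):
    """A manual NAT rule applies only when the flow's interface pair AND both
    addresses match; a hairpin flow has the same interface on both sides."""
    return ((rule.ingress, rule.egress) == (ingress, egress)
            and any(src_ip in n for n in OBJECTS[rule.src])
            and any(dst_ip in n for n in OBJECTS[rule.dst]))

def first_match(rules, ingress, egress, src, dst):
    """Rules are evaluated in order; the first one that matches wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, ingress, egress, src_ip, dst_ip):
            return rule.name
    return None

# The exemption that was already there (its interface pair is an assumption):
#   nat (outside,inside) source static client_vpn_pool client_vpn_pool destination static rfc1918 rfc1918
EXEMPT_TO_HQ = NatRule("outside", "inside", "client_vpn_pool", "rfc1918", "exempt_vpn_to_hq")
# The rule the post adds for the hairpin path:
#   nat (outside,outside) source static client_vpn_pool client_vpn_pool destination static remote_office_net remote_office_net
HAIRPIN_EXEMPT = NatRule("outside", "outside", "client_vpn_pool", "remote_office_net", "exempt_vpn_to_remote")
# A constructed broader (outside,outside) rule, only to show why order matters.
BROAD_HAIRPIN = NatRule("outside", "outside", "client_vpn_pool", "any", "broad_hairpin_rule")

VPN_CLIENT, HQ_SERVER, REMOTE_SERVER = "192.168.100.100", "10.10.1.1", "10.11.12.1"

def before_fix():
    """Flow to HQ is covered; the hairpin flow to the remote office hits no rule."""
    rules = [EXEMPT_TO_HQ]
    return (first_match(rules, "outside", "inside", VPN_CLIENT, HQ_SERVER),
            first_match(rules, "outside", "outside", VPN_CLIENT, REMOTE_SERVER))

def after_fix(new_rule_first):
    """Same hairpin flow with the new rule placed first or after a broader rule."""
    rules = [HAIRPIN_EXEMPT, BROAD_HAIRPIN] if new_rule_first else [BROAD_HAIRPIN, HAIRPIN_EXEMPT]
    return first_match(rules, "outside", "outside", VPN_CLIENT, REMOTE_SERVER)
```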