Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Peter Rathlev
On Mon, 2009-05-11 at 16:55 -0400, Deny IP Any Any wrote: > 8.0.4(28) contains numerous security fixes over plain 8.0.4, as per > http://www.cisco.com/en/US/products/products_security_advisory09186a0080a994f6.shtml It does indeed, and they're a nasty bunch of bugs. I had completely forgotten about th

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Peter Rathlev
On Mon, 2009-05-11 at 14:01 -0400, SHAM SHARMA wrote: > - CPU spike bug is confirmed by Cisco .. that has brought our network > down 3 times so far ... currently we are running 8.0(4)28 ... now > Cisco is releasing 8.0(4)32 and they are confident they have fixed the CPU > spike issue in it .. > > - plus

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Tony Varriale
What's the bug ID for that? Why are you running interim code? tv - Original Message - From: "SHAM SHARMA" To: "Marcelo Zilio" Cc: "Cisco-nsp" Sent: Monday, May 11, 2009 1:01 PM Subject: Re: [c-nsp] Trouble in an ASA migration from CheckP

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread SHAM SHARMA
We just moved to ASAs from CheckPoint. - CPU spike bug is confirmed by Cisco .. that has brought our network down 3 times so far ... currently we are running 8.0(4)28 ... now Cisco is releasing 8.0(4)32 and they are confident they have fixed the CPU spike issue in it .. - plus doing changes from ASDM f

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Marcelo Zilio
Hi Sham, I've been working with Cisco firewalls for the past four years and until now they have always worked well for me. The old PIXes before version 7.x really left something to be desired, but the new ASAs have been greatly improved. However I have to agree with you on some points (using a lot of public IP

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread SHAM SHARMA
Agree .. Cisco still has a long way to go to match CheckPoint. You will notice it as you go through this transaction. You will end up using more public IPs ... finding a lot of bugs ... helping Cisco, not vice versa. Sorry, but that's the utter truth ... On 5/11/09, Rubens Kuhl wrote: > On Mon, M

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Rubens Kuhl
On Mon, May 11, 2009 at 10:11 AM, Marcelo Zilio wrote: > Hi Rubens, > > Thanks for your response. > > I'm sorry, but I didn't understand what you meant... > > Remember IPs 200.1.1.1 and 190.1.1.1 are Internet address and I cannot > control their DNS resolution. Yes we can! :-) http://www.oreilly

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Marcelo Zilio
Hi Peter, Thanks for your response. I'm almost sure that I've tried reversing the inside and outside interfaces, but I will go double check. :) regards, Marcelo 2009/5/11 Peter Rathlev > On Mon, 2009-05-11 at 08:35 -0300, Marcelo Zilio wrote: > > I've tried your suggestion and I got the following:

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Marcelo Zilio
Hi Rubens, Thanks for your response. I'm sorry, but I didn't understand what you meant... Remember IPs 200.1.1.1 and 190.1.1.1 are Internet addresses and I cannot control their DNS resolution. Thanks and regards. Marcelo 2009/5/11 Rubens Kuhl > A possible solution that is not a straightforwa

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Peter Rathlev
On Mon, 2009-05-11 at 08:35 -0300, Marcelo Zilio wrote:
> I've tried your suggestion and I got the following: ...
> ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION1
> ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION2
> ERROR: mapped-address conflict
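The two policy statics quoted above share a single mapped address (80.1.1.1), which is exactly what the 8.0 NAT engine rejects with "mapped-address conflict". On ASA 8.3 and later the same requirement is expressed with "twice NAT", where a rule is keyed on the source/destination pair rather than on the mapped address alone, so two rules can map 80.1.1.1 to different inside hosts depending on who is talking. The following is an added example in 8.3+ syntax, not configuration posted in the thread and not a fix for the 8.0 software discussed here; the addresses are the ones used in the thread, the object and access-list names are my own, and the interface ACL permits `ip` as in Marcelo's CONDITION1/CONDITION2 access-lists.

```cisco
! Added example: ASA 8.3+ "twice NAT" for source-dependent destination NAT.
! Not from the thread; addresses taken from it, object/ACL names assumed.
object network INSIDE_HOST_1
 host 10.1.1.1
object network INSIDE_HOST_2
 host 10.1.1.2
object network PUBLIC_VIP
 host 80.1.1.1
object network REMOTE_A
 host 200.1.1.1
object network REMOTE_B
 host 190.1.1.1
!
! Rules are written from the outside interface's point of view.
! "source static X X" leaves the remote source untranslated (identity);
! "destination static <mapped> <real>" rewrites 80.1.1.1 to the chosen inside host.
! 200.1.1.1 -> 80.1.1.1 is delivered to 10.1.1.1
nat (outside,inside) source static REMOTE_A REMOTE_A destination static PUBLIC_VIP INSIDE_HOST_1
! 190.1.1.1 -> 80.1.1.1 is delivered to 10.1.1.2
nat (outside,inside) source static REMOTE_B REMOTE_B destination static PUBLIC_VIP INSIDE_HOST_2
!
! Enforce the pairing in the access policy as well, so REMOTE_A can never
! reach INSIDE_HOST_2 and vice versa. In 8.3+ interface ACLs match the
! real (untranslated) inside addresses, not the mapped 80.1.1.1.
access-list OUTSIDE_IN extended permit ip object REMOTE_A object INSIDE_HOST_1
access-list OUTSIDE_IN extended permit ip object REMOTE_B object INSIDE_HOST_2
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
```

Manual NAT rules are evaluated in order, so keep the two `nat` lines adjacent and ahead of any broader rule for the same VIP. To confirm which rule a flow hits, use `show nat detail` and `packet-tracer input outside tcp 200.1.1.1 12345 80.1.1.1 443`; the trace should show the NAT phase rewriting the destination to 10.1.1.1 for 200.1.1.1 and to 10.1.1.2 when the source is 190.1.1.1.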

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Rubens Kuhl
A possible solution that is not a straightforward CheckPoint replacement would be using DNS views. To 200.1.1.1, DNS would answer 80.1.1.1; to 190.1.1.1, DNS would answer 80.1.1.2, and 80.1.1.2 would be translated to 10.1.1.2. You can even enforce this by using both NAT and access rules. Ruben

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-11 Thread Marcelo Zilio
Hello Ryan, Thanks for the input. I've tried your suggestion and I got the following:
---
ciscoasa(config)# access-list CONDITION1 permit ip host 10.1.1.1 host 200.1.1.1
ciscoasa(config)# access-list CONDITION2 permit ip host 10.1.1.2 host 190.1.1.1
ciscoasa(config)#
ciscoasa(config)# static

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-09 Thread Ryan Hughes
Then you should use an access-list for interesting traffic to match on those specific conditions. This is static policy NAT. See the ASA 8.0 config guide: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042553 static (inside,outside) 80.1.1.1 access-list COND

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-09 Thread Marcelo Zilio
Hi Mike, Thank you for your response. This is not exactly what I need, as you can see in my previous reply. Even though, I think somehow this can be accomplished according to this doc: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml Thanks and rega

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-09 Thread Marcelo Zilio
Hi, Thank you for the feedback. What I must do is, for example:
200.1.1.1 (internet) > ASA (NAT IP 80.1.1.1) > 10.1.1.1 (inside)
190.1.1.1 (internet) > ASA (NAT IP 80.1.1.1) > 10.1.1.2 (inside)
When packets come from 200.1.1.1 towards 80.1.1.1 ASA should redirect to inside IP 10.

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-08 Thread Michael K. Smith - Adhost
Hello Marcelo: > I'm working in a migration of a CheckPoint Firewall to an ASA5520. I freeze on a situation that seems ASA cannot "reproduce" CheckPoint configuration. Follow the scenario: > > - IP Address X on the Internet accesses IP Address X1 in the Inside network through the X-NAT

Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-07 Thread Bruce Pinsky
Marcelo Zilio wrote: > Hi, > > I'm working in a migration of a CheckPoint Firewall to an ASA5520. I freeze > on a situation that seems ASA cannot "reproduce" CheckPoint configuration. > Follow the scenario: > > - IP Address X on the Internet accesses IP

[c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-06 Thread Marcelo Zilio
Hi, I'm working in a migration of a CheckPoint Firewall to an ASA5520. I freeze on a situation that seems ASA cannot "reproduce" CheckPoint configuration. Follow the scenario:
- IP Address X on the Internet accesses IP Address X1 in the Inside network through the X-NAT Address.
- IP Address Y on th