Add Cisco ASA to a live ASA

Similar Messages

• How to Add Cisco 861's behind ASA 5505

  I will be setting up a VPN with a client soon.  They are shipping 2 Cisco 861's that are planning to go behind our ASA 5505.  They are set up to be NATed.
  I am trying to understand what the best way to do this would be as I seem to keep running into limitations of the ASA 5505.
  Our ASA has a public IP of 2.1.2.14/30 assigned to it's outside interface.
  The public IPs to be NATed to the 861's are 2.1.2.218 and 2.1.2.219/29.
  1. How can I assign this seperate public IP block to the ASA? Is it even possible?
  2. If not possible, what would other options be?
  3. Would an upgraded license that allows for additional interfaces make this easier? (I would not do the NATing then, just assign the new public IP block to another interface)
  Appreciate any help or suggestions.

  Hi,
  I personally run into these situations too and more than one occasion the users start to run into different kind of problems when they got additional hardware on their LAN that we dont manage.
  If you HAVE to do this as you described I would need some additional information
  What software version is your ASA?
  Do you have a Base License version of the ASA5505?Can confirm this with "show version" command
  In the original post, do you mean that you have a small link network (/30) with the ISP and that the ISP has also provided you with a small subnet for NAT purposes (/29)
  The first thing mentioned above would be needed to confirm what NAT format to use.
  Otherwise if the following 2 are true then there should be no problem using the additional IP address range on your ASA5505 firewall.
  There are 2 ways to go.
  Option 1.
  Make sure that the ISP has routed the additional /29 network towards your ASA5505 "outside" IP address
  Now just configure the needed NAT configurations (can naturally help with the configurations when I know the software level of the ASA)Notice that the additional public subnet doesnt need to be configured on any interface of the ASA. You can just configure NATs using those IP addresses as usual. The critical thing here is that the ISP has routed the network towards your ASA and HAS NOT configured this additional /29 subnet on their gateway as a secondary network.
  Option 2.
  Even if you have the ASA5505 at Base License you can still configure 3 interfaces on the ASA5505. The one thing to notice here is that you need to configure the "no forward interface Vlanx" to the third Vlan interface which will prevent this third Vlan from connecting to networks behind the interface Vlanx. This however doesnt stop Vlanx from connecting to networks behind third Vlan interface.This might provide a possibility to use the WAN side of the VPN routers on the third interface of the ASA since they you can limit their connectivity to the "inside" Vlan and this would mean they could still connect to "outside"
  Hopefully I made any sense. Please ask more if I was unclear about something above (which might be possible )
  - Jouni

• Configurate cisco ipsec vpn client at asa 5505 version 8.4

  Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
  please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
  thank you.

  are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
  what version of vpn client ?

• Firewall Ports Required for NAC manager to manage/add Cisco switch

  Hi,
  I am trying to add cisco switches to the NAM, however i am not able to add the switch as I am getting the error "unable to control switch" I have tried to open ports 161-162 on the firwall; if i was to allow any traffic between the NAM and switch, the cisco NAM is able to add/manage the switch.
  Not sure what other ports may be required for cisco NAM to manage the switch?
  Thanks.

  Hi,
  AFAIK, only the UDP ports 161-162 for the SNMP communication need to be open.
  Please make sure you have configured the correct port on the switch:
  (config)# snmp-server host 172.16.1.61 traps version 2c cam_v2 udp-port 162 mac-notification snmp
  If still not working i would check the logs on the firewall for any blocked traffic between the CAM and the switch.
  HTH,
  Tiago
  If  this helps you and/or  answers your question please mark the question  as "answered" and/or rate  it, so other users can easily find it.

• Connecting Cisco VPN client v5 to asa 5505

  I am having problem configuring remote vpn between ASA5505 and Cisco VPN client v5. I can successfully establish connection between ASA and Vpn client and receive IP address from ASA. VPN client statistics windows shows that packets are send and encrypted but none of the packets is Received/Decrypted.
  Can not ping asa 5505
  Any ideas on what I have missed?

  Your NAT configuration is incomplete, enter the following commands to your configuration:
  access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
  nat (inside) 0 access-list nonat
  This tells the ASA that the traffic destined for the VPN Client should not be NATted and should be sent directly to the client via the VPN Tunnel!
  Please rate if the post helps!
  Regards,
  Michael

• How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?

  Hi
  The two ASA with IPS modules are in active/standby mode. When I try to add both the two IP (active/standby) into the MARS, the MARS will complain duplicated hostnames.
  How to setup MARS to monitor ASA with IPS with active standby topology?
  Thanks!

  Hi,
  The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
  Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
  In a failover scenario the ASA's swap IP's but the IPS's don't so whereas you'll only ever get messages from the active ASA you'll get messages from both IPS IP's depending on which one happens to be in the active ASA at the time.
  Don't forget that you have to manually replicate all IPS configuration every time you make a change.
  HTH
  Andrew.

• Adding live ASA to CSM

                     Hi Everyone,
  I need to add  ASA  which is  in production to CSM 4.3  using Add  Network device method.
  My concern is this ASA  is in multicontext  mode and if i add this to CSM  will it remove or change any config on ASA??
  As i am doing this first time so i do not want to create any outage.
  Regards
  MAhesh

  It will not erase anything,
  Just make sure you discover all contexts and policies at the same time; otherwise, you will have to discover policies for each context separately.
  For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
  Cheers,
  Julio Carvajal Segura

• Cisco Unified Mobility Adv 7 - ASA certificates issue

  Dear All,
  I have Mobility Advantage 7 that i am trying to use with CUCM 7.1 and ASA.
  Now i have come to know that you must have a certificate from Verisign or Geotrust installed in the ASA in order for the mobility to work.
  Is there any other way we can make the mobility work without OR self-signed certificates???
  its urgent and any help in this reference is higly appreciated.
  Nouman

  If I recall correctly, we did a pilot of CUMA and we did not have to have a
  certificate from Verisign. Since it was a pilot, the customer didn't want to
  pay for the cert if it wasn't going to be needed long term. So, we used a
  self-signed cert on the ASA. The "problem" or side-effect was that the
  mobile users were constantly prompted to state they trusted the cert. In a
  way, our hands were tied with respect to trying to make that cosmetic issue
  disappear. It was an all BB shop and the admin had tight controls on the
  BES.
  Regardless, my recollection is that we were able to get away with it but
  that if the customer decided to go full bore that we would need to do the
  Verisign cert.
  HTH.
  Regards,
  Bill
  Please remember to rate helpful posts.

• Route inside does not work on ASA 8.2(3), ASA cannot ping inside hosts

  Hi Guys,
  I have a problem on one our ASA seems to acting strange.
  I have copy these routes below on ASA, and able to ping only 10.126.0.32.
  route inside 10.126.0.10 255.225.255.255 10.20.3.1
  route inside 10.126.0.30 255.225.255.255 10.20.3.1
  route inside 10.126.0.31 255.225.255.255 10.20.3.1
  route inside 10.126.0.32 255.225.255.255 10.20.3.1
  route inside 10.126.0.140 255.225.255.255 10.20.3.1
  route inside 10.126.0.141 255.225.255.255 10.20.3.1
  route inside 10.126.0.142 255.225.255.255 10.20.3.1
  When I saved the configuration and checking back on ASA running-configuration, none of above routes exists.
  MYASA(config)# route inside 10.126.0.10 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.30 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.31 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.32 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.140 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.141 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.142 255.225.255.255 10.20.3.1
  MYASA(config)# end
  MYASA# show run | in route inside
  route inside 10.0.0.0 255.0.0.0 10.20.3.1 1
  route inside 10.96.0.0 255.224.0.0 10.20.3.1 1
  route inside 10.96.0.10 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.30 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.31 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.32 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.140 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.141 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.142 255.225.255.255 10.20.3.1 1
  route inside 10.100.1.61 255.255.255.255 10.20.3.1 1
  route inside 10.101.20.112 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.113 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.114 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.115 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.201 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.202 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.204 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.205 255.255.255.255 10.0.0.254 1
  route inside 10.101.22.22 255.255.255.255 10.20.3.1 1
  route inside 10.101.24.100 255.255.255.255 10.0.0.254 1
  route inside 10.101.24.101 255.255.255.255 10.0.0.254 1
  route inside 10.101.25.0 255.255.255.0 10.20.3.1 1
  route inside 10.126.0.32 255.255.255.255 10.20.3.1 1
  route inside 67.215.65.132 255.255.255.255 10.20.3.1 1
  route inside 192.168.1.3 255.255.255.255 10.0.0.254 1
  route inside 192.168.1.4 255.255.255.255 10.0.0.254 1
  route inside 192.168.151.0 255.255.255.0 10.20.3.1 1
  route inside 192.168.151.48 255.255.255.240 10.0.0.254 1
  route inside 205.210.235.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.236.0 255.255.255.0 10.20.3.1 1
  route inside 205.210.237.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.238.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.239.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.240.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.241.0 255.255.255.0 10.0.0.254 1
  MYASA#
  It maybe a bug on the ASA?
  Thanks
  Rizwan Rafeek

  Hi Vibhor,
  Well, problem is resolved from Cisco Tech support, it boiled down a bug.
  "route inside 10.126.0.32 255.225.255.255 10.20.3.1", this route already existed, and yet it only one route shows up out of 7 copied, that is a bug.
  Thanks for your reply.
  Regards
  Rizwan Rafeek.

• Comparison of ASA-CX and normal ASA

  Hi all,
  Is it possible to get some comparison table or document that highlights main advantage of using CX over normal ASAs ?

  There no advantages/disadvantages one over  another. CX is not a standalone ASA, but a module (hardware or software), wich complements normal ASA with some extended function, as Application Visibiltiy And conrol and web filtering. Technically, CX is module, wich allows the ASA perform functions, usually done by cisco ironport VSA.
  Traffic, after being filterd by "normal" asa is redirected to CX for further inspection and policies application.
  You can see session on ciscolive365.com regarding CX or just google what it is. And, as I said, you souldn't compare them.

• ASA-5510-k8 vs ASA-5510-k9

  Hello all!
  I was wondering if anyone new the difference out there between an ASA5510-k8 and k9. Is this a software or hardware version. If I was using 2 ASA's in failover/standby environment those the 2 need to match or can these be different. Any feedback would be helpful Thanks.

  Hi Edwin,
  Please see below the information ref to 5510 licensing (gives you the differences between K8 &K9) and Active/standby failover implementation requirements for ASA...
  Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, 3DES/AES license
  ASA5510-BUN-K9
  Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, DES license
  ASA5510-K8
  Cisco ASA 5510 Security Plus Firewall Edition includes 2 Gigabit Ethernet + 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, Active/Standby high availability, 3DES/AES license
  ASA5510-SEC-BUN-K9
  Licensing Requirements for Active/Standby Failover
  The following table shows the licensing requirements for this feature:
  Model
  License Requirement
  ASA 5505
  Security Plus License. (Stateful failover is not supported).
  ASA 5510
  Security Plus License.
  All other models
  Base License.
  Prerequisites for Active/Standby Failover
  Active/Standby failover has the following prerequisites:
  •Both units must be identical security appliances that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.
  •Both units must have the same software configuration and the proper license.
  •Both units must be in the same mode (single or multiple, transparent or routed).
  Below are the  links for reference..
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html
  hth
  MS

• Add Header and Footer in Live Cycle ES2

  Hi,
  We are quite new to the use of live cycle pdf generation. Can anyone help us with information as to how we can add header and footers to our pdf files using livecycle ES2.
  And further, we would like to know whether header and footer adding is available in the trial version of Livecycle ES2?

  Hi,
  Thanks for the reply.
  We have another newly raised problem in the header and footer adding from Livecycle ES2. According to the PDF that you referred in the previous reply, we can add graphics to the PDF header, but we are unable to find a DDX tag that would enable us to add a image URL.
  Can you please help us again on the above?
  Purnima

• ASA rpf-check DROP, ASA checking NAT in the incorrect interface

  Hi
  My current architecture is :
  Internet <--> FW <--> ASA <--> LAN
                        FW <--> ASA
  we have two links between ASA and the FW, the corresponding ASA interfaces are "outside" and "vpn"
  the "outside" interface is used for browsing Internet, also for making some services accessible to our partners by doing NAT to our servers
  the "vpn" interface is used to grant access to our LANs from remote Offices
  let say that firewall rules are OK and the remote offices have access to the whole LAN by port 80
  below the current configuration :
  interface GigabitEthernet0/0
    nameif inside
   security-level 100
   ip address 192.168.1.2 255.255.255.0
  interface GigabitEthernet0/1
   nameif outside
   security-level 0
   ip address 192.168.11.2 255.255.255.0
  interface GigabitEthernet0/2
   nameif vpn
   security-level 0
   ip address 192.168.12.2 255.255.255.0
  object-group network Inside_LANs
   network-object 192.168.3.0 255.255.255.0
   network-object 192.168.4.0 255.255.255.0
   network-object 192.168.5.0 255.255.255.0
  access-list Inside-to-outside extended permit icmp object-group Inside_LANs any echo 
  access-list Inside-to-outside extended permit udp any host TimeServer eq ntp 
  access-list Inside-to-outside extended permit ip object-group Inside_LANs any 
  global (outside) 1 interface
  global (outside) 2 192.168.11.60 netmask 255.255.255.255
  nat (inside) 1 access-list Inside-to-outside
  nat (inside) 2 192.168.6.0 255.255.255.0
  static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
  static (inside,outside) 192.168.11.11 192.168.2.11 netmask 255.255.255.255 
  static (inside,outside) 192.168.11.12 192.168.2.12 netmask 255.255.255.255 
  route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
  route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1
  our problem is that packets are dropped from remote office to LAN, we are getting the rpf-check drop in packet tracer
  example 1 (to a server without NAT 192.168.2.13) ---> connection OK (not dropped)
  remote office 192.168.20.55 to 192.168.2.13
  Phase: 5
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  nat (inside) 1 access-list Inside-to-outside
    match udp inside any inside host TimeServer eq 123
      dynamic translation to pool 1 (No matching global)
      translate_hits = 0, untranslate_hits = 0
  Additional Information:
  example 2 (to a server with static NAT 192.168.2.10) ---> connection OK (not dropped)
  remote office 192.168.20.55 to 192.168.2.10
  Phase: 6
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
    match ip inside host 192.168.2.10 outside any
      static translation to 192.168.11.10
      translate_hits = 76643, untranslate_hits = 188597
  Additional Information:
  example 3 (to a host with dynamic ACL NAT 192.168.4.40) ---> connection NOK (dropped)
  remote office 192.168.20.55 to 192.168.4.40
  Phase: 5
  Type: NAT
  Subtype: rpf-check
  Result: DROP
  Config:
  nat (inside) 1 access-list Inside-to-outside
    match ip inside 192.168.4.0 255.255.255.0 vpn any
      dynamic translation to pool 1 (No matching global)
      translate_hits = 1, untranslate_hits = 0
  Additional Information:
  example 4 (to a host with dynamic Network NAT 192.168.6.30) ---> connection NOK (dropped)
  remote office 192.168.20.55 to 192.168.6.30
  Phase: 5
  Type: NAT
  Subtype: rpf-check
  Result: DROP
  Config:
  nat (inside) 2 192.168.6.0 255.255.255.0
    match ip inside 192.168.6.0 255.255.255.0 vpn any
      dynamic translation to pool 2 (No matching global)
      translate_hits = 117, untranslate_hits = 0
  Additional Information:
  our questions :
  1) why ASA don't check the reverse path route before checking the NAT ?
   if it does, the route back to the office is set to the "vpn" interface (route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1), so ASA don't have to check NAT in other interface, currently it's checking the NAT in the "outside" interface even if it's not the route back to the office
  2) why it's working for static NAT servers and Not working for the dynamic NAT ones ?
  when ASA check a server with static NAT it find  a match in the outside interface but even so it discard it and the connection Work. (example 2)
  when ASA check a server/host with dynamic NAT (ACL or Network) if find a match in the outside interface but drop the connection
  3) we know that this behavior can be solved by adding a NAT exception for the dynamic NAT in the "outside" interface (nat (inside) 0 access-list Inside-NAT-Exceptions) but :
  why ASA checking the global NAT even if it's not the correct interface ?
  Why it's working for static NAT and not working for the dynamic one ?
  Thanks a lot

  Hi,
  It would be easier to troubleshoot if you shared the complete "packet-tracer" command you used and the full output of the command.
  But to me the situation in its current form looks the following.
  Example 1
  To me it seems this is working as it should. Connection is coming from "vpn" to "inside". There is no "static" configurations between "vpn" and "inside" and there is no "nat" command for "vpn" interface so the traffic should pass normally without any NAT related conflicts/problems as the traffic does not match any NAT configuration.
  Notice that the ASA might show some unrelated NAT information in the output of the "packet-tracer" command (commands related to other interfaces). In those NAT Phase sections there is a section saying "Additional Information:" If there is no text after this text that means that this NAT has not been applied. I am not sure why the ASA lists some NAT configurations in the output that are not related. I have seen this in many occasions and do not know the reason and I have not really put any time/effort into understanding why it shows the unrelated information in the output.
  Example 2
  This seems to be working as expected also.
  According to the configuration provided there is no existing NAT configurations related to either the source or destination IP address on the ASA between "vpn" and "inside" interface so the traffic passes through the ASA without facing any conflicts with NAT configurations.
  Again, the "packet-tracer" shows NAT information unrelated to this situation. And again the "Additional Information:" section lists no additional information so the NAT listed is not applied.
  Example 3 and 4
  These tests fail as expected since there is a Dynamic Policy PAT configuration for both internal destination hosts that the remote users are trying to connect to. The problem comes from the fact that the initial direction from remote to internal does not match any NAT configuration and the reverse direction from internal to remote matches the Dynamic Policy PAT and therefore the connection attempt is dropped. The connection must match the same NAT configuration on both directions.
  In this situation you would either have to configure NAT0, Static NAT , Static PAT or Static Policy NAT/PAT which all would prevent the connection from matching to the Dynamic Policy PAT (But would match the mentioned type of NAT in both directions as they have higher priority than Dynamic Policy PAT). Typically the prefererred solution would be to use NAT0 though you naturally have the option to use a NAT address if there is any overlap.
  Hope this helps :)
  - Jouni

• Cisco Prime Infrastructure 2.1 can't add Cisco ISE 1.2 to "External Management Servers"

  Hi all,
  I'm trying to add Ciso ISE 1.2 (1.2.0.899 with version 13 patch) servers (primary and secondary) as "External Management Servers" in Cisco PI 2.1 (2.1.0.0.87) but there appears such message indicating that ISE server is not reachable: 
  The weird thing is that ISE servers are reachable from PI and vice-versa (I can ping each other from their CLIs)
  There were added ISE servers to PI long ago (primary and secondary ISE) and then secondary was deleted from PI. Primary ISE still persists in PI but its status is unreachable:
  But I can see info about wired clients authenticating on the switchs (NADs for ISE) - weird, status is unreachable but client info is being received from ISE.
  I tried application stop NCS/application start NCS on PI and application stop ise/application start ise on ISE - no success for that issue.
  So I can't find a way to solve that weird issue, maybe you can help me find out the cause of such things. Thanks. 

  Hi,
  -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
  -- Then try to add the ISE.
  -- Once it fails, collect the logs from Administration > Logging > 
  check the "ncs-0-0.log"  & search the file for "ERROR" & paste the results here. This will give us exact reason.
  - Ashok
  Please rate the post or mark as correct answer as it will help others looking for similar information

• How to copy contents of ASA 5510 to another ASA 5510?

  Hello,
  I want to copy contents of 1 ASA 5510 to another 5510.
  Both ASA has same license.
  -I tried to connect to 2nd ASA via console cable
  -Went to "Conf t" and copied config of 1st ASA. [ using paste tab from Hyper Terminal ]
  - used commands like copy running config disk0:/startup.config.cfg
  - also used write memory all , wr mem commands
  - But after reboot config was gone.
  As of now I have ASA 8.3.x version in both ASA's.
  How can I save config to 2nd ASA via Hyper Terminal?

  I am trying to save basic config.
  Basic config also not getting saved.
  Steps followed as follows :-
  - Given private IP to eth 0/1
  - no shut
  - speed auto
  - wr
  - exit
  - wr
  - exit
  - hostname asasec
  - wr
  - reload
  After reload firewall is not saving configuration.