ASA 5505 backup interface

Similar Messages

• How do I block pings from the outside to the ASA 5505 outside interface?

  I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall.  I found a post that said to enter "icmp deny any outside", however that does not do it.
  I created an ACL to try and do the trick, also to no avail:
  access-list outside_in extended permit icmp any any echo-reply
  access-list outside_in in interface outside
  access-group outside_in in interface outside
  Anyone have a clue what I'm doing wrong?  I'm not the firewall guy as you can tell.  :/
  Thanks in advance...
  Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
  Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
  ASA5505(config)#icmp deny any outside
  You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection

  You are allowing echo-reply, thus it will reply to a ping
  try this ACL:
  icmp deny any echo-reply outside
  From: 
  https://supportforums.cisco.com/thread/223769
  Eric

• Input and CRC errors on ASA 5505 outside interface

  All,
  I see input and crc errors on my ASA 5505  eth0/0(outside) interface and packet drops. There is very slow connection though we have 20mb line. ISP also sees the issue on the Lan interface side. We have the speed and duplex configured same on both ISP and our end.
  I am suspecting if this is Physical cable issue. Please suggest.
    Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
          Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
          Input flow control is unsupported, output flow control is unsupported
          Available but not configured via nameif
          MAC address 001a.b4c9.f3d9, MTU not set
          IP address unassigned
          158138067 packets input, 141061681082 bytes, 0 no buffer
          Received 183037 broadcasts, 0 runts, 0 giants
          19642 input errors, 19642 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          0 pause input, 0 resume input
          0 L2 decode drops
          144684 switch ingress policy drops
          124291353 packets output, 38197278051 bytes, 0 underruns
          0 pause output, 0 resume output
          0 output errors, 0 collisions, 0 interface resets
          0 late collisions, 0 deferred
          0 rate limit drops
          0 switch egress policy drops
          0 input reset drops, 0 output reset drops

  Hello Ravi,
  This kind of issues CRCs/ Input Errors are tipically known as L1 issues so make sure you check the cable and if that does not make a difference change the port on each side to see if there is a difference.
  Unfortunetly the ASA does not support the Time-Domain Reflectometer feature so we must do the test of L1 by ourselfs.
  Can you clear the counters of the interface, test the changes provided and provide us some feedback?
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• Firewall Cisco ASA 5505 new interface license problem

  Hi
  I have one ASA 5505 with a Base License
  The problem is when i want to use a new named interface the system says "With current License maximum number of named interfaces allowed is 3. Name cannot be set for this interface"
  And the question is if with this base license the interface cannot be used or only cannot be named?
  here the output of my firewall:
  Cisco Adaptive Security Appliance Software Version 8.2(5)
  Device Manager Version 6.4(5)
  Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  Internal ATA Compact Flash, 128MB
  BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
  Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                               Boot microcode   : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
  0: Int: Internal-Data0/0    : address is e02f.6de6.7843, irq 11
  1: Ext: Ethernet0/0         : address is e02f.6de6.783b, irq 255
  2: Ext: Ethernet0/1         : address is e02f.6de6.783c, irq 255
  3: Ext: Ethernet0/2         : address is e02f.6de6.783d, irq 255
  4: Ext: Ethernet0/3         : address is e02f.6de6.783e, irq 255
  5: Ext: Ethernet0/4         : address is e02f.6de6.783f, irq 255
  6: Ext: Ethernet0/5         : address is e02f.6de6.7840, irq 255
  7: Ext: Ethernet0/6         : address is e02f.6de6.7841, irq 255
  8: Ext: Ethernet0/7         : address is e02f.6de6.7842, irq 255
  9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
  10: Int: Not used            : irq 255
  11: Int: Not used            : irq 255
  Licensed features for this platform:
  Maximum Physical Interfaces    : 8        
  VLANs                          : 3, DMZ Restricted
  Inside Hosts                   : Unlimited
  Failover                       : Disabled
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 10       
  Dual ISPs                      : Disabled 
  VLAN Trunk Ports               : 0        
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled 

  Hi,
  The ASA5505 has with Base License the limitation of 3 Vlan interface of which 1 is also limited in access (shown by the above output mentioning DMZ Restricted)
  For an interface on the ASA to operate it must have a name with the command "nameif"
  If you already have 3 Vlan interfaces in use then with this license you wont be able to configure 4th Vlan interface without getting a license that supports more interfaces. I guess that would be the Security Plus license.
  I know that this has come as a surprise to several users that have posted here on the forums. I too think that its a needles "feature" in the ASA to limit the use of the device in such a way.
  - Jouni

• ASA 5505 external interface dying

  Hi,
  We have an ASA 5505 ( version 9.1(2) ) that frequently stopped functioning ie the external interface refuses to pass any traffic , ASDM wont connect,etc.
  The internal interface does continue to function and if we SSH into the unit and do a reload , everything springs back into life again.
  What are the best steps to troubleshooting and finding a fix to this problem?
  Chris

  Hi Amrin,
  you can configure SLA monitoring on ASA and that woudl work fine for you:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
  Hope that helps.
  Thanks,
  Varun

• ASA 5505 - Backup and restore to another device of same model and version

  How can I backup the configuration of the ASA 5505 on 8.x and restore it to another ASA 5505 with same version? I have tried to save the running config to a file and then copy it to the new device and use the boot config: filename but it doesn't work. Or is there any other way to try? Thanks.

  Thanks Andrew, I had tried it but I was having issues with the fact that I kept both ver 7 and ver 8 of the OS images on the flash. So it booted from the first found (ver 7) and creating confusion for me as the config file was for ver 8.
  I noticed that it keeps the 192.168.1.1 IP even though in the config file it has another IP assigned. Is there other things that I need to check that do not change apart the IP address?
  Thanks.

• ASA 5505: Outside Interface Becomes Inaccessible

  Greetings --
  I've been having occurrences of my ASA's 'outside' interface become inaccessible from the internet side.  AnyConnect users that are logged in get kicked out ... can't ping to the IP address ... can't ssh into the ASA.  Internally, I can ping the IP address and I can ssh into the ASA.
  The 'lockout' typically occurs around 1PM, 7:30PM, and 10:30PM.  To get the 'outside' interface working again, I would have to log into a host machine on the LAN (via TeamViewer) and then ssh into the ASA and reboot.
  Any ideas why the lockouts are occuring?  Is it possible my ISP is shutting down the IP?
  Below is the configs to the ASA:
  hostname psa-asa
  enable password IqUJj3NwPkd63BO9 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.1.0 Net-10
  name 192.168.1.20 dbserver
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.98 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address xxx.xxx.xxx.43 255.255.255.0
  interface Vlan3
  no nameif
  security-level 50
  ip address 192.168.5.1 255.255.255.0
  ftp mode passive
  object-group service RDP tcp
  port-object eq 3389
  access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
  access-list inside_nat0_outbound extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
  access-list inside_access_in extended permit ip any any
  access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
  access-list outside_1_cryptomap extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
  access-list outside_access_in extended permit ip host Mac any
  pager lines 24
  logging enable
  logging timestamp
  logging monitor errors
  logging history errors
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (inside) 10 interface
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (outside) 10 access-list vpn_nat_inside outside
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  aaa authorization command LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 162.134.70.20
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=pas-asa.null
  keypair pasvpnkey
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate fecf8751
      308202da 308201c2 a0030201 020204fe cf875130 0d06092a 864886f7 0d010105
      0500302f 31153013 06035504 03130c70 61732d61 73612e6e 756c6c31 16301406
      092a8648 86f70d01 09021607 7061732d 61736130 1e170d31 33303530 36323134
      3131365a 170d3233 30353034 32313431 31365a30 2f311530 13060355 0403130c
      7061732d 6173612e 6e756c6c 31163014 06092a86 4886f70d 01090216 07706173
      2d617361 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
      02820101 00dc6f5c 584be603 1219ad4a 43085a97 b8fd7e33 c887933d 1b46dbca
      deada1da 7689ab5e 9b6fa20b d6f7e5e3 049285e7 65778c15 a9447e1e 8ba749cb
      61e0e985 9a90c09f b4c28af0 c6b5263c d2c13107 cce6c207 62f17cbe 99d9d5c2
      86870084 25c035e4 ea9ab8ae 8b664464 40305c4d e40dd774 506f6c0a 6f4ca4d1
      0c81d2dd bcdc8393 3f4fbcba 1b477d45 502063b8 af862bdf 50499615 7b9dac1b
      67252db8 1473feec c39d9c32 9d9f3564 74fdf1bd 71ca9310 e5ad6cba 999ae711
      c381347c a6508759 eb405cc0 a4adbe94 fb8204a2 382fad46 bc0fc43d 35df1b83
      6379a040 90469661 63868410 e16bf23b 05b724a3 edbd13e1 caa49238 ee6d1024
      a32a1003 af020301 0001300d 06092a86 4886f70d 01010505 00038201 010084b1
      62698729 c96aeec0 4e65cace 395b9053 62909905 e6f2e325 df31fbeb 8d767c74
      434c5fde 6b76779f 278270e0 10905abc a8f1e78e f2ad2cd9 6980f0be 56acfe53
      f1d715b9 89da338b f5ac9726 34520055 2de50629 55d1fcc5 f59c1271 ad14cd7e
      14adc454 f9072744 bf66ffb5 20c04069 375b858c 723999f8 5cc2ae38 4bb4013a
      2bdf51b3 1a36b7e6 2ffa3bb7 025527e1 e12cb2b2 f4fc624a 143ff416 d31135ff
      6c57d226 7d5330c4 c2fa6d3f a1472abc a6bd4d4c be7380b8 6214caa5 78d53ef0
      f08b2946 be8e04d7 9d15ef96 2e511fc5 33987858 804c402b 46a7b473 429a1936
      681a0caa b189d4f8 6cfe6332 8fc428df f07a21f8 acdb8594 0f57ffd4 376d
    quit
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 28800
  vpn-sessiondb max-session-limit 10
  telnet timeout 5
  ssh 192.168.1.100 255.255.255.255 inside
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 60
  console timeout 0
  dhcpd auto_config inside
  dhcpd address 192.168.1.222-192.168.1.223 inside
  dhcpd dns 64.238.96.12 66.180.96.12 interface inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  enable outside
  anyconnect-essentials
  svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
  svc enable
  tunnel-group-list enable
  group-policy SSLClientPolicy internal
  group-policy SSLClientPolicy attributes
  wins-server none
  dns-server value 64.238.96.12 66.180.96.12
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout none
  vpn-session-timeout none
  ipv6-vpn-filter none
  vpn-tunnel-protocol svc
  group-lock value PSA-SSL-VPN
  default-domain none
  vlan none
  nac-settings none
  webvpn
    svc mtu 1200
    svc keepalive 60
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression none
  group-policy DfltGrpPolicy attributes
  dns-server value 64.238.96.12 66.180.96.12
  vpn-tunnel-protocol IPSec svc webvpn
  username user1 password ks88YmM0AaUUmhfU encrypted privilege 0
  username user1 attributes
  vpn-group-policy SSLClientPolicy
  service-type remote-access
  username user2 password 1w1.F5oqiDOWdcll encrypted privilege 0
  username user2 attributes
  vpn-group-policy SSLClientPolicy
  service-type remote-access
  username user3 password lQ8frBN8p.5fQvth encrypted privilege 15
  username user4 password w4USQXpU8Wj/RFt8 encrypted privilege 15
  username user4 attributes
  vpn-group-policy SSLClientPolicy
  vpn-simultaneous-logins 3
  vpn-idle-timeout none
  vpn-session-timeout none
  service-type admin
  username user5 password PElMTjYTU7c1sXWr encrypted privilege 0
  username user5 attributes
  vpn-group-policy SSLClientPolicy
  service-type remote-access
  username user6 password /zt/9z7XUifQbEsA encrypted privilege 0
  username user6 attributes
  vpn-group-policy SSLClientPolicy
  service-type remote-access
  username user7 password aEGh.k89043.2NUa encrypted privilege 0
  username user7 attributes
  vpn-group-policy SSLClientPolicy
  service-type remote-access
  tunnel-group DefaultRAGroup general-attributes
  address-pool SSLClientPool-10
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *****
  tunnel-group PSA-SSL-VPN type remote-access
  tunnel-group PSA-SSL-VPN general-attributes
  address-pool SSLClientPool-10
  default-group-policy SSLClientPolicy
  tunnel-group PSA-SSL-VPN webvpn-attributes
  group-alias PSA_VPN enable
  group-url https://xxx.xxx.xxx.43/PSA_VPN enable
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  privilege cmd level 3 mode exec command perfmon
  privilege cmd level 3 mode exec command ping
  privilege cmd level 3 mode exec command who
  privilege cmd level 3 mode exec command logging
  privilege cmd level 3 mode exec command failover
  privilege cmd level 3 mode exec command packet-tracer
  privilege show level 5 mode exec command import
  privilege show level 5 mode exec command running-config
  privilege show level 3 mode exec command reload
  privilege show level 3 mode exec command mode
  privilege show level 3 mode exec command firewall
  privilege show level 3 mode exec command asp
  privilege show level 3 mode exec command cpu
  privilege show level 3 mode exec command interface
  privilege show level 3 mode exec command clock
  privilege show level 3 mode exec command dns-hosts
  privilege show level 3 mode exec command access-list
  privilege show level 3 mode exec command logging
  privilege show level 3 mode exec command vlan
  privilege show level 3 mode exec command ip
  privilege show level 3 mode exec command ipv6
  privilege show level 3 mode exec command failover
  privilege show level 3 mode exec command asdm
  privilege show level 3 mode exec command arp
  privilege show level 3 mode exec command route
  privilege show level 3 mode exec command ospf
  privilege show level 3 mode exec command aaa-server
  privilege show level 3 mode exec command aaa
  privilege show level 3 mode exec command eigrp
  privilege show level 3 mode exec command crypto
  privilege show level 3 mode exec command vpn-sessiondb
  privilege show level 3 mode exec command ssh
  privilege show level 3 mode exec command dhcpd
  privilege show level 3 mode exec command vpnclient
  privilege show level 3 mode exec command vpn
  privilege show level 3 mode exec command blocks
  privilege show level 3 mode exec command wccp
  privilege show level 3 mode exec command dynamic-filter
  privilege show level 3 mode exec command webvpn
  privilege show level 3 mode exec command module
  privilege show level 3 mode exec command uauth
  privilege show level 3 mode exec command compression
  privilege show level 3 mode configure command interface
  privilege show level 3 mode configure command clock
  privilege show level 3 mode configure command access-list
  privilege show level 3 mode configure command logging
  privilege show level 3 mode configure command ip
  privilege show level 3 mode configure command failover
  privilege show level 5 mode configure command asdm
  privilege show level 3 mode configure command arp
  privilege show level 3 mode configure command route
  privilege show level 3 mode configure command aaa-server
  privilege show level 3 mode configure command aaa
  privilege show level 3 mode configure command crypto
  privilege show level 3 mode configure command ssh
  privilege show level 3 mode configure command dhcpd
  privilege show level 5 mode configure command privilege
  privilege clear level 3 mode exec command dns-hosts
  privilege clear level 3 mode exec command logging
  privilege clear level 3 mode exec command arp
  privilege clear level 3 mode exec command aaa-server
  privilege clear level 3 mode exec command crypto
  privilege clear level 3 mode exec command dynamic-filter
  privilege cmd level 3 mode configure command failover
  privilege clear level 3 mode configure command logging
  privilege clear level 3 mode configure command arp
  privilege clear level 3 mode configure command crypto
  privilege clear level 3 mode configure command aaa-server
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:2298b0ae64f8ff7a5e25d97fe3f02841

  Hi,
  I guess if you want to temporarily set up a software to receive the logs on some computer you could even use Tftpd (you will find it easily through Google search) The same software can be used for multiple different purposes.
  I sometime use it personally when testing different stuff on my home ASA.
  It naturally isnt a real option if you actuall setup a separate Syslog server.
  You wouldnt really need to add much to your logging configuration
  logging device-id hostname
  logging trap informational
  logging host
  Where is the name of the interface behind which the server is and the is naturally the IP address of the server.
  Though the above would generate a lot of logging.
  I am not even 100% sure it would log anything when you are facing the problem.
  Best would be to also troubleshoot while the problem is there.
  Can you confirm that you use the Internet connection through the ASA when you are accessing the internal host behind the ASA? I assume that the host connects from the LAN to the Internet which enables you to have a remote connection to the host?
  If this is so it makes it a wierd problem as the ASA and your ISP can clearly pass traffic to and from your network since that remote connections is working even if there is other problems.
  - Jouni

• Asa 5505 sub interface plus ports

  I have never used 5505 I gave used higher firewalls and all of them can do sub interfaces normally we make sub interfaces and vlans are assigned to them I m trying to config 5505 can someone tell me how I can create sub interfaces ? As I saw few config and it seems that you config vlans like switch ??? Secondly all interfaces have to b part of vlan ? Ie outside which is g0/0 ....can I config it as normall routed port ?

  The 5505 is configured nearly the same a a L3-switch. You configure the Vlan-interfaces and assign these to your switch-ports. The switch ports can be configured as access- or as trunk-ports (if you have a SecPlus license).
  You find more on this topic on the Config-Guide:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html

• Cisco ASA 5510 Backup Interface configuration

  Hi Experts,
  I am a newbie with Cisco Firewalls, pls help.
  We have a BSNL Leased Line of 2MBPS with few Static IP's of Which 2 IP's are configured in Firewall 1 For the Outside Interface and one for publishing the DMZ server. Most of the times due to some reasons or the other the BSNL line is going down. so now I need to configure one another TATA Broadband 1MBPS Dialup Line as a Backup for the BSNL Line so as to provide a uninterupted Internet to our users.
  Pls guide me the Steps
  Thank in Advance.
  Anish N

  Hi Anish,
  Check the below mentioned link for configuration.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

• ASA 5505 Backup

  Hello i have two ASA5505 .
  On one i have erased disk0 and i can't access it over ASDM...
  I have copied the 2bin files asa-k8.bin and asdm-k8.bin from the working ASA to the ereased still no ASDM...
  My questions are :
  Are the licenses gone?
  What should i do to fix it?
  I have a backup.zip from the working one. Can i import it in the ereased with CLI ?
  Thanks

  Hello,
  Can you share to the community  how you did it ?
  So if someone having the same issue can fix it with this
  For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
  Any question contact me at [email protected]
  Cheers,
  Julio Carvajal Segura

• ASA 5505 Backup Config to TFTP Server

  Is there a way to backup the configuration file to a tftp server? I've tried "copy start tftp" and copy run tftp". No luck, I get an error message. Thanks in advance.

  What kind of error message did you get?
  ciscoasa# write net ?  WORD  IP address of tftp server and file name :. Place IPv6        address within square brackets. 

• Asa 5505 transparent firewall issue

  hi i am having uc560 with voice and data vlan and i am having 3560 layer3 switch and my network is working fine the dhcp for voice and data both are running in uc560.
  now i  add asa 5505 between uc560 and switch in transparent mode means from uc560 to asa 5505 outside interface and from asa inside interface to switch,
  i conigured vlan1 -- inside and vlan 2 as outside in asa  5505
  in my uc 560 data is vlan 1 and my voice is vlan 100.
  when i connect my network with transparent mode firewall no dhcp amd no phones are working . but if i remove asa and i connect with uc560 to switch everything is fine.
  is there anyway to work multiple voice and data vlan in asa 5505 transparent mode.

  hi rojas,
  here is my problem,
  my internet and voice all connected in the uc 560 so wat i am doing i am connecting firewall outside to uc 560 trunk port and the from inside to my switch.
  when i connec to my switch it is giving message inconsistant vlan and it is port is blocked. and my phones are not working.
  my data vlan1 is 192.168.123.x
  and my voice vlan100 is  10.1.1.x
  and the firewall ip 192.168.123.3

• ASA 5505 8.4. How to configure the switch to the backup channel to the primary with a delay (ex., 5 min) using the SLA?

  I have ASA 5505 8.4.  How to configure the switch to the backup channel to the primary with a delay (for example 5 min.) using the SLA monitor?
  Or as something else to implement it?
  My configuration for SLA monitor:
  sla monitor 123
   type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
   num-packets 3
   timeout 3000
   frequency 10
  sla monitor schedule 123 life forever start-time now
  track 1 rtr 123 reachability

  Hey cadet alain,
  thank you for your answer :-)
  I have deleted all such attempts not working, so a packet-trace will be not very useful conent...
  Here is the LogLine when i try to browse port 80 from outside (80.xxx.xxx.180:80) without VPN connection:
  3
  Nov 21 2011
  18:29:56
  77.xxx.xxx.99
  59068
  80.xxx.xxx.180
  80
  TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
  The attached file is only the show running-config
  Now i can with my AnyConnect Clients, too, but after connection is up, my vpnclients can't surf the web any longer because anyconnect serves as default route on 0.0.0.0 ... that's bad, too
  Actually the AnyConnect and Nat/ACL Problem are my last two open Problems until i setup the second ASA on the right ;-)
  Regards.
  Chris

• ASA 5505 - Cannot ping outside natted interface

  Hello,
  I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network
  Could someone help me to resolve this? I have looked for ASA documentation through the internet and still got nothing.
  Thank you in advance
  the config are:
  : Saved
  ASA Version 8.2(1)
  hostname ciscoasa
  domain-name domain
  enable password ********** encrypted
  passwd ************ encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 172.88.188.122 255.255.255.248
  interface Vlan3
  no forward interface Vlan2
  nameif backup
  security-level 0
  no ip address
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name domain
  same-security-traffic permit intra-interface
  access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
  access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
  access-list outside_in extended permit tcp any host 172.88.188.123 eq www
  access-list outside_in extended permit icmp any any
  access-list outside_in extended permit icmp any any echo-reply
  access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
  access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
  access-list inside_out extended permit icmp any any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu backup 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  global (outside) 1 172.88.188.128
  nat (inside) 1 192.168.1.0 255.255.255.0
  static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
  static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
  static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
  route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd lease 1048575
  dhcpd auto_config outside
  dhcpd address 192.168.1.100-192.168.1.200 inside
  dhcpd dns 8.8.8.8 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:865943aa325eb75812628fec3b1e7249
  : end

  You are looking for this. 2 options, dns doctoring, or hairpinning (2nd part of document.) Post back if you need help setting it up.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
  Hairpinning would look like this in your scenario.
  same-security-traffic permit intra-interface
  global (inside) 1 interface
  static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
  static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
  static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255

• ASA 5505 with Backup ISP

  I am working with a client that currently has an ASA 5505 with two ISPs for failover using a tracked interface.  I would like to configure logging so that the ASA will email us when the Primary ISP goes down and fails over to the backup.  Here is what I have so far...
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 12
  interface Ethernet0/2
  speed 100
  duplex full
  interface Ethernet0/3
  switchport access vlan 22
  speed 100
  duplex full
  interface Ethernet0/4
  switchport access vlan 22
  interface Ethernet0/5
  switchport access vlan 22
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 50.76.252.33 255.255.255.248
  interface Vlan12
  nameif backup
  security-level 0
  ip address 168.93.174.130 255.255.255.248
  interface Vlan22
  nameif Phones
  security-level 100
  ip address 192.168.3.1 255.255.255.0
  logging enable
  logging buffered warnings
  logging asdm warnings
  logging from-address [email protected]
  logging recipient-address [email protected] level errors
  route outside 0.0.0.0 0.0.0.0 DG-Commcast 128 track 1
  route backup 0.0.0.0 0.0.0.0 DG-FirstCom 255
  sla monitor 123
  type echo protocol ipIcmpEcho 73.120.130.1 interface outside
  frequency 10
  sla monitor schedule 123 life forever start-time now
  track 1 rtr 123 reachability
  Let me know if you need any more info from the config; it's quite long and not sure what all is needed...
  The primary interface is Outside and the backup is obviously Backup
  Thanks!
  Tony

  Hi Tony,
  As long as the event covered under 'errors' list - inaddition to the above config, you need to add..
  loging mail errors
  smtp-server
  Check the below link for more information on ASA message logging..
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml
  hth
  MS