ASA 5510 Firewall internet Restriction based on IP address and block rest users excluding Mails

Similar Messages

• Multiple gateways for different Traffic on ASA 5510 firewall

  Hello,
  My network atthe moment is set up as:
  WAN, with three sites
  Site 1
  Site 2
  Site 3
  Site 1 is behind a non-Cisco firewall, which is connected to the internet via a Frame Relay link (using a Cisco 1721 router). We host a number of servers on the Internal network and DMZ's.
  All sites connect to the WAN using Cisco routers or switches.
  All internet traffic (IN and OUT) for all sites goes via the non-Cisco firewall.
  I am interested in the ASA 5510 with six interfaces.
  Using the ASA 5510 is it possible to set up two (2) internet connections, one via the Frame Relay and a second internet connection via an ADSL connection?
  Then, is it possible to direct the outward-bound traffic via specific gateways based upon either:
  (a) the type of traffic, say HTTP from users behind the firewall; or
  (b) the IP addresses of the host (i.e. users' PC versus the servers)
  Any assistance is welcome.
  Kind regards,
  IT@C

  yes you can do this with policy routing on the internet router in front of the firewall assuming that you are connecting both ISPs to that router. Also, remember that you can do vlans on the ASA. This may cut down on the # of interfaces that you use in your config.
  http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f89.html
  HTH, pls rate!

• Unable to see interface on ASA 5510 Firewall

  Hi All,
  I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
  Below is the output.
  ciscoasa# sh int ip br
  Interface                  IP-Address      OK? Method Status                Protocol
  Ethernet0/0                x.x.x.x           YES CONFIG up                    up
  Ethernet0/1                x.x.x.x           YES CONFIG up                    up
  Ethernet0/2                unassigned      YES unset  administratively down down
  Internal-Control0/0        127.0.1.1       YES unset  up                    up
  Internal-Data0/0           unassigned      YES unset  up                    up
  Management0/0              192.168.1.1     YES CONFIG up                    up
  Please suggest what could be the reason.
  Regards
  Pankaj

  Hi Ramraj,
  Even i have the base license for my ASA 5510 which is showing all the 4 interfaces in sh ver. I don't think so license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
  Its not showing up in sh ver . As Karsten said he might be running on old IOS version.
  fy-a# sh ver
  Cisco Adaptive Security Appliance Software Version 8.4(4)1
  Device Manager Version 6.4(5)
  Compiled on Thu 14-Jun-12 11:20 by builders
  System image file is "disk0:/asa844-1-k8.bin"
  Config file at boot was "startup-config"
  fy-a up 1 day 1 hour
  Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
  Internal ATA Compact Flash, 256MB
  BIOS Flash M50FW016 @ 0xfff00000, 2048KB
  Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                               Boot microcode   : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                               Number of accelerators: 1
  0: Ext: Ethernet0/0         : address is 2c54.2d0c.8f1a, irq 9
  1: Ext: Ethernet0/1         : address is 2c54.2d0c.8f1b, irq 9
  2: Ext: Ethernet0/2         : address is 2c54.2d0c.8f1c, irq 9
  3: Ext: Ethernet0/3         : address is 2c54.2d0c.8f1d, irq 9
  4: Ext: Management0/0       : address is 2c54.2d0c.8f1e, irq 11
  5: Int: Not used            : irq 11
  6: Int: Not used            : irq 5
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 50             perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Disabled       perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  Security Contexts                 : 0              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 250            perpetual
  Total VPN Peers                   : 250            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has a Base license.
  Serial Number: JMX1AXXXXX
  Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  Configuration register is 0x1
  Configuration has not been modified since last system restart.
  fy-a#
  Ramraj please do correct me if am wrong.
  Please do rate if the given information helps.
  By
  Karthik

• (ASA 5510) How do assign multiple public IP addresses to outside interface?

  Hi,
  I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124 ) and another I would like to NAT to an internal server (e.g 192.168.0.3 > 123.123.123.125). On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static nat to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first?  Please bare in mind I'm doing the config via ASDM.
  PS. everything else seems to OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
  Any help much appreciated as I really need to get this sorted by Sunday night!
  Jan

  ASA 5505 is slighly different to ASA 5510. ASA 5505 has switchport, while ASA 5510 has all routed ports, hence there is no need for VLAN assignment, unless you are creating a trunk port with sub interfaces.
  In regards to static NAT, which version of ASA are you running?
  For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):
  static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
  For ASA version 8.3 and above:
  object network obj-192.168.0.3
       host 192.168.0.3
       nat (inside,outside) static 123.123.123.125
  Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.
  For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).
  For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.
  Hope that helps.

• ASA 5510 FireWall Problem

  Hi All
  After some advise and direction
  Our ASA firewall using ASA version 8.4 has recently started presenting us with a problem to one external website
  called http://partners.highnet.com/login/  ip address 62.233.82.181.
  Our firewall is letting everything on our inside Trusted site 192.168.254.0/24 out through our outside interface on x.x.x.x
  to any website and brings back the details
  However when we try to reach http://partners.highnet.com/login/ we recently started receiving (Internet Explorer cannot display the webpage)
  on checking the ASA under Home TAB       -       Firewall Dashboard    -    and then under     -      Top 10 protected Servers under SYN attack we are receiving the below error.
  Rank        Server IP-Port           Interface     Average          Current                    Total                           Source IP (Last Attack Time)
  5
             62.233.82.181:80
        INSIDE
              0
                   0
                          8
                            192.168.254.130 (1 mins ago)
  I have tried rebooting the ASA firewall (Still did not resolve).
  I have also  disabled basic threat detection and threat detection statistics and then re-enabled after a period of time under > configuration > Firewall > threat detection  (Still did not resolve).
  Have created a number of access list both from the inside to outside and outside to inside allowing TCP just to the specific IP address 62.233.82.181 (Still did not resolve).
  Tried editing Global Policy for Http configuration > connection settings TCP and UDP connections and also Embryonic connections (Still did not resolve).
  Also tried using the shun command on the ASA to clear connection and statistics and (Still did not resolve).
  So you see there is nothing else I can think of doing, so that is why I have asked you for some pointers maybe someone has come across this sort of issue before.
  If you can help or advise it is much appreciated.

  Hi,
  Are you sending logs from your ASA to any Syslog server from which you could pull all the connection logs for that destination IP address?
  On the ASA you can naturally use "packet-tracer" also to simulate one such packet coming from your LAN towards this WAN IP address (of the server) and confirm that all rules are correct.
  packet-tracer input INSIDE tcp 192.168.254.130 12345 62.233.82.181 80
  You could maybe also try to generate TCP SYNs directly from the ASA
  ping tcp 62.233.82.181 80
  And see if the server replies
  - Jouni

• Unable to access public ip from branch vpn (Cisco ASA 5510 Firewall)

                     Hi,
  As per the above diagram
  in Head office -  able to access public ips
  In Branch office - unable to access public ips only accessing head office servers and internet is shared from head office.
  please see the below configuration in Branch office router:
  access-list 1 permit any
  access-list 100 remark ****** Link to Firewall-HO1 ******
  access-list 100 permit ip 10.21.211.0 0.0.0.255 172.16.35.0 0.0.0.255
  access-list 100 permit ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
  access-list 100 permit ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
  access-list 100 permit ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
  access-list 100 permit ip 10.21.111.0 0.0.0.255 172.16.35.0 0.0.0.255
  access-list 100 permit ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
  access-list 100 permit ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
  access-list 100 permit ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
  access-list 100 permit ip 10.21.10.0 0.0.0.255 172.16.35.0 0.0.0.255
  access-list 100 permit ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
  access-list 100 permit ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
  access-list 100 permit ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
  access-list 100 permit ip 10.21.211.0 0.0.0.255 host 78.93.190.226
  access-list 100 permit ip 10.21.111.0 0.0.0.255 host 78.93.190.226
  access-list 100 permit ip any any
  access-list 101 deny   ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
  access-list 101 deny   ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
  access-list 101 deny   ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
  access-list 101 deny   ip 10.21.211.0 0.0.0.255 172.0.0.0 0.255.255.255
  access-list 101 deny   ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
  access-list 101 deny   ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
  access-list 101 deny   ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
  access-list 101 deny   ip 10.21.111.0 0.0.0.255 172.0.0.0 0.255.255.255
  access-list 101 deny   ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
  access-list 101 deny   ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
  access-list 101 deny   ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
  access-list 101 deny   ip 10.21.10.0 0.0.0.255 172.0.0.0 0.255.255.255
  access-list 101 permit ip host 10.21.211.51 any
  access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq pop3
  access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq smtp
  access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq pop3
  access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq smtp
  access-list 102 permit ip 10.21.211.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 101
  Thanks for your valuable time and cosiderations

  any1 can help me ?

• ASA 5510 Guest Internet Access

  I have a subnet for guest network access, both wired and wireless.  We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'.  For most internal traffic, it all stays behind the ASA.  But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA.  The question is, how can I still permit those users to access our internal DNS servers?  Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.?  I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.
  Regards,
  Scott

  Hello Scott,
  Your ASA will need to have a route for both networks
  You also will need the following command:
            -same-security-traffic permit intra-interface
  The thing is that the packets from the guest vlan will go directly to the ASA as its default gateway, then packets will be routed to the Router on stick and finally to the DNS server, the reply will go from the DNS to the Router on stick and then directly to the Guest user.
  Nat exemption will look like this:
  access-list nonat permit ip 192.168.14.0 255.255.255.0  host 192.168.11.6
  access-list nonat permit ip 192.168.14.0 255.255.255.0  host 192.168.11.4
  nat (inside) 0 access-list nonat
  Please give it a try, also please provide packet tracer
  packet-tracer input inside udp 192.168.14.10 1025 192.168.11.4 53
  Regards,
  Julio
  Rate helpful posts

• Customers, Sales Orders Restrictions based on Sales Office and Sales Groups

  hi all,
  We have a typical scenario for one of our customers. They are SAP ERP, ECC 6.0.
  They have sales employees/managers assigned to customers. In order to maintain the link between the sales employees and the customers, their earlier implementation partner followed the following method for the linkage.
  Each sales employee and each sales managers are given a SAP User ID like 101, 012, 103 etc.. Sales groups OR Sales offices are also maintained with the same numbers/IDs. At the customer master level, each customer's sales group is given the sales employee ID (which is same as that of the sales group). The example is as follows.
  Customer No.             Sales Group                 Sales Office                                                                               
  CU1                              101                             108
  CU2                              101                             108
  CU3                              102                             108
  CU4                              103                             109
  CU5                              104                             110
  The sales group names and the sales offices names are given the same names as that of the user IDs of the sales employees/sales managers. In the above example, the sales employee 101 (sales group 101) is assigned to customers CU1, CU2. The sales manager 108 (Sales office 108) is managing the sales employees 101 and 102.
  Now the customer has some authorization issues. He wants us to provide authorizatinos in such a way that -
  if the sales employee 101 logs on to the system he should be able to Display the CUSTOMERS and the Sales Orders (XD03, VD03, VA03) that are assinged only to him (In other words with the sales group 101) and similarly for other sales employees.
  if the sales manager 108 logs on to the system he should be able to display the customers and the sales orders that are assigned to his sales employees (101, 102). In other words with the sales office as the manager's ID 108.
  I tried to use the authorization object V_VBKA_VKO but this doesnt see to be serving the purpose as this object is not being checked at all in any of the above VA03, XD03 and VD03 transactions.
  Similarly I did not find any other authorization object which makes use of Sales group field and Sales office field which also has a linkage to VA03, XD03 and VD03 transactions.
  The customer is evaluating our contract with them based on this solution.
  Any help is greatly and highly appreciate.
  Thanks,
  Niran.

  Hi,
  Please use the following authorization objects for your purpose. For more details please go through the documentation of the objects:
  V_KNA1_BRG     Customer: Account Authorization for Sales Areas
  V_KNA1_VKO     Customer: Authorization for Sales Organizations
  FYI:    V_VBKA_VKO     SD     Sales Activities: Authoriz.for org.data and sales activ.type
  contains the following Fields which are relavant to your query
  VKORG      Sales Organization
  VTWEG      Distribution Channel
  SPART      Division
  VKBUR      Sales Office
  VKGRP      Sales Group
  KTAAR      Sales Activity Type for Sales Support
  ACTVT      Activity
  Regards,
  Dipanjan

• Oracle HR restrictions based on multiple assignments and multiple GRE's.

  In oracle HR, with multiple assignments and multiple GRE. How can we restrict to having 1 assignment per GRE. I do not want more than 1 assignments per GRE. Has anyone done this before?

  Hi,
  If the requirement is to prevent the creation of multiple assignments, you can achieve that by personalizing the assignment form.
  Thanks
  Satheesh

• How to granularly enable Multi-Factor Auth based on the system and not the user?

  Hi,
  we are using Azure AD to federate some cloud services. We want to deploy Azure MFA to some of them, but not all. In particular, we don't want MFA for o365.
  How can I force MFA depending of the service ?
  Regards,
  John

  Hi,
  I think you may ask in:
  https://social.msdn.microsoft.com/Forums/en-US/home?forum=windowsazureactiveauthentication&filter=alltypes&sort=lastpostdesc
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• WHAT CAN I DO... MY SCREEN KEEPS COMING UP W CHECK CONNECTION , NOT CONNECTED TO INTERNET, CAN NOT USE FACE TIME AND CAN NOT CLOSE OUT MAIL.

  I recently set up my new iMac to a fiber optic service and it was working great until about 2 weeks ago. Numerous times a window comes up and says can not connect to server, I can not sign into Facetime, and cannot close out my email. Hmmmmm

  Contact the ISP.

• DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

  Hi Guys,
  I'm in a mess, I have  Cisco 877-K9 router which sits behind an ASA 5510 FW.
  The Design :
  Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
  ||
  ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
  ||
  Switch
  ||
  LAN
  Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa.
  I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not  able to ping any LAN IP at Spoke site nor am I able to ping my LAN from  any Spoke site.
  I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
  Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
  Thanks,
  Aj.

  Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
  All the troubleshooting was done before posting the problem, and to clearify the things, Please find below the results.
  1) what RProtocol r u using?
  a) It's OSPF
  2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
  a) I did the "show ip route" and bothe the HUB and Spokes get their routes defined
      (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I coudln't get routes advertised on spokes)
      (I changed to "redistribute static subnests" and I was able to get Hub routes advertised")
  3) are your tunnels config correctly? try show crypto ipsec sa
  a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
  4) on your hub'spoke do a debug ip icmp
  a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
  I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
  Additional to the info above, Please also note :
  I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
  So I guess I'm stuck on the point that My Cisco HUB is unable to talk to  my LAN, If I can get the HUB to talk to the internal LAN, I would be  able to ping clients on LAN from any Spoke or clients behind Spokes.
  From HUB router I'm able to ping clients behind Spokes.
  Does that give any Ideas ?
  Thanks in Advance.
  Aj.

• Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

  I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
  WLC 2504
  1142 LAPs
  4510R+E
  ASA 5510
  Existing configuration as follows:
  WLC management interface and APs addressed on the 192.168.126.0 /25 network
  Internal WLAN mapped to the management interface
  Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
  WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
  4510 connected to ASA inside interface (security level 100)
  Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
  ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
  What is the best way to add guest wireless to our existing configuration?
  Note: I need the guest wireless to be filtered by Websense as our internal wireless is
  Any advice would be greatly appreciated!

  Thank for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a dhcp scope on the wlc. Client gets dhcp but cannot even ping the wlc much less anything else. Yahya stated above to configure port 2 on the wlc to an access port on my 4510. Aren't all connections from the wlc supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the wlc untagged and add a dynamic interface for each wlan and tag it with the approriate vlan id? And then leave the (one) physical connection on the wlc (port 1) connected to a trunk link on the 4510 that allows the required vlans?
  Any input would be greatly appreciated...
  JW

• Reset ASA 5510 back to MFG Settings - Please help??

  A network engineer was in the middle of setting up a customer ASA 5510 Firewall and left. We don't know the IP/UN/PW.
  Is there a way to hard reset the firewall back to manufacture settings?
  Thanks in advance.

  Hi,
  The easiest thing would be to do a password recovery, as described here:
  http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1058131
  Then you can simply reset the password and carry on where he left off.
  HTH
  Andrew.

• ASA-5510-k8 vs ASA-5510-k9

  Hello all!
  I was wondering if anyone new the difference out there between an ASA5510-k8 and k9. Is this a software or hardware version. If I was using 2 ASA's in failover/standby environment those the 2 need to match or can these be different. Any feedback would be helpful Thanks.

  Hi Edwin,
  Please see below the information ref to 5510 licensing (gives you the differences between K8 &K9) and Active/standby failover implementation requirements for ASA...
  Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, 3DES/AES license
  ASA5510-BUN-K9
  Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, DES license
  ASA5510-K8
  Cisco ASA 5510 Security Plus Firewall Edition includes 2 Gigabit Ethernet + 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, Active/Standby high availability, 3DES/AES license
  ASA5510-SEC-BUN-K9
  Licensing Requirements for Active/Standby Failover
  The following table shows the licensing requirements for this feature:
  Model
  License Requirement
  ASA 5505
  Security Plus License. (Stateful failover is not supported).
  ASA 5510
  Security Plus License.
  All other models
  Base License.
  Prerequisites for Active/Standby Failover
  Active/Standby failover has the following prerequisites:
  •Both units must be identical security appliances that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.
  •Both units must have the same software configuration and the proper license.
  •Both units must be in the same mode (single or multiple, transparent or routed).
  Below are the  links for reference..
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html
  hth
  MS