ASA-5510-k8 vs ASA-5510-k9

Similar Messages

• How to copy contents of ASA 5510 to another ASA 5510?

  Hello,
  I want to copy contents of 1 ASA 5510 to another 5510.
  Both ASA has same license.
  -I tried to connect to 2nd ASA via console cable
  -Went to "Conf t" and copied config of 1st ASA. [ using paste tab from Hyper Terminal ]
  - used commands like copy running config disk0:/startup.config.cfg
  - also used write memory all , wr mem commands
  - But after reboot config was gone.
  As of now I have ASA 8.3.x version in both ASA's.
  How can I save config to 2nd ASA via Hyper Terminal?

  I am trying to save basic config.
  Basic config also not getting saved.
  Steps followed as follows :-
  - Given private IP to eth 0/1
  - no shut
  - speed auto
  - wr
  - exit
  - wr
  - exit
  - hostname asasec
  - wr
  - reload
  After reload firewall is not saving configuration.

• Unable to use ASDM on 5510 and 5520 ASA

  Hello,
  I have been working with ASA's for about 8 months now.  I have a 5520 that is brand new out of the box and a 5510 that I blew up last week (read as format disk, start from scratch).
  I have generated RSA keys, loaded license keys, loaded IOS's and configs in the last few days.  Luckily these boxes are table top at the moment and nothingto do with production.  However, I have tried to load production configurations on to these boxes, and have determined that not all the lines of the configs will load.
  To be specific at the moment, I am unable to load "asdm location 192.168.50.0 255.255.255.0 inside" on either box.  I am also unable to use my broswer and HTTPS://192.168.50.1              to access the ASA, even though I have HTTP serve enabled and HTTP 192.168.50.0 listed in the config.
  Because I blew up one of the boxes and started from scratch and the other box is brand new, is/are there any other special things that need to be done to these boxes?  Like I could put in some of the "crypto" config lines in the boxes until I did the license keys, once they were lin, I could configure the crypto lines.
  I am open to any suggestions as this point as I can't current get the VPN's to come up (different issue here) nor see what's going on with the VPN's without ASDM.
  Thank you!
  Tracey

  Hi,
  please configure the ASDM-permitted subnets as following:
  http
  and make sure that you have overlapping ciphers between the client and the ASA:
  show run ssl
  ssl encryption
  if it persists, get the SSL captures at the ASA as .pcap
  hope this helps
  Mashal Alshboul

• Add Cisco ASA to a live ASA

                    I currently have a Cisco 5510 runing on my network. I have just ordered a second 5510 for failover.
  I would like to to ensure that when I configure HA the live config gets sync'd and not the blank/brand new config. Otherwise I'll loose all my config.
  Can someone advise the best steps to take? Of course I'll take a backup before I start.
  Thanks in advance.

  Hi Martin,
  In addition to Andrew's suggestion - I guess you are planning to add the unit first time (not replacing any failed stdby unit). In this scenario, I suggest you schedule a maintenance window as you need to add the standby ip + failover configuration on primary (current ASA). Once that is done, adding standby unit is very easy.Check the below link for more information.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
  hth
  MS

• ASA rpf-check DROP, ASA checking NAT in the incorrect interface

  Hi
  My current architecture is :
  Internet <--> FW <--> ASA <--> LAN
                        FW <--> ASA
  we have two links between ASA and the FW, the corresponding ASA interfaces are "outside" and "vpn"
  the "outside" interface is used for browsing Internet, also for making some services accessible to our partners by doing NAT to our servers
  the "vpn" interface is used to grant access to our LANs from remote Offices
  let say that firewall rules are OK and the remote offices have access to the whole LAN by port 80
  below the current configuration :
  interface GigabitEthernet0/0
    nameif inside
   security-level 100
   ip address 192.168.1.2 255.255.255.0
  interface GigabitEthernet0/1
   nameif outside
   security-level 0
   ip address 192.168.11.2 255.255.255.0
  interface GigabitEthernet0/2
   nameif vpn
   security-level 0
   ip address 192.168.12.2 255.255.255.0
  object-group network Inside_LANs
   network-object 192.168.3.0 255.255.255.0
   network-object 192.168.4.0 255.255.255.0
   network-object 192.168.5.0 255.255.255.0
  access-list Inside-to-outside extended permit icmp object-group Inside_LANs any echo 
  access-list Inside-to-outside extended permit udp any host TimeServer eq ntp 
  access-list Inside-to-outside extended permit ip object-group Inside_LANs any 
  global (outside) 1 interface
  global (outside) 2 192.168.11.60 netmask 255.255.255.255
  nat (inside) 1 access-list Inside-to-outside
  nat (inside) 2 192.168.6.0 255.255.255.0
  static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
  static (inside,outside) 192.168.11.11 192.168.2.11 netmask 255.255.255.255 
  static (inside,outside) 192.168.11.12 192.168.2.12 netmask 255.255.255.255 
  route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
  route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1
  our problem is that packets are dropped from remote office to LAN, we are getting the rpf-check drop in packet tracer
  example 1 (to a server without NAT 192.168.2.13) ---> connection OK (not dropped)
  remote office 192.168.20.55 to 192.168.2.13
  Phase: 5
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  nat (inside) 1 access-list Inside-to-outside
    match udp inside any inside host TimeServer eq 123
      dynamic translation to pool 1 (No matching global)
      translate_hits = 0, untranslate_hits = 0
  Additional Information:
  example 2 (to a server with static NAT 192.168.2.10) ---> connection OK (not dropped)
  remote office 192.168.20.55 to 192.168.2.10
  Phase: 6
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
    match ip inside host 192.168.2.10 outside any
      static translation to 192.168.11.10
      translate_hits = 76643, untranslate_hits = 188597
  Additional Information:
  example 3 (to a host with dynamic ACL NAT 192.168.4.40) ---> connection NOK (dropped)
  remote office 192.168.20.55 to 192.168.4.40
  Phase: 5
  Type: NAT
  Subtype: rpf-check
  Result: DROP
  Config:
  nat (inside) 1 access-list Inside-to-outside
    match ip inside 192.168.4.0 255.255.255.0 vpn any
      dynamic translation to pool 1 (No matching global)
      translate_hits = 1, untranslate_hits = 0
  Additional Information:
  example 4 (to a host with dynamic Network NAT 192.168.6.30) ---> connection NOK (dropped)
  remote office 192.168.20.55 to 192.168.6.30
  Phase: 5
  Type: NAT
  Subtype: rpf-check
  Result: DROP
  Config:
  nat (inside) 2 192.168.6.0 255.255.255.0
    match ip inside 192.168.6.0 255.255.255.0 vpn any
      dynamic translation to pool 2 (No matching global)
      translate_hits = 117, untranslate_hits = 0
  Additional Information:
  our questions :
  1) why ASA don't check the reverse path route before checking the NAT ?
   if it does, the route back to the office is set to the "vpn" interface (route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1), so ASA don't have to check NAT in other interface, currently it's checking the NAT in the "outside" interface even if it's not the route back to the office
  2) why it's working for static NAT servers and Not working for the dynamic NAT ones ?
  when ASA check a server with static NAT it find  a match in the outside interface but even so it discard it and the connection Work. (example 2)
  when ASA check a server/host with dynamic NAT (ACL or Network) if find a match in the outside interface but drop the connection
  3) we know that this behavior can be solved by adding a NAT exception for the dynamic NAT in the "outside" interface (nat (inside) 0 access-list Inside-NAT-Exceptions) but :
  why ASA checking the global NAT even if it's not the correct interface ?
  Why it's working for static NAT and not working for the dynamic one ?
  Thanks a lot

  Hi,
  It would be easier to troubleshoot if you shared the complete "packet-tracer" command you used and the full output of the command.
  But to me the situation in its current form looks the following.
  Example 1
  To me it seems this is working as it should. Connection is coming from "vpn" to "inside". There is no "static" configurations between "vpn" and "inside" and there is no "nat" command for "vpn" interface so the traffic should pass normally without any NAT related conflicts/problems as the traffic does not match any NAT configuration.
  Notice that the ASA might show some unrelated NAT information in the output of the "packet-tracer" command (commands related to other interfaces). In those NAT Phase sections there is a section saying "Additional Information:" If there is no text after this text that means that this NAT has not been applied. I am not sure why the ASA lists some NAT configurations in the output that are not related. I have seen this in many occasions and do not know the reason and I have not really put any time/effort into understanding why it shows the unrelated information in the output.
  Example 2
  This seems to be working as expected also.
  According to the configuration provided there is no existing NAT configurations related to either the source or destination IP address on the ASA between "vpn" and "inside" interface so the traffic passes through the ASA without facing any conflicts with NAT configurations.
  Again, the "packet-tracer" shows NAT information unrelated to this situation. And again the "Additional Information:" section lists no additional information so the NAT listed is not applied.
  Example 3 and 4
  These tests fail as expected since there is a Dynamic Policy PAT configuration for both internal destination hosts that the remote users are trying to connect to. The problem comes from the fact that the initial direction from remote to internal does not match any NAT configuration and the reverse direction from internal to remote matches the Dynamic Policy PAT and therefore the connection attempt is dropped. The connection must match the same NAT configuration on both directions.
  In this situation you would either have to configure NAT0, Static NAT , Static PAT or Static Policy NAT/PAT which all would prevent the connection from matching to the Dynamic Policy PAT (But would match the mentioned type of NAT in both directions as they have higher priority than Dynamic Policy PAT). Typically the prefererred solution would be to use NAT0 though you naturally have the option to use a NAT address if there is any overlap.
  Hope this helps :)
  - Jouni

• Route inside does not work on ASA 8.2(3), ASA cannot ping inside hosts

  Hi Guys,
  I have a problem on one our ASA seems to acting strange.
  I have copy these routes below on ASA, and able to ping only 10.126.0.32.
  route inside 10.126.0.10 255.225.255.255 10.20.3.1
  route inside 10.126.0.30 255.225.255.255 10.20.3.1
  route inside 10.126.0.31 255.225.255.255 10.20.3.1
  route inside 10.126.0.32 255.225.255.255 10.20.3.1
  route inside 10.126.0.140 255.225.255.255 10.20.3.1
  route inside 10.126.0.141 255.225.255.255 10.20.3.1
  route inside 10.126.0.142 255.225.255.255 10.20.3.1
  When I saved the configuration and checking back on ASA running-configuration, none of above routes exists.
  MYASA(config)# route inside 10.126.0.10 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.30 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.31 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.32 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.140 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.141 255.225.255.255 10.20.3.1
  MYASA(config)# route inside 10.126.0.142 255.225.255.255 10.20.3.1
  MYASA(config)# end
  MYASA# show run | in route inside
  route inside 10.0.0.0 255.0.0.0 10.20.3.1 1
  route inside 10.96.0.0 255.224.0.0 10.20.3.1 1
  route inside 10.96.0.10 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.30 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.31 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.32 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.140 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.141 255.225.255.255 10.20.3.1 1
  route inside 10.96.0.142 255.225.255.255 10.20.3.1 1
  route inside 10.100.1.61 255.255.255.255 10.20.3.1 1
  route inside 10.101.20.112 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.113 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.114 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.115 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.201 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.202 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.204 255.255.255.255 10.0.0.254 1
  route inside 10.101.20.205 255.255.255.255 10.0.0.254 1
  route inside 10.101.22.22 255.255.255.255 10.20.3.1 1
  route inside 10.101.24.100 255.255.255.255 10.0.0.254 1
  route inside 10.101.24.101 255.255.255.255 10.0.0.254 1
  route inside 10.101.25.0 255.255.255.0 10.20.3.1 1
  route inside 10.126.0.32 255.255.255.255 10.20.3.1 1
  route inside 67.215.65.132 255.255.255.255 10.20.3.1 1
  route inside 192.168.1.3 255.255.255.255 10.0.0.254 1
  route inside 192.168.1.4 255.255.255.255 10.0.0.254 1
  route inside 192.168.151.0 255.255.255.0 10.20.3.1 1
  route inside 192.168.151.48 255.255.255.240 10.0.0.254 1
  route inside 205.210.235.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.236.0 255.255.255.0 10.20.3.1 1
  route inside 205.210.237.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.238.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.239.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.240.0 255.255.255.0 10.0.0.254 1
  route inside 205.210.241.0 255.255.255.0 10.0.0.254 1
  MYASA#
  It maybe a bug on the ASA?
  Thanks
  Rizwan Rafeek

  Hi Vibhor,
  Well, problem is resolved from Cisco Tech support, it boiled down a bug.
  "route inside 10.126.0.32 255.225.255.255 10.20.3.1", this route already existed, and yet it only one route shows up out of 7 copied, that is a bug.
  Thanks for your reply.
  Regards
  Rizwan Rafeek.

• Comparison of ASA-CX and normal ASA

  Hi all,
  Is it possible to get some comparison table or document that highlights main advantage of using CX over normal ASAs ?

  There no advantages/disadvantages one over  another. CX is not a standalone ASA, but a module (hardware or software), wich complements normal ASA with some extended function, as Application Visibiltiy And conrol and web filtering. Technically, CX is module, wich allows the ASA perform functions, usually done by cisco ironport VSA.
  Traffic, after being filterd by "normal" asa is redirected to CX for further inspection and policies application.
  You can see session on ciscolive365.com regarding CX or just google what it is. And, as I said, you souldn't compare them.

• Ipad to ASA with certifcate authentication ASA local CA

  Hi all,
       I have been working on trying to get an IPAD using the built in VPN client to connect to an ASA5510 version 8.2(5). I have attached the debug from where I have gotten so far.  Phase 1 is failing somewhere but the messages aren't real clear or at leat not to me.  The ASA is acting as the local CA for the certificate. I inherited the config from another guy as he couldn't get it working and I have made some progress but still not luck in getting the tunnel to just come up. Access to resources will be next but I'd like to just see the ipad show connected.  I am wonderig if the Certificate the guy created for the local CA isn't fully up to snuff since the issuer-name isn't in DNS today.
  Any info is greatly appreciated and I have been a lot of docs I could find on the internet about this topic.
  Thanks.

  Hello Greg,
  I am not sure if this is the only problem you have but at least I can see the following on the debug:
  Transform-Id: KEY_IKE
          Reserved2: 0000
          Life Type: seconds
          Life Duration (Hex): 0e 10
          Encryption Algorithm: AES-CBC
          Key Length: 256
          Authentication Method: XAUTH_INIT_RSA_SIG
          Hash Algorithm: SHA1
          Group Description: Group 2
  And the following is setup in your ASA:
  crypto isakmp enable outside
  crypto isakmp policy 1
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 5
  Please change the diffie-hellman group so the isakamp phase (1) can match on both sites!
  Regards,
  Julio

• ASA 5510 Firewall internet Restriction based on IP address and block rest users excluding Mails

  Hi,
  As i have assignment to create access list based on IP address like we have to allow internet access this IP range 192.168.172.201 to 212.
  And rest users we have to block excluding Mails.
  Please help.
  Thanks,
  Regards,
  Hemant Yadav 

  login as: Rakh
  [email protected]'s
  password:
  Type help or '?' for a list of available commands.
  FAST-HQ-ASA> en
  Password:
  Invalid password
  Password: ***********
  FAST-HQ-ASA# show rum
                      ^
  ERROR: % Invalid input detected at '^' marker.
  FAST-HQ-ASA# show run
  : Saved
  ASA Version 8.3(1)
  hostname FAST-HQ-ASA
  enable password 7tt1ICjiO2a2/Hn2 encrypted
  passwd U8oee3lIrDCUmSK2 encrypted
  names
  interface Ethernet0/0
  description ASA Outside segment
  speed 100
  duplex full
  nameif OUTSIDE
  security-level 0
  ip address 62.173.33.67 255.255.255.240
  interface Ethernet0/1
  description VLAN AGGREGATION point
  no nameif
  no security-level
  no ip address
  interface Ethernet0/1.2
  description INSIDE segment (User)
  vlan 2
  nameif INSIDE
  security-level 100
  ip address 192.168.172.1 255.255.255.0
  interface Ethernet0/1.3
  description LAN
  vlan 3
  nameif LAN
  security-level 100
  ip address 192.168.173.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network INSIDE
  subnet 192.168.172.0 255.255.255.0
  object network LAN
  subnet 192.168.173.0 255.255.255.0
  object network MAIL-SERVER
  host 192.168.172.32
  object network DENY-IP-INTERNET
  range 192.168.172.121 192.168.172.200
  object-group service serBLOCK-INTERNET tcp
  port-object eq www
  object-group network BLOCK-IP-INTERNET
  network-object object DENY-IP-INTERNET
  access-list 102 extended permit icmp any any time-exceeded
  access-list 102 extended permit icmp any any echo-reply
  access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp
  access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https
  access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET
  access-list BLOCK-WWW extended permit ip any any
  pager lines 24
  logging asdm informational
  mtu OUTSIDE 1500
  mtu INSIDE 1500
  mtu LAN 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  object network INSIDE
  nat (INSIDE,OUTSIDE) dynamic interface
  object network LAN
  nat (LAN,OUTSIDE) dynamic interface
  object network MAIL-SERVER
  nat (INSIDE,OUTSIDE) static 62.173.33.70
  access-group OUTSIDE-IN in interface OUTSIDE
  access-group BLOCK-WWW out interface OUTSIDE
  route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  vpn-addr-assign local reuse-delay 5
  telnet timeout 5
  ssh 192.168.172.37 255.255.255.255 INSIDE
  ssh 192.168.173.10 255.255.255.255 LAN
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username Rakh password EV9pEo1UkhHJSbIW encrypted
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email
  [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:1ee78d19f958efc6fd95f5e9d4e97b8d
  : end
  FAST-HQ-ASA#

• ASA 5515 management interface

  I started to configure a new ASA 5515 to replace an 5510.  When I attempted to remove the "management-only" command from the Management0/0 interface I was greeted with the following error:
  "ERROR: It is not allowed to make changes to this option for management interface on this platform."
  Does this mean we can't use the managment interface anymore on these newer ASAs?  I was planning on using that port when we bought it.  If this is the case, let this be a warning to whoever is counting the managment port as a 7th interface on the 5515!

  Update: I just found out that you can't use the management interface for failover purposes either.     Argggggg.
  "Management interface cannot be configured for failover on this platform."

• Cisco ASA 5505 performance issues on downloads - data into the ASA from the Internet

  I have having serious issues with performance on my ASA 5505s that I am testing with 9.2.3 code.
  I stripped the config and removed as much stuff as I could - no VPN etc. and I am ONLY getting about 30-40Mbps downloads from sites but 95Mbps uploads????  Anyone else seeing these problems?   If I remove the firewall my PC can hit 300/300Mbps to the same sites using the same switch and cable.
  I installed 1Gb of mem on the ASA 5505 but it made no difference. The ASA has a UL IP Security license but I am only using and inside and outside address for these tests, no other ports configured.
  Is anyone else seeing this performance problem with the 9.2.3 code?  I went to this from 8.2.5 to try to resolve QOS failure bugs that I found in the 8.2.5 code. I did not expect to have a performance hit though and it is only on downloads TO the ASA from the Internet from all speed test sites that I try. Uploading speeds seem fine. No access-lists on my interfaces either...barebones config.
  My FIOS and switch interfaces are fine...no errors on any interfaces and the same switch interface hits 300/300Mbps when my laptop is directly attached. 
  Anyone have a barebones config on their ASA 5505 that flies...I will try it on mine and see if some command somewhere (hidden) is causing the issue. I even cleared the config and started with a clean slate just in case I was missing some command from the older configs that may have impacted performance.

  After changing the switch with a high end switch my performance increased but I am still not happy with the throughput out of my ASA. I have about 50+ ASAs 5505s and a dozen 5510s. Most remote sites have 5505s. All my sites right now have 8.2.5-51 and I wanted to put 9.2.3 out there to solve issues I have uncovered on the 8.2.5 code with regards to QOS issues.
  I get much better results using the Cisco 3750X attached to the FIOS  (right around 300/300 with my laptop directly attached to the 3750x bypassing the ASA - my FIOS circuit rating is also 300/300).  Going through the ASA to the same test site I get download speeds of 35 to 75. Changes randomly which really bothers me. My uploads speeds are ALWAYS faster then my download speeds.  Example - best download I would ever get is 75Mb and my upload would usually hit 95Mb during the same test period.
  I may have to live with it but the inconsistency is what really bothers me.
  Here is the config I am currently using. Nothing going on during testing since only a single PC is attached. VPN tunnel to the main site can be up or down...doesn't seem to make any difference. PC does to site directly from outside interface of ASA...split tunneling. Even when I removed tunnels and tested with just the ASA as a firewall to the Internet I was still seeing the same inconsistencies.
  Anything obviously  missing - new command or anything?   Xlates causing issues?

• Problem with VPN Client passthrough on ASA 5505

  I am having a problem with passing through a VPN client connection on an ASA 5505. The ASA is running version 8 and terminates an anyconnect VPN. The ASA is using PAT. When the inside user connects with the VPN client, it connects but no traffic passes through the tunnel. I see the error
  305006 regular translation creation failed for protocol 50 src INSIDE:y.y.y.y dst OUTSIDE:x.x.x.x
  UDP 500,4500 and ESP are allowed into the ASA. Ipsec inspection has also been setup on a global policy, but the user still cannot pass traffice to the remote VPN he is connected through.
  At the Main Office we have an ASA 5510 that terminates a site to site VPN, allows remote connections with PAT and allows passthrough no problems. Any ideas?

  I am having a simuliar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
  3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
  regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
  HELP?

• ASA 5520 VERSION 8.2 UPGRADE TO 9.0

  Hello friends,
  I am considering to perform an upgrade of my ASA 5520 with versión 8.2 to 9.0, so I will enjoy the benefits of anyconnect for mobile devices. I clearly understand that I must pay special attention to:
  NAT Rules.
  RAM Memory: 2 GB.
  Adding the part numbers to power on the newest versions of anyconnect and for mobile devices
  L-ASA-AC-E-5520= ASA-AC-M-5520=
  am I missing any other thing? Flash requirement? Or to pay attention to some other configurations? 
  Any comment or documentation will be appreciated.
  Regards!

  You can run the latest AnyConnect client - including mobile clients - with those licenses even on an ASA with the current  8.2 code - 8.2(5) as of now. While it's a bit old and lacking some of the newer features, it's a solid and stable release.
  That would save you the trouble of migrating your NAT configuration (and other bits) and upgrading memory.
  Since the ASA 5500 series (5510, 5520 etc.) is past End of Sales you have a limited future on those platforms. For instance, ASA 9.1(x) is the last set of code releases that will be available for them. (The current software on the 5500-X is 9.3(1).)

• ASA v9.0.1 and ASDM v7.0.1 released

  Looks like v9 is now out...
  http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.pdf
  Regards Simon
  http://www.linksysinfo.org       

  Thanks for spreading out the good news Simon.
  People interested in these two releases can find them here.
  ASA 9.0.1 and ASDM 7.0.1
  Important points to consider before an upgrade to 9.0:
  ASA and ASDM Compatibility
  ASA OS
  ASDM
  ASA Model:
  ASA 5505
  ASA 5510, 5520, 5540
  ASA 5550
  ASA 5580
  ASA 5512-X, 5515-X,   5525-X, 5545-X, 5555-X
  ASA 5585-X
  ASASM
  ASA 1000V
  ASA 9.0(1)
  ASDM 7.0(1).
  YES
  YES
  YES
  YES
  YES
  YES
  YES
  No
  Limitations and Restrictions
  •Clientless SSL VPN with a self-signed certificate on the ASA—When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using an IPv6 address HTTPS URL (FQDN URL is OK): the "Confirm Security Exception" button is disabled. See: https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including clientless SSL VPN connections, and ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. For Internet Explorer 9 and later, use compatibility mode.
  •Citrix Mobile Receiver and accessing Virtual Desktop Infrastructure (VDI):
  –CSD is not supported.
  –HTTP redirect is not supported.
  –Using Citrix Receiver mobile clients to access web interface of Citrix servers is not supported.
  –Certificate or smart card authentication is not supported as a means of auto sign-on.
  –You must install XML service and configure on XenApp and XenDesktop servers.
  –Make sure the ports 443, 1494, 2598, and 80 are open on any intermediate firewalls between the ASA and the XenApp/XenDesktop server.
  –The password-expire-in-days notification on tunnel group that is used by VDI is not supported.
  •When configuring for IKEv2, for security reasons you should use groups 21, 20, 19, 24, 14, and 5. We do not recommend Diffie Hellman Group1 or Group2. For example, use
  crypto ikev2 policy 10
  group 21 20 19 24 14 5
  As always make sure you are familiar with the upgrade procedure Upgrading the Software.
  Important Notes
  •Downgrading issues—Upgrading to Version 9.0 includes ACL migration (see the "ACL Migration in Version 9.0" section). Therefore, you cannot downgrade from 9.0 with a migrated configuration. Be sure to make a backup copy of your configuration before you upgrade so you can downgrade using the old configuration if required.
  •Per-session PAT disabled when upgrading— Starting in Version 9.0, by default, all TCP PAT traffic and all UDP DNS traffic use per-session PAT (see the xlate per-session command in the command reference). If you upgrade to Version 9.0 from an earlier release, to maintain the existing functionality of multi-session PAT, the per-session PAT feature is disabled during configuration migration. The ASA adds the following deny rules:
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  To enable per-session PAT after you upgrade, enter:
  clear configure xlate
  The above deny rules are cleared so that only the default permit rules are still in place, thus enabling per-session PAT.
  •No Payload Encryption for export—You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:
  –Unified Communications
  –VPN
  You can still install the Strong Encryption (3DES/AES) license for use with management connections and encrypted route messages for OSPFv3. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filer (which uses SSL) and redirect traffic to Cloud Web Security.
  More information at:
  Release Notes for the Cisco ASA Series, 9.0(x)
  HTH.
  Portu.
  Please rate any helpful posts

• Policy Nat ASA 8.6(1)

  Going from a Pix 515E to an ASA 5515 and trying to mirror the configuration.  I believe I have most of it correct, but this one issue persists that I'm trying to get resolved.  There are a number of vpn tunnels that terminate on the Pix and on some of them the remote party has an overlapping subnet so to remedy this the following configuration was used:
  global (outside) 3 192.168.201.0
  global (outside) 4 192.168.205.0
  nat (inside) 4 access-list NAT1 0 0
  nat (inside) 3 access-list NAT 0 0
  access-list NAT permit ip 192.168.101.0 255.255.255.0 host 10.100.3.215
  access-list NAT1 permit ip 192.168.105.0 255.255.255.0 host 10.100.3.215
  This works fine.  On the ASA I tried using this:
  object network obj-10.100.3.215
   host 10.100.3.215
  object-group network obj-192.168.105.0_2
   network-object 192.168.105.0 255.255.255.0
  object-group network obj-192.168.101.0_2
   network-object 192.168.101.0 255.255.255.0
  nat (inside,outside) source dynamic obj-192.168.101.0_2 obj-192.168.201.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
  nat (inside,outside) source dynamic obj-192.168.105.0_2 obj-192.168.205.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
  That didn't work (the tunnel was up because I have a number of other subnets that were able to access the remote party, but not the 2 that need to be nat'd).  I cleared this and tried it again w/ the following:
  object network obj-10.100.3.215
  host 10.100.3.215
  object-group network obj-192.168.205.0_2
   network-object 192.168.205.0 255.255.255.0
  object-group network obj-192.168.201.0_2
   network-object 192.168.201.0 255.255.255.0
  object-group network obj-192.168.105.0_2
   network-object 192.168.105.0 255.255.255.0
  object-group network obj-192.168.101.0_2
   network-object 192.168.101.0 255.255.255.0
  nat (inside,outside) source static obj-192.168.101.0_2 obj-192.168.105.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
  nat (inside,outside) source static obj-192.168.105.0_2 obj-192.168.205.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
  If I do a packet-tracer trace it appears to nat properly to a 205.x address, but when I actually attempt it from the pc it fails.  Is the syntax correct?  I asked for a trace-route from the pc at the time it failed but it wasn't provided.

  I am trying to replace an asa 5510 with an asa 5515x.  When I try the same nat command as listed above I get this message
  "ERROR: This syntax of nat command has been deprecated."
  Is there an alternative to nat to an access-list?
  Thanks.