ASA 5512-X version 9.1 multiple contexts supported?

Hi All,
Could someone please let me know if virtual contexts are supported on the ASA 5512-X with version 9.1?
I found different information on the Cisco web: the ASA datasheet says it is supported, but in the configuration guide I found exactly the opposite information.
Cisco ASA Series General Operations CLI Configuration Guide 9.1 and 8.6
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_contexts.html#wp1188797
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
thanks in advance
Best Regards
Frank

Hi,
You find the information in the ASA Configuration Guide, section "Licensing Requirements for Multiple Context Mode"
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_contexts.html#wp1188797
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
Licensing Requirements for Multiple Context Mode
ASA 5512-X      No support.
Best Regards
Frank

Similar Messages

  • Does layer 3 FWSM in multiple context support DHCPv6 relay?

    Hi, I'm trying to configure DHCP relay in a layer 3 native-IPv6 context. I don't know how to and I didn't find any relevant documentation.
    All I found is that transparent firewall doesn't support IPv6 DHCP relay (I don't even see where the need is), I'm just wondering why there is not a lot of documentation talking about it.
    Anyway, I'll be grateful if someone could give me the commands, or show me where to find them.
    Thank you.

    I don't think it's supported.
    IPv6 dhcp relay was only added to ASA software as of 9.0 (October 2012). FWSM system software has not kept up with new features since the product reached its end of sales around then (September 2012).

  • Configuring "Guest Wi-Fi" VLAN on ASA 5512

    I'm attempting to set up a new VLAN on my Cisco ASA 5512 running version 8.6(1)2. This VLAN will provide access for wireless "guest" APs in my network. I have the guest VLAN set up through to my switches, I'm able to dedicate a switch port to VLAN 40 and acquire an IP address in the 10.40.10.0/24 network. Below is an excerpt of what I think is the relevant config information. I'm trying to route guest traffic out my "outside" interface.
    Obvious to me I'm missing another command in here. Any help would be greatly appreciated. If more of the running-config is needed please advise. Thanks in advance!
    interface GigabitEthernet0/1.40
    description Guest Wireless Network
    vlan 40
    nameif guestwireless
    security-level 50
    ip address 10.40.10.5 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 X.X.X.X 1  (public IP at X.X.X.X)
    access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
    mtu guestwireless 1500
    access-group guestwireless_access_in in interface guestwireless
    dhcpd address 10.40.10.50-10.40.10.250 guestwireless
    dhcpd dns 8.8.8.8 interface guestwireless
    dhcpd enable guestwireless

    Stripped out some config pertaining to crypto and credentials
    --------------Config Below-----------------------------------
    : Saved
    ASA Version 8.6(1)2
    hostname ASA
    domain-name company.local
    names
    interface GigabitEthernet0/0
    description ISP Interface
    nameif outside
    security-level 100
    ip address ##.##.###.### 255.255.255.248
    interface GigabitEthernet0/1
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1.40
    description Guest Wireless Network
    vlan 40
    nameif guestwireless
    security-level 50
    ip address 10.40.10.5 255.255.255.0
    interface GigabitEthernet0/2
    nameif inside-tempnet
    security-level 0
    ip address 172.29.0.252 255.255.255.0
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa861-2-smp-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name company.local
    same-security-traffic permit inter-interface
    object network NETWORK_OBJ_10.100.10.0_24
    subnet 10.100.10.0 255.255.255.0
    access-list outside_access_in extended permit ip object NETWORK_OBJ_10.100.10.0_24 any
    access-list inside-tempnet_access_in extended permit ip 172.29.0.0 255.255.255.0 object NETWORK_OBJ_10.100.10.0_24
    access-list Split_Tunnel_List standard permit 172.29.0.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu guestwireless 1500
    mtu inside-tempnet 1500
    mtu management 1500
    ip local pool ClientVPN-DHCP-Pool 10.100.10.50-10.100.10.250 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    asdm history enable
    arp timeout 14400
    nat (inside-tempnet,outside) source static any any destination static NETWORK_OBJ_10.100.10.0_24 NETWORK_OBJ_10.100.10.0_24 no-proxy-arp route-lookup
    nat (guestwireless,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    access-group inside-tempnet_access_in in interface inside-tempnet
    route outside 0.0.0.0 0.0.0.0 ##.##.###.### 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    http server enable
    http 0.0.0.0 0.0.0.0 inside-tempnet
    http 172.29.0.0 255.255.255.0 inside-tempnet
    http redirect inside-tempnet 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    dhcpd address 10.40.10.50-10.40.10.250 guestwireless
    dhcpd dns 8.8.8.8 interface guestwireless
    dhcpd enable guestwireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1
    ssl trust-point ASDM_TrustPoint0 outside
    ssl trust-point ASDM_TrustPoint0 inside-tempnet
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    anyconnect profiles VPNConnect disk0:/vpnconnect.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy "GroupPolicy_VPN Connect" internal
    group-policy "GroupPolicy_VPN Connect" attributes
    wins-server none
    dns-server value #.#.#.#
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value company.local
    webvpn
      anyconnect profiles value VPNConnect type user
    tunnel-group "VPN Connect" type remote-access
    tunnel-group "VPN Connect" general-attributes
    address-pool ClientVPN-DHCP-Pool
    authentication-server-group compnay.LOCAL LOCAL
    default-group-policy "GroupPolicy_VPN Connect"
    tunnel-group "VPN Connect" webvpn-attributes
    group-alias "VPN Connect" enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    : end

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

    Dear Experts,
    Would like to know whether dynamic routing protocols are supported in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response. Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    It lists the following for software level 9.0(1)
    Multiple Context Mode Features
    Dynamic routing in Security Contexts
    EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
    I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • How to Configure Cisco ASA 5512 for multiple public IP interfaces

    Hi
    I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
    Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
    I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
    Outside Networks (I've changed the IPs for security purposes)
    Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
    Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
    Inside1 : E 0/1 192.168.255.1 255.255.248.0
    Inside2 : E 0/3 172.16.255.1 255.255.248.0
    My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
    I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
    I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
    Thanks in advance for the suggestions/help

    I have been away for a while and am just getting caught up on some posts, so my apology for a delayed response.
    I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
    To the original poster
    It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
    HTH
    Rick

  • Support IPSec VPN Client in ASA Multiple Context Mode

    I've looked under "Cisco ASA Series CLI Configuration Guide, 9.0" at "Configuring Multiple Context Mode"; it says
    "IPsec sessions—5 sessions. (The maximum per context.)". Does it mean ASA Multiple Context Mode supports IPSec VPN Client? I just want to confirm it because I can't seem to find any doc that clearly spells it out. I'll appreciate anyone who can clarify it.
    Thank Jason.
    ( Please direct me to the right group if I'm not for the first time I post it in the Cisco support forum)

    This is from the v9.3 config-guide:
    Unsupported Features
    Multiple context mode does not support the following features:
    Remote access VPN. (Site-to-site VPN is supported.)

  • Software Version ASA 5512-x

    We have just ordered a new ASA 5512-X, can anyone tell me what version of software will likely be installed?

    Hi,
    The lowest software level for the new ASA5512-X to ASA5555-X models is 8.6(1) software level
    Here is a link to a document about the compatibility
    http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html#wp42231
    I am not sure if they have yet bumped up the software level the ASA is shipped with.
    I think the models that come with the SSD drive might come with newer 9.x software level.
    - Jouni

  • Configure subinterfaces on a multiple context ASA.

    Hello,
    I was just confused. When do we need to configure subinterfaces on a multiple context ASA?
    thanks

    Whenever you need to trunk to a switch and be able to have more than the limit of physical interfaces. For instance an ASA 5510 allows you to have 100 VLAN interfaces.
    Whenever you need to set up more than one DMZ.

  • Remote Access VPN Support in Multiple Context Mode (9.1(2))?

    Hi Guys,
    I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However, seeing that the new IOS now supports mixed multiple context mode and dynamic routing, is it safe to ask whether or not Remote Access VPN is now supported in this IOS upgrade?
    Multiple Context Mode New Features:
    Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
    New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
    Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
    Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
    Regards,
    Leon

    Hey Leon,
    According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
    Regards,
    Dennis

  • Are VPN Clients supported in multiple context mode?

    Hi,
    Recently our company has bought two Cisco ASA 5515-X firewalls for our datacenter. I am new to configuring a Cisco ASA but so far things are looking good. I have configured them both with HA (active/active) in multiple context mode. Currently they host two security contexts.
    I want to configure VPN Client functionality for Remote Access. As far as I know they come with two user licenses. But there is no VPN Client wizard available and I can't find a way to enable it.
    - Is VPN Client supported in Multiple Context mode?
    - What is AnyWhere Essentials vs Premium Peers?
    Boudewijn
    Here is some additional output from the current configuration:
    Cisco Adaptive Security Appliance Software Version 9.1(2) <context>
    Device Manager Version 7.1(3)
    Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                                 Boot microcode        : CNPx-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                                 IPSec microcode       : CNPx-MC-IPSEC-MAIN-0024
                                 Number of accelerators: 1
    Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    IPS Module                        : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    This platform has an ASA 5515 Security Plus license.

    Hi,
    No form of VPN Client is supported when you are using an ASA in Multiple Context mode.
    The only type of VPN supported in the newer 9.x softwares is L2L VPN / Site to Site VPN
    This might answer the VPN Licensing related question
    http://packetpushers.net/cisco-asa-licensing-explained/
    I never seem to remember it exactly myself even.
    - Jouni

  • Asa-5512-x no connectivity to internet

    I am going from a pix-515e to asa-5512-x.   I used the wizard for the initial setup.  I then set the interfaces the same, objects, nat rules, routes, ACLs the same as in the 515e (except for the outside interface ACL where you use the inside address now, rather than the outside...and you have a global deny rule for all interfaces) . 
    I take the cables from the inside / outside interface from the 515e, plug them into the 5512x and nada...
    Computers on the inside can't get out.   I see egress failures on the ASDM monitor from the inside to outside.  I don't see any traffic coming in on the outside interface to the inside as I do on the ASDM of the 515e.  
    ASA Version 9.1(5)  
    hostname ASA-5512-X
    domain-name mydomain.com
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 98.xxx.xxx.xxx 255.255.255.224  
    interface GigabitEthernet0/2
     nameif inside
     security-level 100
     ip address 10.0.1.242 255.255.252.0  
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0  
    boot system disk0:/asa915-smp-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 10.0.3.42
     domain-name mydomain.com
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit ip any any  
    access-list outside_access_in extended permit tcp any object webserver-inside object-group web-ports  
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-716.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static webserver-inside webserver-outside unidirectional
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 98.xxx.xxx.xxx 2  
    route inside 172.20.0.0 255.255.0.0 10.0.0.1 1  
    route inside 172.21.0.0 255.255.0.0 10.0.0.1 1  
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.0.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet 10.0.0.0 255.255.0.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map  
      inspect ftp  
      inspect h323 h225  
      inspect h323 ras  
      inspect rsh  
      inspect rtsp  
      inspect esmtp  
      inspect sqlnet  
      inspect skinny   
      inspect sunrpc  
      inspect xdmcp  
      inspect sip   
      inspect netbios  
      inspect tftp  
      inspect ip-options  
    service-policy global_policy global
    prompt hostname context  
    call-home reporting anonymous

    At a quick glance the config looks pretty clean (please do use ssh and not telnet though)
    Since you replaced one box with another, have you checked that your upstream (Outside) device is reachable from the ASA itself? (i.e can you ping your default gateway at 98.xxx.xxx.xxx 2 )
    I've sometimes seen cases where we had to ask the ISP to clear their ARP cache when changing out firewalls.
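The reply's aside about Telnet can be checked mechanically. The following is an added example, not part of the original thread: a Python audit of the management-access lines in an ASA running-config, run over a constructed excerpt modelled on the configs quoted on this page. The function names and finding codes are hypothetical.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed excerpt, modelled on the management-access lines in the configs
# quoted on this page (not a real device's configuration).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
interface Management0/0
 management-only
 nameif management
 security-level 100
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
telnet 10.0.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
"""


class Finding(NamedTuple):
    code: str    # hypothetical finding identifier
    line: str    # offending config line ("" for a config-wide finding)
    detail: str


# <protocol> <network> <netmask> <nameif>, e.g. "telnet 10.0.0.0 255.255.0.0 inside"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MGMT_RULE = re.compile(rf"^(telnet|ssh|http)\s+({IPV4})\s+({IPV4})\s+(\S+)$")


def parse_interfaces(config: str) -> dict:
    """Map each interface nameif to its security-level."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()  # pasted configs often lose sub-command indentation
        if line.startswith("interface "):
            current = {"name": None, "level": None}
            blocks.append(current)
        elif current is not None and line.startswith("nameif "):
            current["name"] = line.split()[1]
        elif current is not None and line.startswith("security-level "):
            current["level"] = int(line.split()[1])
    return {b["name"]: b["level"] for b in blocks if b["name"]}


def to_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Convert an ASA 'address netmask' pair to a network object."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def audit_management_access(config: str) -> list:
    """Flag Telnet rules, any-source rules and rules on undefined interfaces."""
    levels = parse_interfaces(config)
    findings, protocols = [], set()
    for raw in config.splitlines():
        line = raw.strip()
        match = MGMT_RULE.match(line)
        if not match:
            continue  # skips "telnet timeout 5", "http server enable", etc.
        proto, addr, mask, ifc = match.groups()
        protocols.add(proto)
        if ifc in levels:
            where = f"interface {ifc} (security-level {levels[ifc]})"
        else:
            where = f"undefined interface {ifc}"
            findings.append(Finding("unknown-interface", line,
                                    f"{proto} rule bound to {where}"))
        if proto == "telnet":
            findings.append(Finding("cleartext-telnet", line,
                                    f"Telnet management on {where}; use ssh"))
        if to_network(addr, mask).prefixlen == 0:
            findings.append(Finding("any-source", line,
                                    f"{proto} management allowed from any address on {where}"))
    if "telnet" in protocols and "ssh" not in protocols:
        findings.append(Finding("no-ssh", "",
                                "Telnet rules exist but no ssh access rule is configured"))
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(f"[{finding.code}] {finding.line or '(whole config)'}: {finding.detail}")
```
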

  • Multiple Context - Changing http server port

    Hi,
    Is it possible to change the firewall https port to different port? Normally in single context mode you can change it with this command.
    http server enable 4434
    In multiple context mode there is no option for the port...
    http server enable ?

    Hi Marius,
    I just tried this on our live ASA 5520 and you're right, it can't be done on the admin context.
    It also can't assign a different port under a different context. Only default 443 is accepted.
    ciscoasa/admin(config)# ip http serve enable ?
    ERROR: % Unrecognized command
    ciscoasa/CONTEXT(config)# sh ve
    Cisco Adaptive Security Appliance Software Version 8.3(2)
    Device Manager Version 6.3(5)
    ciscoasa/CONTEXT(config)# http server enable ?
    configure mode commands/options:

  • Botnet Filter with multiple Context Mode

    We used the Botnet Filter in Single Context Mode for a long time. Now we converted to Multiple Context Mode and the database is no longer updated. In the system context I can see the update settings but when I try to update the result is always "no DNS server". Since the system context has no interfaces there are no DNS settings etc.
    How should the Botnet Filter be configured in Multiple Context Mode?
    Thanks for any response in advance.

    sh run | grep dns
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    policy-map type inspect dns preset_dns_map
    inspect dns preset_dns_map
    ping update-manifests.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms
    ping updates.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:
    ASA Version 8.4(2)
    hostname DE-VM-TER-FW-02
    enable password 8Ry2Yj8765U24 encrypted
    passwd 2KFQnb6IdI.2KY75 encrypted
    names
    interface GigabitEthernet0/0.3207
    nameif TR_v207
    security-level 50
    ip address 10.28.6.60 255.255.255.248
    interface GigabitEthernet0/0.3208
    nameif TR_v208
    security-level 70
    ip address 10.28.6.68 255.255.255.248
    interface GigabitEthernet0/0.3209
    nameif TR_v209
    security-level 80
    ip address 10.28.6.76 255.255.255.248
    interface GigabitEthernet0/0.3210
    nameif TR_v210
    security-level 90
    ip address 10.28.6.84 255.255.255.248
    interface GigabitEthernet0/1
    nameif COLT
    security-level 0
    ip address 217.111.58.46 255.255.255.240
    interface GigabitEthernet0/3
    nameif T-COM
    security-level 0
    ip address 194.25.250.94 255.255.255.240
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    name-server 8.8.8.8
    object network COLT_dynamic_NAT
    subnet 0.0.0.0 0.0.0.0
    object network T-COM_dynamiy_NAT
    subnet 0.0.0.0 0.0.0.0
    object-group network DM_INLINE_NETWORK_1
    network-object 10.0.0.0 255.0.0.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    access-list COLT_access_in extended deny ip any any
    access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https
    access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https
    access-list T-COM_access_in extended deny ip any any
    access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
    access-list TR_3208_access_in extended permit ip any any
    access-list TR_3208_access_in extended permit icmp any any
    access-list TR_v207_access_in extended deny ip any any
    access-list TR_v210_access_in extended deny ip any any
    access-list TR_v209_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu TR_v208 1500
    mtu T-COM 1500
    mtu COLT 1500
    mtu TR_v207 1500
    mtu TR_v210 1500
    mtu TR_v209 1500
    ip verify reverse-path interface T-COM
    ip verify reverse-path interface COLT
    ipv6 access-list TR_v207_access_ipv6_in deny ip any any
    ipv6 access-list TR_v208_access_ipv6_in deny ip any any
    ipv6 access-list TR_v209_access_ipv6_in deny ip any any
    ipv6 access-list TR_v210_access_ipv6_in deny ip any any
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network COLT_dynamic_NAT
    nat (any,COLT) dynamic interface
    object network T-COM_dynamiy_NAT
    nat (any,T-COM) dynamic interface
    access-group TR_3208_access_in in interface TR_v208
    access-group TR_v208_access_ipv6_in in interface TR_v208
    access-group T-COM_access_in in interface T-COM
    access-group COLT_access_in in interface COLT
    access-group TR_v207_access_in in interface TR_v207
    access-group TR_v207_access_ipv6_in in interface TR_v207
    access-group TR_v210_access_in in interface TR_v210
    access-group TR_v210_access_ipv6_in in interface TR_v210
    access-group TR_v209_access_in in interface TR_v209
    access-group TR_v209_access_ipv6_in in interface TR_v209
    route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1
    route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20
    route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    telnet timeout 5
    ssh timeout 5
    no threat-detection statistics tcp-intercept
    dynamic-filter use-database
    dynamic-filter enable interface T-COM
    dynamic-filter enable interface COLT
    dynamic-filter drop blacklist interface T-COM
    dynamic-filter drop blacklist interface COLT
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect dns preset_dns_map dynamic-filter-snoop
    service-policy global_policy global
    Cryptochecksum:7bbe975fb39e189e99d8878787a0037
    : end
    System Context
    dynamic-filter updater-client enable
    Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured

  • ASA5540 in multiple-context SNMP/icmp doesn´t work

    Hi there,
    I need some help in order to understand what's going on with an asa540 configured in multiple-context mode.
    I have a Cacti server on my LAN and now I'm trying to monitor the interface with SNMP. When I try to get this information it returns the error message:
    CISCOASA/CONTEXTA#
    JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
    JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
    If I try to ping it returns the same error:
    CISCOASA/CONTEXTA#
    JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp  reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
    Attached is the conf of my ASA.
    My question is why can't I ping or even use SNMP?
    If anyone could help me with a tip or a document about it ...
    My best regards
    Adriano

    CISCOASA/CONTEXT# packet-tracer input inside icmp 10.132.0.25 8 0 10.6.72.2
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.6.72.2       255.255.255.255 identity
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   IP_SRV_HSLCACTIP01 255.255.255.255 inside
    Phase: 5
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 453866627, packet dispatched to next module
    Phase: 10
    Type: ROUTE-LOOKUP
    Subtype: output and adjacency
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 0.0.0.0 using egress ifc identity
    adjacency Active
    next-hop mac address 0000.0000.0000 hits 22196
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow
    Route information:
    route inside 10.132.0.0 255.255.252.0 10.6.72.1 1
    route inside IP_SRV_HSLCACTIP01 255.255.255.255 10.6.72.1 1
    CISCOASA/CONTEXT# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 200.206.50.233 to network 0.0.0.0
    C    200.206.50.232 255.255.255.248 is directly connected, outside
    S    10.132.0.0 255.255.252.0 [1/0] via 10.6.72.1, inside
    S    IP_SRV_HSLCACTIP01 255.255.255.255 [1/0] via 10.6.72.1, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via 200.206.50.233, outside
    Regards,

  • Explain about transparent mode, single mode, multiple context mode

    Can you explain the differences between transparent mode, single mode, and multiple context mode on the ASA 5500? Thank you very much.

    Great question. Hope the below helps:
    Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
    Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
    Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has its own configuration separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
    Hope this helps. Let me know if you have any more questions!
    -Mike
    http://cs-mars.blogspot.com
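
An added example, not part of the reply above or of any poster's configuration, showing how the modes described look in ASA CLI: the system execution space allocates interfaces to two contexts, one routed and one transparent. Context names, VLANs, file names and addresses are hypothetical, and setting the firewall mode per context assumes a software release that supports it.

```cisco
! Constructed example; names, VLANs, files and addresses are hypothetical.
! --- System execution space (after "mode multiple" and the reload) ---
interface Management0/0
 no shutdown
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
interface GigabitEthernet0/2
 no shutdown
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
! Each context sees only its allocated interfaces and has its own config file.
context CTX-A
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/ctx-a.cfg
context CTX-B
 allocate-interface GigabitEthernet0/1.20
 allocate-interface GigabitEthernet0/2
 config-url disk0:/ctx-b.cfg
! --- Inside CTX-A (changeto context CTX-A): routed, L3 addresses on interfaces ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface GigabitEthernet0/1.10
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
! --- Inside CTX-B (changeto context CTX-B): transparent, no interface IPs ---
firewall transparent
interface GigabitEthernet0/1.20
 nameif inside
 bridge-group 1
 security-level 100
interface GigabitEthernet0/2
 nameif outside
 bridge-group 1
 security-level 0
! The BVI address is for management of the bridge group, not a gateway for hosts.
interface BVI1
 ip address 10.0.20.5 255.255.255.0
```

Hosts behind CTX-A point their default gateway at 10.0.10.1, while hosts behind CTX-B keep their existing gateway because the firewall only bridges their traffic.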
