ASA 5520 - ISP change procedure
Hello,
Our company is going to change its ISP.
The external IPs are obviously going to change too.
We have an Active/Standby firewall and we would like to make the change with as little connectivity loss as possible.
In our configuration we have nearly all features configured, as in a normal production firewall, such as NAT, site-to-site VPN, remote access WebVPN, ACLs and also routing. I have looked up some information in this community and still I am not sure about the steps to be taken to reach our goal.
I have read that changing only the "names" from the old IP range to the new IP range would not really make the change.
The old IP range will still be configured in the features using the external IP address.
Therefore we have to first delete all the information (in the running config) connected to these variables and then re-insert them.
My biggest worry is that this could be a little bit tricky during the implementation, if some config lines or objects were left out during the deleting and inserting procedure.
Does anyone have any idea how we could make this change with a low percentage of "copy and paste failures"?
I was thinking about changing the "names" to their new IPs and then reloading the ASA afterwards. Will this work out?
The primary ASA will be changed first with the secondary shut down. ASA firmware 8.2.2 (12)
Regards,
Ray
Hi,
I know this is already marked as "Answered", but I just wanted to air my method.
I'm not sure it is the most optimal, and there sure is plenty of room for copy-paste errors. Also, the "Remote Access" part can get a bit tricky I guess, if it takes too long.
However, I did this a couple of times on a couple of remote ASAs. They weren't paired though, but I can't imagine the procedure being much different.
I "simply" added another "outside" interface and duplicated access-lists, NATs and statics, VPN tunnel-groups and so on.
In these particular cases, all I had to switch was outside management, a couple of statics and the VPN tunnels terminated on the device.
At my own pace, I could move one tunnel at a time, by just adding a static route to my VPN peer out through the new outside.
When the VPN tunnels were done, new VPN profiles distributed and users notified of the changes, I changed the default route too, making the change complete.
All that is left to do is a lot of cleanup, but that can be done without disturbing the users either.
Of course, both ISPs have to be active at the same time to accomplish this.
/Sune T.
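The worry in the original question is that a rename-only change leaves old addresses behind in features that were entered with a "name" alias or with literal addresses. The audit script below is an added example, not part of either post: it inventories every running-config line that still touches the old public prefix, grouped by the feature keyword that starts the line, and reports any `name` alias that still resolves into that prefix, so the before/after comparison can be done mechanically instead of by eye. The configuration fragment it runs over is constructed (RFC 5737 documentation ranges), as are the alias and interface names in it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed 8.2-style running config fragment (not taken from any post above).
# The old public range 198.51.100.0/29 is referenced both as literal addresses
# and through "name" aliases, which is what makes a rename-only change incomplete.
SAMPLE_CONFIG = """\
names
name 198.51.100.2 OUTSIDE-IP
name 198.51.100.3 WEB-PUBLIC
name 10.0.0.50 WEB-SERVER
interface GigabitEthernet0/0
 nameif outside
 ip address OUTSIDE-IP 255.255.255.248
route outside 0.0.0.0 0.0.0.0 198.51.100.1
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) WEB-PUBLIC WEB-SERVER netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host WEB-PUBLIC eq 80
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
tunnel-group 203.0.113.10 type ipsec-l2l
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _as_ipv4(token: str):
    """IPv4Address for a dotted-quad token, else None (ports, keywords, aliases)."""
    if not IPV4_RE.match(token):
        return None
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_names(config: str) -> dict:
    """Return alias -> IPv4 address for every 'name <ip> <alias>' statement."""
    aliases = {}
    for raw in config.splitlines():
        m = NAME_RE.match(raw.strip())
        if m:
            aliases[m.group(2)] = m.group(1)
    return aliases


def find_references(config: str, prefix: str) -> dict:
    """Group every config line that touches an address inside `prefix` by its
    leading keyword (static, access-list, route, ...). A line counts whether the
    address is written literally or through a 'name' alias."""
    net = ipaddress.ip_network(prefix)
    aliases = parse_names(config)
    hits = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "names" or NAME_RE.match(line):
            continue  # the alias table itself is reported by stale_names()
        tokens = line.split()
        addrs = [ip for ip in (_as_ipv4(t) for t in tokens) if ip is not None]
        addrs += [ipaddress.ip_address(aliases[t]) for t in tokens if t in aliases]
        if any(a in net for a in addrs):
            hits[tokens[0]].append(line)
    return dict(hits)


def stale_names(config: str, prefix: str) -> dict:
    """Aliases that still resolve into `prefix` (should be empty after the change)."""
    net = ipaddress.ip_network(prefix)
    return {alias: ip for alias, ip in parse_names(config).items()
            if ipaddress.ip_address(ip) in net}


def migration_complete(config_after: str, old_prefix: str) -> bool:
    """True when neither a config line nor a name alias still points at old_prefix."""
    return (not find_references(config_after, old_prefix)
            and not stale_names(config_after, old_prefix))


if __name__ == "__main__":
    old = "198.51.100.0/29"
    for feature, lines in sorted(find_references(SAMPLE_CONFIG, old).items()):
        print(f"{feature}: {len(lines)} line(s) to rewrite")
        for line in lines:
            print("   ", line)
    print("stale names:", stale_names(SAMPLE_CONFIG, old))
    print("migration complete:", migration_complete(SAMPLE_CONFIG, old))
```

Run it over the saved `show running-config` before the change to get the list of lines per feature that have to be re-entered, then again over the post-change config: `migration_complete` for the old prefix should then be True, and any line it still lists is exactly the copy-and-paste omission the question is worried about.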
Similar Messages
-
I inherited a network redesign project mid-implementation and ran across an issue that I was not 100% sure could be resolved. Implementation is occurring in which the organization is changing over to a different ISP, and we have some customers that will not be able to change their settings over to our new addresses for some time. I have seen a lot of posts about failover and dual ISP configurations, but I could not relate them to this particular scenario.
Theoretical Layout:
ISP1 - Old
ISP2 - New
ISP1 ISP2
2x ASA 5520 - DMZ
|
Internal
ASA 5520s are on version 8.0 and running Active/Active
We have an FTP server in our DMZ and a secondary server in our Internal LAN that customers communicate with. The issue that I have been faced with is that some customers will be using ISP1 while others are using ISP2 until the full transition occurs. Since the customers have explicit firewall rules that only accept communication from a certain source address, we cannot send out the traffic just on ISP2 until they change their settings.
Any ideas or thoughts on how to configure this to be able to make it happen?
Hello,
I think you are looking for load balancing implementation and unfortunately the ASA does not support that feature yet.
There are some workarounds that are not supported by Cisco because, as I told you, this is not supported yet, but you definitely can give it a try.
Here is the link you can use to get more information about the workaround:
https://supportforums.cisco.com/docs/DOC-15622
Please rate helpful posts.
Kind regards,
Julio -
How to change VPN peer address on ASA 5520
Environment:
ASA 5520 running 7.2(1)
IPSEC L2L VPN established using Wizard.
The IP address of the remote peer needs to change. Using ASDM, I cannot change the Tunnel Group name (which is currently the peer address). I can change the peer address in the IPSec rule, but is this all that is needed?
Do I have to add a new tunnel group using the new peer address for the name? If so how does this relate to the other objects that are required for a VPN?
When you create a VPN using the Wizard, it creates multiple objects that are hard to track when changes are required. Is it best to delete all of the current VPN objects and create a new config using the wizard again?
Is it better to make the changes using the CLI? What lines need to be changed for the peer address when using commands?
Thanks in advance for any help!
I can change the peer address in the IPSec rule, but is this all that is needed?
- No, tunnel group name must match peer address.
Do I have to add a new tunnel group using the new peer address for the name?
- Yes.
Is it better to make the changes using the CLI?
- I would always recommend it, but if you don't know it you have no option.
Add new tunnel-group with group name as new peer address, same key etc. Add new peer address to peer settings under edit ipsec rule. Then you should be able to remove the old tunnel group. Hope this helps you, been a while since I did it this way. -
ASA 5520 Upgrade From 8.2 to 9.1
To All Pro's Out There,
I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and, if needed, use it in production (in conjunction with the existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together a smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don'ts and can provide me some options toward getting the best result: minimum downtime and a smooth upgrade.
I appreciate all the help in advance.
Hi,
My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level produces quite a lot of configurations and they aren't really optimal.
In your case it seems that you have a much better situation than most people, who don't have the chance to use a test device to test out the setup before actually putting it in production.
What you can basically do is
Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware, which has basically let me configure everything ready and just switch devices for the customer. So far everything has gone really well and there have been only 1-2 mistakes in NAT configurations because of mistyping some IP address or interface name, which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (most of them from an FWSM Security Context to an ASA Security Context).
If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
https://supportforums.cisco.com/docs/DOC-31116
My personal approach when starting to convert NAT configurations for the upgrade is
Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
Divide NAT configurations based on type
Dynamic NAT/PAT
Static NAT
Static PAT
NAT0
All Policy Dynamic/Static NAT/PAT
Learn the basic configuration format for each type of NAT configuration
Start by converting the easiest NAT configurations
Dynamic NAT/PAT
Static NAT/PAT
Next convert the NAT0 configurations
And finally go through the Policy NAT/PAT configurations
Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases, since the NAT IP address is not used anymore. In the most common scenarios this basically only involves modifying the "outside" interface's ACL, but if the customer has some other links to external resources then it's highly likely that the same type of ACL changes are required on those interfaces also.
The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
One very important thing to notice also is that you might have a very large number of Identity NAT configurations between the local network interfaces of the ASA.
For example
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
In the new software you can pretty much leave all of these out. If you don't need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
Naturally you can also use these forums to ask for help with NAT configuration conversions. Even though it's a very common topic, I don't personally mind helping out with those.
So to summarize
Try out the ASA's automatic configuration conversion when simply booting to new software levels on the test ASA you have
Learn the new NAT configuration format
Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
Personally, if I was looking at the same kind of upgrade (which I will probably be looking at again soon) I would do the following
Convert the configurations manually
Lab/test the configurations on a test ASA
During a failover pair's upgrade I would remove the Standby device from the network, erase its configurations, reboot it to the new software, and insert the manually written configurations.
Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
Will add more later if anything comes to mind as it's getting quite late here
Hope this helps
- Jouni -
Multiple Public IP's on ASA 5520
Hi,
I have ASA 5520 with Ver 8.2.
The outside interface is directly connected to the ISP's router (TelePacific) and is assigned one of the public IPs: 198.24.210.226.
There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.
I did Static NAT 198.24.210.226 to 192.168.1.20 and 198.24.210.227 to 192.168.1.91.
When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.
I checked the inside traffic, it even did not get into the firewall.
Is this the problem with ISP's router? How can we route all of our public IP's to the outside interface(198.24.210.226)?
interface GigabitEthernet0/1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
interface GigabitEthernet0/0
nameif outside
ip address 198.24.210.226 255.255.255.248
security-level 0
no shutdown
route outside 0.0.0.0 0.0.0.0 198.24.210.225
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 198.24.210.226 255.255.255.255
static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 3389 192.168.1.20 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 80 192.168.1.20 80 netmask 255.255.255.255 dns
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
access-group OUTSIDE-IN in interface outside
Also,
You seem to have a /29 public subnet. You should be able to use IP addresses from this subnet to configure NAT on your firewall. I don't think you need any specific configurations to allow the usage of the whole subnet as NAT IP addresses.
You can naturally check the following
show run sysopt
Check that you DON'T have the following
sysopt noproxyarp outside
At the moment you are not actually configuring Static NAT but rather Static PAT.
You are only forwarding some ports from certain public IP addresses to the local IP address. If you were doing Static NAT, then you would actually be statically binding the public IP addresses to the local IP address. So it would apply to any TCP/UDP port and you would only need to use the ACL to allow traffic.
Though in that case you would have to replace the .226 IP address with something else as it's the firewall interface IP address and it usually should not be assigned to a single host on the LAN.
If you wanted to statically assign public IPs to both of these servers you could do
static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
- Jouni -
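Jouni's conversion procedure in the upgrade thread above (collect the statics, convert them to the 8.3+ format, drop identity NAT between local interfaces, then repoint the interface ACLs at real addresses) and the static PAT lines in this thread are two views of the same job. The script below is an added example, not Jouni's converter or anything from Cisco: it turns 8.2-style `static` lines of the shapes shown in both threads into 8.3+ object NAT and rewrites `host <mapped>` ACL destinations to the real address. The input is constructed from the forms on this page; the 8.2 `dns` keyword is deliberately left out (it needs a manual decision), network statics are only flagged, and the `interface` keyword is used when the mapped address is the outside interface's own address, which is what 8.3+ expects for the .226 case.

```python
import re

# Constructed 8.2-style NAT and ACL lines modelled on the forms in the posts
# above (the 8.2 "dns" keyword is left out on purpose; it needs a manual look).
OLD_CONFIG = """\
static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 9070
access-list OUTSIDE-IN extended permit tcp any 198.24.210.0 255.255.255.248 eq 443
"""
OUTSIDE_INTERFACE_IPS = {"198.24.210.226"}  # outside interface address from the post

STATIC_NAT_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
STATIC_PAT_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask (\S+)$")
# group 1: everything up to and including 'host ', group 2: destination, group 3: port
ACL_HOST_RE = re.compile(
    r"^(access-list \S+ extended (?:permit|deny) (?:tcp|udp|ip) "
    r"(?:any|host \S+|\S+ \S+) host )(\S+)(?: eq (\d+))?$")


def convert_statics(config: str, interface_ips=frozenset()):
    """Rewrite 8.2 'static' lines as 8.3+ object NAT. Returns (new_lines, mapping)
    where mapping is (mapped_ip, mapped_port or None) -> (real_ip, real_port or None)."""
    out, mapping = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_PAT_RE.match(line):
            real_if, mapped_if, proto, m_ip, m_port, r_ip, r_port, _mask = m.groups()
            # 8.3+ uses the 'interface' keyword when the mapped address is the
            # interface's own address instead of repeating the literal IP.
            mapped = "interface" if m_ip in interface_ips else m_ip
            out += [f"object network obj-{r_ip}-{proto}-{r_port}",
                    f" host {r_ip}",
                    f" nat ({real_if},{mapped_if}) static {mapped} service {proto} {r_port} {m_port}"]
            mapping[(m_ip, m_port)] = (r_ip, r_port)
        elif m := STATIC_NAT_RE.match(line):
            real_if, mapped_if, m_ip, r_ip, mask = m.groups()
            if m_ip == r_ip:
                # Identity NAT between local interfaces: simply omitted in 8.3+.
                out.append(f"! dropped identity NAT ({real_if},{mapped_if}) {r_ip} {mask}")
            elif mask != "255.255.255.255":
                out.append(f"! review manually (network static): {line}")
            else:
                out += [f"object network obj-{r_ip}",
                        f" host {r_ip}",
                        f" nat ({real_if},{mapped_if}) static {m_ip}"]
                mapping[(m_ip, None)] = (r_ip, None)
    return out, mapping


def rewrite_acls(config: str, mapping: dict) -> list:
    """Point 'host <mapped>' ACL destinations at the real address, since 8.3+
    interface ACLs match the untranslated (real) address."""
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue
        m = ACL_HOST_RE.match(line)
        if not m:
            out.append(f"! review manually (destination is not a single host): {line}")
            continue
        prefix, dest, port = m.groups()
        real = mapping.get((dest, port)) or mapping.get((dest, None))
        if real is None:
            out.append(f"! review manually (no static found for {dest}): {line}")
            continue
        r_ip, r_port = real
        out.append(f"{prefix}{r_ip}" + (f" eq {r_port or port}" if port else ""))
    return out


if __name__ == "__main__":
    nat_lines, mapping = convert_statics(OLD_CONFIG, OUTSIDE_INTERFACE_IPS)
    print("\n".join(nat_lines))
    print("\n".join(rewrite_acls(OLD_CONFIG, mapping)))
```

Every line the script is not sure about comes out as a `! review manually` comment rather than a guess, which keeps the converted config honest about where the copy/paste risk Jouni mentions still lives; `packet-tracer` on the upgraded unit is still the final check.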
ASA 5520 upgrade from 8.4.6 to 9.1.2
Dear All,
I am having ASA 5520 in Active/Standby failover configuration. I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on the Cisco site.
Below is the process :
Upgrade an Active/Standby Failover Configuration
Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
Download the new software to both units, and specify the new image to load with the boot system command.
Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
active#failover reload-standby
When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
active#no failover active
Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
Reload the former active unit (now the new standby unit) by entering the reload command:
newstandby#reload
When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
newstandby#failover active
This completes the process of upgrading an Active/Standby Failover pair.
Also, after the upgrade are there any changes required after the IOS migration (i.e. are there any changes in the command line between 8.4.6 and 9.1.2)?
It is mentioned on cisco site that
Major Release
—You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.
Hi Tushar,
The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions, it's just that in access rules from 9.1 you have to use any4 instead of any for IPv4 and any6 for IPv6. During conversion it will get converted automatically.
Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
- Prateek Verma -
ASA 5520 "losing" code after code has been put in and operating
Sorry to ask this if it has already been covered. We have an ASA 5520 running 8.3.2(1) code. Three times now I have entered code and rules in our ASA and had things working, only to have the code "disappear" and thus things stop working. We upgraded to 8.3.2(1) back in January of 2011, and have not had this problem until the last month. I was wondering if there is a bug with 8.3.2(1) code that has decided to show itself for whatever reason now. We have also had some other things relating to the VPN that were "working" and at some point just stopped working. We do have a second ASA 5520 that is the failover/standby. We also have two 6509s with firewall services modules, one primary and the other standby. Just wondering how to troubleshoot something like this. I have PuTTY logs of me putting the code in and doing a write mem saving the changes, yet on three occasions those things stopped working, and I had to put the code in again.
**update** As I was typing this, we realised there was a problem with the two ASAs. For some reason, failover had stopped working, and both ASAs were trying to be the primary and causing issues. After several reboots, we wound up turning failover back on on the second ASA, and things seem to be normal now. No idea what would have caused the failover to break. Not sure how long this had been going on; it may have had to do with my code seeming to disappear?
Here is the output of the show ver. I removed the serial number.
ACH-2nd-EXT-ASA01#sh ver
Cisco Adaptive Security Appliance Software Version 8.3(2)1
Device Manager Version 6.4(7)
Compiled on Wed 04-Aug-10 21:41 by builders
System image file is "disk0:/asa832-1-k8.bin"
Config file at boot was "startup-config"
ACH-2nd-EXT-ASA01 up 4 days 22 hours
failover cluster up 4 days 22 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
0: Ext: GigabitEthernet0/0 : address is 001d.a298.c41c, irq 9
1: Ext: GigabitEthernet0/1 : address is 001d.a298.c41d, irq 9
2: Ext: GigabitEthernet0/2 : address is 001d.a298.c41e, irq 9
3: Ext: GigabitEthernet0/3 : address is 001d.a298.c41f, irq 9
4: Ext: Management0/0 : address is 001d.a298.c420, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 10 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Enabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 20 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Enabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: xxxxxxxxxxx
Running Permanent Activation Key: 0xf730cf7a 0x0449cabf 0xc922e5d4 0xc7bc5cb0 0x851ed6bb
Configuration register is 0x1
Configuration has not been modified since last system restart.
ACH-2nd-EXT-ASA01# -
Hi All
I'm preparing a lab and I have 2 ASA 5520s. I have configured them for failover so the Primary's config will replicate over to the Secondary. They are connected via a 3560 switch. The switch ports are configured as access ports on VLAN 1. Spanning-tree portfast is enabled.
Firewall (Primary)
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
DEO-FW-01 up 5 hours 1 min
failover cluster up 5 hours 1 min
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 001e.f762.bc44, irq 9
1: Ext: GigabitEthernet0/1 : address is 001e.f762.bc45, irq 9
2: Ext: GigabitEthernet0/2 : address is 001e.f762.bc46, irq 9
3: Ext: GigabitEthernet0/3 : address is 001e.f762.bc47, irq 9
4: Ext: Management0/0 : address is 001e.f762.bc43, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Here is the failover config
failover
failover lan unit primary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
Here is the Show failover output
Failover On
Failover unit Primary
Failover LAN Interface: SFO GigabitEthernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
failover replication http
Version: Ours 9.1(1), Mate Unknown
Last Failover at: 12:53:27 UTC Mar 14 2013
This host: Primary - Active
Active time: 18059 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
Interface inside (10.10.16.1): No Link (Waiting)
Interface corporate_network_traffic (10.10.16.21): Unknown (Waiting)
Interface outside (193.158.46.130): Unknown (Waiting)
slot 1: empty
Other host: Secondary - Not Detected
Active time: 0 (sec)
Interface inside (10.10.16.2): Unknown (Waiting)
Interface corporate_network_traffic (10.10.16.22): Unknown (Waiting)
Interface outside (193.158.46.131): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : SFO GigabitEthernet0/3 (Failed)
Here is the output for the secondary firewall
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 6.2(5)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 hour 1 min
failover cluster up 1 hour 1 min
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 0023.0477.12e4, irq 9
1: Ext: GigabitEthernet0/1 : address is 0023.0477.12e5, irq 9
2: Ext: GigabitEthernet0/2 : address is 0023.0477.12e6, irq 9
3: Ext: GigabitEthernet0/3 : address is 0023.0477.12e7, irq 9
4: Ext: Management0/0 : address is 0023.0477.12e3, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Here is the failover config
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
Here is the Show failover output
Failover On
Failover unit Secondary
Failover LAN Interface: SFO GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 160 maximum
failover replication http
Version: Ours 9.1(1), Mate Unknown
Last Failover at: 12:58:31 UTC Mar 14 2013
This host: Secondary - Active
Active time: 3630 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
slot 1: empty
Other host: Primary - Not Detected
Active time: 0 (sec)
Stateful Failover Logical Update Statistics
Link : SFO GigabitEthernet0/3 (up)
Interface g0/3 on both is up via the no shutdown command. However, I get the following error: No Active mate detected
Please could someone help.
Many thanks
Hello James,
You have configured the IPs on the interfaces incorrectly.
Let me point it out
failover
failover lan unit primary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
You are telling the Primary device use IP address 10.10.16.25 and the secondary firewall will be 10.10.26.26
Now let's see the configuration on the Secondary Unit:
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
On the secondary you are saying the primary IP will be 10.10.16.26 and the secondary will be 10.10.16.25
You have it backwards and based on the output I would say you configured it on all of the interfaces like that.
So please change it and make it the same on all of the interfaces so both devices know the same thing (which IP they should use when they are primary and secondary; these HAVE to match).
Hope that I could help
Julio Carvajal -
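The mistake Julio points out is easy to make and easy to miss by eye: the `failover interface ip` statement names the address the primary unit uses and then the standby address, and the very same statement has to appear on both units. The checker below is an added example, not part of the thread; it parses the failover section of each unit's config (the two fragments are copied from the configs posted above) and reports whether the statements agree, whether they are merely swapped as in this case, or differ in some other way.

```python
import re

# The SFO failover-link configuration from each unit as posted in the thread.
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
"""

SECONDARY_CFG = """\
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
"""

FO_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")
FO_LAN_IF_RE = re.compile(r"^failover lan interface (\S+) (\S+)$")
FO_UNIT_RE = re.compile(r"^failover lan unit (primary|secondary)$")


def parse_failover(config: str) -> dict:
    """Extract the unit role, the failover LAN interface and every
    'failover interface ip' statement (keyed by interface name)."""
    info = {"unit": None, "lan_if": None, "ips": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := FO_UNIT_RE.match(line):
            info["unit"] = m.group(1)
        elif m := FO_LAN_IF_RE.match(line):
            info["lan_if"] = (m.group(1), m.group(2))
        elif m := FO_IP_RE.match(line):
            name, ip, mask, standby = m.groups()
            info["ips"][name] = {"ip": ip, "mask": mask, "standby": standby}
    return info


def compare_failover(primary_cfg: str, secondary_cfg: str) -> list:
    """Return human-readable findings; an empty list means both units agree."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    findings = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        findings.append(f"unit roles are {p['unit']}/{s['unit']}, expected primary/secondary")
    if p["lan_if"] != s["lan_if"]:
        findings.append(f"failover lan interface differs: {p['lan_if']} vs {s['lan_if']}")
    for name in sorted(set(p["ips"]) | set(s["ips"])):
        a, b = p["ips"].get(name), s["ips"].get(name)
        if a is None or b is None:
            findings.append(f"{name}: 'failover interface ip' present on only one unit")
        elif a == b:
            continue  # identical statement on both units: correct
        elif (a["ip"], a["standby"], a["mask"]) == (b["standby"], b["ip"], b["mask"]):
            # The classic error: the secondary lists the addresses the other way round.
            findings.append(f"{name}: active and standby addresses are swapped on the secondary "
                            f"(it should also read 'ip {a['ip']} standby {a['standby']}')")
        else:
            findings.append(f"{name}: statements differ: {a} vs {b}")
    return findings


if __name__ == "__main__":
    for finding in compare_failover(PRIMARY_CFG, SECONDARY_CFG) or ["no differences"]:
        print(finding)
```

The same comparison applies to every monitored data interface's `standby` address, which is why Julio asks for the statements to be identical on all interfaces; feed both units' full configs through `compare_failover` after the fix and expect an empty result.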
Cisco ASA 5520s in Cluster Outside interface stops sending traffic
Hi,
We are running a Pair of ASA 5520s in active/standby mode. In the last couple days the active device will just stop communicating on the outside interface. Because the rest of the interfaces are still up, it will not fail over, so we have to fail it manually. The secondary unit works and passes traffic correctly. We then reboot the Primary.
Then after some undetermined time, it happens again and we have to manually fail it the other way, reboot the affected ASA and wait for it to happen again.
We have a case with TAC but they have not been able to figure this one out. Has anyone else seen this behavior?
This is the version info:
Cisco Adaptive Security Appliance Software Version 8.4(7)
Device Manager Version 7.3(1)100
Thanks
Hi,
There are various possibilities on the ASA device which might be causing this issue:
1) Block depletion
2) Memory depletion
Other things might be related to the external ISP as well.
Can we collect some outputs from the ASA device at the time when the issue is seen on the ASA device?
If you can share the output, I can have a look at it; otherwise you can open a TAC case.
Thanks and Regards,
Vibhor Amrodia -
Security Manager traceroute ASA 5520
How can I use Security Manager (3.2) to configure an ASA 5520 to show up in a traceroute? I have found a doc on how to do this from the command line but would prefer to keep everything in CSM.
Mike
There used to be a similar bug in IDM.
The sensor itself does not declare an interface as promiscuous.
So CSM has to interpret the configuration to determine if the interface is promiscuous.
On an Appliance an Interface is InLine only if it is configured as part of an InLine Interface Pair, or has InLine Vlan Pairs assigned.
So CSM makes the assumption that if it is not part of an InLine Interface Pair and does not have InLine Vlan Pairs created, but is active and being monitored by a virtual sensor then it must be Promiscuous.
And the above is True for Appliances.
What the CSM developers may not have realized is that this is NOT true for Modules.
For most modules like the AIP-SSMs, the sensor is configured to monitor the interface, but there is nothing in the module configuration itself that tells you whether it is inline or promiscuous.
That knowledge is only within the configuration of the ASA chassis itself.
CSM is simply incorrectly using the rules for Appliances against the SSMs.
This was corrected in IDM by always just marking the SSM port as "monitored" if I remember right and not trying to specify whether it is promiscuous or inline.
CSM would likely have to make the same change, and just then just tell the user they need to check ASA configuration to determine whether or not the ASA is configured to send packets to the SSM promiscuously or inline.
Marco -
POODLE vulnerability - ASA 5520
Hi
I would like to know if my ASA 5520 firewalls (Cisco Adaptive Security Appliance Version 8.4(6), 8.2(1)) are vulnerable to the POODLE vulnerability.
Which workaround should I do? Would it have any impact on my VPN or DMZ servers?
Thanks...
Hi,
Both these ASA versions are vulnerable
Conditions:
The default configuration of SSL on all versions of the ASA enables SSLv3.
Due to CSCug51375, the ASA is unable to disable SSLv3 on ASA v9.0.x and v9.1.1.x.
To see the SSL configuration:
show run all ssl
Default configuration of the ASA:
ssl client-version any
ssl server-version any
The following non-default configuration values also enable SSLv3:
ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3
The following versions are vulnerable regardless of ssl configuration:
* 9.0.x
* 9.1.1.x
Workaround:
Disable SSLv3, write the changes to the startup-config.
This workaround only applies to the following versions:
* 7.x and later
* 8.2 and later
* 8.3 and later
* 8.4 and later
* 8.5 and later
* 8.6 and later
* 8.7 and later
* 9.1.2 and later (with CSCug51375 fix)
* 9.2.1 and later (with CSCug51375 fix)
* 9.3.1 and later
Use the following config-mode commands:
ssl server-version tlsv1
ssl client-version tlsv1-only
There is no need to reboot. The configuration must be saved via "write memory".
Here is the bug details CSCur23709
Known fixed ASA versions 9.0(4.201) ,9.2(2.103),9.3(1.1)
Thanks,
Prashant Joshi -
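The answer above gives the SSL settings that leave SSLv3 negotiable and the releases on which the workaround does not apply. The following is an added example, not code from the thread or from Cisco: it takes a pasted "show run all ssl" snippet plus the ASA version string and reports whether SSLv3 is still reachable, using only the values and version ranges quoted in the answer. The sample config text is constructed; the check mirrors the "vulnerable regardless of ssl configuration" list (9.0.x and 9.1.1.x) and does not model the fixed interim builds listed at the end of the answer.

```python
"""Check an ASA 'show run all ssl' snippet for settings that keep SSLv3 enabled (POODLE)."""
import re

# Constructed sample: the ASA default shown in the answer above.
SAMPLE_SSL_CONFIG = """\
ssl server-version any
ssl client-version any
"""

# Constructed sample after applying the workaround from the answer.
HARDENED_SSL_CONFIG = """\
ssl server-version tlsv1
ssl client-version tlsv1-only
"""

# Values quoted in the answer that allow SSLv3 to be negotiated.
SSLV3_ENABLING_VALUES = {"any", "sslv3", "sslv3-only"}

_VERSION_LINE = re.compile(r"^\s*ssl\s+(server-version|client-version)\s+(\S+)", re.MULTILINE)
# Matches version strings such as 8.4(6), 9.1(1), 9.0(4.201); interim suffixes are ignored.
_ASA_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.\d+)?\)")

# Commands from the answer; the change takes effect without a reboot but must be saved.
REMEDIATION = ("ssl server-version tlsv1", "ssl client-version tlsv1-only", "write memory")


def sslv3_enabled_settings(config_text):
    """Return {'server-version': value, ...} for each ssl version line whose value admits SSLv3."""
    found = {}
    for role, value in _VERSION_LINE.findall(config_text):
        if value.lower() in SSLV3_ENABLING_VALUES:
            found[role] = value.lower()
    return found


def parse_asa_version(version):
    """Split '9.0(4.201)' into (9, 0, 4); raises on strings that are not ASA-style versions."""
    m = _ASA_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def workaround_ineffective(version):
    """True for the trains the answer says cannot disable SSLv3 (9.0.x and 9.1.1.x, CSCug51375)."""
    major, minor, maint = parse_asa_version(version)
    return (major, minor) == (9, 0) or (major, minor, maint) == (9, 1, 1)


def assess(version, config_text):
    """Combine the version check and the config check into one finding list."""
    reasons = []
    if workaround_ineffective(version):
        reasons.append(f"ASA {version} cannot disable SSLv3 (CSCug51375); upgrade to a fixed release")
    for role, value in sorted(sslv3_enabled_settings(config_text).items()):
        reasons.append(f"ssl {role} {value} leaves SSLv3 negotiable")
    return {"version": version, "vulnerable": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for ver, cfg in (("8.4(6)", SAMPLE_SSL_CONFIG), ("8.4(6)", HARDENED_SSL_CONFIG), ("9.1(1)", HARDENED_SSL_CONFIG)):
        result = assess(ver, cfg)
        print(ver, "vulnerable" if result["vulnerable"] else "ok", result["reasons"])
    print("workaround commands:", *REMEDIATION, sep="\n  ")
```

Run it against your own pasted output of "show run all ssl"; the two config lines are the only ones the check reads, so trailing "ssl encryption" lines are ignored.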
Just received a new ASA 5520 and I'm trying to update the ASA s/w to 7.2 and the ASDM to 5.2. I have copied the files to flash, but when I run "asdm image flash:/asdm521.bin" I get an error that it's not an image file, and I don't know where to start with the ASA. Any help would be appreciated. I can't find any info in my documentation.
Try this,
To upgrade/install the ASDM follow the example procedure,
ASA(config)# copy tftp flash
Address or name of remote host [x.x.x.x]?
Source filename [pix704.bin]? asdm-504.bin
Destination filename [asdm-504.bin]?
Accessing tftp://x.x.x.x/asdm-504.bin...!!!!!!!!!!!!!!!!!!!!!
Writing file flash:/asdm-504.bin...
5958324 bytes copied in 165.460 secs (36111 bytes/sec)
ASA(config)#
ASA(config)# sh flash
Directory of flash:/
7 -rw- 5437440 21:12:42 Nov 24 2005 pix704.bin
11 -rw- 5919340 20:59:06 Nov 24 2005 asdm-504.bin
13 -rw- 7017 14:00:58 Jul 22 2005 admin.cfg
// asdm-504.bin is now copied in the flash. Now we need to set PIX to use
// this image for loading ASDM.
ASA(config)# asdm image flash:/asdm-504.bin
// Last steps involve saving the running configuration to memory as we have
// made changes to boot files and reloading the PIX.
ASA(config)# write memory
Building configuration...
Cryptochecksum: d4f498de e877e418 2f9effa7 62ca0d6b
4807 bytes copied in 3.20 secs (1602 bytes/sec)
[OK]
ASA(config)# reload
// Once the PIX comes back up, we can verify that the upgrade has been successful
// by using the "show version" command.
Refer to the link ASDM Upgrade Procedure
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t8
hope this helps.. all the best.. rate replies if found useful..
Raj -
Cisco ASA 5520 traffic between interfaces
Hello,
I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
ciscoasa# ping esx_management 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping home_network 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Thank you in advance.
Hi,
Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would at least allow communication between all interfaces with their real IP addresses.
I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
Naturally, if you wanted to try some NAT configurations you could try either of these, for example, just for the sake of testing
Static Identity NAT
static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
OR
NAT0
access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (home_network) 0 access-list HOMENETWORK-NAT0
Hope this helps
- Jouni -
HA between a Cisco ASA 5520 and a Cisco ASA 5525-X
Hi all!
we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput by replacing them with a couple of Cisco ASA 5525-X. Since the software is theoretically compatible, we are not going to upgrade it right now.
We don't want to stop service, so we are thinking about switching off the backup 5520 firewall, replacing it with a 5525-X and balancing service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-passive cluster with both technologies, Cisco ASA and Cisco ASA-X firewalls? We were told that it should be theoretically compatible, but we'd like to know if someone has tried it before.
Best regards for all,
You cannot make a 5520 establish failover with the mate being a 5525-X.
1. The configuration guide (here) states:
The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above. -
VPN clients not able to ping Remote PCs & Servers : ASA 5520
VPN is connected successfully, but I am not able to ping any remote IP or FQDN from the client PC. I am able to ping the ASA 5520 firewall's inside interface. Also some clients are able to access, some clients are not able to access. I am new to these firewalls. I tried most of the ways from the internet; please can anyone help ASAP.
Remote ip section : 192.168.1.0/24
VPN IP Pool : 192.168.5.0/24
Running Config :
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
passwd z40TgSyhcLKQc3n1 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone GST 4
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 213.42.20.20
domain-name default.domain.invalid
access-list outtoin extended permit tcp any host 83.111.113.114 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.113 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq smtp
access-list outtoin extended permit tcp any host 83.111.113.114 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq www
access-list outtoin extended permit tcp any host 83.111.113.115 eq https
access-list outtoin extended permit tcp any host 94.56.148.98 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.117 eq ssh
access-list fualavpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inet_in extended permit icmp any any time-exceeded
access-list inet_in extended permit icmp any any unreachable
access-list inet_in extended permit icmp any any echo-reply
access-list inet_in extended permit icmp any any echo
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging recipient-address [email protected] level emergencies
logging recipient-address [email protected] level errors
mtu outside 1500
mtu inside 1500
ip local pool fualapool 192.168.5.10-192.168.5.50 mask 255.255.255.0
ip local pool VPNPool 192.168.5.51-192.168.5.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 94.56.148.98 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 83.111.113.114 192.168.1.111 netmask 255.255.255.255
access-group inet_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.111.113.116 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy fualavpn internal
group-policy fualavpn attributes
dns-server value 192.168.1.111 192.168.1.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value fualavpn_splitTunnelAcl
username test password I7ZgrgChfw4FV2AW encrypted privilege 0
username Mohamed password Vqmmt8cR/.Qu7LhU encrypted privilege 0
username Moghazi password GMr7xgdqmGEQ2SVR encrypted privilege 0
username Moghazi attributes
password-storage enable
username fualauaq password E6CgvoOpTKphiM2U encrypted privilege 0
username fualauaq attributes
password-storage enable
username fuala password IFtijSYb7LAOV/IW encrypted privilege 15
username Basher password Djf15nXIJXmayfjY encrypted privilege 0
username Basher attributes
password-storage enable
username fualafac password VGC/7cKXW1A6eyXS encrypted privilege 0
username fualafac attributes
password-storage enable
username fualaab password ONTH8opuP4RKgRXD encrypted privilege 0
username fualaab attributes
password-storage enable
username fualaadh2 password mNEgLxzPBeF4SyDb encrypted privilege 0
username fualaadh2 attributes
password-storage enable
username fualaain2 password LSKk6slwsVn4pxqr encrypted privilege 0
username fualaain2 attributes
password-storage enable
username fualafj2 password lE4Wu7.5s7VXwCqv encrypted privilege 0
username fualafj2 attributes
password-storage enable
username fualakf2 password 38oMUuwKyShs4Iid encrypted privilege 0
username fualakf2 attributes
password-storage enable
username fualaklb password .3AMGUZ1NWU1zzIp encrypted privilege 0
username fualaklb attributes
password-storage enable
username fualastr password RDXSdBgMaJxNLnaH encrypted privilege 0
username fualastr attributes
password-storage enable
username fualauaq2 password HnjodvZocYhDKrED encrypted privilege 0
username fualauaq2 attributes
password-storage enable
username fualastore password wWDVHfUu9pdM9jGj encrypted privilege 0
username fualastore attributes
password-storage enable
username fualadhd password GK8k1MkMlIDluqF4 encrypted privilege 0
username fualadhd attributes
password-storage enable
username fualaabi password eYL0j16kscNhhci4 encrypted privilege 0
username fualaabi attributes
password-storage enable
username fualaadh password GTs/9BVCAU0TRUQE encrypted privilege 0
username fualaadh attributes
password-storage enable
username fualajuh password b9QGJ1GHhR88reM1 encrypted privilege 0
username fualajuh attributes
password-storage enable
username fualadah password JwVlqQNIellNgxnZ encrypted privilege 0
username fualadah attributes
password-storage enable
username fualarak password UE41e9hpvcMeChqx encrypted privilege 0
username fualarak attributes
password-storage enable
username fualasnk password ZwZ7fVglexrCWFUH encrypted privilege 0
username fualasnk attributes
password-storage enable
username rais password HrvvrIw5tEuam/M8 encrypted privilege 0
username rais attributes
password-storage enable
username fualafuj password yY2jRMPqmNGS.3zb encrypted privilege 0
username fualafuj attributes
password-storage enable
username fualamaz password U1YUfQzFYrsatEzC encrypted privilege 0
username fualamaz attributes
password-storage enable
username fualashj password gN4AXk/oGBTEkelQ encrypted privilege 0
username fualashj attributes
password-storage enable
username fualabdz password tg.pB7RXJx2CWKWi encrypted privilege 0
username fualabdz attributes
password-storage enable
username fualamam password uwLjc0cV7LENI17Y encrypted privilege 0
username fualamam attributes
password-storage enable
username fualaajm password u3yLk0Pz0U1n.Q0c encrypted privilege 0
username fualaajm attributes
password-storage enable
username fualagrm password mUt3A60gLJ8N5HVr encrypted privilege 0
username fualagrm attributes
password-storage enable
username fualakfn password ceTa6jmvnzOFNSgF encrypted privilege 0
username fualakfn attributes
password-storage enable
username Fualaain password Yyhr.dlc6/J7WvF0 encrypted privilege 0
username Fualaain attributes
password-storage enable
username fualaban password RCJKLGTrh7VM2EBW encrypted privilege 0
username John password D9xGV1o/ONPM9YNW encrypted privilege 15
username John attributes
password-storage disable
username wrkshopuaq password cFKpS5e6Whp0A7TZ encrypted privilege 0
username wrkshopuaq attributes
password-storage enable
username Talha password 3VoAABwXxVonLmWi encrypted privilege 0
username Houssam password Cj/uHUqsj36xUv/R encrypted privilege 0
username Faraj password w2qYfE3DkYvS/oPq encrypted privilege 0
username Faraj attributes
password-storage enable
username gowth password HQhALLeiQXuIzptCnTv1rA== nt-encrypted privilege 15
username Hameed password 0Kr0N1VRmLuWdoDE encrypted privilege 0
username Hameed attributes
password-storage enable
username Hassan password Uy4ASuiNyEd70LCw encrypted privilege 0
username cisco password IPVBkPI1GLlHurPD encrypted privilege 15
username Karim password 5iOtm58EKMyvruZA encrypted privilege 0
username Shakir password BESX2bAvlbqbDha/ encrypted privilege 0
username Riad password iB.miiOF7qMESlCL encrypted privilege 0
username Azeem password 0zAqiCG8dmLyRQ8f encrypted privilege 15
username Azeem attributes
password-storage disable
username Osama password xu66er.7duIVaP79 encrypted privilege 0
username Osama attributes
password-storage enable
username Mahmoud password bonjr0B19aOQSpud encrypted privilege 0
username alpha password x8WO0aiHL3pVFy2E encrypted privilege 15
username Wissam password SctmeK/qKVNLh/Vv encrypted privilege 0
username Wissam attributes
password-storage enable
username Nabil password m4fMvkTgVwK/O3Ms encrypted privilege 0
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.4 255.255.255.255 inside
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.111 255.255.255.255 inside
http 192.168.1.200 255.255.255.255 inside
http 83.111.113.117 255.255.255.255 outside
http 192.168.1.17 255.255.255.255 inside
http 192.168.1.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn general-attributes
address-pool fualapool
address-pool VPNPool
default-group-policy fualavpn
tunnel-group fualavpn ipsec-attributes
pre-shared-key *
tunnel-group fualavpn ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:38e41e83465d37f69542355df734db35
: end
Hi,
What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP
Regards,