ASA 5520 k8 model

I have asa 5520 k8 model presently i am running with IOS version 8.0(4) i am upgrading to 8.2(5) is ? any license required from cisco to upgrade to this IOS, and also let me know how many site to site vpn can be configure on this device.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1051K2S5

Hi,
There is no license needed for the software upgrade
To my understanding the device should support the mentioned 750 IPsec peers. Totally other thing is how this is in practice. Depends on other things also.
The command "show vpn-sessiondb detail" gives a nice information on the VPN connections and limits also
- Jouni

Similar Messages

ASA 5520 Software & Firmware Upgrades

Is there a way to update the firmware / microcode on the ASA or SSM? I am planning on upgrading the ASA version from 7.2(2) to 8.0(4) and was wondering how, if at all, the firmware was ever upgraded too. The output from 'sh module' is below.
ASA# sh module
Mod Card Type Model Serial No.
0 ASA 5520 Adaptive Security Appliance ASA5520-K8 JMX1044K1S9
1 ASA 5500 Series Security Services Module-10 ASA-SSM-10 JAF10370340
Mod MAC Address Range Hw Version Fw Version Sw Version
0 0018.19eb.ba7d to 0018.19eb.ba81 1.1 1.0(11)2 7.2(2)
1 000a.b89c.d12c to 000a.b89c.d12c 1.0 1.0(11)2 6.0(1)E1
Mod SSM Application Name Status SSM Application Version
1 IPS Up 6.0(1)E1
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
1 Up Up
ASA#
Thanks,
Timothy

I would not recommend upgrading - search the posts for 8.0(4) - you will find alot of people have had issues.
If there is no specific reason for the upgrade i.e feature enhancments, I suggest you stay on 7.2(2)

Asa 5520 without flash

I was handed a firewall ASA 5520 but without external flash, I want to confirm that the ASA at least boot from rommon mode boot must have the external flash connected? I connected to power and I connect it by the console port it did not show any boot.
Additionally I can confirm it is possible that you can connect a flash of a previous ASA model, say a 5510?

Hi,
To my understanding no ASA model comes with a external Flash memory. It should only have the internal Flash memory. The external slot shouldnt be needed.
I've never used or had need for the external Flash card slot on an ASA. But to my understanding atleast ASA models 5510 - 5550 should be identical regarding the external flash memorycard slot
Also if the internal Flash contains atleast one ASA OS image file I think it should always boot up "normally"
- Jouni

Cisco ASA 5520 traffic between interfaces

Hello,
I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
ciscoasa# ping esx_management 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping home_network 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Thank you in advance.

Hi,
Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
Static Identity NAT
static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
OR
NAT0
access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
nat (home_network) 0 access-list HOMENETWORK-NAT0
Hope this helps
- Jouni

Inter VLAN Routing with ASA 5520 and Cat 2960

Hi there,
I am a complete novice at networking, but I was tasked to have an ASA 5520 do inter VLAN routing (since my shop doesn't have a layer 3 router).
As a basic setup, I am trying to have three workstations on three different VLANs communicate with each other. The attached screenshot shows the topology.
I am unable to ping from a PC to the ASA...therefore I can't ping to other VLANs. Any assistance would be greatly appreciated.
ROUTER CONFIG:
ciscoasa#
ciscoasa# show run
: Saved
ASA Version 8.3(1)
hostname ciscoasa
domain-name null
enable password ###### encrypted
passwd ###### encrypted
names
dns-guard
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
no nameif
security-level 100
ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
vlan 20
nameif vlan20
security-level 100
ip address 10.10.20.1 255.255.255.0
interface GigabitEthernet0/1.30
vlan 30
nameif vlan30
security-level 100
ip address 10.10.30.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name null
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu vlan10 1500
mtu vlan20 1500
mtu vlan30 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.5 inside
dhcpd enable inside
dhcpd address 10.10.10.101-10.10.10.253 vlan10
dhcpd enable vlan10
dhcpd address 10.10.20.101-10.10.20.253 vlan20
dhcpd enable vlan20
dhcpd address 10.10.30.101-10.10.30.253 vlan30
dhcpd enable vlan30
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4ad1bba72f1f51b2a47e8cacb9d3606a
: end
SWITCH CONFIG
Switch#show run
Building configuration...
Current configuration : 2543 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no aaa new-model
system mtu routing 1500
ip subnet-zero
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
vlan internal allocation policy ascending
interface GigabitEthernet0/1
description Port Configured As Trunk
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
interface GigabitEthernet0/4
switchport access vlan 30
switchport mode access
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface GigabitEthernet0/8
interface GigabitEthernet0/9
interface GigabitEthernet0/10
interface GigabitEthernet0/11
interface GigabitEthernet0/12
interface GigabitEthernet0/13
interface GigabitEthernet0/14
interface GigabitEthernet0/15
interface GigabitEthernet0/16
interface GigabitEthernet0/17
interface GigabitEthernet0/18
interface GigabitEthernet0/19
interface GigabitEthernet0/20
interface GigabitEthernet0/21
interface GigabitEthernet0/22
interface GigabitEthernet0/23
interface GigabitEthernet0/24
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface GigabitEthernet0/27
interface GigabitEthernet0/28
interface GigabitEthernet0/29
interface GigabitEthernet0/30
interface GigabitEthernet0/31
interface GigabitEthernet0/32
interface GigabitEthernet0/33
interface GigabitEthernet0/34
interface GigabitEthernet0/35
interface GigabitEthernet0/36
interface GigabitEthernet0/37
interface GigabitEthernet0/38
interface GigabitEthernet0/39
interface GigabitEthernet0/40
interface GigabitEthernet0/41
interface GigabitEthernet0/42
interface GigabitEthernet0/43
interface GigabitEthernet0/44
interface GigabitEthernet0/45
interface GigabitEthernet0/46
interface GigabitEthernet0/47
interface GigabitEthernet0/48
interface Vlan1
ip address 10.10.1.2 255.255.255.0
no ip route-cache
interface Vlan10
no ip address
no ip route-cache
interface Vlan20
no ip address
no ip route-cache
interface Vlan30
no ip address
no ip route-cache
ip default-gateway 10.10.1.1
ip http server
ip http secure-server
control-plane
line con 0
line vty 5 15
end

ciscoasa# capture cap10 interface vlan10
ciscoasa# capture cap20 interface vlan20
ciscoasa# show cap cap10
97 packets captured
   1: 17:32:32.541262 802.1Q vlan#10 P0 10.10.10.101.2461 > 10.10.10.1.8905: ud
p 96
   2: 17:32:36.741294 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
   3: 17:32:36.741523 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
   4: 17:32:37.539217 802.1Q vlan#10 P0 10.10.10.101.2462 > 10.10.10.1.8905: ud
p 98
   5: 17:32:39.104914 802.1Q vlan#10 P0 10.10.10.101.2463 > 10.12.5.64.8906: ud
p 95
   6: 17:32:41.738914 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
   7: 17:32:41.739143 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
   8: 17:32:42.544023 802.1Q vlan#10 P0 10.10.10.101.2464 > 10.10.10.1.8905: ud
p 93
   9: 17:32:46.747352 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
10: 17:32:46.747580 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
11: 17:32:47.546633 802.1Q vlan#10 P0 10.10.10.101.2465 > 10.10.10.1.8905: ud
p 98
12: 17:32:51.739921 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
13: 17:32:51.740150 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
14: 17:32:52.544100 802.1Q vlan#10 P0 10.10.10.101.2466 > 10.10.10.1.8905: ud
p 98
15: 17:32:56.741859 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
16: 17:32:56.742088 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
17: 17:32:57.547396 802.1Q vlan#10 P0 10.10.10.101.2467 > 10.10.10.1.8905: ud
p 98
18: 17:33:01.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
19: 17:33:01.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
20: 17:33:02.547609 802.1Q vlan#10 P0 10.10.10.101.2468 > 10.10.10.1.8905: ud
p 97
21: 17:33:06.742774 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
22: 17:33:06.743018 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
23: 17:33:07.543337 802.1Q vlan#10 P0 10.10.10.101.2469 > 10.10.10.1.8905: ud
p 93
24: 17:33:10.375514 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
25: 17:33:11.114679 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
26: 17:33:11.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
27: 17:33:11.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
28: 17:33:11.864731 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
29: 17:33:12.546266 802.1Q vlan#10 P0 10.10.10.101.2470 > 10.10.10.1.8905: ud
p 98
30: 17:33:16.746497 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
31: 17:33:16.746726 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
32: 17:33:17.548403 802.1Q vlan#10 P0 10.10.10.101.2471 > 10.10.10.1.8905: ud
p 97
33: 17:33:21.744880 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
34: 17:33:21.745109 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
35: 17:33:22.545351 802.1Q vlan#10 P0 10.10.10.101.2472 > 10.10.10.1.8905: ud
p 95
36: 17:33:23.785558 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
37: 17:33:24.522464 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
38: 17:33:25.272568 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137: ud
p 50
39: 17:33:26.744926 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
40: 17:33:26.745154 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
41: 17:33:27.548708 802.1Q vlan#10 P0 10.10.10.101.2473 > 10.10.10.1.8905: ud
p 96
42: 17:33:31.749625 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
43: 17:33:31.749854 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
44: 17:33:32.550096 802.1Q vlan#10 P0 10.10.10.101.2474 > 10.10.10.1.8905: ud
p 97
45: 17:33:36.748343 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
46: 17:33:36.748572 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
47: 17:33:37.546251 802.1Q vlan#10 P0 10.10.10.101.2475 > 10.10.10.1.8905: ud
p 95
48: 17:33:41.745566 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
49: 17:33:41.745795 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
50: 17:33:42.547975 802.1Q vlan#10 P0 10.10.10.101.2476 > 10.10.10.1.8905: ud
p 97
51: 17:33:46.747855 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
52: 17:33:46.748084 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
53: 17:33:47.548403 802.1Q vlan#10 P0 10.10.10.101.2477 > 10.10.10.1.8905: ud
p 94
54: 17:33:51.747718 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
55: 17:33:51.747931 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
56: 17:33:52.547670 802.1Q vlan#10 P0 10.10.10.101.2478 > 10.10.10.1.8905: ud
p 97
57: 17:33:54.134239 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
58: 17:33:56.750678 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
59: 17:33:56.750891 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
60: 17:33:57.563035 802.1Q vlan#10 P0 10.10.10.101.2479 > 10.10.10.1.8905: ud
p 97
61: 17:33:59.245272 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
62: 17:34:01.752188 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
63: 17:34:01.752402 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
64: 17:34:01.995737 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 49
65: 17:34:01.995813 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 34
66: 17:34:01.995950 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 49
67: 17:34:01.996011 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 34
68: 17:34:01.996118 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
69: 17:34:01.996179 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
70: 17:34:02.551836 802.1Q vlan#10 P0 10.10.10.101.2480 > 10.10.10.1.8905: ud
p 98
71: 17:34:03.011306 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 49
72: 17:34:03.011367 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 34
73: 17:34:03.011443 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 49
74: 17:34:03.011489 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 34
75: 17:34:03.011550 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
76: 17:34:03.011596 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
77: 17:34:04.027037 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 49
78: 17:34:04.027082 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 34
79: 17:34:04.027174 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 49
80: 17:34:04.027250 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 34
81: 17:34:04.027311 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
82: 17:34:04.027357 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
83: 17:34:04.745811 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
84: 17:34:06.058514 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 49
85: 17:34:06.058605 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427: u
dp 34
86: 17:34:06.058651 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 49
87: 17:34:06.058712 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427: u
dp 34
88: 17:34:06.058758 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 49
89: 17:34:06.058819 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
udp 34
90: 17:34:06.750907 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
91: 17:34:06.751151 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
92: 17:34:07.552751 802.1Q vlan#10 P0 10.10.10.101.2481 > 10.10.10.1.8905: ud
p 96
93: 17:34:11.752082 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
94: 17:34:11.752326 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
95: 17:34:12.553392 802.1Q vlan#10 P0 10.10.10.101.2482 > 10.10.10.1.8905: ud
p 96
96: 17:34:16.755438 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
97: 17:34:16.755682 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
98: 17:34:17.554811 802.1Q vlan#10 P0 10.10.10.101.2483 > 10.10.10.1.8905: ud
p 97
99: 17:34:21.751303 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
100: 17:34:21.751563 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
101: 17:34:22.552034 802.1Q vlan#10 P0 10.10.10.101.2484 > 10.10.10.1.8905: ud
p 95
102: 17:34:26.753989 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
103: 17:34:26.754218 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
104: 17:34:27.560334 802.1Q vlan#10 P0 10.10.10.101.2485 > 10.10.10.1.8905: ud
p 98
105: 17:34:31.755499 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
quest
106: 17:34:31.755728 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
ply
107: 17:34:32.563950 802.1Q vlan#10 P0 10.10.10.101.2486 > 10.10.10.1.8905: ud
p 95
107 packets shown
ciscoasa# show cap cap20
92 packets captured
   1: 17:26:53.653378 802.1Q vlan#20 P0 10.10.20.101.1187 > 216.49.94.13.80: S 8
20343450:820343450(0) win 65535
   2: 17:27:12.019133 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
   3: 17:27:17.214481 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
   4: 17:27:55.593688 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
499891746:1499891746(0) win 65535
   5: 17:27:58.555284 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
499891746:1499891746(0) win 65535
   6: 17:28:04.564790 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
499891746:1499891746(0) win 65535
   7: 17:29:06.504856 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101
   8: 17:29:06.504917 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
6:bb
   9: 17:29:06.505222 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
7080594:47080594(0) win 65535
10: 17:29:09.467032 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
7080594:47080594(0) win 65535
11: 17:29:15.476537 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
7080594:47080594(0) win 65535
12: 17:30:17.417245 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
445997597:1445997597(0) win 65535
13: 17:30:18.156043 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
14: 17:30:20.378688 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
445997597:1445997597(0) win 65535
15: 17:30:23.220356 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
16: 17:30:26.388102 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
445997597:1445997597(0) win 65535
17: 17:30:28.721047 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
18: 17:30:34.222507 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
19: 17:33:43.156928 802.1Q vlan#20 P0 arp who-has 10.10.20.101 tell 10.10.20.1
01
20: 17:33:44.187002 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101
21: 17:33:44.187047 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
6:bb
22: 17:33:44.187261 802.1Q vlan#20 P0 10.10.20.101 > 10.10.20.1: icmp: echo re
quest
23: 17:33:44.187520 802.1Q vlan#20 P0 10.10.20.1 > 10.10.20.101: icmp: echo re
ply
24: 17:33:44.239016 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
25: 17:33:44.327360 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
26: 17:33:44.989740 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
27: 17:33:45.150611 802.1Q vlan#20 P0 10.10.20.101.6646 > 10.10.20.255.6646:
udp 236
28: 17:33:45.331312 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
udp 34
29: 17:33:45.740943 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
30: 17:33:46.331892 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
31: 17:33:46.492131 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
32: 17:33:47.243502 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
33: 17:33:47.994501 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
34: 17:33:48.335050 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
35: 17:33:48.335141 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
udp 34
36: 17:33:48.745658 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
37: 17:33:49.496861 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
38: 17:33:50.248812 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
39: 17:33:50.249300 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
40: 17:33:50.999170 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
41: 17:33:50.999246 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
42: 17:33:51.750342 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
43: 17:33:51.750418 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
44: 17:33:52.341336 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
udp 34
45: 17:33:52.341474 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
udp 34
46: 17:33:52.501576 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
47: 17:33:52.501652 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
48: 17:33:53.254183 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
49: 17:33:53.254320 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 204
50: 17:33:54.134361 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
51: 17:33:54.755118 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
52: 17:33:54.823535 802.1Q vlan#20 P0 10.120.2.198.1261 > 161.69.12.13.443: R
250934743:250934743(0) ack 2427374744 win 0
53: 17:33:54.823901 802.1Q vlan#20 P0 10.120.2.198.1262 > 161.69.12.13.443: R
3313764765:3313764765(0) ack 1397588942 win 0
54: 17:33:54.824618 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
2860571026:2860571026(0) win 65535
55: 17:33:56.257448 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
56: 17:33:57.759833 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
57: 17:33:57.779729 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
2860571026:2860571026(0) win 65535
58: 17:33:59.245394 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
59: 17:33:59.262178 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 186
60: 17:34:00.263780 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 186
61: 17:34:01.265382 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 186
62: 17:34:02.266908 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 186
63: 17:34:03.268540 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
64: 17:34:03.789189 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
2860571026:2860571026(0) win 65535
65: 17:34:04.019591 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
66: 17:34:04.745933 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
request
67: 17:34:04.770757 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
68: 17:34:05.521991 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
69: 17:34:06.273209 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
70: 17:34:07.024367 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
71: 17:34:07.775518 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
72: 17:34:08.526706 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 68
73: 17:34:09.277939 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
74: 17:34:09.278061 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 174
75: 17:34:09.278702 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138: ud
p 204
76: 17:34:15.810489 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
77: 17:34:16.809726 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
udp 31
78: 17:34:17.811222 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
79: 17:34:19.814349 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
80: 17:34:19.814380 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
udp 31
81: 17:34:23.820682 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
udp 31
82: 17:34:23.820788 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
udp 31
83: 17:34:30.822924 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 50
84: 17:34:31.572892 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 50
85: 17:34:32.324079 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137: ud
p 50
86: 17:34:33.083079 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
87: 17:34:34.077007 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
udp 44
88: 17:34:35.078639 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
89: 17:34:37.081584 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
90: 17:34:37.081706 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
udp 44
91: 17:34:41.087809 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
udp 44
92: 17:34:41.087840 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
udp 44
92 packets shown

HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

Hi all!
we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theorically compatible, we are not going to upgrade it right now.
We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-pasive cluster with both technologies, Cisco ASA an Cisco ASA-X firewalls? We were said that it should be theorically compatible, but we'd like to know if someone tried before.
Best regards for all,

You cannot make a 5520 establish failover with the mate being a 5525-X.
1. The configuration guide (here) states:
The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above.

Patch: CSCun25809, AnyConnect Password Management Fails with SMS Passcode for ASA 5520

Patch: CSCun25809, AnyConnect Password Management Fails with SMS Passcode for ASA 5520
Will this patch be installed in a version which I can use on ASA5520, if I understand the documentation correct, this patch is only installed in versions which are running on -X models of the ASA. 9.2, 9.3

Once the ASA has dynamic NAT enabled to an outside interface, routing between same security level will not work.
You need to add route exempt the inside interfaces to all private subnet.

VPN clients not able to ping Remote PCs & Servers : ASA 5520

VPN is connected successfully. But not able to ping any remote ip or fqdn from client pc. But able to ping ASA 5520 firewalls inside interface. Also some clients able to access, some clients not able to access. I new to these firewalls. I tried most of ways from internet, please any one can help asap.
Remote ip section : 192.168.1.0/24
VPN IP Pool : 192.168.5.0/24
Running Config :
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
passwd z40TgSyhcLKQc3n1 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone GST 4
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 213.42.20.20
domain-name default.domain.invalid
access-list outtoin extended permit tcp any host 83.111.113.114 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.113 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq smtp
access-list outtoin extended permit tcp any host 83.111.113.114 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq www
access-list outtoin extended permit tcp any host 83.111.113.115 eq https
access-list outtoin extended permit tcp any host 94.56.148.98 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.117 eq ssh
access-list fualavpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0
92.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 1
2.168.5.0 255.255.255.0
access-list inet_in extended permit icmp any any time-exceeded
access-list inet_in extended permit icmp any any unreachable
access-list inet_in extended permit icmp any any echo-reply
access-list inet_in extended permit icmp any any echo
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging recipient-address [email protected] level emergencies
logging recipient-address [email protected] level errors
mtu outside 1500
mtu inside 1500
ip local pool fualapool 192.168.5.10-192.168.5.50 mask 255.255.255.0
ip local pool VPNPool 192.168.5.51-192.168.5.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 94.56.148.98 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 83.111.113.114 192.168.1.111 netmask 255.255.255.255
access-group inet_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.111.113.116 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have no
been met or due to some specific group policy, you do not have permission to u
e any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy fualavpn internal
group-policy fualavpn attributes
dns-server value 192.168.1.111 192.168.1.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value fualavpn_splitTunnelAcl
username test password I7ZgrgChfw4FV2AW encrypted privilege 0
username Mohamed password Vqmmt8cR/.Qu7LhU encrypted privilege 0
username Moghazi password GMr7xgdqmGEQ2SVR encrypted privilege 0
username Moghazi attributes
password-storage enable
username fualauaq password E6CgvoOpTKphiM2U encrypted privilege 0
username fualauaq attributes
password-storage enable
username fuala password IFtijSYb7LAOV/IW encrypted privilege 15
username Basher password Djf15nXIJXmayfjY encrypted privilege 0
username Basher attributes
password-storage enable
username fualafac password VGC/7cKXW1A6eyXS encrypted privilege 0
username fualafac attributes
password-storage enable
username fualaab password ONTH8opuP4RKgRXD encrypted privilege 0
username fualaab attributes
password-storage enable
username fualaadh2 password mNEgLxzPBeF4SyDb encrypted privilege 0
username fualaadh2 attributes
password-storage enable
username fualaain2 password LSKk6slwsVn4pxqr encrypted privilege 0
username fualaain2 attributes
password-storage enable
username fualafj2 password lE4Wu7.5s7VXwCqv encrypted privilege 0
username fualafj2 attributes
password-storage enable
username fualakf2 password 38oMUuwKyShs4Iid encrypted privilege 0
username fualakf2 attributes
password-storage enable
username fualaklb password .3AMGUZ1NWU1zzIp encrypted privilege 0
username fualaklb attributes
password-storage enable
username fualastr password RDXSdBgMaJxNLnaH encrypted privilege 0
username fualastr attributes
password-storage enable
username fualauaq2 password HnjodvZocYhDKrED encrypted privilege 0
username fualauaq2 attributes
password-storage enable
username fualastore password wWDVHfUu9pdM9jGj encrypted privilege 0
username fualastore attributes
password-storage enable
username fualadhd password GK8k1MkMlIDluqF4 encrypted privilege 0
username fualadhd attributes
password-storage enable
username fualaabi password eYL0j16kscNhhci4 encrypted privilege 0
username fualaabi attributes
password-storage enable
username fualaadh password GTs/9BVCAU0TRUQE encrypted privilege 0
username fualaadh attributes
password-storage enable
username fualajuh password b9QGJ1GHhR88reM1 encrypted privilege 0
username fualajuh attributes
password-storage enable
username fualadah password JwVlqQNIellNgxnZ encrypted privilege 0
username fualadah attributes
password-storage enable
username fualarak password UE41e9hpvcMeChqx encrypted privilege 0
username fualarak attributes
password-storage enable
username fualasnk password ZwZ7fVglexrCWFUH encrypted privilege 0
username fualasnk attributes
password-storage enable
username rais password HrvvrIw5tEuam/M8 encrypted privilege 0
username rais attributes
password-storage enable
username fualafuj password yY2jRMPqmNGS.3zb encrypted privilege 0
username fualafuj attributes
password-storage enable
username fualamaz password U1YUfQzFYrsatEzC encrypted privilege 0
username fualamaz attributes
password-storage enable
username fualashj password gN4AXk/oGBTEkelQ encrypted privilege 0
username fualashj attributes
password-storage enable
username fualabdz password tg.pB7RXJx2CWKWi encrypted privilege 0
username fualabdz attributes
password-storage enable
username fualamam password uwLjc0cV7LENI17Y encrypted privilege 0
username fualamam attributes
password-storage enable
username fualaajm password u3yLk0Pz0U1n.Q0c encrypted privilege 0
username fualaajm attributes
password-storage enable
username fualagrm password mUt3A60gLJ8N5HVr encrypted privilege 0
username fualagrm attributes
password-storage enable
username fualakfn password ceTa6jmvnzOFNSgF encrypted privilege 0
username fualakfn attributes
password-storage enable
username Fualaain password Yyhr.dlc6/J7WvF0 encrypted privilege 0
username Fualaain attributes
password-storage enable
username fualaban password RCJKLGTrh7VM2EBW encrypted privilege 0
username John password D9xGV1o/ONPM9YNW encrypted privilege 15
username John attributes
password-storage disable
username wrkshopuaq password cFKpS5e6Whp0A7TZ encrypted privilege 0
username wrkshopuaq attributes
password-storage enable
username Talha password 3VoAABwXxVonLmWi encrypted privilege 0
username Houssam password Cj/uHUqsj36xUv/R encrypted privilege 0
username Faraj password w2qYfE3DkYvS/oPq encrypted privilege 0
username Faraj attributes
password-storage enable
username gowth password HQhALLeiQXuIzptCnTv1rA== nt-encrypted privilege 15
username Hameed password 0Kr0N1VRmLuWdoDE encrypted privilege 0
username Hameed attributes
password-storage enable
username Hassan password Uy4ASuiNyEd70LCw encrypted privilege 0
username cisco password IPVBkPI1GLlHurPD encrypted privilege 15
username Karim password 5iOtm58EKMyvruZA encrypted privilege 0
username Shakir password BESX2bAvlbqbDha/ encrypted privilege 0
username Riad password iB.miiOF7qMESlCL encrypted privilege 0
username Azeem password 0zAqiCG8dmLyRQ8f encrypted privilege 15
username Azeem attributes
password-storage disable
username Osama password xu66er.7duIVaP79 encrypted privilege 0
username Osama attributes
password-storage enable
username Mahmoud password bonjr0B19aOQSpud encrypted privilege 0
username alpha password x8WO0aiHL3pVFy2E encrypted privilege 15
username Wissam password SctmeK/qKVNLh/Vv encrypted privilege 0
username Wissam attributes
password-storage enable
username Nabil password m4fMvkTgVwK/O3Ms encrypted privilege 0
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.4 255.255.255.255 inside
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.111 255.255.255.255 inside
http 192.168.1.200 255.255.255.255 inside
http 83.111.113.117 255.255.255.255 outside
http 192.168.1.17 255.255.255.255 inside
http 192.168.1.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn general-attributes
address-pool fualapool
address-pool VPNPool
default-group-policy fualavpn
tunnel-group fualavpn ipsec-attributes
pre-shared-key *
tunnel-group fualavpn ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:38e41e83465d37f69542355df734db35
: end

Hi,
What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP
Regards,

ASA 5520 Upgrade From 8.2 to 9.1

To All Pro's Out There,
I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
I appreciate all the help in advance.

Hi,
My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
What you can basically do is
Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
https://supportforums.cisco.com/docs/DOC-31116
My personal approach when starting to convert NAT configurations for the upgrade is
Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
Divide NAT configurations based on type
Dynamic NAT/PAT
Static NAT
Static PAT
NAT0
All Policy Dynamic/Static NAT/PAT
Learn the basic configuration format for each type of NAT configuration
Start by converting the easiest NAT configurations
Dynamic NAT/PAT
Static NAT/PAT
Next convert the NAT0 configurations
And finally go through the Policy NAT/PAT configurations
Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
For example
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
So to summarize
Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
Learn the new NAT configuration format
Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
Convert the configurations manually
Lab/test the configurations on an test ASA
During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
Will add more later if anything comes to mind as its getting quite late here
Hope this helps
- Jouni

DHCP question on VPN to ASA 5520

Our VPN uses the Microsoft VPN client to connect to an ASA 5520 running 8.0(3). Clients get address from our internal DHCP server. How do I get the ASA to send the client computer name in the DHCP request, rather the the group name and some number it appends to it? This is an issue for us because those entries show up as "rogue" registrations in DNS, because they don't match our naming structure.

Make sure if the client is forwarding it's name in the DHCP messages. Parameters can't be added at ASA.

Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

Hi,
I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
The scanario:
Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
Any help or advice is much appreciated.
Thanks.

Hello Bernard,
What you are looking for is a Remote Ipsec VPN mode not a L2L.
Here is the link you should use to make this happen:)
https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
Regards,
Julio

Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

Hi,
i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
I have installed 50 Site-to-Site VPN tunnels, and they work fine.
but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
it happens when there is no TRAFIC on, i suspect.
in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
Any idea?
Thanks,
Daniel

What is the lifetime value configured for in your crypto policies?
For example:
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

Multiple Public IP's on ASA 5520

Hi,
I have ASA 5520 with Ver 8.2.
Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP:198.24.210.226.
There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.
I did Static NAT 198.24.210.226 to 192.168.1.20 and 198.24.210.227 to 192.168.1.91.
When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.
I checked the inside traffic, it even did not get into the firewall.
Is this the problem with ISP's router? How can we route all of our public IP's to the outside interface(198.24.210.226)?
interface GigabitEthernet0/1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
interface GigabitEthernet0/0
nameif outside
ip address 198.24.210.226 255.255.255.248
security-level 0
no shutdown
route outside 0.0.0.0 0.0.0.0 198.24.210.225
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 198.24.210.226 255.255.255.255
static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 3389 192.168.1.20 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 80 192.168.1.20 80 netmask 255.255.255.255 dns
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
access-group OUTSIDE-IN in interface outside

Also,
You seen to have an /29 public subnet. You should be able to use IP addresses from this subnet to configure NAT on your firewall. I dont think you need any specific configurations to allow the usage of the whole subnet as NAT IP addresses.
You can naturally check the following
show run sysopt
Check that you DONT have the following
sysopt noproxyarp outside
At the moment you are not actually configuring Static NAT but rather Static PAT.
You are only forwarding some ports from certain public IP addresses to the local IP address. If you were doing Static NAT, then you would actually be staticly binding the public IP addresses to the local IP address. So it would apply to any TCP/UDP port and you would only need to use the ACL to allow traffic.
Though in that case you would have to replace the .226 IP address with something else as its the firewall interface IP address and it should not be assigned to be used by a single host on the LAN usually.
If you wanted to staticly assing public IPs to both of these servers you could do
static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
- Jouni

ASA 5520 intervlan routing at low speed

I have ASA 5520 and SSM-10 module. During copy between vlans, connected to gigabit port of asa the speed is up to 6,5 Mbyte/sec. Network cards and trunked switch are gigabit. I've temporarily disabled SSM but it didn't help. Here is my config. Also I found out, that putting SSM into bypass mode solves the problem. But I don't send any traffic to IPS...
ASA Version 8.4(2)
hostname ***
domain-name ***
enable password *** encrypted
passwd *** encrypted
multicast-routing
names
dns-guard
interface GigabitEthernet0/0
nameif DMZ
security-level 50
ip address 10.2.5.1 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
interface GigabitEthernet0/1.100
vlan 100
nameif Devices
security-level 100
ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet0/1.101
vlan 101
nameif Common
security-level 100
ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet0/1.102
vlan 102
nameif Design
security-level 100
ip address 10.2.2.1 255.255.255.0
interface GigabitEthernet0/1.103
vlan 103
nameif Ruhlamat
security-level 90
ip address 10.2.3.1 255.255.255.0
interface GigabitEthernet0/2
no nameif
security-level 100
no ip address
interface GigabitEthernet0/2.10
vlan 10
nameif HOLOGR
security-level 40
ip address 10.1.2.4 255.255.0.0
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address ***
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
management-only
boot system disk0:/asa842-k8.bin
no ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WWW
host 10.2.1.6
object network MAIL
host 10.2.5.5
object network TEST
host 10.2.1.85
object-group network DM_INLINE_NETWORK_1
network-object host 10.1.0.88
network-object host 10.1.6.1
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object 10.2.0.0 255.255.255.0
network-object host 10.1.6.4
network-object host 10.1.1.57
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2080
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_6
network-object host 10.1.4.42
network-object host 10.1.4.234
network-object host 10.1.4.175
network-object host 10.1.4.217
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.14
network-object host 10.2.1.91
object-group network DM_INLINE_NETWORK_4
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
object-group service DM_INLINE_TCP_2 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_5
network-object host 10.2.1.14
network-object host 10.2.1.39
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.85
network-object host 10.2.1.31
network-object host 10.2.1.32
network-object host 10.2.1.40
network-object host 10.2.1.55
network-object host 10.2.1.35
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_3 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_7
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_9
network-object host 10.2.1.4
network-object host 10.2.1.3
object-group network DM_INLINE_NETWORK_2
network-object host 10.1.1.101
network-object host 10.1.6.1
network-object host 10.1.6.4
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object host 10.1.1.57
object-group network DM_INLINE_NETWORK_10
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_4 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_12
network-object host 10.2.0.11
network-object host 10.2.0.14
object-group service DM_INLINE_TCP_5 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_13
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_14
network-object host 8.8.4.4
network-object host 8.8.8.8
network-object host 10.1.1.1
object-group network DM_INLINE_NETWORK_15
network-object host 10.2.1.39
network-object host 10.2.1.57
object-group network DM_INLINE_NETWORK_16
network-object host 10.2.1.14
network-object host 10.2.1.6
access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
access-list outside_access_in extended permit tcp host *** host 10.2.1.85 eq ***
access-list outside_access_in extended permit tcp host *** host 10.2.1.6 eq ***
access-list Common_access_in extended permit icmp any any
access-list Common_access_in extended permit ip host 10.2.1.76 host ***
access-list Common_access_in extended permit ip host 10.2.1.6 any log disable inactive
access-list Common_access_in extended permit tcp host 10.2.1.6 host *** eq ***
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_1 6 host 10.2.5.5
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
access-list Common_access_in extended permit udp object-group DM_INLINE_NETWORK_7 any eq ntp log disable
access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
access-list Common_access_in extended permit tcp object-group DM_INLINE_NETWORK_15 host 10.1.1.1 object-group DM_INLINE_TCP_3
access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 log disable
access-list HOLOGR_access_in extended permit icmp any any log disable
access-list HOLOGR_access_in extended permit tcp host 10.1.1.1 host 10.2.5.5 object-group DM_INLINE_TCP_4
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
access-list HOLOGR_access_in extended permit ip host 10.1.4.214 object-group DM_INLINE_NETWORK_12
access-list Ruhlamat_access_in extended permit ip host 10.2.3.3 object-group DM_INLINE_NETWORK_10
access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
access-list test extended permit tcp any host 10.2.5.1 eq telnet
access-list test extended permit tcp any host 10.2.5.1 eq https
access-list test extended permit tcp host 10.2.5.1 any eq https
access-list test extended permit tcp host 10.2.5.1 any eq telnet
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered critical
logging trap warnings
logging asdm informational
logging from-address ***
logging recipient-address *** level critical
logging host Common 10.2.1.2
logging flash-bufferwrap
logging flash-maximum-allocation 8192
logging permit-hostdown
no logging message 106014
no logging message 313005
no logging message 313001
no logging message 106023
no logging message 305006
no logging message 733101
no logging message 733100
no logging message 304001
logging message 313001 level critical
logging message 106023 level errors
mtu DMZ 1500
mtu inside 1500
mtu Devices 1500
mtu Common 1500
mtu Design 1500
mtu Ruhlamat 1500
mtu HOLOGR 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DMZ
icmp permit any Common
icmp permit any HOLOGR
icmp permit any outside
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
object network WWW
nat (Common,outside) static interface service tcp *** ***
object network MAIL
nat (DMZ,outside) static interface service tcp smtp smtp
nat (DMZ,outside) after-auto source dynamic any interface
nat (Common,outside) after-auto source dynamic any interface
nat (Devices,outside) after-auto source dynamic any interface
access-group Common_access_in in interface Common
access-group Design_access_in in interface Design
access-group Ruhlamat_access_in in interface Ruhlamat
access-group HOLOGR_access_in in interface HOLOGR
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 10.2.1.6 255.255.255.255 Common
snmp-server host Common 10.2.1.6 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp DMZ
sysopt noproxyarp inside
sysopt noproxyarp Devices
sysopt noproxyarp Common
sysopt noproxyarp Design
sysopt noproxyarp Ruhlamat
sysopt noproxyarp HOLOGR
sysopt noproxyarp outside
sysopt noproxyarp management
service resetoutside
telnet 10.2.1.0 255.255.255.0 Common
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Common
dhcprelay setroute Common
threat-detection basic-threat
threat-detection scanning-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.1.4 source Common prefer
webvpn
smtp-server 10.2.5.5
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ad02ecbd84a727e4a26699915feca3a5
: end

Hi Philip,
I don't see any features configured that would affect the throughput of the data transfer. Do you see any CRC errors or overruns increasing on the interfaces during the transfer? If not, I would suggest setting up captures on the ingress and egress interfaces of the ASA so you can understand exactly why the connection is slowing down and see if the ASA is inducing the delay:
https://supportforums.cisco.com/docs/DOC-1222
-Mike

ASA 5520 upgrade from 8.4.6 to 9.1.2

Dear All,
I am having ASA 5520 in Active Standby failover configuration . I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on cisco site .
Below is the process :
Upgrade an Active/Standby Failover Configuration
Complete these steps in order to upgrade two units in an       Active/Standby failover configuration:
Download the new software to both units, and specify the new image to           load with the boot system command.
Refer to           Upgrade           a Software Image and ASDM Image using CLI for more           information.
Reload the standby unit to boot the new image by entering the           failover           reload-standby command on the active unit as shown           below:
active#failover reload-standby
When the standby unit has finished reloading and is in the Standby           Ready state, force the active unit to fail over to the standby unit by entering           the no           failover active command on the active unit.
active#no failover active
Note: Use the show             failover command in order to verify that the standby unit             is in the Standby Ready state.
Reload the former active unit (now the new standby unit) by entering           the reload command:
newstandby#reload
When the new standby unit has finished reloading and is in the           Standby Ready state, return the original active unit to active status by           entering the failover           active command:
newstandby#failover active
This completes the process of upgrading an Active/Standby Failover       pair.
Also after upgrade are there any changes required after IOS migration ( i.e are there any changes in the command line of 8.4.6 and 9.1.2 )
It is mentioned on cisco site that
Major Release
—You can upgrade from the last minor           release of the previous version to the next major release. For example, you can           upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x           release.

Hi Tushar,
The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions, it's just that in access-rule from 9.1 you have to any4 instead of any for ipv4 and any6 for ipv6. During conversion it will get convert automatically.
Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
- Prateek Verma

ASA 5520 k8 model

Similar Messages

Maybe you are looking for