ASA 5525 IPS

I have an ASA 5525 and the license with IPS, but I don't know how to use the IPS. Can anyone tell me?

thank you very much
I re-imaged the IPS and ran "show module" and "session ips":
ciscoasa# show module
Mod Card Type                                    Model              Serial No.
  0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525            FCH1623704D
ips ASA 5525-X IPS Security Services Processor   ASA5525-IPS        FCH1623704D
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
  0 a493.4caa.50b3 to a493.4caa.50bc  1.0          2.1(9)8      8.6(1)
ips a493.4caa.50b1 to a493.4caa.50b1  N/A          N/A          7.1(4)E4
Mod SSM Application Name           Status           SSM Application Version
ips IPS                            Up               7.1(4)E4
Mod Status             Data Plane Status     Compatibility
  0 Up Sys             Not Applicable
ips Up                 Up
Mod License Name   License Status  Time Remaining
ips IPS Module     Enabled         perpetual
When logging in to the IPS, it displays:
***LICENSE NOTICE***
There is no license key installed on this IPS platform.
The system will continue to operate with the currently installed
signature set.  A valid license must be obtained in order to apply
signature updates.  Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
Why no license!!

Similar Messages

  • Renaming ASA 5525 IPS

    I have a cluster of 2xASA 5525s with software IPS modules. I would like to rename the hostname of each of the IPS modules. This is easy enough but I was wondering how this affects the reporting data in IME. I know the IPS name is used as a PK field in IME so you can't edit it. I'm worried if I delete the devices from IME and re-add them with their new hostnames that the historic data will be lost for the sensors. Is there any way around this? Will IME automatically pick up the new hostname from the IPS, meaning I won't have to re-add them?


  • ASA 5525-IPS CPU Temp

    Hi all,
    I'm trying to find the recommended working values of the CPU temp. However, I've only located the environmental (ambient) values in the datasheet.
    ASA# sh env
    Cooling Fans:
       Chassis Fans:
       Cooling Fan 1: 6144 RPM - OK
       Cooling Fan 2: 5888 RPM - OK
       Cooling Fan 3: 5888 RPM - OK
    Temperature:
       Processors:
       Processor 1: 64.0 C - OK
       Chassis:
       Ambient 1: 37.0 C - OK  (Chassis Back Temperature)
       Ambient 2: 33.0 C - OK  (Chassis Front Temperature)
       Ambient 3: 36.0 C - OK  (Chassis Back Left Temperature)
    Does anybody know where I can find it? I need to check the values via SNMP and I don't know how to set the values for Normal, Warning and Critical.
    Thanks in advance.

    Hi,
    Here is the info:
    Chassis              Temp
    Critical             55 degrees C
    Non-Recoverable      60 degrees C
    Processors           Temp
    Critical             70 degrees C
    Non-Recoverable      90 degrees C
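To put the thresholds from that answer to work on the same data, here is an added Python example (not from the thread) that parses the 'sh env' output quoted in the question and rates each temperature sensor as normal, warning, critical or non-recoverable. The critical and non-recoverable values are the ones quoted in the answer; the 10 C warning margin below critical is an assumption of this example, and the sample text is the question's output copied in as a constructed input.

```python
import re

# Thresholds quoted in the answer above (degrees C).
THRESHOLDS = {
    "chassis": {"critical": 55.0, "non_recoverable": 60.0},
    "processors": {"critical": 70.0, "non_recoverable": 90.0},
}
# Assumption for this example: flag "warning" this far below the critical value.
WARNING_MARGIN_C = 10.0

# Constructed sample: the 'sh env' output from the question, verbatim.
SAMPLE_SH_ENV = """\
Cooling Fans:
   Chassis Fans:
   Cooling Fan 1: 6144 RPM - OK
   Cooling Fan 2: 5888 RPM - OK
   Cooling Fan 3: 5888 RPM - OK
Temperature:
   Processors:
   Processor 1: 64.0 C - OK
   Chassis:
   Ambient 1: 37.0 C - OK  (Chassis Back Temperature)
   Ambient 2: 33.0 C - OK  (Chassis Front Temperature)
   Ambient 3: 36.0 C - OK  (Chassis Back Left Temperature)
"""

# "<name>: <temp> C - <status>  (<description>)"
TEMP_LINE = re.compile(
    r"^\s*(?P<name>[\w ]+?):\s+(?P<temp>\d+(?:\.\d+)?)\s+C\s+-\s+(?P<status>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
)

def classify(group, temp_c):
    """Rate one reading against the chassis or processor thresholds."""
    t = THRESHOLDS[group]
    if temp_c >= t["non_recoverable"]:
        return "non-recoverable"
    if temp_c >= t["critical"]:
        return "critical"
    if temp_c >= t["critical"] - WARNING_MARGIN_C:
        return "warning"
    return "normal"

def parse_sh_env(text):
    """Return one dict per temperature sensor found in 'show environment' output."""
    readings, in_temperature, group = [], False, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line.startswith(" "):          # top-level section, e.g. "Temperature:"
            in_temperature = stripped == "Temperature:"
            group = None
            continue
        if not in_temperature:
            continue                          # skip fan readings
        if stripped in ("Processors:", "Chassis:"):
            group = stripped[:-1].lower()     # sub-section selects the threshold set
            continue
        m = TEMP_LINE.match(line)
        if m and group:
            temp = float(m.group("temp"))
            readings.append({"group": group, "name": m.group("name").strip(),
                             "desc": m.group("desc") or "", "temp_c": temp,
                             "asa_status": m.group("status"),
                             "level": classify(group, temp)})
    return readings
```

Note that the ASA itself still reports "OK" for the 64.0 C processor reading; the warning level comes only from the margin assumed here.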

  • P2P blocking on ASA 5525 with Software Version 8.6(1)2

    Hello,
    We have Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all the traffic from inside to outside.
    Now we want to block P2P sharing Bit torrent to internet sites. Please help me with the configuration.
    We have DMZ setup & also inline IPS module.
    Thanks in advance.
    Regards,
    Sandeshc Chavan.

    Hi Chavan,
    You can try to block this by port.
    The well known TCP ports for BitTorrent traffic are 6881-6889 (and 6969 for the tracker port).
    The config is
    access-list BLOCK-P2P-TRAFFIC deny tcp any any range 6881 6889 log
    access-list BLOCK-P2P-TRAFFIC permit ip any any
    ! the permit is needed because an access-list ends with an implicit deny
    and apply it to the desired interface with the "access-group" command.
    For example:
    access-group BLOCK-P2P-TRAFFIC out interface DMZ
    However, blocking BitTorrent is challenging, and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can be run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
    Also you can execute from the cmd on Windows the command netstat -a and check the port BitTorrent is using.
    Hope this helps.

  • How to Enable logging of the ASA 5525?

    I need help to enable logging on the ASA 5525 for all new rules created today from the firewall module, rules changed, rules deleted and disabled rules.
    I could not find the ID for new firewall rules at the history level.
    0 or emergencies—System is unusable.
    1 or alerts—Immediate action needed.
    2 or critical—Critical conditions.
    3 or errors—Error conditions.
    4 or warnings—Warning conditions.
    5 or notifications—Normal but significant conditions.
    6 or informational—Informational messages.
    7 or debugging—Debugging messages.
    Thank you.

    You cannot log only those changes but you can log *all* changes.
    The messages 111008 and 111010 are the ones to look for (as described in this post).
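As an added example (not part of the thread), this Python snippet picks the 111008/111010 audit messages named in the answer out of a syslog feed and classifies access-list changes as created/changed, disabled or deleted, which is the closest the ASA log gets to the "new, changed, deleted, disabled" rules asked about. The message formats follow Cisco's documented syslog text for those IDs; the log lines themselves are constructed samples.

```python
import re

# Documented message formats for ASA syslog IDs 111008 and 111010 (both level 5,
# "notifications"). 111010 is the richer one: it names the source IP and tool.
RE_111008 = re.compile(
    r"%ASA-5-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.?$")
RE_111010 = re.compile(
    r"%ASA-5-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' "
    r"from IP (?P<src>\S+), executed '(?P<cmd>.*)'$")

# Constructed sample log lines (not from the thread).
SAMPLE_LOGS = """\
Jan 10 2014 09:12:01 fw01 : %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
Jan 10 2014 09:12:20 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.1.5, executed 'access-list OUTSIDE_IN line 3 extended permit tcp any host 10.10.10.5 eq 443'
Jan 10 2014 09:13:02 fw01 : %ASA-5-111010: User 'admin', running 'ASDM' from IP 10.1.1.5, executed 'access-list OUTSIDE_IN line 4 extended deny ip any any log inactive'
Jan 10 2014 09:14:45 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.1.5, executed 'no access-list OUTSIDE_IN extended permit tcp any host 10.10.10.7 eq 22'
Jan 10 2014 09:15:10 fw01 : %ASA-5-111008: User 'enable_15' executed the 'write memory' command.
Jan 10 2014 09:16:00 fw01 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51000 (198.51.100.7/51000) to dmz:10.10.10.5/443 (10.10.10.5/443)
"""

def classify_rule_change(cmd):
    """Map an executed config command to the kind of rule change, or None."""
    c = cmd.strip()
    if c.startswith("no access-list "):
        return "deleted"
    if c.startswith("access-list "):
        # The ASA does not log "new" vs "edited"; an ACE ending in 'inactive' is disabled.
        return "disabled" if c.split()[-1] == "inactive" else "created_or_changed"
    if c.startswith("access-group ") or c.startswith("no access-group "):
        return "acl_binding_changed"
    return None

def extract_rule_changes(log_text):
    """Return one event per audited command that touches access-lists."""
    events = []
    for line in log_text.splitlines():
        m = RE_111010.search(line) or RE_111008.search(line)
        if not m:
            continue                  # not a command-audit message
        d = m.groupdict()
        kind = classify_rule_change(d["cmd"])
        if kind is None:
            continue                  # e.g. 'configure terminal', 'write memory'
        events.append({
            "user": d["user"],
            "app": d.get("app", "CLI"),            # 111008 carries no app/source
            "source": d.get("src", "console/unknown"),
            "kind": kind,
            "cmd": d["cmd"],
        })
    return events
```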

  • ASA 5525, v9.1.2 - IPAA: Error freeing address ip-address, not found

    Hello everybody!
    The following problem:
    VPN dial-in on the ASA.
    There are different VPN group policies, each with its own DHCP pool.
    Authentication is performed by the AAA AD.
    Everything works properly.
    However, 3 users of one VPN group cannot dial in. On the firewall this error then always appears in the log:
    IPAA: Error freeing address 172.24.16.41, not found
    That address is nowhere else on the firewall, but was once assigned to a user. That network object is deleted now.
    The DHCP pool for this VPN group goes from .33 to .63.
    I do not understand why the ASA always wants to take the .41, even if no one else is logged in via VPN.
    No matter which one of the 3 users I take, the ASA always wants to assign the .41.
    For all the other users, which have no problem, it takes a different IP from the pool.
    I recreated the pool, created another pool and assigned that pool, and I rebooted the ASA. No luck.
    Also did a "clear arp".
    No improvement.
    Ideas?
    As I said, all other VPN groups and users have no problems.
    ASA 5525, v9.1.2
    Thank You!

    Problem solved.
    The user is only allowed to be in one of the VPN groups in Active Directory.
    Those 2 problem users were in two VPN groups.
    So, problem fixed.

  • Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))

    Hello
    I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
    Setup:
    We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR:  A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
    Configuration in regards to certificate:
    crypto key generate rsa label vpn.company.dk modulus 2048
    crypto ca trustpoint vpn.trustpoint
    keypair vpn.company.dk
    fqdn none
    subject-name CN=*.company.dk,C=DK
    !id-usage ssl-ipsec
    enrollment terminal
    crl configure
    crypto ca authenticate vpn.trustpoint
    ! <import intermediate certificate>
    crypto ca enroll vpn.trustpoint
    ! <send CSR to CA>
    crypto ca import vpn.trustpoint certificate
    ! <import SSL cert received back from CA>
    ssl trust-point vpn.trustpoint outside
    Problem:
    When I try to import the certificate I receive the following error:
    crypto ca import vpn.trustpoint certificate
    WARNING: The certificate enrollment is configured with an fqdn
    that differs from the system fqdn. If this certificate will be
    used for VPN authentication this may cause connection problems.
    Would you like to continue with this enrollment? [yes/no]: yes
    % The fully-qualified domain name will not be included in the certificate
    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    <certificate>
    -----END CERTIFICATE-----
    quit
    ERROR: Failed to parse or verify imported certificate
    Question:
    - Does any one of you have any pointers in regards to what is going wrong?
    - Especially in regards to fqdn and CN, I also have a question. My config
    fqdn none
    subject-name CN=*.company.dk,C=DK
    would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
    So do you have insight or pointers which might help me?
    Thank you in advance

    I also have a wildcard cert for my SSL VPN ASAs.
    When I import the cert I use ASDM instead of the CLI...
    I import the wildcard as a *.pfx file and type in the password. Works fine...
    Perhaps the format is incorrect?
    Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
    Not sure if this helps but give ASDM a try?

  • Custom IPS sigs on NGFW (ASA-CX) IPS solution?

    Hi folks,
    I am trying to determine if it is possible to create custom IPS sigs on the ASA-CX module?  Not the ASA + Legacy IPS combo, but the ASA + ASA-CX (Application Detection, Web Filtering, IPS) combo.
    I couldn't find anything in the docs that said this was possible.
    Thanks!
    Neil

    Thank you for your response.  However my question was targeted towards Intrusion Prevention signatures such as the ones found on the traditional IPS units.  I would want the ability to use the various IPS engines such as Atomic IP, HTTP, etc and create sigs that match on things inside the packet, URL string, etc.
    Thanks!

  • ASA 5525 firewall Trace Route.

    Hi,
    We have an ASA 5525 firewall and whenever I perform a traceroute passing through the firewall, I am not getting any hop after the firewall (the firewall IP is also not showing in the trace route).
    I had allowed ICMP and also configured ICMP in the policy-map global_policy.
    Please help me to resolve this issue.
    Regards,
    Dheeraj

    Hi Dheeraj,
    The firewall blocks traceroute as it doesn't decrement the TTL value by default. You would need the following to enable it:
    Make the Firewall Show Up in a Traceroute in ASA/PIX
    ciscoasa(config)#class-map class-default
    ciscoasa(config)#match any
    !--- This class-map exists by default.
    ciscoasa(config)#policy-map global_policy
    !--- This Policy-map exists by default.
    ciscoasa(config-pmap)#class class-default
    !--- Add another class-map to this policy.
    ciscoasa(config-pmap-c)#set connection decrement-ttl
    !--- Decrement the IP TTL field for packets traversing the firewall.
    !--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
    ciscoasa(config-pmap-c)#exit
    ciscoasa(config-pmap)#exit
    ciscoasa(config)#service-policy global_policy global
    !--- This service-policy exists by default.
    WARNING: Policy map global_policy is already configured as a service policy
    ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
    !--- Adjust ICMP unreachable replies:
    !--- The default is rate-limit 1 burst-size 1.
    !--- The default will result in timeouts for the ASA hop.
    Cheers,
    Naveen

  • DNS Resolution in Cisco ASA 5525

    Hey all,
    I will begin by telling you what my end goal is: I am trying to block specific websites on our Cisco ASA 5525 using FQDN. I know that this functionality for DNS resolution was not implemented until a specific version.
    Current Version: Cisco ASA 5525
    ASA Version: 8.6(1)
    I can ping external addresses from the ASA; however, I cannot ping hostnames, e.g. "ping google.ca" does not work.
    What I've done.
    dns domain-lookup inside
    dns domain-lookup outside
    name-server x.x.x.x (Primary internal dns server)
    name-server x.x.x.x (Secondary internal dns server)
    name-server 8.8.8.8 (Google external dns server)
    name-server 8.8.4.4 (Google external dns server)
    domain-name example.com
    With this config I can, however, ping hostnames of internal servers.
    This is an example of me pinging an external hostname.
    ciscoasa# ping google.ca
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:803::101f, timeout is 2 seconds:
    No route to host 2607:f8b0:4009:803::101f
    Success rate is 0 percent (0/1)
    Any ideas?
    Thanks!

    officeasa# ping www.google.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:802::1012, timeout is 2 seconds:
    No route to host 2607:f8b0:4009:802::1012
    Success rate is 0 percent (0/1)
    John, due to the sensitive nature displayed within show route output, is there any other information I can tell you, what exactly did you need to see from this information?
    (I know without certain information you cannot help but I need to ensure security on my end)
    Thanks for understanding.

  • HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

    Hi all!
    we have a couple of Cisco ASA 5520s running 8.4(3) software, and we want to improve throughput by replacing them with a couple of Cisco ASA 5525-Xs. Since the software is theoretically compatible, we are not going to upgrade it right now.
    We don't want to stop service, so we are thinking about switching off the backup 5520 firewall, replacing it with a 5525-X and moving service to that one while we change the other 5520 FW. So the question is, has someone tried to make an active/passive cluster with both technologies, Cisco ASA and Cisco ASA-X firewalls? We were told that it should be theoretically compatible, but we'd like to know if someone has tried it before.
    Best regards for all,

    You cannot make a 5520 establish failover with the mate being a 5525-X.
    1. The configuration guide (here) states:
    The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
    2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above.

  • How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?

    Hello there!
    I've been designing a solution to protect the server farm and I intend to use the ASA 5500 series with the AIP-SSM module. Is there any tool to determine the real throughput that I need? I mean, how do I determine the performance (firewall + IPS throughput), and what main points should I consider?

    If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
    Do not average your traffic over too great a time period, or you will miss busy-hour peaks. At most, use 5 min averages.
    - Bob

  • NAT issue on ASA 5525 8.6(1)

    Hello Experts,
    We have recently installed new 5525 8.6(1) ASAs. Our setup is as follows: we are using a public IP for the web server, which needs to be mapped/NATted to the internet VIP address, and that VIP is configured on the F5 LB. The setup is below; this public IP is the webserver IP. The firewall gets hits, but the web server page is not being displayed. In the logs the FW built the TCP connection but then tears down the session, syslog ID (302014) 77 TCP Reset-I
                              |INTERNET|
                                     |
                                     |
                             195.201.55.X
                                [ ASA ]
                              Natting to
                             10.100.100.151
                                  [ F5 ]
                                    |
    Real Servers---> .150   .151
    NAT Config is;
    nat (DMZ1,OUTSIDE) source static 10.100.100.151  195.201.55.X
    Your help will be appreciated if you can provide the right nat config;
    Regards

    Hi Jouni,
    The packet tracer looks good, all green tick boxes. I need to install Wireshark on the servers to make sure they are getting the request from the firewall.
    The funny thing is, on the firewall if I change the NAT, say, from the public IP translating to the real IP of the servers, then it works perfectly. But as soon as I change the NAT rule, i.e. public IP translating to the VIP address, then it doesn't bring up the webpage, though I can ping the VIP address from the firewall, and the VIP address is in the same subnet as the FW and F5 boxes with a /24 mask! e.g. FW int IP is 10.100.100.1 and F5 connecting to FW is 10.100.100.3 and the VIP is
    10.100.100.151/24.
    Akshy,
    On the FW I did the TCP ping, but it doesn't work. Like I said, I will install Wireshark on the server and then will see if it works.
    Many thanks guys for your quick response and help. I will let you know the result.
    Regards

  • ASA 5525-X code 8.6.1 downgrade

    Can I downgrade the firewall code to 8.0, it's running 8.6.1 right now.

    Hi,
    Unfortunately, the new ASA 5500-X series only supports the newer software levels, from 8.6(1) onwards. To my understanding it shouldn't be possible to downgrade the ASA any lower than that software level.
    Here is a quote from a Cisco document:
    Software
    Q. What software is supported on the Cisco ASA 5500-X Series Next-Generation Firewalls?
    A. The Cisco ASA 5500-X Series supports Cisco ASA Software Release 8.6.1 and later. CWS requires ASA Software Release 9.0.1 or later. The IPS service on the ASA 5500-X Series requires Cisco IPS Sensor Software Release 7.1.4 or later. AVC and WSE require ASA CX Software Release 9.1.1 (Cisco ASA Software Release must be 9.1.1).
    Source:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.html
    - Jouni

  • Asa and ips with ha

    Hi,
    If I use 2 ASA 5510s with HA in A/A or A/P mode:
    Is it possible in A/A mode to use one IPS module, apart from the security problem?
    Or is it preferable to use the ASAs as A/P?
    Regards

    I think it is possible to have two ASA with HA in mode A/A to use IPS module. The ASA can also be used in mode A/P which is preferable as it has cost advantage.
