ASA 5585-X CX20 Prime Security Manager

Hi Everyone
I'm trying to add our two 5585-X + CX20 units to Cisco Prime Security Manager. The ASAs seem to add correctly but the CX20s appear "undefined" for software version and model. Clicking on "Device Configuration" I get the error "Message From Server: SyntaxError: Unexpected token <"
I've tried removing and re-adding the devices but the same thing happens. Any ideas?
Thanks
James

Two contexts are included with the base licensing on the 5585-X. Up to 250 can be licensed.
The SKU (Stock Keeping Unit = part number) for 10 licenses would be ASA-5500-SC10.
FYI, here are all the SKUs for 5585 context licenses:

Similar Messages

  • Security Manager traceroute ASA 5520

    How can I use Security Manager (3.2) to configure a ASA 5520 to show up in a traceroute, have found a doc on how to do this from the cmd line but would prefer to keep everything in CSM.
    Mike

    There used to be a similar bug in IDM.
    The sensor itself does not declare an interface as promiscuous.
    So CSM has to interpret the configuration to determine if the interface is promiscuous.
    On an Appliance an Interface is InLine only if it is configured as part of an InLine Interface Pair, or has InLine Vlan Pairs assigned.
    So CSM makes the assumption that if it is not part of an InLine Interface Pair and does not have InLine Vlan Pairs created, but is active and being monitored by a virtual sensor then it must be Promiscuous.
    And the above is True for Appliances.
    What the CSM developers may not have realized is that this is NOT true for Modules.
    For most modules like the AIP-SSMs, the sensor is configured to monitor the interface, but there is nothing in the module configuration itself that tells you whether it is inline or promiscuous.
    That knowledge is only within the configuration of the ASA chassis itself.
    CSM is simply incorrectly using the rules for Appliances against the SSMs.
    This was corrected in IDM by always just marking the SSM port as "monitored" if I remember right and not trying to specify whether it is promiscuous or inline.
    CSM would likely have to make the same change, and then just tell the user they need to check the ASA configuration to determine whether or not the ASA is configured to send packets to the SSM promiscuously or inline.
    Marco

  • How many default virtual context counts with ASA 5585 Series

    Hi All:
    I am preparing to replace an FWSM with an ASA 5585 Series, but I am confused about the default virtual context count on the ASA 5585.
    I used 3 virtual contexts on my old FWSM (1 admin context with 2 contexts). According to the ASA configuration guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1188797
    It states the ASA 5585 has 2 contexts by default. Does it mean the ASA 5585 has just 2 contexts, or 1 admin context plus "2" contexts (3 contexts available)?
    Thanks for your reply.

    Hi,
    To my understanding the ASA with the most default license lets you use 2 Security Contexts for your own purposes. The admin context will always be there on the ASA when running in multiple context mode. It's created when you change your ASA from its default mode (single) to "mode multiple".
    In my original post the latter part was just to mention that, to my understanding, if you use 2 ASAs (almost any model) in failover with software 8.3 and above, the ASA will combine their licenses regarding some values. For example, connecting 2 ASAs in failover which have a limit of 2 Security Contexts, they will get combined and the failover pair will have a 4 Security Context limit.
    At least that is what I see with the "show version" command, and this is also what we have been told by a Cisco employee. I've also been told that if I, for example (running 8.3+ OS), buy a 5 Security Context license for the other unit, it will combine the one unit's base license (2 SC) with the other unit's new license (5 SC), resulting in a combined Security Context limit of 7.
    This is what Cisco documentation mentions about Active/Standby and Active/Active Failover Licensing at version 8.3 and above:
    Or you have two ASA 5540 adaptive security appliances, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, for example, one unit can use 18 contexts and the other unit can use 12 contexts, for a total of 30; the combined usage cannot exceed the failover cluster license.
    I have had 2 ASA5585-X ASAs combined in A/A failover running 8.4(2), and they have at least shown that they have the combined Security Context limit of 4 Security Contexts.
    Here's a partial output of the "show version" command on the ASAs in question when they were just out of the box, combined in failover, with no other configuration than running in multiple context mode and management configuration in the admin context.

        Licensed features for this platform:
        Maximum Physical Interfaces       : Unlimited      perpetual
        Maximum VLANs                     : 1024           perpetual
        Inside Hosts                      : Unlimited      perpetual
        Failover                          : Active/Active  perpetual
        VPN-DES                           : Enabled        perpetual
        VPN-3DES-AES                      : Enabled        perpetual
        Security Contexts                 : 2              perpetual
        GTP/GPRS                          : Disabled       perpetual
        AnyConnect Premium Peers          : 2              perpetual
        AnyConnect Essentials             : Disabled       perpetual
        Other VPN Peers                   : 10000          perpetual
        Total VPN Peers                   : 10000          perpetual
        Shared License                    : Disabled       perpetual
        AnyConnect for Mobile             : Disabled       perpetual
        AnyConnect for Cisco VPN Phone    : Disabled       perpetual
        Advanced Endpoint Assessment      : Disabled       perpetual
        UC Phone Proxy Sessions           : 2              perpetual
        Total UC Proxy Sessions           : 2              perpetual
        Botnet Traffic Filter             : Disabled       perpetual
        Intercompany Media Engine         : Disabled       perpetual
        10GE I/O                          : Disabled       perpetual

        Failover cluster licensed features for this platform:
        Maximum Physical Interfaces       : Unlimited      perpetual
        Maximum VLANs                     : 1024           perpetual
        Inside Hosts                      : Unlimited      perpetual
        Failover                          : Active/Active  perpetual
        VPN-DES                           : Enabled        perpetual
        VPN-3DES-AES                      : Enabled        perpetual
        Security Contexts                 : 4              perpetual
        GTP/GPRS                          : Disabled       perpetual
        AnyConnect Premium Peers          : 4              perpetual
        AnyConnect Essentials             : Disabled       perpetual
        Other VPN Peers                   : 10000          perpetual
        Total VPN Peers                   : 10000          perpetual
        Shared License                    : Disabled       perpetual
        AnyConnect for Mobile             : Disabled       perpetual
        AnyConnect for Cisco VPN Phone    : Disabled       perpetual
        Advanced Endpoint Assessment      : Disabled       perpetual
        UC Phone Proxy Sessions           : 4              perpetual
        Total UC Proxy Sessions           : 4              perpetual
        Botnet Traffic Filter             : Disabled       perpetual
        Intercompany Media Engine         : Disabled       perpetual
        10GE I/O                          : Disabled       perpetual

    Though I still suggest confirming all these things with the people/company that you're acquiring the ASA(s) from so you get what you're asking for. Or someone from Cisco could confirm this on these forums.
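    The "show version" licence table quoted above is something an operator typically wants to check in bulk across a failover pair (for example to confirm that the cluster limit really is larger than the per-unit limit before relying on it). The following Python parser is an added example, not code from the thread or from Cisco; it runs on a constructed, shortened sample modelled on the quoted output, and the section titles and feature names it keys on are taken from that output.

```python
import re

# Constructed sample, modelled on the "show version" excerpt quoted in the post
# above (shortened; not a capture from the poster's devices).
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 1024           perpetual
Failover                          : Active/Active  perpetual
Security Contexts                 : 2              perpetual
AnyConnect Premium Peers          : 2              perpetual
UC Phone Proxy Sessions           : 2              perpetual
10GE I/O                          : Disabled       perpetual

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 1024           perpetual
Failover                          : Active/Active  perpetual
Security Contexts                 : 4              perpetual
AnyConnect Premium Peers          : 4              perpetual
UC Phone Proxy Sessions           : 4              perpetual
10GE I/O                          : Disabled       perpetual
"""

SECTION_SUFFIX = "licensed features for this platform:"
# One table row: "<feature name>   : <value>   <term>"
FEATURE_RE = re.compile(r"^(?P<feature>[^:]+?)\s*:\s*(?P<value>\S+)\s+(?P<term>\S+)\s*$")


def parse_licensed_features(text):
    """Parse the licence table(s) of 'show version' into
    {section_title: {feature: (value, term)}}. Numeric values become ints."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().endswith(SECTION_SUFFIX):
            current = line[:-1]  # drop the trailing colon
            sections[current] = {}
            continue
        m = FEATURE_RE.match(line)
        if m and current is not None:
            value = m.group("value")
            if value.isdigit():
                value = int(value)
            sections[current][m.group("feature")] = (value, m.group("term"))
    return sections


def compare_unit_and_cluster(text, features=("Security Contexts", "AnyConnect Premium Peers")):
    """For each feature, return the per-unit limit, the failover-cluster limit and
    whether the cluster limit is larger (i.e. the two licences were combined)."""
    sections = parse_licensed_features(text)
    unit = sections.get("Licensed features for this platform", {})
    cluster = sections.get("Failover cluster licensed features for this platform", {})
    result = {}
    for name in features:
        u = unit.get(name, (None, None))[0]
        c = cluster.get(name, (None, None))[0]
        combined = isinstance(u, int) and isinstance(c, int) and c > u
        result[name] = {"unit": u, "cluster": c, "combined": combined}
    return result


if __name__ == "__main__":
    for feature, info in compare_unit_and_cluster(SAMPLE_SHOW_VERSION).items():
        print(f"{feature}: unit={info['unit']} cluster={info['cluster']} combined={info['combined']}")
```

    Feed it the text of "show version" captured from each unit; features whose value is not a number (Unlimited, Enabled, Disabled) are kept as strings and never reported as combined.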

  • Which routing protocols are supported on ASA 5585

    Hi,
    I am curious to know which routing protocol is well supported on the Cisco ASA 5585. Has someone on the forum implemented routing on an ASA?
    I have an ASA 5585 in multiple context mode; as of now 4 contexts have been created. The upstream device is a Nexus.
    I have an ASA with Software Version 8.4(4)1 and Device Manager Version 6.4(9).
    If someone can point me to a good implemented example of a routing protocol in their environment (like OSPF, BGP), that would be great.
    Thanks

    You're welcome.
    Multiple contexts adds another twist - in ASA 8.4 dynamic routing protocols are not supported at all for multiple contexts. Reference.
    ASA 9.0 added support for dynamic routing protocols in multiple context modes, including OSPF v2 (but not v3 for IPv6). Reference.
    FYI ASA 9.1(2) is current as of this writing and is the recommended release in the 9.x train. (Mentioned near the end of the latest TAC Security podcast - episode #37 here.)

  • Cisco asa 5585 syslog options for ips?

    We have a Cisco ASA 5585 with a separate module for IPS. I want to know what the options for configuring syslog are. It's nearly impossible to find, and there are some forums on the internet which say that Cisco IPS stores logs in a native/proprietary format and they cannot be exported.
    Please elaborate
    Thanks.

    Some sensor-related events generate syslog messages. Those will be forwarded according to the parent ASA syslog settings.
    Detailed IPS events (signature triggers actions etc.) are stored locally and must be retrieved using the SDEE protocol (tcp-based). That requires use of a management system like Cisco Security Manager (CSM), IPS Manager Express (IME) etc. There is a good document here that explains SDEE in more detail.

  • Cisco Security Manager and User-aware firewall rules

    Hello !
    I have a firewall ASA which is managed with CSM and I try to create some user-aware rules. To do this, I need to match CSM with an Active Directory server.
    I added an AAA server group matching my Active Directory server in the Identity Settings menu from Security Manager Administration, and when I click on "Test" I obtain the error message "Unsuccessful Bind prevented to fetch data, please reconfigure AAA server".
    What can I do to solve this problem ?
    Thank you !
    Stephane

    You can contact your local AM to get an evaluation version; this is related to the new 'restricted' download access on CCO. You need to have a service contract associated with that 'specific' product to download software (I know it does not make sense in the case of an evaluation).
    And you also have the following alternative:
    Note:
    This download does not include CiscoWorks Resource Manager Essentials (RME). For customers that wish to also evaluate CiscoWorks RME or that prefer a media format rather than a large download, an evaluation DVD can be ordered from Cisco Marketplace. At http://www.cisco.com/pcgi-bin/marketplace/welcome.pl, navigate to the Collateral and Subscriptions Store and search for part number EVAL-CSMGR-4.0.
    Regards
    Farrukh

  • Import Network host objects to Cisco Security Manager

    Is it possible to import complete lists of Network Hosts objects to Cisco Security Manager?
    Exporting the hosts already defined in the ASAs is easy, but how do I import them into CSM?
    Thanks

    No hostnames discovered go to the Policy Object Manager (nor to the Access rules), only group names (there's a bug in ASAs related to single host names too). The way CSM handles single hosts is by creating them beforehand, so when we later discover devices, the single host names set in the discovered device are not considered, only their IP addresses; then you can see that in the discovered access rules CSM shows the hostname as the previously defined ones in the Policy Object Manager. If you don't define those hostnames before the device discovery, you will only see IP addresses, no hostnames, no matter whether they are set in your firewalls.
    Imagine discovering a couple of FWSM modules with 500 access rules, and you only get to see the IP addresses of the 2,500 hosts on your network. And you have all those hosts already defined in your FWSM firewalls: when you log in via ASDM you view your hand-created rules with hostnames, and when you log in to CSM you only view IP addresses. The clients get very disappointed with CSM after that, and discard it. The bigger the network, the faster they reject CSM.
    The only way to add hosts in the Policy Object Manager is 1 by 1. But as this may have happened to more than one company, and considering how easy it is to code a feature like that, I assume that it's possible to import a complete list of single hosts into CSM.
    Is that really possible? It should be.
    Thanks for the replies so far.

  • Vlan on asa-5585

    Hi,
    Is there any way to create VLANs on a Cisco ASA 5585 in a similar way to how we do it on Cisco switches?
    The ASA in this case is an interface for subsidiary users to connect into this new network.
    We require a few VLANs to be created for some servers on the firewall. The firewall should be the gateway for these servers.
    eg. vlan 100 - 192.168.100.1/24 should be on the ASA firewall.
    How do we achieve this?
    Appreciate all help on this.

    Hi,
    You will have to configure at least one physical interface as a trunk interface if you want to bring the VLAN all the way to the ASA. Essentially the configuration follows the same lines as configuring a Cisco router to act as the gateway for multiple VLANs behind a switch.
    The actual configuration format depends on how you have set up the ASA. Is it Single Context or Multiple Context?
    In Single Context the configuration would be something like this:

        interface GigabitEthernet0/0
         description TRUNK
        interface GigabitEthernet0/0.100
         vlan 100
         nameif LAN
         security-level 100
         ip address 10.10.10.1 255.255.255.0
        interface GigabitEthernet0/0.200
         vlan 200
         nameif DMZ
         security-level 50
         ip address 192.168.10.1 255.255.255.0

    If you are running Multiple Context mode the configuration could be something like this (subinterfaces are defined in the system context and then allocated to the user context):

        interface GigabitEthernet0/0
         description TRUNK
        interface GigabitEthernet0/0.100
         description LAN
         vlan 100
        interface GigabitEthernet0/0.200
         description DMZ
         vlan 200
        context EXAMPLE-CONTEXT
         allocate-interface GigabitEthernet0/0.100
         allocate-interface GigabitEthernet0/0.200
         config-url disk0:/EXAMPLE-CONTEXT.cfg
    Or something along these lines
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni

  • Cisco Security Manager Advice

    Hi,
    I'm looking into Cisco Security Manager. From what I understand you can monitor and manage Cisco security appliances. I'm interested in the monitoring of our Cisco ASAs - specifically, monitoring VPN sessions and their trending over months at a time - and I would like to monitor other Cisco devices on the network for link problems/performance and such. I don't want to use Cisco Security Manager as a management point. Would Cisco Security Manager not be the right tool for this?
    We have SolarWinds and I've heard that you can assign UnDPs (Device Pollers) to devices you want to monitor, including ASAs, and these pollers can give you trending for VPN sessions with graphing. I just want to make the most of our budget dollars.
    Any advice?
    Thanks, Pat.

    CSM 4.3 and above can be used to monitor VPN sessions on Cisco ASAs. You can definitely use CSM as a monitoring only solution for ASAs (without using it for management). You can also explicitly disable policy change privileges for all admins so they do not modify stuff by mistake. Note however that CSM is primarily focused on end-to-end management scenarios (including policy change, troubleshooting, reporting, etc). So you may not find all the bells and whistles in CSM for monitoring scenarios that you may find with some of the pure monitoring only solutions.

  • ASA 5585-X Licensing

    Hi,
    I was hoping to get some assistance from the community on 5585 part numbers/licensing.
    We have recently purchased some 5585-X SSP-20's. The part number ordered was ASA5585-S20C20XK9 "ASA 5585-X Chas w/SSP20,CX SSP20,16GE,4 SFP+,2 AC,3DES/AES". We want to enable the 10GE ports on the SSP-20; do we just purchase an additional license? We are being guided by our reseller to swap the hardware for ASA5585-S20C20XK9 "ASA 5585-X Chas w/SSP20,CX SSP20,16GE,4 SFP+,2 AC,3DES/AES".
    Thanks,
    Colin

    Based on the documentation you need the Security-Plus License to enable 10G for the 5585 with SSP10 or SSP20.

  • ASA 5585-X TACACS+/RADIUS Server

    All,
    Can the ASA 5585-X's act as an AAA TACACS+ and/or RADIUS server for network infrastructure devices?
    I've used Cisco Secure ACS for TACACS and RADIUS AAA.
    My client has ordered a bunch of them. They don't have an AAA solution and were just told they will need to implement AAA on network infrastructure devices.
    Thanks for any information.
    Stephanie

    Adding to Jan's correct answer.
    The current Cisco RADIUS offerings are either the ACS product (RADIUS and TACACS+) or Identity Services Engine (ISE - RADIUS only). Both are offered in both appliance and VM formats.
    Besides NPS on Windows Server, there are also open source projects for both RADIUS and TACACS+ servers available.

  • CSM Cisco Secure Manager - deploy a Blank configuration!

    Hi all,
    I need some help. I've just installed CSM v4.8. It adds a device and its configuration from the network, an ASA 8.3 firewall, correctly.
    I make a change to the local policy and as soon as I deploy to the device it starts doing:
    no xxxx
    no xxxx1
    no xxxx2
    for each line of the current configuration! So it deletes everything!
    I am missing a point here. The user guide says that I have to bind a policy to the device, but I do not know how to do that easy step.
    Thanks in advance for the help.
    Regards
    José

    Security Manager does not currently leverage object groups for ACL objects used in VPNs. An enhancement bug has been filed under CSCsl20196 and is something we are looking to address in the upcoming Security Manager 3.2 release due late 1QCY08.

  • Help for Cisco Security Manager

    Hi All,
    Please help me understand how Cisco Security Manager manages logs from different devices.
    For example, Cisco Security Manager can manage FWSM, ASA and IPS devices.
    Does it store logs from these devices in some central location where CSM is installed, in a database or a file?
    Can I read logs for all those devices, including CSM, from one single point? Please help me.

    Hi Bidyut,
    When CSM services are running, Event Viewer can show the events in real time.
    You are right about backup. When a CSM application backup is running, its services on the server are stopped. So there is a risk of losing logging events that are sent to the CSM server during the backup period. By scheduling the backup outside user-activity hours, the risk of losing important events can be minimized.
    On the other hand, events on IPS devices have to be polled from the device. So, there is no loss of IPS events in case of CSM application backup.
    Thanks & Regards,
    Chetan

  • Cisco ASA 5585-X SSP-20 8.4(2) - TCP Syslog problem

    Hi,
    We have a firewall service environment where logging is handled with UDP at the moment.
    Recently we have noticed that some messages get lost on the way to the server (even though the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP.
    You can imagine my surprise when I enabled "logging host <interface name> <server ip> tcp/1470" on an ASA Security Context and found out that all the connections through that firewall were now being blocked. Granted, I could have checked the command reference for this specific command, but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
    The TCP syslog connection failing was caused by a mismatched TCP port on the server, which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message:
    "%ASA-3-201008: Disallowing new connections."
    Here my questions start:
    - New connections are supposed to be blocked when the TCP syslog server isn't reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
    - I configured "logging permit-hostdown" after I found the command, and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
    - Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
    - After all the above I removed all possible logging configuration from the Security Context. This had absolutely no effect on the situation either.
    - As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
    In the end I was forced to save the configuration to the ASA's flash memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This finally corrected the problem.
    It seems to me this is some sort of bug, since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the "logging permit-hostdown" command didn't help, nor did changing back to UDP.
    It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configuration on.
    It seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost, or the above situation happens and isn't corrected by any of the above measures we took (like the "logging permit-hostdown" command, which is supposed to avoid this situation altogether).
    - Jouni

    Hi,
    I FINALLY had the time to look at this issue, as I was testing something else in our lab too.
    In short, here is what I did:
    - I configured the TCP logging in the same way as in the original post
    - I configured the TCP logging giving the commands in a different order
    - Did some other tests related to the problem
    Device used: ASA 5585-X
    Software: 8.4(2)
    Original device and software: ASA 5585-X running 8.4(1)9
    Here are the above scenarios and what actually happened.
    Original situation
    Before doing any changes the test firewall context in question is working normally and the log sent by UDP/514 is arriving at the syslog server as usual.
    I now change the syslog to TCP by giving the command "logging host tcp/1471" (the actual port being TCP/1470).
    The firewall immediately starts blocking all connections going through it.
    I change the configuration to the correct port TCP/1470, after which the log starts appearing in my real-time view on the syslog server. The firewall context in question is still sending only the message "Disallowing new connections", even though the TCP port on the syslog server is clearly reachable and the connection is active.
    After this I try the suggested "clear local-host all" command. This has no effect on the firewall context. No connections are getting through. No connections/xlates are formed on the firewall. I can only see the firewall doing DNS queries from its outside interface (related to another configuration).
    After this I try to correct the situation the same way as before. I add the "logging permit-hostdown" command, which has no effect on the situation. I remove all logging configuration and it doesn't have any effect on the situation.
    After this I activate UDP logging and can see the logs arriving at the syslog server, but again I can only see the "Disallowing new connections" message.
    In the end I have no other option (to my knowledge) than to delete the Security Context and create it again with the same interfaces and with the configuration saved to the flash memory of the ASA.
    After this the connections work as usual. (UDP logging in the saved configuration.)
    Giving the configuration in a different order
    After I've created the firewall again and all is working, I have another try at configuring the TCP syslog while giving the commands in a different order.
    First I add the "logging permit-hostdown" command.
    Then I add the "logging host tcp/1470" command.
    After this the logs start arriving at the syslog server and connections work as usual. It seems giving "logging permit-hostdown" first, before any other configuration, is the right way to go.
    Removing the "logging permit-hostdown" command
    After I saw that everything was working I tried to remove the "logging permit-hostdown" command and see what happens. Everything worked fine.
    Configuring the wrong TCP port in the "logging host" command
    I decide to try and change the TCP port used to a wrong one and see if anything happens (logging permit-hostdown is active). The firewall works as usual. Naturally no logs can be viewed at the syslog server.
    Configuring TCP syslogging without "logging permit-hostdown" but with the correct port
    Finally I tried to configure TCP syslogging on the ASA with the correct TCP port without issuing the "logging permit-hostdown" command. Everything seemed to work fine after this.
    So in conclusion it seems that IF you don't have the "logging permit-hostdown" command issued before you start configuring "logging host tcp/xxxx", you might run into problems IF you don't have matching settings on the ASA sending the log and the syslog server receiving the log.
    There doesn't seem to be any easy way to correct the situation (with the connections getting blocked) after you have once messed up the configuration. It seems your only option is to reconfigure the Security Context (which is easy), or if this problem exists in the same way on a single ASA you will have to reboot the device, which means longer downtime than reconfiguring a context.
    There would still be a couple of things to test but at the moment I have no more time for this. I will update if there is any new information.
    - Jouni
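    A practical takeaway from the tests above is that a TCP syslog host entered before "logging permit-hostdown" is the risky combination, and that "%ASA-3-201008: Disallowing new connections." is the only symptom you get. The following Python script is an added example, not code from the thread or from Cisco: it lints a context configuration for a TCP "logging host" line that is not preceded by "logging permit-hostdown" (mirroring the command order the poster found safe), and counts 201008 events in syslog so the condition can be alerted on. The configurations, hostnames, addresses and syslog lines are constructed samples; the default ports it assumes (UDP/514 and TCP/1470) are the ASA defaults.

```python
import re

# Constructed sample context configurations (not captured from the poster's ASAs).
RISKY_CONTEXT_CFG = """\
hostname CUSTOMER-A
logging enable
logging timestamp
logging trap informational
logging host management 192.0.2.10 tcp/1470
"""

SAFE_CONTEXT_CFG = """\
hostname CUSTOMER-B
logging enable
logging permit-hostdown
logging trap informational
logging host management 192.0.2.10 tcp/1470
"""

UDP_CONTEXT_CFG = """\
hostname CUSTOMER-C
logging enable
logging host management 192.0.2.10
"""

# Constructed syslog lines showing the symptom from the post (%ASA-3-201008).
SAMPLE_SYSLOG = [
    "Jan 10 2013 10:00:01 CUSTOMER-A : %ASA-3-201008: Disallowing new connections.",
    "Jan 10 2013 10:00:02 CUSTOMER-A : %ASA-3-201008: Disallowing new connections.",
    "Jan 10 2013 10:00:05 CUSTOMER-A : %ASA-6-302013: Built outbound TCP connection 1 "
    "for outside:198.51.100.5/443 (198.51.100.5/443) to inside:10.0.0.5/51000 (203.0.113.2/51000)",
]

# logging host <ifname> <server> [tcp|udp[/port]] ...   (ASA defaults: udp/514, tcp/1470)
LOGGING_HOST_RE = re.compile(
    r"^logging host (?P<ifname>\S+) (?P<server>\S+)"
    r"(?: (?P<proto>tcp|udp)(?:/(?P<port>\d+))?)?",
    re.IGNORECASE,
)
DEFAULT_PORT = {"udp": 514, "tcp": 1470}
DISALLOW_RE = re.compile(r"%ASA-3-201008: Disallowing new connections")


def audit_tcp_syslog(config_text):
    """Lint one context configuration. Returns a finding for every TCP syslog
    server that is not preceded by 'logging permit-hostdown' in the text."""
    findings = []
    permit_hostdown_seen = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.lower() == "logging permit-hostdown":
            permit_hostdown_seen = True
            continue
        m = LOGGING_HOST_RE.match(line)
        if not m:
            continue
        proto = (m.group("proto") or "udp").lower()
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORT[proto]
        if proto == "tcp" and not permit_hostdown_seen:
            findings.append({
                "line": lineno,
                "interface": m.group("ifname"),
                "server": m.group("server"),
                "port": port,
                "issue": "TCP syslog host configured without a preceding 'logging permit-hostdown'",
            })
    return findings


def count_disallow_events(syslog_lines):
    """Count %ASA-3-201008 messages, the only message the poster saw while the
    context was blocking new connections."""
    return sum(1 for line in syslog_lines if DISALLOW_RE.search(line))


if __name__ == "__main__":
    for name, cfg in (("A", RISKY_CONTEXT_CFG), ("B", SAFE_CONTEXT_CFG), ("C", UDP_CONTEXT_CFG)):
        print(name, audit_tcp_syslog(cfg) or "ok")
    print("201008 events:", count_disallow_events(SAMPLE_SYSLOG))
```

    Run audit_tcp_syslog over each context's configuration before a change window; any finding means the context would stop passing new connections if the TCP syslog server (or port) were unreachable. A non-zero count_disallow_events result from the collector is the signal to check that context immediately, since the post shows the condition does not clear itself.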

  • FlexConfigs in Cisco Security Manager 3.2.1 SP1

    Hi,
    I have a problem with Cisco Security Manager 3.2.1 SP1 (fresh install).
    When I create a FlexConfig with any IP AUDIT commands or VPDN (for PPPoE config), every time I deploy the configurations to file the FlexConfig is repeated in the configuration. The behavior is the same for PIX and ASA configurations.
    If I deploy to my devices 20 times, then I'll have the same line 20 times in the configuration!
    Any way to solve that problem in CSM??
    The server is Win 2003 Standard English and there's absolutely nothing else than CSM installed on it...so??

    Hello,
    I'm having the same problem for one of our customers! but flexconfig didn't work!
    Can you please be more specific about what exactly you did? FlexConfig doesn't remove the generated command; it's adding the no crypto ca enroll 'trustpoint name' after the generated crypto ca enroll 'trustpoint name'.
    I've been also looking for related bugs but didn't find any!
    Regards
