ASA 55xx Series configuration

1) Is there any support provided for uploading our own custom login pages to the ASA appliance? e.g. a flash-embedded HTML page
2) Can the ASA appliance be configured to redirect the authentication to a specific URL (custom web server which will do some means of authentication) and if successfully authenticated then webserver will post the credentials back to the appliance. This way it will support multi-factor authentication.

Yes, I think there is some support for uploading our own custom login pages to the ASA appliance, and you can redirect the authentication to a specific URL; for more information please see the following URLs:
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html

Similar Messages

  • Cisco Firewall ASA 5510 series configuration

    Hello folks, I am pursuing a final-year project. I have a Cisco ASA 5510 series firewall, 2 unmanageable switches and about 20 related systems. What kind of configuration can I build up for the security protection of the systems which I have? Please
    guide me and help us in our platform...
    This topic first appeared in the Spiceworks Community

    Hi satish,
    1. First thing, make sure that the encryption domains are correct, like for like on both ends.
    2. Also make sure that the transform set and everything else are matching as well. Please double-check the crypto map on both ends as well.
    3. If you just added the new subnet to the ACL, it looks like the crypto map is not recognising it. Maybe just rebuild the crypto map or something.
    HTH
    Kishore

  • How we archive configuration for Cisco ASA 5500 series appliances

    Hi,
    We need to archive configuration for Cisco ASA 5500 series appliances.
    We have Cisco works LMS 3.0.1.
    Device package installed is 4.2
    Any help would be appreciated.
    Thanks in advance.
    Samir

    Hi ,
    Thanks for your answer.
    Right now we are using TACACS to log in to the ASA. That means we need a single username and password to log in via
    CiscoWorks. Am I correct?
    Waiting for your reply.
    thanks,
    Samir

  • Simple ASA 55xx to 55xx-X upgrade question

    I have an older model ASA 5500-series and I've purchased a new 5555-X.  If they are both at roughly the same up-to-date software version, can I simply copy the config from the old ASA to the new one?
    I know that I will possibly have to make minor changes such as changing the interface names (ethernet or fa to gi) but are there any significant command structure changes that would cause problems?  (problems caused specifically by moving from a 55xx to a 55xx-X)?

    It really depends what you have configured and what version you are running on the old ASA compared to the new one.  For example, is the old one running 9.1 and the new one running 9.2?
    If you don't have anything very specific or special configured for your network, i.e. you just have ACLs, objects / object-groups, NAT etc., then you will be fine with copying the configuration straight over with possibly a few minor changes (as you have already mentioned).
    Please remember to select a correct answer and rate helpful posts

  • Info about ASA 55xx

    Hi
    I'm starting to read about the ASA 55xx on the Cisco website. But after some good reading, I have some questions.....
    In the Cisco docs about the ASA 55xx, I see the "Maximum concurrent AnyConnect or clientless VPN sessions" and "Maximum concurrent site-to-site and IPsec IKEv1 VPN sessions" (e.g. 750 both): well, are the maximum concurrent sessions 750+750 (AnyConnect + site-to-site), so I have to add the two types of sessions? Or what are the maximum concurrent sessions (of each type) on the ASA 5520?
    So, at this point, if I want 750 AnyConnect sessions and 750 site-to-site sessions, which license do I need to buy? ASA5500-SSL-750? ASA-VPNS-1000? Or what else?
    Then, what are the "shared" licenses? When and where do I need to buy them?
    thanks in advance.
    Bye

    Platform capabilities and required licensing are as noted in the product data sheet:
    Up to 750 AnyConnect and/or clientless VPN peers can be supported on each Cisco ASA 5520 by installing an Essential or a Premium AnyConnect VPN license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, offering a maximum of 7500 AnyConnect and/or clientless VPN peers or 7500 IPsec VPN peers per cluster.
    Reiterating:
    The ASA 5520 750 site-to-site VPN capability is in the base license / product (part number ASA5520-BUN-K9 or ASA5520-K8 depending on whether you are eligible to purchase the strong encryption (-BUN-K9) version).
    The AnyConnect user licenses required depend on whether you need AnyConnect Essentials or Premium. The AnyConnect data sheet outlines the differences. Essentials is one license that allows up to 750 clients to use the appliance simultaneously. Premium (which cannot be loaded at the same time as Essentials) requires the licenses to be purchased according to the tiered per-user scheme.
    Shared licenses are shared among ASAs in a cluster (2 or more units configured together).
    There is the concept of licenses in a failover (2-unit) cluster. That is automatic, i.e. the license numbers are additive and shared up to the platform capability. The ASA5500-SSL-750 part would be used in that setup.
    There is also the concept of an AnyConnect Premium Shared Server. In that scheme, the shared server allocates licenses in 50-unit blocks to the cluster members as they need them. The ASA-VPNS-1000 part number you mention is used in that sort of setup.

  • New ASA 55xx

    I currently have a 3725 + the NM-CIDS module doing my firewall / IPS / VPN.
    I'm considering upgrading to a ASA 55xx box.
    I was reading the product page, and it does not seem that I can have one ASA box that does both the IPS with an AIP-SSM-xx and the anti-virus with an CSC-SSM-xx because the box only has one SSM slot.
    I also need this box to be compatible and take over the peer to peer VPN that the 3725 is doing with my current IOS. I have several remote 87x router connected over ADSL and cable connection with active IOS VPN. My 3725 currently has a AIM VPN card to help the CPU. If I change it to a ASA box will I have to re-configure all the remote 87x routers?
    Thanks...

    I would use one ASA with the AIP-SSM module.
    And then place a separate Anti-X type of device at the back. Having a separate ASA for the CSC module is overkill IMHO.
    There is no real integration between the CSC/IPS modules anyway, so you still have to manage different GUIs. A good option would be to go for IronPort; since they are now part of Cisco, there might be some neat integrations coming along in the future (giving you more value for money). There isn't any great feedback about the CSC module; most people I know don't like to position it, including some Cisco CSEs themselves (it's based on Trend Micro btw).
    Regards
    Farrukh

  • How many default virtual context counts with ASA 5585 Series

    Hi All:
    I am preparing to replace an FWSM with an ASA 5585 Series, but I am confused about the default virtual context count on the ASA 5585.
    I used 3 virtual contexts on my old FWSM (1 admin context with 2 contexts). According to the ASA configuration guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1188797
    It states the ASA 5585 has 2 contexts by default. Does it mean the ASA 5585 just has 2 contexts, or 1 admin context plus "2" contexts (3 contexts available)?
    Thanks for your reply.

    Hi,
    To my understanding the ASA with the most basic default license lets you use 2 Security Contexts for your own purposes. The admin context will always be there on the ASA when running in multiple context mode. It's created when you change your ASA from its default mode (single) to "mode multiple".
    In my original post the latter part was just to mention that, to my understanding, if you use 2 ASAs (almost any model) in failover with software 8.3 and above, the ASA will combine their licenses regarding some values. For example, connecting 2 ASAs in failover which have a limit of 2 Security Contexts, they will get combined and the failover pair will have a 4 Security Context limit.
    At least that is what I see with the "show version" command, and this is also what we have been told by a Cisco employee. I've also been told that if I, for example (running 8.3+ OS), buy a 5 Security Context license for the other unit, it will combine the one unit's base license (2 SC) with the other unit's new license (5 SC), resulting in a combined Security Context limit of 7.
    This is what Cisco documentation mentions about Active/Standby  and Active/Active Failover Licensing at version 8.3 and above:
    Or you have two ASA 5540 adaptive security  appliances, one with 20 contexts and the other with 10 contexts; the  combined license allows 30 contexts. For Active/Active failover, for example, one unit  can use 18 contexts and the other unit can use 12 contexts, for a total  of 30; the combined usage cannot exceed the failover cluster license.
    I have had 2 ASA5585-X ASAs combined in A/A failover running 8.4(2) and they have at least shown that they have a combined Security Context limit of 4 Security Contexts.
    Here's a partial output of the "show version" command on the ASAs in question when they were just out of the box, combined in failover with no other configuration other than running in multiple context mode and the management configuration in the admin context.
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 1024           perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10000          perpetual
    Total VPN Peers                   : 10000          perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    10GE I/O                          : Disabled       perpetual

    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 1024           perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 4              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 4              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10000          perpetual
    Total VPN Peers                   : 10000          perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 4              perpetual
    Total UC Proxy Sessions           : 4              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    10GE I/O                          : Disabled       perpetual
    Though I still suggest confirming all these things with the people/company that you're acquiring the ASA(s) from, so you get what you're asking for. Or someone from Cisco could confirm this on these forums.

  • Cisco Prime Infrastructure 2.0 and ASA 55xx platform

    Hello,
    We recently upgraded to Prime Infrastructure 2.0 in the hope of being able to manage our ASAs from Prime (and complete an LMS migration).
    When I attempt to add ASAs to Prime I get the following collection errors:
    Unable to collect processor and RAM information. Processor and RAM information. Unexpected error. See the log file inventory.log for details.
    In the logfile I get the following XML parsing error on the MIB:
    <palError>
      <deviceId>6284310032</deviceId>
      <code>VALIDATION_ERROR</code>
      <message>Failed to validate output XML: cvc-maxInclusive-valid: Value '3484331296' is not facet-valid with respect to maxInclusive '2147483647' for type 'int'.</message>
      <result>
        <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/CISCO-MEMORY-POOL-MIB/xmp-im-file-system-module.xsd">
          <xmp-im-file-system-module>
            <MemoryPoolStatistics>
              <memoryPoolIndex>1</memoryPoolIndex>
              <free>4294967295</free>
              <largestFree>4294967295</largestFree>
              <used>3484331296</used>
            </MemoryPoolStatistics>
    To me it seems that the ASA returns a value that is bigger than int32 and thus causes an overflow? Any clues? Workarounds to add an ASA to Prime without checking these MIBs?
    Regards,
    Marcel
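As an added illustration (not code from the post, from Cisco Prime or from Cisco), the following Python script reproduces the check that the inventory log complains about: it parses a memory-pool record shaped like the fragment above (a constructed sample, with the closing tags the post truncates added back), compares each counter against the signed 32-bit maximum quoted in the error, and records that every value still fits an unsigned 32-bit range, which is the range an SNMP Gauge32 such as the CISCO-MEMORY-POOL-MIB objects carries. Treating a reading of exactly 4294967295 as a saturated or unknown marker is an assumption made here, not something the log states.

```python
import xml.etree.ElementTree as ET

INT32_MAX = 2_147_483_647    # maxInclusive facet of XML Schema 'int', as quoted in the error
UINT32_MAX = 4_294_967_295   # upper bound of an SNMP Gauge32 / Unsigned32

# Constructed sample modelled on the inventory.log fragment in the post; the closing
# tags that the post truncates are added so that the document parses.
SAMPLE_XML = """<result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="/CISCO-MEMORY-POOL-MIB/xmp-im-file-system-module.xsd">
  <xmp-im-file-system-module>
    <MemoryPoolStatistics>
      <memoryPoolIndex>1</memoryPoolIndex>
      <free>4294967295</free>
      <largestFree>4294967295</largestFree>
      <used>3484331296</used>
    </MemoryPoolStatistics>
  </xmp-im-file-system-module>
</result>"""

COUNTER_FIELDS = ("free", "largestFree", "used")


def classify(value):
    """Say whether a counter fits the schema's signed 'int' or only an unsigned 32-bit gauge."""
    if value < 0 or value > UINT32_MAX:
        return "out-of-range"       # not even a valid Gauge32: the collector itself is broken
    if value > INT32_MAX:
        return "int32-overflow"     # valid Gauge32, but rejected by an xs:int facet
    return "ok"


def check_memory_pools(xml_text):
    """Walk every MemoryPoolStatistics element and classify its counters."""
    root = ET.fromstring(xml_text)
    findings = []
    for pool in root.iter("MemoryPoolStatistics"):
        index = int(pool.findtext("memoryPoolIndex"))
        for field in COUNTER_FIELDS:
            text = pool.findtext(field)
            if text is None:
                continue
            value = int(text)
            findings.append({
                "pool": index,
                "field": field,
                "value": value,
                "status": classify(value),
                # Assumption: a reading of exactly 2^32-1 is a saturated / "unknown" marker.
                "saturated": value == UINT32_MAX,
            })
    return findings


def would_fail_int_facet(findings):
    """True if a validator typing these fields as xs:int would reject the document."""
    return any(f["status"] != "ok" for f in findings)


if __name__ == "__main__":
    for finding in check_memory_pools(SAMPLE_XML):
        print(finding)
```

A collector that types these fields as xs:int cannot represent anything above 2147483647, so a 64-bit image reporting more than 2 GiB in a pool trips the facet before the rest of the inventory is processed; logging which field trips, and whether it is a saturated reading, is what you want to see before deciding whether to exclude the MIB from inventory or wait for a device-pack update.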

    The X series (all with 64-bit SMP images) are not currently supported by PI 2.0. We can hope for a device update in the coming months to remedy that situation.
    If you click on the arrow next to the help icon in the top right of your PI and choose "Device Level Support" you will see:
    Cisco ASA-5500 Series Adaptive Security Appliances
    Features :
    Topology
    LLDP Neighbor Discovery
    CDP Neighbor Discovery
    Configuration
    Configuration Archive
    Software Image Management
    Monitoring
    Device Availability
    Reachability
    Inventory
    Physical
    System - Memory Pools
    Interfaces - IP
    Interfaces - Ethernet
    Device Type
    SYSOIDS
    S/W Version
    Software
    Cisco ASA-5510 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.669
    OID:1.3.6.1.4.1.9.12.3.1.3.447
    Cisco ASA-5510 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.773
    Cisco ASA-5520 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.670
    OID:1.3.6.1.4.1.9.12.3.1.3.448
    Cisco ASA-5520 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.671
    Cisco ASA-5540 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.672
    OID:1.3.6.1.4.1.9.12.3.1.3.449
    Cisco ASA-5540 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.673
    Cisco ASA-5560 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.12.3.1.3.454
    Cisco ASA-5550 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.753
    Cisco ASA-5550 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.763
    Cisco ASA-5505 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.745
    OID:1.3.6.1.4.1.9.12.3.1.3.560
    Cisco ASA-5580 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.914
    Cisco ASA-5585 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.1194
    OID:1.3.6.1.4.1.9.1.1195
    OID:1.3.6.1.4.1.9.1.1196
    OID:1.3.6.1.4.1.9.1.1197
    Cisco ASA-5585 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.1198
    OID:1.3.6.1.4.1.9.1.1199
    OID:1.3.6.1.4.1.9.1.1200
    OID:1.3.6.1.4.1.9.1.1201
    Cisco ASA-5585 Adaptive Security Appliance System Context
    OID:1.3.6.1.4.1.9.1.1202
    OID:1.3.6.1.4.1.9.1.1203
    OID:1.3.6.1.4.1.9.1.1204
    OID:1.3.6.1.4.1.9.1.1205
    Cisco ASA-5580 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.915
    Cisco ASA-5580 Adaptive Security Appliance System Context
    OID:1.3.6.1.4.1.9.1.916

  • ASA X-series firewalls difference & multi context features

    Does anyone have a quick guide to show the feature differences between the X and regular ASA series firewalls?
    And does this still hold true WRT multi-context ASA in the X-series?
    No multi-context.....
    - If you need to provide VPN services such as remote access or site-to-site VPN tunnels.
    - If you need to use dynamic routing protocols. With multiple context mode, you can use only static routes.
    - If you need to use QoS.
    - If you need to support multicast routing.
    - If you need to provide Threat Detection.
    tia,
    Will

    A few changes in the new ASA version 9.0 (supported on both ASA and ASA-X series):
    http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890
    In multiple context mode, it does support the following:
    - Site to site VPN tunnels only.
    - Dynamic routing protocols: EIGRP and OSPFv2 only.
    - QoS is not supported.
    - Multicast routing is not supported.
    - Threat Detection is not supported.
    Here are the unsupported features in multiple context mode as of Version 9.0:
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_contexts.html#wp1382237

  • PFIs on E series configured for input, by default?

    Are the PFIs on the E series configured, by default, for input?
    I work with a 6071E board and am trying to trigger analog acquisition with an external trigger on PFI0/TRIG1, but it's not working.
    Of course, there could be any number of reasons for this (especially comedi software...ugh), but I wanted to make sure I don't have to explicitly configure PFIs for input to use them as such.
    thanks, jon

    The lines are configured for input by default. According to Appendix C of the E Series User Manual at system power-on and reset, both the PFI and DIO lines are set to high-impedance by the hardware. This means that the device circuitry is not actively driving the line either high or low.
    Regards,
    Justin Britten

  • ASA 5505 VPN configuration question

    I have an ASA 5505 v7.2(3), ASDM 5.2(3), that I am trying to get reconfigured after our cable company was bought out and they replaced the cable modem with a router. My ASA now has a non-routable "10" address on the outside instead of one of the 5 statics I have assigned to me. I have NATted my servers, but I cannot get my VPN clients connected. I am not sure how to get one of my statics assigned to the ASA to use for the VPN tunnel. It used to be that I just tunneled to the static "outside" address with my Cisco VPN clients (remote PCs). I tried assigning one of my statics to the outside, but then I had no connectivity at all, since there is a router now before me where it was just a modem before. I am used to working on larger PIXes with my own IP address range, and not used to dealing with DHCP-assigned outside addresses, so I am sure it is something simple I am missing. Any help would be greatly appreciated; this is for a small charity animal shelter that has been down since the cable company made their "transparent change" when they bought another one out.
    The ISP router has an interface with one of my statics on the outside-facing interface, and a 10 address on the interface directly connected to my ASA. The ISP router then assigns a 10 address to my outside interface on the ASA. I then have 192 addresses on my inside interfaces with statics for their servers. I am just not sure now how to connect my VPN clients since I do not have a routable outside address anymore. I have tried connecting to the static on the ISP, thinking they might pass the packet, but they don't. I thought maybe a loopback could be assigned to the ASA, but could not see a way to do that. Also the Ethernet interfaces cannot have addresses assigned, only VLANs, of which there can only be two, and both are used (inside, outside), so I am out of ideas.
    Thanks for any help
    Thanks much

    Hi Kevin
    Your current design causes administrative overhead. You either need a one-to-one mapping with the outside interface or a PAT which is forwarding UDP 4500 and TCP 10000 (may cause trouble with GRE).
    Ask your ISP to configure the router in bridged mode and let your outside interface have the public IPs instead of 10.x.x.x.
    Regards

  • Cisco ASA 8.6 configuration issues

    Hello all ,
    internet router ------ outside ------ ASA ------ inside ------ Cisco 3750 (----A----)
                                           |
                                           |
                                          DMZ
                                           |
                                           |
                                     Cisco 3750 (-----B---)
    1- switch A -- wireless User + Cisco Wireless Ip phones
    2- Switch B -- CUCM
    Problem description:
    --- from switch A I cannot ping switch B (DMZ), so IP phones cannot reach CUCM
    --- on switch A, 4 VLANs are configured with different SSIDs and internet is working fine
    --- on switch A I want 2 VLANs (vlan 60 and vlan 80) to communicate with the DMZ as well (not working)
    ## some relevant config is as under:
    SWITCH A CONFIG
    ===============
    vlan internal allocation policy ascending
    interface FastEthernet0
     no ip address
     no ip route-cache cef
     no ip route-cache
     shutdown
    interface GigabitEthernet1/0/1
     switchport access vlan 60
     switchport mode access
     spanning-tree portfast
    |
    |
    |
    |
    |
    |
    interface GigabitEthernet1/0/23
     description **connected to ASA-Inside**
     switchport access vlan 100
     switchport mode access
    interface Vlan10
     ip address X.X.100.5 255.255.255.0
    interface Vlan50
     ip address X.X.6.12 255.255.255.0
    interface Vlan60
     ip address X.X.8.251 255.255.255.0
    interface Vlan80
     ip address X.X.10.251 255.255.255.0
    interface Vlan100
     ip address X.X.20.1 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.20.2
    =========================================
    ASA CONFIG
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address X.X.20.2 255.255.255.0
    |
    |
    interface GigabitEthernet0/2
    nameif DMZ
    security-level 50
    ip address X.X.21.2 255.255.255.0
    |
    |
    interface GigabitEthernet0/5
    nameif outside
    security-level 0
    ip address 192.168.2.5 255.255.255.0
    |
    |
    object network IN-OUT
    subnet 0.0.0.0 0.0.0.0
    object network W-PHONE
    subnet X.X.10.0 255.255.255.0
    object network BECA-WIRELESS-USER
    subnet X.X.8.0 255.255.255.0
    pager lines 24
    |
    |
    nat (inside,outside) source dynamic IN-OUT interface
    nat (inside,DMZ) source dynamic W-PHONE interface
    nat (inside,DMZ) source dynamic BECA-WIRELESS-USER interface
    route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
    route inside X.X.6.0 255.255.255.0 X.X.20.1 1
    route inside X.X.7.0 255.255.255.0 X.X.20.1 1
    route inside X.X.8.0 255.255.255.0 X.X.20.1 1
    route inside X.X.10.0 255.255.255.0 X.X.20.1 1
    timeout xlate 3:00:00
    ============================================
    switch B
    interface GigabitEthernet1/0/17
     switchport access vlan 50
     switchport mode access
     switchport voice vlan 20
     spanning-tree portfast
    interface GigabitEthernet1/0/18
     switchport access vlan 50
     switchport mode access
    interface Vlan10
     ip address X.X.100.1 255.255.255.0
    interface Vlan20
     ip address X.X.7.1 255.255.255.0
     ip helper-address X.X.6.6
    interface Vlan50
     ip address X.X.6.30 255.255.255.0
     ip helper-address X.X.6.6
    interface Vlan60
     ip address X.X.8.252 255.255.255.0
    interface Vlan101
     ip address X.X.21.1 255.255.255.0
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip route 0.0.0.0 0.0.0.0 X.X.6.4
    ip route X.X.6.0 255.255.255.0 X.X.21.2
    ip route X.X.7.0 255.255.255.0 X.X.21.2

    We would also need to see the ACL configuration of the ASA as this is what actually controls the flow of traffic, that is if routing is correct which it seems to be from your configuration.
    What you can do is run a packet-tracer on the ASA to see if the packet is allowed through the ASA:
    packet-tracer input inside tcp 12345 detail
    This should give you an indication where or if there is a misconfiguration on the ASA.
    Please post the output here if you require further assistance.  Also a full ASA configuration (remove public IPs and passwords) would help to identify the issue.
    Please remember to rate and select a correct answer

  • ASA 5510 ignoring configured acl entry?

    Greetings,
      I'm configuring an ASA-5510, and I have several interfaces, some of which include:
    interface Ethernet0/0.200
    vlan 200
    nameif SITECORP
    security-level 90
    ip address 10.1.4.1 255.255.254.0
    interface Ethernet0/0.207
    vlan 207    
    nameif SITESERVER
    security-level 90
    ip address 10.1.7.1 255.255.255.128
    interface Ethernet0/1.311
    vlan 311
    nameif MOD1BMS
    security-level 100
    ip address 10.1.144.1 255.255.252.0
    I have the following access-lists configured and applied:
    access-list SITECORP_access_in extended permit ip any any
    access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
    access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
    fw# show run object-group
    object-group network SITECORP
    network-object 10.1.4.0 255.255.254.0
    object-group network MOD1BMS
    network-object 10.1.144.0 255.255.252.0
    object-group network SITESERVER
    network-object 10.1.7.0 255.255.255.128
    fw# show run nat-control
    no nat-control
    packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group SITECORP_access_in in interface SITECORP
    access-list SITECORP_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd5641ec8, priority=12, domain=permit, deny=false
            hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd544e8c8, priority=110, domain=permit, deny=true
    hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0
    This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
    Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
    Regards,
      Phil

    Hello Phil,
    That is correct: no matter what ACEs (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection would not be allowed (ASA/PIX speaking).
    But you do not have to change the security level; of course that is one work-around, but again the solution is:
    - same-security-traffic permit inter-interface
    Please mark the question as answered for future queries regarding the same issue unless you have any other question, I would be more than glad to help.
    Regards,
    Julio
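To make the packet-tracer results in this thread reproducible, here is an added Python model of the ASA decision that Phil's question and Julio's answer describe. It is example code written for this page, not Cisco's logic and not anything posted in the thread. It parses a constructed config excerpt that mirrors the quoted interfaces and inbound ACL (the object-groups from the post are expanded to their member networks), picks the egress interface from the connected subnets, applies the same-security implicit rule, and then evaluates the inbound ACL. The same model also serves the packet-tracer suggestion in the "Cisco ASA 8.6 configuration issues" thread above. It only models inbound ACLs, directly connected routes and the interface security-level rules; NAT, outbound ACLs and static routes are assumed away.

```python
import ipaddress

# Constructed config excerpt modelled on the interfaces and ACL quoted in the post.
# The object-groups from the post are expanded to their member networks here.
CONFIG = """
interface Ethernet0/0.200
 vlan 200
 nameif SITECORP
 security-level 90
 ip address 10.1.4.1 255.255.254.0
interface Ethernet0/0.207
 vlan 207
 nameif SITESERVER
 security-level 90
 ip address 10.1.7.1 255.255.255.128
interface Ethernet0/1.311
 vlan 311
 nameif MOD1BMS
 security-level 100
 ip address 10.1.144.1 255.255.252.0
access-list SITECORP_access_in extended permit ip any any
access-group SITECORP_access_in in interface SITECORP
"""

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}   # small subset of ASA port keywords


def take_addr(tokens):
    """Consume one ACE address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(tokens, raw):
    # access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
    action, proto, rest = tokens[3], tokens[4], tokens[5:]
    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port, "raw": raw}


def parse_config(text):
    cfg = {"interfaces": {}, "acls": {}, "access_groups": {}, "same_security_inter": False}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        t = line.split()
        if t[0] == "interface":
            current = {"level": None, "network": None}
        elif t[0] == "nameif" and current is not None:
            cfg["interfaces"][t[1]] = current       # same dict is filled by the lines below
        elif t[0] == "security-level" and current is not None:
            current["level"] = int(t[1])
        elif t[:2] == ["ip", "address"] and current is not None:
            current["network"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(parse_ace(t, line))
        elif t[0] == "access-group":                # access-group NAME in|out interface IFC
            cfg["access_groups"][(t[4], t[2])] = t[1]
        elif line == "same-security-traffic permit inter-interface":
            cfg["same_security_inter"] = True
    return cfg


def ace_matches(ace, src_ip, dst_ip, proto, dport):
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ace["src"] is not None and src_ip not in ace["src"]:
        return False
    if ace["dst"] is not None and dst_ip not in ace["dst"]:
        return False
    return ace["port"] is None or ace["port"] == dport


def evaluate(cfg, ingress, src, dst, proto, dport):
    """Return (verdict, reason) for a flow entering 'ingress', in packet-tracer style."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress_if = cfg["interfaces"][ingress]
    # Egress is the interface whose connected subnet holds the destination.
    egress = next((n for n, i in cfg["interfaces"].items()
                   if i["network"] is not None and dst_ip in i["network"]), None)
    if egress is None:
        return "DROP", "no route to destination"
    egress_if = cfg["interfaces"][egress]
    # Same security level: an implicit rule denies the flow regardless of the ACL
    # unless same-security-traffic permit inter-interface is configured.
    if egress_if["level"] == ingress_if["level"] and not cfg["same_security_inter"]:
        return "DROP", f"Implicit Rule: {ingress} and {egress} share security-level {egress_if['level']}"
    acl_name = cfg["access_groups"].get((ingress, "in"))
    if acl_name is not None:
        for ace in cfg["acls"][acl_name]:           # first matching ACE decides
            if ace_matches(ace, src_ip, dst_ip, proto, dport):
                verdict = "ALLOW" if ace["action"] == "permit" else "DROP"
                return verdict, f"{acl_name}: {ace['raw']}"
        return "DROP", f"{acl_name}: implicit deny at end of ACL"
    if ingress_if["level"] > egress_if["level"]:
        return "ALLOW", "no inbound ACL: higher-to-lower security is permitted by default"
    return "DROP", "Implicit Rule: lower-to-higher security with no permitting ACL"


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print(evaluate(cfg, "SITECORP", "10.1.4.11", "10.1.144.200", "tcp", 80))
    print(evaluate(cfg, "SITECORP", "10.1.4.11", "10.1.7.11", "tcp", 80))
    fixed = parse_config(CONFIG + "same-security-traffic permit inter-interface\n")
    print(evaluate(fixed, "SITECORP", "10.1.4.11", "10.1.7.11", "tcp", 80))
```

Run as-is, the script reproduces the two packet-tracer outcomes quoted in the question (SITECORP to MOD1BMS allowed by the inbound ACL, SITECORP to SITESERVER dropped by the implicit same-security rule even though the ACL is permit ip any any) and then shows that adding the single line from Julio's answer is what flips the second flow to ALLOW. The order of the checks is the point: the same-security rule is evaluated ahead of the inbound ACL, which is why editing the ACL alone cannot fix it.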

  • ASA 8.2 configuration for an ASA 9.1.(1) device

    Hello, I have a configuration file from a 5510 running ASA ver 8.2
    I have a brand new ASA5525 running ASA ver 9.1(1)
    It is my understanding the configuration syntax is different between these versions
    I need to take this config I have and somehow auto-format it to work with 9.1(1).  Upgrade is not an option since the firewall is already on 9.1(1)
    Anyone know how would I go about this?

    Hi,
    I think you can use this document to understand the syntax changes, and you will find the corresponding syntax for ASA 9.x as well.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
    Also, you can check out this automated tool:
    http://www.tunnelsup.com/nat-converter
    I would recommend going through and manually converting the configuration to prevent any errors.
    Thanks and Regards,
    Vibhor Amrodia

  • ASA 55xx and Videoconferencing and VCS

    I'm not a Security or ASA guy but I always encounter on all my projects the question of "can you help me translate into a configuration that TCP/IP ports you need for your videoconferencing?"
    I'd appreciate it a lot if someone could send, email or PM me a working config (scrub the confidential info) of the ASA that will work for a setup that has
    VCS Control
    VCS Expressway
    Internal video endpoints calling External (different company's) endpoints
    Thanks

    Sorry, forgot to add more details.
    The protocols will be H.323 and SIP.  Tandberg(now Cisco) has a document that lists all the TCP and UDP ports that are required to be open in the firewall.
    It is just translating those ports into an actual ASA command lines or config that I need since I am not an ASA guy.
    I just want to help the customer that is asking for assistance, as I always encounter this question and it is a bit frustrating not having the info.  I am enrolling myself in an ASA class soon though.
