ASA 8.2 configuration for an ASA 9.1(1) device

Hello, I have a configuration file from a 5510 running ASA ver 8.2.
I have a brand new ASA5525 running ASA ver 9.1(1).
It is my understanding the configuration syntax is different between these versions.
I need to take this config I have and somehow auto-format it to work with 9.1(1). Upgrade is not an option since the firewall is already on 9.1(1).
Anyone know how I would go about this?

Hi,
I think you can use this document to understand the syntax changes; you will find the corresponding syntax for ASA 9.x there as well.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
Also, you can check out this automated tool:
http://www.tunnelsup.com/nat-converter
I would recommend going through and manually converting the configuration to prevent any errors.
Thanks and Regards,
Vibhor Amrodia
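The part of an 8.2 config that does not carry over verbatim is NAT: static/global/nat statements become object NAT in 8.3 and later, and access-lists are evaluated against real (untranslated) addresses instead of the mapped ones. The script below is an added example for this thread, not Cisco's migration code and not the tunnelsup converter. It rewrites the common 8.2 patterns (host and subnet statics, port statics, global/nat pairs for PAT to the interface, a single address or an a-b pool), rewrites ACEs that reference a mapped host address, and marks what it will not convert on its own (identity NAT via `nat 0 access-list`, orphaned nat IDs) with `! REVIEW` lines. The 8.2 sample embedded in it is constructed, and the `obj-<address>` object names are this script's own convention.

```python
"""Translate common ASA 8.2 NAT statements into the 8.3+/9.x object-NAT form.

Added example for this thread, not Cisco's migration code. Covered:
  static (host or subnet, optional tcp/udp port static), global/nat pairs
  (dynamic PAT to the interface, to a single address, or to an a-b pool),
  and 'nat ... 0 access-list' identity NAT, which is only flagged because
  it needs manual (twice) NAT. Object names (obj-<addr>...) and the
  '! REVIEW' markers are this script's own convention.
"""
import re

STATIC_RE = re.compile(
    r"^static \((\S+?),(\S+?)\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+) (?:(\d+) )?netmask (\S+)"
)
GLOBAL_RE = re.compile(r"^global \((\S+?)\) (\d+) (\S+)")
NAT0_ACL_RE = re.compile(r"^nat \((\S+?)\) 0 access-list (\S+)")
NAT_RE = re.compile(r"^nat \((\S+?)\) (\d+) (\S+) (\S+)")
HOST_MASK = "255.255.255.255"

# Constructed 8.2 sample in the style of the original poster's 5510 config.
SAMPLE_82 = """
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.1.1.20 443 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_in extended permit tcp any host 203.0.113.10 eq 22
access-group outside_in in interface outside
"""


def _object(name, addr, mask):
    """object network header plus its host/subnet line."""
    body = f" host {addr}" if mask == HOST_MASK else f" subnet {addr} {mask}"
    return [f"object network {name}", body]


def convert(old_lines):
    old = [l.strip() for l in old_lines if l.strip()]
    out, mapped_to_real, globals_by_id = [], {}, {}
    for l in old:                                    # pass 1: collect global pools
        m = GLOBAL_RE.match(l)
        if m:
            globals_by_id.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
    for l in old:                                    # pass 2: rewrite
        m = STATIC_RE.match(l)
        if m:
            real_if, mapped_if, proto, mapped, mport, real, rport, mask = m.groups()
            name = f"obj-{real}" + (f"-{proto}{rport}" if proto else "")
            svc = f" service {proto} {rport} {mport}" if proto else ""
            out += _object(name, real, mask)
            out.append(f" nat ({real_if},{mapped_if}) static {mapped}{svc}")
            if mask == HOST_MASK and mapped != "interface":
                mapped_to_real[mapped] = real        # needed for the ACL rewrite below
            continue
        m = NAT0_ACL_RE.match(l)
        if m:
            out.append(f"! REVIEW: '{l}' is identity NAT; write one manual NAT per ACE of {m.group(2)}:")
            out.append(f"!   nat ({m.group(1)},<mapped_if>) source static <local> <local> "
                       "destination static <remote> <remote>")
            continue
        m = NAT_RE.match(l)
        if m:
            real_if, nat_id, net, mask = m.groups()
            if nat_id not in globals_by_id:
                out.append(f"! REVIEW: no 'global' with id {nat_id} for '{l}'")
            for mapped_if, target in globals_by_id.get(nat_id, []):
                name = f"obj-{net}-{mapped_if}"
                if "-" in target:                    # a-b pool -> range object
                    lo, hi = target.split("-", 1)
                    out += [f"object network {name}-pool", f" range {lo} {hi}"]
                    target = f"{name}-pool"
                out += _object(name, net, mask)
                out.append(f" nat ({real_if},{mapped_if}) dynamic {target}")
            continue
        if GLOBAL_RE.match(l):
            continue                                 # consumed in pass 1
        if l.startswith("access-list"):
            # 8.3+ ACLs are evaluated on real (untranslated) addresses, so every
            # mapped address from a host static must become the real host.
            tokens = l.split()
            fixed = [mapped_to_real.get(t, t) for t in tokens]
            if fixed != tokens:
                out.append("! REVIEW: next ACE rewritten from mapped to real address")
            out.append(" ".join(fixed))
            continue
        out.append(l)                                # everything else passes through
    return out


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_82.splitlines())))
```

Run it over the 8.2 config and diff the output against what you intend to paste into the 9.1(1) box. The two items it refuses to guess at are the ones that hurt: an inbound ACE left on the old mapped address no longer matches anything after migration, so the published service simply goes dark, and a `nat 0 access-list` exemption that is not rewritten as manual NAT means site-to-site VPN traffic gets PATed like ordinary internet traffic instead of passing untranslated.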

Similar Messages

  • How we archive configuration for Cisco ASA 5500 series appliances

    Hi,
    We need to archive configuration for Cisco ASA 5500 series appliances.
    We have Cisco works LMS 3.0.1.
    Device package installed is 4.2
    Any help would be appreciated.
    Thanks in advance.
    Samir

    Hi ,
    Thanks for your answer.
    Right now we are using TACACS to log in to the ASA. That means we need a single username and password to log in via CiscoWorks. Am I correct?
    Waiting for your reply.
    thanks,
    Samir

  • TACACS+ configuration for Cisco ASA

    I tried configuring TACACS+ for the ASA but was unable to complete it. I have ACS 3.3 for all other Cisco routers and switches.

    Leo,
    I was looking around and came across this post. It's very late; however, I wanted to add my inputs for other community members.
    RSA Token/One-Time-Password support is available with ASDM only in SINGLE ROUTED MODE. If you are in Single Routed Mode, you can do OTP with ASDM if you are running ASA 8.2+ with ASDM 6.2+.
    If the firewall is running in multi-context and transparent mode, it won't work. Below is the enhancement request that was filed for the same feature to be supported.
    CSCtf23419    ASDM OTP authentication support in multi-context and transparent modes
    With WLC it is not yet possible, and there is an enhancement request filed.
    CSCuf61598    WLC: Need ability to support multiple sessions via OTP authentication
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ASA and VTI configuration

    Good morning experts,
    My experience with ASAs over the last few years has been limited so I am not up on all of the newer features that they offer. I know in the past that ASAs did not support any type of tunnel interfaces and thus did not support a VTI configuration like you can do on an IOS router.
    My problem is that I need to build a VPN tunnel between a few ASAs and a Juniper NetScreen with many networks on each side that cannot easily be summarized. Being able to build a route-based VPN on the ASA would be very helpful, as the crypto map could essentially be all zeros. Without this configuration, crypto IDs on both sides are going to get very complicated very quickly.
    I can't seem to find any info on VTI configuration for the ASA, which leads me to believe it doesn't exist. However, a guy I work with who uses ASAs daily firmly believes that after version 8.4 this configuration is supported.
    Can anyone confirm please?
    Elton

    Dear Karthik,
    I do not think the posted link contains what Elton is looking for. Actually, I have a few Juniper firewalls and am looking to replace them with ASAs, but the problem is the ASA does not support two of our main requirements, which are route-based VPN through VTI and GRE tunneling.
    I do not know why Cisco has not supported those features on the ASA till now (as far as I know); most firewall vendors support that.

  • ASA 5505 configured for WebVPN connecting to Citrix Web Interface

    ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
    I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (which I added as a bookmark: citrix server http://172.30.40.5). I enter Citrix and then, for example, I want to open Outlook, but it cannot open (when I want to open any application, no application opens). There is no alarm on the ASA. How do I solve this issue?
    thanks.

    Teymur,
    Can you confirm that after disabling SSL/TLS on the Citrix server (secure connectivity) you are getting exactly the same error? It is possible that it is generating a different error.
    The bug where we have seen the existing error was CSCtf06303, but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA?
    If you have confirmed the above two notes it may be advantageous to open a TAC case, as we may need to do some additional live troubleshooting.
    Thanks
    -Jay

  • Upgrade from 8.2 to 8.6 for new ASA 5515X

    Hello,
    My customer has a rather complex configuration on an ASA 5510 running version 8.2
    They are migrating to new ASA 5515-X models which of course only support version 8.6.
    How can i convert the configuration from 8.2 to 8.6 since the new ASA's do not support the earlier versions?
    The X series seems to be a great option for new deployments but what about replacements of existing older models?
    Thanks for any ideas everyone!
    Chris

    Hello,
    I would say go to 8.4. From there you will have the same syntax.
    There will be new commands and features on 8.6, that's for sure, but you are going to be on the same path.
    Any other question? Sure. Just remember to rate all of the helpful posts.
    Julio

  • ASA 5510 ignoring configured acl entry?

    Greetings,
    I'm configuring an ASA-5510, and I have several interfaces, some of which include:
    interface Ethernet0/0.200
    vlan 200
    nameif SITECORP
    security-level 90
    ip address 10.1.4.1 255.255.254.0
    interface Ethernet0/0.207
    vlan 207    
    nameif SITESERVER
    security-level 90
    ip address 10.1.7.1 255.255.255.128
    interface Ethernet0/1.311
    vlan 311
    nameif MOD1BMS
    security-level 100
    ip address 10.1.144.1 255.255.252.0
    I have the following access-lists configured and applied:
    access-list SITECORP_access_in extended permit ip any any
    access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
    access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
    fw# show run object-group
    object-group network SITECORP
    network-object 10.1.4.0 255.255.254.0
    object-group network MOD1BMS
    network-object 10.1.144.0 255.255.252.0
    object-group network SITESERVER
    network-object 10.1.7.0 255.255.255.128
    fw# show run nat-control
    no nat-control
    packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group SITECORP_access_in in interface SITECORP
    access-list SITECORP_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd5641ec8, priority=12, domain=permit, deny=false
            hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd544e8c8, priority=110, domain=permit, deny=true
    hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0
    This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
    Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
    Regards,
      Phil

    Hello Phil,
    That is correct: no matter what ACEs (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection would not be allowed (ASA/PIX speaking).
    But you do not have to change the security level; of course that is one workaround, but again the solution is:
    -     same-security-traffic permit inter-interface
    Please mark the question as answered for future queries regarding the same issue, unless you have any other question; I would be more than glad to help.
    Regards,
    Julio
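Because `same-security-traffic permit inter-interface` is a global setting, turning it on opens every pair of equal-level interfaces at once, not just SITECORP to SITESERVER; any of those interfaces without an access-group then forwards to its peers with no filtering at all. The script below is an added example for this thread (not Cisco code) that reads a running-config, lists the same-level pairs, reports whether the command is present, and names the same-level interfaces that have no inbound access-group. The sample config inside it is constructed from the interface blocks Phil posted plus one access-group line; the report keys are this script's own.

```python
"""Find ASA interfaces that share a security-level and check whether
same-security inter-interface traffic is enabled and filtered.

Added example for this thread, not Cisco code. The sample config below is
constructed from the interfaces Phil posted plus one access-group line;
the report format is this script's own.
"""
import re
from collections import defaultdict
from itertools import combinations

SAMPLE_CONFIG = """\
interface Ethernet0/0.200
 vlan 200
 nameif SITECORP
 security-level 90
 ip address 10.1.4.1 255.255.254.0
interface Ethernet0/0.207
 vlan 207
 nameif SITESERVER
 security-level 90
 ip address 10.1.7.1 255.255.255.128
interface Ethernet0/1.311
 vlan 311
 nameif MOD1BMS
 security-level 100
 ip address 10.1.144.1 255.255.252.0
access-group SITECORP_access_in in interface SITECORP
"""
INTER_IF = "same-security-traffic permit inter-interface"


def parse_interfaces(config):
    """Return {nameif: security-level} from the interface blocks."""
    levels, name = {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            name = None                      # new block, nameif not seen yet
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels


def same_level_pairs(levels):
    """All unordered interface pairs with an equal security-level."""
    by_level = defaultdict(list)
    for name, lvl in levels.items():
        by_level[lvl].append(name)
    return sorted(p for names in by_level.values()
                  for p in combinations(sorted(names), 2))


def audit(config):
    pairs = same_level_pairs(parse_interfaces(config))
    enabled = re.search(rf"^{re.escape(INTER_IF)}$", config, re.M) is not None
    # Once INTER_IF is on, every same-level interface without an inbound
    # access-group passes traffic to its peers unfiltered.
    guarded = set(re.findall(r"^access-group \S+ in interface (\S+)$", config, re.M))
    involved = {n for p in pairs for n in p}
    return {"pairs": pairs, "inter_interface_enabled": enabled,
            "unfiltered": sorted(involved - guarded)}


if __name__ == "__main__":
    for k, v in audit(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

On the posted config the report lists the SITECORP/SITESERVER pair, shows the command absent (which is why packet-tracer hits the implicit deny), and flags SITESERVER as having no inbound ACL; add that ACL before enabling the command, otherwise SITESERVER hosts get unrestricted access to SITECORP the moment it goes in.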

  • ASA 5520 : IP address for CSC SSM

    Hi All,
    I have an ASA 5520 with CSC SSM. I have the base and plus license and want to activate it. The IP address and gateway have to be configured on the CSC SSM. I have configured IP addresses for the INSIDE, OUTSIDE, DMZ and MGMT. The outside is a public IP address. Now for the CSC SSM, what range should I give?
    There is an ISA server on the DMZ where all user IPs get PATed, and on the ASA this gets NATed. Direct access to the internet exists for the servers (bypassing proxy).
    My basic doubt is about the IP address and gateway that the CSC SSM should have, and is it related to the management interface IP address?
    Thanks and Regards.
    Sonu

    Hi
    Put your CSC IP address on the outside interface subnet, because the CSC needs automatic updates from the internet, and you will be able to manage the CSC remotely.
    For example:
    your outside IP is 10.0.0.1/24; make the CSC IP 10.0.0.2/24, gateway 10.0.0.1
    Hopes this helps
    regs
    S.Mohana sundaram

  • Best Practice for Connecting ASA to Catalyst Switch with Multiple VLANs

    Hi all,
    Have the following network topology that was in place when I started the job (See attached pdf).  Am thinking it might be better if I could eliminate the Cisco 2811 router and connect directly from the ASA to my 12 port fiber switch (192.168.7.1).  In my thinking this would eliminate an unnecessary piece of equipment and also give me a gig link to my ASA as opposed to the 100 meg link I have now with the old router.  The 12 port fiber has links to most of my IDFs and is acting as my VLAN gateway for all inter VLAN routing.
    Is my current topology ideal or would I be better served to remove router and connect directly to the 3750G-12s Fiber switch or my Master Switch (192.168.7.4)?  Only thing I don’t like about direct connect to Master switch is that it takes scheduling a major outage for me to reboot it.  However, if that is best practice in this case, I can live with it.
    It appears the 12 port fiber cannot have IP addresses assigned directly to ports, only to VLANs. So would I have to create a separate VLAN for my ASA and assign IPs to the VLAN on each end of the connection?
    I have read some suggestions that say it is better to terminate all VLANs on the ASA. So as I understand it, that would require creating subinterfaces on my ASA LAN port and assigning each subinterface to its own VLAN. Inter-VLAN routing would then be controlled by the ASA.
    Does not seem practical to me as I have about 15 VLANs total.  Not showing everything in the drawing.
    Guess my main question is “What is best practice for topology and routing in my scenario?”

    Hi Mcreilly,
    You should be able to assign an IP address on the Cat6k Sup720 if you are running native IOS on the Sup720.
    If you are running CatOS then you will not be able to do that, and you can have it configured as a trunk and connect to the router. Also, I do not think that you need subinterfaces on the router and a trunk on the switch, because your Cat6k with Sup720 must be doing inter-VLAN routing between VLANs.
    You can just connect it on some port on any VLAN, assign the router interface an IP address in the same subnet which you have on the MSFC for that VLAN, and anybody who wants to go out via the T3 link will get routes on the Sup720 and move out via the router VLAN.
    Suppose you do not want the router to be part of an existing VLAN: you can create one VLAN on the Cat6k Sup720, assign one port to that new VLAN and connect the router to that new VLAN port, then create a logical interface on the MSFC for that new VLAN and assign an IP address range on that logical VLAN, and assign the same subnet IP address range on the router physical interface.
    Anyone from another VLAN gets routed on the Sup720 MSFC and will move out via the VLAN on which you have connected the router.
    Because you have only one router you will not be able to maintain box-level redundancy, by which I mean if the router goes down the T3 will be unreachable.
    HTH
    Ankur

  • What are best practices for connecting asa to nexus 5000

    Just trying to get a feel for the best way to connect redundant ASAs to redundant Nexus 5000s.
    Using a vPC VLAN is fine, but then running a routing protocol isn't supported, so putting static routes on the 5000 works, but it doesn't support IP SLA yet so you can't really stop distributing the default if your internet goes down. Just looking for what was recommended.


  • Failover for Single ASA

    Hi All,
    I want to know what failover I can build for a single ASA. I am planning to connect as per the attached.
    Please let me know all the configurations that I can build. Do I need to assign 2 IPs for the 2 interfaces connected to inside, DMZ and outside?
    Please let me know if you have any other design.
    Regards,
    Satya.M

    Hi Satya, 
    You cannot assign IPs of the same subnet to two different interfaces of the ASA in routed mode. So as per your diagram, you cannot connect the inside interface of the ASA to both the 6504E switches or to the DMZ switches as you have shown. If you want to do such a failover, you can use 2 ASAs with Active/Standby failover while connecting ASA-1 to 6504EGa and ASA-2 to 6504EGb. You can also do Active/Active failover.
    Also with 1 ASA, if you want to configure 2 ISPs on 2 interfaces, please remember policy-based routing is not supported on the ASA, so at any given time only 1 ISP will be active for all the traffic going out. You can have the failover configured so that everything fails over to the secondary ISP when the primary goes down, with tracks etc.
    I hope this helps. If not, can you please post your exact requirements for the failover so that we can suggest you better.
    Best, 
    Raghav

  • TACACS config for PIX & ASA

    I am struggling to configure TACACS to allow authentication via Cisco ACS. I was able to configure it for 2950 and 3750 switches but not for ASA & PIX; can anyone let me know the configs?

    I am actually looking for a similar command which I used on the Cisco 2950/3750
    aaa new-model
    aaa authentication login default group tacacs+ enable local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    With these commands I was able to track the commands the user used, logged with the username which I configured on TACACS. With the command which you sent me, "aaa-server TACACS+ host", I was able to log in with the TACACS username, but it is not accounting all the details like login & logout time, the commands the user issued, etc.

  • Configure VPN between ASA-Astaro

    Hi All
    I have an ASA 5510. I have configured 2 VPNs; router 850-ASA is OK, but I can't establish the other VPN, ASA-Astaro. The error is:
    Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!
    Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
    Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
    My configuration for VPN is:
    ACL:
    access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    VPN:
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map Internet_map 20 match address Internet_cryptomap_20_1
    crypto map Internet_map 20 set peer 186.1.10.74
    crypto map Internet_map 20 set transform-set ESP-3DES-MD5
    crypto map Internet_map 20 set security-association lifetime seconds 86400
    crypto map Internet_map 20 set security-association lifetime kilobytes 4608000
    crypto map Internet_map 20 set nat-t-disable
    crypto map Internet_map 40 match address Internet_cryptomap_40
    crypto map Internet_map 40 set peer 165.98.233.180
    crypto map Internet_map 40 set transform-set ESP-3DES-MD5
    crypto map Internet_map 40 set security-association lifetime seconds 86400
    crypto map Internet_map 40 set security-association lifetime kilobytes 4608000
    crypto map Internet_map 60 match address Internet_cryptomap_60
    crypto map Internet_map 60 set peer 200.50.2.114
    crypto map Internet_map 60 set transform-set ESP-3DES-MD5
    crypto map Internet_map 60 set security-association lifetime seconds 28800
    crypto map Internet_map 60 set security-association lifetime kilobytes 4608000
    crypto map Internet_map interface Internet
    isakmp identity address
    isakmp enable Internet
    isakmp enable management
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 10 retry 2
    tunnel-group 186.1.10.74 type ipsec-l2l
    tunnel-group 186.1.10.74 ipsec-attributes
    pre-shared-key *
    tunnel-group 165.98.233.180 type ipsec-l2l
    tunnel-group 165.98.233.180 ipsec-attributes
    pre-shared-key *
    tunnel-group 200.50.2.114 type ipsec-l2l
    tunnel-group 200.50.2.114 ipsec-attributes
    pre-shared-key *
    Thanks in advance
    Regards

    Take a look at this:
    http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K74152394

  • ASA 55xx Series configuration

    1) Is there any support provided for uploading our own custom login pages to the ASA appliance? e.g. a Flash-embedded HTML page
    2) Can the ASA appliance be configured to redirect the authentication to a specific URL (a custom web server which will do some means of authentication), and if successfully authenticated, the web server will post the credentials back to the appliance? This way it will support multi-factor authentication.

    Yes, I think there is some support for uploading your own custom login pages to the ASA appliance, and you can redirect the authentication to a specific URL; for more information please click the following URLs:
    http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
    http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html

  • ASA 5520 IPS configuration

    Dear boss,
    I have an ASA 5520 with IPS in my data center. I am using it for routing and access lists. It is running and all my 80 branches run on it.
    Now I want to enable IPS.
    How do I start it?
    When I click on IPS in graphic mode it asks for an IP. What should it be?
    What is the procedure?
    Is there any risk to enable it during business hours?
    Please tell me the details.
    Thanking You
    shahid

    Hi,
    For more details on configuring IPS on the ASA firewall, the URL below will help you:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
    Regards,
    MK
