ASA 8.4 and NAT Control

For ASA v8.3 and above we don't need to use nat-control; traffic from a high security interface can go to a low security interface without matching NAT statements. So does the ASA automatically NAT the outgoing traffic to the outside interface by default?
For example:
ASA inside int---10.1.1.1
outside int---120.11.1.1
When the inside hosts try to go out, they will be NATed to 120.11.1.1 by default on version 8.3 and later. Is that right?

Thanks Dan. I should have asked my above question differently, please let me know whether my below explanation is correct or not.
If nat-control is enabled: for the inside hosts (sec level 100, IP 10.x.x.x) to talk to dmz hosts (sec level 50, IP 192.x.x.x) we need a matching NAT statement like
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
For ASA version 8.3 and above, since there is no nat-control, the inside hosts can talk to dmz hosts without any NAT statement, as long as the access-list (if there is one) permits that communication.

Similar Messages

  • Dear All, I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me. Thanks Vijay

    Hi Vijay,
    It can be done, but you need network management software. I personally don't think you can ask your ASA to send mails. The ASA can trigger an alert to an SNMP-configured server, which will in turn send mail to you.
    HTH,

  • Difference between ASA 8.3 and 8.4 IOS VERSION?

    What are major differences between ASA 8.3 and 8.4 IOS VERSION?
    Also data flow?

    The release notes outline the differences in each version of ASA software. You can find the ASA 8.4 Release Notes here.
    I don't understand what you're asking about data flow.

  • ASA DMZ zone and Unix proxy server

    Hi.
    I have a router where all NAT translation is done. I have an ASA and a core sw.
    My users and some servers are located in the 192.168.193.0/24 subnet. This subnet is created on the core sw.
    int vlan 393
    ip address 192.168.193.1 255.255.255.0
    The core sw is connected to the ASA inside interface. The ASA inside interface IP is 172.30.30.1, and on the core sw side this port is in access VLAN 8, which is
    int vlan 8
    ip address 172.30.30.2
    On the core sw I have a default route to the ASA.
    ip route 0.0.0.0 0.0.0.0 172.30.30.1
    and on the ASA side
    route inside 192.168.193.0 255.255.255.0 172.30.30.2
    All of them are OK.
    I think that is OK.
    On the ASA I have a DMZ zone with these IP addresses:
    interface Ethernet0/1
    description connect to CoreSW
    nameif inside
    security-level 100
    ip address 172.30.30.1 255.255.255.0 standby 172.30.30.3
    interface Ethernet0/2
    description DMZ zone connect mail server
    nameif DMZ
    security-level 50
    ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
    My proxy server's inside interface is connected to the ASA DMZ zone with IP address 172.16.10.254, and its outside interface is connected to the ASA outside side, which means it is in the same subnet as the ASA outside interface, with 10.0.0.254. For 10.0.0.254 I do static NAT at the router. I have no problem with NAT translation.
    I want my 192.168.193.0 subnet to pass through the proxy when this subnet wants to connect to the internet.
    I wrote
    static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
    and access-list
    access-list from_dmz_to_in extended permit ip host 172.16.10.254 any
    access-group from_dmz_to_in in interface DMZ
    At this time, what is up?
    The users cannot access the internet, so what do I do? I wrote the proxy server inside IP and default port 3128 in the users' Internet Explorer properties.
    Internet Explorer--Tools--Properties--Connection--LAN settings shows 172.16.10.254 and port 3128 there.
    My users connect to the internet when I write this. When I remove it they cannot connect to the internet,
    but I do not want to write anything on my users' machines. How do I solve this?
    After that, one more problem occurs.
    When my server does an nslookup, it does not work.
    I think that is expected because we have only one port, 3128, open and my server needs UDP 53, so it cannot work.
    How do I solve this issue?
    As you see, my access-list is fully open, and I do
    static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
    Is this proxy connection wrong?
    Must I change the proxy server inside interface to another device or another ASA interface?
    Thanks.

    There are 2 ways the proxy server can work, i.e. either transparent or explicit proxy.
    From your explanation, explicit proxy works just fine when you configure the proxy settings on your browser.
    The reason why transparent proxy does not work is because:
    1) When the user's browser connects to the Internet, the ASA default gateway is via the outside interface; that is why the Internet traffic is not being routed transparently towards your proxy server, which is connected to the DMZ interface.
    The static NAT statement configured on the ASA does not perform redirection. If you would like to transparently route the internet traffic towards the proxy server on the DMZ, you would need to route the traffic towards the proxy server. With the current topology that you have, it is not achievable on the ASA. The ASA does not support Policy Based Routing, nor does it support WCCP when the user and the proxy server are on different interfaces.
    2) Also need to find out if the proxy server itself supports transparent proxy.
    Otherwise, since explicit proxy works, why don't you just push the proxy settings to the browser via Active Directory Group Policy?

  • ASA 5505 - Backup and restore to another device of same model and version

    How can I backup the configuration of the ASA 5505 on 8.x and restore it to another ASA 5505 with same version? I have tried to save the running config to a file and then copy it to the new device and use the boot config: filename but it doesn't work. Or is there any other way to try? Thanks.

    Thanks Andrew, I had tried it but I was having issues with the fact that I kept both ver 7 and ver 8 of the OS images on the flash. So it booted from the first found (ver 7) and creating confusion for me as the config file was for ver 8.
    I noticed that it keeps the 192.168.1.1 IP even though in the config file it has another IP assigned. Are there other things that I need to check that do not change, apart from the IP address?
    Thanks.

  • ASA 5505 VPN and Sprint Mobile Broadband clients.

    I have a strange problem, it's something that just started recently when we had a user try to gain access with a Sprint Mobile Broadband card. We have quite a few remote users, probably not more than 6 ever connected to the VPN at once, and I have not heard of any issues until recently. We are starting to require more travel to remote locations, so the use of the hotel internet, as well as Sprint mobile broadband is becoming more important.
    There are a few issues here. Everything is IPsec.
    Mac OSX with VPN client version 4.9.01 will connect to the VPN when connected to a normal internet connection, but as soon as it gets on the Sprint Mobile Broadband device, it connects for exactly 5 seconds and disconnects.
    Windows XP Pro, has no problems with normal internet, on the wireless broadband modem, it will connect to the VPN, but have no access to internal resources or access to the internet.
    Windows Vista, has issues all the way around, but mainly when connected to the wireless it has the same issues as XP minus the internet browsing.
    Strange thing is, all these problems seem to be different, but they all started around the same time. I have been testing everything I can think of. Talked to Sprint, where the lady was actually very helpful...just have to get to the right person. But nothing we tried did any good.
    Does anyone know of any settings on my ASA that I need to change in order to get these types of connections to work?
    The best part of all this is that my Linux machine can connect/surf/and browse the internal network through the VPN just like it normally would work.
    Something has to be wrong with my client config settings that is causing this to happen.

    Have you enabled NAT Traversal? (Both on the Client and ASA)
    That would be the first thing to check.
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
    Regards
    Farrukh

  • ASA 5505 Username and Password

    Hi All,
    I am trying to configure an ASA 5505 with a username and password. I set all the passwords:
    password xxxxxxx
    enable password xxxxxxx
    username xxxxxx password xxxxxxx
    When I reload the device it prompts me for the username, then the password and it fails and just asks for the username again. I have even tried to delete the username/password combo but it still prompts me for it. When I do password recovery the confreg is 0x00000001. I am no ASA expert and this is getting a bit frustrating.
    When I first configured the device and reloaded it, everything worked fine.....once. Upon the second reload it just keeps prompting me.
    Thanks for any help.
    Bill

    Hello Carter,
    Hmm, it sounds like a config-register problem.
    So when you are in rommon you got to set the confreg to be on 0x41 so you can ignore the startup-config.
    Then when you enter to the ASA please do the following:
    enable password cisco
    username password cisco
    config-register 0x01
    wr
    and then finally reload,
    Regards,
    Julio

  • Changed our ASA IP address and we're no longer able to Authenticate with RSA.

    Hi,
    We changed our ASA IP last night and since then we can no longer authenticate with RSA.  I know we had to modify the IAS policy on our DC to the new IP but I'm not sure where I would change that in RSA.  Any one have an idea?
    ASA 5510 (8.3)
    RSA (6.1)
    Thanks.

    I don't have
    > Programs > RSA ACE Server
    I have the following...
    RSA Authentication Manager Configuration Tools > RSA Authentication Manager
    RSA Authentication Manager Configuration Tools > Configuration Management
    RSA Authentication Manager Configuration Tools >  Replica Management
    RSA Authentication Manager Database Tools > Compress
    RSA Authentication Manager Database Tools > Dump
    RSA Authentication Manager Database Tools > Load
    RSA Authentication Manager Control Panel
    RSA Authentication Manager Host Mode
    RSA Authentication Manager Log Monitor
    RSA Authentication Manager Remote Mode
    RSA Security Center
    Where would I find the configuration from those items?

  • VPN ASA inside Interface and ip pool are one same Subnet

    Hi Everyone,
    I have configured RA VPN full tunnel.
    Inside interface of ASA is
    Vlan1                    inside                 10.0.0.1        255.255.255.0   CONFIG
    ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
    I need to know: is it good design to have both on the same subnet?
    When I access the switch connected to the VPN ASA inside interface via https://10.0.0.2
    (the switch has IP 10.0.0.2) while using the remote VPN connection to the ASA, it does not work and gives the error
    messages below:
    Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
    Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
    Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)
    Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK  on interface outside
    Current NAT config is
    nat (inside,outside) source dynamic any interface
    Regards
    MAhesh

    Hi Mahesh,
    It should work but I generally would not suggest having the same network on the LAN and also configured partially as a VPN Pool network.
    Your problem at the moment is simply lacking the NAT0 configuration for the traffic between LAN and VPN Pool.
    I would suggest changing the VPN Pool first and then configuring this
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network VPN-POOL
    subnet
    nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
    We have to use the line number "1" in the above command so that it gets moved to the top since your current Dynamic PAT would otherwise override it.
    In the future it would be best if you changed your current Dynamic PAT configuration to this
    nat (inside,outside) after-auto source dynamic any interface
    We simply add the "after-auto" to this Dynamic PAT configuration so that it gets moved down in priority. The "after-auto" refers to the fact that this NAT will be inserted after Auto NAT (after Section 2). Your current rule is Manual NAT (Section 1). The new rule will be Manual NAT (Section 3).
    - Jouni
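
The rule-ordering argument in the reply above, worked through as an added example (not part of the original thread): a simplified Python model of first-match NAT lookup across Sections 1, 2 and 3, not the ASA's actual implementation. The pool subnet 10.10.10.0/24 is a constructed placeholder because the post leaves it blank, and all function and variable names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("10.0.0.0/24")         # LAN object from the post
VPN_POOL = ip_network("10.10.10.0/24")  # constructed: the post leaves the new pool subnet blank


@dataclass(frozen=True)
class Rule:
    name: str
    section: int   # 1 = manual NAT, 2 = auto NAT, 3 = manual NAT with after-auto
    kind: str      # "static" applies in both directions, "dynamic" only real -> mapped
    src: object    # real source network on the inside
    dst: object = ANY


def ordered(rules):
    # sorted() is stable: inside a section the configured order is kept.
    return sorted(rules, key=lambda r: r.section)


def match_outbound(rules, src, dst):
    """First rule hit by an inside -> outside packet."""
    return next((r for r in ordered(rules) if src in r.src and dst in r.dst), None)


def match_inbound(rules, src, dst):
    """First rule hit by an outside -> inside packet (static rules only)."""
    return next((r for r in ordered(rules)
                 if r.kind == "static" and dst in r.src and src in r.dst), None)


def vpn_to_lan(rules, client, host):
    """Verdict for a VPN client opening a connection to a LAN host."""
    c, h = ip_address(client), ip_address(host)
    forward = match_inbound(rules, c, h)
    reverse = match_outbound(rules, h, c)
    # Different rules for the two directions is what %ASA-5-305013 reports.
    return "permit" if forward == reverse else "deny 305013"


PAT = Rule("nat (inside,outside) source dynamic any interface", 1, "dynamic", ANY)
PAT_AFTER_AUTO = Rule("nat (inside,outside) after-auto source dynamic any interface",
                      3, "dynamic", ANY)
NAT0 = Rule("nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL",
            1, "static", LAN, VPN_POOL)


def scenarios():
    return {
        "posted config": vpn_to_lan([PAT], "10.0.0.51", "10.0.0.2"),
        "NAT0 added below the PAT": vpn_to_lan([PAT, NAT0], "10.10.10.51", "10.0.0.2"),
        "NAT0 at line 1": vpn_to_lan([NAT0, PAT], "10.10.10.51", "10.0.0.2"),
        "PAT moved to after-auto": vpn_to_lan([PAT_AFTER_AUTO, NAT0], "10.10.10.51", "10.0.0.2"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28} {verdict}")
```

The second scenario shows why the line number matters: an exemption appended below the dynamic PAT in Section 1 still fails the reverse-path check in this model.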

  • Two Asa Two Isp and Windows 2008 R2 Server

    Hello Everybody ,
    If you can support my issue , I do appreciate a lot.
    First of all thanks a lot for your interest ..
    Here is my  issue :
    I have two Isp Connection ( 1 metro Eth Connection  and 1 Ghdsl Connection )
    1) Asa 5505 (Version 8.0(5)) is for the 1.st Isp Connection
    Windows 2008 R2 server is up and running as Web Server on this ASA 5505 config.
    As:
    (static (inside,outside) mywebsrv.mycompany.com 192.168.5.5 netmask 255.255.255.255
    And Ipconfig of W2008Srv is 192.168.5.5 255.255.255.0 192.168.5.1 (Gateway ASA 5505)
    2) Asa 5510 (Version 8.0(5)) is for the 2.nd Isp Connection
    Windows 2003 R2 server is up and running as Ftp Server on this ASA 5510 config.
    As:
    (static (inside,outside) myftpsrv.mycompany.com 192.168.50.10 netmask 255.255.255.255
    And Ipconfig of W2003Srv is 192.168.50.10  255.255.255.0 192.168.50.1 (Gateway ASA 5510)
    Here is my question :
    I need to move my FTP server (due to old hardware + old server issues)
    into the Windows 2008 R2 Server (HP DL Server with 4 NICs).
    If I connect my ASA 5510 to the second NIC of the Windows 2008 R2 Server
    and give it an IP address of 192.168.50.10 255.255.255.0,
    what should the gateway IP address be?
    Before I go ahead and implement :
    a) What do I need to do  on  the Windows 2008 R2 Server
    as persistent route adds with different metrics
    b) Any config adds or changes on Asa 5505 and ASA 5510 regarding static routes with
       different metric and so on ...
    Many thanks in advance for your support .

    If you do that, the second interface will work as a failsafe for the first NIC.
    As far as I know, you won't be able to route traffic based on the type of traffic, nor do load-balancing between the interfaces.
    I guess the best approach will be to get a newer server and use it as a replacement for the one running 2003 R2.

  • ASA 8.0 and Microsoft ISA (local user backup)

    What is the command so that when the username + password cannot be found in the microsoft isa server, the pix will look at the local database?
    This command works in the router, but I cannot seem to find the equivalent for the pix.
    aaa authentication login default local group tacacs+
    Basically does the pix asa 8.0 support Multiple authorization commands?
    Thank you very much for your help.

    On a router, "aaa authentication login default local group tacacs+ " will ALWAYS use the local user DB, never tacacs.
    "aaa authentication login default group tacacs+ local" will first try tacacs and only if the tacacs server is not responding, use the local DB. Note that if the tacacs DOES respond but rejects the authentication attempt (user does not exist or wrong password), that the router will NOT use the local DB.
    That said, on pix/asa you can do the same, e.g.:
    aaa-server TPLUS protocol tacacs+
    aaa-server TPLUS (management) host 10.0.0.1
    aaa authentication telnet console TPLUS LOCAL
    hth
    H

  • ASA reset-I and reset-O

    Hi there, 
    I have a couple of questions regarding Reset-I and Reset-O messages on the Cisco ASA.  I read a document that Reset-I will appear on the ASA if the inside host resets the connection, but what denotes an 'Inside' host?  Is the inside host determined based on the context of the connection? For example, if a host on the internet initiated a connection to a host in the DMZ, and the internet host sent the reset, would this be logged as a 'Reset-I' because although the host was on the internet it was the side initiating the connection?
    Also, the same document said that the Reset was sent to the ASA as an indication to drop the connection, but the hosts wouldn't know about the ASA, so isn't the reset actually sent to the host with which they are communicating?
    Last question - What would actually cause a connection to be reset, as it says resets are sent after the TCP connection has been established?

    Hi,
    It is actually on the basis of the security level. If the reset is sent from the higher security level, then it will be "RESET-I", and if from the lower level, "RESET-O".
    I think if you go through this document and the command , you would understand the behavior of ASA sending the RESETS.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1452931
    Thanks and Regards,
    Vibhor Amrodia

  • ASA interface name and nameif are different

    Hi Everyone,
    On one of the ASAs I have this config, say
    interface BCISCO
    nameif CISCO
    ip address 192.168.x.x 255.255.0.0 standby IP 192.168.x.x
    I need to understand why the interface and nameif are different here.
    Also, when I try to access the ASA by ASDM from the internal network, the log shows
    built inbound TCP connection for ASA interface.
    So I need to know: whenever we access the ASA from the internal network, will it say inbound connection?
    Or are there some criteria that tell when a connection is inbound to the ASA?
    Thanks
    MAhesh

    Hi Jouni,
    yes it is in context mode
    72           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-302013: Built inbound TCP connection 11283929 for Net:192.168.100.17/62287 (192.168.100.17/62287) to identity:192.168.100.12/443 (192.168.100.12/443)
    71           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62286 to 192.168.100.12/443 flags FIN ACK  on interface Net
    70           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-302014: Teardown TCP connection 11283774 for Net:192.168.100.17/62286 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
    69           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-605005: Login permitted from 192.168.100.17/62286 to Net:192.168.100.12/https for user "cisco"
    68           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-302013: Built inbound TCP connection 11283774 for Net:192.168.100.17/62286 (192.168.100.17/62286) to identity:192.168.100.12/443 (192.168.100.12/443)
    67           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62285 to 192.168.100.12/443 flags FIN ACK  on interface Net
    66           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-302014: Teardown TCP connection 11283684 for Net:192.168.100.17/62285 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
    65           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62285 to Net:192.168.100.12/https for user "cisco"
    64           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-606001: ASDM session number 0 from 192.168.100.17 started
    63           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62284 to Net:192.168.100.12/https for user "cisco"
    62           2013/04/17 10:10:52.733 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283684 for Net:192.168.100.17/62285 (192.168.100.17/62285) to identity:192.168.100.12/443 (192.168.100.12/443)
    61           2013/04/17 10:10:52.718 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283681 for Net:192.168.100.17/62284 (192.168.100.17/62284) to identity:192.168.100.12/443 (192.168.100.12/443)
    60           2013/04/17 10:10:52.515 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62283 to 192.168.100.12/443 flags FIN ACK  on interface Net
    59           2013/04/17 10:10:52.515 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-302014: Teardown TCP connection 11283636 for Net:192.168.100.17/62283 to identity:192.168.100.12/443 duration 0:00:02 bytes 806 TCP Reset-O
    58           2013/04/17 10:10:52.515 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62283 to Net:192.168.100.12/https for user "cisco"
    57           2013/04/17 10:10:52.358 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-606003: ASDM logging session number 0 from 192.168.100.17 started
    56           2013/04/17 10:10:52.358 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62282 to Net:192.168.100.12/https for user "cisco"
    55           2013/04/17 10:10:50.374 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283636 for Net:192.168.100.17/62283 (192.168.100.17/62283) to identity:192.168.100.12/443 (192.168.100.12/443)
    54           2013/04/17 10:10:50.140 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283629 for Net:192.168.100.17/62282 (192.168.100.17/62282) to identity:192.168.100.12/443 (192.168.100.12/443)
    53           2013/04/17 10:10:50.108 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62281 to 192.168.100.12/443 flags FIN ACK  on interface Net
    52           2013/04/17 10:10:50.108 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-302014: Teardown TCP connection 11283529 for Net:192.168.100.17/62281 to identity:192.168.100.12/443 duration 0:00:02 bytes 3107 TCP Reset-O
    51           2013/04/17 10:10:49.937 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-605005: Login permitted from 192.168.100.17/62281 to Net:192.168.100.12/https for user "cisco"
    50           2013/04/17 10:10:47.640 MST     192.168.100.12  Apr 17 2013 17:10:46: %ASA-6-302013: Built inbound TCP connection 11283529 for Net:192.168.100.17/62281 (192.168.100.17/62281) to identity:192.168.100.12/443 (192.168.100.12/443)
    Where interface NET is the ASA interface with IP 192.168.100.12
    and 192.168.100.17 is my PC's IP.
    This is the log while I access the ASA by https.
    Can you please tell me why the logs have repeated entries? For example,
    "ASDM logging session started" appears 2 times.
    Thanks
    MAhesh

  • ASA: Smart Tunnel and proxy problem

    Hello
    I am having a problem where some of my external users who have a proxy set up on their end can't use the smart tunnel.
    They get a proxy warning when they click on a bookmark.
    If I skip using Smart tunnel the user can't start the Citrix app and gets a corrupted ICA file.
    Is it a common problem? If so, is there a solution?
    KR
    Daniel

    Hi Daniel,
    "Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the ASA, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy."
    You can get more information from following link:-
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html#wp1321610
    HTH!!
    Regards,
    Naresh

  • ASA connection rate and stateful packet inspections rate limiting

    Can anyone please send me a link or links on how to configure "connection rate" and "stateful packet inspections rate" on an ASA?
    It seems the links are not easy to find.
    thanks,
    Han

    Hi Han,
    I assume you're referring to the use of resource classes to limit the connection build and inspection rates? If so, this is only available in multiple context mode. You can find some config examples for that feature here:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1142960
    -Mike
