ASA5515-K9 ASA5510-SEC-BUN-K9 VPN

hi i have 10 Firewalls they are in different location all of them are supporting IPsec 250 Sessions 
to implement one into the HQ and the other 9 into the branches can i configure Site-to-Site VPN from each branch connected to the HQ i mean dose these number of Concurrent  connection to the HQ  Firewall covered by the total Number of 250 or i have to have another kind of license to the HQ Firewall.
thanks 

The actual license includes Site-to-site IPsec and IKEv1 remote access (which is used by the legacy EasyVPN-client). So you are fine with your actual license. Only if you plan to use AnyConnect RA-VPN, then you need additional licenses.
The config will be quite easy if you need pure hub-and-spoke. For spoke-to-spoke-traffic through the hub, it is a little bit more complex. For this scenario you can consult the following document:
https://supportforums.cisco.com/document/12015091/cisco-asa-vpn-spoke-spoke-communication-hub

Similar Messages

  • SMARTnet 8x5xNBD part number for ASA5510-SEC-BUN-K9

    Dears,
    I am trying to find the part number for the Cisco SMARTnet Maintenance 8x5xNBD for the Cisco   ASA5510-SEC-BUN-K9.
    I browse cisco website, tried dynamic config tool, forums etc but no luck.
    1: Please let me know the part number for it.
    2: Which tool can be used to find smartnet or other Maintenance details/partnumbers
    3: Is there any specific tool other then Dynamic Config to generate BOM
    BR,
    ABDUL MAJID KHAN

    Yes there is. You can use Cisco Commerce Workspace which is a classical tool from Cisco. Cisco Commerce workspace provides one integrated commerce experience that allows cisco partners to register deals, configure and price products, software and related services, and submit orders from a single Workspace.

  • Failover setup between ASA5510-AIP10SP-K9 and ASA5510-SEC-BUN-K9

    Not sure if we can setup Active/standby failover between ASA5510-AIP10SP-K9 and ASA5510-SEC-BUN-K9 at all?
    If anyone could advice please, that would be grateful. Thanks a lot

    You would need the module on both appliances to setup failover.
    Regards
    Farrukh

  • ASA5510-BUN-K9 + L-ASA5510-SEC-PL= license Does the support change?

    Hi,
    I have two ASA5510-BUN-K9 Fws and I am planning to buy 2 x L-ASA5510-SEC-PL= to put them in HA.
    I was wondering if the support contract that I curently have for the two ASAs is still valid or do I have to buy any support upgrade?
    Any help is much appreciated!

    Hi Juan,
    As long as the contract is still valid it will still cover the firewalls with a new license. The contract is tied to the serial number of the device, rather than the license installed on it.
    -Mike

  • ASA5510-SEC with CSC-SSM and Plus lic

    I have setup the ASA5510-SEC with the CSC-SSM and it is working great.  What I need is to be able to provide, for the client, reports of how much time particular users spend on the Internet, where they go on the Internet etc.  Do I need more product to do this reporting?  Would also like to have email reports
    Thanks,

    I would recommend posting in netpro for this.  This community doesn't work with the ASA series.
    www.cisco.com/go/netpro

  • ASA5510 configuration to end VPN L2L and remote client in DMZ interface

    Hi,
    we have a Cisco ASA5510 with 3 interfaces.
    - Internet Interface with private addressing
    - DMZ Interface with public IP address
    - Internal interface.
    Our ISP route our public IP range to our Internet interface (with a 192.168.x.x).
    I'm trying to configure ASA5510 for L2L VPN and for Cisco VPN client server listening in the public IP@ assigned to the DMZ interface, but for the moment without success.
    Is it possible?. Any consideration to have into account?.
    I attach a diagram.
    I see packets UDP500 arriving to the Internet interface but there is no replies:
    172: 17:07:25.164115 81.223.31.240.50763 > X.X.X.X.500:  udp 1160
    (X.X.X.X is a public IP@ configured in the DMZ interface)
    Thanks a lot.

    I don't think it is possible with only one *logical* interface. Router as a EZVPN Client requires two interfaces to do PAT for traffic going to the Internet. So far as I know, this is autoconfigured in both Client and NEM modes and cannot be disabled. However you *can* use 802.1q trunk to create two *logical* interfaces and configure EZVPN Client, or just configure Site-to-Site on a stick.
    HTH

  • Issues with multiple subnets - ASA5510 to Vigor 2820 VPN

    Hi there,
    I am hoping someone here can help.  I have been struggling for some time to sort out issues in a VPN we have between our main London office and the Edinburgh branch office.  We have an ASA 5510  in London, talking to a Vigor 2820 in Edinburgh. 
    The London office has a 192.168.0.0/24 subnet, with the default gateway as a Cisco Catalyst at 192.168.0.254, and the Cisco ASA at 192.168.0.254 as the firewall. 
    The Edinburgh office has the subnet 192.168.2.0/24, with the Vigor running on 192.168.2.1, providing routing, DHCP and firewall services there. 
    I have the VPN working fine, correctly routing traffic between those two subnets over the IPsec tunnel.  However, I have had much trouble adding additional subnets for our VLANs in London.
    What I want to happen is traffic from 192.168.2.0/24 to be able to get to and from 192.168.50.0/24 and several similar networks.
    Upon tracing it using the Cisco packet tracer, I can see that the packets for the 192.168.50.0/24 subnet are not making it over the tunnel, having being stopped by the VPN: subtype: encrypt rules.  Looking at these rules though, I can't spot the problem.  Multiple changes of order of the rules, and reloads have not sorted out the problem.  When I run a packet trace on the main subnet it works fine.  I have attached some of the configuration (below) as well as the output from the packet tracer, and the config of the Vigor router.
    I apologise in advance for the length of the post, but I have tried to include all relevant information to see if anyone can help.
    Firstly, here's the ASA config that seemed relevant.  I tried to remove some since we have quite a few site-to-site tunnels set up, and these are probably not relevant (and are all working correctly).
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 nat (inside) 0 access-list insideOutboundNonatAclnat (inside) 9 access-list vpnNatAclnat (inside) 10 192.168.30.5 255.255.255.255nat (inside) 10 192.168.0.0 255.255.255.0nat (inside) 10 192.168.20.0 255.255.255.0nat (inside) 10 192.168.30.0 255.255.255.0nat (inside) 10 192.168.50.0 255.255.255.0access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any access-list inside_in extended permit tcp host 192.168.5.2 host 192.168.0.2 eq domain access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0 access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 access-group inside_in in interface insideaccess-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 route inside 192.168.20.0 255.255.255.0 192.168.0.254 1route inside 192.168.50.0 255.255.255.0 192.168.0.254 1route inside 192.168.30.0 255.255.255.0 192.168.0.254 1route inside 192.168.40.0 255.255.255.0 192.168.0.254 1crypto ipsec transform-set ESP_DES_MD5 esp-des esp-md5-hmac crypto ipsec transform-set TRANS_VPN_SET esp-3des esp-md5-hmac crypto ipsec transform-set TRANS_VPN_SET mode transportcrypto ipsec transform-set TRANS_VPN_SET_2 esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_VPN_SET_2 mode transportcrypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec df-bit clear-df outsidecrypto dynamic-map core_vpn_dyn_map 20 set transform-set ESP_3DES_MD5 ESP_DES_MD5 TRANS_VPN_SET TRANS_VPN_SET_2crypto dynamic-map core_vpn_dyn_map 40 set pfs crypto dynamic-map core_vpn_dyn_map 40 set transform-set ESP_3DES_SHA ESP_DES_MD5crypto map outside_map 2 match address outside_2_cryptomapcrypto map outside_map 2 set pfs crypto map outside_map 2 set peer [branch peer ip]crypto map outside_map 2 set transform-set ESP_3DES_MD5crypto isakmp identity address crypto isakmp identity address crypto isakmp policy 25 authentication pre-share encryption 3des hash md5     group 1      lifetime 28800crypto isakmp nat-traversal  30crypto isakmp disconnect-notifygroup-policy DfltGrpPolicy attributes banner none  wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 100 vpn-idle-timeout none vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth enable group-lock none pfs disable  ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable  backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable  nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none smartcard-removal-disconnect enable client-firewall none client-access-rule nonetunnel-group [branch peer ip] type ipsec-l2ltunnel-group [branch peer ip] ipsec-attributes pre-shared-key *
    Note: [branch peer ip] replaces any instances of the branch office outside IP address
    I appreciate there may be some duplicated/redundant rules here - I have been playing with config to try to fix the problem.  I'd really appreciate any suggestions on how to track this down. 
    Here's the vigor config:
    So it looks to match ok to me at both ends, unless there is something I missed.  The vigor routing table shows:
    Key: C - connected, S - static, R - RIP, * - default, ~ - private*             0.0.0.0/         0.0.0.0 via [ISP gateway server],   WAN1S         [branch peer ip]/ 255.255.255.255 via [branch peer ip],   WAN1S~       192.168.40.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.50.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.10.0/   255.255.255.0 via [London office ip],    VPNS~        192.168.0.0/   255.255.255.0 via [London office ip],    VPNC~        192.168.2.0/   255.255.255.0 is directly connected,    LANS~        192.168.7.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.30.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.20.0/   255.255.255.0 via [London office ip],    VPN*     [ISP dns server]/ 255.255.255.255 via [ISP gateway server],   WAN1
    I have replaced IPs here as is shown.  You can see the vigor seems to want to route the appropriate traffic over the VPN.
    Finally, here is the packet trace output:
    ciscoasa# packet-trace input outside tcp 192.168.2.1 echo 192.168.50.10 echo d$Phase: 1Type: FLOW-LOOKUPSubtype: Result: ALLOWConfig:Additional Information:Found no matching flow, creating a new flowPhase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   192.168.50.0    255.255.255.0   insidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group outsideInAcl in interface outsideaccess-list outsideInAcl extended permit ip 192.168.2.0 255.255.255.0 any Additional Information: Forward Flow based lookup yields rule: in  id=0x4529e48, priority=12, domain=permit, deny=false        hits=362922, user_data=0x4529e08, cs_id=0x0, flags=0x0, protocol=0        src ip=192.168.2.0, mask=255.255.255.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 4      Type: IP-OPTIONSSubtype:      Result: ALLOW Config:       Additional Information: Forward Flow based lookup yields rule: in  id=0x44057f0, priority=0, domain=permit-ip-option, deny=true        hits=2693939, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0        src ip=0.0.0.0, mask=0.0.0.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 5      Type: NAT-EXEMPTSubtype: rpf-checkResult: ALLOW Config:       Additional Information: Forward Flow based lookup yields rule: in  id=0x44fe9a0, priority=6, domain=nat-exempt-reverse, deny=false        hits=12, user_data=0x44fe800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0        src ip=192.168.2.0, mask=255.255.255.0, port=0        dst ip=192.168.50.0, mask=255.255.255.0, port=0Phase: 6      Type: NAT     Subtype: rpf-checkResult: ALLOW Config:       nat (inside) 10 192.168.50.0 255.255.255.0  match ip inside 192.168.50.0 255.255.255.0 outside any    dynamic translation to pool 10 (external [Interface PAT])    translate_hits = 2250, untranslate_hits = 17Additional Information: Forward Flow based lookup yields rule: out id=0x4b80e80, priority=1, domain=nat-reverse, deny=false hits=32, user_data=0x4b80ce0, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=192.168.50.0, mask=255.255.255.0, port=0Phase: 7Type: NATSubtype: host-limitsResult: ALLOWConfig:nat (inside) 10 192.168.50.0 255.255.255.0  match ip inside 192.168.50.0 255.255.255.0 outside any    dynamic translation to pool 10 (external [Interface PAT])    translate_hits = 2250, untranslate_hits = 17Additional Information: Reverse Flow based lookup yields rule: in  id=0x4b80fa0, priority=1, domain=host, deny=false hits=2811, user_data=0x4b80ce0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=192.168.50.0, mask=255.255.255.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 8Type: IP-OPTIONSSubtype:      Result: ALLOW Config:       Additional Information: Reverse Flow based lookup yields rule: in  id=0x4469ef8, priority=0, domain=permit-ip-option, deny=true        hits=2010804, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0        src ip=0.0.0.0, mask=0.0.0.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 9      Type: VPN     Subtype: encryptResult: DROP  Config:       Additional Information: Reverse Flow based lookup yields rule: out id=0x4887aa8, priority=70, domain=encrypt, deny=false        hits=10, user_data=0x0, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0        src ip=192.168.50.0, mask=255.255.255.0, port=0        dst ip=192.168.2.0, mask=255.255.255.0, port=0Result:       input-interface: outsideinput-status: upinput-line-status: upoutput-interface: insideoutput-status: upoutput-line-status: upAction: drop  Drop-reason: (acl-drop) Flow is denied by configured rule
    So it seems to find the rule, which it ought to match, but then returns DENY.  What's going on here?  Perhaps this is misleading and the issue is elsewhere, but it isn't clear from the output here.
    For further information, this is output for the WORKING subnet - I have just taken a small part here though:
    Phase: 10     Type: VPN     Subtype: encryptResult: ALLOW Config:       Additional Information: Reverse Flow based lookup yields rule: out id=0x4b86418, priority=70, domain=encrypt, deny=false        hits=332214, user_data=0x7da5c, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0        src ip=192.168.0.0, mask=255.255.255.0, port=0        dst ip=192.168.2.0, mask=255.255.255.0, port=0
    Thanks very much in advance for any help you can provide - I've been really stuck on this one!
    Chris

    Hi,
    Can you issue the packet-tracer with the direction beeing your London office -> Remote office?
    Also issue the command twice.
    Personally I've used packet-tracer with some L2L VPNs to test if the remote end has the configurations correct. Also I've noticed that the first packet-tracer test never goes through. So issue that command twice and show how it goes.
    Though I imagine you have tried to connect through the L2L VPN with real host machines and not just the firewalls packet-tracer?
    Also I imagine the original info has a typo. You say your ASAs LAN gateway IP and the local L3 switches IP address is the same, 192.168.0.254.
    Basically the hardest part regarding L2L VPNs should be the initial setup of the VPN connection. Even though it should be simple people still tend to mess up PSKs or Phase1/2 parameters. But as your L2L VPN is already in working order and you are just adding networks to it, it should be pretty simple.
    When you add network and dont require any special NAT configurations, your NAT0 and Encryption domain access-list should look pretty much the same.
    And looking at your configurations, it should be like this
    access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    Btw what is the network 192.168.7.0/24? It seems to have a VPN rule at the remote site but not at the HO site. Though there is a NAT0 rule for that traffic on the HO site.
    EDIT: I imagine the VPN network rules should be an exact mirror image of eachother. Though it seems this doesnt stop devices from negotiating the VPN up but who knows if some other device type is picky about that one. Only thing in your situation that I see is the network 192.168.7.0/24 that is not included in the other ends configurations.
    EDIT2: Also the reason your test for the already existing rule might be going through without a problem might be because the tunnel is up and working for the networks in question.
    EDIT3: Does your Vigor device also have NAT0 rules configured for the new networks?
    - Jouni

  • I Want to Buy ASA5505-SEC-BUN-K9 License Key --ONLINE

    Hello Guys i want to buy Cisco ASA 5505 License Key by Online , so please can any one refer to me a very helpfull way to buy for this license ---it urgent please

    I'm assuming you don't have a reseller realtionship already. In that case, just go to Amazon.com and pick one.
    For example:
    http://www.amazon.com/Asa-5505-Sec-Plus-License/dp/B000MFORRA

  • What version of Cisco software and firmware is supposed to be packaged with a new CISCO ASA5505-SEC-BUN-K9?

    What version of ASA should be expected (8.2)?
    What version of ASDM (6.3)?
    Will registration of this product give me rights to download the latest version of these software package directly from Cisco?
    The box has an NB date: 11-MAR-14.  What does NB date mean?
    I just bought this product and all the printed material and the CD are full of apparently dated material.  I tried to use the "Cisco ASM-IDM launcher Installer Information" from the CD and it is asking for the JRE to be downloaded from http://java.sun.com/javase/downloads while I have the latest version already installed. What in the world?  This is a security product and it is demanding that a inherently insecure product be installed?
    I also got a three pronged power cable that seems to be a standard for latin America or Europe. Can someone give me a heads up on this?

    What version of ASA should be expected (8.2)?
    On my last order, which was about 6 months ago, I got an ASA with version 9.1.  So I would assume that you would get atleast that version now if not a newer version.
    What version of ASDM (6.3)?
    Again, I got ASDM version 7.1 with my last purchase, so a new order should receive the same if not newer.
    Will registration of this product give me rights to download the latest version of these software package directly from Cisco?
    No, you will need to have a support contract with Cisco in order to download newer versions of software. Product registration only gives you rights to download software that was shipped with the device.
    The box has an NB date: 11-MAR-14.  What does NB date mean?
    Not sure what that is.
    I just bought this product and all the printed material and the CD are full of apparently dated material.  I tried to use the "Cisco ASM-IDM launcher Installer Information" from the CD and it is asking for the JRE to be downloaded from http://java.sun.com/javase/downloads while I have the latest version already installed. What in the world?  This is a security product and it is demanding that a inherently insecure product be installed?
    I think Richard is right.  Sounds like the box has been sitting on the shelf a while.  Perhaps ask the reseller to provide you with a new image release?
    I also got a three pronged power cable that seems to be a standard for latin America or Europe. Can someone give me a heads up on this?
    In all the Cisco purchases I have made I have always received a 3 prong cable along with 2 others (a 2 prong and another...different...3 prong cable).  I believe the devices are shipped in such a way that they do not need to be "customized" for each country. That way they can be shipped to whichever country and be good to go once they arrive.
    Please remember to select a correct answer and rate

  • How to get ASA K9 Bundle

    Hi,i have ordered for ASA 5510 SEC-BUN-K9,but i have recieived ASA 5510-sec-Bun-K8 but not K9.i have tried to download from cisco downloads but i would not find ASA5510-SEC-BUN-K9 to download ,How can this problem be solved?????where can i get the K9 image?

    ASA5510-BUN-K9:
    Cisco ASA 5510 Firewall Edition includes 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
    ASA5510-K8:
    Cisco ASA 5510 Firewall Edition includes 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, DES license
    The difference seems obvious. K9 supports 3des/aes, k8 only supports des. This is usually just a license upgrade, but I honestly don't know for sure.
    http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html
    register for 3des/aes keys here:
    http://www.cisco.com/kobayashi/sw-center/ciscosecure/asa.shtml

  • ASA-5510-k8 vs ASA-5510-k9

    Hello all!
    I was wondering if anyone new the difference out there between an ASA5510-k8 and k9. Is this a software or hardware version. If I was using 2 ASA's in failover/standby environment those the 2 need to match or can these be different. Any feedback would be helpful Thanks.

    Hi Edwin,
    Please see below the information ref to 5510 licensing (gives you the differences between K8 &K9) and Active/standby failover implementation requirements for ASA...
    Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, 3DES/AES license
    ASA5510-BUN-K9
    Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, DES license
    ASA5510-K8
    Cisco ASA 5510 Security Plus Firewall Edition includes 2 Gigabit Ethernet + 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, Active/Standby high availability, 3DES/AES license
    ASA5510-SEC-BUN-K9
    Licensing Requirements for Active/Standby Failover
    The following table shows the licensing requirements for this feature:
    Model
    License Requirement
    ASA 5505
    Security Plus License. (Stateful failover is not supported).
    ASA 5510
    Security Plus License.
    All other models
    Base License.
    Prerequisites for Active/Standby Failover
    Active/Standby failover has the following prerequisites:
    •Both units must be identical security appliances that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.
    •Both units must have the same software configuration and the proper license.
    •Both units must be in the same mode (single or multiple, transparent or routed).
    Below are the  links for reference..
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html
    hth
    MS

  • Active/Standby Failover with pair of 5510s and redundant L2 links

    Hi
    I just got two ASA5510-SEC-BUN-K9 and I'm wondering is it possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510 and redundant pair of switches from both inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in pair od ASAa) to each L2 switch (in pair of redundant L2 Switches). The configuration I would like to achive is just like one in Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
    Thanks in advance
    Zoran Milenkovic

    Hello Zoran,
    Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be same with ASAs-
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
    The difference is that on ASA, you can only have LAN-Based failover, hence you'll need to use one additional interface on both ASAs for failover-link. You can connect these two failover-link interfaces directly using a cross cable.
    Apart from this, please refer to following link on how to go with configuration of Lan-based Active/Standby failover-
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
    Also make sure that both ASAs have required hardware/software/license based on following link-
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
    Hope this helps.
    Regards,
    Vibhor.

  • Firewall Interfaces

    Hi  ,
    i have  purchased a new  firewall  and  ask the vendor  the part no---ASA5510-SEC-BUN-K9 .
    Which  has  3 fast ethernet and  2gig  ports   . How  to  identify  thoses ports  . Does  they  come  with  ethernet 0,1,2,3,4  or   Gig 0 and gig 1 then fast 2,3 and 4.
    Please advice.
    THANKS,
    Saroj

    They go by e0/0, e0/1, e0/2, e0/3 and e0/4.
    The first 2 ports e0/0 and e0/1 can be enabled to gig speed.

  • Change ASA5510 to ASA5515-X

    Hi,
    I would like to change ASA5510 to ASA5515-X.
    ASA5510 version is 9.1.1
    Which is the best method to copy the configuration?
    Downtime is acceptable.
    I dont know if backup (with ASDM) ASA5510 configuration and restore on 5515 could work because of their difference (Ethernet, GigabitEthernet for example...)
    Thanks for your help,
    Patrick

    What I've done to copy ASA 5510 configuration to ASA 5515-X without error...
    On ASA 5510 :
    - backup configuration with ASDM --> backup.zip with password
    - copy running-config in a file : backup.cfg
    I modified few lines on backup.cfg:
    - Ethernet to GigabitEthernet
    - boot image
    On ASA 5515-X
    - I configured management interface then I copy many files (dap.xml, <allvpnprofiles>.xml, anyconnect.pkg, ASA, ASDM, backup.cfg)
    - I configure "boot system" and "asdm image"
    - on ASDM, I restored with the wizard and I select Certificate and VPN. (but VPN data was not restored)
    - with CLI, I copied backup.cfg to running-config then write mem
    - there was only few warnings and there was no error after reboot.
    I didnt tried to connect in production but configuration seems correct.
    Patrick

  • ASA5510 VPN Bandwidth Calculations

    Were running an ASA5510 with multiple IPSEC VPN clients over a 100Mb leased line. At the moment we have about 10 active clients however we are looking at gearing up to about 100 clients.
    Question is, is there a known method for calculating the required bandwidth for this number of clients or indeed obtaining metrics from already connected clients to help with this calculation.
    We have tried a few monitoring products, most notably Solarwinds, however none of the products we have tried seems to be able to give us the throughput of the individual VPN connections to assist with our calcs....

    Hi Rob,
    Check  out VPNTTG (VPN Tunnel Traffic Grapher) is a software for SNMP  monitoring and measuring the traffic load for IPsec  (Site-to-Site,  Remote Access) and SSL (With Client, Clientless) VPN  tunnels on a Cisco  ASA. It allows the user to see traffic load on a VPN  tunnel over time  in graphical form.
    Advantage of VPNTTG over other SNMP based monitoring software's is   following: Other (commonly used) software's are working with static OID   numbers, i.e. whenever tunnel disconnects and reconnects, it gets   assigned a new OID number. This means that the historical data,  gathered  on the connection, is lost each time. However, VPNTTG works  with VPN  peer's IP address and it stores for each VPN tunnel  historical  monitoring data into the Database.
    For more information about VPNTTG please visit www.vpnttg.com

Maybe you are looking for

  • Setting up Time Machine - it won't recognise my external hard disk - help!

    I'm trying to set up time machine to use as my back up system. I have an external drive plugged in by USB that the desktop and finder are picking up - but when I got to 'find disk' as I am setting up Time Machine - it doesn't show any disks to choose

  • Third party windows 8.1 driver for VMSpc Version 3.0

    I purchased a HP Stream 7 to use as an engine monitor for my motorhome. The tablet will not recognize the driver for the JIB. I have the latest driver and it installs perfectly on my Pavilion x2 with the same operating system. Nothing seems to work w

  • Strange problem pasting and backspacing in Mail.app

    I've been having a strange problem in Mail.app when composing messages.  Suppose I have a short, three-line message like this: Hi John, Here's the quote from Einstein: Simple enough, right?  So then I go to another application -- for example, Firefox

  • Retouching headshots

    I edited one of my head shots on my iPhone with different apps, and the image resolution is low. I was wondering if there is a way to use photoshop to take the original/unedited (high-resolution) image and and match its pixel to the edited image, byp

  • Ipod touch stopped working completely

    I have a 3rd Gen Ipod Touch and it was working fine until I hooked it up to my computer and started to update it. The screen went white and then it failed to update it and now my ipod touch wont even turn on. What do I do?