ASDM Interface

My setup is: PIX 515E, IOS 8.0(4)28, ASDM 6.1(5)57, firewall mode routed, 6 interfaces, 128Mb.
My question is, can ASDM be accessed through any interface on the PIX besides ethernet1? I'd prefer to run ASDM through ethernet5 but it refuses to run. I have tried deconfiguring eth1 and copying its config to eth5 to no avail. The basic setup on eth1 that works is:
interface Ethernet1
 nameif Management
 security-level 100
 ip address 100.100.100.18 255.255.255.0
This doesn't work on eth5.
Matt.

The responses are as follows:
PIX515E#  show asp table socket
Protocol  Socket    Local Address               Foreign Address         State
TCP       0002082c  100.100.100.18:23           0.0.0.0:*               LISTEN
SSL       0002e9ec  100.100.100.18:443          0.0.0.0:*               LISTEN
SSL       0008993c  100.100.100.18:443          Miffy:1063              ESTAB
PIX515E# show run interface eth5
interface Ethernet5
 description MGT_INTERFACE
 speed 100
 duplex full
 nameif Management
 security-level 0
 ip address 100.100.100.18 255.255.255.0 
I figured it out. I was allowing telnet/http access to the inside interface, not the management interface. Inside is Eth1, Management is Eth5.
A force of habit. As this PIX has 6 Eth interfaces I thought I'd dedicate one to management. Now to interface between my 877 & 1751-V!
Thanks for your help Vibhor.
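The root cause Matt found is that `http`/`telnet`/`ssh` lines on a PIX/ASA are bound to a nameif, so ASDM only listens for a given source network on the interface the line names. As an added example that is not part of the thread (my code, not the poster's or Cisco's), the script below reads a running-config in the syntax posted above, reports which source networks can reach ASDM on each interface, and flags the management-plane mistakes a reviewer would look for: a line that names the wrong nameif, a 0.0.0.0 0.0.0.0 source, management access on a security-level 0 interface, and cleartext telnet. The two configs inside it are constructed; only the Ethernet5 / Management / 100.100.100.18 / security-level 0 details come from the posted `show run interface eth5`, and the inside address 192.0.2.1 is an assumption.

```python
"""Added example (not code from the thread): work out which interfaces a
PIX/ASA actually permits ASDM (HTTPS), SSH and Telnet on, from a running-config.

Assumptions (mine, not the poster's): the classic syntax shown in the thread,
i.e. 'interface <name>' blocks with nameif / security-level / ip address, and
management-access lines of the form '<http|ssh|telnet> <net> <mask> <nameif>'.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str                             # physical name, e.g. Ethernet5
    nameif: str = ""                      # logical name that http/ssh/telnet lines refer to
    security_level: Optional[int] = None
    address: str = ""


@dataclass
class Finding:
    severity: str
    message: str


ACCESS_RE = re.compile(r"^(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_config(text):
    """Return ({nameif: Interface}, [(proto, ip_network, nameif), ...])."""
    interfaces, access, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = Interface(name=m.group(1))   # start of an interface block
            continue
        if current is not None and line.startswith("nameif "):
            current.nameif = line.split()[1]
            interfaces[current.nameif] = current
        elif current is not None and line.startswith("security-level "):
            current.security_level = int(line.split()[1])
        elif current is not None and line.startswith("ip address "):
            current.address = " ".join(line.split()[2:4])
        elif (m := ACCESS_RE.match(line)):
            proto, net, mask, nameif = m.groups()
            access.append((proto, ipaddress.ip_network(f"{net}/{mask}", strict=False), nameif))
    return interfaces, access


def reachable_from(text, proto, nameif):
    """Source networks allowed to open <proto> towards the interface named <nameif>."""
    _, access = parse_config(text)
    return [net for p, net, n in access if p == proto and n == nameif]


def audit(text):
    """Flag wrong, over-broad or risky management-plane access lines."""
    interfaces, access = parse_config(text)
    findings = []
    for proto, net, nameif in access:
        iface = interfaces.get(nameif)
        if iface is None:
            findings.append(Finding("error", f"{proto}: nameif '{nameif}' does not exist"))
            continue
        if net.prefixlen == 0:
            findings.append(Finding("high", f"{proto} on {nameif}: any source (0.0.0.0/0) permitted"))
        if iface.security_level == 0:
            findings.append(Finding("high", f"{proto} on {nameif}: management access on a security-level 0 interface"))
        if proto == "telnet":
            findings.append(Finding("medium", f"telnet on {nameif}: cleartext management protocol"))
    for nameif, iface in interfaces.items():
        # ASDM rides on the http server, so an interface with no http line never serves it
        if iface.address and not any(p == "http" and n == nameif for p, _, n in access):
            findings.append(Finding("info", f"{nameif} ({iface.name}): no http line, so ASDM is unreachable here"))
    return findings


# Constructed config mirroring the thread's symptom: Ethernet5 is named Management,
# but the http line (and a telnet line) point at 'inside', while an ssh line opens
# Management to any source on a security-level 0 interface.
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
interface Ethernet5
 nameif Management
 security-level 0
 ip address 100.100.100.18 255.255.255.0
http server enable
http 100.100.100.0 255.255.255.0 inside
telnet 100.100.100.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 Management
"""

# Corrected version (constructed): the http/ssh lines name the interface the admin
# actually connects to, from its own subnet only, and the interface is not level 0.
CORRECTED_CONFIG = SAMPLE_CONFIG.split("http server enable")[0].replace(
    " security-level 0\n", " security-level 100\n") + """\
http server enable
http 100.100.100.0 255.255.255.0 Management
ssh 100.100.100.0 255.255.255.0 Management
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", CORRECTED_CONFIG)):
        print(label, "- ASDM reachable on Management from:", reachable_from(cfg, "http", "Management"))
        for f in audit(cfg):
            print(f"  [{f.severity}] {f.message}")
```

Run as-is it prints, for the "before" config, an empty list for ASDM on Management (exactly what Matt saw when `show asp table socket` showed the listener but the client was refused), plus the telnet, any-source and security-level 0 findings; the "after" config shows ASDM reachable from 100.100.100.0/24 on Management and only the note that inside no longer serves ASDM, which is the intent of dedicating one port to management.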

Similar Messages

  • How to block IP addresses or IP blocks through the 5505 ASDM interface, not through command lines?

    Is it possible to block IP addresses or IP blocks through the 5505 ASDM interface, and not through command lines? If so, how?

    Unfortunately I can't share any information on the router. It's company policy. But if you could let me know where in the GUI interface of the router I can find the ACL and how to enter the IPs to block, I would really appreciate it.

  • How to find device neighbors from the asdm interface for the pix

    I am able to get to my PIX using ASDM. I looked around the interface and did not see where it can show me other Cisco devices on the network. I'm trying to get my topology going. I am thinking it should be on there somewhere, just like on the router there is a show neighbor command.

    Cisco firewalls do not do CDP, if that is what you are looking for.
    If this is an EIGRP or OSPF neighbor, then you can do that via the CLI.
    Once you telnet or SSH to the firewall you can issue "sh eigrp nei" or "sh ospf nei".
    -Kureli

  • ASDM and privilege level (using TACACS)

    Hi experts,
    Initial question:     How can I force ASDM to ask for the enable password when the user clicks on Apply?
    Environment description:
    I have an ASA 5510 connected to an ACS 5.0.
    Security policy:
    I want the users defined on my ACS to be able to gain privilege level 15, but only after using their enable password. By default the user must be in non-privileged mode (<15).
    An SNMP alert is sent when the ASA catches a "User priv level changed" syslog message (logging customization).
    ACS configuration:
    Maybe I misunderstand the TACACS privilege level parameters on ACS.
    I set a Shell Profile which gives the user the following privilege levels:
    Default Privilege Level = 7
    Maximum Privilege Level = 15
    1st config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    ! no authorization set
    Results:
         On CLI:     perfect
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 15 directly
    It seems that if authorization is not set, ASDM always gives privilege level 15 to any user.
    So OK for CLI, but NOK for ASDM.
    2nd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    ! no authorization command set
    Results:
         On CLI:     lose enable access
    I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case the ASA uses the TACACS Default Privilege Level value.
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window, BUT the user has full rights and can change settings.
    So NOK for CLI and ASDM
    Question:    Why do I have more access rights with ASDM than on CLI with the same settings?
    3rd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     lose enable access (same as config 2)
         On ASDM:     unable to gain privilege level 15 --> acceptable
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window, AND the user really has level 7 access rights.
    So NOK for CLI and Acceptable for ASDM
    Question:     Is there no possibility to move to enable mode on ASDM?
    4th config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! no aaa authentication for 'enable access', using local enable_15 account
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     acceptable
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
         On ASDM:     unable to gain privilege level 15 --> acceptable (same as config 3)
    So Acceptable for CLI and ASDM
    Questions review:
    1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply?
    2 - Why do I have different access rights using ASDM than on CLI with the same settings?
    3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15?
    4 - How should I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level?
    Thanks for your help.

    Thanks for your answer jedubois.
    In fact, my security policy is like this:
    A) Authentication has to be nominative with a password enforcement policy
         --> I'm using a CS ACS v5.1 appliance with the local user database on it
    B) Every "network" user can be granted privilege level 15
         --> max user privilege level is set to 15 in my authentication mechanism on ACS
    C) A "network" user can log onto the network equipment (RTR, SW and FW) but has monitor access only at first.
    D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
         --> SNMP trap sent to supervision server
    E) The user password and enable password have to be personal.
    So, I need only 2 privilege levels:
    - monitor (any level from 1 to 14. I set 7)
    - admin (level 15)
    For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted privilege level 15.
    The ASDM interface is requested by the customer.
    For ASDM, as I was not able to satisfy the security policy, I apply this:
    1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
    2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
         --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
         (OK, I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
    3- I remove "aaa authorization enable console TACACS" to use the local enable password
         --> now I can't get admin access on ASDM: OK
         --> and I can get admin access on CLI by entering the local enable password
    At the end, I satisfy my security policy points A to D but not E. That's a good compromise, but do you see a solution to satisfy E as well?
    Thanks

  • DNS resolution on Anyconnect - multiple different internal DNS servers

    All,
       We have multiple different internal Windows AD domains within our network, that currently do not replicate their DNS zones between them.
    Is there any way with an ASA/AnyConnect VPN to create a configuration so the ASA inspects the DNS lookups from a user connected via the AnyConnect VPN client, and routes them to a defined internal DNS server?
    For example, I have three internal AD domains: site1.com with a DNS server IP of 1.1.1.1, site2.com 2.2.2.2, site3.com with a DNS server IP of 3.3.3.3. When a user VPNs in and performs a DNS lookup for the name server1.site1.com, the ASA sees it is for site1.com and routes the lookup to 1.1.1.; however, when a user performs a DNS lookup for server1.site2.com, the ASA sees it is for site2.com and routes the DNS lookup to 2.2.2.2.
    Any thoughts on alternatives to overcome the problem are also welcome, and/or if anyone can point me to a link that explains the function of "multiple DNS server groups", which is located in the ASDM interface under Remote Access VPN->DNS (as I have not been able to find a plain English explanation of the function, I am unsure if this does what I am looking for).
    Thanks

    Hi Dominick,
    I have a solution for your problem. You will need to log into the CLI of the WSA and issue the following commands:
    s370r01.csw> dnsconfig
    Currently using the local DNS cache servers:
    1. Priority: 0  10.9.8.8
    Choose the operation you want to perform:
    - NEW - Add a new server.
    - EDIT - Edit a server.
    - DELETE - Remove a server.
    - SETUP - Configure general settings.
    - SEARCH - Configure DNS domain search list.
    []> localhosts <----- Hidden Command
    Local IP to Host mappings:
    Choose the operation you want to perform:
    - NEW - Add new local IP to host mapping.
    - DELETE - Delete an existing mapping.
    []> new
    Enter the IP address of the host you are adding.
    []> 10.1.1.1 < -------- IP of the M series
    Enter the canonical host name and any additional aliases (separate values with spaces)
    []> Host name of the M series. Hit enter until you get back to the command prompt and type commit then enter.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator

  • ASA5505 - Qos / Priority / Traffic Shaping - VOIP/SIP

    I have a client using a VOIP service from a third party provider (RingCentral). They are connected via Cable ISP (6mb) to the Internet and are now experiencing performance issues with their VOIP service. They indicated that the call can be heard but that there is jitter and choppiness in the call and they have to place a regular landline call. Their provider recommended using QOS to help improve. I did not see anything straightforward in the ASDM interface to do this and figure it may require the command line to accomplish.
    They have Cisco IP 303 and 5252G2 phones which connect through an ASA5505 7.2(4) to their provider for service. Apparently the voip app uses the following ports:
    UDP
    5060-5090
    8000-8200
    16384-16482
    What would be the best solution to improve performance, or perhaps traffic shape / prioritize traffic to help? I assume this may be happening if there are heavy downloads or activity happening on the network. The ASA5505 is on 7.2(4). I'd appreciate it if someone could provide some coded examples for the above info.
    Much appreciated!

    Hi Vito,
    You can prioritize your voice traffic over data traffic, refer to this doc for prioritization:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#Pqu
    Hope that helps
    Thanks,
    Varun

  • Vlan passthrough

    Dear experts,
    I'm having trouble configuring my ASA 5510 firewall for passthrough VLANs.
    I want to pass through VLANs from the "outside" interface to the "lan" interface.
    The ISP provides VOIP as a service to our company on the same internet connection on a separate VLAN.
    The ASA has to filter the internet access (untagged traffic) but has to pass through the voice traffic (tagged traffic)
    to the lan interface. The ISP also provides DHCP for my IP phones, so the ASA also has to pass through DHCP requests.
    Do I need DHCP relay?
    I tried to connect 1 VLAN to multiple physical interfaces but I get an error message that this is not possible.
    Is this possible using the ASDM interface or do I need to configure this by the CLI?
    I attached a drawing of how the environment must look.
    Hope someone can help me out here.

    VLAN will not passthrough because the SLM2008 doesn't have trunking capability.

  • VPN consulting

    Hello everybody, I'm quite new to ASA configurations, and I am having some problems with a VPN configuration. I've configured a VPN which
    unexpectedly goes down. The strange thing is that the other side of the tunnel still has connectivity. Another strange thing is that in MONITORING--VPN--IPsec Site to Site connections I can always see the link up.
    Has anybody any idea what I can do to resolve this issue?
    Thanks and regards.

    Vishnu, hi, sorry for my delay. To bring the tunnel back I just go to MONITORING--->VPN---> I filter by IPsec Site-to-Site, then I select the Connection Profile for my tunnel and press the Logout button (in the ASDM interface), and after a couple of seconds the tunnel starts to work again.
    my config in the far end ASA is:
    REMOTESITE# sho run
    : Saved
    ASA Version 8.2(5)
    hostname REMOTESITE
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    no nameif
    no security-level
    no ip address
    interface Ethernet0/0.10
    description Internet Inside
    vlan 10
    nameif InternetInside
    security-level 50
    ip address PRIVATE IP ADDRESS
    interface Ethernet0/0.130
    vlan 130
    nameif inside
    security-level 100
    ip address PRIVATE IP ADDRESS
    interface Ethernet0/1
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1.19
    vlan 19
    nameif outside
    security-level 0
    ip address PUBLIC IP ADDRESS
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    object-group network RemoteSite
    network-object 10.32.0.0 255.255.0.0
    object-group network LocalSite
    network-object 10.30.0.0 255.255.0.0
    network-object host 10.2.3.240
    network-object host 10.2.3.230
    network-object host 10.2.3.233
    network-object host 10.2.3.243
    network-object host 10.2.3.248
    access-list inside_access_in extended permit ip object-group RemoteSite any
    access-list inside_nat_outbound extended permit ip object-group RemoteSite any
    access-list outside_1_cryptomap extended permit ip object-group RemoteSite object-group LocalSite
    access-list outside_1_cryptomap extended permit ip object-group LocalSite object-group RemoteSite
    access-list inside_nat0_outbound extended permit ip object-group RemoteSite object-group LocalSite
    access-list inside_nat0_outbound extended permit ip object-group RemoteSite 192.168.150.0 255.255.255.0
    access-list InternetInside_nat_outbound extended permit ip 172.16.1.32 255.255.255.224 any
    access-list VPN-RemoteSite_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    access-list VPN-RemoteSite_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
    access-list VPN-RemoteSite_splitTunnelAcl standard permit 172.16.0.0 255.240.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    mtu InternetInside 1500
    ip local pool RemoteSite-VPN 192.168.150.10-192.168.150.200 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 access-list inside_nat_outbound
    nat (InternetInside) 1 access-list InternetInside_nat_outbound
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 204.181.54.177 1
    route outside 10.2.3.230 255.255.255.255 204.181.54.177 1
    route outside 10.2.3.233 255.255.255.255 204.181.54.177 1
    route outside 10.2.3.240 255.255.255.255 204.181.54.177 1
    route outside 10.2.3.243 255.255.255.255 204.181.54.177 1
    route outside 10.2.3.248 255.255.255.255 204.181.54.177 1
    route outside 10.30.0.0 255.255.0.0 204.181.54.177 1
    route inside 10.32.0.0 255.255.0.0 10.32.2.130 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server tac-auth protocol tacacs+
    aaa-server tac-auth (inside) host 10.30.5.43
    timeout 5
    key *****
    aaa-server tac-auth (inside) host 10.30.120.43
    timeout 5
    key *****
    aaa authentication enable console tac-auth LOCAL
    aaa authentication http console tac-auth LOCAL
    aaa authentication serial console tac-auth LOCAL
    aaa authentication ssh console tac-auth LOCAL
    aaa authentication telnet console tac-auth LOCAL
    aaa authorization command tac-auth LOCAL
    aaa accounting enable console tac-auth
    aaa accounting telnet console tac-auth
    aaa accounting ssh console tac-auth
    aaa accounting serial console tac-auth
    aaa accounting command privilege 15 tac-auth
    aaa local authentication attempts max-fail 10
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 0.0.0.0 0.0.0.0 inside
    http LocalSitePUBLICIP outside
    http LocalSitePUBLICIP outside
    http LocalSitePUBLICIP outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer LocalSitePUBLICIP
    crypto map outside_map 1 set transform-set ESP-AES-128-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ciscoasa
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 63f6c54f
        30820234 3082019d a0030201 02020463 f6c54f30 0d06092a 864886f7 0d010105
        0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
        86f70d01 09021608 63697363 6f617361 301e170d 31323035 33313038 33373235
        5a170d32 32303532 39303833 3732355a 302c3111 300f0603 55040313 08636973
        636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
        9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b7 f802ade8
        d40ba8e6 a32d4e57 0c1dce0c 970d7f62 afb83546 aa2eeb4a 798cee09 b6ed1217
        356d486c 2cb43ce2 0754ee4f a49be90a 65a4c586 b61dd4e0 68b587fa e9f546ea
        a54a9ec6 f2f316ad 7e2bdb7d 4e0b0630 2efa0d29 7350bce1 dbe67e89 ba2c2193
        67918b03 02c6f9b3 3cca9bc9 e97a1c61 3603c1c6 6097285a 5e7b4302 03010001
        a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04
        04030201 86301f06 03551d23 04183016 8014d665 a29f0fd4 b60293fe c2cc6f9d
        c6c3a617 c942301d 0603551d 0e041604 14d665a2 9f0fd4b6 0293fec2 cc6f9dc6
        c3a617c9 42300d06 092a8648 86f70d01 01050500 03818100 0d3b6049 08f662e4
        e07f1113 8194da6a a221c29e d850b7b4 d5fdb695 c24c066c f272856c b5cd9712
        6a8839f3 037cdce1 3d4a326d f8d40768 c31bf450 18fab62b f36a383e b40827ee
        ab3c8290 17928639 ace48926 2a018b85 cabf73b0 e98f92b2 b7973add d194d9d2
        b144a1be ef4cb498 8c381d1e cade9141 ec80cea8 e787c65d
      quit
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh PUBLIC IP ADDRESS outside
    ssh PUBLIC IP ADDRESS outside
    ssh PUBLIC IP ADDRESS outside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN-RemoteSite_2 internal
    group-policy VPN-RemoteSite_2 attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN-RemoteSite_splitTunnelAcl
    default-domain none
    group-policy VPN-RemoteSite internal
    group-policy VPN-RemoteSite attributes
    vpn-filter value outside_1_cryptomap
    vpn-tunnel-protocol IPSec
    group-policy VPN-RemoteSite_1 internal
    group-policy VPN-RemoteSite_1 attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol IPSec
    default-domain none
    username admin password 2QP3zeqDx2bZ8oiO encrypted privilege 15
    username vpn-RemoteSite password YllBSswY7sUORmMr encrypted privilege 0
    username vpn-RemoteSite attributes
    vpn-group-policy VPN-RemoteSite_1
    tunnel-group LocalSitePUBLICIP type ipsec-l2l
    tunnel-group LocalSitePUBLICIP general-attributes
    default-group-policy VPN-RemoteSite
    tunnel-group LocalSitePUBLICIP ipsec-attributes
    pre-shared-key *****
    isakmp keepalive threshold 10 retry 10
    tunnel-group VPN-RemoteSite type remote-access
    tunnel-group VPN-RemoteSite general-attributes
    address-pool RemoteSite-VPN
    default-group-policy VPN-RemoteSite_2
    tunnel-group VPN-RemoteSite ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:00cfcfa94733b8335dd7a34b36b3a18a
    : end
    REMOTESITE#
    For my ASA on the local side I think it could be more difficult because that device has all the company config.
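The far-end config posted above carries transform sets and ISAKMP policies built on DES, 3DES, HMAC-MD5 and DH groups 2 and 5, and its static crypto map entry selects ESP-AES-128-MD5. As an added example that is not part of the thread (my code, not the poster's or Cisco's), the script below parses those three kinds of line from a constructed excerpt in the same 8.x syntax and reports which proposals rely on algorithms now considered weak, marking whether a transform set is actually referenced by a crypto map or dynamic map entry. The peer address 203.0.113.10 and the weakness table are my own assumptions, not something the thread states.

```python
"""Added example (not from the thread): audit the IKEv1/IPsec proposals in an
ASA running-config for algorithms that are now considered weak.

Assumptions (mine): classic 8.x syntax as posted in the thread:
  crypto ipsec transform-set <name> <esp-cipher> <esp-auth>
  crypto map <map> <seq> set transform-set <name> [<name> ...]
  crypto isakmp policy <prio> followed by encryption / hash / group lines.
The weakness table reflects current guidance: DES, 3DES and HMAC-MD5 are
deprecated, and Diffie-Hellman groups below 2048 bits are undersized.
"""
import re
from dataclasses import dataclass

WEAK_CIPHER = {
    "esp-des": "single DES (56-bit key)", "des": "single DES (56-bit key)",
    "esp-3des": "3DES (deprecated)",      "3des": "3DES (deprecated)",
}
WEAK_HASH = {"esp-md5-hmac": "HMAC-MD5 (deprecated)", "md5": "MD5 (deprecated)"}
WEAK_GROUP = {
    "1": "DH group 1 (768-bit modulus)",
    "2": "DH group 2 (1024-bit modulus)",
    "5": "DH group 5 (1536-bit modulus, below 2048)",
}
ISAKMP_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")


@dataclass(frozen=True)
class Finding:
    kind: str      # "transform-set" or "isakmp-policy"
    name: str      # transform-set name or policy priority
    reason: str
    in_use: bool   # transform-set referenced by a crypto map entry (policies count as in use)


def parse_transform_sets(text):
    """name -> (cipher, auth) from 'crypto ipsec transform-set' lines."""
    sets = {}
    for m in re.finditer(r"^\s*crypto ipsec transform-set (\S+) (\S+) (\S+)\s*$", text, re.M):
        sets[m.group(1)] = (m.group(2), m.group(3))
    return sets


def transform_sets_in_use(text):
    """Transform-set names referenced by any crypto map or dynamic-map entry."""
    used = set()
    for m in re.finditer(r"^\s*crypto (?:dynamic-map|map) \S+ \d+ set transform-set (.+?)\s*$", text, re.M):
        used.update(m.group(1).split())
    return used


def parse_isakmp_policies(text):
    """priority -> {'encryption': ..., 'hash': ..., 'group': ...} from policy blocks."""
    policies, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 4 and parts[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(parts[3], {})
        elif current is not None and len(parts) == 2 and parts[0] in ISAKMP_KEYS:
            current[parts[0]] = parts[1]
        else:
            current = None   # any other command ends the policy block
    return policies


def audit_crypto(text):
    """One Finding per weak component of each transform set and ISAKMP policy."""
    findings = []
    used = transform_sets_in_use(text)
    for name, (cipher, auth) in parse_transform_sets(text).items():
        for table, algo in ((WEAK_CIPHER, cipher), (WEAK_HASH, auth)):
            if algo in table:
                findings.append(Finding("transform-set", name, table[algo], name in used))
    for prio, attrs in parse_isakmp_policies(text).items():
        for table, key in ((WEAK_CIPHER, "encryption"), (WEAK_HASH, "hash"), (WEAK_GROUP, "group")):
            if attrs.get(key) in table:
                findings.append(Finding("isakmp-policy", prio, table[attrs[key]], True))
    return findings


# Constructed excerpt in the posted syntax (peer address is a documentation-range placeholder).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-AES-128-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh timeout 5
"""

if __name__ == "__main__":
    for f in audit_crypto(SAMPLE_CONFIG):
        print(f"{f.kind} {f.name}: {f.reason}" + ("" if f.in_use else " (not referenced)"))
```

The dynamic map in the posted config lists every transform set on the box, so even the DES/MD5 sets count as "in use": an IKEv1 responder will accept whichever proposal the peer offers first that matches, which is why unused weak sets are worth removing rather than just leaving unreferenced.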

  • Why can't I access ASA 8.4 through ASDM from the outside interface?

    Hi all,
    Please help me: why can't I access the ASA's ASDM from the outside interface?
    My public IP on outside is:
    x.x.55.34
    I changed the ASDM port to 65000 because I have port forwarding.
    I tried to connect to my IP through ASDM by:
    x.x.55.34
    x.x.55.34:65000
    but no luck.
    It succeeds if I try to connect locally.
    Here is my sh run:
    ====================================================
    ASA5505#
    ASA5505# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ASA5505
    enable password qsddsEGCCSH encrypted
    passwd 2KFsdsdbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 2
    interface Vlan1
    nameif ins
    security-level 100
    ip address 10.66.12.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 50
    ip address x.x.55.34 255.255.255.248
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
    host 0.0.0.0
    object network localsubnet
    subnet 10.66.12.0 255.255.255.0
    description localsubnet
    object network HTTP-Host
    host 10.66.12.249
    description web server
    object network HTTPS-HOST
    host 10.66.12.249
    description Https
    object network RDP-Host
    host 10.66.12.122
    description RDP host
    object network citrix-host
    host 10.66.12.249
    description citrix
    object service rdp
    service tcp destination eq 3389
    object service https
    service tcp destination eq https
    object service citrix
    service tcp destination eq 2598
    object service http
    service tcp destination eq www
    object network RDP1
    host 10.66.12.249
    object network HTTPS-Host
    host 10.66.12.249
    object network CITRIX-Host
    host 10.66.12.249
    object-group network RDP-REDIRECT
    object-group network HTTP-REDIRECT
    object-group network HTTPS-REDIRECT
    object-group network CITRIX-ICA-HDX-REDIRECTION
    object-group network CITRIX-ICA-SESSION-RELIABILITY-REDIRECTION
    object-group service CITRIX-ICA-HDX
    object-group service CITRIX-SR
    object-group service RDP
    object-group network MY-insideNET
    network-object 10.66.12.0 255.255.255.0
    access-list outside_in extended permit tcp any host 10.66.12.249 eq www
    access-list outside_in extended permit tcp any host 10.66.12.249 eq https
    access-list outside_in extended permit tcp any host 10.66.12.249 eq 2598
    access-list outside_in extended permit tcp any host 10.66.12.122 eq 3389
    access-list outside_in extended permit tcp any host 10.66.12.249 eq citrix-ica
    access-list outside_in extended permit tcp any host x.x.55.34 eq 65000
    access-list outside_in extended permit tcp any host x.x.55.34 eq https
    access-list outside_in extended permit ip any any
    pager lines 24
    mtu ins 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    object network localsubnet
    nat (ins,outside) dynamic interface
    object network HTTP-Host
    nat (ins,outside) static interface service tcp www www
    object network RDP-Host
    nat (ins,outside) static interface service tcp 3389 3389
    object network HTTPS-Host
    nat (ins,outside) static interface service tcp https https
    object network CITRIX-Host
    nat (ins,outside) static interface service tcp citrix-ica citrix-ica
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 62.109.55.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable 65000
    http 10.66.12.0 255.255.255.0 ins
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
        308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
        0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
        30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
        13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
        0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
        20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
        65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
        65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
        30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
        30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
        496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
        74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
        68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
        3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
        63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
        0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
        a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
        9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
        7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
        15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
        63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
        18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
        4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
        81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
        db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
        7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
        ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
        45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
        2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
        1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
        03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
        69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
        02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
        6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
        c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
        69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
        1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
        551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
        1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
        2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
        4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
        b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
        6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
        481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
        b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
        5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
        6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
        6c2527b9 deb78458 c61f381e a4c4cb66
      quit
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access outside
    dhcpd address 10.66.12.160-10.66.12.180 ins
    dhcpd dns 212.112.166.22 212.112.166.18 interface ins
    dhcpd enable ins
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username test password P4ttSdddd3SV8TYp encrypted privilege 15
    username ADMIN password 5dddd3ThngqY encrypted privilege 15
    username drvirus password p03BtCddddryePSDf encrypted privilege 15
    username cisco password edssdsdOAQcNEL encrypted privilege 15
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    For access over VPN you need:
    management-access inside
    and don't forget:
    ssh inside
    http inside
    I'm guessing you forgot to grant ASDM (http/https) access to the IP addresses used by the VPN?  Can you SSH?  If not, that is your problem to solve first.
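The reply above boils down to a checklist a reviewer can apply to any posted running-config: the `management-access` interface must also carry `http` and `ssh` grants, and management should never be opened to any source on an untrusted interface. The following is an added example, not code from anyone in this thread and not a Cisco tool: a small Python audit that parses the plain `show run` text for those lines. The two configurations embedded in it are constructed for the example; the first is modelled on the config posted above (with the public address replaced by the documentation address 192.0.2.34) and the second is a hardened counterpart with ASDM/SSH granted only from the LAN on the inside interface, which is also the `management-access` interface.

```python
"""Audit the management-plane lines of a Cisco ASA running-config (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the config posted in this thread: http and
# telnet open to any source on 'outside', management-access on 'outside'.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif ins
 security-level 100
 ip address 10.66.12.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 50
 ip address 192.0.2.34 255.255.255.248
access-list outside_in extended permit tcp any host 10.66.12.249 eq www
access-list outside_in extended permit ip any any
access-group outside_in in interface outside
http server enable 65000
http 10.66.12.0 255.255.255.0 ins
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 outside
management-access outside
"""

# Constructed hardened counterpart: ASDM/SSH only from the LAN, on the inside
# interface, which is also the management-access interface used over VPN.
HARDENED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list outside_in extended permit tcp any host 10.66.12.249 eq www
access-group outside_in in interface outside
http server enable
http 10.66.12.0 255.255.255.0 inside
ssh 10.66.12.0 255.255.255.0 inside
management-access inside
"""

ANY = ("0.0.0.0", "0.0.0.0")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MGMT_RE = re.compile(rf"(http|ssh|telnet) {IP} {IP} (\S+)$")
ACL_ANY_RE = re.compile(r"access-list (\S+) extended permit ip any any$")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)$")
MA_RE = re.compile(r"management-access (\S+)$")


def parse_asa(config):
    """Extract interface security levels, http/ssh/telnet grants and ACL facts."""
    ifaces = {}                 # nameif -> security-level
    mgmt = defaultdict(list)    # (proto, nameif) -> [(network, mask), ...]
    acl_any, applied, mgmt_access, cur = set(), {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = None                      # new block; nameif not yet seen
        elif line.startswith("nameif "):
            cur = line.split()[1]
            ifaces.setdefault(cur, None)
        elif line.startswith("security-level ") and cur:
            ifaces[cur] = int(line.split()[1])
        elif m := MGMT_RE.match(line):
            mgmt[(m.group(1), m.group(4))].append((m.group(2), m.group(3)))
        elif m := ACL_ANY_RE.match(line):
            acl_any.add(m.group(1))
        elif m := GROUP_RE.match(line):
            applied[m.group(3)] = (m.group(1), m.group(2))
        elif m := MA_RE.match(line):
            mgmt_access = m.group(1)
    return {"ifaces": ifaces, "mgmt": dict(mgmt), "acl_any": acl_any,
            "applied": applied, "management_access": mgmt_access}


def audit(parsed):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, ifaces = [], parsed["ifaces"]
    for (proto, iface), nets in parsed["mgmt"].items():
        level = ifaces.get(iface)
        low = level is None or level < 100   # anything but a fully trusted interface
        if proto == "telnet" and low:
            findings.append(f"telnet enabled on '{iface}' (security-level {level}): "
                            "cleartext management on a non-inside interface")
        if ANY in nets and low:
            findings.append(f"{proto} permitted from any source on '{iface}' "
                            f"(security-level {level})")
    for iface, (acl, direction) in parsed["applied"].items():
        if acl in parsed["acl_any"]:
            findings.append(f"ACL '{acl}' applied {direction} on '{iface}' "
                            "contains 'permit ip any any'")
    ma = parsed["management_access"]
    if ma:  # the condition the reply describes for ASDM/SSH over VPN
        for proto in ("http", "ssh"):
            if (proto, ma) not in parsed["mgmt"]:
                findings.append(f"management-access is '{ma}' but no '{proto}' line "
                                f"grants {proto} on it; VPN clients cannot use it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(parse_asa(cfg)) or ["no findings"]:
            print(" -", finding)
```

Run it against the text of `show run` (or paste a config into `SAMPLE_CONFIG`); the posted-style config yields five findings, the hardened one none. Only the `http`, `ssh`, `telnet`, `access-group` and `management-access` keywords are matched, so `http server enable` and `ssh timeout` lines are ignored by design, and interfaces without a `security-level` are treated as untrusted.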

  • ASDM is not working in outside interface

    Hi,
    I am new to ASA. I have got an ASA 5510 and was trying to enable ASDM access through the outside interface, but it's not working for me. I have configured a public IP on the outside interface and enabled SSH and ASDM. SSH is working but ASDM is not working. It is a test environment so I haven't configured any ACL yet.
    VPN-TEST# show version
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.2(1)
    Compiled on Tue 05-May-09 22:45 by builders
    System image file is "disk0:/asa821-k8.bin"
    Config file at boot was "startup-config"
    VPN-TEST up 4 hours 33 mins
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    0: Ext: Ethernet0/0         : address is d0d0.fd1d.8758, irq 9
    1: Ext: Ethernet0/1         : address is d0d0.fd1d.8759, irq 9
    2: Ext: Ethernet0/2         : address is d0d0.fd1d.875a, irq 9
    3: Ext: Ethernet0/3         : address is d0d0.fd1d.875b, irq 9
    4: Ext: Management0/0       : address is d0d0.fd1d.8757, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 50       
    Inside Hosts                 : Unlimited
    Failover                     : Disabled
    VPN-DES                      : Enabled  
    VPN-3DES-AES                 : Enabled  
    Security Contexts            : 0        
    GTP/GPRS                     : Disabled 
    SSL VPN Peers                : 2        
    Total VPN Peers              : 250      
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled 
    AnyConnect for Linksys phone : Disabled 
    AnyConnect Essentials        : Disabled 
    Advanced Endpoint Assessment : Disabled 
    UC Phone Proxy Sessions      : 2        
    Total UC Proxy Sessions      : 2        
    Botnet Traffic Filter        : Disabled 
    This platform has a Base license.
    VPN-TEST# show run http
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    VPN-TEST# show run asdm
    asdm image disk0:/asdm-621.bin
    asdm history enable
    Could anyone please help me to find out what I am missing?
    Kind Regards,
    Praveen

    Hi Marvin,
    Thanks for your reply.
    ** Is asdm-621.bin present on disk0? **
    VPN-TEST# show flash:
    --#--  --length--  -----date/time------  path
       92  16275456    Apr 25 2010 02:44:00  asa821-k8.bin
       93  11348300    Apr 25 2010 04:56:04  asdm-621.bin
    **Can you reach your test workstation from the outside interface? Is that where you successfully ssh from?**
    I was trying to reach it from my home and I can ping my home station from the outside interface.
    ** Is there any firewall or router ACL in the path between your workstation and the ASA? **
    There is no firewall configured.
    **Does the ASA log show anything when you try without success to launch ASDM? **
    I can't see any logs... Is there any special command to enable logging?
    ** What error specifically do you see? **
    It shows the webpage is not available.

  • ASDM not showing access rules for interfaces

    Strangest thing.  I have applied the access lists and can see that in the CLI, but ASDM isn't displaying them.
    in CLI:
    access-group inside_access_in in interface inside
    But ASDM doesn't display the interface under "Firewall - Access Rules"
    Cisco Adaptive Security Appliance Software Version 8.4(5)6
    Device Manager Version 7.1(4)
    Anyone else seeing this?
    I configured this firewall a few months ago and haven't touched it since.  I have updated Java and suspect that it may have something to do with it.
    Java version 7 Update 45

    Hi there
    I am sorry for any delay.
    Please check this out:
    ASDM 7.0 Edit Bookmark Window empty.
    Symptom:
    In the Edit Bookmark Window all fields are empty.
    Conditions:
    ASDM 7.0
    Workaround:
    If running any ASA code before 9.0 downgrade to ASDM 6.4.
    If running ASA 9.0, there is no workaround.
    Fixed-In 
    7.1(1.2)
    You may try with the latest version available Release 7.1.1
    HTH.
    Please rate any helpful posts

  • Require Client Certificate to Access ASDM on the Following Interfaces

    Hello
    I have an ASA 5585 with an outside interface with two subnets. The mgmt interface is the secondary interface. I have a certificate linked to the outside interface's primary ip address. When I ASDM to the ASA I get a dialog box telling me the cert is self signed. Do I need to get a second cert or can I do something else on the ASA that will allow the existing cert on the ASA to work with ASDM on the ASA?
    I.e. Configuration/Management Access/ASDM/HTTPS/Telnet/SSH/Require Client Certificate to Access ASDM on the Following Interfaces
    Thanks!
    Matt

    You can bind the identity certificate to multiple interfaces. Whether it is self-signed or from a third party trusted root CA it will work either way.
    You may get some warnings from ASA if the FQDN or IP address you are connecting to does not match the certificate but clicking through that will allow you to manage the appliance.
    Client certificates are a totally separate issue. That's typically only used when you have a PKI and are using the certificates issued to a client as a form of authentication and/or authorization.

  • Managing ASA5510 using ASDM via internal interface

    Hello
    I am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.
    My concern is that I thought I remembered reading someplace that if you setup an internal port for management that it can't be used for anything else.  Is this correct?
    I only configured one internal port and it is the path to my LAN.  I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process.  Can I use my one and only configured internal port for both ASA management and route from my LAN thru the ASA firewall?
    I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1.  If I open ASDM and connect thru the management port and select Configuration/Device Management/Management  Access/ASDM/HTTPS/Telnet/SSH
    select "ADD"
    select access type "ASDM/HTTPS"
    select interface "internal"
    IP Address   "10.1.1.0"
    Mask       "255.255.255.0"
    Will that give me access to ASA management thru my internal network but cripple my network access to the ASA? 
    Sorry if this is confusing... I don't know how else to phrase it.
    Thanks
    Ed

    Hi
    It sounds like a better plan than opening up for each and every unit on the inside :).
    But if you have an old laptop or something like that, I would state that setting that up with a syslog server and using that to manage the firewall would be an even better option.
    That way you would get logs and a management station.
    There are several syslog servers that are free, and I like to use grep, which is also free, to filter information.
    http 10.1.1.52 255.255.255.255 inside
    will make 10.1.1.52 the only station that can use ASDM,
    but you will have to remove the old http 10.1.1.0 255.255.255.0 inside statement.
    If you find the answers helpful please rate.
    good luck
    HTH

  • Unable to capture packets on ASA(ASDM)

    Hi all,
    We have a site-to-site VPN connection to one of our clients, through which we are both accessing our applications and other resources. Now the client needs to access two of our internal servers, so we have created static NATs on our ASA. For one server they are connecting without any issues, but they are not able to connect to the other server. Since it's a VPN tunnel we haven't blocked any ports and it's open to all traffic, but their side is restricted and we need to see whether the packets are hitting our ASA or not. Once we observe this, it's easy for us to escalate to them. I tried the packet capture wizard in ASDM, but it's not showing anything. Can anyone tell me how to capture packets related to the static NAT? Please let me know if you want any other details.
    local 20.0.0.0/24 --> this will get NATted to --> 12.0.6.0/24 when going into the tunnel
    we have created
    static(outside,inside) 12.0.6.10 20.0.0.10 255.255.255.255 working
    static(outside,inside) 12.0.6.11 20.0.0.11 255.255.255.255 not working, we need to check whether it's hitting 12.0.6.11
    Kindly advise...
    Regards,
    Bala

    Where are you trying to initiate the connection from?
    If they are trying to initiate the connection towards your end, and the traffic doesn't reach your end, then there will be nothing on your ASA packet capture.
    Please share what you have configured to capture the traffic.
    To check if the traffic is reaching the inside interface, just configure ACL between source (real IP) and destination (remote IP), and apply the capture on the inside interface. This will confirm if the traffic is coming inbound towards the inside interface.
    To check if the traffic is leaving the inside interface towards the host behind your ASA, configure ACL between source (remote IP), and destination (host real IP), and apply the capture on the inside interface. This will confirm if the traffic is leaving your ASA inside interface towards the host.

  • ASA 5505 backup interface

    Hello,
    I have set up an ASA 5505 with 2 ISPs, named outside (primary) and backup; the scenario is that if outside goes down, then backup takes over, and that works now.
    But it is not working when the primary connection cannot reach the gateway while the interface is still up.
    Is it possible for backup to automatically take over when the primary connection cannot reach the gateway?
    Thanks before..
    My configuration is:
    ASA Version 8.2(1)
    hostname cisco
    domain-name default_domain
    enable password ********* encrypted
    passwd ********* encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 172.10.10.10 255.255.255.0
    interface Vlan3
    no forward interface Vlan2
    nameif backup
    security-level 0
    ip address 172.20.10.10 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 1
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default domain
    same-security-traffic permit intra-interface
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu backup 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    global (backup) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    access-group inside_out in interface inside
    access-group outside_in in interface outside
    access-group backup_in in interface backup
    route outside 0.0.0.0 0.0.0.0 172.10.10.1 1
    route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 1048575
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.200 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:24af050f332deab3e38eb578f8081d05
    : end

    Hi Amrin,
    You can configure SLA monitoring on the ASA and that would work fine for you:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
    Hope that helps.
    Thanks,
    Varun
