CNA and ASA 5510

Hi.
Can I add an ASA 5510 to my network diagram on the CNA?
If I can, what monitoring and contol can be done on the ASA?
The ASA is being managed using SDM.
Thanks,
Danny.

aborole:
Do you know what technology/mibs or other means thats used to discover ASA and other information like interfaces on which this ASA is connected to other devices in the network ?
Thanks,
Chandra.

Similar Messages

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
WLC 2504
1142 LAPs
4510R+E
ASA 5510
Existing configuration as follows:
WLC management interface and APs addressed on the 192.168.126.0 /25 network
Internal WLAN mapped to the management interface
Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
4510 connected to ASA inside interface (security level 100)
Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
What is the best way to add guest wireless to our existing configuration?
Note: I need the guest wireless to be filtered by Websense as our internal wireless is
Any advice would be greatly appreciated!

Thank for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a dhcp scope on the wlc. Client gets dhcp but cannot even ping the wlc much less anything else. Yahya stated above to configure port 2 on the wlc to an access port on my 4510. Aren't all connections from the wlc supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the wlc untagged and add a dynamic interface for each wlan and tag it with the approriate vlan id? And then leave the (one) physical connection on the wlc (port 1) connected to a trunk link on the 4510 that allows the required vlans?
Any input would be greatly appreciated...
JW

RAS and ASA 5510

I have a ASA 5510 and need to restrict internet access to a defined group in the AD. I was told that you can use RAS server to acomplish this. Has anybody done this before? Any pointers?

Hi
this is a 'classic' error and has nothing to do with double authentication, but rather with the fact that you do both radius authentication and radius authorization.
If you remove this line:
authorization-server-group RADIUS01
you'll see it starts to work fine
In short: when ASA does radius authorization, it sends a radius access-request with the username as the password, which is why you see the second request fail all the time.
This is because radius authorization is intended to be used when authentication happens using certificates (only) so there is no password.
Also note that in the Radius protocol, authentication and authorization are not separate things, they both happen in one step. So if the ASA does radius authentication, it already gets the user attributes in the authentication step and it does not make sense to also do a separate authorization step (unless in some very rare scenario where you have 2 radius servers, one for authentication and another one for authorization).
hth
Herbert

10Mb Metro link between ASA 5505 and ASA 5510

Dear all,
I have encountered one difficult problem, I wished all expert could give my - newie some tips,
Environment
One ASA 5505 - ASA 7.2(1) and ASDM 5.2(1)
One ASA 5510 - ASA 7.2 (1) and ASDM 5.2(1)
These two firewall make site-to-site VPN connection
two ASA has three interface - the one is inside (security level is 100), the another is outside (security level is 0), the finally interface is metro (security level is also 100)
***** I didn't know why around 3 days to one week , these two ASA would hang and make all internal PC cannot access to internet, it need to uplug and replug power, and then the ASA resumed. I didn't know how to shooting this problem, is ASA version is old (7.2(1)), or other problem,
***** I didn't know how to see the log, in the matter of fact, I have already set up a syslog in the one windows server, but I see log, I found no any error log for ASA error or hang message, please everyone.

To see the error logs on ASA; telnet to the device and after authentication give command "show log". This will display a long list of log messages. Point out to the log messages that have been logged at the time when the connection went down. Without the error message or syslog message it would not be possible to figure out the problem. Following link may help you to configure ASA for syslog
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

AIM-SSM interfaces and ASA 5510

All, can anyone explain if and how routing works between the ASA and the IPS card?
1)Is the single NIC in the IPS card for management purposes only?
2)Is the IP address configured in the card's setup process for this one NIC?
3) need there be any routing between e.g. the ASA management or any other interface and the card management interface or can they reside on completely separated networks?
Thanks
Jonathan

The IPS card has 3 interfaces.
The management interface is external interface that you plug a network cable in to. The IP address is configured by the user during setup.
The sniffing interface is the internal interface on the ASA data backplane. No IP address is ever assigned to this interface.
The control plane interface is an internal interface on the ASA control plane so that the ASA can communicate internally to the SSM (the session command runs through this interface). The control plane IP address is controlled by the ASA and not user configurable,
The management interface is for management only.
The IP Address configured during setup is only for this management interface.
As for routing between the ASA and the SSM, this is completely up to the user.
All communication from the ASA to the SSM is done internally through the control plane interface and so the ASA itself does not need to know how to communicate to the SSM management IP.
The SSM, however, does need to communicate from it's management IP to one of the ASA interfaces in order to do Blocking/Shunning on the ASA. Blocking/Shunning is not done through the control plane.
When using IDM or ASDM for configuration the java applet web browses to the SSM management IP so the machine running IDM or ASDM must either be on the local network of the management port of the SSM, or be routable to the network.
Some scenarios:
1) Only one machine (IDS MC/Sec Mon) communicating with the SSM. In this scenario you could take a crossover cable and directly connect the one machine to the SSM.
The SSM can then communicate only to that one machine.
2) A secure network for managing the security devices that is NOT routable to/from other networks.
In this scenario the management box, the management port of the SSM, and the management port of the ASA would all be placed on this one network.
The SSM would only be able to communicat with the management box, and the ASA management port.
The ASA management port is configured as a management-only port so the ASA will not route in/out of the management network.
SO only the management box on that local network can communicate with the SSM, and no remote boxes can connect directly to the SSM.
(NOTE: Blocking/Shunning will work here because the SSM can talk to the ASA)
3) A secure network that IS routable to/from other networks.
Similar to option 2 above, but in this scenario the management port of the ASA is configured to NOT be a "management-only" port, and is instead treated like any other port on the firewall. In this setup the management port of the ASA CAN route in/out of the management network.
NOTE: In most cases the ASA will need to configure a NAT address for the SSM management IP if users intend to connect to the SSM management IP remotely from the Internet (like running ASDM from the company main network over the internet to configure the ASA and the SSM at a remote site)
4) SSM management IP on one of the normal networks behind the ASA. In this scnario the management port of the SSM would be plugged into a switch or hub where other internal machines are plugged in (like plugging into the DMZ switch/vlan). From the ASA standpoint the SSM management port would be treated just like any other web and ssh server behind the firewall.

ASA 5510 anti spam module issue need help

hi all,
i have ASA5510 my E0 interface is having public ip and E1 is having 192.168.1.0/24 network and my DMZ E2 is 172.16.2.0/24 network.
my management interface ip address is 10.10.10.1 and ive put 10.10.10.5 for SSM module. but im not receiving the updates from net bcoz there is no connection to the internet from 10.10.10.0/24 network.
how can i do that, and ASA 5510 has got 4 ports E0,E1,E2,E3 but i can see that port E3 is activated if i chk the sh run there is no port E3.
now my issue is i would like to allow 10.10.10.0/24 to access internet to update the module.
pls help, i will rate all the posts.
Regards
Binoy.

Try these links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f70.html#wp1051819
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

Using ASA 5510 and router for dual WAN Connections.

Guys, neeed some help here:
Context:
1- My company has one ASA 5510 configured with Site-to-site VPN, Ipsec Cisco VPN and AnyConnect VPN.
2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the NATing for internal users to go out.
3- A second link is coming in and we will be using ISP 2 to loadbalance traffic to internet (i.e. business traffic will go via ISP1 and “other” traffic will go via ISP2).
4- A router will be deployed in front of the ASA to terminate internet links.
5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2).
Questions:
How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?
Since I will be having 2 public Ip Addresses from the 2 ISPs, how do I NAT internal users to the 2 public Ip addresses ?.
Finally, which device should be doing the NATing? The ASA just like now or move NATing to the Router?
Thanks
Ndaungwe

Hi,
Check the below link, it gives information on trasperant fw config and limilations. Based on the doc, you may need to move the VPN /anyconnect to router as well. From the routr end you may be able to set up static routes pointing to diff ISP based on traffic needs but this will be compleicated setup and can break things. Wait for other suggestions or if possible stick to ASA to terminate both links and still route the traffic to diff ISPs (Saves the router cost as well).
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
Thx
MS

Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops

Having problem with communication between ASA 5510 an Cisco Catalyst 3750.
Here is the Cisco switch port facing the ASA 5510 configuration:
interface FastEthernet2/0/6
description Trunk to ASA 5510
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 131,500
switchport mode trunk
switchport nonegotiate
And here is the ASA 5510 port configuration:
interface Ethernet0/3
speed 100
no nameif
no security-level
no ip address
interface Ethernet0/3.500
vlan 500
nameif outside
security-level 0
ip address X.X.X.69 255.255.255.0
There is a default route on ASA to X.X.X.1.
When I try to ping from ASA X.X.X.1 i get:
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Also in the output of show interface eth 0/3 on the ASA i can see that the L2 Decode drop counter increases.
I have also changed the ports on the Switch and ASA but the same error stays.
Any thoughts?

I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
Maybe you should adjust the "speed 100"? In my experience, partial autoconfiguration results in duplex mis-matches, which results in dropped packets.
I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch. Alternatively, have both sides set
speed 100
duplex full
and see if things improve.
-- Jim Leinweber, WI State Lab of Hygiene

ASA 5510 and VPN access to remote site over Ext WAN

ASA 5510
int client IP 172.0.1.XXX /24
VPN Client IP 172.0.1.248 /29
Static routes in the ASA
1) 0.0.0.0 --- points to router1
2) 172.29.1.1 --- Points to router2
3) 172.29.1.2 --- Points to router2
Router1 Internet connection // VPN access in path
Router2 Dedicated line to offsite hosting // Dedicated routes in ASA
................../---- ROUTER 1
..Inside -- ASA --- outside (switch 2 rtrs)
..................\---- ROUTER 2
If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2
At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface then i tried same-security-traffic permit intra-interface.
Both commands failed, Looking at the diagram I think its something with the fact I VPN into this ASA. Now router2 see's our ASA as its external. So it see's our 208.12.*.* as the outgouing address and dest is 172.29.1.1 or .2
I did a capture on the outside interface and I see the following. Now these caps are from the inside PC's accessing the website.
3000 packets captured
1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360
4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456
5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482
Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?

Hi,
Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0
Something like this:-
access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0
nat (Inside) 0 access-list NONAT

ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working

I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enable

Hi,
I can't see any problems right away in the configuration.
I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don'd mind the source address of 1.1.1.1. Its just an address that is located behind "outside" interface according to the ASA routing table. (As the configurations 1.1.1.0/28 is not actually configured on the ASA)
Share the exact "packet-tracer" command used (wihtout the public IP, notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there is no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni

NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

Hi everyone,
Hoping someone can help please.
We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
Has anyone implemented this before and if so, are there any guides available please?
Many Thanks,
Dean.

Hi Dean,
Thanks for posting here.
Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
Checklist: Configure NPS for Dial-Up and VPN Access
http://technet.microsoft.com/en-us/library/cc754114.aspx
Thanks.
Tiger Li
Tiger Li
TechNet Community Support

ASA 5510 and Certifcates

Hi,
Which certificates do I install on the ASA 5510 ???
I have a TrustExternalCARoot, TrustServerCA, ExtendedValidationSecureServerCA and the name of the domain all ending in crt. Yet the instructions only refer to two certificates ?
Thanks
Ed

Any ideas?
Sent from Cisco Technical Support iPhone App

ASA 5510 8.4(2) and IPS SSM-20 7.0(6) E4

Hi, I'm thinking the ASA 5510, ver. 8.4(2) with IPS SSM-20 ver. 7.0(6) E4 falls into IPS unresponsive state.
Now I'm testing the ASA 5510 ver. 8.4(2) with IPS SSM-20 ver. 7.0(4) E4, to verify if the system falls into the same condition.
Any experience ?
In case of incompatibility, how to downgrade ISP SSM-20 to 7.0(4) ?
thanks
rs

You may remove last signature update or service pack by using "downgrade" command in config mode on IPS CLI:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_system_images.html
"Downgrading removes the last applied service pack or signature update from the sensor."

Multiple gateways for different Traffic on ASA 5510 firewall

Hello,
My network atthe moment is set up as:
WAN, with three sites
Site 1
Site 2
Site 3
Site 1 is behind a non-Cisco firewall, which is connected to the internet via a Frame Relay link (using a Cisco 1721 router). We host a number of servers on the Internal network and DMZ's.
All sites connect to the WAN using Cisco routers or switches.
All internet traffic (IN and OUT) for all sites goes via the non-Cisco firewall.
I am interested in the ASA 5510 with six interfaces.
Using the ASA 5510 is it possible to set up two (2) internet connections, one via the Frame Relay and a second internet connection via an ADSL connection?
Then, is it possible to direct the outward-bound traffic via specific gateways based upon either:
(a) the type of traffic, say HTTP from users behind the firewall; or
(b) the IP addresses of the host (i.e. users' PC versus the servers)
Any assistance is welcome.
Kind regards,
IT@C

yes you can do this with policy routing on the internet router in front of the firewall assuming that you are connecting both ISPs to that router. Also, remember that you can do vlans on the ASA. This may cut down on the # of interfaces that you use in your config.
http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f89.html
HTH, pls rate!

IPSec tunnel on sub-interface on ASA 5510

Hello All,
I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels on each subinterface of a physical interface on ASA 5510?
I would be greatul if someone please reply post this with some details.
Regards,
Muds

Hi Jennifer,
Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
Regards,
Muds

CNA and ASA 5510

Similar Messages

Maybe you are looking for