Converting config from Juniper netscreen to ASA 5585 8.4

Does anyone know how to convert config from a Juniper Netscreen Firewall to an ASA? We are trying to get rid of the Netscreen firewalls at our location and replace them with ASAs.

Here is the new self-service tool that Cisco has released to convert other vendors' firewall configurations to Cisco ASA.
Currently it supports Juniper ScreenOS and CheckPoint to Cisco ASA conversion.
Link to the original post:
https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/09/27/conversion-tool-juniper-screenos-to-cisco-asa
Link to the tool itself:
https://fwmig.cisco.com

Similar Messages

  • Startup config error after upgrading to ASA from PIX

    Hey guys. I get the following startup-config errors when reloading our ASA. A PIX->ASA conversion was just done on it. The ASA is currently running 8.2(5), and I am trying to get ready to update it to the most stable release, and wanted to make sure all my ducks are in a row. What is going on with "will be identity translated for outbound"? This is part of the VPN configuration, and I understand nat 0 is saying not to NAT it. Is this something that I should be worried about? The ASA is not in production currently.
    Let me know if you need further information
    Thanks,
    .........nat 0 10.37.0.116 will be identity translated for outbound
    *** Output from config line 406, "nat (inside) 0 10.37.0.1..."
    nat 0 xx.xx.xx.xx (PUBLIC IP) will be identity translated for outbound
    *** Output from config line 431, "nat (inside) 0 xx.xx.xx..."
    Line 406
    nat (inside) 0 10.37.0.116 255.255.255.255
    Line 431
    nat (inside) 0 xx.xx.xx.xx (PUBLIC IP) 255.255.255.255
    Corresponding global
    nat (outside) 0 access-list outside_inbound_nat0_acl outside
    nat (inside) 0 access-list inside_outbound_nat0_acl
    ACL
    access-list outside_inbound_nat0_acl extended permit ip 172.16.16.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl extended permit ip any 172.16.16.0 255.255.255.0
    access-list inside_outbound_nat0_acl extended permit ip 10.37.0.0 255.255.0.0 172.16.16.0 255.255.255.0
    access-list inside_outbound_nat0_acl extended permit ip 172.31.0.0 255.255.0.0 172.16.16.0 255.255.255.0

    Hi,
    I would imagine that there is no problem, as the firewall has not given any kind of error message.
    I do personally wonder sometimes why it is so (at least in the 8.2 software etc.) that the firewall shows a message on the CLI when you are, for example, configuring a "global" / "nat" command pair.
    I wonder if this falls into the same category.
    The configuration format for NAT has stayed pretty much the same leading up to the 8.2 software. I'm not totally sure what software you are going to go for, but you seem to have the latest 8.2 series software, so the next steps are already 8.3 / 8.4 / 9.0 / 9.1.
    ALL of the above-mentioned software versions introduce a completely new NAT configuration format to the ASA. While the ASA automatically converts the configurations, it's not always a 100% process, not to mention that the NAT configuration probably is far from optimal.
    - Jouni

  • Asa load config from disk1

    Hi,
    I have a problem with an asa 5540. The internal flash (disk0) is not working anymore.
    I would like to use the external disk1 flash to store the startup configuration otherwise every time I reboot I have an empty configuration.
    Is this possible? How can I do that? I added the command
    boot config disk1:/running-config
    but it's completely ignored during startup, also if I issue the command
    copy running-config disk1:/running-config
    I have the following error
    1545 bytes copied in 3.800 secs (515 bytes/sec)open(ffsdev/2/write/41) failed
    open(ffsdev/2/write/40) failed
    Is this error related in some way to the problem?
    Another thing: as far as I understand, the license is stored in disk0:; if this is not readable then I load no licence at all. In fact I have this message
    This activation key is not valid, use default settings only
    Does this mean that once I retrieve the licence I should be able to load the config from disk1?
    Thanks, sorry for the lengthy message.
    BB

    BB
    The description that you give of the symptoms strongly suggests that there is a hardware problem with disk0. If this device is covered under a maintenance contract I suggest that you open a case with Cisco TAC on it.
    HTH
    Rick

  • Transfer config from from one ASA to another

    Hello,
    can you help me,
    What is the best way to transfer config from ASA (5520 )8.4 to ASA (5512) 9.0?
    Thanks in advance

    I can agree with that, if the configuration is small.
    If it's larger, one issue with that suggestion is that you leave yourself susceptible to connection interrupts while copying the configuration to the new firewall. If there's an interruption, your ASA won't have its full configuration and could give you problems. It's a pretty rare occurrence but I've seen it happen.
    Something better (in my opinion) than TFTP would be just using HTTPS via ASDM, as it's less of a hassle generally.
    1. copy the running-config to a file on local flash in the old ASA "copy run flash:/config.txt"
    2. grab the configuration file via HTTPS in ASDM (file browser)
    3. upload the new file to the new ASA via HTTPS/ASDM. You'll need to configure basic connectivity for this of course.
    4. in CLI on the new ASA, copy the file to the running-config then save to NVRAM "copy flash:/config.txt run"

  • Convert configuration of Juniper to Cisco Firewall

    Can somebody help me to convert the following config of a Juniper router to Cisco ASA?
    set interfaces ge-0/0/0 description xxxxxxxxxxx
    set interfaces ge-0/0/0 vlan-tagging
    set interfaces ge-0/0/0 mtu 4000
    set interfaces ge-0/0/0 no-gratuitous-arp-request
    set interfaces ge-0/0/0 unit 1 arp-resp unrestricted
    set interfaces ge-0/0/0 unit 1 proxy-arp
    set interfaces ge-0/0/0 unit 1 vlan-id 1
    set interfaces ge-0/0/0 unit 1 family inet address X.X.X.X/25
    set interfaces ge-0/0/0 unit 255 vlan-id 255
    set interfaces ge-0/0/0 unit 255 family inet address X.X.X.X/30
    set interfaces ge-0/0/1 description TUNNEL
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 mtu 4000
    set interfaces ge-0/0/1 no-gratuitous-arp-request
    set interfaces ge-0/0/1 unit 1 arp-resp restricted
    set interfaces ge-0/0/1 unit 1 proxy-arp unrestricted
    set interfaces ge-0/0/1 unit 1 vlan-id 1
    set interfaces ge-0/0/1 unit 1 family inet address X.X.X.X/25
    set interfaces ge-0/0/2 description to-xxxxxxxxxx
    set interfaces ge-0/0/2 vlan-tagging
    set interfaces ge-0/0/2 mtu 4000
    set interfaces ge-0/0/2 unit 556 vlan-id 556
    set interfaces ge-0/0/2 unit 556 family inet address X.X.X.X/30
    set interfaces ge-0/0/2 unit 558 vlan-id 558
    set interfaces ge-0/0/2 unit 558 family inet address X.X.X.X/30
    set interfaces vlan unit 1 proxy-arp unrestricted
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/32 next-hop X.X.X.X
    set routing-options static route X.X.X.X/30 next-hop X.X.X.X
    set routing-options static route 0.0.0.0/0 next-hop X.X.X.X
    set protocols rip receive both
    set protocols rip group xxxxxx neighbor ge-0/0/0.1
    set policy-options policy-statement RIP-export term a from protocol direct
    set policy-options policy-statement RIP-export term a from protocol rip
    set policy-options policy-statement RIP-export term a then accept

    Hello,
    what's the meaning of the following commands and what's the equivalent on Cisco?
    unit 1 arp-resp unrestricted
    no-gratuitous-arp-request
    unit 1 proxy-arp
    set interfaces vlan unit 1 proxy-arp unrestricted
    The problem is that if we activate proxy ARP on the Cisco ASA 5525-X it didn't work, and I note that proxy ARP is enabled by default.
    Below is all the Juniper configuration:
    set interfaces ge-0/0/0 description Test
    set interfaces ge-0/0/0 vlan-tagging
    set interfaces ge-0/0/0 mtu 4000
    set interfaces ge-0/0/0 no-gratuitous-arp-request
    set interfaces ge-0/0/0 unit 1 arp-resp unrestricted
    set interfaces ge-0/0/0 unit 1 proxy-arp
    set interfaces ge-0/0/0 unit 1 vlan-id 1
    set interfaces ge-0/0/0 unit 1 family inet address 10.10.132.1/25
    set interfaces ge-0/0/0 unit 255 vlan-id 255
    set interfaces ge-0/0/0 unit 255 family inet address 192.168.2.2/30
    set interfaces ge-0/0/1 description Test2
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 mtu 4000
    set interfaces ge-0/0/1 no-gratuitous-arp-request
    set interfaces ge-0/0/1 unit 1 arp-resp restricted
    set interfaces ge-0/0/1 unit 1 proxy-arp unrestricted
    set interfaces ge-0/0/1 unit 1 vlan-id 1
    set interfaces ge-0/0/1 unit 1 family inet address 10.10.132.129/25
    set interfaces ge-0/0/2 description to-BB
    set interfaces ge-0/0/2 vlan-tagging
    set interfaces ge-0/0/2 mtu 4000
    set interfaces ge-0/0/2 unit 556 vlan-id 556
    set interfaces ge-0/0/2 unit 556 family inet address 10.1.6.90/30
    set interfaces ge-0/0/2 unit 558 vlan-id 558
    set interfaces ge-0/0/2 unit 558 family inet address 10.1.6.134/30
    set interfaces vlan unit 1 proxy-arp unrestricted
    set routing-options static route 208.226.76.25/32 next-hop 10.10.132.101
    set routing-options static route 24.201.44.122/32 next-hop 10.10.132.101
    set routing-options static route 216.150.170.90/32 next-hop 10.10.132.101
    set routing-options static route 42.220.13.162/32 next-hop 10.10.132.101
    set routing-options static route 81.247.181.14/32 next-hop 10.10.132.101
    set routing-options static route 10.1.6.128/30 next-hop 10.1.6.89
    set routing-options static route 0.0.0.0/0 next-hop 10.1.6.133
    set protocols rip receive both
    set protocols rip group Group1 neighbor ge-0/0/0.1
    set policy-options policy-statement RIP-export term a from protocol direct
    set policy-options policy-statement RIP-export term a from protocol rip
    set policy-options policy-statement RIP-export term a then accept
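As an added example (not from either post above, and not Cisco's conversion tool), here is a Python script that turns the Junos VLAN-unit and static-route lines posted above into ASA 8.4-style subinterface and route statements, the same shape Jouni's trunk example on this page uses. It assumes Junos ge-0/0/N is cabled to ASA GigabitEthernet0/N, derives each nameif from the Junos description plus unit number, emits security-level 0 as a placeholder, and skips the proxy-arp, arp-resp, mtu and RIP lines, which need a hand decision.

```python
import ipaddress
import re

# Constructed sample input: the VLAN-unit and static-route lines from the post above
# (proxy-arp, mtu and RIP lines deliberately left out; they need a hand decision).
JUNOS_CONFIG = """\
set interfaces ge-0/0/0 description Test
set interfaces ge-0/0/0 unit 1 vlan-id 1
set interfaces ge-0/0/0 unit 1 family inet address 10.10.132.1/25
set interfaces ge-0/0/0 unit 255 vlan-id 255
set interfaces ge-0/0/0 unit 255 family inet address 192.168.2.2/30
set interfaces ge-0/0/1 description Test2
set interfaces ge-0/0/1 unit 1 vlan-id 1
set interfaces ge-0/0/1 unit 1 family inet address 10.10.132.129/25
set interfaces ge-0/0/2 description to-BB
set interfaces ge-0/0/2 unit 556 vlan-id 556
set interfaces ge-0/0/2 unit 556 family inet address 10.1.6.90/30
set interfaces ge-0/0/2 unit 558 vlan-id 558
set interfaces ge-0/0/2 unit 558 family inet address 10.1.6.134/30
set routing-options static route 208.226.76.25/32 next-hop 10.10.132.101
set routing-options static route 10.1.6.128/30 next-hop 10.1.6.89
set routing-options static route 0.0.0.0/0 next-hop 10.1.6.133
"""

RE_DESC = re.compile(r"^set interfaces (\S+) description (\S+)$")
RE_VLAN = re.compile(r"^set interfaces (\S+) unit (\d+) vlan-id (\d+)$")
RE_ADDR = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
RE_ROUTE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")


def asa_parent_name(junos_ifname):
    """Assumed naming: Junos ge-0/0/N is cabled to ASA GigabitEthernet0/N."""
    m = re.fullmatch(r"ge-0/0/(\d+)", junos_ifname)
    if not m:
        raise ValueError(f"no ASA mapping for interface {junos_ifname}")
    return f"GigabitEthernet0/{m.group(1)}"


def parse_junos(text):
    """Collect per-unit VLAN id and address, static routes, and descriptions."""
    units, routes, descs = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_DESC.match(line):
            descs[m.group(1)] = m.group(2)
        elif m := RE_VLAN.match(line):
            units.setdefault((m.group(1), int(m.group(2))), {})["vlan"] = int(m.group(3))
        elif m := RE_ADDR.match(line):
            addr = ipaddress.ip_interface(m.group(3))
            units.setdefault((m.group(1), int(m.group(2))), {})["addr"] = addr
        elif m := RE_ROUTE.match(line):
            routes.append((ipaddress.ip_network(m.group(1)),
                           ipaddress.ip_address(m.group(2))))
    return units, routes, descs


def nameif_for(ifname, unit, descs):
    """Build a nameif from the parent's description plus the unit number."""
    base = re.sub(r"[^A-Za-z0-9_-]", "_", descs.get(ifname, ifname))
    return f"{base}_{unit}"


def translate(text):
    """Return ASA subinterface and route statements for the parsed Junos config."""
    units, routes, descs = parse_junos(text)
    out, names = [], {}
    for (ifname, unit), info in sorted(units.items()):
        if "vlan" not in info or "addr" not in info:
            continue  # unit has no VLAN id or no address: nothing the ASA can use
        name = nameif_for(ifname, unit, descs)
        names[(ifname, unit)] = name
        addr = info["addr"]
        out += [f"interface {asa_parent_name(ifname)}.{unit}",
                f" vlan {info['vlan']}",
                f" nameif {name}",
                " security-level 0",  # placeholder: set the real level per zone
                f" ip address {addr.ip} {addr.network.netmask}",
                "!"]
    for dest, gw in routes:
        # ASA routes need an egress nameif: use the subinterface whose subnet holds the gateway.
        egress = [n for key, n in names.items() if gw in units[key]["addr"].network]
        if len(egress) != 1:
            out.append(f"! route to {dest} via {gw}: no unique connected interface, resolve by hand")
            continue
        out.append(f"route {egress[0]} {dest.network_address} {dest.netmask} {gw}")
    return "\n".join(out)


if __name__ == "__main__":
    print(translate(JUNOS_CONFIG))
```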

  • WAAS and Juniper Netscreen Interoperability

    I've been doing a dig on historical posts relating to WAAS deployed through firewalls.
    I am working on a deployment with Juniper Netscreens & ASA5520 sitting between WAE's. IP connectivity is fine. I can ssh to remote device etc. but users cannot login (XP). The login scripts calls upon CIFS etc and I suspect this is being broken through the fw's.
    When I disable WAAS for this flow - it all works fine i.e. users can login and access full set of corporate resources. I suspect the firewalls but would appreciate any leads..
    thanks
    Ajaz

    Hi Ajaz,
    WAAS adds TCP Option 0x21 and increments the TCP packet sequence number during the TCP handshake. The FW needs to be configured to allow these changes.
    On the latest PIX/ASA a new command "ip inspect waas" has been added to allow the above changes by the WAE. You might want to check the Netscreen config guide for the command to disable TCP sequence number checking.
    If SSH to servers is working fine then it might not be the FW dropping packets. However, to confirm, it might be best to use tcpdump/tethereal on both WAEs to sniff the traffic and see whether it's being dropped along the path by the FW.
    Few questions:
    - Whats the version running on WAEs?
    - Is it only CIFS traffic which is affected? Try disabling CIFS AO if its enabled and then test.
    Hope this helps,
    Best Regards,
    Rahul Vavale

  • REMOVING IPSEC VPN CONFIG FROM PIX 6.3 FIREWALL

    Hey,
    We have a PIX 6.3 serving as internet firewall and we are in the process of replacing it with a new ASA device. Currently there are several site-to-site and remote VPNs configured for access purposes.
    I tried to remove one site-to-site IPsec VPN from the PIX and it started acting like a loop, generating the same error in such quantity that the processor got to 100% CPU. I couldn't log in through normal SSH, so I connected via console and placed the isakmp and crypto map commands back in, and the error stopped.
    My purpose with this question is: how can I remove VPN config from the PIX without generating any error? Is there any formal process or order of removing rules from the PIX, or can we do it one by one with no order required?
    MY PROCESS OF REMOVING CONFIG:
    REMOVE THE ACCESS-LIST INSIDEOUT AND OUTSIDE IN COMMANDS 
    REMOVE THE OBJECTS AND OBJECTS GROUPS
    REMOVE THE VPN DEFINED ACCESS-LIST FOR INTERESTING TRAFFIC
    REMOVE CRYPTO MAP TRANSFORM-SET
    REMOVE ISAKMP-POLICY
    REMOVE CRYPTO MAP 
    WE DO USE THE ISAKMP SHARED KEY MECHANISM "I DID NOT REMOVE THAT"
    BUT AS SOON AS I REMOVE THE CRYPTO MAP FROM THE PIX I GOT THIS ERROR
    IPSEC(crypto_map_check): crypto map XYZ 20 incomplete.  No peer or access-list specified.
    20 IS THE ISAKMP POLICY NUMBER & peer and access-list were removed from the PIX
    Any help would be great
    regards

    Hi
    You could do either of 2 things.
    1) Enable NAT-Traversal on your ASA
    2) Add the following on your pix :
    fixup protocol esp-ike
    This allows one IPSEC connection to run through PAT.
    HTH
    Jon

  • Upgrading from SSM-10 to ASA 5525x

    We are upgrading from an ASA 5510 with a SSM-10 module to the 5525x ips.  Can we simply copy the config from the SSM-10 to the 5525x?

    Please refer the below document for the details regarding the catalog conversions.
    http://helpx.adobe.com/photoshop-elements/kb/common-catalog-issues-upgrade-elements.html

  • Vlan on asa-5585

    Hi,
    Is there any way to create VLANs on a Cisco ASA 5585 in a similar way to what we do on Cisco switches?
    The ASA in this case is an interface for subsidiary users to connect into this new network.
    We require a few VLANs to be created for some servers on the firewall; the firewall should be the gateway for these servers.
    eg. vlan 100 - 192.168.100.1/24 should be on the ASA firewall.
    How do we achieve this?
    Appreciate all help on this.

    Hi,
    You will have to configure at least one physical interface as a trunk interface if you want to bring the VLAN all the way to the ASA. Essentially the configuration follows the same lines as configuring a Cisco router to act as the gateway for multiple VLANs behind a switch.
    The actual configuration format depends on how you have set up the ASA. Is it Single Context or Multiple Context?
    In Single Context the configuration would be something like this
    interface GigabitEthernet0/0
    description TRUNK
    interface GigabitEthernet0/0.100
    vlan 100
    nameif LAN
    security-level 100
    ip add 10.10.10.1 255.255.255.0
    interface GigabitEthernet0/0.200
    vlan 200
    nameif DMZ
    security-level 50
    ip add 192.168.10.1 255.255.255.0
    If you are running Multiple Context mode the configuration could be something like this
    interface GigabitEthernet0/0
    description TRUNK
    interface GigabitEthernet0/0.100
    description LAN
    vlan 100
    interface GigabitEthernet0/0.200
    description DMZ
    vlan 200
    context EXAMPLE-CONTEXT
    allocate-interface GigabitEthernet0/0.100
    allocate-interface GigabitEthernet0/0.200
    config-url disk0:/EXAMPLE-CONTEXT.cfg
    Or something along these lines
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni

  • Wireless Controller & Juniper Netscreen Firewall

    I have a Cisco WLC 4402 plugged into a Cisco 3750 switch with 10 access points connected to this switch.
    I have a Juniper Netscreen 5XT Firewall that I wish to place on this wireless network. Does anyone have any experience with setting up a Juniper FW and Cisco WLC?
    The first question would be: where would I place the firewall?

    NetScreen IDP Device and Server Support
    MARS supports multiple versions of NetScreen IDP. How this support is realized within MARS differs based on the version of the sensor that you are running.
    • NetScreen IDP-Management Server: The NetScreen IDP Management Server is the management software for IDP version 2.x and 3.x sensors. Usually, the IDP-Management Server is installed on the IDP appliance. However, it can be removed from the IDP appliance and installed on a Solaris or Linux server. In MARS, IDP v2.1 and 3.x are both supported as agents on a Linux host running IDP-Management Server.
    • NetScreen Security Manager (NSM) provides support for the following NetScreen sensors:
    - NetScreen IDP 4.0
    - NetScreen IDP 4.1
    MARS does not support multiple reporting devices on the same host (as defined by reporting IP address), so IDP-Management Server and NSM cannot co-exist on the same host unless they report to MARS via different IP addresses. However, you can define multiple sensors per management server.

  • AP 1602 apply config from AP 1131AG

    Hello,
    At the moment I have ~30 APs like the 1131AG. For simplicity I was always preparing a new one like this:
    - saving config from an existing one ("Current Startup Configuration File")
    - edit (changing IP, name, RADIUS IP)
    - upload to the new device.
    Now I am not able to buy the 1131AG (end of life) and I got an offer for the AP 1602.
    My questions:
    - can I upload configuration to the AP 1602 as above using config from the 1131AG? (even if I should adjust some config manually after upload)
    (or will I have to config from scratch?)
    - just to confirm: on the 1131 I am using two RADIUS servers, two SSIDs, VLANs - is it still possible on the 1602? Or should I worry about losing some capabilities?
    P.S. Apologies in advance if those are "lamer" questions - I tried to find it in prior posts but with no luck.
    Regards

    Hi Tomas,
    Hope you are talking about autonomous APs here, and if so then you should be fine with this.
    - can I upload configuration to the AP 1602 as above using config from the 1131AG? (even if I should adjust some config manually after upload)
    ANS:- Most likely the 1602 AP you would be getting will be running the LWAP IOS (which works only with a WLC). If so, you will have to convert it to autonomous mode and try configuring it as in the AP1131AG configuration with very little modification. You could ask your reseller if they can get you an autonomous IOS 1602 AP rather than lightweight; then your life would be easier. Else you could use the procedures at the URLs below to convert from LWAP to autonomous.
    http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918
    https://supportforums.cisco.com/docs/DOC-14960
    - just to confirm: on the 1131 I am using two RADIUS servers, two SSIDs, VLANs - is it still possible on the 1602? Or should I worry about losing some capabilities?
    You can achieve this on the 1602 as well without loss of any capabilities.
    Hope that helps.
    Regards
    Najaf
    Please rate when applicable or helpful !!!

  • ASA 5585-X Licensing

    Hi,
    I was hoping to get some assistance from the community on 5585 part numbers/licensing.
    We have recently purchased some 5585-X SSP-20's. The part number ordered was ASA5585-S20C20XK9 "ASA 5585-X Chas w/SSP20,CX SSP20,16GE,4 SFP+,2 AC,3DES/AES". We want to enable the 10GE ports on the SSP-20; do we just purchase an additional license? We are being guided by our reseller to swap the hardware for ASA5585-S20C20XK9 "ASA 5585-X Chas w/SSP20,CX SSP20,16GE,4 SFP+,2 AC,3DES/AES".
    Thanks,
    Colin

    Based on the documentation you need the Security-Plus License to enable 10G for the 5585 with SSP10 or SSP20.

  • How many default virtual context counts with ASA 5585 Series

    Hi All:
    I am preparing to replace an FWSM with the ASA 5585 Series, but I am confused about the default virtual context count on the ASA 5585.
    I used 3 virtual contexts on my old FWSM (1 admin context with 2 contexts). According to the ASA configuration guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1188797
    it states the ASA 5585 has 2 contexts by default. Does it mean the ASA 5585 has just 2 contexts, or 1 admin context plus "2" contexts (3 contexts available)?
    Thanks for your reply

    Hi,
    To my understanding the ASA with the default license lets you use 2 Security Contexts for your own purposes. The admin context will always be there on the ASA when running in multiple context mode. It's created when you change your ASA from its default mode (single) to "mode multiple".
    In my original post the latter part was just to mention that, to my understanding, if you use 2 ASAs (almost any model) in failover with software 8.3 and above, the ASA will combine their licenses regarding some values. For example, connecting 2 ASAs in failover which have a limit of 2 Security Contexts, they will get combined and the failover pair will have a 4 Security Context limit.
    At least that is what I see with the "show version" command, and this is also what we have been told by a Cisco employee. I've also been told that if I, for example (running 8.3+ OS), buy a 5 Security Context license for the other unit, it will combine the one unit's base license (2 SC) with the other unit's new license (5 SC), resulting in a combined Security Context limit of 7.
    This is what Cisco documentation mentions about Active/Standby and Active/Active Failover Licensing at version 8.3 and above:
    Or you have two ASA 5540 adaptive security appliances, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, for example, one unit can use 18 contexts and the other unit can use 12 contexts, for a total of 30; the combined usage cannot exceed the failover cluster license.
    I have had 2 ASA5585-X ASAs combined in A/A failover running 8.4(2), and they have at least shown that they have the combined Security Context limit of 4 Security Contexts.
    Here's a partial output of the "show version" command on the ASAs in question when they were just out of the box, combined in failover, with no configuration other than running in multiple context mode and management configuration in the admin context.
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 1024           perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10000          perpetual
    Total VPN Peers                   : 10000          perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    10GE I/O                          : Disabled       perpetual

    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 1024           perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 4              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 4              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10000          perpetual
    Total VPN Peers                   : 10000          perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 4              perpetual
    Total UC Proxy Sessions           : 4              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    10GE I/O                          : Disabled       perpetual

    Though I still suggest confirming all these things with the people/company you're acquiring the ASA(s) from, so you get what you're asking for. Or someone from Cisco could confirm this on these forums.

  • Cisco ASA 5585-X SSP-20 8.4(2) - TCP Syslog problem

    Hi,
    We have a firewall service environment where logging is handled with UDP at the moment.
    Recently we have noticed that some messages get lost on the way to the server (since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP.
    You can imagine my surprise when I enabled "logging host <interface name> <server ip> tcp/1470" on an ASA Security Context and found out that all the connections through that firewall were now being blocked. Granted, I could have checked the command reference for this specific command, but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
    The TCP syslog connection failing was caused by a mismatched TCP port on the server, which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message:
    "%ASA-3-201008: Disallowing new connections."
    Here start my questions:
    - New connections are supposed to be blocked when the TCP syslog server isn't reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
    - I configured "logging permit-hostdown" after I found the command, and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
    - Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
    - After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
    - As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
    At the end I was forced to save the configuration on the ASAs Flash -memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem.
    Seems to me this is some sort of bug, since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the "logging permit-hostdown" command didn't help, nor did changing back to UDP.
    It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configuration on.
    Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost, or the above situation happens and isn't corrected by any of the above measures we took (like the "logging permit-hostdown" command, which is supposed to avoid this situation altogether).
    - Jouni

    Hi,
    I FINALLY had the time to look at this issue as I was testing something else in our lab too.
    In short, here is what I did:
    I configured the TCP logging in the same way as in the original post
    I configured the TCP logging giving the commands in different order
    Did some other tests related to the problem
    Device used: ASA 5585-X
    Software: 8.4(2)
    Original Device and software : ASA 5585-X running 8.4(1)9
    Here are the above scenarios and what actually happened
    Original situation
    Before doing any changes the test firewall context in question is working normally and the log sent by UDP/514 is arriving to the Syslog server as usual.
    I now change the syslog to TCP by giving a command "logging host tcp/1471" (actual port being TCP/1470)
    The firewall immediately starts blocking all connections going through it.
    I change the configuration to the correct port TCP/1470, after which log starts appearing in my real-time view on the syslog server. The firewall context in question is still sending only the message "Disallowing new connections" even though the TCP port on the syslog server is clearly reachable and the connection is active.
    After this I try the suggested "clear local-host all" command. This has no effect on the firewall context. No connections are getting through. No connections/xlates are formed on the firewall. I can only see the firewall doing DNS queries with its outside interface (related to another configuration).
    After this I try to start correcting the situation the same way as before. I add the "logging permit-hostdown" command, which has no effect on the situation. I remove all logging configuration and it doesn't have any effect on the situation.
    After this I activate UDP logging and can see the logs arriving on the syslog server but again I can only see "Disallowing new connections" message.
    In the end I have no other option (to my knowledge) other than to delete the Security Context and create it again with same interfaces and with the configuration saved to the Flash -memory of the ASA.
    After this the connections work like usual. (UDP logging in the saved configuration)
    Giving the configurations in different order
    After I've created the firewall again and all is working I have another try in configuring the TCP Syslog while giving the commands in different order.
    First I add the command "logging permit-hostdown" command
    Then I add the command "logging host tcp/1470"
    After this logs start arriving on the syslog server and connections work as usual. Seems giving the "logging permit-hostdown" first before any other configurations is the right way to go.
    Removing the "logging permit-hostdown" command
    After I saw that everything was working I tried to remove the "logging permit-hostdown" command and see what happens. Everything worked fine.
    Configuring wrong TCP port to "logging host" command
    I decide to try and change the TCP port used to a wrong one and see if anything happens. (logging permit-hostdown is active). Firewall works as usual. Naturally no logs can be viewed at the syslog server.
    Configuring the TCP Syslogging without "logging permit-hostdown" but with correct port
    Finally I tried to configure the TCP Syslogging on ASA with the correct TCP port without issuing the "logging permit-hostdown" command. Everything seemed to work fine after this.
    So in conclusion it seems that IF you don't have the "logging permit-hostdown" command issued before you start configuring "logging host tcp/xxxx" , you might run into problems IF you don't have matching settings on the ASA sending the log and the Syslog server receiving the log.
    There doesn't seem to be any easy way to correct the situation (with the connections getting blocked) after you have once messed up the configuration. Seems your only option is to reconfigure the Security Context (which is easy) or, if this problem exists in the same way on a single-mode ASA, you will have to reboot the device, which means longer downtime than reconfiguring a context.
    There would still be a couple of things to test but at the moment I have no more time for this. I will update if there is any new information.
    - Jouni
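As an added example (not from Jouni's posts and not a Cisco tool), here is a Python check a practitioner could run over an exported context configuration to catch the combination Jouni's lab tests point at: a "logging host ... tcp/..." destination present while "logging permit-hostdown" is absent, which is the state in which a syslog problem turns into a traffic outage. It also counts the %ASA-3-201008 message quoted above in a batch of syslog lines. The sample config and syslog lines are constructed; the server addresses are placeholders.

```python
import re

# Constructed sample: a security-context config that relies on TCP syslog
# without "logging permit-hostdown" (the situation described in the thread).
RISKY_CONFIG = """\
hostname CTX-A
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.10 tcp/1470
logging host inside 192.0.2.11
"""

# The same context with the safeguard that Jouni found had to be in place first.
HARDENED_CONFIG = RISKY_CONFIG.replace(
    "logging trap informational",
    "logging trap informational\nlogging permit-hostdown")

# logging host <nameif> <server> [tcp|udp[/port]] ...; ASA defaults: tcp/1470, udp/514
RE_LOG_HOST = re.compile(
    r"^logging host (\S+) (\S+)(?:\s+(tcp|udp)(?:/(\d+))?)?", re.IGNORECASE)
DEFAULT_PORT = {"tcp": 1470, "udp": 514}


def logging_destinations(config_text):
    """Return [(interface, server, proto, port)] for every 'logging host' line."""
    dests = []
    for line in config_text.splitlines():
        m = RE_LOG_HOST.match(line.strip())
        if not m:
            continue
        proto = (m.group(3) or "udp").lower()
        port = int(m.group(4)) if m.group(4) else DEFAULT_PORT[proto]
        dests.append((m.group(1), m.group(2), proto, port))
    return dests


def check_tcp_syslog(config_text):
    """Flag TCP syslog servers configured while 'logging permit-hostdown' is absent.

    In that state the ASA blocks new connections whenever the TCP syslog
    session is down, so a logging mistake becomes a traffic outage."""
    permit_hostdown = any(line.strip() == "logging permit-hostdown"
                          for line in config_text.splitlines())
    findings = []
    for iface, server, proto, port in logging_destinations(config_text):
        if proto == "tcp" and not permit_hostdown:
            findings.append(
                f"TCP syslog to {server}:{port} via {iface} without "
                "'logging permit-hostdown': new connections are dropped "
                "if the syslog session fails")
    return findings


RE_DISALLOW = re.compile(r"%ASA-\d-201008: Disallowing new connections")


def count_disallow_events(syslog_lines):
    """Count 201008 messages: the only thing the stuck context kept logging."""
    return sum(1 for line in syslog_lines if RE_DISALLOW.search(line))


# Constructed sample syslog lines, modelled on the message quoted in the thread.
SAMPLE_SYSLOG = [
    "Sep 27 2013 10:00:01 CTX-A : %ASA-3-201008: Disallowing new connections.",
    "Sep 27 2013 10:00:01 CTX-A : %ASA-6-302013: Built outbound TCP connection 12 "
    "for inside:10.0.0.5/40001 (10.0.0.5/40001) to outside:198.51.100.7/443 "
    "(198.51.100.7/443)",
    "Sep 27 2013 10:00:02 CTX-A : %ASA-3-201008: Disallowing new connections.",
]

if __name__ == "__main__":
    for finding in check_tcp_syslog(RISKY_CONFIG):
        print("RISKY  :", finding)
    print("HARDENED:", check_tcp_syslog(HARDENED_CONFIG) or "no findings")
    print("201008 events in sample:", count_disallow_events(SAMPLE_SYSLOG))
```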

  • Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+

    Hello,
    Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configured it with Juniper Netscreen Firewall for radius & tacacs+ authentication and authorization?
    I am able to configure this with Cisco ACS 4.2 with customise VSA file but can't understand how to configure it on ACS 5.1.
    Thanks in Advance.

    Hi Eduardo,
    Can you tell me how to map ACS 4.2?
    service=junos-exec
    local-user-name=Engineering
    Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed on to ACS 5.2? I don't have access to a sniffer or tap, nor do I have rights on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
    Also, I'd like to see where I'd map this on ACS 5.2.  Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
    local-user-name=opertions
    allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
    deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))
