Difficulty of moving from Meraki MX to Cisco ASA firewall / IDS

Maybe a region thing. I have had excellent support from my Fortigate reseller here in the UK. I used Cisco TAC once and have vowed never to use them again. It took them a month to sort out a single CME issue that, when I showed it to a colleague, took 10 mins to figure out the solution, and pretty much showed the TAC solution was just about the worst way to go!
Fortigate also comes out ahead of Cisco in the Gartner analysis, so they can't be all bad.
Horses for courses I guess...

I'm running a Meraki MX60 and find it underwhelming. It's expensive for what it is, performance isn't great, and I want an SSL VPN.
Would like to move to Cisco ASA, maybe something like a 5512-X. 
How difficult is this going to be? I'm technical and know more than nothing about networking, but I'm not a Cisco person. Not afraid to read/learn and use a CLI though.

Similar Messages

  • Configure our own Public IP pool on Cisco ASA firewall

    Hey everyone,
    I need some assistance on the below requirement. Today we have only one internet circuit connected to our external firewall, where we are using a /26 public IP range for all external traffic. Now we have managed to obtain our own subnet (/24) from ARIN and would like to configure it on the firewall/internet router for all external services. Is my approach right for configuring our own subnet on the firewall?
    1. Create a dedicated interface on the Cisco ASA firewall for the new public pool. If there is no free interface, then a virtual interface should also be fine.
    2. Make sure there is an appropriate route towards the Internet router (or create a default route towards the OUTSIDE interface).
    3. Speak to the Internet service provider and explain that you are planning to use this specific public IP range on your n/w, and ask them to publish it in their BGP world with the proper prefix.
    4. Implement one external static NAT and make sure everything works as expected.
    Thanks in advance Network Experts!!!
    Regards
    VGS

    You have the basics, but I do have a couple of comments / questions:
    1. What ASA are you running? If you do not have a free interface and plan to create subinterfaces, you will need to remove the configuration of one of the interfaces, then create the subinterfaces and then re-apply the configuration you removed to one of the subinterfaces there. So, why not just overwrite the existing external interface? Also, keep in mind that the ASA does not support two default routes (though I have heard some rumours that this might be added to the 9.3 release, I have not had this confirmed).
    4. You don't really say what you are going to use this new setup for, but if you are using it for internet access then adding just a static NAT will not be enough; you will also need a dynamic NAT.

  • Hi, I am getting the following error while booting up a Cisco ASA firewall.

    Hi,
    I'm getting the following error from the console when booting up a Cisco ASA firewall...
    How do we determine if the issue is hardware or software related?
    ERROR: Type:2; Severity:80; Class:1; Subclass:3; Operation: 3

    Dear Ravi,
    You are getting the time out message because you must be loading a huge volume of data, and BW runs for a specific period of time and then gives a dump with the message that processing is overdue. What you can do is first drop the indexes of the cube and then manually load the data packets. I think you can load the failed data package again: select the failed data package in the monitor screen, then go to Edit (on the upper left, next to Monitor). In Edit select Init update, then select "settings for further update", and now select that the process should be run in the background. Now right click on the failed data packet and select Manual update.
    Hope this works for you.
    With Regards,
    Prafulla

  • I Want Buy Cisco ASA Firewall Supporting SIP

    Hello guys, I want to buy a Cisco ASA firewall that supports SIP and Session Border Controller (SBC). So please can anyone tell me the most powerful one that supports these protocols? Thank you guys

    Hi Vijay,
    It can be done, but you need some network management software. I personally don't think you can ask your ASA to send mails. The ASA can trigger an alert to an SNMP-configured server, which will in turn send mail to you.
    HTH,

  • Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505

    Problem: Unable to access user A to user B
    User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} )  --- User B
    After using the wizard to configure the Cisco ASA site to site VPN, the site-to-site tunnel is up.
    Ping is unsuccessful from user A to user B.
    Ping is successful from user B to user A, and data is accessible.
    After running packet-tracer from user A to user B, the result is:
    Result :
    Flow-lookup
    Action : allow
    Info: Found no matching flow, creating a new flow
    Route-lookup
    Action : allow
    Info : 192.168.5.203 255.255.255.255 identity
    Access-list
    Action : drop
    Config Implicit Rule
    Result - The packet is dropped
    Input Interface : inside
    Output Interface : NP Identify Ifc
    Info: (acl-drop)flow is denied by configured rule
    Below is Cisco ASA 5505's show running-config
    ASA Version 8.2(1)
    hostname Asite
    domain-name ssms1.com
    enable password ZZZZ encrypted
    passwd WWWW encrypted
    names
    name 82 B-firewall description Singapore office firewall
    name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
    name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
    name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
    name 122 A-forti
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.5.203 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 93 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ssms1.com
    object-group network obj_any
    network-object 0.0.0.0 0.0.0.0
    access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
    access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 81 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http B-inside-subnet 255.255.255.0 inside
    http fw-inside-subnet 255.255.255.0 inside
    http 0.0.0.0 255.255.255.255 outside
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer A-forti
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set peer B-firewall
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption aes-192
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.5.10-192.168.5.20 inside
    dhcpd dns 165 165 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    username admin password XXX encrypted privilege 15
    tunnel-group 122 type ipsec-l2l
    tunnel-group 122 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    class-map outside-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      message-length maximum client auto
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    policy-map outside-policy
    description ok
    class outside-class
      inspect dns
      inspect esmtp
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect icmp
      inspect icmp error
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    service-policy global_policy global
    service-policy outside-policy interface outside
    prompt hostname context
    Cryptochecksum: XXX
    : end
    Kindly need your expertise & help to solve the problem.

    Can anyone help me?

  • Problem Packet Flow through Cisco ASA Firewall

    I have a Cisco ASA 5540 8.2(1), with permit ip any any rules
    packet-tracer input inside tcp 10.56.149.129 871 10.40.170.10 3003
    show
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found flow with id 1374599592, using existing flow
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    If you change the source or destination port, the packet is successfully
    clear conn did not help.
    Please tell me how to solve the problem.

    Hi,
    I would suggest sharing the firewall configuration (except for any sensitive information they might have) so troubleshooting this would be easier.
    It would seem to me that during your "packet-tracer" test there is already an existing traffic flow through the ASA with the same information that you entered in the command.
    I don't know however why the connection would be blocked according to the "packet-tracer". In my own test this seemed to work. Output was otherwise the same but the "connection" wasn't dropped.
    - Jouni
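    Both packet-tracer traces above (the ASA 5505 VPN post and this ASA 5540 post) end in "(acl-drop) Flow is denied by configured rule", but only one of them names a dropping phase. The parser below is an added example, not code from either thread; it assumes the CLI layout of the 5540 output ("Phase: N" blocks, then a bare "Result:" summary) and the second sample is a constructed CLI rendering of the ASDM-style trace from the 5505 post.

```python
"""Locate the phase that dropped a packet in Cisco ASA `packet-tracer` output.
Added example, not code from the threads above. Assumes the CLI layout of the ASA 5540
post: "Phase: N" blocks, then a bare "Result:" summary carrying Action/Drop-reason."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample 1: the output quoted in the ASA 5540 post, trimmed (existing flow matched, verdict drop).
TRACE_EXISTING_FLOW = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1374599592, using existing flow

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Sample 2: constructed CLI rendering of the ASDM-style trace in the ASA 5505 VPN post
# (new flow, then the implicit deny; the output interface is the ASA's own identity interface).
TRACE_IMPLICIT_DENY = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text: str):
    """Return (phases, summary): Phase records plus the trailing summary as a dict."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    current: Optional[Phase] = None
    bucket: Optional[List[str]] = None   # list currently receiving free-text lines
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:                   # after the bare "Result:" every line is key: value
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            bucket = None
        elif line == "Result:":          # bare "Result:" opens the final summary
            in_summary = True
        elif current is None:
            continue                     # preamble before the first phase
        elif line in ("Config:", "Additional Information:"):
            bucket = current.config if line == "Config:" else current.info
        else:
            key, sep, value = line.partition(":")
            if sep and key in ("Type", "Subtype", "Result"):
                setattr(current, key.lower(), value.strip())
                bucket = None
            elif bucket is not None:
                bucket.append(line)
    return phases, summary


def explain_verdict(phases: List[Phase], summary: Dict[str, str]) -> Dict[str, object]:
    """Name the DROP phase and its Config. A trace that matched an existing connection
    skips the remaining lookup phases, so it can report "drop" without any phase saying
    DROP; existing_flow flags that case (the 5540 post's situation)."""
    dropping = next((p for p in phases if p.result.upper() == "DROP"), None)
    return {
        "action": summary.get("Action", "").lower(),
        "drop_reason": summary.get("Drop-reason"),
        "drop_phase": dropping.type if dropping else None,
        "drop_config": " ".join(dropping.config) if dropping else None,
        "existing_flow": any("using existing flow" in l for p in phases for l in p.info),
    }
```

When `existing_flow` is set and no phase reports DROP, the trace is reporting the verdict of a connection that already exists rather than a fresh rule lookup, which is why it cannot tell you which ACL entry matched.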

  • Cisco ASA 5505 Site to Site VPN Problem

    Hi All,
    We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
    We can establish the vpn tunnel and all users in the remote office are working great. However at a random point during the day or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
    When I dial into the modem which is connected to the firewall I see the following messages in the logs:
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
    Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
    Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
    I have checked both firewalls for any mis-matched parameters and do not see any.
    Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
    Thanks!

    Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
    hostname
    domain-name
    enable passwordpasswd names
    interface Vlan701
    nameif inside
    security-level 100
    ip address 10.65.0.69 255.255.255.252
    interface Vlan999
    nameif outside
    security-level 0
    ip address ******  255.255.255.248
    interface Ethernet0/0
    description Link to Internet
    switchport access vlan 999
    interface Ethernet0/1
    description
    switchport access vlan 701
    interface range Ethernet0/2 - 0/7
    switchport access vlan 2
    shutdown
    ftp mode passive
    dns server-group DefaultDNS
    domain-name******
    access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffered warnings
    logging trap warnings
    logging asdm informational
    logging host outside *****
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list nonat
    route inside ******
    route outside 0.0.0.0 0.0.0.0 ********
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    snmp-server location **:
    snmp-server contact **
    snmp-server community shortkey
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
    crypto map CASGMAP 50 match address 101
    crypto map CASGMAP 50 set pfs group1
    crypto map CASGMAP 50 set peer ********
    crypto map CASGMAP 50 set transform-set 3desmd5
    crypto map CASGMAP 50 set security-association lifetime seconds 3600
    crypto map CASGMAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet **** inside
    telnet timeout 5
    ssh **** inside
    ssh **** outside
    ssh timeout 5
    console timeout 30
    management-access inside
    dhcpd ping_timeout 750
    priority-queue outside
    ntp server **
    username ***
    tunnel-group ******** type ipsec-l2l
    tunnel-group ******** ipsec-attributes
    pre-shared-key ***
    class-map VoIP
    match dscp ef
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map General-purpose
    class VoIP
    priority
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect http
    service-policy General-purpose interface outside
    prompt hostname context

  • LDAP Authentication on Cisco ASA 8.2(1)

    Dear Security Experts,
    I am facing an issue while trying to configure LDAP integration on a Cisco ASA firewall. The requirement is to allow remote access VPN to a specific group defined in AD. When I checked the debug logs ("debug ldap 255"), it shows that the authentication is successful with the LDAP server, but the LDAP attribute is not getting mapped, and because of this the tunnel-group default group policy "NOACCESS" is getting applied (vpn-simultaneous-logins set to zero), which results in zero connections.
    I confirmed this by changing the value of NOACCESS from zero to one and found that the VPN then connects.
    The name of the user account is testvendor, which belongs to the group Test-vendor.
    Could you kindly advise me what I am missing in this configuration? Help on this is highly appreciated.
    The configuration and debug output are shown below.
    SHOW RUN
    ldap attribute-map ABC-VENDOR
      map-name  memberOf Group-Policy
      map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    aaa-server ldapvend protocol ldap
    aaa-server ldapvend (INSIDE) host 10.1.141.7
    ldap-base-dn DC=abc,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *
    ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local
    server-type microsoft
    ldap attribute-map ABC-VENDOR
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    group-policy Allow-Vendor internal
    group-policy Allow-Vendor attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol IPSec
    dns-server value 10.1.141.7
    default-domain value abc.org
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_acl
    tunnel-group ABC-AD-VENDOR type remote-access
    tunnel-group ABC-AD-VENDOR general-attributes
    address-pool vendor_pool
    authentication-server-group ldapvend
    default-group-policy NOACCESS
    tunnel-group ABC-AD-VENDOR ipsec-attributes
    pre-shared-key *
    Note : I tried the below map-value under the ldap attribute ABC-VENDOR as part of troubleshooting
    map-value memberOf CN=Test-vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    map-value memberOf CN=Test-vendors,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    map-value memberOf CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    DEBUG LDAP 255
    [454095] Session Start
    [454095] New request Session, context 0xb1f296b0, reqType = Authentication
    [454095] Fiber started
    [454095] Creating LDAP context with uri=ldap://10.1.141.7:389
    [454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful
    [454095] supportedLDAPVersion: value = 3
    [454095] supportedLDAPVersion: value = 2
    [454095] Binding as ldapvpn
    [454095] Performing Simple authentication for ldapvpn to 10.1.141.7
    [454095] LDAP Search:
            Base DN = [DC=abc,DC=local]
            Filter  = [sAMAccountName=testvendor]
            Scope   = [SUBTREE]
    [454095] User DN = [CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local]
    [454095] Talking to Active Directory server 10.1.141.7
    [454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
    [454095] Read bad password count 0
    [454095] Binding as testvendor
    [454095] Performing Simple authentication for testvendor to 10.1.141.7
    [454095] Processing LDAP response for user testvendor
    [454095] Message (testvendor):
    [454095] Checking password policy
    [454095] Authentication successful for testvendor to 10.1.141.7
    [454095] Retrieved User Attributes:
    [454095]        objectClass: value = top
    [454095]        objectClass: value = person
    [454095]        objectClass: value = organizationalPerson
    [454095]        objectClass: value = user
    [454095]        cn: value = testvendor
    [454095]        givenName: value = testvendor
    [454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
    [454095]        instanceType: value = 4
    [454095]        whenCreated: value = 20111019133739.0Z
    [454095]        whenChanged: value = 20111030135415.0Z
    [454095]        displayName: value = testvendor
    [454095]        uSNCreated: value = 20258545
    [454095]        uSNChanged: value = 20899179
    [454095]        name: value = testvendor
    [454095]        objectGUID: value = ).u>.v.H.6>..u.Z
    [454095]        userAccountControl: value = 66048
    [454095]        badPwdCount: value = 0
    [454095]        codePage: value = 0
    [454095]        countryCode: value = 0
    [454095]        badPasswordTime: value = 129644550477428806
    [454095]        lastLogoff: value = 0
    [454095]        lastLogon: value = 129644551251183846
    [454095]        pwdLastSet: value = 129635050595360564
    [454095]        primaryGroupID: value = 513
    [454095]        userParameters: value = m:                    d.                       
    [454095]        objectSid: value = ...............n."J.h.0.....
    [454095]        accountExpires: value = 9223372036854775807
    [454095]        logonCount: value = 0
    [454095]        sAMAccountName: value = testvendor
    [454095]        sAMAccountType: value = 805306368
    [454095]        userPrincipalName: value = [email protected]
    [454095]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095]        msNPAllowDialin: value = TRUE
    [454095]        dSCorePropagationData: value = 20111026081253.0Z
    [454095]        dSCorePropagationData: value = 20111026080938.0Z
    [454095]        dSCorePropagationData: value = 16010101000417.0Z
    [454095]        lastLogonTimestamp: value = 129638228546025674
    [454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
    [454095] Session End

    Thank you Jennifer for the response.
    Could you please help me on how to enable the "memberOf" attribute in AD to be pushed to the ASA for the OU matching?
    I have already set the "Remote Dialin" property of the user account "testvendor" in AD to "Allow Access". It can be seen in the debug output below.
    [454095] sAMAccountName: value = testvendor
    [454095] sAMAccountType: value = 805306368
    [454095] userPrincipalName: value = [email protected]
    [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095] msNPAllowDialin: value = TRUE
    [454095] dSCorePropagationData: value = 20111026081253.0Z
    [454095] dSCorePropagationData: value = 20111026080938.0Z
    [454095] dSCorePropagationData: value = 16010101000417.0Z
    Are there any other settings that I need to do on AD?
    Kindly advise
    Regards
    Shiji

  • Cisco ASA 5510 Specs

    In Cisco ASA Firewall 5510 does the feature content filter come built in?

    Here are a number of Cisco Press books for the ASA:
    http://www.ciscopress.com/search/index.asp?query=ASA
    Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Edition
    Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, 2nd Edition

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

    Dear Experts,
    Would like to know whether dynamic routing protocols are supported in Cisco ASA Firewall Multiple Context Mode. If yes, then please provide the OS version and hardware model of the Cisco ASA Firewall. Appreciate the quick response. Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    It lists the following for software level 9.0(1):
    Multiple Context Mode Features
    Dynamic routing in Security Contexts
    EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    Seems to me you would need some 9.x version to support the above mentioned dynamic routing protocols.
    I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is the ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • Cisco ASA - Web Server Publishing

    My requirement is I need to publish 2 Web Servers to internet behind Cisco ASA.
    The users will be using secure https access to the Web Server.
    I have only 1 Public IP Address assigned to access both the Web Servers.
    Wanted to know what are the things required in the Cisco ASA firewall.
    1. What type of licenses ?
    2. What type of certificates ?
    3. How can I use a single Public IP to access both the Web servers? Does the Cisco ASA support this?
    I don't want any client software on the end users' PCs.

    Thanks. I do have 2 Public IP addresses for my 2 servers. That is clear.

    I thought you said you just have 1 Public IP in your first post. Anyways, if you do have 2 Public IPs for each server, then use Static NAT instead of PAT. Use the same commands but without the port information.
    Prior 8.3:
    static (inside,outside) public_ip1 web_server1 
    static (inside,outside) public_ip2 web_server2
    8.3 or later:
    object network web_server1_real
    host web_server1
    nat (inside,outside) static public_ip1
    object network web_server2_real
    host web_server2
    nat (inside,outside) static public_ip2
    Because Application1 will be published to the web server and the web server will be published to internet, the web server is the one to be published through ASA. I am not sure how you use Application1 and how you will publish it to the web server internally so this is out of the scope of my help.
    About Application2's security, the question is, how do you want to achieve security for App2? We have several types of security. Having the ASA in front of Application2, using NAT and using ACLs, this will achieve Access Control. However, if you want to achieve data encryption between internet clients and App2, then you have to consider PKI (or certificates) to achieve this. You also can consider IPsec remote access VPN for the App2 server. It all depends on which security flavor you like.
    Regards,
    AM

  • Can Cisco ASA work with spaces in LDAP DN string to authenticate and assign group policies?

    I am having the hardest time getting a definitive answer to this; basically, I have a Cisco ASA firewall that is using AD via LDAP to authenticate users and assign them a group policy based on certain AD group memberships.
    The problem I think I have is that, due to how our AD forest is structured, I have spaces in the DN string, as shown below... I have tried enclosing the entire string in quotes, etc. Nothing seems to work. Basically, the string is not matched, and the users are assigned a non-matching default policy. Cisco TAC thinks it is due to the spaces (highlighted) but I am not sure.
    Can someone please advise?
    CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL

    We can troubleshoot this issue. Please provide me the following outputs:
    show run aaa-server
    show run ldap
    Turn on "debug ldap 255" and reproduce the issue. Paste the output here.
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • Cannot ping inside IP behind sonicwall from Cisco ASA 5500

    I have a SonicWall at site B and the Cisco ASA 5500 at the main office (site A).
    The site-to-site VPN is working, but I cannot ping the inside IP (10.1.5.2) of the SonicWall from site A. I need this only to access the computers behind the SonicWall for remote desktop and DameWare.
    I have another office that also has a SonicWall (same config) and I can ping that inside IP from site A.
    I cannot see why I can ping one site and not the other.
    What needs to be configured on the ASA 5500 to be able to ping inside the SonicWall at site B?
    I prefer the wizard over the CLI.
    Thanks,

    Hi
    AFAIK, no, you cannot do VPN, transparent and routing in the same unit.
    I would not want the DMZ and the outside interface to have overlapping IP address ranges.
    Logging and trying to keep track of it all would be way too confusing for me.
    So what I would do is split the external network into two network units (/25) and move all the units that can be moved to a DMZ with RFC 1918 addresses.
    The units that cannot be moved from the external network would have to stay put "for now" in another DMZ with the 190 addresses /25.
    This would need the ISP to change their routing table in the edge equipment; the lower (or upper) part of 190.X.X.X/25 would be the DMZ and would need to be routed to the firewall IP address.
    Then as time passes the DMZ will be depopulated as equipment is moved out and replaced, and in the end you will have the ISP merge the two 190.x.x.x/25 address ranges into one /24 and you will be back to today's setup, but with all the servers in an RFC 1918 network.
    Do not use NAT; use PAT instead when it comes to the IP addresses translated from the Internet side. It makes for a much more secure network and you do not need as many IP addresses (in a normal case).
    With NAT you are translating the whole IP address, but with PAT you translate the port, so you can have IP X port 25 go to IP Y port 25, and then you can have IP X port 80 go to IP Z port 80, or maybe 8080, or whatever port you want.
    good luck
    HTH
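    The port-based mapping described in the last two paragraphs, written out as an ASA static PAT (object NAT) configuration. This is an added example, not the poster's config: one public address fronts two inside hosts, 25 on the public IP lands on the mail server's 25 and 80 on the public IP lands on the web server's 8080. All addresses, object names and the ACL name are constructed placeholders.

```cisco
! Added example, not from the original post. Addresses are constructed placeholders.
! Static PAT: a single mapped IP (203.0.113.10) is shared; the ports select the server.
object network mail_server
 host 10.10.0.25
 nat (inside,outside) static 203.0.113.10 service tcp smtp smtp
!
object network web_server
 host 10.10.0.80
 nat (inside,outside) static 203.0.113.10 service tcp 8080 www
!
! Only the translated ports are reachable from outside; as on ASA 8.3+,
! the ACL matches the real address and real port of each server.
access-list outside_in extended permit tcp any object mail_server eq smtp
access-list outside_in extended permit tcp any object web_server eq 8080
access-group outside_in in interface outside
```

    In the `service` clause the first port is the real (inside) port and the second is the mapped (public) port, which is what lets outside port 80 reach inside port 8080. Anything on 203.0.113.10 other than those two ports has no translation and is dropped, which is the "more secure" property the answer refers to; `show nat detail` lists the translations and their hit counts, which is a quick way to confirm traffic is taking the intended entry.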

  • Moving from CSS to ACE

    I'm trying to find documentation on moving from a CSS to the ACE but have not been able to find much on the ACE in general (no books at all). Does anyone have any info on this? We are currently using the CSS for multiple Web and Server farms, and are looking to add SSL in the mix. Trying to decide if we should just offload the SSL to the ACE for now (eventually migrating completely to the ACE) or if we should convert everything over at the same time.
    Any links or book suggestions would be appreciated!

    Hi,
    Here is the official link to ACE documentation (but you probably have already found this...):
    http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html
    I don't believe that there is a book, as this is a relatively new product. Also, don't hope too much to find a migration guide :)
    You may use some design guides for the CSM module and try to apply a part of it to ACE (topology will be similar for ACE and CSM, but with ACE you additionally have the possibility of virtualization/contexts).
    But pay attention, because ACE and CSM have completely different config command syntax and configuration philosophy!
    I did not quite understand your dilemma regarding migration?
    Personally, I have not yet had a chance to implement SSL offload on ACE, but it sounds logical to move the server farm that will use SSL offload behind ACE, and do SSL termination and load-balancing for that server farm on ACE. Then, gradually you can move other servers behind ACE...
    You will have to decide based on conditions and requirements in your network, and after reading thousands of pages of documentation... ;)
    Good luck!
    Best regards,
    Jasmina

  • Form button does not work when a program is moved from Windows 8.2 to Windows 7

    Hi,
    I have a few Excel programs which use ODBC to get data from Access and which have macros that write data to an external program, MYOB.
    When the macros try to write the data to MYOB it fails if I am not running the program in administrator mode. It seems that Windows 8.2 has a different level of security than Windows 7 and must be run in administrator mode for the ODBC to work.
    I have had issues after running the program in administrator mode (testing) if I simply do a save (in administrator mode) and then send it to the customer. The issue is that it just will not work on the customer's site. I have gotten around this in the past by saving any changes, going back out of Excel, loading the program again (not in administrator mode) and saving it before sending it to the customer. This worked until now.
    For some unknown reason, the last time I sent a program to the customer and carried out the above process, the program stopped working. Originally I thought that the macro just wouldn't work on Windows 7, but eventually found that it is the form button that will no longer work when the program is moved from 8.2 to 7.
    Does anyone know why there is an incompatibility between 8.2 and Windows 7 and what I should be doing to ensure that my programs work in my customer's environment (Windows 7)?
    In the meanwhile, I have changed the form button to an ActiveX button and the program works fine in both environments.
    Thanking you in advance,

    There are some OP reports that after the Windows update of Dec 2014 macros stop responding (I can't confirm if this is also related to your issue); it's because the security update for Office may conflict with the ActiveX controls that you have installed.
    Try to:
    Close Excel
    Start Windows Explorer.
    Select your system drive (usually C:)
    Use the Search box to search for *.exd
    Delete all the files it finds.
    Start Excel again
    Open that file and save it, and try opening it on Windows 7
    To get more detail about this issue, I suggest also contacting the Office forum.
    This case will also be solved by installing KB3025036.
    Good luck
