HA firewall to single ASA

Greetings,
I have a client who is replacing a single firewall with dual HA firewalls (in different locations) connected by fibre.
The current connection is a single copper connection, using static routes.
Q: Is there a way to utilise the single ASA5510 we have and connect to both these firewalls and maintain connectivity in the event of a failure of their primary firewall ?
A picture is worth a 1,000 words. Apologies for not including sooner.

Hi Boucher ,
Yes it possible to run HA between two ASA with help of fiber link , the main criteria is you need to have two separate fiber link (one of fail over interface & another for Data monitoring interface) , similarly the network latency to reach other end via your fiber must be very least .
Failover link can be connected back to back directly /via switch to your asa failover interface , but for data interface you will have inside and outside interface which will be monitored for fail over status , for this connectivity you need have layer 2 switch at both end , passing both your inside & outside vlan of your firewall . The fiber link between this layer 2 swtich , should be used a trunk link .
Fiber link 1 - failover link
Fiber Link 2 - Data link for outside & inside interface of firewall , must be configured as trunk
You have to tweak failover polltime to standby device using below commands
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html#prereq
Failover Polltime
In order to specify the failover unit poll and hold times, use the failover polltime command in global configuration mode.
The failover polltime unit msec [time] represents the time interval in order to check the standby unit's existence by polling hello messages.
Similarly, the failover holdtime unit msec [time] represents the setting a time period during which a unit must receive a hello message on the failover link, after which the peer unit is declared failed.
In order to specify the data interface poll and hold times in an Active/Standby failover configuration, use the failover polltime interface command in global configuration mode. In order to restore the default poll and hold times, use the no form of this command.
failover polltime interface [msec] time [holdtime time]
Use the failover polltime interface command in order to change the frequency at which hello packets are sent out on data interfaces. This command is available for Active/Standby failover only. For Active/Active failover, use the polltime interfacecommand in the failover group configuration mode instead of the failover polltime interface command.
You cannot enter a holdtime value that is less than 5 times the interface poll time. With a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested. Interface testing begins when a hello packet is not heard on the interface for over half the hold time.
HTH
Sandy

Similar Messages

Identity firewall with Single Forest/Multi-Domain

I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.
Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:
I have 3 domains.
domain1.test.com
domain2.domain1.test.com
domain3.domain2.domain1.test.com
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2\user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.
The cisco documentation states the following:
•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).
Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.
Reading that it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains. I wanted to ask though before I blow everything up and start over. The instructions are not overwhelming clear on what needs to done in this scenario. Suggestions?

Hi Matthew,
If I understand your post correctly, the problem is that the ASA is unable to search users in domain2, correct? This portion of the communication is unrelated to the AD Agent, but it sounds like the Agent can talk to the DC just fine. The ASA searches for users directly on the DC via LDAP queries. The communication between the ASA and the Agent is all done via RADIUS.
If the above is correct, I would focus on why the LDAP queries are failing between the ASA and the domain2 DC. Feel free to open a TAC case on this as well for additional assistance from the AAA experts.
-Mike

Failover for Single ASA

Hi All,
I want to know what all fail-over I can build for single ASA. I am planning to connect as per the attached.
Please let me know all configuration that i can build. Do i need to assign 2 ip's for that 2 interfaces connected to inside,dmz and outside.
Please let me know if you any other design.
Regards,
Satya.M

Hi Satya,
You cannot assign IP's of the same subnet to two different interfaces of the ASA in the routed mode. So as per your diagram, you cannot connect Inside interface of the ASA to both the 6504E switches or to the DMZ switches as you have shown. If you want to do such a failover, you can use 2 ASA's with Active/Standby failover while connecting ASA-1 to 6504EGa and ASA-2 to 6504EGb. You can also do Active/Active failover.
Also with 1 ASA, if you want to configure 2 ISP's on 2 interfaces, please remember policy based routing is not supported on ASA so at any gien time only 1-ISP will be active for all the traffic going out. You can have the failover configured so that everything fail's over to the secondary ISP when Primary goes down with tracks etc.
I hope this helps. If not, can you please post your exact requirements for the failover so that we can suggest you better.
Best,
Raghav

Change from edge firewall to single network adapter.

Can I change from Edge Firewall to SIngle Adapter mode? If possible, what do I need to take on consideration for doing it.
Thanks for advise

You can change the template by running the Getting Started Wizard (GSW). Do note that your configuration will be lost, you will have to export your configuration and then restore it piece by piece, e.g. you can't import the entire configuration
but rather objects (e.g. rules, network objects etc). Then you'd have to verify the imported configuration and if necessary modify it to a working state.
If the configuration isn't to complicated, I'd start over manually. If you go for the export/import I strongly recommend that you test this on a test system first to verify your procedure.
But yes, its doable.
Hth, Anders Janson Enfo Zipper

IOS Firewall vs. ASA

Is there a document that compares the security funtionaly and features of the ASA and the IOS firewall. I need to document why I would want to deploy ASA's at branch locations versus the firewall feature set on the WAN routers.

Hello Sonepar,
It really depends on the engineer’s viewpoint. Some prefer to have a single device do their routing and their security, while others prefer to have dedicated security devices. This reasoning, however, does not really determine what the “best” solution for your network is.
One difference is that the IOS router starts out by allowing all traffic [on your untrusted interfaces], where as the ASA starts by denying all traffic. Consequently you have to configure the actual hardening of your IOS router. I will say the ASA typically offers faster performance, but that’s partially because the ASA is sort of a 1 trick pony and not doing any dynamic routing.
I think one of the main things to consider is the complexity of VPN features desired. The ASA’s feature set is relatively limited in this respect. If you want to leverage more advanced features like DMVPN or GET VPN, and IOS router is your only option as the firewall does not support those. Of course by default, the ASA performs a little faster on VPN tunnels.
If you’re looking for an appliance to just do traffic inspection, predominantly for a web DMZ or publicly accessible network, probably the ASA is your best bet. If however you have a highly decentralized -internal- network where branch offices frequently talk to each other, then you would benefit from something like DMVPN, thus your deployment would be greatly simplified using something like a 2800.
Policy Base Routing on ASA is not supported since it is a security device it only routes traffic through one active default gateway and it can not classify packets based on source/service like router does.
In my personal preference, I find myself moving away from the philosophy of this specialized device for routing and this specialized device for security. I prefer to simplify my deployments, and believe me w/ NAT, VPNs, Firewall, IPS, having an ASA sitting behind your border router…it can add a significant amount of complexity to your design…and ultimately, your troubleshooting.
Again; at the end all depends on your company requirements and what are you looking for.
Regards,
Juan Lombana
Please rate helpful posts.

Multiple Public IP's on single ASA 5510 - "Segment Traffic"

Hello,
I was told this is not possible on Cisco ASA, just wondering if its true.
Description: We are setting up 2 new exchange servers, they need to go out the same ASA on different interfaces to seperate Public IP's. We also have a 3rd Public IP for our Staff.
Basically we want our Staff to use the 10x5 slow internet connection (Public 3). We want Server 1 to use Public IP 1 and Server 2 Public IP 2.
Server 1 -----> Public IP 1
Server 2 -----> Public IP 2
Staff ------> Public IP 3
I was told PBR (Policy Based Routing) is not supported on Cisco ASA, which I understand. But is there a work around with the ASA, or will I HAVE to implement a layer 3 device infront of the ASA?
We also have a DMZ in the mix, I dont know if that changes anything.
I hope this makes sense, if not I can try and explain more, but any advice would be greatly appreciated! I dont want to expense another layer 3 device if possible!

Hi,
Here is a link to another discussion where a user wanted to direct a certain DMZ network traffic through another ISP
https://supportforums.cisco.com/thread/2209874
Naturally the NAT setup doesnt exactly match with your need but essentially in your case it would just slightly modifying the NAT configurations.
Naturally this is not something that is really suggestable for a production environment but it should work. Then again as Cisco doesnt officially support it there is no knowing what future updates might do to this or what would happen if you ran into problem with NAT related operation of the firewall.
Because of this way of NAT configuration the configurations would naturally come more complex and the ordering of NAT rules might need more close look when modifying them.
- Jouni

How to configure firewall access for ASA 5510

Hi,
This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.
I want to do this using ASDM, How do I accomplish this?
Thanks,
Jojo

Hey Jojo I use the ASDM to manage my ASA... so below should get you a general access rule to allow what you need.
•1.      Log into your ASA using ASDM.. on the top tabs look for "Configuration"
•2.      Once you click "Configuration", on the left side panel down at the bottom you should see "Firewall". Make sure you’re in the "Firewall" menu and at the top you should be viewing "Access Rules". You should see a list of access rules applied to your ASA.
•3.      At the top you should see a green "+Add" to add a new access rule to your ASA. Once clicked you should identify…
     •a.      Interface - INSIDE or OUTSIDE
     •b.      Action - PERMIT or DENY
     •c.      Source - Subnet that needs to talk to destination address
     •d.      Destination - use the [...] box to create a Network Object for 165.241.29.17 and 165.241.31.254 use /32 mask for specific ip address and not a range
     •e.      Service - Again use the [...] box to create TCP and UDP Service Groups for the specific ports
•4.     You can then enter a description of the specific access rule and enable logging.
This should be it... let me know how this works out for you!!

Inspect other firewall traffic using ASA 5585-X IPS SSP

Is it possible to inspect traffic from other firewalls (say checkpoint firewall) apart from the one the ASA firewall the ASA IPS SSP is running on?
Any help will be appreciated
O.

Hello Amit,
Can you share :
show ips detail
show module 1 details
show service-policy
Now, can you explain a little about this:
on the switch end port tengig 1/8 is connected on nexus and specific vlans are monotored on that interface. But as of now i am not able to see any traffic on that interface. I dont know what wrong i am doing as this is the firstime on this IPS module. there is no ports connected on the firewall. only port connected is tengig 1/8 which is on the ips module which is in promisucs mode.
I mean the firewall is the one that will redirect the traffic to the IPS sensor so not sure I follow you!
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com

Any tool to migrate from a Nokia/CheckPoint firewall to CISCO ASA

Would like to know if there is any tool that could help to migrate CheckPoint firewall objects and rules database to CISCO ASA equivalent ;
Could the last CISCO Security Manager product help in this process ?
thanks in advance

Joel, you may need to use a firewall analyser or fw auditing tools to retreave fw rules from Nokia/Fw-1 in a legibel format like using LFA, but you still need to manually entered the configuration into ASA.
Check this link and look for (LFA) Lumeta firewall analyser, they work along with checkpoint..
http://www.lumeta.com/
Also reference this thread, it may help.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7e5c4
HTH
Jorge

Are mulitple modes allowed for SSLVPN on a single ASA 5540?

Can you configure both clientless and sslvpn client (svc) on the same device? Can a user access both? That is, for example if you configure clientless for OWA and svc for another application, will a user be able to access/use both?
Thanks!!

Yes you can, the way we did it was to create a group policy for each with an alias for each and to enable the drop down box for group policy selection for the user. So when a user accesses the WebVPN site under the username and password boxes there is a box to select which way they want to connect.

ASA Identity Firewall

Hi,
I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.
I have installed the ADAgent on a domain member Win2008 and configured as follows:
aaa-server ADAGENT_SERVER protocol radius
ad-agent-mode
aaa-server ADAGENT_SERVER (VPN) host 172.17.v.x key *****
I have configured the LDAP connection to the DC as follows:
aaa-server DOMAIN_SERVER protocol ldap
aaa-server DOMAIN_SERVER (VPN) host 172.17.v.z
ldap-base-dn DC=YYY,DC=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn vvvvv
server-type microsoft
The identity config is as follows:
user-identity domain YYY aaa-server DOMAIN_SERVER
user-identity default-domain YYY
user-identity action netbios-response-fail remove-user-ip
user-identity logout-probe netbios local-system
user-identity ad-agent aaa-server ADAGENT_SERVER
user-identity user-not-found enable
access-list 122 extended permit ip user YYY\ashdew any any
where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.
The ADagent has been properly tested and ASA can register to it.
The ASA can connect to AD DC controller and query user database.
I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity
Do I need to add extra rules in the access-list 122 to permit trafic to DC?
Can I check on the AD Agent if it can retrieve the user to ip mapping ?
Thanks
Ashley

Thanks Karsten,
Great its clear now. I know the DMZ seems a bit odd. Actually, the DMZ is only accessible through the any-connect VPN.
In the DMZ, we will have a citrix farm to access internal resources through identity management.
We are testing with a laptop in the first place.
Now, we have allowed in the acl to access AD, the laptop authenticates in the domain but then all connections are refused since the AD Agent is not retrieving the mapping.
Is there a way to check if the ADAgent is properly retrieved the mapping. We suspect the problem is here.
We did a capture on the ASA and we have found that the ASA contact the ADAgent when the user authenticates but then ADAgent does not return any ip mapping. The ASA sees the user as ip as user-not -found .
Thanks again for your help,
Ashley

Cisco ASA 5505 not able to access flash

Hi All:
I have searched and searched all over the net for an answer to this question and have decided to just post it. I have a 5505 that was given to me by my job to use for working on my CCNA Sec. cert and did the following:
I plugged it in and booted it up just fine. Made config changes as I followed along with the examples in my CCNA Security book. Got to the point in chapter 14 where the initial setup happens to configure it for working with ASDM. I never did a write mem on it and decided to take it back to square one by unplugging it to allow it to lose the changes that I made. This is where things got ugly.
When it booted back up it got stuck in a bootup loop and couldn't find an IOS. After following all kinds of steps to boot to rommon and tftp another IOS and such (several times) I decided to follow another posting that said that the flash could be corrupted and to just delete it and start anew. Did that and through rommon as it would not boot up normally any more. After trying this over and over for the last couple hours I realized that it would boot from tftp so I did that in hopes of fixing the flash issue.
I've tried deleting it, and re-initializing it and formating it. But the thing is that it no longer SEES the disk0: mount point. I've used two different flash cards...the one that came with it and the one that I already had. With the cover off I can see that there is no activity light next to the flash drive when I issue a delete or initialize or format command.
Here is a copy of some of the output file. Any help or suggestions are greatly appreciated.
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 01 00   1022   2080 Host Bridge
00 01 02   1022   2082 Chipset En/Decrypt 11
00 0C 00   1148   4320 Ethernet           11
00 0D 00   177D   0003 Network En/Decrypt 10
00 0F 00   1022   2090 ISA Bridge
00 0F 02   1022   2092 IDE Controller
00 0F 03   1022   2093 Audio              10
00 0F 04   1022   2094 Serial Bus         9
00 0F 05   1022   2095 Serial Bus         9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 01 00   1022   2080 Host Bridge
00 01 02   1022   2082 Chipset En/Decrypt 11
00 0C 00   1148   4320 Ethernet           11
00 0D 00   177D   0003 Network En/Decrypt 10
00 0F 00   1022   2090 ISA Bridge
00 0F 02   1022   2092 IDE Controller
00 0F 03   1022   2093 Audio              10
00 0F 04   1022   2094 Serial Bus         9
00 0F 05   1022   2095 Serial Bus         9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 01 00   1022   2080 Host Bridge
00 01 02   1022   2082 Chipset En/Decrypt 11
00 0C 00   1148   4320 Ethernet           11
00 0D 00   177D   0003 Network En/Decrypt 10
00 0F 00   1022   2090 ISA Bridge
00 0F 02   1022   2092 IDE Controller
00 0F 03   1022   2093 Audio              10
00 0F 04   1022   2094 Serial Bus         9
00 0F 05   1022   2095 Serial Bus         9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 01 00   1022   2080 Host Bridge
00 01 02   1022   2082 Chipset En/Decrypt 11
00 0C 00   1148   4320 Ethernet           11
00 0D 00   177D   0003 Network En/Decrypt 10
00 0F 00   1022   2090 ISA Bridge
00 0F 02   1022   2092 IDE Controller
00 0F 03   1022   2093 Audio              10
00 0F 04   1022   2094 Serial Bus         9
00 0F 05   1022   2095 Serial Bus         9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 01 00   1022   2080 Host Bridge
00 01 02   1022   2082 Chipset En/Decrypt 11
00 0C 00   1148   4320 Ethernet           11
00 0D 00   177D   0003 Network En/Decrypt 10
00 0F 00   1022   2090 ISA Bridge
00 0F 02   1022   2092 IDE Controller
00 0F 03   1022   2093 Audio              10
00 0F 04   1022   2094 Serial Bus         9
00 0F 05   1022   2095 Serial Bus         9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 01 00   1022   2080 Host Bridge
00 01 02   1022   2082 Chipset En/Decrypt 11
00 0C 00   1148   4320 Ethernet           11
00 0D 00   177D   0003 Network En/Decrypt 10
00 0F 00   1022   2090 ISA Bridge
00 0F 02   1022   2092 IDE Controller
00 0F 03   1022   2093 Audio              10
00 0F 04   1022   2094 Serial Bus         9
00 0F 05   1022   2095 Serial Bus         9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 01 00   1022   2080 Host Bridge
00 01 02   1022   2082 Chipset En/Decrypt 11
00 0C 00   1148   4320 Ethernet           11
00 0D 00   177D   0003 Network En/Decrypt 10
00 0F 00   1022   2090 ISA Bridge
00 0F 02   1022   2092 IDE Controller
00 0F 03   1022   2093 Audio              10
00 0F 04   1022   2094 Serial Bus         9
00 0F 05   1022   2095 Serial Bus         9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Use ? for help.
rommon #0> format disk0:
Invalid or incorrect command. Use 'help' for help.
rommon #0> ADDRESS=10.10.10.110
rommon #1> GATEWAY=10.10.10.1
rommon #2> SERVER=10.10.10.98
rommon #3> IMAGE=asa914-k8.bin
rommon #4> tftp
ROMMON Variable Settings:
ADDRESS=10.10.10.110
SERVER=10.10.10.98
GATEWAY=10.10.10.1
PORT=Ethernet0/0
VLAN=untagged
IMAGE=asa914-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
tftp [email protected] via 10.10.10.1
Received 27076608 bytes
Launching TFTP Image...
Cisco Security Appliance admin loader (3.0) #0: Thu Dec 5 19:38:43 PST 2013
Platform ASA5505
Loading...
IO memory blocks requested from bigphys 32bit: 9956
Àdosfsck 2.11, 12 Mar 2005, FAT32, LFN
Currently, only 1 or 2 FATs are supported, not 42.
dosfsck(/dev/hda1) returned 1
mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
Processor memory 343932928, Reserved memory: 62914560
Total SSMs found: 0
Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0023.339e.2a90
88E6095 rev 2 Ethernet @ index 07 MAC: 0023.339e.2a8f
88E6095 rev 2 Ethernet @ index 06 MAC: 0023.339e.2a8e
88E6095 rev 2 Ethernet @ index 05 MAC: 0023.339e.2a8d
88E6095 rev 2 Ethernet @ index 04 MAC: 0023.339e.2a8c
88E6095 rev 2 Ethernet @ index 03 MAC: 0023.339e.2a8b
88E6095 rev 2 Ethernet @ index 02 MAC: 0023.339e.2a8a
88E6095 rev 2 Ethernet @ index 01 MAC: 0023.339e.2a89
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0023.339e.2a91
INFO: Unable to read firewall mode from flash
       Writing default firewall mode (single) to flash
INFO: Unable to read cluster interface-mode from flash
       Writing default mode "None" to flash
Verify the activation-key, it might take a while...
Failed to retrieve permanent activation key.
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual
This platform has a Base license.
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
Cisco Adaptive Security Appliance Software Version 9.1(4)
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to [email protected].
******************************* Warning *******************************
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)
Copyright (C) 1995-1998 Eric Young ([email protected])
All rights reserved.
Copyright (c) 1998-2011 The OpenSSL Project.
All rights reserved.
This product includes software developed at the University of
California, Irvine for use in the DAV Explorer project
(http://www.ics.uci.edu/~webdav/)
Copyright (c) 1999-2005 Regents of the University of California.
All rights reserved.
Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Busybox comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
675 Mass Ave, Cambridge, MA 02139
DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
grub comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libgcc comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenseSee User Manual (''Licensing'') for details.
libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libstdc++ comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Linux kernel comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
module-init-tools comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
numactl, version 2.0.3, Copyright (C) 2008 SGI.
Author: Andi Kleen, SUSE Labs
Version 2.0.0 by Cliff Wickman, Chritopher Lameter and Lee Schermerhorn
numactl comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
pciutils comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111 USA
readline comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
udev comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Cisco Adapative Security Appliance Software, version 9.1,
Copyright (c) 1996-2013 by Cisco Systems, Inc.
Certain components of Cisco ASA Software, Version 9.1 are licensed under the GNU
Lesser Public License (LGPL) Version 2.1. The software code licensed under LGPL
Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY. You can
redistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
(http://www.gnu.org/licenses/lgpl-2.1.html). See User Manual for licensing
details.
                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706
Insufficient flash space available for this request:
Size info: request:32 free:0 delta:32
Could not initialize system files in flash.
config_fetcher: channel open failed
ERROR: MIGRATION - Could not get the startup configuration.
INFO: Power-On Self-Test in process.
INFO: Power-On Self-Test complete.
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_200804300128.log'
Pre-configure Firewall now through interactive prompts [yes]? n
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:". Continue? [confirm]
Initializing partition - done!
Creating FAT16 filesystem
mkdosfs 2.11 (12 Mar 2005)
System tables written to disk
Format of disk0 complete
ciscoasa# format disk:
                 ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa# format flash:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "flash:". Continue? [confirm]
Initializing partition - done!

Yeah...I think I found that one out the hard way already. I'll cross that bridge when I get to it. I want to get this issue fixed before I start thinking about the license issue.
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# sh flash
--#-- --length-- -----date/time------ path
2403 0           Apr 30 2008 02:00:56 test
2285 196         Apr 30 2008 01:28:20 upgrade_startup_errors_200804300128.log
2283 0           Apr 30 2008 01:28:20 coredumpinfo
2284 59          Apr 30 2008 01:28:20 coredumpinfo/coredump.cfg
2280 0           Apr 30 2008 01:27:56 crypto_archive
2267 0           Apr 30 2008 01:27:38 log
0 bytes total (0 bytes free)
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# sh disk0
--#-- --length-- -----date/time------ path
2403 0           Apr 30 2008 02:00:56 test
2285 196         Apr 30 2008 01:28:20 upgrade_startup_errors_200804300128.log
2283 0           Apr 30 2008 01:28:20 coredumpinfo
2284 59          Apr 30 2008 01:28:20 coredumpinfo/coredump.cfg
2280 0           Apr 30 2008 01:27:56 crypto_archive
2267 0           Apr 30 2008 01:27:38 log
0 bytes total (0 bytes free)
ciscoasa#

ASA 5505 VPN Group Policies (RADIUS) and tunnel group

I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).
Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
Session Type: WebVPN
Username     : kaisaron78             Index        : 1
Public IP    : 172.16.0.3
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 518483                 Bytes Rx     : 37549
Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:59:33 CEDT Mon Aug 18 2014
Duration     : 0h:00m:23s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a801fa0000100053f1c075
Security Grp : none
Asa5505# sh vpn-sessiondb webvpn
Session Type: WebVPN
Username     : manintra               Index        : 2
Public IP    : 172.16.0.3
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 238914                 Bytes Rx     : 10736
Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
Login Time   : 11:01:02 CEDT Mon Aug 18 2014
Duration     : 0h:00m:05s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a801fa0000200053f1c0ce
Security Grp : none
As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
! ADDRESS POOLS AND NAT
names
ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_27
subnet 192.168.10.0 255.255.255.224
access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
! RADIUS SETUP
aaa-server OpenOTP protocol radius
aaa-server OpenOTP (inside) host 192.168.1.8
key ******
authentication-port 1812
accounting-port 1814
radius-common-pw ******
acl-netmask-convert auto-detect
webvpn
port 10443
enable outside
dtls port 10443
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
anyconnect enable
! LOCAL POLICIES
group-policy SSLPolicy internal
group-policy SSLPolicy attributes
vpn-tunnel-protocol ssl-clientless
vlan 3
dns-server value 10.5.1.5
default-domain value management.local
webvpn
url-list value Management_List
group-policy RemoteAC internal
group-policy RemoteAC attributes
vpn-tunnel-protocol ikev2 ssl-client
vlan 1
address-pools value AnyConnect_Pool
dns-server value 192.168.1.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_Anyconnect
default-domain value home.local
webvpn
anyconnect profiles value AnyConnect_Profile_client_profile type user
group-policy SSLLockdown internal
group-policy SSLLockdown attributes
vpn-simultaneous-logins 0
! DEFAULT TUNNEL
tunnel-group DefaultRAGroup general-attributes
authentication-server-group OpenOTP
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group OpenOTP
tunnel-group VPN_Tunnel type remote-access
tunnel-group VPN_Tunnel general-attributes
authentication-server-group OpenOTP
default-group-policy SSLLockdown
!END
I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
Any help will be more than appreciated.
Cesare Giuliani

Ok, it makes sense.
Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
Thank you again for your precious and kind help, and for your patience as well!
Cesare Giuliani

IP Phone SSL VPN to ASA for multiple CUCM (CallManager)

hi all,
I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phone. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use single ASA firewall for mulitple CUCM clusters?? In order words, Internet IP Phone will connect to different CUCM via a single ASA firewall (by using SSL VPN).
I tested I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into ASA for one ASA to one CUCM. If I create multiple profile (e.g. different URL for phone logins) for different CUCM. Is it possible to do that?
thanks for your input!
Samuel

Samuel,
Did you ever find an answer to your question? I have a similar scenario.
Any input would be appreciated.

NAC VPN and ASA

Hi
I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added which is fine but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a008074d641.shtml
That looks like it will work fine for VPN access but what about the outgoing Internet access for the current internal users will that be OK still or do I need to use a separate ASA for VPN access with NAC. Oh yes will I need an ACS as well or can the NAC talk directly to the SecureID appliance either using radius or RSA's own protocol ? Sorry if these are dumb questions but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.
Thanks
Pat

You can use a single ASA for internet access and NAC VPN.
If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.
If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into internal nework). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
Cisco NAC VPN SSO uses Radius accounting packets to authenticate VPN users. The ASA will interface with the Token server. Once authenticated, the ASA will send a Radius accounting packet to the Cisco NAC Server.
VGW Example
NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
Real IP example
Integrating with Cisco VPN Concentrators
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAS/s_vpncon.html
Regards,
Dan Laden

HA firewall to single ASA

Similar Messages

Maybe you are looking for