Inexpensive bandwidth charts for ASA 5500

We need to collect some BW usage charts for our ASA interfaces. 
We don't have the expensive Network monitoring software, and we are a very small shop. 
I only need BW and data-drop graphs.  
Any suggestions?

Cacti is open source and can query an ASA via SNMP to generate interface utilization and other graphs.
http://www.cacti.net/
It takes a bit more work to set up than some of the commercial products but the acquisition cost is free.
There is some good community-contributed documentation on the cacti.net site. For example, installation is covered step-by-step here:
http://www.cacti.net/downloads/docs/contrib/Cacti-Linux-How-To.pdf
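
An SNMP grapher has to turn the interface counters it polls into the bandwidth and drop rates asked about above. The following is an added example, not part of the original thread and not Cacti's code: it computes those rates from two polls, handles 32-bit counter wrap, and drops intervals that span a counter reset. The `Poll` class, the function names and all sample values are constructed for illustration; the counter names are the standard IF-MIB objects.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Poll:
    """One SNMP poll of a single interface (IF-MIB counters, RFC 2863)."""
    timestamp: float   # seconds since epoch when the poll was taken
    in_octets: int     # ifHCInOctets (64-bit) or ifInOctets (32-bit)
    out_octets: int    # ifHCOutOctets or ifOutOctets
    in_discards: int   # ifInDiscards (32-bit counter)
    out_discards: int  # ifOutDiscards (32-bit counter)


def counter_delta(prev: int, curr: int, bits: int) -> int:
    """Increase between two readings of a wrapping counter (at most one wrap)."""
    if curr >= prev:
        return curr - prev
    return curr + (1 << bits) - prev


def interface_rates(prev: Poll, curr: Poll, if_speed_bps: int,
                    octet_bits: int = 64) -> Optional[dict]:
    """Per-second rates for the interval, or None if the sample is unusable.

    A reboot or counter clear looks like a wrap and produces a rate above
    line speed; such intervals are dropped instead of plotted as a spike.
    """
    elapsed = curr.timestamp - prev.timestamp
    if elapsed <= 0:
        return None
    in_bps = counter_delta(prev.in_octets, curr.in_octets, octet_bits) * 8 / elapsed
    out_bps = counter_delta(prev.out_octets, curr.out_octets, octet_bits) * 8 / elapsed
    if in_bps > if_speed_bps or out_bps > if_speed_bps:
        return None
    return {
        "in_bps": in_bps,
        "out_bps": out_bps,
        "in_util_pct": 100 * in_bps / if_speed_bps,
        "out_util_pct": 100 * out_bps / if_speed_bps,
        "in_discards_per_s": counter_delta(prev.in_discards, curr.in_discards, 32) / elapsed,
        "out_discards_per_s": counter_delta(prev.out_discards, curr.out_discards, 32) / elapsed,
    }


# Constructed samples: a 5-minute interval in which the 32-bit ifInOctets wraps.
SAMPLE_PREV = Poll(1_700_000_000.0, 2**32 - 1_500_000, 1_000, 10, 0)
SAMPLE_CURR = Poll(1_700_000_300.0, 2_250_000, 7_501_000, 40, 0)

# Constructed samples: 64-bit counters that restarted from zero after a reload.
SAMPLE_RESET_PREV = Poll(1_700_000_300.0, 5_000_000_000, 9_000_000_000, 40, 0)
SAMPLE_RESET_CURR = Poll(1_700_000_600.0, 1_200, 3_400, 0, 0)

if __name__ == "__main__":
    print(interface_rates(SAMPLE_PREV, SAMPLE_CURR, 100_000_000, octet_bits=32))
    print(interface_rates(SAMPLE_RESET_PREV, SAMPLE_RESET_CURR, 100_000_000))
```

On links fast enough to wrap a 32-bit octet counter within one polling interval, poll the 64-bit ifHC counters so that a wrap cannot be missed.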

Similar Messages

  • Best Practices for ASA 5500 Device Monitoring

    I have looked high and low and am unable to find anything on this topic. I am hoping that somebody here may be able to share some insight into what are considered the best practices for monitoring ASA's--specifically the 5510 with Sec+ License.
    My current monitoring application keeps reporting issues with outbound interface buffers being too high, but there are not any performance issues and I believe the thresholds are just set absurdly low.
    Thank you in advance for any assistance.

    Hi James,
    You probably won't be able to find any all-encompassing documentation for these types of best practices that cover all scenarios. The better method would be to define exactly what items you'd like to monitor and we can provide some guidance on how to best get that working for you.
    -Mike

  • How we archive configuration for Cisco ASA 5500 series appliances

    Hi,
    We need to archive configuration for Cisco ASA 5500 series appliances.
    We have CiscoWorks LMS 3.0.1.
    Device package installed is 4.2
    Any help would be appreciated.
    Thanks in advance.
    Samir

    Hi,
    Thanks for your answer.
    Right now we are using TACACS to log in to the ASA. That means we need a single username and password to log in via CiscoWorks. Am I correct?
    Waiting for your reply.
    thanks,
    Samir

  • How to configure firewall access for ASA 5510

    Hi,
    This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.
    I want to do this using ASDM, How do I accomplish this?
    Thanks,
    Jojo

    Hey Jojo I use the ASDM to manage my ASA... so below should get you a general access rule to allow what you need.
    1. Log into your ASA using ASDM. On the top tabs look for "Configuration".
    2. Once you click "Configuration", on the left side panel down at the bottom you should see "Firewall". Make sure you're in the "Firewall" menu and at the top you should be viewing "Access Rules". You should see a list of access rules applied to your ASA.
    3. At the top you should see a green "+Add" to add a new access rule to your ASA. Once clicked you should identify…
         a. Interface - INSIDE or OUTSIDE
         b. Action - PERMIT or DENY
         c. Source - Subnet that needs to talk to destination address
         d. Destination - use the [...] box to create a Network Object for 165.241.29.17 and 165.241.31.254; use a /32 mask for a specific IP address and not a range
         e. Service - Again use the [...] box to create TCP and UDP Service Groups for the specific ports
    4. You can then enter a description of the specific access rule and enable logging.
    This should be it... let me know how this works out for you!! 

  • How to configure Cisco ASA 5500 to work with the iPhone

    We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
    http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
    We've set up our first iPhone properly. It connects fine to the network, shows VPN connection as active. Gets a private IP address. But does not let any traffic go to the internal network. We thought it might be DNS problem, but it cannot connect to Exchange server even when using IP address instead of DNS. No luck either.
    After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
    Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
    I noticed that many people are having these problems.
    Please do not post to this topic if you have ANY OTHER Cisco device.
    Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
    Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
    It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
    Thank you!
    Oleg R

    We found the solution and a bug in Cisco firmware (seems to be a bug).
    First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set iphone esp-3des esp-sha-hmac
    crypto ipsec transform-set iphone mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
    crypto map outside_map 10 match address vpn
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp nat-traversal 20
    group-policy iphone internal
    group-policy iphone attributes
     wins-server value <insert ip> <insert ip>
     dns-server value <insert ip> <insert ip>
     vpn-tunnel-protocol IPSec
     ipsec-udp enable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value iphone_splitTunnelAcl
     default-domain value <insert domain name>
    tunnel-group iphone type remote-access
    tunnel-group iphone general-attributes
     address-pool VPN-Pool
     authentication-server-group ActiveDirectory2
     default-group-policy iphone
    tunnel-group iphone ipsec-attributes
     pre-shared-key <insert pre-shared key>
    For iPhone you have to be using IPSec tab for configuration.
    We tried to set up this config using the wizards, but it would not work.
    Later it turned out that wizards by default set this setting:
    "crypto isakmp nat-traversal 20"
    equal to zero and there is no way to change it from the GUI.
    Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
    Please let me know how it works out for you.
    Message was edited by: Rogik

  • Cannot ping inside IP behind sonicwall from Cisco ASA 5500

    I have a sonicwall at site B and the cisco asa5500 at the main office. (site A)
    The site to site VPN is working, but I can not ping the inside ip (10.1.5.2) of the sonic wall from Site A. I need this only to access the computers behind the sonicwall for remote desktop and dameware.
    I have another office that also has a sonicwall (same config)  and I can ping that inside IP from Site A.
    I can not see why I can ping one site and not the other.
    What needs to be configured on the ASA 5500 to be able to ping inside the sonicwall at site B?
    I prefer the wizard over the CLI.
    Thanks,

    Hi
    AFAIK No you can not make vpn, transparent and routing in the same unit.
    I would not want the DMZ and the outside interface to have overlapping ip address ranges.
    Logging and trying to keep track of it all would be way too confusing for me.
    so what I would do is to split the external network into two network units (/25) and move all the units that can be moved to a dmz with rfc1918 addresses.
    The units that can not be moved from the external network would have to stay put "for now" in another dmz with the 190 addresses /25
    This would need the isp to change their routing table in the edge equipment, the lower (or upper) part of 190.X.X.X/25 would be the dmz and needs to be routed to the firewall ip address.
    Then as time passes by the DMZ will be depopulated when equipment is moved out and replaced and in the end you will have the ISP merge the two 190.x.x.x/25 address ranges to one /24 and you will be back to today's setup but with all the servers in a rfc1918 network.
    Do not use NAT, use PAT instead when it comes to the IP addresses translated from the internet side. It makes for a much more secure network and you do not need as many IP addresses (in a normal case).
    With NAT you are translating the whole ip address but with PAT you translate the port so you can have ip X port 25 go to ip Y and port 25 and then you can have ip X port 80 go to ip Z port 80 or maybe 8080 or what ever port you want.
    good luck
    HTH

  • Where Can I Find a Complete Reference for ASA 5505 Product IDs?

    I've spent way too much time exploring the Internet looking for a definitive reference to pin down and completely explain all of the Cisco product ID mumbo jumbo . . . specifically for the ASA 5505 security device.  In general I'd like to have this information for all things Cisco.  It is driving me crazy not to know this information IN TOTAL.  Yes, there's bits and pieces out there, but no official guide or reference that details everything.  This is what I want to see.
    For example:  for the ASA5505 there's . . . ASA5505-50-BUN-K9, ASA5505-SEC-BUN-K9, ASA5505-UL-BUN-K9, etc.
    What is the "BUN", "K9", "SEC", etc.  Not just what does it stand for (we can deduce that), but where did this come from and how can I quickly reference a new acronym which may show up in a completely different Cisco device.  Also, specifically for the ASA 5500 line, I want to see a COMPLETE list of ALL of these IDs and want a legend to reference each part.  This is critical in my opinion for a project manager to make an informed decision about hardware.  Cisco documentation is grossly lacking for this (or at least I'm unable to find it).  The closest I've come was to discover this whole notion of the Unique Device Identifier (UDI) which is Cisco's product identification standard for labeling hardware products.
    This is explained some here . . .
    http://www.cisco.com/en/US/products/products_identification_standard.html
    It's a good start but, it only creates more questions.  Where can I find ALL the PIDs and what does each acronym stand for?  What about the VIDs? . . . Where is a list of these and what does each section mean?  Why in the world is there no single source where all of this is pinned down.  With all of the mind-numbing Cisco documentation out there loaded with cryptic details about things many of us will never care to know . . . why not put out this much needed, practical reference of Product IDs which would have a wide appeal and could be useful to everyone from product specialist to system engineers?  It would make researching Cisco solutions to new projects exponentially less painful to know very quickly exactly what we're looking at when we encounter all of this product "code."
    Am I the only one who feels this way?  I'm thinking not.  What say you?  Am I missing something?
    LT

    There is no such published reference guide. The closest thing would be the global price list but it's generally not distributed. (What Jouni mentioned was probably an extract of that very large document.)
    Due to the broad range of products (and associated bundles and services), Cisco uses online configuration and ordering tools (Cisco Commerce Workspace or CCW) internally and with its partners. The information in it is very dynamic and can change day to day as the tens of thousands of products Cisco offers are introduced, deprecated (i.e., Approaching or at End of Sales), offered in different promotional bundles, etc.
    When a Cisco salesperson or partner solution advisor talks with a customer, they take the customer's input and build equipment, software and services configuration sets supporting the proposal. CCW will validate the required items are ordered and generate a configuration set that has not only the product IDs (PIDs, generally referred to as SKUs or Stock Keeping Units in this context) but also the plain language descriptions of what each PID means.
    They should be conveying that information to you (or any customer they are engaged with) to enable you to make the informed decision you mention.

  • Please tell me part numbers for ASA and VPN licence order

    Hi all
    I wish to order a ASA 5515-X firewall with 250 vpn ssl licences plus the licences for mobile devices
    Can anyone tell me the part numbers for this?
    cheers
    Carl

    I was expecting pooch pooch's recommendation to be the cheaper, but I get a slightly lower price this way, BUT check with your own in-country Cisco partner first!
    SKU | Description | Quantity
    ASA5515-K9 | ASA 5515-X with SW 6GE Data 1GE Mgmt AC 3DES/AES | 1
    ASA5500-SSL-250 | ASA 5500 SSL VPN 250 Premium User License | 1
    ASA-AC-M-5515 | AnyConnect Mobile - ASA 5515-X (req. Essentials or Premium) | 1
    ASA5525VPN-PM250K9 is a VPN bundle for the 5525-X that might be worth a look. As you probably realise, there isn't a 5515-X VPN bundle for 250 connections.

  • VPN between ASA 5500 and Cisco 871

    Hello.
    I recently bought a Cisco 871 and an ASA 5500 device. I would like to configure a VPN connection (LAN-to-LAN), and I would like some help about the ports that need to be opened into both firewalls, ASA and 871.
    Thank you.

    Thank you. The routers were not synchronized.
    I have installed on my CA server also an NTP server and everything works now.
    I have one more question: how can I connect the CA server to separate zone on my ASA device? Let's say a DMZ zone?
    I have 2 public IPs and I want to use one (let's say PRIMARY_IP) for the VPN tunnels, and the other one (let's call it SECONDARY_IP) for the CA server...In other words I want the SECONDARY_IP to be "assigned" to the CA server; if someone wants to make requests for NTP, or SCEP, or ...let's say TFTP to the SECONDARY_IP, those requests to be forwarded behind the ASA, to the CA.
    Can you help me?

  • VLAN with ASA 5500 appliance

    We have a CME 4.0 setup and getting ready to configure VLAN's for Voice and data. Our LAN gateway is ASA 5500 security appliance. Do we need a router behind the ASA appliance to do VLAN trunking?
    or can the ASA appliance do VLAN trunk?
    We use 4503 Chassis for Core and 3560 switches for other buildings.
    We use 3845 Router with CME 4.0. Do we make this the LAN gateway and configure default GW on this router as the ASA appliance?
    Thanks
    AD

    Hi,
    You may configure the very CME Router as the InterVLAN Trunking device. If the phones are directly connected to the CME Router, nothing has to be done to the ASA configuration. Remember to configure the CME Router and the phones' ports in the switch as trunk ports.
    Regards.

  • Windows 7 and Windows 8 Driver Availability Chart for Creative's products

    Hello Everyone,
    There is a Knowledge base article that contains the Windows 7 and 8 Driver Availability Chart for Creative's products.
    Thank you.
    Mod Notes: Updated the link and include Windows 8.

    For Windows 7
    To run the Hardware and Devices troubleshooter in Windows 7, follow these steps:
    Open the Hardware and Devices troubleshooter by clicking the Start button, and then clicking Control Panel.
    In the search box, enter troubleshooter, and then click Troubleshooting.
    Under Hardware and Sound, click Configure a device.

  • App Store on the iPad (iOS 6), can you view the Top Charts for iPhone?

    In the App Store on the iPad (iOS 6) can you view the Top Charts for iPhone? It used to be possible in a previous version of iOS.

    disregard post.

  • Windows 7 - Driver Availability Chart For Creative Products is nearly useless

    Windows 7 - Driver Availability Chart For Creative Products (http://support.creative.com/kb/showarticle.aspx?sid=605) is outdated Windows pre-release drivers (at least for the Audigy SB0090 series) back from July. These appear to be revamped Vista drivers that are not usable for W7 RTM. MS made changes to W7 where most Vista drivers do not work properly any more.
    When I try to install the drivers through the installer I get the incompatibility error and the installer quits, then I get the failed install pop-up for W7.
    What I would like to know is when Creative plans on releasing drivers that work with W7 RTM? Linking drivers that worked for W7 RC is not helping and really should be removed.
    I have used Creative sound cards since just before the SB6 came out. I have been a loyal Creative customer from early on. But if Creative can not deliver a fully working driver suite for my sound card by the end of the month (November) I would appreciate knowing so I can start looking for a replacement, which won't be a Creative product.
    Even though my last 3 MBs have had good built-in sound, I have gone out and bought Creative sound cards because I wanted the best, which Creative has previously provided.
    I need to upgrade my MB so I have put off buying a new sound card until I do. But if I'm forced to buy a new sound card because Creative says it will provide drivers that work with W7 RTM and for what ever reason can not do so, I will not be buying another Creative product.
    I maintain 4 PCs of my own so that will be 4 cards bought from a competitor since Creative has completely dropped the ball. All major component manufacturers have been able to release stable drivers at the same time as W7 RTM release, or within days after release. Why hasn't Creative been able to do so? Creative was able to release suitable drivers for RC in a timely fashion, what happened with W7 RTM? Did they recently fire all the programs and techs?
    Please do not link useless info. Please find out what is going on and tell the powers-that-be at Creative they have some really upset customers and ask them to tell us what is happening here. Tell them we would like to know when Creative plans on releasing drivers for W7 RTM so we can make the decision to wait it out or buy replacements.

    Again, yes Device Manager has no problem detecting the card and W7 has no problem loading the default Window drivers for it.
    Since I had to replace my TV Tuner Card, I used Device Manager to remove it and my Audigy card and then shut the PC down. My new TV Tuner Card is a PCI-E x so I installed it in an open slot and move the Audigy to the PCI slot where the old TV Tuner Card was.
    When I started my PC again, W7 detected the Audigy card and loaded the default drivers. I again tried to use the installer and had the same error.
    The sound works, but I only have basic Windows functions/controls.
    It is most definitely not a hardware issue.
    The online auto update detects it, just the installer does not detect it.
    I am currently awaiting a response from CS now. Of course the problem there is that you have to wait/respond, wait/respond, wait/respond just to cover the same ground that has been gone over a hundred times already.
    I put every step I have done in the email. As usual, it was a waste to type because you are asked questions already answered and to perform steps already done.
    It would be nice if CS would realize that some of us are only contacting CS because we have already done all the standard steps without success and now need to move onto the advanced steps.

  • Windows 7 Driver Availability Chart for Creative's products

    Hello Everyone,
    There is a Knowledge base article that contains the Windows 7 Driver Availability Chart for Creative's products. Please note that the date in the chart may vary from time to time in accordance to Microsoft's plans on Windows 7 release.
    Thank you.


  • Dundas Chart for Reporting Services in SSRS 2012

    We are in the process of upgrading our servers to 2012 and though I find many things about converting or upgrading dundas controls to 2008, I can't find anything about upgrading/converting to SSRS 2012.  After converting the development machines to SQL Server/SSRS 2012 the reports now simply show "The custom Report Item Type DundasChartControl is not installed".  The only Dundas Chart installation I can find is for SSRS 2008.  Does a 2012 version not exist?  Am I supposed to convert these into Microsoft charts?
    Thanks in advance,
    Robb Melancon

    Hi Robb,
    It seems that you are using Dundas Chart Control for SQL Server 2008 R2 Reporting Services not the Dundas Chart Control 2005 that Microsoft has purchased.
    Microsoft purchased the license to use Dundas Chart Control 2005 in Reporting Services 2008 and above. Therefore the supported upgrade is from Reporting Services 2005 Dundas Charts to SSRS 2008 (R2) and SSRS 2012 Charts.
    If you are using a particular component released by Dundas for SSRS 2008 R2, you won’t be able to upgrade Reporting Services 2008 R2 Reports with Dundas Charts to Reporting Services 2012 Charts.
    To confirm this, please check the details of this assembly “DundasRSChart.dll” located under the /Report Server/bin directory.
    If the Product Name is “Dundas Chart for Reporting Services 2008 R2”, it indicates that this is a new version of Dundas Chart for SSRS 2008 R2 (i.e. a third party control). If the Product Name is “Microsoft SQL Server”, it indicates that this is the version that Microsoft has purchased.
    In this condition, you have to migrate the DundasRSChart.dll to the SSRS 2012 instance and reference it as the custom assembly in the reports. Please make sure to rename the DLL file so that it won’t replace the native DundasRSChart.dll installed by SQL Server 2012.
    For more information about referencing custom assembly in a report, please see:
    Using Custom Assemblies with Reports
    Regards,
    Mike Yin
    TechNet Community Support
