Is ASA 5550 firewall supports BGP

Similar Messages

• ASA 5550 V05 Active/passive one stop work

  Hello,
  I have a client, that got 2x ASA 5550 V05 and they were configured to act as active/passive but some months ago they had problems with them, so they remove them from the network.
  Recently, I went there, and saw that one of the firewall (the one that was as passive) is not working, when I connect via console and reboot it I don't even see nothing, the boot starts, but suddenly, nothing shows up.
  The things is that the client wants to get back to use the ASAs, so is there any way to fix that?
  As an alternative we were thinking in acquire another ASA, to configure the two as active/passive again, the ASA that its working is:
  ASA 5550 V05 ; Cisco Adaptive Security Appliance Software Version 7.2(4) ; Device Manager Version 5.2(4) ; 8 Ports GB ( 4+4) ; asa724-k8.bin
  My question is, I need an exactly the same model ASA?
  I was thinking in put one ASA5555-2SSD120-K9. That would work?
  Or should I try anything else? I don't have many skills with ASA specially troubleshooting it.
  Thanks in advance

  Hi Diogo,
  The issue related to failed firewall could be related to a hardware issue, you may get some outputs from console session when the ASA is booting up. Try to boot up the firewall again, if this doesn´t work then you should open a TAC case so they can help you replacing the firewall(the ASA needs to be under an active contract).
  Regarding ASA model and failover, both firewalls must be the same model(hardware).
  See the below requirements for failover to work:
  http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html#req
  Regards,
  Harvey.
  Please rate if this is correct answer.

• DMZ issues in ASA 5505 Firewall

  hi , i have asa 5505 firewall with ASA5505-UL-BUN-K9 license i have problem with DMZ. I am not able to create dmz. please suggest me what i need to do in order to be able to configure dmz. should i need to upgrade the license. please suggest.

  Hi,
  Is the currently licensed firewall something that you have had for sometime or is it a new purchase?
  Just wondering as it would seem unreasonable to just have bought something and then having to get a new license. Just wondering if you can somehow avoid spending extra money if this is a new purchase that wasnt what you were actually looking for.
  You can check this link for the differnent options the ASA5505 has
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html
  You can also check this link for all the available licensed options on the ASA5505
  http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html#wp2124788
  This link contains also information on the ASA models
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
  So essentially you would get 20 Vlan interfaces instead of 3 and also support for Trunking which would let you use a single physical link for several Vlans (if you wanted that is)
  Hope this helps
  - Jouni

• ASA 5550 IPv6 Compatibility

  Hi All,
  I need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
  The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
  Thanks in Advance
  Sujit

  I need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
  Here are some useful facts for you
  IPv6 address command appeared on 7.0.1
  IPv6 support on transparent mode appeared on 8.2.1
  IPv6 address support for an standby interface ( failover) appeared on 8.2.2
  In the latest 8.3 code support for L2L VPN for IPv6 scenarios have been added.
  9.0(1) Features
  OSPFv3  support.
  DNS inspection.
  NAT supported on IPv6 traffic and also from IPv4 to IPv6( From IPv4 to IPv6 NAT is not supported on Transparent Mode).
  DHCP for IPv6 (DHCPv6) relay.
  IPv6 VPN connections to its outside interface using SSL and IKEv2/IPsec protocols.
  Remember to rate all of the helpful posts
  Julio Carvajal

• IDS,ASA,PIX firewall monitoring and optimizing

  Dear All,
  Please let me know the products from Cisco to monitor and optimize the IDS, ASA, PIX firewall in the data centre and corporate networking environment.
  I believe that VMS 2.3 can be used.I like to know about the CS-MARS product from Cisco and its usage.
  Thanking you
  Swamy

  Hi,
  CS-MARS is a security product that mainly used to analyse, correlates and produce/recommed mitigation action based on the log analysis.
  You need to send your syslog, snmp or NetFlow to CS-MARS from all/selected network devices in the network to enable it to have visibility of the network activities. It has built-in signatures or rules that trigger incidents, and allows you can create your own rule to monitor certain segment or devices. Notification is available in the form of email, sms, pager, snmp and syslog.
  CS-MARS does not replace the function of IDS/IPS or antivirus, but as a critical security complimentary product to allow you to stop any detected malicious incidents/activities from a nearest point, e.g shutting down switch port where a PC is detected trying to launch network attack, virus or trojans. The concept more or less similar to 'Forward Defense' used by certain country today.
  http://www.cisco.com/en/US/partner/products/ps6241/products_data_sheet0900aecd80272e64.html
  CS-MARS is measured by its capabilities to handle received Event and Netflow logs per second. This include the HDD capacity. You can have single unit (Local Controller) or multiple unit that centrally managed by Global Controller.
  CS-MARS support wide range of networking and security products.
  http://www.cisco.com/en/US/partner/products/ps6241/products_device_support_tables_list.html
  Rgds,
  AK

• ASA 5550 Console (Serial) TACACS

  I have a ASA 5550 running multiple contexts, but having the AAA authentication serial console (TACACS Server Name) LOCAL allows a tacacs challenge on connecting to the console but I am then unable to issue any commands i.e. enable or Show Run - message command autherixation failed
  Has anyone setup console (serial) TACACS and got it working?
  Thanks                  

  Hi Simon,
  The below are the commands which requires with respect to the console access.
  aaa-server TACACS+ protocol tacacs+
  aaa authentication serial console TACACS+ LOCAL
  aaa authentication telnet console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication http console TACACS+ LOCAL
  So you should have both serial console and enable console for you settings. If you have these settings in your firewall. Also please check in the tacacs server end if privelage level is set properly for the same.
  Please do rate if the given information helps.
  By
  Karthik

• ASA 5550 failover configuration

  I have two identical ASA 5550 firewalls that I need to set up for Active/Standby failover so I can then upgrade them with zero downtime.  I am running them in single, routed mode so I would have to configure failover for Active/Standby.  Can I do a cable-based configuration? The documentation states that is only available on the PIX 500 Security Appliance.  Going through the Support Community forums it appears I can.  Who is right?  If I can do cable-based configuration do I have to turn off the secondary ASA to do the inital configuration?  Thanks much.

  Hello James,
  Yes, you can do cable-based (if you mean connect the devices via a cable without a switch.. That will not be a problem)
  Cisco recommends use a switch between the units for troubleshooting purposes but it's not a MUST.
  Configuration wise, same procesure nothing different so just follow the regular process.
  For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
  Any question contact me at [email protected]
  Cheers,
  Julio Carvajal Segura

• Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

  Hello,
  I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any time-exceeded 
  access-list 100 permit icmp any any unreachable
  ip address outside xxx.xxx.xxx.94 255.255.255.224
  ip address inside 192.168.1.1 255.255.255.0
  global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
  global (outside) 1 xxx.xxx.xxx.95
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  route outside 0 0 xxx.xxx.xxx.93
  access-group 100 in interface outside
  nat (inside) 1 192.168.1.0 255.255.255.0
  nat (inside) 1 192.168.1.0 255.255.255.0 0 0
  outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
  static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
  static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

  Hey Craig,
  Based on your commands I think you were using 6.3 version on PIX and now you must be  moving to ASA ver 8.2.x.
  On 8.4 for interface defining use below mentioned example :
  int eth0/0
  ip add x.x.x.x y.y.y.y
  nameif outside
  no shut
  int eth0/1
  ip add x.x.x.x y.y.y.y
  nameif inside
  no shut
  nat (inside) 1 192.168.1.0 255.255.255.0
  global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
  global (outside) 1 xxx.xxx.xxx.95
  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any time-exceeded 
  access-list 100 permit icmp any any unreachable
  static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
  static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
  route outside 0 0 xxx.xxx.xxx.93
  access-group 100 in interface outside
  You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
  If you're still not able to reach.Paste your entire config and version that you are using on ASA.

• I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

  I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
  I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
  I need to allow the following IP addresses to have RDP access to my server:
  66.237.238.193-66.237.238.222
  69.195.249.177-69.195.249.190
  69.65.80.240-69.65.80.249
  My external WAN server info is - 99.89.69.333
  The internal IP address of my server is - 192.168.6.2
  The other server shows up as 99.89.69.334 but is working fine.
  I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
  THE FOLLOWING IS MY CONFIGURATION FILE
  Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
  Also the bolded lines are the modifications I made but that arent working.
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password DowJbZ7jrm5Nkm5B encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.6.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 99.89.69.233 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object-group network EMRMC
  network-object 10.1.2.0 255.255.255.0
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.11.0 255.255.255.0
  network-object 172.16.0.0 255.255.0.0
  network-object 192.168.9.0 255.255.255.0
  object-group service RDP tcp
  description RDP
  port-object eq 3389
  object-group service GMED tcp
  description GMED
  port-object eq 3390
  object-group service MarsAccess tcp
  description MarsAccess
  port-object range pcanywhere-data 5632
  object-group service MarsFTP tcp
  description MarsFTP
  port-object range ftp-data ftp
  object-group service MarsSupportAppls tcp
  description MarsSupportAppls
  port-object eq 1972
  object-group service MarsUpdatePort tcp
  description MarsUpdatePort
  port-object eq 7835
  object-group service NM1503 tcp
  description NM1503
  port-object eq 1503
  object-group service NM1720 tcp
  description NM1720
  port-object eq h323
  object-group service NM1731 tcp
  description NM1731
  port-object eq 1731
  object-group service NM389 tcp
  description NM389
  port-object eq ldap
  object-group service NM522 tcp
  description NM522
  port-object eq 522
  object-group service SSL tcp
  description SSL
  port-object eq https
  object-group service rdp tcp
  port-object eq 3389
  access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
  access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
  access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
  access-list outside_access_in extended permit tcp any interface outside eq 3389
  access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
  access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
  access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
  access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
  static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.6.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 68.156.148.5
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 1
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  tunnel-group 68.156.148.5 type ipsec-l2l
  tunnel-group 68.156.148.5 ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
  : end
  ciscoasa(config-network)#

  Unclear what did not work.  In your original post you include said some commands were added but don't work:
  static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
  and later you state you add another command that gets an error:
  static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
  You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
  The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
  Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

• Question of my asa if it support anyconnect vpn

  does my asa current license support using cisco any connect
  or
  easy  vpn cisco ??
  http://www9.0zz0.com/2014/03/04/11/979253014.png

  CSCO,
  Looks like you have an ASA 5505. Usually you can have up to 2 Anyconnect peers unless you specifically purchase more.
  I'm not sure aout Easy VPN though.

• Firewall Support of Discoverer 4i

  We have been trying to set up dial-up access to Oracle Discoverer 4i.
  When our Firewall Administrator opened access to all ports it worked perfectly and very fast but obviously such a configuration is far from ideal. Our Administrator noted
  that when monitoring which ports were being utilised, Discoverer kept accessing different and random
  ports each time a connection was made. These were the ports utilised :-
  15000
  1104 XRL
  5432 Unassigned
  2267
  2358
  2280 lnvpoller
  2305 MT Scale server
  2327 xingcsm
  2368 opentable
  Which ports need specifically to be opened as surely this is not the proper manner that this should work? Our firewall is CheckPoint 4.1 Srv Pack 3.
  Thanks
  Stephanie Farrugia.

  You can configure the port that the Plus applet will communicate thru the firewall using the GateKeeper configuration tool ("gkconfig"). There's a chapter on firewall support in the Discoverer 4i Configuration Guide that should be helpful.
  BTW, it should be (by default) communicating over port 15000.
  null

• ASA 5550 RESET

  I have an ASA 5550 and the console port suddenly stopped allowing me to console and the management port no longer allows me to conole in. So that there is now question, The network cables and console cables work fine on other ASA's and network devices. I tried to reset the device by pushing the reset button but it doesn't appear to do anything, even after I reboot. Any help would be appreciated.

  Hello Marco,
  At this point it looks more like a hardware failure. Do you see the ASA lights green?
  If you don’t have console access you may need to get a replacement unit via TAC or your reseller.
  Regards,
  Juan Lombana
  Please rate helpful posts.

• ASA 9.x support PBR?

  Hi Cisco Soldiers,
  I'd like to know if the new version for ASAs (9.x) support PBR (Policy-Based Routing).
  Regards
  Alek

  Hi,
  No, PBR is not officially supported on the ASA.
  The only way to achieve something like that is to play around with the NAT. Even though it usually works, as its not officially supported (atleast yet) theres naturally always a risk that it stops working because of some change.
  I have tried this for example in a situation where the user had 2 ISP links and wanted one DMZ network to use the other ISP for all outbound connections while the rest used the other ISP.
  - Jouni

• ASA 5525 firewall Trace Route.

  Hi,
  We are Having  ASA 5525 firewall and Whenever I am performing traceroute passing through the firewall and i am not getting any hop count after firewall( Firewall IP is also not shwoing in Trace Route.
  ICMP I had allowed and also configure ICMP in the Policy_Map global Policy.
  PLease help me to resolve this issue.
  Regards,
  Dheeraj

  Hi Dheeraj,
       firewall blocks Traceroute as doesnt decrements the TTL value by default. You would need the following to enable the same:
  Make the Firewall Show Up in a Traceroute in ASA/PIX
  ciscoasa(config)#class-map class-default
  ciscoasa(config)#match any
  !--- This class-map exists by default.
  ciscoasa(config)#policy-map global_policy
  !--- This Policy-map exists by default.
  ciscoasa(config-pmap)#class class-default
  !--- Add another class-map to this policy.
  ciscoasa(config-pmap-c)#set connection decrement-ttl
  !--- Decrement the IP TTL field for packets traversing the firewall.
  !--- By default, the TTL is not decrement hiding (somewhat) the firewall.
  ciscoasa(config-pmap-c)#exit
  ciscoasa(config-pmap)#exit
  ciscoasa(config)#service-policy global_policy global
  !--- This service-policy exists by default.
  WARNING: Policy map global_policy is already configured as a service policy
  ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
  !--- Adjust ICMP unreachable replies:
  !--- The default is rate-limit 1 burst-size 1.
  !--- The default will result in timeouts for the ASA hop:
  Cheers,
  Naveen

• Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

  Recently i have installed ASA 5520 firewall, Below is the detail for my network
  ASA 5520 inside ip: 10.12.10.2/24
  Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
  Cisco Call Manager 3825 IP: 10.12.110.2/24
  The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
  the Default Gateway for Data user is 10.12.10.2/24 and
  for the voice users is 10.12.110.2/24
  now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.

  Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
  ASA Version 8.2(1)
  name x.x.x.x Mobily
  interface GigabitEthernet0/0
   nameif inside
   security-level 99
   ip address 10.12.10.2 255.255.255.0
  interface GigabitEthernet0/1
   nameif outside
   security-level 0
   ip address x.x.x.x 255.255.255.252
  object-group service DM_INLINE_SERVICE_1
   service-object tcp-udp
   service-object ip
   service-object icmp
   service-object udp
   service-object tcp eq ftp
   service-object tcp eq www
   service-object tcp eq https
   service-object tcp eq ssh
   service-object tcp eq telnet
  access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
  access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
  access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
  access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu mgmt 1500
  ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
  ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-641.bin
  asdm history enable
  arp timeout 14400
  global (inside) 2 interface
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 Inside-Network 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 Mobily 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Mgmt-Network 255.255.255.0 mgmt
  http Inside-Network 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 30
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 86400
  telnet Inside-Network 255.255.255.0 inside
  telnet timeout 5
  ssh Inside-Network 255.255.255.255 inside
  <--- More --->              ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RA_VPN internal
  group-policy RA_VPN attributes
   dns-server value 86.51.34.17 8.8.8.8
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value RA_VPN_splitTunnelAcl
  username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
  tunnel-group RA_VPN type remote-access
  tunnel-group RA_VPN general-attributes
   address-pool VPN-Users
   default-group-policy RA_VPN
  tunnel-group RA_VPN ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
  : end