Migration cisco concentrator to ASA

Hi,
We want to migrate from a concentrator to an ASA.
I know that there was a Cisco internal tool to adapt the concentrator configuration.
Is this tool still internal, or can it be downloaded somewhere?
Thanks for your help.

Hi Martin,
What version of Concentrator are you currently using? If you are using a VPNC 3000 series, you can view the recommended upgrade path to an ASA via the following link (see "Product Migration Options" at the bottom of the document):
http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html
Mike

Similar Messages

  • Migrating from FWSM to ASA Service Module (ASASM)

    I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
    With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
    In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
    Thanks in advance.

    So long as the chassis has enough power to power these modules you are good.
    Up to 4 FWSMs can be installed in a chassis.
    Up to 4 ASA-SM modules can be installed in a chassis.
    FWSM:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
    • Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
    ASA-SM
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
    Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
    A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
    -Kureli
    Check out my breakout session at Cisco Live 2013, Orlando, Florida.
    BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA 
    Room 314A Tuesday, June 25 3:00 PM - 4:30 PM

  • Context Migration from FWSM to ASA

    Hi there,
    What would be the best way to migrate a context from FWSM to ASA (non-SM) with minimal downtime and effort?
    I am thinking of these steps:
    1) Preconfigure the new ASA with the same IP address as the FWSM for the interfaces (keep the ASA subinterfaces in shut state) and configure access rules.
       (I want to retain the same IP for the interfaces, since there are many hosts behind the FWSM with this gateway IP configured.)
    2) Shut the context-specific interfaces on the FWSM and bring up the context-specific interfaces on the ASA.
       (Also a query: if I introduce the ASA into the network with the same IP as the FWSM, though the interfaces would be in shut state, should I expect any IP conflicts?)
    Thanks

    Hi,
    Well, you probably have the option to configure the old FWSM's interface MAC address on the ASA's corresponding interface manually; this way there will be no change in the ARP from the perspective of the server/host.
    I guess depending on whether you have a single firewall or a failover firewall, the command is a bit different, as you define either 1 or 2 MAC addresses.
    I think this was the command to modify the MAC address:
    http://www.cisco.com/en/US/docs/security/asa/command-reference/m1.html#wp2111205
    - Jouni

  • VPN with Cisco 877 and ASA 5505

    Hi Experts,
    This is my scenario:
    remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
    I would like to allow remote users to connect to my LAN to check their mail and work as if they were in the office. Actually, I have configured the Cisco 877 as VPN server and this is working fine, but now I'm trying to use the ASA with the router because it permits 25 connections at the same time.
    I'm connected to the Internet using a public ISDN IP. I have heard that I need a second IP address for the ASA, and that the ASA must act as VPN server and the router as client. Is that right?
    If I need to configure the link between the router and the ASA, how can I do it? I can't find any document or example on the net :/
    Please, I need your support to make this dream real lol.
    I will post my configuration step by step following your help.
    Many thanks.

    ASA need public ip address that is sure and also ASA acts as vpn. Client server will be remote not router. For that you can use any Ethernet. Trying to make a remote VPN connection via the cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.

  • How To Migrate Cisco Clean Access to Cisco ISE

    We have a Cisco Clean Access 3.6.3 (3140 Appliance) which we would love to migrate to Cisco ISE 1.1 (3315 Appliance). Does anyone have an idea on how to do this?
    I was wondering if I need to upgrade to a later version of Cisco Clean Access and then back up the CCA, and then restore/import the backup to the ISE.
    Any help will be greatly appreciated.
    Thanks.

    Hi Mate,
    Refer to below instructions for hosting licenses on ISRs:
    http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001047
    Rehosting a License
    Prerequisites:
    • Valid Cisco.com account (username/password)
    • Retrieve Product Id and Serial Number with either the IOS "show license udi" command or label tray from both the source and destination devices.
    • Retrieve Source Device Credentials by issuing the following IOS commands in exec mode:
    – license save credential flash0:CredentialFileName
    – more flash0:CredentialFileName
    • The source device has rehostable licenses.
    Rehosting a License with Cisco's Licensing Portal
    This process can be used when the source and the destination device cannot communicate directly with Cisco licensing portal
    Summary Steps:
    1. Obtain UDI and device credentials from the source and destination devices using IOS CLI commands
    2. Contact the Product License Registration page on Cisco.com and enter the source Device Credentials and UDI into the license transfer portal tool.
    3. The portal will display licenses that can be transferred from the source device.
    4. Select the licenses that need to be transferred. A permission ticket is issued. You can use this permission ticket to start the rehost process using Cisco IOS commands.
    5. Apply the permissions ticket to the source device using the license revoke command. The source device will then provide a rehost ticket indicating proof of revocation. A sixty day grace period license is also installed on the device to allow enough time to transfer the licenses to destination device.
    6. Enter the rehost ticket into the license transfer portal tool on Cisco.com along with destination device UDI.
    7. Receive the license key via E-mail
    8. Install the license key on the destination device.
    You can also email [email protected] for any further help.
    -Terry
    Please rate all helpful posts

  • Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access

    Hello folks,
    I need your help.
    We have a Cisco PIX 501 in one location, and this PIX is configured for PPPoE dial-out. The PIX connects itself to the Internet via the PPPoE client. Ping to an official IP is running well.
    So what I want to do is to establish a VPN tunnel between this PIX and a Cisco 3005 concentrator.
    But I was not successful in establishing it.
    Here is the PIX config. The ACLs are only for testing and will be replaced if it works.
    PIX Version 6.3(4)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx
    passwd xxx
    hostname PIX-AU
    domain-name araukraine.ua
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside permit ip any any
    access-list inside_access_in permit ip any any
    pager lines 24
    logging on
    logging monitor warnings
    logging buffered warnings
    mtu outside 1456
    mtu inside 1456
    ip address outside pppoe setroute
    ip address inside 192.168.x.x 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.x.x 255.255.255.224 inside
    pdm logging warnings 500
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.x.x 255.255.x.x inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.x.x 255.255.x.x inside
    telnet timeout 5
    ssh 194.39.97.0 255.255.255.0 outside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname [email protected]
    vpdn group pppoe_group ppp authentication pap
    vpdn username [email protected] password *********
    encrypted privilege 15
    vpnclient server 212.xx.xx.xx
    vpnclient mode network-extension-mode
    vpnclient vpngroup vpntest password ********
    vpnclient username pixtest password ********
    terminal width 80
    On the concentrator I created a user pixtest and a group vpntest, and I've created rules for the network, e.g. which servers the users behind the PIX will be able to access.
    And that's all.
    I could not send you the output of either the PIX or the concentrator because I did not get an error or a message that the tunnel will be established.
    What can be wrong?
    Thanks for the replies

    This sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml

  • Migration watch Guard to asa

    Anyone know about a tool to migrate a WatchGuard config to ASA?

    I've never come across such a tool.
    I believe you'll need to do a manual configuration of the ASA to match the Watchguard settings.

  • Migrating Cisco Unity Connection

    Hi Experts,
    I'm migrating CUC 7.1 in appliance model to CUC 9.x in a virtualized environment.
    My question is, is there any consideration to take place during the migration? Will any issues happen when the exported files from CUC 7.1 to be imported in CUC 9.x?
    Thanks in advance.

    No, just use COBRAS, or upgrade to, at least, 8.0(2) to use DRS.

  • Migration Cisco Unified Communications Manager 6.1 to Cisco Small Business Edition 5000

    Hello,
    I want to know two things:
    1) If I have 1000 DLU, how many licenses would that be in the new licensing for Cisco Unified Communications Manager Business Edition? I ask because I have Cisco IP Communicator, Cisco Personal Communicator, Video Advantage and Unified Messaging.
    2) To migrate data from my current CUCM, what tool should I use? DMA?
    Thanks

    I can't assist on #1 but #2 is pretty much a regular upgrade. The only CUCMBE before having the 3 flavors we have now, has turned into the 5K option.
    There's no DMA as that's from Windows to Linux. It's either DRS (EXACT same source and destination version) or BAT.
    HTH
    java
    If this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Help remove Vulnerability on Cisco concentrator

    Hi, our last security scan came back with this vulnerability. Does anyone know how to reduce the threat?
    Cisco Internet Key Exchange Denial of Service Vulnerability
    THREAT:
    Cisco Internet Key Exchange (IKE) is exposed to a denial of service issue. This issue affects devices implementing IKE Version 1, and is due to resource exhaustion when handling a high rate of IKE requests. An attack of 10 packets per second at 122 bytes each is sufficient to cause denial of service conditions.
    Cisco is tracking these issues with the following Bug IDs:
    * CSCse70811 for Cisco IOS software
    * CSCse89808 for Cisco VPN 3000 Concentrators
    * CSCsb51032 for Cisco PIX firewalls
    IMPACT:
    A successful attack may lead to denial of service to legitimate users.
    SOLUTION:
    Cisco has information on a mitigation technique only for Cisco IOS software affected by this issue. Refer to Cisco Security Response 70810 for further details.
    COMPLIANCE:
    Not Applicable
    RESULT:
    Detected service isakmp and os Cisco VPN 3000 Concentrator
    http://www.cisco.com/warp/public/707/cisco-sr-20060726-ike.shtml

    You can turn it off so that no tunnel can ever negotiate to use it, but you can't disable it entirely. You can deactivate all IKE proposals that have DES encryption specified, leaving only the IKE proposals that have 3DES or AES. Go to: Configuration | Tunneling and Security | IPSec | IKE Proposals
    and deactivate any and all IKE Proposals that reference DES.

  • Auto install VPn client via Cisco concentrator, anyone done this before?

    This is beginning to frustrate me, I must be missing something.
    I have downloaded update-5.0.01.0600-major-K9.zip and unzipped the 3 files to an internal website the VPN users can access. The 3 files are:
    binary_config.ini
    sig.dat
    vpnclient-win-msi-5.0.01.0600-k9.exe
    On the concentrator I have added http://webserver/vpn/5.0/
    Users only get a manual method to update when they connect. I have also tried
    http://vogbs010/vpn/5.0/vpnclient-win-msi-5.0.01.0600-k9.exe
    which doesn't work.
    All I want to try and get is the Auto-install screen pop-up which tells the user the update has been downloaded. I'm testing this on VPN client version 4.8.
    Hope you can advise.

    You should be able to install the 64 bit version of the Cisco VPN software
    Latest version is vpnclient-winx64-msi-5.0.07.0440-k9.exe
    You should download and run MCPR.exe first, to clean out any traces of McAfee products that conflict with Cisco VPN.
    http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
    If there is a problem with vbscript registration on the system - there is a fixit tool from Microsoft for that:
    MicrosoftFixit50842.msi
    (Using Shrew VPN is a possible workaround.)

  • Migrating Cisco WLAN Controller 2106 to 2504

    Hello everybody,
    I made a backup of the configuration of the 2106 and uploaded it into the 2504.
    It loaded the configuration successfully.
    But now there is a problem:
    I can't log in anymore.
    In another thread someone had the same problem and solved it by reconfiguring the passwords.
    https://supportforums.cisco.com/thread/2151881
    So I investigated how to reconfigure the passwords without resetting the configuration to factory defaults.
    Among others, I came to the following page:
    http://www.cerritos.edu/glazor/CIS%2070/Cisco/CLI%20Password%20Recovery.htm
    So I have to access rommon to reconfigure the passwords.
    But there's the next problem:
    I can't access rommon.
    When I press Ctrl + Break while the WLC is loading the primary image, it keeps on booting until the login prompt.
    I tried it with HyperTerminal and Tera Term. Both terminals recognize the ^C command, but the WLC remains unimpressed.
    I also tried "How to simulate a Break Key sequence" from this site unsuccessfully:
    http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080174a34.shtml
    What am I doing wrong?
    Best regards

    You have the config, so it's easier to just hit Esc when prompted during boot to erase the configuration. When you take your config from the 2106, make sure you open the file in a text editor and change the password command. When you make a backup, it's hashed; change it so it's in plain text when you upload it and it should work. That is one thing I make sure I do when transferring configs between different models of WLCs.

  • After migration cisco lms4.01 to prime lms 4.2.0 , upgrade to 4.2.1 or 4.2.2 failed

    The server is Windows 2008 R2 on ESX 5.1. Prime LMS 4.2.0 works fine but has some bugs, such as the automatic backup, which doesn't work.
    So I want to patch it to 4.2.2 and then 4.2.4.
    I tried 4.2.1, with the same result.
    The installation always blocks after calcls.exe, which completes.
    I checked the rights on the ciscopx directory; the rights are set correctly for the administrator and causers.
    Is there anyone who has the same problem? Any ideas?
    Attached is the install file. No error pops up; setup.exe just keeps running and nothing changes for 1 day (no processing, no writing to the install log).
    This message was edited by: ROGER LE VERGE

    Hello, I have finally
    uninstalled Prime LMS 4.2.0, and then
    reinstalled it, without any change to the Windows system,
    and then I restored the databases.
    Then I could install the Prime LMS 4.2.2 patch
    and then 4.2.4,
    and finally it works fine!

  • IAS and Cisco Concentrator 3000 series?

    Is anyone authenticating their VPN users via Windows IAS? If so, how? I would like them to only be able to get on the network if they are in a particular Active Directory group (not local IAS users).
    Thanks

    Hi,
    Yes, it works fine. For network access you need to set up group policy.
    Regards,
    ~JG

  • Cisco PIX to Cisco ASA Migration Tool

    Hello,
    I would appreciate any help downloading the Cisco PIX to ASA migration tool referred to at
    http://www.cisco.com/en/US/partner/docs/security/asa/migration/release/notes/pix2asarn.html#wp39336
    Thanks in Advance
    Francisco Almeida

    As a registered user, go to the download page for Pix Software here.
    Navigate on the menu tree to "Version 1.0" and you should see the software available to download:
