Migration from Cisco Concentrator to ASA
Hi,
we want to migrate from a Concentrator to an ASA.
I know that there was a Cisco internal tool to adapt the Concentrator configuration.
Is this tool still internal, or could it be downloaded somewhere?
Thanks for your help.
Hi Martin,
What version of Concentrator are you currently using? If you are using a VPNC 3000 series, you can view the recommended upgrade path to an ASA via the following link (see "Product Migration Options" at the bottom of the document)
http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html
Mike
Similar Messages
-
Migrating from FWSM to ASA Service Module (ASASM)
I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
Thanks in advance.
So long as the chassis has enough power to power these modules, you are good.
Up to 4 FWSMs can be installed in a chassis.
Up to 4 ASA-SM modules can be installed in a chassis.
FWSM:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
• Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
ASA-SM
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
-Kureli
Check out my breakout session at Cisco Live 2013, Orlando, Florida.
BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA
Room 314A Tuesday, June 25 3:00 PM - 4:30 PM -
Context Migration from FWSM to ASA
Hi there,
What would be the best way to migrate a context from FWSM to ASA (non-SM) with minimal downtime and effort?
I am thinking of these steps:
1) Preconfigure the new ASA with the same IP address as the FWSM for the interfaces (keep the ASA subinterfaces in shut state), configure access rules.
(I want to retain the same IP for the interfaces, since there are many hosts behind the FWSM with this gateway IP configured.)
2) Shut the context-specific interfaces on the FWSM and bring up the context-specific interfaces on the ASA.
(Also a query: if I introduce the ASA into the network with the same IP as the FWSM, though the interfaces would be in shut state, should I expect any IP conflicts?)
Thanks
Hi,
Well, you probably have the option to configure the old FWSM's interface MAC address on the ASA's corresponding interface manually; this way there will be no change in the ARP from the perspective of the server/host.
I guess depending on if you have a single firewall or failover firewall the command is a bit different as you define either 1 or 2 MAC addresses.
I think this was the command to modify the MAC address
http://www.cisco.com/en/US/docs/security/asa/command-reference/m1.html#wp2111205
- Jouni -
VPN with Cisco 877 and ASA 5505
Hi Experts,
this is my scenario:
remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
I would like to allow remote users to connect to my LAN to check their mail and work as if they were in the office. Actually, I have configured the Cisco 877 as VPN server and this is working fine, but now I'm trying to use the ASA with the router because it permits 25 connections at the same time.
I'm connected to the internet using a public ISDN IP. I have heard that I need a second IP address for the ASA, and that the ASA must act as VPN server and the router as client; is that right?
If I need to configure the link between the router and the ASA, how can I do it? I can't find any document or example on the net :/
Please, I need your support to make this dream real lol.
I will post my configuration step by step following your help.
Many thanks.
The ASA needs a public IP address, that is sure, and also the ASA acts as VPN. Client server will be remote, not the router. For that you can use any Ethernet. Trying to make a remote VPN connection via the Cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.
-
How To Migrate Cisco Clean Access to Cisco ISE
We have a Cisco Clean Access 3.6.3 (3140 Appliance) which we would love to migrate to Cisco ISE 1.1 (3315 Appliance). Does anyone have an idea on how to do this?
I was wondering if I need to upgrade to a later version of Cisco Clean Access and then back up the CCA. Back up the CCA and then restore/import the backup to the ISE.
Any help will be greatly appreciated.
Thanks.
Hi Mate,
Refer to below instructions for hosting licenses on ISRs:
http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001047
Rehosting a License
Prerequisites:
• Valid Cisco.com account (username/password)
• Retrieve Product Id and Serial Number with either the IOS "show license udi" command or label tray from both the source and destination devices.
• Retrieve Source Device Credentials by issuing the following IOS commands in exec mode:
– license save credential flash0:CredentialFileName
– more flash0:CredentialFileName
• The source device has rehostable licenses.
Rehosting a License with Cisco's Licensing Portal
This process can be used when the source and the destination device cannot communicate directly with Cisco licensing portal
Summary Steps:
1. Obtain UDI and device credentials from the source and destination devices using IOS CLI commands
2. Contact the Product License Registration page on Cisco.com and enter the source Device Credentials and UDI into the license transfer portal tool.
3. The portal will display licenses that can be transferred from the source device.
4. Select the licenses that need to be transferred. A permission ticket is issued. You can use this permission ticket to start the rehost process using Cisco IOS commands.
5. Apply the permissions ticket to the source device using the license revoke command. The source device will then provide a rehost ticket indicating proof of revocation. A sixty day grace period license is also installed on the device to allow enough time to transfer the licenses to destination device.
6. Enter the rehost ticket into the license transfer portal tool on Cisco.com along with destination device UDI.
7. Receive the license key via E-mail
8. Install the license key on the destination device.
You can also email [email protected] for any further help.
-Terry
Please rate all helpful posts -
Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access
Hello folks,
I need your help.
We have a Cisco PIX 501 in one location, and this PIX is configured for PPPoE dial-out. The PIX connects itself to the internet via the PPPoE client. Ping to an official IP is running well.
So what I want to do is to establish a VPN tunnel between this PIX and a Cisco 3005 concentrator.
But I was not successful in establishing it.
Here is the PIX config. The ACLs are only for testing and will be replaced if it works.
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname PIX-AU
domain-name araukraine.ua
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
mtu outside 1456
mtu inside 1456
ip address outside pppoe setroute
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.x.x 255.255.255.224 inside
pdm logging warnings 500
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.x.x 255.255.x.x inside
telnet timeout 5
ssh 194.39.97.0 255.255.255.0 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *********
encrypted privilege 15
vpnclient server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpnclient vpngroup vpntest password ********
vpnclient username pixtest password ********
terminal width 80
On the concentrator I created a user pixtest and a group vpntest, and I've created rules for the network, e.g. which server the users behind the PIX will be able to access.
And that's all.
I could not send you the output of either the PIX or the concentrator because I did not get an error or a message that the tunnel will be established.
What can be wrong?
Thanks for the replies
This sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml -
Anyone know about a tool to migrate WatchGuard config to ASA
I've never come across such a tool.
I believe you'll need to do a manual configuration of the ASA to match the Watchguard settings. -
Migrating Cisco Unity Connection
Hi Experts,
I'm migrating CUC 7.1 in appliance model to CUC 9.x in a virtualized environment.
My question is, is there any consideration to take place during the migration? Will any issues happen when the exported files from CUC 7.1 to be imported in CUC 9.x?
Thanks in advance.
No, just use COBRAS, or upgrade to, at least, 8.0(2) to use DRS.
Sent from Cisco Technical Support iPad App -
Migration Cisco Unified Communications Manager 6.1 to Cisco Small Business Edition 5000
Hello,
I want to know two things:
1) I want to know, if I have 1000 DLU, how many licenses that would be in the new licensing for Cisco Unified Communications Manager Business Edition? Because I have Cisco IP Communicator, Cisco Personal Communicator, Video Advantage and Unified Messaging.
2) To migrate data from my current CUCM, what tool should I use? DMA?
Thanks
I can't assist on #1 but #2 is pretty much a regular upgrade. The only CUCMBE before having the 3 flavors we have now, has turned into the 5K option.
There's no DMA as that's from Windows to Linux. It's either DRS (EXACT same source and destination version) or BAT.
HTH
java
If this helps, please rate
www.cisco.com/go/pdihelpdesk -
Help remove Vulnerability on Cisco concentrator
Hi, our last security scan, came back with this vulnerability, anyone know how to reduce the threat?
Cisco Internet Key Exchange Denial of Service Vulnerability
THREAT:
Cisco Internet Key Exchange (IKE) is exposed to a denial of service issue. This issue affects devices implementing IKE Version 1, and is due to resource exhaustion when handling a high rate of IKE requests. An attack of 10 packets per second at 122 bytes each is sufficient to cause denial of service conditions.
Cisco is tracking these issues with the following Bug IDs:
* CSCse70811 for Cisco IOS software
* CSCse89808 for Cisco VPN 3000 Concentrators
* CSCsb51032 for Cisco PIX firewalls
IMPACT:
A successful attack may lead to denial of service to legitimate users.
SOLUTION:
Cisco has information on a mitigation technique only for Cisco IOS software affected by this issue. Refer to Cisco Security Response 70810 for further details.
COMPLIANCE:
Not Applicable
RESULT:
Detected service isakmp and os Cisco VPN 3000 Concentrator
http://www.cisco.com/warp/public/707/cisco-sr-20060726-ike.shtml
You can turn it off so that no tunnel can ever negotiate to use it, but you can't disable it entirely. You can deactivate all IKE proposals that have DES encryption specified, leaving only the IKE proposals that have 3DES or AES. Go to: Configuration | Tunneling and Security | IPSec | IKE Proposals
and deactivate any and all IKE Proposals that reference DES. -
Auto install VPn client via Cisco concentrator, anyone done this before?
This is beginning to frustrate me, I must be missing something.
I have downloaded update-5.0.01.0600-major-K9.zip and unzipped the 3 files to an internal website the VPN users can access. The 3 files are:
binary_config.ini
sig.dat
vpnclient-win-msi-5.0.01.0600-k9.exe
On the concentrator I have added http://webserver/vpn/5.0/
Users only get a manual method to update when they connect. I have also tried
http://vogbs010/vpn/5.0/vpnclient-win-msi-5.0.01.0600-k9.exe
which doesn't work.
All I want is to try and get the Auto-install screen pop-up which tells the user the update has been downloaded. I'm testing this on VPN client version 4.8.
Hope you can advise.
You should be able to install the 64 bit version of the Cisco VPN software
Latest version is vpnclient-winx64-msi-5.0.07.0440-k9.exe
You should download and run MCPR.exe first, to clean out any traces of McAfee products that conflict with Cisco VPN.
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
If there is a problem with vbscript registration on the system - there is a fixit tool from Microsoft for that:
MicrosoftFixit50842.msi
(Using Shrew VPN is a possible workaround.) -
Migrating Cisco WLAN Controller 2106 to 2504
Hello everybody,
I made a backup of the configuration of the 2106 and uploaded it into the 2504.
It loaded the configuration successfully.
But now there is a problem:
I can't log in anymore.
In another thread someone had the same problem and solved it by reconfiguring the passwords.
https://supportforums.cisco.com/thread/2151881
So I investigated how to reconfigure the passwords without resetting the configuration to factory defaults.
Among others, I came to the following page:
http://www.cerritos.edu/glazor/CIS%2070/Cisco/CLI%20Password%20Recovery.htm
So I have to access rommon to reconfigure the passwords.
But there's the next problem:
I can't access rommon.
When I press ctrl + break while the WLC is loading the primary image, it keeps on booting until the login prompt.
I tried it with HyperTerminal and Tera Term. Both terminals recognize the ^C command, but the WLC remains unimpressed.
I also tried "How to simulate a Break Key sequence" from this site unsuccessfully:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080174a34.shtml
What am I doing wrong?
Best regards
You have the config, so it's easier to just hit esc when prompted during boot to erase the configuration. When you take your config from the 2106, make sure you open the file in a text editor and change the password command. When you make a backup, it's hashed; change it so it's in plain text when you upload it and it should work. That is one thing I make sure I do when transferring configs between different models of WLCs.
Sent from Cisco Technical Support iPhone App -
The server is Windows 2008 R2 on ESX 5.1. Prime LMS 4.2.0 works fine, but there are some bugs, as the automatic backup doesn't work.
So I want to patch it to 4.2.2 and then 4.2.4.
I tried 4.2.1, same thing.
The installation always blocks after the calcls.exe, which is done.
I looked at the rights on the ciscopx directory; the rights are set correctly for the administrator and causers.
Is there anyone who has the same problem? Any idea?
Attached is the install file; there is no error pop-up, just setup.exe running, and nothing changes during 1 day (no processing, no writing to install-log).
This message was edited by: ROGER LE VERGE
Hello, I have finally
uninstalled Prime LMS 4.2.0, and then
reinstalled, without changes to the Windows system.
And then I restored the databases.
Then I could install patch Prime LMS 4.2.2
and then 4.2.4,
and finally it works fine! -
IAS and Cisco Concentrator 3000 series?
Is anyone authenticating their VPN users via Windows IAS? If so, how? I would like them to be able to get on the network only if they are in a particular Active Directory group (not local IAS users).
Thanks
Hi,
Yes, it works fine. For network access you need to set up group policy.
Regards,
~JG -
Cisco PIX to Cisco ASA Migration Tool
Hello,
I appreciate any help to download the Cisco PIX to ASA migration tool referred to at
http://www.cisco.com/en/US/partner/docs/security/asa/migration/release/notes/pix2asarn.html#wp39336
Thanks in Advance
Francisco Almeida
As a registered user, go to the download page for Pix Software here.
Navigate on the menu tree to "Version 1.0" and you should see the software available to download: