New ASA 55xx

I currently have a 3725 + the NM-CIDS module doing my firewall / IPS / VPN.
I'm considering upgrading to an ASA 55xx box.
I was reading the product page, and it does not seem that I can have one ASA box that does both the IPS with an AIP-SSM-xx and the anti-virus with a CSC-SSM-xx, because the box only has one SSM slot.
I also need this box to be compatible and take over the peer-to-peer VPN that the 3725 is doing with my current IOS. I have several remote 87x routers connected over ADSL and cable connections with active IOS VPNs. My 3725 currently has an AIM VPN card to help the CPU. If I change it to an ASA box, will I have to re-configure all the remote 87x routers?
Thanks...

I would use one ASA with the AIP-SSM module.
And then place a separate Anti-X type of device at the back. Having a separate ASA for the CSC module is overkill IMHO.
There is no real integration between the CSC/IPS modules anyway, so you still have to manage different GUIs. A good option would be to go for IronPort; since they are now part of Cisco, there might be some neat integrations coming along in the future (giving you more value for money). There isn't any great feedback about the CSC module; most people I know don't like to position it, including some Cisco CSEs themselves (it's based on Trend Micro, btw).
Regards
Farrukh

Similar Messages

  • Upgrade from 8.2 to 8.6 for new ASA 5515X

    Hello,
    My customer has a rather complex configuration on an ASA 5510 running version 8.2
    They are migrating to new ASA 5515X models, which of course only support version 8.6.
    How can I convert the configuration from 8.2 to 8.6, since the new ASAs do not support the earlier versions?
    The X series seems to be a great option for new deployments but what about replacements of existing older models?
    Thanks for any ideas everyone!
    Chris

    Hello,
    I would say go to 8.4. From there you will have the same syntax.
    There will be new commands and features on 8.6, that's for sure, but you are going to be on the same path.
    Any other question? Sure. Just remember to rate all of the helpful posts.
    Julio

  • Info about ASA 55xx

    Hi
    I'm starting to read about the ASA 55xx on the Cisco website, but after some good reading I have some questions.
    In the Cisco docs about the ASA 55xx, I see "Maximum concurrent AnyConnect or clientless VPN sessions" and "Maximum concurrent site-to-site and IPsec IKEv1 VPN sessions" (e.g. 750 both). So, are the maximum concurrent sessions 750+750 (AnyConnect + site-to-site), i.e. do I add the two types of sessions? Or what are the maximum concurrent sessions (of each type) on the ASA5520?
    So, at this point, if I want 750 AnyConnect sessions and 750 site-to-site sessions, which license do I need to buy? ASA5500-SSL-750? ASA-VPNS-1000? Or what else?
    Then, what are the "shared" licenses? When and where do I need to buy them?
    thanks in advance.
    Bye

    Platform capabilities and required licensing are as noted in the product data sheet:
    Up to 750 AnyConnect and/or clientless VPN peers can be supported on each Cisco ASA 5520 by installing an Essential or a Premium AnyConnect VPN license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, offering a maximum of 7500 AnyConnect and/or clientless VPN peers or 7500 IPsec VPN peers per cluster.
    Reiterating:
    The ASA 5520 750 site-to-site VPN capability is in the base license / product (part number ASA5520-BUN-K9 or ASA5520-K8, depending on whether you are eligible to purchase the strong encryption (-BUN-K9) version).
    The AnyConnect user licenses required depend on whether you need Anyconnect Essentials or Premium. The Anyconnect data sheet outlines the differences. Essentials is one license that allows up to 750 clients to use the appliance simultaneously. Premium (which cannot be loaded at the same time as Essentials) requires the licenses to be purchased according to the tiered per user scheme.
    Shared licenses are shared among ASAs in a cluster (2 or more units configured together).
    There is the concept of licenses in a failover (2-unit) cluster. That is automatic - i.e. the license numbers are additive and shared up to the platform capability. the ASA5500-SSL-750 part would be used in that setup.
    There is also the concept of an AnyConnect Premium Shared Server. In that scheme, the shared server allocates licenses in 50-unit blocks to the cluster members as they need them. The ASA-VPNS-1000 part number you mention is used in that sort of setup.

  • File system check recs on new ASAs

    Just curious if anyone knows why I'd be seeing these on a new ASAs. The last two I received had these fsck records:
    f-monona-1# sh flash
    --#--  --length--  -----date/time------  path
      182  16275456    Dec 13 2010 16:46:02  asa821-k8.bin
      223  15962112    Feb 01 2011 16:40:15  asa832-k8.bin
      183  49152       Jan 01 1980 00:00:00  FSCK0000.REC
       13  2048        Dec 13 2010 16:47:20  coredumpinfo
       14  43          Feb 01 2011 16:47:11  coredumpinfo/coredump.cfg
      184  11348300    Dec 13 2010 16:47:54  asdm-621.bin
        3  2048        Dec 13 2010 16:51:36  log
       12  2048        Dec 13 2010 16:51:44  crypto_archive
      224  15841428    Feb 01 2011 16:43:34  asdm-641.bin
      186  2048        Jan 01 1980 00:00:00  FSCK0001.REC
      187  12105313    Dec 13 2010 16:52:00  csd_3.5.841-k9.pkg
      188  2048        Dec 13 2010 16:52:02  sdesktop
      225  0           Dec 13 2010 16:52:02  sdesktop/data.xml
      189  2857568     Dec 13 2010 16:52:02  anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
      190  3203909     Dec 13 2010 16:52:04  anyconnect-win-2.4.1012-k9.pkg
      191  4832344     Dec 13 2010 16:52:06  anyconnect-macosx-i386-2.4.1012-k9.pkg
      192  5209423     Dec 13 2010 16:52:08  anyconnect-linux-2.4.1012-k9.pkg
      193  2048        Jan 01 1980 00:00:00  FSCK0002.REC
      194  2048        Jan 01 1980 00:00:00  FSCK0003.REC
      195  92160       Jan 01 1980 00:00:00  FSCK0004.REC
      196  2048        Jan 01 1980 00:00:00  FSCK0005.REC
      197  2048        Jan 01 1980 00:00:00  FSCK0006.REC
      198  2048        Jan 01 1980 00:00:00  FSCK0007.REC
      199  675840      Jan 01 1980 00:00:00  FSCK0008.REC
      200  2048        Jan 01 1980 00:00:00  FSCK0009.REC
      201  677888      Jan 01 1980 00:00:00  FSCK0010.REC
      202  30720       Jan 01 1980 00:00:00  FSCK0011.REC
      203  30720       Jan 01 1980 00:00:00  FSCK0012.REC
      204  2048        Jan 01 1980 00:00:00  FSCK0013.REC
      205  2048        Jan 01 1980 00:00:00  FSCK0014.REC
      206  4096        Jan 01 1980 00:00:00  FSCK0015.REC
      207  4096        Jan 01 1980 00:00:00  FSCK0016.REC
      208  4096        Jan 01 1980 00:00:00  FSCK0017.REC
      209  4096        Jan 01 1980 00:00:00  FSCK0018.REC
      210  6144        Jan 01 1980 00:00:00  FSCK0019.REC
      211  6144        Jan 01 1980 00:00:00  FSCK0020.REC
      212  6144        Jan 01 1980 00:00:00  FSCK0021.REC
      213  22528       Jan 01 1980 00:00:00  FSCK0022.REC
      214  38912       Jan 01 1980 00:00:00  FSCK0023.REC
      215  34816       Jan 01 1980 00:00:00  FSCK0024.REC
      216  43008       Jan 01 1980 00:00:00  FSCK0025.REC
      217  2048        Jan 01 1980 00:00:00  FSCK0026.REC
      218  26624       Jan 01 1980 00:00:00  FSCK0027.REC
      219  2048        Jan 01 1980 00:00:00  FSCK0028.REC
      220  26624       Jan 01 1980 00:00:00  FSCK0029.REC
      221  2048        Jan 01 1980 00:00:00  FSCK0030.REC

    I have seen the same issue on many NEW ASAs and DON'T think this is a problem with the received ASAs' flash cards or file structure. I have deleted and reformatted many of these flash cards and not experienced any new FSCK files. The flash cards from new ASAs have all passed.
    This leads me to believe that the master flash card used in manufacturing, from which the imaged flash cards were created in final production, had corruption at times, and that the FSCK files on the master used for duplicating were then copied, along with its FSCK files, to the flash of the shipping ASAs.

  • New ASA Device

    Hello,
    We have a new ASA box configured, and one of the users is using his iPad to connect to it.
    It is asking for a secret password while he tries to connect to it.
    Arun

    Hi Marvin,
    I am attaching the running config.
    The user is from the group MDW(You can see it in the config).
    =====================================================================================
    sh run
    : Saved
    ASA Version 8.2(5)
    hostname nmtasav001
    domain-name internal.XXX.com
    enable password xxx encrypted
    passwd xxx encrypted
    names
    name 10.4.5.5 NetflowAnalyzer
    name 10.4.5.6 Challenger
    name 10.4.237.0 Net-10.4.237.0 description ASA Client VPN
    name xxx Net-xxx description Hosting
    name 10.4.4.50 mtcdnsw001
    name 10.4.4.51 mtcdnsw002
    name xxx nmtasav001-outside
    name 172.16.0.0 Net-172.16.0.0
    name 192.168.0.0 Net-192.168.0.0
    interface GigabitEthernet0/0
    nameif INSIDE
    security-level 100
    ip address 10.4.1.20 255.255.255.224
    interface GigabitEthernet0/1
    nameif OUTSIDE
    security-level 0
    ip address nmtasav001-outside 255.255.255.0
    interface GigabitEthernet0/2
    nameif lab
    security-level 100
    ip address 192.168.105.193 255.255.254.0
    interface GigabitEthernet0/3
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup INSIDE
    dns server-group DefaultDNS
    name-server mtcdnsw001
    name-server mtcdnsw002
    domain-name internal.xxx
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network obj-SSL-pool
    network-object 10.2.31.0 255.255.255.0
    object-group network obj-inside-LAN
    network-object 10.4.1.0 255.255.255.224
    object-group network INTERNAL-DNS
    network-object host mtcdnsw001
    network-object host mtcdnsw002
    object-group network Net-PrivateRFC1918
    network-object 10.0.0.0 255.0.0.0
    network-object Net-172.16.0.0 255.240.0.0
    network-object Net-192.168.0.0 255.255.0.0
    access-list mngmt-in extended permit ip any any
    access-list INSIDE_nat0_outbound extended permit ip any 192.168.105.194 255.255.255.254
    access-list INSIDE_nat0_outbound extended permit ip any 10.2.31.0 255.255.255.0
    access-list no_nat extended permit ip 10.2.31.0 255.255.255.0 10.0.0.0 255.0.0.0
    access-list no_nat extended permit ip any 10.0.0.0 255.255.255.0
    access-list tcp_bypass extended permit tcp host 10.4.4.38 any
    access-list DAP-Test extended deny ip 10.2.31.0 255.255.255.0 host Challenger
    access-list MDW-Contractors extended permit ip Net-10.4.237.0 255.255.255.0 Net-xxx 255.255.224.0
    access-list MDW-Contractors extended permit udp Net-10.4.237.0 255.255.255.0 object-group INTERNAL-DNS eq domain
    access-list MDW-Contractors extended deny ip any object-group Net-PrivateRFC1918
    access-list MDW-Contractors extended permit ip Net-10.4.237.0 255.255.255.0 any
    access-list MDW-ST-TEST extended permit ip any any inactive
    access-list MDW-ST-TEST2 standard permit host xxx
    pager lines 24
    logging enable
    logging asdm informational
    flow-export destination INSIDE NetflowAnalyzer 2055
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    mtu lab 1500
    mtu management 1500
    ip local pool IPPool 192.168.105.194-192.168.105.195 mask 255.255.254.0
    ip local pool TestPool 10.0.0.1-10.0.0.254 mask 255.255.255.0
    ip local pool OUTSIDE-TEST 10.2.31.2-10.2.31.254 mask 255.255.255.0
    ip local pool MDW-Contractors 10.4.237.206-10.4.237.210 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (INSIDE) 0 access-list no_nat
    nat (OUTSIDE) 1 Net-10.4.237.0 255.255.255.0
    access-group mngmt-in in interface management
    route OUTSIDE 0.0.0.0 0.0.0.0 xxx 1
    route INSIDE 10.0.0.0 255.0.0.0 10.4.1.4 1
    route INSIDE Net-172.16.0.0 255.240.0.0 10.4.1.4 1
    route INSIDE Net-192.168.0.0 255.255.0.0 10.4.1.4 1
    route INSIDE Net-xxx 255.255.224.0 10.4.1.4 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-message "Default Success"
    dynamic-access-policy-record Employees
    user-message "Employees DAP Good"
    network-acl DAP-Test
    aaa-server Internal_LDAP protocol nt
    aaa-server Internal_LDAP (INSIDE) host 10.4.4.40
    nt-auth-domain-controller 10.4.4.40
    aaa-server CryptoCard protocol radius
    aaa-server CryptoCard (INSIDE) host 10.4.5.1
    key *****
    authentication-port 1812
    accounting-port 1813
    aaa-server INTERNAL_AD protocol nt
    aaa-server INTERNAL_AD (INSIDE) host 10.4.4.40
    nt-auth-domain-controller 10.4.4.40
    aaa-server AD_LDAP protocol ldap
    aaa-server AD_LDAP (INSIDE) host 10.4.4.38
    server-port 389
    ldap-base-dn ou=xxx,dc=internal,dc=xxx,dc=com
    ldap-group-base-dn ou=xxx,dc=internal,dc=xxx,dc=xxx
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn ldapquery@xxx
    server-type microsoft
    aaa-server BlackShield protocol radius
    aaa-server BlackShield (INSIDE) host 10.4.4.253
    key *****
    authentication-port 1812
    accounting-port 1813
    aaa-server BlackShield (INSIDE) host 10.4.4.254
    key *****
    authentication-port 1812
    accounting-port 1813
    aaa-server Hosting-LDAP protocol ldap
    aaa-server Hosting-LDAP (INSIDE) host xxx
    server-port 636
    ldap-base-dn ou=People,dc=xxx,dc=xxx
    ldap-scope subtree
    ldap-naming-attribute uid
    ldap-login-password *****
    ldap-login-dn cn=VPN,ou=Auth Accounts,dc=xxx,dc=xxx
    ldap-over-ssl enable
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.105.192 255.255.255.255 lab
    http Challenger 255.255.255.255 lab
    http 10.0.0.0 255.0.0.0 lab
    http 10.0.0.0 255.0.0.0 INSIDE
    http Net-192.168.0.0 255.255.0.0 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map lab_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map lab_map interface lab
    crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map OUTSIDE_map interface OUTSIDE
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=nmtasav001
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 17ffe14e
        308201d7 30820140 a0030201 02020417 ffe14e30 0d06092a 864886f7 0d010105
        05003030 31133011 06035504 03130a6e 6d746173 61763030 31311930 1706092a
        864886f7 0d010902 160a6e6d 74617361 76303031 301e170d 31313132 30393132
        34363231 5a170d32 31313230 36313234 3632315a 30303113 30110603 55040313
        0a6e6d74 61736176 30303131 19301706 092a8648 86f70d01 0902160a 6e6d7461
        73617630 30313081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
        8181009a 6917bd8f e740f061 92d7a6fe 93407ac8 0449a07d 65da57c8 ce4954d4
        2260f2b5 ab4df14c 5ad4c326 83a5d44f 61c1fcf1 4b297cfd 99b5d476 1c448acf
        1939e5aa 8b994aba 4a6cd5ee dc9add18 92677696 773d581c 3b8bc39b 3257c32c
        cf1288d2 9a2addce 76b3fd5c 90207513 c4f2c662 771dfbe7 4b6ce8a3 5ec886a4
        3ec27d02 03010001 300d0609 2a864886 f70d0101 05050003 8181008e 36d02573
        df2277dd d0902fa8 83b6efb1 183c3df1 2d305cd8 c3eb6c15 f21534e1 12252077
        f9d92978 7477cd70 b0e5cf6a db9401ea b02b1ece ace0ed55 7b84bddc cb86e9af
        306c1033 ed52c294 ea59a284 0e6f63e6 d1c6f3c8 ace8b8ba 158e38a1 2923cbc2
        27895b29 549ce80a 66170c58 b4e493d5 879c44d5 860ed20d 96d05d
      quit
    crypto isakmp enable OUTSIDE
    crypto isakmp enable lab
    crypto isakmp policy 10
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 INSIDE
    ssh Net-192.168.0.0 255.255.0.0 INSIDE
    ssh 10.0.0.0 255.0.0.0 lab
    ssh Net-192.168.0.0 255.255.0.0 lab
    ssh Challenger 255.255.255.255 lab
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.4.4.35 source INSIDE prefer
    ssl trust-point ASDM_TrustPoint0 lab
    webvpn
    enable OUTSIDE
    csd image disk0:/csd_3.5.841-k9.pkg
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
    svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 4
    svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 5
    svc enable
    group-policy RSA-TEST internal
    group-policy RSA-TEST attributes
    dns-server value 10.4.4.50 10.4.4.51
    vpn-tunnel-protocol IPSec
    default-domain value internal.xxx
    group-policy DfltGrpPolicy attributes
    dns-server value 10.4.4.50 10.4.4.51
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    default-domain value internal.xxx
    group-policy GroupPolicy4 internal
    group-policy GroupPolicy4 attributes
    wins-server none
    dns-server value 10.4.4.50 10.4.4.51
    vpn-filter value MDW-Contractors
    vpn-tunnel-protocol svc
    default-domain value internal.xxx
    group-policy GroupPolicy3 internal
    group-policy GroupPolicy3 attributes
    wins-server none
    dns-server value 10.4.4.50 10.4.4.51
    vpn-tunnel-protocol svc
    default-domain value internal.xxx
    group-policy GroupPolicy2 internal
    group-policy GroupPolicy2 attributes
    wins-server none
    dns-server value 10.4.4.50 10.4.4.51
    vpn-tunnel-protocol svc
    default-domain value internal.xxx
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    wins-server none
    dns-server value 10.4.4.50 10.4.4.51
    vpn-tunnel-protocol svc
    default-domain value internal.xxx
    group-policy EmployeeGrpPolicy internal
    group-policy EmployeeGrpPolicy attributes
    wins-server none
    dns-server value 10.4.4.50 10.4.4.51
    vpn-tunnel-protocol svc webvpn
    default-domain value internal.xxx
    webvpn
      url-list value Challenger
    group-policy OUTSIDE-REMOTEACCESS internal
    group-policy OUTSIDE-REMOTEACCESS attributes
    dns-server value 10.4.4.50 10.4.4.51
    vpn-tunnel-protocol IPSec svc
    default-domain value internal.xxx
    username user1 password spqkEUN2dW2Uq2B3 encrypted
    username user2 password CiPqkZGHO77wSa/e encrypted privilege 0
    username user2 attributes
    vpn-group-policy RSA-TEST
    username xxx password xxx encrypted
    username neteng password xxx encrypted privilege 15
    username neteng attributes
    service-type remote-access
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool OUTSIDE-TEST
    authentication-server-group INTERNAL_AD
    secondary-authentication-server-group CryptoCard use-primary-username
    tunnel-group CompanyOwnedComputer type remote-access
    tunnel-group CompanyOwnedComputer general-attributes
    address-pool OUTSIDE-TEST
    authentication-server-group INTERNAL_AD
    secondary-authentication-server-group BlackShield use-primary-username
    default-group-policy EmployeeGrpPolicy
    tunnel-group CompanyOwnedComputer webvpn-attributes
    group-url https://xxx/employees enable
    tunnel-group MDW type remote-access
    tunnel-group MDW general-attributes
    address-pool MDW-Contractors
    authentication-server-group Hosting-LDAP
    authorization-server-group Hosting-LDAP
    default-group-policy GroupPolicy4
    tunnel-group MDW webvpn-attributes
    group-url https://xxx/mdw enable
    tunnel-group OUTSIDE-REMOTEACCESS type remote-access
    tunnel-group OUTSIDE-REMOTEACCESS general-attributes
    address-pool OUTSIDE-TEST
    default-group-policy OUTSIDE-REMOTEACCESS
    tunnel-group OUTSIDE-REMOTEACCESS ipsec-attributes
    trust-point ASDM_TrustPoint0
    tunnel-group RSA-TEST type remote-access
    tunnel-group RSA-TEST general-attributes
    address-pool TestPool
    default-group-policy RSA-TEST
    tunnel-group RSA-TEST ipsec-attributes
    pre-shared-key *****
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group TunnelGroup1 general-attributes
    authentication-server-group (INSIDE) Internal_LDAP
    default-group-policy GroupPolicy2
    class-map inspection_default
    match default-inspection-traffic
    class-map tcp_bypass
    description "TCP traffic that bypasses stateful firewall"
    match access-list tcp_bypass
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    policy-map tcp_bypass_policy
    class tcp_bypass
      set connection advanced-options tcp-state-bypass
    service-policy global_policy global
    service-policy tcp_bypass_policy interface INSIDE
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:8ebf55bf0eac5187d701d62352d57e6f
    : end
    nmtasav001#

  • Move configure from old ASA to new ASA 5515x?

    Dear All,
    Could you let me know how I can move my configuration from an ASA 5510 v8.0 to the new ASA 5515-X v9.1.1?
    I used copy running to TFTP and applied it to the new ASA, but it has some errors, like NAT and certificate.
    Could I export my certificate from the old ASA and import it to the new ASA, given that they are different versions? Is there any solution without downtime?
    Best Regards,
    Rechard

    Rechard
    I do not believe that there is a way to do the transition from an old ASA running 8.0 to a new ASA running 9.1 without some downtime. But it is possible to minimize the downtime. I have recently done a transition like that and it was not an easy one. As you have discovered, if you attempt to copy the old config to the new ASA it will reject as invalid syntax much of the access lists and all of the NAT.
    The easier way to do the transition is to have an ASA running the old code with the old config and to upgrade that ASA to 9.1. In this process the 9.1 code should read the config from startup and will do a conversion to the new syntax. I have done this going from 8.0 to 8.4 and see no reason why 9.1 would be different. You then only need to check the accuracy of the conversion. And then you can take the converted config and load it on the new ASA. In my recent conversion we did not have an extra ASA with old code, the new ASA does not support the old version, and the downtime to do this on the existing ASA was not acceptable. So I took the access lists and nat and did a manual translation from old to new. I loaded the modified config on the new ASA and did some checking. We then just switched connections from old ASA to new ASA and the downtime was minimal.
    HTH
    Rick
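
    Both the 8.2-to-8.6 thread above and this 8.0-to-9.1 one come down to the NAT rewrite that arrived in 8.3. As an added example that is not part of either post, here is one pre-8.3 NAT set beside its 8.3+ equivalent. The INSIDE/OUTSIDE interface names, the 10.4.1.0/27 LAN and the 10.2.31.0/24 VPN pool are taken from the config posted earlier on this page; the web server 10.4.1.10, its public address 203.0.113.10, the ACL name OUTSIDE_in and the object names are assumptions for illustration.

```cisco
! ----- Pre-8.3 syntax (the style of the 8.2 config posted above) -----
! Dynamic PAT of the inside LAN to the OUTSIDE interface address
global (OUTSIDE) 1 interface
nat (INSIDE) 1 10.4.1.0 255.255.255.224
! NAT exemption: inside-to-VPN-pool traffic is not translated
access-list no_nat extended permit ip 10.4.1.0 255.255.255.224 10.2.31.0 255.255.255.0
nat (INSIDE) 0 access-list no_nat
! Static NAT for a server (10.4.1.10 and 203.0.113.10 are illustrative addresses)
static (INSIDE,OUTSIDE) 203.0.113.10 10.4.1.10 netmask 255.255.255.255
! Pre-8.3: an inbound ACL matches the MAPPED (public) address
access-list OUTSIDE_in extended permit tcp any host 203.0.113.10 eq https
access-group OUTSIDE_in in interface OUTSIDE

! ----- 8.3 and later (8.4(2)+ for the no-proxy-arp / route-lookup keywords) -----
object network INSIDE-LAN
 subnet 10.4.1.0 255.255.255.224
 ! Object NAT (section 2, dynamic rules after statics): replaces global/nat 1
 nat (INSIDE,OUTSIDE) dynamic interface
object network VPN-POOL
 subnet 10.2.31.0 255.255.255.0
object network WEB-MAPPED
 host 203.0.113.10
object network WEB-REAL
 host 10.4.1.10
 ! Object NAT (section 2): replaces the static statement
 nat (INSIDE,OUTSIDE) static WEB-MAPPED
! Twice NAT (section 1, evaluated before object NAT): replaces nat 0 access-list.
! no-proxy-arp stops the ASA answering ARP for the pool on OUTSIDE; route-lookup
! picks the egress interface from the routing table rather than from this rule.
nat (INSIDE,OUTSIDE) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
! 8.3+: the inbound ACL names the REAL (untranslated) address
access-list OUTSIDE_in extended permit tcp any object WEB-REAL eq https
access-group OUTSIDE_in in interface OUTSIDE
```

    Two things bite on every such migration: inbound ACLs now reference the real address, and rule precedence moved from line order to sections (twice NAT, then object NAT with statics before dynamics, then after-auto twice NAT). Before cutting over, confirm the translation with `show nat detail` and walk a flow through it with `packet-tracer input OUTSIDE tcp 198.51.100.7 40000 203.0.113.10 443` (the client address is assumed); the trace should show the untranslate to 10.4.1.10 and an ACL permit on OUTSIDE_in.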

  • New ASA v9.0.1 & ASDM v7.0.1 released

    This has been moved to:
    https://supportforums.cisco.com/community/netpro/network-infrastructure/remote-access/blog/2012/11/02/new-asa-v901-asdm-v701-released
    Thanks.

    So if you update to 9.0.1 with a base license... ASDM/HTTP will not work!

  • Causing some network problem after connecting the new ASA to my network

    Hi everyone,
    Hope you can help on this issue.... It is strange to me...but may not be to you
    Currently, I have a subnet connected to my primary network. All the internet traffic travels through a router there, and in turn through a pair of ASA failover firewalls (i.e. Subnet -> router -> Subnet ASA -> Primary network ASA -> Primary network router -> Internet).
    Now we are trying to set up an internet pipe so the subnet can go to the internet on its own. So, for security purposes, we put another new ASA in between the subnet and the new internet. This will be the primary, and the old path to the Internet would be the backup route.
    NOW
    I have not even made any route changes on the router yet. What I did was to connect the new ASA to the subnet. Again, I did not change any routes, or any gateway settings on any of the computers in the subnet!! I just connected the ASA. That is it... please remember this.
    However, problems happen. I have an application server in the same subnet... that keeps kicking out users. I also have a continuous ping to it... I saw that the server had requests time out... it did not come back up until about 10 to 20 seconds later. The server, in fact, is a cluster server. Although I can ping the physical server, I cannot ping the virtual server.
    In order to fix the problem, I really need to unplug the new ASA from the network and reload the cluster server. Then it starts to work.
    Another symptom is that... people complain the logon is obviously slower than usual.
    May I ask why the new ASA would cause this trouble?? Again, no routes on the router have been changed. And all PCs in the subnet are still using the old gateway, and do not know about the new ASA.
    Any ideas would be great!! Very strange to me. Thank you very much for your help.
    Riderfaiz

    First guess would be proxy ARP.
    Proxy ARP is enabled by default on the ASA. The new ASA might be proxy ARPing for whatever reason.
    OR the new ASA might have been configured with an ip address that belongs to another device by mistake.
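
    An added example, not part of the reply above, of how to check for and switch off the two proxy-ARP behaviours the reply points at. The interface name SUBNET, the 10.4.1.0/27 and 192.0.2.0/27 prefixes and the object names are assumptions; the per-rule keyword requires 8.4(2) or later NAT syntax.

```cisco
! 1. What is this unit answering ARP for, and does any NAT rule or sysopt touch it?
show arp
show nat detail
show running-config sysopt
! 2. While the new ASA is cabled in but not yet the gateway, stop it answering
!    ARP on the subnet-facing interface altogether.
!    Caution: with this set, hosts on SUBNET can no longer reach NAT-mapped
!    addresses that sit inside their own subnet unless a route points at the ASA.
sysopt noproxyarp SUBNET
! 3. Once NAT is configured, prefer suppressing proxy ARP per rule instead of per
!    interface, so only the mapped block you actually own is answered for.
object network INSIDE-LAN-MAPPED
 subnet 192.0.2.0 255.255.255.224
object network INSIDE-LAN
 subnet 10.4.1.0 255.255.255.224
 nat (INSIDE,SUBNET) static INSIDE-LAN-MAPPED no-proxy-arp
```

    If `show arp` on the ASA, or `arp -a` on an affected host, shows the cluster's virtual address resolving to one of the ASA's MAC addresses listed in `show interface`, that is the collision; the second possibility in the reply (a duplicate IP) shows up the same way, with the ASA's own interface address as the culprit.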

  • ASDM not working on new ASA

    Hi Everyone,
    I am setting up new ASA for testing purposes.
    So far it has single interface Active which is management.
    I can SSH to the ASA fine, but ASDM is not working.
    sh run http shows
    sh run http
    http server enable
    http 172.31.20.0 255.255.255.0 management
    sh run ssh
    ssh 172.31.20.0 255.255.255.0 management
    Regards
    Mahesh

    Hi Julio,
    sh run ssl does not show any output
    show flash | include asdm
      111  16280544    Jun 29 2011 12:10:58  asdm-645.bin
    sh run asdm
    no asdm history enable
    sh ver shows
    up 2 days 2 hours
    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode        : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
    0: Ext: GigabitEthernet0/0  : address is e8b7.483d.0d68, irq 9
    1: Ext: GigabitEthernet0/1  : address is e8b7.483d.0d69, irq 9
    2: Ext: GigabitEthernet0/2  : address is e8b7.483d.0d6a, irq 9
    3: Ext: GigabitEthernet0/3  : address is e8b7.483d.0d6b, irq 9
    4: Ext: Management0/0       : address is e8b7.483d.0d6c, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 150            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 750            perpetual
    Total VPN Peers                   : 750            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5520 VPN Plus license.
    Regards
    Mahesh

  • Certificate Install in new ASA

    Previous ASA crashed and burned.  We need to take the certificate and move it to the new ASA.
    Can this be done simply by moving the cert to the new ASA?  And if so, what is the process?
    Or do i need to start from scratch and just have the CA reissue a new cert from a new CSR?

    If you have the old certificate, you can simply restore it into the new appliance assuming you are replacing the old configuration as well (i.e. same fqdn and trustpoints etc.).
    This is noted in a dated, but still valid, tech note here.
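
    A worked version of that restore path, added here and not part of the original reply. It assumes a PKCS#12 export was taken while the old ASA was still alive: a `show running-config` holds only the public certificate under `crypto ca certificate chain`, never the private key, so a text config backup alone cannot restore the identity. The trustpoint name ASDM_TrustPoint0 is taken from the config posted earlier on this page; the passphrase MyExportPass and the interface name OUTSIDE are examples.

```cisco
! --- On the old unit (or as a scheduled step while it is still healthy) ---
! Exports the identity certificate, its private key and the issuing chain as
! one passphrase-protected, base64-encoded PKCS#12 blob printed to the terminal.
crypto ca export ASDM_TrustPoint0 pkcs12 MyExportPass
! Copy the whole printed block, first line to last, into your backup store.

! --- On the new unit ---
configure terminal
! Import into a trustpoint of the same name so the rest of the config
! (ssl trust-point, tunnel-group trust-point) lines up without edits.
crypto ca import ASDM_TrustPoint0 pkcs12 MyExportPass
! The ASA now prompts for the base64 block; paste it, then type quit on a line
! by itself.
quit
! Bind it to the listening interface as the old unit did.
ssl trust-point ASDM_TrustPoint0 OUTSIDE
! --- Verify: the cert chain and the matching RSA key must both be present ---
show crypto ca certificates ASDM_TrustPoint0
show crypto key mypubkey rsa
```

    Check that the certificate's subject CN still matches the FQDN clients connect to and that its expiry is still in the future; if either fails, or no PKCS#12 export exists, the only route is a new key pair, a new CSR and a reissue from the CA, as the question's second option describes.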

  • Simple ASA 55xx to 55xx-X upgrade question

    I have an older model ASA 5500-series and I've purchased a new 5555-X.  If they are both at roughly the same up-to-date software version, can I simply copy the config from the old ASA to the new one?
    I know that I will possibly have to make minor changes such as changing the interface names (ethernet or fa to gi) but are there any significant command structure changes that would cause problems?  (problems caused specifically by moving from a 55xx to a 55xx-X)?

    It really depends what you have configured and what version you are running on the old ASA compared to the new one. For example, is the old one running 9.1 and the new one running 9.2?
    If you don't have anything very specific or special configured for your network, i.e. you just have ACLs, objects / object-groups, NAT etc., then you will be fine with copying the configuration straight over with possibly a few minor changes (as you have already mentioned).
    Please remember to select a correct answer and rate helpful posts

  • How do I use Ubuntu and PuTTY to login to a new ASA

    I have a laptop with Ubuntu 12.4 and a serial port.   I also have the rollover cable from Cisco to console-in.   What do I need to get access to the new firewall?   Thanks

    Hi,
    I don't know about Ubuntu but you should be able to console to an ASA with PuTTY without changing any settings on it by simply choosing the "Serial" option in PuTTY and clicking "Open".
    Naturally you might have to give some username/password information on the PuTTY CLI depending on how the AAA has been configured on the ASA.
    - Jouni

  • New ASA generation support PBR or no & ISPs links redundancy

    Please, I need to know if the Cisco ASA next generation, specifically the ASA 5515X, supports PBR or not.
    If yes, please tell me how to implement it, and if not, then what is the solution here (any solution if possible please)?
    Also, if I have many internet connections and I need to dedicate 2 ISPs' ADSL internet lines to a certain service (such as mail), so that if the 1st fails the 2nd line comes up to provide redundancy: is this available on the Cisco ASA next generation? If yes, please show me how to implement it or give me a configuration example.

    Hi,
    To my understanding there is still no official support for PBR on the ASA.
    When I was at Cisco Live! 2013 London, they talked about PBR in one session and said it might be coming. On the other hand I heard from elsewhere that it's not currently in the plans for ASA. I am not really sure what to believe.
    To this date all the solutions related to dividing traffic between different ISP links has had something to do with NAT configurations on the ASA.
    I have actually tested a setup on the original ASA5500 series devices with new software and have been able to select the outgoing interfaces of the traffic based on the source address using NAT. I have not implemented this in a production environment as I don't know what will happen to it when I next upgrade the device. I would rather use methods that are officially supported than rig something onto a production network.
    I am not sure exactly what kind of setup you are trying to implement. Using  a 2 ISP setup where only 1 ISP link is active at a time is pretty basic I suppose. There you track the main ISP link and when it fails you move traffic to use the Secondary ISP.
    When we implement Dual ISP setups for our customers we naturally have both links connected to our network in separate parts of the core network. Therefore the customer can keep the same public IP address space through both links. Though naturally in these cases the routers in front of the ASAs handle the Primary and Secondary connection routing and not any Cisco firewall. I have never configured a 2 ISP solution using an ASA directly in a production environment. It's always been handled by the routers in front of the ASA.
    So to answer in short, you should be able to configure a Dual ISP setup where 1 of the links is Active on pretty much any ASA model. To my understanding the ASA5505 is perhaps the only limitation but I am not 100% sure.
    Here is one (old) basic configuration guide for Dual ISP setup with PIX/ASA
    Naturally the NAT configuration format is different but it doesn't really play a big role in this setup
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
    - Jouni

  • New ASA 5505... Any way to set up behind home router with no internal DNS?

    Since the home router is the DNS server, the ASA has no internal DNS which is probably the cause of no internet. Is there any way around this?

    Can you not simply use the ASA as the DHCP server and include the DNS server in your DHCP configuration ?
    Jon

  • NEW ASA 5510 8.4 -- internet is not working

    Hi Experts,
    I implemented an ASA5510 with the latest software version.
    I configured outside interface, default route, PAT to the outside interface. I am able to ping and telnet to the inside interface of the ASA.
    But internet is not working.
    Did i miss any configuration?
    I enabled ICMP to outside. I did a ping to the next hop from the ASA, but it is not working.
    Please advise.
    Thanks
    Vipin

    Yes, that's correct, but if it is not working then we might need to take a look at the complete configuration and also take captures to verify where the packets are being dropped.
    Thanks,
    Varun
