Upgrade 5510 ASA 7.0(7) ADSM 5.0(7)

Similar Messages

• SIP stops when upgrading from ASA from 8.4.1 to 8.4(2)8 w/ out config change? Why?

  I have to be missiong something small in my config.
  If I upgrade my ASA 5510 which I am routing and NATing off of, from 8.4.1 to 8.4.2.8, SIP stops. All phones go dead.
  If I roll bck to 8.4.1, SIP comes up.,... Go bck to 8.4(2)8 nd SIP goes down..... 
  This is without mking any config changes.
  I have looked at it so long, I must be overlooking something simple, simple, simple...

  Have spent sIx hours in past 24 w/ Cisco TAC and they have a tin of caps as have I but can't figure out why there is a denial of SIP from inside outside and outside inside to/from sip providers three IP addresses. Have created new access lists, new access groups to allow all 3 ip's in & out, increased timeout, bypassed IPS, have both sip UDP & tcp allowed in/out, specified inspection to approve any any for all sip protocols in/out to/from Lync & mediation and nada.
  To answer another question, yes I'm certain config doesn't change... I reloaded tge same running config from a bkup just to make sure.....
  What I see in the logs coming in/out is the call does make it all the way through the SSM to the ASA..
  What happens there is the head scratcher...
  SiP even though allowed and even though I've specified it to push through inspection On ASA side is denied based on inspection rule...
  I also tried using another one of my (unused) public IPs for only SIP thinking that maulybe there was a core conflict with multiple services NATd to the same public IP but that also did nothing.
  On topology I only have a single location so I'm using my 5510 to route as well...
  Have 1 IIS web server l, SQL, (ports clised except to obe vendor and am allowing via access list by their IP and ipsec,) Exchange, Lync, Ironport, Endpoint and everything else is 80/80...
  Everything is on Server 08r2 w/ exception of web server and two boxes ( one stand-alone & one VM on hyper-v)  I am running Server8 for Microsoft TAP engineering / validation airlift. Neither of those are attached to UC/UM at all...
  I'm using dynect from dyndns for outside network web services and just piggybacking on time Warner metro e for internal (no physical DNS server)
  When I look at caps everything is identical in the tcp and UDP trace even on sip except for the denial...
  Which caps/logs would 'y'all like to see and I'll post em when I get home....
  Is there a link to bug notes Jullio? Is it sip specific? Any possibility of it being just a name/cosmetic big I can force a work around to?
  I recall when Asa first was released I had to specify port 25  allow instead of being able to simply say allow smtp .. That took 2 weeks but it allowed for a work around so whatever I can do/try I'm willing!! Someone may wanna tell TAC if it's a bug because after 6 hours yesterday they are saying there's not a bug... :)
  Thanks all!!!!

• After i upgrade my ASA 5505 from 8.2 to 8.4 i can no longer connect to ASDM. showing connecting ..... please wait for hours now

  after i upgrade my ASA 5505 from 8.2 to 8.4 i can no longer connect to ASDM. showing connecting ..... please wait for hours now

  Ron
  I recently looked at this question with a customer who has been running 8.2 and needs to get some features in newer code. We decided that it made more sense to go to 8.4 than to 8.3.
  HTH
  Rick

• Transparent Firewalls and DHCP on a 5510 ASA

  I have a 5510 ASA running 8.2 configured in transparent mode and I am trying to allow devices on the inside network to acquire an IP address from a DHCP server on the outside.  I've seen several articles that indicate an ACL is necessary to permit outgoing traffic on port 68 and incoming traffic on port 67.  That actually works and the inside device gets an IP address.  The problem is that no other outbound traffic is allowed from the inside device.  The ACL put in place to permit DHCP, because of its implicit deny at the end of the ACL, denies all other traffic.  DHCP is now the ONLY thing allowed out.  What am I doing wrong here?

  In a default configuration the difference in security levels between the inside and outside interfaces would allow the DHCP requests out, and the UDP xlate entry created for the outgoing packet would allow the DHCP reply back in.  It would just work, but you would have very little control of packet flows, static NAT, or logging.
  Once you start applying ACL's to interfaces, you have to explicitly allow everything you want.  All of my firewall interfaces have inbound ACLs, and some also have outbound, so. E.g. subnets where I want to fairly permissive outbound get something like:
  access-list DMZ-INGRESS extended permit ip any object-group LOCAL-NAT0
  access-list DMZ-INGRESS extended deny ip any object-group RFC-5735-SPECIAL log
  access-list DMZ-INGRESS extended deny ip any object-group ALL-MCAST log
  access-list DMZ-INGRESS extended permit ip any any
  Since I happen to be running in routed mode rather than transparent, I have to configure DHCP relay instead of something like "permit udp any any".  I won't include the object groups unless someone asks.
  -- Jim Leinweber, WI State Lab of Hygiene

• After upgrading from ASA 8.2 to 9.1(2) not able to get web site

  Dears,
  ASA Version has been upgraded from 8.2 to 9.1(2). Since then, website is not accessible from outside.
  Diagnosis:
  Many web sites are deployed behind the ASA. When anyone accesses website from outside, the following error is reported: The page cannot be displayed. No issues have been reported with any other websites.
  In the ASA, two different public subnets are in use in order to allow accessing the website from the public domain. No issues have been reported so far with the first subnet. The website is mapped to a public address in the second subnet. When the website is mapped to an IP address in the working subnet, the website is accessible from outside. As a workaround, this is applied and the website is up and running.
  As the website is working fine with the second subnet, NAT and ACL configuration is fine. We have turned on logging in the ASDM, but no traffic was observed on the ASA for the non-working subnet. On the other hand, the traffic was noticed on the ASDM for the working subnet.
  The working subnet is XX.YY.XX.X
  Non working subnet is XX.YY.YY.X
  The outside interface ip is XX.YY.XX.X (Working Subnet)
  Tried to assign one ip address to the PC from non working subnet and connected to the Switch , its pinging from outside

  Hi
  Have you tried using packet tracer?

• Upgrade Cisco ASA from 8.4 to 9.1

  Hello,
  Can I upgrade ASA IOS from 8.4(1) to 9.1 without any impact to the configuration?
  I note that i have no NAT rule on my Firewall.
  ASA5510 / RAM: 1024 MB
  Thanks for your help !

  I hope that you will find this discussion of upgrade paths to be helpful.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-763574
  HTH
  Rick

• Reasons to upgrade cisco ASA

    HI
  I have two Cisco ASA 5540, these ASA running ver 7.2. and used mainly as VPN gateways.
  My question is simple, Apart from the extra AnyConnect client functionality and the higher encryption, is there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x ?
  Thanks
  A.

  Ammar,
  Each version has Release Notes. For the ASA they are all posted here.
  In each Release Note there is a "Resolved Caveats" sections. That is where the fixes for all problems - vulnerabilities as well as functions/features - are listed.
  Besides higher encryption and Anyconnect client, you can also use IKE v2 (as of 8.4(1) ) which is more secure during session setup (apart from the level of encryption). You can also use identity-based features and a host of other features to further secure your remote access VPNs. On the other hand, if what you have now is meeting your needs, the only compelling reasons to upgrade are vulnerability and bug fixes (and perhaps a prettier version of ASDM that will run with the newest Java versions ).

• After upgrade of ASA software from 8.3.25 to 8.4.3,

  clientless SSL VPN users are denied connection.  Also, a pop up window appears with the following text message:
  "SSL VPN Relay mismatch, you need to log off Windows first."  Of course,  logging off and on WIndows per the message corrects the issue and
  allows the user to connect. 
  I am trying to understand why it is neccessary to log off Windows.  I can't say that I have seen this with prior upgrades i.e. from 8.2 to 8.3.
  Thanks in advance,
  Charles

  If you're already on 8.3(2) you've already gotten past the tricky bit - the new NAT syntax and access-list object use. There are some minor changes with identity NAT in going up to 8.4(3) as described here but that's about it as far as things to watch out for.
  The TAC is quite helpful and it is a good idea to open a case proactively just to have them on hand to take a quick look at any issues that come up. The TAC security team deals with these upgrades every day and is very adept at zeroing in on the root cause of  any issues you are having and setting things straight within in few minutes.

• Startup config error after upgrading to ASA from PIX

  Hey guys.  I get the following startup-config errors when reloading our ASA.  A pix->asa conversion was just done on it.  The ASA is currently running 8.2(5), and I am trying to get ready to update it to the most stable release, and wanted to make sure all my ducks are in a row.  What is going on with the "will be identity translated for outbound"? This is part of the VPN configuration, and I understand nat0 is saying to not nat it.  Is this something that I should be worried about?  The ASA is not in production currently.
  Let me know if you need further information
  Thanks,
  .........nat 0 10.37.0.116 will be identity translated for outbound
  *** Output from config line 406, "nat (inside) 0 10.37.0.1..."
  nat 0 xx.xx.xx.xx (PUBLIC IP) will be identity translated for outbound
  *** Output from config line 431, "nat (inside) 0 xx.xx.xx..."
  Line 406
  nat (inside) 0 10.37.0.116 255.255.255.255
  Line 431
  nat (inside) 0 xx.xx.xx.xx (PUBLIC IP) 255.255.255.255
  Corresponding global
  nat (outside) 0 access-list outside_inbound_nat0_acl outside
  nat (inside) 0 access-list inside_outbound_nat0_acl
  ACL
  access-list outside_inbound_nat0_acl extended permit ip 172.16.16.0 255.255.255.0 any
  access-list inside_outbound_nat0_acl extended permit ip any 172.16.16.0 255.255.255.0
  access-list inside_outbound_nat0_acl extended permit ip 10.37.0.0 255.255.0.0 172.16.16.0 255.255.255.0
  access-list inside_outbound_nat0_acl extended permit ip 172.31.0.0 255.255.0.0 172.16.16.0 255.255.255.0

  Hi,
  I would imagine that there is no problem as the firewall has not given any kind of error message.
  I do personally wonder sometimes why is it so (atleast in the 8.2 softares etc) that the firewall shows a message on the CLI when you are for example configuring a "global" / "nat" command pair.
  I wonder if this falls into the same category.
  The configuration format for NAT has stayed pretty same leading to the 8.2 softwares. I'm not totally sure what software you are going to go for but you seem to have the latest 8.2 series software so next steps are already 8.3 / 8.4 / 9.0 / 9.1
  ALL of the above mentioned softwares introduce a completely new NAT configuration format to the ASA. While the ASA automatically converts the configurations its not always 100% process not to mention that the NAT configuration probably is far from optimal.
  - Jouni

• Advice on upgrading ASA 5510 from version 8.4(4)1

  Hello all,
  Due to an issue we need to upgrade our ASA. Cisco Support team recommended upgrading to version 8.4.7, but, as we'll upgrade, we'd like to upgrade to version 9.
  We still use Cisco VPN Client for Remote Access VPNs so I'd like your advice on which version to install on ASA.
  Would you recommend version 9.0.3? 9.1.X?
  Thanks in advance,
  Igor

  We have a pretty huge ASA and ASASM complex, and we are just about finished upgrading from an assortment of 8.4.x, 8.5.x, and 8.6.x installs to 9.1.3 on everything. There is one gotcha on some systems in that there is a file system change or some sort of bug that is fixed in 8.4.5 I think. So you _may_ have to first upgrade to a newer version (8.4.7 would work) before going to 9.1.3.
  Our Cisco team has recommended going to version 9.x, and this is supported by recent tickets I've had on our stuff still running on 8.x, as the TAC engineer often says we need to upgrade to version 9.
  Four our setup, we had some fatal bugs in 8.4.6 and 8.4.7 that kept us running 8.4.5 for a very long time on some equipment.
  Anyway, I would recommend going to 9.1.3, which is one removed from the recently recleased 9.1.4. Our AnyConnect VPN complex has been on 9.1.3 for a few months now with no issues. Be sure to read the release notes thoroughly as 9.x changes some command contexts, new features, etc.
  Graham

• Cisco ASA Upgrade from 7.0(8) to 8.2(1)

  Hi,   i need to upgrade my 5510 ASA from 7.0(8) to 8.2(1)       ( Please note its different query from my last thread)
  what i found online is i will have to do this upgrade in sequence, that is
  7.0.x -> 7.2.x --> 8.0.x --> 8.2.1
  is that correct?
  or i will go to 7.1.x first? like this
  7.0.x--> 7.1.x -> 7.2.x --> 8.0.x --> 8.1.x--> 8.2.1
  Please guide, Also i am assuming, reboot required after every upgrade right?

  ok, i found something on another Cisco document. that is what i thought
  To ensure that your configuration updates  correctly, you must upgrade to each major release in turn. Therefore, to  upgrade from Version 7.0 to Version 8.2, first upgrade from 7.0 to 7.1,  then from 7.1 to 7.2, and finally from Version 7.2 to Version 8.2 (8.1  was only available on the ASA 5580). "

• ASA IOS upgrades

  Hi All,
  I'm looking for some information and the benefits of others expereince. I'm looking to upgrade 2 ASAs, 5520 & 5510 to IOS Version 8.6(1)2. The ASAs are ASA 5520 Version 8.0(5)
  ASA 5510 Version 7.2(4)33
  Has anyone taken on such a task?? If so what were the challenges involved with such and upgrade
  Lookign forward to any guidance I can get with this.
  Thanks
  Deena

  You can't upgrade the ASA5500 series to version 8.6.x.
  Version 8.6.x is meant to be just the new ASA5500-X series.
  Here is the release notes for your reference:
  http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn86.html
  For the existing ASA5500 series (inc. 5510 and 5520), you can upgrade it to the latest version of 8.4.x.
  Pls kindly be advised from version 8.3 onwards, you would need to have the upgraded memory on your ASA, and there are major feature change from version 8.3 onwards (ie: NAT and ACL in particular).
  Here is the memory requirement for version 8.3 and above:
  http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp310503
  Here is the complete release notse for version 8.3:
  http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html
  (Pls check out the new feature section).
  And here is the release notes for version 8.4:
  http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
  Hope that helps.

• Repeated ASA 5510 failed vulnerability scan (OpenSSL error)

  We are getting vulnerability scanned by a PCI company and keep getting failures that state "OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG".  I've opened two TAC cases and TAC said that this vulnerability was addressed several versions back (we're currently running version 8.2.2 on our 5510 ASA).  TAC made several small changes to attempt to address this issue but we keep failing with the same message.  Has anyone ever failed their scan with this error and if so, what did you do to address this error?
  Here is the detailed error:
  OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
  Ciphersuite Change Issue
  Synopsis :
  The remote host allows resuming SSL sessions.
  Description :
  The version of OpenSSL on the remote host has been shown to allow
  resuming session with a different cipher than was used when the
  session was initiated. This means that an attacker that sees (e.g.
  by sniffing) the start of an SSL connection can manipulate the OpenSSL
  session cache to cause subsequent resumes of that session to use a
  cipher chosen by the attacker.
  See also :
  http://openssl.org/news/secadv_20101202.txt
  Solution :
  Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later.
  Risk factor :
  Medium / CVSS Base Score : 4.3
  (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Plugin output :
  Session ID :
  4e4c1b0b13d5e48b5421479419da1c95f8ca01da3f83eed7494f2d254389c9ec
  Initial Cipher : TLS1_CK_RSA_WITH_AES_256_CBC_SHA (0x0035)
  Resumed Cipher : TLS1_CK_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
  CVE : CVE-2010-4180
  BID : 45164
  Other references : OSVDB:69565
  Thanks,
  John

  Hi John,
  The Cisco bug ID filed to track this vulnerability is CSCtk61443. You can read the details here:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk61443
  The vulnerability will be fixed in an upcoming release of 8.2.4.8. Please open up a TAC case to request this image for your ASA.
  Hope that helps.
  -Mike

• ASA 5510 traffic from inside to outside

  Hello,
  I'm working on a basic configuration of a 5510 ASA.
  inside network of 192.168.23.0 /24
  outside network 141.0.x.0 /24
  config is as follows:
  interface Ethernet0/0
   nameif OUTSIDE
   security-level 0
   ip address 141.0.x.0 255.255.255.0
  interface Ethernet0/1
   nameif INSIDE
   security-level 50
   ip address 192.168.23.1 255.255.255.0
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list OUTSIDE_access_in extended permit icmp any any
  access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
  access-list INSIDE_access_in extended permit icmp any any
  global (OUTSIDE) 1 interface
  nat (INSIDE) 1 192.168.23.0 255.255.255.0
  access-group OUTSIDE_access_in in interface OUTSIDE
  access-group INSIDE_access_in in interface INSIDE
  route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
  In the LAB When I plug a laptop into the outside interface with address 141.0.x.57 I can ping it from a laptop from the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall into the outside interface with the same address that I used the testing laptop with, I cannot seem to be able to access the outside world.
  I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.
  So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.
  Any ideas please?

  Version of FW:
  Cisco Adaptive Security Appliance Software Version 8.2(1)
  Device Manager Version 6.3(1)
  Output of Packet-Trace Command is:
  SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 1xpacket-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 2
  Type: FLOW-LOOKUP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Found no matching flow, creating a new flow
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   141.0.x.0      255.255.255.0   OUTSIDE
  Phase: 4
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group INSIDE_access_in in interface INSIDE
  access-list INSIDE_access_in extended permit icmp any any
  Additional Information:
  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  class-map inspection_default
   match default-inspection-traffic
  policy-map global_policy
   class inspection_default
    inspect icmp
  service-policy global_policy global
  Additional Information:
  Phase: 7
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (INSIDE) 0 192.168.23.0 255.255.255.0
    match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
      identity NAT translation, pool 0
      translate_hits = 104, untranslate_hits = 0
  Additional Information:
  Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
  Phase: 9
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  nat (INSIDE) 0 192.168.23.0 255.255.255.0
    match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
      identity NAT translation, pool 0
      translate_hits = 107, untranslate_hits = 0
  Additional Information:
  Phase: 10
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 11
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 141, packet dispatched to next module
  Result:
  input-interface: INSIDE
  input-status: up
  input-line-status: up
  output-interface: OUTSIDE
  output-status: up
  output-line-status: up
  Action: allow

• ASA 5510 Configuration. how to configure 2 outside interface.

  Hi 
  I Have Cisco 5510 ASA and from workstation I want create a new route to another Router (Outside) facing my ISP.
  From Workstation I can Ping ASA E0/2 interface but I cant ping ISP B router inside and outside interface.
  I based all my configuration on the existing config. which until now is working 
  interface Ethernet0/0
   description outside interface
   nameif outside
   security-level 0
   ip address 122.55.71.138 255.255.255.2
  interface Ethernet0/1
   description inside interface
   nameif inside
   security-level 100
   ip address 10.34.63.252 255.255.240.0
  interface Ethernet0/2
   description outside interface
   nameif outsides
   security-level 0
   ip address 121.97.64.178 255.255.255.240
  global (outside) 1 interface
  global (outsides) 2 interface ( I created this for E0/2)
  nat (inside) 0 access-list nonat
  nat (inside) 1 10.34.48.11 255.255.255.255 (Working: To E0/0 to Router ISP A inside and outside interface)
  nat (inside) 2 10.34.48.32 255.255.255.255 (Working: To E0/2 to Router ISP A inside interface only but outside cant ping).
  route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (Working)
  route outside 10.34.48.32 255.255.255.255 121.97.64.179  1 (Test For New Route)
  ISP Router A working Can ping and I can access the internet
  interface FastEthernet0/0
   description Connection to ASA5510 
   ip address 122.55.71.139 255.255.255.248
   no ip redirects
   no ip proxy-arp
   ip nat inside
   duplex auto
   speed auto
  interface S0/0
   ip address 111.54.29.122 255.255.255.252
   no ip redirects
   no ip proxy-arp
   ip nat outside
  ip nat inside source static 122.55.71.139 111.54.29.122
  ip http server
  ip classless
  ip route 0.0.0.0 0.0.0.0 Serial0/0
   ISP 2
  interface FastEthernet0/0 ( ASA Can ping this interface)
   description Connection to ASA5510 
   ip address 121.97.64.179 255.255.255.248
   no ip redirects
   no ip proxy-arp
   ip nat inside
   duplex auto
   speed auto
  interface E0/0 ( ASA Can 't ping this interface)
   ip address 121.97.69.122 255.255.255.252
   no ip redirects
   no ip proxy-arp
   ip nat outside
  ip nat inside source static 121.97.64.179 121.97.69.122 
  ip http server
  ip classless
  ip route 0.0.0.0 0.0.0.0 E0/0
  CABLES
  ASA to ISP Router B ( Straight through Cable)
  ISP Router to IDU ( Straight through Cable)
  Hope you could give some tips and solution for this kind of problem thanks

  Hi,
  You can only use a single Default route on the ASA device.
  Now , as per your requirement ,
  route outside 10.34.48.32 255.255.255.255 121.97.64.179  1 (Test For New Route)
  (Why do you have this route on the ASA device ?) I see this in the Inside interface Subnet.
  Route lookup would be Destination based.
  Are you looking to route specific traffic out thru the "outsides" interface ?
  If yes , this configuration would not work unless you use some workaround configuration on the ASA device.
  Refer:-
  https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa
  https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options
  Thanks and Regards,
  Vibhor Amrodia