Upgrading ASA 5510 from 8.0.4 to 8.2.5

We want to implement NetFlow, so we want to upgrade our 5510 to 8.2.5, but we have a few questions.
This device has 64MB of flash and 256MB of DRAM. Would I need to upgrade RAM? Right now we have about 25 site to site VPNs running through this thing as well as a few remote clients. Is this enough to constitute a memory upgrade?
Right now we are running ASDM 6.4.7. Should we upgrade to a higher version?
And lastly, would the upgrade to 8.2.5 require the use of AnyConnect for our VPN client users? Our 5505 is on version 8.2.5 and doesn't require AnyConnect, but wanted to make sure.
Thank you for your time.

Hi Michael,
The RAM upgrade is needed if you want to go to 8.3+ code. Although you might find that you are running low on RAM and that will impact your ability to run packet captures, so an upgrade doesn't hurt...
ASDM can be upgraded separately and does not require a reboot, and new ASDM versions are backwards compatible with older ASA code...
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html#wp42231
ASA 8.0(4): ASDM 6.1(3) and later. Recommended: 7.1(4).
ASA 8.2(5): ASDM 6.4(3) and later. Recommended: 7.1(4).
Although the Cisco VPN Client is EOL and the replacement is AnyConnect, you are not forced to go that direction in any code...
Patrick

Similar Messages

  • Advice on upgrading ASA 5510 from version 8.4(4)1

    Hello all,
    Due to an issue we need to upgrade our ASA. Cisco Support team recommended upgrading to version 8.4.7, but, as we'll upgrade, we'd like to upgrade to version 9.
    We still use Cisco VPN Client for Remote Access VPNs so I'd like your advice on which version to install on ASA.
    Would you recommend version 9.0.3? 9.1.X?
    Thanks in advance,
    Igor

    We have a pretty huge ASA and ASASM complex, and we are just about finished upgrading from an assortment of 8.4.x, 8.5.x, and 8.6.x installs to 9.1.3 on everything. There is one gotcha on some systems in that there is a file system change or some sort of bug that is fixed in 8.4.5 I think. So you _may_ have to first upgrade to a newer version (8.4.7 would work) before going to 9.1.3.
    Our Cisco team has recommended going to version 9.x, and this is supported by recent tickets I've had on our stuff still running on 8.x, as the TAC engineer often says we need to upgrade to version 9.
    For our setup, we had some fatal bugs in 8.4.6 and 8.4.7 that kept us running 8.4.5 for a very long time on some equipment.
    Anyway, I would recommend going to 9.1.3, which is one removed from the recently released 9.1.4. Our AnyConnect VPN complex has been on 9.1.3 for a few months now with no issues. Be sure to read the release notes thoroughly as 9.x changes some command contexts, new features, etc.
    Graham

  • Upgrading ASA (5520) from 8.2(5) to 8.4(6)

    Hi All,
    I'm planning to upgrade my failover firewalls (active/standby) from 8.2.5 to 8.4.6. I read about the NAT and I think I'm ready for it, cross fingers.
    My plan is:
    Upload the 8.4.6 and ASDM 7.1.3 for both firewalls, then assign the boot and ASDM image to the new files. After that, on the active firewall, reload the standby and wait until it's up and running (cross fingers again), then force the active to be standby and reload the standby to get the new 8.4.6.
    Am I right about that? Or should I upgrade to 8.3.1 or 8.3.1 first?? Please, if so, can you give me the full upgrade path?
    Thanks in advance!!!

    I don't know if I'm going to answer your question. But here is my latest experience, about a year ago. I just performed an upgrade from 8.0.x to 8.4.4.1 on a pair of ASA 5510s in failover using the CLI. The upgrade seemed to go smoothly from our end, but all connections did drop. We followed these steps here. NAT wasn't an issue for us.
    Point is, there really isn't an upgrade path. Just reload the standby unit, make it the active unit and watch the connections. Ours dropped, don't know why.
    Don't know if that helps,
    Nick

  • Upgrading ASA 5510 IOS

    I have recently come upon a ticket that requires functionality from a later version of the ASA 5510 IOS firmware. Upon researching how to do this upgrade I got caught in a catch-22 where I am unable to download ASDM or the ASA software; apparently I need a service account? I'm looking at Cisco's software download page and searching ASDM, which then brings up links to two pages, which are ASA and ASDM. Can anyone verify that I do need a service account or point me in the right direction to get these software components?

    Hello,
    You need a SmartNet contract for the ASA. With that, you can register on the Cisco website and can download the necessary software. Reach out to a Cisco authorized reseller or your account rep for more details.
    hth
    MS

  • Upgrade ASA Software from 8.3.2 to 8.4.3

    Hi,
    Did anybody do an upgrade from an 8.3 version to the new version 8.4.3 and can give some hints or links to read?
    I only have a production system and nothing to test, and I don't want to get a nasty surprise...
    Thanks a lot in advance

    If you're already on 8.3(2) you've already gotten past the tricky bit: the new NAT syntax and access-list object use. There are some minor changes with identity NAT in going up to 8.4(3), as described here, but that's about it as far as things to watch out for.
    The TAC is quite helpful and it is a good idea to open a case proactively just to have them on hand to take a quick look at any issues that come up. The TAC security team deals with these upgrades every day and is very adept at zeroing in on the root cause of any issues you are having and setting things straight within a few minutes.

  • Zero downtime Upgrade ASA 8.0(4) TO 8.4(7)

    Hi All,
    I checked a few blogs and am upgrading an ASA 5520 from 8.0(4) to 8.4(7) following the path below. I will be upgrading RAM to 2GB at version 8.2.5. The reason for 8.4.6 is that we may get the error message "No Cfg structure found in downloaded image file" if we upgrade directly to 8.4.7.
    Please advise if we can perform a zero downtime upgrade if I follow the path below, and will they still be in HA (active/standby)?
    8.0.4-->8.2.5 (Active on 8.0.4 and standby 8.2.5)--> Will they be in HA?
    8.2.5--->8.4.6(Active on 8.2.5 and standby 8.4.6)--> Will they be in HA?
    I believe below one should not be a problem.
    8.4.6-->8.4.7(Active on 8.4.6 and standby 8.4.7)--> Will they be in HA?
    Thanks in advance.
    Regards

    8.0.4-->8.2.5 (Active on 8.0.4 and standby 8.2.5)--> Will they be in HA?
    HA will work... as in the units will fail over. But due to changes in configuration syntax you could run into problems with config synchronisation, and it could also cause issues in traffic flow if a failover occurs. So it is best to upgrade the second ASA to the new version ASAP. It is also the reason Cisco recommends using the same major and minor software versions.
    8.2.5--->8.4.6(Active on 8.2.5 and standby 8.4.6)--> Will they be in HA?
    Same as above.
    8.4.6-->8.4.7(Active on 8.4.6 and standby 8.4.7)--> Will they be in HA?
    This should be fine
    Please remember to select a correct answer and rate helpful posts

  • ASA 5510 9.1.x ACL/NAT issues

    Forgoing some security concerns, have you tried "permit ip" instead?

    Good afternoon.
    I'm hoping one of you spiceheads might be able to help a fellow out. We upgraded our 5510 from 8.2 to 9.1 and now none of our NAT'd public servers are working.
    We cleared out everything and did it step by step to create the new NAT connection, and even though the ACL shows any4 for the private IP address, we are getting access denied.
    access-list outside_access_1 extended permit tcp any4 host 10.201.0.130
    We have the same config and IOS version running on our 5505 and don't have any issues.
    Thoughts?
    This topic first appeared in the Spiceworks Community
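Worked example added here, not code from either thread: a small Python audit of the 8.3+ object-NAT and ACL relationship that the 8.3.2-to-8.4.3 reply calls "the tricky bit" and that this 9.1 NAT problem runs into. It parses a constructed config in the style of the ones posted (placeholder 203.0.113.x public addresses), joins each host object to its static NAT even when the NAT stanza is printed separately, and flags outside ACL entries that still name the mapped address or a host that has no static NAT at all; treating the last `host` token as the destination is a simplification.

```python
"""Audit an ASA 8.3+ config for inbound ACL entries that still name the
mapped (public) address of a static object NAT. Since 8.3 the ACL must
name the real (private) address; an entry written against the old mapped
address matches nothing. Added example, not code from the thread; the
config text is constructed and uses 203.0.113.0/24 as placeholder public
addresses."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the style of the posted configs: one object carries
# its NAT inline, one has its NAT in a later stanza (as "show run" prints it).
SAMPLE_CONFIG = """\
object network obj-192.168.1.65
 host 192.168.1.65
object network obj-192.168.9.2
 host 192.168.9.2
 nat (inside,outside) static 203.0.113.2 no-proxy-arp
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
access-list outside_access extended permit tcp any host 192.168.1.65 eq smtp
access-list outside_access extended permit tcp any host 203.0.113.2 eq https
access-list outside_access extended permit tcp any host 192.168.7.7 eq www
access-list outside_access extended permit icmp any any
object network obj-192.168.1.65
 nat (inside,outside) static 203.0.113.65 no-proxy-arp
object network obj-192.168.1.0
 nat (inside,outside) dynamic interface
access-group outside_access in interface outside
"""

OBJECT_BODY = ("host ", "subnet ", "range ", "description ", "nat ")
STATIC_NAT = re.compile(r"nat \([^)]*\) static (\d+\.\d+\.\d+\.\d+)")
ACL_HOST = re.compile(r"\bhost (\d+\.\d+\.\d+\.\d+)")


@dataclass
class Finding:
    line: str
    status: str   # "ok", "mapped-address" or "no-static-nat"
    detail: str


def parse_static_nats(config: str) -> dict:
    """Return {real_host_ip: mapped_ip} for every host object with a static NAT.

    Objects are keyed by name so that a 'host' line and a later 'nat'
    stanza for the same object name are joined."""
    hosts, mapped = {}, {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            continue
        if current is None or not line.startswith(OBJECT_BODY):
            current = None          # a non-object line ends the block
            continue
        if line.startswith("host "):
            hosts[current] = line.split()[1]
        else:
            m = STATIC_NAT.match(line)
            if m:
                mapped[current] = m.group(1)
    return {hosts[n]: mapped[n] for n in hosts if n in mapped}


def audit_acl(config: str, acl_name: str) -> list:
    """Classify each 'host' destination in the named ACL against the NAT table."""
    real_to_mapped = parse_static_nats(config)
    mapped_to_real = {m: r for r, m in real_to_mapped.items()}
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith(f"access-list {acl_name} "):
            continue
        hosts = ACL_HOST.findall(line)
        if not hosts:
            continue                # 'any any' style entries carry no host
        dest = hosts[-1]            # simplification: last 'host' token is the destination
        if dest in real_to_mapped:
            findings.append(Finding(line, "ok",
                                    f"real address, reachable as {real_to_mapped[dest]}"))
        elif dest in mapped_to_real:
            findings.append(Finding(line, "mapped-address",
                                    f"pre-8.3 style: replace with host {mapped_to_real[dest]}"))
        else:
            findings.append(Finding(line, "no-static-nat",
                                    "no static NAT for this host; inbound untranslate fails"))
    return findings


if __name__ == "__main__":
    for f in audit_acl(SAMPLE_CONFIG, "outside_access"):
        print(f"[{f.status:15}] {f.line}\n{'':18}{f.detail}")
```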

  • Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM

    We are upgrading from a Pix 515e to a ASA 5510 with CSC SSM.  We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config:  Any Help would be appreciated.
    show config
    : Saved
    : Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.5 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object network obj-192.168.5.0
    subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.0.0
    subnet 192.168.0.0 255.255.255.0
    object network obj-192.168.9.2
    host 192.168.9.2
    object network obj-192.168.1.65
    host 192.168.1.65
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.6.0
    subnet 192.168.6.0 255.255.255.0
    object network obj-192.168.8.0
    subnet 192.168.8.0 255.255.255.0
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq www
    port-object eq pop3
    port-object eq smtp
    object-group network Red-Condor
    description Email Filtering
    network-object host 66.234.112.69
    network-object host 66.234.112.89
    object-group service NetLink tcp
    port-object eq 36001
    object-group network AECSouth
    network-object 192.168.11.0 255.255.255.0
    object-group service Email_Filter tcp-udp
    port-object eq 389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_0 tcp
    group-object Email_Filter
    port-object eq pop3
    port-object eq smtp
    object-group network Exchange-Server
    description Exchange Server
    network-object host 192.168.1.65
    access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access extended permit tcp any object obj-192.168.9.2
    access-list outside_access extended permit icmp any any
    access-list outside_access extended permit tcp any object-group Exchange-Server eq https
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    object network obj-192.168.9.2
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.65
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.2.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.3.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.6.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.8.0
    nat (inside,outside) dynamic interface
    access-group outside_access in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
    route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server isaconn protocol radius
    aaa-server isaconn (inside) host 192.168.1.9
    timeout 5
    key XXXXXXX
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca server
    shutdown
    smtp from-address [email protected]
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate
      quit
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 208.66.175.36 source outside prefer
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    class-map global-class
    match access-list global_mpc
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class global-class
      csc fail-close
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous

    Hello Scott,
    So Exchange server ip is obj-192.168.1.65 natted to 216.x.x.x
    object network obj-192.168.1.65
    "nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
    The ACL says
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    From which IP addresses are you trying to send traffic to the Exchange server?
    Please do a packet-tracer and give us the output
    packet-tracer input outside tcp x.x.x.x (outside host IP) 1025 216.x.x.x 25
    Regards,
    Julio
    Rate helpful posts!!!

  • Cisco IPS SSM 10 Sensor can't update signature file from ASA 5510

    Cisco ASA 5510 IPS Firewall with ASA-SSM-10 Module.  I am trying to do a manual update of the signature file and get the following error:
    Error: execUpgradeSoftware : couldn't connect to host
    I have confirmed that I can ping the ftp server successfully from the ASA and the command I am trying to use from the configure terminal of the module is:
    upgrade ftp://[email protected]//IPS-sig-S813-req-E4.pkg
    I have also tried via http and it does not work as well.  Any thoughts?

    To connect to FTP there should be a username, usually anonymous, and a password, which can be anything. Check on the FTP server.
    aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
    User: anonymous
    Password: *********
    the username and/or the password are incorrect
    aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
    User: 123
    Password: ***
    File opening error
    I made a special user 123 on the FTP server with password 123.
    aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
    User: 123
    Password: ***
    aip_ssm_card# 
    And don't forget to rate the post.

  • Internet Access from Inside to Outside ASA 5510 ver 9.1

    Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
    I get errors like this when I try Packet Tracer:
    (nat-xlate-failed) NAT failed
    (acl-drop) Flow is denied by configured rule
    Version Information:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    Device Manager Version 7.1(5)
    Compiled on Thu 05-Dec-13 19:37 by builders
    System image file is "disk0:/asa914-k8.bin"
    Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
    Thank You!
    Config:
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    domain-name inside.int
    enable password <redacted> encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd <redacted> encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.199.199.123 255.255.255.240
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.199.199.4
    domain-name inside.int
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    access-list OUTSIDE-IN extended permit ip any any
    access-list INSIDE-IN extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
      nat (Inside,Outside) dynamic interface
    access-group INSIDE-IN in interface Inside
    access-group OUTSIDE-IN in interface Outside
    router rip
    network 10.0.0.0
    network 199.199.199.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username <redacted> password <redacted> encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
      parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
       inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
       subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:
    <redacted>
    : end
    SH NAT:
    ASA5510# sh nat
    Manual NAT Policies (Section 1)
    1 (Inside) to (Outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    Auto NAT Policies (Section 2)
    1 (Inside) to (Outside) source dynamic inside-net interface
         translate_hits = 0, untranslate_hits = 0
    SH RUN NAT:
    ASA5510# sh run nat
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
    nat (Inside,Outside) dynamic interface
    SH RUN OBJECT:
    ASA5510(config)# sh run object
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object
    Hi all, hello everyone, I need some help before my head explodes.

    Hello Mitchell,
    First of all how are you testing this:
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    Take into consideration that the netmask is /30.
    The Twice NAT is good, ACLs are good.
    do the following and provide us the result
    packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
    packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
    And provide us the result!
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    Note: Check my website, there is a video about this that might help you.
    http://laguiadelnetworking.com

  • Access from Inside to Outside ASA 5510 ver 9.1

    Hi All,
    I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions, 9.1(4) and 7.1. I believe the problem is in the objects, ACLs and getting those together, but I don't know much about the ASA and I don't know how the post-8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.
    Here is my ASA config, and I will post some of the 2811 router config as well, though I am not sure that is where the issue lies, but at this point, I haven't a clue. Both are up to date for the newest versions of the respective IOS.
    I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.
    Thank you for the help!
    ASA5510(config)# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.195.168.100 255.255.255.240
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    shutdown
    nameif management
    security-level 0
    no ip address
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.195.168.4
    name-server 205.171.2.65
    name-server 205.171.3.65
    domain-name internal.int
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    router rip
    network 10.0.0.0
    network 199.195.168.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    CISCO 2811:
    Current configuration : 2601 bytes
    ! Last configuration change at 07:24:32 UTC Fri Jan 3 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname RouterDeMitch
    boot-start-marker
    boot system flash
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/0
    no aaa new-model
    dot11 syslog
    ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.49
    ip dhcp excluded-address 172.16.10.1 172.16.10.49
    ip dhcp excluded-address 172.16.20.1 172.16.20.49
    ip dhcp pool Mitchs_Network
    network 192.168.1.0 255.255.255.0
    dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
      default-router 192.168.1.1
    ip dhcp pool VLAN10
    network 172.16.10.0 255.255.255.0
    default-router 172.16.10.1
    dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
    ip dhcp pool VLAN20
    network 172.16.20.0 255.255.255.0
      dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
    default-router 172.16.20.1
    no ip domain lookup
    ip name-server 199.195.168.4
    ip name-server 205.171.2.65
    ip name-server 205.171.3.65
    ip name-server 8.8.8.8
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    redundancy
    interface FastEthernet0/0
    description CONNECTION TO INSIDE INT. OF ASA
    ip address 10.10.1.2 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
      duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface FastEthernet0/1.1
    encapsulation dot1Q 10
      ip address 172.16.10.1 255.255.255.0
    interface FastEthernet0/1.2
    encapsulation dot1Q 20
    ip address 172.16.20.1 255.255.255.0
    interface FastEthernet0/1.3
    description Trunk Interface VLAN 1
    encapsulation dot1Q 1 native
      ip address 192.168.1.1 255.255.255.0
    interface Dialer0
    no ip address
    router rip
    version 2
    network 172.16.0.0
    network 192.168.1.0
    network 199.195.168.0
    no auto-summary
    ip default-gateway 10.10.1.1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    access-list 1 permit any
    dialer-list 1 protocol ip permit
    control-plane
    line con 0
    exec-timeout 0 0
    password encrypted
    login
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    transport input all
    scheduler allocate 20000 1000
    end

    I made those changes, but still no internet. I did not add this statement: nat (inside,outside) after-auto source dynamic any interface. I went with the more granular one.
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd liqhNWIOSfzvir2g encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.195.168.123 255.255.255.240
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    shutdown
    nameif management
    security-level 0
    no ip address
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.195.168.4
    name-server 205.171.2.65
    name-server 205.171.3.65
    domain-name internal.int
    object-group network PAT-SOURCE
    network-object 172.16.10.0 255.255.255.0
    network-object 172.16.20.0 255.255.255.0
    network-object 192.168.1.0 255.255.255.0
    network-object 10.10.1.0 255.255.255.252
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
    router rip
    network 10.0.0.0
    network 199.195.168.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    Message was edited by: Mitchell Tuckness

  • After I upgrade my ASA 5505 from 8.2 to 8.4 I can no longer connect to ASDM. Showing "connecting ..... please wait" for hours now


    Ron
    I recently looked at this question with a customer who has been running 8.2 and needs to get some features in newer code. We decided that it made more sense to go to 8.4 than to 8.3.
    HTH
    Rick

  • Problems after upgrading ASA from 8.4.5 to 9.1.1

    Hi,
    We are having a problem with the behavior of a nat statement after upgrading the ASA. Here are the results of packet-tracer in our testing environment:
    object network onBK028VRRP
    host 1.1.1.111
    object network onSIEMServers
    host 1.1.1.1
    object service osSyslog
    service tcp source eq telnet
    object-group network ognBK028ClientsOutside
    network-object 10.0.0.0 255.0.0.0
    nat (inside,outside) source static onBK028VRRP onSIEMServers destination static ognBK028ClientsOutside ognBK028ClientsOutside service osSyslog osSyslog
    ASA 8.4.5
    packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   1.1.1.0         255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group IZOUTSIDE in interface outside
    access-list IZOUTSIDE extended permit tcp any any eq www
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xce99ccc8, priority=13, domain=permit, deny=false
            hits=0, user_data=0xc91bc540, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
            input_ifc=outside, output_ifc=any
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcb53d948, priority=0, domain=inspect-ip-options, deny=true
            hits=42, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=outside, output_ifc=any
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    in  id=0xcb561758, priority=0, domain=inspect-ip-options, deny=true
            hits=40, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=inside, output_ifc=any
    Phase: 5
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 43, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat 
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow
    ASA 9.1.1
    packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   1.1.1.0         255.255.255.0   inside
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (no-route) No route to host
    Which option changes this?
    BR,  M.

    Looks like you are hitting the following bug: CSCud64705
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud64705
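
    When comparing packet-tracer runs before and after an upgrade, as in the two outputs quoted above, it helps to reduce each run to its phase list and final verdict so the differences stand out. The following is an added example (not code from the thread or from Cisco) that parses packet-tracer text in that layout; the sample traces are constructed, abbreviated versions of the 8.4.5 and 9.1.1 runs shown above.

```python
import re
# Constructed samples (abbreviated, same layout as the two packet-tracer runs quoted above).
TRACE_OLD = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Result:
input-interface: outside
output-interface: inside
Action: allow
"""
TRACE_NEW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (no-route) No route to host
"""
# One phase block: "Phase: N", its Type, an optional Subtype, and the per-phase Result.
PHASE_RE = re.compile(r"^Phase: \d+\nType: (\S*)\n(?:Subtype: ?.*\n)?Result: (\S+)", re.M)

def parse_trace(text):
    """Return ([(type, result), ...], {'action': ..., 'drop_reason': ...})."""
    phases = PHASE_RE.findall(text)
    action = re.search(r"^Action: (\w+)", text, re.M)
    reason = re.search(r"^Drop-reason: (.*)$", text, re.M)
    return phases, {"action": action.group(1) if action else None,
                    "drop_reason": reason.group(1).strip() if reason else None}

def diff_traces(before, after):
    """Which phases vanished or appeared between two runs, and whether the verdict flipped."""
    p_old, v_old = parse_trace(before)
    p_new, v_new = parse_trace(after)
    old_types, new_types = [t for t, _ in p_old], [t for t, _ in p_new]
    return {"missing_phases": [t for t in old_types if t not in new_types],
            "added_phases": [t for t in new_types if t not in old_types],
            "verdict_changed": v_old["action"] != v_new["action"],
            "before": v_old, "after": v_new}
```

    Run against the real outputs, the missing ACCESS-LIST and FLOW-CREATION phases plus the new-route drop reason point straight at the route lookup rather than at the NAT statement itself.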

  • After upgrade of ASA software from 8.3.25 to 8.4.3,

    clientless SSL VPN users are denied connection. Also, a pop-up window appears with the following text message:
    "SSL VPN Relay mismatch, you need to log off Windows first." Of course, logging off and on Windows per the message corrects the issue and allows the user to connect.
    I am trying to understand why it is necessary to log off Windows. I can't say that I have seen this with prior upgrades, i.e. from 8.2 to 8.3.
    Thanks in advance,
    Charles

    If you're already on 8.3(2) you've already gotten past the tricky bit - the new NAT syntax and access-list object use. There are some minor changes with identity NAT in going up to 8.4(3) as described here but that's about it as far as things to watch out for.
    The TAC is quite helpful and it is a good idea to open a case proactively just to have them on hand to take a quick look at any issues that come up. The TAC security team deals with these upgrades every day and is very adept at zeroing in on the root cause of any issues you are having and setting things straight within a few minutes.

  • Accessing the SMTP from outside network through ASA 5510

    Hello good people,
    I have an issue with my mail server (SME Server) which is behind a Cisco ASA 5500 (firewall). The problem is that if one leaves my network they can receive but cannot send email via my SMTP; also, internal people can only send if they use the IP address of the server rather than the domain (mail.xxxx.com). Any pointers will be appreciated.
    Here is my layout:
    ISP - ASA 5510 - LAN (includes mailserver)
    Kind regards

    Hello George,
    If you have public DNS, then in order to access the servers hosted inside using their FQDN you need to have DNS doctoring. But unfortunately, you are using port address translation (not a one-to-one NAT), which doesn't work well with DNS doctoring.
    I assume you can solve this issue with the alias command as follows:
    alias (inside) 199.199.199.99    255.255.255.255
    Also, for the other issue, can you try to configure SMTP inspection as follows:
    policy-map type inspect esmtp esmtp_map
    parameters
    allow-tls
    policy-map global_policy
    class inspection_default
    inspect esmtp
    Hope this helps
    Regards
    Harish
