Upgrading ASA 5510 IOS
I have recently come upon a ticket that requires functionality from a later version of the ASA 5510 IOS Firmware, upon researching how to do this upgrade I got caught in a catch 22 where I am unable to dowload ASDM or the ASA software, apparantly I need a service account? I'm looking at Ciscos software download page and searching ASDM which then brings up links to two pages which are ASA and ASDM. Can anyone verify that I do need a service account or point me in the right direction to get these software components?
Hello,
You need Smartnet contract for the ASA. With that, you can regester on cisco website and can download necessary software. Reachout to Cisco auth reseller or your account rep for more details.
hth
MS
Similar Messages
-
Upgrading ASA 5510 from 8.0.4 to 8.2.5
We want to implement Netflow so want to upgrade our 5510 to 8.2.5. But have a few questions.
This device has 64MB of flash and 256MB of DRAM. Would I need to upgrade RAM? Right now we have about 25 site to site VPNs running through this thing as well as a few remote clients. Is this enough to constitute a memory upgrade?
Right now we are running ASDM 6.4.7. Should we upgrade to a higher version?
And lastly, would the upgrade to 8.2.5 require the use of AnyConnect for our VPN client users? Our 5505 is on version 8.2.5 and doesn't require AnyConnect, but wanted to make sure.
Thank you for your time.Hi Michael,
The RAM upgrade is needed if you want to go to 8.3+ code. Although you might find that you are running low on RAM and that will impact your ability to run packet captures, so an upgrade doesn't hurt...
ASDM can be upgraded seperately and does not require a reboot + new ASDM versions are backwards compatible with older ASA codes...
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html#wp42231
ASA 8.0(4)
ASDM 6.1(3) and later.Recommended: 7.1(4).
ASA 8.2(5)
ASDM 6.4(3) and later.Recommended: 7.1(4).
Although the Cisco VPN Client is eol and the replacement is AnyConnect, you are not forced to go that direction in any code...
Patrick -
Advice on upgrading ASA 5510 from version 8.4(4)1
Hello all,
Due to an issue we need to upgrade our ASA. Cisco Support team recommended upgrading to version 8.4.7, but, as we'll upgrade, we'd like to upgrade to version 9.
We still use Cisco VPN Client for Remote Access VPNs so I'd like your advice on which version to install on ASA.
Would you recommend version 9.0.3? 9.1.X?
Thanks in advance,
IgorWe have a pretty huge ASA and ASASM complex, and we are just about finished upgrading from an assortment of 8.4.x, 8.5.x, and 8.6.x installs to 9.1.3 on everything. There is one gotcha on some systems in that there is a file system change or some sort of bug that is fixed in 8.4.5 I think. So you _may_ have to first upgrade to a newer version (8.4.7 would work) before going to 9.1.3.
Our Cisco team has recommended going to version 9.x, and this is supported by recent tickets I've had on our stuff still running on 8.x, as the TAC engineer often says we need to upgrade to version 9.
Four our setup, we had some fatal bugs in 8.4.6 and 8.4.7 that kept us running 8.4.5 for a very long time on some equipment.
Anyway, I would recommend going to 9.1.3, which is one removed from the recently recleased 9.1.4. Our AnyConnect VPN complex has been on 9.1.3 for a few months now with no issues. Be sure to read the release notes thoroughly as 9.x changes some command contexts, new features, etc.
Graham -
ASA 5510 NAT with IOS 9.1
Hi All,
Hoping someone can clear this up for me.
I am trying to setup a ASA 5510 with IOS 9.1 and having NAT issues.
The ASA is connected inside the LAN to separate a second LAN.
Internal (10.0.0.0/24) --> DG RTR (10.0.0.254) FE0/0--> FE0/1 (61.0.0.1/24) --> ASA outside (61.0.0.2/24) --> ASA Inside (192.168.1.0//24)
I keep getting Asymetric NAT rules matched for forward and reverse path flows when going from Internal to ASA Inside LAN
I fear it is my lack of understanding, when you have a router you can go between different LANs/subnets but with the ASA does it always NAT whatever happens?
If I statically NAT a device on the ASA Inside LAN I can get to the device via the 61.0.0.0 address and if I add what I believe to be an exemption rule to keep the translated packet the same as long as I specify something like Internal LAN to ASA Inside specific device it works but not if I do Internal LAN to ASA Inside LAN.
Hope that makes sense and someone can give me a clue to where I am going wrong with the setup / understanding.
If there are any good docs that might explain it would be appreciated as everything I have read so far has not given me an clarity.
Many thanksHi,
Just to clarify, are we talking about a situation the ASA is simply connected to an internal network (even though it might use public IP addresses)? Also, do you want to perform any NAT on this ASA or is there some separate firewall sitting at the edge of your network handling the external connectivity?
If the above things are true then you could simply leave your ASA NAT configuration totally blank and the ASA would not do any NAT to the traffic. This naturally would require that you make sure that routing for subnet 192.168.1.0/24 is handled on all the routers/devices on the network as this subnet would be directly visible with its original addresses (since we would leave the ASA NAT configuration blank). I manage a couple of environments where the customer has a internal ASA separating certain section of the LAN network and they dont have any NAT configurations.
The problems you mention in the post are probably due to Dynamic PAT configuration which means that your LAN can access the other parts of the Internal network but no connection is possible from the Internal network to this separate LAN behind the ASA. The reason there is that the connection from Internal LAN to the separate LAN wont match any NAT configuration but the return traffic (reverse check that the ASA does) will match the Dynamic PAT and that is why the traffic is dropped.
Static NAT done to the hosts behind the ASA will naturally help since there wont be any problems with the translation in that case in either direction.
You could take a look at a NAT Document I wrote way back in 2013. Though it wont really answer your specific questions here but perhaps it might be of help at some point
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps :)
- Jouni -
Unable to see interface on ASA 5510 Firewall
Hi All,
I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
Below is the output.
ciscoasa# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 x.x.x.x YES CONFIG up up
Ethernet0/1 x.x.x.x YES CONFIG up up
Ethernet0/2 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 192.168.1.1 YES CONFIG up up
Please suggest what could be the reason.
Regards
PankajHi Ramraj,
Even i have the base license for my ASA 5510 which is showing all the 4 interfaces in sh ver. I don't think so license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
Its not showing up in sh ver . As Karsten said he might be running on old IOS version.
fy-a# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(5)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fy-a up 1 day 1 hour
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is 2c54.2d0c.8f1a, irq 9
1: Ext: Ethernet0/1 : address is 2c54.2d0c.8f1b, irq 9
2: Ext: Ethernet0/2 : address is 2c54.2d0c.8f1c, irq 9
3: Ext: Ethernet0/3 : address is 2c54.2d0c.8f1d, irq 9
4: Ext: Management0/0 : address is 2c54.2d0c.8f1e, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1AXXXXX
Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
fy-a#
Ramraj please do correct me if am wrong.
Please do rate if the given information helps.
By
Karthik -
ASA 5510 VPN Peer License Question
I just got a new ASA 5510 Base Model and I have some questions I would love some help on.
1) I was under the impression that the ASA 5510 could support 250 VPN Peers. When I do a show version on this new unit I am told VPN Peers are only 50. I would like to have more than 50 L2L VPN Tunnels and RA clients connected at one. Where did I mess up with this understanding?
2) I am running ASA Software Version 7.0(6) this is how it was shipped to me. I hear that 7.2 is the latest? Can I get this upgrade from Cisco?Hi,
There a couple of points here which are a bit tricky - the first is the software versioning of PIX/ASA software. If we have a look at how it work in IOS (It would be useful if there was an equivalent paper for PIX/ASA...)
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
The basic idea is that if you go from 7.0(1) to 7.0(2) you're getting more software fixes and less new features but if you go from 7.0(1) to 7.1(1) you're getting more major new features but less software fixes. On PIX/ASA there seems to be a fairly clear choice between stability and features. Don't forget that the 3 trains have releases independent of each other so it doesn't necessarily follow that the highest numbered release was the latest one, let alone the most stable one. Before 7.2(2) was released last November the latest release was 7.0(6) and we actually standardised on this because all releases above 7.0(6) were giving us issues (especially the 7.1 versions). We're trialling 7.2(2) at the moment and it seems to be as solid as 7.0(6) so that also looks like a good choice.
With that in mind we need to look at the feature sets of the various releases, and currently 7.2(2) gives you 250 maximum concurrent IPsec sessions whether or not you have the Security Plus license. I think this change happened during one of the 7.1 releases. If you only have 7.0 then you get 50 as standard and can upgrade to 150 if you have a security plus license. (With 7.2(2) you still need the security plus license to get failover and vpn load balancing - but not to get the 250 sessions.)
As to upgrading - it's possible 7.0(6) was actually the "latest" release when you purchased your box and unless you specified a particular version when you bought it this is what you normally get (you can ask for any version you like at no charge when you buy it initially). You really need smartnet for the ASA because the standard Cisco warranty is rubbish (90 days only and you wait 10 days for a replacement) so unless it's a test network you're pretty much forced to buy smartnet to be sure of a fast replacement (or any replacement at all after 90 days..) Also, the cost of a smartnet contract for a year if you only need NBD replacement is less than the cost of a one-off software upgrade AND you get to download any version you like for the year AND you can also log calls directly with the TAC.
So, I'd recommend buying a smartnet contract and then go through the release notes to find a suitable release to download - sounds like 7.2(2) might be what you need - at the very least you should be upgrading to get more sessions rather than sticking to 7.0 and buying a security plus license. (Because both the one-off upgrade and the security plus license are probably more expensive than smartnet!)
HTH - plz rate if useful
Andrew. -
Access from Inside to Outside ASA 5510 ver 9.1
Hi All,
I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 Router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions. 9.1(4) and 7.1. I believe the problem is in the Objects, ACL and getting those together, but I don't know much about the ASA and I don't know how the post 8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.
Here is my ASA Config and I will post some of the 2811 Router config as well, though I am not sure thati s where the issue lies, but at this point, I haven't a clue. Both are up to date for the newest versions of the respective IOS.
I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.
Thank you for the help!
ASA5510(config)# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.100 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
CISCO 2811:
Current configuration : 2601 bytes
! Last configuration change at 07:24:32 UTC Fri Jan 3 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RouterDeMitch
boot-start-marker
boot system flash
boot-end-marker
! card type command needed for slot/vwic-slot 0/0
no aaa new-model
dot11 syslog
ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 172.16.20.1 172.16.20.49
ip dhcp pool Mitchs_Network
network 192.168.1.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 192.168.1.1
ip dhcp pool VLAN10
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
ip dhcp pool VLAN20
network 172.16.20.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 172.16.20.1
no ip domain lookup
ip name-server 199.195.168.4
ip name-server 205.171.2.65
ip name-server 205.171.3.65
ip name-server 8.8.8.8
multilink bundle-name authenticated
crypto pki token default removal timeout 0
redundancy
interface FastEthernet0/0
description CONNECTION TO INSIDE INT. OF ASA
ip address 10.10.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
interface FastEthernet0/1.3
description Trunk Interface VLAN 1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
interface Dialer0
no ip address
router rip
version 2
network 172.16.0.0
network 192.168.1.0
network 199.195.168.0
no auto-summary
ip default-gateway 10.10.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
access-list 1 permit any
dialer-list 1 protocol ip permit
control-plane
line con 0
exec-timeout 0 0
password encrypted
login
line aux 0
line vty 0 4
exec-timeout 0 0
transport input all
scheduler allocate 20000 1000
endI made those changes, but still no internet. I did not add this statement nat (inside,outside) after-auto source dynamic any interface I went with the more granular.
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd liqhNWIOSfzvir2g encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.123 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
object-group network PAT-SOURCE
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.10.1.0 255.255.255.252
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
Message was edited by: Mitchell Tuckness -
Remote access VPN with ASA 5510 using DHCP server
Hi,
Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
ASA Version 8.2(5)
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign aaa
vpn-addr-assign dhcp
group-policy testgroup internal
group-policy testgroup attributes
dhcp-network-scope 10.6.192.1
ipsec-udp enable
ipsec-udp-port 10000
username testlay password *********** encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
default-group-policy testgroup
dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
I got following output when I test connect to ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Regards,
LayFor RADIUS you need a aaa-server-definition:
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.10.18.12
key *****
authentication-port 1812
accounting-port 1813
and tell your tunnel-group to ask that server:
tunnel-group VPN general-attributes
authentication-server-group NPS-RADIUS LOCAL
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM
We are upgrading from a Pix 515e to a ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config: Any Help would be appreciated.
show config
: Saved
: Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
ASA Version 8.4(3)
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
<--- More --->
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
<--- More --->
object network obj-192.168.9.2
host 192.168.9.2
object network obj-192.168.1.65
host 192.168.1.65
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj-192.168.8.0
subnet 192.168.8.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group network Red-Condor
description Email Filtering
network-object host 66.234.112.69
network-object host 66.234.112.89
object-group service NetLink tcp
<--- More --->
port-object eq 36001
object-group network AECSouth
network-object 192.168.11.0 255.255.255.0
object-group service Email_Filter tcp-udp
port-object eq 389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_0 tcp
group-object Email_Filter
port-object eq pop3
port-object eq smtp
object-group network Exchange-Server
description Exchange Server
network-object host 192.168.1.65
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access extended permit tcp any object obj-192.168.9.2
access-list outside_access extended permit icmp any any
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
<--- More --->
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
object network obj-192.168.9.2
nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.65
nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
object network obj-192.168.2.0
nat (inside,outside) dynamic interface
object network obj-192.168.3.0
<--- More --->
nat (inside,outside) dynamic interface
object network obj-192.168.6.0
nat (inside,outside) dynamic interface
object network obj-192.168.8.0
nat (inside,outside) dynamic interface
access-group outside_access in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server isaconn protocol radius
aaa-server isaconn (inside) host 192.168.1.9
timeout 5
key XXXXXXX
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
<--- More --->
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca server
shutdown
<--- More --->
smtp from-address [email protected]
crypto ca certificate chain _SmartCallHome_ServerCA
certificate
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.66.175.36 source outside prefer
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
<--- More --->
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
<--- More --->
inspect netbios
inspect tftp
inspect ip-options
class global-class
csc fail-close
service-policy global_policy global
prompt hostname context
call-home reporting anonymousHello Scott,
So Exchange server ip is obj-192.168.1.65 natted to 216.x.x.x
object network obj-192.168.1.65
"nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
The ACL says
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
From witch ip addresses are you trying to send traffic to the exchange server?
Please do a packet-tracer and give us the output
packet-tracer input outside tcp x.x.x.x( Outside host ip) 1025 216.x.x.x.x 25
Regards,
Julio
Rate helpful posts!!! -
Upgrading ASA (5520) from 8.2(5) to 8.4(6)
Hi All,
I'm planing to upgrade my failover firewalls active/standby from 8.2.5 to 8.4.6. I read about the NAT and I think I'm ready for it cross fingers
My plane is
Upload the 8.4.6 and ASDM 7.1.3 for both firewalls then assgin the boot and ASDM image to the new files. After thaton the active firewall reload the standby and wait until its up and running (cross finger again) then force the active to be standby and reload the standby to get the new 8.4.6.
am I right about that? or should I upgrade to 8.3.1 or 8.3.1 first ?? please if it is, can you give me the full upgarde path?
Thanks in advance!!!I don't know if I'm going to answer your question. But here is my latest experience, about year ago. I just preformed an upgrade from 8.0.x to 8.4.4.1 on a pair of ASA 5510's in failover using CLI. The upgrade seem to go smooth from our end, but all connection did drop. We followed these steps here. NAT wasn't an issue for us.
Point is, there really isn't an upgrade path. Just reload stand-by unit, make it the active unit and watch the connections. Ours dropped don't know why.
Don't know if that helps,
Nick -
Cisco ASA 5510 Content Security bundle
Hello,
please help me to understand if i buy the Cisco ASA 5510 Content Security bundle for my network found there is 1 yr subscription for the content
security features. what are services included in it. Does URL blocking and filtering includ in this subscription or its a seperate features.
Thanks,
Saroj PradhanHere is the license for CSC module and it lists what is included in Basic and Plus CSC license:
http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html#wp1045405
One year subscription is providing you the ability to upgrade the virus scan engine, spyware pattern file, anti spam, etc -
ASA 5510 9.1.x ACL/NAT issues
Forgoing some security concern have you tried "permit ip" instead?
Good afternoon.
I'm hoping one of you spiceheads might be able to help a fellow out. We upgraded our 5510 from 8.2 to 9.1 and now none of our NAT'd public servers are working.
we cleared out every thing and did step by step to create the new NAT connection and even though the ACL shows any4 for the private IP address, we are getting access denied.
access-list outside_access_1 extended permit tcp any4 host 10.201.0.130
We have the same config and IOS version running on our 5505 and don't have any issues.
Thoughts?
This topic first appeared in the Spiceworks Community -
Cisco asa 5510 Patch OpenSSL to 0.9.8j or later
Our PCI scan found the following bug "Patch OpenSSL to 0.9.8j or later"
We have an ASA 5510 running 8.2(2) with the following ssl: ssl encryption rc4-sha1 aes128-sha1 aes256-sha1
Reviewing the 8.2x OpenSSL notes in the releases documentation it specifices it is using 0.9.8 but not which version.
Can someone recommend which version to upgrade to?Cisco is still evaluating this and hasn't released fixed code yet:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl
-- Jim Leinweber, WI State Lab of Hygiene -
ASA 5510 - Memory : 1 Slot or 4 Slots?
Is there a way of ascertaining whether my 5510's have 1 memory slot or 4 memory slots without having to open the chassis?
I need to order the appropriate memory upgradfe kits.
Thanks.Manufacturing may be able to tell us if the unit was shipped with 1 or 4 slots with the serial number.
CSCtd80603 DOC: Only One Memory Slot Should be Used on ASA 5510
http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/guide/procs.html#wp1075832
For memory upgrade in the Cisco ASA 5510 with
four memory sockets, use slot 1 - P13 and note that only one slot must
be populated at all times. For optimum performance in the
Cisco ASA 5520 and the Cisco ASA 5540 , install the DIMMs in slots P13
and P15, if you are populating only two slots.
[Wrap text] [Edit this enclosure]
R-comments: Added 03/12/2010 16:37:30 by sheema
[Unwrap text] [Edit this enclosure]
R-comments: Added 03/12/2010 16:37:30 by sheema
[Unwrap text] [Edit this enclosure]
N-comments: Added 02/26/2010 09:19:09 by aossipov
[Wrap text] [Edit this enclosure]
N-comments: Added 02/26/2010 09:19:09 by aossipov
[Unwrap text] [Edit this enclosure]
N-comments: Added 02/26/2010 09:19:09 by aossipov
[Unwrap text] [Edit this enclosure]
Release-note: Modified 02/26/2010 09:18:35 by aossipovSymptom:
Cisco ASA 5500 Series Adaptive Security Appliance Hardware Installation Guide mistakenly instructs to use slots 1 and 3 or slots 2 and 4 for memory upgrades on some ASA 5510 boxes with 4 memory sockets. On the contrary, the Dual In-line Memory Module (DIMM) should only be inserted in slot 1 on all ASA 5510 devices; slots 2-4 should not be used. This defect is filed to correct the documentation.
[Wrap text] [Edit this enclosure]
Release-note: Modified 02/26/2010 09:18:35 by aossipov
[Unwrap text] [Edit this enclosure]
Release-note: Modified 02/26/2010 09:18:35 by aossipov
[Unwrap text] [Edit this enclosure]
Affected_Customer: Added 02/10/2010 13:55:22 by dwhitejr
[Wrap text] [Edit this enclosure]
Affected_Customer: Added 02/10/2010 13:55:22 by dwhitejr
[Unwrap text] [Edit this enclosure]
Affected_Customer: Added 02/10/2010 13:55:22 by dwhitejr
[Unwrap text] [Edit this enclosure]
MFG-Info: Added 02/10/2010 13:49:50 by dwhitejr
[Wrap text] [Edit this enclosure]
MFG-Info: Added 02/10/2010 13:49:50 by dwhitejr
[Unwrap text] [Edit this enclosure]
MFG-Info: Added 02/10/2010 13:49:50 by dwhitejr
[Unwrap text] [Edit this enclosure]
Eng-notes: Added 12/14/2009 09:42:14 by aossipov
[Wrap text] [Edit this enclosure]
Eng-notes: Added 12/14/2009 09:42:14 by aossipov
[Unwrap text] [Edit this enclosure]
Eng-notes: Added 12/14/2009 09:42:14 by aossipov
[Unwrap text] [Edit this enclosure]
I-comments: Added 12/14/2009 09:35:48 by aossipov
[Wrap text] [Edit this enclosure]
I-comments: Added 12/14/2009 09:35:48 by aossipov
[Unwrap text] [Edit this enclosure]
I-comments: Added 12/14/2009 09:35:48 by aossipov
[Unwrap text] [Edit this enclosure]
J-comments: Added 12/14/2009 06:19:04 by dwhitejrThis bug is not accurate. The doc is correct.
The original ASA-5510s shipped with 4 DIMM sockets. Only after production for
about a year was the 5510 re-worked and we came out with a cost reduced model
which reduced the DIMM sockets from 4 to 1. This was verified by MFG.
[Wrap text] [Edit this enclosure]
J-comments: Added 12/14/2009 06:19:04 by dwhitejr
[Unwrap text] [Edit this enclosure]
J-comments: Added 12/14/2009 06:19:04 by dwhitejr
[Unwrap text] [Edit this enclosure]
SS-Review: Added 12/13/2009 11:28:45 by aossipov
[Wrap text] [Edit this enclosure]
SS-Review: Added 12/13/2009 11:28:45 by aossipov
[Unwrap text] [Edit this enclosure]
SS-Review: Added 12/13/2009 11:28:45 by aossipov
-KS -
Cisco IPS SSM 10 Sensor can't update signature file from ASA 5510
Cisco ASA 5510 IPS Firewall with ASA-SSM-10 Module. I am trying to do a manual update of the signature file and get the following error:
Error: execUpgradeSoftware : couldn't connect to host
I have confirmed that I can ping the ftp server successfully from the ASA and the command I am trying to use from the configure terminal of the module is:
upgrade ftp://[email protected]//IPS-sig-S813-req-E4.pkg
I have also tried via http and it does not work as well. Any thoughts?to connect to ftp there should be username usually anonymous and password whitch can be any. check in ftp server
aip_ssm_card# copy ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key
User: anonymous
Password: *********
the username and/or the password are incorrect
aip_ssm_card# copy ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key
User: 123
Password: ***
File opening error
I made special user 123 on ftp server with password 123
aip_ssm_card# copy ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key
User: 123
Password: ***
aip_ssm_card#
and dont forget to rate post
Maybe you are looking for
-
How to stop Time Machine from deleting historical backups
So for the first time I encountered what happens when Time Machine runs out of room - IT DELETES THE OLDEST BACKUPS UNTIL IT HAS ENOUGH ROOM!!! That's terrible if you rely on those backups. We've been using it like an archive and it's been spectacula
-
CRM_ORDER_MAINTAIN / SAVE don't work?
Hello, I want to change the priority of a CRM order(e.g. Object-id: 9999000241 , Header-GUID: F3330F14B8A20A43BEEDDD3B6791395F). According to some threads here, I used three FMs: CRM_ORDER_MAINTAIN, CRM_ORDER_SAVE and CRM_ORDER_INITIALIZE. I pasted t
-
Do we need to have Robo Server to enable commenting?
I am sorting out the requirements re RoboAIR help. If we wish to have folks inside our firewall be able to enter comments, do we need to have RoboHelp server inplace? The help systems I am converting to Robo assist call center CSRs. A VP is looking f
-
AutoFill in Safari 1.3.1
Safari 1.3.1 doesn't want memorise some ID and Password (Yahoo and Hotmail) I have try almost everything to make it work without result. I couldn't remove anything from those website in AutoFill <Users names and Passwords> or <Other Forms> because th
-
Please help I'm trying to upgrade to the latest iTunes, but keep getting an error message C:\config.msi\7db625.rbf