i'm having issues with ASDM 6.3 on my ASA 5500.When i try to add a policy under firewall --> service policy rules (Add Service Policy Rule Wizard - Rule Actions), i'm not able to add a netflow policy as I'm not presented with a dialogue box after I press "add".i've tried this from multiple computers mac os and windows.
View 9 Replies
I cannot logon with adsm anymore.when I run adsm, I type in my pw, and the screen keeps displaying "contacting the device". No timeout, just stays this way.I've updated the java version, no luck.I can connect with SSH with no problem. device = asa5550, 8.2(1) asdm 6.2(1) [code]
notice that there is no "with cookie-based authentication" here -- is this relevant?
Rebooting the device is not really an option.
I am running into a issue that I cannot seem to figure out. I have a asa 5505 with the Security Plus license. I setup a native vlan where all of my network devices sit on. ie my Wireless Access point has an ip of 192.168.3.2, my switch .3. I have no issues managing these devices from any vlan I am on (permitting firewall access rules). When I try to access my ASA via ASDM/SSH. I have to use the gateway of the vlan I am on. For instance. If I am on vlan 10 I have to use 192.168.10.1 for access, if I am on vlan 20 I type 20.1...etc...etc If I type in 192.168.3.1 I get an error in the ASDM logs that states TCP reset by appliance. This is for any gateway I type except for the gateway of the vlan that I am connected to. I am posting a sanitized config. How can I configure the ASA to permit access via any gateway.
View 3 Replies View RelatedI am trying to veiw my PIX515e via the ASDM, but I am unable to...Can you review my config and make sure I have everything setup the way it is supposed to?
PIX Version 8.0(4)32
!
hostname pixfirewall
domain-name jkkcc.com
enable password DQucN59Njn0OjpJL encrypted
passwd DQucN59Njn0OjpJL encrypted(code)
Trying to get port forwarding going using ASDM 6.4 on a Cisco 5510
I want to forward port 25/Smtp to 192.168.1.10
I have added all the rules as outlined in the link below. [URL]
But when running an open port checker on [URL]
It says the port is closed, I have noticed that under Access Rules under the Hits columns it says 52 ?
I recently upgraded my Pix 515e from 6.3 to 7.08. Upgraded pmd to adsm. If I do a show ver, it states 7.08. But, if I do show config, it still shows 6.3.Why would they be different? Since adsm runs fine, I know that the upgrade went fine.
View 2 Replies View RelatedI am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
None of them ever removed any lines from the configuration, and none did any documentation. When examining the actual configuration from a CLI perspective:
1. Does an ADSM- created access list end with any specific ADSM- added suffix?
2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?
I have just logged into the ASDM for my 5520 and can see under the "Firewall Dashboard" tab that I can enable these graphs/stats, why would they be disabled? So I was wondering if I enable these and they use alot of memory how can I disable them again?
View 3 Replies View RelatedI have just logged into the ASDM for my 5520 and can see under the "Firewall Dashboard" tab that I can enable these graphs/stats, why would they be disabled? So I was wondering if I enable these and they use alot of memory how can I disable them again?
View 1 Replies View RelatedI am going to deploy Cisco ISE with WLC 5500. I have two kinds of users one for which I want to deploy just open access Wi-Fi network, without working with Cisco ISE and Second group of Users for which I want to deploy Cisco ISE services like advanced authentication, posture and profiling. For both users I have just one WLC. Is there any problem to just deploy two SSID one for open access (without Cisco ISE) and second Secure with Cisco ISE ?
View 5 Replies View RelatedI have encountering a problem with a new installation at my clients side recently.We have a 5508 wlc and a bunch of Laps connected to it.Recently we associated a 1142ap to the same controller.The issue we are facing is that , the client laptops that are connected to THIS ap are showing maximum of only 54mbps in their network information dialogue box.Initially i couldn't understand why this could happen.But after a bit of research , i came to know that this could happen because of ``unticked`` data rates in the controller , or because of not using wpa2 with aes as the security standard for N-series access points.Now i have enabled all data rates in the High Throughput section as well as enabled the correct encryption standard.But still the issue persists.We have checked with multiple laptops , to rule out the possibility of a faulty n/w card
View 3 Replies View RelatedFor weeks guest access to my e3000 worked fine. Today I have a friend come over, his XP connects to the guest wi-fi, but his computer does not get a prompt for a password.
View 6 Replies View RelatedCan any ASA 5500 in particular the ASA5510 firewall support jumbo frames (i.e. greater than the default standard 1500 Bytes frames)?. I plan to use the ASAs to setup a point-to-point IPSec tunnel and need an Application frame of 4Kbytes intact and not segment it.I have done little checking on the Cisco Website and see it mention of Jumbo frames on the 5580 on 10Gig interface but didn't see mention 5510. 5580s are way over-kill and expensive for what I need is to run a mission critical one IPSec point-to-point with maximum of no more than 100Kbps so 5510 is perfect for me but not sure if it can carry the jumbo frame?
On the routers and switches it's the MTU settings and they are configurable per interface and I am OK and the circuit is T1 which the Telcos said it's OK since it's physical layer so the only unkown is the firewall.
I purchased the license P/N: ASA-CSC20-250U-1Y with Description: ASA 5500 CSC-SSM-20 250-User License Only Renewal (1-year)
But I had a mistake because I need support to 500 users. Now, to solve my mistake I want to know Do I can purchase another ASA-CSC20-250U-1Y to provide the 500 users suppor?
I mean, ¿are two (2) ASA-CSC20-250U-1Y equivalent to the 500 user license listed below?P/N, ASA-CSC20-500U-1Y with Description: ASA 5500 CSC-SSM-20 500-User License Only Renewal (1-year)
We have an ASA running 8.2.2 (adsm 6.2.5). VPN connections are working well.But it's not possible to use a SIP client (phone or software) through an SSL tunnel.So today I've tried to look in detail on this problem. I installed an ubuntu system,openconnect and ekiga as softphone. In our network everything is working without any error. I used an external DSL connection to test everything over the VPN tunnel.I can ping the SIP server and I can access the https frontend of the the SIP Server.The client "seem's" to connect as well. I can call the ekiga client, it's ringing and i can speak and hear everything (most times).Dialing from the ekiga client ALWAYS fails. On the ASA there is no policy allowing or denying those connections. How can I trace it on the ASA ?
View 2 Replies View Relatedi have to open ports for vedio conferencing in my Firewall configuration ,
View 1 Replies View RelatedI have two ASA 5510 with Security Plus license and Shared SSL VPN licensing enabled.
The problem is that the client get “Session could not be established: session limit of 25 reached” but ther is only 6 ssl vpn user connected with AnyConnect.The software on the firewall’s is 8.2(1)Is there any BUG in this software related to this problem?
I would just like to to open UDP port 123 in the ASA 5510 Firewall so that our Primary Domain Controller could use this port to sync time with an external time source. We have already added an access rule for this port under the firewall configuration in ASDM 6.4 and this port was also allowed in the inbound and outbound rule of the PDC's Firewall but it seems that it was still blocked.
View 23 Replies View RelatedI still can't access ASDM. I deleted the old ASDM versions and upgraded to ASDM 7.1(1)52 which shows compatible with ASA 8.2(1). I'm on an inside NAT address connected to Eth 0/5, 192.168.1.5/24. I can ping and SSH to the FW but no ASDM. Following is passing traffic and everything else works just fine.
JEREMY-ASA# show ver
Cisco Adaptive Security Appliance Software Version 8.2(1) Device Manager Version 7.1(1)52
JEREMY-ASA# show run asdm
asdm image disk0:/asdm-711-52.bin
no asdm history enable
[Code]...
I have an ASA 5500 Firewall. I need to figure out how to log all events using Port 25 to determine if there are any rogue devices on our network. I was trying to figure out how to do this via the Real-Time Monitoring (filter) but have had no success.
View 1 Replies View RelatedI have an issue with a Cisco ASA 5520. It seems to block some emails incoming from some recipients. The sender's mail server clearly reports my ASA as cause of the problem (see attached image). Unfortunately I have not the logs about that event and the time frame to close this issue is very narrow.
View 5 Replies View RelatedWe have to set up voip for our network(for 50 phones not he cisco phones).
I need to just the route the voip traffic to gateway address of telephonic company(1.1.5.7) where they provide us the connectivity for the setination call.
What sort of protocols should i have to enable in pix i saw the concepts like sip, h323, ras, skinny.
We are using only voip for asa and no data or other traffic should be allowed.
inside adrees: 10.10.10.0/24 for all voip phones
outside:121.21.22.1
telephoneic gateway: 1.1.5.7
Is there a way to shut down the AUX port on the ASA?
View 1 Replies View RelatedWe are now using image 8.0(4) for my ASA 5510. Later on, I would like to upgrade the image to 8.4(3).May I have to know what difference for those images, what should I take care of the script?
View 1 Replies View RelatedDoes ASA 5500 has stateless filter to drop packet even when 3-way handshake is finished
For example,
1: 3-way handshake is done
2:client send data to server
3:I apply a statless filter to the incoming interface to drop the packet from the client
Is it really the case that the ASA will not generate ICMP Host Unreachable messages for sub nets connected to any of its interfaces (in breach of RFC1812) as claimed here: [URL]
I'm investigating a situation where an organization uses ASAs to control traffic between different v lans in their internal production systems as well as Internet traffic. They are having problems with internal load balancing because the ASAs do not (as currently configured) generate Host Unreachable packets. Can this be changed in the configuration or not? I have to say, if it can't then I'd urge them to find something else to route between their internal sub nets.
I am pretty new to cisco and the learning community forums is truely one of a kind.Actually, I work on a company which deals the Cisco products, Routers/Firewalls/Switches and stuffs. I am sure you get the picture. What confuses me is the product licensing of ASA5500. To be more specific, we are proposing certain things. And that came with the product pricing sets and all. But I amn't having a clear picture on ASA 5500 Strong Encryption License (3DES/AES). Does that come inbuilt(free) or should there be any pricing behind that!?
View 5 Replies View RelatedWe have setup new ip camera system and as per our vendor to access the camera from outside we need to open,TCP ports and in firewall and forward to our camera server.
Let say our public ip address is 207.114.111.22 and our local ip address for the camera is 11.11.1.30. We have cisco asa 5510.
I'm not quite ready for the Automatic Failover feature that the ASA 5520 support. For now we have a cold stand by unit. I was wondering if I can change the mac addresses of the standby unit's interfaces to be exactly the same as the primary unit. I see an active/standby mac address section in ADSM, but I think that is used in the automatic failover function.
View 12 Replies View RelatedHow can i determine the current PPPoE session duration on ASA 5500 Systems? If i use the different CLI commands like "show vpdn session state / show vpdn session pppoe state" the output says:
State: SESSION_UP Last Chg: 593595 secs.
The ISP is forcing a reconnect every 86400 seconds, so the value can't be the actual duration of the pppoe session. Does it only indicate the link duration to the attached modem or interface state? Is the only way to detect interruptions of the pppoe session with debug and syslog?
I would like to send my ASA 5500 logs to more than one syslog server - is this possible? I can't seem to find it in the documentation.
View 3 Replies View RelatedOn the inside interface and network, we have a server at, (as an example) 192.168.87.1, which acts as an email server.
The outside ip address of the ASA is, say, 200.0.0.1.
The ASA directs any imap requests from the outside interface to 192.168.87.1, which works fine from the outside. Users simply open up email, and collect emails etc.
When they come inside the office, their machine of course attempts to contact the ip address 200.0.0.1. the ASA knows it is outside interface, so they are unable to collect emails.
that any internal IMAP requests from machines on the inside to 200.0.0.1 are directed to the machine inside on 192.168.87.1?
Since the 5500X series firewalls use a software IPS SSM that is set up differently from the old ones, I am a little confused on the initial setup.
[URL]
we see a proposed setup for L3 management of the IPS
interface GigabitEthernet0/0
nameif outside security-level 0
ip address 203.0.113.1 255.255.0.0
[Code].....
