I just learned that the licensing structure for the ASAs is changing, but I don't have any details. We have roughly 30 ASAs (from 5505s to 5585s). If there's a licensing change, I need to do an impact assessment and plan accordingly.
View 5 RepliesI have registered the license purchased for the ASA 5585X appliances and have received the following listed as features.
> Failover : Enabled > Encryption-DES : Enabled > Encryption-3DES-AES : Enabled > Security Contexts : 20 > GTP/GPRS : Disabled > AnyConnect Premium Peers : Default > Other VPN Peers : Default > Advanced Endpoint Assessment : Disabled > AnyConnect for Mobile : Disabled > AnyConnect for Cisco VPN Phone : Disabled > Shared License : Disabled > UC Phone Proxy Sessions : Default > Total UC Proxy Sessions : Default > AnyConnect Essentials : Disabled > Botnet Traffic Filter : Disabled > Intercompany Media Engine : Disabled > 10GE I/O Plus : Disabled(code)
I am looking to deploy a cloud/borderless network solution and cannot get my head around how the licenses (AnyConnect Mobile and essentials) will be applied in a multiple context deployment. Any correct documentation.
View 1 Replies View RelatedI'm trying to configure policing and/or shaping on a setup of 2 x ASA 5505 Sec Plus. The units are placed in office A and office B and each have a ISP connection to the internet and a leased line with a capacity of 4/4 Mbit/s for interoffice communication.
On each ASA there's four subnets. VLAN 200 is used to connect the offices through the leased line.
Subnets:
Outside = 2
Data = 10
Voice = 100
Linknet = 200
I've read a lot of articles and posts about shaping and policing on the ASA but still can't get it to work like I wan't to. I'm trying to limit all traffic besides IP-telephony traffic to 3 Mbit/s and thus reserving 900 Kbit/s for voice traffic. I tried setting a service-policy on the linknet interface on each ASA and set Traffic match to Any traffic and QoS settings for both input and output.
I can see traffic passing the policy when I run the "show service-policy police" command but it never seems to be high enough to be policed which is strange since the ASDM monitoring shows that I'm pushing 3900 kbit/s. I file transfers verifies that policing does'nt work.
I am in need of some information regarding licesnes on the ASA 5505.I have a client who is connecting their main office to a DR site via a site-to-site VPN. I understand that the standard license for the ASA 5505 is for 10 clients.Does the site-to-site connection consume one of these licenses?Does each endpoint communicating over the site-to-site VPN consume one license also?For example, if I have the site-to-site VPN and 10 servers on each side, would that mean that I need 21 licenses; 1 for the VPN and 20 for each server on each side?
View 4 Replies View Relatedso I look up ASA5505 licensing and for VLAN support see: 3 (no trunking support)/20 (with trunking support)*
I need 3 VLANs...inside, outside, and DMZ..but when it is creating the third (DMZ) it says I am only allowed to have 2 VLANs and can only create the third if its set to not forward traffic. ?
I've two sites, the branch with an ASA 5505 and on the corporate office i've an ASA 5510.I need to make a easy vpn tunnel between this to sites and I've made some configuration, but for now, the ikev1 isn't working.
View 1 Replies View RelatedI'm looking for automating a couple failover scenarios. Both VPN redundancy and black hole internet traffic redundancy.I currently use the more reliable T1 connection for the VPN connection and the DSL for internet traffic.My current configuration is working but requires a manual update to get the VPN or black hole back up and operational when either link fails.
[code]....
We have to make disaster recovery site EasyVPN tunnels on Cisco 5505 ASA firewalls. Now there is only one main site and 3 remote sites.For DR we have to use the same subnet as it is on the main site because the Vmware virtual machines will be replicated to DR.For DR we are using Double Take software.What is the best solution for this? I think that we could use Destination NAT on ASAs. The other sites (HQ and remote) will se only the NAT address of theDR and not the real one which is the same as on the main site.We are using IPSec VPN? In packet-tracer on ASA I see that the packet is first NATed and then encrypted, so it should work, yes?
View 2 Replies View RelatedI'm setting up a Site-to-Site Cisco VPN between ASAs. I'm being told by the remote site engineer to set the maximum MTU at 1362. Is it possible to set the MTU for one specific site-to-site VPN on my ASA 5510 Security Plus to MTU 1362? I see my interfeces are all set at 1500. If not, would you recommend I setup a subinterface on my inside network router and a subinterface on the ASA with an MTU of 1362 to get around this issue? Then use this subinterface for traffic from my inside network to transverse through prior to hitting the VPN.
View 1 Replies View RelatedWe have an ASA 5505 and are changing ISPs so we'll be getting a new static IP address. How do I change the external IP address using ASDM? (I haven't done it in 5 years so I'm rusty and just want ot make sure.) The ASA and ASDM are up to date.Am i correct in that I only need to change the external address in the configuration under Interfaces, then under Routing - Static Routes - Gateway IP I just need to enter the new WAN gateway address?
View 2 Replies View RelatedI have site-to-site VPN using two ASAs 5505. I can ping between two computers C1 and C2. Now I want to add subnet 192.168.1.0. How do I configure routes on ASA so that I can ping between computers C3 and C2?
View 5 Replies View Related We have a site with two inbound circuits, one for internet and one for our MPLS. Each circuit is being terminated by a 2921 Router and matching ASA 5510 Firewall. For the internal network, the Internet ASA's inside interface (172.16.0.1) is the default gateway for all hosts. OSPF is the routing protocol between all the routers and ASA's and routing is working. In fact, ICMP is working as well. From an inside host (172.16.0.81), we can ping anything on the MPLS network. But when I try to use telnet (for example), the connection fails. If I add a route to 10.10.10.0 to the host, or re-configure the host to point to the MPLS ASA (172.16.0.254) as it's default gateway, connections will establish.
Both ASAs are running 8.4(3), and have the following commands:
same-security-traffic permit intra-interface
interface Ethernet0/0
nameif outside
[Code]....
And from the MPLS nodes, I can see a tcp request is made.
I need to upgrade the active/standby failover pair of 5510 ASA's to have1 Gig DRAM each, and I am trying to plan out the upgrade process. I'm looking for a zero downtime upgrade process.
I know that the failover pair has to have the same amount of memory, so how do I perform a zero-downtime upgrade process?Can I power off the standby unit and upgrade it's memory first? Or will it cause a memory mismatch between the active and standby units when it is powered on?
I'm working on a BoM for a customer and i need to offer an ASA5525-X pair in HA with AVC and WSE subscritption, I've two question:
1) In order to use AVC and WSE I need the ASA bundle that includes the SSD HD right? (ASA5525-SSD120-K9)
2) In order to have both ASA's in HA, do i need to order two Suscriptions (ASA5525-AW3Y-PR) or only one that is "shared" in the cluster?
I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:I have 3 domains.
[URL]
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.The cisco documentation states the following:•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.Reading that it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.
Does the 5585X supports BGP ? What if someone wants to use Antivirus + IPS feature in that . I have seen IPS modules for 5585X but looks like the antivirus module is not avaliable for 5585X
View 1 Replies View RelatedI bought a Cisco ASA 5510 (P/N: ASA5510-BUN-K9) and i would like to know if i have to buy some license,What i mean is, for the basics, it still being necessary aquire some license?
View 3 Replies View Relatedwe have a customer with 2 x ASA5510-SEC-BUN-K9 running in an active/active HA mode. On the primary ASA he has 25 SSL premium licenses, but on the secondary ASA he has only 10 SSL licenses. Is there a need that both ASA´s has the same kind of licenses?
View 5 Replies View RelatedI want to configure Qos for 2 diffrent Vlan 2 , each vlan for 2 mbps bandwidth .(VLAN details VLAN 10 (10.10.x.x /24) and vlan 20(20.20.x.x/24) Is any difference regarding initials configuration B/w ASA 5520 and 5585
View 9 Replies View RelatedAm not conversant with Firewalling. however i have need to set up CISCO ASA 5585 out of the box.
View 3 Replies View RelatedWe are working for a client move from PIX 525 to ASA 5585-X, SSP10. This is a production environment and very critical migration. What are the gotchas which we should be aware off?
View 1 Replies View RelatedWe have installed 5585-x in active/active mode with transparent firewall. We have created two virtual sersors for vs1 and vs2 in IPS module and linked with ASA context C1(vs1), C2(vs2) and admin(vs0).
As firewall is working in transparent mode, we have bridge IP address for context C1 10.1.1.1 and for context C2 10.2.2.1.
I have added default routed for context C1 10.1.1.2 .It is in the outside of asa and SVI on switch.For the other context C2 10.2.2.2.
IP address range for the IPS module and what should be the gateway for IPS module.AS the traffic is coming from outside and going to inside interface of ASA.
I have a pair of ASA 5585 configured with 2 contexts, C1 & C2, C1 is active on ASA-1 & C2 is active on ASA-2 i did failover test, ping was initiated to host residing behind ASA-1 in context C1 i powered of ASA-1 then both context became active on ASA-2, however during this failover.i saw 4 ping packets drop..
View 3 Replies View Related I have a customer who has purchased a Cisco 5510 and after we received it and all the necessary VPN, 3DES etc. licensing for it, then informed us that they order 2 T1 lines so they can have Internet failover.
My question is: Does this require an additional specialized license from Cisco in order to enable and configure it? And if so, what that part number is?
I am pretty new to cisco and the learning community forums is truely one of a kind.Actually, I work on a company which deals the Cisco products, Routers/Firewalls/Switches and stuffs. I am sure you get the picture. What confuses me is the product licensing of ASA5500. To be more specific, we are proposing certain things. And that came with the product pricing sets and all. But I amn't having a clear picture on ASA 5500 Strong Encryption License (3DES/AES). Does that come inbuilt(free) or should there be any pricing behind that!?
View 5 Replies View RelatedI have a new 5585x with only basic ip information on it. I can't get the ASDM to load from any interface. Browser just says cannot load page. I upgraded to 9.1 and ASDM 7.11-52. (Also did not work before I upgraded) I can ping the managment 0 interface and can tftp data to and from it. Also unable to telnet to the management interface. [code]
View 2 Replies View RelatedI have ASA-AC-M-5520, can we migrate the license to ASA-AC-M-5585
View 1 Replies View RelatedAny document in which is specified who may ACE rules are supported in an ASA5585-SSP-20?I need to compare this an other several specification versus a FWSM. I found the information for the module, but not for the ASA 5585-X..In the data sheet this information is not specified.
View 5 Replies View RelatedI have a 5585 with version 8.4.2?I have issues accessing the asa using ssh or asdm via remote access vpn. The configuration details are the following:
10.8.251.30 -- addess assigned from the pool
10.8.251.4 -- inside interface address in the ASA
1.The VPN establishes without problems and I can reach any inside resource, also I can ping the firewall.
group-policy pol1 attributes
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value pol1_splitTunnelAcl
[code]....
If I allow the direct http/ssh connection to the outside/inside interface, it works perfectly.
I am currently working with ASA 5585 with several contexts. What is the percentage of the CPU used per context. I already have the opportunity to do it for the whole ASA (context admin) using the SNMP mib CISCO-PROCES but, unfortunalty, this mib doesn't allow us to know the percentage of used CPU per context.
I was able to know the number of core used per context but not the percentage of the CPU used.
Shared licensing of ASA?I have 2 ASA 5585 in cluster and I have to Implement SSL / VPN license My question:Since I have a cluster in 8.3 version, can I use only one license VPN / SSL for two, without necessarily implement the Shared Server licenses and participant.
View 4 Replies View RelatedIs it true, that the new ASA Platform 5585 does not support Multicast. Here on Page 7:[URL] because the old ASAs support Multicast.
View 2 Replies View Related