I have two ASA 5510 with Security Plus license and Shared SSL VPN licensing enabled.
The problem is that the client get “Session could not be established: session limit of 25 reached” but ther is only 6 ssl vpn user connected with AnyConnect.The software on the firewall’s is 8.2(1)Is there any BUG in this software related to this problem?
I am quite new to firewall, in my company one asa 5510 firewall is there.I configured inside, outside, dns, dhcp and nating.I need to config bandwidth limit (1Mbps) for inside port and I restruct like facebook, youtube and pornsites..And I heard that some subscription is required, really is it required?
I have one firewall need to be configured in transparent mode. I have inside and outside router. What is the configuration of transparent firewall ASA8.2. I didn't find the configuration on Cisco site.
Can any ASA 5500 in particular the ASA5510 firewall support jumbo frames (i.e. greater than the default standard 1500 Bytes frames)?. I plan to use the ASAs to setup a point-to-point IPSec tunnel and need an Application frame of 4Kbytes intact and not segment it.I have done little checking on the Cisco Website and see it mention of Jumbo frames on the 5580 on 10Gig interface but didn't see mention 5510. 5580s are way over-kill and expensive for what I need is to run a mission critical one IPSec point-to-point with maximum of no more than 100Kbps so 5510 is perfect for me but not sure if it can carry the jumbo frame?
On the routers and switches it's the MTU settings and they are configurable per interface and I am OK and the circuit is T1 which the Telcos said it's OK since it's physical layer so the only unkown is the firewall.
I am very confused on how I setup a Pix 515 that I just got to route traffic out a cable modem. First, let me give you a little details on my current network setup and what I am trying to accomplish with this Pix 515. Currently all my users go out the proxy for any internet access, however I have certain users that need to go out the cable modem instead of the proxy server. Below is an example of the current IP setup of a user A:The cable modem that we currently have has DHCP so I would need the external PIX address to accept a DHCP address. I also don't really understand what else I need to setup so if I have say four users hitting the cable modem through the pix how do I direct their web traffic to the correct computer (NAT ?),I will be plugging the PIX into a cisco switch that all ports are in VLAN 48 so hopefully a static internal address on the pix of 10.24.48.254 will keep me from having to do any routes since all traffic will be originating from the 10.24.48.0 network.
I am trying to set up my Cisco 520 router with a firewall that will: Allow port 80 traffic to the vlan 20,Block all other incomming ports to vlan 20 (unless initalised from inside),Allow all outgoing ports on vlan 20,Block all access from vlan 20 to vlan 10 (unless initalised from vlan 10)
I'm in the process of migrating a rather big NAT configuration from a customer running pre 8.2 ASA software.The customer has 2 Dynamic Policy NAT configured which have overlapping source addressesOther Dynamic Policy NAT has the destination address of "any"
Other Dynamic Policy NAT has a single host address as destination address towards InternetThe Dynamic Policy NAT configured with the "any" destination is applied to all translations for the source host towards Internet
What I'm interested in is the following
Since both NAT statements are equal in a sense (because they are of same type) what is the next deciding factor for ASA decides which translation rule to use?
Does the "nat_id" parameter define which rule is checked first? Is the NAT rule with the lowest "nat_id" value used regardless what the order of the NAT rules is when you check them on the CLI? (with "show run global" and "show run nat")I'm just interested on how the NAT operates in this case, even though were generally using 8.4 at the moment.
I upgraded my ASA 5520 with the latest image. Now I get an error upon launching ASDM.Your ASA image has a version number 7.2(4) which is not supported by ASDM 6.4(1), use Device Manager version 5.2(x)Continue Anyway?
What are the newest, recomended image versions of ASA and ASDM I should be using?I will also be using the SSM-20 module with this setup, so I would like to stay with a working version of ASDM.
I am looking into buying an ASA5505 but I would like to know if it is going to work in my setup. I have an Internet connection and 2 seperate networks. I know that the ASA5505 has 8 ports and I would like to know if I can assign each port to a different network zone? I dont want to use VLAN but physical networks. I know it is possible with ASA5510 and above but I want to make sure I can do the same with a ASA5505 (Without the security upgrade). I want to get an ASA5505 unlimited users.
So an Internet connection (with multiple IPs), 2 seperate networks, I want to filter traffic between all 3 and route between them also.
I am looking at upgrading an HA pair of ASA5520's from 8.2(2) to 8.3(1), and am just wondering why the huge upgrade in memory is needed. How are Cisco justifying where the additional memory is going to? Are there supposed to be some massive improvements in performance?
I have existing Sonic FW in my company we are moving from sonic FW to ASA 5510 Security plus lice. I have two ISP currently connected to sonic Firewall I am planning to implement Dual ISP configuration on ASA5510.
I have an ASA 5501 running latest code. Per the article at [URL], I need to open the below ports. I have 5 Xboxes (when people come over) and they all have a static IP. My network is 192.168.0.x and is a /24 network.Xbox LIVE requires the following ports to be open: Port 88 (UDP)Port 3074 (UDP and TCP)Port 53 (UDP and TCP)Port 80 (TCP)port 1863 (UDP and TCP) (Kinnect) I defined the various network ports as a service and then created 5 hosts called xbox1, 2, etc with a static IP. I dont have access from the command line (forgot telnet and ssh passwords) , so from the gui, what do I do next?
I have a 5505 configured with a active/standby dual wan setup using the sla tracked connection settings. Is there a way to configure the ASA to stay on the backup connection after activating? We had a situation where the main T1 was bouncing, so the backup connection was being activated and deactivated very often. The problem is that there is an app being used that does not allow users to reconnect to dropped connections immediately, so every time the asa switches wan connections it causes a significant disruption.I should note that I already set monitor options frequency to 240 seconds. I could set it higher, but then we have a longer delay when the main connection dies.
I have an ASA 5500 Firewall. I need to figure out how to log all events using Port 25 to determine if there are any rogue devices on our network. I was trying to figure out how to do this via the Real-Time Monitoring (filter) but have had no success.
I have an issue with a Cisco ASA 5520. It seems to block some emails incoming from some recipients. The sender's mail server clearly reports my ASA as cause of the problem (see attached image). Unfortunately I have not the logs about that event and the time frame to close this issue is very narrow.
Is it really the case that the ASA will not generate ICMP Host Unreachable messages for sub nets connected to any of its interfaces (in breach of RFC1812) as claimed here: [URL]
I'm investigating a situation where an organization uses ASAs to control traffic between different v lans in their internal production systems as well as Internet traffic. They are having problems with internal load balancing because the ASAs do not (as currently configured) generate Host Unreachable packets. Can this be changed in the configuration or not? I have to say, if it can't then I'd urge them to find something else to route between their internal sub nets.
I am pretty new to cisco and the learning community forums is truely one of a kind.Actually, I work on a company which deals the Cisco products, Routers/Firewalls/Switches and stuffs. I am sure you get the picture. What confuses me is the product licensing of ASA5500. To be more specific, we are proposing certain things. And that came with the product pricing sets and all. But I amn't having a clear picture on ASA 5500 Strong Encryption License (3DES/AES). Does that come inbuilt(free) or should there be any pricing behind that!?
I like to set up a pix and router for this network for a small buss, but I need to know what type of cable do I need to set this connection to work straight through or a cross over cable? also I need a subgestion if a nat would work better on the pix or leave it on the router?
I've gotten to the point where I can test against active directory and get in, also I can get AD groups from my server on the ASA. My problem, I can't connect in via my AnyConnect client on my Android. I immediately get a "log in failed" and I know I'm using the right username/pass. Doing a little troubleshooting, I have attached my AnyConnect debug log and the results of the "debug ldap 255" command on the ASA. Also, I've used ldp.exe to determine I can connect in with the username/password combo I'm using.Combing through the AnyConnect logs I see a few instances of "global error unexpected" but no Google searches have brought up anything useful.
I got a project where I have to provide NATTED addresses to cutomers for the internal servers and I found out that the outside address range /27 already in use. We are using 5510 with ver 8.1. We cant use PAT here.
How can i determine the current PPPoE session duration on ASA 5500 Systems? If i use the different CLI commands like "show vpdn session state / show vpdn session pppoe state" the output says:
State: SESSION_UP Last Chg: 593595 secs.
The ISP is forcing a reconnect every 86400 seconds, so the value can't be the actual duration of the pppoe session. Does it only indicate the link duration to the attached modem or interface state? Is the only way to detect interruptions of the pppoe session with debug and syslog?