Cisco Firewall :: ASA 5510 Displays Error - Unable To Make Any Configuration Changes
Feb 4, 2012
I have turned on the aaa command authorization without applying adequate privileges to the user. I can now log in through that user but the ASA 5510 displays an error:
ASA 5510# show running-config
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed.
I am unable to make any configuration changes on the firewall. Is there any default user through which I can log in and disable the aaa authorization? If not, how can I resolve this situation?
Nov 27, 2011
According to this document I do port translation through the CLI and I have the following config:
Sep 19, 2011
I have a 5510 with SDM 8.2.5. From clients connected to the LAN I can't open a VPN connection (using the Windows client, L2TP or PPTP). There are no rules to block these ports, so why can't I connect?
my configuration:
FIREWALLP01# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname FIREWALLP01
domain-name MAIOR.local
enable password 28kg/dOQX80WtMHA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
Sep 30, 2012
I need to make a report of the VPN history on an ASA 5510 and I cannot find a way that fast.
Aug 21, 2012
I recently bought a brand new ASA 5510 and it is here by my side. I'm trying to configure it but when entering https://192.168.1.1/admin I get a Page Not Found error in IE. I'm able to ping 192.168.1.1 and can successfully telnet to port 443.
Mar 5, 2013
I am trying to add 89,462+ access list rules to an ASA 5510 running 8.2(5). I have added all the rules to an object group and when I try to apply the access list to an interface it gives me the following error:
ERROR: Cannot add policy to rule engine ERROR: Unable to assign access-list wan-out to interface wan
I have not tried not using an object group and just putting the rules in the access list. I want to be able to add to these rules if needed easily.
I think it's clear that I have exceeded the rule limit for the ASA. So my question is, what is the rule limit for an ASA 5510 and which ASA could I purchase that would handle this amount of rules?
May 31, 2011
I have a 5510 with just an inside and outside interface. Everything works on the LAN, including internet access and Exchange hosting to the net, but I have another Exchange server on the WAN and I can't get to that because I'm not NATting inbound traffic and the default route sends traffic elsewhere.
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a No translation group found error. I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command:
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
Feb 26, 2013
I have some problems with the ASA 5510 ver 7.0(6). My manager wants to keep this as a backup. I tried lots of things but still users are not able to access the internet, nor can I ping anywhere. For example when I ping 4.2.2.2 I don't get any reply. The running config is below for your reference:
HQ-ASA-01# show running-config
: Saved
:
[Code]......
Dec 26, 2011
I have a Cisco ASA 5510 connected to 2 private LANs (1 for my HQ PCs {inside} and 1 for the worldwide MPLS {outside}). It is also connected to the public internet at interface "public" and my DMZ at the "dmz" interface. I suspect I have a routing issue because packet-trace yields allow, the NAT looks OK and the objects look OK, at least to me, but I'm the one with the non-working config so... Basically this is the desired flow:
1. I need all traffic from the inside to be able to flow to the outside unimpeded as they are both trusted networks. (This is OK right now as I allow everything via access-list 101.)
2. I need any host on the public internet to be able to reach a server on the DMZ via the PAT which I set up from the "public" interface to the "DMZ" interface. The desired flow would be that the person on the internet types in [URL] and this is directed to the public interface IP which forwards to the webserver object on the DMZ. (I cannot get this working any which way.)
3. I need the DMZ to be able to communicate with another server on the MPLS via the "outside" interface: when it receives the request from the public it then checks with this other server on the outside via NAT (translating the DMZ range into the IP of the outside interface on the firewall). I have a default route that points to the MPLS or outside interface for 0.0.0.0 0.0.0.0 via 10.x.x.1 (and although I'm not sure, I suspect this could be conflicting with traffic that needs to be sent to the "public" interface, meaning that the firewall should dump packets bound for 0.0.0.0 0.0.0.0 to the public interface, 184.x.x.194, but I'm very reluctant to change the default route as this is in production and I'm not sure how it will affect traffic). However, I do suspect that if I changed the route from default to static as such:
route 10.0.0.0 255.0.0.0 10.x.x.1 (this would get all LAN and MPLS traffic to the MPLS gateway)
route 0.0.0.0 0.0.0.0 184.x.x.193 (this would send everything else from public to the public internet gateway)
I think this is accurate, but then I would be bypassing my corporate internet proxy which is behind the MPLS gateway at 10.x.x.1? Is there a way to get HTTP traffic originating from the LAN (10.x.x.x) to use the MPLS gateway and HTTP traffic for the DMZ to use the public internet gateway at 184.x.x.193? I don't want to start causing a flow problem for the internet, nor do I want to bypass my corp internet proxy. Either way I cannot get this to work; even though the logic checks out, I cannot get even a ping response when I allow icmp any any for testing. Note: I can ping resources on each network from the firewall, not only its own ports in the associated network but other resources on those networks as well.
Here is the running-config:
ciscoasa# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name marcjacobs.lvmh
[code].....
Jan 24, 2013
I am attempting to set up FTP behind this new Cisco ASA 5510 we just bought. I haven't configured a Cisco device in 5 years, so I am having issues, but I think I am close. If I FTP from an outside (fixed) IP it connects and takes the password but hangs on PASV and gives no data connection. Below is my configuration. It is simple, since I seem to have the connection inside correct, and yes, you can connect to the FTP server from inside without issue.
Code...
Jul 24, 2012
I have one ASA 5510 with a base license. Now we wish to add one backup ISP for VPN failover. Is it possible to configure a backup ISP with this ASA 5510, and how?
Check ASA features
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(1)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
Cisco asa up 3 hours 35 min
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Jun 11, 2009
We have some users who use Citrix outside the corporate network through the Citrix web interface. These users are high priority users and we want to prioritize the Citrix traffic. I want to make sure that my configuration will fulfill our requirements. Below is the configuration I was thinking to implement:
ASA(config)# priority-queue outside
ASA(config-priority-queue)# exit
ASA(config)# access-list CTX-QoS extended permit tcp any 10.1.1.200 255.255.255.255 eq https
ASA(config)# class-map CTX-QoS-CMAP
ASA(config-cmap)# match dscp ef
ASA(config-cmap)# match access-list CTX-QoS
ASA(config-cmap)# exit
ASA(config)# policy-map CTX-QoS-PolicyMap
ASA(config-pmap)# class CTX-QoS-CMAP
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# exit
ASA(config)# service-policy CTX-QoS-PolicyMap interface outside
Aug 28, 2011
I have created the following config for an ASA 5510. I implemented a DMZ on it. Is this config as secure as I can get it? I want the web server in the DMZ to only be able to access ports 80 and 1433 on the SQL box inside.
ASA Version 8.2(1)
!
hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
Jul 29, 2012
I am unable to see the 4th interface, i.e. fastether0/3, on my firewall ASA 5510.
Below is the output.
ciscoasa# sh int ip br
Interface            IP-Address    OK? Method Status                Protocol
Ethernet0/0          x.x.x.x       YES CONFIG up                    up
Ethernet0/1          x.x.x.x       YES CONFIG up                    up
Ethernet0/2          unassigned    YES unset  administratively down down
Internal-Control0/0  127.0.1.1     YES unset  up                    up
Internal-Data0/0     unassigned    YES unset  up                    up
Management0/0        192.168.1.1   YES CONFIG up                    up
Apr 30, 2013
BTW, the ASA is running version 7.0(8) and I'm doing this through the command line. I've got a group of workers coming in a couple of times per week that need wireless access to 1 printer on our network and internet access; I'll deny them access to the rest of our LAN. I've already configured an AP with WPA2 on a separate subnet and put a router between it and our network. I've set up the router to apply an ACL to allow access to the printer's IP, deny the rest of our main subnet, and permit everything else to go to our ASA 5510 that is serving as our gateway. From a laptop connected to the access point:
- I'm able to ping the printer's IP
- I'm not able to ping other workstations or our servers, as intended
- I'm able to ping the ASA's inside interface
The only part I can't seem to pull off is the final part of getting the ASA to translate the IPs from the new subnet to the outside interface.
So we have:
Laptop > Wireless AP > Router with ACL > Primary LAN > ASA5510 > internet
PAT is working fine for the primary LAN, but the laptop can't hit the internet.
Jul 30, 2011
I want to configure the ASA 5510 to send syslog messages to a syslog server which I placed on my inside interface. Also, will enabling syslog increase the CPU utilization or memory? What are the necessary configuration parts?
May 8, 2011
Creating a DMZ with my current configuration. Most of my configuration has been through the ASDM as I am still learning. I'm looking for a good tutorial through the ASDM to get me on my way. What I need to accomplish is this:
I have an internal GIS server which needs to have a constant database connection to a remote GIS server which is already configured. I've got a separate VLAN set up on my 3750 switch which connects to the DMZ-configured port on my ASA with a security level of 50. My GIS server has been placed in the DMZ VLAN, which is accessible from my internal clients. I have a /30 Internet block which is being used for Internet and VPN. I have a separate /28 block that I'm assuming I'll need for the DMZ to work properly.
Mar 8, 2011
Will you give the configuration of NAT for my internal users on 192.168.1.0/24 with a single public IP?
I'm new to configuring IOS version 8.3.
Apr 12, 2012
I'm working on getting an ASA 5510 set up and am having major difficulties. I'm really new to ASA and coming over from Microsoft ISA. Below is my configuration; how do I get this all sorted out? As of now it doesn't appear that any traffic is going through, whether it's incoming or outgoing. [code]
Dec 5, 2012
I've a problem with syslog logging on my Cisco ASA 5510 version 8.2(1). I need to:
- 1) log some ACL with warning level to log deny access.
- 2) log some ACL with informational level to log permit and deny access (notification level log only deny access and not permit access).
- 3) not log others ACL.
For 1), I configured the syslog server with warnings level and I enabled the logging rules with the default level (syslog default level):
logging enable
logging trap warnings
logging host "interface" "host"
access-list "interface" extended permit ip any any log default
For 2), I enabled the logging rules with a specific level (informational):
access-list "interface" extended permit ip any any log 6 interval 300
For 3), I disabled the logging rules:
access-list "interface" extended permit ip any any log disable
My problem is that the syslog logging level bypasses the ACL logging level. Even if some ACLs are configured with informational level, the ASA sends only warnings logs to the syslog. I tried to configure the syslog default level to warnings, to remove the ACL and then put it back again with the specific logging level, but I still have the problem.
Dec 30, 2012
When we are configuring the ASA 5510 8.2(5) for authenticating with an ACS 5.X server, it is not authenticating: authentication fail error.
Jul 13, 2011
I have an existing Sonic FW in my company; we are moving from the Sonic FW to an ASA 5510 with Security Plus license. I have two ISPs currently connected to the Sonic firewall and I am planning to implement a dual ISP configuration on the ASA5510.
Nov 14, 2011
I have a Cisco 877-K9 router which sits behind an ASA 5510 FW. The design:
Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
||
ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
||
Switch
||
LAN
Now my problem is, my DMVPN configuration works just fine. I'm able to ping from my Cisco 877 to any spoke and vice versa. I'm also able to ping from my LAN to any spoke tunnel IP, but I'm not able to ping any LAN IP at a spoke site, nor am I able to ping my LAN from any spoke site. I've googled a lot but have only come across designs where the ASAs are behind the Cisco routers and not in front.
Sep 5, 2011
What protocol does the firewall use to replicate the configuration and monitor the interfaces?
Oct 14, 2012
I have new ASA 5520 units; currently we are using ASA 5510. I have to migrate all the configuration to the new ASA 5520 units. I am wondering whether there is a possible way to export and import certificates from the ASA 5510 to the 5520.
How do I export or copy all the configurations, plug-ins and certificates from the 5510 to the 5520? Existing configuration snapshot: CA certificates from a third party installed for authentication, and an identity certificate from Verisign.
WebVPN
Anyconnect
Plug-ins
IPSEC tunnels
NAT
Aug 14, 2012
I have configured a redundant interface on the ASA 5510:
interface Redundant1
description *** INSIDES NETWORK ***
member-interface Ethernet0/1 (This is a 1000Mbps Port)
member-interface Ethernet0/2 (This one is 100Mbps)
no nameif
no security-level
no ip address
[code]....
Then I issue the following command and it's OK!
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
[code]...
It transfers correctly. Then I no shut and go back to the normal primary core switch Gi0/30 interface again, BUT the redundant interface does not revert back. I issued this command again and the BW remains 100Mbps.
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
[code]....
I did manually shut down and no shut the secondary core switch interface Gi0/30. It changed correctly to 1000Mbps.
Mar 16, 2013
I want to configure an ASA 5510 with complete redundancy for the first time. I have already studied all the material from the Cisco web site, but there is a lot of material available and I'm confused about which material exactly fits my requirement.
This is current configuration:
active# sh running-config
: Saved
:
ASA Version 8.2(5)
[Code].....
Jun 4, 2012
I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
Dec 13, 2011
I followed the steps according to the basic settings provided by the Cisco Support forum, but still failed to access the internet.
ASA5510# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5510
domain-name xxx.com
enable password
passwd
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.161.9.14 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface(code)
Jun 10, 2012
Configure the firewall ASA 5510 in context-based configuration in HA mode with two different subnets.
IP details are below:
interface Ethernet0/0
nameif outside
security-level 0
[Code].....
Aug 23, 2011
I have not worked with ASDM in a while. I have a 5510, with asdm-645.bin in the flash. The device runs version 8.4(2). I can download ASDM from the HTTP interface of the firewall from the management interface, but I cannot log in. I have used a blank username and password, no username and the enable password, a blank username with the enable password, and a few other permutations. I then tried to connect to the ASDM interface from inside also, but I cannot connect. Needless to say, I have enabled http and updated the http access-list. The only logging I have enabled is buffered. Is there any configuration that I am missing? Shall I cut and paste the config?
Nov 12, 2012
When I try to run debugs on a pair of our firewalls, I get this error message:
ERROR: No memory for debug trace buffer. Debugs not available.
Cisco ASA 5510 8.2(5)
Jun 15, 2011
I have an ASA 5510 and I cannot configure it properly.
My problem is that I have 10 public addresses connected to the ASA and each public address is redirected to an internal IP address.
One of these public addresses is the IP address of my ASA.
How do I configure an access-list and a NAT for one of them? The others I will configure myself.
interface Ethernet0/0
description Interface_WAN_World-Ttrends
speed 100
duplex full
nameif outside
(code)