I am having an issue where I can't connect to VPN after upgrading the license. The license upgraded is related to AnyConnect VPN. I noticed from the newly upgraded license, the Encryption-3DES-AES is disabled whereas previously it was enabled.
ASA 5512-K9
Version 8.6(1)2
If you look at the data sheet for the 5512-X the High Availability section states "Not Supported; ActiveActive or ActiveStandby" while the ASA 5515-X states "ActiveActive or ActiveStandby". What does "Not Supported" mean for the ASA 5512-X? Does this mean HA does not work, or that I need to purchase an additional license to use the HA feature?
[URL]
I've enabled Cisco "Anyconnect Premium Peers" for client less ssl vpn connections, the obvious catch is that for ikev2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool (which I have lots of connection licenses for "Total VPN Peers : 250".
* Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?
* Do I have to consider 3rd party vpn clients, outside Anyconnect?
I'm trying to access our ASA 5512-X via the Management port, but the address https://192.168.1.1/admin can't be displayed.
View 35 Replies View RelatedNot abe to upgrade the IOS image PIx7.0 from earlier version 6.3 in to my old Pix-525 FO(Secondary unit) license box .
Is it possible to upgrade without Primary unit (Unrestricted License) ?
I have a two ASA HA and I'd like to upgrade the license to ASA5500-SSL-250. I need to know if i have to purchase one license (ASA5500-SSL-250) for the Active unit and one license (ASA5500-SSL-250) for the standby unit.
View 3 Replies View RelatedI want to confirm if the upgrade license (ASA5505-SW-10-UL=) is backward compactible with PIX 501 firewall device? though pix 501is end of life bit i want to verify if the upgrade license for asa5505 will work with it?
View 4 Replies View RelatedI have a Cisco ASA 5505 device with basic (default) license, currently all my reirections, VPN's, VLAN's(3 Vlan's) etc are configured on the same and are working fine.Now i need to upgrade my basic license to "Security Plus" for some additional features, if i upgrade it directley is there any complications in present rules, below is my doubhts
1. if i upgrade, did it change any of my present configurations ?
2. is there any name change or property changes for VLAN's or VPN's
3. did it affect the firewall functions
4. If anything goes wrong, can i restore it in to my old state using my previous dump.
We want to upgrade one of our Cisco 5505 with Security Plus license. what is the difference between L-ASA5505-SEC-PL and ASA5505-SEC-PL upgrade licenses?
View 1 Replies View RelatedI have a firewall module in a Switch Catalyst 6500. I wan to upgrade its context capacity to a greater capacity. When I looked it in the Dynamic configuration, it send me following number parts:
FR-SVC-FWM-VC-T1=
FR-SVC-FWM-UPGR1=
The first one is the license to have 20 context and the next one is upgrade from 20 context to 50 context. My problem is that I haven't could find a service support contract associate them.I want to know if they have or not service contract, because I can´t find them.
Is it required for the 3des license upgrade for the asa5510 to reboot for the further configuration of site2site tunnels.
View 1 Replies View RelatedWhat's the difference between VPN Plus license and Security Plus license. I have new 5520 shipped with VPN Plus license.Also does it require a seperate license for Anyconnect for Mobile and AnyConnect Essentials.
View 1 Replies View RelatedI'm looking to make a possible configuration for a customer. They need a device to provide :- firewalling- bandwidth limiting based on protocols, IP, users- web content filtering- good reporting to see which device/users are consuming most of the bandwidth.I used to use cisco ASA as firewall but it's a while I last installed on and I'm nt uptodate which current state.So I thought of using an ASA 5512-X but I'd like to know if it comply with all the requirements .Most important being the reporting and bandwidth limiting capability. It would be great to have some configuration example regarding bandwidth management.
View 1 Replies View RelatedI have a windows 2003 server and an ASA 5512
I'm trying to use SSLVPN and it was all working, and I don't believe any configs on either box have been changed.
On Friday people were connecting, but now I get a message "Login Error" in the browser. In the ASDM home 'latest ADSM Syslog Messsages' I get "AAA authentication server not accessible", followed by two messsages AAA Marking LDAP server in group as FAILED AAA Marking LDAP server in group as ACTIVE
When I go to configuration --> Remote Access VPN --> AAA/Local Users AAA server groups and click on my RADIUS server and click Test, it takes a while and says ERROR: AD agent Server not responding: No error
If I stop my IAS server on my Windows box i get the same error but much more quickly.
I have a sonciwall set up doing the same thing, and RADIUS seems to work happily, so I don't think it's the server config...
My collegue and I have been trying to figure out why we are unable to get this ASA to NAT Overload correctly. I'm sure it is something stupid, and the config may have gotten a little dirty as we tried to change options and make it work. FYI, we can ssh from the WAN into the device to configure it. It is communicating externally, but it isn't natting.
ASA Version 8.6(1)2
!
hostname ASA5512-X-Remote
enable password ********** encrypted
passwd ********** encrypted
names(code)
I have a customer who needs a 5512-X set up with two ports on the "Outside" interface and act like a switch on the outside. This is very easy to do with the way the ASA 5505 works just by creating vlans and treating the ports as members of the vlan.
View 3 Replies View RelatedI am having soem difficulty getting documentation and setup procedures for the new ASA 5512-X (or X models in general) firewalls.I know the IPS sensor is a software-based one, but I'm not sure how much different the setup in than with a 5510 and IPS module.
Also, is the IOS upgrade procedure different?
I am configuring a brand new pair of ASA 5512s running 8.6(1). Traditionally we hae been using the Management port as the dedicated failover link, but that seems to not be possible on the 5512s.
ASA (config-if)# no management-only ERROR: It is not allowed to make changes to this option for management interface on this platform.
I have not been able to find anything in the official documentation mentioning this restriction.
I installed a new ASA 5512-X over the weekend for a client. Their backup ISP connection is DHCP based. I need to use the 'dhcp client route track' command on the interface, but it is not available. However according the all the documentation I am looking at and even the ASDM says it should be available.
This is the version of ASA and ASDM they are running:
Cisco Adaptive Security Appliance Software Version 8.6(1)1
Device Manager Version 6.6(1)
I did upgrade to the latest ASA software, so has this command been removed? If I do a '?' in the interface, there isn't a 'dchp' option.
I'm porting our configuration from a Pix 515 firewall to an ASA 5512x. What's vexing me right now is with the deprecation of the "static" command, I can't quite figure out the best way to Identity NAT my inside sub nets (multiple) to the DMZ sub net
So on the pix I have my identiy NATs as an example:
static (inside,dmz) <IntSubA> <IntSubA> netmask 255.255.255.0
static (inside,dmz) <IntSubB> <IntSubB> netmask 255.255.255.0
static (inside,dmz) <IntSubC> <IntSubC> netmask 255.255.255.0
Cisco's migration guide seems to do them one object at a time, which I guess is straightforward enough to do:
object network SubA
subnet <IntSubA> 255.255.255.0
[code]...
I'm thinking that there must be an easier way (aka less lines) to implement this for all the sub nets I want to Identity NAT to the DMZ.
1) Can I do this creating objects using a sub net with a net mask of 255.255.0.0 - one object to cover multiple internal sub nets?
2) Can I do this using object groups and trim this down to: (assuming I have to commands right)
Object-group network Inside_Subs
network-object <IntSubA> 255.255.255.0
network-object <intSubB> 255.255.255.0
network-object <intsubC> 255.255.255.0
nat (inside,dmz) source static Inside_Subs Inside_Subs no-proxy-ARP route-enabled. What would be the best way to translate my Identity NATs?
I have a Cisco 5512 x Firewall connected with Cisco Layer 3 switch 3750.I have two different WAN connections, one for Data and one for voice. Cisco Layer 3 switch is configured with 2 different VLAN's one for data & other is Voice Vlan. Switch is providing DHCP to computers and IP phones. Voice Pool 192.168.10.0/24 Vlan10 and Data pool 192.168.20.0/24 Vlan20.I need to route my data & voice traffic separately. Cisco ASA is connected with two different ISP's. So, how can I do this configuration so that Voice and Data traffic will route separately.
View 7 Replies View RelatedWhat is the benefit of replacing 5512 for 5510.
View 1 Replies View RelatedI am currently trying to enable WCCP between a Cisco ASA 5512 firewall and Barraccuda Webfilter 410 Vx applicance. The ASA firewall is running IOS version 8.6(1)2 and the Barracuda is funning firemware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping eachother. The ASA has several interfaces, outside, inside, data and dmz. The PCs and barracuda appliance are behind the data interface. ASA data IP 172.16.18.1 Barracuda IP 172.16.18.40 All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda.
Below are the respecive bits of my ASA config
interface GigabitEthernet0/0
description Management
speed 1000
[Code].....
I suspect my issue is that the ASA is generating a Router Identifier of 172.21.20.1 which is my inside network and the barracuda cannot communicate with it. how I can get this working ?
From what I can find the ASA does not support policy routing.
I have two VLANS that need to go to the same destination but different routes. Anyway to accomplish this on the ASA?
Configuration of inter-vlan routing on ASA 5512 ver 8.6? I have everything configured (un-nat, access-list, etc.) but still not working. When i do a packet capture, it says the traffic is denied by the implicit acl. Here is my config:
interface GigabitEthernet0/0.100
vlan 100
nameif data
security-level 100
[Code]...
where I can find detailed documentation on these two products. Particularly, I am looking for high availability capabilities and any license requirements.
View 1 Replies View RelatedI have a problem with random host's geting the wrong source address on a ASA 5512-X 8.6(1). Right now there is a host, 192.168.25.108, showing up with 6.6.6.6 (fake) on whatsmyip.org, should be 5.5.5.5 like the rest of 192.168.25.0/24. In the xlate tabel I cant find anything wrong. Same yesterday with two host, that are using the right NAT address today.
nat (any,outside) dynamic interface. (5.5.5.5)
object network H-192.168.25.10
nat (inside,outside) static H-6.6.6.6X(code)
I have ASA5540 with 1000 SSL-VPN License, then I would like upgrade from 1000 to 2000. Which part I have to add between
L-ASA-SSL-1000=
L-ASA-SSL-1K-2500=
ASA5500-SSL-1000=
We are currently preforming the upgrade from WCS v.7.0.230.0 no NCS 1.1. When we select the Lic file we get an error message "Unable to add any license without an NCS (L-NCS-1.0-K9) license." The file name is WCSUPG20121115142018448.lic.
View 2 Replies View RelatedMy client is having a 5505 which supports 2 SSL peers as per now and we want an upgrade . I had a look into GPL and I was confused with two of the following part numbers . Which one should I go for as both of these look same for me and there is a huge difference in price .
ASA5500-SSL-10
ASA 5500 SSL VPN 10 Premium User License
ASA-AC-E-5505
AnyConnect Essentials VPN License - ASA 5505 (25 Users)
Just doing some basic testing before we replace our ancient PIX 515E with a new 5512. I have a mini lab set up following the diagram below, although I am unable to telnet through to the mail server's netcat listener on port 25 TCP. I can ping all the way outbound from 192.168.101.1 to 10.0.0.2, and the 10.0.0.2 machine shows it is translated properly to 200.225.117.1.
NAT and access rules are as follows:
object network mail
host 192.168.101.1
description Mail relay
access-list inbound extended permit ip any host 200.225.117.1
[code]....
EDIT: Somehow the new global access rule is involved. When adding a permit any any in there I can get to the mail server no problem. When I remove it but leave in my permit ip any any on the outside interface, I am denied?
if on the ASA 5512-X virtual contexts are supported with version 9.1 ?
I found different information on the Cisco web, the ASA datasheet says it is supported but in the configuration guide I found exactly the opposite information.
Cisco ASA Series General Operations CLI Configuration Guide 9.1 and 8.6 [URL]
Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated) [URL]
Is the 5512 able to be field upgraded to a 5515 and so on through 5555? I.E. Can I add ram and other hardware to make the boxes more powerful as my requirements increase? I was hoping this would have been a new feature with the ngen firewalls.
View 3 Replies View Related