Cisco Firewall :: ASA 5520 Configuration Backup With Archive?
Nov 15, 2011
On our cisco 3750 switches we can take config backups with the archive command. After every "write mem" it rights the config to our backup server. We would like to do this also for our asa 5520 with version 8.2(2). I also searched in the command reference guide, but I can't seem to find the proper command to do it.
i have two internet links each of which from different ISP and different real ip addresses.Want to make the second backup internet work for Internal and external (AnyConnect) users.
my question: is that applicable to register single A record with different real ip addresses? and also is the AnyConnect method the best solution for them?
note: i have single firewall 5520 behind the cable modems.
I have a client that has an ASA 5520 that has two internet connections, FIOS and Comcast. The ASA is configured to failover from the FIOS to the Comcast if the FIOS fails. This works perfectly fine. However, I was wondering if VPN and other inbound traffic will come into the secondary connection when it is active. I think VPN will work inbound when the FIOS connection fails, but I am not sure about the other inbound connections.
I'm having problems configuring an asa 8.2(1) with a backup isp. I followed the asdm instructions in this document: [URL]
I have my backup interface configured as DHCP and the static routes set. Pinging the gateway and other external IP address from the backup interfaces works normally. I have also tried configuring the backup interface as a static address but got the same results.
When removing the primary wan link, all traffic stops. When I ping a external DNS, I get these errors in the log: portmap translation creation failed for udp src inside: 192.168.13.23 dst backup:208.67.222.222_type 8, code0)
I though this type of error is related to a NAT problem, not sure where to look though.
I have a asa 5520 with an outside and backup interface. I am trying to configure two static nat statements from the inside to the outside and backup interface. Here is what I have configured so far.
I have a not-so newly installed LMS4.2 Linux appliance. Here is my configuration archive summary:
Config Archival Status No. of Devices Successful 7 Failed 1338 Partially Successful0 Total1345 Configuration Never Collected 1338
[Code].....
Which seems to mean that SSH does not work, which is false as I manually connects to the device from the LMS host successfully. Network devices access is authenticated against ACS servers using TACACS+ so there should be no problem with credential discrepency here.
I have a question about a daily archive sync job. I have the job set to run by device type groups. My question is, when I delete or add devices, will they automatically be added to the job?
I'm working on setting up a backup link for our ASA 5505 and I've followed these directions: [URL]
The backup ISP gives us a dynamic address, however, when I enable the backup ISP's interface on the ASA, my vpn tunnels drop. As soon as I disable the backup interface, the tunnels come back up. I'm attempting to configure this across one of these tunnels, so obviously this is an issue, as is the fact that other people need the tunnels as well. I'm not sure what I did to make this happen, but I've been over the config many times and can't see anything different from the instructions in the link above.
I thought it might be trying to route traffic across the backup interface, but my primary interface is tracked and has SLA running on it, so I would assume it wouldn't roll over onto the backup interface.
I like to take log backup in ASA.. and i like to check whether any attack pattern is there?? how could i do this...?Also how could i do a best practise for this?
I've inherited a server running Ciscoworks LMS 4.0 to manage our plethora of switches. Running 'Configuration > Configuration Archive > Synchronization' against a Catalyst 3750 switch called switch1 successfully retrieved the Running, Startup, and VLAN configs.Running the same command the following day on switch1 failed and returned this in the job execution result:Unable to get results of job execution for device. Retry the job after increasing the job result wait time using the option:Admin > Collection Settings > Config > Config Job Timeout Settings I modified the job result wait time setting to be 600 seconds, tried again and received the same timeout failure. I have also seen this same Failed message on other devices, but have never actually received the configs for them, so I feel switch1 is a better place to start.What are the first things I should check in CiscoWorks for a problem like this? Is there a particular software revision I should be on with LMS 4.0? What timeout value should be used for Archive Synchronization?
I must create a point-to-point vpn connection with two firewall cisco asa by using certificates. Do i have to buy 2 separate certificates or one is enough?
I am having a wierd case, where in i have a 5520 and i am not able to ssh into that firewall. When did a capture on that firewall it shows my connection is getting reset as soon as i try to ssh into the box. Given below is the config for ssh into the firewall.
My ASA confi are as follows. i cant to do use ASDM, HTTP, Telnet from my local interface and ip 192.168.0.46 &14.My ASDM is ok as i can connect other ASA. what mismatch here i cant understant.
I am trying to configure a server(192.168.5.50) in DMZ(192.168.5.0/24) to be able to communicate with a domain controller(10.5.44.220) in the inside network(10.5.44.0/24). I made some configuration using ASDM(not familiar with the CLI) but not working and it caused existing NAT not to work, for example RDP(TCP 3389) connection to 38.96.179.220
The things I am trying to achieve are
1. two way commucation between 192.168.5.50 in DMZ and 10.5.44.220 in Inside for SecureAuthPorts and SecureAuthOutbound service groups
2. NAT for 192.168.5.50 mapping 38.96.179.50 for the service groups mentioned above
I am trying to setup email alert on our ASA 5520 so that i can receive emails to my exchange account below is the configuration [code] The smtp server is in our internal network.first i am not able to ping 172.17.1.12 as ping is blocked.i did this confgi like two days before..but ca see alerts and error messages through asdm but no mail is coming in.
I have new ASA 5520 units currently we are using ASA 5510... I have to migrate all the configuration to the new ASA 5520 units....I am wondering is there a possible way to export and import certificates from ASA 5510 to 5520....
how to export or copy all the configurations, plug-ins, certificates from 5510 to 5520.Existing configuration snapshot...CA certificates from third party installed for authentication and identity certificate from Verisign
I am trying to configure multi context on the 5520 ASA , how can i configure 1 outside and 1 inside for the 2 context or how to configure both outside from the same subnet and insides also from the same subnet , i did the below configuration but didn't work . [code]
I've gotten to the point where I can test against active directory and get in, also I can get AD groups from my server on the ASA. My problem, I can't connect in via my AnyConnect client on my Android. I immediately get a "log in failed" and I know I'm using the right username/pass. Doing a little troubleshooting, I have attached my AnyConnect debug log and the results of the "debug ldap 255" command on the ASA. Also, I've used ldp.exe to determine I can connect in with the username/password combo I'm using.Combing through the AnyConnect logs I see a few instances of "global error unexpected" but no Google searches have brought up anything useful.
My question is very simple is there any way or feature that could allow us to have a backup VPN tunnel on at the secondary ISP at the asa 5520? Lets assume if the primary isp goes down is there any way for the VPN tunnel come online at the backup isp ? [code]
Cisco ACS 5.x appliance?How to back up Config?What is best way, via TFTP? COPY Startup-config tftp:?COPY Running-config tftp:?I currently use Solarwinds CatTolls to back my Cisco Switches, can I use this for Cisco ACS also?
how to backup the configuration of ACS 5.3 then restore it on the secondary ACS 5.3 Appliance in order to save time without configure the 2nd Appliance?
I'm busy on configuring the backup of the configuration from Nexus switches 5K and 7K.I have installed COPSSH on my windows server and try to confiugre the sftp credentials. [code] I have tested from the CLI from the switch and i have the issue but if i use the default vrf 'default' it works fine.How can i change the command sent by DCNM to the Nexus in order to specify vrf default and not vrf management ?
Is it possible to create a job what automatically export the devices configs that are in the folder CSCOpxfiles medemushadow? It would be wonderdul if CW could export the .cfg files into a .rar and send in email or something like this.
I recently tested the process for a customer of defaulting a Cisco WLC to factory configuration and then restoring the configuration from Cisco NCS. It was not seamless to say the least and I wonder if I have just gone about it the wrong way.
Have have set the NCS platform to configuration sync with the 5508 controllers at 04:00 every day and prior to the controller defaulting I ensured that NCS also reported that the config was in sync. I have also set NCS to complete a tftp backup of the controller every night 23:00 - interestingly though I have no idea where this is stored on the NCS platform ( a VM appliance ) or what it's file name is.
Anyway my experiences where as follows:- 1. defaulted WLC and via serial CLI ended up at the configuration wizard. 2. Set the correct LAG, management IP, host name that NCS knew this controller by. 3. To test things just created a dummy WLAN ( SSID ) as I assumed this would be overwritten ( big mistake ! ).
At this point I connected the controller to the network and tried to restore the configuration from the config sync version.
First problem - you have to remember to set up the SNMP community string you were using as it is needed by the configuration sync process. After adding this to the controller I could push the configuration to the controller.
Second problem - failed to add the first WLAN from the backup as I have added the temporary dummy W LAN via the wizard and NCS reported a conflict. So had to delete WLAN ID 1 from the WLC GUI directly and then the config push no longer reported this error.
Third problem - for some reason did not add the TACACS server details - reported the error that it could not added them. I manually added these via a template via NCS and all was well.
Fourth problem - all but the first WLAN was in the disabled state - had to re-enable all of the WLANs.
Fifth problem - any default items I had disabled or removed have not been saved - therefore I have removed the public and private SNMP communities - but these were still on the WLC after the restore. I have disabled unused ports not in the LAG as they show an error in NCS - these where not disabled after the restore.
So all in all not a very satisfactory restore process from NCS to an defaulted WLC ( meant to simulate to the customer what would be needed if they had to replace a controller due to hardware failure ).
(result) once logged in, it automatically showed running-config. However when I tried with PI 1.2 with this user (inout). I couldn't do configuration back.
reference [URL]
create certain user with read-only privilege while PI 1.2 is able to do configuration archiving ?
I have a Cisco LMS 4.2.1 on a Windows 2008 Server R2 platform and I would like to backup the configuration of my WS-C4503-E version cat4500e-universalk9.SPA.03.03.01.SG.151-1.SG1I create the job in Configuration > Configuration Archive > Synchronization and after the execution of the job, I check th status in Admin > Job > Browser: I don't know why the archive doesn't exist. It's a newly install.
I am currently stuck to setup an automated configuration backup for ACE Blades. I found a script to backup the ACE from the Cisco ANM box but unfortunately I am not very familiar with Linux. (script) in place, to "pull" the ACE config from a Microsoft system ?
I have 2960G that in rommon status.I need that the switch work in 0x2102 (regular mode).I don't have a backup to configutratuio in my PC.I do wr before the switch go to rommon (startup config).What to do in order to the switch will be in 0x2102 (regular mode) with the same configuration( before the switch go to rommon)?