Cisco Firewall :: ASA-AC-M-5520 Migration To ASA-AC-M-5585?

Jan 23, 2013

I have ASA-AC-M-5520. Can we migrate the license to ASA-AC-M-5585?



Cisco Firewall :: ASA 5585 / Identity Firewall With Single Forest / Multi-Domain

Dec 28, 2011

I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain Windows network. Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains. Here is the setup: I have 3 domains.

Both domains have a two-way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially set up the ASA to look at using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain controller, configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users it is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.

The Cisco documentation states the following:

• Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).

Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.

Reading that, it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get it to communicate with the lower level domains.


Cisco Firewall :: 5585 - CSC And AIP

Oct 7, 2011

Does the 5585X support BGP? What if someone wants to use the Antivirus + IPS feature in that? I have seen IPS modules for 5585X but it looks like the antivirus module is not available for 5585X.


Cisco Firewall :: QOS Configuration On ASA 5585?

Nov 29, 2011

I want to configure QoS for 2 different VLANs, each VLAN for 2 mbps bandwidth (VLAN details: VLAN 10 (10.10.x.x/24) and VLAN 20 (20.20.x.x/24)). Is there any difference regarding initial configuration between ASA 5520 and 5585?


Cisco Firewall :: Setup ASA 5585 Out Of The Box?

Jan 29, 2012

I am not conversant with firewalling. However, I need to set up a Cisco ASA 5585 out of the box.


Cisco Firewall :: Upgrading PIX 525 With ASA 5585-X / SSP-10

Jun 24, 2012

We are working on a client move from PIX 525 to ASA 5585-X, SSP10. This is a production environment and a very critical migration. What are the gotchas which we should be aware of?


Cisco Firewall :: 5585-x With IPS SSM 40 Module

Jun 2, 2013

We have installed 5585-x in active/active mode with transparent firewall. We have created two virtual sensors for vs1 and vs2 in the IPS module and linked them with ASA contexts C1 (vs1), C2 (vs2) and admin (vs0).

As the firewall is working in transparent mode, we have bridge IP address for context C1 and for context C2

I have added a default route for context C1. It is in the outside of asa and SVI on switch. For the other context C2

IP address range for the IPS module and what should be the gateway for IPS module. As the traffic is coming from outside and going to inside interface of ASA.


Cisco Firewall :: ASA 5585-X Licensing

May 6, 2012

I have registered the license purchased for the ASA 5585X appliances and have received the following listed as features.
Failover : Enabled
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 20
GTP/GPRS : Disabled
AnyConnect Premium Peers : Default
Other VPN Peers : Default
Advanced Endpoint Assessment : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Shared License : Disabled
UC Phone Proxy Sessions : Default
Total UC Proxy Sessions : Default
AnyConnect Essentials : Disabled
Botnet Traffic Filter : Disabled
Intercompany Media Engine : Disabled
10GE I/O Plus : Disabled


Cisco Firewall :: ASA 5585 HA Failover?

Sep 24, 2012

I have a pair of ASA 5585 configured with 2 contexts, C1 & C2. C1 is active on ASA-1 & C2 is active on ASA-2. I did a failover test: a ping was initiated to a host residing behind ASA-1 in context C1, and I powered off ASA-1. Then both contexts became active on ASA-2; however, during this failover I saw 4 ping packets drop.


Cisco Firewall :: ASA 5585 ASDM Won't Load

Jan 28, 2013

I have a new 5585x with only basic ip information on it. I can't get the ASDM to load from any interface. Browser just says cannot load page. I upgraded to 9.1 and ASDM 7.11-52. (Also did not work before I upgraded.) I can ping the management 0 interface and can tftp data to and from it. Also unable to telnet to the management interface.


Cisco Firewall :: More Detailed Specifications For ASA 5585-X

Aug 29, 2012

Is there any document in which it is specified how many ACE rules are supported in an ASA5585-SSP-20? I need to compare this and several other specifications versus a FWSM. I found the information for the module, but not for the ASA 5585-X. In the data sheet this information is not specified.


Cisco Firewall :: 5585 - Getting ASA 8.4(2) ASDM-SSH Access From VPN?

Sep 21, 2011

I have a 5585 with version 8.4.2. I have issues accessing the ASA using ssh or asdm via remote access vpn. The configuration details are the following: -- address assigned from the pool -- inside interface address in the ASA
1. The VPN establishes without problems and I can reach any inside resource, also I can ping the firewall.
group-policy pol1 attributes
 vpn-tunnel-protocol ikev1 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value pol1_splitTunnelAcl


If I allow the direct http/ssh connection to the outside/inside interface, it works perfectly.


Cisco Firewall :: CPU Usage Per Context On ASA 5585?

Jul 3, 2012

I am currently working with ASA 5585 with several contexts. What is the percentage of the CPU used per context? I already have the opportunity to do it for the whole ASA (context admin) using the SNMP mib CISCO-PROCES but, unfortunately, this mib doesn't allow us to know the percentage of used CPU per context.
I was able to know the number of cores used per context but not the percentage of the CPU used.


Cisco Firewall :: 5585 - ASA Shared Licenses With 8.3?

May 2, 2011

Shared licensing of ASA? I have 2 ASA 5585 in a cluster and I have to implement an SSL / VPN license. My question: Since I have a cluster in 8.3 version, can I use only one VPN / SSL license for the two, without necessarily implementing the Shared Server licenses and participant?


Cisco Firewall :: ASA 5585-X Multicast Support?

Feb 23, 2011

Is it true that the new ASA Platform 5585 does not support Multicast? Here on Page 7: [URL] because the old ASAs support Multicast.


Cisco Firewall :: Visio Stencil For ASA 5585-X?

Aug 29, 2011

Where can I get a Visio stencil for an ASA-5585-X?


Cisco Firewall :: 5585 Can't Access ASA HTTP Server

Jun 20, 2011

I just upgraded my ASA 5585 cluster from 8.2 to 8.4. I also upgraded the asdm .bin from 6.35 to 6.43. After rebooting the cluster, I tried to access it with ASDM installed on my computer but it blocked at 17%. I tried to access [URL] but I just get an error (with IE & FF). What did I miss in the configuration? I should point out that I never used the http page; I already had the ASDM installed from another ASA.


Cisco Firewall :: ASA 5585 Multiple Context Licensing

Apr 27, 2011

I am looking to deploy a cloud/borderless network solution and cannot get my head around how the licenses (AnyConnect Mobile and essentials) will be applied in a multiple context deployment. Any correct documentation.


Cisco Firewall :: 5585 - Design ASA Connecting To Two Switches

Sep 15, 2011

ASA design. I have two Cisco ASA 5585 which are connecting to two Nexus 7K. I looked at one design and it seems I can make redundant interfaces on the ASA and put two physical interfaces (Link1-1/1-2) into it; however, the downside I can see is it will utilize one link out of 4 at one time. As per my understanding, if I make a redundant interface on ASA 1 and put 1-1/1-2 into it, only one link would be active at one time. This will force Nexus2 to send all traffic to Nexus 1 in order to reach the ASA. Ideally I want a solution where both switches could send traffic straight to the active firewall and, in case of failure, both links to the standby firewall.


Cisco Firewall :: 5585 Configuration BVI Transparent FW And VLAN

May 28, 2013

I have a problem with the configuration of a Firewall ASA 5585 with the BVI Interface and transparent Firewall. I have 2 VLANs that I want to interconnect.

The problem is with the configuration of the VLANs. The traffic does not cross the FW.


Cisco Firewall :: ASA 5585 Asdm - Block Team Viewer

Jan 3, 2012

I want to block TeamViewer using Cisco ASA-5585 ASDM.
How do I block it using a regular expression?


Cisco Firewall :: 5585 - BVI Doesn't Show Up In Multi Context ASA

May 7, 2013

I have an ASA 5585 in transparent mode, multi-context. It seems that the option to configure a BVI in one of the traffic contexts isn't there. In other words, while I see the option to configure a bridge group interface in the admin context, no such option comes up in the traffic context.


Cisco Firewall :: 5585 / Have Context In Transparent And Routed Mode?

Apr 24, 2012

Is it possible to have contexts in transparent mode and routed mode? That is, if I need three contexts, then 2 of them are in routed mode and one of them is in transparent mode. If yes, then how? I can't find this info on the Cisco website. I have a 5585-x and ASA version 8.4.


Cisco Firewall :: ASA 5585 - Advantage / Disadvantage For Using Multiple DMZs

Oct 16, 2011

We are planning to use multiple DMZs in our organization. We are using a Cisco ASA 5585. What are the advantages and disadvantages of using multiple DMZs? And which is better: to use one or two DMZs, or to split every service into a different DMZ?


Cisco Firewall :: ASA 5585 / SSP 40 - 10Gig Interface Needed For Log Server

Apr 26, 2013

We have deployed a few ASA 5585 SSP40 in our data centers to separate different customer/security zones connected with 10Gig interfaces. Currently we have a dedicated log server attached to each ASA connected with a p2p 10Gig interface. While detailed log information is considered important, I somehow have the gut feeling all this high end equipment and bandwidth is used a little too wastefully. I have little experience with these big firewalls and I have not yet seen the equipment in an attack situation; however, I doubt a firewall could ever generate 10gig of log data while doing the primary firewalling job at the same time. Looking at the typical packet size of a syslog message, I don't even believe a 1 gig link could ever be saturated with pure syslog messages.


Cisco Firewall :: ASA 5585- TCP Syslog / Logging Permit-Host Down

Jul 5, 2012

We have a firewall service environment where logging is handled with UDP at the moment. Recently we have noticed that some messages get lost on the way to the server (Since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP. You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security context and find out that all the connections through that firewall are now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
The TCP syslog connection failing was caused by a mismatched TCP port on the server which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message: "%ASA-3-201008: Disallowing new connections."
Here start my questions:
- New connections are supposed to be blocked when the TCP Syslog server is not reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic? 
- I configured the "logging permit-host down" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this? 
- Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this? 
- After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either. 
- As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation. 
At the end I was forced to save the configuration on the ASA's flash memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem. Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the "logging permit-host down" command or changing back to UDP didn't work.
It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configurations on. Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isn't corrected by any of the above measures we took (like the command "logging permit-host down" which is supposed to avoid this situation altogether).


Cisco Firewall :: ASA 5585 Transparent Mode With Multiple Contexts

May 6, 2013

We are deploying the Cisco ASA 5585 in transparent mode with multiple contexts. The port-channel was configured to connect to the core switches using a dot1q trunk. We are experiencing an issue: the core switches are configured with loop guard globally, therefore the port-channel connected to the firewalls will be put into an inconsistent state when the failover happens, and in the end the two firewalls cannot complete the failover.
I have two queries below: 

1. Does the firewall allow the BPDU to pass through when it is in standby mode? For example, the secondary firewall is active for group 2 and standby for group 1. Does the secondary firewall block the BPDU from the VLANs under group 1?
2. Can we disable the loop guard feature on the switch port-channel or is there any other way to solve this issue ?


Cisco Firewall :: Migrate Checkpoint Configurations To ASA 5585 Using SCT Tool

Oct 28, 2011

I am trying to migrate Checkpoint configs to ASA 5585 using the SCT tool. This tool is asking me to feed it the *.W file from Checkpoint, which is supposed to be a rule definition file on CP, but I can't find it.


Cisco Firewall :: ASA 5585 Running 8.4 - Asymmetric NAT Rule For Remote VPN?

Jun 7, 2013

We have several L2L tunnels with remote networks that access networks inside. I am using object-groups to define the networks, then using the same object-groups in the twice-nat so the networks are accessible. For example:
Remote Network - defined as object "RemoteA"
Inside Subnet - defined as object "LocalA"
object-group network RemoteVPN
 network-object object RemoteA
 network-object object RemoteB

I receive the "Asymmetric NAT rules matched for forward and reverse flows" error, indicating Source of "RemoteA" IP and destination of "LocalA" IP. Typically this indicates a missing twice-nat; however they are in the object-groups that are a part of the twice-nat specified above. The only way I have been able to clear the errors is to create a new twice-nat using the individual subnet objects. If I do a "show nat object-group LocalVLANS detail", all the subnets are displayed accordingly.
I have many twice-nat statements using object-groups, and working for over a year now. I only started recently having issues with this error; and am concerned it is related to some cap on using object-groups in twice-nat.


Cisco Firewall :: ASA 5585 -Advertising Public Subnets Used By NAT Using OSPF

May 27, 2013

ASA 5585-x10, ver 9.1. I have about 10 public subnets that will be used for NAT translation on the outside interface. These subnets are different from the subnet of the outside interface. Is there a way to advertise these routes using OSPF from the ASA?
I tried to redistribute a static route, but can't make the destination router an interface that is on the ASA. I don't own or control the upstream router.


Cisco Firewall :: 5505 / 5585 - Licensing Change On ASAs

Jan 16, 2013

I just learned that the licensing structure for the ASAs is changing, but I don't have any details. We have roughly 30 ASAs (from 5505s to 5585s).  If there's a licensing change, I need to do an impact assessment and plan accordingly. 


Cisco Firewall :: 5585 - Two Different Subnets Assigned To Single Bridge Group

Apr 9, 2013

We are deploying two Cisco 5585 in transparent mode and multiple contexts. They are running Active-Active failover.
There are a lot of VLANs that need to be added in the contexts; we are trying to use the fewest contexts to fulfill this.
ASA supports 8 bridge groups for each context, and a maximum of 4 interfaces for each bridge group.
We have assigned four interfaces in different VLANs, set two of them as a pair with one IP subnet, and the other two interfaces are in another IP subnet.
For example :
Bridge group 1:
inside1  and  outside1    ------->
inside2  and  outside2    ------->
However, we can only make one subnet (VLAN pair) work when the BVI is set to that IP subnet. If the BVI set to, the inside1 and outside1, the other pair does not work. If the BVI set, then only inside2 and outside2 work.
Since the BVI can only be assigned to either of the subnets, is it possible to make both VLAN pairs work? Or can we only have one subnet in one bridge group?


Cisco Firewall :: ASA 5585 - Enable Same Security Level Interfaces To Communicate

Jul 14, 2012

I have ASA 5585 with SSP20. I want to enable same security level subinterfaces (routed mode) to communicate with each other. 
I have put below command at global level but somehow it is not happening.
hostname(config)# same-security-traffic permit inter-interface
Do I also need to check for NATing or some other things apart from above command?

