Cisco Firewall :: ASA5505 Lose Configuration If Upgrade Firewall
May 17, 2011
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
I want to confirm if the upgrade license (ASA5505-SW-10-UL=) is backward compactible with PIX 501 firewall device? though pix 501is end of life bit i want to verify if the upgrade license for asa5505 will work with it?
what the upgrade path is for 5505 ASA . I have one which is version 7.2 and need to upgrade it to 8.4(5). I have read that it needs to upgraded btwn major release versions.Not sure if I need to upgrade from 7.2 - 8.0 , then form 8.0 - 8.2, then from 8.2 - 8.3 and finally 8.3 to 8.4 or can I just upgrade from 7.2 - 8.2 and then from 8.2 - 8.4 .Also what is the minimum memory requirements for vers 8.4 .my ASA running on vers 7.2 currently has 256Mb Memory and I will be upgrading this to 512MB before I do the upgrade the image above?
however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.
allows hairpinning to successully work from the same machine. Meaning on any given host, I can ping itself using the private or public ip, but I can't get the right combination for hairpinning from any private host to another private host via the public ip. Other combinations have yielded icmp responses, however, they specify the private IP as the source of the reply instead of the public ip.
I am using a Cisco E4200 router today but I am moving to a ASA5505. I have a device that sets up a VPN tunnel that I want to put in my DMZ. It's called the ATT Gateway. I have attached the diagram. When I use a Cisco E4200 all I do is put the outside private ip address of 192.168.0.99 of the ATT Gateway into the DMZ of the E4200 and the VPN tunnel of the ATT Gateway comes right up. I cannot configure the DMZ to do the same with the ASA. I also need to have the laptop behind the gateway access the printers in the inside network.
I am trying to configure a trunk between the above two devices. I like to have vlan11 on ASA. Then I like to connect a host to my switch, and have it communicate with other devices in VLAN 11 or other vlans that reside on the ASA. Below is the config that I currently have.
ASA: ciscoasa# show run interface Ethernet0/1 ! interface Ethernet0/1
so we have been using our current ASA5505 for a long time. Since it only support up to 10 VPN licenses, so we buy a new ASA5505-SEC-BUN-K9(support up to 25 users).
the old ASA are running: 8.0.3 and ASDM 6.0.3 the new ASA are running: 8.2.5 and ASDM 6.4.5
I thought it would be simple as export and import the config file, but when i tried to restore, the new one is looking for a zip file but the old one doesn;t backup file in ZIP. It looks like i need to update the ASA version or/and ASDM?
I am pretty new to this and never upgrade any of these versions since I am aware of the upgrade may mess things up. So do I need to upgrade both the ASA version and the ASDM in order to restore my config? any effect if i do the upgrade? I also read some articles, we need to upgrade on the version one by one, like 8.0 to 8.1 then 8.2?
I am wondering if it's possible to convert a Pix 501 configuration running version 6.3(5) to a new ASA5505 which we just purchased? We have site to site VPN on this device and i am just trying to save some time. I believe Cisco TAC might have a tool to do this but i am not sure.
I’m trying to configure my ASA 5505, in order to allow my inbound and outbound mail communications. Here with this mail I’ve attached a diagram which illustrates my exact network setup along with ip addresses.
In this setup I’ve enabled port forwarding on my ADSL router (port 25 and 110) and configured the ASA accordingly, and my mail server is located inside my network.
My problem is currently I can send mails from my inside network to outside but my not receiving any mails which originate from outside. I’ve attached my current ASA configuration as well,
I am planning the upgrade of an ASA 5550 Active/Passive cluster from 8.0 to 8.2 according to the "zero downtime upgrade" documentation available in the web.
I do not have another cluster for comprehensive testing, but I executed a simple migration procedure on a tiny 5505 and neither licensing features nor the configuration (the command sintax) were affected by this process. I know this is something to care about if you go to 8.3, but this is not my case.I browsed the release notes of 8.2(5) and no special disclaimer was found by me with respect to this release. So everything should work just fine, but I would like to double check for input with respect to these two subjects:
1.Will the licensed features (vpn, concurrent connections, etc) be preserved? 2. Will the configuration be preserved ?
I am forced to upgrade my ASA 5520 software from 7.1 - 8.2 or higher, as I am not familiar with ASA I need expert opinions.I have following concerns regarding the upgrade.
1-Do I need to worry about the software licensing when I download 8.2
2-I read about the few difference in commands (ACL and NAT) in 8.2 what exactly I have to do here should I change the configured NAT and ACL with real IP in the existing configuration after the upgrade ?
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
interface Ethernet0/0 description Connected To Internet Router switchport access vlan 10
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
Internet ISP -> Juniper SRX 210 Ge-0/0/0 Juniper fe0/0/2 -> Cisco ASA 5505 Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (126.96.36.199).
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30) 2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA. 2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop. 3. Allowed all services in untrust zone in bound traffic in Juniper SRX. 4. Viewed the logs when I was trying the ping 188.8.131.52 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (184.108.40.206).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver Cisco Adaptive Security Appliance Software Version 9.0(2) Device Manager Version 7.1(2) Compiled on Thu 21-Feb-13 13:10 by builders System image file is "disk0:/asa902-k8.bin"
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
I have a problem with an internet connection with a customer.They have a Zyxel 660 in bridge mode and the public ip is delivered to the eth0/0 outside interface of a 5505 ASA.They lose internet connectivity a couple of times per hour. What solves the problem immediately is disconnecting the ethernet cable from the eth0/0 and then directly plugging it back. Then it runs for 20-30 minutes or so.The isp doesnt't notice any errors on the dsl connection, only that they cannot ping the outside interface from time to time (duhhh)However, yesterday, when problem appeared for first time , I noticed that this Zyxel was very hot since it was placed on top of the ASA. Now it is set apart.In the meantime I already replaced all cables, but I think it's the Zyxel so I urged that the ISP send a new Zyxel.Though it sounds strange. [code]
I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if icmp would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?
Here's an quick drawing:
Here are the configurations:
Local router: hostname sdc-1811-LocalLab ! boot-start-marker boot-end-marker ! no aaa new-model ! resource policy
We have an ASA with 8.4(5) version. we had detected that few ip's were getting shunned ,to overcome the problem no shun was used and the traffic normalised.But, the same problem re-occured a few days after that with logs showing traffic being shunned.
is there any fixed way to get rid of this. what commands can i use to verify related configuration on the firewall.
I have one firewall need to be configured in transparent mode. I have inside and outside router. What is the configuration of transparent firewall ASA8.2. I didn't find the configuration on Cisco site.
I am trying to set the PIX firewall to transparent mode.After I set it to transparent firewall, I allowed all icmp, tcp, udp traffics.Currently, any devices in the inside network can get the ip automatically from DHCP server in the outside network but cannot ping to any servers in the outside network either access the internet.Do I need additional confiration on the firewall?
Here's the configuration:
PIX Version 7.0(1) firewall transparent names ! interface Ethernet0 [Code]....
I want to configure an ASA 5505 in transparent mode (7.x). Somehow, I got it to work.. but i need some kind of step by step description. I just want to connect it with outside on a route .. inside in my LAN. Its working now with one ASA. But in the Web Interface the Interfaces inside and outside are down.. but its working.
I have recently gone to upgrade my firewall to version 8.4.4, but afte i upgraded this all the network objects have all got jumpled up, lost there descriptions lost there names and there are some duplicates.
After upgrade C7609S routers from:c7600rsp72043-adventerprisek9-mz.122-33.SRD4.bin to c7600rsp72043-adventerprisek9-mz.150-1.S3a.bin I lose interface with ip mpls configure form the MRTG SNMP pooling system. cfgmakre not see any more that interfaces (intrefaces fall on ($if_ok) filter). Other interface which not have a ip mpls configured is normally visible in the our MRTG monitoring system. From my site it is looks like that interface when I configure ip mpls go to unknown state for MRTG. That interfaces are not any more ethernet type.I can reach interface with configure ip mpls only with manual configure *.cfg file with ifindex value.
Setup new Cisco 861 and working well for a new BTNet line for the customer. Changed the firewall using CCP from Zone to Classic Firewall. Worked great all day and configured what I needed to do.Now, with CCP (version 2.6) have the following message.Cisco CP has detected that the router is configured with either legacy and Zone Policy Firewall (ZPF) or Legacy firewall. If you want to use Cisco CP to configure an zone-based firewall, you must first delete the Legacy configuration.
Is it possible to use IP "aliases" on an ASA5505 to use as static NAT public IPs to private IPs? For example, I have int e0/0 connected to my ISP using a /30 subnet and I have my private LAN connected to e0/1 with a /24 subnet. At the moment I can use the one usable IP from the /30 to NAT to the private LAN. The ISP is also routing a /28 subnet to the one public IP of the ASA. I would like to use some of the /28 IPs for NAT also. Can it be as easy as just adding the NAT commands? I figure I would have to add that subnet to the ASA somehow, no? In other devices (including the SA520) they use a concept called IP aliases whereby you define what additional IPs the device can use in its NAT config. Does the ASA support aliases? Maybe I have to do something with VLANs?