Cisco Firewall :: ASA5510 Configuration Restore After Being Replaced By RMA
May 29, 2011
Have a 5510 in Routed mode, simple Static NAT to interface two networks (inside_1 is my private space, and outside_1 the larger intranet that hosts heavy traffic). outside_2 faces internet via pppoe just for VPN purposes.
It was operating fine for one year then one port broke (outside_2, internet), leaving no vpn. We followed RMA service replacement and the new unit came with upgraded SW (8.0.4) than the one the original config was created on (8.0.2).
To ease the replacement, I did downgrade the sw boot image. Then I did restore the config by tftp to the startup-config and then a reload. Everything seems to load fine.
Problem is that testing reveals some sort of issue: I can ping some of the intranet hosts but can't reach gateway, thus larger segment of hosts become unreachable. It seems as if the NAT mechanism can't find the next gateway where to hop. For debug practice, I've enabled all the icmp stuff so ping wasn't being blocked by the device.
Being given the fact that this config was up and running prior to the replacement, I've no reason to suspect any mysconfigured items (ie routes, NAT, access-list), but obviously I'm obfuscated and can't see what else I'm missing.
How is that possible that the PING only reaches certain hosts? Pinging to 10.15.5.90 works (Route is 0.0.0.0 0.0.0.0 to 10.15.5.126 (gw)), but pinging to the gateway itself doesn't (10.15.5.126) and even worse, hosts like 10.15.167.210 do not respond either.
I have the configuration file of the ASA 5505 I have another exactly model that asa is new but this my first time working with an ASA.
I going to configure it an ip address in the 0/0 interface and then use TFTP to upload the config to the start-up config and the save it and reload the ASA.
What is the easiest way to restore my config? I backed it up yesterday with my tftp server. Today I made some changes and messed some things up and need to restore the config from yesterday.
while configuring my ASA 5505 I changed the IP address range of the internal network. Obviously I made an error because I cannot reach the box neither at the old nor the new address. How can I restore the interface and firewall definitions or reset the box to its initial state ? I found a doc how to reset the password, but not explaining how to restore the complete initial config.
so we have been using our current ASA5505 for a long time. Since it only support up to 10 VPN licenses, so we buy a new ASA5505-SEC-BUN-K9(support up to 25 users).
the old ASA are running: 8.0.3 and ASDM 6.0.3 the new ASA are running: 8.2.5 and ASDM 6.4.5
I thought it would be simple as export and import the config file, but when i tried to restore, the new one is looking for a zip file but the old one doesn;t backup file in ZIP. It looks like i need to update the ASA version or/and ASDM?
I am pretty new to this and never upgrade any of these versions since I am aware of the upgrade may mess things up. So do I need to upgrade both the ASA version and the ASDM in order to restore my config? any effect if i do the upgrade? I also read some articles, we need to upgrade on the version one by one, like 8.0 to 8.1 then 8.2?
I have 30 IP cameras with a private IP address: 10.1.1.1 – 10.1.1.30. I have a Cisco ASA 5510 firewall. I want to be able to use one public IP address, example, 50.50.50.50
With a specific port to go to a different internal camera, Example 50.50.50.50:3001 should be NATTED to camera 10.1.1.1 50.50.50.50:3002 should be NATTED to camera 10.1.1.2 [code]....
How do I do this? I know how to create NAT… just not like this.
Is there a document that explains how the configurations are updated to the standby ASA and what needs to be manually added tot he ASA? I have two ASA 5510 running ASA ver 8.3(2) and ASDM 6.4(1). When I add static routes to the primary ASA the routes are not sent to the failover ASA. Is this to be expected or do I have a bug?
I'm having a cow of a time trying to implement a NAT configuration after having upgraded our ASA5510 recently from IOS 8.2 to 8.4. The upgrade went fine, however we now have a need to add a new NAT rule and I'm not sure whether it's possible.
The upgraded NAT rule and access list works fine at allowing external access to a web server.
However we now need to NAT the SOURCE address (either to a pool or single address) of incoming http requests before forwarding the request to the server. Hence the server will see all requests as originating from a pool with a route heading back to the ASA. The basic issue is that the severs default gateway does not return to the ASA, so "tagging" the source address of external requests to an address or interface associated with the ASA should allow the server to return the traffic to the ASA. I know we shouldn't be doing it this way but we can't see any alternative.
Having read a huge amount of examples we can access the server with the above config (or Object NAT), and we can NAT incoming traffic,however we can't combine the two by having all external http requests Source Natted before forwarding to the server.
We are replacing our EOL Watchguard X1000 Firewall(s) with Cisco ASA 5510 unit - ASA Version 8.4(3). Following is the static NAT I have build and the corresponding access list.
access-list FW2Outside_access_in extended permit tcp any object BW_XSP1_Public object-group DM_INLINE_TCP_1
Unable to access the server on the inside interface via the public NAT address. Can you point me in the right direction as to what I might be missing to make this work?
I Changed my old firewall by an ASA5510, since that change my internet connexion is slower.Some websites takes longer to display.I would like to know if there are some specific configuration about TCP connection or DNS to setup?
I just configured the ISP DNS :
Dns server-group DefaultDNSname-server 194.2.0.20 name-server 194.2.0.50
I'm trying to track down the installation and configuration procedures for the common criteria EAL4 evaluated ASA5510 but not having any joy.
The ASA Release 8.3.2 certification report [URL] identifies the required configuration documentation as the "Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform Common Criteria Operational User Guidance and Preparative Procedures" but I can not find any reference to this on the Cisco web site.
So far I've only been able to locate the proceedures for the older 7.0 release. [URL]
How to locate the correct documentation needed to configure an ASA5510 to achieve the common criteria EAL4 evaluated configuration.
I try to setup a ASA5510, but without success. Actually, I have Cisco1800(192.168.96.1/21) from my ISP connected to a Cisco 3825 (via port with IP 192.168.96.2) all is working good. Now I want to insert a asa firewall between ISP router and 3825.
For that, I tried a more simple config : ISProuter (192.168.96.1/21) ---- ASA outside port(192.168.96.2/255.255.255.248) ASA INSIDE port (192.168.100.1/255.255.255.0) --- a pc with IP 192.168.100.2, netsmask 255.255.255.0, gateway 192.168.100.1 From my ASA, I can ping 192.168.96.1. but a "ping INSIDE 192.168.96.1" fail from py pc, can ping 192.168.100.1, but not 192.168.96.1 Here, my ASA config :
ASA Version 7.0(8)host name cisco asa enable password 8Ry2YjIyt7RRXU24 encrypted password 2KFQnbNIdI.2KYOU encrypted names dns-guard ! interface Ethernet0/0 shutdown no nameif no security-level no ip address [code]....
A few weeks ago, I replaced a PIX 515E with a pair of ASA 5520's. We have a few basic web applications behind the ASA's. Nothing complex; just port 80/443 traffic. During the swap, we basically just copied the config from the PIX to the ASA. So the config is virtually identical.
Since the swap, we have one small set of users who gets timed out when trying to get to the application. This small set of users are scattered across the state of Alaska, and they are all accessing the Internet via a satellite connection. All other users across North America can access the application just fine.
Since the satellite connections are relatively slow, but they worked fine when going through the PIX, I suspect the issue is a difference in the default TTL (or similar parameter) between the PIX and the ASA.
I recently tested the process for a customer of defaulting a Cisco WLC to factory configuration and then restoring the configuration from Cisco NCS. It was not seamless to say the least and I wonder if I have just gone about it the wrong way.
Have have set the NCS platform to configuration sync with the 5508 controllers at 04:00 every day and prior to the controller defaulting I ensured that NCS also reported that the config was in sync. I have also set NCS to complete a tftp backup of the controller every night 23:00 - interestingly though I have no idea where this is stored on the NCS platform ( a VM appliance ) or what it's file name is.
Anyway my experiences where as follows:- 1. defaulted WLC and via serial CLI ended up at the configuration wizard. 2. Set the correct LAG, management IP, host name that NCS knew this controller by. 3. To test things just created a dummy WLAN ( SSID ) as I assumed this would be overwritten ( big mistake ! ).
At this point I connected the controller to the network and tried to restore the configuration from the config sync version.
First problem - you have to remember to set up the SNMP community string you were using as it is needed by the configuration sync process. After adding this to the controller I could push the configuration to the controller.
Second problem - failed to add the first WLAN from the backup as I have added the temporary dummy W LAN via the wizard and NCS reported a conflict. So had to delete WLAN ID 1 from the WLC GUI directly and then the config push no longer reported this error.
Third problem - for some reason did not add the TACACS server details - reported the error that it could not added them. I manually added these via a template via NCS and all was well.
Fourth problem - all but the first WLAN was in the disabled state - had to re-enable all of the WLANs.
Fifth problem - any default items I had disabled or removed have not been saved - therefore I have removed the public and private SNMP communities - but these were still on the WLC after the restore. I have disabled unused ports not in the LAG as they show an error in NCS - these where not disabled after the restore.
So all in all not a very satisfactory restore process from NCS to an defaulted WLC ( meant to simulate to the customer what would be needed if they had to replace a controller due to hardware failure ).
I messed up the IOS on the flash of CISCO881-SEC-K9. On reboot it booted to ROMMON which allowed me to tftp up a working IOS c880data-universalk9-mz.151-4.M3.bin. Unfortunately somewhere in my playing around the default startup configuration factory loaded on the routerhas been erased. I can load a new a config on the device but as I'm using the router to learn its useful to have the original config load when I factory reset the device. What is the factory start up config?
I have a WAG160N and its seems to have reset to factory defaults, no idea why, but when trying to restore the Configuration Backup all I get is "Restore Failure <Unmatched pid>"
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
how to configure IPSEC VPN, but unsuccessfully.At my office are two uplinks - LAN and Backup, both are connected to ASA5510 (with static IP) and I would like to create ipsec to data center where I have another ASA5510 with one uplink.
I am currently working on my first ASA5510 configuration and am running into some issues. The ASA is running 8.2(5). The network setup is as follows:Layer 3 switch with 4 VLANs with ip routing enabled.All systems are pointing to the 3560 as their default gateway. ip route 0.0.0.0 0.0.0.0 10.20.100.30 (asa)The ASA is directly connected to the L3 switch on one of the VLANs. The other VLANs are not established on the ASA, but static routes have been created for them on the ASA.I am able to ping the ASA from the switches, etc.I am able to ping the switches from the ASA When connected to VPN Client to ASA, I am unable to reach anything behind it. When at the office, I am unable to reach the internet from the ASA.The following NAT configuration is in place on the ASA;
One of our ASA5510s lost VPN site-to-site connectivity (ASA v8.2(2); ASDM v6.2(5)53) to one of our other sites last night. The checkbox for Access Interfaces on the Site-to-Site area in Connection Profiles lost its checkbox for the external interface.
I just replaced a printer on my network and assigned it the same IP address as the old printer. When our workstations were XP, all that I would have to do is apply the IP address to the new printer and, as long as the drivers were compatible, the printer would work.Now that we have Win7 on the workstations, it grays out the printer and wont let me re-enable it.
I need to replace a 4402 with a 2504 controller and put a 2504 controller in the DMZ for guest access. The 4402 would be replaced at a remote site (not hreap) and support a couple of wlans, one of those would not be local and would be anchored back to the 2504 in the DMZ for the guest services. All of my 5508's also would be hitting the 2504-DMZ to anchor the guest service as well. Is this still feesable in the 2504 series?
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
i have a ASA5510 in the office, that already configured 3 context, namely, admin, user, server.in the server context, the last running config was not saved, and there was a power trip last friday night. 1 of the sub interface was affected, and i need to recreate that interface.I am getting the below error, it only allow me to do changes those pre-defined interface.how to I create extra sub interface?
We have an ASA5520 with VPN working fine.We replaced the router, which upgraded the OS from v12.2 to v15.0. We duplicated all the addressing and routing statements from the old router. Now the VPN still connects but the outside host can't ping the inside host anymore. The outside host can't ping any further than the inside interface of the router (10.4.1.1). The Router can ping the outside host, so I know the tunnel is up.I suspect there is a difference in the OS versions that is tripping us up. Perhaps in the way that we have reused the 10.x.x.x address range?
I used to be able to set an uplink port with the interface command "port network" so that it would not learn all the mac addresses that are being flooded down to the switch. It does not seem to be there on the 2950's or 35XX switches.
Where did it go and what is replacing it? Interface is a Trunk port as well.
I have just recently replaced a WS-CE500-24LC switch with a SG200-50P. I have plugged in a Cisco 1760 router with a fast ethernet into the switch. On the console of the router I now see these messages: [code]
As far as I am aware both ends of the link are set to autonegotiate the speed and duplex.
Had a WNDR 3700, as I do, and replaced it with a 4500 and whether it was worth the upgrade.I can always use the 3700 as a wireless repeater in the living room, where I kind a need one anyway.
