Cisco Firewall :: ASA5510 Can't Be Accessed For Management
Mar 13, 2013
I am trying to get an ASA5510 working in transparent mode, multi-context. I am on revision 8.2.5, so there are no bridge groups (those are enabled in 8.4). I first set it to transparent mode, then set it to multi-context mode. I am doing trunking through the Ethernet0/0 to Ethernet0/1, and have two vlans on subinterfaces of each interface. These interfaces are in the 2nd and 3rd contexts, and all trunking between vlans is working correctly in transparent mode.
But I can't telnet or ssh to the ASA itself.
I have an IP address on the inside vlan interface in
View 4 Replies
ADVERTISEMENT
Jan 21, 2013
I try to SSH and get access denied.
I try to ASDM and get "Unable to launch device manager from 172.16.252.100"
I think I am missing something. Software is 8.4(5) and running in Transparent Mode.
Inside/Outside are in bridge-group 1. No BVI is configured as we will be using Management0/0 for access.
login as: test
test@172.16.252.100's password:
Access denied
[Code].....
View 7 Replies
View Related
Mar 30, 2011
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside
e0/1 = inside
m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1route management 10.72.0.0 255.255.0.0 10.72.232.94 10
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141 !interface Ethernet0/1 nameif inside security-level 100 ip address xxx.xxx.xxx.xxx 255.255.255.128 standby
[Code].....
View 3 Replies
View Related
May 19, 2013
I'm trying to setup a SSLVPN Portal for our customer which will authenticate against Active Directory using LDAP over SSL and with the portal have the ability to change password if it has expired. I have managed to setup everything now except for the password reset which is giving me a headache. This is the message that's presented by the portal when i try to change the password even though the same password works when i change it on a PC instead of using the portal.
"Cannot complete password change because the password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements."
And below is the output of ldap debug on the ASA5510 the Portal is running on.
[473] Session Start
[473] New request Session, context 0xadbe760c, reqType = Modify Password
[473] Fiber started
[473] Creating LDAP context with uri=ldaps://x.x.x.x:3269
[473] Connect to LDAP server: ldaps://x.x.x.x:3269, status = Successful
[473] supportedLDAPVersion: value = 3
[code]....
View 5 Replies
View Related
Jun 6, 2012
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies
View Related
May 5, 2013
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies
View Related
Nov 29, 2011
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
View 2 Replies
View Related
Jun 11, 2012
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
View 7 Replies
View Related
Jun 29, 2011
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
View 7 Replies
View Related
Feb 18, 2012
I'm slightly concerned about my Cisco SRP-547W... there are times when it will cease to allow certain websites to be accessed and for a SONOS system to access Napster/Spotify. When i look in the administration part, the CPU usage shows 100%. I then have to restart the router, where it will settle back down to between 20% and 40% CPU load.Whats odd is it's not something that happens once every hour, it can be fine for days and then suddely go.
View 1 Replies
View Related
Sep 10, 2012
i have a ASA5510 in the office, that already configured 3 context, namely, admin, user, server.in the server context, the last running config was not saved, and there was a power trip last friday night. 1 of the sub interface was affected, and i need to recreate that interface.I am getting the below error, it only allow me to do changes those pre-defined interface.how to I create extra sub interface?
View 3 Replies
View Related
Jul 21, 2011
I have a ASA5510 and I have a question about the speed the ports can handle, here is one port:
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.
View 2 Replies
View Related
Feb 22, 2012
i have cisco ASA 5510 Firewall using in my network, i have planning to upgrade the Flash memory from 256 mb to 512 mb and the RAM from 256 mb to 1GB.
View 1 Replies
View Related
Jul 31, 2011
I've got 3 identical PC's that were bought and configured at the same time, all running Windows 7 off a Netgear router. Though all 3 machines can successfully ping each other, one machine can't be accessed by the other two through windows explorer meaning it can't participate in LAN games or share files with the other 2 machines.
I also seem unable to register my copy of Starcraft II because it doesn't recognise any return data from the Starcraft servers, though it works fine on another machine (not sure if this is related). I've disabled the firewall on the unaccessible machine and believe file sharing is activated but it hasn't worked.
View 3 Replies
View Related
Jun 27, 2012
I have cisco 3825 router with two interface one with public ip 182.50.190.140 and the other with private ip 192.168.1.1 and the DNS is 66.28.0.45, I configured NAT overload on it to access internet I can ping public ip nad default gateway but cannot ping dns and neither internet can be accesed. following are the configurations. [code]
View 2 Replies
View Related
May 4, 2012
I have a cisco asa 5510 with security plus license in Live enviroment . I need to add a secondary firewall . I was planning to do in active /standby mode for failover .But i have a doubt , when i do "show version " on live asa output says Active /active failover , does this means that i can only configure failover in active/active mode not in active/standby (which i want to do )?
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5505 Security Plus license...
View 4 Replies
View Related
Feb 12, 2012
i am using Cisco ASA5510 Firewall in my Network in the distrubition Layer .Private Range of Network Address use in the Network and PAT at the FW for address translation.presently encountering an issue the users behind the FW in my network unable to RDP at port 2000 presented at the Client Network.Able to Telnet on port2000 but not RDP . any changes needed at the FW end to get the RDP Access.
View 12 Replies
View Related
Apr 16, 2012
I have recently installed a new router (DLink Dir-615) and it seems that certain sites will not render for me. They simply show up as blank pages, or they will attempt to load, flash a few times and end in a the site cannot be reached. However, if I am running Fiddler, all of the sites work. The issue also occurs with various components on certain sites, i.e., video. The videos either do not play or will continuously skip to the next clip when Fiddler is not running.
I am completely baffled as to why this is happening and is there some setting on my new router that I need to enable?
View 1 Replies
View Related
Dec 3, 2011
Bought DIR-655 from Amazon. Rev. B. Come with 2.00NA firmware. Updated to latest one, and there are a lot of problems, to most of them, I was not able find any solution. Here they start:
1. WIFI SPEED PROBLEMS.No matter what speed, parameters, channel, mode, etc I select, router keeps working on 20mhz channel width. So I never get speeds above 65 mbit. In absolutely same conditions, my DIR-300 B1 (with DD-WRT firmware) gives me stable 150mbit. SO I KINDLY ASK, MAYBE THERE IS A WAY TO FORCE "40 MHZ ONLY" OPTION?
2. PASSWORD PROBLEMS.Router came with no admin password, I enter new password, hit "update" it says - wait 20 sec, after that, login page is displayed, but, new pasword does not works! since it asks again for empty password!
3. FILTERING PROBLEMS.I need to block certain IP address to be accesed by all my computers. Say this is 111.111.111.111 . So I added inbound filter rule, to block access to that IP. It does not works - IP is still accesible.
4. MORE FILTERING PROBLEMS.Since above mentioned method does not works, I have to use "ACCESS CONTROL" feature. It does works, but it causes another problem, with access control enabled, all webpages with form submit stop to work. For example, if I'll have that feature enabled, when I press "post" on this webpage, it instantly will go to "this page cannot be displayed".
I bought this router solely for one purpose - I was happy with speed of my DIR-300, but I needed gigabit for my computers. So I thought, instead of buying separate switch, I'd better buy a router with gigabit. I was suggested to get TP-LINK 1043, since it's quite popular, alternate firmwares available and so on, but I refused to buy it, since I thought that some chinese company does not worth my attention. So I bought this D-Link (for almost 2x price of TP-Link) and having huge problems as you can see.
View 9 Replies
View Related
Jul 13, 2009
I have a WRT54GC v2.0, that was working perfectly till yesterday.I cannot access the router no more, either thru cable nor wireless, all lights are flashing.I thought it would be the power source but i have measured it with my fluke multimeter and there is 3.5v, it is probably working well.
View 9 Replies
View Related
Sep 30, 2012
I have 20 mbps internet link and I have ASA 5505 . I have to divide this bandwidth 10-10 mbps each for Voice and Data . So that both can work properly. because when I am using it for both on same interface, I am getting Voice disturbance..
View 1 Replies
View Related
Nov 7, 2011
I have interfaces defined on the 5505:
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
[Code].....
I only need one interface to connect to a single host on the inside (VLAN1) and then connect E0 to a DSL.
Is it possible (are what are the commands required) to take one of the other interfaces and create a Management port on the local office LAN?
View 2 Replies
View Related
Jul 24, 2012
i have 16MB internet speed, i want to give inside interface in my ASA only 2MB to use how can i assign it ?
ASA Version 8.2(5) !hostname ConcordeASAenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface
[Code].....
View 2 Replies
View Related
Jun 9, 2013
I am configuring a brand new pair of ASA 5512s running 8.6(1). Traditionally we hae been using the Management port as the dedicated failover link, but that seems to not be possible on the 5512s.
ASA (config-if)# no management-only ERROR: It is not allowed to make changes to this option for management interface on this platform.
I have not been able to find anything in the official documentation mentioning this restriction.
View 1 Replies
View Related
Feb 13, 2012
I am having issues with the ASA 5510 management interface. I can't communicate with this interface. It is showing DOWN/DWON even if I type NO SHUT several times.
My existing config is as follows
our-asa-01# sh run
Saved
ASA Version 7.2(5)
hostname our-asa-01
names
dns-guard
interface Ethernet0/0
[code]....
View 5 Replies
View Related
Dec 15, 2012
I have password management configured on our 5520 for VPN users, and it is prompting and allowing me to change passwords.... however it seems the password change seems to not be replicating to AD. I am able to access network resources using the old and new password.
View 1 Replies
View Related
Jan 8, 2012
Or, does the data only go over the WAN connection when the camera is accessed via myDlink? I ask because I have this camera installed in my mountain home and the WAN connection is a 5GB/month Verizon USB modem. It seems to be chewing up a LOT of data.
View 2 Replies
View Related
Aug 22, 2012
unresponsive / lockups with Cisco ASA 5505 remote management ?
I think it happens like this:
1) With ASDM (Java Web Start), add new crypto map (it could be anything, just happens to be what i added the last time this happened)
2) Click apply
3) ASDM hangs (at this point the Java client becomes entirely unresponsive)
4) ASDM.jnlp refuses to connect and eventually timeout dialog appears. However, VPN connections are still accepted.
5) After a few hours (over night), the ASA refuses all incoming traffic including VPN connections.
View 5 Replies
View Related
Mar 21, 2012
I'm attempting to configure remote management (and, sometime soon, SNMP) for a newly-deployed WRVS4400N v.2.At the Basic Settings page, I enabled Remote Management, and left the port # at the default. Remotely I entered the public (static) IP for the router in the address bar of IE8 similar to this: 67.203.???.??:8080. IE8's response is, "The webpage cannot be displayed." I'm using a public wi-fi access point, and don't know how the local router is configured, so it's possible that the local router has a blocking rule in the firewall.I'll try again using another remote router that I manage.
View 3 Replies
View Related
Sep 27, 2012
Currently have an ASA5520, management port is set to management only connected to a management vlan, inside, outside and dmz ports also in use for respective traffic, all is working well, the issue i have is that the ITsupport staff on there user vlan have to have access to manage the ASA with ASDM at all times, this all works fine as i have added a route for management to there subnet, problem is that from this vlan they can no longer ping the remote sites which connect via site to site vpn. For troubleshooting and management purposes this is required, is there any way around this?, if we make the management port not management-only how will this effect other traffic or routing?
View 3 Replies
View Related
May 21, 2012
I have a remote ASA5505 running 8.4(3) with a working site 2 site VPN tunnel to my main office. (The main office is running an ASA 5510 with OS 8.4.3 as well). The encryption domain is all private IP on main site vs. 172.16.10.0/23 on remote site.
Relevant config of the remote ASA:
interface Vlan1
nameif inside
security-level 100
[Code].....
I can manage the ASA on the outside interface (outside of the site 2 site VPN) using the TACACS credentials I can also ping my management station from the ASA using the inside interface, but as stated, the other way around does not work. I have not yet tested if management from the local 172.16.10.0/23 subnet works, but I will try this next.
View 5 Replies
View Related
Jun 28, 2012
I have a brand new ASA5512-X running 8.6.1, and am trying to do an initial setup using the Quick Start Guide that came with it. However, the Management Interface is not working. I have a PC connected and set to use DHCP, but the port is not active. I connected a console cable and can see in the config that the interface is shutdown. So I set it to active, and the port is now active, but is not giving out a DHCP address as the guide says it should.I would like to use the ASDM Startup Wizard to configure this device, so how do I get it to work the way the instructions say it should?
View 2 Replies
View Related
May 9, 2011
How does one allow /31 mask for an management interface on an ASA5540 using version 8.3(1)?
I need to configure a 192.168.x.y /31 on the management 0/0 interface of a ASA5540 and it is providing me with the following error:ERROR: /31 mask is not allowed
View 1 Replies
View Related
