Cisco Firewall :: ASA5520 Unit Not Accessible On Network For Initial Configuration
Dec 15, 2011
We received an ASA5520-K8 through Cisco's Loan program so we could demo it as a replacement for our aging Cisco 3005 VPN appliances. Given that we are a non-Cisco shop (except for specific appliances like concentrators and wireless access points), I don't have a great deal of experience with Cisco gear. I started to set up the appliance this morning but immediately ran into issues. The 5520 doesn't seem to be acting as a DHCP server, and worse yet, I can't access the unit even if I hard code the IP on the PC being used for configuration. I have to say that I feel kinda stupid having to post this, since I actually followed the documentation available for this menial task and I fully expect the problem to be a simple one. Namely, I am using two specific sources of info for connections.
May 21, 2012
This is my 1st time trying to configure an ASA.
I'm trying to establish a very basic connection (ping) between 2 laptops, one sat on the outside interface, and one on the inside as per the diagram below:
I can ping back and forth from the ASA to 192.168.1.4, and to 10.1.1.1. However, what I'm trying to achieve is to be able to ping from 10.1.1.1 to 192.168.1.4 and vice versa.
I have attached the configuration file with this post as well.
Oct 9, 2011
We have a pair of ASA5520 firewalls set up in a very inefficient fashion, and I wish to convert them to an active/passive cluster. Trouble is, there are a number of configuration options I will need to re-implement (VPN tunnels, remote users etc), and trying to capture the configuration with a simple "show running-config" or "show running-config all" or even "show startup-config" doesn't get me things like the pre-shared-key from the VPN configurations - and I don't know them all, so I can't simply re-enter them. Is there any way to get a dump of the running (or startup) config which shows the hidden settings like pre-shared keys and OSPF message digest keys?
Mar 7, 2011
I am forced to upgrade my ASA 5520 software from 7.1 - 8.2 or higher. As I am not familiar with ASA, I need expert opinions. I have the following concerns regarding the upgrade.
1. Do I need to worry about the software licensing when I download 8.2?
2. I read about the few differences in commands (ACL and NAT) in 8.2. What exactly do I have to do here? Should I change the configured NAT and ACL with real IP in the existing configuration after the upgrade?
Jul 18, 2011
I am in the process of migrating my config from my PIX running 8.0(4) to my ASA5520 running 8.2(1). I have converted the config so that it is ready for the ASA. I noticed the "boot system flash:" and "asdm image flash:" command references the old PIX files. Do I need to update these or will they be updated when the ASA reboots with the new config?
Jan 9, 2013
On a recommendation from a network engineer, I got a used Cisco 891. Having worked with small business routers most of my working life, I thought this should not be a problem. However, I had no clue these things used a console and command line to initialize. I have the console cable, am able to console into the device, but am haphazardly issuing command lines straight out of the PDF manual but cannot get Cisco CP to discover the device.
From what I can tell, I am stuck at the point where the manual tells me to enable http server. I ran the command lines several times, executed write mem where available, but when I run the show services command, http is not enabled.
And if you do refer to command lines, I was reading some other forums and they were speaking of "run this command, run that command" but I could not make out the correct syntax, in what mode, whether it be config or config t, etc. So I might need a wee bit of handholding.
I'm hoping that once I can get Cisco CP or CPE to discover the device, I can make my way through the GUI to configure since those usually do make sense to me. As of now, I'm in the thick of it ...
Mar 3, 2013
I will now install a Cisco WLC 2504 and 18 APs (1142n).
Client has a Cisco infrastructure with Cisco switches 3750x and others.
We expected to have:
1. Management Vlan to add WLC 2504 and the APs (DHCP server should be reached on this Vlan)
2. Configure a trunk in the switch port where the WLC will connect, allowing Vlans that we choose to reach.
3. Configure WLC (SSIDs, Vlans, interfaces).
4. Configure APs.
Is there any basic setup that I missed for things to run?
Normally I create DHCP reservations for APs and for clients in different Vlans:
Mgmt Vlan 100: 192.168.0.xx
APs Vlan 101: 192.168.1.xx
Clients Vlan 102: 192.168.2.xx
Should all of these be created as interfaces on WLC?
Nov 27, 2012
I have configured the box and done the usual wr, copy run start, and the box keeps coming up with the initial config dialog?
Mar 27, 2012
I'm trying to set up a new ASA 5510. I have a pretty simple set up with one /24 on the inside NATed to a DHCP address on the outside. Everything on the inside works and I can ping the outside interface from external devices. No matter what I do I can't get anything internal to route across the border to the outside and back. To try and eliminate ACL issues as a possibility I added permit any any rules to the incoming access lists on the inside and outside interfaces. Here's the sh run.
: Saved
:
ASA Version 8.4(3)
!
hostname gateway
domain-name xxx.local
[code]....
Jun 24, 2012
I am interested in learning and setting up VPN IPSec with Cisco ASA 5505. I've managed to successfully set up VPN and can connect to it from outside and browse securely to the outside/internet via tunnel. However, once I am connected to VPN, I cannot access any of my internal hosts/servers via VPN client. I am wondering if it's a missing ACL/NAT...
ASA Version 8.2(5)
!
hostname ciscoasa
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
[code]....
May 26, 2011
Trying to get this Linksys router working on my network. It is a WRT54GS. The machine that I'm configuring it with is running a 64-bit version of Windows 7. I run the disc and it seems as if no matter what I try it will not connect to the internet. Can plug modem directly to PC and connect no problem. Can connect to router no problem. But cannot connect to the internet through the router. I made sure that IP addresses are assigned dynamically through DHCP and cloned the MAC address of the PC I'm using to do the initial setup.
Jan 2, 2013
I am slowly working my way through the setup and configuration of our new 4900m switch. The switch will have a pretty basic operational configuration. We are simply going to network 3 servers together through the switch. Anyhow, I have been following the guide at this site: [URL]
Basically the switch is brand new and I just set up things such as the clock, the banner, and the hostname. Anyhow, at various points in the guide such as the configuration of the telnet password and especially the interface gigabitethernet I get the "invalid input detected at '^' marker". I also did a show interfaces and noticed there were not any gigabitethernet interfaces but there was a
"FastEthernet1 is down, line protocol is down Hardware is Fast Ethernet for out of band management, address i"
Anyhow, my thinking is continuing on with the guide and at least try to setup the interface for the management port so I can then use the cisco network assistant gui to then configure the rest of the switch.
Dec 22, 2011
With regard to the firewall ASA5520, I'm using it in my network. All the configuration is properly configured and working, but with the use of a proxy address in Internet Explorer (e.g. 206.53.155.129/3128) all the blocked content is easily accessible; it simply bypasses all the network through the firewall. So will you guide me to block the proxy servers?
May 31, 2011
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
Jan 9, 2013
Equipment used:
VBrick Systems Inc., Model HPS 7102 HS-HD
Cisco ASA5520 Firewall
I have been trying to take a vBrick RTSP stream and stream it outside of our network: Inside our network, if I were to open VLC, and go to “Media”, “Open Network Stream” and paste rtsp://123.123.157.10/vbStream1S1 the stream works, audio and video. Outside our network nothing. I have opened ALL UDP and TCP ports to the vBrick 123.1123.157.10 on our firewall and tried from outside of our network:
access-list access-in extended permit tcp any host 123.123.157.10 range 1 65535
access-list access-in extended permit udp any host 123.123.157.10 range 1 65535
After adding this to the access list, the web gui http://123.123.157.10 (uses port 80) and ftp ftp://123.123.157.10 (uses port 21) is functional outside of our network...just not the rtsp stream which works fine internally.
Aug 4, 2011
I have a new Cisco ASA 5505 which I am trying to just setup so that all computers on the LAN can get to the internet (browsing and ping). My current setup attached.
May 9, 2012
I have a D-Link DSL-2520u ADSL2+ modem. When I access the page 192.168.1.1, it prompts for a username and password. Upon successful authentication, I see the modem configuration page.
If I am on a different network, I can also access the modem's configuration via its public IP address. How can I restrict access to the configuration page via the public IP address and only allow access via the internal IP address?
Aug 23, 2012
I am on version 8.2(1) of ASA Code. When accessing a SQL server on a secure internal interface (traffic is sourcing from DMZ), I'm getting some timeouts on the initial connection on port 1433. All subsequent connections work fine. Packet tracer shows the connection builds properly, and shouldn't have a connectivity issue. The problem server is a webserver that connects back through the firewall to access the SQL server on port 1433. We also have many other webservers in the DMZ which access the same SQL server, but do not have the same timeout issues. Here are my timeouts, from the config:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
arp timeout 14400
I've seen a couple articles about increasing the tcp timeout to 3 hours for the DMZ interface?
Oct 30, 2011
I have a new PIX 515E for home practice.
1. I couldn't telnet the switch after configuring. Should I have to use a cross cable or not to connect PC-PIX? (As new switches and routers run through straight cable.) More importantly, I couldn't even ping the inside IP, which is telnet and SSH enabled.
2. Receiving the following after executing each and every command on global mode.
-Configuration Replication is NOT performed From standby Unit to Active Unit
-Configurations are no longer synchronized.
Jun 19, 2011
This is an ASA5520 associated with 8.4(1). Very simple scenario, three ports: inside, outside, DMZ. My problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.
For example, this is my configuration:
**** First I configured Regular Dynamic PAT ****
object network myinside
subnet 10.200.11.0 255.255.255.0
nat (inside,outside) dynamic interface
**** Then, I met a problem when I want to make identity NAT between inside and DMZ ****
**** If I add the CLI below, the first nat line will be replaced ****
**** SO IF I ADD THIS ****
[code]......
Sep 9, 2012
I have some technical consultations that I would like to know which would be a better implementation.
I am seeking for clarifications whether putting VPN and firewall in a single software or separating both into separate software.
Mar 8, 2012
I've tried to upgrade a redundant setup from 8.2(4)4 to 8.2(5)22, ending with a standby ASA continuously crashing after the config sync phase. On the first crash it even corrupted the flash, leaving me no choice other than initializing the box from scratch.
Jan 29, 2012
I'm trying to do some research on the Dispatch Unit process. It seems High CPU and this process go hand in hand. I haven't figured out an effective way of determining what underlying issue is the actual source. How to understand what the Dispatch Unit process is doing? I have an ASA 5550. I have seen the cpu hover around 85% +- 5% for sustained long periods, 30 - 60 min +. I have always been under the impression that around 80% cpu and you're probably dropping packets (that could be an out-dated belief).
Feb 4, 2012
Did setup iaw instructions. Got to step 9 where it went into configure mode. Last few messages:
192.168.1.5 to 192.168.1.1 (BUILT IN BOUND TO TO IDENTIFY), then
192.168.1.5 START SSL HANDSHAKE FOR TLSW1 SESSIN, THEN
192.168.1.5 COMPLETED HANDSHAKE, THEN
[Code].....
Now I am unable to do anything with the 5505. Cannot log in, cannot get a ping of 192.168.1.1, cannot get into the unit and do a factory reset.
May 12, 2011
What process do I need to follow to rebuild my failover unit? I've had to turn it off because it seems that both the primary and secondary were thinking they should both be the active unit. I'm not sure why. But in turning off the failover, I had internet access again. So I think I want to rebuild the secondary unit's configuration. Do I need to turn off failover from the primary unit first? Disconnect the secondary unit, console into it and remove the configuration (command to remove from flash?)? Rebuild the interfaces... all interfaces or just STATE between the units? Just trying to get a list of the process.
Aug 10, 2010
I have a problem with RME 4.2 from CWLMS 3.1. I have configured SSH on my ASA 5520 device but RME can't get the configuration file. I ran a job to sync archive but I get this error message:
*** Device Details for ASA_5520_VOZ_01 *** Protocol ==> Unknown / Not Applicable Selected Protocols with order ==> Telnet,TFTP,SSH Execution Result: CM0062 Polling ASA_5520_VOZ_01 for changes to configuration. CM00 Polling not supported on
[Code].....
Jan 25, 2012
I have just noticed that my Cisco ASA 5510 CPU utilization is increasing up to 30-35%, and when I issue sh processes cpu-usage, I have found that dispatch unit occupies most of the utilization.
Jan 2, 2012
So I set up a failover active/passive with 2 ASA5520s.
Primary ASA has 750 AnyConnect VPN licensing and the secondary ASA has 2 AnyConnect licenses.
I haven't set up the second ASA with the new 750 licenses I purchased, but when I do a show version it shows that the failover licensed features shows 750...
Does this mean I do not have to install the secondary AnyConnect licenses on the standby ASA unit?
output of secondary asa
:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active
[Code]......
Jun 11, 2009
We are running two failover pairs of ASA (5510, 5505) in two different locations in active/standby configurations. Is it possible to access the inside IP of the standby unit via VPN terminated by the active unit? It's only for monitoring. With our configuration here it is not. Is that possible in general?
Nov 12, 2011
I am normally only doing IOS config. I have a little problem when trying to set up this unit. It boots ASA software 8.0.4 fine. When I go to enable mode and into configuration mode and try to configure an IP on an interface I have a problem.
ciscoasa(config)# int
ciscoasa(config)# interface man
ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# ?
Interface configuration commands:
  default Set a command to its defaults
  description Interface specific description
  dhcp Configure parameters for DHCP client
  duplex Configure duplex operation
  exit Exit from interface configuration mode
  Interactive help for interface subcommands
  no Negate a command or set its defaults
  shutdown Shutdown the selected interface
  speed Configure speed operation
ciscoasa(config-if)#
I did try to upload the new software 8.4.2 from rommon using TFTP. It boots 8.4.2 fine, but has the same problem as in 8.0.4. I did try to create a user having priv 15 and logging on as that user. It gives the same. The firewall is not in transparent mode.
Nov 20, 2011
I have a single production 5510 with 2 contexts. Now I want to integrate the secondary failover unit. My question is: How much configuration needs to be done on the secondary firewall? How much of the configuration will be sync'd from the primary to the secondary when the secondary is connected?
For example, do I need to add the following on the secondary or will it be sync'd from the primary?
admin-context NAME
context NAME
allocate-interface Ethernet0/0.14
[Code].....
Sep 7, 2011
I have an issue bringing up my RMA'd primary ASA unit.
So what happened so far:
1. primary unit failed
2. secondary took over and is now secondary - active (as per sh fail)
2. requested RMA at Cisco
3. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary
4. issued wr erase and reloaded
5. copied the following commands to the new (RMA) primary unit:
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
int eth3
no shut
failover
wr mem
6. installed primary unit into rack
7. plugged-in all cables (network, failover, console and power)
8. fired up the primary unit
9. expected that the unit shows:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
10. but nothing happened on primary unit
What is a valid and viable approach in replacing a failed primary unit? Is there a missing step that hinders me to successfully replicate the secondary - active config to the primary - standby unit?
I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.
Aug 21, 2012
I have an ASA5520. I am copying the configuration from PIX to ASA5520 (7.2). Everything is working fine, but the problem is that after some time my DMZ interface is losing connectivity ...