Cisco Firewall :: ASA5520 Use Management Interface As Regular

Oct 16, 2011

i have a Cisco ASA 5520 8.4(1) with a ASA 5520 VPN Plus license
i want to use the management interface as a regular interface (using the no management-only command)is this interface a Gig interface as well ?

View 1 Replies


Cisco Firewall :: ASA5520 / How To Use Network Object NAT To Perform Regular Dynamic PAT And Identity NAT

Jun 19, 2011

this is ASA5520 associate with 8.4(1). very simple scenario , three ports: inside . outside . DMZ my problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.

for example, this is my configuration

**** first i configured Regular Dynamic PAT****
object network myinside
nat (inside,outside) dynamic interface 
**** then , i met problem when i want to make identity NAT between inside and DMZ****
**** if i add below CLI , the first nat line will be replaced ****
**** SO IF I ADD THIS****


View 4 Replies View Related

Cisco Firewall :: Pix 525 Configuration - Regular Or Redundant Interface

Feb 14, 2012

I am configuring a pix 525,i just found out how to activate the subinterface on it so that's good,the box has a primary unit and secondary unit, both are connected from G0 to redundant switches,if i do a show failover, it says it's using the serial based lan failover, which is fine by me,however, do i need to create a single, regular interface.. or a redundant interface?,i.e. if i create a regular subinterface, will failover still apply to this interface?,or for failover to work, do i need to create a redundant interface (with a redundant id)? i do not seem to have the option to create a subinterface when adding a redundant interface.

View 7 Replies View Related

Cisco Firewall :: VPN Password Management - ASA5520?

Dec 15, 2012

I have password management configured on our 5520 for VPN users, and it is prompting and allowing me to change passwords.... however it seems the password change seems to not be replicating to AD.  I am able to access network resources using the old and new password.

View 1 Replies View Related

Cisco Firewall :: Management Of ASA5520 From ITsupport Subnet?

Sep 27, 2012

Currently have an ASA5520, management port is set to management only connected to a management vlan, inside, outside and dmz ports also in use for respective traffic, all is working well, the issue i have is that the ITsupport staff on there user vlan have to have access to manage the ASA with ASDM at all times, this all works fine as i have added a route for management to there subnet, problem is that from this vlan they can no longer ping the remote sites which connect via site to site vpn. For troubleshooting and management purposes this is required, is there any way around this?, if we make the management port not management-only how will this effect other traffic or routing?

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?

View 1 Replies View Related

Cisco Firewall :: Can Ping ASA5520 Outside Interface But Cannot Connect To Other

Nov 5, 2012

So I have a client with an ASA 5520 running version 9.0 (was on 8.4) that I am trying to get either IPSec or SSL VPN configured on.  I got everything setup and tried to connect.  However, I couldn't connect to either.  I fired up the real time monitoring and didn't see any syslog messages referring to a VPN build up.  I also enabled SSH/Telnet on the outside interface and cannot connect to the ASA outside interface.  I can ping the outside interface and can ping the internet from the ASA.  I did set up a test ACL on the ASA and ran packet tracer on it and the results came back fine.
There is an IPS in the ASA as well, but I disabled the ACL for that and still am having these issues.  Part of me wonders if the ISP has something set up to block inbound traffic.  This should be a business class connection.

View 5 Replies View Related

Cisco Firewall :: Changing Subnet Mask In An ASA5520 Interface

Aug 8, 2012

We have an ASA 5520, working fine.One of the interfaces is connected to users PCs and printers mainly. Last months the number of devices has grown rapidly, and we would like to make some changes in it in order for it to be able to host new devices.We thought on change subnet mask of actual subnet ( to, so it can hold as many devices.I understand I have to make some changes in the ASA, but my question is:What will happend to the acces rules I have created?Will I need to create them again? There are some objects which carry information about subnet mask, so I suppose I will need to redefine them, but for those without any subnet mask information, will I have to redefine them?

View 2 Replies View Related

Cisco Firewall :: ASA5520 Intra-interface Communication And DNS Rewrite?

May 29, 2011

Recently, I deployed ASA 5520 as our company firewall, everything was working fine except two main problem I still can not resolve them after I did a lot of research.
1. DNS rewriting - The internal user can not access the DMZ or internal server by put in the domain or external ip address. such as [URL] will resolve our wan ip address ( internal ip address is ).I used static (inside,Outside) tcp https https netmask  dns, but it will not work. We have our internal DNS server, but don't want to just add the domain as a record. Is there anyway to get the internal user to access Internal server and DMZ server through the public domain?
2. We also have an internal multiple subnet, another router was conneting to ASA firewall inside interface and using ip address, another subnet is behind the this router, for the users in subnet, they connect firewall inside interface directly.I added an static route and intra-interface permit route inside 1same-security-traffic permit intra-interface I also added access-list inside_nat0_outbound extended permit ip inside_nat0_outbound extended permit ip (inside) 0 access-list inside_nat0_outbound The internal users on can ping but can not telnet to 22. If I set as one of the workstation on default gateway, it can telnet to 22 without any problem.

View 2 Replies View Related

Cisco Firewall :: ASA5520 Routing Packets To Wrong Interface?

Apr 17, 2012

We have an ASA5520 running ver 7.0(8), nat-control is disabled. On the "outside" interface we have a closed network which is publicly addressed i.e. no access to Internet. We also have two Vlan interfaces on a trunk connection i.e. "inside" interface (Vlan7) and "dmz" interface (Vlan802). Traffic from the "outside" to "inside" is statically NAT'd such that the public IP is translated to a private IP when accessing the "inside" interface. However, our OSS servers on the "dmz" interface need to be able to receive packets from the public IP addresses on the "outside" . All is okay with the outside to inside traffic and traffic initiated from the OSS servers on the "dmz" to the outside works okay (snmp gets etc) i.e. the servers receive reply packets from the public addresses of the outside devices.
However, traffic that originates on the "outside" interface (snmp traps etc) which is destined for the "dmz" is actually being routed to the "inside" interface and therefore the public source address is being NAT'd by the static NAT command. The access-list "in_on_outside" has relevant entries to allow connectivity from outside to dmz, we have tried a static nat command (outside, dmz) to maintain the public addressing but this made no difference and also a nat exempt. With ########nat-control disabled - do I still need a translation or NAT exempt for the "outside" <> "dmz" traffic flow, if so how should this look ?

View 11 Replies View Related

Cisco Firewall :: ASA 5510 - Management Interface

Feb 13, 2012

I am having issues with the ASA 5510 management interface. I can't communicate with this interface. It is showing DOWN/DWON even if I type NO SHUT several times.
My existing config is as follows 
our-asa-01# sh run
ASA Version 7.2(5)
hostname our-asa-01
interface Ethernet0/0

View 5 Replies View Related

Cisco Firewall :: ASA5512-X Setup Using Management Interface

Jun 28, 2012

I have a brand new ASA5512-X running 8.6.1, and am trying to do an initial setup using the Quick Start Guide that came with it.  However, the Management Interface is not working.  I have a PC connected and set to use DHCP, but the port is not active. I connected a console cable and can see in the config that the interface is shutdown.  So I set it to active, and the port is now active, but is not giving out a DHCP address as the guide says it should.I would like to use the ASDM Startup Wizard to configure this device, so how do I get it to work the way the instructions say it should?

View 2 Replies View Related

Cisco Firewall :: ASA5540 Management Interface IP Addressing?

May 9, 2011

How does one allow /31 mask for an management interface on an ASA5540 using version 8.3(1)?
I need to configure a 192.168.x.y /31 on the management 0/0 interface of a ASA5540 and it is providing me with the following error:ERROR: /31 mask is not allowed

View 1 Replies View Related

Cisco Firewall :: 5520 - Configuring ASA Management On Sub-interface

Jul 27, 2010

I have two ASA 5520 with 4 Giga interfaces and 1 management interface.
I need to use 4 interfaces four data traffic
1- Inside
2- Outside
3- dmz-1
4- dmz-2
The remaining will be the management interface only.How can I configure the Statefull failover and Management?
1- I used the management0/0 for The stateful failover.
2- I used gig 0 for outside
3- I used gig 1 for inside
4- I used gig 2 for dmz-1
5- I divided the gig 3 to two sub interfaces
a- gig0/3.1 for dmz-2
b- gig0/3.2 for Management and I defined it as a management-only

View 6 Replies View Related

Cisco Firewall :: Management Interface In Cluster ASA 5515x?

Jan 6, 2013

I have a misanderstand about management interface configuration in cluster. So I have a cluster asa 5515X with management interface. i Would like to be able to connect to any of the member of my cluster on management interface, so i would like to fix a different ip on management interface on each of my node ip 92 and 91. I think it is the only way to make asa firmware update to access local flash on each node.
my config
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif


View 9 Replies View Related

Cisco Firewall :: ASA5510 - Cannot SSH Or ASDM To Management Interface

Jan 21, 2013

I try to SSH and get access denied.
I try to ASDM and get "Unable to launch device manager from"
I think I am missing something. Software is 8.4(5) and running in Transparent Mode.
Inside/Outside are in bridge-group 1. No BVI is configured as we will be using Management0/0 for access.
login as: test
test@'s password:
Access denied


View 7 Replies View Related

Cisco Firewall :: ASA 5550 - Configuring Sub-interfaces On Management Interface

Nov 29, 2011

I am currently doing some research (for my employer) into creating multi-context sub-interfaces on a Transparent ASA 5550.
I have not been able to find any details on this subject which state it is or it is not possible. This will be used for Syslog logging.

View 1 Replies View Related

Cisco Firewall :: Verification Of Management Interface Usage On 5510

May 24, 2012

I seem to get conflicting information on using the Management port as a regular routed interface on the ASA5510..The management interface can be used for the traffic that passes through the firewall as well. The Security Plus License for the ASA 5510 is required in order to use the management0/0 port as a regular interface. With a base license on the 5510, the management0/0 port cannot be used as a regular interface.
I believe that I saw another post that mentioned it was part of the standard IOS if you had a later version.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 High Drop Count On Management Interface

Sep 4, 2012

I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context.

View 1 Replies View Related

Cisco Firewall :: Provide Access To The Management Interface / Vlan On ASA 5505

Jun 8, 2011

I've got an ASA 5505 running 6.3 I've connected the management interface to our management vlan (which contains switch IPs, ilo's etc)Is there a way to allow access to this vlan from another?

View 1 Replies View Related

Cisco Firewall :: ASA5510 Static Routes For Management Interface Not Working

Mar 30, 2011

We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside
e0/1 = inside
m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
route outside 1route management 10
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc: to management:"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10   <------------- this works
route management 10   <------------- this works too
Why won't a static route for work in this case?
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
interface Ethernet0/0 nameif outside security-level 0 ip address standby !interface Ethernet0/1 nameif inside security-level 100 ip address standby


View 3 Replies View Related

Cisco Firewall :: ASA 5510 / Management Interface Stopped Working After Upgrade?

Jun 24, 2012

After I have upgraded our ASA 5510 to 8.4.2 I have problem with the management interface.Our former firmware 8.2.3 had no problem using the management interface as a DMZ zone, but after we upgraded to 8.4.2 we can't make it work.The interface and the protocol is up, when I type: show interface.But when I ping the interface from a computer connectet to the interface, nothing happens.
Even the logging shows nothing.

View 7 Replies View Related

Cisco Switching / Routing :: 3560 - Management Port Used As Regular Port?

Jan 30, 2012

I have an all gigE  3560.  I don't use the management FE0 port on the back.  I was thinking to use that for a 100Mbps WAN connection. 

Seems to work just fine when I plugged in an test.  But I am not routing across that link yet as I still need to setup the far end.

Is there any reason this would not work?  I would like to not burn a gig port if the max throughput of the circuit is 100Mbps.

View 1 Replies View Related

Cisco Firewall :: ASA5520 To ASA5520 Via L2L Tunnel

May 31, 2011

Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.

View 1 Replies View Related

Cisco Firewall :: Regular Dynamic PAT Statements In ASA 8.3?

Feb 19, 2012

have 2 inside networks:
object network INSIDE_10.6
object network INSIDE_192.168
I grouped these 2 into 1 object-group:
object-group network INSIDE
network-object object INSIDE_10.6
network-object object INSIDE_192.168
Public IP address used for PAT:
object network PAT
host 152.x.x.x
I used the following statement to create Dynamic PAT to public IP address:
object network INSIDE_10.6
nat (any,any) dynamic PAT
object network INSIDE_192.168
nat (any,any) dynamic PAT   
Is that correct? Also I'm using one public address to PAT both inside networks. Is there any dvantage of using 2 different ones, so each inside network would be PAT to its own address?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Webfilter Using Regular Expression?

Oct 2, 2012

I have a ASA 5510, it does webfilter using regular expression. [URL]
I block "" and it was successfull. But somehow other users is using https to access to FB. how do i filter HTTPS?

View 5 Replies View Related

Cisco Firewall :: ASA 5510 - NAT Regular Translation Creation

Dec 4, 2012

I am having an issue with a specific server that is not reachable from other sub nets. Every other device on the same sub net as the server is reachable via the other sub nets. This server is special because it's NAT'd to an external IP address and has several site-to-site VPN's set up. The firewall is a Cisco ASA 5510.
This is the error I see on the ASA syslog when I try to ping the server from another sub net: 3 Dec 05 2012 10:58:49 regular translation creation failed for icmp src inside: dst inside: (type 0, code 0)          
The problem server is on sub net and the server IP address is Every device on the sub net can hit the server, but devices on other sub nets cannot. For instance, a device on cannot reach, but can reach other devices on

View 1 Replies View Related

Cisco Firewall :: ASA 5510 / URL Paths And Regular Expressions In ASDM?

Apr 2, 2012

I've recently switched to an ASA 5510 on 8.4(3) coming from a Checkpoint NGX platform (let's say fairly quickly and without much warning ). I have a couple questions and they're kind of similar so I'll post them up. I've read docs about regex and creating them both via command line and ASDM, but the examples always seem to include info I don't need or honestly something I don't understand yet (mainly related to defining classinspect maps). If someone could provide a simple example of how to do these in ASDM that would be useful in understanding how regular expressions are properly configured. So here we go.

I know this is basic but I need to make sure I understand this properly - I have a single web server (so this won't be a global policy) where I need to allow access to a specific URL pathfile and that's it. So we'll call it est estfile.doc. Any other access to any other path should be dropped. What's the best way to do this in ASDM (6.4)? I think if I saw a basic example for this I could figure out next few questions but I'll post them as well just in case.

I have another single public web server (again this won't be a global policy) where I'd like to specify blocking file types, like .php, .exe., etc... again a basic example would be great.

Lastly, and this is kind of related, but we have a single office/domain and sometimes we get spam from forged addresses appearing to be from our domain. On Checkpoint I used to use its built-in SMTP security server and could define if it received mail from * to drop it because we would never receive mail externally from our own domain name. I saw something similar with ESMTP in ASDM and it looks kind of like how you set up the URL access mentioned above. Can I configure this in ASDM as well, and if so how?

View 1 Replies View Related

Cisco VPN :: ASA5520 Outside Interface Non Route-able Address

Aug 29, 2012

I am currently working with a vendor to get my ASA5520 setup to handle IPsec VPN connections for my clients and we are stumped with how to get the outside interface to respond to connections/requests.
I work for a state agency and our network connectivity is provided to us by another agency/department.  The firewall I want to use for VPN connectivity has an outside address of which is not routable outside the state's network.  I have been assigned a set of public IP addresses for servers in my DMZ and I am wondering if it is possible to configure the ASA to utilize one of those public IP addresses for VPN communication.  My DMZ network is setup as a local network and the ASA is performing NAT translations to the corresponding public IP addresses.
Putting in a NAT rule to translate one of the public IP addresses to the outside interface, but I wasn't sure if that would work.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Block Certain Websites (URLs) Using Regular Expressions

Jan 31, 2011

i have cisco asa 5510 as firewall, i was trying to block some site using the link provided below
and its working fine, but the problem i am having, when i go to download attachment from hotmail its not downloading, from gmail and other mails its

View 13 Replies View Related

Cisco Firewall :: ASA 5505 - Regular Translation Creation Failed For Protocol 47 SRC

Oct 10, 2011

We have a PIX with 3 interfaces. Inside, Outside,DMZ.
On my DMZ we have some clients that come in and remotely connect back to there office via MSPPTP. I setup the ASA with this to get rid of the error message: regular translation creation failed for protocol 47 src
policy-map global-policy
inspect pptp
Now when the dmz client tries to connect back to there PPTP server I get the following error. 0 37624 Teardown dynamic GRE translation from dmz: to outside: duration 0:01:30 1069 1723 Deny TCP (no connection) from to flags PSH ACK  on interface dmz 63767 Teardown GRE connection 8393958 from dmz: to outside: duration 0:01:08 bytes [ code]...

View 7 Replies View Related

Cisco Firewall :: 5510 Block URLs Using Regular Expressions For Some Clients

Oct 20, 2012

i use ASA 5510 and i want to block some urls :

- to 79 allow every thing
-  to 89 : block facebook , myspace, twiter,
-  to 99 : block facebook , myspace, twiter,  youtube , dailymotion
- to 199 deny everting

View 1 Replies View Related

Cisco Firewall :: ASA 5505 / Block Website With Regular Expressions Affecting All Internet?

Dec 27, 2011

We have an ASA 5505 and I want to block for all users on the inside network.  I followed the instructions laid out in Cisco support document ID 100513 using regular expressions with MPF but am running into some problems.
Once the configuration has been changed based on these instruction is blocked.  However I can't access any other websites except my Google News home page comes up just fine for some reason. 

ASA Version 7.2(3)
hostname ciscoasa
domain-name default.domain.invalid
enable password 4nJloDG8uYd8w4D3 encrypted
interface Vlan1


View 18 Replies View Related

Copyrights 2005-15, All rights reserved