If ASA5525 with ASA8.6(1)2 can be browsed using ASDM7.0(1), as currently i'm running ASDM6.6(1) if it will work, any document how to do the upgrade using GUI screen?
View 8 Replies
I have several working VPNs between ASAs 8.4 and 8.3The way this was set up is with cryptomaps that match whole subnets and ACL on the outside interface to permit from/to the RFC 1918 addresses.I notice that the hit count is zero on these rules and so I wonder if they are actually necessary or doing anything.If they are not where can an acl be applied to restrict the VPN traffic? Outbound on the inside interface?
View 1 Replies View RelatedI don't seem to be able to find a migration utility for PIX rel 8.0.4 to ASA 8.6 is there one available will save a lot of time
View 1 Replies View RelatedI know the 5510 & 5520s support the CSC-SSM module for Content Filtering (Anti-Phishing, Anti Spam, URL filtering, Anti-Spyware & Antivirus), but what about content filtering for the ASA5525-K9.The problem that I have is that I need a firewall that supports up to 1 Gbps Maximum Firewall Throughput and to support 250 users with Content Filtering described above.I'm using the following doc for sizing and came across the ASA5525-K9 for 1 Gbps, but not sure about the Content filtering: url...
View 3 Replies View RelatedI'm configuring the nat on a ASA5525 running on 9.1.2 and got 2 questions, 1. Is the below overlap warning message normal and will not cause any issue? 2. Is there a simple way on 8.3 and later to fulfill the same functionality like 8.2 and earlier?
old config on 8.2 and earlier
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 216.19.84.5
[code]....
i never see this before, but on newly purchased just configured firewall.when i do wrtie standby.All interfaces on standby unit flaps.is it some IOS bug? my firewalls are [code] what could be the reason? FYI i am using LAN base failover and not doing any statful fail-over.
View 3 Replies View RelatedGot an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface theres an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal ip to an external ip 217.x.x.x Everything is fine; working ok, but for several reasons we need to access the public ip 217.x.x.x from an inside ip (10.11.1.10). I tried to do it by creating an exemption for the dynamic nat; if i don't do that i have a 'deny ip spoof from...' message rolling on my syslogs.Seems to do the trick.....but only for pings! i ping the public ip from the inside ip, and got the reply from the internal ip on the DMZ. But if i want to telnet port 25 from inside to public; its not working.
View 7 Replies View RelatedI am not seeing the IKE Policy configuration screens while configuring IPSEC VPN on ASA 5510. (Using ver 9.1(1) / ASDM 7.1) following the wizard after step 8, I am expecting the screen where you configure DES/3DES ,etc the screen does not show up - Have the right (3DES) licence.
View 2 Replies View RelatedToday I got a pack of 7 Cisco T1 DSU/CSU WAN Interface Card (WIC-1DSU-T1-V2). I installed 6 of them (4 on a 2811 router and 2 on an 1841 router) and none of them would light up, show up in show controllers, or show up in show ip interface brief. Is there something I have to do aside from just inserting them in like getting software or entering in certain commands? (I installed the cards while the routers were powered off).
View 4 Replies View RelatedI have a wireless adapter WMP54G for a long time, but recently i updated to windows 7 and the problems begun.
After read a lot of stuffs about this problem, i downloaded a driver by RALINK and installed de adpter. But......on the installation, show two hardware: one is the adapter Linksys WMP54G...and the other can't be installed. So..on the Device manager appear like "unknown device" on the three of "USB controllers"
So...i'm already try a lot of things and can't install this adapter
I have a Dell Vostro 3460 laptop with Windows 7, 64-bit. My wireless driver is Dell Wireless 1704.802.11b/g/n. I just got this computer in December, and it worked fine for a couple of months, then about a month ago, I started having these problems.
Whenever I turn off or put my computer to sleep and turn it back on, my wireless connection doesn't work. The wireless indicator light on the front of the laptop is not on, and I push the FN+F2 button (which is supposed to turn on wireless), but it does nothing. I checked under the device manager, and the wireless adapter is not there.
After the first time I ran the diagnostics, I reinstalled the driver. The I restarted the computer, and the wireless was working. However, that night I turned of the computer, and when I turned it back on the next morning, the wireless was not working again.Other things I have discovered that sometimes work as a temporary fix:
Sometimes, if I wait 5 or so minutes, the wireless indicator light will come on, and then I can restart my computer and connect to a network, but most of the time, I can wait for hours and it never comes on.If I start in computer into safe mode or the BIOS screen or diagnostic screen, sometimes the wireless will start working after I exit that mode and start into normal operating. For example, one of the times that I ran the PSA diagnostics, the wireless started working afterwards, but stopped working again the next day. Another time, I started the computer in safe mode with networking to see if that would work, and the wireless did not work while I was in safe mode, but then I restarted the computer in normal mode, and the wireless came on.
One time, I went under Device Manager and did "Scan for Hardware Changes." After that, the wireless indicator light came on, and I restarted the computer and was able to connect to a network.However, all of these solutions were temporary, and some of these solutions only work one time but not again.I called Dell Support a couple of weeks ago, and they said that my antivirus program might be stopping the wireless driver from starting up. I have Trend Micro, which came with the computer.
My current ASA 5525-X is licensed with Anyconnect premium = 2 and 750 "Other VPN" What does other mean? Also does this mean that only two clients with Anyconnect can use the ASA for VPN? Or is Premium different than Anyconnect alone?
View 5 Replies View RelatedIPsec VPN configured between ASA5525-X and Linksys RV042 ,While transfering some exe from ASA5525-X side to Linksys RV042 side over VPN hash-sum of this file changes, so, when you open transferred file, you have an error message "File is corrupted". If you try to transfer file from Linksys side, hash-sum is ok. Also, work with oracle application is interrupted because of unknown reason. IPsec works only if using router instead of ASA.
View 2 Replies View RelatedI have several ASA-5505 units with the SecurityPlus license. These are running older OS versions and I would like to upgrade them. I am wondering if I will lose the SecurityPlus if I upgrade the image to 8.3
View 4 Replies View RelatedI found my CSC module installed in ASA 5510 unresponsive. I tried to recover / re-image the module with .bin file. but I think it is not possible to re-image because there is no rechability with CSC module, and session 1 command also doesn't work,
you can see the response here.
CS-ASA# session 1
Opening command session with slot 1.
Card in slot 1 did not respond to session request.
CS-ASA#
In this case how to enter into the module?
I removed and inserted the module and tried to reach to it .. but couldnt solve . I just wanted to know whether hardware is dead or not.
We have just installed a Cisco RV120W behind a third party firewall. All works correctly now, but we are struggling to get the Quick VPN clients connected. I have enabled port forwarding for PPTP & L2TP over IPSEC on the third party router, but still cannot connect (the RV120W was previously used as a primary router & worked perfectly). What ports do I need to open on the third party router to get this to work correctly?
View 4 Replies View RelatedI have Asa 5510 with base license and no 3des free license installed on to it.Will it be required for both the licenses to be installed on it for site to site tunnels to establish.This firewall is not taking the below commands to give and the tunnel is not getting through.tunnel-group x.x.x.x type ipsec-l2ltunnel-group x.x.x.x ipsec-attributes.
View 3 Replies View RelatedI have installed a new SSL certificate on our ASA 5500. I removed the old one, installed the new one. And associated the trust points with the interface we use for Web Connect and Any Connect connections.
They are still seeing the old expired certificates. Users can still log in and authenticate but I would rather them see the correct certificate.
Have a Site to Site VPN link up between two ASA (8.4) boxes, one of which is on a static IP (on campus) and the other a dynamic IP (remote). The link is up and functional and works flawlessly as I need it to, however, on the dynamic end, there is only one device behind the remote ASA, a point of sale terminal.
The POS terminal / server works like this. The terminal has a static IP on the private network behind the remote ASA, and our financial server knows this IP, and connects out from our campus to the remote terminal. The terminal itself never calls home. Because of how this works, if the VPN link goes down, the terminal never tries to reconnect back home, which would force the remote ASA to rebuild the link, and if the link is down, because the remote end is dynamically addressed, our campus ASA doesn't know to bring the link back up.
Is there a way to ensure, or at least attempt, to keep this VPN link up indefinitately? With keepalives or timeout settings or whatnot? I want the link to never, ever, ever get torn down, unless something catastrophic has happened.
I have FSWM active/standby installed in 6509-E core switches running following FWSM Firewall Version 3.1(3) Device Manager Version 5.0(2)F..I want to upgrade to latest FWSM version as well as ASDM, I downloaded asdm-622f.bin and c6svc-fwm-k9.4-1-5.bin from cisco portal. When i checked the show version of FWSM, it says..The Running Activation Key is not valid, using default settings: Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
I have gone through threads on CSC about how to upgrade FWSM in failover mode, now my concern is, Do i have to take care about activation key or keep as it is ? I have maintenance contract with cisco for all devices.
I work in a company, and we had to make a site to site VPN. Everything is working good, except that packets sent from my site are NATed, in other words: the firewall of the other site (site_B) see only the IP address of my firewall (Site_A).
I tried to resolve the problem but no success,I think that the Nating of the VPN's packets is the problem.
Here is my current running config:
ASA Version 8.3(2)
!
hostname ciscoasa
enble password 9U./y4ITpJEJ8f.V encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
extended permit ip any any log warnings (code)
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I restarted my pix firewall cisco pix 515 and when i start it again the Act lamp and the firewall didn't work .
View 1 Replies View RelatedI am trying to enable Ftp traffic through our firewall at work. We have a Cisco 5505 ASA and we cannot access any Ftp servers outside our network. We are running 8.3(2). Any have commands I can run to allow us to connect to ftp sites?
View 6 Replies View RelatedI am very new to Cisco ASA and I am trying many days to implement the design below but still cannot get it done. The situation I am facing is
- a host (e.g. 192.168.5.10) under Inside interface can contact to outside without any problem.
- however a host outside (e.g. in VLAN1 or outside this network) cannot contact host under Inside interface. I am using PING test and always get Request Time Out. [code]
We have Cisco ASA 5520 with csc ssm 10 (product ver. Trend Micro InterScan for Cisco CSC SSM 6.6.1125.0)in Web>Global settings> URL filtering > Rules > Communications and Search> Social Networking category is set to block during work time and allow during leisure time(see the attachement), but rule for this category won't work. I mean social networking sites are always remain allowed.
View 2 Replies View RelatedI have an asa 5520 that works fine if you are using passive ftp and ftp inspection is on globally. It is not working for an active ftp session. I tried allowing all ports back to the external ip address of the internal client as a test and this did not work either.
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.2(3)
policy-map Global_Policy
[Code].....
I read another article saying that this command needs to be on the asa "fixup protocol ftp 21"
If this is enabled will it show on the firewall? How do I enable it?
I can't telnet from a host(Ubuntu 12.10) in our DMZ to an outside MX on port TCP 587. Inspection for ESMTP not enabled. Port 587 enabled for host in DMZ to any.
View 12 Replies View RelatedI am having ASA 5520 with active/standby configured. Around 2 days ago, the ASA stopped responding & all of my websites stopped working. when i checked the failover status it said that failover is off. I had to manually turn the failover to start my traffic flow.During this time my secondary ASA was not responding. After some time, the primary stopped responding & secondary became active......to solve this i had to make the secondary unit as failover unit primary & the primary unit as failover unit secondary. i did get a log on ASA :-
“(Primary) Disabling Failover” with error message no.105001 which states the below:-
Error Message %PIX|ASA-1-105001: (Primary) Disabling failover.
Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed).(Primary) can also be listed as (Secondary) for the secondary unit.
I've been use to managing our ASA's on firmware 8.2, however we have got a couple of ASA's on firmware 8.4 for a new project and the NAT area especially in the ASDM is very different now, I feel like I know nothing. On these new ASA's on 8.4 that will be in active/standy mode I will be creating a sub interfaces off these by attaching a 3750 and I wondered how the NAT exempts will work.
I will have to use exempts as I don't want the source IP to change when going from one interface to another in certain situations and this setup described works well on 8.2, but how can I do this on 8.4 as I don't even see the option for creating NAT exempts, looks like a different world?
I have a server on the inside of my network (with a internet Routable IP). It has been requested to me that people from the internet access port 80, and that is translated at the firewall to port 7080. I have set up a temp Access rule to allow access to 7080 from the outside and it is accessable. I am not sure what I am doing wrong, but I am tion from 80 not able to get the translato 7080 to work.
View 1 Replies View RelatedI have one outside interface with global IP address 1.1.1.1 and two inside.Both inside interfaces restrict and non_restrict have private IP addresses.I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.I can access prohibited URL from restrict interface. What's wrong in my URL filtering?
Here is my config:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
[code]....
A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back on vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.
What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authentication against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication is successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly.
