Cisco Firewall :: Config Migration From ASA5540 To An ASA5545-X?

Jan 22, 2013

Customer has a ASA5540 at their main location and need a new ASA5500 for a DR site.
 
Can I simply take a config file from an ASA5540 and easily drop it on an ASA5545-X or what ever?
 
They are going to be using it as a VPN concentrator primarily.
 
Or are there going to be issues since the 5540 is running 8.4(5) and the 5545-X? Or if they upgrade to 9,0(1) or higher, then they should be the same?

View 2 Replies


ADVERTISEMENT

Cisco Firewall :: ASA5540 - EAL4 Transparent Firewall Config

Mar 14, 2011

I am configuring an ASA5540 firewall for a client, only difference to usual being that it is to run in Transparent mode. I have looked through for an EAL4 transparent firewall config guide but found nothing and therefore assumed that the usual one would be used.The clients security bod has now come back and insisted MAC filtering should be used but I can find no reference of this anywhere. Does MAC filtering is required to make a transparent box EAL4 compliant and if so where I can find documentation supporting this?

View 1 Replies View Related

Cisco Firewall :: ASA5545 Connection Table Exhausting

Feb 21, 2013

ASA5545 :  Software Version 8.6(1)2Connection table (cfwConnectionStatValue) gradually increases and never goes down. Upon 750000 connections, user activity is hampered and the box claims that it can not support more connections.

View 4 Replies View Related

Cisco Routers :: RV042 Migration Utility Returns Config Create Fail Message

Aug 5, 2011

I upgraded my Linksys RV042 firmware to 1.3.12.19-tm and exported the config file, then tried to convert it using RV0xx_Migration_Utility_v1.0.2.2 in order to import it to a new Cisco RV042 (v3). The migration utility returns a config create fail message and fails to convert.
 
The LOG file ends with:
 
Get PORT_101 VLAN Group setting fail.
***log end***
 
how to make this work or how to move config file to v3?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA5545 - Allow Tacacs Authentication

May 14, 2013

I am trying to access an ASA 5545 using TACACS+.  I have the ASA configured as follows:

aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
[code]....
 
I have added the ASA in ACS with the correct IP and the correct key. When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username Cisco password Cisco, I get:
 
ERROR: Authentication Server not responding: No error.

View 20 Replies View Related

Cisco Firewall :: VPN Between ASA5540 And Router

Sep 10, 2008

I had a working vpn configuration between a local and a remote router; the remote router is not under my administration.Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.

View 28 Replies View Related

Cisco Firewall :: K-value Mismatch With EIGRP On ASA5540

Mar 7, 2011

I have an ASA- 5585X (v.8.2.4) directly connected to an upstream 6509, which is running EIGRP. I configured the ASA for EIGRP with same AS# and network numbers and no auto-summary.   Here are the log messages I got:
 
Mar  8 15:11:08: %PIM-5-NBRCHG: neighbor 164.72.178.28 UP on interface Vlan150 (vrf default) Mar  8 15:11:08: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 164.72.178.28 on interface Vlan150 (vrf default)
Mar  8 15:11:11: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.28 (Vlan150) isup: new adjacencyMar  8 16:16:08: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) isup: new adjacency
Mar  8 16:18:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) is down: K-value mismatch
 
I lost my SSH connection to the upstream 6509 and couldn't get it back. Luckily I didn't lose my ASDM connection to the ASA, so I disabled EIGRP and went to look at the logs on the 6509.
 
What causes a K-value mismatch, and how to I rectify the situation?

View 1 Replies View Related

Cisco Firewall :: ASA5540 Configured With Standby IP

Aug 6, 2012

I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.However, the standby ip of this firewall is not point to the secondary firewall and vice versa for the primary firewall. [code]

1) May i know how is this configuration valid in the first place? I have checked through the configuration. None of the configuration is related to this ip address.
 
2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?
 
3) We tried to use this ip address but cannot be used ? Is it related to the configuration of the standby ip address.Do note that the ping to this ip address x.x.x.120 is unreachable.

View 1 Replies View Related

Cisco Firewall :: One ASA5540 With Two 3750 Connections

Jan 9, 2013

i have two CAT3750 need to place in L3, and it supposed that used as L3 switches by SVI for L2 routing, and I want to these two configured as redundancy by HSRP. but now I can only have one ASA5540 to connects these of L3 switches.
 
so, here is my questions:
 
1. does ASA5540 support multi vlan?

2. does it support spanning tree protocol?

3. if I've choiced to use trunking between two L3 switches, does it can pass through HSRP hello msg?

4. achive network redundancy

View 3 Replies View Related

Cisco Firewall :: ASA5540 Port 80 Redirect To Https

Dec 21, 2011

Windows IIS server configured behind a Cisco ASA 5540 listening on port 443 currently. Access-list and static translation configured. I have been ask to redirect all port 80 calls to port 443 for this web site only at the firewall. I have suggested moving it behind our content switch with negative results. Can we do this at the firewall level? how to accomplish the redirect for a single site. 8.2.4 is current code

View 4 Replies View Related

Cisco Firewall :: ASA5540 Memory Upgrade - 3Gig

May 10, 2011

I upgraded our ASA5540 to 8.4, THEN noted the increased requirements for Memory. I purchased the 2Gig upgrade, but when installing in the Primary unit today, noted that there were 4 slots. Slots 1/3 had 512Mb modules, so I installed the 2 x 1Gig modules in slots 2/4.
 
The ASA5540 came up clean, and it "sees" the entire 3Gig of memory.
 
My question: Is this a SUPPORTED configuration? All documentation I have read only mentions 2Gig of memory. Also, If I had FOUR x 1Gig memory modules, would the ASA5540 support the 4Gigs of memory?

View 1 Replies View Related

Cisco Firewall :: Fails To Download File Through ASA5540

Dec 12, 2011

We have ASA 5540 with 8.2 SW. We are trying to download a file (3 MB pdf)  from https session which fails if done behind the firewall. In case, the client bypasses firewall, the file gets downloaded as usuall. Interesting thing here to note is that when client is behind the firewall, its takes a long time to download the file and the file size always 312 Bytes, of course its a corrupt file.

View 3 Replies View Related

Cisco Firewall :: ASA5540 Management Interface IP Addressing?

May 9, 2011

How does one allow /31 mask for an management interface on an ASA5540 using version 8.3(1)?
 
I need to configure a 192.168.x.y /31 on the management 0/0 interface of a ASA5540 and it is providing me with the following error:ERROR: /31 mask is not allowed

View 1 Replies View Related

Cisco Security :: Can Add SSM-4GE Module In ASA5540-AIP40-K8 Firewall

Dec 11, 2011

I have requirement received from one of my customer. the part number given as ASA5540-AIP40-K8, same time requesting for addition of another 4Port GE Module (i believe its SSM-4GE Module). Is any option to add this module in to the above specified model (ASA5540-AIP40-K8).
 
As per my understanding the ASA5540 have the option to add 1 additional module only, so if we AIP-SSM module, we don't have any free slot left with to add another SSM-4GE Module in the firewall.
 
i am not getting even the option to add SSM-4GE in the ASA5540-AIP40-K8

View 1 Replies View Related

Cisco Firewall :: Interoperability ASA5540 Routing And Nat With The Same Zones?

May 18, 2011

I am migrating firewall fortinet to ASA5540 with inside (192.0.0.0/24), dmz (192.168.0.0/24), and outside (x.x.x.x), but the users of inside network gain access to the aplication for two ways: the first way is trough routing between inside and dmz, for example 192.0.0.200 to 192.168.0.20, and the another way is trough static nat between inside and dmz for example 192.0.0.200 to 192.0.0.20 (192.168.0.20 static nat). Is posible in Cisco configure that? because when i configure only firewall route the first way is OK, but when i add the second way only nat is work!

View 10 Replies View Related

Cisco Firewall :: ASA5540 Can't Get DHCP Service From Outside To Inside Network

Jun 13, 2012

I have an inside network using PAT to one outside address. Our DNS server is on another local, but outside address.  I can't get the inside network to successfully get addresses.I have another inside address that just uses the wirewall and gets addresses just fine from the same server.I have the box checked in ASDN that enables DHCP on the inside interface and points to the correct DHCP server,PAT service is working properly if I use a hard coded address for a machine on the inside network.This is an ASA5540 with 8.3(2)

View 2 Replies View Related

Cisco Firewall :: How To Clear Input Errors In ASA5540 Interface

Feb 26, 2013

My Expertise with Cisco ASA is Very less. I have observed Input errors in a Couple of Interfaces in Cisco ASA 5540 Firewall.   [code] I need to Clear the Input errors on this particular Interface.Will Clear interface GigabitEthernet 0/0 will work?

View 4 Replies View Related

Cisco Firewall :: ASA5540 Dropping Packets On Large FTP Transfer

May 23, 2011

I am attempting to FTP to a remote site through a IPSEC tunnel.When I am transfering large files the ASA5540 is showing syslog errors stating "connection timeout".  What I think is happening is after about 1 hour the firewall is closing the connection control port for the FTP session and neither end is notified so eventually the transfer is stopped.What do I need to modify in the FW to accommodate these larger files?

View 1 Replies View Related

Cisco Firewall :: ASA5540 - No ICMP Reply From Inside Sub-interface

Apr 28, 2013

I need to monitor with ping the inside sub-interface of my ASA5540, is that possible? I get the ICMP requests but no replys going out from the box.
 
 I need to ping the 192.168.10.250 from the 192.168.5.55:
  
ASA Version 8.0(5) 
interface GigabitEthernet0/1
nameif inside

[Code].....

View 2 Replies View Related

Cisco Firewall :: PIX To ASA 8.3 Migration?

Mar 8, 2011

As we are all aware that the ASA8.3 has quite some changes interms of configuration method.
 
I would like to know if it is possible to use the pix to Asa conversion tool for 8.3 purpose.

View 2 Replies View Related

Cisco Firewall :: ASA5540 - Disabling Anti-Replay For Specific Tunnel

Sep 23, 2012

We need Solution for disabling Anti-Replay on the Firewall for a specific tunnel. ASA 8.4(2) ) does not support disabling Anti-Replay on specific Ipsec tunnel , is it true , then if we want to disable Anti-replay , what we have  to do in ASA5540 .

View 4 Replies View Related

Cisco :: ASA5540 - Run Firewall To Display MTU Packet Size Being Received On Interface?

Jul 5, 2012

I have a ASA5540 firewall set-up with an interface MTU of 1500.  
 
I suspect that we are receiving packets with a larger MTU but have not found an easy way of confirming this.  Any command that can be run on the firewall to display the MTU packet size being received on an interface?
 
We are also running Solar Winds so could query an OID if such a variable exists.

View 1 Replies View Related

Cisco Firewall :: ASA 8.0 Configuration Migration To 8.6

Feb 12, 2013

I have old ASA with 8.0 configuration that includes huge number of ACL, NAT , VPNs , we got a new ASA with 8.6 , and we are planning to move the configuration to the new box , I'm wondering what is the best approach to do this , I'm thinking of one of the following scenarios1- downgrade the new ASA to 8.3 , the apply the config , remove the identity nat commands and names then upgrade to 8.6 and after that reconfigure the NAT rules and object groups .2- convert the old config manually to 8.6 code including NAT , object-group ,ACL and apply it to the new ASA ( this is going to be huge task). What are the commands that I have to look at when I convert to 8.6 and will the VPN configuration be affected ?

View 5 Replies View Related

Cisco Firewall :: Migration PIX 515 8.0(3) To ASA 5525-X

May 28, 2012

I have a PIX 515 with version 8.0(3). We buy a ASA 5525-X for replace the PIX.
 
The question is, what is the better method to migrade the configurations? Manually?

What is the better version for 5525-X? 8.6.1?

View 4 Replies View Related

Cisco Firewall :: ASA5540 In Multiple-context SNMP / Icmp Doesn't Work

Jun 10, 2013

what´s going on with an asa540 configure in multiple-context mode.   I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
 
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
 
If I try to ping returns the same error:
 
CISCOASA/CONTEXTA#
 JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp  reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
   
Following attached the conf of my asa   My question is Why I can´t ping or even use snmp ?

View 5 Replies View Related

Cisco Firewall :: ASA5540-AIP20-K9 / Discover Actual Product Part Number

Nov 16, 2011

how can i discover product actual part number from the device through console.I have a bought a cisco  ASA5540-AIP20-K9 and i want to check either is the product is shipped us as a right product.And i want to check total BoM requriements from entering the ASA console through any CLI Command.Below My Cisco ASA BoM which i purchased.
 
ASA5540-AIP20-K9ASA 5540   Appliance w/ AIP-SSM-20, SW, HA, 4GE+1FE, 3DES/AES1CAB-ACUAC   Power Cord (UK), C13, BS 1363, 2.5m1SF-ASA-8.3-K8ASA   5500 Series Software v8.31SF-ASA-AIP-7.0-K9ASA   5500 Series AIP Sofware 7.0 for Security Service Modules1ASA-VPN-CLNT-K9Cisco   VPN Client Software (Windows, Solaris, Linux, Mac)1Included:   ASA5540-VPN-PRASA   5540 VPN Premium 5000 IPsec User License (7.0 Only)1Included:   ASA5500-ENCR-K9ASA   5500 Strong Encryption License (3DES/AES)1Included:   ASA-AIP-20-INC-K9ASA   5500 AIP Security Services Module-20 included w/ bundles1Included:   ASA-180W-PWR-ACASA   180W AC Power Supply1Included:   ASA-ANYCONN-CSD-K9ASA   5500 AnyConnect Client + Cisco Security Desktop Software1CON-SU1-AS4A20K9IPS   SVC, AR NBD ASA5540 w AIP-SSM-20,4GE + 1FE,3DES/AES1 

View 6 Replies View Related

Cisco Firewall :: Migration Error Upgrading To ASA 8.4.4

Oct 25, 2012

I was trying to upgrade an ASA to from 8.2.4 to 8.4.4, and I began receiving the following migration errors (the IP addresses have been changed to protect the innocent):
 
ERROR: MIGRATION: The following ACE is partially/not migrated to Real IP, as it could result in more permissive policy. Please manually migrate this ACE. permit esp host 1.1.1.1 host 2.2.2.2    
 
I got a TON of these, in fact the migration, and these errors ran for over 24 hours before I gave up, powercycled the unit and forced 8.2.4 to boot through ROMMON.  This was a secondary unit, that's why I let it go this long.
 
What I don't understand is that we do not have anything in the configuration for ESP.

View 1 Replies View Related

Cisco Firewall :: Migration Utility For PIX 515 8.0 To ASA5525 8.6

Oct 3, 2012

I don't seem to be able to find a migration utility  for PIX rel 8.0.4 to ASA    8.6 is there one available will save a lot of time

View 1 Replies View Related

Cisco Firewall :: PIX 515E To ASA5515 Migration?

Aug 26, 2012

Looking at migrating from the following:
 
PIX-515EPIX Security Appliance Software Version 8.0(4)Device Manager Version 6.1(5)51
 
to
 
ASA5515Cisco Adaptive Security Appliance Software Version 8.6(1)Device Manager Version 6.6(1)
 
Is this migration directly supported, or do I need to downgrade first?

View 5 Replies View Related

Cisco Firewall :: ASA-AC-M-5520 Migration To ASA-AC-M-5585?

Jan 23, 2013

I have ASA-AC-M-5520, can we migrate the license to ASA-AC-M-5585

View 1 Replies View Related

Cisco Firewall :: ASA 8.3 - Migration Changes Hosts To Objects?

Sep 24, 2012

I'm testing upgrading an ASA from 8.2.5 to 8.4.4.  During the the upgrade, it change all of my ACL host entries to objects.  But I noticed that the keyword "host" is still a valid option when creating an ACL.
 
I'm trying to understand why this change is made during the migration.

View 3 Replies View Related

Cisco Firewall :: ASA 5550 To ASA 5555-X Migration

Apr 23, 2013

I am about to carry out a migration from ASA 5550 to ASA 5555-X, however I cannot find any detailed document or reliable tool for this migration.

View 4 Replies View Related

Cisco Firewall :: PIX515 To ASA5510 8.4(5) Migration?

Dec 18, 2012

We're migrating as mentioned in the subject and this new format is quite a departure from previous iOS versions so I thought I'd post the configs of the PIX and the ASA and ask if someone is willing to compare them and verify that it is correct and should be basically plug and play. The xxx.xxx.xxx are outside IP addresses and the yyy.yyy.yyy are inside addresses. .
 
Existing PIX config
PIX Version 6.3(4)
interface ethernet0 100full

[Code]......

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved