I have an issue with the LMS 4.0, i added manually the ASA Fws 5520 and 5510, and i see them there, but i cannot see the configuration, inventory and technology details.Telnet is deactivaved in ASA´s, ssh and snmp v3 are enabled.Routers and switches were added without issues.
View 3 Replies I have one ASA5520 with version 8.4(3), and a few ACL rules defined. One ACL is permit traffic from one interface(EXT_SERVICE) to another interface(DMZ_SERVICE), if i change that rule to deny traffic, all new connections that match the rule is denied, but no the established connectios. ¿Why the established connections can pass the deny rule? ¿How I can change that? I need create a ACL with deny type and stop all comunications that is running and match the deny rule.
Running-config of my ASA5520:
ciscoasa# show run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 8ay2wjIyt7RRXU24 encrypted passwd 2wFQnbNIdI.2KYtU encrypted names !
interface GigabitEthernet0/0
[Code] ........
After reading the post titled "ASA 5520 nat access-list query for internet access" I realized the object-group command could and should be used to make a more efficient and cleaner configuration. My current environment is very small and straight forward consisting of one FTP server in the DMZ. Though the guide: [URL] is straight forward, my inexperience hinders me from seeing how to use the commands effectively. A summary of the configuration is at the bottom of this post
Question: How can I clean up my current configuration? I have two references to the same server, dmz-rdp and dmz-ftp, created for port forwarding ports 3389 and ftp through the outside interface. I can combine them into one object statement, right? for each port I want to forward through the outside interface?
object network dmz-rdp
host 10.10.10.4
nat (DMZ,outside) static interface service tcp 3389 3389
[Code]....
I've been trying to switch out our old firewall which is a 5510 for our new 5520, but we keep running into this problem on both devices with almost the exact same configs. Currently I have the 5510 installed, and I cannot get our email server and RDP server to ping out to our internet gateway.
Attached is a sanitized config. From the config you can see the internal address of the email server is 11.2.1.29, external address is 73.13.198.211. RDP server is internal address 11.2.1.33, external 73.13.198.212. Our internet gateway is 73.13.198.209.
From another computer with a 11.2.1.X address I can ping out to the internet gateway. The other two devices drop (I believe) when they hit the firewall.
Static mappings (again from config):
static (inside,outside) 73.13.198.211 11.2.1.33 netmask 255.255.255.255
static (inside,outside) 73.13.198.212 11.2.1.29 netmask 255.255.255.255
Original access list:
access-list outside_access_in extended permit tcp 64.19.0.0 255.255.240.0 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit tcp host 67.228.177.117 host
[Code]....
Cisco still doesn't provide failover (active/standby) between two different types of ASA, right?
[URL]
"The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM"
We ahave ASA 5510 and 5520 @ our office. We are not using any netflow tools in order to get the talk talklers.As this firewalls are shared firewall (used by different Projects), we are not able to get , which project is using more traffic and which is less.
View 3 Replies View RelatedI have new ASA 5520 units currently we are using ASA 5510... I have to migrate all the configuration to the new ASA 5520 units....I am wondering is there a possible way to export and import certificates from ASA 5510 to 5520....
how to export or copy all the configurations, plug-ins, certificates from 5510 to 5520.Existing configuration snapshot...CA certificates from third party installed for authentication and identity certificate from Verisign
WebVPN
Anyconnect
Plug-ins
IPSEC tunnels
NAT
is it possible to configure a webfiltering on ASA 5505,5510,5520 ? So if its possible can you provide us a configuartion template.
View 3 Replies View RelatedAre the ASA memory DIMMs created for specific models? Would a 1GB 5510 Memory stick work in a 5520?
View 1 Replies View RelatedIs it possible to import the config of a 5510 to a 5520. Trying to replace two 5510's with 5520's and wondering is there a way import the existing config files for the 5510's into the 5520's?
View 3 Replies View RelatedHow many user accounts i can create to a Cisco ASA box? Say for example a Cisco ASA 5510 or Cisco ASA 5520?
View 5 Replies View RelatedI have this firewall working as active/standby. Everything seemed to be ok, but we noticed that confirgurations are not being replicated by saving configuration either copy run start or write. The workaround here is write standby command. Below the configs and stats, plus the show version, which is the same in both equipments:
Header 1
failover
failover lan unit primary
[Code].....
I have an ASA 5505 without any IPS module.While copy/pasting some configurations from another 5510 with IPS I copied my mistake the some of the IPS configurations part. Now I can't remove it.When ASA starts I get this Warning:
...WARNING> IPS policy is configured without an SSM card.
*** Output from config line 828, " ips inline fail open"
Those lines are:
policy-map Outside_Policy
class IPS_class
ips inline fail-open
When I try to do "no ips inline fail-open" I get an "invalid input detected".If I try a no class IPS_class I get that is being in use.What can I do to clean up those lines?
I'm trying to move some configurations over to an ASA5510 and some of the commands are a bit different than I'm used to (worked on old pix before)
I've configured the following on the device:
Outside interface: 65.66.64.34/28
DMZ : 65.66.64.49/28
Inside : 10.2.3.3/26
===========================
The current firewall has the below configured on it (old Juniper)
10.2.3.0/24 gateway 10.2.3.15 **10.2.3.15 is the IP for 3750 switch on the inside LAN**
10.0.0.0/24 gateway 10.2.3.4 **10.12.175.4 internal vpn- will remove later but thats a different discussion**
0 0 gateway 65.66.64.33 **to internet
10.0.1.0 gateway 10.2.3.2 **10.2.3.2 represents mpls traffic
[code]...
The current set up for this network has an mpls router and a vpn concentrator as part of the network my aim currently is to replace the juniper with an asa5510 the changing of the vpn tunnels will be for a different time:
work station ===> switch (3750) DG to =====> MPLS (vendor owned and managed) ====> non mpls traffic ====> vpn concentrator ===>firewall ===> router
The above will need acls to go with the routes, which I should manage ok just want to make sure the routing is configured properly
I am trying to migrate checkpoint configs to ASA 5585 using SCT tool, this tool asking me to feed it *.W file from checkpoint which is suppose to be a rule definition file on CP, but I cant find it
View 14 Replies View RelatedI'm running into trouble with one of my l2l ipec vpn between a cisco 5510 and 5520 asa running version 8.2.2.
Our existing l2l vpns are connected fine and working fine. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A also connects to SITE C (10.100.8.0/21). These are OK.
What's failing is when I try to connect SITE B to SITE C. The tunnel does come up and phase 1 and 2 complete successfully. However while running: 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' i get the following:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad1c4500, priority=70, domain=encrypt, deny=false
hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
src ip=10.20.0.0, mask=255.255.0.0, port=0
dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0
I noticed when the tunnel came up, the 10.100.8.0/21 route was not added in the routing table and the cyrpto ACL was not applied on the remote ASA. I added the route manually but cant get the cryto ACL to apply.
More usefull info:
SITE C
object-group network NoNatDMZ-objgrp
network-object 10.10.0.0 255.255.0.0
network-object 10.10.12.0 255.255.255.0
network-object 10.20.0.0 255.255.0.0
[Code] ......
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
View 1 Replies View RelatedI'm trying to export identity certificates from an ASA 5510 to 5520, I'm exporting in pkcs12 format and specifying a passphrase. When attempting to import to the 5520, I get "error import pkcs12 operation failed" from cli or asdm.
View 1 Replies View RelatedI'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
I have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies View RelatedWe are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
View 1 Replies View RelatedTwo different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
View 8 Replies View RelatedI have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
communication between 2 vlans.i have 2 vlans
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
I have a serious problem with my corporate firewall, witch is an ASA 5520, fv 8.3, with 8 +1 interfaces. It suddenly started to crash every 10/20 minutes and rebooting alone.
First of all I checked system resources witch are in a very low usage state. I also checked interfaces errors, but nothing strange come out o from error counters analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.
Nothing changed and firewall continue restarting by itself.
Last logs I received before crash were:
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack = 0x084A619E 0x084A6512 0x084A70E1 0x084A7987 0x084A7AAA 0x08558B9B 0x08558E8A 0x083D3518 0x083CA145 0x080659D1 0x089196D9 0x08919790 0x089FF711 0x08A27468
Here the sh crash info command on module 0, after last reboot:
[Code] ......
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
View 2 Replies View RelatedI have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
View 2 Replies View RelatedOur Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
I have problem in the configuration of Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network--> Firewall --> Routers with GLBP with virtual ip address. the clients can not ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall, I checked the packet tracer it gives :
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside10,outside) source dynamic LAN interface
Additional Information:(code)
Need to know if ASA 5520 does Layer 7 firewall or not?
View 2 Replies View RelatedTwo days ago, we changed our old 525 with asa 5520 ( ver 8.2 ). Configuration is the same, except the version. It even retains the same global interface and static public ip address as the old device.All worked well during that period.
Yesterday, one of the http applications , not tested other day, was found not to be working. To test, we switched back to the old 525 , however nothing was working when we did that.
My devices configurations are not getting backed up.
View 1 Replies View Related