Cisco Firewall :: Migrate Two ASA 5520 Stateful From 8.0 To 8.4

Jul 7, 2011

We try to migrate two ASA stateful Active / Passive from version 8.0 to 8.4 but many of acl rules and Nat no longer working. We must go through the version 8.2? The release 8.4 changes everything and seems to me not too stable, it'sl best to stay in 8.2 or 8.3 !!!

View 3 Replies


Stateful Firewall In Wifi Router?

Mar 8, 2013

Are stateful firewalls available in SOHO wifi routers? assume they have to be configured. Do they? are they any value without a config?

View 1 Replies View Related

Cisco :: IOS Zone - Firewall Stateful Failover?

Aug 3, 2011

I've seen you can configure stateful failover between two routers running ip inspect classic firewall: url...Can the same be done yet for zone-firewall? I cannot find any documentation on it.

View 1 Replies View Related

Cisco Firewall :: R75-20 / Migrate From Checkpoint To ASA?

Sep 11, 2012

what's required for the migration from Checkpoint R75-20 Splat install to the Cisco ASA firewall, links to documentation - step-by-step.

View 3 Replies View Related

Cisco Firewall :: Migrate From 887 Router To ASA5505?

Dec 7, 2012

I have two router Cisco 887 with vpn site-to-site:
Site A:
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key ********* address 85.34.AAA.AAA  
crypto ipsec transform-set strong esp-3des esp-md5-hmac

I want to remove VPN configuration from the router and put VPN Configuration on Cisco ASA 5505.The scheme would be: ASA5505(vpn site-to-site) -> 887 -> INTERNET this for both sites.My problem is that I do not know what ip put on interface Outside of firewall. For example on Site A delete all VPN configuration from 887 and leave only ATM0.1 point-to-point, on intereface Outside of ASA put ip of loopback(of router 887) and as default route 85.34.2.XXX. Right?

View 12 Replies View Related

Cisco Firewall :: Migrate Static Nat From PIX804 To ASA845?

Jan 23, 2013

I have configuration on PIX804 :
On Pix804
 interface Ethernet2
nameif ins10


On PIX515T(804) in packet-tracert option no Phase 1 - Route-lookup and both static nat works fine. May I disable on ASA phase route-lookup, that it not send packet on wrong interfaces ?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 Migrate Flash Cards

Jun 22, 2011

I need to upgrade the compact flash of my ASA 5510 from 256MB to 512MB. A friend's recommendation was to buy a card reader, copy all of the data from the existing card and paste it to the new compact flash. I have a hard time believing that it's that straight forward.
Any safer, more foolproof way of migrating between flash cards?

View 8 Replies View Related

Cisco Firewall :: Migrate Multiple Static NAT From ASA 7.x To IOS Router?

Feb 24, 2012

I need to replace an ASA with an IOS firewall router, and am not sure how to migrate the NAT configuration.  Specifically, there is an interface "3rdparty" that has onward connectivity to other private addresses, so our internal addressing is hidden.  For some reason there are static NAT rules in different directions across the interface, but at present I cannot see why.  Thinking in router terms, all that springs to mind is the inside and outside tags for the interfaces, but also that it might need "overlapping" NAT to be configured.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 To Migrate Single Checkpoint

Dec 18, 2012

I am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall.  The checkpoint firewall has 8 physical interface so the ASA 5510 also support physical 8 interfaces so thiw will be a one-to-one swap.  At the moment, I don't have an ASA 5510 to test my theory so I am going to throw it out here.  The checkpoint firewall is a SPLAT running on an powerfull IBM Server with 8 CPU dual cores with 32GB of RAM and it has 1200 rules with over 120,000 objects with some of the crazy NATs but it works so we will just leave it at that.  There are not that much traffics going across the firewall so there are no need to put in an ASA 5585
I use the cisco conversion tool to do the policy conversion from Checkpoint to Cisco, I get about 1.5 million lines in the configuration.  A lot of it has to do with Checkpoint having no concept of interface security level while ASA does.  I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment.  The customer goal is that at the time when cutover from Checkpoint to Cisco ASA, they want everything to be perfect, meaning that it will work like magic. 
My question is that can the ASA 5510 handle 1.5 million lines of configuration?  Are there any limitations on this?  I know there are limitations with FWSM but since I don't have an 5510 to test.

View 1 Replies View Related

Cisco Firewall :: 5550 Migrate From Multiple Context To Single

Aug 12, 2012

I have a Failover pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2).  Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed.  I would like to now migrate to single mode before I go about patching them to the latest software.

View 4 Replies View Related

Cisco Firewall :: Migrate Checkpoint Configurations To ASA 5585 Using SCT Tool

Oct 28, 2011

I am trying to migrate checkpoint configs to ASA 5585 using SCT tool, this tool asking me to feed it *.W file from checkpoint which is suppose to be a rule definition file on CP, but I cant find it

View 14 Replies View Related

Cisco Firewall :: ASA 5550 - Migrate From Multiple Context To Single

Jun 13, 2012

I have a Fail over pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2).  Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed.  I would like to now migrate to single mode before I go about patching them to the latest software. 

View 2 Replies View Related

Cisco Firewall :: Migrate To Multiple Context Mode On ASA 5520s Cluster?

Jun 4, 2012

I have a pair of ASA 5520s in active/standby failover mode, single context.  I'll be migrating to multiple context mode later this week.  Do I need to break failover first?  Or if I don't need to, should I?  Or can I do this while maintaining failover?  Can either of these scenarios will work (or fail).  I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
Migration option #1
Log into active/primary ASA
Configure Multiple Context mode
Reboot both devices
Login to active/primary ASA


View 1 Replies View Related

Cisco Firewall :: Migrate Standby ASA 5540 To Backup Data Center?

Oct 11, 2012

We have backup data center where I am now  planning to provide backup internet service ( in the case where there is internet down or power outage at main server room) . I have a pair of Cisco ASA's 5540, one of which I need to move to backup data center ( BDC), Presently I have ADSL router at disaster serve room with static public IP from ISP.

Currently, I am publishing all my internal resources through ASA. Now my questions, if I move Standby ASA to Disaster Server Room. How I can publish the same internal resources through standby ASA and make it standby as active during the down time of main server room

View 6 Replies View Related

Cisco VPN :: Configure IPsec Stateful Failover On 891?

Sep 15, 2011

We have purchased a couple of Cisco 891 routers - both are running IOS 15.0(1) M5 licensed with advanced IP services (default). The literature for these devices on Cisco's website claims they support IPsec stateful failover on advanced IP services.
Our intention is to configure them with HSRP and IPsec stateful failover to provide a highly-available default gateway and VPN end-point.
I have configured HSRP and that seems to work fine. My problem is that I cannot configure IPsec stateful failover. The documentation that I have found implies that I need to configure inter-device redundancy on a particular HSRP group and use the physical IP addresses on the interfaces within that group to allow stateful failover communication between the routers however the routers do not recognise the 'redundancy' command in config mode...
(config)# redundancy inter-device
% Invalid input detected at '^' marker.

View 5 Replies View Related

Cisco VPN :: Configuring Stateful Failover Between Two 3845 Routers?

Aug 6, 2012

I have an issue with configuring the VPN Stateful failover between two cisco routers 3845. The stateful HA is not up.
Below is the topology
Configuration on HA-1
interface GigabitEthernet0/0
  ip address
ip accounting output-packets
duplex auto
speed auto


View 1 Replies View Related

Cisco VPN :: HSRP IPSec Stateful Failover On 2800 Platform

Mar 26, 2012

I have 2 C2811 ISRs runnning c2800nm-advsecurityk9-mz.124-15.T17.bin and having on board: 1 Virtual Private Network (VPN) it possible to enable IPSec stateful failover (or switchover, SSO) between these boxes? I get different infos from Cisco sources. url...All commands were accepted, but failover doesn't seem to be statefull (I loose connection for few seconds and VPNs are reestabilishing)

View 5 Replies View Related

Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using ASA-5520-K9 with  ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.

View 1 Replies View Related

Cisco Firewall :: Upgrade From 5505 To 5520 On Network - ASA Firewall Throughput

Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?

View 1 Replies View Related

Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citric Published

Jul 26, 2012

We are using the newest release of AD Agent (, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.

View 17 Replies View Related

Cisco Firewall :: Launch LAND Attack Against Firewall ASA 5520

Apr 15, 2013

I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.

View 1 Replies View Related

Cisco Firewall :: 5520 Single Firewall With 2 Core Switches

Jan 4, 2012

Two different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.

View 8 Replies View Related

Cisco Firewall :: ASA 5520 - NTP Server For Firewall Clock Setting

May 22, 2013

I have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
Can I use the following command to set ntp server?
ntp server source outside.

View 3 Replies View Related

Cisco Firewall :: Make Communication Between 2 Vlans On Firewall 5520 ASA 8.2

Jan 1, 2012

communication between 2 vlans.i have 2 vlans
Vlan 100
ip add
Vlan 200
ip add 
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Corporate Firewall Crash

Feb 27, 2011

I have a serious problem with my corporate firewall, witch is an ASA 5520, fv 8.3, with 8 +1 interfaces. It suddenly started to crash every 10/20 minutes and rebooting alone.
First of all I checked system resources witch are in a very low usage state. I also checked interfaces errors, but nothing strange come out o from error counters analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.
Nothing changed and firewall continue restarting by itself.
Last logs I received before crash were:
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =   0x084A619E  0x084A6512  0x084A70E1  0x084A7987  0x084A7AAA  0x08558B9B  0x08558E8A  0x083D3518  0x083CA145  0x080659D1  0x089196D9  0x08919790  0x089FF711  0x08A27468

Here the sh crash info command on module 0, after last reboot:
[Code] ......

View 12 Replies View Related

Cisco Firewall :: 5520 Firewall Management Port

Nov 29, 2011

we are having a firewall asa 5520 .we have connected the  management port and inside port to internal network and dmz port to dmz we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - NAT And Firewall Access Control

Oct 4, 2012

I have an ASA 5520 in my company which does all our NAT and Firewall access control.  Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created.  This is a test before the web app is released live.  Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through.  Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - VPN Traffic Is Getting Dropped Through Firewall

Apr 8, 2011

Our Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09    Local4.Info    %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE: to inside: duration 0:27:49 bytes 18653

View 1 Replies View Related

Cisco Firewall :: 5520 - Firewall Behind Two GLBP Routers

May 29, 2012

I have problem in the configuration of Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network--> Firewall --> Routers with GLBP with virtual ip address. the clients can not ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall, I checked the packet tracer it gives :
Phase: 7
Type: NAT
Result: DROP
nat (inside10,outside) source dynamic LAN interface
Additional Information:(code)

View 1 Replies View Related

Cisco Firewall :: Does ASA 5520 Have Layer 7 Firewall

Oct 24, 2012

Need to know if ASA  5520 does Layer 7 firewall or  not?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 (Ver 8.2) - HTTP Behind Firewall

Jan 26, 2012

Two days ago, we changed our old 525 with asa 5520 ( ver 8.2 ). Configuration is the same, except the version. It even retains the same global interface and static public ip address as the old device.All worked well during that period.
Yesterday, one of the http applications , not tested other day, was found not to be working. To test, we switched back to the old 525 , however nothing was working when we did that.

View 5 Replies View Related

Cisco :: Migrate From WCS To Prime NCS

Mar 12, 2012

Is there anyway to migrate off of WCS to Prime NCS? We have a fully built WCS system with maps and all configs and was wondering if there was a way to restore to NCS.

View 1 Replies View Related

Copyrights 2005-15, All rights reserved