I have a large quantity of ASA5520's and ASA5540's that need to be quickly assessed and RTV'd (if need be) if they are found to be upgraded ASA5510's.
My concern is because of this recent release-note by Cisco: [URL]
Is there a way to check the amount of DIMM slots on a unit through console or do I have to physically check each and every one?
how can i check the memory chips in the DIMM slots on a Cisco 2800 router ,my intention is I need to upgrade the IOS on the router for which I need to upgrade the DRAM and flash. Any CLI command available for the same ,as it is not very feasible to open the remote routers to check the DIMM configuration.
View 1 Replies View RelatedDoes any one advise the current ASA 5510 is going to EOS ?
View 1 Replies View RelatedUsing any computer and AnyConnect, I can connect to our network via ASA5500. But when I use Cius or iPAD, I always get a No License error message.
View 3 Replies View RelatedASA-5510, inside, outside, and some DMZ.Some services published with Static NAT - no problem.Now we need to add a second outside connection, with a second provider.Internet navigation only through the first provider (default gateway to the provider router "A").I need to publish some services ALSO through the second provider, ensuring the accessibility of both public IP addresses.I can set up the second NAT on the second interface, but the answer is ONLY to the first IP (the ISP "A", where I have the default gateway).By Cisco manual, it seems that there is a "lookup route" automatic with the return route of NAT, but it does not work.
View 6 Replies View RelatedShould we active IPS feature in ASA 5500-x by useing license?in the 5500-x ordering guide:IPS is only sold as ASA-IPS combo SKUs i.e., one cannot add IPS service as an option on top of ASA SKU. For example, if IPS service is desired on ASA 5515-X appliance, the relevant SKU is ASA5515-IPS-K8 or ASA5515-IPS-K9.But my customer has actived it by using the ASA5525-IPS-SSP on ASA5525-K9.
View 2 Replies View RelatedRecently i have configured ASA5550 with 2 Contexts in Transparent mode. Traffic can pass through a single Firewall context but through both contexts it couldn't.
View 0 Replies View RelatedI would like to schedule automatic backups of our ASA5500's OoO-hours:
1. SSH from secure server and create _FULL_ backup - what would be the CLI command(s) ?
2. SCP from secure server and retreive file(s) - what is the location of the file(s) ?
It's a problem about access ASA5500 Firewall mangement port. The customer request access ASA5500 by entering the default IP address https://192.168.1.1 to monitor data tracffic in Windows 7. But after entering the default IP in IE, no any page appear.
But that way can access ASA5500 magement port successfully in Windows XP. What the different between Windows 7 and Windows XP? Is there any way or any patch can access ASA5500 manemeng port in Windows 7?
I was wondering if it is needed to license the IPsec VPN clients in the ASA5500 firewalls...I know that you have license the SSL VPN peers (AnyConnect). I am almost sure that for the IPsec you don't have to.
View 1 Replies View RelatedI am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface recieves its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to ssh port on internal host.
#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
[Code]...
I would like to know about asa 5500-x. Does it supports application visibility and granular control for different applications. Moreover bandwidth control based on different users and different applications
View 1 Replies View RelatedWe have ASA5500's deployed for remote access concentration.We use Cisco IPsec vpn client with a group policy the chacks for Network ICE BlackIce ersonal firewall.The powers-that-be wish to change to McAfee presonal Firewall ok..Now the Group Policy allows you to check for several pre- configured Firewalls, Cisco Integrated, Sygate, Zone Labs etc.So as McAfee are no listed then I am to assume we go for "Custom Firewall" and this is where I am struggling.To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID.McAfee haven't the faintest idea what we're talking about when we ask them for these details.Or is there a way to extract them from the registry of a machine with the McAfee product installed?
View 3 Replies View RelatedI'm a little confused about doing a translation using static identitiy NAT.I have a prorietary router that I would like to move behind my firewall (ASA 8.2x). Right now it runs in parallel with my router from a DMZ switch. I have change ISPs and the location the connection comes into my building so this confiugration is less than desirable.The vendor requires a static public address. So I am hoping/assuming a regular NAT statement of:
static (Inside,Outside) 72.12.206.211 192.168.1.xx netmask 255.255.255.255 .will work since the routers inside interface connectes to my inside LAN network anyway.
However, if they insist on having a Non-Nat'ed Public IP how do you do that? I have researched Static Identity NAT that shows the following: 72.12. 206. 211 (outside) FW (inside) 72.12.206.211
and they show a static statement of static (Outside,Inside) 72.12.206.211 72.12.206.211 netmask 255.255.255.255.How do you set up the nat statements for this configuration? Do you assigne the "external" IP address to the router even though it is behind the firewall (which is what I am asuming).
I have a 2811 with 512 of memory installed (two by 256). The router has been sitting spare for sometime and I know there was once a memory problem with it long ago. It has two 256M Non ECC DIMMs installed and seems to work fine. I recently tried to install a 512M DIMM ECC and all I get is 'Unsupported DIMM" error - same if I remove the other 256M DIMM leaving just the 512M. I have tried three different DIMMs - and all have the same error message. One of the DIMMs is 'cisco supported' and based on what I can find in the web - seems to be the correct spec. I have also tried non ECC 512 DIMM and 'unsupported DIMM" error message is still coming up. If I did not know better, I would say that there was something that needed changing in the config to allow 512M DIMMs to be installed.
View 6 Replies View RelatedI have a pair of ASA 5540 running 8.4 code. The firewall set has about 4500 rules. I am tasked to identify all unused/idel/inactive rules in the past 3 months.
View 2 Replies View RelatedI have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:I have 3 domains.
[URL]
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.The cisco documentation states the following:•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.Reading that it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).
Two different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
View 8 Replies View RelatedNew to the ASA 5505 8.4 software version, but here is what I'm trying to do:
-Single static public IP: 16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]
My onboard eithernet quit working so I got PCI slot 1 and it doesnt work either I have 3 slots and none work. The pc won't even acknowledge that they are pluged in, but the lights on the card are flashing. Had it working once but when I moved it to my desk and booted it up nothing worked again. The PC will boot and run fine but no web. Clean install of XP and all is the same!
View 1 Replies View Relatedinternet on tv which has no Ethernet slot
View 3 Replies View RelatedWe have an ASA5510 running version 8.25. This is in our central office in London. The London network has an ip address range of 10.110.128.0/22. Connected to this via a site-to-site VPN we have a satellite office that has an IP address range of 172.16.148.0/22.
We have now connected to our parent company via another site-to-site VPN connected to the same ASA5510. Their network has an internal range of 10.110.18.0/24. It was our parent company that issued us with our range of addresses a long while ago so that it all fits in with the rest of the company.
We have resources (web servers) on their network that we use which work just as it all should. We now want to allow our satellite office to view those same web servers. The problem is that only 10.110 addresses can flow to our parent company.
I have configured the firewall at our central office and our satellite office to route across to our parent company via our network network and the packets are flowing just fine except that obviously once they reach our firewall they cannot go to our parent company because the 172.16.148 range cannot be routed there.
My idea is to NAT traffic from our satellite office to one of our local addresses before it goes over to our parent company network.
For example: If someone in our satellite office with an IP address of 172.16.150.5 attempts to request a resource from 10.110.18.12 then the request would go via the VPN to our firewall and then get NATed to 10.110.131.200 before being passed on to our parent company network.
My question is what would the NAT configuration be to achieve this. I just cannot work out what type of NAT I would need or how to construct the command. It's probably PAT as it will be multiple addresses to a single address. Essentialy, all traffic from 172.16.148.0/22 destined for 10.110.18.0/24 should get NATed at our firewall to 10.110.131.200 before being passed on.
Just to add, we already have this working from our Cisco 3000 Concentrator which is now going to be phased out hence trying to get this to work on our ASA. The satellite office has now been moved to the ASA and as of today our parent company has been moved to the ASA.
I'm trying to learn a little about Cisco router setup, since I'm fairly well versed in configuration. I have an 1841 w/ K9 that I'd like to set up as a WAN Router to hot swap if one of ours goes down. I installed a VWIC2-1MFT-T1/E1 MultiFlex card in Slot 1 of the router.
Currently, if I run a "show diag", the VWIC2-1MFT-T1/E1 shows up in Slot 1 but in the configuration I can't see it or configure it. Am I missing an enable or something? I thought I had to declare card type but I can only do that on the existing card, the router doesn't seem to recognize that the card is there in any place other than "show diag".
I have some technical consultations that I would like to know which would be a better implementation.
I am seeking for clarifications whether putting VPN and firewall in a single software or separating both into separate software.
I have a private network behind a configured Cisco ASA 5510. I need to send data back and forth between a server on the inside network and a device on the outside network on port 44818. No amount of configuration is allowing this to happen. The packet tracer always fails on of the implicity "deny" rules, even though my other rule should explicitly permit it. I also realize I need to set up routing from my outside network to the inside network, but I cannot see from the documentation how to do that on this particular port without simultaneously breaking my outside connection.
The inside IP for the ASA is 192.168.25.1
The outside IP for the ASA 192.168.11.54
Here is my current configuration:
: Saved
: Written by enable_15 at 08:49:25.956 UTC Thu Feb 2 2012
!
ASA Version 8.2(5)
[Code]....
I have a Cisco ASA 5520 that I'd like to be able to connect directly to our gigabit fiber connection (we're currently connected through a media converter that's causing problems). I've found the following:Cisco ASA 5500 Series 4 Port Gigabit Ethernet Security Services Module [URL]. I only need a single fiber connection, as opposed to the 4 copper + 4 fiber.
View 1 Replies View RelatedIs there a way to forward a single port, while leaving the others alone? For instance I want to forward all https traffic on a public IP to an internal server on port 4443. At the same time traffic on all other ports for this IP needs to be forwarded on the original port. It looks like creating a Network Object will allow a single port to be forwarded, but what happens to the remaining traffic? I attempted to create Service Objects that I then assigned to NAT statements.
View 5 Replies View RelatedI am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall. The checkpoint firewall has 8 physical interface so the ASA 5510 also support physical 8 interfaces so thiw will be a one-to-one swap. At the moment, I don't have an ASA 5510 to test my theory so I am going to throw it out here. The checkpoint firewall is a SPLAT running on an powerfull IBM Server with 8 CPU dual cores with 32GB of RAM and it has 1200 rules with over 120,000 objects with some of the crazy NATs but it works so we will just leave it at that. There are not that much traffics going across the firewall so there are no need to put in an ASA 5585
I use the cisco conversion tool to do the policy conversion from Checkpoint to Cisco, I get about 1.5 million lines in the configuration. A lot of it has to do with Checkpoint having no concept of interface security level while ASA does. I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment. The customer goal is that at the time when cutover from Checkpoint to Cisco ASA, they want everything to be perfect, meaning that it will work like magic.
My question is that can the ASA 5510 handle 1.5 million lines of configuration? Are there any limitations on this? I know there are limitations with FWSM but since I don't have an 5510 to test.
I would like to know if there is a way to apply in the Cisco asa 5510 traffic shaping not for a interface but a single IP address.For example i would like to limit the bandwith for the IP address of my FTP server.
View 4 Replies View Relatedwe are trying to use the SD Card Slot on an Cisco ME3600X (ME-3600X-24FS-M) IOS Version 15.2(4)S2. If i try to copy a file from the sd card slot to the flash there is no Option like "slot0:" or something alse and no syslog message appers while adding the SD Card.
View 5 Replies View RelatedCurrently using a CSS1506 for our reverse proxy SSL.I have a couple of questions
1 - Does the 11506 use an internal disk as well as the one in slot 0 ?
2 - I have a spare mem card in slot1, how can I copy all of the required boot files etc to slot 1 in case of a card failure in slot 0?
My laptop does not have a standard telepone line connecting socket. Is it possible to use a converter plug to use the boardband socket instaed?
View 2 Replies View Related