Cisco Security :: Can Add SSM-4GE Module In ASA5540-AIP40-K8 Firewall
Dec 11, 2011
I have requirement received from one of my customer. the part number given as ASA5540-AIP40-K8, same time requesting for addition of another 4Port GE Module (i believe its SSM-4GE Module). Is any option to add this module in to the above specified model (ASA5540-AIP40-K8).
As per my understanding the ASA5540 have the option to add 1 additional module only, so if we AIP-SSM module, we don't have any free slot left with to add another SSM-4GE Module in the firewall.
i am not getting even the option to add SSM-4GE in the ASA5540-AIP40-K8
One of my client want to upgrade its already installed ASA5540-bun-k9 by adding CSC-20 Module. As per below link CSC-20 is supported with ASA5540. but for any reason the ASA5540 bundle option with CSC Module is not available that create confusion.Will CSC-20 Module work with ASA5540-bun-k9 [URL]
I run a website for a local football team using Serif Webplus X6. On uploading the weekly updates of the site the process seems ok for a few minutes with progress bars showing uploading of files but then it all stops and I have to reset my wireless network adaptor 1703 and it continues but I can't just leave it to work on its own. Device manager says that the drivers are up to date but I'm fed up with having to nurse the adaptor. This didn't happen with previous computers.
Why packets overrun are incrementing on the ASA even when I've only 40Mbps of throughput traffic?All interface are 1000- Full Duplex, both on ASA and on Catalyst3750.I've test the ASA5540 generating GET HTTP, about 40Mbit of traffic.When I use one ingress interface and one egress interface, interface input overrun counter is zero.When I use the same traffic with 3 ingress interfaces(slot0) and 3 egress interfaces(slot1), interface input overrun counter increase(60k overrun in only 2 minutes).
Using AnyConnect Secure Mobility Client, logging into ASA5540. After I put my credentials in, I get the banner message (from group policies). After I accept that, I get another pop message stating:It looks like a pre-set message. Where can I disable and/or edit this message?
I am configuring an ASA5540 firewall for a client, only difference to usual being that it is to run in Transparent mode. I have looked through for an EAL4 transparent firewall config guide but found nothing and therefore assumed that the usual one would be used.The clients security bod has now come back and insisted MAC filtering should be used but I can find no reference of this anywhere. Does MAC filtering is required to make a transparent box EAL4 compliant and if so where I can find documentation supporting this?
I had a working vpn configuration between a local and a remote router; the remote router is not under my administration.Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.
I have an ASA- 5585X (v.8.2.4) directly connected to an upstream 6509, which is running EIGRP. I configured the ASA for EIGRP with same AS# and network numbers and no auto-summary. Here are the log messages I got:
Mar 8 15:11:08: %PIM-5-NBRCHG: neighbor 184.108.40.206 UP on interface Vlan150 (vrf default) Mar 8 15:11:08: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 220.127.116.11 on interface Vlan150 (vrf default) Mar 8 15:11:11: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 18.104.22.168 (Vlan150) isup: new adjacencyMar 8 16:16:08: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 22.214.171.124 (Vlan150) isup: new adjacency Mar 8 16:18:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 126.96.36.199 (Vlan150) is down: K-value mismatch
I lost my SSH connection to the upstream 6509 and couldn't get it back. Luckily I didn't lose my ASDM connection to the ASA, so I disabled EIGRP and went to look at the logs on the 6509.
What causes a K-value mismatch, and how to I rectify the situation?
I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.However, the standby ip of this firewall is not point to the secondary firewall and vice versa for the primary firewall. [code]
1) May i know how is this configuration valid in the first place? I have checked through the configuration. None of the configuration is related to this ip address.
2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?
3) We tried to use this ip address but cannot be used ? Is it related to the configuration of the standby ip address.Do note that the ping to this ip address x.x.x.120 is unreachable.
i have two CAT3750 need to place in L3, and it supposed that used as L3 switches by SVI for L2 routing, and I want to these two configured as redundancy by HSRP. but now I can only have one ASA5540 to connects these of L3 switches.
so, here is my questions:
1. does ASA5540 support multi vlan?
2. does it support spanning tree protocol?
3. if I've choiced to use trunking between two L3 switches, does it can pass through HSRP hello msg?
Windows IIS server configured behind a Cisco ASA 5540 listening on port 443 currently. Access-list and static translation configured. I have been ask to redirect all port 80 calls to port 443 for this web site only at the firewall. I have suggested moving it behind our content switch with negative results. Can we do this at the firewall level? how to accomplish the redirect for a single site. 8.2.4 is current code
I upgraded our ASA5540 to 8.4, THEN noted the increased requirements for Memory. I purchased the 2Gig upgrade, but when installing in the Primary unit today, noted that there were 4 slots. Slots 1/3 had 512Mb modules, so I installed the 2 x 1Gig modules in slots 2/4.
The ASA5540 came up clean, and it "sees" the entire 3Gig of memory.
My question: Is this a SUPPORTED configuration? All documentation I have read only mentions 2Gig of memory. Also, If I had FOUR x 1Gig memory modules, would the ASA5540 support the 4Gigs of memory?
We have ASA 5540 with 8.2 SW. We are trying to download a file (3 MB pdf) from https session which fails if done behind the firewall. In case, the client bypasses firewall, the file gets downloaded as usuall. Interesting thing here to note is that when client is behind the firewall, its takes a long time to download the file and the file size always 312 Bytes, of course its a corrupt file.
I am migrating firewall fortinet to ASA5540 with inside (192.0.0.0/24), dmz (192.168.0.0/24), and outside (x.x.x.x), but the users of inside network gain access to the aplication for two ways: the first way is trough routing between inside and dmz, for example 188.8.131.52 to 192.168.0.20, and the another way is trough static nat between inside and dmz for example 184.108.40.206 to 220.127.116.11 (192.168.0.20 static nat). Is posible in Cisco configure that? because when i configure only firewall route the first way is OK, but when i add the second way only nat is work!
I have an inside network using PAT to one outside address. Our DNS server is on another local, but outside address. I can't get the inside network to successfully get addresses.I have another inside address that just uses the wirewall and gets addresses just fine from the same server.I have the box checked in ASDN that enables DHCP on the inside interface and points to the correct DHCP server,PAT service is working properly if I use a hard coded address for a machine on the inside network.This is an ASA5540 with 8.3(2)
My Expertise with Cisco ASA is Very less. I have observed Input errors in a Couple of Interfaces in Cisco ASA 5540 Firewall. [code] I need to Clear the Input errors on this particular Interface.Will Clear interface GigabitEthernet 0/0 will work?
I am attempting to FTP to a remote site through a IPSEC tunnel.When I am transfering large files the ASA5540 is showing syslog errors stating "connection timeout". What I think is happening is after about 1 hour the firewall is closing the connection control port for the FTP session and neither end is notified so eventually the transfer is stopped.What do I need to modify in the FW to accommodate these larger files?
I have Cisco ASA 5510 with CSC-SSM-10. ASA anti-virus service can not update the Base and Plus lisense. No Activation Code required for renewal. I go to "Administration> Product License" in the CSC SSM console and click "Check Status Online" to get the latest expiration date.In the module on the Check Status Online has reported the following error when: Base License status could not be checked because of a license server failure. "Please try again later", "Plus License status could not be checked because of a license server failure. Please try again later". UPDATE manual virus database can be seen in the latest available version, can not be upgraded because the service expired.
We need Solution for disabling Anti-Replay on the Firewall for a specific tunnel. ASA 8.4(2) ) does not support disabling Anti-Replay on specific Ipsec tunnel , is it true , then if we want to disable Anti-replay , what we have to do in ASA5540 .
I have a ASA5540 firewall set-up with an interface MTU of 1500.
I suspect that we are receiving packets with a larger MTU but have not found an easy way of confirming this. Any command that can be run on the firewall to display the MTU packet size being received on an interface?
We are also running Solar Winds so could query an OID if such a variable exists.
what´s going on with an asa540 configure in multiple-context mode. I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
CISCOASA/CONTEXTA# JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
If I try to ping returns the same error:
CISCOASA/CONTEXTA# JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
Following attached the conf of my asa My question is Why I can´t ping or even use snmp ?
how can i discover product actual part number from the device through console.I have a bought a cisco ASA5540-AIP20-K9 and i want to check either is the product is shipped us as a right product.And i want to check total BoM requriements from entering the ASA console through any CLI Command.Below My Cisco ASA BoM which i purchased.
ASA5540-AIP20-K9ASA 5540 Appliance w/ AIP-SSM-20, SW, HA, 4GE+1FE, 3DES/AES1CAB-ACUAC Power Cord (UK), C13, BS 1363, 2.5m1SF-ASA-8.3-K8ASA 5500 Series Software v8.31SF-ASA-AIP-7.0-K9ASA 5500 Series AIP Sofware 7.0 for Security Service Modules1ASA-VPN-CLNT-K9Cisco VPN Client Software (Windows, Solaris, Linux, Mac)1Included: ASA5540-VPN-PRASA 5540 VPN Premium 5000 IPsec User License (7.0 Only)1Included: ASA5500-ENCR-K9ASA 5500 Strong Encryption License (3DES/AES)1Included: ASA-AIP-20-INC-K9ASA 5500 AIP Security Services Module-20 included w/ bundles1Included: ASA-180W-PWR-ACASA 180W AC Power Supply1Included: ASA-ANYCONN-CSD-K9ASA 5500 AnyConnect Client + Cisco Security Desktop Software1CON-SU1-AS4A20K9IPS SVC, AR NBD ASA5540 w AIP-SSM-20,4GE + 1FE,3DES/AES1
I installed a CSC-SSM-20 module on ASA 5510. After policy services have been enabled, services works well for a few minutes, after that the cpu usage's module rise to 100% and all http traffic is wholy blocked, till the cpu usage go down.This happens very frequently and traffic stay blocked for such a long time that it makes the csc-ssm module unusable. It's disabled right now. ASA version is 8.2(1)and CSC-Module version is 6.6.1172.0.
I have installed CSC-SSM-10 on cisco ASA 5520.I am facing two problems
1 : When I send traffic from ASA to SSM module then internet connection becomes slow and sometimes internet session disconnected. 2. When I try to manual update then following erros shows please see attachment .
I have a 1941 that I am going to deploy with a HWIC-D-9ESW switch module (I only need 3 switch ports but need the PoE). I am going to hang a 1262 autonomous AP off one of the ports but I need to configure MAC address port-security so that only that AP can pass traffic. I know the switch modules are 'almost' exactly like a switch for commands but I can't seem to enable or configure any port-security settings. Is port-security no available on the switch modules?
I have a couple of ASA 5510 firewalls configured and working. I'm now charged with configuring the IPS modules. I'm having to do this remotely. Since the IPS module hasn't been configured I'm guessing it's on 192.168.1.2 with the default username/password.
I'm told that the workstation I access from connects through a switch to the ASA and to the IPS.
I've set the ASA management port to 192.168.1.1. I can't ping 192.168.1.2 - not sure I'm supposed to be able to. In the ASDM, Configure IPS prompts for an IP address. Entering 192.168.1.2 returns "IP address of the management port is unreachable".