I have got a working 5505 running 8.3.1 firmware and 6.3.1 ASDM. I have now purchased a second unit and ensured that both units are running the same firmware levels etc.
I have, via the ASDM, created a backup of the working unit's configuration, and now I want to load this configuration onto the second unit. I have connected the console cable up to the second unit and tried pasting in the contents of the configuration file but no joy. I want to ensure that my configuration will work on this unit before I configure the two units in Active/Passive configuration.
I save the configuration in the ASA 5505 using write memory or using copy run start, but when I unplug the power cord and plug it back in, the ASA gets its factory default configuration. Then what I do is a copy start run to get the configuration active.
I used my Pix config to set up the ASA 5505. Everything seems to be right. I used ASDM to view settings and it seems right. I am missing something minor, but I am going blind looking at it.
I can remote into the network from outside, but internally I cannot get out of network. No internet or email is passing through.
I'm having some issues configuring NAT statements on my ASA5505 which has recently been upgraded to 8.41.
I have a single dynamic IP on the outside interface of the ASA and would like all internal hosts to NAT/PAT to it. In addition, I would like to have several ports 'forwarded' to internal hosts, one of which is TCP/4343. With the current configuration all hosts are NATing to the external interface properly but the service running on TCP/4343 is not accessible from the outside. See command output below:
"sh run object" output:
object network DrJones
 host 10.81.220.90
object network LAN-10.81.220.0
 subnet 10.81.220.0 255.255.255.0

"sh run nat" output:
object network DrJones
 nat (inside,outside) static interface service tcp 4343 4343
object network LAN-10.81.220.0
 nat (inside,outside) dynamic interface

"sh run access-list" output:
access-list inside_access_in extended permit ip 10.81.220.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq 4343

I have an ASA 5505 that I test with which originally came with the Security Plus license. I recently erased flash and loaded the latest asa841-k8.bin version of IOS along with asdm-642.bin. Everything booted fine and came up as it does when freshly wiped; however, I noticed that I was now only running a base license. If I issue the sh activation-key command, I notice the following messages (full output is at the bottom):
The Running Activation Key is not valid, using default setting ...... This platform has a Base license. ...... Failed to retrieve flash permanent activation key
Did I somehow kill my Security Plus licensing when I did the erase flash? If so how do I recover it?
ciscoasa# sh activation-key
Serial Number: JMXXXXXXHU
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
[code]...
This platform has a Base license.
Failed to retrieve flash permanent activation key.
The flash permanent activation key is the SAME as the running permanent key.
We are in the process of upgrading Cisco LMS 3.2 to Cisco Prime 4.2. While restoring the database, we are getting attached msg. We tried by removing security policies from folder but still the error is same.
Can I check I've understood the ACS backup and restoration procedure? A backup run from exec as "backup <filename> repository <repository name>" is the same command run automatically by "System Administrator -> Scheduled Backups" in the GUI, just scheduled for me... That backup is enough to completely restore ACS to its state at the time of the backup, including ACS config (Users, Devices, NDGs, etc.) and the View database (reports, historical data, etc.) It's entirely separate from the backups ACS View makes as part of its purging action. (I only need those if I want to go way back in time, I don't need them to restore a functioning ACS with the recent reports and logs.) If I still have a working ACS left after the primary dies, is it not just easier to promote the survivor to primary and then add the replacement in as a secondary and let replication restore the configs? Perhaps re-promote the new box to primary afterwards?
I think I understand purging in ACS5 now: Purging occurs when the database either gets too large or when data is too old (up to 12 months, although I assume you can leave the setting blank and no age related purging takes place?) Data is purged by making incremental backups and deleting the backed up data from the local database until the size/age pressure is relieved. So, my question is, how do I later look at the purged data? If I suddenly need to look at logs from last year what am I supposed to do? If I restore it surely I'm just going to go over the size limit again and it'll just get purged, no?
I'm trying to restore backup after upgrading Cisco Prime v4.1 to v4.2. However, getting the following error in the log. [code] The log shows the error is a continuous one and I'm afraid it may be a loop. Currently my restore progress is stuck at 70% RME restoration. [code]
I tried to restore a backup from LMS3.2.1 (Windows) to the LMS4.2 virtual appliance. Once the backup is completed, the home page takes forever to load. I opened a TAC case, and the only way out seems to be configuring from scratch after importing the devices. I imported the devices and this didn't cause any problem. But making the configuration from scratch is something I would like to avoid if possible.
Creating an image is almost always a success. However, when restoring, sometimes the process gets stuck somewhere (the client reboots prematurely if that happens) and more than often the clients can't boot into Windows anymore. All clients have the exact same hardware. Now I know the image can't be the problem, as I've restored this exact image to a client two days ago and it booted perfectly fine. Everything worked. I tried to image two clients at the same time. The first thing I noticed was that the method used was NFS and not UDPCAST, which it should be. Now I know it wasn't using multicast because the imaging went asynchronous.
I've run into an interesting problem trying to migrate my production config from my redundant ACE20's (A2(3.4)) to the new ACE30's (tried A4(1.0) and A5(1.0)). Everything on the ACE30 is working fine with a base config, but when the restore all is run from the ACE20 backup (backup all), the SSL files are not restored and return errors. All the contexts are restored correctly, along with the startup-config, but the running config fails due to no SSL.
All the crypto certs/keys are exportable and are present in the backup .tgz file.
Our client (a webhost, they have a lot of servers) has an older Cisco Pix; everything works fine with the PIX. They have a Cisco ASA 5500 with ASA version 8.3 to replace the PIX. Upon migrating the PIX config to the ASA we are running into issues with Dynamic NAT. The static NAT entries are working flawlessly (there are a lot of them); however, when Dynamic is enabled for the remaining hosts, outside communication works then drops off. The remaining hosts need outside access for updates. We have access lists set up but I don't see how that could cause a problem when the original ACLs were working fine with the PIX; they have not been altered.
The NAT config may be wrong or cluttered, have a look at the full NAT config.
The static NAT addressing is the same, example 207.11.129.65 will equal 10.10.10.65
I saw that we can secure RIPv2 via authentication (simple and MD5). I understand that simple is not quite secure because we can see the plain text when capturing RIP packets.
However, even with MD5 I can see the authentication data (output of MD5), and I think a hacker can copy it and paste it into a RIP packet that he will generate, isn't it? So how secure is MD5?
I have an ASA 5505 that has two inside security level 100 interfaces and an outside interface. On the inside interface we have a corporate domain subnet with a DC and 30 hosts. On the inside2 interface I have a few servers that run a specific application important for our business needs, and dumb terminals that are connected to them. I have a laptop user that periodically needs access from our corporate vlan1 to one of the servers on inside 2 vlan via remote desktop or some other remote viewer client, so he can view reports etc. I have enabled the same-security-traffic intra-interface command and added a nat exempt command pointing the specific laptop host machine to that specific server.
Now my main concern is regarding security. This user carries his laptop home, browses the web, puts in USB memory, and you can imagine how this machine is susceptible to all kinds of malicious software. Inside2 vlan is very important and until now it has been a very secure environment. This is no longer the case since all traffic between this inside sec level 100 vlan host and corresponding inside2 sec level 100 server is now allowed because of the enabled same level interface traffic and nat exemption rule. Do I have another solution that would allow communication based on just a TCP port number for this host? Something like port forwarding from outside to inside Vlan interface?
I have an ASA 5505 adaptive security plus, and I have only 3 VLANs: outside, inside, DMZ restricted. So it's working fine, but I want to connect another private network to my inside, or do I need to buy a license? And how can I activate the license key?
I am trying to configure my Cisco ASA 5505 for remote access VPN, and I encounter the following issue: Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding. [code]
I have had the ASA 5505 set up for over 5 years, no problems. For some reason there is one website that my users cannot access. [url].... (173.161.122.9). Why is it being blocked?
I still can't access ASDM. I deleted the old ASDM versions and upgraded to ASDM 7.1(1)52 which shows compatible with ASA 8.2(1). I'm on an inside NAT address connected to Eth 0/5, 192.168.1.5/24. I can ping and SSH to the FW but no ASDM. Following is passing traffic and everything else works just fine.
JEREMY-ASA# show ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 7.1(1)52
JEREMY-ASA# show run asdm
asdm image disk0:/asdm-711-52.bin
no asdm history enable
[Code]...
I am new to networking and configuring an ASA 5505. I have one public IP and would like to know if I can NAT this IP to 2 private IP addresses. Both addresses will be passing similar traffic.
I was given a 510 PIX Ver 6.3(1) to reconfigure but have no information on the existing configuration and need to wipe it clean and start over. How can I do this to get back to the factory default settings? I have tried the "monitor>" but I don't know the IP address of the PIX interface and am not sure how to do the setup for recovering the password.
We have had an ASA5505 for close to two years. About a year ago, we added a second ISP ("BOB") which became our primary and our old one (SBC) became our backup. I successfully modified the config for this and it's been working well.
Now we're changing our primary ISP to Comcast and getting rid of BOB, so right now we actually have 3 ISPs coming into our building.
I removed the BOB interface and routes, then added an interface for Comcast using an IP address from the range they provided as well as a static route to the gateway they provided - everything is analogous to the previous interfaces and routes, but it doesn't work. If I physically disconnect the Ethernet cable going to the Comcast cable modem, then the ASA does fail back to the SBC interface as expected. If I put the BOB interface & route back in there, it works again through BOB.
If I connect a PC to the Comcast cable modem and use an IP/Gateway they provided, the Internet connection *does* work. Using this same exact IP info in the ASA doesn't work.
Is there some other configuration item besides interfaces and static routes that I should be modifying? Is there some way I can dig deeper into the ASA to see exactly what is failing?
I have an ASA5520. I am copying the configuration from PIX to ASA5520 (7.2). Everything is working fine, but the problem is that after some time my DMZ interface is losing connectivity ...
I just upgraded to an E3000 from a WRT54G and I am having some issues with network speed. I have no special settings and have even tried restoring factory defaults and upgrading to the latest firmware to no avail. The time I notice the biggest hit is when transferring files locally on the network (WiFi and LAN). Let me note that I do know the difference between MB/s & Mb/s and the like. I have Comcast 20Mb/s Down, 1.5Mb/s Up (just a FYI, the main issue is local transfers).
With default settings my laptop (ASUS N82JQ, Atheros AR9285 Wireless Network Adapter) connects to the router at only 65Mb/s (with full signal). Upload seems to be more decent, ~600KB/s (transferring files from wireless n laptop to the gigabit desktop). Download seems to be limited to ~150KB/s (copying files from the wired gigabit desktop to the wireless n laptop). These speeds are horrible! ~5hrs to transfer 3GB of data!
One of my laptops had a card that was capable of both 2.4 & 5GHz and I was previously getting ~2000-5000KB/s (2-5MB/s) transfers with this router (but I had to do a system restore on it and reset the router). My ASUS laptop seems to only work with 2.4GHz though. If I change the 2.4GHz Wireless settings on the router to "Auto(20MHz or 40MHz)" the laptop will connect at 150Mb/s, but the speeds are the same slow speeds as above.
How can I achieve this? I am obviously a novice Cisco user and really fight my way around. I just want to grant access to a vendor to connect to his VPN. What ports need to be opened and what else do I need to do?