I have recently upgraded a customer ASA5510 to version 8.3.
After upgrade web access etc is working fine however VPN is down. The config looks very different after the upgrade plus what looks to be duplicate entries.
I suspect its an access list issue but I'm not sure.
hostname ciscoasa
domain-name default.domain.invalid
enable password NvZgxFP5WhDo0hQl encrypted
[Code].....
I have an ASA5510 which was running version 8.31. SSH was working fine on version 8.31 but since i upgraded it to version 8.41 the SSH stopped working.
View 7 Replies View RelatedAn ASA5510 (with 1 webserver behind it, just starting to build the cluster) was functioning OK with version 8.2: I was able to log in using RDP to the server bhind it from some trusted IP's.
I updated ASDM to the latest version 6.4.7, and then the ASA-software to 8.3.2. After reloading, I could not access the server anymore. I saw that changes were made to the config. Then I updated to version 8.4.3, same results of course, and this is the config. [code]
we have ASA 5510 which we need to upgrade from 8.0(3) to 8.2.5. can we directly switch to 8.2.5 from 8.0(3) , if not what all versions we need to go from.
What all point needs to check before that following is show flash output.
97 14635008
Jan 01 2003 14:12:16 asa803-k8.bin 98 4096
May 14 2008 21:22:10 tmp 2 4096
Apr 20 2008 02:21:46 log 6 4096
Apr 20 2008 02:22:16 crypto_archive 99 6851212
[Code] .....
I am having ASA5510 firewall which has 1GB RAM currently. I want to upgrade to 2GB. When I opened the box, I can see only 1 slot to insert the RAM. I searched in Cisco website and I got to know that I need to use 2 x 1 GB RAM. So, I need to have 2 slots to do that. But, I am having only 1 slot in the box.
View 5 Replies View RelatedWe are about to upgrade our ASA's from 7.04 to 8.2. Obviously I will be opening a TAC case to assist with the upgrade and I will also be upgrading ASDM software at the same time. These production firewalls are paired with an active --> failover scenario and not active --> active. I had previously engaged cisco regarding the upgrade and they have recommended an upgrade path to ensure success. Also, I have a pair of test ASA's that I've gone through the upgrade process with - documenting the changes in commands and any changes in my config (I didn't notice any).So, the reason for my post is this: What are the gotcha's that you may have run into when upgrading your ASA's?These are fairly high visibility ASA's and any downtime due to the upgrade needs to be mitaged as much as possible.
View 1 Replies View RelatedUpgrade from firmware 8.21 5o 8.31? I am installing 1GB of memory in my ASA 5510 and in the process I have upgrade the firmware.
- Will the upgrade change my configuration or will I have to change this manually myself at some point
- What is the meaning of "Real IP" I am not sure what the means (reading up on it now)
- What else should I be concerned about during the upgrade?
i have a cisco ASA5510 FW using in my network .The present Flash Mem is 256 mb and want to upgrade to 512mb,
View 3 Replies View Relatedi have bought the below licenses for the ASA5510 to upgrade from 2 to 250 users and yet i can give access to 2 users only.
L-ASA-AC-M-5510=
L-ASA-AC-E-5510=
Kindly find attached the "show version"
We currently have a central hub using an ASA5510 and then a few site-to-site VPN connections to our support staff homes. The devices at the homes are Cisco routers. We were running version 8.25 on the ASA and all was working fine. We recently upgraded to version 8.42 and although all the functionality of the network is ok and it does what it should, our support staff cannot ping, ASDM or telnet to the ASA inside interface anymore whereas they could before the upgrade. The home VPNs all run on a 10.30 subnet (i.e. 10.30.1.x, 10.30.2.x etc etc). I can post our config (security edited of course), but it is quite a big config. The command management-access inside is specified and the 10.30.0.0/16 subnet is permitted to ASDM and Telnet. Are there any extra things that have to be done in version 8.42 to get this to work as the support staff do have to access the firewall for configuration purposes. At the moment, they have to telnet to one of the routers on the local LAN and then Telnet to the firewall from there.Prior to the upgrade, they were all able to ping the inside ASA interface and also telnet and HTTPS to it from their PCs at home. Now they cannot and the only change made was an upgrade to 8.42. Immediately after the upgrade none of them can ping the interface anymore and it seems it can only be accessed from the local LAN. I cannot find any access-lists that might be blocking the packets so can only assume it's something in the way 8.42 works.
View 8 Replies View RelatedI am a bit unclear as to the upgrade path I should take - I have 2 ASA 5510s in active/standby running 8.0(4)34 and would like to upgrade to 8.2.5. Do I need to first upgrade to 8.0.(5) before upgrading to 8.2.5, or can I just jump straight to 8.2.5?
View 4 Replies View RelatedI am using Cisco ASA5510 Firewall in my network. Upgraded the Memory and Flash to 1GB and 512MB.But the 5 interfaces ports are 10mbps.Can it possible to upgrade the module of Interfaceses from 10mb to 1gb?
View 2 Replies View RelatedCurrently my ASA5510 has a 64MB internal flash. Does the ASA require a higher capacity flash for an IOS upgrade from 7.2(x) to 8.2(x)? The Cisco Release Notes does not state any internal flash requirement, but just wanted to double check.
View 2 Replies View RelatedI tried last night to upgrade the memory in my old 5510. It's about 5 years old and has the single memory socket. I followed the instruction included in the kit:
Mfr. Part#: ASA5510-MEM-1GB
I did wear an ESD wrist strap (genuine Cisco at that!) and ensured the memory was fully seated, the handles locked in.Upon restarting the ASA, for over 15 minutes, it stayed in mode: Power LED steady, Status LED flashing, other LEDs off. No response to attempts to SSL via Putty. I powered it off, verified the memory was indeed fully seated, and re-installed the original 256 MB module. It powered up normally in less than 5 minutes. Is there anything else to try before returning the memory? Tonight, I can try the same new memoy module and see if it works.
[code] I would like to the ASA5510 Base license upgrade to Security Plus license. But after the upgrade is still the license of the Base.I think I was wrong option selected in the process of upgrading, how should I do to be successful upgrade
View 2 Replies View RelatedI have created a new DMZ and a LAN on my ASA5510.My Ethernet DMZ port is connected directly to a server (192.168.220.10) This server is able to get to the internet properly.Gateway ASA router: 192.168.220.222..My Ethernet LAN port is connected to a L3 switch, This L3 switch is connected to a server (192.168.210.11). This server is able to get to the internet properly.My issues is that I cannot communicate from my 192.168.210.11 server to my DMZ server 192.168.220.10. From my 192.168.210.11 server I can ping my gateway 192.168.210.1 and 192.168.210.222. But I cannot ping 192.168.220.222. [code]
View 7 Replies View Relatedi contact Cisco support. They told me that VPN between a Blackberry and ASA5000 is not supported. Today 14 fév 2013 they don't have any date on when Anyconnect for Blackberry will be available. So we cannot use a Z10 because exchange server is beind the ASA. Protected with the ASA. Apple and Android work well with the AnyConnect and certificat.URL
View 2 Replies View RelatedI have open my 25, 110, 80 port on my Server from local i can telnet all those via my private ip but from public ip its not responding.
2nd thing I can ping both ips of My server through private ip and through public ip.
I am trying to get an ASA5510 working in transparent mode, multi-context. I am on revision 8.2.5, so there are no bridge groups (those are enabled in 8.4). I first set it to transparent mode, then set it to multi-context mode. I am doing trunking through the Ethernet0/0 to Ethernet0/1, and have two vlans on subinterfaces of each interface. These interfaces are in the 2nd and 3rd contexts, and all trunking between vlans is working correctly in transparent mode.
But I can't telnet or ssh to the ASA itself.
I have an IP address on the inside vlan interface in each context, and can ping tthe IP in context 2 and context 3. There is an IP also in the admin context, but I am unable to ping this. I have tried putting it in the same vlan as the 2nd context, and putting it on the management interface, but since there is a global IP only in transparent mode, I don't think the management interface is used (even though it is in the admin contexts included interfaces).
Since I can't connect to the ASA, I can't easily get the running config to post it here, even though that would likely
To summarize:
- transparent mode
- multi-context
- trunking (dot1q) through Eth0/0 and Eth0/1, so each interface has four sub-interfaces, each in its own vlan
- these VLANs are in each of the contexts except the admin context
- the IP of each conext is able to be pinged, but can't telnet or ssh to it
- telnet and ssh are setup for allowing a /16 subnet range access, in each context
- access-list is setup for permit ip any any and permit icmp any any on the inside and outside interface of each context
- all thru-traffic is passing correctly, but can't manage the ASA other than sitting at the console of it
What I'm going to try now is putting the admin context into one of the vlans in the trunk and see if I can use it that way.
I not familiar with the ASA 5510 product. I having trouble since last 24 hours and still cant find out the root cause yet. Here is my scenario, my network should be
WAN --- ASA5510 (FW) --- SERVER (192.168.1.0/24)
Now I face the problem, all the NAT static 1-to-1 is working OK. All my public IP can be ping from outside internet. But the problem happen when I try to telnet to port 80 on each server. I had try telnet from my PC to public IP 124.xxx.179 80, it's work fine, but failed on 124.xxx.180 80, then on 124.xxx.181 80, its work fine.
Then I do try on my colleague PC, in same network as mine, I face another case where the public IP 124.xxx.179 80 cannot be telnet, but it's ok for 124.xxx.180, then failed on 124.xxx.181 80.
FYI.. all our PC can ping to the Public IP and no packet lose.
The scenario is very weird, I cant find any other solution as had review my configuration few times.
check does my configuration is working perfectly or not.
ASA Version 8.2(5)
!
hostname fw-asa
enable password xxx encrypted
[Code].....
I configured my cisco client with the info from the vpn wizard and get the following error :
error in the cisco vpn client when enabling the log : Invalid SPI size (log) + reason 412 the remote peer is no longer responding (application) message I see via the ASDM-IDM : Built inbound UDP connection for interface WAN
I'll explain briefly what I'm trying to do here :
* Remote vpn with windows users having cisco clients
* Group authentication and in the asa5510 LOCAL authentication
My WAN interface contains a public ip/29 I also defined a LAN interface with security level 100 in 10.0.60.0 255.255.252.0 range the vpn dhcp range I want to attribute to vpn users : 10.0.69.0/24
Basically I want users to initiate the vpn tunnel to the public IP and be able only to access the LAN range with the 10.0.60.0/22 range
ASA Version 8.2(5)
!
hostname xxxx
domain-name xxxx
[Code].....
I have a problem with an ASA5510 (8.0.4) firewall in South Africa (I'm in the UK).It's a replacement firewall that I am trying to configure remotely through a serial device with an internet facing connection, but the enable password is not working.I can connect to the device OK, type 'en' and when propted for the password whatever I use (blank, cisco, Cisco etc.) I get an 'invalid password' message.
View 2 Replies View RelatedCannot access to cisco asa5510 asdm nor ssh thru anyconnect vpn, attached is the current configuration. user authetnicaties aaa locally and has admin service-type. When vpn session is established, it lets me go thru the certificate warning and when trying to install the asdm laucher its failing. ssh access is enabled but not working. i can access both asdm and ssh from the inside network, and from a pc on that network.
View 9 Replies View RelatedI set up Anyconnect on ASA5510 and enabled secure connect in CUCM. I did everything as written in jabber for android administration guide and end user guide. But when secure connect configured on my mobile, secure connect entry never created even though I entered all correct parameters such as gateway address, authentication group, username and password. Provided that jabber is working fine internally
ASA log says:
SVC message: 16/NOTICE: The user has requested to disconnect the connection.
SVC closing connection: User Requested.
WebVPN session terminated: User Requested.
I succeeded in connecting via Anyconnect app on iPhone. So I believe Anyconnect Vpn connection has no problem. License checked.
Anybody succeeded in implementing secure connect using AAA authentication?
My mail server is not in my network, it's over internet elsewhere.After installing the ASA 5510, i can not get my mails any more.
View 7 Replies View RelatedI have an ASA5510 that was working in a HA config that is now constantly rebooting itself. Here is a copy of the dump of traceback messages:
Booting system, please wait...
CISCO SYSTEMSEmbedded BIOS Version 1.0(11)5 08/28/08 15:11:51.82
Low Memory: 631 KBHigh Memory: 256 MBPCI Device Table.Bus Dev Func VendID DevID Class Irq 00 00 00 8086 2578 Host Bridge 00 01 00 8086 2579 PCI-to-PCI Bridge 00 03 00 8086 257B PCI-to-PCI Bridge 00 1C 00 8086 25AE PCI-to-PCI Bridge
[Code] .........
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside
e0/1 = inside
m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1route management 10.72.0.0 255.255.0.0 10.72.232.94 10
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141 !interface Ethernet0/1 nameif inside security-level 100 ip address xxx.xxx.xxx.xxx 255.255.255.128 standby
[Code].....
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
i have cisco ASA 5510 Firewall using in my network, i have planning to upgrade the Flash memory from 256 mb to 512 mb and the RAM from 256 mb to 1GB.
View 1 Replies View RelatedWhen we had 8.2.2, we bought a Mobile license to make the iPads running AnyConnect happy. I applied it, but since we'd only purchased one license, it broke failover. 8.4 lets you share tracking licenses, and since we were planning on the upgrade to 8.4.x anyway, I figured no big deal, I'll get that straightened out when I do the upgrade.
Did the upgrade this weekend, and I still can't get things happy, the boxes don't see one-another:
Here's a show failover on the primary:
Failover OnFailover unit PrimaryFailover LAN Interface: failover GigabitEthernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1Monitored Interfaces 6 of 160
[Code].....
Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
Here's the lowdown:
Our public IP for our IronPorts ends in .167. That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts. Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
After the code upgrade, the nat won't work. No email sent or received. Nothing but Deny's on the ASA with flags reading either "SYN" or "RST". IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN on interface outside
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.
after an upgrade of NCS 1.1.1.24 to CPI 1.2 on green field, it was not possible to reuse the GUI. During the upgrade, I''ve shortly seen an oracle DB error, but the upgrade was going through, without problems.At the end, it was not possible to use the GUI, and every trial to start the services was stopped with errors.I've found the following severe Bug ID's in the support forum: Bug CSCuc29378 Prime Infrastructure 1.2 won't start after a db restore/Upgrade from NCS1.1.1.24 Oracle DB bug as well: CSCtw59460.I see only a new installation from scratch (1.2) as solution, but the bug is not resolved in V1.2, as seen in the bug tool.
- As the customer has an v.1.0 license who worked with NCS 1.1.1, do I need an upgrade order to be able to activate an installation from the v 1.2 ova (new PAK)??
- I'm searching for a one year CPI partner license, because I heard about in some Cisco Live sessions, but I did not find a way to acces´s to it.
we recently upgraded our ASA 5510 active/standby cluster from ASA Version 8.3.2 to 8.4.1(11). Unfortunately the standby ASA is now crashing a few seconds after the configuration was synchronized from the active ASA.
Also completely disabling HA, bringing the default config to standby ASA again and activating HA afterwards did not work. Also tried through the Wizard provided by ASDM to be sure to have no errors with requirements.
How to solve this without doing a downgrade back to 8.3.2. ?
