Cisco VPN :: Asa5520 How To Add Pcs To Vpn

Apr 23, 2012

I have configured SSL clientless VPN on an ASA5520 (8.2-asdm-6.4). It is working. The only problem is how to add PCs to the VPN, that is, when someone needs to access PCs via the VPN. Servers with a URL can be added without any problem. Is there any way to add PCs/servers with IP addresses?


Cisco Firewall :: ASA5520 To ASA5520 Via L2L Tunnel

May 31, 2011

Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
 
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
 
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
 
My 2nd is that I have debug enabled on my rules but am not logging anything.


Cisco VPN :: For VPN Between ASA5520 And Checkpoint R55

May 16, 2013

We are trying to configure the VPN with our provider. We are on ASA and they use Checkpoint. The VPN seems to be established on phase 1 and phase 2 too, but when I send ping packets they seem to be lost in the tunnel and the other side does not see them. The ASA is behind another firewall, and the outside interface of this ASA is NATed on this perimeter firewall.


Cisco :: ASA5520 Bandwidth Limitations

Oct 10, 2011

I'm trying to use a 5520 to test something but the bandwidth seems pretty low for the product I'm testing over it. Can anyone tell me if there is a bandwidth limitation by default? I'm seeing 1.5mb/s average with spikes to 6mb/s or so. On the ASA5550 I was seeing usage up to 80mb/s.


Cisco VPN :: ASA5520 SSL VPN Portal Not Working

Feb 17, 2010

I'm trying to set up the SSL VPN portal. When I connect via HTTPS to the ASA5520 outside interface I get the login prompt, and after a successful login it takes me directly to the AnyConnect client download (starts AnyConnect immediately), even though the group policy is configured to not prompt the user to choose the post login and the post login is set to go to the Clientless SSL VPN Portal?


Cisco VPN :: SonicWall / ASA5520 VPN Disconnects

Feb 4, 2009

We have several SonicWall TZ 190s establishing VPN tunnels with an ASA5520. Periodically, random VPN tunnels will drop and cannot re-establish a connection. In order to re-establish the dropped VPN tunnel, our firewall folks manually drop all VPN tunnels connected to the ASA (they used to physically power cycle the ASA). They claim this is the only way to resolve the problem, and since the SonicWall Life Time seconds for Phase 1 and 2 are set to 28800, they reset the tunnels every 8 hours. Additionally, they claim that SonicWall IPSEC is different than Cisco IPSEC, which is the main problem. Hence they are requesting a SonicWall VPN concentrator.


Cisco VPN :: ASA5520 Any Way To Set Up Profile To Check PC

Mar 5, 2013

I have a Cisco ASA5520 that we are going to use to allow users to connect to our network via the AnyConnect client. I have authentication set up to validate against AD via LDAP, but was wondering if there were any way to set up the profile to check the PC before they log in. We do not want users using their home PCs to attach to our corporate network, only PCs that were issued to them by the company. Nothing is jumping out at me in the config. We are running some fairly old software on the boxes (ASA - v8.2(2), AnyConnect - v2.5.3046). I plan on upgrading AnyConnect to v3.1 but will probably need to keep running the 8.2(2) version on the ASA due to support issues.


Cisco Firewall :: Only One Internet IP Can Be Used In Asa5520?

Sep 25, 2011

I have an ASA5520 with five Internet IPs. One is for the internet interface and the others are statically mapped to DMZ hosts. It ran correctly until yesterday. Now it loses the connection to the gateway many times every day and the DMZ hosts cannot connect to the internet at any time. Configuration (simplified):
 
!
interface GigabitEthernet0/0
nameif internet
security-level 0

[Code]....

I called the ISP to check. When the ISP clears their router's ARP, the ASA loses the connection at the same time and then the ISP's router couldn't learn the ASA's MAC. After I run 'clear arp' manually, the ISP's router can learn the ASA's MAC and the connection recovers, but the DMZ hosts still cannot access the internet (of course, there is no problem between the DMZ and the ASA; I ping the internet gateway from a DMZ host and cannot get any reply).


Cisco VPN :: One ASA5520 With Two Peers Interfaces

Feb 17, 2011

I have a location where I have 2 WAN links, but without a dynamic routing protocol in between. I want to implement a kind of hub to 2 spokes VPN. But the spokes will actually be on one single ASA firewall, each spoke on a different interface. One hub-spoke will be primary, the other one the secondary. When the WAN link for the primary VPN fails, the secondary should be started on the hub to the other spoke.


Cisco Firewall :: Upgrade 8.2.2 On ASA5520?

Oct 3, 2011

We have 2 x ASA5520 and I upgraded this to 8.2.2 last year, I see 8.2.5 and now 8.4 is out.  If we are having no issues, is it best just to leave it as it is?  I can see a couple of features I may find useful in 8.2.5, but 8.4 seems like a huge jump and a risky one too.


Cisco :: RME 4.2 Can't Get Configuration File From ASA5520

Aug 10, 2010

I have a problem with RME 4.2 from CWLMS 3.1. I have configured SSH on my ASA 5520 device but RME can't get the configuration file. I ran a job to sync the archive but I get this error message:
 
*** Device Details for ASA_5520_VOZ_01 ***  Protocol ==> Unknown / Not Applicable  Selected Protocols with order ==> Telnet,TFTP,SSH  Execution Result: CM0062 Polling ASA_5520_VOZ_01 for changes to configuration.  CM00 Polling not supported on

[Code].....


Cisco :: Firewall ASA5520 Is Very Slow

May 8, 2011

I have one ASA5520 firewall, and it is very slow.


Cisco WAN :: ASA5520 Not Connecting To Internet?

Feb 1, 2012

I have a Cisco 3750 switch connected to the ASA5520, which is connected to the internet.
 
LAN ----> Catalyst -----> ASA5520 ------> INTERNET
 10.1.4.0 ---10.0.0.1 ----10.0.0.2 ------- 203.98.227.3
 
On my switch I have VLANs configured. From the 10.1.4.0 network, I'm able to ping the switch gateway. I can ping the inside of the ASA. See my ASA config below. I have allowed HTTP and DNS traffic outside but cannot browse the internet from the 10.1.4.0 network.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.98.227.254 255.255.255.0
!
interface GigabitEthernet0/1

[code]....


Cisco Firewall :: Cannot Ping ASA5520 From LAN

Mar 7, 2011

I am trying to introduce an ASA5520 to my network based on the following diagram: ISP Internet ------> ASA5520 ------- > Cisco Router ------> LAN. The problem is I cannot ping the ASA from the LAN. I can ping it from inside the router. I already allow ICMP within the ASA. If I remove the Cisco router and replace it with a switch, I can ping the ASA with NO problem.


Cisco Firewall :: ASA5520 With Different CPU Type?

May 16, 2011

We want to use ASA5520s but the two firewalls have different CPUs. One has a Pentium 4 2400 MHz CPU and the other has a Pentium 4 Celeron 2000 MHz. Can they be configured for replica / failover?


Cisco Firewall :: LAN To LAN Between ASA5520 Version 8.3 And PIX?

Apr 19, 2011

We have 2 firewalls on PIX facing the Internet and connected to interface e1 (behind it) an ASA version 8.3. Both the PIX (Firewall facing) and the ASA are on the same subnet.
 
By using routing statements and statics I have been able to reroute specific traffic to the ASA5520 version 8.3. Now I need to invert the 2 devices. The ASA5520 will be facing the Internet and the PIX will be behind it. Unfortunately the ASA5520 is refusing to route the traffic to the PIX. The access-lists are open accordingly and a NAT on the ASA has been created.


Cisco Firewall :: Client Uses ISP DNS Under ASA5520?

May 31, 2013

I have my router connected to the ISP, then my router directly connected to my ASA5520. I also use the ASA5520 as my DHCP server, and I was wondering about the DHCP server function of the ASA 5520, because if I use the ASA 5520 LAN IP, all workstations will not be able to browse anything from the internet unless I use my ISP DNS IP which they gave me?


Cisco Firewall :: Using CSC SSM 6.6.1125.0 With ASA5520 8.4(4)1?

Sep 4, 2012

Get the following log message on secondary ASA console output when turning on the ASA failover function?
 
"Mate's service module (CSC SSM 6.6.1125.0) on slot 1 is different from mine (CSC SSM 6.6.1125.0)"
 
After that the secondary cannot join as a failover unit and shows in disabled status. We have the same model ASA & CSC module and each pair of them is on the same firmware (CSC 6.6.1125.0 with ASA5520 8.4(4)1). When I shut down both the CSC modules, the ASA failover works fine.


Cisco Firewall :: ASA5520 To Act As Web Proxy

Dec 15, 2012

I am using a squid proxy behind an ASA5520 firewall to collect the users to the internet. Squid is just necessary to log what is going on in order to find a quick solution when the internet slows down.
 
Considering that I have unlimited licenses and I would like to get rid of squid, I wonder if the ASA has some functionalities to track which websites are being used and how much traffic is generated. If there is not, I would like to know if Cisco offers a good product to replace Squid.


Cisco VPN :: ASA5520 - Unable To Establish Vpn

Feb 27, 2012

I have installed and set up Cisco AnyConnect on a win2008 server. It is able to authenticate successfully but upon trying to establish the VPN connection to the ASA5520, it shows "unable to establish vpn". Other servers and PCs from the same remote site are able to establish the VPN.


Cisco Firewall :: ASA5520 Upgrade 7.2 To 8.4

Jun 8, 2011

Upgraded an ASA5520 from 7.x to 8.4 in one step? Release notes for 8.4 state that you can "...upgrade from any previous release directly to 8.4..."  I've read the previous version release notes and see the various changes in NAT etc that 8.3 made.


Cisco VPN :: ASA5520 -AnyConnect Does It Do IPsec

May 15, 2012

I have a Cisco ASA5520 with Software Version 8.2(5) in place. Most of my users are Mac users and I am currently looking into Cisco AnyConnect in comparison to using the VPN client.
 
I have a couple of questions
 
1) Does Cisco AnyConnect make use of IPsec or is it solely SSL VPN based?
 
2) From the license information I have below in my ASA I understand that I can have a maximum of 750 VPN peers; however, am I right in saying that this does not apply to Cisco AnyConnect peers, and that with Cisco AnyConnect I can only have 2 peers? Also, what are the disabled AnyConnect options for?
 
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150

[Code]....
 
3) When trying to set up Cisco AnyConnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images; however, when I did this by uploading the .dmg file for Mac machines I got the error message "not a valid SVC image". Is this because I am running 8.2?


Cisco VPN :: ASA5520 / Cannot Access (RDP) VPN User

Nov 22, 2012

I need to access remote users' systems for troubleshooting and I cannot ping or access anything on their laptop when they are connected to VPN. For example, a user would get an IP of 172.16.4.132 when logged into VPN but I cannot ping him from the CLI, nor can I access his laptop via RDP.

S 172.16.4.132 255.255.255.255 [1/0] via 207.x.x.x, dmz

What could be the issue and how can I fix this? I'm on the 10.8.24.0/24 network

S 10.8.0.0 255.248.0.0 [1/0] via 172.16.0.7, Internal

which has a route to 172.16.0.0/16

C  172.16.0.0 255.255.0.0 is directly connected, Internal

The ASA is 172.16.0.3, which I can ping from my desktop on 10.8.24.0.

Device info:
This platform has an ASA 5520 VPN Plus license.
Cisco Adaptive Security Appliance Software Version 7.2(5)
Device Manager Version 5.2(5)
Hardware:  ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB


Cisco :: ASA5520 / Two Firewall Are Unknown On LMS 4.0.1

Jul 5, 2011

My customer had 2 ASA5520s, version 8.0(5)20, and LMS 4.0.1. The two firewalls are "unknown" on LMS. Why? Normally, LMS manages ASAs with version 7 minimum.


Cisco VPN :: ASA5520 VPN Host-to-LAN Implementation

Apr 4, 2011

I would like to implement two ASA 5520s (in failover). Architecture context:

-The ASAs are used as VPN concentrators only. At first the ASAs will be in charge of handling VPN IPSec Host-to-LAN connections (with the IPSec VPN client), and I think the VPN SSL AnyConnect client will be set up in the near future.
 
-We must define two categories of users (student and researcher); for each one we want to define:
  + An IP address pool
  + ACL
  + Split Tunneling (only LAN traffic will go in the VPN tunnel)
 
-The ASA will perform authentication via a RADIUS server (the RADIUS server is linked with an LDAP server)
  + In the RADIUS server we want to define the category of user (each user is a student or a researcher)
 
-The VPN clients use the internal DNS to request LAN resources.
 
-A timeout of the VPN if there is no traffic for 60 minutes
 
-The VPN users perform authentication with PSK (no certificate)
 
The RADIUS server software is IETF compatible (url...). The architecture is the following:

-One internet connection
-A corporate firewall with 3 DMZs:
+ 1 DMZ Public, to which the ASA "outside" interface is connected (encrypted traffic)
+ 1 DMZ Private, to which the ASA "inside" interface is connected (unencrypted traffic)
+ 1 DMZ LAN; there are some VLANs routed by 6500 routers.
-On the LAN there are the RADIUS servers
-On the corporate firewall:
+HTTPS and IPsec will be opened between the internet and the ASA
+The RADIUS traffic between the ASA and the RADIUS servers, and the traffic between the VPN user pool and the LAN.
 
-What is the best solution to configure the ASA?


Cisco Firewall :: ASA5520 VPN Support Over DSL

Jan 5, 2012

Any limits on the number of IPSec sessions an ASA5520 can support over a DSL connection?
 
Currently, as we increase the number of IPSec VPN tunnels, our LAN switches connected to the DSL/ASA start seeing CRC/input errors. Tried different LAN ports for both DSL/ASA connections - same results (CRCs and errors). Swapped the ASA for a PC running 1 IPSEC w/HD video and no issues.
 
VPN connection bandwidth demand 50% of DSL capacity, so not exceeding DSL bandwidth.    Errors get so bad that all VPN sessions drop - sometimes VPN sessions re-establish while other instances a DSL modem reboot is required.
   
cause of LAN switch connections seeing errors with 4+ VPN sessions established on ASA across a DSL Internet circuit?


Cisco Firewall :: Cut-Through Proxy Not Working With ASA5520

Jan 16, 2012

I'm trying to configure an ASA 5520 with cut-through proxy feature. The user is required to be authenticated when trying to access an outside resource from the inside. This is a test lab before it is implemented in production. [code]


Cisco Firewall :: How To Enable Not Used Interfaces On ASA5520

May 12, 2011

I have a pair of brand new 5520s I am in the middle of commissioning. After carving out all the DMZs etc. I needed, I realized that I really needed another physical NIC, not just another VLAN off a configured NIC. [code] I am running 8.3(2). How can I turn these "Not used" interfaces into usable ones?


Cisco :: How To Connect ASA5520 With ISP Mpls Network

May 6, 2012

In HQ, we have a Cisco ASA 5520. There is a data line which is supplied by the ISP for MPLS-VPN service with the branch offices. The branch offices also have a data line which is supplied by the ISP. Now I want the branch offices to access resources at HQ without site-to-site VPN configuration (because we don't have an ASA or any device to configure L2L VPN). So I need to configure the HQ firewall to allow the branch offices to access the resources at HQ without any restriction.


Cisco Firewall :: ASA5520 Cannot Ping Outside World

May 22, 2013

I have Cisco ASA5520 with  a 8.4 code in GNS3.  I have a problem pinging to the internet.  On the ASA console, I can ping  to outside world, but on vpc  I cannot ping the outside world.  But I can ping the ASA Inside interface and other VLANs, no problem. [code]


Cisco Firewall :: Access-list On ASA5520

Feb 23, 2011

I have a question about access-lists on ASA (5520 running 8.4). Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to the Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal networks and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permits all traffic from a network to all networks that are reachable via a given interface? In this example: permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to the Internet and deny traffic to internal networks in one statement. If I specify the outside-interface as the destination, only traffic to the interface itself will be allowed.


Cisco Firewall :: ASA5520 Not Allowing Traceroute

Oct 31, 2011

I've got an annoying problem with my ASA 5520. I have traffic going from the inside interface (security level 100) to the outside interface (security level 0) with a global PAT applied to the outside interface address for all inside traffic - and I can't seem to traceroute through the firewall. The ruleset is simple - basically, allow any IP from inside to outside. The NAT is simple - PAT all traffic unless exempted to the IP address of the outside interface. If I do the trace from my internet edge router it works fine - so I know it's not something my uplinks are filtering - but if I do it through the firewall, I get perfect responses until the hop where it hits the firewall interface - then nothing. Is there something I am missing that I need to do to allow traceroute to just work with all the rest of the traffic?


Cisco Firewall :: How To Verify If CG-NMS Is Enabled On ASA5520

Apr 11, 2013

How do I verify if CG-NMS is enabled on an ASA5520? I just need to know if it's enabled/installed to be enabled and used? Cisco Adaptive Security Appliance Software Version 8.0(5)28, Device Manager Version 6.1(5)51.








Copyrights 2005-15 www.BigResource.com, All rights reserved