At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
Result of the command: "show activation-key"
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 188.8.131.52 service tcp/100 host2: 192.168.1.2 service tcp/200 >>>>> public ip 184.108.40.206 service tcp/200 host3: 192.168.1.3 service tcp/300 >>>>> public ip 220.127.116.11 service tcp/300
So people from remote just need to use 18.104.22.168 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.
I also want in internal NAT, but only for certain external hosts, so when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254), has it's source changed to 172.16.1.100.
The ASA5505 I am working with has this from the show version:
Licensed features for this platform:Maximum Physical Interfaces : 8VLANs : 3, DMZ Restricted Inside Hosts : 10Failover : Disabled VPN -DES : EnabledVPN-3DES-AES : Enabled VPN Peers : 10WebVPN Peers : 2Dual ISPs : Disabled VLAN Trunk Ports : 0 This platform has a Base license.
Does the Insides Hosts :10 line mean that only 10 devices can be connected to the firewall at one time? I would like to connect an AP to one of the PoE ports and have possibly more than 10 connected. Is this possible with this ASA5505?
I am using ASA 5505 firewall with base-license. I connected my firewall to one cisco 3750 switch where i created 5 vlans. I done NATing for all vlans and they able to get internet and working fine. They able to browse all internet sites like gmail and yahoo mail.
All internal users are configured to use Outlook for their webmail. Here the problem is with outlook they are unable to send and receive the mails.
If they directly connected their system using public ip( Directly from ISP) they able to send and receive mails from outlook.
This is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
· The NAT translation table · The TCP connection states · The UDP connection states · The ARP table · The Layer 2 bridge table (when it runs in the transparent firewall mode) · The HTTP connection states (if HTTP replication is enabled) · The ISAKMP and IPSec SA table · The GTP PDP connection database
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."
I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.Find my config below to know what i ahave omitted or committed.
In previous LMS versions the DCR could hold more devices then the licenses of the other other applications permitted and using the "user defined fields" we have used it as a general device repository for some customers, pushing only the supported cisco devices to the various applications.In LMS 4 cisco has removed all allocation possebilities from the various applications and replaced it by an all or nothing type of allocation.Does this now mean that any entry in the DCR is automatically counted as a used device license?
Any method to determine the maximum number of concurrently used SSL VPN licenses (sessions) on an ASA5540 over a period of time? For instance, over a week, the MAXIMUM number of concurrent users that were utilizing SSL licenses on the box. We are trying to determine current license capacity of the device.
We are running 8.2(5) on the ASA itself, and have 6.47 ASDM deployed.
I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet. I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere. Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet.
I have, what I believe to be, a simple issue - I must be missing something. Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209). There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off. The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue. Basically, the VPN is up and running but PC 10.51.253.210 cannot get out
I wish to purchase Cisco Prime LMS 4.1, particularly Cisco part # R-LMS-4.1-500-K9 which support 500 Cisco nodes.We have about 360 Cisco switches/routers/ASA/FWs/WLCs so the 500 nodes license would seem to suffice for now & for future growth.We also have about 200 lightweight APs that are managed & monitored by our WLC/WCS/Navigator environment.According to the device support documentation for LMS, it supports and I assume will auto-discover these APs.Does that mean these APs will use up node licenses on LMS even though management of the APs is done by WLC/WCS? If so is there an easy way to suppress discovery of APs by LMS so we don’t have to purchase extra node licenses for LMS? Or, does LMS offer additional support features for wireless APs not already offered by WLC/WCS/Navigator?Just trying to understand how many network node licenses for LMS I have to purchase.
Getting the following alarm from my ISE:Cause:Base License Enforcement Details: Base concurrent users exceed license allowable count.Currently only using 1656 out of 2000 base licenses so I'm not sure what the issue is. Running 22.214.171.124 patch 3.
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
I am trying to configure our ASA 5505 so that our users can access our ftp site using [URL] while inside the firewall. Our ftp site is setup so that you can reach it by either browsing to the above url or by browsing to ftp://126.96.36.199 but we are unable to access our ftp site from either route while inside the firewall. We can access our ftp site using the internal ip address of 192.168.1.3.
Here is our current confguration:
Result of the command: "show running-config" : Saved:ASA Version 8.2(1) !hostname ciscoasaenable password qVQaNBP31RadYDLM encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif ATTsecurity-level 0pppoe client vpdn group ATTip address pppoe setroute !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveobject-group service DM_INLINE_TCP_1 tcpport-object eq ftpport-object eq ftp-dataport-object eq wwwaccess-list ATT_access_in extended permit tcp any host 188.8.131.52 object-group DM_INLINE_TCP_1 access-list ATT_access_in extended permit tcp any interface ATT eq ftp access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data access-list ATT_access_in extended permit tcp any interface ATT eq www access-list 100 extended permit tcp any interface ATT eq ftp
I'm new to ASA and bought a used one from ebay but I cannot connect to the ASDM - I get an error in all the browsers.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Having browsed the support forums and Google - it seems I need the 3DES license. I have obtained an activation key from Cisco and applied it to my ASA 5505 however I get a warning about the device is licensed for a higher software level. the license on the ASA is Security plus. When I apply the activation key from Cisco most of the features are disabled.
DNS resolution works and I can surf the web without fail. But if I try to ping any external hosts (I can ping inside interface of ASA fine) from the LAN I get timeouts. I can ping anything from the ASA without fail.
I am able to reach VPN clients (Anyconnect) only from hosts directly connected to the ASA's inside interface subnet. However, hosts on other internal subnets (184.108.40.206 & 220.127.116.11) are unable to connect to clients on VPN. The ASA is running ver 8.4. [code]
I am able to connect to my Cisco ISR 891 via VPN with the Cisco VPN Client 5.0.07.0440, but once connected I cannot access hosts on the inside. If I ping a host on the inside by name, nothing resolves. If I ping by IP, I get a reply from the public IP of the router. [code]
I have a Cisco ASA 5505 device with basic (default) license, currently all my reirections, VPN's, VLAN's(3 Vlan's) etc are configured on the same and are working fine.Now i need to upgrade my basic license to "Security Plus" for some additional features, if i upgrade it directley is there any complications in present rules, below is my doubhts
1. if i upgrade, did it change any of my present configurations ? 2. is there any name change or property changes for VLAN's or VPN's 3. did it affect the firewall functions 4. If anything goes wrong, can i restore it in to my old state using my previous dump.
I am planning to setup Clientless Web VPN on our ASA 5505 for secure access to a internal web resource from outside. When I checked the licensing details on the ASA using #sh ver I could notice thar Web VPN peers allowed is only 2 Does this mean that only two clientless simoultaneous connections are possible ?
Licensed features for this platform: Maximum Physical Interfaces : 8 VLANs : 3, DMZ Restricted
One of our clients has recently purchased upgrade licenses for their cisco asa as follows
L-ASA5505-10-50= and L-ASA5505-SEC-PL=
after retrieving the activation key from the cisco website we tried entering the activation key to the asa both via ASDM and telnet when entering the command on telnet the shell becomes unresponsive when entering the command on ASDM we receive a "success" message followed by a request to restart ASDM and save the configuration after a minute or so i get an error screen saying "write mem" the asdm restarts and nothing changes.
I'm just new with ASA. I'm just self-studying on it. I was tasked to have an ACL that will allow inside hosts to access a specific network. Is there a way on how to know all the inside hosts on the behind ASA so that I can do a "object-group network" on those inside hosts which I think it will look neat.
I have a 5505 that currently has inside/outside interfaces and everything is working just fine. I am trying to create a DMZ that will essentially be just for vendors/guests. the DMZ will have full access to the outside (Internet) but no access to the inside. I am using the FW for DHCP, and 18.104.22.168 and 22.214.171.124 for DNS. I currently have 1 laptop in the DMZ vlan, and it is getting a correct IP, and it is showing 126.96.36.199 and 188.8.131.52 in ipconfig. I can ping/tracert 184.108.40.206/ 4.2. 2.2/220.127.116.11(what url... resolved to on a laptop connected to the inside vlan), but I cannot ping nor browse to url.... [code]
We recently purchases the Cisco ASA 5505 to get familiar with it, possibly buying more appliances for our branch offices. However, since the appliance is installed, our SIP telephones no longer register with our SIP service provider.
The SIP phones are all on 10.0.1.0/24 while the SIP provider is external via the outside network. I copied our configuration below. how to enable SIP for all 10.0.1.0/24 hosts and ports 5060, 5160, 5260, 5360?
gcxfw# show running-config : Saved : ASA Version 8.4(3)
I have a standard ASA 5505 with inside, dmz and outside with the default security levels, 100/50/0. we have an email server inside which has been NATed and is working fine. However users accessing the wireless on the dmz are unable to access their emails on https (443). How do I allow SSL access ONLY to users on the dmz using ASA 8.4 commands or ADSM 6.4?
I have 2 ASA and would like to build a Side-to-Side VPN between these ASA. So I can learn something about configure a ASA for different thinks. But now I don`t can Ping from a Client to the Internet-Router.My Configuration is:
I have a 5505 with Base license running ASA software v8.4(2) that has been working happily for a while with an inside and an outside VLAN.
The outside has a single statically configured public IP, and I have a number of static NAT rules to expose a few internal servers as well as Dynamic-NAT for all devices on inside to gain access to the Internet... the main bits of the config are below:
I now have a requirement to add a "dmz" VLAN for guests to have access to the Internet using a dedicated wireless AP, but not to any of the inside resources. As the ASA has a base license I have configured "no forward interface" to the inside vlan, which suits the purpose fine
interface Vlan12 description Used only for guests access to the Internet - no access to the corporate resources no forward interface Vlan1 nameif guests security-level 20 ip address 192.168.2.1 255.255.255.0
My problem is that when I try to add NATing from the dmz to the outside I get a:
ERROR: Address a.b.c.d overlaps with outside interface address. ERROR: NAT Policy is not downloaded
Having had a look at the ASA Configuration guides, all the examples I can see with several "internal" VLAN's being NAT'ed use one external IP per VLAN - is this a feature/restriction of the ASA software? Are there any workarounds? Or is the overlap in the error message really about the current NATing to the inside VLAN which is done on the "any" 0.0.0.0 subnet - would the following then work: