317012 ASA instead of 622001

Hello

I'm running ASA 9.4(3) with a backup ISP link. With the help of the manual I made the configuration changes below. It works fine, except for one thing: I don't see it in my syslog messages. Sources say there should be a 622001 message, but all I get is "%ASA-3-317012: Interface IP route counter negative - GigabitEthernet0/1" when the MAIN link goes down. The strangest thing is that I can't find information about 317012 on cisco.com... Waiting for any advice, thanks.

route EXTERNAL_MAIN 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
route EXTERNAL_BACKUP 0.0.0.0 0.0.0.0 11.0.0.1 200

sla monitor 123
 type echo protocol ipIcmpEcho 213.180.193.3 interface EXTERNAL_MAIN
 num-packets 5
 frequency 30

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

M5(config)# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level warnings, facility 20, 13243 messages logged
        Logging to INTERNAL 192.168.15.4
    Permit-hostdown logging: enabled
    History logging: disabled
    Device ID: hostname "m5"
    Mail logging: disabled
    ASDM logging: level informational, 8363649 messages logged

%ASA-6-622001 is a level 6 (informational) log message. You can either raise your trap logging level (and you'll get a bunch of other things along with it) or 'promote' that one message to level 3.

logging message 622001 level 3
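The reply above is the whole story: the syslog server only receives messages whose severity is at or below the `logging trap` level, so an informational 622001 never leaves a box set to `warnings`, while the error-level 317012 does. The following Python model, added here as an illustration and not part of the original thread or of any Cisco tool, reproduces that gate and the `logging message <id> level <n>` override so you can see which of the three options (leave it, raise the trap level, promote the message) forwards what. The 317012 text is the one quoted in the question; the 622001 and 305011 sample lines are constructed, not captured output.

```python
import re
from dataclasses import dataclass, field

# ASA syslog severity names, indexed by number (0 = most severe, 7 = least).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Matches the "%ASA-<severity>-<message id>:" prefix of an ASA syslog line.
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")


def level_number(level):
    """Accept either a numeric level ('3') or a severity name ('errors')."""
    level = str(level).strip().lower()
    if level.isdigit():
        n = int(level)
        if 0 <= n <= 7:
            return n
        raise ValueError(f"severity out of range: {level}")
    return SEVERITIES.index(level)  # raises ValueError for unknown names


@dataclass
class TrapPolicy:
    """Model of 'logging trap <level>' plus 'logging message <id> level <n>' overrides."""
    trap_level: int = 4                       # warnings, as in the 'show logging' above
    overrides: dict = field(default_factory=dict)

    def apply(self, command):
        """Apply one ASA logging command (constructed parser: only the two forms used here)."""
        parts = command.split()
        if parts[:2] == ["logging", "trap"] and len(parts) == 3:
            self.trap_level = level_number(parts[2])
        elif parts[:2] == ["logging", "message"] and len(parts) == 5 and parts[3] == "level":
            self.overrides[parts[2]] = level_number(parts[4])
        else:
            raise ValueError(f"unsupported command: {command}")
        return self

    def would_send(self, line):
        """True if this line would be forwarded to the trap (syslog server) destination."""
        m = ASA_RE.search(line)
        if not m:
            return False
        # A per-message override replaces the message's built-in severity.
        severity = self.overrides.get(m["id"], int(m["sev"]))
        return severity <= self.trap_level


def sent_ids(policy, lines):
    """Message ids, in input order, that the policy would forward."""
    return [ASA_RE.search(line)["id"] for line in lines if policy.would_send(line)]


# Constructed sample lines (the 317012 text is the one quoted in the question).
SAMPLE_LINES = [
    "%ASA-3-317012: Interface IP route counter negative - GigabitEthernet0/1",
    "%ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.0.0.1, distance 1, "
    "table default, on interface EXTERNAL_MAIN",
    "%ASA-6-305011: Built dynamic TCP translation from INTERNAL:192.168.15.50/51234 "
    "to EXTERNAL_MAIN:10.0.0.2/51234",
]


def compare():
    """The three options: leave the trap level, raise it, or promote only 622001."""
    default = TrapPolicy().apply("logging trap warnings")
    raised = TrapPolicy().apply("logging trap informational")
    promoted = (TrapPolicy().apply("logging trap warnings")
                .apply("logging message 622001 level 3"))
    return {
        "default": sent_ids(default, SAMPLE_LINES),    # only 317012
        "raised": sent_ids(raised, SAMPLE_LINES),      # everything, including NAT noise
        "promoted": sent_ids(promoted, SAMPLE_LINES),  # 317012 and 622001 only
    }


if __name__ == "__main__":
    for name, ids in compare().items():
        print(f"{name:9s} -> {ids}")
```

Raising the trap level to informational also forwards every translation and connection message (305011 and friends), which is why promoting the single message is the cheaper fix when all you need is the tracked-route event.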

Tags: Cisco Security

Similar Questions

  • Multicast through remote access VPN (ASA)

    Hi all

    I have an ASA 5505 that I want to use as a device that will terminate several RA clients so they can access our TEST network. The problem is that the TEST net provides multicast video streams the clients need to see. I currently do this with a Windows Server and clients through L2TP. How can I do this with the ASA instead? I know IPSEC does support multicast... can something be done?

    Hello

    You can check the related multicast L2TP below mentioned example link...

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Regards

    Knockaert

  • SSH Client and ASA.

    We have started to introduce ASAs instead of the PIX devices. When I try to SSH with the PuTTY client it gives 'server unexpectedly closed network connection'. Tried the latest client and defining SSH 1 and 2 but no joy.

    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5

    Anything I forgot to do?

    Make sure that you have generated RSA keys.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#configs

    Kind regards

    Arul

  • automatic start of Tunnel VPN ASA.

    I was wondering if anyone had ideas for a problem I'm having.

    I had previously configured an IOS router, which had a dynamic IP address from the ISP, with a VPN to the PIX at headquarters. I had the PIX configured with a generic isakmp/crypto peer address so it didn't care what peer IP address attempted the VPN handshake with it. But in order to bring the VPN up, it had to be initiated from the IOS router side because of the dynamic-to-static LAN VPN that is configured.

    The problem I had initially was that behind the IOS router, on its LAN side, I had cameras that didn't generate any traffic by themselves, so the VPN never came up. Since I had NTP on the IOS router, I set a fake NTP server IP address that was in the subnet across the VPN on the PIX side and then sourced the IOS router's NTP from its Ethernet interface, so it would automatically bring up the tunnel by itself.

    Now we are trying to implement an ASA instead of the IOS router, and the NTP commands are there, including the source option that can be 'inside' or 'outside', but it doesn't work as the IOS router did. I also tried to create a kind of SNMP or SLA with some source options but that didn't bring up the tunnel either. It's as if it's not sourcing from an IP address or interface that looks like the interesting traffic.

    I wonder if it's something to do with the fact that on the ASA we set up, we put the IP addresses on the VLAN interfaces and then put the Ethernet interfaces in the VLAN as access switchports, instead of putting the IP addresses on the Ethernet interfaces themselves.

    Does anyone have any ideas on how to automatically initiate the VPN tunnel from the ASA configuration?

    You may need to add the ASA's outside interface as interesting traffic. That is usually needed when you want a remote ASA/PIX to syslog to a local syslog server. I know you're doing NTP, but it should be the same. Looks like the same problem here. In any case it is worth trying.

    Here is the doc for the PIX, but it is similar for the ASA.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

  • Configuration of CSC - SSM

    From what I've read on the subject, the CSC-SSM module has a Base license and a Plus license.

    The Base license allows the SSM module basic antivirus/spyware control over your network. The Plus license allows the Base license features plus Email Filtering and URL filtering.

    So, I guess the only way to block malicious websites and do URL filtering is through the SSM?

    I guess you could also simply apply ACLs, but the best way would be through the SSM.

    If you buy the CSC-SSM with the Plus license and set it up, will there be any downtime associated with it when you pass the traffic that is transferred to the CSC from the ASA, instead of just out of the ASA and to the Internet?

    Thanks for your help guys

    Hi John,

    I guess the only way to block malicious websites and do URL filtering is through the SSM?

    I guess you could also simply apply ACLs, but the best way would be through the SSM?

    A/ As the name says, this is a content filtering device; it will apply policies based on what you've set up. On the other hand, the IPS-SSM will allow all traffic, refusing only what it finds is illegal, so I would say that yes, you are right.

    If you buy the CSC-SSM with the Plus license and set it up, will there be any downtime associated with it when you pass the traffic that is transferred to the CSC from the ASA, instead of just out of the ASA and to the Internet?

    A/ No interruption at all. Remember to have the CSC installed first; a fallback policy would be great, and finally simply redirect traffic to see it working. As soon as the CSC is running there will be a peace association.

    Kind regards

    Don't forget to rate all the useful posts

    Julio

  • Cisco 1841 VPN

    Hello

    I have an 1841 router at site A connected to site B (Fortinet FW) via an L2L VPN over the internet. If a remote access user connects to site A through RA VPN over the internet, would they be able to connect to site B as well? Is this also possible if I have an ASA FW instead of an 1841 router?

    Thank you! :)

    If it's supported, it would be the same as on the ASA (in a crypto map configuration).

    Regards

    Farrukh

  • Should I block icmp on my edge router or my firewall?

    Originally, we were blocking icmp traffic on our border router (2811), but recently we changed this to block on the firewall (ASA) instead. I have been informed that blocking on the router would cause too much overhead on the router, since it now has to inspect all traffic, and the firewall was better equipped for this.

    What is the industry standard? What does Cisco recommend?

    Something like this, although I recommend you post this on the firewall forum for confirmation.

    ! deny non-initial ICMP fragments
    access-list 101 deny icmp any any fragments
    ! permit "destination unreachable" messages
    access-list 101 permit icmp any any 3
    ! permit "time exceeded" messages
    access-list 101 permit icmp any any 11
    ! permit "source quench" messages
    access-list 101 permit icmp any any 4
    ! permit "parameter problem" messages
    access-list 101 permit icmp any any 12
    ! permit "echo reply" messages
    access-list 101 permit icmp any any 0
    ! deny all other icmp
    access-list 101 deny icmp any any

    You could consider tightening the destination unreachable line too. The entries should look like this for each type and code that you want to allow:

    ! permit "dest unreach - port unreach" messages
    access-list 101 permit icmp any any 3 3

    See here:

    http://www.IANA.org/assignments/ICMP-parameters
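The value of the list above lies in its ordering: the `fragments` deny comes first, the typed permits next, and the catch-all deny last, with first match winning. The Python below is an added illustration (not Cisco code, and not from the original post) that parses the answer's ACL lines and evaluates sample ICMP packets against them, so the effect of tightening type 3 to "type 3 code 3" can be checked side by side with the looser version. It only understands the `any any` form of ICMP entries used in the answer, and it models the IOS rule that an entry carrying a type or code cannot match a non-initial fragment because such fragments carry no ICMP header.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IcmpPacket:
    icmp_type: int
    code: int = 0
    non_initial_fragment: bool = False   # no ICMP header present in the fragment


@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    icmp_type: Optional[int]   # None = any type
    code: Optional[int]        # None = any code
    fragments: bool            # 'fragments' keyword: matches non-initial fragments only


# Subset of the IOS ACE syntax used in the answer: 'any any' only, optional ICMP type,
# optional code, optional 'fragments' keyword. Lines starting with '!' are comments.
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+icmp\s+any\s+any"
    r"(?:\s+(?P<type>\d+)(?:\s+(?P<code>\d+))?)?(?:\s+(?P<frag>fragments?))?$",
    re.IGNORECASE,
)


def parse_acl(text):
    """Turn ACL text into an ordered list of entries; unsupported lines raise."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        entries.append(AclEntry(
            action=m["action"].lower(),
            icmp_type=int(m["type"]) if m["type"] else None,
            code=int(m["code"]) if m["code"] else None,
            fragments=bool(m["frag"]),
        ))
    return entries


def matches(entry, pkt):
    if entry.fragments:
        return pkt.non_initial_fragment            # only non-initial fragments
    if pkt.non_initial_fragment:
        return entry.icmp_type is None             # no header: only L3-only entries match
    if entry.icmp_type is not None and entry.icmp_type != pkt.icmp_type:
        return False
    if entry.code is not None and entry.code != pkt.code:
        return False
    return True


def evaluate(entries, pkt):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for entry in entries:
        if matches(entry, pkt):
            return entry.action
    return "deny"


def decide_all(acl_text, packets):
    entries = parse_acl(acl_text)
    return [evaluate(entries, p) for p in packets]


# The answer's list (corrected syntax) and the tightened variant it suggests.
LOOSE_ACL = """\
! deny non-initial ICMP fragments
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any any 3
access-list 101 permit icmp any any 11
access-list 101 permit icmp any any 4
access-list 101 permit icmp any any 12
access-list 101 permit icmp any any 0
access-list 101 deny icmp any any
"""
TIGHT_ACL = LOOSE_ACL.replace("permit icmp any any 3\n", "permit icmp any any 3 3\n")

# Constructed sample packets: echo request, echo reply, host unreachable,
# port unreachable, time exceeded, and a non-initial fragment.
SAMPLES = [IcmpPacket(8), IcmpPacket(0), IcmpPacket(3, 1), IcmpPacket(3, 3),
           IcmpPacket(11), IcmpPacket(3, 3, non_initial_fragment=True)]

if __name__ == "__main__":
    for name, acl in (("loose", LOOSE_ACL), ("tight", TIGHT_ACL)):
        print(name, decide_all(acl, SAMPLES))
```

With the loose list every destination-unreachable code gets through; with the tightened one only port-unreachable does, and the fragment deny still catches the non-initial fragment before any typed entry is consulted.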

  • SSL vpn through the same internet connection to another site

    Hi, I have a network with a Juniper SSL box that connects to the DMZ port of an ASA5510, where the outside of the ASA is the same as the outside of the SSL VPN box.

    Accessing the internal network, there are no issues at all.

    Now, I need the Juniper SSL VPN box remote users to connect to my remote sites, which take the client connection through an internet router (Cisco, through site-to-site IPSec VPN) on to the remote site.

    Is it possible? My hunch is yes, "it can be done."

    Currently I'm getting nowhere; I get no hits on the ASA DMZ ACL if I try to access the remote site resources from the SSL VPN client.

    Schema attached

    Any help would be appreciated

    Shouldn't be a problem.

    On the Juniper SSL, you must check that the routes for the remote IPSec LAN have been added pointing to the ASA DMZ IP address instead of pointing to the internet through the Juniper SSL box.

    You need to configure NAT exemption on the ASA between the SSL pool subnet and the IPSec Remote LAN. As a result, you must also include the SSL subnet to Remote LAN subnets in the crypto ACL, and mirror that ACL in the remote site's crypto ACL.

    Hope that helps.

  • Third-party VPN client

    The Cisco ASA is used as a VPN concentrator and I noticed that users don't use the Cisco VPN client to establish a VPN tunnel with the ASA; instead they use third-party applications that work when you import the configuration file into them.

    So my question is:

    1 - Is there a way to prevent this from happening and restrict use to the Cisco VPN client?

    2 - What are the security concerns of using a third-party application?

    Kind regards

    Hesham.Yousry

    There is no way to avoid this with respect to third-party IPSec clients.

    I don't think there are security problems when using a third-party IPSec client, until it establishes the secure connection.

  • Binds two ISP ASA to remote VPN Client to connect to instead of creating two profiles on the remote client

    Hello

    just a quick,

    TOPOLOGY

    ASA isps1 - 197.1.1.1 - outside

    ASA ISP2 - 196.1.1.1 - backup

    LAN IP - 192.168.202.100 - inside

    I have configured the tunnel on the interfaces (outside and backup), but I want to bind both public legs to serve as redundancy for VPN users, with the VPN tunnel users pointing to the inside IP whenever they want to establish a VPN session. We want it to be one, so if an interface fails VPN users will not know, but the client will try the second for the connection, instead of creating a profile for each of the two outside legs on the VPN client.

    Is this possible?

    Hi Rammany,

    In your case, you have only one ASA that connects with 2 ISPs in different IP segments... 196.x.x.x (Link1) & 197.x.x.x (Link2). Your condition is that you want the VPN client to have backup. If the 196.x.x.x link fails, it should automatically take the 197.x.x.x link. Also, we should not have the backup server configured in the VPN client. You don't have the possibility of having active/standby with a single ASA either.

    I don't think it will work with your current design.

    One option is if your VPN client supports host name resolution (DNS). You can have the VPN created for both public IP addresses sharing the same host name, keeping link 1 as the primary address and 2 as the secondary address. It will work on its own.

    Hope some other experts in our forum can help you with that.

  • ASA 5505 host license limit has been exceeded

    I'm receiving syslog message 450001 - host license limit has been exceeded.

    According to show version on my ASA 5505 (8.0.2), inside hosts are limited to 10. The limit of 10 corresponds to the limit (10) in the syslog error message.

    How is this number of hosts calculated? Show arp shows 6 addresses bound to the inside interface.

    Hello

    Don't use "show arp", use "show local-host" instead.

    Excerpt from http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.pdf

    In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted towards the limit.

    In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.

    Kind regards

    Dandy

  • ASA failover interface status: Normal (Waiting)

    I've been struggling with this. I have two ASAs running 8.6 that show the interfaces being monitored fine.

    I'm running 9.2 on these and they show the interfaces as waiting. Also, can I disable monitoring of the IPS? I only ask because back when the IPS was a hardware module in the ASA, if I had to restart it the units would fail over. I don't know if it's the same now that the IPS is software-based inside the ASA, running on a separate hard drive.

    ASA5515-01# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet0/5 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 114 maximum
    MAC Address Move Notification Interval not set
    Version: Ours 9.2(2)4, Mate 9.2(2)4
    Last Failover at: 03:55:44 CDT Oct 21 2014
            This host: Primary - Active
                    Active time: 507514 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                      Interface outside (4.35.7.90): Normal (Waiting)
                      Interface inside (172.20.16.30): Normal (Waiting)
                      Interface Mgmt (172.20.17.10): Normal (Waiting)
                    slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                      IPS, 7.1(4)E4, Up
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                      Interface outside (0.0.0.0): Normal (Waiting)
                      Interface inside (0.0.0.0): Normal (Waiting)
                      Interface Mgmt (0.0.0.0): Normal (Waiting)
                    slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                      IPS, 7.1(4)E4, Up

    Stateful Failover Logical Update Statistics
            Link : Unconfigured.

    ASA5515-01# show run | inc failover
    failover
    failover lan unit primary
    failover lan interface FAILOVER GigabitEthernet0/5
    failover interface ip FAILOVER 10.10.1.1 255.255.255.252 standby 10.10.1.2
    ASA5515-01# ping 10.10.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 02/01/10 ms
    ASA5515-01#

    ------------

    I also read not to use a design where a cable is connected directly between the two units; instead each interface should connect to a downstream switch port, so that the link status stays up on one firewall's interface if the other firewall's interface fails. Otherwise, both units detect a link-down condition and assume their own interface is down. Never really thought about it in that sense. Does anyone use a directly attached cable and have problems?

    Hello

    I rarely troubleshoot failover configurations, so I am a little rusty with the problems associated with them.

    First thing that comes to mind: do the configurations under the interfaces have a "standby" IP address configured? I wonder because failover seems to be configured and the link between the units is fine, but the Standby Ready unit shows just 0.0.0.0 for each interface.

    -Jouni
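Both points in this thread can be read straight off the `show failover` text: every interface is "Normal (Waiting)" rather than "Normal (Monitored)", and every interface on the standby unit reports 0.0.0.0, which is what Jouni's question about missing `standby` addresses is getting at. The Python below is an added example (not part of the thread and not a Cisco tool) that parses the per-unit interface rows out of `show failover` output and reports both conditions; the sample text is a trimmed copy of the output quoted above, and the "Normal (Monitored)" healthy state is the assumption the check is built on.

```python
import re

# One monitored-interface row, e.g. "Interface outside (4.35.7.90): Normal (Waiting)".
IFACE_RE = re.compile(
    r"^\s*Interface\s+(?P<name>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\):\s+(?P<state>.+?)\s*$"
)
# Section headers that say which unit the rows below belong to.
HOST_RE = re.compile(r"^\s*(?P<which>This|Other) host:\s+(?P<role>.+?)\s*$")

HEALTHY = "Normal (Monitored)"   # state once failover hellos are seen on the interface


def parse_failover_interfaces(output):
    """[(unit, role, interface, ip, state)] from 'show failover' text (constructed parser)."""
    rows, unit, role = [], None, None
    for line in output.splitlines():
        h = HOST_RE.match(line)
        if h:
            unit, role = h["which"].lower(), h["role"]
            continue
        m = IFACE_RE.match(line)
        if m and unit:
            rows.append((unit, role, m["name"], m["ip"], m["state"]))
    return rows


def failover_findings(output):
    """Flag interfaces not fully monitored and standby-unit interfaces with no address."""
    findings = []
    for unit, role, name, ip, state in parse_failover_interfaces(output):
        if state != HEALTHY:
            findings.append(f"{unit} ({role}) {name}: '{state}' instead of '{HEALTHY}'")
        if unit == "other" and ip == "0.0.0.0":
            findings.append(f"{unit} ({role}) {name}: address 0.0.0.0 - "
                            "is a 'standby' IP configured on the interface?")
    return findings


# Constructed sample, trimmed from the output quoted in the post.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/5 (up)
Monitored Interfaces 3 of 114 maximum
        This host: Primary - Active
                Active time: 507514 (sec)
                  Interface outside (4.35.7.90): Normal (Waiting)
                  Interface inside (172.20.16.30): Normal (Waiting)
                  Interface Mgmt (172.20.17.10): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
                  Interface Mgmt (0.0.0.0): Normal (Waiting)
"""

if __name__ == "__main__":
    for finding in failover_findings(SAMPLE_SHOW_FAILOVER):
        print(finding)
```

Run against a pair whose interfaces carry `standby` addresses and have exchanged hellos, the function returns an empty list; on the output above it reports nine findings, six for the waiting state and three for the missing standby addresses.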

  • Interfaces of AIP-SSM and ASA 5510

    Can someone explain if and how routing works between the ASA and the IPS card?

    (1) Is the single NIC on the IPS card for management purposes only?

    (2) Is the IP address configured during installation of the card for that one NIC?

    (3) Does there have to be routing between, for example, the ASA management (or any other) interface and the card's management interface, or can they reside on completely separate networks?

    Thank you

    Jonathan

    The IPS card has 3 interfaces.

    The management interface is an external interface that you plug a network cable into. Its IP address is configured by the user during setup.

    The sniffing interface is an internal interface on the ASA data backplane. No IP address is ever assigned to this interface.

    The control plane interface is an internal ASA management interface, so that the ASA can communicate internally with the SSM (the session command runs through this interface). The IP address of the control plane is controlled by the ASA and is not user configurable.

    The management interface is for management only.

    The IP address that is configured during setup is only for this management interface.

    Regarding routing between the ASA and the SSM, it's completely up to the user.

    All communications from the ASA to the SSM are made internally through the control plane interface, and therefore the ASA itself has no need to know how to reach the SSM management IP.

    The SSM, however, must communicate from its management IP to one of the ASA interfaces for shunning/blocking on the ASA. Shunning/blocking is not done through the control plane.

    When you use IDM or ASDM for configuration, the Java web applet accesses the SSM management IP, so the computer running IDM or ASDM must be on the local network of the SSM management port, or on a network routable to it.

    Some scenarios:

    (1) Only one machine (IDS MC/s LUN) communicating with the SSM. In this scenario, you could take a crossover cable and connect one machine directly to the SSM.

    The SSM can communicate only with this one computer.

    (2) A secure network for managing security devices that is NOT routable from the other networks.

    In this scenario the management box, the SSM management port and the ASA management port would all be placed in one network.

    The SSM would be able to communicate with the management box and the ASA management port.

    The ASA management port is configured as management-only, so the ASA port will not route in/out of the management network.

    So while management boxes on this local network can communicate with the SSM, no remote box can connect directly to the SSM.

    (NOTE: blocking/shunning will work here because the SSM can talk to the ASA.)

    (3) A secure network which IS routable from the other networks.

    Similar to option 2 above, but in this case the ASA management port is configured NOT to be a 'management-only' port and is instead treated like any other port on the firewall. In this configuration, the ASA management port CAN route in/out of the management network.

    NOTE: In most cases the ASA will need a NAT configured for the SSM management IP address if users want to connect to the SSM management IP remotely from the Internet (such as running ASDM from the main company network over the internet to configure the ASA and the SSM at a remote site).

    (4) SSM management IP on one of the normal networks behind the ASA. In this scenario the SSM management port would be connected to a switch or hub where other internal machines are connected (like plugging into the DMZ switch/vlan). From the ASA's point of view the SSM management port would be treated like any other web and ssh server behind the firewall.

  • ASA URL logging

    Hello

    I'm trying to make our ASA log URLs and I'm getting some success. However, the output shows the IP address instead of the real domain; for example, when browsing imdb, it is recorded as:

    Nov 16 2009 14:12:35: %ASA-5-304001: 30.30.30.30 Accessed URL 209.85.229.148:/adj/imdb2.consumer.homepage/;tile=2;sz=468x60,728x90,1008x150,9x1;p=t;s=32;ord=9973051011677648

    instead of imdb.com (or whatever it happens to be).

    How do I get the ASA to log the domain rather than the corresponding IP address?

    http://www.Cisco.com/en/us/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#related

    says the ASA needs to run 8.0.4.24 or later; ours is 8.2(1).

    Thank you

    Scott

    Well, I spoke too soon. Here's a way to log the whole request, with host and URI. I found this in the CCIE_Security mailing list archives. Basically, you define a regular expression to match the sites that you want to log. I used a simple dot "." to match anything.

    regex matchall "."
    !
    class-map type regex match-any DomainLogList
    match regex matchall
    class-map type inspect http match-all LogDomainsClass
    match request header host regex class DomainLogList
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect http http_inspection_policy
    parameters
    class LogDomainsClass
      log

    Then check your log:

    20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.255.19:http://cnn.com/
    20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.226.26:http://www.cnn.com/
    20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/common.css
    20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/main.css

    Caution - This logs every HTTP request the ASA sees. I have no idea how much load this puts on an ASA with significant HTTP traffic. As described in the related mailing list post, you can create more specific regex lists to match specific hosts and/or URIs, and you can take actions other than logging, including blocking/resetting.
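Once the HTTP inspection policy is in place, message 304001 carries the full URL with its host, and the earlier IP-only form only shows a path after the destination address. The Python below is an added example (not from the thread and not a Cisco tool) that parses both forms of 304001, pulls the host out when one was logged, and counts requests per client and host; this is the kind of roll-up you would want before deciding whether the "log everything" regex is sustainable. The first four sample lines are the ones shown in the post; the imdb line is the question's IP-only form, and one unrelated message is included as noise to be skipped.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# ASA message 304001 body: "<src> Accessed URL <dst_ip>:<url>". Some log exports
# render the prefix with a space ("% ASA") or swap the words, so both are accepted.
MSG_304001 = re.compile(
    r"%\s*ASA-5-304001:\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:Accessed URL|URL Accessed)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<url>\S+)"
)


def parse_304001(line):
    """Split one 304001 line into client, server IP, host (if logged) and path.

    Returns None for lines that are not 304001 messages.
    """
    m = MSG_304001.search(line)
    if not m:
        return None
    url = m["url"]
    if url.startswith(("http://", "https://")):
        parts = urlsplit(url)              # host header was logged by the inspect policy
        host, path = parts.hostname, parts.path or "/"
    else:
        host, path = None, url             # IP-only form: only a path after the address
    return {"src": m["src"], "dst": m["dst"], "host": host, "path": path}


def requests_by_client_and_host(lines):
    """Count requests per (client, host); falls back to the server IP when no host was logged."""
    counts = Counter()
    for line in lines:
        rec = parse_304001(line)
        if rec:
            counts[(rec["src"], rec["host"] or rec["dst"])] += 1
    return counts


# Sample log: four lines copied from the post above, the IP-only form from the question,
# and one unrelated message (constructed) that the parser must ignore.
SAMPLE_LOG = [
    "20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.255.19:http://cnn.com/",
    "20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 157.166.226.26:http://www.cnn.com/",
    "20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/common.css",
    "20 Nov 09:27:08 10.19.30.10 asa %ASA-5-304001: 192.168.200.2 Accessed URL 198.78.220.126:http://i.cdn.turner.com/cnn/.element/css/3.0/main.css",
    "Nov 16 2009 14:12:35: %ASA-5-304001: 30.30.30.30 Accessed URL 209.85.229.148:/adj/imdb2.consumer.homepage/;tile=2;sz=468x60;ord=9973051011677648",
    "Nov 16 2009 14:12:36: %ASA-6-302013: Built outbound TCP connection 12345 for outside:209.85.229.148/80 to inside:30.30.30.30/51000",
]

if __name__ == "__main__":
    for (client, host), n in sorted(requests_by_client_and_host(SAMPLE_LOG).items()):
        print(f"{client:16s} {host:24s} {n}")
```

The fallback to the destination IP keeps the two log forms in one table, so a period in which only addresses appear (the ASA version problem the question raises) is visible as rows keyed by IP rather than silently dropped.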

  • Logging in on a 5525 ASA IPS module

    Hi all

    Quick question here. I have a new ASA 5525 - X with IPS module.

    The IPS must be configured as an IDS, and I've been told that without the FireSIGHT management controller we can apply a license.

    I have also been told that with the 5525 we cannot log in to the module to install the licenses. Can someone please confirm whether I can install the licenses for the module? If so, how can I connect to the IDS to do it? Is this possible at all?

    Kind regards

    Riou

    What you listed is the legacy model, which is end of sale as of April 26, 2015. See this notice.

    They have their own Quick Start Guide here.

    For these older IPS modules, you do not have licenses. Instead, your Smartnet must be the right kind of contract, one that includes subscription coverage for the IPS signature updates.

    Management of legacy IPS devices is via ASDM/IDM or, for slightly better visibility, through IPS Manager Express (IME). (There is also the option of Cisco Security Manager for the largest deployments.)

    Signature updates and software updates for older IPS modules can be done manually or automatically (assuming that you have a valid support contract that includes the subscription entitlement). Instructions for that are here.
