ASA 5500 as a redirector IPSec

Dear Sir

I want to use ASA B as redirector between ASA and ASA C so that intranet A is correctly plugged since intranet C, something like it:

intranet a <-- asa="" a="" --="">internet <-- asa="" b="" --="">internet <-- asa="" c="" --="">C intranet

because the connections between A and B and between B and C are good, but the connections between A and C are bad.

I just finished the settings of IPSec between A and B and between B and C, but how should I say ASA A, B and C to work like this?

Thank you very much.

You have entries to routing for all networks at a distance in place? ASA B grouping allowed?

"permit same-security-traffic intra-interface"

Tags: Cisco Security

Similar Questions

  • Cisco ASA 5500 Series 4-Port GE SSM

    Currently, we have 2 asa 5510 firewall and need to add the

    Cisco ASA 5500 Series 4 - Port GE SSM extension module. Can it be added when the device is turned on and running or the firewall must be turned off to install the plug-in?

    Hello

    You could try to ask this question of the team of firewall, as this page from the community for the physical security and video surveillance.  The team of firewall is located here:

    https://supportforums.Cisco.com/community/NetPro/security/firewall

  • AIP - SSM recreate the image in secondary ASA 5500 (failover) with virtual contexts

    Hello guys,.

    The scenario is as follows:

    2 ASA 5500 with virtual contexts for failover.

    The ASA elementary school has the work of the AIP-SSM20.

    ASA school (which is in active / standby) has its SSM20 AIP to work now and everything is in production.

    Someone tried to configure this 2nd AIP - SSM, changed the password and lost, so I tried to re - the image (without authorized passage recovery), but the connection fails on the TFTP server, where is the image of the AIP - SSM.

    Now questions, documentation Cisco re-imaging view orders under ASA #.

    but as this scenario has several virtual contexts the ASA # shell contains no IP address as you know (which I suppose is the reason why the ASA cannot download the image from the TFTP server) and switch to another context (ASA / admin #) re-imaging commands do not work (hw-module module 1... etc...).

    What is the solution? Is there documentation for it (with security contexts)?

    Thank you very much for reading ;) comment on possible solutions.

    Yes,

    Some things to keep in mind.

    (1) run 'debug module start' on the SAA before running the command "hw-module module 1 recover boot. This will show you the ROMMON of the MSS output as it tries to make the new image and you can look for any errors.

    (2) before trying to download from the SSM, first use a machine separate download tftp from your laptop. This will ensure the TFTP on your laptop works and confirm what directory (if any) that you can use as the file location.

    (3) if the tftp download does not SSM, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you have a crossover cable, then you could try to connect the MSS and your laptop to a small hub, or configure a new vlan on your switch with only 2 ports and connect the MSS and your computer laptop this vlan 2 port.

    (4) also try the download first at the end of the gateway to 0.0.0.0 since your laptop and the SSM will be on the same subnet. If this does not work then you can try a non-existent 30.0.0.4 address as gateway.

    (5) understand that the IP address that you specify for the MSS using the command "configure the hw-module module 1 recover" is just temporary for download. Once an image is installed, then sitting at the module and run the "setup" command in order to configure the permanent address you want ure on external port of the SSM. This address in the "setup" command can the same as that used in the command 'get the 1 hw-module module configure' or a completely new (as in your case). Just make sure that you connect to the network just to what address you give.

  • ASA 5500 model

    Hello

    Can what ASA 5500 model I use to replace my PIX515E companies with 6 interfaces.

    Hello o.oresotu,

    Looks like the Pix 515E Flyway is the ASA 5510.

    Take a look at the following links.

    Cisco ASA 5500 Series Migration quick look

    http://www.Cisco.com/application/PDF/en/us/guest/products/ps6120/c1031/cdccont_0900aecd80322caa.PDF

    Licenses for features and specifications

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a00806b1c1c.html

    Hope that helps! If Yes, please rate.

    Thank you

  • ASA 5500 x new anyconnect VPN license structure

    I wonder if anyone can give me some insight on the new ASA VPN (SSL VPN) structure of license.  Currently, I have anyconnect premium license installed on the ASA 5500 series but want to buy the same type of license for x ASA 5500 series.  I understand the premium license is required for SSL VPN and webvpn.  Can someone find out if the premium anyconnect and anyconnect essentials license has been replaced by the Cisco Anyconnect Apex licence?

    The new AnyConnect Apex maps old Premium licenses. They are now focused on the term (1, 3-5 years) and have been approved by a single user (regardless of the number of devices) vs. concurrent users on the old regime.

    Apex (or the old premium) is required for clientless SSL VPN. Regular-based on the SSL VPN client AnyConnect requires no Apex but can be done by using only more licenses.

    The new AnyConnect Plus is the old Essentials plus mobile licenses. There is an option of perpetual and based on the duration.

    By single user licensing is a terms and conditions / EULA stuff and not enforced by technical means at the moment.

  • Cisco ASA 5500 CSC-SSM-20 Series

    How many subscribers maximum, sessions, licenses are allowed using Cisco ASA 5500 Series CSC-SSM-20 on ASA5540 module

    Use the following command 'See - activation key' to get maximum subscribers, sessions, details County licenses.

  • Step how to configure ASA 5500 Series Security Services Module-10 (model: ASA-SSM-10)

    Dear support,

    I need to configure Security Services Module-10 (model: ASA-SSM-10) on my ASA 5510 firewall. Could you provide configuration step and how to connect to the module?

    Here is the information on the module

    ciscoasa (config) # sh Details of module 1
    The details of the Service module, please wait...
    ASA 5500 Series Security Services Module-10
    Model: ASA-SSM-10
    Hardware version: 1.0
    Serial number: JAF1115066U
    Firmware version: 1.0 (11) 2
    Software version: 1.0000 E1
    MAC address range: 001a.e268.5aa9 to 001a.e268.5aa9
    App name: IPS
    App status. : to the top
    App status. / / Desc:
    App version: 1.0000 E1
    Data of aircraft status: Up
    Status: to the top
    Mgmt IP addr: 133.1.9.144
    Web to MGMT ports: 443
    Mgmt TLS enabled: true

    your help is very appreciate.

    Thank you

    Best regards

    Hi Sothengse,

    Please find the samlpe on AIP SSM module configurations. You can go through this to begin with.

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    https://www.YouTube.com/watch?v=FgYU5ZXwk4g

    Concerning

    Knockaert

  • ASA 1000V and ASA 5500

    I hope someone can help me to answer this question:

    Currently, we have redundant FWSM and consider a migration of standalone ASA 5500 series firewalls. However, we have a complete VMWare environment and look at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.

    Is it possible that a firewall series ASA 5500 be replaced by ASA 1000V? Basically, can an ASA 1000V to be a single firewall solution, or are that ASA 5500 is always necessary?

    Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?

    Thanks for your help.

    -Joe

    Depending on what you are using the ASA5500 series for now. If you use the ASA5500 for the remote access vpn and AnyConnect VPN, he will not rely on the first version of the ASA1000V yet.

    Here's the Q & A on ASA1000V which includes more information:

    http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html

    Hope that answers your question.

  • Client VPN to ASA 5500

    I can't get my Cisco VPN client to negotiate successfully with my ASA 5500. I went through several configs and have had no luck. I write my config info and current router debug in the hope that someone sees something obvious. It is not at the initial stage.

    Thank you very much for your help.

    Always difficulties, try to add...

    part of pre authentication policy ISAKMP 65535

    ISAKMP 65535 3des encryption strategy

    ISAKMP policy 65535 sha hash

    65535 2 ISAKMP policy group

    ISAKMP strategy life 65535 86400

  • VPN with ASA 5500 VPN with PIX 515E vs

    I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.

    Craig

    According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.

    On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.

    HTH

    Rick

  • ASA 5500 and static NAT 1-to-1

    We currently have a pair of s ASA 5500 failover providing firewall & nat with inside, outside and the dmz interfaces. We do PAT interface for most of the internal to the external and static connections 1-to-1 NAT for specific hosts that need to accept connections from the outside inside. The space of the static nat is a 27 which includes the address of the external interface. It's that everything is working properly.

    However, we are out of space for the static NAT to this/27. I would like to be able to add a different network, probably another 27, for the more static NAT but I'm a hard time to find the best way to do it. Is this possible with a network that does not include the external interface on the ASA?

    Here are some of our current NAT config:

    Global interface 10 (external)

    NAT (inside) 10 0.0.0.0 0.0.0.0

    (dmz1, outside) static dmz1-net-net dmz1 netmask 255.255.255.224

    static (inside, dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

    static (inside, dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

    static (inside, outside) xx.yy.164.15 192.168.98.46 netmask 255.255.255.255

    static (inside, outside) xx.yy.164.8 192.168.98.47 netmask 255.255.255.255

    static (inside, outside) xx.yy.164.14 192.168.98.48 netmask 255.255.255.255

    static (inside, outside) xx.yy.164.13 192.168.101.50 netmask 255.255.255.255

    Thank you very much...

    Hello

    The correct syntax for the proxyarp activation will be

    No outside sysopt noproxyarp

    http://www.Cisco.com/en/us/products/ps6120/products_command_reference_chapter09186a00805fb9e9.html#wp1111405

  • ASA 5500 SSL VPN Failover license

    Hello

    I have a partner who request assistance with SSL VPN licenses on the ASA 5500 firewall sharing:

    His question is:

    Both SSL, provided with the firewall of the SAA, licenses can be shared across a couple active / standby?  I would therefore have a total of (4) licenses of SSL VPN to use?

    This would also be true for two security contexts that are included with the firewall?

    For example, I buy two base ASA 5520 firewall, running active / standby, that each machine is supplied with SSL VPN licenses (2) and (2) licensing of security contexts? In version 8.3, the licenses are cumulative by failover pairs, so I should a total SSL VPN (4) and (4) security contexts?

    Here is my response to his request:

    Based on this link (http://www.cisco.com/en/US/partner/docs/security/asa/asa83/license_standalone/license_management/license.html#wp1449664)

    It was mentioned that:

    "You can have one active license type, either the AnyConnect Essentials license or the AnyConnect Premium license. By default, the Adaptive security apparatus includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license, it is used by default. See not anyconnect-essentials control or in ASDM Configuration > remote access VPN > network (Client) access > advanced > component AnyConnect Essentials to activate the Premium license instead. »

    It will be able to share the included license on the ASA 5500 4. It will be able to share these licenses, but I'm not sure the security context. My answer would be, it can use only 2 context Security licenses since only the VPN licenses are shared on the version 8.3 and other licenses not characteristic. My understanding is correct? or there are other explanations on my customer survey?

    Thanks in advance!

    Ice Flancia

    Cisco partner Helpline Tier 2 team

    Only from ASA 8.3 version and following, the license can be combined on a failover pair active / standby.

    2 SSL included license on SAA in failover pair is combined as 4 license SSL.

    2 license of background on ASA in failover pair is combined as license frame 4.

    Here's the URL on ASA combined license failover:

    http://www.Cisco.com/en/us/partner/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1450094

    Hope that helps.

  • ASA 5500 10 GB

    ASA 5500 series safety devices does support 10 GB?

    Hello

    10 GB is currently not an option:

    http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

    HTH

    Andrew.

  • Version 7.0 of the PIX and ASA 5500

    Hi all

    Is ASA 5500 series identical a PIX 515 or 525 or 535 with version 7.0... I still see some areas where it confused between version 7.0 of the PIX and ASA 5500 series... If not, what are the benefits of ASA 5500 on the PIX 7.0?

    ASA is not the same as PIX, ASA is different hardware architecture. Although both can run the same code. One of the benefits of the SAA is that you can have an IPS module in it to make the prevention of intrusions.

    Search for comprarison on CCO.

  • Cisco ASA 5500 Series end of life

    Hello

    I noticed that all 5500 series (5510,5520,5540,5550,5580) ASAs are all end-of-life announced in March 2013. However, I don't see ASA 5505 on the list. Can anyone confirm that 5505 EOL has not announced?

    http://www.Cisco.com/c/en/us/support/security/ASA-5505-Adaptive-Security...

    Thanks in advance

    The 5505 is not yet announced EOS/EOL, but the announcement can * t be extreme as 5506-X will be available soon (well, I hope... ;-)).

Maybe you are looking for