ASA 5510 - tips for setting up - no internet

Hi all

I'll set up an ASA 5510 for the first time using the GUI.

I put 0/0 0/1 and outside as inside.

I set up outside with the static WAN address, and it is connected to my ISP.

But I can't do everything Internet works on the inner harbor. I've read elsewhere, I need to add a static route. Can someone please advise?

You must place a default route to carry traffic from inside to outside. Use the GUI to place a static route 0.0.0.0 0.0.0.0 for the ip address of your next hop ip of the connection to the ISP.

Sent by Cisco Support technique Android app

Tags: Cisco Security

Similar Questions

ASA 5510 - VPN for DMZ with static rule?

I have a 5510 ASA with a number of virtual private networks to other sites, allowing the traffic to and from the Interior of the networks.

I need to establish a VPN rule to another site, but they have very little access to resources on my local network. Because I am not in control of the SAA on this end permanently, I need to control that access on my 5510.

(the following is not my real IP, but I use them for this example)

My network: 10.100.1.x

My DMZ: 192.168.1.x

Internal network of other sites: 172.16.1.x

I wanted to try to create a VPN between the site and the specific address of DMZ on my side and then allow access to internal addresses using static rules. I decided to use a static rule to enable http access to a specific server (for example):

static (inside, dmz) 192.168.1.200 tcp 80 10.100.1.200 80

I need allow traffic here:

access-list permits DMZ_IN tcp host 172.16.1.10 host 192.168.1.200 eq 80

Access-group interface dmz DMZ_IN

And of course, rules of access list which allow traffic that I can apply to the VPN:

toSite host 192.168.1.200 ip access list permit 172.16.1.10

And I don't want that traffic THAT NAT had between my DMZ and the other site:

nonatDMZ of the host 192.168.1.200 ip access list permit 172.16.1.10

NAT (dmz) 0-list of access nonatDMZ

NAT (dmz) 1 0.0.0.0 0.0.0.0

And, of course, the corresponding rules on their ASA must be in place, allowing traffic to 192.168.1.200, not NAT it.

Everything is in place, but 172.16.1.10 to 192.168.1.200 http traffic never reaches 10.100.1.200. I know the following:

1. the VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.

2 packet trace shows me that traffic is allowed.

3. the works of static rule: to access the 192.168.1.200:80 of another host on the same interface, DMZ, which brings me to 10.100.1.200:80

4. in the process of running a sniffer package on 10.100.1.200 shows 172.16.1.10 traffic does not reach it.

So I'm banging my head against the wall here. I'm sure it's something simple I'm missing. Anything else I need to check? Should I go about this a different way?

Thank you.

What you are trying to reach is not supported. You cannot configure NATing between the inside and the demilitarized zone interfaces while your VPN connection is from the external interface. The static NAT (inside the dmz) that you have configured will only work if the connection is initiated from the inside towards the demilitarized zone and vice versa.

I think that what you are trying to reach is only allowing access on TCP/80 to10.100.1.200 for the VPN tunnel.

You must configure your option 1:

1. the VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.

You can configure vpn-filter to limit the traffic to the only TCP/80, and he attributed to group policy that you have assigned to this particular tunnel group then.

Example:

web access list - allow permit tcp host 172.16.1.10 host 10.100.1.200 eq 80

internal group-policy-strategy web

attribute group web-strategy strategy

value of VPN-filter web - allows

global-tunnel-group attributes

Group Policy - by default-web-policy

Here is an example configuration for your reference:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope that helps.

ASA 5510 VPN for remote access clients are asked to authenticate on box

Don't know what's the matter, but my remote access users are invited to join the ASA before connecting to the tunnel. How can I disable this? Config is attached. Thank you all -

For remote access connections, you can turn off the prompt xauth (user/pass) with the following:

Tunnel ipsec-attributes group

ISAKMP ikev1-user authentication no

-heather

ASA 5510 Auth for site-to-site VPN users

Hello

is there a way we can get the ASA to prompt users VPN site-to-site to authenticate on ASA/RADIUS before access resources head behind ASA such as Sharepoint etc allowed in via respective VPN ACL?

I never did, but you should be able to use authentication 'Cut Through'.

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/113363-ASA-cut-through-config-00.html

Basically, the user has little or no access, and the ASA intercepts a request, such as via HTTP and then authenticates the session. After that the user can access all that you allow them.

Tips for setting up of size of cache on Essbase on 64-bit server
We use the 64-bit version of Essbase under 64 bit Win 2003 environment. Understand that the memory space of a 64-bit version is much more that the 32-bit version, needs to change the cache size setting to speed up the performance of the Essbase system?

Currently we have 16 GB of RAM physical memory, and Essbase process only exhausted around 6 GB of RAM.

Thanks in advance!
Essbase 64 allows you to assign data cache and cache of data values greater than 4 GB with the command MEMSCALINGFACTOR in the Essbase.CFG file sizes

Note: do not increase the caches if not unnecessary, as a starting point: Cache of Index (size of yours. IND) / data file Cache (the size of yours. PAGs) / data Cahe (0.125 you.) PAGs)

Example: MEMSCALINGFACTOR appname dbname n

If you have enough RAM and the requirements of IT applications... Take your complete aplucation to memory

TEC. REF.:
----------
Description
When you run Essbase on 64-bit platforms, optimal data cache and data files cache parameters can be greater than 4 GB. Although you can specify parameters over 4 GB in Essbase customers, you can activate parameters more using the MEMSCALINGFACTOR configuration setting. When MEMSCALINGFACTOR is enabled, the cache settings are multiplied by the weighted sum, n. The values are the actual cache sizes used by Essbase.
Notes
The data cache and the cache of data files are put on the scale using the same factor.

ASA 5510 Configuration. How to set up 2 outside the interface.

Hello

I have Cisco ASA 5510 and the desktop, I want to create a new route to another (external) router to my ISP.

The workstation I can Ping ASA E0/2 interface but I cannot ping the router ISP B inside and outside of the interface.

I based my setup on the existing configuration. which so far is working

interface Ethernet0/0
Outside of the interface description
nameif outside
security-level 0
IP 122.55.71.138 address 255.255.255.2
!
interface Ethernet0/1
Inside the interface description
nameif inside
security-level 100
IP 10.34.63.252 255.255.240.0
!
interface Ethernet0/2
Outside of the interface description
nameif outside
security-level 0
IP 121.97.64.178 255.255.255.240
!

Global 1 interface (outside)

global (outside) 2 interface (I created this for E0/2)
NAT (inside) 0 access-list sheep

NAT (inside) 1 10.34.48.11 255.255.255.255 (work: router ISP inside and outside interface E0/0)

NAT (inside) 2 10.34.48.32 255.255.255.255 (work: E0/2 router ISP on the inside interface only but cant outside ping).

Route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (work)

Route outside 10.34.48.32 255.255.255.255 121.97.64.179 1 (the new Road Test)

Router ISP, that a job can ping and I can access the internet

interface FastEthernet0/0
Description Connection to ASA5510
IP 122.55.71.139 255.255.255.248
no ip redirection
no ip proxy-arp
IP nat inside
automatic duplex
automatic speed
!
the interface S0/0
IP 111.54.29.122 255.255.255.252
no ip redirection
no ip proxy-arp
NAT outside IP
!
IP nat inside source static 122.55.71.139 111.54.29.122
IP http server
IP classless
IP route 0.0.0.0 0.0.0.0 Serial0/0

FAI 2

interface FastEthernet0/0 (SAA can ping this interface)
Description Connection to ASA5510
IP 121.97.64.179 255.255.255.248
no ip redirection
no ip proxy-arp
IP nat inside
automatic duplex
automatic speed
!
interface E0/0 (ASA Can not ping this interface)
IP 121.97.69.122 255.255.255.252
no ip redirection
no ip proxy-arp
NAT outside IP
!
IP nat inside source static 121.97.64.179 121.97.69.122
IP http server
IP classless
IP route 0.0.0.0 0.0.0.0 E0/0

CABLES

ASA to router ISP B (straight cable)

Router ISP in the UDI (straight cable)

Hope you could give some advice and the solution for this kind of problem please

Hello

Are you able to ping the router IP of the interface of the device of the ASA? If so, try a trace of package on the device of the SAA for traffic to the IP address of the router.

Thank you and best regards,

Maryse Amrodia

Cisco Anyconnect/WebVPN license for ASA 5510

Hello

Someone could please check the licenses for ASA 5510 attachment and let me know. We currently have ASA 5510 with basic license. According to the table attached under VPN sessions, he mentions that "250 combined SESSIONS IPSec and WebVPN" and to "Max box of WebVPN Session" it is mentioned that 2nd meeting, exceeding that we must buy license optional webvpn. While we the 250 combined license for IPSec and webVPN. We must purchase additional anyconnect license to set up remote access for users who want to use the internal resources from outside the network. OrElse, we don't have to purchase license and can configure webvpn/anyconnect of existing combined license existing users basic ASA license? Waiting for your response. Thank you.

You are welcome.

1 Yes

2 AnyConnect requires no Java, but it can he use when connecting to one AnyConnect SSL VPN client and launch the Web browser option start Java-based. There was a bug with the AnyConnect old versions had later who should have addresses. You also have the option to launch via IE and using ActiveX or simply throw AnyConnect directly - neither of these two methods require Java.

Here is a document TAC on the Java questions if you want more details.

Please take a moment to note the useful messages and mark your answers questions.

All necessary licenses on ASA 5510 for old Cisco VPN Client

We're trying to migrate our firewall Watchguard to a Cisco ASA 5510, who bought some time ago. For some reason, all of our users have already installed the old Cisco VPN client. I think it will work. Are there licensing issues on the 5510 I had to be concerned with? No matter what special config that needs to be done on the 5510?

Fix. You don't require licensing of AnyConnect of any type of configuration and the use of IKEv1 IPsec remote access VPN (which use the old Cisco VPN client).

You will be limited to 250 active IPsec peers (remote access more no matter what VPN site-to-site) by the platform (hardware) device capabilities that are enforced by the software.

Chrombook L2TP/IPSec for ASA 5510

Hello

I have trouble getting a chromebook to establish a remote access connection VPN using L2TP/IPsec for a Cisco ASA 5510 12 7.2 (5) running.

Run a debug crypto isakmp 5 I see the following logs (ip changed...)

Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable

Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, previously allocated memory of liberation for permission-dn-attributes

06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.

06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID remote Proxy Host: address 3.3.3.3, 17 of the Protocol, Port 1701

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID local Proxy Host: address 2.2.2.2, 17 of the Protocol, Port 1701

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, detected L2TP/IPSec session.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed its not found old addr

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto, check card = outside_map, seq = 1...

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto Card = outside_map, seq = 1, ACL does not proxy IDs src:1.1.1.1 dst: 2.2.2.2

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, only Tunnel UDP-encapsulated and UDP-encapsulated-Transport mode NAT-Traversal-defined selection

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, remote peer IKE configured crypto card: outside_dyn_map0

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, ITS processing IPSec payload

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, proposals of any IPSec security association has deemed unacceptable.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, error QM WSF (P2 struct & 0x3d48800, mess id 0xce12c3dc).

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, history of mistake IKE responder QM WSF (struct & 0x3d48800) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, removing counterpart table correlator failed, no match!

1.1.1.1 = address remote chromebook NAT

2.2.2.2 = ASA 5510 acting as distance termintaion access point

3.3.3.3 = Chromebook private address

I noticed that the Chromebook is appearing as the ID of the remote proxy but later, he seeks the applied to the Chromebook NAT address. Not sure if this is the cause or how to solve this problem, if it is.

Can someone advise please

Thank you

Ryan

7.2 is old code. You can re - test with 9.0.x or 9.1.x.

https://support.Google.com/Chromebook/answer/1282338?hl=en

Allow specific access through the Interfaces ASA 5510

Hi all

In my quest to learn Cisco IOS and devices, I need help in smoothing traffic, or access lists, allowing traffic between internal interfaces on the SAA specifically.

I have an ASA 5510:

WAN/LAN/DMZ ports labled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

Connected to the port E0/0 is a 2811 router

Connected to the port E0/1 is the (external) Internet

Connected to the port E0/2 is a 2821

(I'll add a 3745 for VOIP) port E0/3, but it has not yet happened.

I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.

I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind routers, as well as on the ASA. So behind the routers I have different VLANS, but I'm not restrict access between them, still, at least I don't think I am. But as it is, behind the 2821 devices cannot access the DNS / DOMAIN SERVER that is located behind the 2811. Right now I have the routers DHCP power, who works there. Currently devices behind the router 2821-3560 switch cannot access the domain server, primary dns server.

How can I set the ASA to allow traffic to flow between the two routers and their VLANS?

Here's the configs of each device and I have also included my switch configs, incase something should be set on them. I only removed the passwords and the parts of the external IP address. I appreciate the help in which States to create and on which devices.

I think it is best that I put the links to the files of text here.

Thank you!

You must remove the following statements on the two routers:
-# ip nat inside source... overload
-for each # ip nat inside/outside interface, if they have configured.

Remove ads rip of the networks that are not directly connected:
-2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
-2811: 199.195.xxx.0
-ASA: 128.0.0.0

No way should be added to the routers, since he is the one by default, put in scene to ASA.

Check the tables of routing on routers and the ASA.

On ASA:

-Remove:
object-group network # PAT - SOURCE
# nat (indoor, outdoor) automatic interface after PAT-SOURCE dynamic source

-create objects of the networks behind the LAN router and enable dynamic NAT:
network object #.
subnet
NAT (inside, outside) dynamic interface

-review remains NAT rules.

-to set/adjust the lists access penetration on the interfaces. Do not forget to allow the rip on the LAN and DMZ interfaces.

-Disable rip on the outside interface.

Split tunnel with ASA 5510 and PIX506.

Hello

I have the production between Asa 5510 (main office) and Pix 506 VPN tunnel. It is configured so that all traffic is encrypted and moves through the tunnel. This includes remote users behind Pix Internet traffic. I would like to use split tunnel and direct Internet traffic hitting the web directly from Pix instead of going through the tunnel. How can I do this safely? Please see current config Pix below:

:
6.3 (5) PIX version
interface ethernet0 car
interface ethernet1 10baset
ethernet0 nameif outside security0
nameif ethernet1 inside the security100

clock timezone EDT - 5
clock to summer time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 02:00
No fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
No fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
no correction protocol tftp 69
names of
allow VPN 192.x.x.x 255.255.255.0 ip access list one
LocalNet ip access list allow a whole
pager lines 20
opening of session
monitor debug logging
logging warnings put in buffered memory
logging trap warnings
Outside 1500 MTU
Within 1500 MTU
IP address outside 24.x.x.x 255.255.255.0
IP address inside192.x.x.x 255.255.255.0
IP audit name Outside_Attack attack action alarm down reset
IP audit name Outside_Recon info action alarm down reset
interface IP outside the Outside_Recon check
interface IP outside the Outside_Attack check
alarm action IP verification of information
reset the IP audit attack alarm drop action
disable signing verification IP 2000
disable signing verification IP 2001
disable signing verification IP 2004
disable signing verification IP 2005
disable signing verification IP 2150
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list LocalNet
Route outside 0.0.0.0 0.0.0.0 24.x.x.x
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-3des esp-md5-hmac AMC
map UrgentCare 10 ipsec-isakmp crypto
card crypto UrgentCare 10 corresponds to the VPN address
card crypto UrgentCare 10 set counterpart x.x.x.x
card crypto UrgentCare 10 value transform-set AMC
UrgentCare interface card crypto outside
ISAKMP allows outside
ISAKMP key * address x.x.x.x 255.255.255.255 netmask
ISAKMP identity address
part of pre authentication ISAKMP policy 20
ISAKMP policy 20 3des encryption
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
SSH timeout 15
Console timeout 0
Terminal width 80
Cryptochecksum:9701c306b05151471c437f29695ffdbd
: end

I would do something by changing the acl that applies to your crypto card. You want to know what you want to support above the tunnel and then deny other networks.

If you have:

192.168.3.0/24

192.168.4.0/24

10.10.10.0/24

172.16.0.0/16

Do something like:

VPN access list allow 192.x.x.x ip 255.255.255.0 192.168.3.0 255.255.255.0

VPN access list allow 192.x.x.x ip 255.255.255.0 192.168.4.0 255.255.255.0

VPN access list allow 192.x.x.x ip 255.255.255.0 10.10.10.0 255.255.255.0

VPN access list allow 192.x.x.x 255.255.255.0 ip 172.16.0.0 255.255.0.0

Then when the traffic is destined for something other than these networks, it will go not to the ISP instead of the tunnel.

HTH,

John

ASA 5510 more and Port forwarding

Hallo,

I don't know if the thread title is correctly written, so I'll try to explain my problem.

I have an ASA 5510 more linking several external interface VPN tunnels to internal interface. they work very well. Now I want to access a server in the internal network of trust on the Internet via RDP.

I've set up a static NAT rule which translates by [my public ip phone]: 11111 on [the internal server ip]: 3389. Moreover, I met [my public ip phone] traffic: 11111 outside [the internal server ip]: 3389 inside via the access control list.

Yes, it does not. I made a few soft logic error?

Code:

static (exterior, Interior) [the internal server ip] tcp 3389 [my laptop public ip] 11111 netmask 255.255.255.255

Outside_access_in list extended access permit tcp host [my ip public notebook] [internal server ip] eq 3389

Best regards

EYAD Tayeb.

Hi... I might have a word here!

looking at your config you have

static (inside, outside) tcp 3389 11111 netmask 255.255.255.255

It should be

static (inside, outside) of the tcp 3389 3389 netmask 255.255.255.255 interface

Also... Make sure that the aplpied of the access list for the external interface in the outbound direction does not block traffic referred by your inside host with the public client that initiated the RDP session.

I hope this helps... Please, write it down if she does!

ASA/VPN tips

We currently hold double ASA 5510 s in c/o config on our main campus.

We would like to create a VPN tunnel on a branch campus. Trying to decide between a x 5505/5510/5512

We would like to extend many functions of our network on the campus of branch that will be 50 MB/10 MB 20-50 users on an internet connection.

Connect to the domain

Workstation System Center management

Cisco WCS

ShoreTel voip

(Cisco NAC?)

Several different VLAN for student traffic, personal traffic, voip, wireless comments traffic, etc.

That would be the best camera and should we get security more license with it?

Baseball stadium tips are very good. Probably not plan to make a/s there at the moment.

Thank you very much.

Hey,.

Seems to me the perspective or the bandwidth and users that you would be fine with one of these models.

When it comes to the amount of VLANS, the ASA5505 would require a security license more to be able to welcome more than 2 VLAN (Base license supports Vlan from DMZ limited 2 + 1).

Regarding the change to my knowledge, need you Security Plus matter model you have chosen.

I'd probably go with the model of ASA5512-X since
- Performance/throughput higher than other models
  - If trunk VLANS to the ASA and ASA let you act as gateway of the VLAN then you will need a rate on the SAA that really does not provide originals of series ASA5500
- New hardware
  - Original models of the ASA5500 series are endangered. But I must say that Cisco has always kept the wihtout ASA5505 EOL / EOS since its apparently been really popular that is quite natural since it is the least expensive model.
- Support for new services with the same box if you wish it someday
  - ASA CX
  - IPS
To my knowledge with current needs you wouldn't need the license of security more on the model of ASA5512-X as you do not want failover, security contexts (virtualization of the ASA) or the additional amount of connections taken in charge or amount of VLANs

Take a look at these pages for more information about the licenses of both ASA5500 and ASA5500-X series

Series ASA5500

http://www.Cisco.com/en/us/docs/security/ASA/asa82/license/license82.html#wp115318

ASA5500-X series

http://www.Cisco.com/en/us/docs/security/ASA/asa84/license/license_management/license_86.html#wp1230400

Also here are the specifications for both series

Series ASA5500

http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.PDF

ASA5500-X series

http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.PDF

Hope this helps

-Jouni

Cisco ASA 5510 VPN user Auth

Hi all.

I search the internet to find a way or all first, whether it is possible to do what I want to do, but I can't find anything corresponding to what I'm looking for. Possible that I don't have the right keyword.

We change our old Pix 515e this weekend and for any new ASA 5510.

With this new facility, I want to implement Radius Authentication for the user remote vpn. Change the firewall of the company is an important factor and for the first phase, the user will keep authenticate locally but I need that in phase 2, they will be authenticated through a radius server.

Is there a way to configure both user authentication remote vpn?

For example.

All users will be authenticated locally unless the service member COMPUTER that is authenticated by the radius to the testing server.

I have remote vpn users anywhere in the world if I don't want these users are blocked by the radius authentication test. What I want is that users in Group1 will be authenticated locally on the SAA and users in group2 will be authenticated by the RADIUS. During the test will be done, all users will gradually transfer for radius authentication.

Is it possible

Thank you

Jonathan

Network administrator

Hi Jonathan,.

The best way to go about this would be that you set up another group strategy & corresponding tunnel group named Test and set up Radius Authentication for VPN group using the link below: -.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

Ones you have done test and feel confident, you can change the type of authentication for the Production Group. The reverse could be implemented double authentication as RADIUS and if it does not use local but personally I'll put up a group of test and then those I am confident, that I'll change the strategy of Production Group to use the Radius Server to auth.

Manish

Site to Site VPN - ASA 5510 / 851 router - no Sas?

We have installed an ASA 5510, version 1.0000 software running. In a remote area, we have a Cisco router to 851 with tunneling IPSec VPN for a PIX 515e. I try to open a backup between the 851 and ASA connection new, and I have a problem. I used ASDM on the side of the ASA and CCP on the side 851 and created a new VPN site to site on both, with PSK encryption algorithms, etc.. I checked the connectivity between the external interfaces of the two devices, and the associated ACLs are simple, because they allow all IP traffic on the internal side of the two devices to talk with each other.

When I do a "crypto isakmp to show his" on the SAA, I get "there is no its isakmp. When I do the same on the 851 router, I see only the existing connection to the PIX. It seems that the tunnel does not run again. I turned on debug various crypto and sent a series of pings, and I don't see any tunnel initiaion even be attempted.

CCP has a VPN to test the tool built in to the router. ASDM has a similar feature? Here's the relevant configs (at least I think... the SAA is enough Greek to me):

ASA 5510 (within the network of 10.20.0.0/16. The perfectly functional PIX is also on this network, with a different public IP address)

access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.0.0 255.255.0.0 !

nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map ATTOutside_map 2 match address ATTOutside_2_cryptomap crypto map ATTOutside_map 2 set peer 24.140.152.144 crypto map ATTOutside_map 2 set transform-set ESP-3DES-MD5 crypto map ATTOutside_map interface ATTOutside

crypto isakmp enable ATTOutside crypto isakmp enable Inside crypto isakmp policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 170 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400

tunnel-group 24.140.152.144 type ipsec-l2l tunnel-group 24.140.152.144 ipsec-attributes

!
851 router (within the 10.192.4.0/24 network)

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

crypto isakmp policy 3

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key si9bw1u8woaz address 65.42.15.142

crypto isakmp key 123 address 12.49.251.3

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to65.42.15.142

set peer 65.42.15.142

set transform-set ESP-3DES-SHA1

match address 102

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to12.49.251.3

set peer 12.49.251.3

set transform-set ESP_3DES_MD5

match address 102

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.11.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.12.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.13.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.14.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.18.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.19.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.22.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.23.0.0 0.0.255.255

Michael,

Since you are using the same ACL, subnets, even and even while on your router to your VPN 1 tunnels config and 2, your second VPN tunnel will not succeed because the router already has a tunnel with the PIX for the same traffic.

If you want to configure the ASA as peer backup scratch the second card encryption and instead, add the public IP ASA as a second peer under the original crypto configuration.

Like this:

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to65.42.15.142

set peer 65.42.15.142

set peer 12.49.251.3

game of transformation-ESP-3DES-SHA1

match address 102

The router will attempt to connect to the PIX and if this fails (which means that the PIX has never responded) then it will try to connect to the ASA.

To test it, you could do either of two things: 1. taking the internet conection low PIX will make the router try to connect to the secondary host. 2: change (temporarily) on the router address peer of the PIX to a bogus IP that won't respond, when only one omits the router must try to negotiate with the ASA.

I hope this helps.

Raga

ASA 5510 - tips for setting up - no internet

Similar Questions

Maybe you are looking for