ASA 5520 DRAM Upgrade

Hello

We have an ASA 5520 running the 8.x version which currently has 512 MB of DRAM.

I would like to upgrade the memory to 1 GB of DRAM.

Questions related to this:

1. How many DRAM slots does the 5520 have?

2. I found this part:

http://www.MemoryX.NET/asa5520mem1gb.html

It looks like it should work. Is there anywhere I can look to be sure? I have searched and searched, but I can't find any hard documentation about the DRAM modules I can use in my 5520.

Thanks a million,

Pedro

There should be four.

http://www.Cisco.com/en/us/docs/security/ASA/HW/maintenance/guide/procs.html#wp1076043

The only supported memory upgrade is the one from the manufacturer, Cisco: ASA5510-MEM-512=

There is no 'Cisco' part number for the MemoryX part in Cisco's price list. Also, I think that part is for the AIP module, not the chassis. I think the chassis only supports 512 MB chips. The link below is the one you want.

http://www.MemoryX.NET/ASA5520.html

It shows that it has a single bank. I don't have a 5520 in the lab to take a look at, but the documentation should be accurate.

Tags: Cisco Security

Similar Questions

  • Upgrade to Cisco ASA 5520 8.2.5 to 9.1.7

    Hello

    I have an upgrade tonight for a customer: a standalone ASA 5520 going from version 8.2.5 to 9.1.7. I have the same upgrade next week for the same client on a failover pair.

    I have already done this kind of 8.2.x to 9.1.x upgrade, so I know the whole process: I first have to go from 8.2.5 to 8.4.6, then to 9.1.7. In addition, this customer has no NAT statements, so it should normally be an easy process.

    But today, during my routine preparation for the upgrade (I prefer to double- or triple-check beforehand), I found this bug:

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCuh19234;JSESSIONID=0A69...

    This bug is fixed in versions 8.4.7 and 8.4.6.99. But a jump from 8.2.5 to 8.4.7 is not recommended by the upgrade process, and I cannot find the 8.4.6.99 version.

    I don't want to have any problems during my upgrade with something I can avoid.

    As I said, I have already done this upgrade in the past without any problem, and with a more complex configuration.

    Has anyone had feedback on this process in the last few months? Should I do an extra step? (First 8.2.5 to 8.4.5, then 8.4.6 or 8.4.7?)

    Thank you in advance for your answer.

    There are a few incidents reported of ASA 5520s running 8.2.5 hitting this defect.

    You can go for an extra 8.4.x upgrade step as you mentioned to avoid the defect; we can't say for sure whether you will encounter this situation or not. 8.4.6.99 may be a development image and so be unavailable, unless you want to call TAC and confirm, or obtain any other image in the 8.4.x train.
    Adding another upgrade step can't hurt, given that this code hit the bug.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • The upgrade of ASA 5520

    I have just received a new ASA 5520 and I'm trying to update the ASA software to 7.2 and the ASDM to 5.2. I copied the files to flash, but when I run "asdm image flash:/asdm521.bin" I get an error that it is not an image file, and I don't know where to start with the ASA. Any help would be appreciated. I can't find any info in my documentation.

    Try this,

    To update/install the ASDM, follow this example procedure:

    ASA(config)# copy tftp flash
    Address or name of remote host [xxxx]?
    Source filename [pix704.bin]? asdm-504.bin
    Destination filename [asdm-504.bin]?
    Accessing tftp://x.x.x.x/asdm-504.bin...!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Writing file flash:/asdm-504.bin...
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    5958324 bytes copied in 165.460 secs (36111 bytes/sec)
    ASA(config)#
    ASA(config)# sh flash
    Directory of flash:/
    7     -rw-  5437440   21:12:42 Nov 24 2005  pix704.bin
    11    -rw-  5919340   20:59:06 Nov 24 2005  asdm-504.bin
    13    -rw-  7017      14:00:58 Jul 22 2005  admin.cfg

    asdm-504.bin is now copied into flash. We should now set the PIX to use this image to load ASDM.

    ASA(config)# asdm image flash:/asdm-504.bin

    The final steps involve saving the running configuration to memory, as we changed the boot files, and reloading the PIX.

    ASA(config)# write memory
    Building configuration...
    Cryptochecksum: d4f498de e877e418 2f9effa7 62ca0d6b
    4807 bytes copied in 3.20 secs (1602 bytes/sec)
    [OK]
    ASA(config)# reload

    Once the PIX comes back up, we can check that the upgrade succeeded using the command 'show version'.

    Consult the ASDM upgrade procedure:

    http://www.Cisco.com/en/us/customer/products/HW/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#T8

    I hope this helps... all the best... please rate responses if deemed useful...

    REDA
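    The question above asked about both the ASA system image and the ASDM image, while the reply only walks through ASDM. The following is an added example (not from the thread or from Cisco's documentation) of the same procedure extended to the system image: the new file is copied, its checksum is compared against the value published on the download page before it is trusted, and the old image is kept as a second boot entry so a bad image does not strand the box. The TFTP address x.x.x.x, the file name asa722-k8.bin and the availability of the verify command on the release in use are assumptions; pix704.bin and asdm521.bin are the names from the thread.

```cisco
! Added example, not the thread's own transcript. Assumes the images are
! already staged on a TFTP server at x.x.x.x and that 'verify' is available.
ASA(config)# copy tftp://x.x.x.x/asa722-k8.bin flash:/asa722-k8.bin
ASA(config)# copy tftp://x.x.x.x/asdm521.bin flash:/asdm521.bin

! Compare each hash with the MD5 listed on the Cisco download page before booting it
ASA(config)# verify /md5 flash:/asa722-k8.bin
ASA(config)# verify /md5 flash:/asdm521.bin

! Boot order: the new image first, the previous image as a fallback
ASA(config)# boot system flash:/asa722-k8.bin
ASA(config)# boot system flash:/pix704.bin
ASA(config)# asdm image flash:/asdm521.bin

! Confirm the boot variables before saving and reloading
ASA(config)# show bootvar
ASA(config)# write memory
ASA(config)# reload

! After the reload, check that the expected system and ASDM versions are running
ASA# show version | include Version
```

    If the checksum does not match, delete the file and copy it again rather than booting it; the "not an image file" error in the question is exactly the symptom a truncated transfer produces.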

  • Cisco ASA 5520, 8.02, 4GE SSM, IPS?

    I have an ASA 5520 with 4GE SSM module.

    In ASDM I see the basic IPS signatures... is there any way to upgrade these signatures, add to them, etc.?

    Not really, you must purchase the AIP-SSM module for this.

    Regards

    Farrukh

  • ASA 5520 and MPF

    Hi all. In our company we have recently upgraded our PIX 515 firewall to an ASA 5520, and we started to see a strange thing. On one of the sites we host, I see a lot of "MSS exceeded" messages popping up, and I think they are the source of the problem when people browse the site (mostly browsing works fine, but sometimes people cannot get content, etc.).

    I found the Cisco solution for this problem using MPF, but one thing confuses me. If I apply an MPF policy allowing exceeded MSS on the outside interface of the ASA, does this policy conflict with the global policy that is on the ASA by default, or can they both be active at the same time?

    Thanks in advance for any help.

    You can have a single policy per interface and another, global, one that by default applies to default-inspection-traffic.

    See http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html for more details.
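    As an added example (not the thread's configuration), this is the MPF arrangement the reply describes: a tcp-map that permits segments larger than the negotiated MSS, applied through a policy on the outside interface only, so the default global_policy keeps running untouched. The names MSS-MAP, MSS-CLASS and OUTSIDE-POLICY are chosen here.

```cisco
! Added example, not from the thread. Relaxes the MSS check for traffic
! entering 'outside' while leaving the global inspection policy in place.
tcp-map MSS-MAP
 exceed-mss allow
!
class-map MSS-CLASS
 match any
!
policy-map OUTSIDE-POLICY
 class MSS-CLASS
  set connection advanced-options MSS-MAP
!
! One policy per interface: this binds to 'outside' and coexists with global_policy
service-policy OUTSIDE-POLICY interface outside
!
! Confirm both policies are active and watch the per-class counters
show service-policy interface outside
show service-policy global
```

    Matching "any" is the broadest form; narrowing the class (for example to the web server's address and port) keeps the MSS check in force for everything else, which is the safer way to deploy this.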

  • UPDATED TO VERSION 8.2 ASA 5520 TO 9.0

    Hello friends,

    I am planning to upgrade my ASA 5520 from version 8.2 to 9.0, so I can enjoy the benefits of AnyConnect for mobile devices. I understand that I must pay special attention to:

    • NAT rules.
    • RAM memory: 2 GB.
    • Adding the license references for the new versions for mobile and AnyConnect:

      L-ASA-AC-E-5520=

      ASA-AC-M-5520=

    Am I missing anything else? Flash requirements? Or should I pay attention to some other configurations?

    Any comments or documents will be appreciated.

    Kind regards!

    You can run the latest version of the AnyConnect client, including mobile clients, with these licenses, even on an ASA with the current 8.2 code (8.2(5) as of now). While it is a bit old and lacks some of the newer features, it is a strong and stable version.

    That could save you the trouble of migrating your NAT configuration (and other pieces) and the memory upgrade.

    Since the ASA 5500 series (5510, 5520, etc.) is past end of sale, you have a limited future on these platforms. For example, ASA 9.1(x) is the last release train that will be available for them. (The current software on the 5500-X is 9.3(1).)

  • IPSec VPN to asa 5520

    Hello

    First I must admit that I am not very versed in Cisco equipment or in IPsec connections in general, so my apologies if I'm doing something really obviously stupid, but I have checked every kind of thing I could find on the internet about IPsec VPN configuration.

    The setup I have is an ASA 5520 (OS 8.2) firewall which, for now, is connected to a temporary home-broadband-style connection for testing purposes. The Netopia router is configured to allow IPsec passthrough and to forward the ports UDP 62515, TCP 10000, UDP 4500 and UDP 500 to the ASA 5520.

    I'm trying to connect from a laptop with the Windows firewall disabled and Cisco VPN client version 5.0.02.0090.

    I ran several attempts through the IPsec configuration wizard options. Most of the time nothing appears in the log to show that a connection was attempted, but there is one way I can set up the options that produces the following in the firewall log:

    4 | Sep 24 2010 | 13:54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry
    5 | Sep 24 2010 | 13:54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
    6 | Sep 24 2010 | 13:54:21 | 713905 | Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
    3 | Sep 24 2010 | 13:54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
    6 | Sep 24 2010 | 13:54:16 | 713905 | Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
    3 | Sep 24 2010 | 13:54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
    6 | Sep 24 2010 | 13:54:11 | 713905 | Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
    3 | Sep 24 2010 | 13:54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    6 | Sep 24 2010 | 13:54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built inbound UDP connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) to identity:192.168.0.27/500 (192.168.0.27/500)

    and this in the client log:

    Cisco Systems VPN Client Version 5.0.02.0090
    Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 3

    24   13:54:08.250  24/09/10  Sev=Info/4  CM/0x63100002
    Begin connection process

    25   13:54:08.265  24/09/10  Sev=Info/4  CM/0x63100004
    Establish secure connection

    26   13:54:08.265  24/09/10  Sev=Info/4  CM/0x63100024
    Attempt connection with server "213.94.x.x"

    27   13:54:08.437  24/09/10  Sev=Info/6  IKE/0x6300003B
    Attempting to establish a connection with 213.94.x.x.

    28   13:54:08.437  24/09/10  Sev=Info/4  IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 213.94.x.x

    29   13:54:08.484  24/09/10  Sev=Info/4  IPSEC/0x63700008
    IPSec driver successfully started

    30   13:54:08.484  24/09/10  Sev=Info/4  IPSEC/0x63700014
    Delete all keys

    31   13:54:13.484  24/09/10  Sev=Info/4  IKE/0x63000021
    Retransmitting last packet!

    32   13:54:13.484  24/09/10  Sev=Info/4  IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x

    33   13:54:18.484  24/09/10  Sev=Info/4  IKE/0x63000021
    Retransmitting last packet!

    34   13:54:18.484  24/09/10  Sev=Info/4  IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x

    35   13:54:23.484  24/09/10  Sev=Info/4  IKE/0x63000021
    Retransmitting last packet!

    36   13:54:23.484  24/09/10  Sev=Info/4  IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x

    37   13:54:28.484  24/09/10  Sev=Info/4  IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    38   13:54:28.984  24/09/10  Sev=Info/4  IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    39   13:54:28.984  24/09/10  Sev=Info/4  CM/0x63100014
    Unable to establish Phase 1 SA with server "213.94.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"

    40   13:54:28.984  24/09/10  Sev=Info/5  CM/0x63100025
    Initializing CVPNDrv

    41   13:54:28.984  24/09/10  Sev=Info/6  CM/0x63100046
    Set tunnel established flag in registry to 0.

    42   13:54:28.984  24/09/10  Sev=Info/4  IKE/0x63000001
    IKE received signal to terminate VPN connection

    43   13:54:29.187  24/09/10  Sev=Info/4  IPSEC/0x63700014
    Delete all keys

    44   13:54:29.187  24/09/10  Sev=Info/4  IPSEC/0x63700014
    Delete all keys

    45   13:54:29.187  24/09/10  Sev=Info/4  IPSEC/0x63700014
    Delete all keys

    46   13:54:29.187  24/09/10  Sev=Info/4  IPSEC/0x6370000A
    IPSec driver successfully stopped

    I have full HTTP connectivity from the internet to a machine inside the ASA 5520, so I think the static routing and NAT should be OK, but I am happy to provide any further details.

    Can you see what I'm doing wrong?

    Thank you

    Sam

    Please add the following policy:

    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash md5
     group 2

    You can also run debug on the ASA:

    debug cry isa
    debug cry ipsec

    and collect the debug output after trying to connect.

  • Tunnel VPN ASA 5520 (DMZ + INSIDE) destined for OUTSIDE

    I can't find any reference to this anywhere else.

    We have an ASA 5520 at our HQ site (the INSIDE network) with several regional subnets on the DMZ interface.

    We need site-to-site VPN connectivity between the INSIDE and a remote site on the OUTSIDE, as well as between the DMZ subnets and that same outside site. The OUTSIDE interface of the ASA must be the local VPN endpoint for all tunnels.

    I created a S2S VPN between the INSIDE and the OUTSIDE site and it works great.

    When I create a S2S VPN tunnel between a DMZ site and that same outside site (using the same local and remote settings, but with a different crypto map entry because the local subnet (DMZ) is different from the inside subnet), the traffic gets mapped (show crypto isakmp sa) to the same crypto map entry that was created for the INSIDE-to-OUTSIDE tunnel instead of to the new one, so the remote endpoint drops it; the traffic also causes incorrect SPI errors on the remote endpoint, which makes the original INSIDE-to-OUTSIDE VPN tunnel drop from time to time.

    Is this a bug?

    I also tested a S2S VPN tunnel configuration with the local networks set to everything on the INSIDE and the DMZ. The ASA S2S VPN wizard only creates a NAT exemption rule for the subnet on the INSIDE interface. Can I manually create another NAT exemption rule for the DMZ side and use a single S2S tunnel to connect the inside and DMZ sites to the remote OUTSIDE site in one connection profile?

    Am I building a Rube Goldberg machine?

    Thank you

    George

    Hi George,

    It seems you have an overlap situation there. Are you sure the inside subnets do not overlap with the networks from the DMZ? A packet tracer could clarify what the ASA is actually sending.

    In addition, you can merge the two interfaces into the same crypto map if you wish; just make sure that NAT is configured correctly. For example: nat (any,outside) source static...

    It may be useful

    -Randy-

  • ASA 5520 to Juniper ss505m vpn

    I'm having a problem with a site-to-site VPN between an ASA 5520 and a Juniper ss505m. The tunnel comes up, but we seem unable to pass traffic through the VPN tunnel. It appears the remote side makes a connection to the FTP server on the local side, but is never prompted for login credentials.

    Apr 19 2016 13:27:13 SQL-B2B-01: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xD167A5E8, sequence number= 0xD) from X.X.241.90 (user= X.X.241.90) to X.X.167.230. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as X.X.167.233, its source as X.X.2.68, and its protocol as tcp. The SA specifies its local proxy as X.X.167.233/255.255.255.255/tcp/5376 and its remote_proxy as X.X.2.68/255.255.255.255/tcp/5376.

    access-list West extended permit ip object-group Local object-group Remote

    nat (inside,outside) source static Local Local_Pub destination static Remote Remote

    crypto ipsec ikev1 transform-set Remote esp-aes-256 esp-sha-hmac

    crypto map West-map 95 match address Remote
    crypto map West-map 95 set peer X.X.241.90
    crypto map West-map 95 set ikev1 transform-set Remote
    crypto map West-map 95 set security-association lifetime seconds 28800

    Juniper:

    set address "Remote-ftp" X.X.167.233 255.255.255.255

    set ike gateway ... preshare "[email protected]/*/" proposal "pre-g2-aes256-sha-28800"

    set ike p2-proposal "no-pfs-esp-aes256-sha-28800" no-pfs esp aes256 sha-1 second 28800

    ----------------------

    set policy top from "Trust" to "Untrust" "X.X.2.68/32" "Remote-ftp" "ftp" tunnel vpn "Remote-vpn" log

    set policy top from "Untrust" to "Trust" "Remote-ftp" "X.X.2.68/32" "ftp" tunnel vpn "SonoraQ-vpn" log

    I don't know Juniper, but it seems it is trying to negotiate only tcp/5376 on the tunnel, when it should be negotiating just protocol "ip".

  • VPN site to site & outdoor on ASA 5520 VPN client

    Hi, I'm jonathan rivero.

    I have an ASA 5520 version 8.0(2). I configured the site-to-site VPN and it works very well; on the other device I configured the VPN client for remote users and it works very well. But I am trying to configure 2 VPNs on the ASA 5520 on the same outside interface: I have the line "crypto map outside_map interface outside" (for the VPN client), but when I configure "crypto map VPNL2L interface outside" it replaces that command, and so I can have only a single connection.

    The show run:

    ASA1(config)# sh run
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname ASA1
    enable password 7esAUjZmKQSFDCZX encrypted
    names
    !
    interface Ethernet0/0
     nameif inside
     security-level 100
     ip address 172.16.3.2 255.255.255.0
    !
    interface Ethernet0/1
     nameif outside
     security-level 0
     ip address 200.20.20.1 255.255.255.0
    !
    interface Ethernet0/1.1
     vlan 1
     nameif outside1
     security-level 0
     no ip address
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    object-group network net-local
     network-object 172.16.0.0 255.255.255.0
     network-object 172.16.1.0 255.255.255.0
     network-object 172.16.2.0 255.255.255.0
     network-object 172.16.3.0 255.255.255.0
    object-group network net-remote
     network-object 172.16.100.0 255.255.255.0
     network-object 172.16.101.0 255.255.255.0
     network-object 172.16.102.0 255.255.255.0
     network-object 172.16.103.0 255.255.255.0
    object-group network net-poolvpn
     network-object 192.168.11.0 255.255.255.0
    access-list outside_nat extended permit ip object-group net-local any
    access-list sheep extended permit ip object-group net-local object-group net-remote
    access-list sheep extended permit ip object-group net-local object-group net-poolvpn
    access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu outside1 1500
    ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 100 burst-size 10
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 access-list outside_nat
    route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
    route inside 172.16.0.0 255.255.255.0 172.16.3.2 1
    route inside 172.16.1.0 255.255.255.0 172.16.3.2 1
    route inside 172.16.2.0 255.255.255.0 172.16.3.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec security-association lifetime kilobytes 400000
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map VPNL2L 1 match address sheep
    crypto map VPNL2L 1 set peer 200.30.30.1
    crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    !
    group-policy vpngroup1 internal
    group-policy vpngroup1 attributes
     banner value +++ Welcome to Cisco Systems 7.0. +++
     dns-server value 192.168.0.1 192.168.1.1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value splittun-vpngroup1
     default-domain value ad-domain.local
     split-dns value ad-domain.local
     address-pools value ippool
    username asa1 password VRTlLlJ48/PoDKjS encrypted privilege 15
    tunnel-group 200.30.30.1 type ipsec-l2l
    tunnel-group 200.30.30.1 ipsec-attributes
     pre-shared-key *
    tunnel-group vpngroup1 type remote-access
    tunnel-group vpngroup1 general-attributes
     address-pool ippool
     default-group-policy vpngroup1
    tunnel-group vpngroup1 ipsec-attributes
     pre-shared-key *
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end

    ASA2(config)# sh run

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec security-association lifetime kilobytes 400000
    crypto map VPNL2L 1 match address sheep
    crypto map VPNL2L 1 set peer 200.30.30.1
    crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
    crypto map VPNL2L interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    tunnel-group 200.30.30.1 type ipsec-l2l
    tunnel-group 200.30.30.1 ipsec-attributes
     pre-shared-key cisco

    My topology:

    I tried the following links, but it did not work:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080912cfd.shtml

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml

    Best regards...

    "I think both of them force the ASA with the new route outside, why is that?"

    Without the route, the ASA pushes traffic inward by default.

    In any case, this must have been a learning experience.

    Hopefully this has been of some help.

    Please rate all helpful posts.

    Thank you

    Rizwan Muhammed.
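    The symptom in the question (the second "crypto map ... interface outside" line replacing the first) follows from the ASA accepting only one crypto map per interface. The reply does not spell out the fix, so here is an added example (not the thread's configuration) of the usual arrangement: the static L2L entry and the dynamic remote-access entry are placed in one map, the static entry with a low sequence number and the dynamic entry at 65535 so it is consulted last. The peer address, transform-set names, dynamic-map name and the object-group names net-local and net-remote follow the thread; the ACL name L2L-TRAFFIC is chosen here.

```cisco
! Added example, not from the thread: one crypto map on 'outside' that carries
! both the site-to-site entry and the dynamic entry for VPN clients.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! A crypto ACL that selects only the L2L traffic. It is kept separate from the
! NAT-exemption list, which also covers the VPN client pool and would otherwise
! pull client traffic into the L2L tunnel.
access-list L2L-TRAFFIC extended permit ip object-group net-local object-group net-remote
!
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
!
crypto map outside_map 10 match address L2L-TRAFFIC
crypto map outside_map 10 set peer 200.30.30.1
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! Verify: a single map bound to the interface, both peers listed once they connect
show run crypto map
show crypto isakmp sa
show crypto ipsec sa
```

    The sequence order matters: if the dynamic entry sat at a lower number than the static one, an incoming client negotiation could be matched by the wrong entry; keeping the static entries first and the dynamic entry last avoids that.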

  • Steps to start planning a DMZ on an ASA 5520

    Hi all

    Can someone direct me to good documentation on planning and creating a DMZ on an ASA 5520? Any advice or suggestions are greatly welcome.

    TIA,

    Gary

    Hi Gary

    Take a look at the following link,

    http://www.Cisco.com/en/us/products/ps6120/products_getting_started_guide_chapter09186a00805e2922.html

    I hope this helps.

    Regards, MJ

  • nat ASA 5520 problem

    Hi, I have a Cisco ASA 5520 and I want to do a site-to-site VPN using another interface with a LAN-to-LAN carrier. The problem is that when I try to pass traffic I get the following syslog error:

    No translation group found for udp src lan2lan:10.5.50.63/44437 dst colo:biggiesmalls/897

    The LAN-to-LAN service interface is called: lan2lan
    One of the internal interfaces is called: colo

    I think the problem is with NAT on the ASA, but I need help with this.

    Config:

    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address fw-ext 255.255.255.0   (fw-ext = XXaaaNNaa)
     ospf cost 10
     ospf network point-to-point non-broadcast
    !
    interface GigabitEthernet0/1
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1.50
     vlan 50
     nameif lb
     security-level 20
     ip address 10.1.50.11 255.255.255.0
     ospf cost 10
    !
    interface GigabitEthernet0/1.501
     vlan 501
     nameif colo
     security-level 90
     ip address fw-int 255.255.255.0   (fw-int = 172.16.2.253)
     ospf cost 10
    !
    !
    interface GigabitEthernet1/1
     description Door-Lan2Lan
     nameif lan2lan
     security-level 0
     ip address 10.100.50.1 255.255.255.248
    !
    access-list lan2lan_cryptomap_51 extended permit ip 10.1.0.0 255.255.0.0 object-group elo
    access-list lan2lan_cryptomap_51 extended permit ip sfnet 255.255.255.0 object-group elo
    pager lines 24
    logging enable
    logging host colo biggiesmalls
    no logging message 313001
    mtu outside 1500
    mtu lb 1500
    mtu colo 1500
    mtu lan2lan 1500
    icmp unreachable rate-limit 1 burst-size 1
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (lb) 1 interface
    global (colo) 1 interface
    nat (lb) 1 10.1.50.0 255.255.255.0
    nat (colo) 0 access-list colo_nat0_outbound
    nat (colo) 1 10.1.13.0 255.255.255.0
    nat (colo) 1 10.1.16.0 255.255.255.0
    nat (colo) 1 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    access-group lb_access_in in interface lb
    access-group colo_access_in in interface colo
    access-group management_access_in in interface management
    access-group lan2lan in interface lan2lan
    !
    service resetoutside
    crypto map lan2lan_map 51 match address lan2lan_cryptomap_51
    crypto map lan2lan_map 51 set peer 10.100.50.2
    crypto map lan2lan_map 51 set transform-set ESP-3DES-SHA
    crypto map lan2lan_map 51 set reverse-route
    crypto map lan2lan_map interface lan2lan
    quit
    crypto isakmp identity hostname
    crypto isakmp enable lan2lan
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    client-update enable
    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key xxXnnAA
    tunnel-group 10.100.50.2 type ipsec-l2l
    tunnel-group 10.100.50.2 general-attributes
     default-group-policy site2site
     no vpn-addr-assign aaa
     no vpn-addr-assign dhcp
    telnet timeout 5
    !


    Is the VPN OK? ("show crypto isakmp sa" should show an MM_ACTIVE tunnel to the peer address.)

    Normally we exempt site-to-site VPN traffic from NAT. This could be your problem. If you can share your configuration, we can have a look.

    P.S. You should post the question in the Security / VPN forum.
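    The reply points at NAT exemption. As an added example (not the thread's configuration), this is what that exemption looks like on the pre-8.3 code in the question, where nat-control is on: the networks in the crypto ACL are also listed in the nat 0 access list on the colo interface, so the ASA neither translates them nor logs "No translation group found" for packets arriving from the lan2lan peer. The ACL name colo_nat0_outbound, the peer 10.100.50.2, the object-group elo and the name sfnet are taken from the thread's configuration; whether those lines were already present in the poster's colo_nat0_outbound list is not shown on the page.

```cisco
! Added example, not from the thread. NAT exemption (nat 0 with an ACL) is
! bidirectional, so it also covers traffic arriving from the lan2lan peer
! and destined for hosts behind 'colo' such as biggiesmalls.
access-list colo_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 object-group elo
access-list colo_nat0_outbound extended permit ip sfnet 255.255.255.0 object-group elo
nat (colo) 0 access-list colo_nat0_outbound
!
! Verify the exemption and the tunnel state after sending test traffic
show nat
show crypto isakmp sa
show crypto ipsec sa peer 10.100.50.2
```

    Keeping the nat 0 list aligned with the crypto ACL is the check to make whenever a new subnet is added to the tunnel; a subnet present in one list but not the other produces exactly this kind of one-way failure.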

  • Change of SSL/TLS group Diffie-Hellman on ASA 5520

    The ssl dh-group command was introduced in 9.3(2), which is not available for the ASA 5520. Is it otherwise possible to force SSL VPN to use Diffie-Hellman groups larger than 1024 bits on this system?

    Sorry, I misread the question. As far as I know, we can't specify the Diffie-Hellman group on the ASA before 9.3(2).

    --

    Please do not forget to select a correct answer and rate useful posts

  • With an ASA 5520 port forwarding

    Hi all

    I recently bought a Cisco ASA 5520 on eBay for study, and I decided to use it only as a firewall between my home LAN and the Internet. Wow, what a learning curve! I managed to add my internal networks as objects and create a NAT rule (thanks to YouTube) to PAT my internal devices out to the Internet with the ASDM wizard, but I am really struggling to do the following:

    - allow all incoming traffic that hits the outside interface on port 38921 and NAT it to 10.1.10.101:38921

    - allow all incoming traffic that hits the outside interface on port 30392 and NAT it to 10.1.10.101:30392

    Can someone guide me on how to do it, because I have a couple of services running on these ports on a server that I want to reach when I'm not at home? My (rather messy) config is as follows:

    hostname FW1
    enable password <removed> encrypted
    passwd <removed> encrypted
    names
    !
    interface GigabitEthernet0/0
     description * Externally facing Internet *
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface GigabitEthernet0/1
     description * Internal facing 3750 *
     nameif inside
     security-level 100
     ip address 10.1.10.2 255.255.255.0
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    ftp mode passive
    object network VLAN1
     subnet 192.168.1.0 255.255.255.0
     description Legacy
    object network WiredLAN
     subnet 10.1.10.0 255.255.255.0
     description Wired LAN
    object network CorporateWifi
     subnet 10.1.160.0 255.255.255.0
     description Corporate wireless VLAN 160
    object network GuestWifi
     subnet 10.1.165.0 255.255.255.0
     description Guest wireless VLAN 165
    object network LegacyLAN
     subnet 192.168.1.0 255.255.255.0
     description Legacy LAN in place until the changeover
    object network FileServer
     host 10.1.10.101
     description File Server
    object service Service1
     service tcp source eq 38921 destination eq 38921
     description Service 1
    object-group network All_Inside_Networks
     network-object object VLAN1
     network-object object WiredLAN
     network-object object CorporateWifi
     network-object object GuestWifi
     network-object object LegacyLAN
    object-group service Service2 tcp-udp
     port-object eq 30392
    object-group service DM_INLINE_TCPUDP_1 tcp-udp
     port-object eq 30392
     group-object Service2
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list Outside_access_in extended permit object-group TCPUDP any object FileServer object-group DM_INLINE_TCPUDP_1 inactive
    access-list Outside_access_in extended permit object Service1 any object FileServer inactive
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic FileServer interface service Service1 Service1 inactive
    nat (any,outside) source dynamic All_Inside_Networks interface
    access-group Outside_access_in in interface outside
    route inside 10.1.160.0 255.255.255.0 10.1.10.1 1
    route inside 10.1.165.0 255.255.255.0 10.1.10.1 1
    route inside 192.168.1.0 255.255.255.0 10.1.10.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.1.160.15 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet 10.1.160.15 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username Barry password <removed> encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:19be38edefe8c3fd05e720aedee62c8e
    : end

    1. This is just one example configuration, and another option to consider, so that you don't have to send us the complete NAT configuration:

    object network 10.1.10.101
     host 10.1.10.101
    object service 38921
     service tcp source eq 38921
    object service 30392
     service tcp source eq 30392
    nat (inside,outside) 1 source static 10.1.10.101 interface service 38921 38921
    nat (inside,outside) 1 source static 10.1.10.101 interface service 30392 30392

    Let me know if it works
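A complete version of the two forwards for ASA 8.3 and later (the software level implied by the posted object-NAT syntax and the asdm-714 image), added here as an example; it is not part of the original question or answer. It uses object (auto) NAT rather than the twice NAT shown in the answer above, with one network object per port because a network object can carry only one nat statement. Two points worth checking against the posted config: every existing access-list and nat line for the file server ends in `inactive`, so none of it is actually applied, and since 8.3 the inbound access list matches on the real (untranslated) address 10.1.10.101, not on the outside interface address. Object names, the capture of the outside address and the 203.0.113.10 client address are mine.

```text
! Object NAT (NAT section 2): one network object per forwarded port.
! Object names FS-TCP-38921 / FS-TCP-30392 are assumptions.
object network FS-TCP-38921
 host 10.1.10.101
 nat (inside,outside) static interface service tcp 38921 38921
object network FS-TCP-30392
 host 10.1.10.101
 nat (inside,outside) static interface service tcp 30392 30392
!
! Post-8.3 ACL: permit to the REAL address. "any" is what was asked for;
! narrow the source to the addresses you will connect from if you can.
access-list Outside_access_in extended permit tcp any host 10.1.10.101 eq 38921
access-list Outside_access_in extended permit tcp any host 10.1.10.101 eq 30392
access-group Outside_access_in in interface outside
!
! Verification, from exec mode (not config mode). The outside address is
! DHCP-assigned, so read it first; 203.0.113.10 is a made-up client.
! show interface ip brief
! show nat detail
! show access-list Outside_access_in
! packet-tracer input outside tcp 203.0.113.10 40000 <outside-ip> 38921 detailed
```

packet-tracer walks the packet through the ACL, NAT and inspection phases and reports which rule allowed or dropped it, so it shows whether the translation and the permit line up before any client tries the port from the Internet; the hit counters in show access-list confirm the same once real traffic arrives.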

  • ASA 5520 DNS query sniffing

    Is a tcpdump operation, similar to the Sidewinder FW (example below), possible on an ASA 5520 with the AIP-SSM-10 (IPS) module? A reference and an answer to my question would be appreciated.

    tcpdump options for DNS:

    - Internal burb: tcpdump -ntpi em0 port 53

    - External burb: tcpdump -ntpi em1 port 53

    tcpdump options for SMTP:

    - Internal burb: tcpdump -ntpi em0 port 25

    - External burb: tcpdump -ntpi em1 port 25

    You can use the iplog command to capture a PCAP file on the AIP-SSM module (assuming you are sending the traffic you want to capture through the AIP-SSM IPS module). It captures based on the source IP address.

    http://www.Cisco.com/en/us/docs/security/IPS/6.0/command/reference/crCmds.html#wp466857

    If you want tcpdump granularity, create a service account on the sensor, log in to the Linux system, su to root and tcpdump away.
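The replies above cover the AIP-SSM only. The ASA itself also has a tcpdump-style facility, the `capture` command, which captures on any named interface into a memory buffer and exports a standard pcap. The block below is an added example, not part of the original thread; it reproduces the Sidewinder `tcpdump -ntpi em0 port 53` on the ASA's inside interface and the em1 capture on the outside interface. The capture names, the buffer size and the TFTP server 192.0.2.10 are assumptions. The access list matches both directions because `eq 53` on the destination alone would record queries but miss the responses.

```text
! Match both directions of DNS; ACL name DNSCAP is an assumption
access-list DNSCAP extended permit udp any any eq 53
access-list DNSCAP extended permit udp any eq 53 any
access-list DNSCAP extended permit tcp any any eq 53
access-list DNSCAP extended permit tcp any eq 53 any
!
! Inside interface (Sidewinder em0 equivalent), 5 MB buffer; the capture
! stops when the buffer is full unless circular-buffer is added
capture dnscap-in interface inside access-list DNSCAP buffer 5000000
! Outside interface (Sidewinder em1 equivalent)
capture dnscap-out interface outside access-list DNSCAP buffer 5000000
!
! Exec-mode commands: view decoded packets on the box, or export the pcap
! show capture dnscap-in
! show capture dnscap-in detail
! copy /pcap capture:dnscap-in tftp://192.0.2.10/dnscap-in.pcap
! copy /pcap capture:dnscap-out tftp://192.0.2.10/dnscap-out.pcap
!
! Captures hold memory until removed; clear them when finished
! no capture dnscap-in
! no capture dnscap-out
```

The exported file opens in Wireshark or tcpdump like any other pcap, which gives the per-packet view the question asks for without a service account on the sensor. Remember that the capture sees traffic on the ASA's own interfaces only, so flows that never traverse the firewall (for example two hosts on the same inside VLAN) will not appear.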
