ASA 5540 FW running version 7.0 (5)
I'm upgrading from PIX 6.3.5 to a new pair of ASAs tonight. I wonder if anyone knows of any pitfalls that I need to know about... I also want to know whether this version of the ASA code is stable. Thanks in advance.
We have migrated a few PIX 520s running 6.3.5 to ASAs running 7.0.5. I recommend running them in parallel and migrating your servers and VPNs slowly. We did this and it paid off, as I crashed the ASAs several times because of software bugs. The ASAs sound great for integrating features (VPN hub, IPS, etc.), but I'm now firmly in favour of separating these services and running them on different boxes.
We ran into EZVPN 831 'NEM' connection problems, and it was malforming SCCP for the IP phones. We took the chance and upgraded to 7.2.1 in the hope that it would resolve these thanks to the Skinny improvements. Now stateful failover does not work (CSCse81232). So I'm still left with another Pandora's box :)
So, in summary: if you use the ASAs just as a basic firewall, 7.0.5 is stable. It's not worth the risk of going past the first major version just because of new features.
P.S. If you use ASDM, make sure you click Apply after each change. Do not make a bunch of changes and then hit Apply, as this will crash 7.0.5 (CSCse22853). I discovered this bug, and it was not specific to just the DHCP relay commands.
Tags: Cisco Security
Similar Questions
-
How can I get an ASA 5540 return to the default configuration?
Is there an easy way to re-apply the defaults that come with a new ASA 5540? I would like our ASA 5540 to return to its default of 192.168.1.1 on the inside interface and act as a DHCP server, so I can connect a PC and start the initial configuration using ASDM.
The ASA 5540 is running asa723-k8.bin.
Factory default settings:
http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/c4_72.html#wp2039866
A simple "write erase" and "reload" would also do the trick.
-
WRVS4400N to ASA 5540 L2L IPSec connection
I have a remote WRVS4400N with a dynamic outside address that opens a connection to an ASA 5540 with a static address.
I'm all set on the ASA side. My questions concern the 4400N. It does not seem to have a very robust configuration available for L2L tunnels. For one, my encryption is limited to 3DES.
But I wonder if I'm missing something in the config. I have to configure L2L tunnels to two other firewalls. One firewall has 3 non-contiguous networks, and the other has 2. I have 5 tunnels configured; is this the only way? What I'd like to see is 2 tunnels, one for each remote firewall, where each tunnel would have access to all of the networks (as on the ASA side). Is there any way to do this? Perhaps a useful command line for this unit?
My other question concerns the tunnel-groups I've implemented on my ASA, where I do not want to use the proper names... However, I can't seem to find a way to allow this on the 4400N side... I mean, I need a way to create a 'keyword' identifier or a 'firewall identifier' on the 4400N, and I do not see an appropriate field in the web interface. Anyone have ideas?
Thanks in advance.
Hi WS, the WRVS router does not support a full tunnel configuration or routes for a multi-site configuration. You would need a separate tunnel for each location.
Traditionally, the WRVS router was not a good match for any ASA platform. In most cases I saw, once a tunnel was put in place the WRVS router would crash within an hour or less due to low memory. If you run into a scenario where the WRVS stops responding or the tunnel goes down, this is the likely cause.
I highly recommend not using the WRVS router for any tunnel with the ASA. If you are looking to stay in the small business range, an RV220W or RV042 router would be a much more suitable match.
-Tom
Please mark helpful replies as useful -
ASA 5540 used for IPSec VPN only - can I do away with NAT 0?
I'll use an ASA 5540 as our VPN head-end only, and not as a firewall.
Also, we have a routable class B address space for our company's internal addresses, so we don't need NAT. I would like to disable the need for NAT 0 if I can, so that I don't always have to add NAT 0 to ensure that the 5540 does not NAT.
Is there an easy way to disable the need to use NAT 0?
Are there any drawbacks to doing that?
You can disable the need for nat 0 by disabling nat-control.
To achieve this, go to global configuration mode and use this command:
no nat-control
To check whether you have it turned on, you can check it with:
sh run nat-control
Cheers!
-Butterfly
-
We had problems installing and running Version 29 on various PC platforms (laptops and desktops), all running 64-bit Windows 7 SP2. The product appears to install correctly, but then simply does nothing. We had to go back to Version 28, and that sometimes takes a lot of tweaking to get working as well (i.e., first delete the \Mozilla directory under Program Files (x86) and then reinstall).
In addition to this difficulty, I and other users are not too crazy about the new look. In particular, the absence of the little Mozilla 'globe' in the upper-left corner of the screen that allows a double-click to close the program. This is where many users are accustomed to closing a Windows program, and that habit is hard to break. I looked for alternatives and programs that make Version 29 look more like previous versions, but have not seen this peculiarity addressed. So I'll stick with V28 until it returns.
W. Carl Miller, Director of Network Services
ESD Olympic 114
National 105 Avenue North
Bremerton, WA 98312
(360) 405-5815
[email protected]
You can show the title bar via the Title Bar button in the lower-left corner of the Customize window (3-bar menu button on the Navigation toolbar > Customize).
I don't think it is possible to set this for existing profiles, so you will need to ask users to make this change.
See also:
-
Gmail keeps moving me to safe mode, saying that I am running version 3.6
I'm running Firefox 11, but Gmail keeps saying I am running version 3.6.
I turned it off, but I always get: "Some important features may not work in this version of your browser, so you have been redirected to the basic HTML version. Upgrade to a modern browser, like Google Chrome."
AFAIC, 3.6 IS a modern browser.
Are they doing this just to make me use Chrome?
I am running Windows XP SP3.
Let's do this:
In your address bar, type "about:config" (without the quotes) and press Enter. Click the "I'll be careful, I promise!" button. Type "useragent" in the search box and press Enter. If anything shows as "user set", right-click it, click "Reset", then restart Firefox. Then go to Help > About Firefox and install any updates you see there. Does it work now? It looks like a toolbar may have damaged your user agent, making Gmail think you're using Firefox 3.
-
Communication between subinterfaces on ASA 5515-X with version 9.1
Hello
I have an ASA 5515-X with version 9.1.
I created 5 subinterfaces on 0/1 with different subnets, while the firewall is the gateway for my users.
0/0 - outside - WAN
0/1.1 - inside16 - 172.16.16.1/23
0/1.2 - inside30 - 172.16.30.1/24
0/1.3 - inside33 - 172.16.33.1/24
0/1.4 - inside40 - 172.16.40.1/24
0/1.5 - inside128 - 172.16.128.1/24
0/2 - test - 10.10.10.1/24
From the 10.x/24 network my internet works fine. But this does not work for my subinterfaces. They communicate among themselves.
When I try a packet trace, I get the output attached below.
Please advise.
Kind regards
Emilie
You need this (required) command:
same-security-traffic permit inter-interface
-
The number of VPN profiles that can be created on a Cisco ASA 5540
Hi all
I want to know if there is a limit to how many AnyConnect VPN profiles can be created on a Cisco ASA 5540? TIA!
https://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/configuration/g...
Maximum connection profiles
The maximum number of connection profiles (tunnel groups) that a security appliance can support is a function of the maximum number of concurrent VPN sessions for the platform + 5. For example, an ASA5505 can support a maximum of 25 concurrent VPN sessions, allowing 30 tunnel groups (25 + 5). Attempting to add an additional tunnel group beyond the limit results in the following message: "ERROR: the limit of 30 configured tunnel groups has been reached."
Table 32-2 specifies the maximum VPN sessions and connection profiles for each ASA platform.
Table 32-2 Maximum VPN Sessions and Connection Profiles by ASA Platform

Platform                      5505 Base/Security Plus   5510 Base/Security Plus   5520   5540   5550
Maximum VPN sessions          10/25                     250                       750    5000   5000
Maximum connection profiles   15/30                     255                       755    5005   5005
-
Site-to-site VPN using a hostname on Cisco ASA 5540 - dyndns
Can someone help me configure a site-to-site VPN on a Cisco ASA 5540? The other end is configured with dyndns, so I should set up the peer using its hostname.
If the other end has a dynamic IP address, you must configure a dynamic map and then use it in the crypto map.
See the following example.
-
IPSec tunnel does not come up between two ASA 5540s.
I've included the relevant configuration lines of the two ASA 5540s between which I'm trying to set up a LAN-to-LAN tunnel. The first few lines show the messages that are generated when I try to ping a host on the other side from each end.
Did I miss something that would prevent the tunnel from coming up?
4 IP = 10.10.1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10.1.147, Removing peer from peer table failed, no match!
6 IP = 10.10.1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10.1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 IP = 10.10.1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10.1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
4 IP = 10.10.1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10.1.147, Removing peer from peer table failed, no match!
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5 IP = 10.10.1.147, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 local Proxy Address 10.10.1.135, remote Proxy Address 10.10.1.155, Crypto map (outside_map0)
ROC-ASA5540-A# sh run
!
ASA Version 8.0(3)
!
hostname ROC-ASA5540-A
names
name 10.10.1.135 GHC_Laptop description name to test the VPN
name 10.10.1.155 SunMed_pc description name to test the VPN
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.1.129 255.255.255.240
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.1.145 255.255.255.248
!
!
access-list outside_2_cryptomap extended permit ip host GHC_Laptop host SunMed_pc
!
asdm image disk0:/asdm-603.bin
!
route outside 10.10.1.152 255.255.255.248 10.10.1.147 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 10.10.1.147
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec
tunnel-group 10.10.1.147 type ipsec-l2l
tunnel-group 10.10.1.147 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-A#
----------------------------------------------------------
ROC-ASA5540-B# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ROC-ASA5540-B
!
names
name 10.10.1.135 GHC_laptop
name 10.10.1.155 SunMed_PC
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.1.153 255.255.255.248
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.1.147 255.255.255.248
!
access-list outside_cryptomap extended permit ip host SunMed_PC host GHC_laptop
!
asdm image disk0:/asdm-603.bin
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 10.10.1.145
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set nat-t-disable
crypto map outside_map2 interface outside
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
 vpn-tunnel-protocol IPSec
tunnel-group 10.10.1.145 type ipsec-l2l
tunnel-group 10.10.1.145 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-B#
On ROC-ASA5540-B you have "crypto isakmp enable inside"; it should be "crypto isakmp enable outside".
Please reconfigure the ASA and let me know how it goes.
Kind regards
Arul
* Please rate useful posts *
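As an added check that is not part of the original thread, the Python below parses the crypto-relevant lines of ROC-ASA5540-B (re-typed from the listing above as a constructed sample, with the misplaced "crypto isakmp enable inside" kept) and reports the mismatch Arul points out, along with any dangling references a crypto map entry can carry (an access-list, transform-set or ipsec-l2l tunnel-group that is named but never defined).

```python
import re

# Constructed sample: the crypto-relevant lines of ROC-ASA5540-B, re-typed in
# ASA syntax from the listing in the post above, with "crypto isakmp enable
# inside" kept exactly as it was posted.
ASA_B_CONFIG = """\
hostname ROC-ASA5540-B
access-list outside_cryptomap extended permit ip host SunMed_PC host GHC_laptop
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 10.10.1.145
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set nat-t-disable
crypto map outside_map2 interface outside
crypto isakmp enable inside
tunnel-group 10.10.1.145 type ipsec-l2l
"""

ENTRY_RE = re.compile(
    r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")

def check_l2l_config(config: str) -> list:
    """Cross-check a LAN-to-LAN crypto config and return a list of findings:
    ISAKMP must be enabled on the interface each crypto map is applied to, and
    every map entry's ACL, transform set and peer tunnel-group must exist."""
    acls, tsets, isakmp_ifs, tgroups = set(), set(), set(), set()
    applied = {}   # crypto map name -> interface it is applied to
    entries = {}   # (map name, sequence) -> {attribute: value}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            tsets.add(m.group(1))
        elif m := re.match(r"crypto isakmp enable (\S+)$", line):
            isakmp_ifs.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            tgroups.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            applied[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)

    findings = []
    for name, intf in applied.items():
        if intf not in isakmp_ifs:   # the defect Arul spotted on ROC-ASA5540-B
            enabled = ", ".join(sorted(isakmp_ifs)) or "none"
            findings.append(f"crypto map {name} is applied to {intf} "
                            f"but ISAKMP is enabled on: {enabled}")
    for (name, seq), attrs in entries.items():
        where = f"crypto map {name} {seq}"
        if attrs.get("match address") not in acls:
            findings.append(f"{where}: access-list {attrs.get('match address')} not defined")
        if attrs.get("set transform-set") not in tsets:
            findings.append(f"{where}: transform-set {attrs.get('set transform-set')} not defined")
        if attrs.get("set peer") not in tgroups:
            findings.append(f"{where}: no ipsec-l2l tunnel-group for peer {attrs.get('set peer')}")
    return findings
```

Running the same check over a full "show run" is a quick way to catch this class of mismatch before turning on IKE debugging.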
-
nat-control on ASA 5540 v8.3.2?
Is there an equivalent command in 8.3.2 to disable NAT, i.e. no nat-control?
I think it was in v7.2, but I can't find it in 8.3.2. I use this 5540 strictly as a LAN-to-LAN IPSec VPN tunnel head-end and do not NAT at all. If I disable NAT, I won't have to deal with the obnoxious nat_0 ACL, which grows and grows and grows. Is this possible in 8.3.2?
Hello
The nat-control command was removed in version 8.3.
The nat-control command is deprecated. To maintain the requirement that all traffic from a higher-security interface to a lower-security interface be translated, a NAT rule will be inserted at the end of section 2 for each interface to deny all remaining traffic. The nat-control command was used for NAT configurations defined with earlier versions of the adaptive security appliance. The best practice is to use access rules to control access rather than relying on the absence of a NAT rule to prevent traffic through the adaptive security appliance.
See the following link for nat-control migration information:
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa83/upgrading/migrating.html#wp60212
Federico.
-
Firefox keeps asking me to update, but I am running version 26?
I downloaded Firefox Setup Stub 26.0 and installed it three times; each time it restarts, I see a message saying there is a newer version of Firefox, and when I click the link it asks me to download the same file again. I'm running Windows Vista with Firefox as my default browser. I hope you can help, because it is getting quite annoying with the constant popup telling me to update. Thank you, John.
In case my reference was confusing, here's a direct link to the article with the steps to clear false information about your version of Firefox: Websites say that Firefox is outdated or incompatible even though it's the latest version.
-
I am running Windows 7 64-bit OS, and I currently have version 12 of Firefox installed (updated in May). I am building a browser vs. OS compatibility matrix, so I did a little 'Googling' today to see which Firefox versions are currently supported. When I opened Firefox to see if I was running the latest version, I got a prompt to upgrade to 14.0.1, yet the latest version is 17. This causes me some confusion. In addition, some sites say a 64-bit Firefox is not supported on Windows, and others say that it is in fact supported. Could someone please confirm or deny this?
How many times have you run Firefox in the last 4 months? Do you remember postponing this update? If this update was previously downloaded but never installed, maybe the installer wants to finish that job before checking for a newer version.
Mozilla does not have a 64-bit release version of Firefox for Windows. The 32-bit version works well on both 32-bit and 64-bit Windows versions.
There is a third-party 64-bit build named Waterfox you could look into, but I suspect that any gain in the ability to use memory would be offset by reduced add-on compatibility...
-
I ran the beta before; recently I downloaded version 3.6.8 and it replaced the beta version. How can I download and run each as a separate application without a crash?
IS S/O
Thank you for choosing Mozilla. For us to better help you, come join us on live chat in 29 minutes if possible; otherwise, just come on the live chat whenever you can.
-
MS Visual C++ - ok to run old/multiple versions?
Hello
I'm troubleshooting an application problem where, when you attempt to start it, we get a "The program can't start because MFC80U.dll is missing from your computer" error.
The laptop is running W7 32-bit and is up to date with all MS security updates.
During troubleshooting, I downloaded the MS Visual C++ Redistributable package from this site:
http://www.Microsoft.com/en-US/Download/details.aspx?ID=26347
This seems to have solved the problem with the application (I can start it now without error, but
as I'm not familiar with the application, I need someone to make sure it works properly).
The versions of Visual C++ currently installed on the laptop are:
1. MS Visual C++ 2005 Redistributable
2. MS Visual C++ 2005 x86 Redistributable - 10.0.40219
Will having the 2005 version present on the laptop cause problems?
(If it matters, the application we are trying to install is: Highjump RouteXpressW32 v. 01.02.125)
Thank you, and please let me know if there is additional info I should provide.
Cheers,
Jim
Jim
Applications that need C++ need a specific version, so it is necessary to have that version installed. In my case I have 2005, 2010 & 2012.