Does the ASA support HSRP?

Does the ASA 5505 with IOS 8.x support HSRP? How do I configure it?

Hello

No, the ASA does not support HSRP. It will pass the HSRP packets if the ASA is in transparent mode, but it's not the same.

What are you trying to do? The ASA supports failover - see the attached link for more details.

http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html

Jon

Tags: Cisco Security

Similar Questions

  • IOS version of ASA supported with CSM 4.3

    Hello world

    We will deploy CSM 4.3 in our network.

    We have ASA 5505, 5515 and 5520. We need to know which version of IOS they should have so that they can support CSM 4.3.

    Also can we get Windows server for CSM 4.3 user?

    Thank you

    Mahesh

    IOS runs on the routers and switches. The software on an ASA is simply called ASA Software.

    CSM 4.3 supports ASA versions 7.0 to 8.6, although many features require ASA 8.0 or a later version. Full details are listed here. If you deploy a new CSM, you should switch to the newer version, 4.4. It adds support for the ASA software up to version 9.1(1).

    As described in the deployment guide (details here), CSM 4.3 requires Windows Server 2008 or 2008 R2. These requirements are the same for CSM 4.4.

  • ASA SHA2 support with self-signed certificates

    Is it possible to use the SHA2 signature algorithm when generating a self-signed certificate on an ASA? I can't find any documentation on commands that control things like the signature algorithm when you use self-signed certificates. I have seen documentation that SHA2 is supported from 8.4.2 for the signature algorithm, but it always refers to the import of a certificate from an external certification authority.

    Hi William,

    You can only generate a self-signed certificate on the ASA with SHA1. The solution is to import a certificate from a third party with the SHA2 signature algorithm.

    Here is the value for the same application:-

    ASA support for SHA-2 for crypto IPsec and operations of the public key infrastructure
    CSCuj67576
    https://Tools.Cisco.com/bugsearch/bug/CSCuj67576/?reffering_site=dumpcr

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • How to configure the FWSM with HSRP support

    Hi all

    We have 2 x 6500 Series core switches, each with an FWSM installed.

    There are some user VLANs (one per floor) and a lot of servers inside that belong to some other VLANs.

    The core switches have been configured with HSRP redundancy (active/passive).

    Today, I am picky with FWSM routed mode configuration.

    There is no problem with the default configuration and testing,

    I mean assigning VLANs to the FWSM and deleting the IP addresses from the MSFC.

    But unfortunately, whenever I have such a configuration, I naturally lose redundancy between the switches.

    In our situation HSRP is a must.

    Is it possible to fix this design in routed mode, with HSRP support?

    Thank you

    Erdem.

    Hi Erdem,

    (correct me if I'm wrong, Jon) - If you remove all the Lass you must route all traffic of course the FWSM.

    What we did was to create a transfer network (VLAN) with a SVI and FWSM inside external interface. Now, the default gateway on the FWSM is on the IP address of the SVI. So most of the range is configured on the switch.

    Kind regards

    Jürgen

  • ASA VPN Clustering

    I have 4 pairs of HA VPN in 4 different geographic regions of the world. Does the Cisco ASA support clustering of more than 2 VPN servers? Given that the AnyConnect client does not have the ability to store connection profiles as the old IPSec client did, I need a way to provide 1 hostname which will be used for all 4 VPN servers. Any suggestions?

    Eric

    You will be very happy.  Read this.

    https://supportforums.Cisco.com/document/58711/AnyConnect-optimal-gateway-selection-operation

    In short, AnyConnect can store profiles. However, it is best to create the same profile and store it on each VPN cluster so that users pull it at their next login.

    On a modern Windows OS the XML profile is stored in:

    %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

  • ASDM 6.4; ASA 5510 version 8.4 (1) - cannot access ASDM

    Hello Experts,

    I want to access ASDM from my management PC. I can ping the management PC and can make an SSH connection, but I can't reach ASDM in the browser.

    Please guide me.

    Here are the useful details:

    Running configuration

    ciscoasa# show run
    : Saved
    :
    ASA Version 8.4(1)
    !
    hostname ciscoasa
    enable password 9jNfZuG3TC5tCVH0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     nameif inside
     security-level 90
     ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    pager lines 24
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password e1z89R3cZe9Kt6Ib encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:afe73d128f7510e1bf9463fd698fa7fb
    : end
     
     
    Successful PING both ways

    ciscoasa(config)# ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ciscoasa(config)# ping 192.168.1.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ciscoasa(config)# exit

    Thank you :-)

    Please let us know the output of:

    show ver | i 3DES

    show ssl

    The output of these would ensure that your 3DES/AES license is active and that your ASA supports strong cryptographic algorithms (encryption).

  • Difference of RV and ASA series

    Hello

    I intend to build a site-to-site VPN tunnel connecting 2-3 satellite offices and the main office.

    After searching the products, I don't really understand the difference between models like the ASA5505 and the RV042.

    Do I need to use an ASA5505 in the main office and RV042s in the satellite offices?

    Or can I use an RV042 (or higher) in the office and just as the VPN tunnel?

    If this is the case, what is the advantage of the ASA over the RV series?

    Thank you for answering my stupid question, I am very new to cisco products.

    Kind regards

    Peter

    In a word, the ASA5505 is an enterprise-class security appliance, while the RV series are VPN routers designed for small businesses.

    ASA supports CLI, while the RV series rely on web browsers for administrative tasks.

  • HSRP in Cisco IOS - XE

    Hi, just got our Cisco 3850 switch, newly shipped with IOS-XE. Here is the output of the command 'show version'.

    Switch(config-if)#do show ver
    Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.03.SE RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Mon 23-Sep-13 18:24 by prod_rel_team

    Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.
    (http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.

    ROM: IOS-XE ROMMON
    BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.18, RELEASE SOFTWARE (P)

    HK-CSW001 uptime is 4 hours, 0 minutes
    Uptime for this control processor is 4 hours, 3 minutes
    System returned to ROM by reload
    System image file is "flash:packages.conf"
    Last reload reason: Reload command

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    [email protected].

    License Level: Ipbase
    License Type: Permanent
    Next reload license Level: Ipbase

    cisco WS-C3850-24T (MIPS) Processor with 4194304K bytes of physical memory.
    Processor board ID FOC2007U0YG
    2 Virtual Ethernet interfaces
    28 Gigabit Ethernet interfaces
    4 Ten Gigabit Ethernet interfaces
    2048K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    250456K bytes of Crash Files at crashinfo:.
    1609272K bytes of Flash at flash:.
    0K bytes of Dummy USB Flash at usbflash0:.
    0K bytes of  at webui:.

    Base Ethernet MAC Address          : 00:cc:fc:d1:55:80
    Motherboard Assembly Number        : 73-16297-04
    Motherboard Serial Number          : FOC20061W6G
    Model Revision Number              : Z0
    Motherboard Revision Number        : B0
    Model Number                       : WS-C3850-24T
    System Serial Number               : XXXXXXXXXXX

    My problem is, I tried HSRP 1 before using Packet Tracer and thought that since it succeeded, I could do it here on this new switch, but after reading a few articles, HSRP 1 is gone and now it is HSRP 2, but after I typed in the

    "interface vlan XXX"

    "ip address XXX.XXX.XXX.XXX subnet"

    the command "standby version 2" is not available, and "standby ip XXX..." is not available either.

    I'm stuck with this problem now, appreciate any help from you guys.

    Thank you

    The f

    Hello Jeff,

    We were also quite surprised at the point where we realized that our brand new 3850 did not support HSRP. This feature was introduced in a later version of IOS-XE. Currently, we run 03.06.00.E on our WS-C3850-24T and this version supports HSRP.

    I absolutely don't understand why Cisco released such an unfinished software/switch combo.

    So, please try a newer version of the software.

    See you soon

    Ichnafi

    Supplement: Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp) said: HSRP is supported since Version 3.3.0

  • Limit the bandwidth in the tunnel VPN on Cisco ASA

    Hello

    I have a site VPN tunnel to create with the local desktop client. I fear that the traffic in the tunnel will impact the Internet bandwidth for the entire office. Is it possible to limit the bandwidth on the VPN tunnel? I have attached a configuration that shows the configuration of the ASA at the local office.

    Any help would be much appreciated. I looked at QoS mapping but it's hard to make sense of.

    Thank you very much

    Kind regards

    Michael.

    The QoS features supported by the ASA are:
    Policing, LLQ and Traffic Shaping

    To prevent individual flows from hogging the bandwidth of the network, you can limit the maximum bandwidth used per flow (with policing).
    Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits per second) that you configure,
    so that no single traffic flow or class can take over the entire resource.
    When traffic exceeds the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic allowed.

    Example of police options:
    hostname(config-pmap)# class policing_map_name
    hostname(config-pmap-c)# police {output | input} conform-rate [conform-burst]
    [conform-action [drop | transmit]] [exceed-action [drop | transmit]]

    That is to say

    hostname(config)# class-map police_class
    hostname(config-cmap)# match any
    hostname(config-cmap)# policy-map QoS_policy
    hostname(config-pmap)# class police_class
    hostname(config-pmap-c)# police output 56000 10500

    The configuration depends on the basis on which you want to limit the connection.

    Federico.

  • Cisco ASA - l2l IPSEC tunnel two dynamic hosts

    Hello

    I have two Cisco ASA firewalls and I want to make an L2L IPsec tunnel between the two. The problem is that both parties have a dynamic IP. On both sides I have configured dyndns; can I build an IPsec tunnel using the dyndns name as the peer address?

    Hello

    ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
    i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr

    On ASA, it is not possible to configure the tunnel between two dynamic peers.
    You will need to have a static end to configure static to dynamic IP.

    For routers, you can follow this link.
    I hope this helps.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Cisco ASA & T1 connection

    Does the ASA support WAN protocols to establish T1 connections?

    Sorry, but the ASA does not offer any WAN interfaces such as T1. It offers only FastEthernet and GigEthernet right now.

    -Eric

    Be sure to note all the useful messages.

  • PIX / ASA: DNS names in ACLs

    Hello

    Do PIX or ASA support DNS names in ACLs, or only IPs? Has anyone heard of plans to support them?

    As far as I know (D) DNS is only supported for VPN connections by saving the IPs of the box interface.

    Best regards

    Roberto

    Only IP addresses.

  • Cisco's ASA 5510 VPN configuration suggestion

    Hello

    We have a cisco ASA5510 and our client has a device of Juniper. We already have a vpn tunnel between two locations and its working fine.

    Now they have networks that are in a more secure zone; if we add these subnets to the current tunnel we are not able to access them.

    So what they suggest is that we either reconfigure the VPN to be a route-based VPN instead of policy-based, OR configure a second VPN tunnel.

    Not sure whether Cisco ASA supports route-based tunnels? ... Can we create a 2nd tunnel between the same devices (ASA5510 and their Juniper device), as the peer IPs remain identical and only the internal remote networks will change for me? Is this possible?

    Do I have to make changes to the current tunnel?

    Thank you

    Smail

    Hello

    Cisco ASA does not support route-based tunnels.

    You must add the new networks to the crypto ACL. They add new VPN policies.

  • Cisco ASA cannot create several tunnels to the same peer address?

    We have several remote sites with Linksys WRVS4400N and Smoothwall firewall/VPN devices. I need these sites to be able to connect to several discontiguous subnets at our main office. This was done easily with Smoothwall and Linksys. You create a separate tunnel for each subnet, and voila, you're done. However, when I tried this with our newly installed ASA, it won't let me create several tunnels to the same remote peer address. It is a problem because these sites have only a single static public IP address. Did I miss something, or does the ASA not allow connections to and from multiple subnets from a site with a single peer address?

    It looks like the limitation is on the WRVS4400N, as Cisco ASA supports several subnets per tunnel.

    Is there any way that you can configure a larger subnet instead of specific subnets in the ACL?

    For example:

    If you have 192.168.0.0/24 and 192.168.1.0/24, instead of having 2 subnets configured, you can combine them into 1 subnet, 192.168.0.0/23

  • Horizon View 3.5.0 and ThinApp v4.7 with Cisco ASA Smart Tunnel 9.3.3

    Hello

    The problem:

    Our Smart Tunnel technology doesn't seem to be forwarding traffic for our new View client. I wonder what kind of configuration changes must be considered to enable such a connection. The error returned when connecting by host name is along the lines of hostname not found. The error when connecting by IP is related to a time-out.

    Background information and specifications:

    We are in the process of upgrading our connection servers from 5.2 to 6.2. As part of the upgrade, we want to upgrade our Horizon clients to version 3.5.0. To make it easier on vendors and remote computers we would also prefer to ThinApp our Horizon View Client with ThinApp 4.7.3. We currently have a Cisco ASA supporting an SSL VPN portal with "Smart Tunnel" technology. The ASA is currently on firmware 9.3.3 in production, but we have access to version 9.5 in test.

    Preferred connection scenario:

    User > PC > VMware View Client (ThinApp would be) > Cisco ASA Smart Tunnel > view connection server > Virtual Office

    .exe running on the ThinApp View client:

    It seems the ThinApp version of the View client is only launching vmware-view.exe.

    .exe running from the full/thick View client:

    vmware-view.exe

    -ftnlsv.exe

    -vmwsprrdpwks.exe

    -ftscanmgr.exe

    Is there something else to consider when configuring the ThinApp or thick View client to work with the Cisco SSL VPN Portal and the Smart Tunnel? We should have ports configured in the client in connection with the same view Firewall works with SSL VPN Portal port redirector functionality.

    We have not been able to find any documentation on how to properly configure the Smart Tunnel to work with the new Horizon 3.5.2 client. A troubleshooting ticket with Cisco suggests that the Smart Tunnel feature is perhaps not yet compatible with this new Horizon (thin or thick) client. Currently, we are looking at other options because it is not clear whether Cisco will be able to get us confirmation or offer a solution without delaying our upgrade project. Maybe we will stick with the previous VMware View Client version 5.4.0, which we know works with Smart Tunnel in some situations and with the port redirector for others.
