Does the ASA support HSRP?
Does the ASA 5505 with IOS 8.x support HSRP? How do I configure it?
Hello
No, the ASA does not support HSRP. It will pass HSRP packets if the ASA is in transparent mode, but that's not the same thing.
What are you trying to do? The ASA supports failover; see the attached link for more details:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html
Jon
Tags: Cisco Security
Similar Questions
-
ASA IOS version supported with CSM 4.3
Hello world
We will deploy CSM 4.3 in our network.
We need to know: if we have ASA 5505, 5515 and 5520, which version of IOS should we have so that it can support CSM 4.3?
Also, can we use Windows Server for CSM 4.3?
Thank you
Mahesh
IOS runs on routers and switches. The software on an ASA is simply called ASA Software.
CSM 4.3 supports ASA versions 7.0 to 8.6, although many features require ASA 8.0 or later. Full details are listed here. If you are deploying a new CSM, you should go with the newer version, 4.4. It adds support for ASA software up to version 9.1(1).
As described in the deployment guide (details here), CSM 4.3 requires Windows Server 2008 or 2008 R2. These requirements are the same for CSM 4.4.
-
ASA SHA2 support with self-signed certificates
Is it possible to use the SHA2 signature algorithm when generating a self-signed certificate on an ASA? I can't find any documentation on commands that control things like the signature algorithm when you use self-signed certificates. I have seen documentation that SHA2 is supported from 8.4.2 for the signature algorithm, but it always refers to importing a certificate from an external certification authority.
Hi William,
On the ASA you can only generate a self-signed certificate with SHA1. The workaround is to import a certificate from a third party with the SHA2 signature algorithm.
Here is the value for the same application:-
ASA support for SHA-2 for crypto IPsec and public key infrastructure operations
CSCuj67576
https://Tools.Cisco.com/bugsearch/bug/CSCuj67576/?reffering_site=dumpcr
Kind regards
Dinesh Moudgil
P.S. Please rate helpful messages.
-
How to configure the FWSM with HSRP support
Hi all
We have 2 x 6500 Series core switches, each with an FWSM installed.
There are some user VLANs (one per floor) and a lot of servers inside that belong to some other VLANs.
The core switches have been configured with HSRP redundancy (active/passive).
Today, I am picky with FWSM routed mode configuration.
There is no problem with the default configuration and testing,
I mean assigning VLANs to the FWSM and deleting the IP addresses from the MSFC.
But unfortunately, whenever I have such a configuration, I naturally lose redundancy between the switches.
In our situation HSRP is a must.
Is it possible to fix this design in routed mode, with HSRP support?
Thank you
Erdem.
Hi Erdem,
(correct me if I'm wrong, Jon) - If you remove all the Lass you must route all traffic of course the FWSM.
What we did was to create a transfer network (VLAN) with a SVI and FWSM inside external interface. Now, the default gateway on the FWSM is on the IP address of the SVI. So most of the range is configured on the switch.
Kind regards
Jürgen
-
I have 4 HA VPN pairs in 4 different geographic regions of the world. Does the Cisco ASA support the Alliance of more than 2 VPN servers? Given that the AnyConnect client does not have the ability to store connection profiles like the old IPSec client, I need a way to provide 1 hostname which will be used for all 4 VPN servers. Any suggestions?
Eric
You will be very happy. Read this.
https://supportforums.Cisco.com/document/58711/AnyConnect-optimal-gateway-selection-operation
In short, AnyConnect can store profiles. However, it is best to create the same profile and store it on each VPN cluster to allow users to pull it on their next login.
On modern Windows OSes the XML profile is stored in:
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
-
ASDM 6.4; ASA 5510 version 8.4 (1) - cannot access ASDM
Hello Experts,
I want to access ASDM from my management PC. I can ping the management PC and make an SSH connection, but I can't get to ASDM in the browser.
Please guide me.
Here are the useful details:
Running configuration
ciscoasa# show running-config
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 90
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password e1z89R3cZe9Kt6Ib encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:afe73d128f7510e1bf9463fd698fa7fb
: end
Successful ping both ways
ciscoasa(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# exit
Thank you :-)
Please let us know the output of:
show ver | i 3DES
show ssl
The key bits of this output would confirm that your 3DES/AES license is active and your ASA supports strong cryptographic algorithms (encryption).
-
Difference of RV and ASA series
Hello
I intend to build site-to-site VPN tunnels connecting 2-3 satellite offices and the main office.
After researching the products, I don't really understand the difference between models like the ASA5505 and the RV042.
Do I need to use an ASA5505 in the main office and RV042s in the satellite offices?
Or can I use the RV042 (or higher) in the office and just as the VPN tunnel?
If this is the case, what is the advantage of the ASA series over the RV series?
Thank you for answering my stupid question, I am very new to cisco products.
Kind regards
Peter
In a word, the ASA5505 is an enterprise-class security appliance, while the RV series are VPN routers designed for small businesses.
The ASA supports a CLI, while the RV series rely on web browsers for administrative tasks.
-
Hi, we just got our newly shipped Cisco 3850 switch with IOS-XE. Here is the output of the command 'show version'.
Switch(config-if)#do show ver
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.03.SE RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 23-Sep-13 18:24 by prod_rel_team
Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.18, RELEASE SOFTWARE (P)
HK-CSW001 uptime is 4 hours, 0 minutes
Uptime for this control processor is 4 hours, 3 minutes
System returned to ROM by reload
System image file is "flash:packages.conf"
Last reload reason: Reload command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
License Level: Ipbase
License Type: Permanent
Next reload license Level: Ipbase
cisco WS-C3850-24T (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FOC2007U0YG
2 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of at webui:.
Base Ethernet MAC Address: 00:cc:fc:d1:55:80
Motherboard Assembly Number: 73-16297-04
Motherboard Serial Number: FOC20061W6G
Model Revision Number: Z0
Motherboard Revision Number: B0
Model Number: WS-C3850-24T
System Serial Number: XXXXXXXXXXX
My problem is, I tried HSRP 1 before using Packet Tracer and thought that since it succeeded, I could do it here on this new switch, but after reading a few articles, HSRP 1 went away and here it is HSRP 2, and after I typed in
"interface vlan XXX"
"ip address XXX.XXX.XXX.XXX subnet"
the command "standby version 2" is not available, and "standby ip XXX XX" is not available either.
I'm stuck with this problem now, appreciate any help from you guys.
Thank you
The f
Hello Jeff,
We were also quite surprised when we realized that our brand new 3850 did not support HSRP. This feature was introduced in a second version of IOS-XE. Currently, we run 03.06.00.E on our WS-C3850-24T and this version supports HSRP.
I absolutely don't understand why Cisco released such an unfinished software/switch combo.
So, please try a newer version of the software.
See you soon
Ichnafi
Supplement: Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp) said: HSRP is supported since Version 3.3.0
-
Limit the bandwidth in the tunnel VPN on Cisco ASA
Hello
I have a site VPN tunnel to create with the local desktop client. I fear that the traffic in the tunnel is impacting the Internet bandwidth for the entire office. Is it possible to limit the bandwidth of the VPN tunnel? I have attached a configuration that shows the configuration of the ASA at the local office.
Any help would be much appreciated. I looked at QoS mapping but it's hard to make sense of.
Thank you very much
Kind regards
Michael.
The ASA supported QoS features are:
Policing, LLQ and Traffic Shaping
To avoid individual flows hogging the bandwidth of the network, you can limit the maximum bandwidth used per flow (with policing).
Policing is a way of ensuring that no traffic exceeds the rate (in bits per second) that you configure,
thus ensuring that no one traffic flow or class can take over the entire resource.
When traffic exceeds the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic allowed.
Example of police options:
hostname(config-pmap)# class policing_map_name
hostname(config-pmap-c)# police {output | input} conform-rate [conform-burst]
[conform-action [drop | transmit]] [exceed-action [drop | transmit]]
That is to say:
hostname(config)# class-map police_class
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map QoS_policy
hostname(config-pmap)# class police_class
hostname(config-pmap-c)# police output 56000 10500
The configuration depends on the basis on which you want to limit the connection.
Federico.
-
Cisco ASA - l2l IPSEC tunnel two dynamic hosts
Hello
I have two Cisco ASA firewalls and I want to make an L2L IPsec tunnel between the two. The problem is that both sides have a dynamic IP. On both sides I have configured dyndns; can I set up an IPsec tunnel using the dyndns name as the peer address?
Hello
The ASA supports only the RFC-compliant method for updates used with dynamic DNS, not the HTTP updates that dyndns.org and others use.
i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr
On the ASA, it is not possible to configure a tunnel between two dynamic peers.
You will need to have one static end in order to configure a static-to-dynamic IP tunnel.
For routers, you can follow this link.
I hope this helps.
Kind regards
Dinesh Moudgil
P.S. Please rate helpful messages.
-
Cisco ASA & T1 connection
Does the ASA support WAN protocols to establish T1 connections?
Sorry, but the ASA does not offer any WAN interfaces such as T1. It offers only FastEthernet and GigEthernet right now.
-Eric
Be sure to note all the useful messages.
-
PIX / ASA, including the DNS name of the ACLS
Hello
Do the PIX or ASA support DNS names in ACLs, or only IPs? Has anyone heard of plans to support them?
As far as I know (D) DNS is only supported for VPN connections by saving the IPs of the box interface.
Best regards
Roberto
Only IP addresses.
-
Cisco's ASA 5510 VPN configuration suggestion
Hello
We have a Cisco ASA5510 and our client has a Juniper device. We already have a VPN tunnel between the two locations and it's working fine.
Now they have networks that are in a more secure zone; if we add these subnets to the current tunnel we are not able to access them.
So what they suggest is that we reconfigure the VPN to be a route-based VPN instead of policy-based, OR configure a second VPN tunnel.
I'm not sure whether the Cisco ASA supports route-based tunnels. Can we create a 2nd tunnel between the same devices (ASA5510 and their Juniper device), since the peer IPs remain identical and only the internal remote networks will change for me? Is this possible?
do I have to make changes to the current tunnel?
Thank you
Smail
Hello
The Cisco ASA does not support route-based tunnels.
You must add the new networks to the crypto ACL. They add new VPN policies.
-
Cisco ASA cannot create several tunnels to the same peer address?
We have several remote sites with Linksys WRVS4400N and Smoothwall firewall/VPN devices. I need these sites to be able to connect to several discontiguous subnets at our main office. This was done easily with Smoothwall and Linksys. You create a separate tunnel for each subnet, and voila, you're done. However, when I tried this with our newly installed ASA, it wouldn't let me create several tunnels to the same remote peer address. This is a problem because these sites have only a single static public IP address. Did I miss something, or does the ASA not allow connections to and from multiple subnets from a site with a single peer address?
It looks like a limitation on the WRVS4400N, as the Cisco ASA supports several subnets per tunnel.
Is there any way you can configure a larger subnet instead of specific subnets in the ACL?
For example:
If you have 192.168.0.0/24 and 192.168.1.0/24, instead of having 2 subnets configured, you can combine them into 1 subnet, 192.168.0.0/23
-
Hello
The problem:
Our smart tunnel technology doesn't seem to forward traffic for our new View client. I wonder what kind of configuration changes must be considered to enable such a connection. The error returned when connecting by hostname is along the lines of hostname not found. The error when connecting by IP is related to a time-out.
Background information and specifications:
We are in the process of upgrading our Connection Servers from 5.2 to 6.2. As part of the upgrade, we want to upgrade our Horizon clients to version 3.5.0. To make it easier on vendors and remote computers, we would also prefer to ThinApp our Horizon View Client with ThinApp 4.7.3. We currently have a Cisco ASA supporting an SSL VPN portal with "Smart Tunnel" technology. The ASA is currently on firmware 9.3.3 in production, but we have access to version 9.5 in test.
Preferred connection scenario:
User > PC > VMware View Client (ThinApp'd) > Cisco ASA Smart Tunnel > View Connection Server > virtual desktop
.exe files running with the ThinApp'd View client:
It seems the ThinApp'd version of the View client only launches vmware-view.exe.
.exe files running with the full/thick View client:
vmware-view.exe
-ftnlsv.exe
-vmwsprrdpwks.exe
-ftscanmgr.exe
Is there something else to consider when configuring the ThinApp'd or thick View client to work with the Cisco SSL VPN portal and Smart Tunnel? We should have the same View connection ports configured in the firewall that work with the SSL VPN portal port redirector functionality.
We have not been able to find any documentation on how to properly configure Smart Tunnel to work with the new Horizon 3.5.2 client. A troubleshooting ticket with Cisco suggests that the Smart Tunnel feature may not yet be compatible with this new Horizon (thin or thick) client. Currently, we are looking at other options because it is not clear whether Cisco will be able to give us confirmation or offer a solution without delaying our upgrade project. Maybe we will stick with the previous VMware View Client version 5.4.0, which we know works with Smart Tunnel in some situations and with the port redirector in others.