ASA5510

I tried without success to have my ASA5510 recognized by OnPlus through the portal, with either the regular or the beta version of the firmware.

I manually select the device driver, but it fails. I saw the post on the ASA5505, but I think that the 5505 is different from all the other ASAs; the larger ASAs have no direct web access, only CLI and ASDM.

An interesting thing is that it seems to be magically collecting WAN stats from the ASA, even though I never set up NetFlow, gave OnPlus credentials or anything else.

Hi Brandon,

The OnPlus network agent tries to access the ASA 5510 using the HTTPS protocol. You can check if it works by trying this:

https://asa_address/exec/show%20clock

The web browser should ask you for credentials - enter the same ones that you gave to OnPlus.

If you get a valid answer, we must dig a little deeper.

If you do not get a response, you must enable the HTTP server on your device.

Finally, and this is a bug on our side - if you ever enter incorrect credentials, you have to go through a slightly painful procedure to correct the problem.

(1) On the device driver page, disable the selected device driver by opening the drop-down menu and navigating all the way to the top of the list.

(2) Go to the login page and check the box "delete existing credentials service".

(3) Apply the changes and wait a minute.

(4) Now go back, enter your correct credentials, select the appropriate device driver, then click on apply.

If all these steps still fail, we will have to pull a few traces to see what is happening.

-Mark

Tags: Cisco Support

Similar Questions

  • Question about ASA5510 with AIP10

    I installed an ASA5510-AIP10 at our customer site. But I have 2 problems.

    First of all, I don't see any traffic on the AIP10 gig0/1 (backplane interface).

    Can I configure ASA5510 configuration? I already configured the AIP10 with the associated virtual sensor and sensing interface. Unfortunately, I cannot see any traffic.

    When I entered 'show int gi0/1' on the AIP10, it shows that the traffic count is zero.

    Secondly, the AIP10 cannot do automatic signature updates from the FTP server. When I inspected the packets with the Ethereal tool, the AIP10 disconnected from the FTP server after the FTP 'LIST' command was sent to the FTP server. I think that the AIP10 didn't send 'Get sig.pkg' after it sent 'LIST'.

    What should I do? Is this a hardware problem with the AIP? I would like to know about the above.

    Kind regards

    Getting traffic monitored requires configuration on both the ASA and the SSM.

    It seems that you have completed the configuration of DFS.

    Now you need the corresponding configuration of the ASA.

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926

    This is most easily done by adding the "ips" configuration lines to your existing policy map on the ASA itself.

    Once the ASA is configured, the packet counts on the gig0/1 interface of the SSM should begin to increase.

    With regard to the FTP server problems with automatic upgrade:

    The first thing to do is use the 'upgrade' command in the CLI to do a manual upgrade from the FTP server. This will ensure the user name, password and directory settings are all correct for what you're trying.

    Once the manual upgrade works, use the same settings for the automatic update.

    If the automatic update does not work, then check that a Unix-style directory listing is used. The automatic update does not work when the Windows-style directory listing output is used. This is usually configurable on most Windows FTP servers.

    Also check "show events" while the sensor is checking the FTP server. The sensor will report on its findings. If it says that no updates have been found, check that you have a new update on the FTP server and ALSO make sure that the update name is exactly as it appears on the ORC. Some users have inadvertently changed the name, or the FTP client changed the file names. The biggest problem we have seen is that capital letters are made lowercase.
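
An added example (not code from the thread or from Cisco) of the two checks described in the answer above: whether the FTP server returns a Unix-style directory listing, and whether the update file kept its exact name, capital letters included. The regular expressions, function names and the sample file name are assumptions constructed for illustration.

```python
import re

# Unix "ls -l" style line: mode, links, owner, group, size, date, name.
UNIX_LINE = re.compile(
    r"^[-dlbcps][-rwxsStT]{9}[+.@]?\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{1,2}:\d{2})\s+(?P<name>.+)$"
)
# MS-DOS style line (a common Windows FTP server setting): date, time, size, name.
DOS_LINE = re.compile(
    r"^\d{2}-\d{2}-\d{2,4}\s+\d{1,2}:\d{2}\s*(?:AM|PM)?\s+"
    r"(?:<DIR>|\d+)\s+(?P<name>.+)$",
    re.IGNORECASE,
)


def parse_listing(text):
    """Return (style, names); style is 'unix', 'dos', 'mixed' or 'unknown'."""
    styles, names = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("total "):
            continue  # skip blanks and the "total N" header of ls -l output
        for style, pattern in (("unix", UNIX_LINE), ("dos", DOS_LINE)):
            match = pattern.match(line)
            if match:
                styles.add(style)
                names.append(match.group("name"))
                break
    if not styles:
        return "unknown", names
    return (styles.pop() if len(styles) == 1 else "mixed"), names


def check_update_dir(listing, expected_name):
    """List the reasons an automatic update would not find expected_name."""
    style, names = parse_listing(listing)
    problems = []
    if style != "unix":
        problems.append(f"listing style is {style}, expected unix")
    if expected_name not in names:
        # A case-only difference means the file was renamed on upload.
        renamed = [n for n in names if n.lower() == expected_name.lower()]
        if renamed:
            problems.append(f"name case changed: {renamed[0]} != {expected_name}")
        else:
            problems.append(f"{expected_name} not in listing")
    return problems


# Constructed sample data (placeholder file name, not a real update).
EXPECTED = "IPS-sig-S000-req-E0.pkg"
UNIX_OK = "total 1\n-rw-r--r--   1 ftp  ftp   1048576 Jan 05 12:00 " + EXPECTED
DOS_LOWER = "01-05-24  12:00PM       1048576 " + EXPECTED.lower()

if __name__ == "__main__":
    for label, listing in (("unix", UNIX_OK), ("dos", DOS_LOWER)):
        print(label, check_update_dir(listing, EXPECTED) or "ok")
```

Feed it the raw LIST output captured from the FTP server (for example from a packet capture of the sensor's session) together with the update file name exactly as published.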

  • ASDM on ASA5510 problem

    Hello

    I try to access Cisco ASA5510 using ASDM but without success. The running configuration file is attached. I tried to debug ASDM and HTTP and got the following error...

    HTTP: treatment given to the legacy server admin / [admin]
    HTTP session: checked = [0]
    HTTP: URL GET treatment "/ admin' host 6.6.6.10"
    HTTP: redirect to: /admin/public/index.html
    HTTP session: checked = [0]
    HTTP: treatment GET URL ' / admin/public/index.html' host 6.6.6.10
    HTTP: authentication is not required
    HTTP: file not found: public/index.html
    HTTP: treatment given to the legacy server admin [/ favicon.ico]
    HTTP session: checked = [0]
    HTTP: treatment GET URL ' / favicon.ico' host 6.6.6.10
    HTTP: required authentication, no authentication information was provided

    I tried my best to solve the problem but did not succeed. Please help solve the problem.

    Jean Marc

    Hi John,

    The problem should be linked to ASDM version compatibility: you are using an ASDM version that is incompatible with your ASA software version. ASA 8.2(1) requires ASDM version 6.2(1) or later, and the recommended version would be 7.3(1).

    Kind regards

    Aref

  • ASA5510 software update

    Hi all

    I don't have much information about ASA but now I want to learn as much as possible as I can.

    I have an ASA5510 on which I can practice... but first, I have to upgrade the software from 7.0(6) to 8.2(5)

    need a document to

    Yes, you can do it.

    Copy the image to the internal flash memory card (disk0:) and change (or add) a "boot system disk0:/" command in the config. "write mem" and "reload", and watch it boot (the console will show you the self-test progress and, in case of a problem, give you an indication of the problem).

    You must also copy an updated ASDM image and set it as the image to be used in the config. The latest ASDM (7.1(6)) is recommended and compatible with ASA 8.2(5).

  • Connectivity VPN IPSec Client to ASA5510

    I have an ASA5510 at a remote site. I used the IPSec VPN Wizard to configure remote access for developers in the portion of the DMZ network 192.168.100.0/24.

    I can connect using both the latest Cisco Windows client and VPNC on my Linux machine. A tunnel is created, I get a valid IP within the 192.168.100.0 subnet and everything is great.

    But when I try to ssh to one of the servers, the SYN packet times out. I can see the connection trying to establish by looking at the logs on the firewall.

    There is no problem with the Linux servers themselves that I am trying to connect to. I've ridden iptables and even tried to connect without any firewall rule. Still no dice.

    I can post my running-config here if necessary.

    Thank you.

    Well, just ensure that the desired ISAKMP policy on your firewall is at the top. This will reduce the time for Phase 1 negotiation. Also, make sure that there is no fragmentation (MTU issues).

    Regards

    Farrukh

  • Installation of CSC-SSM-20 on ASA5510

    Hello

    Is it a good idea to run a CSC-SSM20 on an ASA5510, and must I have 2 gigabytes of RAM on the ASA5510?

    I was wondering too, for filtering of the web. If all Internet users are behind a proxy, the CSC - SSM says that there is only one user.

    I would appreciate any advice.

    Thank you

    .

    Hello

    There are no specific memory requirements for installing the CSC module on the ASA. The CSC does not use the memory of the ASA; the only thing it uses is the ASA backplane, so the ASA can redirect internet traffic to the CSC management IP for filtering. The CSC has its own memory and CPU that it uses.

    For the second question, if the users are behind a proxy then the CSC would definitely see requests originating from a single IP address, so you would not be able to filter the traffic at a granular level.

    Hope this answers your questions.

    Thank you

    Varun

  • Impossible to activate ports Gigabit Ethernet on ASA5510

    The ASA5510 has the Security license and running version 8.2 (5).

    When I set either Ethernet 0/0 (my inside interface) or Ethernet 0/1 to 1000 Full, the port goes down on the switch and the ASA.

    If I set both to AUTO and AUTO, they work very well, but only at 100 MB.

    I tried all possible combinations between the switch and the ASA and nothing works except for AUTO and AUTO.

    The switch is a 3750 G-48TS stacked with 3750 G-48PS.

    Is there a problem with the ASA or am I missing something here?

    Hello

    Thanks for the heads up, it happens to all of us all the time.

    Please check the question as answered so future users can learn about it.

    Check out my blog at http://laguiadelnetworking.com for more information.

    See you soon,

    Julio Segura Carvajal

  • Configure two Ports on an ASA5510 with 2 different inside networks

    How can I configure two ports on an ASA5510 (version 8.4(5)) with 2 different inside networks going out one outside interface, or with two inside and two outside interfaces, routing one inside to one outside and the other inside to the other outside?

    Specifically, I had all three interfaces with dhcp and basic configuration of all, I got one (10.1.0.0) inside out successfully from the internet (208.83.73.193 for example), but I'm not sure of the second internal interface (192.168.1.0) out to the internet.

    I need VPN or any connection between the two internal networks.

    This is my basic configuration:

    interface Ethernet0/0

     nameif Internet

     security-level 0

     ip address 208.83.73.x 255.255.255.240

    interface Ethernet0/1

     nameif inside

     security-level 100

     ip address 10.1.1.1 255.255.0.0

    interface Ethernet0/2

     description Guest Network Interface

     nameif GuestNetwork

     security-level 100

     ip address 192.168.1.1 255.255.255.0

    route Internet 0.0.0.0 0.0.0.0 208.83.73.206 1

    route Internet 192.168.1.0 255.255.255.0 208.83.73.206 1

    dhcpd address 10.1.5.100-10.1.5.254 inside

    dhcpd dns 10.1.2.7 10.2.1.200 interface inside

    dhcpd wins 10.1.2.7 interface inside

    dhcpd lease 432000 interface inside

    dhcpd domain xxx.xxxxx.xxxx.gov interface inside

    dhcpd enable inside

    dhcpd address 192.168.1.2-192.168.1.50 GuestNetwork

    dhcpd dns 208.67.222.222 208.67.220.220 interface GuestNetwork

    dhcpd enable GuestNetwork

    object network obj-10.1.0.0

     nat (inside,Internet) dynamic interface

    I tried to configure NAT for the guest network the same way that I have it set for the 10.1.0.0 network, and also static NAT, and it did not work (maybe I did it wrong).

    If getting this accomplished is possible, I would very much appreciate a configuration example of what I need to do.

    Help, please

    I also found these two articles from Cisco that apply to ASA Version 8.3, and I guess they could apply to Version 8.4(5); please let me know if so:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b7c939.shtml

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b1ee95.shtml

    Thank you

    Two inside networks to one outside is no different from a DMZ and an inside going outwards. Both come from a higher security level and go to a lower security level. In your case, where the second inside network is for guest users, I would use a lower security level, as the guest network is probably not as trustworthy as the internal network.

    The second requirement (two inside and two outside) would need a form of policy-based routing that the ASA does not support in the way you want to use it (there are some hacks with NAT, but it's really horrible). What you could use for this are security contexts: one context with inside1/outside1, the other context with inside2/outside2. Here, you can easily route traffic from inside2 to outside2 and from inside1 to outside1.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Remote access ASA5510

    Hello guys,

    I have to configure an ASA 5510 as a remote access server for Windows XP machines. I tried to configure L2TP and IPSec, but it did not work. I was referred to a correct document by a member of this forum (appreciated), but it seems that XP machines do not like L2TP and they more readily accept PPTP. Can someone refer me to a document on how to configure the ASA5510 with PPTP remote access? I checked the unit and see no option to use PPTP instead of L2TP. Guys, thank you very much in advance.

    Kind regards

    RVR

    ! - Identifies the IPsec encryption and hash algorithms

    ! - to be used by the transform set.

    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

    ! - Because the Windows 2000 L2TP/IPsec client uses IPsec transport mode,

    ! - set the mode to transport.

    ! - The default is tunnel mode.

    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

    ! - Specifies the transform sets to be used in a dynamic crypto map entry.

    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

    ! - Requires a given crypto map entry to refer to a pre-existing

    ! - dynamic crypto map.

    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

    ! - Applies a previously defined crypto map set to an outside interface.

    crypto map outside_map interface outside

    crypto isakmp enable outside

    crypto isakmp nat-traversal 20

    ! - Specifies the IKE Phase I policy parameters.

    crypto isakmp policy 10

     authentication pre-share

     encryption 3des

     hash md5

     group 2

     lifetime 86400

    ! - Creates a tunnel group with the tunnel-group command, and specifies the local

    ! - address pool name used to allocate the IP address to the client.

    ! - Associates the AAA server group (VPN) with the tunnel group.

    tunnel-group DefaultRAGroup general-attributes

     address-pool clientVPNpool

     authentication-server-group vpn

    ! - Links the name of the group policy to the default tunnel

    ! - group from tunnel group general-attributes mode.

     default-group-policy DefaultRAGroup

    ! - Use the tunnel-group ipsec-attributes command

    ! - to enter the ipsec-attribute configuration mode.

    ! - Set the pre-shared key.

    ! - This key must match the key configured on the Windows machine.

    tunnel-group DefaultRAGroup ipsec-attributes

     pre-shared-key *

    ! - Configures the PPP authentication protocol with the authentication type

    ! - command from tunnel group ppp-attributes mode.

    tunnel-group DefaultRAGroup ppp-attributes

     no authentication chap

     authentication ms-chap-v2

  • Assign the virtual sensor in the MODE SINGLE ASA5510-AIP10SP-K9

    Hello

    I am installing 2 ASA5510-AIP10SP-K9 in active/standby failover mode. I know how to assign virtual sensors to the contexts of the ASA in multiple mode (active/active failover). But I want it to be done in single mode (active/standby failover). Any idea will be welcomed.

    OK, now I understand what you need.

    Most users need only the single default "vs0" virtual sensor.

    To get the ASA to send traffic to the SSM for monitoring, here are the basic steps:

    (The assumption is that you have already logged in, changed the password, and gone through the steps in "setup" to set the IP address, network mask and other settings on your sensor.)

    (1) Log in to the AIP-SSM (telnet or ssh) as the default user "cisco".

    (2) Add the backplane interface of the AIP-SSM, GigabitEthernet0/1, to the default virtual sensor "vs0" using these commands:

    configure terminal

    service analysis-engine

    virtual-sensor vs0

    physical-interface GigabitEthernet0/1

    exit

    exit

    Answer yes when prompted

    exit

    NOTE: The above could also be done through the advanced setup command, or could be done through ASDM or IDM. To keep it simple I am just giving you the CLI commands.

    (3) Connect to the ASA CLI. If you "sessioned" into the SSM, then exiting your session will return you to the ASA CLI. Otherwise connect to the ASA via the console, ssh or telnet.

    (4) Set the ASA to send traffic to the AIP-SSM.

    To do this, you would create an ACL for the traffic you want to monitor. This ACL is then used to create a class map. The class map is then added to a policy map. The policy map is then applied.

    Here's an example of how you can get all traffic promiscuously monitored by the AIP-SSM:

    conf t

    access-list IPS permit ip any any

    class-map my-ips-class

     match access-list IPS

    policy-map global_policy

     class my-ips-class

      ips promiscuous fail-open

    service-policy global_policy global

    NOTE: The foregoing will send all IP packets to the SSM for promiscuous monitoring. To change to inline monitoring simply substitute "inline" for "promiscuous" in the ips configuration line.

    Note 2: The service-policy command is a repetition of the command that should already be in your ASA configuration by default. So, it will probably generate an error/warning letting you know that the policy is already applied.

    If you do not use the default configuration on the ASA and instead create your own policy, then you can use the steps above, but add the class to your own policy rather than to the default 'global_policy'.

    (4) Repeat steps 1 and 2 on the SSM of your standby ASA.

    The configuration of the AIP-SSM is NOT automatically copied between the AIP-SSMs, so you need to do the configuration manually on both AIP-SSMs.

    (5) Connect to your standby ASA and check that the configuration in step 3 was automatically copied to your standby ASA.

    The steps above are in force at step 4/5 in your original list.

    Your AIP-SSM should now be monitoring traffic.

    You can now proceed to step 6 of your original list.

  • ASA5510 and the encryption password

    Hello

    In the configuration file of an ASA5510 firewall, the password is encrypted.

    Do you know what type of encryption is used?

    Thanks for your help.

    Best regards

    Configured passwords that belong to the locally configured user accounts are hashed using a proprietary hash algorithm. The ASA then stores these hash values in the configuration file instead of the plain text values. When you enter your password, the hash is calculated again and checked against the stored one.

    I hope it helps.

    PK

  • ASA5510 - good enough for small businesses?

    Hello.

    We currently intend to change our Check Point FW to a Cisco ASA5510.

    We are about 100 employees, have 15 IPsec VPN peers and 50 VPN clients. I see the ASA5510 comes in many different editions and licenses and I can't seem to find the right one for us.

    Is the hardware the same in all ASA5510s? What is the difference between these models:

    (1) ASA5510 Security Plus Firewall Edition

    (2) ASA5510 IPsec VPN Edition

    (3) ASA5510 Anti-X Edition

    (4) ASA5510 IPS Solution Bundle

    I'm going to need a FW that can handle 15-30 IPsec VPN peers and up to 100 concurrent VPN clients, and that has a good IPS/IDS solution. It must also support the AES 256 encryption algorithm and have the option for SSL VPN peers.

    Which edition do you think will be best suited for us? Any thoughts?

    Thank you

    Hello

    Regarding the question above, the hardware is the same; only the license changes, and modules that provide additional IPS or Anti-X services can be installed. The ASA5510 can scale up to 250 SSL VPN peers on each Cisco ASA 5510 by installing an SSL VPN upgrade license; 250 IPsec VPN peers are supported on the base platform. VPN resilience and capacity can also be increased by taking advantage of the Cisco ASA 5510 VPN clustering and load balancing features (available if a security license is installed). The Cisco ASA 5510 supports up to 10 devices in a cluster, supporting a maximum of 2500 SSL VPN peers or 2500 IPsec VPN peers per cluster.

    With your specifications above, I would look at the following: ASA5510-AIP10-K9 (Cisco ASA 5510 IPS Edition, includes the AIP-SSM-10, 5 Fast Ethernet interfaces, 2 SSL VPN peers, 250 IPsec VPN peers, firewall services), and as you said "and have the option for SSL VPN peers", you can enable SSL at a later date.

    AIP SSM-10 - concurrent threat mitigation throughput (Firewall + IPS Services)

    • 150 Mbps with Cisco ASA 5510

    I hope this helps...

    Cordially MJ

  • ASA5510 VPN L2L cannot reach hosts on the other side

    Hello experts,

    I have an ASA5510 with 3 VPN L2L and remote VPN access. Two VPN L2L, Marielle and Aeromique no problem, but for VPN ASPCANADA, to a host behind the ASA 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.

    Add these two lines to the NAT 0 access list:

    access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.251

    access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.250

    Also make sure the mirror of these statements is in the remote ASA's NAT 0 access list.

    Test and validate results

    HTH

    Sangaré

    Pls rate helpful messages

  • Need help with VPN (Cisco831 + ASA5510)

    Hello

    We are trying to set up a VPN site-to site between a Cisco831 and an ASA5510.

    I have attached the configuration files of the two units and a file from the ASA.

    on the 831, we get:

    KED1CSPSVPNr01 #.

    * 19 Mar 22:17:48.743: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 8.10.15.130

    I can't figure out where the problem is. Could someone help please?

    Thank you.

    Try adding this to the ASA...

    crypto map outside_map 1 set pfs

  • Trying to set up the VPN Client with crossed on ASA5510

    Hello

    I'm putting in place our ASA5510 so that users can connect to our LAN to work and surf the Internet as well.

    I followed the guide from Cisco. I can connect and I am given the expected 192.168.10.x address, but I can't connect to anything on our work network of 10.0.0.0/24 or surf the Internet.

    Could someone please check my config and see what's wrong? There's also an L2L VPN here to a 192.168.3.0 network, but that works without problems.

    Thank you very much

    Chris

    Hello Chris,

    Add the following access list statement.

    access-list INSIDE_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0

    And for the aggregation of internet traffic add the following command:

    same-security-traffic permit intra-interface

    Verify and validate the results.

    HTH

    Sangaré

    pls rate helpful messages
