Cisco ASA SHA2 Support

Is it possible to use a SHA-2 signature algorithm when generating a self-signed certificate on an ASA? I can't find any documentation on commands that control things like the signature algorithm when you use self-signed certificates. I have seen documentation saying SHA-2 is supported from 8.4.2 for the signature algorithm, but it always refers to importing a certificate from an external certification authority.

Please follow this post: https://supportforums.cisco.com/discussion/12700106/asa-sha2-support-self-signed-certificates#comment-10917826

Regards,
Dinesh Moudgil

PS Please rate helpful messages.

Tags: Cisco Security

Similar Questions

  • ASA SHA2 support with self-signed certificates

    Is it possible to use a SHA-2 signature algorithm when generating a self-signed certificate on an ASA? I can't find any documentation on commands that control things like the signature algorithm when you use self-signed certificates. I have seen documentation saying SHA-2 is supported from 8.4.2 for the signature algorithm, but it always refers to importing a certificate from an external certification authority.

    Hi William,

    You can only generate a SHA-1 self-signed certificate on the ASA. The solution is to import a certificate from a third party with a SHA-2 signature algorithm.

    Here is the bug ID for the same:

    ASA support for SHA-2 for crypto IPsec and PKI operations
    CSCuj67576
    https://Tools.Cisco.com/bugsearch/bug/CSCuj67576/?reffering_site=dumpcr

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.
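    Whether a certificate is SHA-1 or SHA-2 signed is recorded in its outer signatureAlgorithm field, so it can be checked from the DER itself rather than from documentation. The following is an added example (my code, not from this thread or from Cisco): a minimal DER walker that pulls that OID out of an X.509 certificate and maps it to a hash family. Point it at the DER of the ASA's identity certificate (exported from the trustpoint, or captured with openssl s_client against the SSL VPN interface) to confirm what the box actually presents. The certificate used below is a constructed skeleton with the real Certificate layout but a placeholder tbsCertificate and signature, so the script runs offline; skeleton_certificate, der_encode and encode_oid exist only to build that test input.

```python
# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-2"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384",       "SHA-2"),
}

def der_tlv(buf, pos):
    """Decode one DER TLV starting at pos: returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield the TLVs directly inside a constructed value (e.g. a SEQUENCE)."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def decode_oid(value):
    """Turn OID content octets into dotted form (first byte packs two arcs,
    the rest are base-128 with a continuation bit)."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def certificate_signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return (oid, name, hash family) for the outer signatureAlgorithm."""
    tag, cert, _ = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    children = list(der_children(cert))
    if len(children) != 3:
        raise ValueError("unexpected Certificate layout")
    alg_tag, alg_id = children[1]          # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_val = next(der_children(alg_id))
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(oid_val)
    name, family = SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family

# --- constructed test input: NOT a real ASA certificate --------------------
def der_encode(tag, content):
    """Minimal DER encoder (definite length, short and long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Inverse of decode_oid, used only to build the skeleton below."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def skeleton_certificate(sig_oid):
    """A Certificate-shaped SEQUENCE: placeholder TBS, real AlgorithmIdentifier,
    dummy 2048-bit-sized signature. Only the middle element is meaningful."""
    tbs = der_encode(0x30, der_encode(0x02, b"\x01"))
    alg = der_encode(0x30, der_encode(0x06, encode_oid(sig_oid)) + b"\x05\x00")
    sig = der_encode(0x03, b"\x00" + b"\xAA" * 256)
    return der_encode(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(certificate_signature_algorithm(skeleton_certificate(oid)))
```

    For a real certificate, read the DER bytes from the file (or base64-decode the PEM body) and pass them to certificate_signature_algorithm; a result in the SHA-1 family is what the answer above predicts for an ASA-generated self-signed certificate on that code.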

  • Which Cisco ASA supports DH group 14 and higher

    Which Cisco ASA supports DH group 14 and higher?

    Model and IOS

    Hi John,

    You must have the ASA running code 9.1 and above for DH group 14, and this only works for IKEv2.

    Kind regards

    Aditya

    Please rate helpful posts and mark correct answers.

  • Is PPTP VPN supported on the Cisco ASA 5520 firewall?

    Hi all

    I'm Md.kamruzzaman. My company bought a Cisco ASA 5520 firewall and I want to configure PPTP VPN on the ASA 5520 firewall. Is it possible to configure PPTP VPN on the ASA firewall? If possible, can you please tell me the procedure to configure PPTP VPN?

    Best regards

    MD.kamruzzaman

    Sorry, but the Cisco ASA firewall does not support PPTP VPN termination.

    You may terminate IPsec and SSL VPN, but not PPTP.

    If you are new to the ASA, the best way to configure the supported VPN types is via the VPN Wizard built into the ASDM management application.

  • Cisco ASA: multiple interfaces active on a single switch without VLAN configuration on the switch

    I was wondering if there is a workaround on the Cisco ASA to have 2 VLAN interfaces on one switch. The reason I ask is that I have a Cisco ASA 5505 and a Dell switch that does not support VLAN configuration. I set up 2 VLAN interfaces on the Cisco ASA, and when both interfaces are active my internet drops frequently. I was wondering if there is anything to configure on the Cisco ASA to make this work. Thanks in advance...

    Assuming the Dell switch at least supports spanning tree, connecting several ASA interfaces to the Dell should result in all but one of them being put into spanning-tree blocking state, to avoid a spanning-tree loop.

    If the Dell does not support spanning tree at all, then you would be in very bad shape: each broadcast packet would loop indefinitely and cause what we call a "broadcast storm".

    One way is no good and the other is actively harmful.

  • Cisco ASA vs 1941?

    Dear all, I have a Cisco ASA 5510 performing the basic firewall role in the network, and a 1941 router which is our internet router. We plan to provide VPN access and will also host a database that must be accessible from the internet. It would be helpful if someone could advise on the following, please.

    1. Can I configure the above requirements on a Cisco 1941 router?

    2. Do I need a separate firewall device such as the ASA?

    3. Do I need a special license to achieve this?

    4. Is port forwarding a better option for publishing our database for external access? Expect at least 500 simultaneous users (sometimes) accessing the portal.

    Thank you.

    Hello,

    You can do this by using the Internal Service Module (ISM-VPN) and licensing support on your router; it supports a maximum of 500 sessions at a time. But I think it will be more expensive than doing port forwarding on your router.

    For more information

    http://www.Cisco.com/c/en/us/products/collateral/interfaces-modules/VPN-...

    Port forwarding would be just for your database server...

    Please rate if you find this information useful.

    Kind regards!

  • Web filtering on Cisco ASA using the SFR module

    Hello

    I have a Cisco ASA 5515-X on version 9.2(2) and I use ASDM version 7.2(2). I have the 5.3.1 SFR module on the ASA. I want to activate the ASA web filtering feature. Previously, I used the regex method on the ASA to perform URL filtering, but it was not effective. Since I now have the FireSIGHT management license, I want to use it.

    But I am confused, as some Cisco docs say to set up FireSIGHT management on VMware while others say to run the boot image on the ASA itself. What is the right way to do it?

    From the show module command, I see that my SFR module is up, so does that mean the SFR module is pre-installed and I can't do much configuration?

    It would be better for me to run it on the ASA itself, but if it does not work like that then I will configure it in a VM. So please clarify my options and my best chance.

    Whether it should be installed on a virtual machine or on the ASA itself, please give me the link to download the boot images and other files on cisco.com. I have the username and password, but did not find the correct software.

    Thank you in advance.

    Your ASA 5515-X runs the minimum version required to support the FirePOWER (SFR) module. The module also runs the initial version of the FirePOWER software for the ASA-based FirePOWER module.

    With this combination of ASA and FirePOWER software on your device, you will need to use an external FireSIGHT manager to manage the module (create policies, apply licenses, monitor events, etc.).

    From ASA 9.5(1) and FirePOWER 6.0, you have the option to do most of the same functions via ASDM. You must upgrade the ASA (and ASDM) and the FirePOWER module to achieve that.

    In both cases, you need Protection and URL Filtering licenses for the FirePOWER module.

    The Quick Start Guide is here: http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepo...

    See also the excellent Lab Minutes video guides for FirePOWER: http://labminutes.com/video/sec/ASA%20FirePower

    The ASA and ASDM software is here:

    https://software.Cisco.com/download/type.html?mdfid=284143128&flowid=31442

    The FirePOWER module software is here:

    https://software.Cisco.com/download/release.html?mdfid=286271171&flowid=...

    To run the FireSIGHT Management Center VM, the software is here:

    https://software.Cisco.com/download/release.html?mdfid=286259687&flowid=...

    All the links above require an entitled cisco.com username (support agreement) to download the software.

  • Integration of Websense with Cisco ASA

    Hello guys,

    I have little experience with the Cisco ASA, so I want some help from you.

    I have a Websense solution in my network working with the ASA firewall. It works perfectly fine, but I found that when the ASA works with Websense it sends only the IP for HTTPS; this causes some trouble in the report generated by Websense, which contains only the IP addresses instead of the names of the sites.

    Has someone already managed to integrate with Websense and not run into this?

    Thank you all

    The reason it only contains the IP instead of the URL for HTTPS traffic is that HTTPS is encrypted and the URL is inside the encrypted session, so you see only the IP instead of the URL.

    If Websense supports HTTPS decryption, you'd be able to see the actual URL.

  • Cisco ASA url filtering

    I have a Cisco ASA 5515 and it works fine. Now I want to activate URL filtering so that I can filter websites such as Facebook, YouTube, torrents and so on. I don't have the license for URL filtering, and according to the Cisco document, we don't need the URL filtering license for this. So how can I block them?

    Hello

    Yes, certainly, please visit this link:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Kind regards

    Aditya

    Please rate helpful posts and mark correct answers.

  • IPsec: no pkts sent on Cisco ASA

    Hi, please, I need some help.

    I have an IPsec tunnel between my Cisco ASA and a pfSense peer; the VPN is up, including phase 2.

    But I could not send pkts over this VPN.

    My internal network: 10.2.0.0/17; customer network: 172.31.2.2/32

    ==========================

    FW-VPN-01# show crypto ipsec sa peer 177.154.83.34
    peer address: 177.154.83.34
        Crypto map tag: outside_map0, seq num: 4, local addr: 200.243.146.20

          access-list outside_cryptomap_8 extended permit ip 10.2.0.0 255.255.128.0 host 172.31.2.2
          local ident (addr/mask/prot/port): (10.2.0.0/255.255.128.0/0/0)
          remote ident (addr/mask/prot/port): (172.31.2.2/255.255.255.255/0/0)
          current_peer: 177.154.83.34

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 2957, #pkts decrypt: 2957, #pkts verify: 2957
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 1

          local crypto endpt.: 200.243.146.20/0, remote crypto endpt.: 177.154.83.34/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: C1A13463
          current inbound spi : 5B6B0EAB

        inbound esp sas:
          spi: 0x5B6B0EAB (1533742763)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 9179136, crypto-map: outside_map0
             sa timing: remaining key lifetime (sec): 858
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xC1A13463 (3248567395)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 9179136, crypto-map: outside_map0
             sa timing: remaining key lifetime (sec): 858
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    ===========================

    FW-VPN-01# packet-tracer input outside icmp 10.2.110.10 1 0 172.31.2.2

    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    ===============================

    FW-VPN-01# show running-config | include 177.154.83.34
    crypto map outside_map0 4 set peer 177.154.83.34
    group-policy GroupPolicy_177.154.83.34 internal
    group-policy GroupPolicy_177.154.83.34 attributes
    tunnel-group 177.154.83.34 type ipsec-l2l
    tunnel-group 177.154.83.34 general-attributes
     default-group-policy GroupPolicy_177.154.83.34
    tunnel-group 177.154.83.34 ipsec-attributes

    ==============================

    FW-VPN-01# show running-config | include 172.31.2.2
    object network 172.31.2.2_32
     host 172.31.2.2
    access-list sheep extended permit ip 10.2.0.0 255.255.128.0 host 172.31.2.2
    access-list inside_access_in extended permit ip 10.2.0.0 255.255.128.0 object 172.31.2.2_32
    access-list outside_cryptomap_5 extended permit ip object 10.2.0.0_17 object 172.31.2.2_32
    access-list outside_cryptomap_8 extended permit ip object 10.2.0.0_17 object 172.31.2.2_32
    nat (inside,any) source static 10.2.0.0_17 10.2.0.0_17 destination static 172.31.2.2_32 172.31.2.2_32 no-proxy-arp route-lookup

    So you see the packets traverse your inside interface, but no response comes back. Please check that you have a route to the 172.31.2.2 host in your internal network pointing traffic to the ASA.

    The packet tracer shows a drop because you ran it out-to-in, and in that case you must specifically allow that traffic in the ACL on the outside interface. When real traffic arrives through the VPN, the ASA checks for sysopt and the interface access list is bypassed. But when you do a packet tracer, the simulated packet does not actually come through the VPN, and therefore we have to permit it in the outside interface ACL for the packet tracer to pass.
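    The counters in the posted output are the key evidence: "#pkts decaps: 2957" with "#pkts encaps: 0" means the pfSense side is sending and the ASA is decrypting, but the ASA never classifies anything for encryption, so the problem is on the outbound path (routing toward the ASA, NAT, or which crypto map entry the traffic matches), not in phase 1 or phase 2. The following is an added example (my code, not from this thread or from Cisco): a small triage script that parses the counter block of "show crypto ipsec sa" output, classifies the tunnel, and checks whether a given source/destination even falls inside the SA's proxy IDs. The sample text is constructed here to mirror the counters posted above; nothing is pulled from a device.

```python
import ipaddress
import re

# Constructed sample mirroring the counters block posted above (not live output).
SAMPLE_SA_OUTPUT = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2957, #pkts decrypt: 2957, #pkts verify: 2957
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 1
"""

# Matches every "#name: value" counter the ASA prints in this block.
COUNTER_RE = re.compile(r"#(?P<name>[A-Za-z -]+?):\s*(?P<value>\d+)")

def parse_sa_counters(text):
    """Map each counter name (e.g. 'pkts encaps') to its integer value."""
    return {m.group("name").strip(): int(m.group("value"))
            for m in COUNTER_RE.finditer(text)}

def matches_proxy_ids(src, dst, local_net, remote_net):
    """True if src->dst lies inside the SA's local/remote identities, i.e. the
    ASA would treat it as interesting traffic for this tunnel. Accepts
    'addr/mask' in either prefix-length or dotted-netmask form."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_net, strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_net, strict=False))

def diagnose(counters):
    """Classify the tunnel from encaps/decaps and return (state, next checks)."""
    enc = counters.get("pkts encaps", 0)
    dec = counters.get("pkts decaps", 0)
    hints = []
    if enc == 0 and dec > 0:
        state = "rx-only"
        hints += [
            "peer traffic arrives and decrypts, but nothing is encapsulated locally",
            "check inside routing: does traffic for the remote network reach the ASA?",
            "check the NAT exemption (identity NAT) and that no earlier NAT rule matches",
            "check which crypto map entry / crypto ACL this traffic actually hits",
        ]
    elif enc > 0 and dec == 0:
        state = "tx-only"
        hints += ["we encapsulate but nothing returns: check the peer's routing, "
                  "phase-2 selectors and firewall policy"]
    elif enc == 0 and dec == 0:
        state = "idle"
        hints += ["no traffic is being classified for this SA in either direction"]
    else:
        state = "bidirectional"
    if counters.get("recv errors", 0) or counters.get("send errors", 0):
        hints.append("send/recv errors > 0: check the logs for replay or selector mismatches")
    return state, hints

if __name__ == "__main__":
    counters = parse_sa_counters(SAMPLE_SA_OUTPUT)
    state, hints = diagnose(counters)
    print(state)
    for h in hints:
        print(" -", h)
    # The post's test flow against the SA's proxy IDs:
    print(matches_proxy_ids("10.2.110.10", "172.31.2.2",
                            "10.2.0.0/255.255.128.0", "172.31.2.2/32"))
```

    For the posted case the script reports rx-only and the test flow does match the proxy IDs, so the crypto ACL itself is not what is wrong. To exercise the failing direction on the box, run the tracer from the inside rather than the outside, e.g. "packet-tracer input inside icmp 10.2.110.10 8 0 172.31.2.2", and look for a VPN encrypt phase in the output. Also note that the posted configuration has two crypto ACLs, outside_cryptomap_5 and outside_cryptomap_8, with identical entries; crypto map entries are evaluated in sequence order, so it is worth confirming which entry (and peer) the lower-numbered ACL belongs to.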

  • AAA: bypassing the enable password on the Cisco ASA

    Hi all. I'm having a problem where I get authenticated by the AAA server, but after authentication I am placed in user mode. The AAA admin (I have no access to the AAA server) told me that he has all the users configured with priv level 15, which lands them directly in privileged mode on routers.

    My question is how I can configure my Cisco ASA to bypass using an enable password. See my configuration below.

    aaa-server MYGROUP protocol tacacs+
     max-failed-attempts 4
    aaa-server MYGROUP (inside) host 2.2.2.2
     timeout 3
     key *
    aaa authentication telnet console MYGROUP LOCAL
    aaa authentication enable console MYGROUP LOCAL
    aaa accounting command privilege 15 MYGROUP

    It looks like you want to land directly in privileged EXEC mode. This feature is not supported by the ASA. This is only possible on IOS devices.

    Rgds, jousset

    Please rate useful posts.

  • Pre-installation questions on IPS on a Cisco ASA cluster

    Hello

    I'm looking for some configuration guidance for IPS.

    I have a Cisco ASA cluster with an IPS module and I would like to know the best way to go about setting it up.

    We have a customer who requires their web servers to be protected with the IPS module. I have the following questions:

    1. Is it possible to install the IPS in a learning-type mode, to see what kind of traffic is hitting it?

    2. Can you syslog alerts?

    3. Is it possible to use SNMP traps for alerting as well?

    4. If you put it in promiscuous mode (IDS), does that mean that when you receive an alert about a possible attack, an administrator must log on to the firewall and block the traffic if they choose to do so? Is it possible for an administrator to block traffic (or allow it, if it's a false positive in the IPS) without having to connect to ASDM? If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?

    5. Is it possible to set up alerting so that if it's a DDoS it sends an email alert, and if it's a split handshake then just a syslog alert?

    6. I'm afraid that if I deploy it with a profile it may start blocking valid traffic. What is the best way to start with IPS to protect a server?

    7. If it's possible to syslog, what kind of detail does the syslog capture? Attack name, etc.?

    A lot of questions! I hope someone can help.

    Thanks a million

    1. Is it possible to install the IPS in a learning-type mode, to see what kind of traffic is hitting it?

    Yes. There are several ways to do this, but the easiest way is to put the sensor in promiscuous mode (in the ASA config).

    2. Can you syslog alerts?

    No. The Cisco IPS OS doesn't support syslog.

    3. Is it possible to use SNMP traps for alerting as well?

    Yes. But you must set the 'action' on each signature for which you want a trap sent.

    4. If you put it in promiscuous mode (IDS), does that mean that when you receive an alert about a possible attack, an administrator must log on to the firewall and block the traffic if they choose to do so? Is it possible for an administrator to block traffic (or allow it, if it's a false positive in the IPS) without having to connect to ASDM? If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?

    Those who perform IPS event analysis generally have sufficient privilege and access to make any necessary changes to your firewall and IPS sensors. IPS analysis takes time, knowledge and skills. Most customers do not have the resources to do the job you describe.

    5. Is it possible to set up alerting so that if it's a DDoS it sends an email alert, and if it's a split handshake then just a syslog alert?

    No syslog. You can set email alerts on a per-signature basis.

    6. I'm afraid that if I deploy it with a profile it may start blocking valid traffic. What is the best way to start with IPS to protect a server?

    Start in "promiscuous" mode and see which signatures get hit. Investigate them, tune out your false positives until you have a tight set of signature actions. Then switch to inline mode.

    7. If it's possible to syslog, what kind of detail does the syslog capture? Attack name, etc.?

    No syslog.

    -Bob

  • The number of VPN profiles that can be created on a Cisco ASA 5540

    Hi all,

    I want to know if there is a limit to how many AnyConnect VPN profiles can be created on a Cisco ASA 5540? TIA!

    https://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/configuration/g...

    Maximum Connection Profiles

    The maximum number of connection profiles (tunnel groups) that a security appliance can support is a function of the maximum number of concurrent VPN sessions for the platform + 5. For example, an ASA 5505 can support a maximum of 25 concurrent VPN sessions, allowing 30 tunnel groups (25 + 5). Attempting to add an additional tunnel group beyond the limit results in the following message: "ERROR: the limit of 30 configured tunnel groups has been reached."

    Table 32-2 specifies the maximum VPN sessions and connection profiles for each ASA platform.

    Table 32-2 Maximum VPN Sessions and Connection Profiles by ASA Platform

    Platform                     Maximum VPN sessions   Maximum connection profiles
    5505 Base / Security Plus    10 / 25                15 / 30
    5510 Base / Security Plus    250                    255
    5520                         750                    755
    5540                         5000                   5005
    5550                         5000                   5005

  • Cisco ASA 5510 - OS upgrade from 7.0 failing. BIOS flash not found

    Hello everyone,

    I have a Cisco ASA 5510 in a lab environment with no configuration whatsoever.

    Objective: upgrade the OS from the current version 7.0(8) to 7.1.1 (possibly go to 8.2 after a memory upgrade on the ASA from 256 MB to 1 GB, and then move to the latest 8.2 version).

    Show version output attached.

    Show flash output attached.

    asa711-k8.bin is the file that was copied from a TFTP server to flash.

    The following commands were executed in order to update the OS:

    ciscoasa(config)# boot system flash:/asa711-k8.bin
    INFO: Converting flash:/asa711-k8.bin to disk0:/asa711-k8.bin
    ciscoasa(config)#
    ciscoasa(config)# end
    ciscoasa# write memory
    Cryptochecksum: aaaa08ce ccde38f2 19c42e08 dea24cbd
    2713 bytes copied in 1.450 secs (2713 bytes/sec)
    [OK]
    ciscoasa# reload

    PROBLEM: the ASA goes into an infinite loop (keeps restarting). This is the message on the console:

    Booting system, please wait...

    CISCO SYSTEMS
    Embedded BIOS Version 1.0(11)5 08/28/08 15:11:51.82
    Memory: 631 KB
    Memory: 256 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
     00  00  00   8086   2578  Host Bridge
     00  01  00   8086   2579  PCI-to-PCI Bridge
     00  03  00   8086   257B  PCI-to-PCI Bridge
     00  1C  00   8086   25AE  PCI-to-PCI Bridge
     00  1D  00   8086   25A9  Serial Bus         11
     00  1D  01   8086   25AA  Serial Bus         10
     00  1D  04   8086   25AB  System
     00  1D  05   8086   25AC  IRQ Controller
     00  1D  07   8086   25AD  Serial Bus         9
     00  1E  00   8086   244E  PCI-to-PCI Bridge
     00  1F  00   8086   25A1  ISA Bridge
     00  1F  02   8086   25A3  IDE Controller     11
     00  1F  03   8086   25A4  Serial Bus         5
     00  1F  05   8086   25A6  Audio              5
     02  01  00   8086   1075  Ethernet           11
     03  01  00   177D   0003  Encrypt/Decrypt    9
     03  02  00   8086   1079  Ethernet           9
     03  02  01   8086   1079  Ethernet           9
     03  03  00   8086   1079  Ethernet           9
     03  03  01   8086   1079  Ethernet           9
     04  02  00   8086   1209  Ethernet           11
     04  03  00   8086   1209  Ethernet           5
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(11)5) #0: Thu Aug 28 15:23:50 CDT 2008
    Platform ASA5510
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Boot configuration file contains 1 entry.

    Loading disk0:/asa711-k8.bin... Booting...

    256MB RAM
    Total SSMs found: 0
    Total NICs found: 7
    mcwa i82557 Ethernet at irq 11 MAC: 0024.974a.65af
    mcwa i82557 Ethernet at irq 5  MAC: 0000.0001.0001
    BIOS flash not found.
    Reset...

    The only way for me to get things back to normal is to BREAK the boot sequence with ESC and go into ROMMON mode. I then issue a boot command for the ASA to boot with the default 7.0(8) image.

    Can someone please explain what the problem is here?

    Apologies if I'm missing something obvious; I'm not an expert on the ASA.

    It looks like the ASA is hitting a field notice: FN62378. Per the FN, it's because of an incompatible combination of hardware and software versions. Please upgrade to version 7.1.2 instead of 7.1.1. If you plan to go to 8.2, then instead of going to 7.1.2 you could go to 7.2.5 (recommended), then 8.2.5.

    http://www.Cisco.com/c/en/us/support/docs/field-notices/620/fn62378.html

    Hope it helps.

    Kind regards

    Akshay Rouanet

    Remember to rate useful posts.

  • "Cisco ASA multiple flaws let remote users deny service and bypass security controls"

    Recently we have heard people talking about "Cisco ASA multiple flaws let remote users deny service and bypass security controls" on SecurityTracker. However, as everyone knows, ASA 8.3 needs a lot more resources on the ASA hardware to run. I checked the bugs associated with the above problem, "CSCtg69742, CSCth36592, CSCtg61810, CSCte53635, CSCte46460, CSCte20030, CSCtf29867, CSCte14901, CSCsz80777, CSCsz36816", in the Cisco Bug Toolkit. None of them show any information on whether there is a fix for ASA 8.2(x).

    Does this mean that Cisco is starting to stop supporting 8.2(x) and is pushing customers to its "so-called" best image, version 8.3(x), as a "marketing" strategy?

    Cisco had better find a solution for this problem on 8.2(x) rather than push customers to something Cisco "loves". That may not be in the customers' best interest AT ALL. Instead of pushing customers to ASA 8.3(x), Cisco is likely to push customers to its big competitor Juniper :)

    Sean,

    I did a quick search in the Bug Toolkit for CSCtg69742 and found the following result.

    Fixed-in:
    8.2(3)
    8.3(1.5)
    8.3(2)
    8.2(2.15)
    8.2(2.107)
    100.7(0.17)M
    100.5(5.16)M
    8.3(1.100)
    100.7(6.1)M
    8.4(0.99)

    This was shown in the column on the left side of the search results page.

    I recommend you search each Bug ID in the Bug Toolkit (http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs) for the version name (number) that contains the fix for that bug.

    HTH

    Amol
