Issue of ASA 5510

Similar Questions

• NAT issue ASA 5510

  Just upgraded my ASA 5510 of 8.2 (1) 8.4 (4) 1.  Well, everything seems to work with one big exception.

  NAT statements I had previously remained in force and even seem to reproduce in some cases.

  Now, my question is I've set up a DMZ (security 50) interface and requiring a few servers to connect to the inside interface (Security 100).  I created the necessary NAT statements within the ASDM to allow the DMZ servers to connect to a single inside the server.  However, all the servers in the DMZ can still ping and connect to ALL inside servers.

  An easy way to limit it?  I try to limit the number of servers on the internal network that can access the demilitarized zone, but it seems that the DMZ has free rein at the present time.

  Am happy to post my configs. I opened a case of TAC, but this firewall is still so new, the assistance contract has not yet been addressed by Cisco.

  Thanks in advance.

  I'll look when get home, but it is a quick answer.

  If 192.168.1.0/24 is DNZ and 10.1.1.0/24 is inside

  ! - can only accommodate 192.168.1.40 DMZ host centimeters inside the network 10.1.1.25
  dmz_access_in ip 192.168.1.40 host access list permit 10.1.1.25
  ! - deny everthing else inside the network
  dmz_access_in list access deny ip 192.168.1.0 255.255.255.255 10.1.1.0 255.255.255.0
  ! - allow access to internet of the DNZ
  dmz_access_in 192.168.1.0 ip access list allow 255.255.255.255 any

  Samuel Petrescu

• ASA 5510 routing issue.

  Forgive me if this get confused.

  I have a new ASA 5510, I set it up to use VPN. I can via IPSEC vpn and connect to 2 of my et.64 sous-reseaux.0 (we have 4 subnets in our range) I can ping, http, connect to the shares, SSH, etc. I use the ACL of our outgoing VPN module, so I have nothing here should be bad. The problem I have is learning to our network of laboratories located on the sous-reseau.128. I can't ping, connect, http anything.

  Is there some special routing I need to do so that people that VPN in to see this subnet? (For test purposes the ASA is located behind the firewall and connected directly to the sous-reseau.0 so I know this isn't the firewall and everything else on that subnet can see our lab).

  Thanks for helping on the new guy.

  Shawn

  Shawn-

  Your sous-reseaux.0 &.64 is considered to be "interesting traffic" (by an ACL) and they are not NAT had sent through the VPN tunnel. You must add the sous-reseau.128 two the ACL that says no NAT and that specifies traffic interesting. If you encounter some snags, post a sanitized config and we will be able to give a more detailed response.

  HTH

• Automatic update AIP-SSM-10 and ASA 5510 (Beginner)

  I see that it is possible to automate the updates of the ASA 5510 and AIP SSM via FTP on my own server. Is it possible to automate the download directly from Cisco.com?

  Thank you!

  Jeremy

  Jeremy, the answer to your question is correct, as far as the Cisco products are concerned. So I wrote a PERL app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm

  And it is also on my site, with a tar of scripts to:

  http://www.LHB-consulting.com/pages/apps/index.html

  Good luck.

  -Lisa

• IPSEC with the router and asa 5510

  Hi all

  I have problems connecting ipsec l2l. I have set up a router and asa 5510 make ipsec between them, but it seems to fail on the phase 1. I already check and I am 100% sure that is the key. You can a few shed light on the issue, I have. Here's the output debug I get the two system.

  Thank you

  Hello

  Isakmp policy match on both devices? What version of ios is running on the router and the asa5510

  Thank you

• All necessary licenses on ASA 5510 for old Cisco VPN Client

  We're trying to migrate our firewall Watchguard to a Cisco ASA 5510, who bought some time ago. For some reason, all of our users have already installed the old Cisco VPN client. I think it will work. Are there licensing issues on the 5510 I had to be concerned with?  No matter what special config that needs to be done on the 5510?

  Fix. You don't require licensing of AnyConnect of any type of configuration and the use of IKEv1 IPsec remote access VPN (which use the old Cisco VPN client).

  You will be limited to 250 active IPsec peers (remote access more no matter what VPN site-to-site) by the platform (hardware) device capabilities that are enforced by the software.

• Cisco ASA 5510 - IOS upgrade 7.0 failing. Not found Flash BIOS

  Hello everyone

  I have a Cisco ASA 5510 in a lab with none of the configurations environment what so ever.

  Objective: upgrade the IOS current version 7.0 (8) to 7.1.1 (possibly go to 8.2 until memory upgrade on the SAA: 256 MB to 1 GB and then move to the latest version of 8.2 IOS).

  Output to see the attached Version.

  Output Flash attached show.

  asa711 - k8.bin is the file that has been copied from a TFTP server to flash.

  The following commands have been executed in order to update the IOS

  ciscoasa (config) # boot flash system: / asa711 - k8.bin
  INFO: Conversion of flash: / asa711 - k8.bin to disk0: / asa711 - k8.bin
  ciscoasa (config) #.
  ciscoasa (config) # end
  ciscoasa # write memory
  Cryptochecksum: aaaa08ce ccde38f2 19c42e08 dea24cbd
  2713 bytes copied in 1,450 dry (2713 bytes/s)
  [OK]
  ciscoasa # reload
  

  PROBLEM: the device ASA goes in an infinite loop (guard restart). This is the message on the console:

  The system boot, please wait...

  CISCO SYSTEMS
  Embedded BIOS Version 1.0 (11) 15:11:51.82 5 08/28/08
  Memory: 631ko
  Memory: 256 MB
  PCI device table.
  Bus Dev Func VendID DevID class Irq
  00 00 00 8086 2578 host Bridge
  00 01 00 8086 2579 PCI to PCI bridge
  00 03 00 8086 PCI bridge to PCI 257 b
  00 1 00 8086 PCI bridge to PCI 25AE
  1 d 00 00 8086 25A 9 Serial Bus 11
  1 00 01 8086 25AA Bus series 10 d
  1 d 00 04 8086 25AB system
  1 d 00 05 8086 25AC IRQ controller
  1 d 00 07 8086 25AD Bus series 9
  1E 00 00 8086 PCI bridge to 244th PCI
  1F 00 00 8086 25A 1 ISA Bridge
  1F 00 02 8086 25 IDE controller has 3 11
  1F 00 03 8086 25A 4 Bus series 5
  1F 00 05 8086 25A 6 Audio 5
  02 01 00 8086 1075 Ethernet 11
  03 01 00 177 D 0003 encrypt/decrypt 9
  03 02 00 8086 1079 Ethernet 9
  03 02 01 8086 1079 Ethernet 9
  03 03 00 8086 1079 Ethernet 9
  03 03 01 8086 1079 Ethernet 9
  04 02 00 8086 1209 Ethernet 11
  04 03 00 8086 1209 Ethernet 5
  Evaluate the BIOS Options...
  Launch of the BIOS Extension installation ROMMON
  Cisco Systems ROMMON Version (1.0 (11) 5) #0: Thu Aug 28 15:23:50 CDT 2008
  Platform ASA5510
  Use BREAK or ESC to interrupt the boot.
  Use the SPACE to start boot immediately.
  Start the program boot...
  Startup configuration file contains 1 entry.

  Load disk0: / asa711 - k8.bin... The starting...

  256 MB OF RAM
  Total of SSMs found: 0
  Total cards network found: 7
  mcwa i82557 Ethernet to irq 11 MAC: 0024.974a.65af
  mcwa i82557 Ethernet to the irq 5 MAC: 0000.0001.0001
  Not found BIOS flash.
  Reset...

  The only way for me to do things to normal is if I BREAK the sequence starting with ESC and go into ROMMON mode. I then issue a start command for the SAA to start with 7.0 (8) default IOS Image.

  Please can someone explain what is the problem here?

  Apologies if I'm missing something obvious that I'm not an expert of the SAA.

  Looks like that the ASA is hitting a field notice: fn62378. The FN, it's because of the incompatible version of hardware and software. Please upgrade to version 7.1.2 instead of 7.1.1. If you plan to spend in 8.2. So instead of going 7.1.2 you could go to 7.2.5 (recommanded), then 8.2.5

  http://www.Cisco.com/c/en/us/support/docs/field-notices/620/fn62378.html

  It will be useful.

  Kind regards

  Akshay Rouanet

  Remember messages useful rate.

• Unable to connect to server vpn behind ASA 5510 with windows clients

  Hi all

  I've seen a number of posts on this and followed by a few documents of support on this issue, but I'm totally stuck now, nothing seems to work for me.

  This is the usual scenario, I have a VPN windows 2003 Server sat on the lan deprived of our ASA 5510 firewall, and I try to get my Windows XP / 7 laptop computers to connect to it.

  Within the ASDM:

  (1) Server Public created for Protocol 1723

  (2) Public created for the GRE protocol Server

  3) created two public servers have the same public and private addresses

  (4) the foregoing has created config Public Private static route in the section NAT firewall

  (5) rules to Firewall 2 also created above on the external interface for both 1723 and GRE

  When you try to connect, I get the following entry in the debug log.

  6 August 6, 2010 17:09:37 302013 195.74.141.2 1045 1723 ChamberVPN-internal built ride connection TCP 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to the inside: ChamberVPN-internal/1723 (XXX.XXX.XXX.XXX/1723)

  but nothing else.

  The server shows not attempting a connection so I think I'm missing something on the firewall now.

  Also inside interface there is a temporary rule:

  Source: no

  Destination: any

  Service: IP

  Action: enabled

  This should allow all outbound traffic only as far as I know...

  Any help would be greatly appreciated.

  Chris

  Hi Chris,

  ASA newspaper indicates that the connection is interrupted because of "syn timeout. This means that asa receives no response from the Windows Server. Right now, we need to clarify some points.

  1 - your vpn server committed a correct default gateway error or the path that lies in your fw interface asa.

  is 2 - possible to start capturing packets on Windows Server. Hereby, we can get data flow information beetween client and server. And we can be sure that Windows Server wonders vpn.

  Ufuk Güler

• IPS in ASA 5510 killing upload speed

  I've recently updated by a circuit of ethernet metro 20 MB for a 100 Mb connection.  My ASA 5510 severely limits the my download speed.  I narrowed down it to the IPS module.  If I stop to send traffic to the IPS, I get speeds of download between 50-85 Mbps.  If I start sending through again, my download speeds are between 3-7 Mbps.  In both cases, my speeds range between 70-92 MB/s, so it's really affecting only my upload speed.  Is there anything I can do for my traffic IPS, so I can still use my modules and still take advantage of the speed upload huge we pay for?

  Here is some info from my ASA:

  I am matching all traffic:

  allow traffic_for_ips to access extensive ip list a whole

  Here is my policy and class parameters:

  class-map inspection_default
  match default-inspection-traffic
  class-map-botnet-DNS
  match eq field udp port
  class-map ips_class_map
  corresponds to the traffic_for_ips access list
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the ftp
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  inspect the preset_dns_map dns
  class ips_class_map
  IPS inline help
  botnet-policy policy-map
  botnet-DNS class
  inspect the snoop-filter-dynamic dns
  !
  global service-policy global_policy
  service-policy botnet-policy to the outside interface

  If anyone has any ideas, I'd love to hear them.  Thank you.

  Created: May 13, 2011 18:49 created by: Chevrel, customer Aastha(AACHAUDH,265429) was experiencing slow download speeds (3-7 Mbps) on in ASA 5510 IPS module. Download the range of speeds between 70-92 MB/s

  Used the workaround for the bug No. CSCsv69844 , i.e. to set the depth of Regex to 800000 (Please note that this workaround should not serve with the recommendation and approval of the ATC.)

• Updated AIP-SSM-10 on ASA 5510

  Hello

  I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP - SSM is running E3 479.0 1.0000 and I have a valid account of the ORC etc for this.

  1. What is the version of the software on the question of the ASA?
  2. When I look in the software downloads< ips="" there="" are="" .pkg="" and="" .img="" files.="" i="" want="" to="" upgrade="" to="" 6.3(3)e4.="" do="" i="" have="" to="" re-image="" the="" ips="">
  3. AFAIK redefinition to wipe the device so I just reload the config after, right?
  4. I guess I can apply any update after going to E4?
  5. Can you give me links for this upgrade?

  see you soon

  Let me give some clarification on a few points:

  2. There is no need to recreate the image on the device using the .img file.  You can improve the mechanism of maintenance of your existing configuration using the .pkg file.  It is the recommended method for upgrading to Cisco IPS devices/modules.  The .img file to recreate the image should only be used to restore the default device.

  5 here are links for the upgrade of the probe using a .pkg file.  For updates through the IDM user interface:

  http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/IDM/idm_sensor_management.html#wp2126670

  For upgrades via the CLI:

  http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/CLI/cli_system_images.html#wp1142504

  Another point of clarification; current releases of IPS software supported on the AIP-SSM-10 are (taking into account you are currently running 6.2 (1) E3):

  6.2 (3) E4

  7.0 (4) E4

  You can go directly to each output.

  Scott

• Review of the ASA 5510 Config

  Hi all, I'm about to replace an existing a new ASA 5510 firewall.  The environment is pretty simple, just an external and internal interface.  I put in correspondence configs as much as possible, but I'd like to see if there are obvious problems.  I am concerned mainly with my NAT statements.  Nothing in the following config (sterilized) seems out of place?  Thank you!!

  ------------------------------------------------------------

  ASA 4,0000 Version 5

  !

  ciscoasa hostname

  enable the encrypted password xxxxxxxxxx

  XXXXXXXXXX encrypted passwd

  names of

  !

  interface Ethernet0/0

  nameif outside

  security-level 0

  IP 40.100.2.2 255.255.255.252

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 10.30.0.100 255.255.255.0

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  Shutdown

  nameif management

  security-level 100

  IP 192.168.1.1 255.255.255.0

  management only

  !

  boot system Disk0: / asa844-5 - k8.bin

  passive FTP mode

  permit same-security-traffic inter-interface

  network of the 10.10.0.78 object

  Home 10.10.0.78

  Nospam description

  network of the 10.10.0.39 object

  Home 10.10.0.39

  Description exch

  network of the 55.100.20.109 object

  Home 55.100.20.109

  Description mail.oursite.com

  network of the 10.10.0.156 object

  Home 10.10.0.156

  Description

  www.oursite.com-Internal

  network of the 55.100.20.101 object

  Home 55.100.20.101

  Description

  www.oursite.com-External

  network of the 10.10.0.155 object

  Home 10.10.0.155

  Ftp description

  network of the 10.10.0.190 object

  Home 10.10.0.190

  farm www Description

  network of the 10.10.0.191 object

  Home 10.10.0.191

  farm svc Description

  network of the 10.10.0.28 object

  Home 10.10.0.28

  Vpn description

  network of the 10.10.0.57 object

  Home 10.10.0.57

  Description cust.oursite.com

  network of the 10.10.0.66 object

  Home 10.10.0.66

  Description spoint.oursite.com

  network of the 55.100.20.102 object

  Home 55.100.20.102

  Description cust.oursite.com

  network of the 55.100.20.103 object

  Home 55.100.20.103

  Ftp description

  network of the 55.100.20.104 object

  Home 55.100.20.104

  Vpn description

  network of the 55.100.20.105 object

  Home 55.100.20.105

  app www description

  network of the 55.100.20.106 object

  Home 55.100.20.106

  app svc description

  network of the 55.100.20.107 object

  Home 55.100.20.107

  Description spoint.oursite.com

  network of the 55.100.20.108 object

  Home 55.100.20.108

  Description exchange.oursite.com

  ICMP-type of object-group DM_INLINE_ICMP_1

  response to echo ICMP-object

  ICMP-object has exceeded the time

  ICMP-unreachable object

  Exchange_Inbound tcp service object-group

  EQ port 587 object

  port-object eq 993

  port-object eq www

  EQ object of the https port

  port-object eq imap4

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  object-group service DM_INLINE_SERVICE_1

  will the service object

  the purpose of the tcp destination eq pptp service

  the DM_INLINE_NETWORK_1 object-group network

  network-object, object 10.10.0.190

  network-object, object 10.10.0.191

  the DM_INLINE_NETWORK_2 object-group network

  network-object, object 10.10.0.156

  network-object, object 10.10.0.57

  DM_INLINE_TCP_2 tcp service object-group

  port-object eq www

  EQ object of the https port

  object-group service sharepoint tcp

  port-object eq 9255

  port-object eq www

  EQ object of the https port

  outside_access_in list extended access permit icmp any any DM_INLINE_ICMP_1 object-group

  outside_access_in list extended access permit tcp any object 10.10.0.78 eq smtp

  outside_access_in list extended access permit tcp any object object 10.10.0.39 - Exchange_Inbound group

  outside_access_in list extended access permit tcp any object-group DM_INLINE_NETWORK_2-group of objects DM_INLINE_TCP_1

  outside_access_in list extended access permit tcp any object 10.10.0.155 eq ftp

  outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any object 10.10.0.28

  outside_access_in list extended access permit tcp any object-group DM_INLINE_NETWORK_1-group of objects DM_INLINE_TCP_2

  outside_access_in list extended access permit tcp any object 10.10.0.66 object-group Sharepoint

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  management of MTU 1500

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm-649 - 103.bin

  don't allow no asdm history

  ARP timeout 14400

  no permit-nonconnected arp

  NAT (exterior, Interior) static source everything any static destination 55.100.20.109 10.10.0.78

  NAT (exterior, Interior) static source everything any static destination 55.100.20.108 one-way 10.10.0.39

  NAT (inside, outside) static source 10.10.0.39 one-way 55.100.20.109

  NAT (exterior, Interior) static source everything any static destination 55.100.20.101 10.10.0.156

  NAT (exterior, Interior) static source everything any static destination 55.100.20.102 10.10.0.57

  NAT (exterior, Interior) static source everything any static destination 55.100.20.103 10.10.0.155

  NAT (exterior, Interior) static source everything any static destination 55.100.20.104 10.10.0.28

  NAT (exterior, Interior) static source everything any static destination 55.100.20.105 10.10.0.190

  NAT (exterior, Interior) static source everything any static destination 55.100.20.106 10.10.0.191

  NAT (exterior, Interior) static source everything any static destination 55.100.20.107 10.10.0.66

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 40.100.2.1 1

  Route inside 10.10.0.0 255.255.255.0 10.30.0.1 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  Enable http server

  http 192.168.1.0 255.255.255.0 management

  http 10.10.0.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Telnet timeout 5

  SSH 10.10.0.0 255.255.255.0 inside

  SSH timeout 5

  SSH group dh-Group1-sha1 key exchange

  Console timeout 0

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  source of NTP server outside xxxxxxxxxx

  WebVPN

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  inspect the pptp

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:40cee3a773d380834b10195ffc63a02f

  : end

  Hello

  You do nat (exterior, Interior), I'm going to do inside, outside but the configuration is always good.

  The ACL configuration is fine, Nat is fine, so you should have problems,

  Kind regards

  Julio

• Cisco ASA 5510 + license + AIP - SSM

  Hello.

  I have this box.

  I have a few questions about it.

  (1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?

  (2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?

  (3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?

  (4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?

  Please help me.

  (1) you must Smartnet in order to download the software from the download from cisco.com site.

  (2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.

  (3) Yes, the basic license is OK for the AIP module.

  (4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.

  Hope that answers your questions.

• ASA 5510 - display block URL Page

  Dear,

  I have Cisco ASA 5510, I have already configured Block_Sites using regular expressions and it works fine. I need to display a Page blocked for any one trying to access blocked sites. Example: I need to display page contains our company Logo and less it shows that "the Site is blocked.

  I can do it on Cisco ASA 5510?

  Thank you

  No, the ASA alone cannot do. To do this, you need a will end UP with appropriate license or a proxy (such as the WSA).

• Allow specific access through the Interfaces ASA 5510

  Hi all

  In my quest to learn Cisco IOS and devices, I need help in smoothing traffic, or access lists, allowing traffic between internal interfaces on the SAA specifically.

  I have an ASA 5510:

  WAN/LAN/DMZ ports labled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

  Connected to the port E0/0 is a 2811 router

  Connected to the port E0/1 is the (external) Internet

  Connected to the port E0/2 is a 2821

  (I'll add a 3745 for VOIP) port E0/3, but it has not yet happened.

  I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.

  I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind routers, as well as on the ASA. So behind the routers I have different VLANS, but I'm not restrict access between them, still, at least I don't think I am. But as it is, behind the 2821 devices cannot access the DNS / DOMAIN SERVER that is located behind the 2811. Right now I have the routers DHCP power, who works there. Currently devices behind the router 2821-3560 switch cannot access the domain server, primary dns server.

  How can I set the ASA to allow traffic to flow between the two routers and their VLANS?

  Here's the configs of each device and I have also included my switch configs, incase something should be set on them. I only removed the passwords and the parts of the external IP address. I appreciate the help in which States to create and on which devices.

  I think it is best that I put the links to the files of text here.

  Thank you!

  You must remove the following statements on the two routers:
  -# ip nat inside source... overload
  -for each # ip nat inside/outside interface, if they have configured.

  Remove ads rip of the networks that are not directly connected:
  -2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
  -2811: 199.195.xxx.0
  -ASA: 128.0.0.0

  No way should be added to the routers, since he is the one by default, put in scene to ASA.

  Check the tables of routing on routers and the ASA.

  On ASA:

  -Remove:
  object-group network # PAT - SOURCE
  # nat (indoor, outdoor) automatic interface after PAT-SOURCE dynamic source

  -create objects of the networks behind the LAN router and enable dynamic NAT:
  network object #.
  subnet
  NAT (inside, outside) dynamic interface

  -review remains NAT rules.

  -to set/adjust the lists access penetration on the interfaces. Do not forget to allow the rip on the LAN and DMZ interfaces.

  -Disable rip on the outside interface.

• How many interfaces in asa 5510

  can someone pls tell me how many interfaces in asa 5510.and we can add more interfaces to it.

  concerning

  Assane

  Hi assane,.

  When you order the ASA5510, you can choose between (option Setup/Noo-Noo fixed to add more ports interface):

  1 ASA5510 device comes with 3 x FastEthernet, more 1xmanagement port (FastEthernet)

  ASA5510-BUN-K9: Cisco ASA 5510 Firewall Edition includes 3 Fast Ethernet interfaces, 250 peers IPSec VPN, SSL VPN 2 peers 3DES/AES license, or

  2 ASA5510 comes with 5xFastEthernet, most 1xmanagement port (FastEthernet).

  Cisco ASA 5510 Security Plus Firewall Edition includes 5 interfaces Fast Ethernet, 250 VPN IPSec peers, 2 peers of SSL VPN, high availability active / standby, 3DES/AES license

  http://www.Cisco.com/en/us/products/ps6120/products_data_sheet0900aecd802930c5.html

  Rgds,

  AK