Standardization commands for ASA config

Hello

For standard / secure configuration of the ASA, I'm going to deploy the attached commands on several ASAs running versions 8.0 to 8.4. Although I have tested them and they work well, as a precaution please advise that these commands will not remove ssh / telnet / http, ACL/NAT, etc.

Also, please tell us whether these commands will also work on PIX version 6.3.

An answer will give me confidence before deployment and also help many others.

Thank you

The clear configure http and clear configure ssh commands do not remove NAT or ACL statements.

I haven't worked much on PIX, but I believe the commands will also work on it. The only exception is enabling logging, which I believe is done with the logging on command.

Other than that, it is very common for these commands to be configured on all ASAs.

--

Please do not forget to rate and choose a good answer

Tags: Cisco Security

Similar Questions

  • ASA rule order

    Hello

    I have a question: in which order does the Cisco ASA 5520 check rules?

    1 route

    2 NAT

    3 ACL

    Kind regards

    Mary

    1 NAT

    2 ACL

    3 route

    See

    http://www.netcraftsmen.NET/welcher/papers/IPSec2.html

  • IPS modules in the ASA config for active/passive failover

    Hey guys,

    We have two ASAs in an active/passive failover pair, each with an AIP-SSM-20 IPS module.

    Are these modules supposed to synchronize their configs like the ASAs do? Or is each a separate entity that needs to be configured separately?

    Thanks for any help!

    Each will have its own IP address, and each must be configured separately.

    They will not communicate with each other and share no configuration.

    You will need to make sure that a config change on one is also made on the other.

    The monitoring station pulls events from both sensors.

    The SSMs rely on the ASA for TCP state tracking, so they will work very well in an ASA failover design.

  • Copy config to another ASA

    We have a remote access VPN, using the Cisco VPN client, in our test environment.  Everything works fine.  We are able to connect with the Cisco VPN client and access internal resources.  However, we want to copy the same configuration to another ASA.  We want to use the same group policies, same tunnel groups, etc.  We only need to change the outside interface IP and the default gateway of the outside interface. In other words, we want to keep everything the same.  If we copy the same configuration to another ASA (production), do we need to change anything else?   Thank you.

    Well yes, the NAT rules. Here is a small tip:

    get the whole config and open it in Notepad, do a find for the public IP or the public IP network address, and it will tell you what to replace.

  • How many VPN groups does the ASA 5520 support for remote access

    Hello

    How many VPN groups are supported on the ASA 5520 with a remote access VPN configuration?

    Regards

    1. If nat-control is disabled and you do not have any other NAT command in your config file, you do not need it. Try removing the existing "nat 0" command and doing a "clear xlate".

    2. You must ensure that your inside network knows it can go through the ASA to reach the remote VPN client IPs. Do you have any layer 3 device behind the ASA that does the routing? If so, please verify its routing table.

  • ASA 8.4.3: install a certificate for webvpn without CSR

    Hi guys,

    I have spent a lot of time trying to install our wildcard certificate on the ASA for use with AnyConnect, but failed miserably every time. I read a lot of posts, but don't really know what I'm doing.

    From our web server I got DigiCertCA.crt, star.mycompany.com_cert.pem and star.mycompany.com_key.pem. The certificate is a wildcard certificate for mycompany.com.

    The DigiCertCA.crt file is the certificate called "DigiCert High Assurance CA-3" on the web site https://www.digicert.com/digicert-root-certificates.htm
    with serial "0A5F114D035B179117D2EFD4038C3F3B".

    On the ASA, I checked that I have no trustpoint present. The commands "sh crypto ca certificates" and "sh crypto ca trustpoints" give no output.

    OK, so let's get started setting it up, and here are the problems:

    ASA(config)# crypto ca trustpoint star.mycompany.com
    ASA(config-ca-trustpoint)# fqdn webvpn.mycompany.com
    ASA(config-ca-trustpoint)# enrollment terminal
    ASA(config-ca-trustpoint)# revocation-check none
    ASA(config-ca-trustpoint)# exit
    ASA(config)# crypto ca authenticate star.mycompany.com

    Enter the base 64 encoded CA certificate.
    End with the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    # CONTENT OF DigiCertCA.crt #
    -----END CERTIFICATE-----
    quit

    INFO: Certificate has the following attributes:
    Fingerprint: c68b9930 c8578d41 6f8c094e 6adb0c90

    Do you accept this certificate? [yes/no]: yes

    Trustpoint 'star.mycompany.com' is a subordinate CA and holds a non self-signed certificate.
    Trustpoint CA certificate accepted.

    % Certificate successfully imported

    ASA(config)# crypto ca import star.mycompany.com certificate

    WARNING: The certificate enrollment is configured with an fqdn
    that differs from the system fqdn. If this certificate will be
    used for VPN authentication this may cause connection problems.

    Would you like to continue with this enrollment? [yes/no]: yes

    % The fully-qualified domain name in the certificate will be: webvpn.mycompany.com

    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    # CONTENT OF star.mycompany.com_cert.pem #
    -----END CERTIFICATE-----
    quit

    Failed to import certificate -
    Certificate does not contain general purpose device public key
    for trustpoint star.mycompany.com
    ERROR: Failed to parse or verify imported certificate

    ASA(config)#

    Please help me! I'm not a certificate guru.

    Kind regards

    Tom van Leeuwen

    Tom,

    Create a PKCS12 container which includes the certificates and the key, and import that.

    I know how to do it on Linux, no idea on Windows.

    Michael

    Please note all useful posts

  • Access Internet AnyConnect and ASA 8.3

    I have configured AnyConnect on an ASA 8.3 and I am able to access everything on the internal LAN very well.  However, I can't reach the Internet while I am connected with AnyConnect.  I tried different DNS servers in the AnyConnect profile and different split tunnel parameters.  I can't understand the Internet issue.  And the strange thing is that I cannot resolve any Internet addresses at all through the AnyConnect connection.  When I try to ping www.msn.com it just says that it cannot find the host www.msn.com.  Can someone please help with this question?

    Thank you

    Corey

    As well as the above, looking at the config I feel you need to add this as well, after removing the split tunnel configuration:

    object network AnyConnect-INET
     subnet 192.168.253.0 255.255.255.0

    nat (outside,outside) source dynamic AnyConnect-INET interface

    Thank you

    Ajay

  • How to enable ssh on ASA 5525

    Can I know how to set up remote access to the ASA 5525 via ssh?

    I gave the following commands

    ssh 10.60.0.0 255.255.0.0 outside

    ssh 10.60.0.0 255.255.0.0 dmz

    ssh 10.60.0.0 255.255.0.0 inside

    ssh timeout 5

    but I am not able to access the ASA via ssh. Do I have to add any other command?

    You need a public/private key pair:

    ASA(config)# crypto key generate rsa general-keys modulus 2048

    a user name:

    ASA(config)# username testuser password testpass

    and the system needs to know where your user accounts are:

    ASA(config)# aaa authentication ssh console LOCAL

    Edit: And don't leave out SSHv2:

    ASA(config)# ssh version 2

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Debugging ASA DNS inspection

    How can I debug ASA DNS inspection (9.1(1))?  Specifically, the ASA is blocking dig queries such as the following, so they never reach "the.name.server":

    dig @the.name.server -t ptr 1.2.3.4.reverse.somedomain.com.

    And I would like to be able to see how it decides to block the query (and why).

    I'm really just asking for the debugging instructions that might help me solve this, but if someone can tell me what it is about this query that the ASA does not like, that would be very useful.  It blocks the request even with very basic inspection enabled:

    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 4096
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map

    If I have "inspect dns preset_dns_map" in it, the ASA blocks the request, but if I remove "inspect dns preset_dns_map" the query works fine.

    (Just to be clear, the client in question is on the ASA inside interface and "the.name.server" is on the outside interface.)

    Hello

    I haven't done this myself at any time.

    I found that there are at least 3 different debug commands associated with "inspect dns":

    • debug inspect dns errors
    • debug inspect dns events
    • debug inspect dns packets

    Maybe lighting some of them up could bring some clarification to what's happening.

    Under the following configuration mode


    policy-map type inspect dns preset_dns_map
     parameters

    There is an option called

    ASA(config-pmap-p)# ?

    MPF policy-map parameter configuration commands:

      protocol-enforcement  DNS protocol message format enforcement

    Whether disabling this default setting with "no protocol-enforcement" helps, or whether it defeats the purpose of having "inspect dns" at all, I don't know.

    -Jouni

  • ASA 8.4(6) "Unable to retrieve or verify CRL"

    Hello

    I have configured our ASA to retrieve a CRL provided by our Linux certification authority. The CRL is exported via TinyCA as a .crl file and served by Apache.

    The file is accessible to the ASA and, so far, I see an HTTP 200 (OK). Despite this, I get an "Unable to retrieve or verify CRL".

    The ASA is configured as follows:

    crypto ca trustpoint LINUX-CA-TP
    revocation-check crl none
    enrollment terminal
    crl configure
      policy static
      url 1 http:///issuingca.crl
      no protocol ldap
      no protocol scep

    With debugging enabled I try a "crypto ca crl request LINUX-CA-TP":

    ASA (config)# crypto ca crl request LINUX-CA-TP

    CRYPTO_PKI: CRL is being polled from CDP http:///issuingca.crl.

    Unable to retrieve or verify CRL
    vpn015pi(config)#
    CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Date: Wed, 18 Dec 2013 12:49:01 GMT
    Server: Apache/2.2.22 (Ubuntu)
    Last-Modified: Wed, 18 Dec 2013 09:50:20 GMT
    ETag: ...
    Accept-Ranges: bytes
    Content-Length: 1170
    Connection: close
    Content-Type: application/x-pkcs7-crl

    CRYPTO_PKI: transaction HTTPGetCRL completed

    I'm a little puzzled. The error doesn't really tell where exactly the ASA is failing!

    Thank you

    Hello.

    I know this is a late response, but I found the solution.

    My CA was created with openssl commands and the CRL was copied to the www server. I installed the CA certificate on the ASA and tried to check the CRL. But it failed. This is the debug output:

    CRYPTO_PKI: CRL is being polled from CDP http://x.x.x.x/ca/root-ca/root-ca.crl.
    crypto_pki_req(0x00007fff2b9e3900, 24, ...)
    CRYPTO_PKI: Crypto CA req queue size = 1.
    Crypto CA thread wakes up!
    CRYPTO_PKI: http connection opened
    CRYPTO_PKI: content dump count 81
    ----------
    CRYPTO_PKI: For function crypto_http_send
    GET /ca/root-ca/root-ca.crl HTTP/1.0
    Host: x.x.x.x

    CRYPTO_PKI: For function crypto_http_send
    CRYPTO_PKI: content dump
    -------------------

    CRYPTO_PKI: HTTP response header: HTTP/1.1 200 OK
    Date: Wed, 13 Jan 2016 08:10:01 GMT
    Server: Apache/2.4.7 (Ubuntu)
    Last-Modified: Tue, 12 Jan 2016 10:12:50 GMT
    ETag: "31c-529204bc05097"
    Accept-Ranges: bytes
    Content-Length: 796
    Connection: close
    Content-Type: application/x-pkcs7-crl

    CRYPTO_PKI: CRL data
    2d 2d 2d 2d 2d 42 45 47 49 4e 20 58 35 30 39 20 | -----BEGIN X509 ...

    CRYPTO_PKI: transaction HTTPGetCRL completed
    Crypto CA thread sleeps!
    CRYPTO_PKI: Failed to retrieve CRL for trustpoint: ASDM_TrustPoint3. Retrying with next CRL DP...

    Because the CRL file was downloaded, I checked my CRL with the openssl command on my Linux server:

    openssl crl -inform PEM -text -in crl/root-ca/root-ca.crl
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer:
            Last Update: Jan 12 10:09:33 2016 GMT
            Next Update: Jan 11 10:09:33 2017 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
                    keyid:E9:5E:25:61:EB:5D:9D:7E:2E:1A:3A:DA:71:B3:7B:C2:55:8D:59:66
                Authority Information Access:
                    CA Issuers - URI:http://x.x.x.x/ca/root-ca/root-ca.cer
                X509v3 CRL Number:
                    1
    No Revoked Certificates.
        Signature Algorithm: sha256WithRSAEncryption
    ...
    -----BEGIN X509 CRL-----
    ...
    -----END X509 CRL-----

    I found that the CRL file is in PEM format. Since the other available CRL encoding is DER, I converted it to DER and copied it to the www server:

    openssl crl -inform PEM -outform DER -in crl/root-ca/root-ca.crl -out crl/root-ca/root-ca-der.crl

    After that I tried to download the CRL file with my ASA again, and it succeeded:

    CRYPTO_PKI: CRL is being polled from CDP http://x.x.x.x/ca/root-ca/root-ca.crl.
    crypto_pki_req(0x00007fff2b9e3900, 24, ...)
    CRYPTO_PKI: Crypto CA req queue size = 1.
    Crypto CA thread wakes up!
    CRYPTO_PKI: http connection opened
    CRYPTO_PKI: content dump count 81
    ----------
    CRYPTO_PKI: For function crypto_http_send
    GET /ca/root-ca/root-ca.crl HTTP/1.0
    Host: x.x.x.x

    CRYPTO_PKI: For function crypto_http_send
    CRYPTO_PKI: content dump
    -------------------

    CRYPTO_PKI: HTTP response header: HTTP/1.1 200 OK
    Date: Wed, 13 Jan 2016 08:28:08 GMT
    Server: Apache/2.4.7 (Ubuntu)
    Last-Modified: Wed, 13 Jan 2016 08:25:54 GMT
    ETag: "227-52932eb2c1926"
    Accept-Ranges: bytes
    Content-Length: 551
    Connection: close
    Content-Type: application/x-pkcs7-crl

    CRYPTO_PKI: CRL data
    30 ...

    CRYPTO_PKI: Found suitable tp
    CRYPTO_PKI: Found suitable tp
    CRYPTO_PKI: Failed to create name objects to compare DNs. status = 1795
    CRYPTO_PKI(select cert) subject = ...
    CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
    CRYPTO_PKI: Storage context locked by thread Crypto CA

    CRYPTO_PKI: inserting CRL
    CRYPTO_PKI: set CRL update timer with delay: 31455520
    CRYPTO_PKI: the current device time: 08:30:53 UTC Jan 13 2016

    CRYPTO_PKI: the last CRL update time: 10:09:33 UTC Jan 12 2016
    CRYPTO_PKI: the next CRL update time: 10:09:33 UTC Jan 11 2017
    CRYPTO_PKI: CRL cache delay being set to: 3600000
    CRYPTO_PKI: Storage context released by thread Crypto CA

    CRYPTO_PKI: transaction HTTPGetCRL completed
    Crypto CA thread sleeps!
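
    The answer above comes down to a format check the ASA never reports: the CRL it fetched was PEM (the debug dump starts with "-----BEGIN X509"), and it only accepted the DER copy (dump starts with byte 30). Both Apache responses carried the same Content-Type, application/x-pkcs7-crl, so the HTTP header cannot tell the encodings apart; only the bytes can. The following is an added example, not from the thread and not Cisco's code, using only the Python standard library: it classifies a CRL file as PEM or DER from its bytes and converts PEM to DER the same way the poster's `openssl crl -inform PEM -outform DER` did, so the check can run on the web server before the ASA polls the CDP. The sample bytes in it are a constructed minimal DER SEQUENCE, not a real CRL, and the file names are assumptions.

```python
"""Classify a CRL file as PEM or DER and convert PEM to DER.

Added example (not from the thread, not Cisco code). Standard library only.
A CRL is an ASN.1 SEQUENCE, so a DER CRL always begins with tag byte 0x30
followed by a length that must cover the rest of the file; a PEM CRL is
that DER wrapped in base64 between BEGIN/END X509 CRL markers.
"""
import base64
import re
import sys

# PEM armour for a CRL: the base64 body sits between these two markers.
PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length covers the rest of the buffer, i.e. a plausible DER CRL."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length, one octet
        length, header = first, 2
    else:                                 # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def crl_encoding(data: bytes) -> str:
    """Return "pem", "der" or "unknown" for the raw bytes of a CRL file."""
    if PEM_CRL_RE.search(data):
        return "pem"
    if der_length_ok(data):
        return "der"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Decode a PEM CRL to DER (what `openssl crl -inform PEM -outform DER` does)."""
    match = PEM_CRL_RE.search(data)
    if match is None:
        raise ValueError("input is not a PEM-encoded X509 CRL")
    body = b"".join(match.group(1).split())      # drop line breaks before decoding
    der = base64.b64decode(body, validate=True)
    if not der_length_ok(der):
        raise ValueError("PEM body did not decode to a well-formed DER SEQUENCE")
    return der


def convert_file(path_in: str, path_out: str) -> str:
    """Write a DER copy of the CRL at path_in to path_out and return the
    encoding detected on input. DER input is copied through unchanged."""
    with open(path_in, "rb") as fh:
        data = fh.read()
    kind = crl_encoding(data)
    if kind == "pem":
        data = pem_to_der(data)
    elif kind != "der":
        raise ValueError(f"{path_in}: not a recognisable CRL")
    with open(path_out, "wb") as fh:
        fh.write(data)
    return kind


# Constructed sample, NOT a real CRL: a minimal DER SEQUENCE { INTEGER 1 } is
# enough to exercise the format detection and the PEM -> DER round trip.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

if __name__ == "__main__":
    # Assumed usage: python crl_to_der.py root-ca.crl root-ca-der.crl
    src, dst = sys.argv[1], sys.argv[2]
    print(f"{src}: detected {convert_file(src, dst)}, wrote DER to {dst}")
```

    Serve the DER output under the .crl name the trustpoint's CDP URL points at; as the two response headers in the thread show, Apache reports application/x-pkcs7-crl for both encodings, so the only way to confirm what the ASA will receive is to look at the first bytes of the file.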

  • ASA SHA256 integrity for IPsec IKEv2 proposal

    Hi team,

    I tried to configure SHA256 integrity for an IPsec IKEv2 proposal and SHA256 wasn't available; the version we run is 9.0(3). The ASA model is a 5540 (legacy). Could someone please help us identify whether the legacy firewall will support it if we upgrade the software to 9.1(6), as this is the last version available for the box.

    ASA(config-ipsec-proposal)# protocol esp integrity ?

    ipsec-proposal mode commands/options:

      md5    set hash md5

      null   set hash null

      sha-1  set hash sha-1

    Thank you

    Vishnu

    Hi there...

    Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 - IPsec and ISAKMP - Creating a Basic IPsec Configuration - note at the end of step 2:

    SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not the 5505, 5510, 5520, 5540 and 5550).

    Given that Cisco has announced the date of end of life for these older platforms

  • ASA 5505 factory reset when it restarts

    I have an ASA 5505 that resets to defaults whenever it restarts.  I write to memory each time, but as soon as power is cut, or I reload it, it comes back up as "ciscoasa" with the default settings.  Anyone know what would cause this?

    Thank you

    Hello

    I wonder if your ASA's configuration register value has been set so that it boots without loading the startup configuration.

    Can you check the output of the command 'show version' and copy/paste the line starting with 'Configuration register is ...' here.

    -Jouni

  • Default port configuration for ASA AnyConnect remote access VPN

    Hello!!! Now, I need to configure the AnyConnect VPN remote access. And I have a question.

    The default AnyConnect port is 443, but that port is occupied on the ASA. We use this port for another application.

    How do I change the port used to connect? Is this possible? Thank you!!!

    Hi, please add the following configuration:

    1. Enable the WebVPN feature on the ASA:

       ASA(config)# webvpn
    2. Enable WebVPN services on the outside interface of the ASA:
       ASA(config-webvpn)# enable outside
    3. Allow the ASA to listen for WebVPN traffic on the custom port number:
       ASA(config-webvpn)# port <1-65535>
  • Unable to connect to the ASA vpn Android client

    Hello, I have a problem with the Android client. I've solved many problems and finally got the PHASE 1 and PHASE 2 COMPLETED messages in the logs :). Anyway, I have a different problem: even though the client completes phase 1 and 2, it still fails to connect. Here are the logs:

    Built inbound UDP connection 600577524 for outside:*/21456 (*/21456) to identity:*/500 (*/500)
    Built inbound UDP connection 600577567 for outside:*/27262 (*/27262) to identity:*/4500 (*/4500)
    Group = ANDROID_PROF, IP = *, Automatic NAT Detection Status: Remote end IS behind a NAT device, This end is behind a NAT device
    Group = ANDROID_PROF, IP = *, Floating NAT-T from * port 21456 to * port 27262
    Group = ANDROID_PROF, IP = *, PHASE 1 COMPLETED
    Group = ANDROID_PROF, IP = *, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
    IPSEC: An outbound remote access SA (SPI= 0x0429CEA7) between * and * (user= ANDROID_PROF) has been created.
    Group = ANDROID_PROF, IP = *, Security negotiation complete for User (Responder), Inbound SPI = 0xc95803fc, Outbound SPI = 0x0429cea7
    IPSEC: An inbound remote access SA (SPI= 0xC95803FC) between * and * (user= ANDROID_PROF) has been created.
    Group = ANDROID_PROF, IP = *, PHASE 2 COMPLETED (msgid=9aab13ed)
    Built inbound UDP connection 600577657 for outside:*/27262 (*/27262) to identity:*/1701 (*/1701)
    L2TP Tunnel created, tunnel_id is 24, remote_peer_ip is *, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is *
    L2TP Tunnel deleted, tunnel_id = 24, remote_peer_ip = *
    IPSEC: An outbound remote access SA (SPI= 0x0429CEA7) between * and * (user= ANDROID_PROF) has been deleted.
    IPSEC: An inbound remote access SA (SPI= 0xC95803FC) between * and * (user= ANDROID_PROF) has been deleted.
    Group = ANDROID_PROF, IP = *, Session is being torn down. Reason: User Requested
    Group = ANDROID_PROF, Username = , IP = *, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:07s, Bytes xmt: 1021, Bytes rcv: 955, Reason: User Requested

    As you can see, the session was torn down immediately, and Android reported a failure. The Android settings:
    Name: ANDROID_PROF

    Type: L2TP/IPsec Psk

    The IPsec identifier: ANDROID_PROF

    Pre-shared key IPsec: cisco

    The ASA config:

    tunnel-group ANDROID_PROF general-attributes
     address-pool IPSEC_RA_POOL
     authentication-server-group LDAP LOCAL
     authorization-server-group LDAP
     default-group-policy NOACCESS
    tunnel-group ANDROID_PROF ipsec-attributes
     ikev1 pre-shared-key *
    tunnel-group ANDROID_PROF ppp-attributes
     authentication chap
     authentication ms-chap-v2

    group-policy ANDROID_PROF_GP attributes
     dns-server value *
     vpn-simultaneous-logins 4
     vpn-tunnel-protocol l2tp-ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ANDROID_PROF_USERS
     default-domain value cisco.local
     address-pools value IPSEC_RA_POOL

    Hello

    Your problem with the Android L2TP/IPsec client connecting to the ASA is caused by CSCug60492 (Android phone disconnected from l2tpoveripsec and reconnect asa hung).

    It is actually an Android issue, not an ASA bug. The resolution lies on the Android side.

    I hope this helps.

    Thank you

    Vishnu

  • CSCtq62715 - ASA should not allow EtherChannel configuration on the 4-port SSM module in slot 1

    Hello

    Does anyone know about the opposite problem: etherchannel works fine on the 4GE SSM module in slot 1 of an ASA5550 running code 8.4, but no longer works after upgrading to version 9.1?

    Configuration options using 8.4(4):

    ASA(config)# int g1/0

    ASA(config-if)# ?

    Interface configuration commands:

      authentication  Authentication subcommands

      channel-group   Etherchannel/port-channel configuration

      ddns            Dynamic DNS setup

    Configuration options using version 9.1(2):

    ASA(config)# int g1/0

    ASA(config-if)# ?

    Interface configuration commands:

      authentication  Authentication subcommands

      ddns            Dynamic DNS setup

    Thank you

    Gillian

    Hi Gillian,

    What you describe is exactly what this bug was introduced to address.  In 8.4, the CLI allowed one to configure an etherchannel on the 4GE module ports.  9.0/9.1 removed this feature from the CLI, as the feature is not supported on the module.  Bug CSCtq62715 is the bug used to make this change.

    Sincerely,

    David.
