ASA question

Hi all

I've got an ASA that I will receive in a week or two and was looking around for a few documents on the installation procedure. I can't seem to find much on the Cisco site, but I saw a post here that tried to link to a display of the SSL VPN portion and a demo of the configuration. Does anyone have such a thing? The link did not work.

Thank you

R

How about this?

http://www.Cisco.com/Web/learning/le31/le29/configuring_asa_pix_security_appliances.html

M

Tags: Cisco Security

Similar Questions

  • ASA behaviour question

    Hi all

    I have a question. In a test environment I set up the topology as in the attachment and added a route for the 172.16.2.0/24 network via 192.168.0.10. The ping command works, but any connection-oriented protocol does not. Monitoring with the debug command, I noticed that the packet leaves the station with IP address 192.168.1.3 to IP 172.16.2.2 successfully; the packet with the SYN flag arrives, and when the 172.16.2.2 server responds with the ACK flag it returns without problem. But when the station with IP 192.168.1.3 returns the packet with the SYN/ACK flag, the Cisco ASA receives the packet and the acknowledgement is not returned by the ASA; as a result the Cisco ASA seems to drop the packet and run a teardown, and the connection is not completed. I think it's because the Cisco ASA may interpret this behaviour as a man-in-the-middle attack. Is there a way to disable this check on the Cisco ASA? I ask for the sake of knowledge, because this scenario will not be used.

    Kind regards.

    8.4 is not a valid version of ASA. You can run 8.0(4). The TCP state bypass feature is available in 8.2(1) or later.

    "permit ip any any" simply states that all UDP and TCP connections are allowed. However, the ASA will always inspect connections for stateful security, among other things. In the case of TCP, the first packet MUST be a SYN; otherwise, without the SYN, we should never see a SYN-ACK packet. A syslog message, 'Deny TCP (no connection)', would result if we saw the SYN-ACK without the SYN packet.

    Best regards

    Kevin
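As an added example (not from Kevin's post): the TCP state bypass feature he mentions, configured on ASA 8.2(1) or later so that only the two test hosts from the question skip the SYN-first check. The ACL, class-map and policy-map names are assumed, as is the interface name `inside`.

```cisco
! Added example, not from the thread. Scope the bypass to the test hosts only:
! traffic matching this ACL skips TCP state tracking (no SYN-first check,
! no sequence number randomisation, no TCP normaliser), so keep it narrow.
access-list tcp_bypass_acl extended permit tcp host 192.168.1.3 host 172.16.2.2
access-list tcp_bypass_acl extended permit tcp host 172.16.2.2 host 192.168.1.3
!
class-map tcp_bypass_class
 match access-list tcp_bypass_acl
!
policy-map tcp_bypass_policy
 class tcp_bypass_class
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the asymmetric flow enters (assumed "inside").
service-policy tcp_bypass_policy interface inside
!
! Verify: the class should show packets hitting the bypass option, and the
! "Deny TCP (no connection)" syslogs for these two hosts should stop.
show service-policy interface inside
show conn address 192.168.1.3
```

Everything not matched by tcp_bypass_acl keeps normal stateful inspection, which is the reason for host-level rather than subnet-level entries.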

  • Active/active ASA questions

    If I have two ASAs configured as active/active:

    1. Is it treated as a single unit? I mean, can I manage it only with IDM?

    2. The 5520 can have 130,000 connections. If I use 2 of them in an active/active configuration, can I say that I will get 130,000 x 2 = 260,000 connections?

    Thank you.

    1. On the ASA, active/active can be achieved when the two ASAs are in multiple context mode (security contexts). Multiple contexts logically divide the ASA into several virtual firewalls. You can refer to the following configuration example.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787

    In your case, you must create 2 contexts in each ASA, for example context-A and context-B. ASA-1 must be active for context-A and standby for context-B; ASA-2 is standby for context-A and active for context-B. You must have a separate set of configuration for each context.

    To manage the configuration, you can use ASDM.

    2. I'm sorry, I don't know who
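As an added example (not from the reply above): the system execution space configuration on ASA-1 for the two contexts and two failover groups just described; ASA-2 gets the same configuration apart from `failover lan unit secondary`. Interface names, VLAN numbers, addresses, the failover key placeholder and file names are assumed, and the 5520 is assumed to be in multiple context mode already.

```cisco
! Added example, not from the thread. Entered in the system execution space
! of ASA-1 (ASA-2 is identical except "failover lan unit secondary").
! Assumes "mode multiple" is already set and the unit has rebooted.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
!
! Group 1 is active on the primary unit, group 2 on the secondary unit.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Subinterfaces for context-B, defined here so they can be allocated below.
interface GigabitEthernet0/2.10
 vlan 10
interface GigabitEthernet0/2.20
 vlan 20
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context context-A
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/context-A.cfg
 join-failover-group 1
!
context context-B
 allocate-interface GigabitEthernet0/2.10
 allocate-interface GigabitEthernet0/2.20
 config-url disk0:/context-B.cfg
 join-failover-group 2
!
failover
!
! Verify: each group shows Active on one unit and Standby Ready on the other.
show failover
```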

  • ASA firewall inbound

    Hello everyone.

    I have a question about ASA 5505 firewall.

    The outside interface is security level 0:

    interface Vlan10
    nameif outside
    security-level 0

    An ACL was created to filter the site-to-site traffic, and filtering of tunnel traffic is enabled:

    no sysopt connection permit-vpn

    object network ipsec_subnet
     subnet 192.168.11.0 255.255.255.248

    access-list l2l-filter extended permit icmp any any
    access-list l2l-filter extended permit tcp any object ipsec_subnet eq www
    access-list l2l-filter extended permit tcp any object ipsec_subnet eq https
    access-list l2l-filter extended permit tcp any object ipsec_subnet eq ftp

    access-group l2l-filter in interface outside

    Since I have only worked with routers so far, as far as I understand, in theory IPsec peers should not be able to establish IPsec tunnels with the ASA, since I did not permit inbound UDP 500 and 4500 and ESP in the l2l-filter ACL, but in reality the tunnels come up.

    Can you please explain why the ACL applied inbound on the outside interface allows inbound IPsec connections?

    Thank you

    Kind regards

    Alex

    Hi Alex,

    The only way to block UDP 500 traffic is to use a control-plane ACL.

    We can even see hits on the ACL:

    access-list Inbound_Filter line 2 extended deny object-group IPSEC any any (hitcnt=7)

    Have you tried clearing the connection?

    Use 'clear conn address <address> all' to clear the connection.

    Kind regards

    Aditya

    Please rate helpful posts.
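An added example (not from Aditya's post) of the control-plane ACL he describes, on ASA 8.3 or later: an interface ACL such as l2l-filter only governs traffic passing through the ASA, while IKE and ESP terminate on the ASA itself and are only filtered by an ACL applied with the `control-plane` keyword. The peer address, management subnet and ACL name are constructed for illustration.

```cisco
! Added example, not from the thread. To-the-box traffic (IKE, ESP, SSH,
! ASDM) is not filtered by the interface ACL; a control-plane ACL is.
! Addresses and names are constructed for illustration.
object network l2l_peer
 host 203.0.113.10
object network mgmt_hosts
 subnet 198.51.100.0 255.255.255.240
!
! Only the known site-to-site peer may start IKE or send ESP to the ASA.
access-list cp-filter extended permit udp object l2l_peer any eq isakmp
access-list cp-filter extended permit udp object l2l_peer any eq 4500
access-list cp-filter extended permit esp object l2l_peer any
! Log and drop everyone else's IKE/ESP (the hitcnt confirms the blocking).
access-list cp-filter extended deny udp any any eq isakmp log
access-list cp-filter extended deny udp any any eq 4500 log
access-list cp-filter extended deny esp any any log
! A control-plane ACL ends in an implicit deny, so permit the management
! protocols you still need on this interface.
access-list cp-filter extended permit tcp object mgmt_hosts any eq ssh
access-list cp-filter extended permit tcp object mgmt_hosts any eq https
!
access-group cp-filter in interface outside control-plane
!
! Verify: rejected peers increment the deny lines' hitcnt; an already
! established connection can be cleared so the ACL is re-evaluated.
show access-list cp-filter
clear conn address 203.0.113.10 all
```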

  • How do you define your asa?

    Hi all

    I know the ASA is powerful, but normally I only configure NAT, access lists, VPN, DHCP server, management interfaces, NTP and RPC connection account. I think I am missing something.

    I know that each task has different settings. But I want to know what functions you always set on the device.

    If in doubt, always check the manufacturer's best practices guide.

    Cisco Firewall best practices Guide:

    http://www.Cisco.com/Web/about/security/intelligence/firewall-best-pract...

    Not all of it applies in every use case, but it is a very good starting point. I often refer to it when asked to review customer ASA configurations.

    In addition, on an existing firewall, I look for things like unused objects, access lists and access-list entries. The tunnelsup.com tool is very good for this:

    http://www.tunnelsup.com/config-cleanup/

  • View the ASA 5540 context

    I have a question about the ASA. In the GUI, I have the choice of which context I wish to see. I have 2: one called mgmt and the other admin. When I SSH into the ASA all I can see is the admin context. How do I view the configuration of the mgmt context?

    Warren,

    To get into a different context than the admin context you simply have to type changeto context followed by the name of the context, mgmt, which is your other context.

    e.g.

    ASA# changeto context mgmt

    Go to this link, which explains how to navigate between contexts through the command line.

    See the section Changing Between Contexts and the System Execution Space.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#changto

    HTH

    Rgds

    Jorge

  • The ASA - which SSL client to use and what connection options do I have?

    We have a large site and have only allowed IPsec for all our branch-to-branch and user tunnels. We tried SSL years ago but it had limits, so we stopped the deployment. We must now begin with SSL VPN users and I have a few basic ASA questions.

    I have an unused ASA 5510 for testing that currently runs 8.3.2, with a Security Plus license, 100 SSL VPN peers and 250 total VPN peers, 100 VLANs max, 2 security contexts, active/active, 2 phone proxies, and everything else disabled. We do not intend to use a web-based SSL connection anywhere (AnyConnect Essentials?) and will use the full SSL VPN client, which will be hand-loaded on machines or downloaded from the ASA and loaded onto the computer if possible. What I want to know is which version of the current code I can install on my ASA without losing my existing 100-peer SSL VPN license, and which AnyConnect client would be supported. I've seen talk about AnyConnect Premium but do not know its relationship. If I upgrade the ASA to newer releases or code versions, does my SSL VPN peer license turn into an AnyConnect Premium license?

    Any help getting started in the right direction would be appreciated. I know I can spend days trying to understand Cisco licenses and traps and still get burned in the end with the wrong function or license. Basically, I want to know what I have to install for end users to have the complete SSL VPN client and what I have to do on the ASA to provide this functionality with the current license / feature set. I also want to know what the end user should use, because it seems that AnyConnect Secure Mobility is the same if I use all its security features. Example - I am not able to check for firewall/malware programs etc., but we currently have a policy in place which does not allow Internet browsing or access when end users have VPN tunnel connections to our site. That restriction should always be kept if this is possible over the SSL VPN connection as well.

    Thank you

    Paul

    The SSL VPN client-based license will remain active on your box through later ASA software updates. AnyConnect Essentials (which you already have) will work with the SSL VPN license feature.

    You would be upgrading to AnyConnect Premium only if you wanted to add features like clientless SSL VPN (purely browser-based) or other items such as Advanced Endpoint Assessment (AEA). AnyConnect Premium can coexist with AnyConnect Essentials on the ASA, even though you can't mix and match Premium and Essentials licenses.

    The Essentials or Premium distinction is mainly directed at the ASA installation. The same AnyConnect Secure Mobility client software (version 3.1 is the latest for Windows and OS X and is quite a nice new release) is used in both cases. Additional client plug-in functions are things such as AEA and 802.1x NAC. Your ASA-based group policies, such as no split tunneling, etc., remain in force.

    If you intend to allow mobile device clients (iPhone, iPad and Android (very limited support for the last one, BTW)) to access your VPN, you will need to add the AnyConnect Mobile license on the ASA and install the client from the respective app store. Note that Windows Phone and BlackBerry are not supported as AnyConnect clients.

  • moving the local IP address to a different server (NAT problem)

    Dear,

    I have a local database server with local IP 192.168.101.3 and a Cisco ASA 5500. I use static NAT as below:

    static (inside,outside) xx.xx.xx.xx 192.168.101.3 netmask 255.255.255.255

    The server broke, and we moved the data to another server and gave it the exact same IP address.

    Now we can ping the actual IP from the outside.

    Help, please.

    Thanks in advance.

    Hello Asad,

    I've seen this problem before: hosts with the Windows firewall or antivirus will not respond to any other host that is not on their local network.

    Customers usually think it is an ASA problem, but as soon as we set up

    nat (outside) 10 your_public_ip
    global (inside) 10 interface

    we can see how it works, because the server will now receive the packets from the ASA's inside interface.

    Anyway glad to hear it works fine.

    Please mark the question as answered so future users can benefit from this.

    Julio

  • ASA5510-SEC-BUN-K9 bundle

    Hello. I have a question about the ASA 5510 SEC-BUN-K9 bundle. Our company ordered a K9 bundle, but when I enter the command show version on the ASA, I see that the system image file is named asa706-k8.bin.

    Is this normal, or was there a mix-up, as the box says it's a K9 bundle?

    Igor

    It is not a mix-up or a problem. It is normal for the name of the image to say k8 when the ASA is described as a K9 bundle. The names are inconsistent, but the ASA should work as you expect.

    HTH

    Rick

  • What does (Role: responder and Role: initiator) mean?

    Dear all,

    I have a few questions about an ASA 5500 error.

    A few times I saw Role: responder and a few times I've seen Role: initiator.

    What does it mean?

    And what is the problem?

    HQ# sh crypto isakmp sa

       Active SA: 3
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 3

    1   IKE Peer: 10.189.137.8
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 10.189.137.10
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    3   IKE Peer: 10.189.137.9
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    HQ#

    Responder means that the peer initiated the VPN connection, while initiator means that the VPN tunnel was started from this end.

    Hope that answers your question.

  • ASA ACL question

    I'm new to the ASA and am trying to understand something about ACLs. I understand about creating them and adding entries, and that all entries should have the same name, but I'm confused about ACLs that do not have the same name as one that already exists on a device or may be named differently.

    For example:

    access-list Corporate1 permit tcp any any eq www
    access-list Corporate1 permit tcp any any eq https
    access-list Inside_Out permit ip any any
    access-group Corporate1 in interface outside

    Ignoring the content for the moment, I have 2 ACLs: one with 2 entries and one with a single entry. The Corporate1 ACL is applied to the interface and is active. I get this part... My question is: is the Inside_Out ACL automatically grouped in with the Corporate1 ACL and activated along with it, or is it safe to say it is not active and can be removed without causing damage? Does the access-group only activate the ACL with the same name, Corporate1?

    I have 2 different people telling me two different things. I'm lost on this one; any help would be greatly appreciated.

    -Jon

    Working with ACLs always implies two steps:

    1. You configure the ACL (possibly with multiple lines, but the same name).
    2. You assign the ACL to a function. That might be filtering on an interface with the access-group command, but it is not limited to that; the ACL is used in several places where the ASA must match traffic.

    If you did both 1) and 2), then the ACL is active and currently in use. If you have only configured the ACL but it was never assigned to a function, then the ACL is not active and can be removed.

    In your example:

    If you find the ACL 'Inside_Out' but you don't know if the ACL is used, then do a

     sh run | inc Inside_Out

    If the output shows only the ACL lines, it is unused and can be removed:

     clear configure access-list Inside_Out

    Or it is not yet used but should be used; then apply the ACL for the desired purpose.

  • ASA mgmt question

    Internet<>Global MPLS WAN to other sites

    Hello! We have the above setup in our environment. The ASA box is used to establish the tunnel to our headquarters if the MPLS WAN is down.

    I have a question about managing the ASA box from the network (internal LAN of other sites). I can ping the inside interface of the ASA from other sites, but when I try to SSH or use ASDM to manage it, I see that there is a message "Routing failed to locate next hop for TCP from inside:xxxx to inside:xxxx". There is no firewall between sites (through the global MPLS WAN). I can ping between sites, and SSH/ASDM management + an ACL to allow the local LAN + any was added.

    I also noticed that I cannot ping other sites from the ASA CLI. I can only ping IP ranges configured as a static route to the inside interface of the ASA box.

    From what I see, everything works fine; it's just that I'm not able to manage the ASA box from other sites.

    What could be the problem here?

    THX

    If the error message is that the ASA could not find a route, then of course it sounds like a routing problem. My first suggestion would be to look at the error message, take the destination address from the message and check to see if the ASA has a route to this address (and to make sure that the route points through the inside, because the error message indicates that it thinks the destination is on the inside interface).

    HTH

    Rick

  • Pre-installation questions on IPS on a Cisco ASA Cluster

    Hello

    I'm looking for some configuration guidelines on IPS.

    I have a Cisco ASA Cluster with an IPS Module and I would like to know the best way to go about setting it up.

    We have a customer who requires their web servers to be protected with the IPS module. I have the following questions:

    1. Is it possible to install the IPS in a learning-type mode to see what kind of traffic is hitting?

    2. Can you syslog alerts?

    3. Is it possible to use SNMP traps for alerts as well?

    4. If you put it in promiscuous mode (IDS), does it mean that when you receive an alert about a possible attack, an administrator must log on to the firewall and block the traffic if they choose to do so? Is it possible for an administrator to block traffic (or leave it if it's a false positive in IPS) without having to connect to ASDM? If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?

    5. Is it possible to set up alerting so that if it is a DDoS there is an email alert, and if it's a split handshake then just a syslog alert?

    6. I'm afraid that if I put it in with a profile it may start blocking valid traffic. What is the best way to start with IPS to protect a server?

    7. If it is possible to syslog, what kind of detail does syslog capture? Attack name, etc.?

    A lot of questions! I hope someone can help.

    Thanks a million

    1. Is it possible to install the IPS in a learning-type mode to see what kind of traffic is hitting?

    Yes. There are several ways to do this, but the easiest way is to put the sensor in promiscuous mode (in the ASA config).

    2. Can you syslog alerts?

    No. The Cisco IPS OS doesn't support syslog.

    3. Is it possible to use SNMP traps for alerts as well?

    Yes. But you must set the 'action' on each signature that you want to send a trap.

    4. If you put it in promiscuous mode (IDS), does it mean that when you receive an alert about a possible attack, an administrator must log on to the firewall and block the traffic if they choose to do so? Is it possible for an administrator to block traffic (or leave it if it's a false positive in IPS) without having to connect to ASDM? If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?

    Whoever performs the analysis of IPS events generally has sufficient privilege and access to make any changes necessary to your firewall security and IPS sensors. It takes time, knowledge and skills to analyse IPS events. Most customers do not have the resources to do the job you describe.

    5. Is it possible to set up alerting so that if it is a DDoS there is an email alert, and if it's a split handshake then just a syslog alert?

    No syslog. You can set email alerts on a per-signature basis.

    6. I'm afraid that if I put it in with a profile it may start blocking valid traffic. What is the best way to start with IPS to protect a server?

    Start in "Promiscuous" mode and see what hits the signatures. Investigate them and tune your false positives until you have a tight set of signatures and actions. Then switch to inline mode.

    7. If it is possible to syslog, what kind of detail does syslog capture? Attack name, etc.?

    No syslog.

    -Bob

  • Question about SDI authentication on AnyConnect and ASA

    Hi all

    I would like to know about the communication flow for AnyConnect client authentication and ASA 5520 SDI.

    My client wants to use the RSA SecurID On-Demand authenticator (RSA SecurID On-Demand token) between the ASA 5520 for SSL VPN and the AnyConnect client.

    I understand that the ASA provides two modes to allow SDI authentication.

    Native SDI - the ASA communicates directly with the SDI server to handle SDI authentication.
    RADIUS SDI - the ASA communicates with a RADIUS SDI proxy (such as Cisco ACS) and the RADIUS SDI proxy communicates with the SDI server; this means that the ASA does not communicate directly with the SDI server.

    I think that, in general (not considering the ASA), the client (remote user) needs access to the web page on the SDI server to get an SDI authentication token when it starts / sets up the SSL VPN connection. However, I am not clear on how SDI authentication works if I use the ASA as secure gateway and configure the ASA to allow SDI authentication.

    So my question is how SDI authentication works on the ASA when I use the ASA as secure gateway and configure the ASA to allow SDI authentication (in both modes).

    The customer does not want the AnyConnect client to communicate with the SDI server directly, but to communicate with the ASA only, because of their security concerns. I don't know why the customer says this...

    I found the following information on CEC.

    ==========
    When a remote user using RADIUS SDI authentication connects to the ASA with AnyConnect and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn communicates with the SDI server for validation.
    ==========

    Does this mean that the AnyConnect client does not communicate with the SDI server directly for SDI authentication when it starts / sets up the SSL VPN connection, and that the AnyConnect client must communicate with the ASA only, because the ASA communicates with the SDI server (instead of the AnyConnect client) as a proxy?

    Your information would be appreciated.

    Best regards

    Shinichi

    Shinichi,

    I had a quick glance at the data sheet

    http://www.RSA.com/node.aspx?ID=3481

    I couldn't find the 'on demand' SMS code authentication, i.e. RSA will somehow communicate with the cellular network provider to deliver an SMS with the user's part of the token. (The phone number should uniquely identify a user.)

    Please note that it is a little suspicious if the device that you authenticate to provides you with the authentication credentials :-)

    Unless you mean a scenario where users connect through the ASA to request a token (be it via NAT or perhaps via the SSL portal?), anyway, the ASA is usually unaware, because the user gets their authentication from the two parties.

    Let me know if you meant something different about the token request. I'm curious to see what RSA has in store for us.

    Marcin

  • QoS with ASA - packet matching questions

    I have a few questions about ASA and QoS - code level 8.2.5.

    Let's say I have the following...

    class-map TG-NonVoice
     match access-list tg-traffic-acl
    class-map TCP-traffic
     match access-list tcp-traffic-acl
    class-map TG-voice
     match dscp ef
     match tunnel-group x.x.x.x

    How do I know the hierarchy the ASA uses to match a packet? Since a packet can only match one class-map, I created deny statements in the access lists to ensure that the packet matches what I want. Example - in the tcp-traffic-acl access list I didn't want to include the tunnel traffic, so I denied the tunnel traffic at the beginning of the access list. Is this the correct procedure, given that I did not know in what order the ASA matches packets to the access lists in my class-maps? Is there an order? TG-voice has priority in the policy-map; does it automatically get used to match first?

    Second example:

    Let's say I have

    class-map TG-NonVoice
     match flow ip destination-address
     match tunnel-group x.x.x.x
    class-map TCP-traffic
     match access-list tcp-traffic-acl
    class-map TG-voice
     match dscp ef
     match tunnel-group x.x.x.x

    Here I have only one access list. How do I know the order used to filter packets? If I don't want the tcp-traffic-acl to include packets that could possibly match the VPN tunnel, do I put a deny for the VPN traffic at the beginning of the access list to be sure? What order would the ASA use to determine whether a packet matches a class-map rule, since a packet could match multiple class-maps, but from what I've read it does not get included in others once it matches the first? Understand?

    Thank you

    Hello

    I think this post covers everything.

    This is the best document I have found on the web about the MPF.

    Take a read.

    http://blog.INE.com/2009/04/19/understanding-modular-policy-framework/

    Rate all useful posts!

    Kind regards

    Jcarvaja

    Follow me on http://laguiadelnetworking.com
