SNMP and ASA 7.2(2)
Hi all, I just put 7.2(2) software on an ASA 5540. I have some SNMP servers on the external interface. When I configure the server there is no problem, but then I can't save the configuration because I get an error:
# wr mem
Building configuration...
Cryptochecksum: xxx
%Error reading system:/running-config (Configure line too long)
Error executing command
[NOT]
Is this a bug or a syntax change?
This is a bug. Configure at most 3 SNMP servers, or at most 6 SNMP servers, depending on the software version.
Tags: Cisco Security
Similar Questions
-
Automatic configuration backups for routers, Catalyst switches and ASA
I am looking for a free solution to make monthly backups of my routers (2821), Catalyst switches (3650-X, 3750-X) and ASA (5510). I'm in a Windows environment and don't mind doing a bit of coding.
I did some research looking at other popular solutions:
-SNMP and a combination of bash scripts, but that does not support Catalyst switches from what I've read.
-RANCID, on Linux & OS X, not something common in our environment
-Kiwi CatTools, not free
Is there something (or several things) that I am missing that will do this from a Windows environment for free?
Thanks in advance.
Kron seems to be supported on routers only; for the ASA, here is a good explanation on how to collect the backups regularly:
https://supportforums.Cisco.com/docs/doc-14958
If you are looking for a centralized solution and a machine to act as a collector, RANCID is really the best option (if you can allow non-Windows machines).
Kind regards
Ivan
-
Difference between SNMP and agent installs
I'm curious to know the differences between the use of SNMP and agents.
We have an Ubuntu server that must be monitored; I don't know the best way to monitor it.
Hey Evan,
Here are the major points. The NMS you currently have is the Foglight SNMP network solution. If you were to buy FMS, you could install the NMSAgent.car cartridge that retrieves data from the NMS system you already have running.
I hope this helps. The FMS Networking cartridge extracts data from NMS via web calls.
Best regards
Jonas
-
Differences of router QoS and ASA
Hi, I recently tested QoS on an 876 IPsec tunnel and managed to effectively limit input and output rates using QoS on the router between two hosts.
This made me think to try it on an ASA. I tried this on an ASA without success, but it also says in the help that it cannot be applied to 'output'. Is there a difference in the implementation of QoS between a router and an ASA?
Update - I had it working, but only when I match all traffic. If I select, say, 192.168.55.20 -> any, it does rate limit.
access-list outside_mpc extended permit ip host 192.168.55.20 any
class-map ROB_QOS (does not work)
 match access-list outside_mpc
class-map ROB_QOS (works)
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map Rob_Policy
 class ROB_QOS
  police output 2000 100000 conform-action transmit exceed-action drop
service-policy global_policy global
service-policy Rob_Policy interface inside
service-policy Rob_Policy interface outside
Maybe it's not working because you have NAT on this 192.168.55.0 IP range? Do you use any NAT for this subnet?
Regards
Farrukh
-
IPsec between a router and an ASA 5510
Hi all
I have problems connecting an IPsec L2L. I have set up a router and an ASA 5510 to do IPsec between them, but it seems to fail in phase 1. I already checked and I am 100% sure of the key. Can you shed some light on the issue I have? Here's the debug output I get from the two systems.
Thank you
Hello
Does the ISAKMP policy match on both devices? What version of IOS is running on the router and the ASA 5510?
Thank you
-
SNMP and DHCP requests on collector
Hello world
I want to see the SNMP and DHCP requests on the collector interface.
How can I see these requests?
Are there logs through which we can see them, or some CLI to run on the CASE systems?
Please help me on this and suggest.
Thank you
Abuzar
Hello
A log would quickly fill up if it provided details on all packets.
The easiest way is to run a tcpdump on the collector, for example:
tcpdump -i eth0
You can use tcpdump --help for more info.
Hope this helps,
Nicolas
===
Please rate the answers that help you
-
PIX and ASA static, dynamic and RA VPN does not
Hello
I am facing a very interesting problem between a PIX 515 and an ASA 5510.
The PIX is in HQ and has several dynamic VPN connections (around 130), and IPsec remote-access VPN works very well. I had to add a static PIX-to-ASA L2L VPN and it does not work as it is supposed to. The ASA 5510, at the remote end, connects and stays up for a short period of time; however, all other VPN connections stop working.
The most interesting thing is that the ASA is associated with the dynamic map and not the static map that I created (checked by sh crypto ipsec sa peer x.x.x.x). However, if I make any changes in the ACL 'ACL-Remote' it affects the tunnel between the PIX and ASA.
Has someone seen something like that?
Here is more detailed information:
HQ - IOS 8.0(3) - PIX 515
ASA 5510 - IOS 7.2(3) - remote provider
Several Huawei and Cisco routers dynamically connected via ADSL
Several remote-access IPsec users
A static site-to-site VPN between PIX and ASA - does not work.
Here is the config on the PIX:
crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
crypto dynamic-map Dyn-VPN 100 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
crypto dynamic-map Dyn-VPN 100 set reverse-route
crypto map VPN-map 30 match address ACL-Remote
crypto map VPN-map 30 set peer 20x.xx.xx.xx
crypto map VPN-map 30 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
crypto map VPN-map 100 ipsec-isakmp dynamic Dyn-VPN
crypto map VPN-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list ACL-Remote extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Thank you.
Marcelo Pinheiro
The problem is that the ASA has a crypto ACL defined between a host and a network, while the remote end has network to network.
Make sure that the ACL is reversed.
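The mirror check the answer describes, as an added example that is not from the thread: it parses 'permit ip' ACEs in PIX/ASA syntax from both peers and reports any entry whose source/destination swap is missing on the other side. The sample ACL lines are constructed (HQ network-to-network, remote host-to-network) and the ACL names are assumptions.

```python
import re
from ipaddress import IPv4Network

# Constructed sample ACEs in PIX/ASA syntax (not taken from the thread).
# HQ side: network-to-network. Remote side: host-to-network, the mismatch
# described in the answer above.
HQ_ACL = [
    "access-list ACL-Remote extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0",
]
REMOTE_ACL = [
    "access-list ACL-HQ extended permit ip host 192.168.1.10 10.0.0.0 255.255.255.0",
]

# Only 'permit ip' ACEs are handled; protocol/port ACEs would need more cases.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)$"
)


def to_network(token):
    """Turn 'host A', 'any' or 'A MASK' (dotted mask) into an IPv4Network."""
    parts = token.split()
    if parts[0] == "any":
        return IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return IPv4Network(parts[1] + "/32")
    return IPv4Network(parts[0] + "/" + parts[1])


def parse_aces(lines):
    """Return the set of (src, dst) network pairs from 'permit ip' ACEs."""
    pairs = set()
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            pairs.add((to_network(m["src"]), to_network(m["dst"])))
    return pairs


def unmirrored(local_lines, remote_lines):
    """Local ACEs whose exact mirror (dst, src) is absent on the remote side.

    Returns 'src -> dst' strings; an empty list means the crypto ACLs mirror."""
    remote = parse_aces(remote_lines)
    return sorted(
        f"{src} -> {dst}"
        for src, dst in parse_aces(local_lines)
        if (dst, src) not in remote
    )


if __name__ == "__main__":
    for ace in unmirrored(HQ_ACL, REMOTE_ACL):
        print("no mirror on remote peer for:", ace)
    for ace in unmirrored(REMOTE_ACL, HQ_ACL):
        print("no mirror at HQ for:", ace)
```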
-
Cisco ACS 5.1 and ASA SSL VPN: change or notify on expired password
Hello
Now, my ACS and ASA are connected via RADIUS (MSCHAPv2). I've set up password lifetime on ACS and password management on the ASA. But Cisco ASA did not prompt for a change, or notify, when the user tries to log on with Clientless SSL VPN. Could you advise me what to change so that it changes or notifies on the expired password?
PS.
I checked "change password on first login" on ACS and this confirms the ASA change-password dialog box. But I want a change or a warning when the password has expired.
Thank you
By default the password is marked as disabled after expiry.
I think that there is an enhancement for this in the 5.2.0.26.2 patch and above, which includes the following:
CSCtk32168: Add an option to change the password when the password expires (T+ and RADIUS)
After you install this hotfix, you get an option in the user authentication settings:
-Disable the user account
-Expire the password
when the expiration period is exceeded.
If the password is expired then the user will be asked to change the password at the next authentication.
Note the latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative.
-
EIGRP running between a router and an ASA through a switch
Hello
Is it possible to run EIGRP between a router and an ASA through a switch?
The router and ASA are connected to the switch with static routes.
Hi Tommy Chin.
It is possible; we must advertise the route between the router and ASA.
Please provide your connectivity diagram to better explain.
For example...
interface GigabitEthernet0/0
 description Link to WAN router
 nameif OUTSIDE
 security-level 50
 ip address 10.1.1.1 255.255.255.192 standby 10.1.1.2
 summary-address eigrp 100 10.1.0.0 255.255.0.0 1
!
EIGRP protocol configuration
access-list eigrpACL_FR standard permit any
!
router eigrp 100
 distribute-list eigrpACL_FR in interface OUTSIDE
 neighbor 10.1.1.3 interface OUTSIDE
 neighbor 10.1.1.2 interface OUTSIDE
 network 10.1.1.0 255.255.255.192
 redistribute connected
 redistribute static
!
Kind regards
Srinivas.
Note: if it solves your problem, mark it as resolved.
-
I hope someone can help me to answer this question:
Currently we have redundant FWSMs and are considering a migration to standalone ASA 5500 series firewalls. However, we have a complete VMware environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.
Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a single firewall solution, or is an ASA 5500 always necessary?
Is there a datasheet anywhere that compares the ASA 1000V and the ASA 5500 series?
Thanks for your help.
-Joe
It depends on what you are using the ASA5500 series for now. If you use the ASA5500 for remote access VPN and AnyConnect VPN, that will not be supported in the first version of the ASA1000V yet.
Here's the Q&A on the ASA1000V which includes more information:
http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html
Hope that answers your question.
-
Setting up a site-to-site IPsec VPN using PIX and ASA
I am configuring a site-to-site IPsec VPN using a PIX515E at site A and an ASA5520 at site B.
I have attached the lab diagram. Consider that the PIX and ASA are in default configuration, meaning nothing is configured on either device.
According to the diagram:
ASA5520
Outside interface is 11.11.10.1/248, security level 0
Inside interface is 172.16.9.2/24, security level 100
Default route is 0.0.0.0 0.0.0.0 11.11.10.2 1
PIX515E
Outside interface is 123.123.10.2/248, security level 0
Inside interface is 172.16.10.1/24, security level 100
Default route is 0.0.0.0 0.0.0.0 123.123.10.1 1
Could someone tell me how to set up this configuration? I tried but it didn't work out. Here is the IKE protocol I have used.
IKE information:
IKE encryption DES
Authentication method MD5
Diffie-Hellman group 2
Default lifetime
IPsec information:
IPsec encryption DES
Authentication method MD5
Default lifetime
Please enter the following command
on the ASA:
sysopt connection permit-vpn
On the PIX I'm not sure of the syntax; I think it is
sysopt connection permit-ipsec
What we are trying to do here is basically allow the VPN to open the ports.
Alternatively you can open UDP 500 and ESP (IP protocol 50) from outside to inside on the two firewalls.
-
Question about SDI authentication on AnyConnect and ASA
Hi all
I would like to know about the communication flow for AnyConnect client and ASA 5520 SDI authentication.
My client wants to use the RSA SecurID On-Demand authenticator (RSA SecurID On-Demand token) between the ASA 5520 for SSL VPN and the AnyConnect client.
I understand that the ASA provides two modes to allow SDI authentication.
Native SDI - the ASA communicates directly with the SDI server to handle SDI authentication
RADIUS SDI - the ASA communicates with a RADIUS SDI proxy (such as Cisco ACS) and the RADIUS SDI proxy communicates with the SDI server; this means that the ASA does not communicate directly with the SDI server.
I think that, in general (not considering the ASA), the client (remote user) needs access to the web page on the SDI server to get an SDI authentication token when it starts / sets up the SSL VPN connection. However, I don't clearly understand how SDI authentication works if I use the ASA as secure gateway and configure the ASA to allow SDI authentication.
So my question is how SDI authentication works on the ASA when I use the ASA as secure gateway and configure the ASA to allow SDI authentication (in both modes).
The customer does not want the AnyConnect client to communicate with the SDI server directly, but to communicate with the ASA only because of their security concerns. I don't know why the customer says so...
I found the following information of CEC.
==========
When a remote user using RADIUS SDI authentication connects to the ASA with AnyConnect and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn communicates with the SDI server for validation.
==========
Does this mean that the AnyConnect client does not communicate with the SDI server directly for SDI authentication when it starts / sets up the SSL VPN connection, and that the AnyConnect client must communicate with the ASA, because the ASA communicates with the SDI server (instead of the AnyConnect client) as a proxy?
Your information would be appreciated.
Best regards
Shinichi
Shinichi,
I had a quick glance at the data sheet
http://www.RSA.com/node.aspx?ID=3481
I couldn't find the authentication with SMS as 'on demand' code, i.e. RSA will communicate somehow with the cellular network provider to deliver an SMS with part of the user token. (The phone number should uniquely identify a user.)
Please note that it is a little suspicious if the device that you authenticate to provides you with the authentication credentials :-)
Unless you mean a scenario where users connect through the ASA to request a token (be it via NAT or perhaps via the SSL portal?); anyway, the ASA is usually unaware because the user gets their authentication from the two parties.
Let me know if you meant something different on the token request. I'm curious to see what RSA has in store for us.
Marcin
-
ASA 5505 and ASA 5510 site-to-site VPN tunnel cannot be established
Hi all experts
We are now planning to form a site-to-site IPsec VPN tunnel between an ASA 5505 (ASA version 8.4) and an ASA 5510 (ASA version 8.0) but failed; would you please show me how to establish it? A reference guide?
I got syslog errors 713902 and 713903; how to fix them?
I got the following when I type "sh crypto isakmp sa":
Type : user  Role : initiator
Rekey : no   State : MM_WAIT_MSG2
Hugo
Hello
This state is reached when the phase 1 policies do not match on the two ends.
Please confirm that you have the same phase 1 settings on both sides with the following commands:
show run crypto isakmp
show run crypto ikev1
Also make sure that UDP ports 500 and 4500 are open for communication between your device and the remote peer.
Finally, make sure you have a suitable route to the remote VPN endpoint device.
Hope that helps.
Kind regards
Dinesh Moudgil
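The phase 1 comparison the answer asks for, as an added example that is not from the thread: it parses the policy blocks from 'show run crypto isakmp' (8.0 side) and 'show run crypto ikev1' (8.4 side) output and lists which policy pairs agree on authentication, encryption, hash and DH group. The two show-run excerpts are constructed; the assumption is that a peer stuck in MM_WAIT_MSG2 has no such pair.

```python
import re

# Constructed 'show run' excerpts (not from the thread). Pre-8.4 code prints
# "crypto isakmp policy", 8.4 prints "crypto ikev1 policy"; the attributes
# that must agree for main mode to get past MM_WAIT_MSG2 are the same.
ASA_8_0 = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
ASA_8_4 = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
# lifetime is negotiated down to the shorter value, so it is not compared
ATTRS = ("authentication", "encryption", "hash", "group")


def parse_policies(text):
    """Map policy number -> {attribute: value} from show-run output."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith("crypto ") or not line:
            current = None  # left the indented policy block
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value
    return policies


def matching_policies(local_text, remote_text):
    """(local_no, remote_no) pairs whose authentication/encryption/hash/group agree."""
    local, remote = parse_policies(local_text), parse_policies(remote_text)
    return sorted(
        (ln, rn)
        for ln, lp in local.items()
        for rn, rp in remote.items()
        if all(lp.get(a) == rp.get(a) for a in ATTRS)
    )
```

An empty result from matching_policies means no proposal the initiator sends can be accepted by the responder, which is the situation behind the MM_WAIT_MSG2 state above.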
-
We have a Wireless Control System, 3 WLCs and 190 APs. I need to monitor the 802.11 radios via SNMP. The system is running LWAPP and the APs are not accessible via SNMP (no response when trying to access them). I'm trying to send traps to the SNMP server (Zabbix), but when I disable an 802.11 radio on the WLC I don't see any trap regarding the status of the radio or the admin down.
Is there any method to monitor the status of the radio via SNMP?
Thanks in advance,
OLAF
Hi Olaf,
LWAPP APs are not SNMP manageable, but the controllers take care of this. You can query the WLC via SNMP and it will give you the status of all access point radios.
I suggest using Cisco's MIB browser tool to learn more about the AIRESPACE MIB that the WLC uses.
Nicolas
-
PIX version 7.0 and ASA 5500
Hi all
Is the ASA 5500 series identical to a PIX 515, 525 or 535 with version 7.0? I still see some areas where it is confused between version 7.0 of the PIX and the ASA 5500 series. If not, what are the benefits of the ASA 5500 over the PIX 7.0?
The ASA is not the same as the PIX; the ASA is a different hardware architecture, although both can run the same code. One of the benefits of the ASA is that you can have an IPS module in it to do intrusion prevention.
Search for a comparison on CCO.