SNMP and ASA 7.2 (2)

Hi all, I just put 7.2(2) software on an ASA 5540. I have some SNMP servers on the external interface. When I configure the servers there is no problem, but then I can't save the configuration because I get an error:

# 1 wr mem

Building configuration...

Cryptochecksum: xxx

% Error reading system: / running-config (too long to configure line)

Error running command

[NOT]

Is this a bug or a syntax change?

This is a bug. Configure max 3 SNMP servers, or max 6 SNMP servers; this depends on the software version.

Tags: Cisco Security

Similar Questions

  • Automatic configuration for routers, switches Catalyst and ASA backups

    I am looking for a free solution to make monthly backups of my routers (2821), Catalyst switches (3650-X, 3750-X) and ASA (5510). I'm in a Windows environment and don't mind doing a bit of coding.

    I did some research looking at other popular solutions:

    -SNMP and a combination of Bash scripts, but that does not support Catalyst switches from what I've read.

    -RANCID, on Linux & OS X, not something common in our environment

    -Tools of Tao kiwi, not free

    Is there something (or if applicable, somethings) that I am missing that will do this from a Windows environment for free?

    Thanks in advance.

    Kron seems to be supported on the routers only; for the ASA, here is a good explanation of how to collect the backups regularly:

    https://supportforums.Cisco.com/docs/doc-14958

    If you are looking for a centralized solution and a machine to act as a collector, RANCID is really the best option (if you can allow non-Windows machines).

    Kind regards
    Ivan

  • Difference between SNMP and agent installs

    I'm curious to know the differences between the use of SNMP and agents.

    We have an Ubuntu server that must be monitored, and I don't know the best way to monitor it.

    Hey Evan,

    Here are the major issues. The NMS you currently have is the SNMP network Foglight solution. If you were to buy FMS, you could install the NMSAgent.car that retrieves data from the NMS system you already have running.

    I hope it's her. The Networking FMS cartridge extracts data from NMS via web calls.

    Best regards

    Jonas

  • Differences of router QoS and ASA

    Hi, I recently tested the QoS on an aid and 876 IPSEC tunnel and managed to limit participation effective and output rates using QoS on the router between two hosts.

    This made me think to try it on an ASA. I tried this on an ASA without success, but it also says in aid, it cannot be applied to the 'exit'. Is there a difference in the implementation of QoS between a router and an ASA?

    Update - I had it at work but only when I use it all the traffic everything. If I select say 192.168.55.20-> all IT does rate limit.

    access-list outside_mpc extended permit ip host 192.168.55.20 any

    class-map ROB_QOS (does not work)

    match access-list outside_mpc

    class-map ROB_QOS (works)

    match any

    class-map inspection_default

    match default-inspection-traffic

    policy-map type inspect dns preset_dns_map

    parameters

    message-length maximum 512

    policy-map global_policy

    class inspection_default

    inspect dns preset_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect esmtp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    inspect xdmcp

    inspect sip

    inspect netbios

    inspect tftp

    policy-map Rob_Policy

    class ROB_QOS

    Police output fall in line-action 2000-100000

    service-policy global_policy global

    service-policy Rob_Policy interface inside

    service-policy Rob_Policy interface outside

    Maybe it's not working now because you have NAT on this 192.168.55.0 IP range? Do you use any NAT for this subnet?

    Regards

    Farrukh

  • IPSEC with the router and asa 5510

    Hi all

    I have problems connecting an IPsec L2L tunnel. I have set up a router and an ASA 5510 to run IPsec between them, but it seems to fail in phase 1. I already checked and I am 100% sure that is the key. Can someone shed some light on the issue I have? Here's the debug output I get from the two systems.

    Thank you

    Hello

    Do the ISAKMP policies match on both devices? What version of IOS is running on the router and the ASA 5510?

    Thank you

  • SNMP and DHCP requests on collector

    Hello world

    I want to see the SNMP and DHCP requests on the interface of collector.

    How can I see these queries?

    Are there logs through which we can see them, or some CLI to run on systems CASE?

    Please help me on this and suggest.

    Thank you

    Abuzar

    Hello

    A log would be quickly filled if it provided details on all packets.

    The easiest way is to run a tcpdump on the collector.

    For example: tcpdump -i eth0

    You can use tcpdump --help for more info.

    Hope this helps,

    Nicolas

    ===

    Please note the answers that will help you

  • PIX and ASA static, dynamic and RA VPN does not

    Hello

    I am facing a very interesting problem between a PIX 515 and an ASA 5510.

    The PIX is in HQ and has several dynamic VPN connections (around 130), and remote-access IPsec VPN works very well. I had to add a static PIX-to-ASA L2L VPN and it does not work as it is supposed to. The ASA 5510, at the remote end, connects and stays up for a short period of time; however, all other VPN connections stop working.

    The most interesting thing is that the ASA is associated with the dynamic map and not the static map that I created (checked with sh crypto ipsec sa peer x.x.x.x). However, if I make any changes in the ACL 'ACL-Remote' it affects the tunnel between the PIX and ASA.

    Has anyone seen something like that?

    Here is more detailed information:

    HQ - IOS 8.0 (3) - PIX 515

    ASA 5510 - IOS 7.2 (3) - remote provider

    Several Huawei and Cisco routers dynamically connected via ADSL

    Several users remote access IPsec

    A VPN site-to site static between PIX and ASA - does not.

    Here is the config on the PIX:

    crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac

    crypto dynamic-map Dyn-VPN 100 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec

    crypto dynamic-map Dyn-VPN 100 set reverse-route

    crypto map VPN-card 30 match address ACL-Remote

    crypto map VPN-card 30 set peer 20x.xx.xx.xx

    crypto map VPN-card 30 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec

    crypto map VPN-card 100 ipsec-isakmp dynamic Dyn-VPN

    crypto map VPN-card interface outside

    crypto isakmp enable outside

    crypto isakmp policy 10

    authentication pre-share

    encryption 3des

    hash md5

    group 2

    lifetime 86400

    crypto isakmp policy 65535

    authentication pre-share

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    access-list ACL-Remote extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    Thank you.

    Marcelo Pinheiro

    The problem is that the ASA has a crypto acl defined between host and network, while the remote end has to the network.

    Make sure that the acl is reversed.

  • Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password

    Hello

    Now, my ACS and ASA are related through RADIUS (MSCHAPv2). I've set up password lifetime on the ACS and password management on the ASA. But Cisco ASA did prompt change or whatever it is to notify when the user tries to log on with Clientless SSL VPN. Could you advise me everything to change, or notify the expired password?

    PS.

    I check change password on the first login of th on ACS this confirmation of the ASA to change password dialog box. But I want change or warn when the expired password

    Thank you

    The default password is marked as disabled after expiry

    I think that there is an improvement for this in the 5.2.0.26.2 patch and above, which includes the following:

    CSCtk32168: Add an option to change the password when the password expires (T + and Radius)

    After you install this hotfix, you get an option to the user authentication settings is:

    -Disable the user account

    -Expire the password

    When the expiration period is exceeded

    If password is expired then user will be asked to change password next authentication

    Note this latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative

  • EIGRP running between the router and ASA by switch

    Hello

    Is it possible to run EIGRP between a router and an ASA through a switch?

    Router and ASA connected to the switch with static route.

    Hi Tommy Chin.

    It is possible, we must advertise to the route between the router and ASA.

    Please provide your connectivity diagram to better explain.

    For example...

    interface GigabitEthernet0/0

    description Links to WAN router

    nameif OUTSIDE

    security-level 50

    ip address 10.1.1.1 255.255.255.192 standby 10.1.1.2

    summary-address eigrp 100 10.1.0.0 255.255.0.0 1

    !

    ! EIGRP protocol configuration

    access-list eigrpACL_FR standard permit any

    !

    router eigrp 100

    distribute-list eigrpACL_FR in interface OUTSIDE

    neighbor 10.1.1.3 interface OUTSIDE

    neighbor 10.1.1.2 interface OUTSIDE

    network 10.1.1.0 255.255.255.192

    redistribute connected

    redistribute static

    !

    Kind regards

    Srinivas.

    Note: if it solves your problem, please mark it as resolved.

  • ASA 1000V and ASA 5500

    I hope someone can help me to answer this question:

    Currently, we have redundant FWSM and consider a migration of standalone ASA 5500 series firewalls. However, we have a complete VMWare environment and look at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.

    Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a single firewall solution, or is an ASA 5500 still necessary?

    Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?

    Thanks for your help.

    -Joe

    Depending on what you are using the ASA5500 series for now. If you use the ASA5500 for the remote access vpn and AnyConnect VPN, he will not rely on the first version of the ASA1000V yet.

    Here's the Q & A on ASA1000V which includes more information:

    http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html

    Hope that answers your question.

  • Installation of site to site VPN IPSec using PIX and ASA

    I am configuring a site-to-site IPsec VPN using a PIX515E at Site A and an ASA5520 at Site B.

    I have attached the lab diagram. Consider PIX and ASA are in default configuration, which means that nothing is configured on both devices.

    According to the scheme

    ASA5520

    The outside interface is 11.11.10.1/248 security level 0

    The inside interface is 172.16.9.2/24 security level 100

    Default route is 0.0.0.0 0.0.0.0 11.11.10.2 1

    PIX515E

    The outside interface is 123.123.10.2/248 security level 0

    The inside interface is 172.16.10.1/24 security level 100

    Default route is 0.0.0.0 0.0.0.0 123.123.10.1 1

    Could someone tell me how to set up this configuration? I tried but it didn't work out. Here are the IKE settings I have used.

    IKE information:

    IKE encryption DES

    MD5 authentication method

    Diffie-Hellman Group 2

    Default lifetime

    IPsec information:

    IPsec encryption DES

    MD5 authentication method

    Default lifetime

    Please enter the following command

    on the ASA

    sysopt connection permit-vpn

    on the PIX, not sure of the syntax, I think it is

    sysopt connection permit-ipsec

    What we are trying to do here is basically allowing vpn opening ports

    Alternatively you can open udp 500 and esp (or port ip 50) out to in on the two firewalls

  • Question about authentication SDI on AnyConnect and ASA

    Hi all

    I would like to know about the flow of communication for the AnyConnect client authentication and ASA 5520 SDI.

    My client wants to use RSA SecurID On-Demand authenticator (token RSA SecurID On-Demand) between ASA 5520 for SSL VPN and AnyConnect client.

    I understand that ASA provides two modes to allow authentication SDI.

    Native SDI - ASA communicates directly with the SDI server to manage authentication SDI
    RADIUS SDI - ASA communicates to a RADIUS SDI (such as Cisco ACS) proxy and the proxy RADIUS SDI communicates with the SDI server, this means that the ASA does not communicate directly on the SDI server.

    I think that, in general (not consider ASA), the client (remote user) needs access to the web page on the server of the SDI for an SDI authentication token when it starts / SSL VPN connection configuration. However, I understand clearly that how SDI authentication works if I use ASA as secure gateway and configure ASA to allow authentication SDI.

    So my question is how authentication SDI work on ASA when I use ASA as secure gateway and configure ASA to allow authentication SDI (in both modes).

    The customer does not want the AnyConnect client to communicate with the server of SDI directly, but to communicate to ASA only because of their security problem. I don't know why the customer say...

    I found the following information of CEC.

    ==========
    When a remote user using authentication RADIUS SDI connects to the ASA with AnyConnect and attempts to authenticate using RSA SecurID token, the ASA communicates with the RADIUS server, which in turn, communicates with the SDI server for validation.
    ==========

    This means that the AnyConnect client does not communicate with the SDI server directly for authentication of SDI when it starts / SSL VPN connection configuration and the AnyConnect client must communicate with the ASA, because ASA communicates to the SDI server (instead of the AnyConnect client) as proxy?

    Your information would be appreciated.

    Best regards

    Shinichi

    Shinichi,

    I had a quick glance at the data sheet

    http://www.RSA.com/node.aspx?ID=3481

    I couldn't find the authentication of SMS as code ' on demand ', IE. RSA will communicate somehow with network cellular provider to deliver SMS with part user token. (Phone number should uniquely identify a user)

    Please note that it is a little suspicious if the device that you authenticate provide you authentication credentials :-)

    Unless you mean a scenario where users connect through ASA to request a token (be it via NAT or perhaps via SSL Portal?) anyway, ASA is usually unconscious because the user has their authentication from the two parties.

    Let me know if you meant something different on the request token. I'm curious to see what RSA has in store for us.

    Marcin

  • ASA 5505 and ASA 5510 Site to Site VPN Tunnel cannot be established

    Hi all experts

    We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?

    I got error syslog 713902 and 713903, how to fix?

    I got the following when I type "sh crypto isakmp sa":

    Type : user Role : initiator

    Rekey : no State : MM_WAIT_MSG2

    Hugo

    Hello

    This State is reached when the policies of the phase 1 do not correspond to the two ends.

    Please confirm that you have the same settings of phase 1 on both sides with the following commands:

    show run crypto isakmp

    show run crypto ikev1

    Also make sure that port UDP 500 and 4500 are open for communication between your device and the remote peer.

    Finally, make sure you have a route suitable for the remote VPN endpoint device.

    Hope that helps.

    Kind regards

    Dinesh Moudgil
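
One way to run the phase 1 comparison suggested in the answer above offline, as an added example that is not part of the original thread: it parses the `crypto isakmp policy` (ASA 8.0) and `crypto ikev1 policy` (ASA 8.4) blocks from two saved configurations and reports which proposals match and which differ in a single attribute. The sample configurations and function names are constructed for illustration, and attributes left at device defaults (and so absent from the configuration text) are not modelled.

```python
import re

# Phase 1 attributes that must be identical on both peers for a proposal to be accepted.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
# ASA 8.4 writes "crypto ikev1 policy N"; ASA 8.0 writes "crypto isakmp policy N".
HEADER = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")

# Constructed sample configurations, not taken from the thread.
ASA_8_4 = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""
ASA_8_0 = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
"""


def parse_phase1_policies(config_text):
    """Return {priority: {attribute: value}} for every phase 1 policy block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        header = HEADER.match(raw.strip())
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and raw[:1].isspace() and raw.strip():
            words = raw.split()  # indented sub-command of the current policy
            if words[0] in MATCH_KEYS and len(words) >= 2:
                current[words[0]] = words[1]
        else:
            current = None  # any unindented or blank line closes the policy block
    return policies


def compare_phase1(local_cfg, remote_cfg):
    """Return (matches, near_misses); a near miss differs in exactly one attribute."""
    local, remote = parse_phase1_policies(local_cfg), parse_phase1_policies(remote_cfg)
    matches, near_misses = [], []
    for lprio, lpol in sorted(local.items()):
        for rprio, rpol in sorted(remote.items()):
            diff = [k for k in MATCH_KEYS if lpol.get(k) != rpol.get(k)]
            if not diff:
                matches.append((lprio, rprio))
            elif len(diff) == 1:
                key = diff[0]
                near_misses.append((lprio, rprio, key, lpol.get(key), rpol.get(key)))
    return matches, near_misses


if __name__ == "__main__":
    matches, near_misses = compare_phase1(ASA_8_4, ASA_8_0)
    print("matching policy pairs:", matches or "none")
    for lprio, rprio, key, lval, rval in near_misses:
        print(f"local {lprio} vs remote {rprio}: {key} {lval!r} != {rval!r}")
```

An empty match list for the two peers is the condition the answer associates with an initiator stuck in MM_WAIT_MSG2; the near misses point at the single attribute to align.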

  • SNMP and cisco Aironet 1131AG

    We have a wireless control system, 3 WLCs and 190 APs. I need to listen to 802.11 radios via SNMP. The system is running with LWAPP and the APs are not accessible via SNMP (no response when trying to access them). I'm trying to send traps to the SNMP server (Zabbix), but when I disable an 802.11 radio on the WLC, I don't see any trap regarding the status of the radio or the admin down.

    Is there any method to monitor the status of the radio via SNMP?

    Thanks in advance,

    OLAF

    Hi Olaf,

    LWAPP APs are not SNMP manageable, but the controllers take care of this. You can query the WLC via SNMP and it will give you the status of all access point radios.

    I suggest using Cisco's MIB browser tool to learn more about the AIRESPACE MIB that the WLC uses.

    Nicolas

  • Version 7.0 of the PIX and ASA 5500

    Hi all

    Is the ASA 5500 series identical to a PIX 515, 525 or 535 with version 7.0? I am still confused in some areas between version 7.0 of the PIX and the ASA 5500 series. If not, what are the benefits of the ASA 5500 over the PIX 7.0?

    ASA is not the same as PIX; ASA is a different hardware architecture, although both can run the same code. One of the benefits of the ASA is that you can have an IPS module in it to do intrusion prevention.

    Search for the comparison on CCO.
