The upgrade of ASA 5520

Similar Questions

• UPDATED TO VERSION 8.2 ASA 5520 TO 9.0

  Hello friends,

  I am planning to upgrade my ASA 5520 with version 8.2 to 9.0, so I'll enjoy the benefits of anyconnect for mobile devices. Clearly, I understand that I must pay special attention to:

  • NAT rules.
  • Memory RAM: 2 GB.
  • Add references to the rule over the new versions for mobile and anyconnect
    

    L-ASA-AC-E-5520 = ASA-AC-M-5520 =.

  am I missing anything else? Requirement of Flash? Or pay attention to some other configurations?

  Any comments or document will be appreciated.

  Kind regards!

  You can run the latest version of the AnyConnect client - including mobile clients - with these licenses, even on a SAA with the current code of 8.2-8.2 (5) from now on. While it is a bit old and lack some of the new features, it is a strong and stable version.

  That could save you the trouble to migrate the configuration of your NAT (and other songs) and the upgrade memory.

  Since the series ASA 5500 (5510, 5520 etc.) is end of sales past you have a future limited on these platforms. For example, ASA 9.1 (x) is the last series of releases of code which will be available for them. (The current software on the 5500-X is 9.3 (1).)

• Upgrade to Cisco ASA 5520 8.2.5 to 9.1.7

  Hello

  I have an upgrade tonight for a customer to upgrade a StandAlone ASA 5520 in version 8.2.5 in 9.1.7. I have the same upgrade week next to the same client for a failover pair.

  I already have this kind of process of 8.2.x upgrade to 9.1.x so I know the entire process, since I have to take a first step 8.2.5 8.4.6 then 9.1.7. In addition this customer has no statement of Nat therefore normally an easy process.

  But today during my routine to prepare for the upgrade (I prefer to make a double or triple check before) I found this bug:

  https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCuh19234;JSESSIONID=0A69...

  This bug is fixed in version 8.4.7, and 8.4.6.99. But it is not recommended by the upgrade process for a 8.2.5 to 8.4.7 jump and I can not find the 8.4.6.99 version.

  I don't want to have any problems during my upgrade with something I can avoid.

  As I said I already have this updated in the past without any problem and with a more complex configuration.

  Has anyone as a return to this process for the last months? Should I do an extra step? (before first 8.2.5 to 8.4.5 8.4.6 or 8.4.7)

  Thank you in advance for your answer.

  There are a few incidents reported for ASA 5520 8.2.5 hit this defect running.

  You can go for an extra for 8.4.x upgrade as you mentioned to avoid default we can't say for sure if you will encounter this situation or not.  8.4.6.99 can be a picture of development so be unavailable unless you want to call TAC and confirm or obtain any other image in 8.4.x train.
  Maybe add another upgrade code can't hurt as that hit the bug.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• ASA 5520 DRAM Upgrade

  Hello

  We have an ASA 5520 running the 8.x version which currently has 512 MB of DRAM.

  I would like to upgrade memory 1 GB DRAM

  Issues related to the:

  1 how many slots slots DRAM the 5520 there?

  2. I found this part:

  http://www.MemoryX.NET/asa5520mem1gb.html

  Seeking to be good. Is there anywhere I can OLA to be sure? I was looking and looking, but I can't find any hard documentation about the DRAM modules, I can use for my 5520.

  Thank you 1 million,

  Pedro

  There should be four.

  http://www.Cisco.com/en/us/docs/security/ASA/HW/maintenance/guide/procs.html#wp1076043

  The only supported memory upgrade must come from Cisco ASA5510-MEM-512 = manufacturer

  There is no 'Cisco' part number to memoryx in the price list of Cisco. Also I think it's for the AIP, not the chassis module. I think that the chassis only supports 512 MB chips. The link below is the one you want.

  http://www.MemoryX.NET/ASA5520.html

  It shows that he have a single good Bank. I have not a 5520 in lab to take a look, but the documentation must be accurate.

• the upgrade of IPS chains, ASA-SSM - 10 module

  I'll have a difficult time, the upgrade of the module ASA IPS SSM-10. I down loaded the IPS-GIS-s327-req - e1.pkg to the FTP Win XP (my workstation). The following does not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt

  "error: execUpgradeSoftware: connection failed. Any suggestion would be appreciated.

  Also, have you been able to update your signature?

• Steps from the date of the beginning of the planning of a DMZ on ASA 5520

  Hi all

  Can someone direct me to a good documentation planning and creation of a DMZ on an ASA 5520? Any advice or suggestions are greatly welcome.

  TIA,

  Gary

  Hi Gary

  Take a look at the following link,

  http://www.Cisco.com/en/us/products/ps6120/products_getting_started_guide_chapter09186a00805e2922.html

  I hope this helps.

  Cordially MJ

• ASA 5520 8.0 (4) port depending on the ACLs vpn works not

  Hi all

  I have a problem with an ASA (5520 8.0 (4)) for lack of working with a port based acl for remote clients. I have a simple acl from a single line to split traffic, if I allowed the tunnel IP works fine, if I lock it up to TCP 3389 rdp will not work. I don't see anything in the logs and debug output, I did have a problem with a similar configuration (5510 8.0 (4) and I'm at a loss to explain it.)

  Everyone knows about this problem before? I have nat exclusions etc and as I said, the tunnel only works if the acl permits all IP traffic between client and server.

  THX in advance

  Split-tunnel list cannot IP, if you want to restrict which ports are are sent via the tunnel vpn for your clients vpn, you need to use VPN filters under Group Policy:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

• How to accompany the IDS in ASA 5505 and 5520?

  Dear All;

  We have the following configuration of HW for the ASA 5505 and ASA 5520, we add the functionality of system of detection of Intrusion (IDS) to the two ASA. My question is: what are the modules required to support this function, and what is the deference between IPS and IDS, fact the same Module both the feature?

  Part number:	Description	QTY.
  ASA5505-BUN-K9	ASA 5505 appliance with SW 10 users, 8 ports, 3DES/AES	1
  CON-SNT-AS5BUNK9	SMARTNET 8X5XNBD ASA5505-BUN-K9	1
  SF-ASA5505 - 8.2 - K8	ASA 5505 Series Software v8.2	1
  CAB-AC-C5	Power supply cord Type C5 U.S.	1
  ASA5500-BA-K9	ASA 5500 license (3DES/AES) encryption	1
  ASA5505-PWR-AC	ASA 5505 power adapter	1
  ASA5505-SW-10	ASA 5505 10 user software license	1
  SSC-WHITE	ASA 5505 hood SSC of the location empty	1
  ASA-ANYCONN-CSD-K9	ASA 5500 AnyConnect Client + Cisco Security Office software	1

  Part number:	Description	QTY.
  ASA5520-BUN-K9	ASA 5520 appliance with SW HA, 4GE + 1FE, 3DES/AES	2
  CON-SNT-AS2BUNK9	SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs 4GE + 1FE3DES/AES	2
  ASA5520-VPN-PL	ASA 5520 VPN over 750 IPsec User License (7.0 only)	2
  ASA-VPN-CLNT-K9	Cisco VPN Client (Windows Solaris Linux Mac) software	2
  SF - ASA - 8.2 - K8	ASA 5500 Series Software v8.2	2
  CAB - ACU	Power supply cord (UK) C13 BS 1363 2.5 m	2
  ASA-180W-PWR-AC	Power supply ASA 180W	2
  ASA5500-BA-K9	ASA 5500 license (3DES/AES) encryption	2
  ASA-ANYCONN-CSD-K9	ASA 5500 AnyConnect Client + Cisco Security Office software	2
  SSM-WHITE	ASA/IPS SSM hood of the location	2

  Thanks in advance.

  Rashed Ward.

  Okay, I was not quite correct in my first post.

  These modules - modules only available for corresponding models of ASA.

  They all can act as IPS (inline mode) or IDS ("Promiscuous" mode), depending on how you configure your policies.

  When acting as IPS, ASA redirects all traffic through the module, then all the traffic is inspected and can be dropped inline if a signature is triggered.

  When she acts as an ID, ASA a few exemplary traffic is the module for inspection, but the actual traffic is not affected by the module, as it's not inline in this case.

  In addition, these modules can be both comdination. That is part of the traffic can be inspected "inline", when some other (more sensitive) traffic can be inspected in promiscuous mode.

  To better understand, familiarize themselves with this link:

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/modules_ips.html

• Problems encountered during the upgradation of windows7 for windows8 in my laptop Dell Inspiron 5520.

  I'm halfway to the upgradation of windows7 for windows8 in my laptop Dell Inspiron 5520. I wonder to uninstall software for USB 3.0, Dell stage, Bluetooth, ports etc. of windows7, citing compatibility problems. How do I proceed? Similar software will be installed during the process once I have finished installing windows8? Because now, my internet connection is through the USB data card. Please advice of emergency

  What I suggest you do is download Windows 8 and create a bootable on a Flash DRIVE or DVD you can do an offline installation. Although the wizard upgrade of Windows 8 is the first download before to actually copy the files.

  You can uninstall the proposed components that affect the download installation files.

  See:

  http://techingiteasy.WordPress.com/2012/11/06/part-1-how-to-upgrade-using-the-Windows-8-Upgrade-Assistant/

  then:

  http://techingiteasy.WordPress.com/2012/11/07/part-2-How-to-upgrade-using-the-Windows-8-Upgrade-Assistant/

• the upgrade of 7.2 to 8.0 (3) firmware on asa 5505

  I'm about to upgrade from my asa to version 8 of 7.    I see a lot of instructions on the use of tftp to achieve this.  I also see in the GUI where I can download the image files for version 8.  is there a downside to use the GUI instead of a tftp server?  Everything seems easier through the GUI.

  With TFTP, you will be able to see the progress of the file transfer as well as the upgrade and with the ASDM, it will not really give you any progress and you can just wait blindly.

• Cisco ASA 5520, 8.02, 4GE SSM, IPS?

  I have an ASA 5520 with 4GE SSM module.

  The ASDM, I see IPS basic signatures... anyway to upgrade these signatures, add to, etc.?

  Not really, you must purchase the AIP - SSM module for this.

  Concerning

  Farrukh

• The upgrade 25 users VPN license for 50 users.

  Hello

  Currently I have ASA5500-SSL-25 = license installed on my ASA 5520.

  I want the same for 50 users now.

  Please help me with the part number for a 25 to 50 users upgrade path.

  The order code is "L-ASA-SSL-25-50 =".

• ASA 5520 and MPF

  Hi all. In our company we have recently upgraded our PIX 515 firewall to ASA 5520, and we started to live a thing strange event. On one of the sites we host, I saw a lot of outdated SSM messages popping up and I think that they are the source of the problem when they surf the site (mainly surfing works fine, but sometimes people cannot content etc.).

  I found the Cisco solution for this problem by using the MPF, but one thing confuses me. If I ask a MPF allowing adults MSS on the external interface of the ASA does this political conflict with the comprehensive policy that is on the SAA by default or can they both at the same time?

  Thanks in advance for any help.

  You can have a single policy per interface and another - global, that by default applies to default-inspection-traffic.

  See http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html for more details.

• Update software remotely active / standby ASA 5520

  Hello

  We have a pair of 5510 s and a pair of 5520 s, each active mode / standby.  I would like to upgrade the ASDM and ASA software on these, but can't find any documentation that advise on how this can be done without physical access to devices.  There I am on the site, but we will deploy these all throughout our network and I would like to be able to perform this type of maintenance without having to travel to each site.

  We use CSM and ASDM to manage these most of the time, but are certainly capable of configuration via the CLI.

  The question may be my understanding lack the foundations of the ASA, but I really don't understand how the software can be copied to the ASAs individual of the pair so that they can be reloaded and updated continuously.  My lack of understanding also makes a difficult word question, so please forgive me that.  With a remote SSH connection to the pair, I only copy the correct software to the ASA Active?  Or y at - it a way to get the software on each disk individually in the only SSH connection?  I'm not sure how to handle the ASA ensures no comfort in it... If I can get to remote software at each ASA (copy on different disks? i.e. disk0: and disk1:?), while I will also meet a problem to update startup for each statement individually, but to solve that I guess I could just remove the old software, but cela seems bad practice before confirming the new software is ok.

  If there is an easier way to deploy the new code via ASDM or CSM, I am certainly open to that.

  Any advice or resources that anyone could offer would be extremely useful and appreciated.

  Thank you

  Justin

  Justin,

  This is exactly why. If you are using version prior to version 8.4.1, routing table information is not replicated between the devices.

  Information that is not transmitted to the rescue unit when the rollover is enabled includes these:

  • The HTTP connection table (except if the HTTP replication is enabled)

  • The user authentication (uauth) table

  • The routing tables

  • Status information for the security service modules

  http://Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

  If your gateway of default route is learned via EIRGP and you are trying to access from the internet, you won't be able to get to the secondary unit.

  Workaround solution, put the default gateway static with a metric higher while it appears on the running configuration and sent to the secondary unit.

  Of the questions let me know.

  Mike

• IPSec VPN to asa 5520

  Hello

  First I must admit that I am not very versed in Cisco equipment or in general IPSEC connections so my apologies if I'm doing something really good obviously stupid, but I checked through any kind of things that I could find on the internet on the configuration of IPSEC VPN.

  The setup I have is an asa 5520 (o/s 8.2) firewall which, for now, is connected to a temporary connection beautiful style home broadband for testing purposes. The netopia router is configured to allow ipsec passthrough and redirect 62515 UDP, TCP 10000, 4500 UDP, UDP 500 ports in the asa 5520.

  I'm trying to connein out of a laptop with disabled windows firewall and vpn cisco 5.0.02.0090 client version.

  I ran several attempts through the ipsec configuration wizard options. most of the time that nothing comes in the newspaper to show that a connection was attempted, but there is a way I can set up product options the following on the firewall log:

  4. Sep 24 2010 | 13: 54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, error: cannot delete PeerTblEntry

  5: Sep 24 2010 | 13: 54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, drop table homologous counterpart does not, no match!

  6. Sep 24 2010 | 13: 54:21 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  6. Sep 24 2010 | 13: 54:16 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  6. Sep 24 2010 | 13: 54:11 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  6. Sep 24 2010 | 13: 54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built UDP inbound connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) at identity:192.168.0.27/500 (192.168.0.27/500)

  and this, in the journal of customer:

  Cisco Systems VPN Client Version 5.0.02.0090

  Copyright (C) 1998-2007 Cisco Systems, Inc.. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 5.1.2600 Service Pack 3

  24 13:54:08.250 24/09/10 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  25 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100004

  Establish a secure connection

  26 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "213.94.x.x".

  27 13:54:08.437 24/09/10 Sev = Info/6 IKE/0x6300003B

  Attempts to establish a connection with 213.94.x.x.

  28 13:54:08.437 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 213.94.x.x

  29 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700008

  IPSec driver started successfully

  30 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  31 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  32 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  33 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  34 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  35 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  36 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  37 13:54:28.484 24/09/10 Sev = Info/4 IKE / 0 x 63000017

  Marking of IKE SA delete (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  38 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x6300004B

  IKE negotiation to throw HIS (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  39 13:54:28.984 24/09/10 Sev = Info/4 CM / 0 x 63100014

  Could not establish the Phase 1 SA with the server '213.94.x.x' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.

  40 13:54:28.984 24/09/10 Sev = Info/5 CM / 0 x 63100025

  Initializing CVPNDrv

  41 13:54:28.984 24/09/10 Sev = Info/6 CM / 0 x 63100046

  Set indicator established tunnel to register to 0.

  42 13:54:28.984 24/09/10 Sev = Info/4 IKE / 0 x 63000001

  Signal received IKE to complete the VPN connection

  43 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  44 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  45 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  46 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x6370000A

  IPSec driver successfully stopped

  I have connectivity full http from the internet to a machine inside the asa 5520 so I think that the static routing and NAT'ing should be ok, but I am pleased to provide you with all the details.

  Can you see what I'm doing wrong?

  Thank you

  Sam

  Pls add the following policy:

  crypto ISAKMP policy 10

  preshared authentication

  the Encryption

  md5 hash

  Group 2

  You can also run debug on the ASA:

  debugging cry isa

  debugging ipsec cry

  and retrieve debug output after trying to connect.