Upgrade license ASA 5505

Hi guys, currently I use basic ASA 5505-license and what I know are by default it supports only 10 VPN peer and plan to upgrade, so in this case, contact 2 of the seller, and they give me different about 10 peers, I 1 seller provide me ASA5505-SW-10-50 = and 2 seller provide me with L-ASA5505-SEC-PL =. so my question what part number, should I get if I want to spend 10 VPN peer? I thank in advance

ASA5505-SW-10-50 = license only gives you more in-house bot users VPN-peers either. You need the update of the license more than VPN-peers SecPlus (L-ASA5505-SEC-PL =). But who will give more internal users if they are also too small. If you need increase these too, you need these two licenses.

Tags: Cisco Security

Similar Questions

Confused about licensing ASA 5505

The ASA 5505 base license not limited somehow how 'inside' subnets you can have if they are configured on a layer 3 switch that is connected to the ASA5505? I know that I can configure only 3 VLAN on the ASA - but I don't think that it forbids me to use several VLANS on my switch...

No it does not limit the number of subnets behind it. According to your user license it will limit the number of users can go through the firewall. A version see show how many users are you licensed it. Also make sure you have all routing in place in your ASA.

ASA 5505 SSL VPN license update

Hi all.

Our ASA 5505 with DATABASE default license allowing only 10 simultaneous vpn sessions (including 2 Anyconnect + IPsec). attached a TXT file with the license information. This Firewall is's use only for vpn access, and we less vpn tunnel vpn IPSec-L2L, anyconnect client SSL and IPSec client access configurations vpn to the top and race walk,.

We are in terms of upgrading vpn license to archive IPSec 10 and 10 Anyconnect and 1 anyconect mobile VPN sessions in time. so my questions are;

1. can I buy "ASA5500-SSL-10 =" accounting and to upgrade our ASA 5505 without having to buy "L-ASA5505-SEC-PL =" license of pus of security.

2. asa use to upgrade only Anyconnect SSL vpn license while keeping 10 vpn IPSec comes with the base license.

Thank you & you expects value comment

Thank you

JCK

1. Yes.

2.Yes.

If you want to keep Clientless SSL VPN you do not want to continue with the addition of the ASA5500-SSL-10 = part. If you can do without client (including the conversion the two existing ones), more economically, you can opt for Security Plus and AnyConnect Essentials licenses. (US$ 800 vs price $1250).

In both cases, the Mobile requires the AnyConnect Mobile (ASA-AC-M-5505) license.

Selection of ASA 5505 license and Smartnet

Hello

We bought an ASA 5505 (ASA5505-BUN-K9) and more recently bought the license to upgrade from 10 to 50 users (L-ASA5505-10-50).

I want to provide remote access to users via AnyConnect - specifically, AnyConnnect under Windows as well as iPhone/iPad and Android. My understanding is that I should buy the Anyconnect Essentials (L-ASA-AC-E-5505) and permits Anyconnect Mobile (L-ASA-AC-M-5505). Is this correct? If I do this, simultaneous remote access VPN connections (via the Anyconnect customers) how the ASA will then support?

In addition, we did not purchase initially Smartnet with this device, but I want to do to access the software updates. Y at - it a document or a site where I can locate the SKU # s Smartnet contracts that would be appropriate with our device? Or could someone provide a few example SKU #?

The output of 'see the version' is below:

Cisco Adaptive Security Appliance Software Version 8.3 (1)

Version 6.3 Device Manager (1)

Updated Friday, March 4, 10 16:56 by manufacturers

System image file is "disk0: / asa831 - k8.bin.

The configuration file to the startup was "startup-config '.

asa1 until dry 42

Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

Internal ATA Compact Flash, 128 MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

Start firmware: CN1000-MC-BOOT - 2.00

SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

0: Int: internal-Data0/0: the address is 649e.f3b3.c2bb, irq 11

1: Ext: Ethernet0/0: the address is 649e.f3b3.c2b3, irq 255

2: Ext: Ethernet0/1: the address is 649e.f3b3.c2b4, irq 255

3: Ext: Ethernet0/2: the address is 649e.f3b3.c2b5, irq 255

4: Ext: Ethernet0/3: the address is 649e.f3b3.c2b6, irq 255

5: Ext: Ethernet0/4: the address is 649e.f3b3.c2b7, irq 255

6: Ext: Ethernet0/5: the address is 649e.f3b3.c2b8, irq 255

7: Ext: Ethernet0/6: the address is 649e.f3b3.c2b9, irq 255

8: Ext: Ethernet0/7: the address is 649e.f3b3.c2ba, irq 255

9: Int: internal-Data0/1: the address is 0000.0003.0002, irq 255

10: Int: not used: irq 255

11: Int: not used: irq 255

The devices allowed for this platform:

The maximum physical Interfaces: 8 perpetual

VLAN: 3 restricted DMZ

Double ISP: Disabled perpetual

Junction VIRTUAL LAN ports: perpetual 0

The hosts on the inside: 50 perpetual

Failover: Disabled perpetual

VPN - A: enabled perpetual

VPN-3DES-AES: activated perpetual

SSL VPN peers: 2 perpetual

Counterparts in total VPN: 10 perpetual

Shared license: disabled perpetual

AnyConnect for Mobile: disabled perpetual

AnyConnect Cisco VPN phone: disabled perpetual

AnyConnect Essentials: Disabled perpetual

Assessment of Advanced endpoint: disabled perpetual

Proxy UC phone sessions: 2 perpetual

Proxy total UC sessions: 2 perpetual

Botnet traffic filter: disabled perpetual

Intercompany Media Engine: Disabled perpetual

This platform includes a basic license.

---

Thank you!

Yes you are right, you must purchase the license key AnyConnect and AnyConnect Mobile, and you can run 25 maximum simultaneous AnyConnect

Here are the compatible Android devices for your reference:

http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect25/release/notes/RN-AC2.5-Android.html#wp1159723

For Smartnet, whereby the service level you need, here are a few examples for ASA5505:

-SMARTnet Premium 24 x 7 x 4 (SNTP): SNTP-CON-AS5B50K9

-SMARTnet 8x5xNBD (SWW): CON-SNT-AS5B50K9

ASA 5505 host under license limit has been exceeded

I'm receive syslog message 450001 - host license limit has been exceeded.

To see the version on my ASA 5505 (8.0.2), inside hosts are limited to 10. The limit of 10 corresponds to the limit (10) syslog error message.

How is this calculated number of hosts? Show arp represents 6 addresses glued to the inside interface.

Hello

Don't use "show arp", use "local host" instead.

Excerpt from http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.pdf

In routed mode, hosts inside (business and home VLAN) account in the limit only when communicating with the outside (Internet, VLAN).

Internet hosts are not counted toward the limit. Also, guests who initiates the traffic between businesses and home are not counted toward the limit. The interface

partner with the value default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are taken into account in the limit.

In transparent mode, the interface with the smallest number of hosts is counted within the limits of the host. See the show local-host command to view the host

limits.

Kind regards

Dandy

Issue of ASA 5505 VPN licenses

I have three places that I want to connect via vpn site-to-site deployed on three ASA 5505. How is the term 'Peers' in the text of license, affecting my script? Each peer ASA in a solution from site to site, or each transmission of user data in the established tunnel also counted?

Users, passing through the tunnel of site to another are not counted. Only the peers themselves.

ASA 5505 license question

Hello

So I have two asa 5505 routers. Lets say 'router' 50 licenses a user and "router B" has 10. What it boils down to: I have two routers autour. The office where the router B and visa versa will router has.

I wonder how licensing works, is it embedded in the device?

If I copy the current configuration of the router A to router B, router B (the same physical box as before, just with A router config) are always 10 licenses? If I copy the current configuration of the router for A router, router B has should have still 50 licenses, right?

Thank you!

-John

Hi John,.

Licenses are always the serial number specific so even if you change the configs. 10 criticism would be has a license of 10 reviews, regardless of the configuration on it. So yes, even if change you the config, 50 user would remain user 50 and 10 critics would remain 10 reviews.

Hope that helps

Thank you

Varun

ASA 5505 Security Plus license question

Hi all!

I have an ASA 5505 that I test with first entered with the Security Plus license. Recently, I erased flash and loaded the latest version of asa841 - k8.bin of IOS with asdm - 642.bin. Everything starts very well and came as he does so freshly however I noticed that I was now running only a basic license. If I run the sh key activation order, I noticed the following messages (exit complete is downstairs):

The activation key running is not valid, using the default

......

This platform includes a basic license.

......

Unable to retrieve the activation key permanent flash

I somehow kill my Security Plus licenses when I did the flash erase? If yes how do I to get it back?

Thank you!!!

-ken

ciscoasa # sh - activation key

Serial number: JMXXXXXXHU

Activation key permanent running: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

The activation key running is not valid, using the default settings:

The devices allowed for this platform:

The maximum physical Interfaces: 8 perpetual

VLAN: 3 restricted DMZ

Double ISP: Disabled perpetual

Junction VIRTUAL LAN ports: perpetual 0

The hosts on the inside: 10 perpetual

Failover: Disabled perpetual

VPN - A: enabled perpetual

VPN-3DES-AES: disabled perpetual

AnyConnect Premium peers: 2 perpetual

AnyConnect Essentials: Disabled perpetual

Counterparts in other VPNS: 10 perpetual

Total VPN counterparts: 25 perpetual

Shared license: disabled perpetual

AnyConnect for Mobile: disabled perpetual

AnyConnect Cisco VPN phone: disabled perpetual

Assessment of Advanced endpoint: disabled perpetual

Proxy UC phone sessions: 2 perpetual

Proxy total UC sessions: 2 perpetual

Botnet traffic filter: disabled perpetual

Intercompany Media Engine: Disabled perpetual

This platform includes a basic license.

Unable to retrieve the activation key permanent flash.

The permanent activation key flash is the SAME as the key permanent running.

Hi Ken,

If you know what the license and activation for your security key, you can simply re - install it with the command "activation key" from the global configuration mode.

If you have lost the key, you'll want to open a support case to get it retrieved.

Hope that helps.

-Mike

licenses for ASA 5505, site-to-site vpn

Hi, gang,

I've not worked on ASA for a few years, so a little rusty on the issuance of licenses. my client has 5 locations, a few computers at each location. 4 tunnels vpn site-to-site will be implemented, so that 1 Server @ main location of accounting is accessible from other. simple configuration. I wonder if I have to purchase additional licenses? This is the part number of the device that I'm aiming for:

ASA5505-BUN-K9
Cisco ASA 5505 Adaptive Security Appliance 8 ports Fast Ethernet Switch with 10 user licenses

Thank you!

Jonathan

Your license for the VPN is perfectly fine as the Base license supports 10 VPN-peers. The 10 user license is what could restrict more.

And if the 5505 is not yet bought, go directly to the ASA 5506 - X as the 5505 is a legacy device and will probably go little EOS.

ASA 5505 Licensing / clarification of encryption

Hello

I have an ASA 5505 Security more than licenses. The specific entry, that I focus on when I do a 'show' version is:

AnyConnect Premium peer: 25 perpetual
AnyConnect Essentials: 25 perpetual

For my IPSEC IKEV2, I have:

IKEv2 crypto policy 1
aes-256 encryption
integrity sha512
Group 21
FRP sha512
seconds of life 10000

Bringing a L2L VPN, I'm able to establish IPSEC/IKEV2 with DH group 21 without problem.
But when I try to connect a remote client with Cisco Anyconnect, I get the following message:

An IKEv2 remote access connection failed. Attempt to use an encryption without an AnyConnect Premium license of NSA Suite B (Group ECDH) algorithm.

After research, I see that 19 Diffie-Hellman groups + are considered Next Gen NSA algorithms. I guess that I don't have the correct license to support this with the AnyConnect client, so I edited my police ikev2 as follows:

IKEv2 crypto policy 1
14 21 group

My problem is that I still get the same error. Shouldn't the low AnyConnect - negotiate to group 14? And shouldn't the L2L negotiate at the highest possible, group 21?

All advice is appreciated.

When you have licenses for AnyConnect Essentials and premium as ASA you must choose one or the other type for all customers AnyConnect.

We see it in general where a customer started with the Essentials license, then later added Premium. When you do this, you must set up "no anyconnect essentials" in order to use features that require the level of Premium license.

All Essentials customers should continue to work in your case, since the number of authorized users is equal on both types of licenses. On larger devices, licenses Premium can be less CALs Essentials since the former is sold by number of users (and can get very expensive on the larger machines because they are potentially 1000s of users) and the second is a relatively good cheap license which covers all of the device according to its material capacity.

On the 5505 maximum capacity is 25 and you have same number already registered for the premium. (The premium SKU license available for this platform are 10 and 25).

Unable to connect to ASA 5505 with AnyConnect after upgrade to 8.2

I just bought a license of VPN AnyConnect Essentials for my ASA 5505. I had to spend to 8.2 ASA.

Now that I updated and installed the license, the AnyConnect client will connect is no longer. It gives the following error: "failed to process the response.

You can provide any help would be appreciated. I am pleased to provide you with the configuration information that might be useful if you can provide the CLI commands, you want that I run.

Looks like he doesn't like THEM too, you can change the encryption algorithm to 'not' include in your strategy:

3des-sha1-aes128-sha1 sha1 aes256 encryption SSL

In general is not very safe anyway, and the choice of encryption above will provide you with the best encryption strategy.

Hope that helps.

ASA 8.4 (1) user AnyConnect Premium upgrade license

Before version 8.4 (1), Cisco has called their license name for SSL/VPN Premium AnyConnect SSL VPN users and currently the new name of the license is simply AnyConnect Premium. In addition, the IOS show name amount users VPN/SSL enabled via your license (Exodus 2, 10, 25, 50,...) by running a 'show activation code"went under SSL VPN peers to peers Premium AnyConnect.

That said, my question is if the upgrade license 10 users to 25 users (L-ASA-SSL-10-25 = -

ASA 5500 SSL VPN 10 to 25 user Premium upgrade license) on a SAA before 8.4 (1) and an ASA with 8.4 (1) is always topical and the good part number make these upgrades for the two ASAs. The description of this part number throws me because it says SSL VPN for Premium user, which was the name before 8.4 (1). I couldn't find any documentation about this part number or to modernize the two ASAs 10 users to 25 users.

Can someone check this part number is perfectly fine to make these upgrades? I appreciate any help or advice.

' L ASA-SSL-10-25 ' of Cisco is indeed part number correct to use for the upgrade of an ASA with 8.4 (1) a user of 10 to 25 AnyConnect Premium license user.

I agree that it would be clearer if they simply called it a "AnyConnect Premium" instead of SSL VPN license. This makes it much more confusing since the AnyConnect Essentials and Premium supports the SSL VPN client-oriented. Based on a browser (without customer) is a feature you get with Anyconnect Premium

How can I get voice and data to work with the ASA 5505?

Here's the issue I'm having. Can I get a Cisco 7940 to work behind one site to another configured ASA 5505 and I can also get data to work behind it. However, when I try to create a separate Vlan for voice and data, it does not work. Our voice VLANs on our remote sites are 172.30 and data are 172.31, when I put the inside interface with 172.31 data will work and when I on it 172.30 voice will work. I upgraded to a security more license and tried vlan3 created as voice. I have the data to the top and work but I can't get vlan3 to work. Any help would be greatly appreciated. Thank you

Here is my current config:

hostname TESTvpn
activate the password xxxxx

passwd xxxxx

username admin password xxxxx privilege 15

name Corp_LAN 10.0.0.0
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn

object-group network SunVoyager
host of the object-Network 64.70.8.160
host of the object-Network 64.70.8.242

the Corp_Networks object-group network
network-object Corp_LAN 255.0.0.0
object-network Corp_Voice 255.255.255.0

interface vlan2
nameif outside
security-level 0
IP address dhcp setroute
No tap

interface vlan1
nameif inside
security-level 100
IP 172.31.155.1 255.255.255.0
No tap

interface vlan3
nameif Corp_Voice
security-level 100
IP 172.30.155.1 255.255.255.0
No tap

output
interface Ethernet0/0
switchport access vlan 2
No tap

interface Ethernet0/7
switchport access vlan 3
No tap

output

dhcpd allow inside
dhcpd address 172.31.155.10 - 172.31.155.30 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd sun.ins area inside interface
dhcpd allow inside

enable Corp_Voice dhcpd
dhcpd address 172.30.155.10 - 172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd interface of sun.ins of the Corp_Voice domain
enable Corp_Voice dhcpd
dhcpd option 150 ip 192.168.64.4 192.168.64.3

Enable logging
exploitation forest buffer-size 10000
monitor debug logging
logging buffered information
asdm of logging of information

outside_access_in list extended access allow all unreachable icmp
outside_access_in list extended access permit icmp any any echo response
outside_access_in list extended access permit icmp any one time exceed
access extensive list ip 172.31.155.0 inside_access_in allow 255.255.255.0 any
inside_access_in list extended access allow icmp 172.31.155.0 255.255.255.0 any
Access extensive list ip 172.30.155.0 Corp_Voice_access_in allow 255.255.255.0 any
Corp_Voice_access_in list extended access allow icmp 172.30.155.0 255.255.255.0 any

VPN access list extended deny ip 172.31.155.0 255.255.255.0 object-group SunVoyager
extended VPN ip 172.31.155.0 access list allow 255.255.255.0 any

inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Access-group Corp_Voice_access_in in the Corp_Voice interface

Global 1 interface (outside)
NAT (inside) 0-list of access VPN
NAT (inside) 1 172.31.155.0 255.255.255.0

Enable http server
http 172.31.155.0 255.255.255.0 inside
http 172.30.155.0 255.255.255.0 Corp_Voice
http 192.168.64.0 255.255.255.0 Corp_Voice
http 10.0.0.0 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
SSH 10.0.0.0 255.0.0.0 inside
SSH 172.31.155.0 255.255.255.0 inside
SSH 65.170.136.64 255.255.255.224 outside
SSH timeout 20

management-access inside

dhcpd outside auto_config

Crypto ipsec transform-set esp-3des esp-md5-hmac VPN
crypto map outside_map 1 is the VPN address
peer set card crypto outside_map 1 66.170.136.65
card crypto outside_map 1 the value transform-set VPN
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 2
lifetime 28800

tunnel-group 66.170.136.65 type ipsec-l2l
IPSec-attributes tunnel-group 66.170.136.65
pre-shared-key xxxxx

output
int eth 0/1
close
No tap
int eth 0/2
close
No tap
int eth 0/3
close
No tap
int eth 0/4
close
No tap
int eth 0/5
close
No tap
int eth 0/6
close
No tap
int eth 0/7
close
No tap

Peter,

Note that access list names are case-sensitive, so you've actually done something different from what I proposed.

Please do:

no nat (Corp_Voice) 0-list of access vpn

No list of vpn access extended permitted ip TESTvpn 255.255.255.0 everything
IP 172.30.155.0 255.255.255.0 extended vpn access do not allow any list all

extended VPN ip 172.30.155.0 access list allow 255.255.255.0 any

NAT (Corp_Voice) 0-list of access VPN

In the case where you did deliberately, for example to separate the 2 acl: note that acl VPN (upper case) is also used in the encryption card, where you cannot add a second LCD.

So if you want to separate you, you will need 3 access lists:

list of access data-vpn ip TESTvpn 255.255.255.0 allow one

voice-vpn ip 172.30.155.0 access list allow 255.255.255.0 any

access-list all - vpn ip TESTvpn 255.255.255.0 allow one

access-list all - vpn ip 172.30.155.0 allow 255.255.255.0 any

NAT (inside) 0-list of access vpn data

NAT (Corp_Voice) - access list 0 voice-vpn

outside_map 1 match address all vpn crypto card

Don't know if this was also clearly to my previous message, I recommend you to replace the "all" (in each of the ACL lines) to something more specific (i.e. a remote network, or group of objects that contain the remote networks).

HTH

Herbert

ASA 5505 DMZ for the guest wireless access

Hello

Here is my delima:

I'm deploying an Apple Airport Extreme BaseStation with Airport Express 7 "repeaters" throughout my network/building. Apple only allows only two wireless networks, public and private. Your selection of only can 192.168.x.x, 172.13.x.x or 10.10.x.x for each subnet. NO tagging VLAN.

It wasn't my decision... Apple CEO hs fever.

So Im stuck on how to implement this without VLAN. The comments/public subnet needs to be isolated outside access. While the private subnet requires access to both.

Any suggestion would be greatly apprecaited.
```
What will the Security Plus license allow me to do?
```
Security over the license allows the use of circuits for the ASA 5505. It also increases the maximum number of VLANS configurable at 20. Allows active failover / standby and increases the number of authorized IPsec VPN tunnels.

The problem with the basic license is that you can have 3 VLAN configured and the 3rd VLAN is a VLAN 'restricted '. This means that you can not pass traffic to or from inside VLAN on the 3rd VLAN (or DMZ VLAN if you prefer to call it that.) So this VLAN DMZ won't be able to communicate with the internet.

So, if your private wireless network and the local network will be on the same subnet your public wireless network can be in VLAN 3. If this isn't the case, you will need to get the security over the license.

--
Please do not forget to rate and choose a good answer

ASA 5505 transparent mode dosnt pass traffic

Hi all

need help

ASA 5505 do not pass traffic as a cordon of brewing, how do you get traffic?

ciscoasa # sh ver

Cisco Adaptive Security Appliance Version 8.2 software (5)

Version 6.4 Device Manager (5)

Updated Saturday, May 20, 11 16:00 by manufacturers

System image file is "disk0: / asa825 - k8.bin.

The configuration file to the startup was "startup-config '.

ciscoasa until 55 minutes 31 seconds

Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

Internal ATA Compact Flash, 128 MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

Start firmware: CN1000-MC-BOOT - 2.00

SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

0: Int: internal-Data0/0: the address is e4d3.f193.9486, irq 11

1: Ext: Ethernet0/0: the address is e4d3.f193.947e, irq 255

2: Ext: Ethernet0/1: the address is e4d3.f193.947f, irq 255

3: Ext: Ethernet0/2: the address is e4d3.f193.9480, irq 255

4: Ext: Ethernet0/3: the address is e4d3.f193.9481, irq 255

5: Ext: Ethernet0/4: the address is e4d3.f193.9482, irq 255

6: Ext: Ethernet0/5: the address is e4d3.f193.9483, irq 255

7: Ext: Ethernet0/6: the address is e4d3.f193.9484, irq 255

8: Ext: Ethernet0/7: the address is e4d3.f193.9485, irq 255

9: Int: internal-Data0/1: the address is 0000.0003.0002, irq 255

10: Int: not used: irq 255

11: Int: not used: irq 255

The devices allowed for this platform:

The maximum physical Interfaces: 8

VLAN: 3, restricted DMZ

Internal guests: 10

Failover: disabled

VPN - A: enabled

VPN-3DES-AES: enabled

SSL VPN peers: 2

The VPN peers total: 10

Double ISP: disabled

Junction ports VLAN: 0

Sharing license: disabled

AnyConnect for Mobile: disabled

AnyConnect Cisco VPN phone: disabled

AnyConnect Essentials: disabled

Assessment of Advanced endpoint: disabled

Proxy sessions for the UC phone: 2

Total number of Sessions of Proxy UC: 2

Botnet traffic filter: disabled

This platform includes a basic license.

Registry configuration is 0x1

Modified configuration of enable_15 to 20:34:47.689 UTC Wednesday 5 December 2012

ciscoasa #.

ciscoasa #.

ciscoasa # sh run

: Saved

:

ASA Version 8.2 (5)

!

transparent firewall

ciscoasa hostname

activate 8eeGnt0NEFObbH6U encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

I haventerface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

Shutdown

!

interface Ethernet0/3

Shutdown

!

interface Ethernet0/4

Shutdown

!

interface Ethernet0/5

Shutdown

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

Shutdown

!

interface Vlan1

nameif inside

security-level 100

!

interface Vlan2

nameif outside

security-level 0

!

passive FTP mode

outs_in of access allowed any ip an extended list

outs_in list extended access permit icmp any one

pager lines 24

Within 1500 MTU

Outside 1500 MTU

no ip address

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

outs_in access to the interface inside group

Access-group outs_in in interface outside

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Telnet timeout 5

SSH timeout 5

Console timeout 0

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e

: end

ciscoasa #.

ciscoasa #.

ciscoasa #.

ciscoasa # sh - access list

access cached list the ACL log stream: total 0, 0 (deny-flow-max 4096) denied

alert interval 300

outs_in list of access; 2 elements; hash name: 0xd6c65ba5

permit for access list 1 outs_in line ip scope any a (hitcnt = 0) 0x7d210842

allowed to Access-list outs_in line 2 extended icmp any a (hitcnt = 0) 0x5532fcc5

ciscoasa #.

Hello

Exactly... Good to know it works now.

Do you know why he needs the IP address (such as a transparent firewall)?

The ASA will act as a transparent layer 2 on the right device to the network, but what happens when the ASA does not have a particular destination mac address... What would be the source ip address of the package? Ip address of the ASA. So that's the main reason why we need that.

We use it also for traffic management and for AAA services (if authentication is used the ASA will send the AAA authentication request to the server) with the IP address of this source.

Please check the question as answered, so future users can pull of this

Julio Carvajal

Costa Rica

Upgrade license ASA 5505

Similar Questions

Maybe you are looking for