Using RADIUS to expiry on an ASA 5520
I would like to know where I would attribute the RADIUS to expiry on an ASA for a VPN group? Is this possible on ASDM as well?
Thank you
Dwane
In my view, it is now called 'password-management'.
Yes, it can be done in the ASDM.
Config-> VPN-> edit-> tab general/Basic tunnel group
Check "Enable notification at the end of the password allowing the user to change the password"
Please evaluate the useful messages.
Tags: Cisco Security
Similar Questions
-
SSL VPN using ASA 5520 mode cluster - several problems
I configured 2 ASA 5520 s in the load balancing cluster mode. I connect using anyconnect and I download the customer the first time and everything works well except outlook. I don't know why outlook does not work.
The second problem is after the anyconnect client is installed on your machine, he remembers that ASA (say ASA2) he first connected and the GUI shows the address IP of ASA2 instead of the virtual IP address of the cluster. I want users always connect using the virtual IP address.
The third problem I have is there is a default group of SSL VPN and I want all users to use this group. In the initial web page, there is a drop down menu which shows that this group, but I still want to disable this menu drop-down.
Any suggestions?
To disable the drop-down menu, you can turn it off with the command
webvpn
 no tunnel-group-list enable
This will take care of your last issue.
***************************
You can create a profile of the Anyconnect client with the name of the server you want to connect with and that make the ASA that will solve your problem of virtual IP.
**************************
Regarding Outlook, do you use specific ports which allows inspection of the ASA. Take a look at the list of inspection on the ASA and perhaps try to disable inspection and see if it works.
*****************************
-
Using Cisco Client to site VPN on a behind a NAT ASA 5520
I apologize if this has been asked and we answered in the forums. I looked, and while I found a large number of entries that were dancing all around this question, I never found nothing which addressed this specific issue. We currently use an ASA 5520 as the head end of a relatively large customer to site IPSEC VPN (approximately 240 users, not consecutively). This ASA is currently sitting behind a Checkpoint firewall with a real publicly addressable IP address on its public interface. All of our customers use the legacy Cisco VPN (not the one anyconnect) client. We plan to a few controllers F5 link set up between ISPS and firewalls. For VPN connectivity F5 recommends that we NAT IP address (called a broad IP) to point back to a private IP address on the ASA and F5. My question is, will this work? I've always heard say that the head of line needed to have a public IP address on this subject because this is what will be placed in packages for the client to respond to.
For further information, here's what we have now and what we are invited to attend.
Current
ISP - router - firewall-fire - ASA (public IP address as endpoint)
Proposed
ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - Firewall - ASA (10.X.X.X as its external interface)
Proposed alternative
ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - ASA (10.X.X.X as its external interface)
All thoughts at this moment would be greatly appreciated. Thank you!
Hello
If there is a static NAT one by one on F5 to the external interface of the ASA, then I don't think they would be any problems.
Because when the client will attempt to connect to IKE to the translated public IP, F5 will redirect the request to ASA outside interface that is configured for the VPN. In addition, ensure that UDP 500, UDP 4500 and ESP are allowed and then you should be good to go.
HTH
Concerning
Mohit
-
ASA 5520 - VPN using LDAP access control
I'm setting up an ASA 5520 for VPN access. Authorization & authentication using an LDAP server. I have successfully configured tunnel, and I can access internal resources. What I want to do now is to limit access to a specific ad group membership. In the absence of this belonging to a group, a user cannot access the VPN.
My VPN client software testing is Cisco Systems VPN Client 5.0.05.0290 Version. The Group authentication is configured in a connection entry that identifies the Group of Tunnel. I think I wrote that correctly.
The Version of the software on the ASA is 8.3 (1).
My current challenge is getting the VPN to stop letting each request for access through little matter belonging to a group. I found the thread below to be significantly useful, but there is obviously something which is not entirely mesh with my situation.
https://supportforums.Cisco.com/message/3232649#3232649
Thanking all in advance for everything offered thoughts and advice.
Configuration (AAA LDAP, group policy and group of tunnel) is below.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.y.12
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.10
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
 ldap-over-ssl enable
 ldap-attribute-map LDAP_MAP
aaa-server LDAP (inside) host x.x.y.11
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=svcacct,ou=svcac,ou=users,ou=svcad,dc=domain,dc=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAP_MAP
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
 address-pools none
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec webvpn
 ipsec-udp enable
group-policy vpn-pro internal
group-policy vpn-pro attributes
 wins-server value x.x.y.17 x.x.y.27
 dns-server value x.x.y.19 x.x.y.29
 vpn-simultaneous-logins 50
 vpn-tunnel-protocol IPSec svc
 group-lock value vpn-pro
 default-domain value domain.com
 address-pools value ip-vpn-pro
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway 1800
!
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LDAP
 authorization-server-group LDAP
 default-group-policy vpn-pro
 authorization-required
tunnel-group vpn-pro type remote-access
tunnel-group vpn-pro general-attributes
 authentication-server-group LDAP
 authentication-server-group (outside) LDAP
 authorization-server-group LDAP
 default-group-policy vpn-pro
 strip-realm
 password-management
 strip-group
 authorization-required
tunnel-group NOACCESSGROUP type remote-access
tunnel-group NOACCESSGROUP general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
Hello
The configuration of what you are looking for is a feature called DAP (Dynamic Access Policy)
The following link will explain how to set up the same.
http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.
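One way to restrict access by AD group with the pieces already in the posted configuration is an LDAP attribute map that picks the group policy from memberOf, with the no-access policy as the default. This is an added example, not configuration from the thread; the AD group DN is a constructed placeholder, while LDAP_MAP, vpn-pro and NOACCESS reuse the names in the question.

```cisco
! Added example. The group DN below is a constructed placeholder (assumption).
!
! Map the AD memberOf attribute to the group policy to apply.
! Only users in the listed AD group are handed the vpn-pro policy.
ldap attribute-map LDAP_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN-Users,OU=Groups,DC=domain,DC=com vpn-pro
!
! Policy that refuses the session (zero simultaneous logins).
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! A user whose memberOf matches no map-value keeps the tunnel group's
! default-group-policy. In the posted configuration that default is vpn-pro,
! so every authenticated user is admitted. Make the default the deny policy:
tunnel-group vpn-pro general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
tunnel-group DefaultRAGroup general-attributes
 default-group-policy NOACCESS
!
! Check what the ASA receives from AD and which policy it maps:
!   debug ldap 255
```

The attribute map has to stay attached to every aaa-server host entry, as it is in the posted configuration, or a login served by an unmapped host falls through to the default policy.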
-
Routing with Cisco ASA 5520 VPN
I have installed IPsec vpn remote users in the Cisco ASA 5520 using RADIUS in my main network. Works very well. I have a site to my Cisco ASA5520 tunnels going to other sites, some of the tunnels have Cisco ASA and some have SonicWalls. I wish that my users VPN remote IPSec to be able to navigate in these tunnels is a site to access remote subnets attached to these tunnels. Do I need to use a combination of routing and the ACL? Or can I just use ACL only? Or just use routing only?
Thank you
Carlos
Hello
The key to set up here is the two ACL of VPN L2L end points that determine the 'interesting' traffic to connect VPN L2L. You will also need to confirm that the connection of the VPN Client is configured so that traffic to the remote sites have sent to the connection of the VPN client. There are also other things that you should check on your ASA plant
Here most of the things you usually have to confirm
- Set up 'same-security-traffic permit intra-interface' if it is already present in your configuration
  - This setting will allow connections to form between the hosts that are connected to the same interface on the ASA. In this case, applies because the VPN client users are connected to the interface 'outside' of the ASA and also remote sites are connected to the ASA to "external". If the traffic between the remote VPN Client and VPN L2L sites will be to enter and exit the same interface
- You will need to check how the customer if configured VPN connection. Split or full Tunnel tunnel
  - If the connection of the VPN Client is configured as Split Tunnel then you need to add all the networks from the remote to the Split Tunnel, so that the connections between the VPN Client is transmitted to the ASA and from there connections VPN L2L
  - If the connection of the VPN Client is configured as full Tunnel, then there no problem that all traffic is transferred to the Client VPN connection all its assets
- Define the VPN pool in the ACL of VPN L2L
  - You should make sure that the pool network VPN Client is defined in the ACL that define 'interesting' traffic to connect VPN L2L. So, you need to add the pool VPN VPN L2L configurations on the sites of Central America and remote control
- Configure NAT0 / NAT exempt for remote VPN Client to L2L VPN Site traffic at both ends of the VPN L2L
  - You must ensure that the NAT0 / exempt NAT rules exist for the VPN Client for Remote Site traffic. This will have to be configured on the ASA "outside" interface. Format of configuration varies naturally a bit on the ASA Central his software level.
These should be the most common things to set up and confirm for traffic to flow between the VPN Client and Remote Sites
Hope this helps please rate if yes or ask more if necessary.
-Jouni
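The four checks in the answer above, written out as one central-ASA configuration. This is an added example, not from the thread: all addresses, ACL names and the group policy name are constructed assumptions, and the NAT exemption is shown in 8.3+ syntax with the pre-8.3 form in comments.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   VPN client pool       10.10.10.0/24
!   Central LAN           192.168.1.0/24
!   Remote L2L site LAN   192.168.50.0/24
!
! 1. Let traffic enter and leave the same interface (client and L2L
!    tunnels both terminate on "outside").
same-security-traffic permit intra-interface
!
! 2. Split tunnel: the remote-site network must be in the list, otherwise
!    the client never sends that traffic into its tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 3. Crypto ACL of the L2L tunnel: add the client pool as a local network.
!    The remote peer needs the mirror entry (192.168.50.0/24 -> 10.10.10.0/24),
!    or the two ends will not agree on the protected traffic.
access-list L2L_SITE_A extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list L2L_SITE_A extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! 4. NAT exemption for pool <-> remote site on the outside interface (8.3+).
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network SITE_A_LAN
 subnet 192.168.50.0 255.255.255.0
nat (outside,outside) source static VPN_POOL VPN_POOL destination static SITE_A_LAN SITE_A_LAN
!
! Pre-8.3 equivalent of step 4:
!   access-list OUTSIDE_NAT0 extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
!   nat (outside) 0 access-list OUTSIDE_NAT0
```

Adding the pool to the crypto ACL widens what the remote site accepts from remote-access users, so keep the entry as narrow as the users actually need.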
-
Tunnel VPN ASA 5520 (DMZ + INSIDE) destined for OUTSIDE
I can't find any reference to anywhere else.
We have an ASA 5520 to our site HQ (inside the network) with several regional subnets on the DMZ interface.
We need connectivity VPN Site to Site between the INSIDE and a remote control on the OUTSIDE of the site, as well as between the DMZ subnets and even outside the site. The interface from the OUTSIDE of the ASA must be local VPN endpoint for all tunnels.
I created a S2S VPN between the INSIDE and the OUTSIDE site and it works great.
When I create a VPN S2S tunnel between a site of DMZ and even outside the site (using the same settings the and remote, but with a cryptomap different because the local subnet (DMZ) is different from the other inside the subnet, the traffic gets the mapping (show crypto isakmp sa) to the same cryptomap that was created for the access to the tunnel from the OUTSIDE), instead of to the new cryptomap, so remote endpoint deletes it, and traffic also causes SPI incorrect of for the remote endpoint, which makes the original INTERIOR outside OF THE VPN tunnel to fall from time to time.
Is this a bug?
I also did a local S2S VPN tunnel configuration test of networks as everything INSIDE and the DMZ. With the help of the wizard VPN S2S leads ASA only to create a NAT rule exempted for the subnet on the INSIDE interface. Can I manually create another tax-exempt NAT rule to the side of the DMZ and use this a S2S tunnel to connect sites inside and DMZ to the remote OFF-SITE in a connection profile?
I'm building a Rube Goldberg?
Thank you
George
Hi George,
It seems you have a situation overlapping it, are you sure that subnets inside did not overlap with the networks from the DMZ? A package tracer could clarify what the ASA is actually sending.
In addition, you can merge the two interfaces on the same card encryption if you wish, just make sure that the NAT is configured correctly. For example; Source NAT (all, outside) static...
It may be useful
-Randy-
-
ASA 5520 to Juniper ss505m vpn
I'm having a problem with the vpn site to site between a asa 5520 and Juniper ss 505 m. The tunnel rises, but we seem unable to pass traffic through the vpn tunnel. It appears on the remote side makes a connection to the ftp server on the Local Server, but is never prompt identification of connection information.
April 19, 2016 13:27:13 SQL-B2B-01: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xD167A5E8, sequence number= 0xD) from X.X.241.90 (user= X.X.241.90) to X.X.167.230. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as X.X.167.233, its source as X.X.2.68, and its protocol as TCP. The SA specifies its local proxy as X.X.167.233/255.255.255.255/tcp/5376 and its remote_proxy as X.X.2.68/255.255.255.255/tcp/5376.
list of remote ip-group of objects allowed extended West Local Group object
NAT static Local_Pub Local destination (indoor, outdoor) static source Remote
crypto ipsec ikev1 transform-set Remote esp-aes-256 esp-sha-hmac
crypto map West-map 95 match address Remote
crypto map West-map 95 set peer X.X.241.90
crypto map West-map 95 set ikev1 transform-set Remote
crypto map West-map 95 set security-association lifetime seconds 28800
Juniper-
"Remote-ftp" X.X.167.233 255.255.255.255
Gateway proposal P1 preshare "[email protected]/ * /" proposal "pre-g2-aes256-sha-28800.
P2-proposal "no-pfs-esp-aes256-sha-28800" No. - pfs esp aes256 sha-1 second 28800
----------------------
the top of the policy of "Trust" to "Untrust" "X.X.2.68/32" "Remote-ftp' 'ftp' vpn"Remote-vpn"tunnel log
put on top of the "Untrust" policy to the "Trust" "Remote-ftp' 'X.X.2.68/32' 'ftp' vpn"SonoraQ-vpn"tunnel sign
I do not know Juniper, but it seems that it is trying to negotiate the use of only 5376/tcp on the tunnel, when it should be negotiated just Protocol "ip".
-
Hi I have a Cisco Asa 5520 and I want to vpn site-to-site by using another interface with a carrier of lan to lan, the problem is when I try to pass traffic have the syslog error to follow:
No translation group found for udp src lan2lan:10.5.50.63/44437 dst colo:biggiesmalls/897
LAN to LAN service interface is called: lan2lan
one of the internal interfaces is called: colo
I think that is problem with Nat on the ASA but I need help with this.
Config:
!
interface GigabitEthernet0/0
nameif outside
security-level 0
eve of fw - ext 255.255.255.0 address IP XXaaaNNaa
OSPF cost 10
OSPF network point-to-point non-broadcast
!
interface GigabitEthernet0/1
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/1.50
VLAN 50
nameif lb
security-level 20
IP 10.1.50.11 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet0/1.501
VLAN 501
nameif colo
security-level 90
eve of fw - int 255.255.255.0 172.16.2.253 IP address
OSPF cost 10
!
!
interface GigabitEthernet1/1
Door-Lan2Lan description
nameif lan2lan
security-level 0
IP 10.100.50.1 255.255.255.248
!
access extensive list ip 10.1.0.0 lan2lan_cryptomap_51 allow 255.255.0.0 object-group elo
permit access list extended ip sfnet 255.255.255.0 lan2lan_cryptomap_51 object-group elo
pager lines 24
Enable logging
host colo biggiesmalls record
No message logging 313001
External MTU 1500
MTU 1500 lb
MTU 1500 Colo
lan2lan MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ARP timeout 14400
NAT-control
Global 1 interface (external)
interface of global (lb) 1
Global (colo) 1 interface
NAT (lb) 1 10.1.50.0 255.255.255.0
NAT (colo) - access list 0 colo_nat0_outbound
NAT (colo) 1 10.1.13.0 255.255.255.0
NAT (colo) 1 10.1.16.0 255.255.255.0
NAT (colo) 1 0.0.0.0 0.0.0.0
external_access_in access to the external interface group
Access-group lb_access_in in lb interface
Access-group colo_access_in in interface colo
Access-group management_access_in in management of the interface
Access-group interface lan2lan lan2lan
!
Service resetoutside
card crypto match 51 lan2lan_map address lan2lan_cryptomap_51
lan2lan_map 51 crypto map set peer 10.100.50.2
card crypto lan2lan_map 51 game of transformation-ESP-3DES-SHA
crypto lan2lan_map 51 set reverse-road map
lan2lan_map interface lan2lan crypto card
quit smoking
ISAKMP crypto identity hostname
ISAKMP crypto enable lan2lan
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 20
enable client-implementation to date
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared-key xxXnnAA
tunnel-group 10.100.50.2 type ipsec-l2l
tunnel-group 10.100.50.2 General-attributes
Group Policy - by default-site2site
No vpn-addr-assign aaa
No dhcp vpn-addr-assign
Telnet timeout 5
!
The VPN is OK? ("show crypto isakmp sa" should show a MM_Active tunnel to the peer address)
Normally exempt us VPN site-to-site of NAT traffic. This could be your problem. If you can share your configuration, we can have a look.
p.s. you should affect the question of the security / VPN forum.
-
Change of SSL/TLS group Diffie-Hellman on ASA 5520
dh-group SSL control was introduced in 9.3 (2) which is not available to ASA 5520. Is others possible to force ssl vpn to use the diffie-hellman > 1024 bits on this system?
Sorry miss-read the question. As far as I know, we can't specify the Diffie-Hellman on the ASA group before 9.3 (2).
--
Please do not forget to select a correct answer and rate useful posts
-
With an ASA 5520 port forwarding
Hi all
I recently bought a Cisco ASA 5520 on eBay for study and I decided to only use it as a firewall between my home LAN and Internet. Wow, what a learning curve! I managed to add my internal networks as objects and create a rule (thanks to youtube) NAT to PAT my internal devices out of the Internet with ASDM, but I am really struggling to do the following:-
-allow all incoming traffic that hits the outside interface for port 38921 and nat at 10.1.10.101:38921
-allow all incoming traffic that hits the outside interface for port 30392 and nat at 10.1.10.101:30392
Can someone guide me on how to do it, because I have a couple of services that run behind these ports on a server I want to get when I'm not at home? My (rather messy) config is as follows:-
hostname FW1
activate the encrypted password
encrypted passwd
names of
!
interface GigabitEthernet0/0
Description * externally facing Internet *.
nameif outside
security-level 0
IP address dhcp setroute
!
interface GigabitEthernet0/1
Description * internal face to 3750 *.
nameif inside
security-level 100
IP 10.1.10.2 255.255.255.0
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
passive FTP mode
the VLAN1 object network
subnet 192.168.1.0 255.255.255.0
Legacy description
network of the WiredLAN object
10.1.10.0 subnet 255.255.255.0
Wired LAN description
network of the CorporateWifi object
10.1.160.0 subnet 255.255.255.0
Company Description 160 of VLAN wireless
network of the GuestWifi object
10.1.165.0 subnet 255.255.255.0
Description Wireless VLAN 165 comments
network of the LegacyLAN object
subnet 192.168.1.0 255.255.255.0
Description Legacy LAN in place until the change on
the file server object network
Home 10.1.10.101
Description File Server
service object Service1
tcp source eq eq 38921 38921 destination service
1 service Description
the All_Inside_Networks object-group network
network-object VLAN1
network-object, object WiredLAN
network-object, object CorporateWifi
network-object, object GuestWifi
network-object, object LegacyLAN
object-group service Service2 tcp - udp
port-object eq 30392
object-group service DM_INLINE_TCPUDP_1 tcp - udp
port-object eq 30392
Group-object Service2
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
Outside_access_in list extended access allowed object-group TCPUDP any inactive FileServer object-group DM_INLINE_TCPUDP_1 object
Outside_access_in list extended access allowed object Service1 any inactive FileServer object
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
MTU 1500 internal
management of MTU 1500
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 714.bin
don't allow no asdm history
ARP timeout 14400
service interface NAT (inside, outside) dynamic source FileServer Service1 inactive Service1
NAT (all, outside) interface dynamic source All_Inside_Networks
Access-group Outside_access_in in interface outside
Internal route 10.1.160.0 255.255.255.0 10.1.10.1 1
Internal route 10.1.165.0 255.255.255.0 10.1.10.1 1
Internal route 192.168.1.0 255.255.255.0 10.1.10.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 10.1.160.15 255.255.255.255 internal
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Telnet 10.1.160.15 255.255.255.255 internal
Telnet timeout 5
SSH timeout 5
Console timeout 0
interface ID client DHCP-client to the outside
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
username privilege of encrypted password of Barry 15
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:19be38edefe8c3fd05e720aedee62c8e
: end
1. This is just one example of configuration and another option with to reason and avoid to send us the complete configuration of NAT:
object network 10.1.10.101
 host 10.1.10.101
object service 38921
 service tcp source eq 38921
object service 30392
 service tcp source eq 30392
nat (inside,outside) 1 source static 10.1.10.101 interface service 38921 38921
nat (inside,outside) 1 source static 10.1.10.101 interface service 30392 30392
Let me know if it works
-
ASA 5520 Infiltration of DNS query
Is the operation of TCPDUMP, similar to Sidewinder FW (example below), possible through ASA 5520 and AIP-SSM-10 (IPS) module? Reference and the answer to my question are appreciated.
tcpdump options for DNS:
- Internal burb: tcpdump -ntpi em0 port 53
- External burb: tcpdump -ntpi em1 port 53
tcpdump options for SMTP:
- Internal burb: tcpdump -ntpi em0 port 25
- External burb: tcpdump -ntpi em1 port 25
You can use the iplog command to capture a PCAP file on the module AIP - SSM (assuming that you sent the traffic you with capture or through the module AIP - SSM IPS). It will capture based on the source IP address.
http://www.Cisco.com/en/us/docs/security/IPS/6.0/command/reference/crCmds.html#wp466857
If you want TCPdump granularity, make a service account on the sensor, open a session in the Linux system, able to root and tcpdump away.
-
Hello
We have an ASA 5520 running the 8.x version which currently has 512 MB of DRAM.
I would like to upgrade memory 1 GB DRAM
Issues related to the:
1. How many DRAM slots does the 5520 have?
2. I found this part:
http://www.MemoryX.NET/asa5520mem1gb.html
Seeking to be good. Is there anywhere I can OLA to be sure? I was looking and looking, but I can't find any hard documentation about the DRAM modules, I can use for my 5520.
Thank you 1 million,
Pedro
There should be four.
http://www.Cisco.com/en/us/docs/security/ASA/HW/maintenance/guide/procs.html#wp1076043
The only supported memory upgrade must come from Cisco ASA5510-MEM-512 = manufacturer
There is no 'Cisco' part number to memoryx in the price list of Cisco. Also I think it's for the AIP, not the chassis module. I think that the chassis only supports 512 MB chips. The link below is the one you want.
http://www.MemoryX.NET/ASA5520.html
It shows that he have a single good Bank. I have not a 5520 in lab to take a look, but the documentation must be accurate.
-
I have an ASA 5520 and master mechanic wants me to a login account via CLI that the helpdesk will just display but makes no changes. I can do this, or what I need to use the ASDM software. Thanks in advance and have a nice day
Eric,
Follow this example in link, specific scenario you need, simply create local account in asa with the privilege level 5... see link PLS.
Concerning
-
ASA 5520 8.0 (4) port depending on the ACLs vpn works not
Hi all
I have a problem with an ASA (5520 8.0 (4)) for lack of working with a port based acl for remote clients. I have a simple acl from a single line to split traffic, if I allowed the tunnel IP works fine, if I lock it up to TCP 3389 rdp will not work. I don't see anything in the logs and debug output, I did have a problem with a similar configuration (5510 8.0 (4) and I'm at a loss to explain it.)
Everyone knows about this problem before? I have nat exclusions etc and as I said, the tunnel only works if the acl permits all IP traffic between client and server.
THX in advance
Split-tunnel list cannot IP, if you want to restrict which ports are sent via the tunnel vpn for your clients vpn, you need to use VPN filters under Group Policy:
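The split between the two lists described in the answer, for the TCP 3389 case in the question. This is an added example, not configuration from the thread; the client pool, server address, ACL names and group policy name are constructed assumptions.

```cisco
! Constructed values (assumptions): client pool 10.10.10.0/24,
! RDP server 192.168.1.20, group policy RA_POLICY.
!
! Split-tunnel list: decides only WHICH NETWORKS are routed into the tunnel.
! Keep it a plain network list with no ports.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
!
! VPN filter: decides WHICH TRAFFIC is allowed inside the tunnel.
! In a vpn-filter ACL the remote side (the client pool) is always written
! as the source and the local protected side as the destination, whichever
! end opens the session. Everything not permitted is dropped by the
! implicit deny at the end of the ACL.
access-list RDP_ONLY extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 3389
!
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value RDP_ONLY
```

The filter is applied when a session is established, so connected clients must reconnect before a change to RDP_ONLY takes effect.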
-
Hi all. In our company we have recently upgraded our PIX 515 firewall to ASA 5520, and we started to live a thing strange event. On one of the sites we host, I saw a lot of outdated SSM messages popping up and I think that they are the source of the problem when they surf the site (mainly surfing works fine, but sometimes people cannot content etc.).
I found the Cisco solution for this problem by using the MPF, but one thing confuses me. If I ask a MPF allowing adults MSS on the external interface of the ASA does this political conflict with the comprehensive policy that is on the ASA by default or can they both at the same time?
Thanks in advance for any help.
You can have a single policy per interface and another - global, that by default applies to default-inspection-traffic.
See http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html for more details.