VPN with ASA 5500 VPN with PIX 515E vs
I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.
Craig
According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.
On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.
HTH
Rick
Tags: Cisco Security
Similar Questions
-
IPSEC VPN between Pix 515E and 1841 router
Hi all
BACKGROUND
We have implemented a site to site VPN IPSEC between a Pix 515E 8.0 operation (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and the ASDM the pix to build initial tunnels. Now the site with the router is evolving into a dynamic IP address from the ISP so we have implemented dynamic DNS to update dynamic IP address.
PROBLEM
The problem is that ASDM will not allow us to set a domain as the address of peers, it will not accept an IP address. We believe that the solution will be to remove the static Crypto map and replace it with a dynamic Crypto map on the side of Pix. Our questions are simply; is this the best solution? can change us the original static list or is it better to delete and make a new dynamic encryption card? Y at - it a shortcut to change the config command-line? This is a real network, so just check it out before make us any changes on the live kit.
Any help much appreciated.
You don't have to change anything when the peer-address changes. The dynamic crypto map aims to take dynamic peer connections. The only thing to remember, is that only the dynamic peer can initiate the connection. And you reduce your security if you use Pre-Shared key that now you can use a generic-PSK character.
As I remember, the PIX / ASA does not support the dynamic use of FQDNs for peer-resolution. This feature is supported in IOS.
For a feature, it would be preferable to static IP addresses on both sides.
-
4240 IPS blocking queries with Pix 515E
I have activated the lock on the 4240 and put locking as our Pix 515E. When I look at the Configurations of Signature quite a few Signature Actions are set to alert only produce. If blocking is enabled you also go and the Actions of signing the Deny value or TCP Reset? So far my attackers show dosen't IPS refused and he detected the high level of traffic which I assume must now be blocked. Thanks John
Yes, go under the signatures that you want and enable blocking for them as an action. Globally blocking configuration (setting the blocking device, the interface, the connection of the device information, etc.), does not actually blocked on the sensor itself, we must still go and activate the blocking of this particular signature. When this particular GIS fires in the future, the sensor it will block on the device that you configured.
Be very careful with blocking, the reason that we're not blocking simply all the signatures, it is that it would be very dangerous to blindly add access lists to a device that will stop traffic. You must first make sure that you don't get any number of false positives on the signatures and end up blocking valid traffic. In addition, on a busy sensor you could easily overrun detector and locking to writing and deleting 1000's of top access lists. And finally, although probably not, blocking can even be used as an attack denial of service, where an attacker, if they know what signatures you block, can usurp packages past your sensor so that it denies traffic to our legitimate guests.
You have to look at what signatures you really want to block, and then enable blocking on them individually.
-
I configured a PIX 515E, OS 7.0 (1) f? PAT r dynamic of the inside of the network to the external ip address of the PIX. I also configured for icmp access lists from inside to outside and inside. All traffic (www, dns, ftp, etc.) works very well except ping. Whenever I do a ping from host inside to any address outside, I get the following error messages:
6. August 24, 2006 11:10:52 | 609002: duration of disassembly-outside local host: 193.222.224.104 0:00:10
6. August 24, 2006 11:10:52 | 302021: connection of disassembly ICMP for faddr gaddr laddr 8994/FDFR001 212.203.90.59/9 193.222.224.104/0
6. August 24, 2006 11:10:50 | 302021: connection of disassembly ICMP for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993
4. August 24, 2006 11:10:50 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".
6. August 24, 2006 11:10:50 | 302020: ICMP connection built for faddr gaddr laddr 8994/FDFR001 212.203.90.59/9 193.222.224.104/0
6. August 24, 2006 11:10:48 | 302021: connection of disassembly ICMP for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992
4. August 24, 2006 11:10:48 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".
6. August 24, 2006 11:10:48 | 302020: ICMP connection built for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993
6. August 24, 2006 11:10:46 | 302021: connection of disassembly ICMP for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991
4. August 24, 2006 11:10:46 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".
6. August 24, 2006 11:10:46 | 302020: ICMP connection built for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992
6. August 24, 2006 11:10:44 | 302021: connection of disassembly ICMP for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990
4. August 24, 2006 11:10:44 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".
6. August 24, 2006 11:10:44 | 302020: ICMP connection built for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991
4. August 24, 2006 11:10:42 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".
6. August 24, 2006 11:10:42 | 302020: ICMP connection built for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990
6. August 24, 2006 11:10:42 | 609001: built outside local host: 193.222.224.104
What could be the problem?
Thank you, Meg
It's only to predict the responses of echo at all on the external interface. If you do the following ACL on the outside, it should work...
outside_access_in list extended access permit icmp any any echo response
-
Back on the cisco ASA 5500 series and PIX 500 series
Hello
I fund a site www http://www.searchsecurity.de/themenkanaele/plattformsicherheit/schwachstellenmanagement/allgemein/articles/106752/ (only in German). I have read that it is possible to make a denial of service on cisco PIX 500 series and series 5500 ASA, when the TTL value is enabled.
How can I check that? or solve the problem?
I thank you,
Mary
What version of the code you run the Pix or ASA. Refer to the "Products affected" section for more information on versions and the products concerned. This should point you in the right direction.
Also, listed in the URL is bypasses and fixed Versions that you may want to check.
Kind regards
Arul
-
Version 7.0 of the PIX and ASA 5500
Hi all
Is ASA 5500 series identical a PIX 515 or 525 or 535 with version 7.0... I still see some areas where it confused between version 7.0 of the PIX and ASA 5500 series... If not, what are the benefits of ASA 5500 on the PIX 7.0?
ASA is not the same as PIX, ASA is different hardware architecture. Although both can run the same code. One of the benefits of the SAA is that you can have an IPS module in it to make the prevention of intrusions.
Search for comprarison on CCO.
-
site to site vpn with ASA 5500 series SSL?
We have routers DLink DIR - 130 5505 s ASA and PIXen, all work well with our PIX 515E, we need to replace.
We also have Internet satellite in two places. High latency makes IPsec VPN to DLinks on these very slow sites.
We were informed by HughesNet that a SSL VPN will mitigate some of the problems of latency.
However, we cannot use a VPN client for the biometric timeclocks in these places, the clocks need static IP addresses and are more or less "dumb terminals".
The machine of series 5000 ASA VPN site to site similar to OpenVPN or only the most comment client-server type SSL VPN connections?
Thank you, Tom
Hi Thomas,
The SSL VPN on ASAs feature is a client/server relationship where the remote computer can connect without client (browser) or clientbased (AnyConnect) to the ASA.
Federico.
-
VPN between PIX with dynamic IP
Can I make a VPN over the Internet with PIX or IOS VPN in each IP address dynamic and extreme (DHCP client) in the two extremes?
Thank you
If siempre sepas than las direcciones los extremos back there sets in el momento iniciar el tunel in peripheral los.
Distinto are TR UN extremo tiene IP fija y el otro dinamica (vpn easy for example you can help ahi)
--
Alexis Fidalgo
Systems engineer
AT & T Argentina
-
The VPN Site - to-many with PIX 6.3 (5) Can you do?
Hello
I set up a VPN tunnel between two PIX (for example, A PIX and PIX B) running 6.3 (5). It works very well. I then tried to add another VPN to PIX A tunnel to a new PIX C. It does not work! It seems that I can only assign a card encryption, and therefore a tunnel, in a phyical interface on the PIX. Is this good? I assumed that you can run several VPN tunnels since a single physical interface.
All advice warmly received!
Concerning
Paul
You can use something like this
map VPN-map 10 ipsec-isakmp crypto
VPN - 10 card crypto card matches the address B - VPN
card crypto VPN-map 10 set peer b.b.b.b
card crypto VPN-map 10 the transform-set ESP-AES256-MD5 value
card crypto VPN - ipsec-isakmp 20
VPN - card 20 crypto card matches the address C - VPN
card crypto VPN-card 20 set peer c.c.c.c
card crypto VPN-card 20 the transform-set ESP-AES256-MD5 value
-
PIX 515E and remote access VPN
I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.
I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.
Any help is appreciated,
Hello
Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7
Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18
There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue
-
Cisco VPN Client Authentication - PIX 515E-UR
Hi all
I need your expert help on the following issues I have:
1. I would like to create more than 1 client VPN on my PIX-515E groups. This is so that I can give a different part of the internal network access to different type of VPN connection. For example, I want a group to have no XAUTH, while the other group must use RADIUS XAUTH. Is it possible for me to do this? I see the PIX automatically enable RADIUS on both groups of VPN clients.
2. the RADIUS server is a Microsoft ISA with IAS server and it is located on the PIX inside interface. The VPN endpoint is external interface of the PIX. Is there a problem with this Setup? Do I need to have the RADIUS server that is located on the external interface?
3 can. what command I use to debug RADIUS authentication?
Thanks in advance for your help.
Hi vincent,.
(1) you can use the vpngroup *-authentication server ipaddress to specify the IP address of the Radius Server on a particular group... If you do not specify this, the authentication of the user is made locally... also check for vpngroup * order of user authentication
(2) there should be no problem with the installation of your... should work fine... If the RADIUS is outdoors, it is subject to many attacks... so have it inside...
(3) use the "RADIUS session debug" or "debug aaa authentication..."
I hope this helps... all the best... the rate of responses if found useful
REDA
-
Cisco VPN Client behind PIX 515E,-> VPN concentrator
I'm trying to configure a client as follows:
The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.
Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.
You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?
-
I can't get my Cisco VPN client to negotiate successfully with my ASA 5500. I went through several configs and have had no luck. I write my config info and current router debug in the hope that someone sees something obvious. It is not at the initial stage.
Thank you very much for your help.
Always difficulties, try to add...
part of pre authentication policy ISAKMP 65535
ISAKMP 65535 3des encryption strategy
ISAKMP policy 65535 sha hash
65535 2 ISAKMP policy group
ISAKMP strategy life 65535 86400
-
ASA 5500 SSL VPN Failover license
Hello
I have a partner who request assistance with SSL VPN licenses on the ASA 5500 firewall sharing:
His question is:
Both SSL, provided with the firewall of the SAA, licenses can be shared across a couple active / standby? I would therefore have a total of (4) licenses of SSL VPN to use?
This would also be true for two security contexts that are included with the firewall?
For example, I buy two base ASA 5520 firewall, running active / standby, that each machine is supplied with SSL VPN licenses (2) and (2) licensing of security contexts? In version 8.3, the licenses are cumulative by failover pairs, so I should a total SSL VPN (4) and (4) security contexts?
Here is my response to his request:
Based on this link (http://www.cisco.com/en/US/partner/docs/security/asa/asa83/license_standalone/license_management/license.html#wp1449664)
It was mentioned that:
"You can have one active license type, either the AnyConnect Essentials license or the AnyConnect Premium license. By default, the Adaptive security apparatus includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license, it is used by default. See not anyconnect-essentials control or in ASDM Configuration > remote access VPN > network (Client) access > advanced > component AnyConnect Essentials to activate the Premium license instead. »
It will be able to share the included license on the ASA 5500 4. It will be able to share these licenses, but I'm not sure the security context. My answer would be, it can use only 2 context Security licenses since only the VPN licenses are shared on the version 8.3 and other licenses not characteristic. My understanding is correct? or there are other explanations on my customer survey?
Thanks in advance!
Ice Flancia
Cisco partner Helpline Tier 2 team
Only from ASA 8.3 version and following, the license can be combined on a failover pair active / standby.
2 SSL included license on SAA in failover pair is combined as 4 license SSL.
2 license of background on ASA in failover pair is combined as license frame 4.
Here's the URL on ASA combined license failover:
Hope that helps.
-
Hello
I have a PIX 515E current of execution to 7.
Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or the ip address of the ISP router is provided).
I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?
I think that v7 does not support PPPOE? so I can't set the mode on the bridged adsl modem?
Is there a way to fix this?
Any help appreciated gratefully.
apply the commands below:
ISAKMP identity address
ISAKMP nat-traversal 20
If the problem persists, then please post the entire config with ip hidden public.
Maybe you are looking for
-
Lenovo M93P, second HARD drive
Hello! For Lenovo M93P, SFF, 10AJ Type of Machine, we need FRU / PN for support for a second hard drive that is inserted under the support of the hard disk existing. Could you please be so kind and help me get the right FRU / PN. Please find below th
-
OfficeJet Pro 8610: Scan photos Officejet Pro 8610
How better to analyze photos w OfficeJet Pro 8610 I saw on YouTube there is a possibility to configure settings on app scan to detect the sizes photo placed on the glass and also scan several photos. I can't find these settings when I open my scanni
-
Transport on printer hp470 stuck on the left
How can I get the transport towards the Middle I can change the cartridges? All two "ink empty" lights flash but the carriage will not move to part exposed if I put in new cartridges.
-
HelloI'm on jdev 11.1.2.4.I have a page of login.jsf containing a popup with the name of user and password fields and a command button in the dialog box. I use the 'Load' trigger type to show the popup page loading.I defined the defaultCommand proper
-
I've just updated my LR, but still can not read the new RAW files of my brand new Sony a6300. said 'impossible to read these files' is Adobe should update it program with new firmware to manage these new folders? Or something escapes me?