Questions tagged [cisco-asa]
The Cisco ASA (Adaptive Security Appliance) series of products provide Firewall and VPN functionality.
770 questions
1 vote, 0 answers, 63 views
Internet failover on Cisco ASA 5500 series Primary ISP is on DHCP address and so is backup. Always defaults to backup
I had SLA MONITOR setup on my ASA and working fine for months. All traffic was routing through my primary connection. I rebooted my ASA after a firmware upgrade.
When it came back, it would always ...
0 votes, 1 answer, 2k views
site to site(IpSec) between AWS and Cisco is not working
I am trying to set up a site-to-site VPN connection between AWS and Cisco ASA, but the tunnel status is shown as "Down," and under the details section, the message is "IPSEC IS DOWN." ...
0 votes, 1 answer, 536 views
ansible backups for cisco asa devices: ERROR: % Invalid input detected at '^' marker
I have been tasked with backing up all of our network devices, so naturally I chose ansible. I am no expert but I sure need help on this one! I have tried everything under the moon and cannot ...
-1 votes, 1 answer, 126 views
Cisco ASA to Watchguard
I have never worked with watchguard firebox firewalls in depth before and we are replacing a Cisco ASA 5515 with a Watchguard M390. I am having a hard time interpreting the configuration settings in ...
0 votes, 0 answers, 88 views
TCP Session drops because of FIN signal
I have two servers communicating with each other through ISO 8385 messages over TCP sessions. Basically host-to-host interface between two payment switches. The problem is that the session keeps ...
1 vote, 1 answer, 642 views
Client error after installing custom certificate
I've followed (I believe) all the right steps to install a trusted certificate on my ASA firewall:
install company root authority into ASA as a CA
issue a certificate for the ASA's hostname
install ...
1 vote, 1 answer, 539 views
Cisco ASA IPv6 single ::/64 prefix assignment
I am configuring public IPv6 (dual stack w/static IPv4 block) on an ASA 5506 ver 9.9(2)36. The ISP has assigned a single /64 prefix where 2001:2:3:4::1 (not actual IP) is their equipment and 2001:2:3:...
0 votes, 1 answer, 170 views
Port forwarding on ASA 5510 internal - internal
I have an ASA connected to the primary network and I'd like it to do an easy port forward so that when a pc tries to telnet the ASA on port 500, for example, the ASA forward the request to a server.
...
0 votes, 0 answers, 186 views
Can Cisco ASA PBR route to specific IP/port?
I am working on setting up PBR on our ASA-5505, and was trying to figure out if this scenario is possible.
Traffic coming in via one public external IP on port 443.
ASA identify traffic via ACL and ...
2 votes, 1 answer, 391 views
Can VLAN traffic pass through an ASA?
Let's say I had the topology L3Switch1 -> ASA -> L3Switch2
Is it possible for the ASA to pass VLAN information to L3Switch2?
Example Setup
0 votes, 0 answers, 2k views
Site-to-Site VPN from Cisco ASA 5505 to Amazon VPC
I am trying to establish a VPN connection from our on-premises rack to our Amazon VPC. The router/firewall that we have is a Cisco ASA 5505 running software version 9.1(7)23. According to Amazon's ...
0 votes, 0 answers, 1k views
ASA allow DNS service inside to be accessed from outside
I have a shared networking environment for tenants on our building, the ASA sits between a small business internet modem and each tenant's network.
Gateway Modem Cisco ASA DNS ...
0 votes, 1 answer, 101 views
Squid proxy between two firewalls, need iptables solution
At the company I work for we need to implement what I think is called a transparent proxy.
How it is now:
A(lower secured area)--Cisco ASA-----Cisco ASA----B(higher secured area)
What we need:
A(...
0 votes, 1 answer, 1k views
How Do I Reconfigure My Cisco ASA in order to Move it to a Colocation Facility?
My office DSL modem has a static IP address. In the ASA startup wizard, I connected to it using PPPoE.
I now have VPN and NAT configured on it and have tested it in this environment. This weekend, I am going ...
2 votes, 0 answers, 330 views
NIC bonding on Linux in redundant network topology
I want to implement NIC bonding on a Linux server in a redundant network topology as shown in the network diagram below.
Network topology
Both interfaces of the Linux server fa0 and fa1 would be in one ...
0 votes, 2 answers, 2k views
Does factory reset for Cisco ASA 5505 keep the added licenses/features?
I bought a used Cisco ASA 5505 with existing SecurityPlus (and other) licenses already installed.
A factory reset (configure factory-default) from the console will reset just the config and not ...
0 votes, 0 answers, 109 views
ASA5506 VPN Client Blocked
I am setting up a new Cisco ASA5506.
I am testing a Cisco VPN Client, IPSec/UDP, and it is being blocked. I'm not even prompted for credentials.
The VPN Connection works just fine from another ...
1 vote, 1 answer, 2k views
Getting VLAN to work between Polycom VVX phones and Cisco SG300 Switch
I followed instructions listed here --> https://community.polycom.com/t5/VoIP-SIP-Phones/FAQ-Utilizing-VLAN-s-with-Polycom-phones/td-p/38100. But came up short.
So I have computers (VLAN 1) and these ...
0 votes, 2 answers, 667 views
Is there a way to check the interface link up / down on the Cisco ASA?
Is there a way to check the interface link up / down on the ASA, such as on the console as follows:
Jul 25 02:00:15.268: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed ...
0 votes, 0 answers, 2k views
Postfix PIX workaround works fine for short mail, but not for long mail
My Postfix sends email without problems. But one client domain enabled PIX workarounds. If the mail message is short, mail is sent without problems. But if the mail is long, in the log file I see "conversation with ...
1 vote, 0 answers, 367 views
Cisco ASA5506: NAT issue (packet blocked even though permit rule exists)
We're having a problem with our ASA5506.
The public interface "outsideSub" has internet connection via PPPoE.
The ping test to a public DNS server from the outsideSub interface is successful.
...
2 votes, 2 answers, 1k views
Cisco ASA 5505 can't talk to anything on Site-to-Site VPN
So I have a Cisco ASA 5505 set up with 2 Site-to-Site VPNs and a Remote Access VPN; now anything connected (hardwired, S2S VPN or RA VPN) can all talk to each other without a problem.
The problem ...
0 votes, 2 answers, 988 views
L2TP/IPSec: Linux cannot connect to Cisco ASA (but Windows can)
Our partner provides a service that is available only through the L2TP/IPSec tunnel. We successfully connect to it from Windows, but the connection hangs dead a couple of times a week. Therefore, I ...
2 votes, 1 answer, 8k views
Crypto Map Policy not found (but it's there.. promise!)
Sorry.. I'm new to Cisco IOS so if I need to present more info, please let me know.
Using IOS 9.1(6), ASDM 7.10(1) on a Cisco 5510, connecting to an Azure VNET. (Yes, UsePolicyBasedTrafficSelectors ...
0 votes, 1 answer, 474 views
Google Cloud VPN issue Cisco ASA Cryptomap
I am trying to set up an IPSec tunnel on a Cisco ASA. In my routes on google, I can see that only 172.0.99.0/24 and 172.0.100.0/24 should be routed through this tunnel.
Google seems to be requesting ...
0 votes, 1 answer, 578 views
Issues with Cisco IPSec VPN speed. Fast uploads, slow downloads from external to internal servers
We are using a Cisco ASA5516, configured with an IPsec (IKEv1) split tunnel VPN.
When uploading files to a server behind the firewall, the transfer speeds are normal (up to 10mbps).
When downloading ...
0 votes, 0 answers, 242 views
VPN IPSEC through an internet box on one side and preserving the internet connection on the other side
I want to setup a VPN IPSec tunnel between two sites, let's say PARIS and Toulouse.
The tunnel came up fine and the status on the VPN gateway routers at both sides shows it's up and OK.
The problem is that I ...
1 vote, 1 answer, 745 views
WDS boot taking a long time over site-to-site VPN connection
We have three sites and a new server colocation facility that we are in the process of bringing online. We have several WDS servers at each site. We are moving servers from the smallest site to the ...
0 votes, 1 answer, 1k views
Cisco ASA tunnel is up but no traffic
I have reviewed the very similar questions to mine, but my scenario seems different.
ASA Version 9.7(1)4
I had a VPN site-to-site ikev1 connection from a remote network in AWS to a remote network ...
-1 votes, 1 answer, 2k views
Router working as IPsec client to Cisco ASA
Is it possible to configure a MikroTik as an IPsec VPN client to a Cisco ASA? I have an ASA connected with a static IP to the internet and want to connect a MikroTik router behind a dynamic IP internet connection to ...
1 vote, 0 answers, 177 views
Cisco Bridge and MAC address blocking
I have two locations connected with two Cisco 861 routers. They are connected using a bridge. The subnet is the same, 192.168.100.x. The routers are on an E-line connection from the provider.
Location A is ...
4 votes, 2 answers, 431 views
Monitoring for most recent version of Cisco Adaptive Security Appliance (ASA)
How does one automatically check if your Cisco ASA is running the most recent or non-vulnerable version with external monitoring?
With SNMP, you can get the version number of an ASA:
$ snmpget -v2c -...
0 votes, 1 answer, 2k views
ASA Can ping between subnets, but not pass IP traffic (access rules in place, security levels ok)
I have tried getting my ASA to route traffic between subnets. I got it working for 10 minutes, but after some changes (unfortunately I am not an ASA expert) I have broken something.
One example is 192.168....
1 vote, 0 answers, 2k views
VPN Tunnel - Crypto map policy error
Good day!
GCP reports the following error: The peer gateway notifies: Proposal mismatch in CHILD SA (phase 2), Please look at peer logs.
On the ASA 5505 side I'm getting: Map Policy not found for ...
0 votes, 1 answer, 4k views
Can't ping outside IP address
Our firewall is a Cisco ASA and our switch is a Catalyst 2960.
One computer keeps having the following problem:
Once in a while (every one or two days), the computer can't ping an outside IP address like 4.2....
1 vote, 1 answer, 841 views
Can I use Linux iptables to replace the functionality of a Cisco ASA/PIX?
I know iptables can route packets like a router. I've read tutorials where a Raspberry Pi can replace a home router. iptables can allow only specific ports through. However, in my enterprise ...
0 votes, 1 answer, 198 views
Cisco AnyConnect disconnects when prompted by UAC
I have a secure network configured with Cisco AnyConnect SSL VPN and Cisco ISE for authentication. (VPN head is a Cisco ASA, AnyConnect v4.5, ISE v2.3)
The client VPN works perfectly except when a ...
0 votes, 1 answer, 9k views
Strongswan to Cisco ASA with multiple right subnet
I've got an IKEv2 tunnel up, initiated on the left from an Ubuntu box with strongSwan going to a Cisco ASA. Using ASA to ASA, multiple networks work, but I cannot get it to work with strongSwan.
#config setup
...
0 votes, 1 answer, 1k views
FirePower Malware Notification - Track Destination
Good Morning,
I received a notification from FirePower that there was a MALWARE-CNC Win.Trojan.Gh0st variant outbound connection to our exchange server. I'm guessing there was an email sent to one ...
0 votes, 1 answer, 10k views
Recently I configured a Site-2-Site VPN Tunnel and I'm getting this errors:
Recently I configured a Site-2-Site VPN Tunnel and I'm getting this errors:
3 Feb 27 2018 09:21:57 Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to ...
1 vote, 1 answer, 3k views
Cisco ASA 5505 - Access to DMZ with one public IP
I am trying to configure my Cisco ASA 5505 firewall to allow access from the internet to DMZ web and mail server. I'm new to the Cisco world so excuse me if this is a newbie question. I know that this ...
0 votes, 1 answer, 715 views
Communication between ASA 5525X and a L3 switch 3750
I have to authorize communication between an ASA 5525X and an L3 switch 3750.
In the switch I've created 3 VLANs: VLAN Server, VLAN Workstation, and VLAN Interconnection (VLAN number 5).
the ...
-1 votes, 1 answer, 2k views
Changing existing NAT rule on Cisco ASA
This is the exact line I want to edit
nat (inside,outside) source static thatplace thatplace destination static thisplace thisplace no-proxy-arp route-lookup
All I want to do is enable proxy-arp.
...
0 votes, 1 answer, 452 views
Is my VLAN configuration ideal for 2 subnets where one contains a hypervisor?
I’m not sure my VLAN is setup correctly or effectively. I’ve had my layer 3 switch for ages (Extreme Summit x450e-48p). Honestly I’ve just plugged everything into it and used it unmanaged. Before ...
2 votes, 1 answer, 880 views
Why is my IOS EzVPN client not connecting to my ASA EzVPN server?
I have a Cisco 867VAE connecting as an EzVPN NEM client to an ASA 5505 server which will not connect. The server ASA has the repeated messages:
4 Nov 01 2017 23:16:45 713903 ...
2 votes, 2 answers, 374 views
How to add access list to Cisco ASA?
I have the following rules configured at my Cisco ASA firewall:
access-list OUTSIDE_IN extended permit tcp any host xx.xx.xx.xx eq 3306
access-list OUTSIDE_IN extended permit tcp any host xx.xx.xx....
0 votes, 1 answer, 2k views
Cisco ASA 5506-X - Inside to Outside Traffic
I'm unable to get traffic on one of my inside ports to route outside. I believe I have the proper NAT, route, and object configurations. The goal is to have web traffic be accessible on the inside ...
1 vote, 1 answer, 447 views
Google Cloud Platform VPN
Is there a way to change the lifetime in seconds for Phase 1 and Phase 2 of Ipsec? I am trying to connect to a Cisco ASA 5550 at a customer site and their lifetime in seconds setting is 86,400(Phase ...
2 votes, 1 answer, 593 views
Cisco ASA vs. pfSense - How packet inspection works with VPNs
We have a small office, about 75% of our infrastructure is cloud based including a pfSense deployment we use for remote access and site to site connections which is currently public facing. We've ...
0 votes, 1 answer, 531 views
Site to Site IPsec VPN - Tunnel is up but can't get packets routed from left to right
I have a working tunnel. Packets are being routed from right to left properly (the Cisco side can reach my server).
Here's all the info. Any help, more than welcome.
Network Diagram
...