ASA Archives - eGroup


On the new ASA 5512-X series firewall the IPS module is built into the firewall itself rather than supplied as a separate hardware module. When you first start configuring the firewall the IPS software module is not loaded. To load the module so that it starts up and can be configured, enter the following command (replace "file name" with the IPS system image on disk0:):

ASA(config)#sw-module module ips recover configure image disk0:"file name"

Then:

ASA(config)#sw-module module ips recover boot

The IPS module should then boot and you can check the status of it by entering the command:

ASA#show module ips details

Hope this helps!


Ran into an issue today where we could not connect via HTTPS to the ASDM on a 5512X ASA. We had issued the following commands:

ASA(config)#http server enable
ASA(config)#asdm image disk0:/asdm-661.bin

but it still would not connect. Internet Explorer was not giving any errors, but Chrome was showing the following: Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

Turns out the issue is that the ASA did not enable the ciphers that my browsers were trying to use. To fix the issue you must issue the following command:

ASA(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

This will fix the issue. Hope this helps!


Cisco has just released its 5500-X series firewalls. These are context-aware firewalls that deliver everything we loved about the previous generation ASAs, but include multigigabit performance, flexible interface options, and optionally provide broad and deep network security without the need for additional hardware modules. I am really looking forward to working with these.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.pdf


Many times this has been a sticking point for ASA code upgrades, but the time is coming when the 8.3 code update is going to be a requirement (as I have found with the AIP modules).

HUGE reminder that the upgrade from 8.2 to 8.3 is not an easy or simple upgrade.

There is also no skipping ahead: you have to go from 8.2 to 8.3 and cannot jump over 8.2, so upgrade to 8.2 first if you are not already there.

There are a lot of changes to the code, but none as noticeable as the new NAT statements.

Another big reminder is to disable nat-control BEFORE you perform the upgrade. nat-control is the feature that required a NAT statement to be configured for traffic passing between the different interfaces.

Below is a chart comparing the configuration steps from 8.2 to 8.3 for NAT statements.

NAT Feature: Static NAT

  pre-8.3 Configuration:
    static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255

  8.3 Configuration, Option 1 (Preferred):
    object network obj-10.1.1.6
    host 10.1.1.6
    nat (inside,outside) static 209.165.201.15

  8.3 Configuration, Option 2:
    object network server_real
    host 10.1.1.6
    object network server_global
    host 209.165.201.15
    !
    nat (inside,outside) source static server_real server_global

NAT Feature: Dynamic PAT

  pre-8.3 Configuration:
    nat (inside) 1 10.1.1.0 255.255.255.0
    global (outside) 1 209.165.201.254

  8.3 Configuration:
    object network internal_net
    subnet 10.1.1.0 255.255.255.0
    !
    object network internal_net
    nat (inside,outside) dynamic 209.165.201.254

NAT Feature: Dynamic NAT with Interface Overload

  pre-8.3 Configuration:
    nat (inside) 1 10.1.1.0 255.255.255.0
    global (outside) 1 interface
    global (outside) 1 209.165.201.1-209.165.201.2

  8.3 Configuration:
    object network NAT_Pool
    range 209.165.201.2 209.165.201.50
    object network internal_net
    subnet 10.1.1.0 255.255.255.0
    !
    object network internal_net
    nat (inside,outside) dynamic NAT_Pool interface
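The chart above maps three pre-8.3 NAT forms onto their 8.3 object NAT equivalents; the following added example (my own script, not a Cisco tool or anything from the original post) performs that same mapping mechanically so a pre-upgrade config can be reviewed line by line. It assumes only the three syntaxes shown in the chart, uses constructed sample input, and flags anything it does not recognise rather than guessing.

```python
import re

# Constructed sample input (not from the page): one of each pre-8.3 form in the chart above.
PRE_83_CONFIG = """\
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 209.165.201.1-209.165.201.2
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")


def convert_pre83_nat(config: str) -> list[str]:
    """Rewrite pre-8.3 static/nat/global lines as 8.3 object NAT lines.
    'static' becomes the chart's Option 1; 'nat'/'global' pairs are joined on
    NAT ID into 'nat (in,out) dynamic <pool> [interface]'; other lines are kept
    with a '! unconverted:' prefix so nothing is silently dropped."""
    out, nats, globs = [], {}, {}   # nats: id -> (iface, net, mask); globs: id -> [(iface, target)]
    for line in filter(None, map(str.strip, config.splitlines())):
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            real = f"host {real_ip}" if mask == "255.255.255.255" else f"subnet {real_ip} {mask}"
            out += [f"object network obj-{real_ip}", real,
                    f"nat ({real_if},{mapped_if}) static {mapped_ip}"]
        elif m := NAT_RE.match(line):
            iface, nat_id, net, mask = m.groups()
            nats[nat_id] = (iface, net, mask)
        elif m := GLOBAL_RE.match(line):
            iface, nat_id, target = m.groups()
            globs.setdefault(nat_id, []).append((iface, target))
        else:
            out.append(f"! unconverted: {line}")
    for nat_id, (real_if, net, mask) in nats.items():
        pool, mapped_if = [], None
        for mapped_if, target in globs.get(nat_id, []):
            if "-" in target:              # an address range needs its own network object
                lo, hi = target.split("-")
                out += [f"object network NAT_Pool_{nat_id}", f"range {lo} {hi}"]
                pool.insert(0, f"NAT_Pool_{nat_id}")   # pool object precedes 'interface'
            else:
                pool.append(target)        # a single PAT address, or the keyword 'interface'
        if mapped_if is None:              # nat with no matching global: flag it, do not guess
            out.append(f"! unconverted: nat ({real_if}) {nat_id} {net} {mask}")
            continue
        out += [f"object network internal_net_{nat_id}", f"subnet {net} {mask}",
                f"nat ({real_if},{mapped_if}) dynamic {' '.join(pool)}"]
    return out
```

Object names such as obj-10.1.1.6 and NAT_Pool_1 are generated from the addresses and NAT IDs, so review the output before pasting it into a device.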




I recently ran into a question that I have rarely thought about when it comes to SSL VPN certificates…  Can you install a wildcard certificate on a Cisco ASA?

Well, the answer is yes!!!  And here’s how….
