Tag Archives: Cisco ASA

Cisco Firepower: Forbidden - you don’t have permission to access

After re-imaging an FPR2110 from FTD to ASA 9.8.2, the chassis (FXOS) management interface UI became inaccessible, returning the error “Forbidden - you don’t have permission to access / on this server”.

In a nutshell, I could access FXOS via SSH and the ASA via SSH and HTTPS, but the FXOS Chassis Manager web UI was broken. After spending some time on it, the only way to get this sorted was to upgrade to version 9.9.x.

After the upgrade, everything was working again.


AnyConnect Package on the secure gateway could not be located

This error message appears because your Cisco ASA doesn’t have an AnyConnect image installed for your WebVPN profile. The images can be downloaded from cisco.com. This example is for ASDM 7.6; if you run version 6.x, you can upload the image in ASDM under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Binary.

[Screenshots: anyconnect_package_error, anyconnect_package_error2, anyconnect_package_error3, anyconnect_package_error4]

Mate’s license (Licensed Cores ) is not compatible with my license (Licensed Cores )

I’ve configured many clusters using Cisco ASA gear, but this time I got a strange message while bringing the cluster up (active/passive) on a pair of ASA 5510s running asa842-k8.bin.

Error message:

Mate’s license (Licensed Cores ) is not compatible with my license (Licensed Cores ). Failover will be disabled.

Understanding licensing models is always hard because of the product's evolution. I was wondering whether, even with the same license (Security Plus), the cause could be different AnyConnect seat counts. Generating a demo license didn’t help, so my last guess was to look at the release notes, and bingo: affected by CSCtj87870.

After upgrading to 8.4(7) it worked!

Firewall 1

FW1# show activation-key
Serial Number: JMXyyyyyyyy
Running Permanent Activation Key: 0x0f19ee7b 0x2cf2fb8c 0x4ce23d7c 0xb0d4587c 0x013d09be

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5510 Security Plus license.

The flash permanent activation key is the SAME as the running permanent key.

Firewall 2

FW2# show activation-key
Serial Number: JMXxxxxxxx
Running Permanent Activation Key: 0xfe13ca68 0xd8bc8063 0x697114e4 0xccd4b0c0 0x4004cbb6

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 50 perpetual
AnyConnect Essentials : 250 perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5510 Security Plus license.

The flash permanent activation key is the SAME as the running permanent key.

FW1/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 110 maximum
failover replication http
Version: Ours 8.4(7), Mate 8.4(7)
Last Failover at: 19:24:17 GMT/BDT Jul 13 2015
This host: Primary – Active
Active time: 72212 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(7)) status (Up Sys)
Interface outside (185.11.166.209): Normal (Not-Monitored)
Interface inside (10.1.1.254): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary – Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(7)) status (Up Sys)
Interface outside (0.0.0.0): Normal (Not-Monitored)
Interface inside (0.0.0.0): Normal (Not-Monitored)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : FAILOVER Ethernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         10714600   0          9605       1
sys cmd         9605       0          9605       1
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        265004     0          0          0
UDP conn        9540443    0          0          0
ARP tbl         488430     0          0          0
Xlate_Timeout   0          0          0          0
IPv6 ND tbl     0          0          0          0
VPN IKEv1 SA    3          0          0          0
VPN IKEv1 P2    146        0          0          0
VPN IKEv2 SA    0          0          0          0
VPN IKEv2 P2    0          0          0          0
VPN CTCP upd    0          0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     410969     0          0          0
Route Session   0          0          0          0
User-Identity   0          0          0          0

Logical Update Queue Information
Cur     Max     Total
Recv Q:         0       8       9606
Xmit Q:         0       122     10979540
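When a failover pair reports a license mismatch, the first thing to check is exactly which licensed features differ between the two units. The following script is an added example, not part of the original post: it parses `show activation-key` output from two units and lists the features whose values differ. The sample outputs embedded below are the FW1 and FW2 outputs shown above (serial numbers as redacted in the post); the function names and the handling of time-limited keys ("NN days") are my own assumptions.

```python
"""Compare licensed features of two ASA units from `show activation-key` output.
Added example; not the original post's code."""
import re
from typing import Dict, Optional, Tuple

FEATURES_HEADER = "Licensed features for this platform:"
# "This platform has an ASA 5510 Security Plus license."
_TIER_RE = re.compile(r"^This platform has an? (?P<tier>.+?) license\.")
# "Feature name : value perpetual"  (assumed: temporary keys show "value NN days")
_FEATURE_RE = re.compile(
    r"^(?P<name>.+?)\s*:\s*(?P<value>.+?)(?:\s+(?:perpetual|\d+\s+days?))?\s*$")


def parse_activation_key(output: str) -> dict:
    """Return {'serial', 'tier', 'features': {name: value}} for one unit."""
    info: dict = {"serial": None, "tier": None, "features": {}}
    in_features = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Serial Number:"):
            info["serial"] = line.split(":", 1)[1].strip()
        elif FEATURES_HEADER in line:
            # 'in' rather than startswith: pasted output sometimes fuses the
            # header onto the activation-key line, as in the post above
            in_features = True
        elif (m := _TIER_RE.match(line)):
            info["tier"] = m.group("tier")
            in_features = False          # feature table is finished
        elif in_features and ":" in line:
            m = _FEATURE_RE.match(line)
            if m:
                info["features"][m.group("name")] = m.group("value")
    return info


def diff_licenses(a: dict, b: dict) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Features whose values differ between two parsed units (None = absent)."""
    fa, fb = a["features"], b["features"]
    return {n: (fa.get(n), fb.get(n))
            for n in sorted(set(fa) | set(fb)) if fa.get(n) != fb.get(n)}


def report(a_text: str, b_text: str) -> str:
    """Human-readable summary of the license comparison."""
    a, b = parse_activation_key(a_text), parse_activation_key(b_text)
    lines = [f"{a['serial']} ({a['tier']}) vs {b['serial']} ({b['tier']})"]
    diffs = diff_licenses(a, b)
    if not diffs:
        lines.append("  licensed features identical")
    for name, (va, vb) in diffs.items():
        lines.append(f"  {name}: {va} != {vb}")
    return "\n".join(lines)


# Sample input: the FW1 / FW2 outputs from the post (abridged header).
FW1_OUTPUT = """Serial Number: JMXyyyyyyyy
Running Permanent Activation Key: 0x0f19ee7b 0x2cf2fb8c 0x4ce23d7c 0xb0d4587c 0x013d09be
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5510 Security Plus license.
"""
# FW2 differs from FW1 only in the two AnyConnect lines.
FW2_OUTPUT = (FW1_OUTPUT
              .replace("JMXyyyyyyyy", "JMXxxxxxxx")
              .replace("AnyConnect Premium Peers : 2 ", "AnyConnect Premium Peers : 50 ")
              .replace("AnyConnect Essentials : Disabled", "AnyConnect Essentials : 250"))

if __name__ == "__main__":
    print(report(FW1_OUTPUT, FW2_OUTPUT))
```

Running it against the two outputs reports the same tier on both units and exactly two differing features, AnyConnect Premium Peers (2 vs 50) and AnyConnect Essentials (Disabled vs 250), which matches the seat-count suspicion in the post; the parser accepts pasted output where the "Licensed features" header is fused onto the activation-key line.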

Cisco ASA Compatibility Matrix

This is the very useful compatibility matrix for Cisco ASA, which covers ASA OS, ASDM, modules and memory kits for new and old boxes. I would add a licensing section to this Cisco doc, but that is just my opinion.

This document lists the Cisco ASA software and hardware compatibility and requirements.


ASA and ASDM Compatibility

This section lists ASA and ASDM compatibility for current and legacy ASA models.

References:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

Upgrade Cisco ASA 8.3

Upgrading the firmware on Cisco ASAs to a version above 8.3 is not an easy task because of the several dependencies involved: RAM, configs (ACLs, NATs), and the upgrade steps between versions.

Here are some links to review before performing the upgrade:

https://supportforums.cisco.com/docs/DOC-12690

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Training Configuring ASA and PIX Security Appliances

Training on how to configure Cisco ASA/PIX appliances

Migrating from PIX Security Appliance

Migrating from PIX 500 to ASA 5500

Firewall Services

Utilizing the Packet Tracer Feature on the Cisco ASA

Simplifying Access Control Policies on PIX 500 and ASA 5500

IPS Services

Intrusion Prevention Services in ASA 5500

VPN Services

Configuring The Easy VPN Hardware Client feature on the Cisco ASA 5505

Configuring the L2TP/IPSEC feature on the Cisco ASA

Using Cisco ASA 5500 Series SSL VPN for Clientless Access (WebVPN)

Using Cisco Secure Desktop to Provide Endpoint Security for SSL VPN

SSL VPN Client Access on ASA 5500

Using Citrix™ with SSL VPN Clientless Access on ASA 5500

VPN Clustering for ASA 5500

Anti-X Services

Cisco ASA 5500 Series Content Security and Control SSM (CSC-SSM): Installation, Setup and Activation

Configuring the ASA 5500 Series with the CSC-SSM

Monitoring the ASA 5500 Series CSC-SSM

Configuring the Base License Features of the CSC-SSM in the ASA 5500 Series

Configuring the Plus License Features of the CSC-SSM in the ASA 5500 Series

Policies

Modular Policy Framework on PIX 500 and ASA 5500

High Availability

Active/Active Failover for ASA 5500

Active/Standby Failover for ASA 5500

Voice Services

Securing VoIP applications using the enhanced features of the Cisco ASA

Basic Features Services

Configuring Basic Features on the Cisco ASA 5505