Top 20 Cisco ASA 5510 Firewall Questions & Answers

There isn't a set time. It is a good practice to turn it off long enough that the electricity can actually dissipate. It certainly won't hurt anything to leave it off for a minute before turning it back on. Even removing the power cord in between is ok.

Try to reset the device again and connect to a different power source.

Hi, Its simple, you have reboot with console connect, get into to ROM mode and change configuration registry so it will not load the saved configuration. Please refer Resetting the passwords on Cisco ASA 5510 Binary Royale Ltd for the step by step process

I know that iKeyMonitor can also block sites on iPhone/iPad/iPod now. http://ikeymonitor.com/

1. Load your Internet explorer
2. Click Tools
3. Click Internet Options
4. Click the Privacy tab
5. Under the Privacy window, Click Sites
6. Type in the site address that you want to Block and Click OK. Remember this technique only blocks on one site at a time. Parental control software will allow you to block multiple sites and categories.

And in the case of Mozila Firefox you have to download a addon(plugin) called 'Foxfilter' to block certain websites

ASA's log is usualy stored localy on ASA itself, so easiest way to export that log is to go with telnet/ssh/console on it, do a command : show logging and copy/paste output into a new file.
but beware - this log is really short and as soon as ASA is rebooted - it's gone.
you could set asa to log to a syslog server (free on linux/freebsd or for windows use KIWI app).
that way all ASA log output is stored on pc/server running your syslog server.

First you need to convert the configuration from 6.3 to 7.2 format: Follow this guide:
http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html
Then once you have it to 7.2 you can convert it to 8.3 Follow this guide: https://supportforums.cisco.com/docs/DOC-12690

nat (inside) access-list <ACLNAME>

Although I can't find anything specific about this, I am sure from experience that the access-list is applied to both interfaces because of the way that the firewall simply passes traffic through the interfaces, as they are not seen as a hop, nor do they have IP addresses allocated to them. If the access list has a source and destination, in theory it doesn't matter which way the packet travels it will still be seen and thus inspected on both interfaces.

I hope that this has been of some help, sorry I couldn't be 100% on the answer, but as I said, from experience I believe this is correct.

If you want any forther information, there is quite a lot of documentation on Ciscos site:
http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html
and something you might be particularly interested in is:
http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/config.html
This is the configuration guide for ASA5500 via ASDM.

Hope that this has been of some use to you :)

If you are trying to access it remotely (via telnet or SSH), you will need to enable management on the interface that you are access it on, and it is also advisable to tie an access list to it.

If you are trying to access it via http, you will need to switch on http management with something like: http 0.0.0.0 0.0.0.0 inside

hope that helps!

Here is the manual:
http://www.cisco.com/en/US/docs/security/asa/asa70/quick/guide/70_ASAqk.html

it checks,, 1, processor (micro), rams, programming, data, connection,,

chances are you need to flash the firmware..

remove the onboard battery leave it a few reinsert and try again..

All websites or specific ones?

If you want to block all web traffic, a straightforward rule preventing HTTP traffic (TCP port 80) as well as HTTPS (port 443) will block any and all web access.

If you just want to block specific sites, I'd recommend an access control list (ACL) configured to deny traffic to those specific site's IP addresses.

Here's a link to the RNG20 User Manual. Is this what you're looking for?

http://tv.manualsonline.com/mdownloads/b9ef7eb2-b8d6-4a69-9172-988c1e82aa3e.pdf

Best way to migrate is to take the configuration of the old PIX and TFTP it to a PC or other server for safe keeping.

Then boot up the ASA in a lab environment and TFTP the configuration to the new unit and reboot. There will be some commands that don't translate correctly, but you can compare the configurations to each other to make sure all the access lists and NAT statements get transferred across.

Keep in mind that the PIX and the ASA name their interfaces differently, so there may be errors when you transfer the configuration. You can edit the configuration offline with something like Notepad and change the names of the interfaces to have it work.

Good luck!

Your best bet is to place the ASA into 'transparent' mode, and letting the traffic pass through it and be inspected on the way through.

To do this you need to first do the following command:
firewall transparent

Once in transparent mode, the firewall will no longer look like a hop in the packets journey, and you can set rules to allow/disallow traffic using access lists on the inside and outside interfaces, plus you can perform packet inspections using policy-map and inspects.

Hope that helps!

No need to flatten the configuration and reconfigure:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1058131

Once you use this, you can reset the password to anything you want. Please keep in mind you have to physically power down the unit, connect a console, then power up. Then hit "Break" within your terminal program and follow the instructions. Pretty simple, actually.

Good luck!

Use the ping command to check the network or find whether the application server is reachable from your network. It can be a problem with the maximum segment size (MSS) for transient packets that traverse a router or PIX/ASA device, specifically TCP segments with the SYN bit set.

It sounds like you have not allowed ICMP (ping) through the firewall, and you may need to put an access list in to allow this.

nat pool limit being reached. enable extendable natting or create a many to one nat relationship