Cisco ASA - Popular Questions, Answers, Tips & Manuals

There isn't a set time. It is a good practice to turn it off long enough that the electricity can actually dissipate. It certainly won't hurt anything to leave it off for a minute before turning it back on. Even removing the power cord in between is ok.

Try to reset the device again and connect to a different power source.

Hi, Its simple, you have reboot with console connect, get into to ROM mode and change configuration registry so it will not load the saved configuration. Please refer Resetting the passwords on Cisco ASA 5510 Binary Royale Ltd for the step by step process

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/pppoe.html

I know that iKeyMonitor can also block sites on iPhone/iPad/iPod now. http://ikeymonitor.com/

this has been nicely explained here:http://www.computerfreetips.com/Cisco_router_tips/ASA-VPN-tunnel.html

HI, You shall do the same with MPF. Create a regex filter to identify the types of files you would like to block, e.g. 1 2 3 4 5 regex archive-type1 ".*\.([Zz][Ii][Pp]'[Tt][Aa][Rr]'[Tt][Gg][Zz]) HTTP/1.[01]" regex archive-type2 ".*\.([Tt][Aa][Rr].([Gg][Zz]'[Bb][Zz]2)'7[Zz]) HTTP/1.[01]" regex doc-type1 ".*\.([Dd][Oo][Cc]'[Xx][Ll][Ss]'([Pp]){2}[Tt]) HTTP/1.[01]" regex doc-type2 ".*\.([Pp][Dd][Ff]'[Oo][Dd][Tt]) HTTP/1.[01]" regex exe-type1 ".*\.([Ee][Xx][Ee]'[Vv][Bb][Ss]'[Vv][Bb][Aa]) HTTP/1.[01]" Create regex for Content-Type Application/* 1 2 regex application-header "application/*" regex content-type "Content-Type" Classify regex that matches the extension types class-map type regex match-any ext-types match regex doc-type1 match regex doc-type2 match regex archive-type2 match regex archive-type1 match regex exe-type1 Capture the http response that contains content-type and application/* header 2 class-map type inspect http match-all http-header-response match response header regex content-type regex application-header Capture http request packet that matches the class ext-types 1 2 class-map type inspect http match-all http-request match request uri regex class ext-types HTTP is the interesting traffic 1 2 3 4 access-list http-traffic extended permit tcp any any eq www access-list http-traffic extended permit tcp any any eq 8080 class-map http-traffic-class match access-list http-traffi Create policy to prevent download attempt via http request 1 2 3 4 5 6 7 policy-map type inspect http block-http-download parameters protocol-violation action drop-connection log class http-header-response drop-connection log class http-request reset log Apply policy on the interesting traffic 1 2 3 policy-map inside-http class http-traffic-class inspect http block-http-download Apply the policy onto interface to take effect 1 service-policy inside-http interface inside Hope this would help.

1. Load your Internet explorer
2. Click Tools
3. Click Internet Options
4. Click the Privacy tab
5. Under the Privacy window, Click Sites
6. Type in the site address that you want to Block and Click OK. Remember this technique only blocks on one site at a time. Parental control software will allow you to block multiple sites and categories.

And in the case of Mozila Firefox you have to download a addon(plugin) called 'Foxfilter' to block certain websites

You can not do content filtering with ASA firewalls with IOS. You will need to buy a content filtering solution, or sign up for a inexpensive content filtering with OpenDNS.org. This is a good content filtering basic system with white and black listing capability.

Good luck!

****

ASA's log is usualy stored localy on ASA itself, so easiest way to export that log is to go with telnet/ssh/console on it, do a command : show logging and copy/paste output into a new file.
but beware - this log is really short and as soon as ASA is rebooted - it's gone.
you could set asa to log to a syslog server (free on linux/freebsd or for windows use KIWI app).
that way all ASA log output is stored on pc/server running your syslog server.

First you need to convert the configuration from 6.3 to 7.2 format: Follow this guide:
http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html
Then once you have it to 7.2 you can convert it to 8.3 Follow this guide: https://supportforums.cisco.com/docs/DOC-12690

HI,

· Please check the whether the security level for DMZ and outside interface, If DMZ is high security level. Please do the NAT configuration
· If it's having the same security level. Please issue the command "same-security-traffic permit inter-interface "in the global config mode.

show ipsec stats
this command was introduced in code 7.0
it will show the active tunnels, the previous tunnels and several other stats of inbound and outbound packets.....
for example:- IPsec Global Statistics ----------------------- Active tunnels: 2 Previous tunnels: 9 Inbound Bytes: 4933013 Decompressed bytes: 4933013 Packets: 80348 Dropped packets: 0 Replay failures: 0 Authentications: 80348 Authentication failures: 0 Decryptions: 80348 Decryption failures: 0 Decapsulated fragments needing reassembly: 0 Outbound Bytes: 4441740 Uncompressed bytes: 4441740 Packets: 74029 Dropped packets: 0 Authentications: 74029 Authentication failures: 0 Encryptions: 74029 Encryption failures: 0 Fragmentation successes: 3 Pre-fragmentation successes:2 Post-fragmentation successes: 1 Fragmentation failures: 2 Pre-fragmentation failures:1 Post-fragmentation failures: 1 Fragments created: 10 PMTUs sent: 1 PMTUs recvd: 2 Protocol failures: 0 Missing SA failures: 0 System capacity failures: 0

Easiest way to is so issue the following command on the cli:
more system:/run
This will get any preshared keys you have in the config.

if it is really deleted from FLASH, you will need to connect to ASA with a console cable, start up TFTP server on your pc, and in TFTP copy your ASA image file (.bin - on your CD that you got with ASA) so that you can get it from pc to asa.
then use tftpdnld command to set all the parameters on asa and start the download of the file from your pc .... after it has been done - just reboot asa :)

Hi!

Unfortunately, it's not possible with your firewall model...
You will need at least an ASA 5510 with an CSC-SSM module to filter URLs.

You can use an external URL filtering device with that ASA like WebSense/SmartFilter... For more info look here.

In case of a problem or clarification, don't hesitate to post me a reply before rejecting my answer.
If you are satisfied, rate my solution with the "thumbs" or (even better) add a testimonial.

Best regards,
Pelu.

What version of software are you running? I have noticed issue with ssh on version 8.2(3) and below.

You can try to remove all ssh access and then add it back. Also you can try zeroizing and regenerating the crypto key.

nat (inside) access-list <ACLNAME>