Cisco ASA Upgrade Path and Memory Requirements

29. September 2015 Cisco ASA 4,864
See the following table for the upgrade path for your version. Some versions require an interim upgrade before you can upgrade to the latest version. Current ASA Version First Upgrade to: Then Upgrade to: 8.2(x) and earlier 8.4(6) 9.2(1) or later 8.3(x) 8.4(6) 9.2(1) or later 8.4(1) through 8.4(4) 8.4(6), 9.0(4), or 9.1(2) 9.2(1) or ...

Configuring Cisco ASA SSL Ciphers

28. September 2015 Cisco ASA 2,795
A few of my clients get audited for compliance. The ASAs seem to get reported for having faulty or insecure SSL ciphers. My first thought was to keep the OS updated. Although that helps with the audits, they were still getting flagged for having lower ciphers open. To protect against SSL vulnerabilities it is ...

Cisco AnyConnect error: The file ‘Manifest Tool.exe’ is not marked for installation

28. September 2015 Cisco ASA 4,655
The error: “The file ‘Manifest Tool.exe’ is not marked for installation” occurs during installation of Cisco AnyConnect. Usually, this is the result of a failed upgrade. Steps for solution: First, uninstall any versions of Cisco AnyConnect that are currently installed. Then edit the registry key: Click Start and type “regedit” in the box. A dialogue box ...

Upgrade an Active/Standby Failover Configuration

12. April 2015 Cisco ASA 2,668
This information is based on a CLI upgrade procedure. Complete these steps in order to upgrade two units in an Active/Standby failover configuration: Download the new software to both units, and specify the new image to load with the boot system command. Reload the standby unit to boot the new image by entering the failover ...

Cisco ASA 9.x Capture

09. December 2014 Cisco ASA 2,941
Running the capture command on the new ASA IOS is a little different from the 8.2 code. Older 8.2 code: access-list CAP permit ip host 10.1.0.2 any access-list CAP permit ip any host 10.1.0.2 capture CAP access-list CAP interface inside Newer 9.x code: access-list CAP permit ip host 10.1.0.2 any access-list CAP permit ip any4 ...

Policy NAT through L2L VPN Tunnel

11. September 2014 Cisco ASA 2,208
I’ve come across a few times where we had to NAT our subnet over to another company when building a LAN-2-LAN VPN because it may overlap with their subnet or another site they have a VPN tunnel to. In any case, here’s a simple method to NAT your subnet to them. There’s some VPN configuration ...

NONAT issues on a L2L VPN Tunnel with 9.1+

11. February 2014 Cisco ASA 2,357
Today I just have to vent a little. I spent the last hour troubleshooting a simple L2L VPN ASA configuration between a 5510 & a new 5505. Upgraded the IOS to 9.1.4 on the 5505 along with the ASDM to the latest for the customer’s sake. Forgot the main ingredient for NO NAT to work through ...

LDAP Authentication from ASA to Active Directory with VPN Group for AnyConnect or Cisco VPN Client

10. February 2014 Cisco ASA 1
Configure LDAP authentication instead of using RADIUS. Using LDAP eliminates the issue of configuring IAS and/or RADIUS on the server. It generally doesn’t require any additional server modifications unless you have your server locked down tight. In this example we created a group in the root of the Active Directory domain called VPNUsers and users in ...

Simple Cisco ASA NAT 8.3+

30. January 2014 Cisco ASA 2,257
Since Cisco ASA 8.3+ IOS, NAT has changed compared to earlier versions. Here’s a quick tidbit to permit the inside subnet out to the Internet. In this scenario, our LAN subnet is 172.16.1.0/24: object-group network Local_LAN network-object 172.16.1.0 255.255.255.0 nat (inside,outside) source dynamic Local_LAN interface In the above example, the NAT calls for the object-group we ...

ASA PAT Redirect Different Port Numbers back inside

22. January 2014 Cisco ASA 4,752
This covers Cisco ASA versions 8.3+, 8.4+, 9.0+, 9.1+, and any others past the 8.3+ chain. Only have one usable public IP? You can share it for inbound access using different port numbers. In this example, you want to RDP to two servers in your office, but you can’t share the same TCP port and ...