ASA5505 – ‘This Licence Does Not Allow Configuring Of More Than 2 Interfaces’

KB ID 0001367

Problem

When attempting to bring up a ‘3rd VLAN’ on an ASA 5505 firewall you see an error like this;

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# int vlan 3
Petes-ASA(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
Petes-ASA(config-if)#

[/box]

Or if you work in the ASDM;

Or on much older versions;

 

Solution

This is because of a ‘licence limitation’. The Base licence on an ASA 5505 firewall lets you have three VLANs, BUT the 3rd VLAN is restricted (it can only be accessed from OUTSIDE), which is why the licence calls it ‘DMZ Restricted’. It was designed for that very reason, to let you host a DMZ. You can see that by simply issuing a ‘show version’ command;

[box]

Petes-ASA(config)# show version
——Output removed for the sake of brevity——

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                     : 3, DMZ Restricted
Inside Hosts                 : 50
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

——Output removed for the sake of brevity——

[/box]

Or in the ASDM > Home > Licence.

So if you need more VLANS, and you don’t simply want a DMZ, then you are going to need to upgrade the licence. But if you do need  a DMZ read on….

At command line you simply need to tell the new interface (VLAN) which interface it is BLOCKED FROM FORWARDING TO, (i.e. the inside VLAN, which is usually VLAN 1).

[box]

Petes-ASA(config)# interface vlan 3
Petes-ASA(config-if)# no forward interface vlan 1
Petes-ASA(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
Petes-ASA(config-if)# no shutdown
Petes-ASA(config-if)# ip address 192.168.100.254 255.255.255.0
Petes-ASA(config-if)# interface ethernet 0/3
Petes-ASA(config-if)# switchport access vlan 3
Petes-ASA(config-if)# no shut

[/box]

Note: Above I’m allocating VLAN 3 to the physical interface labelled 3 on the firewall.
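One way to audit a 5505 for this restriction before the firewall does it for you, as an added example (my own code, not the article's or Cisco's): it parses the ‘VLANs’ line out of ‘show version’ and the ‘interface vlan’ blocks out of the running config, then reports when all three VLANs carry a nameif but none carries a ‘no forward interface’ line. Both inputs are constructed samples modelled on the output above, and the exact layout of the interface blocks is my assumption.

```python
"""Check an ASA 5505 config against the Base licence's 'DMZ Restricted' rule.

Added example, not code from the original article. It assumes (my assumptions)
that the licence line looks exactly like the 'VLANs : 3, DMZ Restricted' line
in the 'show version' output above, and that the running config lists VLAN
interfaces as 'interface vlan N' blocks followed by indented sub-commands.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample 'show version' fragment, modelled on the article's output.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                     : 3, DMZ Restricted
Inside Hosts                 : 50
"""

# Constructed running-config fragment that names a third VLAN without the
# 'no forward interface' line; this is what produces the licence error.
CONFIG_BROKEN = """\
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
interface vlan 2
 nameif outside
 security-level 0
 ip address dhcp
interface vlan 3
 nameif DMZ
 security-level 0
 ip address 192.168.100.254 255.255.255.0
"""

# The same config with the article's fix applied to VLAN 3.
CONFIG_FIXED = CONFIG_BROKEN.replace(
    "interface vlan 3\n nameif DMZ",
    "interface vlan 3\n no forward interface vlan 1\n nameif DMZ",
)


@dataclass
class VlanLicence:
    max_vlans: int
    dmz_restricted: bool


@dataclass
class VlanInterface:
    number: int
    nameif: Optional[str] = None
    no_forward_to: List[int] = field(default_factory=list)


def parse_vlan_licence(show_version: str) -> VlanLicence:
    """Pull the VLAN count and the 'DMZ Restricted' flag out of 'show version'."""
    m = re.search(r"^VLANs\s*:\s*(\d+)(,\s*DMZ Restricted)?", show_version, re.M)
    if not m:
        raise ValueError("no VLANs line found in licence output")
    return VlanLicence(int(m.group(1)), m.group(2) is not None)


def parse_vlan_interfaces(config: str) -> List[VlanInterface]:
    """Collect 'interface vlan N' blocks with their nameif and no-forward lines."""
    interfaces: List[VlanInterface] = []
    current: Optional[VlanInterface] = None
    for line in config.splitlines():
        header = re.match(r"interface vlan (\d+)", line)
        if header:
            current = VlanInterface(int(header.group(1)))
            interfaces.append(current)
        elif current is not None and line.startswith(" "):
            cmd = line.strip()
            fwd = re.match(r"no forward interface vlan (\d+)", cmd)
            if cmd.startswith("nameif "):
                current.nameif = cmd.split(None, 1)[1]
            elif fwd:
                current.no_forward_to.append(int(fwd.group(1)))
    return interfaces


def licence_violations(licence: VlanLicence, interfaces: List[VlanInterface]) -> List[str]:
    """Return the problems the ASA would complain about; empty means acceptable."""
    named = [i for i in interfaces if i.nameif]
    problems: List[str] = []
    if len(named) > licence.max_vlans:
        problems.append(f"{len(named)} named VLANs exceeds the licence limit of {licence.max_vlans}")
    elif licence.dmz_restricted and len(named) == licence.max_vlans:
        # Base licence: once all three VLANs carry a nameif, one of them must be
        # the restricted DMZ, i.e. carry 'no forward interface' towards another.
        if not any(i.no_forward_to for i in named):
            problems.append("DMZ Restricted licence: no VLAN has 'no forward interface' configured")
    return problems
```

Run `licence_violations(parse_vlan_licence(SHOW_VERSION), parse_vlan_interfaces(CONFIG_BROKEN))` and you get the one-line complaint; the same call on CONFIG_FIXED returns an empty list. A firewall with an upgraded (non-restricted) licence shows no ‘DMZ Restricted’ text, so the check simply never fires for it.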

In the ASDM, you need to do this on the ‘Advanced’ tab when creating the interface, like so;

 

Note: If you ever try to remove the block (without purchasing a licence) you will see this error;

Related Articles, References, Credits, or External Links

NA

BT Business Hub 3 – And Cisco ASA 5500

KB ID 0000762 

Problem

Warning: If your ASA is running version 8.3(4) or above you are going to have problems assigning public IP addresses from your allocated BT Range (jump to the bottom of the article for a resolution).

You have a pool of public IP addresses and you wish to allocate one of these IP addresses to your Cisco ASA Firewall. Note: This is for customers using BOTH ADSL and BT Infinity.

Solution

For this procedure I was running an ASA5505 (Unlimited) with version 8.4(5). You will need to know the public IP address range allocated to you by BT (and the IP allocated to the router/hub).

Allocating a Public IP address to an Internal Client with the BT Business Hub

1. Log into the router, (the password initially is on the pull out plastic tab on top of the router). Set the IP to the one allocated to the router by BT (from the IP range they have given you). Note: The router actually gets a different IP address externally, this is normal, don’t panic.

2. Apply > Wait for the changes to apply.

3. Under Business Network > Devices > You should see your device listed > Select it.

4. Assign the public IP as shown, you need to select the two radio buttons before the drop-down list of IP addresses will work > Apply.

5. Note: additionally, if you are installing a firewall you might want to disable the Business Hub’s internal firewall. Settings > Port Forwarding > Firewall > “Allow all traffic…” > Apply.

Problem with Cisco ASA (Now Resolved: See below)

My firewall (after a reload) picked up the correct IP address, but was unable to connect to the internet. My laptop (also connected to the BT Business Hub) connected fine to the internet (both with an allocated public address, and using the public address of the router). The ASA could not get out at all, nor could it ping the IP address of the Business Hub. The ASA showed as disconnected for a while, then disappeared from the ‘Devices’ tab, even though it continued to get the correct IP address leased to it from the Business Hub; this persisted after a reload of the firewall, so the hub COULD see it. I tried giving the ASA the correct IP address statically, and I also locked the speed and duplex of the ethernet interface (in case it was simply an auto-negotiation error); this did not resolve the problem. BT told me they had no record of anyone having the same problem, but that they would take a note in case it came up again. Luckily the client still had his old 2Wire router; as soon as I plugged that in everything worked fine.

 

Update 210414 (and resolution)

Got an email from Nate Morris this week, who had been working on this very problem. While debugging the ARP traffic he saw;

[box]

arp-in: request at external from 192.168.1.254 c0ac.54e4.d8d8 for 123.123.123.123 
0000.0000.0000 arp-in: Arp packet received from 192.168.1.254 which is in different subnet 
than the connected interface 123.123.123.123/255.255.255.248 

[/box]

This pointed to a known problem with the Cisco ASA, introduced in version 8.3(4). Cisco identified this as bug CSCty95468 (Cisco CCO login required to view). To resolve this problem you need to allow the ASA to populate its ARP table from a non-connected subnet; to do this, issue the arp permit-nonconnected command.

[box]

User Access Verification Password: 
Type help or '?' for a list of available commands. 
Petes-ASA> enable 
Password: ******** 
Petes-ASA# configure terminal 
Petes-ASA(config)# arp permit-nonconnected 
Petes-ASA(config)# exit 
Petes-ASA# write mem 
Building configuration...
Cryptochecksum: 28790e0e 91da681e 7cf92e8a 85efb7ea
9449 bytes copied in 1.310 secs (9449 bytes/sec)
[OK]
Petes-ASA# 

[/box]
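The check the ASA is making when it logs that ‘different subnet’ line is easy to reproduce offline. The following is an added example (my own code, not Nate's, the article's or Cisco's): it parses constructed ‘debug arp’ lines modelled on the ones quoted above, tests each sender against the interface's connected subnet (the article's 123.123.123.123/255.255.255.248), and shows which requests are dropped without arp permit-nonconnected and kept with it. The line formats and the third, on-subnet request are my assumptions.

```python
"""Reproduce the ASA's connected-subnet check on 'debug arp' output.

Added example, not code from the original article. My assumptions: the two
line formats below follow the debug lines quoted in the article; the interface
address 123.123.123.123/255.255.255.248 and the hub address 192.168.1.254 are
the article's example values; the third line is a constructed on-subnet peer.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample, modelled on the debug output quoted in the article.
DEBUG_ARP = """\
arp-in: request at external from 192.168.1.254 c0ac.54e4.d8d8 for 123.123.123.123 0000.0000.0000
arp-in: Arp packet received from 192.168.1.254 which is in different subnet than the connected interface 123.123.123.123/255.255.255.248
arp-in: request at external from 123.123.123.122 0011.2233.4455 for 123.123.123.123 0000.0000.0000
"""

REQUEST_RE = re.compile(
    r"arp-in: request at (?P<ifname>\S+) from (?P<sender>[\d.]+) "
    r"(?P<mac>[0-9a-f.]+) for (?P<target>[\d.]+)"
)


def parse_arp_requests(debug_output: str) -> List[Dict[str, str]]:
    """Return one dict per 'arp-in: request' line; other debug lines are ignored."""
    requests = []
    for line in debug_output.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            requests.append(m.groupdict())
    return requests


def classify_arp(requests: List[Dict[str, str]], interface_cidr: str,
                 permit_nonconnected: bool = False) -> List[Dict[str, object]]:
    """Mark each request as on/off the connected subnet and whether the ASA keeps it.

    Without 'arp permit-nonconnected' the ASA ignores ARP from senders outside
    the interface's subnet, which is exactly the hub's 192.168.1.254 here.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    results: List[Dict[str, object]] = []
    for req in requests:
        sender = ipaddress.ip_address(req["sender"])
        connected = sender in iface.network
        results.append({**req, "connected": connected,
                        "accepted": connected or permit_nonconnected})
    return results


def needs_permit_nonconnected(results: List[Dict[str, object]]) -> bool:
    """True when at least one ARP sender was dropped for being off-subnet."""
    return any(not r["accepted"] for r in results)
```

Feed it the real debug output and `needs_permit_nonconnected` tells you whether the hub's ARP is being discarded. Note the trade-off the command makes: arp permit-nonconnected accepts ARP from any subnet on that interface, so it belongs only on an interface where the upstream device genuinely sits off-subnet, as the Business Hub does here.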

Update 260213

Got an email from Andrew Joubert to say that he had the same problem, and he was using the BT Business Hub via BT Infinity, not ADSL.

Related Articles, References, Credits, or External Links

Original Article Written 26/02/13

Credit to: Nate Morris, for finding the resolution to the original problem.

Special thanks to Steve at BT, who rang me back on my mobile so I didn’t have to wait in a queue, and then followed up afterwards to see what the outcome was; if I knew his surname I would publish it! He did a grand job, and does not get paid enough!

Also thanks to Chris at BT who pitched in and did as much as he could.

Cisco Firewalls Changing the Web Management Port

Cisco 5500 Changing the ASDM Port
Unable to Port Forward HTTPS

KB ID 0000268

Problem

You want to change the port that the Cisco ASDM runs over, or you are attempting to port forward https/ssl and see the following error:

Error:
ERROR: unable to reserve port 443 for static PAT
ERROR: unable to download policy

You are trying to port forward (Create a static PAT entry) on a Cisco ASA for port 443 / https. This port is in use by the ASDM.

Solution

Change the Cisco ASA ASDM Port via Command Line

Connect to the ASA via command line. (In the following example I’ll change the ASDM to use TCP port 2456.) The commands are the same two shown in the VMware View article further down this page, with the new port substituted;

[box]

no http server enable
http server enable 2456

[/box]

Change the Cisco ASA ASDM Port via ASDM

1. Connect to the Cisco ASDM > Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > HTTP Settings > Port Number > Change accordingly > Apply.

2. Save the new config > File > “Save Running Configuration to flash”.

Cisco PIX (Version 6) Firewalls – Disable Web Management

If you are stuck on version 6, i.e. you are running a PIX 506E or PIX 501, then you CANNOT change the PDM port. Your only option is to disable the PDM if you want to port forward https / ssl / TCP Port 443.

 

Related Articles, References, Credits, or External Links

Cisco ASA – Allow Remote Management

Original Article Written 25/03/11

Configure Cisco EasyVPN With Cisco ASA 5500

KB ID 0000337

Problem

Site to site VPN’s are great for main office to branch office connections, but for remote workers in a SOHO environment obtaining a static IP address can be expensive and time consuming. Traditionally remote workers will use either AnyConnect or IPSEC Remote VPN’s.

However Cisco have a system which lets you have a main site (or sites), with a static IP, that acts as the EasyVPN server; remote sites with dynamic DHCP IP addresses can then authenticate and connect via a hardware device. That remote hardware device can be another ASA (Note: Only the ASA5505 can be used as an EasyVPN client), or a Cisco IOS router. In addition, if you have any old PIX 501 or 506E firewalls lying around they can also be used as EasyVPN clients.

Solution

Step 1 Setup the EasyVPN server at the main site. (Example on ASA5510)

Step 2 Setup the EasyVPN client at the remote site. (Example on ASA5505)

Before you start – No other VPN’s can be running from this remote device, i.e. ISAKMP cannot be enabled on its outside interface.

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Java RDP Error – Connection Exception Wrong modulus size! Expected64 +8got:264

KB ID 0000452

Problem

Seen while attempting to connect to a Windows machine via the RDP plug-in on a Cisco ASA firewall.

Error:
properJavaRDP error
Connection Exception Wrong modulus size! Expected64 +8got:264

Solution

1. I’ve seen some posts indicating that this can be caused by the version of Java that’s installed, however in my case that was NOT the problem.

2. Connect to the ASDM of the ASA firewall > Configuration > Clientless SSL VPN Access > Portal > Client Server Plug-ins. Ensure your RDP plug in is up to date, download and import the latest one (Cisco CCO account and valid support agreement required).

Note: At time of writing the latest is rdp2-plugin.090211.jar (released 14/08/09).

3. Ensure that the bookmark you are using is set to use rdp2 (not rdp). Under Portal > Bookmarks > Your bookmark list > Edit.

4. Your RDP session should now connect.

 

Related Articles, References, Credits, or External Links

NA

 

Allow access to VMware View through Cisco ASA 5500

KB ID 0000545 

Problem

To access VMware View though a firewall you need the following ports to be open;

In the following example I’m using 192.168.1.100 as the internal IP address of the View Server and the public IP address of the firewall is 123.123.123.123.

Which solution you use depends on whether you are allowing access via a dedicated public IP that you will assign to the VMware View server, or, if you do not have a spare public IP, you will need to use port forwarding.

Option 1 – You have a public IP that you want to assign to the VMware View Server

Option 2 – You want to use Port Forwarding (And your ASA is pre version 8.3)

Option 3 – You want to use Port Forwarding (And your ASA is version 8.3 or newer)

Solution

Option 1 – You have a public IP that you want to assign to the VMware View Server

As I’m using 123.123.123.123 on the outside of my ASA I’m going to use another public IP address for the VMware View server (123.123.123.124) and I will statically map that to its internal IP address. Then I allow the ports to that IP address, and finally apply the access-list (ACL) that I’ve used to the outside interface (where the VMware View traffic will be coming from).

Warning: The last command (starting access-group) applies the access-list ‘inbound’ in the inbound direction on the outside interface. You may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you); if you do have another ACL, simply substitute its name for the word inbound in my example below.

[box]

static (inside,outside) 123.123.123.124 192.168.1.100 netmask 255.255.255.255
access-list inbound extended permit tcp any host 123.123.123.124 eq www
access-list inbound extended permit tcp any host 123.123.123.124 eq https
access-list inbound extended permit tcp any host 123.123.123.124 eq 4172
access-list inbound extended permit udp any host 123.123.123.124 eq 4172
access-group inbound in interface outside
[/box]

Option 2 – You want to use Port Forwarding (And your ASA is pre version 8.3)

Below I’m creating a static PAT entry for all the ports required, then allowing the traffic with an access-list, and finally applying the access-list (ACL) that I’ve used to the outside interface (where the VMware View traffic will be coming from)

Warning: The last command (starting access-group) applies the access-list ‘inbound’ in the inbound direction on the outside interface. You may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you); if you do have another ACL, simply substitute its name for the word inbound in my example below.

Note: If you port forward https on the outside interface, as I’m doing here, you will not be able to access the ASDM from outside – unless you put it on another port. The following two commands would change the ASDM to port 2345 for example:

[box]

no http server enable
http server enable 2345

[/box]

[box]

static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255
static (inside,outside) tcp interface 4172 192.168.1.100 4172 netmask 255.255.255.255
static (inside,outside) udp interface 4172 192.168.1.100 4172 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 4172
access-list inbound permit udp any interface outside eq 4172
access-group inbound in interface outside
[/box]

Option 3 – You want to use Port Forwarding (And your ASA is version 8.3 or newer)

Below I’m creating a network object for all the ports required and statically NATTING the ports required to them, then I’m allowing the traffic to reach that network object, and finally applying the access-list (ACL) that I’ve used to the outside interface (where the VMware View traffic will be coming from)

Warning: The last command (starting access-group) applies the access-list ‘inbound’ in the inbound direction on the outside interface. You may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you); if you do have another ACL, simply substitute its name for the word inbound in my example below.

Note: If you port forward https on the outside interface, as I’m doing here, you will not be able to access the ASDM from outside – unless you put it on another port: The following two commands would change the ASDM to port 2345 for example:

[box]

no http server enable
http server enable 2345

[/box]

[box]

object network VMWare-View-T80
host 192.168.1.100
nat (inside,outside) static interface service tcp www www
object network VMWare-View-T443
host 192.168.1.100
nat (inside,outside) static interface service tcp https https
object network VMWare-View-T4172
host 192.168.1.100
nat (inside,outside) static interface service tcp 4172 4172
object network VMWare-View-U4172
host 192.168.1.100
nat (inside,outside) static interface service udp 4172 4172
access-list inbound permit tcp any object VMWare-View-T80 eq www
access-list inbound permit tcp any object VMWare-View-T443 eq https
access-list inbound permit tcp any object VMWare-View-T4172 eq 4172
access-list inbound permit udp any object VMWare-View-U4172 eq 4172
access-group inbound in interface outside
[/box]
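Because the two port-forwarding options above differ only in NAT syntax, one script can check either of them. The following is an added example (my own code, not the article's or Cisco's): it reads an ASA config fragment, collects the ports the ‘inbound’ ACL permits and the ports the outside interface is PAT-forwarding (both the pre-8.3 ‘static’ and the 8.3+ ‘nat … service’ forms), reports which of the four VMware View ports are still missing, and flags the ASDM-on-443 clash from the note above. The two config samples are constructed, modelled on Options 2 and 3; the ACL name, the www/https port names and the ASDM default of 443 are my assumptions.

```python
"""Audit an ASA config fragment for VMware View access and the ASDM port clash.

Added example, not code from the original article. My assumptions: the ACL is
named 'inbound' as in the article; port names www/https map to 80/443 as on the
ASA; 'http server enable' with no port means the ASDM default of 443; the
required set is the article's TCP 80, 443, 4172 and UDP 4172.
"""
import re
from typing import Dict, Optional, Set, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
REQUIRED_VIEW_PORTS: Set[Tuple[str, int]] = {
    ("tcp", 80), ("tcp", 443), ("tcp", 4172), ("udp", 4172)}

# Constructed pre-8.3 sample, modelled on Option 2, but missing the UDP 4172
# entries and leaving the ASDM on its default port.
CONFIG_PRE83 = """\
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255
static (inside,outside) tcp interface 4172 192.168.1.100 4172 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 4172
access-group inbound in interface outside
http server enable
"""

# Constructed 8.3+ sample, modelled on Option 3, with the ASDM moved to 2345.
CONFIG_POST83 = """\
object network VMWare-View-T80
 host 192.168.1.100
 nat (inside,outside) static interface service tcp www www
object network VMWare-View-T443
 host 192.168.1.100
 nat (inside,outside) static interface service tcp https https
object network VMWare-View-T4172
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 4172 4172
object network VMWare-View-U4172
 host 192.168.1.100
 nat (inside,outside) static interface service udp 4172 4172
access-list inbound permit tcp any object VMWare-View-T80 eq www
access-list inbound permit tcp any object VMWare-View-T443 eq https
access-list inbound permit tcp any object VMWare-View-T4172 eq 4172
access-list inbound permit udp any object VMWare-View-U4172 eq 4172
access-group inbound in interface outside
http server enable 2345
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) .* eq (\S+)$")
STATIC_PRE83_RE = re.compile(r"^static \(\S+,\S+\) (tcp|udp) interface (\S+) ")
NAT_POST83_RE = re.compile(r"^nat \(\S+,\S+\) static interface service (tcp|udp) \S+ (\S+)$")
HTTP_RE = re.compile(r"^http server enable(?: (\d+))?$")


def port_number(token: str) -> int:
    """Resolve a port keyword or number the way the ASA CLI does."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def permitted_ports(config: str, acl_name: str = "inbound") -> Set[Tuple[str, int]]:
    """Ports the named ACL permits, as (protocol, port) pairs."""
    ports = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            ports.add((m.group(2), port_number(m.group(3))))
    return ports


def forwarded_ports(config: str) -> Set[Tuple[str, int]]:
    """Ports the outside interface address is PAT-forwarding, in either syntax."""
    ports = set()
    for line in config.splitlines():
        m = STATIC_PRE83_RE.match(line.strip()) or NAT_POST83_RE.match(line.strip())
        if m:
            ports.add((m.group(1), port_number(m.group(2))))
    return ports


def asdm_port(config: str) -> Optional[int]:
    """Port the HTTPS/ASDM server listens on, None if it is not enabled."""
    port = None
    for line in config.splitlines():
        m = HTTP_RE.match(line.strip())
        if m:
            port = int(m.group(1)) if m.group(1) else 443
    return port


def audit_view_access(config: str) -> Dict[str, object]:
    """Report missing View ports and whether a PAT entry collides with the ASDM."""
    allowed, forwarded, asdm = permitted_ports(config), forwarded_ports(config), asdm_port(config)
    return {
        "missing": REQUIRED_VIEW_PORTS - (allowed & forwarded),
        "asdm_port": asdm,
        "asdm_clash": asdm is not None and ("tcp", asdm) in forwarded,
    }
```

A port counts as open only when it is both permitted by the ACL and actually forwarded, which catches the common mistake of adding one line but not the other. On the pre-8.3 sample the audit reports UDP 4172 missing and the ASDM clash on 443; on the 8.3+ sample it reports nothing missing and no clash.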

Related Articles, References, Credits, or External Links

Cisco PIX / ASA Port Forwarding Using Command Line, ASDM and PDM

ASA – Memory Error (Post upgrade to version 8.3)

KB ID 0000553 

Problem

I’ve split this article away from this one, as it tripped me up this week again, so I think it deserves an article of its own.

Some ASA firewalls that shipped prior to February 2010 may need a hardware memory upgrade, before you can update them to version 8.3 and beyond. If not you will see the following;

Memory Error as seen on an ASA5510

[box]

*************************************************************
**
** *** WARNING *** WARNING *** WARNING *** WARNING ***
**
** ----> Minimum Memory Requirements NOT Met! <---- **
**
** Installed RAM: 256 MB **
** Required RAM: 1024 MB **
** Upgrade part#: ASA5510-MEM-1GB= **
** **
** This ASA does not meet the minimum memory requirements needed to **
** run this image. Please install additional memory (part number **
** listed above) or downgrade to ASA version 8.2 or earlier. **
** Continuing to run without a memory upgrade is unsupported, and **
** critical system features will not function properly. **
** **
**************************************************************

[/box]

Memory Error as seen on an ASA5505

[box]

**************************************************************
** **
** *** WARNING *** WARNING *** WARNING *** WARNING ***
** **
** ----> Minimum Memory Requirements NOT Met! <---- **
** **
** Installed RAM: 256 MB **
** Required RAM: 512 MB **
** Upgrade part#: ASA5505-MEM-512= **
** **
** This ASA does not meet the minimum memory requirements needed to **
** run this image. Please install additional memory (part number **
** listed above) or downgrade to ASA version 8.2 or earlier. **
** Continuing to run without a memory upgrade is unsupported, and **
** critical system features will not function properly. **
** **
***************************************************************

[/box]

ASDM Memory Error as seen on an ASA5505

Solution

ASA Memory Requirements

ASA 5500 Memory Requirements for version 8.3 and Later

Cisco ASA        Mem (Pre 8.3)   Mem (Post 8.3)   New ASA (after Feb 2010) shipped with   Memory Part Number
5505 10 User     256MB           256MB            512MB                                   n/a
5505 50 User     256MB           256MB            512MB                                   n/a
5505 Unlimited   256MB           512MB            512MB                                   ASA5505-MEM-512=
5505 Sec Plus    256MB           512MB            512MB                                   ASA5505-MEM-512=
5510             256MB           1GB              1GB                                     ASA5510-MEM-1GB=
5510 Sec Plus    256MB           1GB              1GB                                     ASA5510-MEM-1GB=
5520             512MB           2GB              2GB                                     ASA5520-MEM-2GB=
5540             1GB             2GB              2GB                                     ASA5540-MEM-2GB=
5550             4GB             4GB              4GB                                     n/a
5580-20          8GB             8GB              8GB                                     n/a
5580-40          12GB            12GB             12GB                                    n/a

Fitting the Memory Upgrade to an ASA5505

Fitting the Memory Upgrade to an ASA5510

Related Articles, References, Credits, or External Links

Cisco ASA5500 Update System and ASDM (From ASDM)

Cisco ASA5500 Update System and ASDM (From CLI)

Cisco PIX/ASA 8.3 Command Changes {NAT / Global / Access-List}

Cisco ASA 5500 – Reset / Recycle VPN Tunnels

KB ID 0000586 

Problem

I’ve been asked this before and it came up on EE today, basically you have a site to site VPN tunnel and you either want to restart it or reset it.

Solution

Cisco ASA Reset ALL VPN Tunnels

1. Connect to your ASA, then to reset ALL your ISAKMP VPN tunnels use the following command;

[box] clear crypto isakmp sa [/box]

In the example below I’ve reset ALL my tunnels. I had a constant ping running across the VPN, and it only dropped one packet before the tunnel established again.

WARNING: This will reset ALL ISAKMP VPN tunnels (both site to site, and client to gateway).

Cisco ASA Reset One VPN Tunnel

1. If you just want to reset one site to site VPN then you need to reset the IPSEC SA to the peer (IP Address of the other end of the tunnel). Use the following command;

[box] clear ipsec sa peer X.X.X.X [/box]

Unlike above, in the example below I’ve reset just ONE tunnel. I had a constant ping running across the VPN, and it only dropped one packet before the tunnel established again.

Cisco ASA Check VPN Uptime

Just to prove this isn’t all smoke and mirrors, after the tunnel has re-connected you can check its uptime with the following command;

[box] show vpn-sessiondb detail l2l [/box]

 

Related Articles, References, Credits, or External Links

Cisco ASA5500 Site to Site VPN from ASDM

 

IP Address Conflicts with VMware ESX and Cisco ASA

KB ID 0000635

Problem

My colleague was setting up a DMZ server for one of our clients, it was a virtual server that was presented to the DMZ of a Cisco ASA 5510. Every time he gave it a static IP address it popped up an IP address conflict (no matter what the IP address was).

Windows has detected an IP address conflict
Another computer on this network has the same IP address as this computer. Contact your network administrator for help resolving this issue. More details are available in the Windows event log.

He asked me to set up DHCP for the DMZ to see if that would cure the problem, which I did. However, that refused to work either.

Windows IP Configuration
An error occurred while renewing interface Local Area Connection : The DHCP client has obtained an IP address that is already in use on the network. The local interface will be disabled until the DHCP client can obtain a new address.
An error occurred while releasing interface. Loopback Pseudo-Interface 1 : The system cannot find the file specified.

Solution

Turns out this is a known problem, and is pretty easy to rectify.

Option 1 (On the ASA)

1. Connect to the ASA via command line, log in and then go to enable mode

[box]

Password:******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********

[/box]

2. Enter configure terminal mode then disable proxy ARP on the interface that’s presented to the problem network, (in this case the interface is called DMZ).

[box]

PetesASA# configure terminal
PetesASA(config)# sysopt noproxyarp DMZ

[/box]

3. Save the changes.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Note: You can also disable proxy ARP in the NAT translation, with the no-proxy-arp keyword, like so;

[box]

PetesASA(config)# nat (inside,DMZ) source static Inside-LAN Inside-LAN destination static Inside-LAN Inside-LAN no-proxy-arp

[/box]

Option 2 (On the affected machine)

Note: This is for Windows based clients.

1. Start > Run > regedit {Enter}.

2. Navigate to;

[box]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

[/box]

3. Create a new DWORD value called ‘ArpRetryCount’ and set its value to 0 (Zero).

4. Reboot.
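Why both fixes work becomes clear once you model the exchange. The following is an added example (my own code, not the article's, Cisco's or Microsoft's): a small simulation in which a Windows host performs duplicate-address detection by ARP-probing the address it is about to use, and an ASA interface with proxy ARP enabled answers that probe because a NAT rule maps onto the interface, so every candidate address looks taken. Option 1 (sysopt noproxyarp, or no-proxy-arp on the NAT rule) silences the ASA's reply; Option 2 (ArpRetryCount = 0) stops the host probing in the first place. The probe model, the broad NAT rule covering the DMZ subnet and the 192.168.100.0/24 addresses are my constructed assumptions.

```python
"""Model of the proxy-ARP address-conflict problem and the article's two fixes.

Added example, not code from the original article. My modelling assumptions:
Windows duplicate-address detection is 'send an ARP probe for the candidate
address ArpRetryCount times, and treat any reply as a conflict'; with proxy ARP
on, the ASA answers ARP requests on an interface for any address a NAT rule
maps onto that interface; the NAT rule here is constructed to be broad enough
to cover the whole DMZ subnet (192.168.100.0/24 is a constructed value).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class AsaInterface:
    nameif: str
    proxy_arp: bool = True                        # 'sysopt noproxyarp <nameif>' turns this off
    nat_mapped: List[ipaddress.IPv4Network] = field(default_factory=list)
    nat_no_proxy_arp: bool = False                # 'no-proxy-arp' keyword on the NAT rule

    def answers_arp_for(self, target: ipaddress.IPv4Address) -> bool:
        """Would this interface reply to an ARP request for 'target'?"""
        if not self.proxy_arp or self.nat_no_proxy_arp:
            return False
        return any(target in net for net in self.nat_mapped)


@dataclass
class WindowsHost:
    arp_retry_count: int = 3                      # registry ArpRetryCount; 0 disables the probe

    def detects_conflict(self, candidate: str, neighbours: List[AsaInterface]) -> bool:
        """Duplicate-address detection: probe the candidate, any reply means conflict."""
        target = ipaddress.ip_address(candidate)
        for _ in range(self.arp_retry_count):
            if any(n.answers_arp_for(target) for n in neighbours):
                return True
        return False


def dmz_interface(proxy_arp: bool = True, nat_no_proxy_arp: bool = False) -> AsaInterface:
    """Constructed DMZ interface with a NAT rule whose mapped range covers the DMZ."""
    return AsaInterface("DMZ", proxy_arp=proxy_arp,
                        nat_mapped=[ipaddress.ip_network("192.168.100.0/24")],
                        nat_no_proxy_arp=nat_no_proxy_arp)


def conflict_reported(proxy_arp: bool = True, nat_no_proxy_arp: bool = False,
                      arp_retry_count: int = 3, candidate: str = "192.168.100.10") -> bool:
    """Run one scenario: does the DMZ server see 'IP address conflict'?"""
    host = WindowsHost(arp_retry_count)
    return host.detects_conflict(candidate, [dmz_interface(proxy_arp, nat_no_proxy_arp)])
```

`conflict_reported()` with the defaults is the article's symptom (any address in the subnet conflicts); each of `proxy_arp=False`, `nat_no_proxy_arp=True` and `arp_retry_count=0` clears it. The model also shows the difference between the two options: the ASA-side fixes remove the false reply for everyone on that segment, whereas the registry fix only stops that one host from checking, so a genuine duplicate would go undetected on it.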

Related Articles, References, Credits, or External Links

NA