Cisco ASA – Changing the Outside IP Address

KB ID 0001081 

Problem

I see this question get asked a lot on forums, most people never touch the firewall, ‘if it’s working leave it alone’. And that’s great until you move offices, or get a newer faster (or cheaper) Internet connection.

What if you have lots of public IP addresses? What if you have VPN’s (or AnyConnect clients). What’s the best way to do this with a minimum of downtime?

Note: If you get your all your outside IP details via DHCP, and no one speaks you you from outside (i.e. The ISP always reserves and issues the same IP details to you because you have a mail server or have VPN connections etc). Then you can probably simply plug into the new Router/Modem/Socket and reboot the ASA.

Solution

Time spent on reconnaissance is seldom wasted.

OK lets not run to the comms rack with a laptop and get stuck into the problem, get all your ducks in a row first.

1. Your Current Internet Connection: I know you’re going to turn this off, but if there’s a problem and everything ‘goes to hell in a hand cart’, you might need to connect back to this one in a hurry, (best not to look like a clown because you deleted all those settings and don’t know what they are). As a bare minimum have the following;

  • ISP Name.
  • ISP Tech Support phone number.
  • IP Address(s) allocated to you from the ISP. (Including the subnet mask and IP of their router if applicable).
  • Username and Passwords for your Internet Connection (if applicable i.e. for ADSL, PPPoE etc).
  • The details, of any public DNS records that point to you i.e. The MX records for your email, or URLs for any web services you host etc. If you have a web portal for managing this make sure you can log in. Or if your ISP handles this, get the information on how you can change your host records to point to the new IP address, (i.e. a fax on company headed notepaper, or a call to your account manager etc).

Setting up the Correct DNS Records for your Web or Mail Server

Then ring the old ISP make sure you can log a technical call without having to give them a password, (that everyone’s forgotten), or the only person who they will talk to left the company five years ago. (Get the feeling I’ve done this a lot!)

2. Your New Internet Connection: See everything you did above? get all the same information for the new ISP.

3. Backup: You are only ever as good as your last backup, make sure the ASA is backed up before you start, and backup to TFTP, or via the ASDM NOT by copy pasting the config into Notepad (this tends to hide shared secrets etc).

Backup and Restore a Cisco Firewall.

4. Test The New Internet Connection: I’ve had many a call from a colleague, that they can’t get an ASA working through a new Internet connection. And when I tell then to turn off the ASA and plug their Laptop into the Router/Modem/Socket guess what? Yes, the connection that the salesmen at the ISP said was live, really isn’t!

Warning: Sometimes you find that if you have used the public IP your ISP gave you on your laptop, that when you plug in the ASA it won’t work, (this happens because the router ‘caches’ the MAC address of the Laptop, and get confused when the ASA uses the same IP). So if possible use a different IP for testing, (if you have more than one IP). Or turn the ISP equipment off for a while after testing.

5. Who talks to you? What speaks to the ASA from outside? Do you have a web server, email server, FTP server, public facing service. Do have other offices that connect to you via VPN? Do you have remote workers that connect via VPN/AnyConnect?

5a. What Other Public IP’s Do You Use? You may have covered this in point 5 but now I’m talking about the public IP addresses that are in use but NOT assigned to the outside interface. Typically these are used in what we call static NAT.

If you have other sites with VPNs to you, they will need changing to point to the new public IP address.

Cisco ASA – Changing VPN IP Addresses

 

Changing The ‘Outside’ IP of the ASA

Now you’ve read all the above, you have a better appreciation of what you might break, and how much downtime to expect. The outside interface of the ASA is exactly the same as any network connection it needs an IP address, a subnet mask, and a default route (same as default gateway for you Windows types).

Again never assume the outside interface is called ‘outside’, I’ve seen all sorts of naming outside, Outside, Public, WAN etc. You already know the public IP so let’s see what the interface name that’s using it is;

Connect to the ASA

From CLI;

[box]

Petes-ASA> enable
Password: ********
Petes-ASA# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                91.91.91.1      255.255.255.248 CONFIG
GigabitEthernet1         inside                 192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                91.91.91.1      255.255.255.248 CONFIG
GigabitEthernet1         inside                 192.168.1.1     255.255.255.0   CONFIG
Petes-ASA#

Or on an ASA 5505

Password: ********
Petes-ASA# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG
Vlan2                    outside                91.91.91.1      255.255.252.248 CONFIG  
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG
Vlan2                    outside                91.91.91.1      255.255.252.248 CONFIG  
Petes-ASA#

Notice: On smaller ASA's the IP address is allocated to a VLAN, on larger ones the IP
is allocated to a physical interface. Also the 'Method' says 'CONFIG', if it said DHCP
then you are getting these settings dynamically from your ISP.

[/box]

From ASDM;

Configuration > Device Setup > Interfaces.

Now we know out interface name and where the IP address and the subnet mask are. Now we need to locate the default route for the ‘outside’ interface, (or whatever yours is called).

From CLI;

[box]

ASA-1# show run route
route outside 0.0.0.0 0.0.0.0 91.91.91.2 1
ASA-1#

Or to get the same information from the routing table;

Petes-ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.2.2.10 to network 0.0.0.0

C    91.91.91.0 255.255.255.248 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 91.91.91.2 outside
Petes-ASA# 

[/box]

From ASDM;

Configuration > Device Setup > Routing > Static Routes.

Now you know the interface name, you know know its physical name, (GigabitEthernet0, Vlan 2, etc.) You have all the information you need to change the IP address, subnet mask and default route.

From CLI;

[box]

Petes-ASA> enable
Password: *********
Petes-ASA# Configure Terminal
Petes-ASA(config)# int gigabitEthernet 0
Petes-ASA(config-if)# ip address 60.60.60.1 255.255.255.240
Petes-ASA(config-if)# exit

You can only have one 'Default route', so you can't just add the new one, (or it will error)
so you need to remove that route, (by prefixing the command with a 'no'). Then add the new
default route in.

Note: If there's a number at the end of the route command, you can leave that off it's just
a routing metric number.

Petes-ASA(config)# no route outside 0.0.0.0 0.0.0.0 91.91.91.2
Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 60.60.60.2

[/box]

From ASDM;

In the ASDM you go to the same sections you did above, select the interface or route, click edit, then make the change. Note if you are going to use PPPoE read the following article.

Cisco ASA 5500 – Configuring PPPoE

Don’t forget to click Apply!

Test – The New Public IP Address

Before we look at anything else we need to make sure the ASA has connectivity to the Internet, and THE ASA can ping a public ip address (Note: I said the ASA, not something on your network). I usually ping 8.8.8.8 (Google DNS server) because it always responds.

[box]

User Access Verification

Password: *******
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
Petes-ASA# 

[/box]

If this fails, ensure you can ping your ISP router (default route IP) this should be pretty easy to troubleshoot with the assistance of the ISP.

Once the ASA can connect to the Internet make sure your internal clients can, remember if you are going to use ping to test connectivity though the firewall you need to have ICMP inspection setup see the following article;

Cisco Firewalls and PING

 

Cisco ASA – Migrating Other Public IP Addresses

If you are performing ‘port forwarding‘ from the outside interface, i.e. taking all SMTP (TCP Port 25) traffic and forwarding it to an internal host, then the firewall should require no further configuration as that should be done from the interface name NOT the old public IP address.

You can quickly setup port forwarding if it’s stopped by reading the following article;

Cisco PIX / ASA Port Forwarding

If you have public IP addresses statically mapped to public IP addresses from your old ISP range then these will need to be changed. here you can see Ive got a static NAT for an internal server;

[box]

Petes-ASA# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Obj-Web-Server 91.91.91.3
    translate_hits = 101, untranslate_hits = 100
2 (inside) to (outside) source dynamic PAT-Internal interface
    translate_hits = 999, untranslate_hits = 52
Petes-ASA#

Petes-ASA# show run nat 
!
object network PAT-Internal
 nat (inside,outside) dynamic interface
object network Obj-Web-Server
 nat (inside,outside) static 91.91.91.3
ASA-1#

To Change

Petes-ASA# configure terminal 
Petes-ASA(config)# object network Obj-Web-Server
Petes-ASA(config-network-object)# no nat (inside,outside) static 91.91.91.3
Petes-ASA(config-network-object)# nat (inside,outside) static 60.60.60.3   
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# clear xlate
INFO: 453 xlate deleted
Petes-ASA(config)# 

[/box]

To do the same in the ASDM, is a little more convoluted you need to check every NAT rule and see if you have one thats type is ‘static’ and has an IP address from your old ISP range, then you can change it accordingly.

Configuration > Firewall > NAT Rules

Don’t forget to click Apply!

For more information on Static (One to One) NAT see the following article;

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

 

Cisco ASA – Migrating VPN’s Post IP Address Change

Site to Site VPN

If you have site to site (IPSEC) VPN’s then these will have gone down when the public IP address changed. If the device at the other end is a Cisco ASA/PIX then follow the advice in the following article;

Cisco ASA – Changing VPN IP Addresses

Client VPN

For remote workers using the older IPSEC VPN client, you will need to send them a new PCF file to import into their VPN client with the new IP address in it, (unless they are pointing at your public DNS name, then you simply need to change the IP address that the DNS name points to). PCF files are explained in the following article;

Working with the Cisco VPN Client. (IPSEC)

AnyConnect

As above if your AnyConnect clients connect directly to a public name like vpn.yourbusiness.com then just change that record to point to the new public IP address. Just be aware if you have set the AnyConnect profile to point to your old IP address, then your remote clients will automatically break themselves every-time they connect and download the profile, change it to the new IP address, or even better a public name/URL.

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

 

Dont Forget: Save any changes you have made to the firewall either with a ‘write mem‘ command, or File > Save running configuration to flash, if you’re in the ASDM.

I think I’ve got most stuff covered, if I’ve missed something that’s caused you problems let me know, and I will update this article accordingly (contact link below).

Related Articles, References, Credits, or External Links

Cisco ASA 5500 – Adding New ‘Different Range’ Public IP Addresses

 

 

Cisco AnyConnect Error (iPhone)

KB ID 0000362

Problem

While using the Apple/Cisco Anyconnect App/Client you receive the following error.

Error:

The secure gateway has rejected the agent’s VPN request. A New connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the security gateway: No License.

 

Solution

The most pertinent information above is the last two words of the error message “No License”

This DOES NOT mean you have ran out of SSL/AnyConnect Licences!

This licence is a “One Off” purchase and will enable the feature on your ASA, be aware the licence is different for each model make sure you purchase the correct one!

AnyConnect Mobile, (or AnyConnect for Mobile) licence details can be found at Cisco’s website Below is the section we are interested in.

Update 2017: Applying a modern AnyConnect (v4) licence, will also enable the mobile feature as well.

Once the correct licences are installed this is what it SHOULD look liike.

 

Related Articles, References, Credits, or External Links

Cisco ASA 5500 – Adding Licenses

Android AnyConnect Error

Android AnyConnect Error

KB ID 0000537

Problem

While using the Android/Cisco Anyconnect App/Client you receive the following error.

Error:

The secure gateway has rejected the agent’s VPN request. A New connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the security gateway: No License.

Solution

The most pertinent information above is the last two words of the error message “No License”

This DOES NOT mean you have ran out of SSL/AnyConnect Licences!

This licence is a “One Off” purchase and will enable the feature on your ASA, be aware the licence is different for each model make sure you purchase the correct one!

AnyConnect Mobile, (or AnyConnect for Mobile) licence details can be found at Cisco’s website Below is the section we are interested in.

Once the correct licences are installed this is what it SHOULD look liike.

Related Articles, References, Credits, or External Links

Cisco ASA 5500 – Adding Licenses

Cisco AnyConnect Error (iPhone)

Replace an ASA 5505 with an ASA 5506-X

KB ID 0001091 

Problem

Given the amount of ASA work I do it’s surprising that the first time I saw an ASA 5506-X was last week (I’ve been working on larger firewalls for a while). I’m probably going to have to do a few of these over the next couple of years so I’ll update this article as things surface.

Solution

Q: Can I just copy the config from an ASA 5505 to an ASA 5506-X?

A: No, that would be nice, truth be told if the 5505 is running an OS newer than 8.3, about 90% of the config can be copy/pasted if you know what you are doing.

The ASA 5506 Interfaces are different.

  • Unlike its predecessor (and just about all other Cisco equipment), the interfaces start at number 1 (the 5505 starts at 0).
  • The 5506 Interfaces are the opposite way round (left to right).
  • The 5506 has IP addresses applied to its physical interfaces. Where as the 5505 had IP addresses applied to VLANs and then the physical interfaces were added to the appropriate VLAN. Note: the 5506 still supports VLANs, (5 or 30 with a security plus license).*

*UPDATE: After version 9.7 This has changed (on the 5506-X) See the following article for an explanation;

Cisco ASA 5506-X: Bridged BVI Interface

So let’s say your 5505 has three interfaces called inside, outside, and DMZ, (yours might have different names, and you may only have two,) the relevant parts of the 5505 config would be;

[box]

 ASA 5505 VLAN and Physical Interface configuration

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 !
 interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.252
 !
 interface Vlan3
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.0.0.0
 !
 interface Ethernet0/0
 switchport access vlan 2
 !
 interface Ethernet0/1
 !
 interface Ethernet0/2
 switchport access vlan 3
 !
 interface Ethernet0/3
 !
 interface Ethernet0/4
 !
 interface Ethernet0/5
 !
 interface Ethernet0/6
 !
 interface Ethernet0/7
 !

[/box]

VLAN Note: You might be wondering why no ports have been put into VLAN 1? By default all ports are in VLAN 1, So above, ports 0/1 and 0/3 to 0/7 are all in VLAN 1.

Outside IP Note: Yours may say ‘dhcp setroute’ if it does not have a static IP , that’s fine.

To convert that (Assuming you are NOT going to use the BVI interface, (see link above!);

[box]

ASA 5506-X Physical Interface configuration

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.252
 !
 interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 !
 interface GigabitEthernet1/3
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.0.0.0
 !

[/box]

AnyConnect Has Changed

If you use AnyConnect then prepare for a little hand wringing. The 5505 could support up to 25 SSL VPN connections. On a 5506 they are actually called AnyConnect now, and it supports up to 50.

There is no Essentials license for a 5506-X! Don’t bother looking, you need to get your head into AnyConnect 4 licensing, I’ve already written about that at length.

AnyConnect 4 – Plus and Apex Licensing Explained

Q: Does this mean I can’t use my AnyConnect 3 (or earlier) packages in the new 5506?

A: Yes you can, but you will only get two connections, unless you purchase additional Apex/Plus licensing.

I’m working on the assumption that we are going to load in the AnyConnect 4 packages and use those. With that in mind if anyone manages to get them added to their Cisco profile without the ‘Additional Entitlement Required’ then contact me, and let me know how, (link at bottom). I have to ring Cisco and use my employers partner status to get the client software 🙁

In addition to getting new AnyConnect Packages and loading them into the new 5506. If you have an anyconnect XML profile, that will also need copying into the new firewalls flash drive before you can paste the AnyConnect settings in.

Below you can see I’ve got a profile on my 5505.

Tools > File Transfer > File Transfer > Between Local PC and Flash. (Do the reverse to get the file(s) into the new 5506).

Note: You can also do this from CLI by copying the file to a TFTP server.

Below is a typical AnyConnect config from an ASA 5505, I’ve highlighted the lines that will cause you problems.

[box]

ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
 enable outside
 anyconnect-essentials <-REMOVE THIS IT'S OBSOLETE
 anyconnect-win-3.1.05152-k9.pkg 1 <-REPLACE WITH ANYCONNECT 4
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.04063-k9.pkg 2 <-REPLACE WITH ANYCONNECT 4 
 anyconnect profiles SSL-VPN-POLICY disk0:/PeteNetLive-Profile.xml <-COPY OVER FIRST
 anyconnect enable
 tunnel-group-list enable
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
!

group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.10 10.0.0.11
 wins-server none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect profiles value SSL-VPN-POLICY type user
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET
 OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

ASA Transferring Certificates From One ASA to Another

I appreciate a lot of you wont be using certificates, and even if you use AnyConnect you just put up with the certificate error. That’s fine, but do me a favor? Before you do anything else go and generate the RSA keys on your new 5506 before you do anything else, (people forgetting to do this has cause me a LOT of grief over the years). So set the host name, domain-name, and then generate the keys like so;

[box]

ciscoasa# configure terminal
Petes-ASA(config)# hostname Petes-ASA
Petes-ASA(config)# domain-name petenetlive.com
Petes-ASA(config)# crypto key generate rsa modulus 2048

INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Petes-ASA(config)# 

[/box]

OK, so if you are still reading this section, then you have at least one certificate, that you need to move to the new firewall. For each scenario here’s what I recommend you do;

Self Signed Certificate from your own PKI / CA Server : Just generate a new cert for the new firewall and import it the same as you did on the old firewall

Externally / Publicly signed certificate that you have paid for: This we will need to export then import onto the new 5506. (Note: If there’s not much time left to run on the validity, it may be easier to get onto the certificate vendor and have a new one reissued to save you having to replace it in a couple of months – just a thought).

If you have purchased a certificate you will have already gone though the process below;

Cisco ASA 5500 – Using a Third Party Digital Certificate

The easiest option for you is to go where you purchased the cert, download it again, and import it into the new firewall. But here’s where you find out you forgot the username and password you used, or the guy who sorted this out has left the company etc. If that is the case all is not lost. You can export an identity certificate, either from the ADSM;

Cisco ASA Export Certificates From ASDM

Configuration > Device Management > Certificate Management > Identity Certificates > Select the certificate > Export > Choose a location and a ‘pass-phrase’.

Cisco ASA Export Certificates From Command Line.

To do the same at CLI the procedure is as follows;

[box]

Get Your Trustpoint(s) Names


Petes-ASA# show crypto ca trustpoints 

Trustpoint ASDM_TrustPoint0:
    Not authenticated.

Trustpoint PNL-Trustpoint-1:
    Subject Name:
    cn=PNL-DC-PROD-CA
    dc=petenetlive
    dc=com
          Serial Number: 5ec427e4910fa2bf47e1269e7fdd7081
    Certificate configured.

Then Export the Certificate(s) for that Trustpoint

Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca export PNL-Trustpoint-1 pkcs12 Password123

Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5

{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}

mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
Petes-ASA(config)#  

[/box]

Cisco ASA Import Certificates From ASDM

Configuration > Device Management > Certificate Management > Identity Certificates > Add > Use the same Trustpoint name as the source firewall > Browse the file you exported earlier > Enter the passphrase > Add Certificate.

Cisco ASA Import Certificates From Command Line.

To do the same at CLI the procedure is as follows, Note: You need to paste in the text from the output.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca import PNL-Trustpoint-1 pkcs12 Password123

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5

{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}

mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
quit

INFO: Import PKCS12 operation completed successfully
Petes-ASA(config)#  

[/box]

 

Assorted Firewall Migration ‘Gotchas’

Time (Clock Setting)

If you do any AAA via Kerberos or LDAP, then not having the time correct on the new ASA might get you locked out of it. I would always suggest setting up NTP so do that before you restart.

Cisco ASA – Configuring for NTP

ARP Cache

Not on the ASA, but on the devices the ASA is connecting to, (routers and switches etc). Unplug an ASA 5505 and plug in an ASA 5506, and nine times out of ten you will not get comms. This is because the device you are connecting to has cached the MAC address of the old firewall in its ARP cache. So either reboot the device, (or it thats not practical, lower the ARP cache to about 30 seconds).

 

ASA 5505 to 5506 Config To Copy And Paste

Below I’ll put a full config for an ASA 5505. If the text is normal,the commands can be copy and pasted directly into the new firewall. If the text is RED, then you can NOT, and I will have outlined the problems above.

 

[box]

hostname Petes-ASA
 domain-name petenetlive.com
 enable password H4ejVQF2DI/W9sLZ encrypted
 xlate per-session deny tcp any4 any4
 xlate per-session deny tcp any4 any6
 xlate per-session deny tcp any6 any4
 xlate per-session deny tcp any6 any6
 xlate per-session deny udp any4 any4 eq domain
 xlate per-session deny udp any4 any6 eq domain
 xlate per-session deny udp any6 any4 eq domain
 xlate per-session deny udp any6 any6 eq domain
 passwd 2GFQnbJIdI.2KYOU encrypted
 names
 !
 interface Ethernet0/0
 switchport access vlan 2
 !
 interface Ethernet0/1
 !
 interface Ethernet0/2
 switchport access vlan 12
 !
 interface Ethernet0/3
 !
 interface Ethernet0/4
 !
 interface Ethernet0/5
 !
 interface Ethernet0/6
 !
 interface Ethernet0/7<
 !
 interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 !
 interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.252
 !
 DONT COPY OVER THE BOOT SYSTEM PATHS FROM THE OLD FIREWALL
 !
 boot system disk0:/asa903-6-k8.bin
 boot system disk0:/asa902-k8.bin
 ! 
 ftp mode passive
 clock timezone GMT/BST 0
 clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
 dns server-group DefaultDNS
 domain-name petenetlive.com
 same-security-traffic permit inter-interface
 same-security-traffic permit intra-interface
 !
 NOTE ALL THE OBJECTS AND OBJECT GROUPS CAN BE COPIED OVER
 !
 object network obj_any
 subnet 0.0.0.0 0.0.0.0
 object network Obj-INT-Server1
 host 192.168.1.10
 object network Obj-Ext-Public_1
 host 123.123.123.124
 object network VPN_Pool
 subnet 10.253.253.0 255.255.255.0
 object service Obj-ApplicationX-Ports-TCP
 service tcp destination eq 1234
 object-group icmp-type Obj-ICMP
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 !
 NOTE ALL THE ACCESS-LISTS CAN BE COPIED OVER
 !
 access-list inbound remark traffic allowed to Server1
 access-list inbound extended permit tcp any object Obj-INT-Server1 object-group Obj-ApplicationX-Ports-TCP
 access-list inbound extended deny ip any any log disable
 access-list outbound remark traffic allowed from Server1
 access-list outbound extended permit ip object Obj-INT-Server1 any
 access-list outbound extended deny ip any any log disable
 !
 no pager
 logging enable
 logging asdm debugging
 logging mail critical
 logging from-address netalerts@petenetlive.com
 logging recipient-address externalalert@petenetlive.com level critical
 mtu inside 1500
 mtu outside 1500
 ip local VPN-POOL 10.253.253.1-10.253.253.50 mask 255.255.255.128
 !
 IF YOU EXECUTE A NO FAILOVER IT WILL COMPLAIN IF YOU DON'T HAVE A FAILOVER LICENCE
 !
 no failover
 ! 
 icmp unreachable rate-limit 50 burst-size 10
 icmp permit any inside
 icmp permit any outside
 no asdm history enable
 arp timeout 14400
 no arp permit-nonconnected 
 !
 NAT COMMANDS ARE FINE IF THE SOURCE IS NEWER THAN VERSION 8.3
 !
 nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
 !
 object network obj_any
 nat (inside,outside) dynamic interface
 object network Obj-INT-Server1
 nat (inside,outside) static Obj-Ext-Public_1
 !
 access-group inbound in interface inside
 access-group outbound in interface outside<
 !
 route outside 0.0.0.0 0.0.0.0 123.123.123.124 1
 route inside 192.168.1.0 255.255.255.0 192.168.1.50 1
 timeout xlate 3:00:00
 timeout pat-xlate 0:00:30
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
 timeout tcp-proxy-reassembly 0:01:00
 timeout floating-conn 0:00:00
 dynamic-access-policy-record DfltAccessPolicy
 !
 aaa-server AD protocol kerberos
 aaa-server AD (Inside) host 192.168.1.10
 kerberos-realm PETENETLIVE.COM
 aaa-server AD (Inside) host 192.168.1.11
 kerberos-realm PETENETLIVE.COM
 aaa-server AD-LDAP protocol ldap
 aaa-server AD-LDAP (Inside) host 192.168.1.10
 server-port 636
 ldap-base-dn OU=Users, OU=PETENETLIVE, DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password Password123
 ldap-login-dn cn=ciscoasa, OU=Service Accounts, OU=Service, DC=petenetlive, DC=com
 ldap-over-ssl enable
 server-type microsoft
 ! 
 user-identity default-domain LOCAL
 aaa authentication enable console LOCAL 
 aaa authentication http console LOCAL 
 aaa authentication ssh console LOCAL 
 aaa authentication telnet console LOCAL 
 aaa authentication serial console LOCAL 
 http server enable 2456
 http 192.168.1.0 255.255.255.0 inside
 http 245.245.245.0 255.255.255.0 outside
 no snmp-server location
 no snmp-server contact
 snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
 sysopt noproxyarp inside 
 sysopt connection tcpmss 0
 crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
 crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
 crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
 crypto map outside_map interface outside
 crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
 crypto ikev2 enable outside client-services port 443
 crypto ikev1 enable outside
 crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
 crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
 crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
 !
 crypto ca trustpoint PNL-Trustpoint-1
 enrollment terminal
 fqdn remote.petenetlive.com
 subject-name CN=remote.petenetlive.com,OU=IS,O=PeteNetLive,C=GB,St=Teesside,
 L=Middlesbrough,EA=admin@petenetlive.com!
 keypair PNL-NEW-KEYPAIR
 crl configure
 crypto ca trustpool policy
 crypto ca certificate chain ASDM_TrustPoint1
 certificate ca 33f5d6ed96a558bc45f43f6c9b8fd82d
 30820397 3083027f a0030201 02021033 f5d6ed96 a558bc45 f43f6c9b 8fd82d30 
 0d06092a 864886f7 0d010105 05003052 31133011 060a0992 268993f2 2c640119 
 16036e65 74311b30 19060a09 92268993 f22c6401 19160b70 6574656e 65746c69 
 7665311e 301c0603 55040313 15706574 656e6574 6c697665 2d504e4c 2d44432d 
 4341301e 170d3133 31313131 31313135 30305a17 0d323331 31313131 31323530 
 305a3052 31133011 060a0992 268993f2 2c640119 16036e65 74311b30 19060a09 
 92268993 f22c6401 19160b70 6574656e 65746c69 7665311e 301c0603 55040313 
 15706574 656e6574 6c697665 2d504e4c 2d44432d 43413082 0122300d 06092a86 
 4886f70d 01010105 00038201 0f003082 010a0282 010100c8 2d21e8cb 317741d7 
 e4eb4af4 2561f92a efec293a 9202bc38 e9d25eb7 3a0ff9e0 7c7ee9b3 8e76f328 
 df115581 3f70ac45 91b402b4 dba25c80 6dee49da eb904bda f2fbb21f 5661ba2a 
 81f9cd37 87d87811 05cce829 8112495b 0587b272 12b6d3c1 107d9529 e860900b 
 947af212 0b72eb0e de2f5891 87be7172 1fc02f38 ba82d0c9 ec3351b2 c6fe216a 
 0f674e81 608ba7f9 5fd9343a 4d815a12 0dbc0747 854211ba c0a32cdb 18fe8a92 
 bc5dd319 f4fba969 ed95c7d6 a51620f3 d3510b56 17471ece 89c2393d c14b42b9 
 2d4fc2c5 7f47b9b0 c4645c60 00d02e1c e54669b9 e54d0d49 1b6a4a09 e5f1ad5c 
 e2f901d9 b679ef5a 27de98bf 089c79b4 6723295a 436db902 03010001 a3693067 
 30130609 2b060104 01823714 0204061e 04004300 41300e06 03551d0f 0101ff04 
 04030201 86300f06 03551d13 0101ff04 05300301 01ff301d 0603551d 0e041604 
 146baa8b 30599cfb d5a0b40a 33a9c296 f4f24ec2 80301006 092b0601 04018237 
 15010403 02010030 0d06092a 864886f7 0d010105 05000382 0101007a d4edaf88 
 6bd0d3d5 916c9c1c 3d67d551 f78b41f6 75740965 f6dca8df 30878d56 65b900c8 
 cb27aa65 9092c9f0 c3bdc080 ded23cb0 10715db9 af8cd39c 5416d8d2 a0ee7ae2 
 ceb09be7 145a0969 1bf672db e0c532d2 26a27e8a f897f474 e9e638e1 bf12e385 
 3bb9af1e bdaadecd cbcf5a61 23c5b68f a040a5e0 70150541 d190eeef 3d72d702 
 b0d9d3fa 0241802a b87505c6 a217c714 e9f55692 b9bdd84f 25351f18 35bf53c1 
 b24d10be 876ef392 c971dee4 10a5d244 d08624eb 6d29975a 2f35e3d1 38260a1d 
 51e6b661 f0c709a7 0e072039 530a26b8 78d00f22 a754c0f7 90fb58a0 5d564259 
 ceafe29f 22e95391 7ea10a81 629f384c 7ed8d009 02f65068 e93ff0
 quit
 crypto ca certificate chain PNL-Trustpoint-1
 certificate 1a000000056df312597af00c80000000000005
 3082062a 30820512 a0030201 0202131a 00000005 6df31259 7af00c80 00000000 
 0005300d 06092a86 4886f70d 01010505 00304b31 13301106 0a099226 8993f22c 
 64011916 03636f6d 311b3019 060a0992 268993f2 2c640119 160b7065 74656e65 
 746c6976 65311730 15060355 0403130e 504e4c2d 44432d50 524f442d 4341301e 
 170d3135 30363135 31353131 32325a17 0d313730 36313531 35323132 325a3081 
 c9312530 2306092a 864886f7 0d010902 13167265 6d6f7465 2e706574 656e6574 
 6c697665 2e636f6d 310b3009 06035504 06130247 42311130 0f060355 04081308 
 54656573 73696465 31163014 06035504 07130d4d 6964646c 65736272 6f756768 
 31143012 06035504 0a130b50 6574654e 65744c69 7665310b 30090603 55040b13 
 02495331 1f301d06 03550403 13167265 6d6f7465 2e706574 656e6574 6c697665 
 2e636f6d 31243022 06092a86 4886f70d 01090116 1561646d 696e4070 6574656e 
 65746c69 76652e63 6f6d3082 0122300d 06092a86 4886f70d 01010105 00038201 
 0f003082 010a0282 010100ed 6403f970 5c3d8f90 c106cc7a 85b69965 05ac5a50 
 2f3f0351 984e28aa d68d1f28 88d44ae6 99997b06 cc7ca9a0 573db801 d8277276 
 b6e7d7a7 6863da35 29156dcd fbe063f2 9855bf75 b5529c22 ecbd87f0 9be50cc4 
 cf5d245f 9e7b4443 6e8afe02 9442f79d 16f0d4e6 09cdb3f4 0771173d 707a0cae 
 9facd254 a9ba4401 d3ce14fe 1ecee991 b83f7ca8 f11f549f b4b0f302 6d09eec7 
 b522d7b7 97af7648 a2f99b93 207c3f0c 62800df7 532478ad 9020c6e6 87fb956c 
 d20289f6 68efe7ff a7914fea 7b28d9f4 e8504c40 48f65d88 dffcfa3e 5ecbc50a 
 b28b07dc 792ce53d 0475ef96 12c3d402 d2ad7fcb b1099266 1fb5087b 71910dd4 
 d0b33dcf 7cc585c7 af0b4702 03010001 a3820286 30820282 300e0603 551d0f01 
 01ff0404 030205a0 30210603 551d1104 1a301882 1672656d 6f74652e 70657465 
 6e65746c 6976652e 636f6d30 1d060355 1d0e0416 0414e3d5 5aaa3004 d607bd3f 
 13384329 1acf7f21 92f3301f 0603551d 23041830 16801495 d2ae01e1 45769582 
 39b946bf a2799ccd c5d28a30 81d40603 551d1f04 81cc3081 c93081c6 a081c3a0 
 81c08681 bd6c6461 703a2f2f 2f434e3d 504e4c2d 44432d50 524f442d 43412c43 
 4e3d504e 4c2d4443 2d50524f 442c434e 3d434450 2c434e3d 5075626c 69632532 
 304b6579 25323053 65727669 6365732c 434e3d53 65727669 6365732c 434e3d43 
 6f6e6669 67757261 74696f6e 2c44433d 70657465 6e65746c 6976652c 44433d63 
 6f6d3f63 65727469 66696361 74655265 766f6361 74696f6e 4c697374 3f626173 
 653f6f62 6a656374 436c6173 733d6352 4c446973 74726962 7574696f 6e506f69 
 6e743081 c406082b 06010505 07010104 81b73081 b43081b1 06082b06 01050507 
 30028681 a46c6461 703a2f2f 2f434e3d 504e4c2d 44432d50 524f442d 43412c43 
 4e3d4149 412c434e 3d507562 6c696325 32304b65 79253230 53657276 69636573 
 2c434e3d 53657276 69636573 2c434e3d 436f6e66 69677572 6174696f 6e2c4443 
 3d706574 656e6574 6c697665 2c44433d 636f6d3f 63414365 72746966 69636174 
 653f6261 73653f6f 626a6563 74436c61 73733d63 65727469 66696361 74696f6e 
 41757468 6f726974 79303d06 092b0601 04018237 15070430 302e0626 2b060104 
 01823715 0885fbfb 0d83ea8c 0c83e187 2282c9d9 5783d9e2 675c86b2 fd3486f3 
 8d1b0201 64020104 30130603 551d2504 0c300a06 082b0601 05050703 01301b06 
 092b0601 04018237 150a040e 300c300a 06082b06 01050507 0301300d 06092a86 
 4886f70d 01010505 00038201 01002154 6bf54ea2 23a10a75 77df1b15 65c4c2b9 
 f17ff795 1cc28834 f41e6d88 3e03f18a 6e2bdc05 f1da80b3 10ccf096 eeec10c4 
 07dccb0a 0791a99f afda01ac 6cc7d985 82060c56 9e871a56 136805b3 7c277162 
 ae034197 addfe623 2bb814dd a401b053 b44fd7a6 302237ac f5bcc024 a25d3f84 
 d8d3ecb4 de0d9c7e 51e56c95 5e2ebf7a fee86ac6 26dcbaf8 09e4864f f3956447 
 398ed790 8cba02c3 bddca424 3777d625 3e39ed27 8b2778b8 20414b5d 30d1b20a 
 ee1e2771 deea6f40 e2ed07de 8e66e2b6 651d7b19 4f3594d6 8acc0713 fd4436cc 
 c38e9f92 b0ebc89a f39c599d 28a23040 d46dd8ad 80fec713 d38987f5 0c473098 
 5584e2de 3a1be0e3 72c24d48 90de
 quit
 certificate ca 5ec427e4910fa2bf47e1269e7fdd7081
 30820371 30820259 a0030201 0202105e c427e491 0fa2bf47 e1269e7f dd708130 
 0d06092a 864886f7 0d010105 0500304b 31133011 060a0992 268993f2 2c640119 
 1603636f 6d311b30 19060a09 92268993 f22c6401 19160b70 6574656e 65746c69 
 76653117 30150603 55040313 0e504e4c 2d44432d 50524f44 2d434130 1e170d31 
 35303631 32313231 3935375a 170d3330 30363132 31323239 35365a30 4b311330 
 11060a09 92268993 f22c6401 19160363 6f6d311b 3019060a 09922689 93f22c64 
 0119160b 70657465 6e65746c 69766531 17301506 03550403 130e504e 4c2d4443 
 2d50524f 442d4341 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 
 3082010a 02820101 00ad6ce6 b3d3852b 6524ee38 bab2beb8 1184f717 0bcebe1f 
 7b590260 6f0d0503 6d3409cb fcc7af7c f197cc74 91de290f cd65da5b cb5715b9 
 5c975ad6 20ba8573 4e4058fc 383f40d2 08f6390d f4c5c3e5 c7fc8571 ba7613a4 
 5e0dafde b98b8641 f9b5ba7f c50142c6 7854a785 22fa94d8 2f648590 0a0287ab 
 568fcac4 e6fde0aa 11cafe44 beadd840 7c1fa631 89be34c0 bf15858e c44f78be 
 c1140f04 f1b89eb0 23442430 bacd9b9d a3b2620b 5d0e59c1 520b39e2 f95c9e91 
 305bd92b 4eab53b6 bfee551d 57e1f864 a043a757 39150ca7 bfdfb6ab 77510fa9 
 c8c35eec 02a59c75 460cdd61 7cae7949 9879e472 970bb444 25d01556 336b1a86 
 1ec95330 cac03f5e 01020301 0001a351 304f300b 0603551d 0f040403 02018630 
 0f060355 1d130101 ff040530 030101ff 301d0603 551d0e04 16041495 d2ae01e1 
 45769582 39b946bf a2799ccd c5d28a30 1006092b 06010401 82371501 04030201 
 00300d06 092a8648 86f70d01 01050500 03820101 005c4437 216d5cc1 38a0e3bb 
 8af4657d 83fca1a3 57483d54 4a73a663 c8bf8c2a b0280cc4 155f4a15 72da34ee 
 6e67ae3f c503b73f 3e267f05 b1be022e 2e979295 b661e942 ef8d2039 4da5e555 
 a1babc03 33792b4d 85272d81 0484c36c fd49c383 dd95b1a3 64dbca14 b01bc48a 
 61b6cb84 38128fbe 2860097c 1a0e15a1 6a3c409a be6074fb be64d87a 6d46b11e 
 8548fb44 dfc35483 1c7668cd e72828fa 102a2069 8939f613 11ec5bb6 341a70fc 
 a6a85bc6 a93cdc73 59b36756 cba6f787 957d3eca 1ef9a057 31c2ae9c 26ab72f5 
 096129c6 0ed0bc05 0a7bca34 ae6fd90a 1e86cf91 49f558ea e174de18 dc8cb428 
 922bb233 ee5cf072 98a78f60 1a98f540 7c227063 e2
 quit
 !
 telnet 0.0.0.0 0.0.0.0 inside
 telnet timeout 5
 ssh 192.168.1.0 255.255.255.0 inside
 ssh timeout 5
 ssh version 2
 console timeout 0
 !
 YOUR NEW FIREWALL HAS A MANAGEMENT INTERFACE, YOU MIGHT NOT WANT TO COPY THIS OVER
 ! 
 management-access Inside
 !
 tls-proxy maximum-session 24
 !
 threat-detection basic-threat
 threat-detection statistics port
 threat-detection statistics protocol
 threat-detection statistics access-list
 no threat-detection statistics tcp-intercept
 ntp server 87.194.255.141 source outside
 ntp server 194.117.157.4 source outside prefer
 ssl encryption 3des-sha1
 webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles SSL_VPN disk0:/Petenetlive-profile.xml 
 anyconnect enable
 tunnel-group-list enable
 ! 
 group-policy DefaultRAGroup internal
 group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.12 192.168.1.13
 vpn-tunnel-protocol ikev2 l2tp-ipsec 
 default-domain value petenetlive.com
 group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.12 192.168.1.13
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 address-pools value VPN_Pool
 !
 username user1 password G0=2iYoApombmlE5de7 encrypted
 username user1 attributes
 service-type remote-access
 !
 tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Pool
 !
 class-map inspection_default
 match default-inspection-traffic
 !
 policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
 policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map 
 inspect ftp 
 inspect tftp 
 inspect icmp 
 inspect pptp 
 inspect ipsec-pass-thru 
 inspect icmp error 
 class class-default
 set connection decrement-ttl
 !
 service-policy global_policy global
 smtp-server 192.168.1.41 192.168.1.42
 prompt hostname context
 no call-home reporting anonymous
 call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily 
 no call-home reporting anonymous
 : end

[/box]

 

Related Articles, References, Credits, or External Links

NA