Showing results for 
Search instead for 
Did you mean: 

Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

Community Manager
Community Manager

Read the bioWith Prashanth Goutham R.


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 


Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.


Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.

Remember to use the rating system to let Prashanth know if you have received an adequate response. 


Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.


Prashanth Goutham R.

Thank you very much for answering my questions. Very appreciated.I hope other users did benefit from your detailed/tested replies.



Hello Prashanth,

I've setup a ASA 5505 with 3 servers behind it. Riunning Exchange 2007 and RD Gateway behind NAT.

Port  443 is opened to allow Outlook Anywhere so the Domain users can access  mail from outside the office without setting up a VPN tunnel. Also I use  the RD Gateway so the users can access their worksations in the LAN and  also the TS server (remote desktop)

This  was working with the old firewall (D-Link Netdefend) but now the users  get prompted with user/password popup from Outlook. The RD Gateway has  also stopped working only telling the users "Logon Attempt Failed".

That means that Outlook failed to access the server using NTLM auth. and need to use "basic auth" instead.

So my question:

Does the ASA 5505 allow NTLM Passthrough? If not, what will I need to buy ?

Hello Johan,

This forum is specifically for the Failover Discussion on Cisco Firewalls, however to answer your question, Yes ASA supports NTLM Passthrough:

The ASA supports the following Single Sign On (SSO) methods:

  • Kerberos Constrained Delegation (KCD)
  • Computer Associates Siteminder (Netegrity)
  • RSA Access Manager (ClearTrust)
  • Security Assertion Markup Language (SAML v1.1)
  • Basic/NTLM/FTP/CIFS authentication pass-through
  • Forms-based authentication pass-through;HTTP-POST via variable substitution (macros)

Do let me know what troubleshooting you have done so far... Hope that helps.


As I can read on the provided URL those auth methods is supported on the "Single sign-on (SSO) for clientless SSL VPN users" section...

And I am not talking about building any VPN solution.

But can that be the issue? That the ASA is picking up the NTLM for the VPN? Not possible to disable the VPN feature somehow?

Troubleshoting done:

With D-Lnk it works. With Cisco it doesn't.

(Both devices redirects the TCP 443 to the internal IP of the server. Nothing else done)