Cisco 5510 Startup-Config copy

Duong Nguyen
Level 1

I copied a Cisco 5510 startup-config to an identical Cisco 5510.

After copying through tftp, I executed a reload. 

Everything looks good. Line-by-line compare results are the same.

The problem is I can no longer use ASDM or ssh to interface with Cisco 5510.

Telnet works fine.

I am fairly new to Cisco firewalls.

Please advise.

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello

So only do the following. Let's say the new IP is 4.4.4.4:

clear configure tunnel-group 2.2.2.2

tunnel-group 4.4.4.4 type ipsec-l2l

tunnel-group 4.4.4.4 ipsec-attributes

pre-shared-key x.x.x.x

no crypto map outside_map 20 set peer 2.2.2.2

crypto map outside_map 20 set peer 4.4.4.4

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


25 Replies

Julio Carvajal
VIP Alumni

Hello,

Please provide the following:

show run ssh

sh run asdm

sh flash (and look for the asdm image)

sh run ssh

Make sure you have created the RSA key, if not

crypto key generate rsa

Regards,

Remember to rate all of the posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I see now that sh flash is different and that crypto key generate fixed my ssh issue. Thank you!

Device 1

ASA5510-HQ# sh run ssh
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 55

Device 2

ASA5510-HQ# sh run ssh
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 55

Device 1

ASA5510-HQ# sh run asdm
asdm image disk0:/asdm-621.bin
asdm location 12.221.201.117 255.255.255.255 outside
asdm group ftp-svr inside
asdm group PubSshSvr_real inside
asdm group PubWebSvr_real inside
asdm group ftp-svr_ref outside reference ftp-svr
asdm group PubWebSvr_real1 inside
asdm group PubWebSvr outside reference PubWebSvr_real1
asdm group PubSshSvr_real1 inside
asdm group PubSshSvr outside reference PubSshSvr_real1
asdm group BlockedOutsideIP outside
no asdm history enable

Device 2

ASA5510-HQ# sh run asdm
asdm image disk0:/asdm-621.bin
asdm location 12.221.201.117 255.255.255.255 outside
asdm group ftp-svr inside
asdm group PubSshSvr_real inside
asdm group PubWebSvr_real inside
asdm group ftp-svr_ref outside reference ftp-svr
asdm group PubWebSvr_real1 inside
asdm group PubWebSvr outside reference PubWebSvr_real1
asdm group PubSshSvr_real1 inside
asdm group PubSshSvr outside reference PubSshSvr_real1
asdm group BlockedOutsideIP outside
no asdm history enable

Device 1

ASA5510-HQ# sh flash
--#--  --length--  -----date/time------  path
   88  5511168     Dec 31 2002 16:06:56  asa707-k8.bin
   10  8192        May 13 2008 12:34:04  crypto_archive
   89  6161700     May 13 2008 12:36:58  asdm-507.bin
   91  11348300    Jun 07 2010 22:10:42  asdm-621.bin
   92  16275456    Jun 07 2010 22:19:50  asa821-k8.bin
    3  8192        Jun 07 2010 22:25:04  log
   13  8192        Jun 07 2010 22:28:32  coredumpinfo
   14  43          Oct 26 2012 14:54:14  coredumpinfo/coredump.cfg
   93  16410       Feb 18 2011 12:18:12  startup-config
   11  8192        Feb 26 2011 09:39:02  snmp
   12  4           Oct 12 2012 18:16:59  snmp/single_vf
   94  12335       Apr 15 2011 18:17:40  startup-config-2011-04-15-01
255426560 bytes total (215523328 bytes free)

Device 2

ASA5510-HQ# sh flash
--#--  --length--  -----date/time------  path
  100  16275456    Jul 30 2012 04:44:14  asa821-k8.bin
   10  8192        Sep 08 2008 02:13:08  crypto_archive
  101  16280544    Jul 22 2012 22:54:06  asdm-645.bin
    3  8192        Jul 22 2012 23:08:46  log
   13  8192        Jul 22 2012 23:09:02  coredumpinfo
   14  43          Oct 26 2012 06:21:58  coredumpinfo/coredump.cfg
  103  8192        Dec 31 1979 16:00:00  FSCK0000.REC
  104  24576       Dec 31 1979 16:00:00  FSCK0001.REC
  105  8192        Dec 31 1979 16:00:00  FSCK0002.REC
  106  32768       Dec 31 1979 16:00:00  FSCK0003.REC
  107  8192        Dec 31 1979 16:00:00  FSCK0004.REC
  108  8192        Dec 31 1979 16:00:00  FSCK0005.REC
  109  24576       Dec 31 1979 16:00:00  FSCK0006.REC
  110  8192        Dec 31 1979 16:00:00  FSCK0007.REC
  111  32768       Dec 31 1979 16:00:00  FSCK0008.REC
  112  8192        Dec 31 1979 16:00:00  FSCK0009.REC
   11  8192        Aug 07 2012 04:49:12  snmp
   12  4           Oct 26 2012 06:09:17  snmp/single_vf
255426560 bytes total (222150656 bytes free)
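The checklist above (ssh, asdm, flash, RSA key) and the two listings show the core issue: a copied text config points at disk0:/asdm-621.bin, which only Device 1 has in flash, and the RSA keypair is never part of the startup-config at all. This added Python example (not from the thread) parses pasted `show flash` and `show run asdm` text and reports referenced images missing from flash; the `boot system` match extends the same idea, and the sample listings are abbreviated from the ones posted above.

```python
import re

# One data row of `show flash`: index, length, date/time, path.
# The header row and the "bytes total" footer do not match this pattern.
FLASH_ROW = re.compile(
    r"^\s*\d+\s+\d+\s+[A-Za-z]{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$"
)
# `asdm image disk0:/x.bin` as seen in the thread; `boot system disk0:/x.bin`
# is the other config line that names a flash file (same syntax).
IMAGE_REF = re.compile(r"^\s*(?:asdm image|boot system)\s+disk0:/(\S+)")


def parse_flash(show_flash: str) -> set:
    """Return the set of file paths listed in `show flash` output."""
    paths = set()
    for line in show_flash.splitlines():
        m = FLASH_ROW.match(line)
        if m:
            paths.add(m.group(1))
    return paths


def referenced_images(show_run: str) -> list:
    """Return flash paths that the running config expects to exist."""
    return [m.group(1) for line in show_run.splitlines()
            if (m := IMAGE_REF.match(line))]


def missing_images(show_run: str, show_flash: str) -> list:
    """Paths the config references that `show flash` does not list."""
    present = parse_flash(show_flash)
    return [p for p in referenced_images(show_run) if p not in present]


# Constructed samples, abbreviated from the two listings posted in the thread.
RUN_ASDM = "asdm image disk0:/asdm-621.bin\nno asdm history enable\n"
FLASH_DEVICE1 = """--#--  --length--  -----date/time------  path
   91  11348300    Jun 07 2010 22:10:42  asdm-621.bin
   92  16275456    Jun 07 2010 22:19:50  asa821-k8.bin
255426560 bytes total (215523328 bytes free)
"""
FLASH_DEVICE2 = """--#--  --length--  -----date/time------  path
  100  16275456    Jul 30 2012 04:44:14  asa821-k8.bin
  101  16280544    Jul 22 2012 22:54:06  asdm-645.bin
255426560 bytes total (222150656 bytes free)
"""

if __name__ == "__main__":
    for name, flash in (("Device 1", FLASH_DEVICE1), ("Device 2", FLASH_DEVICE2)):
        gap = missing_images(RUN_ASDM, flash)
        print(f"{name}: {'OK' if not gap else 'missing in flash: ' + ', '.join(gap)}")
```

Run against the real outputs before the reload, and the Device 2 report points straight at the `asdm image` line that has to be re-pointed (or the image copied over) on the target box.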

Hello,

My pleasure,

Please mark the question as answered

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Do you know why asdm no longer works?

Hello,

Provide me the following:

show run ssl

show run http

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

sh run ssl ==> no return

sh run http ==>

http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management

I changed the IPs to zeros.

Hello,

No output from show run ssl.

Just in case, add the following command:

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1

Then try to connect.

If this does not work, please share the show run asdm.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASA5510-HQ# sh run asdm
asdm image disk0:/asdm-621.bin
asdm location 12.221.201.117 255.255.255.255 outside
asdm group ftp-svr inside
asdm group PubSshSvr_real inside
asdm group PubWebSvr_real inside
asdm group ftp-svr_ref outside reference ftp-svr
asdm group PubWebSvr_real1 inside
asdm group PubWebSvr outside reference PubWebSvr_real1
asdm group PubSshSvr_real1 inside
asdm group PubSshSvr outside reference PubSshSvr_real1
asdm group BlockedOutsideIP outside
no asdm history enable

Hello Duong,

clear configure asdm

asdm image disk0:/asdm-621.bin

What Java version are you running on your computer?

capture test interface inside match tcp any host inside_interface_ip eq 443

Then try to connect and send me

show cap test

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

clear configure asdm worked.

You are so awesome, thanks for everything!

Can I expect many other configurations will not stay the same or stop working?

This was a direct copy of startup-config of another 5510 firewall.

Is there anything else I should consider?

We are moving and the idea was to get an identical firewall to copy things over, to limit downtime.

Hello Duong,

Well, there are going to be some other things that you will need to check, like the NAT statements (IP addresses on both sides might be different), SNMP communities, syslog servers, etc.

Just stuff like that,

Regards,

Remember to rate all of the helpful posts (if you do not know how to rate a post, just let me know, I will help you on that one as well).

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes please show me how to rate a post.

Hello Duong,

Sure, my pleasure to help.

Just go to one of the community users' posts and at the bottom you will see a 5-star range (1 being bad, 5 being good), so you can rate as many as you want.

Now if you have any other question or problem regarding this ASA change, just let me know.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC