cisco Asa 5520 context

TGF_Cisco
Level 1

Hello

We have a pair of Cisco ASA 5520s currently running multiple context mode. We wish to change to single context mode for the following reasons.

We will migrate infrastructure to a hosted vendor. I was thinking of configuring site-to-site. The current ASA we plan to keep since wireless sits in our DMZ and we have a NetScreen that hosts the tunnel for ERP.

1. Is a context change required for running site-to-site?
2. Is it a good idea to create a site-to-site to make sure wireless network and Oracle traffic goes through the managed firewall?
3. How to retrieve the admin context password?


Sent from Cisco Technical Support iPad App


22 Replies

1. Is a context change required for running site-to-site?

Beginning with ASA version 9.0, site-to-site VPNs are also available in the security contexts.

2. Is it a good idea to create a site-to-site to make sure wireless network and Oracle traffic goes through the managed firewall?

If the traffic flows over an untrusted network, then it's the way to go.

3. How to retrieve the admin context password?

Ask the admin ... ;-) Ok, probably you wouldn't ask if it was that easy.

In the ASA system execution space (the "box" where you create the contexts) you specify a path for the context config. That's pure plaintext and you can read the config from there. But the passwords are hashed and not readable.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks

We are planning to extend L2 through managed services, which I believe would traverse the MPLS network.

This would be the inside segment in our firewall ASA 5520. My concern is about the DMZ routing through to the new FW, wherever it will be.


Regarding context, is an upgrade the only way to then run site-to-site? We are running the ASA in active/standby. Could you direct me to the upgrade procedure? And since I don't have admin access, can you tell me where to look for the context config from a normal context?

We are planning to extend L2 through managed services, which I believe would traverse the MPLS network.

This would be the inside segment in our firewall ASA 5520. My concern is about the DMZ routing through to the new FW, wherever it will be.

In my opinion, every provider network (and so also MPLS) is untrustworthy. So a VPN is good to use.

Regarding context, is an upgrade the only way to then run site-to-site? We are running the ASA in active/standby. Could you direct me to the upgrade procedure?

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/admin_swconfig.html#wp1496328

And since I don't have admin access, can you tell me where to look for the context config from a normal context?

That doesn't work. "Normal" contexts are what the customers can access, and they shouldn't have insight into the ASA itself or other contexts. You need direct control of the box for that.

I need admin context access into the box, for which we have user-level access. The box is on our premises only. How to get access to the admin context? Can console access give more info about it?

If you have access to the console, then you can see the location of the context configs with a "show run". Most often these configs are located in the local flash.

Now the tricky situation: how do I recover console access to the ASA 5520?

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL

This firewall was managed by some other company before. Does a default console password exist?

I tried to connect on the console and the username credentials that I use to connect over SSH didn't work!

There is no default user or pass that you can use. You need to go through password recovery:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1049302


Thank you, but I am unable to open the page. I get a 403 error.

Got it anyway, thanks.

I hope I will be able to change the console password through this procedure.

I (again and as usual) forgot to remove the "/partner" from the URL ... It is corrected now.

Hello

Thanks for the steps, but my only concern is that I don't have a lab to test in.

Does this procedure apply to multiple context mode as well?

Is there any risk in doing this procedure?

What would you recommend as the steps to follow to change the console password and to recover the admin context password?

I believe this procedure works for multiple mode as well; the risk of doing this is that your ASA will boot ignoring the startup config. This way you can bypass the password and set a new password for the admin context.

Thanks all,

I managed to get access to the admin context and all is working well.

One thing I am not able to do is create an SVI on a physical interface that exists and is being used.

I would like to create a new interface GigabitEthernet1/2.168. It doesn't list g1/2 as a physical interface when I try to create the SVI.

How do I do it?

Where are you creating the subinterface from? Is it in a context? You will need to define/create it first before you are able to assign/allocate that subinterface to a context. Are you using ASDM or the CLI to configure it? And which version are you using?
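As an added illustration, not code from this thread or from Cisco, the Python helper below parses a constructed ASA system execution space "show run" and reports two things the replies above describe: where each context's config-url points (the earlier reply notes that these usually live on local flash), and whether a subinterface such as GigabitEthernet1/2.168 has been defined in the system space and allocated to a context, which is the ordering the last reply requires. The sample config, the context names and the tftp address are constructed for the example.

```python
# Constructed sample of an ASA system execution space "show run"; not from the thread's box.
SAMPLE_SYSTEM_CONFIG = """\
hostname asa5520
admin-context admin
interface GigabitEthernet0/0
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet1/2
interface GigabitEthernet1/2.100
 vlan 100
context admin
  allocate-interface GigabitEthernet0/0.10
  config-url disk0:/admin.cfg
context dmz
  allocate-interface GigabitEthernet1/2.100
  config-url tftp://192.0.2.10/dmz.cfg
"""

def parse_system_config(text):
    """Return (defined_interfaces, contexts); contexts maps name -> {"config_url", "interfaces"}.
    Only single-interface allocate-interface lines are handled (no ranges or mapped names)."""
    interfaces, contexts, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):          # interfaces/subinterfaces exist only in system space
            interfaces.add(line.split(None, 1)[1])
            current = None
        elif line.startswith("context "):          # start of a context definition block
            current = line.split(None, 1)[1]
            contexts[current] = {"config_url": None, "interfaces": []}
        elif current and line.startswith("allocate-interface "):
            contexts[current]["interfaces"].append(line.split(None, 1)[1])
        elif current and line.startswith("config-url "):
            contexts[current]["config_url"] = line.split(None, 1)[1]
    return interfaces, contexts

def subinterface_status(text, name):
    """A subinterface is usable inside a context only after it is defined in system space
    and then allocated to that context; report which step is missing."""
    interfaces, contexts = parse_system_config(text)
    if name not in interfaces:
        return "not defined in system execution space"
    owners = [c for c, d in contexts.items() if name in d["interfaces"]]
    return "allocated to " + ",".join(owners) if owners else "defined but not allocated to any context"

def remote_config_urls(text):
    """Contexts whose config-url is not on local flash (disk*/flash*), worth a second look."""
    _, contexts = parse_system_config(text)
    return {c: d["config_url"] for c, d in contexts.items()
            if d["config_url"] and not d["config_url"].startswith(("disk", "flash"))}
```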
