01-15-2013 01:34 PM - edited 03-11-2019 05:47 PM
Hello
We have a pair of Cisco ASA 5520s currently running in multiple context mode. We wish to change to single context mode for the following reason:
We will migrate our infrastructure to a hosted vendor. I was thinking of configuring a site-to-site VPN. We plan to keep the current ASA since wireless sits in our DMZ and we have a NetScreen that hosts the tunnel for ERP.
1. Is a context change required for running site-to-site VPN?
2. Is it a good idea to create a site-to-site VPN to make sure wireless network and Oracle traffic goes through the managed firewall?
3. How do I retrieve the admin context password?
Sent from Cisco Technical Support iPad App
Solved! Go to Solution.
01-15-2013 02:31 PM
We are planning to extend L2 through managed services, which I believe would traverse an MPLS network.
This would be the inside segment in our firewall, the ASA 5520. My concern is about the DMZ routing through to the new firewall, wherever it will be.
In my opinion, every provider network (and so also MPLS) is untrustworthy. So a VPN is good to use.
Regarding context: is an upgrade the only way to then run site-to-site? We are running the ASAs in active/standby. Could you direct me to the upgrade procedure?
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/admin_swconfig.html#wp1496328
And since I don't have admin access, can you tell me where to look for the context config from a normal context?
That doesn't work. "Normal" contexts are what the customers can access. And they shouldn't have insight into the ASA itself or other contexts. You need direct control of the box for that.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-16-2013 01:28 AM
There is no default user or pass that you can use. You need to go through password recovery:
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1049302
01-15-2013 02:06 PM
1. Is a context change required for running site-to-site VPN?
Beginning with ASA version 9.0, site-to-site VPNs are also available in the security contexts.
2. Is it a good idea to create a site-to-site VPN to make sure wireless network and Oracle traffic goes through the managed firewall?
If the traffic flows over an untrusted network, then it's the way to go.
3. How do I retrieve the admin context password?
Ask the admin ... ;-) Ok, probably you wouldn't ask if it was that easy.
In the ASA system execution space (the "box" where you create the contexts) you specify a path for the context config. That's pure plaintext and you can read the config from there. But the passwords are hashed and not readable.
01-15-2013 02:17 PM
Thanks
We are planning to extend L2 through managed services, which I believe would traverse an MPLS network.
This would be the inside segment in our firewall, the ASA 5520. My concern is about the DMZ routing through to the new firewall, wherever it will be.
Regarding context: is an upgrade the only way to then run site-to-site? We are running the ASAs in active/standby. Could you direct me to the upgrade procedure? And since I don't have admin access, can you tell me where to look for the context config from a normal context?
Sent from Cisco Technical Support iPad App
01-15-2013 02:36 PM
I need admin context access to the box, which we have user-level access to. The box is on our premises only. How do I get access to the admin context? Can console access give more info about it?
Sent from Cisco Technical Support iPad App
01-15-2013 02:38 PM
If you have access to the console, then you can see the location of the context-configs with a "show run". Most often these configs are located in the local flash.
01-16-2013 01:24 AM
Now a tricky situation: how do I recover console access to the ASA 5520?
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
This firewall was managed by another company before. Does a default console password exist?
I tried to connect on the console and the username/credentials that I use to connect over SSH didn't work!
01-16-2013 01:45 AM
Thank you, but I am unable to open the page. I get a 403 error.
01-16-2013 01:50 AM
Got it anyways thanks.
I hope I will be able to change the console password through this procedure.
01-16-2013 01:52 AM
I (again and as usual) forgot to remove the "/partner" from the URL ... It is corrected now.
01-31-2013 01:30 PM
Hello
Thanks for the steps, but my only concern is that I don't have a lab to test in.
Does this procedure apply to multiple context mode as well?
Is there any risk in doing this procedure?
What would you recommend as steps to follow to change the console password and to recover the admin context password?
Sent from Cisco Technical Support iPad App
02-01-2013 01:08 AM
I believe this procedure works for multiple context mode as well. The risk of doing this is that your ASA will boot ignoring the startup config. This way you can bypass the password and set a new password for the admin context.
02-01-2013 03:15 AM
Thanks all,
I managed to get access to the admin context and all is working well.
One thing I am not able to do is create an SVI on a physical interface that exists and is being used.
I would like to create a new interface GigabitEthernet1/2.168. It doesn't list g1/2 as a physical interface when I try to create the SVI.
How do I do it?
02-01-2013 03:45 AM
Where are you creating the subinterface from? Is it in a context? You will need to define/create it first before being able to assign/allocate that subinterface to a context. Are you using ASDM or the CLI to configure it? And which version are you using?
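How the subinterface from the last question is created in the system execution space and then handed to a context, as an added example and not configuration posted in this thread; the interface name and VLAN follow the question, while the context name custA, the config-url path, the nameif and the address are assumptions:

```cisco
! --- System execution space (console, or "changeto system" from the admin context) ---
changeto system
! Subinterfaces must exist here first; a customer context cannot create them.
interface GigabitEthernet1/2.168
 vlan 168
 no shutdown
!
! Allocate the new subinterface to the context that should own it (context name assumed).
context custA
 allocate-interface GigabitEthernet1/2.168
 config-url disk0:/custA.cfg
!
! Verify the allocation and see where each context config is stored.
show context
show running-config context
!
! --- Inside the context: the interface is now visible and gets its L3 settings ---
changeto context custA
interface GigabitEthernet1/2.168
 nameif wireless-dmz
 security-level 50
 ! documentation address, assumed
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
write memory
```

The first part must be run from the console or an admin-context session; from a customer context the physical interface g1/2 is not offered, which matches what the question describes.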