cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4831
Views
17
Helpful
13
Replies

Lost Configuration on Power Outage

beatinger
Level 1
Level 1

Yesterday, a very strange incident occurred, which led to the partial loss of my ASA5540 configuration.  The building in which our servers are housed, suffered a power outage of some type, and when the power came back on, and the ASA5540 rebooted, it kept trying to load an older binary, asa803-k8.bin, in a continuous loop.  I drove out there to inspect what was happening, and found that the BOOT variable was setup to "try" the older version first, then the newer version (asa917-32-k8.bin).  Unfortunately, it would never try the new version, and instead would just keep failing on the older version.  Not sure how all of this came to be, but I couldn't resolve getting out of the loop until I pressed <ESC> to break out of it, and into the ROMMON.  Then, at the ROMMON, I typed "boot help", and it then loaded an even older version of the IOS, asa722-k8.bin.  When that happened, the existing configuration changed dramatically, and I lost most of my configuration.  I figured out how to change the BOOT variable so that only the newest IOS would load, but my configuration is still mostly gone.  I have cut and paste it here, to try to see if I can get some help as to why when this is loaded, I cannot gain access to the Internet.  I can ping outside, but none of my servers on the inside can gain internet access.  I believe it must have something to do with NAT.  I also lost most of my ACL list that I had built up for access into the servers.  Here is the configuration file, as it now exists, with some of the IPs masked for privacy:

 

ciscoasa5540(config)# show config
: Saved
:
: Serial Number: JMX1112L1JH
: Hardware: ASA5540-K8, 2560 MB RAM, CPU Pentium 4 2000 MHz
: Written by enable_15 at 14:50:20.086 UTC Sat Jul 25 2020
!
ASA Version 9.1(7)32
!
hostname ciscoasa5540
domain-name edenxxx.net
enable password Vkz0vtCccFeMll8t encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
passwd Vkz0vtCccFeMll8t encrypted
names
name 10.1.252.219 Sendmail description OLD Mail Server (92)
name 10.1.252.247 ExchangeServer description Exchange Server 2016 (94)
name 10.1.252.249 WebServerIIS80 description Windows Server 2012 (93)
name 10.1.252.191 DRAC-WebServer description DRAC for Web Server (92)

name 10.1.252.249 WebServerIIS80 description Windows Server 2012 (93)
name 10.1.252.191 DRAC-WebServer description DRAC for Web Server (92)
name 10.1.252.246 NAS description Synology NAS (86)
name 10.1.252.250 WebServerIIS10 description Windows Server 2019 (88)
name 10.1.252.192 DRAC-VirtualServer description DRAC for Virtual Server (89)
name 10.1.252.245 DNS-Server description Primary DNS Server (91)
name 10.1.252.190 VM-HyperV-Port4 description Ethernet Port 4 for VM Machine (87)
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.xx.xx.90 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.252.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa917-32-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone UTC -8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server DNS-Server
name-server 8.8.8.8
domain-name edenhosting.net
object network VM-HyperV-Port4
host 10.1.252.190
description Created during name migration
object network WebServerIIS10_1

host 10.1.252.250
description Created during name migration
object-group network IIS85Server
object-group network WebServerIIS80
object-group network WebServerIIS10
object-group network Sendmail
object-group network DNS-Server
object-group network DRAC-VirtualServer
object-group network SQLServer
object-group network ExchangeServer
object-group network NAS
access-list outside_access_in extended deny ip 51.222.38.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 65.197.196.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 212.70.149.0 255.255.255.0 any4
access-list outside_access_in extended permit icmp any4 any4 echo-reply

 

<THIS IS WHERE ALL OF MY FORMER ACLs USED TO BE AND ARE NOW GONE>


access-list outside_access_in extended permit tcp xx.xx.247.0 255.255.255.0 object VM-HyperV-Port4 eq 3395
access-list outside_access_in extended permit tcp xx.xx.247.0 255.255.255.0 object WebServerIIS10_1 eq 3395
access-list outside_access_in extended permit tcp xx.xx.247.0 255.255.255.0 object WebServerIIS10_1 eq 3389
pager lines 24
logging enable
logging asdm informational
logging from-address support@edenxxxx.net
logging recipient-address support@edenxxxx.net level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.xx.xx.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location

no snmp-server contact
fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 management
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a

<Not Shown>

quit
telnet 10.1.252.0 255.255.255.0 inside
telnet timeout 10
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server WebServerIIS80 source inside prefer
!
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
match not request method head
match not request method get
!

!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect ip-options
policy-map type inspect dns DNS-MediumSecurityLevel
parameters
message-length maximum 512
id-randomization
id-mismatch action log
tsig enforced action log

policy-map type inspect esmtp ExtendedSMTP
parameters
no allow-tls
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
drop-connection log
!
service-policy global_policy global
smtp-server 10.1.252.219 10.1.252.250
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f73b354382ad78753d07db0c1d94e1e5

 

Unfortunately, I do not know how to view the contents of that file.  I do have access to the firewall via ADSM.

To get the servers back up and running, I put our old Cisco PIX 515E back in, and we are up for now, but need to get back up on our ASA5540 as soon as possible.  I have a separate question regarding blocking a specific network subnet on the PIX 515E.  I have put the following in the old conduit list, but it is placed at the BOTTOM of all of the permits, so it doesn't work:

 

conduit permit tcp host 12.xx.xx.88 eq 3389 any
conduit permit tcp host 12.xx.xx.88 eq ssh any
conduit permit tcp host 12.xx.xx.88 eq ftp any
conduit deny tcp host 212.70.149.82 any
conduit deny tcp host 212.70.149.51 any conduit deny tcp any any
conduit deny udp any any

 

I know that the config needs to look like this, but I don't know how to get the lines up to the top:

 

conduit deny tcp host 212.70.149.82 any
conduit deny tcp host 212.70.149.51 any conduit deny tcp any any

conduit permit tcp host 12.xx.xx.88 eq 3389 any
conduit permit tcp host 12.xx.xx.88 eq ssh any
conduit permit tcp host 12.xx.xx.88 eq ftp any
conduit deny udp any any

 

Thank you all very much for your help!  It is most appreciated.

1 Accepted Solution

Accepted Solutions

Here are the objects I am refering to.  You only have two objects that have host IPs configured.  I am assuming that the others should not be empty and that they should be in use?

object network VM-HyperV-Port4
host 10.1.252.190
description Created during name migration
object network WebServerIIS10_1

host 10.1.252.250
description Created during name migration
object-group network IIS85Server
object-group network WebServerIIS80
object-group network WebServerIIS10
object-group network Sendmail
object-group network DNS-Server
object-group network DRAC-VirtualServer
object-group network SQLServer
object-group network ExchangeServer
object-group network NAS

 

Could you provide us with the IPs for these servers and then we can get started on the NAT and ACL configuration.  

here is an example of how to configure your NAT.

object network webserver
 host 10.1.1.10

 

nat (DMZ,outside) source static interface service tcp http

 

object network server_subnet

 subnet 10.1.1.0 255.255.255.0

 nat (DMZ,outside) dynamic interface

 

access-list outside-in extended permit tcp any host 10.1.1.10 eq 80

access-group outside-in in interface outside

 

There are several reasons that the ASA would try an older version...1. the existing version might have become corrupt. 2. The existing version, for whatever reason, may have been removed from the flash.  3. The configuration specified the older ASA version as 1st in the boot sequence to try.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

13 Replies 13

oh dear hell of a wild ride for you. you must consider open a TAC case with cisco. It should not revert back to old setup. I can completely understand your pain as network engineer. curious what cause the firewall to back into old day. seem like to it gone back to the past instead of back to the future. anyways jokes aside.

 

I never worked on Cisco PIX 515E cant assist on this but how much you have build the 5540. I noted there is no NAT commands if you need assistance to build the new unit happy to help you.

 

 

please do not forget to rate.

Hello Sheraz,
Thank you very much for your reply. Yes, this is one the strangest encounters I've been through. Why Cisco would design their software to not only try to load an OLDER IOS with no warning, and then wipe out an existing configuration, really baffles me. I am a software engineer myself (more so than a network engineer), so if I were them, I would build in plenty of "ARE YOU SURE?" prompts, etc., and at least offer a save of the existing configuration, and so on. This is truly a wild ride, and a very expensive one.
And yes, you are absolutely correct that all of the NAT configuration is missing. Here is what I get when I type "show nat:"
ciscoasa5540(config)# show nat
ciscoasa5540(config)#
Nothing at all...lol. Wow.

Unfortunately, I am not familiar enough with the new IOS to get all of my NAT instructions back in. Please let me know how I should proceed.
Most appreciated!

I can feel for you. Please let me know what is your network design happy to get spare time and help you to get this nat up and running again.

 

could you share the old firewall config change the IP addresses for security reasons I shall get them convert for you for your new unit ASA.

please do not forget to rate.

Hello Sheraz,
Okay, I have worked on the configuration today, and did my best to add the NAT commands back in.
I am now getting the following when I issue the "show nat" command:
ciscoasa5540(config)# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static SQL-Primary 12.43.6.87
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static Sendmail 12.43.6.92
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static DNS-Server 12.43.6.91
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static NAS 12.43.6.86
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static ExchangeServer 12.43.6.94
translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static WebServerIIS80 12.43.6.93
translate_hits = 0, untranslate_hits = 0
7 (inside) to (outside) source static WebServerIIS10 12.43.6.88
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0



As this email is adding extra line breaks, I am going to cut and paste configuration on the post directly.


Hello there.  Following is the current configuration listing:

 

ciscoasa5540(config)# show config
: Saved
:
: Serial Number: JMX1112L1JH
: Hardware: ASA5540-K8, 2560 MB RAM, CPU Pentium 4 2000 MHz
: Written by enable_15 at 18:22:38.870 UTC Tue Jul 28 2020
!
ASA Version 9.1(7)32
!
hostname ciscoasa5540
domain-name edenhosting.net
enable password Vkz0vtCccFeMll8t encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
passwd Vkz0vtCccFeMll8t encrypted
names
name 10.1.252.219 Sendmail description OLD Mail Server (92)
name 10.1.252.247 ExchangeServer description Exchange Server 2016 (94)
name 10.1.252.249 WebServerIIS80 description Windows Server 2012 (93)
name 10.1.252.191 DRAC-WebServer description DRAC for Web Server (92)
name 10.1.252.246 NAS description Synology NAS (86)
name 10.1.252.250 WebServerIIS10 description Windows Server 2019 (88)
name 10.1.252.192 DRAC-VirtualServer description DRAC for Virtual Server (89)
name 10.1.252.245 DNS-Server description Primary DNS Server (91)
name 10.1.252.190 SQL-Primary description Primary MS-SQL Server (87)
name 10.1.252.254 Cisco-5540 description Cisco 5540 Firewall (90)
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.43.6.90 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address Cisco-5540 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3

shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa917-32-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone UTC -8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server DNS-Server
name-server 8.8.8.8
domain-name edenhosting.net
object network SQL-Primary
host 10.1.252.190
object network WebServerIIS10
host 10.1.252.250
object network WebServerIIS80
host 10.1.252.249
object network Sendmail
host 10.1.252.219
object network ExchangeServer
host 10.1.252.247
object network DRAC-WebServer
host 10.1.252.191
object network NAS
host 10.1.252.246
object network DRAC-VirtualServer
host 10.1.252.192
object network DNS-Server
host 10.1.252.245
object network SQL-Server
host 10.1.252.190
object network Cisco-5540
host 10.1.252.254
access-list outside_access_in extended deny ip 51.222.38.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 65.197.196.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 212.70.149.0 255.255.255.0 any4
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit tcp any4 host 12.43.6.93 eq www

access-list outside_access_in extended permit tcp any4 host 12.43.6.93 eq https
access-list outside_access_in extended permit tcp any4 host 12.43.6.88 eq https
access-list outside_access_in extended permit tcp any4 host 12.43.6.88 eq www
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 host 12.43.6.88 eq 3389
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 host 12.43.6.87 eq 3389
access-list outside_access_in extended permit tcp any4 host 12.43.6.91 eq domain
access-list outside_access_in extended permit udp any4 host 12.43.6.91 eq domain
access-list outside_access_in extended permit tcp any4 host 12.43.6.92 eq smtp
access-list outside_access_in extended permit tcp any4 host 12.43.6.92 eq 587
access-list outside_access_in extended permit tcp any4 host 12.43.6.92 eq 465
access-list outside_access_in extended permit tcp any4 host 12.43.6.92 eq pop3
access-list outside_access_in extended permit tcp any4 host 12.43.6.86 eq www
access-list outside_access_in extended permit tcp any4 host 12.43.6.86 eq https
access-list outside_access_in extended permit tcp any4 host 12.43.6.86 eq 5001
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 host 12.43.6.93 eq 3389
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 host 12.43.6.90 eq ssh
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 host 12.43.6.90 eq telnet
pager lines 24
logging enable
logging asdm informational
logging from-address support@edenhosting.net
logging recipient-address support@edenhosting.net level errors
mtu outside 1500
mtu inside 1500

mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network SQL-Primary
nat (inside,outside) static 12.43.6.87
object network WebServerIIS10
nat (inside,outside) static 12.43.6.88
object network WebServerIIS80
nat (inside,outside) static 12.43.6.93
object network Sendmail
nat (inside,outside) static 12.43.6.92
object network ExchangeServer
nat (inside,outside) static 12.43.6.94
object network NAS
nat (inside,outside) static 12.43.6.86
object network DNS-Server
nat (inside,outside) static 12.43.6.91
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.43.6.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 management

 

There is more, but I believe this is the pertinent stuff.

 

And the show nat now shows the following:

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static SQL-Primary 12.43.6.87
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static Sendmail 12.43.6.92
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static DNS-Server 12.43.6.91
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static NAS 12.43.6.86
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static ExchangeServer 12.43.6.94
translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static WebServerIIS80 12.43.6.93
translate_hits = 0, untranslate_hits = 0
7 (inside) to (outside) source static WebServerIIS10 12.43.6.88
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0

 

Does this look correct now?

 

Also, how do I go about with the rating process?  Sorry that I am still quite the beginner with all this!

Do you not have a backup of the configuration you had on the ASA?  If not then I suggest that once this is up and running again, get a daily or weekly backup service up and running.

In addition to missing NAT statements, almost all the objects you currently have configured are empty.  Start by filling in those values and once they are populated get NAT in place.  Once those two are done work on getting the ACLs restored.

 

Have you checked the startup config to make sure that your old configuration is there?

For furture referece, If you face a similar issue you can select which image to boot from that is stored in flash from ROMMON by using the command boot <file path>  replace file path with the location where the file is (for example boot disk0:asa-file-image.bin)

Optionally you can try to boot from a TFTP server.  And as a last effort you can try to edit the confreg so that the ASA will ignor the configuration upon boot.  Change the confreg value to 0x41.  When done change it back to 0x1.

--
Please remember to select a correct answer and rate helpful posts

Hello Marius,

 

Thank you for your reply.  Unfortunately, I do not have the configuration backed up, which is really surprising, which is one of the very first things that I do upon completion of a setup.

 

I read your reply, and I dont' fully understand what this means: "In addition to missing NAT statements, almost all the objects you currently have configured are empty. Start by filling in those values and once they are populated get NAT in place. Once those two are done work on getting the ACLs restored."

 

I am not sure where to start, as once I had gotten this configured, I went on to doing a huge programming project, and I am totally lost at this point.  Unfortunately, I am getting old, and having a lot of sleeping issues, so my memory just isn't what it used to be.  I am not sure where to start, or what to do at this point.  Thank you very much for your help.

Here are the objects I am refering to.  You only have two objects that have host IPs configured.  I am assuming that the others should not be empty and that they should be in use?

object network VM-HyperV-Port4
host 10.1.252.190
description Created during name migration
object network WebServerIIS10_1

host 10.1.252.250
description Created during name migration
object-group network IIS85Server
object-group network WebServerIIS80
object-group network WebServerIIS10
object-group network Sendmail
object-group network DNS-Server
object-group network DRAC-VirtualServer
object-group network SQLServer
object-group network ExchangeServer
object-group network NAS

 

Could you provide us with the IPs for these servers and then we can get started on the NAT and ACL configuration.  

here is an example of how to configure your NAT.

object network webserver
 host 10.1.1.10

 

nat (DMZ,outside) source static interface service tcp http

 

object network server_subnet

 subnet 10.1.1.0 255.255.255.0

 nat (DMZ,outside) dynamic interface

 

access-list outside-in extended permit tcp any host 10.1.1.10 eq 80

access-group outside-in in interface outside

 

There are several reasons that the ASA would try an older version...1. the existing version might have become corrupt. 2. The existing version, for whatever reason, may have been removed from the flash.  3. The configuration specified the older ASA version as 1st in the boot sequence to try.

--
Please remember to select a correct answer and rate helpful posts

Hello Marius,
Thank you very much for helping me out with this. To further complicate things, I am suffering from insomnia and withdrawals from Lunesta, which destroys your memory and cognitive abilities. Doctor didn't inform me of this really bad side-effect. So, I'll be going back out to the server room tomorrow, and will get up tomorrow morning and start trying to piece this back together again. Again, I really appreciate your input, very much.

Hello,

 

Based upon the information that both of you kind gentlemen pointed out, I was able to get this firewall working again.  I had some difficulty with the ACLs, and had to change them to using the network objects rather than specifying a host. As in the following example:

 

access-list outside_access_in extended permit tcp any4 object WebServerIIS80 eq https

 

I also had to add this NAT instruction:

 

nat (inside,outside) after-auto source dynamic any interface

 

And now everything is finally working again.  Thank you very much for your assistance!

I am going to post a new question about getting VPN going, as that is the next item on my list to work on.

 

Thank you again!

Hello there,

I was wondering why I stopped hearing from both of you with regards to this case.  I want to make sure that I am doing the right thing when it comes to giving you the proper credit for helping.  Can you please let me know how I go about doing that, or if I didn’t do that, or if I did something wrong or something?  Thank you very much!

The answer or answers you feel is the correct answer, you can mark as a correct answer. Other posts you found helpful you can assign points to.

When it comes to reporting a bug to Cisco, you need to open a TAC case as they need to see the issue for them selves as well as collect data to analyze.

--
Please remember to select a correct answer and rate helpful posts

Oh, and I would like to add that indeed, the Cisco IOS has a lot of bugs, that I should be reporting to them somehow.  I just don't know how.  I found several more while going through this nightmare.  Really stupid stuff like the IOS thinking that "10.1.252" and "10.10.1" are the SAME SUBNET.  Wow, that one had me laughing.  I had to revert to using "172.16.1." on an interface instead, just to get around this.  Please let me know how to report to Cisco, and I'll do that.  Thank you again!

Review Cisco Networking for a $25 gift card