Hi, ASA configuration looks clean. No DHCP on ASA would suggest applying captures on the DHCP client and server to check the DORA process for DHCP. ASA won't be interfering in the DHCP process here; to verify further, please paste "show tech" and "show run all sysopt" from the ASA. Further, I would suggest checking the DORA process between the impacted client and server with the help of captures. Cheers, Naveen
Hi, What software version are you using? As 8.3 and above won't require NAT for this to work. Please post the current configuration of the ASA. Cheers, Naveen
Hi Johnny, The IP addresses that we assign in failover are for the active and standby unit; they are not assigned as primary and secondary units. So as the role of a unit in the failover pair changes, the IP addresses and the MAC also change accordingly. So what you are seeing is normal. Further, the same is documented as well: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#acti Hope this helps, Cheers, Naveen
Hi Denis, I agree with Jouni on this: why would you need to establish a VPN for internal resources when you can directly access them internally? Logically, that defeats the purpose of VPN. To add, if you want to access Clientless VPN from the internal network, you would need to enable it on the internal interface. The external interface won't give you the requisite. Hope it helps. Cheers, Naveen
Hi, Try formatting the flash and loading the image again, as the procedure that you are using is correct; it's an issue with either the image itself or the flash where you are storing it. Though it looks to me that it's an issue with the image. Hope it helps. Cheers, Naveen
Hi Md, As per the logs, the dispatch unit is utilizing the max CPU; this process is related to traffic on the ASA. Get the following outputs. Please follow the following documents: show process cpu-usage sorted non-zero; show tech. Cheers, Naveen
Hi Lee, What happens to the status light? I think you would need to replace the device; still, I would like to clarify the status light situation when the firewall boots. Cheers, Naveen
Hi Dom, You need a NAT to translate and an ACL, as you have an access-group bound to the inside interface. I do see both of them configured, and they should allow the traffic. You won't need a Twice NAT, as the static NAT rules are bidirectional. Please get the output of the following to troubleshoot further: packet-tracer input inside tcp (SOURCE IP) 1034 (DESTINATION IP THAT YOU WANT TO TELNET) 21 detailed. If this shows the traffic allowed, please apply captures on the ingress and egress interfaces and share the outputs. You can use the following to apply captures: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml Cheers, Naveen
Hi Grant, I think the physical interface is shut; that's why you are not able to see the route associated with that interface. Please collect the following outputs: sh int ip b; sh run route; sh route. Cheers, Naveen
Hi Rohit, From the output of packet-tracer we could confirm if the firewall rules are allowing or blocking the traffic in the different phases of packet processing. Further, applying captures on the firewall ingress interface and egress interface can also be used to verify if the NetFlow traffic is even reaching the firewall and is getting transmitted across or not. Please use the following link for applying captures on ASA: https://supportforums.cisco.com/docs/DOC-17814 Cheers, Naveen
Hi Reuven, Go through this troubleshooting document and collect the outputs mentioned in it: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml Get us the outputs for further analysis. Cheers, Naveen
Hi Johan, You are using "nat (any,any)", so don't use that, as you know that the server you are publishing is on the DMZ and you are publishing it for traffic from the outside interface. Use this instead:
object network server-name
host 10.50.50.10 (ex. IP of the server)
object network server-name
nat (dmz,outside) static 216.22.34.46 (ex. public IP)
Try this; I am sure this will make it work for both inside users as well as outside users. Cheers, Naveen
Hi Machi, Please let me know if I understand your problem correctly: you want to connect a machine to the management interface and want to access the internet from there. For this you would need to make the management interface usable as a data interface with "no management-only", and if you are using private IP addressing on the management interface then you need to add a dynamic NAT for the traffic; else we don't need to NAT the traffic. Please explain the issue with the help of a topology diagram if the above is not the case. Cheers, Naveen
Hi, Please verify if the following fits your requisite: https://supportforums.cisco.com/docs/DOC-15622 Else, PBR as such is not supported on ASA, and you would need a router, as mentioned by Julio. Cheers, Naveen
Hi All, CWS and IPS are two different things. CWS is not a module in itself and is rather a feature. So yes, you can use both of them. Both have different phased processing in the packet flow on the ASA. And that's correct that X-series firewalls are software based and we can use both IPS and CSC on a single device based on the license. Check for the limitations of CWS on ASA as below: http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1326437 Cheers, Naveen