These are information that you can pull with SNMP out of the ASA. ... View more

You are coming from a completely outdated version 9.1(2) and want to move to the newest und likely unstable version 9.12(1)? Doesn't sound very logical to me ... But yes, you can directly update to the new version. But if you don't need any of the newest features in 9.12, I would upgrade to the latest interims-version of 9.10. That is likely more stable. ... View more

enabling routing is not enough. The SDM-template has to be switched to LANbase Routing:   Switch(config)#sdm prefer lanbase-routing After that a reboot is needed and static routing can be configured. One restriction is that only 16 static routes are supported.   ... View more

Are you working for a Cisco partner? There are tons of information on SalesConnect. Otherwise, I would start with the CiscoPress FTD-book: http://www.ciscopress.com/store/cisco-firepower-threat-defense-ftd-configuration-and-9781587144806 It does not cover the newest features but is a very good start. ... View more

It is specific to the device. The policy has to be applied somewhere. On Cisco devices it's typically on the outside interface. On a linux box it's probably somewhere else. ... View more

Can you show a terminal-log of what you did and a "show run" of your trustpoint?  ... View more

Just do a "show crypto pki certificate" and you should see your certificate. ... View more

The traffic will be sent into the tunnel. Just think about the flow of the data:   If you have the policy-based VPN, the processing starts when your crypto-map on the outside interface "sees" the traffic matching the crypto-acl. With an additional route-based VPN on that device, the traffic is routed into the tunnel before the crypto-map has any chance of getting that traffic. If the tunnel is established over the interface with the crypto-map, the crypto-map will still not act on the traffic as it's encapsulated traffic now. ... View more

On an IOS-router it would be possible. But on the ASA the VPN has to be terminated on the interface IP. Perhaps you can change your interface-IP to the IP that you want to use and use the former interfce IP in your NAT-statements. ... View more

Version 9.5 is not supported any more, you should move to 9.8(4). The DHCP-server on the ASA is not a full featured server, there are a couple of limitations and reservations are one of these. Here is the corresponding config-guide with some more infos: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/basic-dhcp-ddns.html ... View more

All mentioned messages were about weak crypto in TLS/SSL. When the webserver is disabled, the vulnerabilities are not exploitable any more. When you need the webserver anytime in the future, you should upgrade the switch and configure your TLS-settings according to your security-policy. ... View more

This is for an ASA Firewall, not for a switch ... ... View more

Do you really need the web-server on the switch? If not, disable it: no ip http server no ip http secure-server ... View more

I'm using OpenConnect myself and also with a couple of customers to build VPNs to the ASA. All without any problems. When deciding between OpenConnect and AnyConnect, keep in mind that you still need AnyConnect licenses even if you use a third-party client to download an AnyConnect-image to place it on the ASA. ... View more