The config is highly insecure, but at least it looks correct for accessing the outside network. How do you test? Only with ping or also with real traffic? To make ping work you need the following config: policy-map global_policy class inspection_default inspect icmp Can you ping the internet from the ASA?   ... View more

Yes, that should work. The mGig-interface negotiates down to Gig and the Channel will end up with n*1G members. ... View more

As always: it depends ... ;-) Putting this rule in section three gives the easy possibility to overwrite this behavior for clients with "normal" NAT-needs. In section three it has to be above the general PAT-rule which is done with the number "1" in the nat-statement. But it all depends on the rest of the NAT-config and has to be evaluated accordingly. ... View more

Ok, the NAT-solution will work, but is not the best way to solve this problem. Better configure your firewall to deny this port. The ASA will send a TCP reset and the client will/should try the alternate port directly after that. ... View more

Do I understand you right that you want the following: Whenever a client on the inside network accesses any IP on the outside network with the port TCP/5222, then the destination port has to be changed to TCP/443? the you need to configure manual or twice NAT: object service TCP-5222 service tcp destination eq 5222 object service TCP-443 service tcp destination eq https object network ANY subnet 0.0.0.0 0.0.0.0 ! nat (inside,outside) after-auto source dynamic any interface destination static ANY any service TCP-5222 TCP-443 Here the source IP is changed to the ASA interface IP as the client typically has a private IP and for any destination the port is changed from 5222 to 443. ... View more

This client is End of Life for a very long time and not supported on Windows 10. It's time to move to AnyConnect or you can also try a client like the one from Shrew-Soft: https://www.shrew.net/download/vpn They also don't mention Windows 10, but perhaps you get that running. ... View more

With that setup, I would expect that you either didn't "no shut" the ASA-interface or just took the wrong interface of the ASA to connect to your LAN. There is not much that can be done wrong to get a basic connectivity. ... View more

What exactly do you mean with "can't see the ASA on the network"? Also show a diagram of your setup and the configuration of the ASA. ... View more

The name(s) in the certificate is completely independent of the ASA hostname. You just have to: pick two public FQDNs for the VPN Get a certificate with these two FQDNs configure these two FQDNs to point to your public IPs in DNS Add the certificate to the ASA and configure both outside interfaces to use this certificate ... View more

As the others mention, HA can be achieved with two of these devices. But it can be quite complex to implement, maintain and troubleshoot. You should really know what you are doing here or have someone available to help. Other solutions could be more easy to implement. Assuming that you also need firewalling, a pair of Meraki MX would probably be the simplest solution and still give a a very good redundancy. More powerful but more complex (still not as complex as two routers) would be a failover-pair of ASAs. ... View more

As usual there are multiple options to do that. I would configure an object-NAT with port forwarding on TCP/21. In addition to that, the outside ACL has to allow tcp/21 traffic to the internal IP address of the FTP server. ... View more

In that case I really would dump the router as it is not needed here. And I would replace the ASA as this device is EOL and operating an EOL security device puts your network at risk (and even worse, depending on the rights in your country, you could be legally responsible for that if something happens). My setup would be the following: ISP - ASA - L3 3750 - 5* 2960 and WLC ... View more