I’m not quite sure what you are asking. MD5, SHA1, and SHA256 are encryption algorithms used in a variety of ASA features including VPNs, digital certificates, and the NTP protocol, to name a few. What in particular were you looking for?
I have missed your email. Attached is a list of Indicators of Compromise (IOC). We have to scan our network, particularly the firewall and DNS servers.
If any hit is found, we need to block it.
After doing some research, I have found that the Cisco ASA supports such IoC indicators when coupled with FirePOWER. You can take a look at this Cisco documentation that specifies more about how to configure it for an ASA.
This Cisco blog also talks about how it can be implemented on both network and endpoint devices:
However, it seems that without FirePOWER, implementing these IoC indicators on an ASA is not possible.
I hope this gives you some more information about what you need. (Also, it seems that your zip file attachment is empty.) If you need more information, please clarify your question so that we can respond to it specifically.
Dear Laz,
Our ASDM version doesn't have this FirePOWER module. I have attached the ASDM and ASA versions for your reference.
Kindly advise whether an ASDM upgrade is required to get this FirePOWER module.
There are several ways in which FirePOWER can be incorporated into the use of an ASA device. One is to use the Firepower Management Center (FMC), which is standalone software that manages multiple FirePOWER-enabled ASAs. In this scenario, ASDM is not used at all, but is replaced by the FMC. More info about this type of implementation can be found here:
Alternatively, you can enable an ASA with FirePOWER and manage it using the ASDM software. More about how this can be done can be found in the following Cisco documentation:
FMC is considered an “off-box” solution, which means that the intelligence of FirePOWER is found within the independent server, while ASDM is considered the “on-box” solution because both FirePOWER and ASDM are installed and run from the ASA device itself.
Thank you for the help provided.
Good day. Currently 10 physical interfaces have been added in the FW. One of the customers needs one more network to be added in the firewall. When I want to add an interface, it looks like there is no hardware port available. Does the model support creating one more hardware port? If yes, how do I enable the hardware port?
Each firewall interface can have only one subnet connected to it. If a customer requires more subnets within their network, they will have to have a router or layer 3 switch that performs the routing between their internal networks. Then, any traffic going outbound via the firewall can be forwarded to the physical interface of the firewall connected to their network.
Alternatively, if you want to provide them with multiple subnets that actually terminate on the firewall, you can create subinterfaces. However, this will cause the firewall to act as a router for traffic travelling between subnets of that particular customer, something that will take up more CPU and memory resources of your firewall.
For more information about subinterfaces on an ASA firewall, take a look at this lesson:
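As an added example (not part of the original reply), this is what the subinterface option described above looks like on an ASA in single-context mode, with the matching switch-side trunk and the show commands used to verify it. Interface names, VLAN IDs, nameifs and addresses are assumptions chosen for illustration:

```text
! --- ASA, single-context mode (added example) ---
! The physical port carries the 802.1Q trunk and gets no nameif or IP of its own.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per customer VLAN; each is a separate Layer 3 interface.
interface GigabitEthernet0/1.10
 vlan 10
 nameif CUST-A
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif CUST-B
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Traffic between two interfaces of the same security level is dropped unless
! this is enabled; with it, the ASA routes between the customer subnets itself.
same-security-traffic permit inter-interface

! --- Switch port facing the ASA (IOS syntax; NX-OS omits the encapsulation line) ---
interface GigabitEthernet1/0/1
 description to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20

! --- Verification on the ASA ---
! Lists Gi0/1.10 and Gi0/1.20 with their addresses and line state.
show interface ip brief
! Shows the VLAN tag and counters for one subinterface.
show interface GigabitEthernet0/1.10
! Maps each nameif to its interface and security level.
show nameif
! Full configuration of one subinterface.
show running-config interface GigabitEthernet0/1.10
```

If `show interface ip brief` on the firewall already lists entries such as `GigabitEthernet0/1.10`, the port was previously split into subinterfaces; the VLAN carried by each one is visible in `show interface` output and in the `vlan` line of its running configuration.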
We have two core switches configured with HSRP. The user switches are connected to the Nexus 5K switches, which are then connected to the core switches where the firewall and router are connected. The customer network is connected to the end switch. One server segment is connected to the firewall. Instead of adding the subinterface, should I add another subnet for the server to the core switch? Any idea how to make the configuration and connection as well?
And the firewall can't see the physical interface in the CLI or GUI. Physically I noticed TenGig0/8: the 10G port is used for a few customers as a trunk, which is connected to the core switch, which is also a 10G trunk port.
Another 10G connection has 3 more networks: TenGi0/9 -
One of the interfaces is named SEC, and the VLAN is 282.
6 networks are configured as below on one 10G port.
nameif SEC
security-level 90
ip address 172.25.185.129 255.255.255.192 standby 172.25.185.130
DCR8R1-N7K01# sh mac address-table |i 00a0.c917.0101
* 40 00a0.c917.0101 dynamic 0 F F Eth1/31
* 88 00a0.c917.0101 dynamic 0 F F Eth1/31
* 276 00a0.c917.0101 dynamic 0 F F Eth1/31
* 278 00a0.c917.0101 dynamic 0 F F Eth1/31
* 282 00a0.c917.0101 dynamic 0 F F Eth1/31
* 291 00a0.c917.0101 dynamic 0 F F Eth1/31
interface Ethernet1/31
  description <to ASA01 Te0/8>
  switchport
  switchport mode private-vlan trunk promiscuous
  logging event port link-status
  switchport private-vlan mapping 40 476,487,491
  switchport private-vlan trunk allowed vlan 1-3967
  switchport private-vlan mapping trunk 40 476,487,491
  no shutdown
DCR8R1-N7K01#
If they were previously configured as subinterfaces, how do I verify it?
The model is ASA5585-SSP-20.
How do I add one additional subinterface?
Any idea? Please help with the two methods to connect the new network.
It would be very helpful if you could include a diagram with your explanation as it is difficult to follow and understand your topology. However, concerning this question:
If you want to find out more about how to configure, or how to understand a configuration of subinterfaces on the ASA, take a look at the following lesson:
I await your clarifications to be able to answer the rest of your questions.
I need to know how to add an additional subinterface for other segments on a context-based ASA 5585-SSP-20.
If that can't be done, how do I connect the new segments in the core switch, a Nexus 7K?
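For the multiple-context ASA asked about above, this is an added example (not from the original thread) of the extra step that single-context configurations do not have: a subinterface is created in the system execution space, allocated to a context, and only then given a nameif and an address inside that context. The Nexus port posted earlier already allows VLANs 1-3967 on its private-VLAN trunk, so on the switch side the new VLAN only has to exist and reach the servers. The VLAN ID, context name, mapped interface name and addresses below are assumptions:

```text
! --- ASA system execution space (changeto system), added example ---
! Create the tagged subinterface on the shared 10G trunk port.
interface TenGigabitEthernet0/8.300
 vlan 300
 no shutdown
!
! Hand it to the customer's context. The mapped name (cust-a-new) is what the
! context sees; the real interface name stays hidden from the context admin.
context CUST-A
 allocate-interface TenGigabitEthernet0/8.300 cust-a-new
!
! Verification from the system space: which subinterfaces exist on Te0/8
! (answers "were they previously configured as subinterfaces?") and which
! context each one is allocated to.
show interface ip brief
show running-config interface TenGigabitEthernet0/8
show context detail

! --- Inside the customer context (changeto context CUST-A) ---
interface cust-a-new
 nameif NEW-SEG
 security-level 90
 ip address 172.25.186.1 255.255.255.192 standby 172.25.186.2
 no shutdown
!
! Inside the context only the mapped names are visible.
show nameif
show interface ip brief

! --- Nexus 7K side (added example) ---
! The VLAN must exist on the switch and be carried to the server-facing ports.
vlan 300
  name CUST-A-NEW
!
! After the ASA is configured, its MAC should appear in VLAN 300 on Eth1/31,
! just as it does in VLANs 40, 88, 276, 278, 282 and 291 in the output above.
show mac address-table vlan 300
```

Until `allocate-interface` has been done in the system space, the context cannot see the new subinterface at all, which is the usual reason a port "is not visible" in the context's CLI or ASDM.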
As long as the ASA version is up to date, you should have no problem using either one of those devices. The 5506 is newer and has no end of life date as of yet, but the 5505 device is supported by Cisco until August of 2022. Even so, Cisco devices have been known to be used for many years after their end of life or end of support dates. And the concepts in the lessons are valid for both ASAs.
For most labs, a single ASA is enough, except for active/standby labs where you will need two firewalls. As for the number of hosts, if you have one host in each of the INSIDE, OUTSIDE, and DMZ networks you should be OK. You may need a switch or a router also, just so you can complete the topologies in the labs. But remember, you can always connect your ASA to an emulated GNS3 topology as well. This GNS3 post describes how this can be achieved:
Which router and switch models will I need? I have access to 3560X switches and I think one or two C892 routers and some 2800 series… Will these be sufficient?
It depends on the certification you’re looking to achieve. If you’re talking only about the ASA labs on the site, then the equipment you have access to is more than sufficient to perform all the ASA labs on the site. This equipment is also enough for most (about 85%) of the CCNP ENCOR and ENARSI stuff, except for wireless, and maybe some automation. At least 2 routers are needed, but if you can get a third that would be ideal.
With what you describe, I think you’re all set. Take a look at these lessons for additional suggestions:
I haven’t worked directly with these two devices, but having done some research, I find that both of them run the fundamental FirePower Threat Defence (FTD) OS. The 9300 runs it on top of the FXOS modular OS, while the 8350 runs it as part of the FirePower Management Center (FMC). Fundamentally, the CLI for both devices is similar, but differs only in the additional features that the 9300 offers.
You can find more information at the following links:
When you refer to path selection, I assume you mean routing in general. As far as routing goes, an ASA will function much the same as a router using either a static or dynamic routing. Things get a little more complicated when NAT is involved. Take a look at this post which describes this further. This post also includes information about order of operations, something that is intricately connected to routing decisions on ASAs.
If you have any additional questions, feel free to ask!