Given the amount of ASA work I do, it's surprising that the first time I saw an ASA 5506-X was last week (I've been working on larger firewalls for a while). I'm probably going to have to do a few of these over the next couple of years, so I'll update this article as things surface.

On the 5505, IP addresses were applied to VLANs and the physical interfaces were then added to the appropriate VLAN. Note: the 5506 still supports VLANs (5, or 30 with a Security Plus license).*

* UPDATE: After version 9.7 this has changed (on the 5506-X); see the following article for an explanation.

So let's say your 5505 has three interfaces called inside, outside, and DMZ (yours might have different names, and you may only have two); the relevant parts of the 5505 config would be:

ASA 5506-X Physical Interface configuration

If you use AnyConnect then prepare for a little hand wringing. The 5505 could support up to 25 SSL VPN connections. On a 5506 they are actually called AnyConnect now, and it supports up to 50. There is no Essentials license for a 5506-X! Don't bother looking; you need to get your head into AnyConnect 4 licensing, and I've already written about that at length:

AnyConnect 4 – Plus and Apex Licensing Explained

Q: Does this mean I can't use my AnyConnect 3 (or earlier) packages in the new 5506?
A: Yes you can, but you will only get two connections, unless you purchase additional Apex/Plus licensing.

I'm working on the assumption that we are going to load in the AnyConnect 4 packages and use those. I have to ring Cisco and use my employer's partner status to get the client software? With that in mind, if anyone manages to get them added to their Cisco profile without the 'Additional Entitlement Required' then contact me and let me know how (link at bottom).

In addition to getting new AnyConnect packages and loading them into the new 5506, if you have an AnyConnect XML profile, that will also need copying into the new firewall's flash drive before you can paste the AnyConnect settings in. Below you can see I've got a profile on my 5505.

Tools > File Transfer > File Transfer > Between Local PC and Flash. (Do the reverse to get the file(s) into the new 5506).

access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
anyconnect-essentials <-REMOVE THIS IT'S OBSOLETE
anyconnect image disk0:/anyconnect-win-2-k9.pkg 1 <-REPLACE WITH ANYCONNECT 4
anyconnect image disk0:/anyconnect-macosx-i386-3-k9.pkg 2 <-REPLACE WITH ANYCONNECT 4
anyconnect profiles SSL-VPN-POLICY disk0:/PeteNetLive-Profile.xml <-COPY OVER FIRST
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 anyconnect profiles value SSL-VPN-POLICY type user
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

I appreciate a lot of you won't be using certificates, and even if you use AnyConnect you just put up with the certificate error. That's fine, but do me a favor? Before you do anything else, go and generate the RSA keys on your new 5506 (people forgetting to do this has caused me a LOT of grief over the years). So set the host name and domain-name, and then generate the keys like so:

Petes-ASA(config)# crypto key generate rsa modulus 2048

OK, so if you are still reading this section, then you have at least one certificate that you need to move to the new firewall. For each scenario here's what I recommend you do:

Self Signed Certificate from your own PKI / CA Server: Just generate a new cert for the new firewall and import it the same as you did on the old firewall.

Externally / Publicly signed certificate that you have paid for: This we will need to export then import onto the new 5506. (Note: If there's not much time left to run on the validity, it may be easier to get onto the certificate vendor and have a new one reissued, to save you having to replace it in a couple of months – just a thought).

ASA Transferring Certificates From One ASA to Another
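As an added example (my own code, not from the article or from Cisco), here is a small Python helper that applies the three annotations on the AnyConnect config above (remove the obsolete Essentials line, flag pre-4 packages for replacement, list the flash files that must be copied before the paste) so a 5505 config can be checked before it goes into a 5506-X; the sample config is constructed, and the package-name version pattern is an assumption about Cisco's file naming.

```python
import re

# Constructed sample (not a real device's config): the AnyConnect-related lines
# from an ASA 5505, in the shape the article shows.
OLD_5505_CONFIG = """\
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
webvpn
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3-k9.pkg 2
 anyconnect profiles SSL-VPN-POLICY disk0:/PeteNetLive-Profile.xml
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 anyconnect profiles value SSL-VPN-POLICY type user
 split-tunnel-network-list value SPLIT-TUNNEL
"""

IMAGE_RE = re.compile(r"^anyconnect image (disk0:/(\S+))\s+\d+$")     # image <path> <order>
PROFILE_RE = re.compile(r"^anyconnect profiles (\S+) (disk0:/\S+)$")  # profiles <name> <path>
# Assumed: the major version sits in Cisco's package name, e.g. anyconnect-win-2-k9.pkg -> 2
VERSION_RE = re.compile(r"anyconnect-(?:win|macosx-i386|macos|linux-64)-(\d+)")

def plan_migration(config: str) -> dict:
    """Return the 5505 -> 5506-X actions: 'remove' (obsolete lines), 'replace_images'
    (pre-4.x packages), 'copy_first' (flash files needed before the paste), 'keep'."""
    plan = {"remove": [], "replace_images": [], "copy_first": [], "keep": []}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "anyconnect-essentials":      # no Essentials licence on a 5506-X
            plan["remove"].append(line)
            continue
        m = IMAGE_RE.match(line)
        if m:
            v = VERSION_RE.search(m.group(2))
            if v and int(v.group(1)) >= 4:       # 4.x package: copy to flash, keep the line
                plan["copy_first"].append(m.group(1))
                plan["keep"].append(line)
            else:                                # older package: only 2 connections, swap it
                plan["replace_images"].append(m.group(1))
            continue
        m = PROFILE_RE.match(line)
        if m:                                    # XML profile must be on flash before paste
            plan["copy_first"].append(m.group(2))
        plan["keep"].append(line)
    return plan
```

Run `plan_migration` over the AnyConnect section of a `show run` and copy every `copy_first` path to the new flash before pasting the `keep` lines.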