Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA5510-K8 device we required AES and 3DES license

 
We have ASA5510-K8 device have default DES only but we required AES and 3DES license  when i try to download trail version it is given part number  ASA5500-ENCR-K9  but  not more than ninety (90) days we need permanent licence for this we try to buy this license distributors tell us the part code is not get order able separately please suggest the part code for this .

 

 

 
 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

You have an acess-lsit for

You have an access-list for your remote access VPN users' address pool but you also need to reference it with a NAT exemption.

Try:

     nat (inside) 0 access-list nonat

Here's a good reference to use.

15 REPLIES
Hall of Fame Super Silver

If you go to the Cisco self

If you go to the Cisco self-service licensing portal, you can request the activation key for a permanent AES-3DES license.

On that page, choose "Get New > IPS, Crypto, Other Licenses". The select "Security Products" and then "Cisco ASA 3DES/AES License". enter your unit's serial number and click Next. After submitting you should receive the activation key via email within a few minutes.

Once received, simply log into the ASA and enter "activation-key <the provided alphanumeric key>".

New Member

Dear Sir,

Dear Sir,

Thanks for your replay i downloaded new license and i getting key but it is also for 90 days only

Please see below details from Cisco.

Limited Warranty

Cisco warrants that commencing from the date of shipment to Customer (but in case of resale by an authorized Cisco reseller, commencing not more than ninety (90) days after original shipment by Cisco), and continuing for a period of the longer of (a) ninety (90) days or (b) the software warranty period (if any) set forth in the warranty card accompanying the Product (if any): (a) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (b) the Software substantially conforms to its published specifications.   The date of shipment of a Product by Cisco is set forth on the packaging material in which the Product is shipped.   Except for the foregoing, the Software is provided AS IS. This limited warranty extends only to the Customer who is the original licensee. Customer's sole and exclusive remedy and the entire liability of Cisco and its suppliers and licensors under this limited warranty will be, at Cisco's option, repair, replacement, or refund of the Software if reported (or, upon request, returned) to Cisco or the party supplying the Software to Customer, if different than Cisco. In no event does Cisco warrant that the Software is error free or that Customer will be able to operate the Software without problems or interruptions.   In addition, due to the continual development of new techniques for intruding upon and attacking networks, Cisco does not warrant that the Software or any equipment, system or network on which the Software is used will be free of vulnerability to intrusion or attack.

Restrictions. This warranty does not apply if the Software, Product or any other equipment upon which the Software is authorized to be used (a) has been altered, except by Cisco, (b) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by Cisco, (c) has been subjected to abnormal physical or electrical stress, misuse, negligence, or accident; or (d) is licensed, for beta, evaluation, testing or demonstration purposes for which Cisco does not charge a purchase price or license fee.
Hall of Fame Super Silver

The text you pasted in refers

The text you pasted in refers to the product (software) warranty.

The 3DES-AES license / activation-key does not expire - it is "perpetual". You can validate that by typing the following at the cli while in enable mode:

    show activation-key | i 3DES

You should see something like:
     VPN-3DES-AES                      : Enabled        perpetual

New Member

sh versionCisco Adaptive

sh version

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(1)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

kunauto up 6 days 3 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is f866.f2c4.bcde, irq 9
 1: Ext: Ethernet0/1         : address is f866.f2c4.bcdf, irq 9
 2: Ext: Ethernet0/2         : address is f866.f2c4.bce0, irq 9
 3: Ext: Ethernet0/3         : address is f866.f2c4.bce1, irq 9
 4: Ext: Management0/0       : address is f866.f2c4.bce2, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 50
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 0
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

New Member

# show activation-key | i

# show activation-key | i 3DES
VPN-3DES-AES                   : Enabled

 

New Member

dear Mr.Marvin RhoadsAs per

dear Mr.Marvin Rhoads

As per below config remote vpn and site to site vpn remote vpn users unable to access local network please suggest me any config required  

 

Local server ip 192.168.215.4 not able to ping this server remote vpn connectivity working fine but local network not able to ping from vpn users. 

 

ASA Version 8.2(2)
!
hostname 
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group dataone
 ip address pppoe
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-local
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool vpn_users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set myset
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set myset
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password ***** store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
 enable outside
 tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
 vpn-simultaneous-logins 8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
 vpn-group-policy kun
 vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool vpn_users
 default-group-policy kun
tunnel-group vpngroup webvpn-attributes
 group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *****
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#

 

Hall of Fame Super Silver

You have an acess-lsit for

You have an access-list for your remote access VPN users' address pool but you also need to reference it with a NAT exemption.

Try:

     nat (inside) 0 access-list nonat

Here's a good reference to use.

New Member

Dear Mr.Marvin Rhoads ,Thanks

Dear Mr.Marvin Rhoads ,

Thanks for your replay

As per this command nat (inside) 0 access-list nonat applied from firewall i able to ping but trough vpn client connected we are not able to ping local server 192.168.215.4 

(config)# ping 192.168.215.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.215.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
kunauto(config)#

 

Hall of Fame Super Silver

I noticed your address pool

I noticed your address pool for VPN clients (192.168.215.1-250) overlaps your inside interface (192.168.215.2). Please adjust the pool range to exclude that and any other hosts addresses you have statically configured in that subnet. We typically recommend a unique subnet be used for VPN clients to minimize the potential for such confusion.

Can you run:

packet-tracer input outside icmp <your VPN client address> 0 0 192.168.215.4

New Member

Please find the below report

Please find the below report

 show capture cap_test

20 packets captured

   1: 04:26:57.419274 192.168.2.2 > 192.168.215.4: icmp: echo request
   2: 04:27:01.932858 192.168.2.2 > 192.168.215.4: icmp: echo request
   3: 04:27:06.933347 192.168.2.2 > 192.168.215.4: icmp: echo request
   4: 04:27:11.931897 192.168.2.2 > 192.168.215.4: icmp: echo request
   5: 04:27:16.934064 192.168.2.2 > 192.168.215.4: icmp: echo request
   6: 04:27:21.931378 192.168.2.2 > 192.168.215.4: icmp: echo request
   7: 04:27:26.930371 192.168.2.2 > 192.168.215.4: icmp: echo request
   8: 04:27:31.932370 192.168.2.2 > 192.168.215.4: icmp: echo request
   9: 04:27:36.939023 192.168.2.2 > 192.168.215.4: icmp: echo request
  10: 04:27:41.931882 192.168.2.2 > 192.168.215.4: icmp: echo request
  11: 04:27:46.933850 192.168.2.2 > 192.168.215.4: icmp: echo request
  12: 04:27:51.930142 192.168.2.2 > 192.168.215.4: icmp: echo request
  13: 04:27:56.930615 192.168.2.2 > 192.168.215.4: icmp: echo request
  14: 04:28:01.930142 192.168.2.2 > 192.168.215.4: icmp: echo request
  15: 04:28:06.930860 192.168.2.2 > 192.168.215.4: icmp: echo request
  16: 04:28:11.930844 192.168.2.2 > 192.168.215.4: icmp: echo request
  17: 04:28:16.931561 192.168.2.2 > 192.168.215.4: icmp: echo request
  18: 04:28:21.929105 192.168.2.2 > 192.168.215.4: icmp: echo request
  19: 04:28:26.929593 192.168.2.2 > 192.168.215.4: icmp: echo request
  20: 04:28:31.429497 192.168.2.2 > 192.168.215.4: icmp: echo request
20 packets shown

kunauto# packet-tracer input inside icmp 192.168.215.4 8 0 192.168.2.2

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.2     255.255.255.255 outside

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip inside 192.168.215.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 358
Additional Information:

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (59.90.214.144 [Interface PAT])
    translate_hits = 524205, untranslate_hits = 98146
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (59.90.214.144 [Interface PAT])
    translate_hits = 524205, untranslate_hits = 98146
Additional Information:

Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 546896, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hall of Fame Super Silver

So your cap_test shows the

So your cap_test shows the packets from the VPN client at 192.168.2.2 to the server at 192.168.215.4. That's good.

Can you check if replies are coming back via the firewall? (i.e setup a different cap_test to look for the icmp echo replies). If they aren't you may have either a host firewall or routing issue.

 

hi,marvin is right, the 3DES

hi,

marvin is right, the 3DES/AES license is free and its permanent.

could you also post the output of show version to see if it's enabled and if you have other time-based licenses?

New Member

sh versionCisco Adaptive

sh version

Cisco Adaptive Security Appliance Software Version 8.2(2)

Device Manager Version 6.2(1)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

kunauto up 6 days 3 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is f866.f2c4.bcde, irq 9
 1: Ext: Ethernet0/1         : address is f866.f2c4.bcdf, irq 9
 2: Ext: Ethernet0/2         : address is f866.f2c4.bce0, irq 9
 3: Ext: Ethernet0/3         : address is f866.f2c4.bce1, irq 9
 4: Ext: Management0/0       : address is f866.f2c4.bce2, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 50
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 0
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Hall of Fame Super Silver

As I noted above, "show

As I noted above, "show activation-key | i 3DES" will further indicate the license is perpetual.

New Member

Hi tnrs_tnrs, i see that you

Hi tnrs_tnrs, i see that you are looking at getting the AES/3DES license for your ASA5510-K8. Feel free to message me for options on how you can get the license. Hope to hear from you soon! :)

536
Views
0
Helpful
15
Replies