Cisco ASA 5505 Limitations

Posted on 2011-05-03
Last Modified: 2012-05-11
Hi Experts,
I have set up my site firewall, which is a 5505, to do remote access VPN (IPsec).
I want to use the Cisco client to connect to the network behind this device.
I have used the same setup as my 5510s on other sites around the world.
I am now thinking, reading that the 5505 is not as straightforward, just as it was not straightforward setting it up because of the VLANs etc. and the way it works.

Can I use a 550 for my staff to access the network from the Cisco VPN client?

Question by:flowit
    LVL 33

    Expert Comment

    You can get an exact listing of features on the 5505 and how it compares to other models here:

    The most important detail is the max VLAN settings. If you have the 5505 Sec Plus license, then you get 20 VLANs with trunking. Standard 5505 does 3 VLANs without trunking.
    LVL 57

    Accepted Solution

    >>Can i use a 550 for my staff to access the network from the Cisco VPN client

    If you mean can you use the 5505 then yes :)


    Author Comment

    Sorry, yes, 5505. I am receiving an error connecting; it's the same config, with IP changes, as what I have done on the 5510 series ASA.
    Can you take a look at my config to determine why it's not working?

    Author Comment

    ASA Version 8.2(1)
    hostname FSWE-ASA002
    domain-name *.local
    enable password * encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    name Perstorp_LAN
    name UK_Lan
    interface Vlan1
     nameif inside
     security-level 100
     ip address
    interface Vlan2
     nameif outside
     security-level 0
     ip address 62.20.*.*
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     timeout 30
     domain-name fl*.local
    dns server-group uk
     timeout 30
    object-group network UK_Lan
     network-object UK_Lan
    access-list outside_1_cryptomap extended permit ip Perstorp_LAN
    access-list inside_nat0_outbound extended permit ip Perstorp_LAN
    access-list inside_nat0_outbound extended permit ip UK_Lan
    access-list inside_nat0_outbound extended permit ip
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit ip Perstorp_LAN
    access-list outside_2_cryptomap extended permit ip UK_Lan
    access-list flowvpnusers_splitTunnelAcl standard permit
    access-list flowvpnusers_splitTunnelAcl standard permit Perstorp_LAN
    access-list flowvpnusers_splitTunnelAcl_1 standard permit
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNREMOTEPOOL mask
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 dns
    access-group outside_access_in in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDA_Server_Grp protocol ldap
    aaa-server LDA_Server_Grp (inside) host
     timeout 60
     ldap-base-dn dc=fl*, dc=local
     ldap-scope subtree
     ldap-naming-attribute samAccountName
     ldap-login-password *
     ldap-login-dn fl*\administrator
    http server enable
    http inside
    http 62.7.*.* outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 62.*.8.*
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set phase1-mode aggressive
    crypto map outside_map 1 set reverse-route
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs group1
    crypto map outside_map 2 set peer 62.*.*.*
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy flowvpnusers internal
    group-policy flowvpnusers attributes
     wins-server value
     dns-server value
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value flowvpnusers_splitTunnelAcl_1
     default-domain value flowsweden.local
    username admin password * encrypted privilege 15
    tunnel-group 62.*.8.* type ipsec-l2l
    tunnel-group 62.*.8.* ipsec-attributes
     pre-shared-key *
    tunnel-group 62.7.*.* type ipsec-l2l
    tunnel-group 62.7.*.* ipsec-attributes
     pre-shared-key *
    tunnel-group flowvpnusers type remote-access
    tunnel-group flowvpnusers general-attributes
     address-pool VPNREMOTEPOOL
     authentication-server-group LDA_Server_Grp
     default-group-policy flowvpnusers
    tunnel-group flowvpnusers ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny  
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip  
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    : end
    asdm location Perstorp_LAN inside
    asdm location inside
    asdm location inside
    no asdm history enable

    Author Comment

    Does anyone have any ideas why the Cisco VPN client is not connecting with this config?
