AAA/Identity/Nac :: 5585X ASA Anyconnect VPN IP Allocation

Sep 1, 2011

Starting a project where the customer has ASA 5585X with SSP40 with 10K SSL Premium Lic and ACS 5.1. The cust wants IPSec and AnyConnect Client terminations. The number of users will be close to 6000 and will scale. Due to the huge scale of users, I am not able to finalize a design. Have the following doubts.

1. Will ACS have any issues in supporting a database this huge? Or is it better to go with the AD/LDAP integration?

2. What is the best way to allocate IP addresses? Does ACS 5.1 support dynamic allocation from an IP pool?

I have been browsing through the forum, couldn't find anything concrete.


Cisco AAA/Identity/Nac :: ACS 4.2 - IP Pool Allocation Based On NAS Port IP Address

Jul 7, 2010

Using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specific IP Pool:

When a user connects, the request to auth comes from 2 possible NAS ports randomly (this cannot change). Which NAS makes the request determines the IP range required, so I need 2 IP Pools. There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'.

I have gone around and around with NAFs and NARs, but cannot do this. I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
 
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.


Cisco AAA/Identity/Nac :: Anyconnect 2.x / Certificates And ACS 5.2 Samples?

Sep 25, 2011

I'm looking for samples about AnyConnect 2.x with PKI authentication through ASA 8.x and ACS 5.2. The CA could be an internal Microsoft CA.


Cisco VPN :: ASA5520 Anyconnect Replacing Identity Certificate

Aug 19, 2012

We currently have a remote access ASA setup using AnyConnect with a self-signed certificate, and several users in the certificate database, as we are using RADIUS and certificate for authentication.

I want to purchase and obtain a trusted CA signed certificate (such as Verisign) and replace the current self-signed cert.

My question is: will I have to reset the current CA server of the ASA and replace the certificate user database, i.e. start from scratch?


Cisco AAA/Identity/Nac :: Setup AAA For Anyconnect With Active Directory On Asdm 6.4

Aug 20, 2012

I'm sure this has been asked before, but a quick search has not yielded any exact results, so here goes.

I have AnyConnect up and working great for VPN users using local authentication. I'm going over the white papers and seeing a lot of options for NT domain, LDAP, TACACS+ etc.

We would like remote VPN users to authenticate using their Windows domain password, but I'm not sure which would be the easiest and quickest option to configure, and I can't find a guide for ASDM setup for this topic that doesn't cause more questions than answers. The white papers I'm finding are confusing since I am a rookie at this topic.

What is the easiest/quickest way to set up Windows domain authentication via ASDM?


Cisco VPN :: RDP Plugin For ASA-5585x

Jan 15, 2013

I'd like to add an RDP to the vpn portal page on our 5585x. Looking for the rdp plugin in the 5585x download area but there is no page for Remote access plugins. Would the plugin be the same as any of the 5500 ASAs? Could I just download the rdp_09.11.2012.jar file from the 5505 download area?


Cisco Firewall :: What Is Latency Value For ASA 5585X And 5555X

Apr 16, 2013

I am wondering what the latency value is for Cisco ASA 5585X and 5555X. I can see on websites that it says "low latency firewall" but I don't see any value.


Cisco Firewall :: Way To Configure Pim-ssm On Asa 5585x-ssm20

Aug 6, 2012

if there is a way to configure pim-ssm on asa 5585x-ssm20.


Cisco Firewall :: 5585x - Multiple ISPs Plus WAN And DMZ

Aug 17, 2011

Looking to replace an "all-in-one" type firewall (UTM/Firewall, SSL VPN) with a Cisco product - the issue I'm running into is that we have multiple ISPs plus WAN and DMZ - overall more than 5 ports on mid-range ASA devices - and from what I read, adding a 4-port module precludes me from adding a CSC module.

Is there a solution to that other than going for the 5585-X model? (kind of over our budget, granted we need 2 for failover)


Cisco Firewall :: ASA 5585x - Create The Outside Interface On A Subinterface?

Oct 31, 2012

I have a circuit that will be delivered to a client next week and we are installing an ASA 5585x for them. They will have a circuit coming in with a few VLANs configured on it. One VLAN for the Internet and one for connectivity to another client.
 
So does the ASA allow you to create the "outside" interface on a subinterface?


Cisco Firewall :: ASA 5585x Running 8.4 - Applying ACL Globally

May 4, 2011

I will be supporting a new ASA 5585X running 8.4 and I was wondering if it's possible to apply an ACL globally instead of as an access group that is applied to a specific interface as in or out ... below are the interfaces and ACL.


Cisco Firewall :: ASA 5585x Security Context In HA Cluster

Jun 6, 2012

I have an active-active setup with 2 Cisco ASA 5585X running 8.4 - the boxes each have 2 sec contexts built in - which gives 4 sec contexts in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5) which I haven't applied yet - will this give me a total of 10 or 14 security contexts? I am a bit in doubt, because if I only get 10 sec contexts in this cluster, then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this - I would then get 12.


Cisco Firewall :: ASA 5585X - Possible To Have Content And Control Security?

Aug 10, 2011

Is it possible to have Content Security and Control Security in an ASA 5585-X? I'm asking because the CSC-SSM is only supported in ASA 5540, 5520 and 5510 and I don't know how this feature can be supported on a new ASA 5585-X.


Bandwidth Allocation By VLAN

Apr 19, 2012

I am trying to find out whether it is possible to allocate bandwidth on a per-VLAN basis.

We have multiple satellite connections coming into our infrastructure over a single gig ethernet cable from another service provider. The provider provides the connectivity on layer 2 and we are responsible for layer 3 connectivity for the clients on the other side of the satellite connections. The single gig ethernet cable is currently plugging into a Mikrotik 1100 router on our side, setup with VLAN ID and IP Addresses and everything works perfectly. The challenge now is that whilst we only have the one satellite client connecting, we can limit the bandwidth on the ethernet port to 512k for example which limits the client to only have 512k internet breakout. In the future, we need to be able to limit bandwidth as multiple VLAN IDs will be coming over that single ethernet cable and I'm not sure if one can do this at all.


Cisco Firewall :: ASA 5585X URL Filtering / Unable To Support CSC Module?

Aug 22, 2011

Because ASA5585X doesn't support the CSC module, how can I do URL filtering on ASA5585X?


Cisco Firewall :: ASA 5585X Nexus Switches Utilizing VPC Technology

Jul 17, 2012

I want to configure 5585X Active/Standby with 2 Nexus switches utilizing VPC technology. New ASA 8.4 supports etherchannel, so I want to plug in 2 cables from ASA1 to sw1 and sw2 and 2 cables from ASA2 to sw1 and sw2. Is this a valid design? How would I configure that? Any design document on that?


Cisco Firewall :: ASA 5585x Working Fine But No Console Access

Feb 9, 2012

I have an ASA 5585X cluster. I get SSH access but no console access on the standby unit.

On the active unit, when I try console access, the ASA asks for a password. I have tried all the ones that I have configured, but without success.


Cisco :: QoS / Bandwidth Allocation On A 2960?

Jun 19, 2012

We want to dedicate 2mb to one of our fa ports on our 2960. Is this easily done, or can it be done on a 2960?


Cisco Switching/Routing :: Spanned Etherchannel ASA 5585X And Avaya VSP9000?

Apr 7, 2013

We have a pair of ASA 5585X firewalls that need to connect to a pair of Avaya VSP9000 switches. The Cisco docs refer to doing spanned etherchannel with a Cat 6500 switch using VSS or a Nexus switch using VPC. Does spanned etherchannel work with non-Cisco switches or is this proprietary? The etherchannel on the ASA is set up using LACP. Here's the applicable configuration:

interface TenGigabitEthernet0/6
 channel-group 2 mode active vss-id 1
!
interface TenGigabitEthernet0/7
 channel-group 2 mode active vss-id 2
!
interface Port-channel2
 port-channel span-cluster vss-load-balance


Bandwidth Allocation To Vpn Interface Under Physical Eth0?

Feb 15, 2012

I have my WAN connection on eth0. The bandwidth is 2mbps. I am running QoS on that interface saying 192.168.200.0/24 can use 80% of the bandwidth and 192.168.201.0/24 can use 20% of the bandwidth. I also have a vtun VPN interface to our branch office. I also want to run some QoS on that interface. How do I go about allocating the bandwidth on this interface? It is actually going via the eth0 interface, but the system actually sees it as an independent interface in its own right, so it requires its own QoS policy.


Manage Bandwidth Allocation From Wifi Network?

Jul 29, 2011

I have an internet connection (landline and wifi modem) at my parent's summerhouse as I need it for work. Nobody else does around here, so I get constant nagging from neighbours to give them the password. I can't say no; however, I'm afraid they may use up too much of my bandwidth, which could lead to a lot of money being lost on my part. Constant and stable internet is a must for my work. How can I limit the bandwidth I give to them? Can I create a second public network with limited bandwidth or something like that?


Cisco :: Bandwidth Allocation - Connection Is Maxed Out?

Feb 5, 2013

We have a DSL line at work which a few people share for Internet access. Sometimes if someone is doing a Windows Update or big download etc, the connection is maxed out and slow for everyone else. Is there a way to give everyone a set amount of bandwidth via a Cisco router (2811) or will I need to use something like a packeteer?


Cisco Wireless :: WLC 5500 / Ip Pool Allocation

Nov 19, 2012

We have a WLC 5500 connected to a 2960 acting as core switch. There is a server attached to the switch, bearing all DHCP pools for LAN and wireless users. Can the WLC or the switch be configured in such a way that the wireless users associating to the WLC get their IP addresses from the DHCP pool configured on the server? Can the configuration be shared for such a setup?


Cisco Firewall :: Bandwidth Allocation On ASA 5510

Nov 8, 2012

I have a Cisco ASA 5510 firewall. I have just configured the 1st port as nameif outside with a public IP, the 2nd port as nameif inside with a local IP, and done the NATing, DHCP and DNS. Now I am able to get internet from the inside port, which is getting DHCP. Up to that point it is OK.

I want to restrict bandwidth to 1Mbps for the local port (2nd port). How do I configure a 1Mbps bandwidth allocation for port no. 2? I mean nameif inside should have a 1Mbps limit.


Cisco WAN :: 2851 IP Based Bandwidth Allocation

May 16, 2011

I have a Cisco 2851 router and need to allocate bandwidth based on IPs, e.g. 192.168.1.1 should use 7 Mbps, 192.168.1.2 should use 2 Mbps and 192.168.1.3 should use 1 Mbps. Let me know the configuration and how to execute it on a router.


Cisco Firewall :: 5585x - Threat Detection Log Entries In Multi Context Mode

Dec 29, 2012

We have a 5585X running in multi context mode, and we are getting log entries for scanning threat detection, such as:
 
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3116
 
Threat detection is not supported in multi context mode so I cannot tune the thresholds, is there any way that I can get rid of this outside of messing about with logging levels/message IDs?


Protocols / Routing :: Linksys WRT54G - Allocation Of Bandwidth?

Mar 3, 2012

I am using Linksys WRT54G router on my broadband internet connection. I want to know, is there any way to allocate more or less bandwidth to any PC connected to my network?


Cisco VPN :: ASA 5520 - Error / Memory Allocation Failed

Apr 2, 2012

I am running IOS version 8.0(5) in Cisco ASA 5520. The issue I am facing is that when the memory utilization reaches 49 percent, the web-vpn users are not able to log in as they are getting a blank page. The only error I am getting in the output of "sh mem webvpn allobjects" is ERROR: Memory allocation failed?


Cisco Firewall :: Pix 515E Memory Allocation Failure

Mar 17, 2011

I am using a Pix515E with 8.0(3) and 128MB RAM. It ran OK for months but has recently had several episodes during which it produced streams of memory allocation failures (syslog 211001). When in this condition I could not log into the VPN. It was still operating but some users were having problems and I eventually had to restart it.

The traffic load is typically 10Mbps, and the max number of connections is around 10,000 but typically 5,000. The CPU usage is 10%-20%. There is 1 VPN with normally 1 client. The memory usage is always high, between 115MB and 120MB but during these problems it creeps higher.

Why might the memory usage be so high when my network load is quite light for the 515E? What circumstances cause the memory usage to increase during operation? Is there anything I can do to prevent the memory usage increasing to the point where the PIX crashes?

I have a second 515E with 8.0(4)32 and 64MB RAM, loaded with the same config. I have not had this one in service, but off-line it is using 53MB of memory. If the spare pix needs 53MB to load the firmware and my config, why does the other one use 115MB?


Cisco ValetPlus M20 Router / Bandwidth Allocation For Wireless Devices?

Jan 13, 2013

limit the bandwidth used by certain wireless devices on my network. The problem I'm having is of priority. For some reason when someone is watching Netflix on my laptop (wireless) no other device has any bandwidth available to it, so while someone is watching Netflix my hard wired desktop can barely load Google.com, much less do anything useful. I'm using a Cisco ValetPlus M20 wireless N router. allocating at least a minimum amount of bandwidth to wired devices?


Cisco Infrastructure :: 3550 - Limiting Power Allocation To 15.4 W On Pre-POE Switch?

Jan 2, 2013

I'm using a Catalyst 3550 to supply power to an IP network surveillance camera. By default, the predecessor to POE, Cisco Inline Power, allocates 15.4 W of power to a port ... What is the process for reducing this power output?
 
"For an IEEE device, the switch always allocates 15.4 W to the port. The switch does not display the IEEE class type in the show power inline privileged EXEC command output. Instead, it displays n/a."


Cisco Switching/Routing :: Port Allocation In Nexus 7000

Mar 4, 2013

I have one Cisco Nexus 7000 with version 6.1(2). I created 3 VDCs:

ADMIN
CORE
security

I have configured ports 1 - 45 for Core and ports 46 - 48 for Security. Now I am not using the VDC Security and I tried to move the assigned ports 46 - 48 from Security to ADMIN. The switch accepted the command, but the ports are not visible on the ADMIN VDC. Now they are not showing on the Security VDC either. I need these ports in the ADMIN VDC.


Cisco WAN :: 881 / Memory Allocation Of 65536 Bytes Failed From 0x81F083F4 / Alignment 16

Oct 31, 2011

We have a Cisco 881 router, which is crashing. We have seen that the ARP cache fills up so much it causes things to crash, and our phones go down. We don't know why this is; however, IP CEF seems to be doing it. When we disable it, the problem goes away; however, disabling IP CEF causes our L2TP tunnel to become inoperable also. So why does IP CEF cause thousands of ARP entries and how can we limit that!? Below is the error, a sample of the ARP cache and our config. You will notice we also have a /31 given to us on the WAN interface; this was given to us by our service provider. This is really strange, I can't find other examples on the internet.
 
The error:

Nov  1 04:21:57.474: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x81F083F4, alignment 16
 Pool: Processor  Free: 55176  Cause: Not enough free memory
 Alternate Pool: I/O  Free: 2352  Cause: Not enough free memory

[code]....








Copyrights 2005-15 www.BigResource.com, All rights reserved