Cisco Firewall :: 5525 Authenticated User Access
Oct 31, 2012
We've just replaced our Fortinet Firewalls with 5525's but are struggling to get a feature working that worked great on the Fortinet firewall.All our users use a proxy for internet access that's configured in IE but from time to time some users need to remove this proxy and go directly out to the internet, with the Fortinet devices we created a rule right at the bottom of the inside access out rule that had it authenticate users via TACACS which worked a treat and could be used from PC or laptop. We want to do a similar thing on the 5525 and I thought the Authenticated user would give me this access but I don't seem to be able to get it to work. I've got the AD side of it working fine the ASA can pull user and groups from AD but I'm struggling to get this working for a user.
View 3 Replies
ADVERTISEMENT
May 21, 2013
I am in the process of upgrading a client's firewalls from 5520s to 5525-Xs. I have 2 independent firewalls that are merging into a single firewall. Both of the source ones have a TON of user accounts defined for remote user VPN, is there any way to move these user accounts with passwords in tact?? The goal is not to have to tell the 250+ users that they need to reset their passwords at once.
View 2 Replies
View Related
Jun 30, 2011
ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not. I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...". I created a new Group Policy with split-tunnel enabled. I created a new Connection Profile and assigned to it the new Group Policy. When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want. Each of them works, enabling or disabling split-tunnel. But I want to assign a connection profile to the particular user, not give the user a choice. The problem is I'm using LDAP authentication. The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing. I really don't want to give up LDAP and force people back to another local password. But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile. At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile". If I clear that switch every user will be assigned the same default profile, which does not work.
View 2 Replies
View Related
Sep 23, 2012
Is there a module or way to create a Guest Access Lobby on the ASA 5525? We currenly leverage the WLC to do this for us, but are moving to a routed access enviornment which is causing some issues. We would like to offload the guest access responsibility to the ASA if possible.
View 1 Replies
View Related
Feb 28, 2013
I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs shiw me this kind of error:
[-2147483632] Session Start
[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication
[-2147483632] Fiber started
[Code]......
View 0 Replies
View Related
Apr 18, 2013
I've just installed NCS. When trying to configure NCS for ACS Tacacs+ authentication, I receive the message below when trying to login to NCS. ACS records my login in the 'passed authentications' log. I am using ACS 4.2."No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server". I used the following link to configure ACS for NCS, url...
View 3 Replies
View Related
Feb 12, 2012
Actually I have a lab with ACS 5.3 running with 802.1x, but when when the user is successfully authenticated, it's assigned and IP address from the DHCP server, is there a way to assign a static IP address depending of login username??
View 13 Replies
View Related
Jan 22, 2012
802.1x is working properly, 802.1x port is up,but;when I do a remote desktop to machine that is 802.1x authenticated by an user(Wired), first, login to pc successfuly then(3 minutes) is switch port down..
Debug radius authentication
Debug aaa authentication
Does not appear in the log only message port is down
Equipment;
Cisco 2960, Cisco ACS 4.2 ,MS Active Directory Authentication
Client:windows xp, windows 7
Cisco 2960 Port Config
switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
spanning-tree guard loop
View 1 Replies
View Related
May 9, 2013
I have read that it is possible to migrate from a 525 to an ASA via a upgrade to pix asa version 7.0 then using the migration tool once copied to the new ASA 5500 series, but i have alos read in a forum somewhere that a migration from PIX to ASA 5500-x series is not possible,, is this true ?
View 1 Replies
View Related
Apr 8, 2013
We have recently installed new 5525 8.6(1) ASA's. Our setup is like; where we are using Public IP for web server, which needs to be mapped/natted to internet VIP address and that VIP is configured on F5 LB. Setup is below; This Public IP is the web server IP. The firewall get hits, but web server page is not being displayed. In the logs FW built tcp but then tear down the session, syslog id (302014) 77 TCP Reset-I
|INTERNET|
|
|
195.201.55.X
[ ASA ]
Natting to
10.100.100.151
[ F5 ]
|
/
/
Real Servers---> .150 .151
NAT Config is; nat (DMZ1,OUTSIDE) source static 10.100.100.151 195.201.55.X.
View 8 Replies
View Related
Oct 8, 2011
At one of our locations we are experiencing some problems getting connected to our wireless networks.
It is possible to sit right next to an AP (AIR-LAP1131AG) and only have limited access to the network.
I have attached a snapshot from inSSID from the wireless networks in the area. All of them are broadcasted by our controller and I can´t figure out how it is possible to see SSIDs in other channels than the ones in the 2.4GHz band (11-14)?
View 1 Replies
View Related
Aug 15, 2012
May I know how to configure for remote accessing ASA 5525 via ssh?I have issued the following commands
ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5
but I am not able to access ASA via ssh. Do I need to add any other command
View 20 Replies
View Related
May 28, 2012
I have a PIX 515 with version 8.0(3). We buy a ASA 5525-X for replace the PIX.
The question is, what is the better method to migrade the configurations? Manually?
What is the better version for 5525-X? 8.6.1?
View 4 Replies
View Related
Nov 14, 2012
We have a customer that has a ASA 5525-x reporting only 4g flash memory rather than 8g has any 4g version of the 5525 or is the IOS reporting incorrectly the size, as it seems to be embedded on these units as a USB disk internal.
View 4 Replies
View Related
Nov 13, 2012
We have a 5525 that has not been deployed to production yet so we're using it in the lab. I want to lab some upgrades from 8.2 to 8.6 for some customers but the 5525 comes loaded with 8.6. Would there be any problem with reimaging the 5525 with 8.2? I'm just not sure if there would be an issue with this new hardware running that old software.
View 3 Replies
View Related
Feb 27, 2013
I'm about to upgrade from an ASA5520 to ASA5525.
View 1 Replies
View Related
Apr 26, 2011
On my wireless network, I am running guest access that I want to have as authenticated. If I enable WLAN, security, layer 3 web policy, when an iPAD / iPhone connects, they get directed to the Web Auth splash page, on where they must enter username & password. My users do not want to be directed to this page everytime they login - just select the SSID and connect - is there a way of authenticating guests via a WLC4400 without going through the splash page everytime?
View 6 Replies
View Related
May 21, 2013
We are using MS System Center Operations Manager to monitor network devices. We are trying to monitor our Cisco ASA 5525-X firewall interfaces.
We have a generic management pack installed that seems to work for parts of the 5525. We can see performance info for IF-4 but none of the other interfaces.
Our Management Pack is a generic Cisco Adaptive Security Appliance Version 9.1(1) management pack.
Is there a management pack that is specifically for this Cisco firewall?
View 0 Replies
View Related
Apr 9, 2013
We are suffering an issue with ASDM 7.1(1) on a 5525-X with 9.1(1) software. In the Configuration --> Interfaces window, I can modify parameters on physical interfaces, I can modify parameter on subinterfaces, but I cannot create new subinterfaces or Etherchannels through ASDM.
When I create a subinterface, entering all parameters, interface name, vlan id, security level, etc., then I click on "Apply" button and nothing happens. It doesn't send anything to ASA. If I click on another window, ASDM ask for applying changes, I click on it, but nothing is applied and window doesn't change. It happens only when creating new interfaces. If I create them through CLI, then I can modify parameters without any problem.
I have tried re-installing java and I have tested with 6.31, 7.9, 7.11, 7.17 Java versions, from Windows XP, Windows 2003 Server and Windows 7 computers with same issue. Also with Linux Mint distro with IcedTea Java.
View 3 Replies
View Related
Mar 14, 2013
I recieved my IPS module license for my ASA 5525 . I enetered the key via the ADSM and it prompted me to restart the firewall .. After that i cannot get into the firewall via the ASDM .
View 3 Replies
View Related
Feb 12, 2013
I need to setup an ASA 5525 in Active/Standby failover mode. I am setting up the ASA for a company that purchased only one public IP address. The public IP address is assigned to the outside interface. My question is will failover work correctly if I don't use a secondary IP address on the failover configuration on the outside interface?
View 4 Replies
View Related
May 22, 2013
We have an ASA 5525 running version 8.6(1)2 and a 10 MG pipe. I have execs that want to limit bandwidth on users for stuff like youtube, stream media, and downloads. I found the article on ‘Bandwidth Management(Rate Limit) Using QoS Policies’ so it appears our firewall can do what we want. I’m not a cisco person. My knowledge is limited when it comes to configuration – that’s why we have SmartNet.
Can bandwidth be limited on end users and/or can they limit the ‘bandwidth rate limit’ to just youtube, steaming media, and downloads? If so, what should the limit be? and I’m assume this would be for ‘incoming’ traffic only? we’re running into some bandwidth hogs – usually youtube and/or streaming media. We have a Barracuda web filter which we’ve used to block and monitor activity but I simply do not have time to babysit this all day. I should also mention we do have critical data running up and down the pipe; such as credit card processing, DB replication between in house DB and hosted website, TPCx and EDI, FTP, and such that we don’t want restricted.
View 7 Replies
View Related
May 28, 2012
Could I configure and connect 3 Dell switches to an ASA-5525 Firewall which has got 8 interfaces.
View 7 Replies
View Related
Apr 25, 2012
We currently have one Cisco ASA 5510 firewall at our mailn office. Our firewall does not let users access the internet. We currently have a web proxy that lets users access this. I need to let users access one website through the firewall without going through the firewall. I believe this is possible if I use dynamic NAT.
View 1 Replies
View Related
Aug 2, 2011
I tried the solution posted at [URL] however it did not work on my ASA5505 8.4(2). I thought that it may be because I only have a single public address so the web server is responding to port forwarding through the one public IP already. looking in ASDM it appears to indicate that a configured access list is blocking the server from responding to the internal hosts.
object network Private_IP
host 192.168.1.15
object network Public_IP
host 1.1.1.1
object-group network internal_net
[code]....
Can I fix an access list (or something) to make this work or am I wishing for too much with only one public IP? This worked by default on my Netgear firewall.
View 4 Replies
View Related
May 5, 2011
I have a 3845 router (12.4(13r)T10) with ZBF. On my LAN there is a user who need to access a remote IPSEC VPN server. He is able to get the tunnel but afterwards he cannot connect to any service in the remote LAN. As I'm using zbf I think that I should inspect traffic from my LAN zone to EXT zone, There is a document that describe a solution to this? What IP adressess should I use?
View 2 Replies
View Related
Oct 3, 2011
I have a 3845 router (12.4(13r)T10) with ZBF. On my LAN there is a user who need to access a remote IPSEC VPN server. He is able to get the tunnel but afterwards he cannot connect to any service in the remote LAN. As I'm using zbf I think that I should inspect traffic from my LAN zone to EXT zone
View 3 Replies
View Related
Jan 12, 2012
I would like to create a additional user vpn on a 55010 where the user authenticates with the firewall and not the radius server.This user should NOT be able to log on to the firewall, but only be able to authenticates with the vpn client.I'm correct that the command "username abc123 password abc234 privilege 0" ?Also for this remote vpn how to I make sure the user only authencates with this password?
View 3 Replies
View Related
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies
View Related
Apr 20, 2009
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
View 4 Replies
View Related
Oct 10, 2011
I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.
View 1 Replies
View Related
Jun 11, 2012
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
View 7 Replies
View Related
Nov 27, 2012
We have a small office and already have a firewall in place that uses content filtering. I am looking for a low cost wireless access point that I can place behind my firewall that will allow me to control access by a username and password list, not just the passkey.
Does this exist without having to go to an Aruba or Ruckus type enterprise WIFI product?
View 1 Replies
View Related
