I got a question a about is there a Cisco VPN client that can be used with Honeywell PDA and Cisco ASA?
* Firewall
Cisco ASA 5520
IOS: asa832-k8.bin
* PDA
Brand: Honeywell
Model: Dolphin 7800
O.S. Windows Embedded Handheld 6.5 Professional
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I want to setup NAT with ASDM on ASA for a client and I can not make it work. I have several interface:
Inside: 10.97.0.1 / 24
Outside: 10.0.1.70 /24
Interco: 192.168.6.1 /24
Other Sites: 10.26.0.4 /24
All routing in the network is Ok My customer want to access a server @ ip 10.194.70.1 in https on the interface Interco with his nat address as 10.97.0.11 .This server must be accessible with the address 10.97.0.11:443 from interfaces inside, outside and other sites.And source address must be nated with original destination address 10.97.0.11 to be redirected on 10.194.70.1.
We have Cisco ASA 5520 with csc ssm 10 (product ver. Trend Micro InterScan for Cisco CSC SSM 6.6.1125.0)in Web>Global settings> URL filtering > Rules > Communications and Search> Social Networking category is set to block during work time and allow during leisure time(see the attachement), but rule for this category won't work. I mean social networking sites are always remain allowed.
View 2 Replies View RelatedI have an asa 5520 that works fine if you are using passive ftp and ftp inspection is on globally. It is not working for an active ftp session. I tried allowing all ports back to the external ip address of the internal client as a test and this did not work either.
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.2(3)
policy-map Global_Policy
[Code].....
I read another article saying that this command needs to be on the asa "fixup protocol ftp 21"
If this is enabled will it show on the firewall? How do I enable it?
I am having ASA 5520 with active/standby configured. Around 2 days ago, the ASA stopped responding & all of my websites stopped working. when i checked the failover status it said that failover is off. I had to manually turn the failover to start my traffic flow.During this time my secondary ASA was not responding. After some time, the primary stopped responding & secondary became active......to solve this i had to make the secondary unit as failover unit primary & the primary unit as failover unit secondary. i did get a log on ASA :-
“(Primary) Disabling Failover” with error message no.105001 which states the below:-
Error Message %PIX|ASA-1-105001: (Primary) Disabling failover.
Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed).(Primary) can also be listed as (Secondary) for the secondary unit.
Are the ASA memory DIMMs created for specific models? Would a 1GB 5510 Memory stick work in a 5520?
View 1 Replies View RelatedI am using ASA5520 with webvpn for file sharing. But recently we just upgraded the OS that accommodate file shared folder from win2003 R2 32bit to windows server 2008 R2 64bit. Now I have a problem with accessing file share by ASA webvpn, it appears error contacting host, we have tested the file shared of webvpn on the other OS windows 2003 and windows 2008, they are working on these OS except win2008 R2. Current the ASA OS version is 8.0(2). And the windows firewall has been disabed.
View 3 Replies View RelatedI'm looking for a good yet inexpensive firewall for a small business (12 people in the office, and 12 others who are out and about all day). I also would to monitor internet traffic too. Currently using FortiGate50B, and it expires in 90 or so days,
View 19 Replies View RelatedI have configured my ASA5520 to act as VPN server. It accepts connections from the internet and then it authenticates the user to a Windows 2008 Server via Radius.Everything works fine if I use the VPN client embedded in Microsoft Windows. Conversely, if I try to configure Cisco VPN Client, I cannot find where to define the PSK string.
View 3 Replies View RelatedI have a L2L VPN tunnel on a Cisco ASA 5520 that I'm trying to get RRI to work on. On my cryptomap ACL I have defined a local object-group and a remote object-group, and I'm performing one-to-one NAT on the local group. I also have a route map configured that will take the static routes and redistribute them into my EIGRP AS. Two things I've noticed -1, I'm not seeing any static routes on my ASA that point to the remote subnets, and 2, the ACL that I've used in my route map definition is not getting any hits on it.
View 2 Replies View RelatedI have made the following change to my ASA 5520 using ASDM to try and force VPN clients to use a self assigned certificate from the ASA. I made the following changes Remove Access VPN > Certificate Management > Identity Certificates > Add Certificate.Then I made the following change.. Remote Access VPN > Network (Client) Access > IPSec(IKEv1) Connection Profiles > Connection Profile > Edit > IKE Peer Authentication > Pre Shared key and pointed the identity certificate to the one I created in the step above.Having made this change I am still able to VPN without a certificate configured in authentication settings.I was expecting that the VPN would attempt to issue the self assigned cert to client machine?
View 1 Replies View RelatedI have remote branches that connect to the corporate office as a site-to-site VPN. Now the clients at the branch are getting an application that is using an unsecured port (tcp/23). I would like to use a set of ASA 5520's that I have at the corporate office, with the AnyConnect license on them. I want the client machines to establish a tunnel from the client to one of these ASA's. The ASA' then would have a connection to the VLAN that the receiving server is housed on. The trick is to just establish the tunnel from the client to the ASA that will allow the IP of the client to not be translated. So I would use the ASA as a security 'pass-through' for the clients that use this new application.
View 1 Replies View RelatedWe have an ASA with software version 8.2(1) and ASDM 6.2 to use the VPN. We configure the anyconnect client with split tunnels for our vendors to access internal server and have access to the other resources in the web simultaneously. Windows XP client works fine however, the Mac OS x can only access the internal resource but not the web.we need to restrict the client to access and use only specific IP and http port.have internal and external DNS that are separated by ASA5520s all VPN terminate at the DMZ with192.168.xx.0/24 IP pool?
View 1 Replies View RelatedI woudl like to ask all of you that i have ASA 5510 and i want to do VPN client authetication with LDAP, after verify username and password with AD and it use policy with ACS?
View 3 Replies View RelatedI see a topology, I wonder if this topo can work?two ASA config active/standby ASA is VPN server, two fortigate firewall config active/passive.Normally I see ASA must config: inside, outside, .. . and vpn config.But this topo, ASA may not have inside, outside.
View 4 Replies View RelatedMy basic question is, does Cisco VPN Client allow two simultaneous VPN connections at once?I want to set up the following:User Client (Remote Access VPN via Internet)--> Head Office ASA 5520 A/S Pair --> (Remote Acces VPN via Internet) --> Branch Office ASA 5510S+ A/S Pair,So, in order to access the branch office system, the user must:Connect to Head Office ASA peer via Cisco VPN Client (user/password authentication),Head Office ASA peer gives a private 172.16.1.x IP, and is configured to route all requests to Branch Office's public ASA IP via it's own public IP address. Once Head Office VPN established, user establishes a SECOND VPN tunnel from Cisco VPN client (user/password and cert-based auth).
View 3 Replies View RelatedCISCO ASA 5520 -K9 .Client can connects ASA server and get ip address(172.168.31.X),but can't ping ASA inside interface ip address and other servers in lan .
View 2 Replies View RelatedI currently have a Cisco 5520 ASA which is up and running and the users are able to connect to Anyconnect to VPN into the network. However, users plugged into the internal network inside the ASA are unable to connect to the vpn address and download the Anyconnect Client. I think this may be to do with reverse NAT missing?
View 4 Replies View RelatedI'm trying to set-up 3 remote access groups on an ASA5520 running version 8.4(3) software so that remote clients connected via Cisco VPN Client can also access spoke networks which are also connected to the ASA. I've previously set this up on ASAs running v7.2 software without issue but don't seem to be able to do the same here and can't for the life of me figure out what's wrong!
I have set-up the 3 remote access groups:
Group 1 - subnet 192.168.1.48/28Group 2 - subnet 192.168.2.0/25Group 3 - subnet 192.168.3.0/25
My remote access user groups can all connect to the head office subnet (10.0.0.0/8) without issue. But only one of the groups (192.168.1.48/28) appears to be able to access the spoke sites (172.30.10.0/24 and 172.30.20.0/24) that I have set-up. However, I can't see what the difference is between the 3 groups I have configured so can't understand why it works ok for one group and not the others?
When I use the packet tracer, it tells me that the flow is being dropped at the VPN encryption phase but why is that? How can I find out more? Here's the relevant config on my ASA:
!same-security-traffic permit intra-interface!crypto dynamic-map remoteuser 5 set transform-set ESP-3DES-MD5crypto dynamic-map remoteuser 5 set security-association lifetime seconds 28800crypto dynamic-map remoteuser 5 set security-association lifetime kilobytes 4608000!crypto map outside_map 65000 ipsec-isakmp dynamic remoteuser!ip local pool pool1clients 192.168.1.49-192.168.50.54ip local pool pool2clients 192.168.2.1-192.168.2.126ip local pool pool3clients 192.168.3.1-192.168.3.126!access-list split-tunnel-pool1 standard permit 10.0.0.0 255.0.0.0 access-list split-tunnel-pool1 standard permit 172.30.10.0 255.255.255.0 access-list split-tunnel-pool1 standard permit 172.30.20.0 255.255.255.0 !access-list split-tunnel-pool2 standard permit 10.0.0.0 255.0.0.0 access-list split-tunnel-pool2 standard permit 172.30.10.0 255.255.255.0access-list split-tunnel-pool2 standard permit 172.30.20.0 255.255.255.0 !access-list
[code].....
can I use Windows 7 Native VPN client to connect to the ASA..and are there docs out there that support install and config ? I heard it is possible but not able to confirm .
View 1 Replies View RelatedDoes VPN concentrator "VPN3005" work with AnyConnect SSL VPN client?
View 3 Replies View RelatedI recently picked up a Billion 7800N home router to replace my old netgear which was dropping signal alot.I seem to have develpoed a problem accessing my work network through the VPN client. I am able to connect the Cisco VPN client to the network ok but I don't have any access to the server and exchange email. I have tested the client settings on my old Netgear and it is working fine. This points me to the direction of the router....I don't have any packet filtering on and I have set up profile from my fixed internal home ip to the work ip to allow any protocol and any port.I have also port forwarded 500, 4500 and 10000UDP to my internal ip address.
View 4 Replies View RelatedI have a need to Remote Desktop connect to company’s employees for support then they are abroad and using Cisco AnyConnect client.Cisco AnyConnect client connection works fine, clients can reach company’s inside network without problems, but I cannot make revers connection, I cannot Remote Desktop connect or ping VPN clients from companies inside network. I cannot ping clients from ASA too.I am using ASA 5520, Cisco Adaptive Security Appliance Software Version 8.4(3) Device Manager Version 6.4(7), and Cisco AnyConnect VPN Client 2.2.0133. Protocol Encryption- AnyConnect-Parent SSL – Tunnel DTLS-RC4 RC4 AES 128.
View 0 Replies View RelatedI have a VPN setup thru a Cisco 5520, Windows clients connect just find and the end users configure there browser to use our internal proxy servers. Users with the MAC OS X Anyconnect client can connect, they configure their Mac to use our proxy server, but the broswers will not work, clients can reach networks and resources behind the VPN gateway and have access to the Proxy(Tried a telnet to that hostname/port). I am running ASA 8.3(2), Anyconnect(OS X) 3.1.01065.
View 3 Replies View RelatedIs it possible with ASAVPNSERVER 5520 and an EasyVPN 5505 Client to have the client do split tunnel to a single public IP address? Both devices are on 8.2(5) 33. Could you possible provide sample config for split tunnel?
View 1 Replies View RelatedI need to activate AnyConnect SecureMobility client on an IPAD. I have an ASA with the below feature licenses:
[code]...
This platform has an ASA 5520 VPN Plus license
As I've understood that I need the ASA-AC-M-5520 license for each IPAD used but they mentioned that we need also the Essential or premium license to be activated on the ASA as well. As shown above, I have the "VPN Plus license" activated on the firewall.
how many remote user connect using Cisco VPN client on Cisco Firewall ASA5520-BUN-K9? Already i read VPN Client FAQ But their have no information about user limitation.
View 1 Replies View RelatedI need opening up some ports for a sftp client at work. software version 8.0 (3) device manager version 6.1 (1)
View 4 Replies View RelatedWe are using an ASA 5520, running 8.4(3). We have users running the AnyConnect Secure Mobility Client 3.1.02026. I have the AnyConnect connection profile configured to authenticate users using LDAP over SSL. I enabled the password management and am able to get password change prompts to appear in the AnyConnect client. However, new passwords are rejected and changing passwords through that prompt does not work. I'm not sure what the cause of the problem is, since LDAP over SSL is enabled and working, which is required for the password management feature
View 9 Replies View RelatedWRVS4400N Where is the Server Certificate located to get the VPN Client to work?
View 2 Replies View RelatedI have a problem configuring port forwarding to 443 and having client VPN to work.When 443 is NOT forwarded, VPN just runs fine (QuickVPN).As soon as I enable 443, the VPN stops working. No client can connect.I have the latest 1.2.0.9 firmware.Is there a way to enable 443 and having VPN to work at the same time ? I need 443 for Exchange.
View 4 Replies View RelatedI have purchased 4 of these devices about 2 months ago and have experienced all of the issues reported within this thread. The came with the 2.0.0.5 FW rev installed, so unless the 2.0.0.5 on the cisco DL site is different, nothing I can do with that.I've tried making them work as stand alone AP's, Bridge<-> Bridge, etc... all modes seem to lock up eventually needing a reboot to get any functionality back.Ultimately, I need to make them work in AP<->Client-Repeater mode. I've not been successful in making them work in any mode for a prolonged period of time.
having just rfound this thread today, I have not tried hard coding the NIC's to 100/full, but will give it a try. If it works, great, but then that would defeat the purpose of buying an N radio AP. I would like the potential 300Mbps throughput.
