I have password management configured on our 5520 for VPN users, and it is prompting and allowing me to change passwords.... however it seems the password change seems to not be replicating to AD. I am able to access network resources using the old and new password.
Currently have an ASA5520, management port is set to management only connected to a management vlan, inside, outside and dmz ports also in use for respective traffic, all is working well, the issue i have is that the ITsupport staff on there user vlan have to have access to manage the ASA with ASDM at all times, this all works fine as i have added a route for management to there subnet, problem is that from this vlan they can no longer ping the remote sites which connect via site to site vpn. For troubleshooting and management purposes this is required, is there any way around this?, if we make the management port not management-only how will this effect other traffic or routing?
Two 5520 firewall configuration of the failover and SSH, the first remote landing SSH, can use user and password successful landing, again landing, to prompt the user name password is invalid, what is the reason?
I have a ASA 5520 which is intended to use as a VPN for clients using PDA, I think the PDA is a very old product that the VPN only support CHAP/ MS- CHAP, but seems it cannot connect the VPN, it will prompt "invalid username and password" (but in fact the username and password is valid when using PAP), below is the log i captured from the ASDM when the PDA is connecting the VPN. when i tried to connect it in windows PC, I also have the same issue if the VPN setting is using MS-CHAP, if I choose PAP, it can connect with no problem. But the PDA has no option of PAP. [code]
Has any one got a working setup for SSL VPN users in regards to notification about password is going to expire and then providing the VPN user the opportunity to change password during the VPN login process, involving ASA5520 - ACS Radius server - Active Directory Our VPN users are connecting with Cisco Any Connect VPN Client V.2.5.3046 to a ASA5520 running 8.4(1), all user validation is handled via Radius though a Cisco ACS 5.2 server, which in turn validates the users up against MS Active Directory.
For the relevant connection profile on the ASA, the options Advanced / General/ Password Management / Enable password management has been selected together with the Notify user 14 days prior to password expiration, as mentioned its connecting to a Cisco ACS Radius server with MSCHAPv2 enabled on both the ASA and ACS.
On the ACS server under users and Identity Stores > External Identity Stores > Active Directory we have a successful bind to the AD, the values End User Authentication Settings > Enable password change has been selected.
Just to make sure the password notification function is working in the first place I change the ASA5520 AAA Server group to use LDAP instead of Radius and configured a direct path towards one of our domain controllers, sure enough when the user logged in he got a notification about the password would expire in xx days and then provided with a option to change the password right away or just connect with the current password.
The thing is I don’t want to just use LDAP for VPN authentication, I have quite a expensive setup on the ACS servers with unique ACL's for various group of employees and especially for external consultants, I also use the ACS for customization for webpage and resources when Web VPN is used.
Can it really be so that password expiration notification only works using LDAP, and if this is really the case, is there any way to configure Dual Authentication, so I could first validate the user against LDAP and next against the ACS??
(Side note: I tried to configure the ASA to use LDAP as normal Authentication and then the ACS as Authorization, but it failed, first off because the ASA started to use PAP/ASCII against the ACS and even if I allowed that, it seemed like the ASA wasn’t parsing the users password onwards, with the result that ACS failed and the user account ended up getting locked out in the AD).
I'm trying to setup a SSLVPN Portal for our customer which will authenticate against Active Directory using LDAP over SSL and with the portal have the ability to change password if it has expired. I have managed to setup everything now except for the password reset which is giving me a headache. This is the message that's presented by the portal when i try to change the password even though the same password works when i change it on a PC instead of using the portal.
"Cannot complete password change because the password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements."
And below is the output of ldap debug on the ASA5510 the Portal is running on.
 Session Start  New request Session, context 0xadbe760c, reqType = Modify Password  Fiber started  Creating LDAP context with uri=ldaps://x.x.x.x:3269  Connect to LDAP server: ldaps://x.x.x.x:3269, status = Successful  supportedLDAPVersion: value = 3
With regarding to the firewall ASA5520, i'm using it in my network, all the confiuration are properly configured and working but with the use of proxy address in internet explorer(e.:18.104.22.168/3128) all the blocked contents as easily accessible simply it bypass all the network through firewall.so will u guide me to block the proxy servers.
I have two asa 5520 firewalls. one at my primary data center connected to our production Internet feed, and one at my fail over data center connected to a backup internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our isp that will move our public facing address block from our primary site to our dr site in the event of a disaster so the ip addresses will not change if we were to have to fail over to the DR site. currently i just have to do any changes that i make on the fail over server but would like a way to at least simi-automat this if not fully automat this so that i can eliminate the possibility of human error of a change happening at primary but never getting don at DR.
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
I have a asa5520 with five Internet IP.One for the internet interface and the others are static maped to dmz hosts. It runs rightly until yesterday.Now it will lose the connection to the gateway many times everyday and the dmz hosts can not connect to internet any time. configuration(simplified):
! interface GigabitEthernet0/0 nameif internet security-level 0
I called ISP to check,when ISP clear their router's ARP, the asa will lose the connection at the same time and then the ISP's router couldn't learn the ASA's MAC. After I 'clear arp' manually,The ISP's router can learn the ASA's MAC and the connection recovered,but the DMZ's cann't access internet still (of course,There is no problem between DMZ and ASA ,I ping the internet gateway from DMZ host and can not get any reply.).
We have 2 x ASA5520 and I upgraded this to 8.2.2 last year, I see 8.2.5 and now 8.4 is out. If we are having no issues, is it best just to leave it as it is? I can see a couple of features I may find useful in 8.2.5, but 8.4 seems like a huge jump and a risky one too.
I am trying to introduce an ASA5520 to my network based on the following diagram: ISP Internet ------> ASA5520 ------- > Cisco Router ------> LAN. The problem is I cannot ping the ASA from the LAN. I can ping it from inside the router. I already allow ICMP within ASA. If i remove the cisco router and replace it by a swich, I can ping the ASA with NO problem.
We have 2 firewalls on PIX facing the Internet and connected to interface e1 (behind it) an ASA version 8.3 Both the PIX (Firewall facing) and the ASA are on the same subnet.
By using Routing statements and statics I have been able to reroute specific traffic to the ASA5520 version 8.3 Now I need to inverse the 2 devices. The ASA5520 will be facing the Internet and the PIX will be behind it.Unfortunately the ASA5520 is refusing to route the traffic to the PIX. The access-lists are open accordingly and a NAT on the ASA has been created.
i have my router connected to ISP then my router directly connected to my ASA5520....i use also ASA5520 as my DHCP Server and i was wondering with the DHCP Server function of ASA 5520 because if i use the ASA 5520 LAN ip ...all workstation will not be able to browse anything from the internet unless i use my ISP DNS IP which they gave me?
Get the following log message on secondary ASA console output when turning on the ASA failover function?
"Mate's service module (CSC SSM 6.6.1125.0) on slot 1 is different from mine (CSC SSM 6.6.1125.0)"
After that the secondary cannot join as a failover unit and shows in disabled status.We have the same model ASA & CSC module and each pair of them are in same firmware (CSC 6.6.1125.0 with ASA5520 8.4(4)1), when I shutdown both the csc modules, the ASA failover works fine.
I am using a squid proxy behind an ASA5520 firewall to collect the users to the internet. Squid is just necessary to log what is going on in order to find a quick solution when the internet slows down.
Considering that I have unlimited licenses and I would like to get rid of squid, I wonder if the ASA has some functionalities to track which websites are being used and how much traffic is generated. If there is not, I would like to know if Cisco offers a good product to replace Squid.
Upgraded an ASA5520 from 7.x to 8.4 in one step? Release notes for 8.4 state that you can "...upgrade from any previous release directly to 8.4..." I've read the previous version release notes and see the various changes in NAT etc that 8.3 made.
Any limits on the number of IPSec sessions an ASA5520 can support over a DSL connection?
Currently, as we increase the number of IPSec VPN tunnels, our LAN switches connected to the DSL/ASA start seeing CRC/input errors. Tried different LAN ports for both DSL/ASA connections - same reults (CRCs and errors). Swapped ASA for PC running 1 IPSEC w/HD video and no issues.
VPN connection bandwidth demand 50% of DSL capacity, so not exceeding DSL bandwidth. Errors get so bad that all VPN sessions drop - sometimes VPN sessions re-establish while other instances a DSL modem reboot is required.
cause of LAN switch connections seeing errors with 4+ VPN sessions established on ASA across a DSL Internet circuit?
I'm trying to configure an ASA 5520 with cut-through proxy feature. The user is required to be authenticated when trying to access an outside resource from the inside. This is a test lab before it is implemented in production. [code]
I have a pair of brand new 5520s I am in the middle of commission. After carving out all the DMZs etc I needed I realized that I really neede another physical NIC, not just another VLAN off a configured nic. [code]I am running 8.3(2). How can I turn these "Not used" interfaces into useable ones?
I have Cisco ASA5520 with a 8.4 code in GNS3. I have a problem pinging to the internet. On the ASA console, I can ping to outside world, but on vpc I cannot ping the outside world. But I can ping the ASA Inside interface and other VLANs, no problem. [code]
I have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.
I've got an annoying problem with my ASA 5520.I have traffic going from the inside interface (security level 100) to the outside interface (security level 0) with a global PAT applied to the outside interface address for all inside traffic - and I can't seem to traceroute through the firewall.The ruleset is simple - basically, allow any IP from inside to outside. The NAT is simple - PAT all traffic unless exempted to the IP address of the outside interface.If I do the trace from my internet edge router it works fine - so I know it's not soemthing my uplinks are filtering - but if I do it through the firewall, I get perfect responses until the hop where it hits the firewall interface - then nothing.Is there something I am missing that I need to do to allow traceroute to just work with all the rest of the traffic?
how do I verify if CG-NMS is enabled on ASA5520. I just need to know if it's enable/install to be enabled and used?Cisco Adaptive Security Appliance Software Version 8.0(5)28..Device Manager Version 6.1(5)51
I have a cisco ASA5520 box running with IOS version8.2(5)13 where default policy map is applied globally. But I have not seen any traffic being inspected through included protocol defined under policy map.All configuration seems to be ok for me.
service-policy global_policy global Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: ftp, packet 0, drop 0, reset-drop 0
I can no longer SSH to a primary active firewall. It had all of a sudden stopped working. However I am able to SSH to the secondary standby firewall without any problems. I did try to regenerate the RSA key on the primary fw, but still unable to connect. The only way I can connect to it is by using telnet.
I ran the "show asp table socket" command and I'm seeing port 22 listening on the primary IP address (not the standby), foreign address is 0.0.0.0:*. I did a packet capture on port 22 on the inside inside, seeing my request hit the fw and then right away a reset back from the fw.
version 8.2.(5) model ASA5520
I'm hitting a bug in the software version I'm running? Or what else can I check before rebooting the primary fw?