Cisco Security :: 5520 Build A WebVPN For The Company Urls

Jun 22, 2008

I have an ASA 5520 upon which I need to build a WebVPN for the company URLs - webmail, intranet portals etc. There will be 2 groups -

a. Confidential Access - For senior management.
b. Public Access - For employee access.
 
RSA Token & LDAP auth would be used for access to the WebVPN. However, I am unclear on certain aspects. How do I isolate the 2 groups? I mean only senior management should be able to view & access the first set of links while employees see and access the other set of links only. Both the groups will be available to all users logging on to the WebVPN. Since the authentication mechanism - LDAP - is the same, anyone would be able to access the groups and, in turn, URLs.


Security / Firewalls :: How To Block Unwanted URLs Or Sites

Dec 27, 2011

How to block the unwanted urls or sites in firewall?


Cisco Firewall :: 5520 - Restrict Remote IPSec Vpn From Company Pcs Only?

Aug 19, 2012

We wish to implement IPSec remote access VPN with the condition that employees should be able to connect to this VPN only from company-issued laptops and not from any other computers. I assume using client-side certs is one of the ways to do it but I couldn't find any doc that was really useful. Cisco's documentation seems quite obscure. We are on 8.1 (5520).


Cisco VPN :: ASA 5520 / Adding Certificate For AnyConnect WebVPN?

May 28, 2012

I am setting up Clientless AnyConnect on ASA 5520. I have a Verisign cert, but when I go to Certificate Management --> CA Certificates --> Add, put everything in and click "install certificate", I get an error. FYI I have the Primary Cert Authority installed already?


Cisco VPN :: 5520 - WebVPN Portal Page Not Loading

Nov 19, 2012

I'm performing a migration from an ASA5520 running version 8.04 to an ASA5525-X running 8.6.
 
The issue I had was that whilst all of the SSL VPN portal configuration was migrated, the initial portal page does not load. I thought that this could be to do with ASDM and WebVPN both being enabled on the outside interface and so I tried changing the port used for ASDM and disabled the ASDM altogether on the outside - but still to no avail.

Could this have something to do with the fact that you can no longer just point your browser at the outside interface of the firewall to get to the ASDM? Does some configuration need to change for the ASA to accept connections on the outside interface?
 
The basic WebVPN access as it stands right now is:
 
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

[Code].....


Cisco Security :: Backup WebVPN Personalization On ASA 5510?

Apr 1, 2008

I'm looking for a system to back up the configuration of the ASA. I've noticed this:

If the ASA is a 5510 or higher and has sw 8.x and ASDM 6.x, we have the ASDM -> Tools -> Backup Configuration command, which creates a folder containing all configuration files and WebVPN personalization.

What do I have to do to have the same command on ASA 5505 sw 8.x and ASDM 6.x? Or is there something similar using the console too?

And what about ASAs which have sw 7.x and ASDM 5.x: is there the possibility to back up WebVPN personalization?


Cisco Security :: ASA 5520 - Upgrade 8.2.x To 9.1.x?

Jan 17, 2013

I have a project to upgrade an ASA 5520 to 9.1.x, then add another ASA for failover.  What will be the correct way ?
 
I had the 2 Gb memory.
 
I have rewritten all nat statements (during my other 8.2 to 8.3 or 8.4 upgrade project, the nat conversion was catastrophic, so I rewrite all now).
 
Can I upgrade directly to v9 ? Or 8.2 -> 8.4 -> 9.1 ?
 
I think to :
 
- inject actual config in the new ASA in 8.2
- remove nat statement
- upgrade to 8.4
- configure new nat
- upgrade to 9
- connect the new ASA to the network and disconnect the other ASA
- test
- upgrade old ASA to 8.4 or 9 directly ?
- configure failover


Cisco WAN :: Allow Only Specific URLs On 861 Router Using MQC

Feb 27, 2013

I configured a Cisco 861 router to allow only youtube.com and block all other URLs. I used the below configuration but it is not working. Actually everything is blocked, even the access to the router. Is there any other way to achieve this requirement?
 
class-map match-any YOUTUBE
match protocol http host *youtube.com*
class-map match-all YOUTUBE-ONLY

[Code].....


Cisco Application :: ACE 20 - URLs Very Slow Sometimes

Jun 12, 2011

I have a performance issue with ACE 20: URLs are very slow sometimes, and not from all computers; some computers are facing this problem, not all of them.
 
[code]....


Cisco Firewall :: Do Need Security Plus License To Do HA With Two 5520

Mar 7, 2011

Do I need the security plus license to do HA with two 5520's? I was told by our purchasing department that the 5520 was supposed to be able to do HA out of the box, but when I look I see only the VPN + license. Does that mean I can download the security plus license? Or do I even need it on the 5520?


Cisco Firewall :: ASA 5520 And ACL Between Two Subinterfaces With Same Security?

Jun 17, 2012

I have an ASA 5520 running 8.0(3) with two Subinterfaces configured like this:
=================================
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/1.72
description VLAN 72

[code]....
 
(Notice that they have the same security-level.) I need to control the traffic between them with ACLs, so in ASDM I unchecked "enable traffic between two or more interfaces with same security level" and "enable traffic between two or more hosts connected to the same interface". Now I cannot ping from one VLAN to the other, as expected, but I tried many different ACLs and I cannot ping or telnet to the other side from either one.


Cisco Security :: Configuring SSL Certificate On ASA 5520

Jun 20, 2011

I have an SSL certificate from a third party that is showing under the Identity in ASDM; however, the audit scan of the firewall shows that the SSL certificate is signed with an unknown certification authority. I have installed the Intermediate Primary and Secondary Certificate from the third party under the CA Certificate of the ASDM; however, when I verify the SSL certificate it still shows as self-signed. What other steps am I missing? I have attached some screenshots.


Cisco Firewall :: ACL With Security Levels In ASA 5520

May 6, 2013

I have a DMZ (50) from where I need to allow some protocols to inside zone (level 0). I am doing that with an ACL, but after having done that the implicit security level rule to lower level (outside level 0) is not working anymore, I guess because of the implicit deny after the ACL. I'd need to allow traffic to the outside zone from DMZ, as well as the inspect traffic from the inside one. Is there any way to have both ACL and security levels?

If not, what do I need to do to just allow some protocols going to higher level and leave the higher-to-lower traffic inspected and allowed, same schema as we have with security levels?


Cisco Security :: ASA 5520 VPN To Nortel Connectivity

Feb 1, 2007

I'm trying to establish a site to site ipsec tunnel between an ASA 5520 and a Nortel Connectivity box. Despite trying a number of different transform sets and IKE setups it keeps failing at phase 1 with:

Information Exchange processing failed
Received an UN-encrypted INVALID_ID_INFO notify message dropping.


Cisco Security :: ASA 5520 No Longer Sending Log To FTP

Sep 22, 2011

We have an ASA 5520 which is configured to send log files to an FTP server. It had been doing that until recently, when I found out that it stopped sending the logs on August 11. I can't remember what I have changed in the ASA config to make the FTP stop. I changed the FTP config to another server but it won't upload any log file.
 
What can I do to make the ASA save the log buffer to the ftp server again?


Cisco Firewall :: How To Block URLs In ASA 5510

Oct 9, 2011

I have 1 firewall module of ASA 5510. I am trying to block some URLs in it via ASDM but it is not working.

So far I have tried following the standard Cisco doc, which shows how to enable URL blocking via ASDM and via regex. Not working in my case.


Cisco Firewall :: SA520W - Blocking URLs

Mar 17, 2011

I purchased an SA520W for my company, and I have some problems configuring the firewall. I want to deny access to Facebook, YouTube and Twitter, but not for 4 hosts which need these websites for work. I tried to configure content filtering > blocking URLs, but with this solution I deny access for all users. So, I tried to make IPv4 rules:

The 4 hosts who may access to these websites are 192.168.50.124 to 127
 
Example :
FROM Zone : LAN
TO : WAN
Service : Any
Action: block always
Source hosts : 192.168.50.32 to 192.168.50.123
destination hosts : 66.220.158.11 (one of the facebook's ip)
 
But it does not work. So, I am looking for another solution, or maybe my rule is not correctly configured?


Cisco Firewall :: ASA 5520 / Same Security Level Interface ACL?

Nov 10, 2011

On a Cisco ASA 5520, I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other but I DON'T want to blanket enable "same-security-traffic permit inter-interface". I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic and it simply doesn't work.
 
interface GigabitEthernet0/3.175
 vlan 175    
 nameif Test175
 security-level 30
 ip address 172.30.175.1 255.255.255.0

[code]....


Cisco Firewall :: ASA 5520 8.2 With Same Security Level Interfaces

Mar 27, 2013

I have issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with ACL. Even no restriction, traffic does not go through. [code]

I tried to access server from THREE network to web server at FOUR network I have no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) " I am not sure what else should I do. I add both same-security-level commands and it is the same.


Cisco Security :: ASA 5520 And Redundant Interfaces Design

Apr 17, 2011

We have two multilayer switches and only one ASA 5520. I'd like to connect ASA in the way described on the picture: each redundant interface includes two physical ones, which are connected to different switches

My question is what kind of link it is necessary to have between switches to make this idea work? I'd have subinterfaces like Re1.100, Re2.200 and so on for my traffic.
 
I understand that correct design approach is to have two redundant firewalls with failover but we cannot purchase the second one yet.


Cisco Security :: Dual ASA 5520 WCCP Configuration?

Dec 6, 2012

I recently configured WCCP with a Sophos Web Filter on my network it works good but the problem I am having is I have two 5520s so I am directing the device to look at 2 different IP addresses and since the devices are in an Active/Passive failover.  The problem is because the second device is in a passive failover it is not responding which is throwing connection errors to my Sophos device.  I know you can have a single management connection for the ASA's but is there a way to have a single IP for the ASAs for the WCCP?


Cisco Firewall :: ASA 5510 Filters URLs In HTTPS?

Nov 22, 2011

My company uses a pair of 5510 ASAs as the gateway to Internet. I once configured policy-map to filter certain webpages (facebook, twitter, ...etc) and they work fine. However nowadays those websites all support HTTPS. In HTTPS the URL seems encrypted so I can't do a regex match... Is there any way that I can still block those webpages?
 
Another two ways I can think of are

1. Block IPs (don't really want do this unless absolutely necessary)

2. Block DNS for the URL (however they can work around by setting static DNS entries)


Security / Firewalls :: Cisco ASA 5520 - Mac Address On Servers And Switches

Dec 16, 2011

I am having some challenges on my DMZ network. My servers and Cisco switches in the DMZ are picking up the MAC address of the firewall (Cisco ASA). I have put some static ARP entries on the firewall and switches but the servers and users on the DMZ are still receiving the MAC address of the firewall. How can I stop the firewall from changing the MAC addresses of the devices on the network? My ASA is a 5520 and I have 2960 switches.


Cisco Firewall :: Connection Failure In ASA 5520 Security Contexts

Mar 27, 2011

I've got a virtualised firewall running 3 security contexts in routed mode. What I am experiencing is that I cannot connect to an OUTSIDE host through the security contexts. From the firewall itself I cannot ping the directly attached host on the OUTSIDE interface but I can ping the directly attached host on the INSIDE interface. When I reload the firewall box, the first ping to the OUTSIDE host would be successful but subsequent pings fail and thus total connectivity is lost.
 
I even tried upgrading to ASA version 8.4(1) but still the same.


Cisco Security :: Unable To Access ASA 5520 Using HTTP / HTTPS?

Dec 9, 2010

I was unable to access my ASA 5520 using HTTP/HTTPS, even on the management interface. I had upgraded the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin. But the issue is still the same.

My browser shows the error message as in the attached image.
 
PGA-Firewall-02# sh run
: Saved
:
ASA Version 8.3(2)
!
hostname PGA-Firewall-02
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif public
 security-level 0
 ip

[Code]....


Cisco Switching/Routing :: Port Security On Nortel 5520

Jun 6, 2012

I've just completed a port security project at a site on numerous Cisco switches and all works well, however they have 2 Nortel 5520 switches (which I left until the end) which they would like to lock down.  I have logged a message on the Nortel forums and I have heard nothing for days.  I just need to lock 2 ports down to the Mac address of 2 computers stopping any other computer being plugged in. 


Cisco Security :: Subinterface Stops When Use VLan 1 Default ASA 5520

Mar 17, 2011

I'm trying to configure a subinterface named Inside with VLAN 1 but the interface stops working with this VLAN. My switch is a Cisco and uses the LAN with VLAN 1 too. If I change the VLAN to another, e.g. VLAN 13, it works fine. And all other VLANs work fine too. Is there a problem with using VLAN 1?
 
My configuration is:
 
Cisco ASA:
interface gig0/3
no ip address
no security
no nameif
 
Interface gig0/3.1
vlan 1
nameif Inside
security-level 100
ip address 10.x.y.x 255.255.224.0

The giga port of the switch is configured to trunk mode.


Cisco Security :: ASA 5520 - VPN Client Remote User Limit

Jun 16, 2012

How many remote users can connect using Cisco VPN client on Cisco Firewall ASA5520-BUN-K9? I have already read the VPN Client FAQ, but it has no information about user limitation.


Linksys Wired Router :: Cisco RV180-K9 How Many URLs Can Be Blocked

May 23, 2012

How many URLs can you block with this router? Also, is it good for games and watching videos or is it just a slow business router for business stuff?


Cisco Firewall :: ASA 5510 - Block Certain Websites (URLs) Using Regular Expressions

Jan 31, 2011

I have a Cisco ASA 5510 as firewall. I was trying to block some sites using the link provided below

[URL]

and it's working fine, but the problem I am having is that when I go to download an attachment from Hotmail it's not downloading; from Gmail and other mails its


Cisco Firewall :: 5510 Block URLs Using Regular Expressions For Some Clients

Oct 20, 2012

I use an ASA 5510 and I want to block some URLs:

- 192.168.2.70 to 79: allow everything
- 192.168.2.80 to 89: block facebook, myspace, twitter
- 192.168.2.90 to 99: block facebook, myspace, twitter, youtube, dailymotion
- 192.168.2.100 to 199: deny everything


Broadband :: Store Urls Used By The Client Side In The Server Using Java?

Jun 28, 2011

How can I store URLs used by the client side in the server using Java?


Linksys Wireless Router :: E4200 - Static Media URLs

Jan 1, 2012

I'm a big fan of Cisco products and recently have purchased an E4200. I always connect my iPod classic to the router and listen to the music on my PS3 and laptop. The only problem is that I can't make any playlists since the media server creates a different link to a song every time I reconnect my iPod. It'd be great if you allowed the server to create links like below. I'm sure all the users will be much happier with it! [URL] like this.

Something tells me I'll never see the day that I can activate this feature on my E4200. Anyway, I leave it to your engineers to make it happen...








Copyrights 2005-15 www.BigResource.com, All rights reserved