Cisco Security :: ASA-5540 / UI - Send Command ASDM Location (network Object IP Address) To Device
Dec 17, 2007
Whenever I create a network object in ASDM 6.0(3) the UI also wants to send the command 'asdm location (network object IP address)' to the device. What is the purpose of 'asdm location ....'? Is it telling the ASA-5540 that the IP address is allowed to connect to the device using ASDM? If that is the case, why does 'asdm location xxx.xxx.xxx.xxx' get generated for every network object I create?
Before running firmware asa722-k8.bin and asdm-522.bin, ASDM "asdm location" config lines were created when we created a network object. After the upgrade to asa722-k8.bin and asdm-522.bin this disappeared. We recently upgraded to asa724-k8.bin and asdm-524.bin, which brought those config lines back. So is "asdm location" needed, and if not, can we make sure those lines won't pollute the config file?
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test
network-object 192.168.0.0 192.168.63.255 ?
network-object-group mode commands/options:
 A.B.C.D Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range, it looks like the ASA doesn't read that configuration properly.
I have a 5540, and I am trying to allow access to the internet for a specific network object group, which contains a bunch of users who need direct internet access without any restrictions. I have tried with dynamic NAT, but that configuration asks for a specific IP or a network range, and it is not permitted to configure an object group as a source.
The group is located in the LAN zone, so a permission from one zone to another zone is needed, I think, but I can allow the internet access to that group. Is there another way to get that, different from NAT?
We have an ASDM (version 5.2(3)). In the ASA (version 7.2(3)) we are working with routing, access restriction and configuring IPSEC VPN with integration to our AD. We need to get two different profiles: one for networking administrators, who are going to manage routing and ACLs and have root for the ASA, and the other profile is going to be for the VPN administrators. As I read from the ASDM 6.0 user guide, it is possible to define command privilege levels. So do you consider it possible to define a particular level for all the commands related to IPSEC VPN (Create, Modify and Delete) and associate that particular level with the user for VPN administration?
I just tried to do a quick privilege level setup for a user to limit access to the ASA. The user should be able to add NATs to the configuration. ASA 8.4 is in question, and trying the following does not seem to work:
privilege configure level 3 command object gives me: ERROR: specified command 'object' not found in any mode. It looks like locally this cannot be done, or I am doing something wrong?
I'm running a home network with 3 computers via a linksys router attached to a westell modem. Is there a local network messaging system I can use to pop a message on a screen to one of the other computers? Can I use DOS?
I have a server that I need to open up some ports on to allow access to the new internal Sharepoint server we're setting up. I've been having some issues getting the ports open, like once I put the commands in and save them, that server suddenly stops allowing outbound traffic. After looking at a few things, I noticed while I was looking at the config file that the ASDM location is showing 2 IPs; both are the same as the server I'm trying to open ports for, one being the private IP and the other is the public IP I'm trying to use. Is this the reason I'm having problems when I try to open those ports to my server? Do I need to use both a different private and public IP for this server so I can get my ports to work? The programmers selected these IPs, so if I need to change them I'll let them know in case they need to make changes for the Sharepoint setup. This is on an ASA 5505.
I have a Cisco 5540 with AIP-SSM-40. Recently I configured the AIP-SSM-40 to capture all traffic from all interfaces, any to any, in promiscuous mode, and if the card fails traffic still flows through the ASA, but after that I can't log in to Cisco ASDM. The error is "Un Able To Launch Device Manager From xx.xx.xx.xx"
Environment: Solaris 10(Sparc) LMS 3.2 RME 4.3.1 CS 3.3.0 CM 5.2
I need to delete a device from CiscoWorks but I cannot find it in the Common Services->Device Management search. I can find it by IP address using the Network->Object Finder. It has an IP address, hostname, display name, and "managed by" information in the search results. Supposedly it's managed by: RME IPM DFM (listed twice). However, when I click on the device link, it has almost no tools available (limited to ping) and no device information. I'm hard pressed on how to delete the item without having it in Common Services so that I can select it and then click on "delete". How can I purge this device?
I have one server-A (Windows 2008) with one application installed called "host front", which gives authentication to connect to the Linux (mainframe console) server (SERVER B). These 2 servers are behind the firewall. If an internal user who has the authentication to log in to server-B tries to log in to server A, they will get the "username and password" screen, and once they enter the username and password, they will get the server-B screen. But if somebody tries to connect via MPLS (we need to test MPLS site customers) from outside via the ASA 5540 to server-A, they will get the "username password" screen, and once they enter the credentials, after 1 minute they will get the error "http server faild to send datas to the server" and will not move to the server-B screen.
We have an ASA 5540 failover bundle working in Active/Standby mode. On our active asa 5540 when the sh run command is issued it gets stuck and displays the output after more than 15-20 mins.. and it takes another 10-15 mins to get back to the prompt..
However, on the standby ASA 5540, if the sh run command is issued, it displays the output and comes back to the prompt (even though this also takes 2-3 seconds).
I have tried rebooting the active ASA 5540. We are running ASA version 8.2.2.
I would like to have these commands on our firewall to prevent at least several students from using this service. How do I translate this? It's apparently working great if I use a Linux box or another firewall compatible with iptables.
I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups, the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 22.214.171.124 126.96.36.199. Both ASAs have the same image version (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?
I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox):
This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
It also gives me the same error if I try to change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMWARE install):
Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 188.8.131.52
ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
Hostname: ACS1
Version information of installed applications
---------------------------------------------
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 184.108.40.206
Internal Build ID : B.839
I'm suspecting it's a read/write issue with the database or a database corruption. I have stopped and started the application acs via the console, and show application status acs has the following to say about itself.
ACS1/admin# show application status acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
I have a Cisco 5540 that terminates one end of a L2L tunnel, the remote end is a Sonicwall TZ100. The tunnel is in place to carry voice traffic and I have a need to decrypt the traffic that's been captured in .cap file using Wireshark 1.8.5. How to go about getting the session keys from either device?
I just got the Motorola Droid 3, my first Android device. I'm trying to figure out how to get my device to connect to my network, as it won't obtain the IP address. I have a Motorola Surfboard SBV5120 Modem and a Microsoft MN-700 router. I just switched from the Palm Pre Plus, which connected perfectly to this network. The network is unsecured and has 2 PCs and a 360 running on it. I was able to connect to my friend's wireless network fine at his house.
Bell gives me an IP address, and if I reset my modem I will get a new one. Take for example I have an IP address at 7:30pm and decide to reset my modem at 8:00pm. I now have a new IP address. Will my previous address, the one I had at 7:30pm, be able to be traced back to me in any way? Can any of my previous addresses be traced back to me in any way?
How does a device attached to a Cisco IP Phone send data to the switch?
a. As tagged (using the voice VLAN)
b. As untagged
c. As tagged (using the data VLAN)
d. As tagged (using the CoS value)
The correct question is A in the book, though it said that tagging is a switch process and PCs don't tag frames.
How do I check the IP address of others when chatting or playing an online game? I could only know that he is Mr. X from YZA country, which appears on screen, but I also know he is using a wrong name and wrong country name. I would like to check his IP as well as his place.
Do you know an easy way to determine the physical location of the device where an IP address is attached? IP geolocation doesn't work well. Is something like this possible? I know it could be if you are the network administrator and know the location of your equipment and stuff.