We are going to purchase a Device , thte sites and also VPN server for remote access ( EzVPN), Should we use ASA or should we use Cisco 1800 series router with security software. The main purpose of this device is to terminate all VPN connections ( Site-to-site) and remote access.
View 1 RepliesI have cisco router model 1921 , how can i terminate my existing pppoe connection to 1921, so that my other LAN users can use internet.
1- One cable (RJ45) which is comming from ONT has connected with Integrated WAN Port on router.
2- One cable (RJ45) which going to my LAN switch has connected with Integrated LAN Port on router.
Now i need to configure my router, so that i can give internet access to my LAN users. I red cisco's guides but not clear regarding configurations, because in guides they use modules to configure pppoe. But i am not using any module, i am simply connecting one cable for WAN and one for LAN.
Our HQ Location dont support high bandwidth pipe served by ISP, so will go ahead with 3 different ISP at 2MB each.Goal is to provide Email / Application access to Remote office using site to site VPN.In Total will have 10 to 15 Branch offices each with around 25 to 35 users
Each ISP will give
/29 subnet of public IPCopper Interface for WANdefault Gateway and Two DNS server IP will be provide Existing hardware we got are Cisco 2821 Router with 2 FastEthernet ports ( not in use )24 port switch 2900 series ( not in use ) Can we use the above hardware to terminate all 3 ISP link and use the Router for site to site VPN.
Our Lan Core is Cisco 3560 which is uplink to 3X2950 user switch?how should we terminate the link and use each ISP for VPN.
we configued An ACE 4710 with SSL termination on Oracle Aplication Server 10g (10.1.2.0.2) ,so that SSL termination is done on the ACE and HTTP reaches the Oracle Aplication Server 10g (10.1.2.0.2) then we configure the ACE to enabled client authentication with Pkcs#11 smart card token certificate and this don succfully my problem need do this client certificate authentication for only the [URL] not for all SSL proxy service how can do that.
View 3 Replies View RelatedI read in the Cisco IOS ASA documentation (8.x) that some group-policy attribues are only available for soft-VPN clients while some are available for both soft-VPN clients and L2L VPN clients. Cisco didn't clearly specify which attributes were available for which clients.
To aid me in troubleshooting my L2L VPN setup could someone indicate if the order of events (listed below) is correct for ASA 5520 with IOS 8.x and if the attributes selected are available for L2L VPN clients?Also, are there "show" commands to reveal more details about tunnel-groups, group-policy, etc. when used with VPNs?
We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
1. Are there any limitations in the one-arm design and the SSL offloading
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
I am terminating GRE vrf-lite on my 7600 and using loopback as source for each client.I found one problem where 7600 seems to be not forwarding traffic until I delete create the tunnel interface.Worked fine for a week. Then stopped again. I had to delete,create again tunnel interface.
View 6 Replies View RelatedI am setting up a new ASA 5510 on our inside network so that we can terminate our VPN connections on this ASA. I can get the VPN to work fine however I noticed that once I turned on my VPN profiles now when I try to access the ASDM I'm getting the VPN logon page. So I decided that in order to resolve this I need a separate interface dedicated to management of my ASA.
I'm trying to come up with the best way to do this. I've got two ports on the ASA plugged into my core switch. One is on a separate VLAN from the rest of my network traffic. This is the port I want to use for management. The second will be used to route all of my VPN traffic.
So far I haven't been able to get this to work at all. My thought was that it had to do with routes, NAT and ACLs. I've been playing with them but can't get any combination to work.
Cisco SRP527W-U.
We would like to configure it in the following way, 1) we have an ethernet termination for the WAN 2) we have 2 different vlans going to 2 different switches.
Can we have the default gateway for 2 LAN subnets and a default route via a /30 for our WAN. Can we use the 4 switchports for this?
switchport 1 VLAN 2 (Switch 1 LAN)
switchport 2 VLAN 3 (Switch 2 LAN)
switchport 3 VLAN 4 (Link to Data centre switch with /30)
We have an ASA 5510 with ~100 vpn lan2lan. Now we need to migrate to a new ISP, so we have connected a new asa interface to the internet. Default gw is still on old connection. We are trying to migrate vpn lan2lan using static routes, pointing ip of remote vpn gateway to new isp gateway. VPNs going up, but when they try to send traffic, I can see Rx counter growing up, but Tx remains 0.. I've tried with different vpn (old and completely new), and problem remains.
View 1 Replies View RelatedIm trying to configure an ACE 4700 so that SSL termination is done on the ACE and HTTP reaches the weblogic server instance. I have a working setup of a Apache reverse proxy doing SSL offloading and using a weblogic module and that works fine Was reading [URL]. Any working config example for doing this with the ACE4700
View 2 Replies View RelatedI am doing an small project, I have to connect 4 cisco switches SF 302-08 (1 GBIC each one) to a core switch SGE 2000 (4 GBICs). Because of cable length I have go connect all 5 switches with fiber. The fiber termination is multimode LC duplex. My confusion is on the mini GBICs. There is compatibilities issues i been reading. [code]
View 3 Replies View RelatedThe "Wireless Network Monitor" for my Linksys Dual-Band Wireless A+G Notebook Adapter Model No WPC55AG has been unable to run after I last updated my Windows XP machine using Windows Update. The problem presents itself immediately upon login (because the monitor is set to run on startup) with an error window that says "Abnormal program termination" and "WPC55AGV2.exe" in the title bar. I suspect the problem occurred because one of the new updates included an upgrade to the Microsoft .NET Framework Services 3.0.
View 6 Replies View RelatedI have a router with 2 WAN (MPLS) connections to two different IPSs.One connection is a 3mbs MLPPP connection and the other is a 10mbs MetroEthernet connection.Both use BGP to peer up with the ISP with private AS numbers (65001, 65002, etc)I want the router to always prefer (use) the BGP connection through the 10mbs link, but here are my considerations:I can't change the prefix length for the peers. In other words, BGP 65001 is going to advertise 192.168.21.0 /24 to its peer, and BGP 65002 is going to advertise the same network with the same mask.What is the best way to make sure the 10mbs link is always preferred? Can I do local preference?
View 6 Replies View RelatedI have sub-interfaces created on the switch and are in active(up/up) state,but these sub-interface not available for selection in the instance window while creating the poller, and am not able to monitor the traffic on these sub interface in the performance management.
LMS will not display the interfaces in the instance selection window if they are not active, but here the sub-interface are in active state but these are not available.
I am designing a new NAT configuration for an ASA 8.4
On my PIX 8.0 configuration I needed to allow bidirectional traffic between interfaces with different security levels. For example, Inside at 100 and dmz at 50.To accomplish this in 8.0 I used a static NAT command along with any necessary ACLs.
I now need to apply this same 8.0 config for 8.4. With the static command not availablein 8.4 I am unsure of which NAT commands to use to achieve the bidirectional traffic.
I multi homed to dual ISPs using a single 6509e. Currently, I am only receiving a default from wash ISP and marking one with a higher local pref. most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out thru that provider only to be black holed. My 6509 will only support 256k routes, so full route tables isn't an option. I could receive partials from each ISP. Is there any other method to detecting this upstream ISP issue and then adjusting my local pref on my default to use the alternate provider path?
View 3 Replies View RelatedI multi homed to dual ISPs using a single 6509e. Currently, I am only receiving a default from wash ISP and marking one with a higher local pref. most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out thru that provider only to be black holed. My 6509 will only support 256k routes, so full route tables isn't an option. I could receive partials from each ISP. Is there any other method to detecting this upstream ISP issue and then adjusting my local pref on my default to use the alternate provider path?
View 3 Replies View RelatedWe purchased an ASA 5505 (ASA5505-BUN-K9) and more recently purchased the license to upgrade it from 10 to 50 users (L-ASA5505-10-50). I would like to provide remote access to users via AnyConnect - specifically, AnyConnnect on Windows plus the iPhone/iPad and Android versions. My understanding is that I should purchase the Anyconnect Essentials (L-ASA-AC-E-5505) and Anyconnect Mobile (L-ASA-AC-M-5505) licenses. Is this correct? If I do this, how many simultaneous remote access VPN connections (via Anyconnect clients) will the ASA then support?
Further, we did not initially purchase Smartnet with this device, but I would like to do so to gain access to software updates. Is there a site or document where I can locate the SKU #'s for Smartnet contracts that would be appropriate with our device?
The output of "show version" is below:
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"
[code]....
Our company is in the process of replacing our old firewall with a Cisco ASA since our old firewall can handle only 170 concurrent users and we are expanding fast. Can I know what are the considerations when selecting from the different models of ASA currently we are debating if we should buy a 5510 or a 5520 also can I know if cisco ASA also have a limitations on concurrent users online in a lan like our old firewall. By the way we are a Call Center company(going 500 seats) so we are using VOIP(Asterisk using SIP and IAX).
View 1 Replies View Relatedi want to install a 3500e. I have a hole in my wireless network where this AP will be a perfect fit. I do have a wireless controller running code 6.x, so I think I will need to upgrade to 7 which is not a big deal.
The problem I have is the antenna selection. Since the AP has MIMO multiple-inputs multiple-inputs I’m perplexed on the type of antenna to choose. Since the environment is a warehouse the Omni directional would be preferred - should I also add the dipole antenna for close proximity to the AP. Also, I noticed in the getting started guide the 3500e has 6 external connection points 3 for 2.4 and 3 for 5 GHz. The antenna documentation says to use dual-band antennas, but this contradicts what is shown in the getting started guide. So what antennas should I get to make the 3500e work in a warehouse environment.
I am using Cisco 7609 IOS15.0(1)S1 and Cisco 3600 IOS 15.1(2)EY.I am trying to provision VPNs over MPLS network.All I found in the documentation is how I attach a whole interface to a VRF.However, I need to be able to attach a VLAN (or any other matching criteria, for that matter) to a VRF.In other words, I want to be able to attach port 1/1 vlan 100 to VRF-A and port 1/1 vlan 200 to VRF-B.
View 1 Replies View Relatedthrough asa webvpn we need to provide our user remote destkop access; we would not use static rdp:// bookmarks for this accomplishmet as this would grow too much management effort with bookmarks updating. Our strategy would be to give users the "url entry" bar where they can input the resource name (example: "pc-flavio.mydomain") so the management effort is outplaced to the guys who manage the dns server. This stated, we noticed that most end-users would get in troubles because of the default-ing "url-protocol" is http://, so they don't change it to the correct rdp:// from the drop-down list and don't have the java-rdp applet started. There is a chance to admin the default protocol for URL Entry Functions? Our setup is asa 5510 ver 9.1, act/stb failover.
View 2 Replies View RelatedI just installed a new ACS 5.1 to authenticate wireless PEAP users, so I created an Access policy "WirelessUsers" with identity store being Windows Active directory and all domain users are selected, and create a service rule that dictates that if the authentication protocol is radius, network device belongs to WLC device group, the result service will be "WirelessUsers", so this part worked perfectely, all domain users are able to gain wireless access via their DOMAIN/usernames and domain passwords. Now I want ACS local indentity store users (those local usernames can be the same or different from their AD usernames) to be able to manage those controllers, so I created another access policy "DeviceAdminUsers" with identity store being local users, another service rule which says that if the authentication protocol is radius, network device belongs to WLC device group, the result service will be "DeviceAdminUsers". The problem is that with the setup, whenenve when I try to SSH to WLC, ACS always put me in "WirelessUsers" access policy, even the login name does not have DOMAIN pre-pended or the login name simly does not exist in AD. if I put the second rule in front of first rule, I am able to authenticate with ACS local username/password and gain access to WLC, but wireless users will fail to authenticate, because ACS is trying to put regular wiress users in "DeviceAdminUsers" access policy. I would expect if username does not exist in AD, ACS should proceed with next rule. Similar requirement was easily achieved in ACS 3.3.
View 5 Replies View RelatedI'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7.So, I went to configuring the cisco-assign-ip-pool (Cisco VSA 218) attribute within some test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.
As far as I can remember, we used to put pool *names* within ip:addr-pool
(something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").
So how should we configure the values for this attribute in ACS 5?
We have a campus with both office and industial areas with various propagation problems. Historically I have been installing and maintaining access points in the 1200 range, the latest being the 1242. All these have a similar antenna setup based on diversity pairs.Since Cisco seems to be dropping the old series any week now I have been looking at the 2602 as a replacement.I can find no good documentation on antenna selection and mounting suggestions for these.If I want a proper omni coverage pattern with dual band antennas, do I just set them to a H form assuming the unit is sitting on a wall?
View 1 Replies View RelatedI try to let Cisco ASA automatic select a tunnel group for users, after user input username and password. I try to do this without user selection a connection profile on login page. Authentication on ASA<>ACS 5.3<>MS AD. How i can will do this? Radius attribute class=group_policy don't work.
View 1 Replies View RelatedWe have a deployment with six 1524SB mesh APs. Two are used as RAPs and face east and west respectively with directional antennas and two MAPs on each side with omni antennas. The RAPs are within 20 feet of each other. I set the bridge group name as east or west depending on which side of the mesh the equipment is located but noticed the downlink channel is set to 56 on both RAPs. I don't remember setting the channel for the RAPs, but they aren't using the global DCA.Would best practice be to change the downlink to unique channels on the RAPs, enable DCA (if it will let me), or is a unique bridge group name sufficient enough?
View 2 Replies View RelatedI have a mixed WAN environment with both eBGP and EIGRP routes. The BGP routes should always take precedence, when they exist. If no BGP routes exist I want the router to fail over to using the EIGRP routes. So far, this works fine.
The problem is, when the BGP route again becomes available (and the associated entry appears in the "sh ip bgp ... received-routes" output) the router is NOT relinquishing the EIGRP route. It remains in effect, showing as a "D" route int the route table even though there is a better ("B") route available. If I bounce EIGRP or the interface associated with it, the EIGRP route disappears and the BGP route reasserts itself, and everything will run correctly until the next time the BGP route disappears due to maintenance, line failure, etc.
My router is (C2900-UNIVERSALK9-M), Version 15.3(1)T
Here's the associated config
interface Tunnel101
description VPN backup WAN interface
bandwidth 7168
ip address 192.168.75.1 255.255.255.0
[code].....
We have p2p link that interconnects our data centers and the bandwidth is 150 meg link.In the current architecture, one end of the link is Nexus 7k (data center 1) and other end is catalyst 65k (data center 2)..We are planning to migrate this link to routers. We planned to install 3945 router on both data center and move the p2p link to this routers. [code]
View 2 Replies View RelatedI have a requirement to select a farm based on source IP address. I tried creating a match all class-map that matches on the virtual-address and source address but I get this message.LB01/Admin(config-cmap)# match source-address x.x.x.75 255.255.255.255 Error: Only one match virtual-address is allowed in a match-all class-map and it cannot mix with any other match type To me this is the only place where it makes sense to set the source match criteria.
View 2 Replies View Relatedthe best antenna to use in high-ceiling environments, as in 25 feet or higher. He was in favor of using a high gain, omni, such as a the AIR-ANT1728. I was against this form of antenna due to their increased horizontal radiation and decrease of vertical. I was more in favor of an antenna similar to AIR-ANT24 30V-R. I've seen successful deployments with both options, but curious what the community has to say on the matter.
View 1 Replies View RelatedI'm working with an ACS 5.3 and ASA 8.2.5 and i've configured several access services for webvpn and ipsec remote access profiles but i haven't found which radius attribute can differentiate among them in the service selection rules.
View 5 Replies View Related