I have a Cisco 5520 cluster and Cisco AnyConnect Secure Mobility Client 3.0.5080. I eventually want to connect by means of a smart card, and I was able to connect a few weeks ago. Now I am hassled by the error "Logon denied, unauthorized connection mechanism, contact your administrator." Well, that's me, and I do not know anymore where to look on the ASA. I thought it had something to do with the authentication method, but neither AAA (AD or Local) nor certificates is working now.
I use 802.1X to authenticate the company-network devices; authentication works fine. I do not use dynamic VLANs --> static VLAN config on 802.1X ports --> authenticated devices have access to the network.
Is it possible to use a guest VLAN? Unauthenticated devices should connect to a different VLAN than authenticated devices.
One more question: Is MAC authentication also possible?
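Both things asked above (a guest VLAN for devices that never answer 802.1X, and MAC authentication) are standard port features on Catalyst switches. The following is an added example, not configuration from the original post: it assumes a Catalyst running IOS with the "authentication" (auth-manager) command set, a RADIUS server at 192.0.2.10, and made-up VLAN numbers (10 for authenticated devices, 99 for the guest VLAN, 98 for the auth-fail VLAN). On older IOS the interface commands are "dot1x guest-vlan 99" and "dot1x auth-fail vlan 98" instead.

```text
! Added example (not from the original post). Addresses, VLAN IDs and the
! shared secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 key ExampleSharedSecret
!
interface GigabitEthernet1/0/10
 switchport mode access
 ! Static VLAN for devices that pass authentication (as in the post).
 switchport access vlan 10
 dot1x pae authenticator
 ! Try 802.1X first, then fall back to MAC Authentication Bypass (MAB).
 ! MAB sends the client MAC as username and password to RADIUS, so the
 ! RADIUS server needs a list of permitted MACs.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 ! No EAPOL answer at all (printer, visitor laptop without a supplicant)
 ! and no MAB match -> guest VLAN.
 authentication event no-response action authorize vlan 99
 ! A supplicant that answers but fails authentication -> auth-fail VLAN.
 authentication event fail action authorize vlan 98
 ! Shorten the wait before the switch gives up on EAPOL and tries MAB.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
!
! Checks: which method authorized the port and which VLAN it ended in.
show authentication sessions interface GigabitEthernet1/0/10
show dot1x interface GigabitEthernet1/0/10 details
```

Two caveats worth keeping in mind: the guest VLAN is meant for devices with no supplicant, not for users who fail authentication (those land in the auth-fail VLAN, or stay unauthorized if none is configured), and MAB is only as strong as the MAC list, since a MAC address is trivially spoofed. Treat the guest and MAB VLANs as untrusted and filter them accordingly.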
192.168.0.1 "HTTP 401 unauthorized access: Authorization is required to access the configuration server. You must enter the correct username and/or password." I am trying to set up my Netgear wireless router. I have my username and password, but never get the chance to type them in. My default gateway is set to 192.168.0.1, but when I type it into the web address bar, I get the HTTP 401 error message above. I can access the internet through a LAN cable now, but would like to get wireless set up to do so.
Windows IP Configuration
Host Name . . . . . . . . . . . . : User-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
In short, I had the following problem in the past, but it solved itself when people physically left the area. Now they are back, the problem is occurring, and this time I have as many router settings as I can find to maybe aid in the solution.

This is the problem: We have a wireless network where the physical equipment is not available to users, and yet the local network name and password continue to be changed wirelessly FROM, say, "ABC network" with network password "ABC secret password" to "Jimmy's Network" and network password "some new string of letters and numbers". (We know who Jimmy is but will not approach him until we learn if this situation is inadvertent on his part or more purposeful, which we doubt as of now.)

Cisco Linksys Wireless-N Home Router WRT120N [router settings not included]
We have blocked some sites in the router which our users cannot access, and they get the default browser message "page cannot be displayed". But I want to display a page like "You are trying to access an unauthorized website" or something like that when they try to open such websites.
We have a Cisco 6509 as an access switch in our network. Each user has an IP phone and a computer. We are going to implement 802.1X for end users by next month. I need to check all the users' activity in the network, like if someone plugs an access point or a router into the network. I just checked Cisco NAC and how to detect those activities on the network.
I need to get more details on Cisco NAC or other products for that purpose. Also, what is the difference between Cisco NAC and an application like Microsoft TMG?
Is it agentless, or do I have to install something on the computers? Does it work as the default router for users' computers?
Simply put, a wireless network was set up with a network name and password in a senior community of primarily beginner users. Recently the name and password were changed to those of a community member named, let's say, "Joe". After addressing the router several times to change things back, only to find that the network name reverted to Joe, I changed the router password from admin to a unique password and confirmed that Remote Management was off. Next day... it was Joe again.
We are currently using Cisco VPN Client. I'm looking to migrate to Cisco AnyConnect. Our ASA 5520 has 750 IPsec and 2 SSL licenses. I also have approximately 40 IPsec site-to-site VPNs on this.
- Will AnyConnect interfere with the site-to-site tunnels?
- If I set up AnyConnect with IPsec instead of SSL, do I still need to purchase the Premium or Essentials license?
- Let's say I do have to get the license and I get Essentials; will it cause any issues with the site-to-site VPNs?
I have a VPN tunnel between my ASA 5520 and another device. The tunnel is up and there are no problems with that. I have a SIP device behind my ASA and another one behind the other device (no specific details about the other side since it is with a client). I have allowed the (ICMP & IP) traffic to pass through the tunnel, and I can successfully ping the client's SIP device from my SIP device through the tunnel. When I try to make a SIP call over the tunnel it fails. After troubleshooting I found the results below:
1- The traffic never goes through the tunnel (the number of packets is not increased when I try to make a call, although it is increased when I ping the other side).
2- When I made a test using the ASDM (Packet Tracer), the result is successful (the traffic is NATed and allowed (passes the access list) and goes through the VPN tunnel).
3- The results below are the output of the logging of my ASA:
6|Nov 23 2008|11:00:24|305011|10.43.11.86|39421|62.Y.98.30|10932|Built dynamic UDP translation from Voice:10.43.11.86/39421 to outside(Voice_nat_outbound):62.Y.98.30/10932
6|Nov 23 2008|11:00:24|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 476764 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/10932)
6|Nov 23 2008|11:00:24|305011|10.43.11.86|5060|62.Y.98.30|43072|Built dynamic UDP translation from Voice:10.43.11.86/5060 to outside(Voice_nat_outbound):62.Y.98.30/43072
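The 305011 messages above are the ASA building dynamic PAT entries (through the translation named Voice_nat_outbound) for the SIP device's traffic and sending it out the outside interface as 62.Y.98.30. Traffic that is supposed to enter an IPsec tunnel must instead be exempted from NAT so its real source address matches the crypto ACL; once it has been PATed to the outside address it never matches the tunnel's ACL and leaves in the clear. Note also that the 302015 message shows the SIP signalling going to 63.x.0.102/5060 on the outside: if that address (a registrar or proxy, for example) is not the same host that was pinged, it has to be covered by the NAT exemption and crypto ACL too, otherwise it is PATed exactly as logged. The following is an added example, not configuration from the original post. It assumes pre-8.3 NAT syntax (the log is dated 2008), that the local voice network is 10.43.11.0/24, and uses a hypothetical remote voice subnet 192.0.2.0/24 and peer address 198.51.100.1.

```text
! Added example (not from the original post). Subnets, peer address,
! crypto map and ACL names are assumptions; the Voice interface name is
! the one that appears in the log.
!
! Hosts on Voice talking to the remote voice subnet must not be translated
! (NAT exemption, "nat 0"). This is what stops the 305011 PAT entries.
access-list Voice_nat0 extended permit ip 10.43.11.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (Voice) 0 access-list Voice_nat0
!
! The crypto ACL must describe the same pair of subnets; both ACLs need to
! cover every remote address the SIP device talks to (signalling and media).
access-list Voice_crypto extended permit ip 10.43.11.0 255.255.255.0 192.0.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address Voice_crypto
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! Checks. The packet-tracer should show the nat 0 exemption being matched
! and a VPN encrypt phase; test the actual destination from the log, not only
! the address that answers pings.
packet-tracer input Voice udp 10.43.11.86 5060 192.0.2.20 5060 detailed
show crypto ipsec sa peer 198.51.100.1
show xlate | include 10.43.11.86
```

The last command is the quick way to tell whether the fix took: once the exemption matches, no xlate for 10.43.11.86 towards the remote subnet should appear, and the encaps counters in "show crypto ipsec sa" should increase during a call.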
We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510; I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4. I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface, Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android, it used to come up with "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile, I cannot get that far. I just get a "login failed", even after I create a user with level 15 privilege and assign it to my VPN group policy. I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.
I am not able to access the device via SSH. After connecting to the console, I found that the allowed SSH sessions are fully utilized, with the show resource usage command, and the output is [output not included]
So I used the show ssh session command to see who is using the sessions, but in the output it showed only one session, and the output was [output not included]
I was wondering why it shows only one session above instead of showing all the 5 sessions which are utilized, as confirmed by the show resource usage command. We are using some internal tool for SSH monitoring on the device which is polling the device after a fixed interval for port 22 reachability. I don't think these tools are causing any issue, as this is the secondary firewall and we are not facing any reachability issue for the primary firewall. Also, we are using 10 min for the idle SSH timeout.
I configured multiple VLANs on my Cisco ASA 5520. Everything works perfectly except RDP (3389) connections. The connections are established, but after a period of inactivity the user is disconnected from the server (black screen). The same problem happens with other types of connections (client/server), for example Oracle and file sharing. Before installing the ASA, computers and servers were in the same VLAN and it worked well.
Is there a notion of an inter-VLAN connection timeout?
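There is such a timeout: the ASA keeps a connection entry for every TCP flow crossing it, and an established connection that carries no packets for the idle timeout (the global default is "timeout conn 1:00:00", one hour) is torn down, after which the next packet from either side is dropped because it belongs to no known connection. That is the usual cause of idle RDP, database and SMB sessions dying only after a firewall is inserted between VLANs. The following is an added example, not configuration from the original post; the server addresses 10.10.20.5 and 10.10.20.6 and the class/ACL names are placeholders, and "global_policy" is the default service policy name on an ASA. The "idle" keyword is the 8.2+ spelling; older releases use "set connection timeout tcp".

```text
! Added example (not from the original post). Server addresses and names
! are placeholders.
!
! Match only the long-lived flows that suffer from the idle timeout.
access-list LONG_LIVED extended permit tcp any host 10.10.20.5 eq 3389
access-list LONG_LIVED extended permit tcp any host 10.10.20.6 eq 1521
class-map long_lived_tcp
 match access-list LONG_LIVED
!
policy-map global_policy
 class long_lived_tcp
  ! Allow these flows to sit idle for 8 hours, and send a TCP RST to both
  ! ends when the entry is finally removed so the applications notice.
  set connection timeout idle 8:00:00 reset
  ! Dead Connection Detection: every 15 minutes of idleness the ASA probes
  ! both endpoints, and keeps the entry alive as long as both still answer
  ! (up to 5 unanswered probes). This avoids a blanket long timeout.
  set connection timeout dcd 0:15:00 5
!
! Checks: the policy is attached, and the per-connection timeout is in effect.
show service-policy
show conn address 10.10.20.5 port 3389 detail
```

Prefer the class-scoped setting above to raising the global "timeout conn" value: a firewall-wide multi-hour idle timeout keeps every abandoned flow, including scan leftovers and half-dead sessions, in the connection table for that long.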
I have attached a setup like this: This is the same scenario as ASA with Dual WAN setup. But my requirement is different. I have added the ASA and configured SLA in the ASA; all is working fine. When one link goes down, traffic passes through the backup route. My SLA config is below:
sla monitor 100
 type echo protocol ipIcmpEcho 10.5.5.120 interface Link1
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
show run routes are:
route Link1 10.5.5.0 255.255.255.0 10.4.4.5 1 track 10
route Link2 10.5.5.0 255.255.255.0 10.6.6.5 254
Is there any way that I can implement track on the 2nd link to the destination? Because after a Link1 failure, when the backup route is in use, would it be able to pass traffic to the destination? There may be a link failure between the backup link's router and the destination. Can I monitor the backup link, so that it is active and traffic can pass to the destination when Link1 fails?
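Tracking the backup route works the same way as the primary: a second SLA probe to the same destination, forced out of Link2 with the "interface" keyword, and a second track object attached to the Link2 route. The "interface Link2" argument is what makes this useful, because the echo then leaves Link2 regardless of the routing table, so the backup path is tested continuously while Link1 is still carrying the traffic. The following is an added example, not configuration from the original post: it reuses the addresses and interface names from the post, adds the "track 10" definition that the existing Link1 route already refers to, and assumes "sla monitor 200" / "track 20" as the free identifiers for the second link.

```text
! Added example (not from the original post). sla 200 / track 20 are
! assumed identifiers; addresses and interfaces are from the post.
!
! Probe out of Link1 (as in the post) and the track object its route uses.
sla monitor 100
 type echo protocol ipIcmpEcho 10.5.5.120 interface Link1
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
track 10 rtr 100 reachability
!
! Second probe to the same destination, forced out of Link2.
sla monitor 200
 type echo protocol ipIcmpEcho 10.5.5.120 interface Link2
 num-packets 3
 frequency 10
sla monitor schedule 200 life forever start-time now
track 20 rtr 200 reachability
!
! Each route now depends on its own probe. Metric 254 keeps Link2 as the
! floating backup while track 10 is up.
route Link1 10.5.5.0 255.255.255.0 10.4.4.5 1 track 10
route Link2 10.5.5.0 255.255.255.0 10.6.6.5 254 track 20
!
! Checks
show sla monitor operational-state
show track
show route
```

Two caveats. The probe out of Link2 is sourced from Link2's interface address, so the far side must be able to route its reply back to that address over Link2 (otherwise the probe fails and track 20 stays down). And because both probes target 10.5.5.120 itself, an outage of that single host removes both routes and leaves no path to 10.5.5.0/24 at all; if that is not what you want, probe the far-end router on each link rather than the end host.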
I bought it just 2 months ago; before, I had no problem with the internet connection. It was working perfectly. But after I once restored the system to Last Known Good Configuration, I am unable to connect it to the internet. When I try to connect it to my Wi-Fi modem, I get an error message: LIMITED ACCESS!
My basic question is, does Cisco VPN Client allow two simultaneous VPN connections at once? I want to set up the following:
User Client (Remote Access VPN via Internet) --> Head Office ASA 5520 A/S Pair --> (Remote Access VPN via Internet) --> Branch Office ASA 5510S+ A/S Pair
So, in order to access the branch office system, the user must: connect to the Head Office ASA peer via Cisco VPN Client (user/password authentication). The Head Office ASA peer gives a private 172.16.1.x IP, and is configured to route all requests to the Branch Office's public ASA IP via its own public IP address. Once the Head Office VPN is established, the user establishes a SECOND VPN tunnel from the Cisco VPN client (user/password and cert-based auth).
I am trying to set up remote access VPN on an ASA 5520 running 8.4.1. I have the IPsec group, policies, and IP pool set up. When I try to connect with the Cisco VPN client, I see the following in the logs: Deny icmp src outside:184.108.40.206 dst outside:220.127.116.11 (type 3, code 3) by access-group "acl_inbound". Do I need to put in some firewall rules to allow this traffic so that the VPN can connect?
I have a Cisco ASA 5520 that I'd like to be able to connect directly to our gigabit fiber connection (we're currently connected through a media converter that's causing problems). I've found the following: Cisco ASA 5500 Series 4 Port Gigabit Ethernet Security Services Module [URL]. I only need a single fiber connection, as opposed to the 4 copper + 4 fiber.
I have an ASA 5520 terminating the remote access VPN connections. When I successfully connect to my corporate network and try to copy a file (30 MB) from the share to my PC, it takes around 2 hours or it disconnects. What is the speed of the VPN client once you are connected to the corporate network over the Internet? At my home I have 512 ADSL, while at my corporate office we have 155 Mbps Internet speed.
We are working with an ASA 5520 and it seems there is an issue with some email messages sent through it. When there are many recipients in the emails, the email messages are not sent, and I have revised the server and the only thing I see is "connection dropped". When I went to see the ASA log, I saw this log report: ESMTP Classification: Dropped connection for ESMTP Request from 'interface': servername/portnumber to outside: IP address/25; matched Class 2: cmd RCPT count gt 100 tcp flow from interface:servername/portnumber to outside: IP address/25 terminated by inspection engine, reason - inspector disconnected, dropped packet. So I think there should be an inspection of ESMTP packets, and if they detect an email message sent to over 100 addresses, then the packet is dropped; am I right? If so, what should I do to let those email messages be sent?
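The reading of the log is right: the message quotes the match line of the default ESMTP inspection map ("cmd RCPT count gt 100"), whose action is to drop the connection and log, which is why the mail server only sees a dropped connection once the 101st RCPT TO is sent. The limit is not a hard-coded property of the inspection engine; it lives in the policy map, so the way to let the large messages through is to apply an ESMTP map with a limit the mail server's recipient lists fit under. The following is an added example, not configuration from the original post. The map name and the new limit of 500 recipients are assumptions; "global_policy" and "inspection_default" are the default names on an ASA.

```text
! Added example (not from the original post). Map name and the 500 limit
! are assumptions; pick a limit that matches the mail server's own policy.
!
! Same structure as the default _default_esmtp_map that produced the log
! message, with a higher recipient threshold.
policy-map type inspect esmtp esmtp_500rcpt
 parameters
  mask-banner
 match cmd RCPT count gt 500
  drop-connection log
!
! Replace the default map under the global service policy.
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp esmtp_500rcpt
!
! Checks: the new map is in effect and the drop counter stops growing.
show service-policy inspect esmtp
show running-config policy-map type inspect esmtp
```

Keep the threshold as low as the legitimate traffic allows rather than removing the match altogether: the recipient-count check is one of the few controls that stops a compromised internal host from spraying mail through the firewall, and the log line it produces is a useful detection signal. If only one mail server needs the higher limit, the alternative is a separate class matching just that server's SMTP traffic with its own map, leaving the default map for everything else.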
I have a Cisco ASA 5520 that was working properly. I tried to create an IPsec VPN to test, but when I finished the wizard I lost the connection between the inside interface and the outside. I use another interface for the DMZ and another for the printer network, and these adapters are working properly. I have reviewed the NATs and the ACLs but I don't see the problem.
I have deleted the IPsec VPN but it's still not working and I have the network down.
I have a server in a DMZ behind the ASA. Connections to this server work sometimes and then fail at other times, so I don't think I'm looking at an ACL or NAT problem here. The syslogs report a SYN Timeout. I have taken a trace on the ASA; it seems that a SYN-ACK does come from the destination server within the 30-second timeout, but it's not passed through the ASA back to the source? There is one odd thing: what seems to be an out-of-sequence ACK from the destination which arrives before the SYN-ACK at the ASA; I'm wondering if this might be the problem? This only occurs on the connections which fail. On the connections that work, the destination responds quickly to the initial SYN, and the 3-way handshake completes.
Oct 18 19:17:32 nzlsudfedsi001-pri Oct 18 2011 19:17:32 NZLSUDFEDSI001 : %ASA-6-302013: Built outbound TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 (172.24.32.31/21) to BPO-TRANSIT:x.x.x.x/59392 (x.x.x.x/59392)
Oct 18 19:18:02 nzlsudfedsi001-pri Oct 18 2011 19:18:02 NZLSUDFEDSI001 : %ASA-6-302014: Teardown TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 to BPO-TRANSIT:x.x.x.x/59392 duration 0:00:30 bytes 0 SYN Timeout
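The two messages above are one connection: 302013 records the embryonic connection being created when the SYN arrives, and 302014 tears it down 30 seconds later with "bytes 0 SYN Timeout" because the handshake never completed (in 302013/302014 the lower-security side is listed first, so this is x.x.x.x/59392 on BPO-TRANSIT opening port 21 on 172.24.32.31 in the DMZ). When a capture shows the SYN-ACK arriving on the DMZ side but not leaving on the other side, the ASA itself dropped it, and its accelerated security path records a reason for every such drop. The following is an added example, not commands from the original post: it assumes 203.0.113.10 as a stand-in for the client address that is masked as x.x.x.x in the log, and the interface names are the ones in the log.

```text
! Added example (not from the original post). 203.0.113.10 stands in for
! the masked client address x.x.x.x; interface names are from the log.
!
! Capture the single flow on both interfaces, both directions.
access-list CAP_FTP extended permit tcp host 203.0.113.10 host 172.24.32.31 eq 21
access-list CAP_FTP extended permit tcp host 172.24.32.31 eq 21 host 203.0.113.10
! "trace" keeps the processing trace for packets entering this interface, so
! the SYN-ACK's fate can be read off afterwards.
capture ftp_dmz interface IIP-ARCHIVE-PROD access-list CAP_FTP trace
capture ftp_transit interface BPO-TRANSIT access-list CAP_FTP
!
! Everything the security path drops, with the drop reason attached.
capture drops type asp-drop all
!
! Reproduce a failing connection, then compare the two sides.
show capture ftp_dmz
show capture ftp_transit
! Pick the SYN-ACK's packet number from ftp_dmz and read its trace.
show capture ftp_dmz trace packet-number 2
show capture drops | include 203.0.113.10
! Counters by drop reason (tcp-* reasons are the ones of interest here).
show asp drop
!
! Clean up; captures cost memory and CPU.
no capture ftp_dmz
no capture ftp_transit
no capture drops
clear configure access-list CAP_FTP
```

The trace output names the exact check that discarded the SYN-ACK, which is what separates the two hypotheses in the post: a packet rejected by the TCP normaliser because of the out-of-order ACK shows up as a tcp-related drop reason, whereas a routing or NAT problem would show as a different reason entirely. Fix the cause rather than exempting the flow; disabling the stateful TCP checks for a DMZ server (TCP state bypass) also removes the protection they provide.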
I've got a virtualised firewall running 3 security contexts in routed mode. What I am experiencing is that I cannot connect to an OUTSIDE host through the security contexts. From the firewall itself I cannot ping the directly attached host on the OUTSIDE interface, but I can ping the directly attached host on the INSIDE interface. When I reload the firewall box, the first ping to the OUTSIDE host is successful, but subsequent pings fail and thus total connectivity is lost.
I even tried upgrading to ASA version 8.4(1) but still the same.
We have an ASA 5520 firewall. For broadband Internet access, we have a T1 router (edge router provided by the ISP) which provides the public IPs 18.104.22.168/29. We have usable public IPs 22.214.171.124 - 126.96.36.199 with default gateway 188.8.131.52. We assigned 184.108.40.206 255.255.255.0 to the outside interface.
If we connect the ASA 5520 outside interface directly to the T1 router, can all packets with destination addresses in 220.127.116.11/29 reach the outside interface without using another device like another router or switch? I just assume that only packets with destination address 18.104.22.168 (the outside interface IP) can reach the outside interface from the edge router. Is that a wrong assumption? If it is correct, then is there any way to route all packets with destination address 22.214.171.124/29 to the outside interface?