Cisco VPN :: ASA 5505 / ACL Does Not Match Proxy IDs In Two Tunnels

Feb 1, 2011

I'm getting an "ACL does not match proxy IDs" error that I'm not able to troubleshoot. I googled this with a lot of results and tried some, but nothing applied. I have set up 2 tunnels:

1/ one from a PIX 515e (office) to an ASA 5505 (hosted server) for my guys to access the hosted server
2/ a second one from the ASA 5505 to my client's firewall so that its equipment can reach the hosted server and from the hosted server reach the equipment.

Both tunnels are working fine; my issue comes when I'm trying to join my client's equipment from my office, i.e. cascading the tunnels.

This is the first time I'm trying to cascade some tunnels; no issues with the other VPNs I have been building. I'm joining the configuration of the PIX and the ASA and an extract of the syslogs showing the error, in case there is any obvious error I haven't seen!




Cisco VPN :: 5505 Certificate Does Not Match The Servername

Feb 20, 2013

I have a problem with the latest AnyConnect Mobile clients; on any device (iPhone, PC, ...) I get this error message: "AnyConnect cannot verify the VPN server". All certificates (rootCA, userCER) are installed on the client side, and all of them are trusted.


Cisco VPN :: ASA 5505 Number Of Tunnels Or Connections Through It?

May 14, 2012

We are planning on offering low-end ASA 5505s as a customer offer to connect their network to our cloud, as this is a business requirement. However, one of my colleagues is convinced that the license for the 5505 is *not* based on the number of IPsec endpoints, but on the number of distinct connections via *any* tunnel. So, according to him, if you have a license for 10 IPsec endpoints and you have 11 people connecting via *one* tunnel from a customer's network to our cloud, you go beyond your license.


Cisco Firewall :: 5505 - Disabling Timeouts Which Affect SSH Tunnels

Jan 4, 2012

I'm running 8.3 on a 5505. We've got a few SSH tunnels originating from inside to some place on the internet. It seems these tunnels are closed every n minutes. I've seen two recommendations for altering the timeout values, and what I am interested in is an infinite timeout (0) for these SSH tunnels.

Suggestion 1: alter timeout "conn". The default is 30 minutes, but I suspect this might have a negative impact because no inactive connections would be closed, ever. If it is however recommended to alter it, how do I set it to "0" (off/unlimited)?

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Suggestion 2: enable an SSH class map which explicitly sets the timeout for the SSH connection. Is this recommended? How would I achieve unlimited time? And what about random-sequence-number disabled as seen below, is that really recommended?

class CLASS_MAP_SSH
set connection random-sequence-number disable
set connection timeout idle 48:00:00 reset
set connection decrement-ttl


Cisco VPN :: ASA 5505 - Configure Allowed Bandwidth On IPSec Tunnels?

Oct 25, 2011

ASA 5505 8.2.1
ASA 5520 8.4 
 
We currently have a tunnel configured between 2 ASAs
 
1- Is it possible to assign 1.5 Mbits of bandwidth (BW) to this tunnel? Then if tunnel number 2 is configured, could I assign 2 Mbits to that one, for example?

I am not referring to prioritizing certain types of traffic over the IPsec tunnel; I am referring to tunnel 1 having 1.5 Mbits of BW guaranteed for all traffic that goes through it. Same for tunnel 2.
 
Then
 
2- How to monitor the amount of BW in an IPsec tunnel?


Cisco Firewall :: ASA IPv6 NDP Proxy With 5505

Nov 26, 2011

I have a 5505 running 8.4, and my ISP is giving me a /64 IPv6 prefix. Basically, I have a subnet between my ASA and my ISP's box which is my outside, running into a private subnet (192.168.0.0), as most ISPs do. I have my ASA behind it, and I'd like to turn on IPv6 for my inside hosts, but the problem is that I can't modify the routing on my ISP's side, and thus it will assume all hosts are directly connected on my outside. Thus, I would need some kind of Neighbor Discovery proxy on the outside of the ASA. Is there such a feature?


Cisco AAA/Identity/Nac :: ASA 5505 Cut Through Proxy And Redirection After Login

Jun 17, 2012

I have successfully set up a 5505 as a cut-through proxy so that wireless users are required to log in when they open a browser to access the Internet. Is there a way to take them to the original page they requested after the login is complete, rather than having it sit at the screen where it says they are logged in?


Cisco Firewall :: Redirecting Traffic To Proxy From ASA 5505

May 20, 2011

I have an ASA 5505 with the base license. I'd like to install a proxy server in my network. I configured the commands below to forward my traffic to the proxy server from my ASA.

Is there any configuration that I need to configure? And if possible, send me the configuration guide to set up the SQUID server. (Actually it was set up by the 3rd-party vendor.)


Cisco Firewall :: ASA 5505 / One Way Audio For Phones Using IP Proxy?

Jun 5, 2011

I've got an ASA 5505 running 8.2 configured solely as an IP phone proxy. It is the default gateway for the CUCM box and PRI router, and its inside interface is directly attached to the same subnet as all internal phones as well. Calls can be placed from either end, but after the call is established, the proxy phone does not hear audio from internal or PSTN phones. The proxy phone registers with CUCM with the remote internal IP of the phone, which obviously cannot be reached by the corp network.

Debugging from the PRI router shows the RTP traffic destination is the internal IP address of the proxy phone, 192.168.0.50. Why is the phone registering with its internal IP 192.168.0.50 rather than its NATted external IP 50.50.50.50 that can be reached by CUCM and other phones? The proxy phone is a 7945; after it registers, I do not see it under sh phone-proxy secure-phones, or sh phone-proxy signaling-sessions while on a call.
 
ASA Proxy config
 
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.33.25 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.x.x.24 255.255.254.0
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name ----.com
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip host 10.10.33.10 any
access-list inside_access_in extended permit ip any host 10.10.33.10
access-list inside_access_in extended permit ip host 10.10.33.5 any
access-list inside_access_in extended

[code]....


Cisco Firewall :: Configuring UC-Proxy On ASA 5505 Version 8.0?

Jan 24, 2012

I'm trying to configure UC-Proxy using an ASA 5505 with software version 8.0.4. I was following the instructions in DOC-5704 and the ASA 8.0 CLI. I don't have USB security tokens in the UC solution; instead I'm using Cisco 7961 IP phones with MIC. I configured all the items as the documentation says, but when I restart the phone outside the firewall, the 7961 doesn't register with the Call Manager. Checking the troubleshooting, I found that it's possibly a certificate problem, but I don't know if I need to do something on the phones.

I would like to know if there is any consideration when the UC proxy works just with MIC. The outside phone is a Cisco 7961 configured with a static IP address and the TFTP address of the Call Manager (static NAT in the ASA).


Cisco Firewall :: ASA 5505 - Redirecting Http And Https Traffic To Proxy Server

Aug 5, 2008

I have an ASA 5505 that I am using to connect my contractors via an inside interface; the outside interface is my private LAN. I have set up our corporate proxy server to allow traffic from the outside interface of my ASA to go to the internet without credentials BUT log internet activity. The question is: I want to know if the ASA can send that HTTP and HTTPS traffic to my proxy server and all other traffic to my default route? I want to be able to send all internet traffic to my proxy server. This will avoid me asking the contractors to place proxy credentials in their browsers.


Cisco Firewall :: Max Number Of Clients And Site To Site VPN Tunnels On ASA 5505

Aug 15, 2012

I wanted to know the maximum VPN client sessions (using the Cisco VPN client) and site-to-site VPN tunnels that I can connect to my ASA 5505 simultaneously.

In other words, if I have x VPN clients and y site-to-site tunnels at any time, does x + y have to be <= 10 (Total VPN Peers)? If yes, can I upgrade to the Security Plus license to increase the Total VPN Peers to 25?

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
[Code]...


Cisco :: Setting Transparent Proxy To A Proxy Running On A Client?

May 28, 2012

I would like to connect devices to my network so that their traffic passes through a proxy running on my computer. I figured the best way to do this is by setting the proxy on my router to the one I am running, but then I would need to have another connection to the computer running the proxy or else there would be an infinite loop, or something like that. So:

Internet -> router (1) -> my proxy on comp A -> router (2) -> computer B


Cisco Firewall :: ASA 5505 - Proxy Server Send Register To Hosted Server Private IP Changed

Aug 23, 2011

We have a Cisco ASA 5505 with ASDM 5.2. We have one proxy server in our local lab pointed to a hosted service (Simple Signal). The issue is, when our proxy server sends a REGISTER to the hosted server, the ASA changes the private IP and posts with the outside IP and src port 1063 every time.

Here is debug log on real time monitoring.
 
Aug 24 2011    05:21:19    302015    203.xxx.xxx.226    192.168.1.51     Built outbound UDP connection 3774 for outside:203.xxx.xxx.226/5060 (203.xxx.xxx.226/5060) to inside:192.168.1.51/27014 (99.119.161.107/1142)
Aug 24 2011    05:21:19    607001    203.xxx.xxx.226         Pre- allocate SIP Via UDP secondary channel for inside:192.168.1.51/27014 to outside:203.xxx.xxx.226 from REGISTER message
Aug 24 2011    05:21:19    710005    203.xxx.xxx.226    99.xxx.xxx.107     UDP request discarded from 203.xxx.xxx.226/5060 to outside:99.xxx.xxx.107/1063

Here 99.xxx.xxx.107 is our ASA outside IP address and 203.xxx.xxx.226 is the hosted server IP address. My ASA config is attached.


Security / Firewalls :: Using Non-proxy Software Through Proxy?

Mar 31, 2012

I access the internet from my company's LAN, which has a restrictive firewall, so I cannot request the admin to open any ports manually for me. Hence I use a software called your-freedom. This proxy software supports both HTTP as well as SOCKS 4 and 5 proxy (by entering the proxy IP 127.0.0.1 (localhost) and port 8080 for HTTP proxy OR 1080 for SOCKS proxy), and I have successfully been using web browsers and some other software that support proxy / allow proxy info to be entered to log in / connect to the internet. Your-Freedom also supports port forwarding. However, the software I intend to use does not have any options to enter proxy methods or proxy ports (as far as I have noticed). I have tried to proxify these 2 programs using software such as SocksCap and FreeCap, but either they don't work, or my settings in proxifying are not correct. I believe I will have to do port forwarding or proxify the software, but have been unable to do so in the correct manner.

Following is the info on the 2 programs:

1. NOW Trading terminal: Normally when I start the NOW or Zerodha software, the software starts and I get a login screen, but under firewall conditions, I get the initial splash screen but then the software stops with the error: NOW Initialisation failed for Interactive Engine << os error>>.

2. PowerIndia Bulls: The software is written in Java and starts with a batch file (PowerIndiabulls.bat) located in C:UsersDEFAULT_USERNAMEAppD..... I converted this batch file to .exe (with battoexe software) and then ran it through a proxifying software. The .exe starts properly without the proxifying software but not under the proxifying environment. Basically the software needs to connect to the internet using port 443. I am also expected to keep ports 443, 41599 and 59598 open. The software's requirement is available at Indiabulls Securities (item no. 5). To confirm: while the software is unable to connect through port 443, you will get the error message "Connection to Login Server could not be established" when you try to log in with any random username and password. To know that the software is able to connect properly, you will get the error "This User ID is not enabled to be used with this product".


Cisco :: IP Proxy-arp Vs Ip Local-proxy Arp

Jan 8, 2013

Anyone know the difference between these two on an MLS? It seems that proxy ARP as I know it works with or without the 'local' version.


Cisco WAN :: 7018 - Mix And Match 1 And 10 Gig Ports In Two Different VDC?

Feb 21, 2011

We have a pair of Cisco Nexus 7018s with four eight-port 10 Gig modules. I have created two VDCs, mixing 10 Gig ports from different modules. Now we require some one Gig SFP ports and we are planning to buy a 48-port 1 Gig SFP+ card. My questions are:

1- Can I still mix and match 1 Gig and 10 Gig ports in two different VDCs? (1-24 for VDC1 and 25-48 for VDC2)

2- Does the whole 48-port module have to be allocated to one VDC, which already has all the 10 Gig ports?


Cisco WAN :: ASR1004 - QoS / Match Protocol Command

Apr 1, 2011

If I want to use the command match protocol xxxx when configuring traffic classification for QoS, is it necessary to have the following licence?
 
-FLASR1-FPI-RTU

-Flexible Packet Inspection RTU Feature License for Cisco ASR 1000 Series.


Cisco WAN :: 1751 - Series Match For Router

Apr 18, 2005

I am currently using a Cisco 1751 w/ 1-WIC-DUS-T1 to connect our branch locations via Frame Relay. I will be adding 2 new locations in about 2 months. What is the 1800 series match for the router I currently use, and are there any performance advantages?


System And Network Time Do Not Match?

Feb 24, 2011

This is happening to me on multiple computers on my domain. When it happens I can only log in as a local user, or if I unplug the network cable, log in and then re-connect the network. The time on all these machines is correct to within at least 1 minute, but still it's throwing this error. When reading about this problem I see many fixes that all relate to how to sync the time on the PC.


Do These Protocols Match Correctly To Each Layer?

Apr 17, 2011

Data link: ARP, RARP; Presentation: SSL, TLS, ASCII, JPG; Session layer: ASP (AppleTalk Session Protocol), SCP. Are these correct? Can you provide 2 new protocols for each, with the long name?


Sharing :: Pointers Not Match Up On Both Computers

Dec 19, 2011

On the laptop, the info bar is on the left side and the website tabs are on the top; this shifts the other computer's screen view down and to the right. It also cuts off the right side and bottom, while still leaving space on the right side and bottom. The pointer on the laptop does not line up with the desktop because the screen is shifted, but only a portion of the screen is visible anyway. I used the same password and login on both computers; I don't know if they have to be different. There is a full screen option at the top right, but this causes the top tabs and info buttons on the left side to go black.


Auto-Configuration IPv4 Does Not Match Up

Feb 29, 2012

I live in a shared house, and I am the only one who has been experiencing issues connecting to the internet. I have to ask a housemate to reset the server, as this is the only thing that works.

When I am unable to connect, and I use command ipconfig, the following appears: Autoconfiguration IPv4 169.254.23.29 On the occasions when I am connected, the following appears in its place: IPv4 IP Address: 192.168.0.2

One tip that I came across was to check the box (Wireless Network properties, Connection tab) for "Connect even if the network is not broadcasting". I had hoped this simple solution would assist, but to no avail.


Cisco Switching/Routing :: ME3800 - ACL To Match ICMP

Nov 24, 2011

We have some ME3800MX router/switches running ME380x-UNIVERSALK9-M, Version 12.2(52)EY2. The Cisco website says:

The switch does not support these Cisco IOS router ACL-related features: Non-IP protocol ACLs (see Table 26-1) or bridge-group ACLs

How would we match ICMP traffic then?


Cisco VPN :: ASA5505 Use One Crypto Map / Add Second Set Peer And Match Address

Aug 24, 2012

We have an HQ site with a 2811 (w/ ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established IPsec L2L VPN. I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 crypto map to the outside interface. A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN? Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?


Cisco WAN :: 7609-s Switching And Routing Path Not Match

Jun 13, 2012

I've got a Cisco 7609-S with IOS 12.2(33)SRC2 that met an issue: "show ip route x.x.x.x" and "show ip cef x.x.x.x" show a next-hop that is not the actual switched next-hop.

For example, "show ip route 192.168.1.1" and "show ip cef 192.168.1.1" show the correct next-hop 10.1.1.1, but the traffic destined to 192.168.1.1 actually does not go through 10.1.1.1, but always through the default route next-hop. Everything works normally after rebooting the router. I suppose it should be caused by a bug? BTW, my Cisco 7609 is running BGP with the ISP and receives about 10K routes.


Cisco Application :: ACE30 Match Http Url Except Specific One

Feb 4, 2013

Is it possible to construct the L7 HTTP class-map expression to match all URLs except one? I have 1 correct URL, for example /correcturl.*, and want to redirect requests for all other possible URLs to this one, without the need to list them all in "positive match" statements.


Cisco WAN :: 6509 Match Vlan Is Not Supported For Interface

Mar 13, 2013

I have a 10 Mbps connection link which I would like to reduce to 5 Mbps on a 6509 switch, as indicated in the config below. [code] After applying the service policy on the VLAN interface, I got this: "match vlan is not supported for this interface". I actually tried the rate limit command but I can't see the effect using the speedtest.


Cisco Application :: L7CLASSSrv2 / ACE Loadbalance Ssl Match Header?

Mar 27, 2012

I created several rules to balance some apps on a specific server. Everything works great in HTTP but not in HTTPS. In my example, I would like [URL] to be redirected to my server2, but it's always using the default rules instead of L7CLASSSrv2. Today [URL] is well redirected. All other apps are correctly load balanced with the stickiness effect, but I can't handle the HTTPS connections.

class-map match-all L4-WEB-IP
  2 match virtual-address xxxx tcp eq www
class-map match-all L4-WEBHTTPS-IP
  2 match virtual-address xxxx tcp eq https
class-map type http loadbalance match-any L7CLASSSrv1

[code]....


Cisco WAN :: ASR1002 / Unable To Use BGP Route-map Match Next-hop On Inbound?

Feb 28, 2011

I am running an ASR1002 with the latest XE IOS version asr1000rp1-adventerprisek9.03.02.01.S.151-1.S1.bin, configuration below:

router bgp 65000
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 timers bgp 5 15
 !
 address-family ipv4 vrf LABR01-VRF
  bgp router-id 1.1.1.1
  neighbor bgprrclient peer-group
  neighbor bgprrclient remote-as 65001
  neighbor bgprrclient password 7 1234
  neighbor bgprrclient update-source Loopback0
  neighbor bgprrclient version 4
  neighbor bgprrclient route-reflector-client
  neighbor bgprrclient route-map set_weight in

I then tried to create a new route-map and got an error that match next-hop cannot be used on inbound:

route-map set_weight permit 10
 match ip next-hop prefix-list thirdparty
 match as-path 1
 set weight 1000

LAB-ASR1002(config)#route-map set_weight permit 10
LAB-ASR1002(config-route-map)# match ip next-hop prefix-list thirdparty
% "set_weight" used as BGP inbound route-map, nexthop match not supported
% not supported match will behave as route-map with no match
% "set_weight" used as BGP inbound route-map, nexthop match not supported
% not supported match will behave as route-map with no match
% "set_weight" used as BGP inbound route-map, nexthop match not supported
% not supported match will behave as route-map with no match
% "set_weight" used as BGP inbound route-map, nexthop match not supported
% not supported match will behave as route-map with no match
% "set_weight" used as BGP inbound route-map, nexthop match not supported
% not supported match will behave as route-map with no match

Not sure why Cisco is not supporting a pretty basic feature for BGP route maps. I tried looking into matching other variables, but I am unable to get the same result, as I have the same routes in the BGP table from multiple inbound peers.

I also get this message when configuring TACACS. I looked for the "new" CLI but no luck:

LAB-ASR1002(config)#tacacs-server host 2.2.2.2
This cli will be deprecated soon. Use new server cli


Cisco Switching/Routing :: 7200 - How To Match YouTube In Qos

Apr 26, 2013

I want to ask how to match YouTube in my QoS; I want to give YouTube the best priority in the rush hour. Currently I'm using an ACL that matches the IPs of YouTube, but I think it's not sufficient:


Cisco :: 5508 - Mobility Group To Match On Internal WLC?

Feb 1, 2012

I am setting up OfficeExtend. I have placed the OfficeExtend WLC in the DMZ with a mgmt IP of 192.168.10.2, and am in the process of anchoring this to the internal WLC. Also, the IP on the firewall for this interface is 192.168.10.1.

1. Does the mobility group need to match the same on the internal WLC?

2. Now, do I need a NAT translation on the firewall for the external WAN IP (AP primed address, say 66.10.10.10) to NAT back to 192.168.10.2?

3. The 5508 WLC is running on ver6.0.199.4 (license level base) - will this support office extend?


Facebook Number Of Mutual Friends Do Not Match

Jun 17, 2012

While on Facebook I search for a friend, and in the search bar it says we have, say, 10 mutual friends; however, when I click this person and view their profile, it suddenly says we only have 8 mutual friends. An even stranger thing: I have a friend on Facebook (she has her friends list hidden) who will appear on MOST mutual friends lists of others I am also friends with. However, she won't appear on two of my friends' mutual lists when I am CERTAIN she is friends with them, and also she will appear on mutual lists of some I am not friends with, but also fail to appear on mutual lists of people I'm not friends with but I know she is. TO SUMMARIZE:

1.) Why doesn't the mutual friends number match up? It will say 10 mutual friends but show 8.

2.) Why does she not appear on some lists but does on others when I KNOW she should be on the others? Does anyone know of any scripts to just see hidden friend lists?








Copyrights 2005-15 www.BigResource.com, All rights reserved