Cisco VPN :: ASA 5510 - Maximum Connect Time Configuration?
Mar 21, 2011
I have been working on my ASA 5510 version 8.2(1) trying to change the maximum connection time. Originally the custom "Group Policy" for IPSEC (Remote Access VPN) was set to inherit the settings from the default system Group Policy (DfltGrpPolicy). The custom group policy for the sake of this discussion is called "ABCD". I have modified the settings on the default (DfltGrpPolicy) as the custom policy (ABCD) was inheriting the configuration from default to disconnect after 1200 minutes. I changed the setting "maximum connection time" to 1200 minutes. I saved the configuration and what not then connected my VPN client, after two (2) hours I was disconnected. Something just doesn't add up.
I went ahead and deselected all inherited properties and manually configured them for the ABCD custom policy. No longer was the ABCD custom policy configured to use the inherited properties/settings. I saved the configuration again tested but instead of having a 1200 minute connection limit, I have 120 minute connection limit. Inside Monitoring --> VPN --> Sesssions : I can click on my session and see Session details". The Group Policy and Connection Profile properly list the "ABCD" custom profile. However, the "Conn Time Out" setting is: 120 minutes. I am completely stumped as to what is going on.
In the actual running config I see:
group-policy abcd attributes
banner none
wins-server value 123.123.123.123
dns-server value 123.123.123.123
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 60
vpn-session-timeout 1200
What I need to do next to get this working short of a recycle of the ASA.
View 3 Replies
ADVERTISEMENT
Jan 5, 2011
I have configured the "Maximum Connect Time" as unlimited in my group policy but when a connection is established it shows a "Conn Time Out: 120 minutes". The connection does get dropped with this timer. how to actually make it unlimited and why it get sets to 120?I having a problem with SSL phone clients dropping throughout the day and think this may be the cause.
View 14 Replies
View Related
Feb 28, 2012
i want to know a number of maximum tcp connection at same time on interface of my 7200 router,how i'll do that?any configuration, software?
View 1 Replies
View Related
Jun 26, 2011
On the BEFSR41 v1 series and WRT54G series, what is the maximum value for the DHCP "Client Lease Time (in minutes)?" It seems that 2^16 -1 (65535) minutes is the max. This is about 45 days. has the max value changed with newer versions of these devices?
View 1 Replies
View Related
Apr 18, 2012
We have a ASA 5510 (v8.2.2 with ASDM 6..4.7, 256Mb mem) with a license for 250 VPN Peers. The machine has currently one site-to-site VPN active. I've added a remote-access IPSec VPN for some users but when connecting from the remote site the connection is dropped and the ASA reports %ASA-4-713239 Tunnel Rejected : The maximum tunnel count allowed has been reached.
I've searched for info relating to this message but I found none. Before I plan a restart (it's up for 222 days), is there something I could do on CLI to fix this ?
View 4 Replies
View Related
Apr 1, 2012
I have a trouble with 2 IPSec tunnels on Cisco ASA 5510.Both of them are Site-to-Site tunnels.Both of them are established against the same public IP address on my site.It looks like they cannot run steadily in the same time. It looks like when one of them is actived, the other one could not be up.Is it some kind of limit of Cisco ASA?
View 6 Replies
View Related
Sep 11, 2011
How can I check I have the right vpn time on a VPN client session on a asa 5510 , and how can I modify it to more time...
View 3 Replies
View Related
Jan 23, 2012
4402 Wireless LAN Controller running 7.0.116.0 versión. The equipment is working fine, but after a hard reset i lost date and time configuration.No other configuration is affected, only date and time. What can be the cause of this?
View 18 Replies
View Related
Feb 23, 2011
I need to estimate the installation and configuration time of Cisco NAC (NAC Network Module spare for 2800, 3800 ISR) and Cisco NAC Manager(NAC Appliance 3315 Manager -max 3 Servers. There is some Cisco tool to estimate the installation and configuration time?
View 3 Replies
View Related
Nov 15, 2011
We have ASA running code 8.0.4 with Active/Standby for quite long time. Today when we gave the command wri standby it started sync the config to standby ASA but waited forever.when we checked the show failover, we got the following result.
This host: Secondary - Active
Active time: 1928633 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface PERIMETER-MGMT (10.12.8.1): Normal (Not-Monitored)
Interface OUTSIDE (86.36.xx.xx): Normal (Waiting)
[code].....
When we console to Standby ASA and tried to save (wri mem), we got the following error and also please note the hostname has become default...?
ciscoasa(config)# wri memory
Building configuration...
Command Ignored, Configuration in progress...
[FAILED]
and when we tried to give following command we got this error:
ciscoasa(config)# copy running-config startup-config
Source filename [running-config]?
%Error reading system:/running-config (Configuration temporarily locked)
ciscoasa(config)#
I see here the standby ASA IPS module is down, but can that issue cause not sync the config backup and writing to nvram (save config)..?
View 1 Replies
View Related
Oct 17, 2012
I have an issue on an ASA 5510 that I have noticed today, when I am using the log viewer all of the information recorded only shows the high end source and destination ports. For example
Source IP 10.10.4.69
Source Port 59886
Destination IP 8.8.8.8
Destination Port 59866
So what seems to be happening is that I am seeing only half of the connection in the log viewer, I see the side with the high end ports and not the side with the ports the application uses, this example was done with a ping. All my services are working correctly and the client sending the ping gets the response expected, it just seems I have lost the logging display?
View 4 Replies
View Related
Apr 1, 2012
I'm new to an ASA 5510 running 8.4(3) and am trying to figure out something regarding time ranges in ASDM. I simply want to allow a single port during business hours only (I'm not concerned about open sessions needing to be closed). So as an example I add a rule something like:
(RULE1 on the internal interface) SRC=INTERNAL DEST=ANY SERVICE=RDP ACTION=PERMIT with a time range set for weekdays 8:00-16:59. I did a test after 5pm on a weekday and was still allowed to do RDP to a server (from INTERNAL), and after using the packet trace tool saw it was still passing through due to a rule a couple lines down (rule 4) that allowed a port range that happened to include port 3389. So my question is if I specify an "allowed" time range and someone attempts access outside that time range, why doesn't it drop it right there? I guess I'm assuming that anything outside the "allowed" time range would be dropped but that doesn't seem to be the case. I'm also assuming the rule base is processed top to bottom.
View 2 Replies
View Related
May 5, 2012
I have a network with static routes witch I need to convert to OSPF.Never used OSPF, and do not have much experience in routing in general.The netvork is connected via some fiber links, but moastly wireless bridges.I have attached a drawing of how the network is.Routers are 3550, 3560 and 3750s.Each router is on a different physical site.
View 2 Replies
View Related
Feb 15, 2012
I have a new ASA 5510 running 8.3(1) and ASDM 6.4(5)
I am trying to use the real time log viewer to troubleshoot some access issues, but I am getting delays of up to 30 seconds or more between my client connecting to the ASA and the corresponding events showing in the RT Log viewer. I am using a simple filter for source IP as it's quite a busy device.
I've seen an article that says to turn off certain logging IDs (such as 304001 from memory) which I have done, but no different.
View 6 Replies
View Related
Jan 3, 2013
Current configuration:
2xASA5510s (Active/Standby) --->3925 Internet Router---->Internet
Going to:
2xASA5510s(Active/Standby)---->3925 Internet Router A----->ISP (Primary)
---->3925 Internet Router B----->ISP (Backup)
Note: Only one ISP just different speed connections
We're going to be using BGP to the ISP. Our goal is to advertise one subnet via BGP over both links using routerA as the primary and routerB only if it fails. How can should I configure my ASA and the internet routers to accomplish this?
View 2 Replies
View Related
Dec 26, 2011
I have a Cisco ASA 5510 connected to 2 private lans (1 for my HQ pc's{inside} and 1 for the worldwide mpls{outside}) It is also connected to the public internet at interface "public" and my dmz at "dmz" interface. I suspect I have a routing issue because packet-trace yields allow, the nat looks ok and the objects look ok at least to me but I'm the one with the non working config so...Basically this is the desired flow:
1. I need all traffic from the inside to be able to flow to the outside unimpeded as they are both trusted networks. (this is ok right now as I allow everything via access-list 101.)
2. I need any host on the public internet to be able to reach a server on the dmz via the pat which I set up from the "public" interface to the "DMZ" interface. The desired flow would be that the person on the internet types in [URL] and this is directed to the public interface ip which forwards to the webserver object on the dmz. (I cannot get this working any which way)
3. I need the dmz to be able to communicate with another server on the mpls via the "outside" interface when it recieves the request from the public it then checks with this other server on the outside via nat(translating the dmz range into the ip of the outside interface on the firewall)I have a default route that points to the mpls or outside interface for 0.0.0.0 0.0.0.0 via 10.x.x.1 - (and although I'm not sure I suspect this could be conflicting with traffic that needs to be sent to the "public" interface .... meaning that the firewall should dump packets bound for 0.0.0.0 0.0.0.0 to the public interface - 184.x.x.194 but I'm very reluctant to change the default route as this is in production and I'm not sure how it will affect traffic).However, I do suspect that if I changed the route from default to static as such:
route 10.0.0.0 255.0.0.0 10.x.x.1 (this would get all lan and mpls traffic to the mpls gateway) route 0.0.0.0 0.0.0.0 184.x.x.193 (this would send everything else from public to the public internet gateway)I think this is accurate but then I would bypassing my corporate internet proxy which is behind the mpls gateway at 10.x.x.1? Is there a way to get http traffic originating from the lan (10.x.x.x) to use the mpls gateway and http traffic for the dmz to use the public internet gateway at 184.x.x.193. I don't want to start causing a flow problem for the internet nor do I want to bypass my corp internet proxy.Either way I cannot get this to work, eventhough the logic checks out, I cannot get even a ping response when I allow icmp any any for testing. Note: I can ping resources on each network from the firewall, not only it's own ports in the associated network but other resources on those networks as well.
Here is the running-config:
ciscoasa# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name marcjacobs.lvmh
[code].....
View 16 Replies
View Related
Oct 31, 2011
we have a cisco ASA5510 and our client owns a Juniper device. we already have a vpn tunnel in place between the two locations and its working fine.Now, they have some networks which are in more secure zone, if we add those subnets to the present tunnel we are not able to access them. so what they are suggesting that we can reconfigure the VPN to be a route based VPN instead of policy based OR configure a second VPN tunnel.am not sure of cisco ASA supports route based tunnels???.. Can we create a 2nd tunnel between the same devices ( asa5510 and thei juniper device) as the IP remains same, only the internal remote networks will change for me. do i need to make any changes to the present tunnel??
View 8 Replies
View Related
Jan 24, 2013
I am attempting to set up FTP behind this new CISCO ASA 5510 we just bought. I haven't configured a cisco device in 5 years, so I am having issues., i think i am close. If I FTP from outside (fixed) IP it connects and takes the password but hangs on PASV and gives no data connection below is my configuration. It is simple since I seem to have the connection inside correct. and yes you can connect to the FTP server from inside without issue.
Code...
View 4 Replies
View Related
Jul 24, 2012
I have one Asa 5510 with base license. now we wish to add one back up ISP for VPN fail over, is this possible to configure backup ISP with this ASA 5510 and how ?
Check ASA features
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(1)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
Cisco asa up 3 hours 35 min
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
View 3 Replies
View Related
Jun 11, 2009
We have some users who use citrix outside corporate network through citrix web interface.These users are high priority users and we want to prioritize the citrix traffic. I want to make sure that my configuration will fullfill our requirements. Below is the configuration i was thinking to implement.:
ASA(config)# priority-queue outside
ASA(config-priority-queue)# exit
ASA(config)#access-list CTX-QoS extended permit tcp any 10.1.1.200
255.255.255.255 eq https
ASA(config)# class-map CTX-QoS-CMAP
ASA(config-cmap)# match dscp ef
ASA(config-cmap)# match access-list CTX-QoS
ASA(config-cmap)# exit
ASA(config)# policy-map CTX-QoS-PolicyMap
ASA(config-pmap)# class CTX-QoS-CMAP
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# exit
ASA(config)# service-policy CTX-QoS-PolicyMap interface outside
View 3 Replies
View Related
Feb 6, 2013
I am not seeing the IKE Policy configuration screens while configuring IPSEC VPN on ASA 5510. (Using ver 9.1(1) / ASDM 7.1) following the wizard after step 8, I am expecting the screen where you configure DES/3DES ,etc the screen does not show up - Have the right (3DES) licence.
View 2 Replies
View Related
Aug 28, 2011
I have created the following config for an ASA 5510. I implemented a DMZ on it. Is this config as secure as I can get it. I want the web server in the DMZ to only be able to access port 80 and 1433 on the SQL box inside.
ASA Version 8.2(1)
!
hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
View 6 Replies
View Related
Apr 30, 2013
BTW, the ASA is running version 7.0 (8) and I'm doing this through the command line.I've got a group of workers coming in a couple times per week that need wireless access to 1 printer on our network and internet access; I'll deny them access to the rest of our LAN.I've already configured an AP with WPA2 on a seperate subnet and put a router between it and our network. I've setup the router to apply an ACL to allow access to the printer's IP, deny to the rest of our main subnet, and permit everything else to go to our ASA 5510 that is serving as our gateway. From a laptop connected to the access point:I'm able to ping the printer's ipI'm not able to ping other workstations or our servers, as intendedI'm able to ping the ASA's inside interface The only part I can't seem to pull off is the final part of getting the ASA to translate the IP's from the new subnet to the outside interface.
So we have:
Laptop > Wireless AP > Router with ACL > Primary LAN > ASA5510 > internet
PAT is working fine for the primary LAN, but the laptop can't hit the internet.
View 7 Replies
View Related
Jul 30, 2011
i want to configure asa 5510 to send syslog messages to syslog server which i placed in my inside interface. also if enableing syslog will inrease the cpu utilization or memory? the necessary configuration parts?
View 1 Replies
View Related
Apr 25, 2013
I have been struggling to come up with the proper config to do a NAT of an incoming VPN tunnel to a VLAN on my network. I have an ASA 5510 with an IPSEC site-to-site tunnel to a partner network of 166.110.0.0/17.I have several VLANs on the ASA interface behind a cat4500 router (192.168.100.024, 172.16.4.0/24, 166.110.128.0/22 etc). The only network that the partner network sees is the 166.110.128.0/22.My problem is that I need to give them access to a node on my 192.168.100.0/24 net, but can't get the admin on the other side to add a route and adjust his tunnel.
View 4 Replies
View Related
May 8, 2011
creating a DMZ with my current configuration. Most of my configuration has been through the ASDM as I am still learning. I'm looking for a good tutorial through the ASDM to get me on my way. What I need to accomplish is this:
I have an internal GIS server which needs to have a constant database connection to an remote GIS Server which is already configured. I've got a separate VLAN setup on my 3750 switch which connects to the DMZ configured port on my ASA with a security level of 50. My GIS server has been placed in the DMZ VLAN which is accessible from my internal clients. I have a /30 Internet block which is being used for Internet and VPN. I have a separate /28 block that I'm assuming I'll need for the DMZ to work properly.
View 1 Replies
View Related
Jan 30, 2012
is there any way to reload the current saved (not running) config without a reboot of the firewall?
View 4 Replies
View Related
Jan 11, 2009
I would like to configure limited internet access to olnly a select group of Windows AD users.
I beleive cut-through proxy will allow me to do this, just not sure how to configure it on a Cisco ASA-5510
View 7 Replies
View Related
Mar 8, 2011
Will give configuration of NAT for my internal users with 192.168.1.0/24 with single public IP.
I new to configure IOS version 8.3.
View 5 Replies
View Related
Apr 12, 2012
I'm working on getting a ASA 5510 set up and am having major difficulties. I'm really new to ASA and coming over from Microsoft ISA. Below is my configuration, how to get this all sorted out. As of nwo it doesn't appear that any traffic is going through whether it's incoming or outgoing. [code]
View 3 Replies
View Related
Dec 5, 2012
I've a problem with syslog logging on my Cisco ASA 5510 version 8.2(1). I need to:
- 1) log some ACL with warning level to log deny access.
- 2) log some ACL with informational level to log permit and deny access (notification level log only deny access and not permit access).
- 3) not log others ACL.
For 1), I configured the syslog server with warnings level and i enabled the logging rules with default level (syslog default level)
logging enable logging trap warnings logging host "interface" "host" . access-list "interface" extended permit ip any any log default.
For 2), I enabled the logging rules with specific level (informational).
access-list "interface" extended permit ip any any log 6 interval 300.
For 3), I disabled the logging rules.
access-list "interface" extended permit ip any any log disable
My problem is that the syslog logging level bypass the ACL logging level. Even if some ACL are configured with informational level, the ASA send only warnings logs to the syslog. I tried to configure the syslog default level to warnings, to remove the ACL and then put it back again with the specific logging level but I still have the problem.
View 1 Replies
View Related
Jul 18, 2012
I have worked on cisco switches only..I want to configure nortel5510 have configured vlan.but Switch Ip address is changing when I am giving ip address to port. and i cant see port ip configuration in show runn also i want to configure loopback.I am configuring switch ip address 192.168.123.1/24 but when I give ip address to port 192.168.120.17/29(PORT IN DEFAULT VLAN) switch ip address changes automatically.I have port 1-4 configured in vlan 1 other ports are in L3 vlan.I want see port ip address details Like we see in cisco (SHOW IP INTERFACE BRIEF ) what is command in NORTEL??
View 2 Replies
View Related
Dec 30, 2012
when we are configuring ASA 5510 8.2(5) for Authenticating with ACS 5.X Server is not authentication fail error.
View 2 Replies
View Related
