Cisco VPN :: ASA 5520 / How To Use Environment-variables In DAP-policy
Feb 27, 2011
I am using the "File exist" check in my Dynamic Access Policies to be sure that VPN computers are corporate. I would like to place the file in each user's %APPDATA% directory, but it seems that the ASA cannot use variables when specifying the path? Is there a way to do this, or do I have to use an absolute path in the check? I am running an ASA 5520 with sw 8.4(1).
Feb 23, 2012
I have been tasked with attempting to set up an environment that allows users to VPN from home and use Dameware to connect, from home, to another machine in another user's home that is VPN'd into the same network. Is this possible?
We are using two 5520 ASAs and Cisco AnyConnect.
May 23, 2013
What are the possibilities that exist for running a site-to-site VPN in our environment with the following infrastructure:
-Cisco ASA 5520 - running in multiple context mode
-Cisco 3750 switches
-Microsoft TMG
I believe these options are limited in terms of providing an endpoint for VPN. Is there a VPN module that we can buy for the 5520 to run IPSEC VPN?
Jan 30, 2012
I am new to v5.3, and I am not good at VPN. I just had my consultant configure this correctly today. Currently, there is only one rule for the access policy (Single Result Selection). That rule is to use Active Directory as the source for the authentication, and by default it will deny any other access which is not found in the rule. Now... I just got an order that I need to set up a new user who will need to access our network by using Cisco IPSec VPN (the software one). But that user is not set up in our Active Directory, and we do not want him to access our domain anyway. He only needs to access non-domain resources, such as an air-conditioning controller by IP. So I am thinking to set up his account by using "internal identity". If I do it this way, what do I need to do to set up another access policy? Could you give me some steps with a little more detail? Or, if it is not the way I should do it, what else can I do to achieve this goal? Also, he said he could provide the static IP he would be accessing from. I have an ASA 5520.
Sep 27, 2012
I recently upgraded the IOS image and the ASDM on a Cisco 5520 firewall. I use a policy on a Cisco Security Manager to push policies out to this firewall. But it can't push to them now because the image has changed on the device. Is there any way to re-assign the policy without having to do a new discovery?
Jun 4, 2013
We have a NAT exemption rule for 10.0.0.0/8 to w.x.y.z, followed by some static NAT rules and then a dynamic policy NAT rule for 10.0.0.0/8 to w.x.y.z natting to IP a.b.c.d. When I do a packet trace from 10.10.10.10 to w.x.y.z, it shows the packet first matching against the NAT exemption rule, and then immediately afterwards it matches the dynamic policy NAT rule. The static NAT rules are being successfully bypassed (which is what I want), but why does the dynamic policy NAT rule apply if an exempt rule has been hit already? An actual test between the IPs above reflects the result of the packet tracer as well (IP a.b.c.d is seen on server w.x.y.z). We are running the following software on an ASA5520.
Apr 16, 2013
I have configured the primary firewall and everything seems to be fine, and we have configured a failover device. While the config is getting replicated to the failover device we are getting the below error.
ERROR: Cannot add policy to rule engine
ERROR: Unable to assign access-list LAN_out to interface inside
IOS and model are the same. All the config got replicated from primary to secondary except the one access-group command:
access-group LAN_out in interface inside.
Jun 9, 2012
I've tried to set up IPSec over TCP with a VPN Client V5.0.07.0440 on Win 7 64-bit to my ASA 5520 (Version 8.2(2)16) according to
[URL]
IPSec over TCP activated at the ASA
crypto isakmp ipsec-over-tcp port 10000
and in the Transport tab of the VPN connection 'enable transport tunneling' with IPSec over TCP on port 10000 instead of 'IPSec over UDP'. The connection timed out with error code 412. And this is my log from the ASA:
%ASA-7-710005: TCP request discarded from 178.x.x.x/53225 to INTERNET:212.x.x.x/10000
%ASA-3-713042: IKE Initiator unable to find policy: Intf INTERNET, Src: 212.x.x.x, Dst: 178.x.x.x
%ASA-7-710005: TCP request discarded from 178.x.x.x/53225 to INTERNET:212.x.x.x/10000
%ASA-3-713042: IKE Initiator unable to find policy: Intf INTERNET, Src: 212.x.x.x, Dst: 178.x.x.x
I don't have a clue what's missing here. I have static crypto maps for the L2L tunnels and the default dynamic crypto map for the VPN clients which come over NAT-T:
crypto map INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address INTERNET_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
Feb 13, 2011
Can the ASA 5520 handle 2 ISPs? Not to load balance and not standby/active, but to use the 2 ISPs at the same time and separately. For example, ISP_A, which has 10m, will be dedicated to customer A/VLAN A, and ISP_B, which has 4m, will be for the rest of the customers' traffic. Can the ASA 5520 do traffic shaping or a policy map just like a normal router?
May 10, 2012
I have removed the ICMP inspection from my default policy-map on my ASA 5520. Now I am not able to ping 4.2.2.2 from my LAN, even though I have configured an ICMP access-list on my ASA like the following, but I can't ping 4.2.2.2 to test Internet connectivity. What shall I do to allow only myself as admin to ping outside?
-icmp permit host 192.168.60.60 echo
-icmp permit host 192.168.60.60 echo-reply
Jun 8, 2011
I am trying to get an ASA 5520 to authenticate VPN users against an Active Directory environment plus allow management access as well. I created a Dynamic Access Policy on the ASA stating that if you are a member of the Active Directory group "Management" then continue. I changed the DefaultAccessPolicy to "Terminate". So with that, VPN users cannot connect because they are not a member of that group, but the access to manage the ASA is allowed because of that policy. Is there a way, using Dynamic Access Policies, that I can allow management access (SSH, ASDM, etc.) by matching a group membership, and allow normal users to VPN in successfully but not allow them access to manage the ASA?
Jan 5, 2012
I want to create a network with a bunch of routers and switches to be used as a test network for company employees to remotely log in and learn networking. I don't want this network to interfere with the rest of the network in any way. I am basically trying to create a stub network or a passive network!
Jan 23, 2013
Currently I'm with a pure Cisco shop, running every LAN switched infrastructure (even in the HQ datacenter) with PVST+. I'm noticing in the documentation I've read and labs I've created that RSTP is... great, and I've observed that even the UplinkFast functionality seems to be built in by just enabling rapid-pvst. Of course I'll propose a migration plan, document the network, diagram it entirely and provide effective steps to implement the change, but that's assumed from any get-go.
Mar 11, 2012
I am using L3 MPLS VPN services from a provider. They are doing QoS for my Voice, Data and ICMP: all traffic is classified in their network and takes different paths. Now, sometimes when we face voice issues, a simple ICMP ping or TCP ping will not give me insight into whether there are any packet losses, since voice packets are taking some other path within the MPLS cloud due to the DSCP marking of voice packets to 46. Is there any tool with which I can change the DSCP value of my packets and test out network response? Or any monitoring tool that can do this by default? I am looking for freeware at the moment, or a trial.
Nov 9, 2011
Question 1. In the typical Active Directory environment, doing wireless/wired 802.1x authentication on endpoints, should ACS join as a domain computer?
Question 2. For the endpoint (domain computer) joining the domain, in this case will the endpoint trust the ACS (also a domain computer)?
Question 3. What if there's a GPO policy to install the root CA certificate on the endpoints? In this case, should ACS issue the CSR and let the domain CA sign it as the identity certificate? Am I correct?
Mar 4, 2013
Today, we have a server running SNA that connects to a router via the following path: Virtual Server --> Nexus 1000v ----> Nexus 7010 ----> 2800 series router. We are trying to move the server to a new environment where it is Virtual Server ----> Nexus 1000v ----- Fabric Interconnect ----- Nexus 55xx ----- Nexus 7010 ----- 2800 router.
Nov 8, 2012
Here is what I am attempting to do.
1. I have a 1042N AP configured as a Workgroup Bridge attaching to a Lightweight Access Point.
2. The LWAPP AP is on a 5508 series Controller.
3. I have MAC Authentication configured through a Cisco ACS box running 5.2 code. And that portion is working.
4. I want to lock this WGB down even further with a second layer of security. I am thinking WPA2-AES.
Oct 17, 2011
I am looking for a Cisco firewall to replace a Sonicwall NSA240 firewall in an SME environment.
Apr 26, 2011
Need to secure a wireless environment in a hotel. The SSID has to be broadcast of course, but how can we protect guests from man-in-the-middle attacks, etc.? Currently the environment is all AP1200s with no hardware upgrades in the near future. There is also a 2811 router in place but nothing else. We would love to be able to force users to authenticate with a password in order to get out to the Internet as well.
Mar 7, 2013
I was asked to mount ACESMs on each of the CAT6K switches of a VSS cluster (one ACESM on each individual switch). In a non-VSS environment, the "svclc module <slot> vlan-group <group>" command is used to bind the VLAN group to the module in a certain slot. But now I am facing a VSS scenario, and I will need to combine switch and slot in order to reference each of the individual modules...
How do I "index" each of the ACESMs in a VSS cluster? Is there an extension of the aforementioned command to be able to combine switch and slot information?
Aug 2, 2011
I am looking to slowly migrate some of our wireless devices (Aironet 1231s and 1232s) to the Wireless N spec, the 1260s. I currently have four AP locations that I want to upgrade first before anywhere else. At the minute, these four APs work on the 2.4 GHz G band.
How will the new 1260s work in the mixed environment? I believe I will need to purchase the 1262 (which is the dual-band version) so that I can operate the AP in both the 2.4 GHz G band range and the 5 GHz N range at the same time; is this correct? If I was to purchase the 1261 (which is the single-band version), will I only be able to operate in either the 2.4 GHz or 5 GHz band, but not both at the same time?
For the mixed environment, would you suggest the dual-band version? Can I place the same SSID on multiple radios if this is the case? For example: say I have the SSID called 'Company', which at the minute is operating on the G band 2.4 GHz range. If I was to purchase the dual-band 1262, could I put this SSID on both the G radio and the N radio? Would clients with an N adapter automatically connect to the 5 GHz range (N radio) and legacy G and B adapters automatically connect to the 2.4 GHz (G radio)?
Mar 18, 2013
We have the following BYOD environment:
WLC 5508 (7.4.100.0)
Cisco Identity Services Engine Version: 1.1.2.145, Patch Version: 3
During the BYOD implementation we faced some problems with Android devices:
1) The Network Setup Assistant (NSA) download gets corrupted during the self-provisioning process (captured on 4.1.1 and 4.2.2 versions).
2) If NSA is already installed, the network setup process (downloading profile, certificate) stops at the last step, connecting to network, while the connection itself is successfully established. This bug is captured on version 4.2.2; 4.1.1 is ok.
The Google ACL is configured according to the TrustSec docs and permits all traffic to the Google networks 173.194.0.0/16 and 74.125.0.0/16.
Nov 1, 2012
I am currently finalising my project at Uni, and in the project planning section it asks if there are any ethical considerations to be made in my project. I am conducting penetration testing on a VIRTUAL network simulator (GNS3) using the Metasploit toolkit. I am guessing I will need permission to download these tools onto the university network; would that count as an ethical consideration? If not, what would I say in this section? Note, all of the data I am using in the project was created by myself, and there is no other human participation.
Aug 27, 2012
I have a small business environment that uses a domain controller and supports about 50+ PCs. Starting this morning, multiple computers have lost their ability to obtain an IP address. We have rebooted our domain controller and tried various fixes on local machines with no luck.
Nov 4, 2011
I have a Peachtree application installed on a standalone system, and three other systems need to connect to the shared folder to work. But each time I click on "show workgroup computers", it shows me a blank page on one and only shows the other system on the other. Hence, when I try to connect to the Peachtree folder, it gives an error that the system is not accessible?
Oct 4, 2011
I'm trying to use RDC to connect to my home PC from work. I've tested everything on my laptop from another network and the connection works fine but the same settings don't seem to work when I'm at work.
I'm pretty sure I have everything set up correctly. Using the default port forwarded to the desired computer.
Feb 11, 2012
I got a $7 per month plan on a server and I have problems with the FTP connection. I am trying to upload a 20MB file with multiple folders and files in it, and the connection is very choppy; I literally have not been able to do that since yesterday.
Feb 4, 2013
I'm having some serious sound problems with some 2950 Cisco switches that I have in my CCNA lab. These switches sound like a jet. I've gone in and made sure the fans are clean, and I even replaced one; they are still too loud. So I have a few options: I can run them without a fan, which I really don't want to do, but I want to look at two other options. The first option would be to put a heat sink on the chip that's producing heat; I also thought about cutting a hole in the top and mounting a 120mm fan.
Feb 28, 2006
I have a 3560 w/ multicast support and I'm trying to configure a simple environment. I have 2 ports configured, one for the multicast server and the other for the client. Each is on its own subnet, so I have an ip route between the two. My running config on both ports is:
ip multicast-routing distributed
interface fastethernet 0/3 & 0/4
ip pim version 2
ip pim sparse-dense-mode
I'm using a VLC server/client configured to use 224.0.0.1 on my isolated network. I can see the multicast traffic going into the port, and the client is sending reports, but I think the 3560 is dropping the packets, since I don't see them coming out the client port. I need to configure a simple multicast environment using 2 ports on a Cisco 3560.
Apr 15, 2012
I can't find any information on whether the AP1231G-A-K9 AP is supported in a 5508 Controller Based environment with Prime NCS. Could one of the experts confirm or deny?
May 29, 2012
Is the FWSM for a 6506/6509 supported in a VSS environment? Also, does the FWSM work with the 2T supervisor module?
May 1, 2013
We have some pairs of 6509-VSS, which partially have old (no longer officially supported) 6509 chassis. All linecards in the VSS are the same (Sup 720-10GE-3C, 67XX).
We now bought some new 6509-E chassis and want to replace the old chassis with the new ones in an ISSU manner, that means:
1. putting the partner whose chassis changes in redundancy mode, switching it off, exchanging the chassis (old "Catalyst 6509", new "Catalyst 6509-E")
2. inserting the line cards in exactly the same slots and connecting all cables
3. switching on the new chassis, waiting for it to come up in VSS
I'm not sure whether I have to set the switch number for VSS (is that in the Sup? in the configuration? or part of the chassis memory?)
I've looked on Cisco for some hints, but didn't find anything.
Jun 19, 2012
We have a Cisco 2801 router running IOS "c2801-spservicesk9-mz.151-4.M4.bin" which we upgraded from the previous "c2801-spservicesk9-mz.124-3d.bin".
Requirement:
We want to monitor the device temperature via SNMP but are unable to, because temperature readings are not available in the "show environment all" output, like below:
Routeri# sh environment all
Fan 1 OK
Fan 2 OK
ILP Power Supply - Absent
Fan Speed Setting: Normal
Whereas on the Cisco 2811/51 and Cisco 3825/45 we can get temperature readings in the "show env all" output.
As per the link [URL], the below commands are supported on the Cisco 2800 series router.
Command options
• show environment all
• show environment fans
• show environment leds
• show environment power-supply
• show environment table
• show environment temperatures
• show environment voltages
I want to know whether this is a Cisco 2801 platform limitation or something else. I tried to find a Cisco doc on this but had no luck.