We have a Cisco ASA 5520 with the VPN Plus License and 8.04 IOS installed, we want to set up vpn access to our users. We can use the Cisco VPN client which works on Windows Platform, but we also have MAC OS 10.7 which works only with Cisco Any connect.
I am a little bit lost with all the client and the license, actually we can't setup more than 2 vpn session with an Any connect client installed on MAC or Windows. The authentication is by Certificate, the first two connect fine, but the third one don't connect and prompt for a username / password. I joined a SH VER of my ASA, what is wrong on the license or perhaps it's a configuration problem?
What's the difference between VPN Plus license and Security Plus license. I have new 5520 shipped with VPN Plus license.Also does it require a seperate license for Anyconnect for Mobile and AnyConnect Essentials.
Do I need the security plus license to do HA with two 5520's?I was told by our purchasing department that the 5520 was supposed to be able to do HA out of the box, but when I look I see only the VPN + license. Does that mean I can download the security plus license? Or do I even need it on the 5520.
I have got ASA 5520. I am planning to install Cisco ASA AIP SSM-20 and Cisco ASA Content Security and Control (CSC) Security Services Module on ASA 5520.. However I am also thinking of adding AIP only as I can do the function of content filtering with proxy server. Relating this issue I would like to ask -
1. What would be the benefit of adding CSC ?
2. Do I have to pay the license cost every year for both of these SSM? What would be the cost ?
We have bought L-ASA-AC-PH-5520=Anyconnect Vpn Phone License for our Cisco Phones but when we entered this license into our ASA it shows th following i.e enabled for linksys phones. Is there a diff part no to enable vpn for cisco phones. [code]
I have a running ASA5520 in my network and recently we plan to add a failover pair as a standby unit for the running asa. Both of the ASA have the same specs and software. the only thing that the soon to be secondary ASA does not have is the AnyConnect Essential license. is it still possible for the unit to be the standby unit?
below is the license capture from both of the unit.
Running ASA: Licensed features for this platform: Maximum Physical Interfaces : Unlimited Maximum VLANs : 150
According to the link here:[URL]Starting with Version 8.3(1), it no longer needs to install identical licenses. Typically, we only buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active.So I wanna know if there's some additional configuration to synchronize the licenses such as SSL VPN or Context between the primary one and the second one? Or they can just synchronize by default as soon as I finish the failover configuration and when the primary one gets down, the second one will take over the role including licenses automatically?
I have 50 SSL Premium licenses on my ASA 5520 running 8.4. I want to run Anyconnect on IPAD- and IPHONE-devices but it seems that this requires a Mobile-license on top of the premium-license. Is it possible to receive an evaluation-license for this? It will take a few days to receive permanent licenses and I want to user this now.
I need to activate AnyConnect SecureMobility client on an IPAD. I have an ASA with the below feature licenses:
[code]...
This platform has an ASA 5520 VPN Plus license
As I've understood that I need the ASA-AC-M-5520 license for each IPAD used but they mentioned that we need also the Essential or premium license to be activated on the ASA as well. As shown above, I have the "VPN Plus license" activated on the firewall.
We apply a new anyconnect mobile license to our primary asa 5520 and the failover feature went into an off state. WE have now applied a second purchased anyconnect mobile to our secondary asa but the failover is still inactive/off.
bcoh1fw50# sh failover state State Last Failure Reason Date/Time This host - Primary Disabled Ifc Failure 14:43:21 EST Jan 30 2013
I’m stuck in some problem with installation of LMS4.0 in customer site.
- we purchase a LMS4.0(CWLMS-4.0-100-K9) but couldn’t install it on Windows server 2008 R2 64bit because those things don’t support each other. - I need to upgrade the LMS4.0 to LMS4.2 that is supporting Windows server 2008 R2 64bit. - So, I ordered following items via product update tool (url...) [code]
- In this status, how to install LMS4.2 with license for 100 devices? If I install R-PI12-BASE-K9 first, can i enter a licese for 100 devices for CWLMS-4.0-100-K9 into PI1.2?
rececntly we have installed 2504 WLC in of branch office, I can able to log via console but it is not coming over LAN not even showing in CDP, all config seems to be fine in wired side & WLC side & physical connection also fine...LED also green.I am seeing log message in WLC, is this related to License issue
I wish to purchase Cisco Prime LMS 4.1, particularly Cisco part # R-LMS-4.1-500-K9 which support 500 Cisco nodes.We have about 360 Cisco switches/routers/ASA/FWs/WLCs so the 500 nodes license would seem to suffice for now & for future growth.We also have about 200 lightweight APs that are managed & monitored by our WLC/WCS/Navigator environment.According to the device support documentation for LMS, it supports and I assume will auto-discover these APs.Does that mean these APs will use up node licenses on LMS even though management of the APs is done by WLC/WCS? If so is there an easy way to suppress discovery of APs by LMS so we don’t have to purchase extra node licenses for LMS? Or, does LMS offer additional support features for wireless APs not already offered by WLC/WCS/Navigator?Just trying to understand how many network node licenses for LMS I have to purchase.
we have a cisco ASA5505 with base license and 3 interface configured. Internal 192.168.1.1/24 DMZ 172.16.0.1/24 Outside 20.20.20.20/24 The DMZ is configured to allow the traffic pass to the outside interface only (base license allow only traffic to one interface) in order to let clients on this network to browse internet. On the outside interface there's a nat configuration that let the port 443 to be natted to an in internal server. Is it possible to let the clients in DMZ to access to the internal server on port 443 from the outside interface?
ASA 5520 to get it to authenticate VPN users against and Active Directory environment plus allow management access as well. I created a Dynamic Access Policy on the ASA stating that if you are a member of the Active Directory group "Managment" the continue. I chagned the DefaultAccessPolicy to "Terminate". So with that, VPN users cannot connect because they are not a member of that group, but the access to manage the ASA is allowed because of that policy.Is there a way through using Dynamic Access Policies that I can allow management access (SSH, ASDM, etc) by matching to a group membership and will allow normal users to VPN in successfully but not allow them access to managing the ASA?
i have an ASA 5520 version 8.4(1) the wan interface is 216.41.115.33 and the internal subnet is 192.168.1.0 /24 what would be the exact nat command so users on the internal subnet can access the internet ?
I'm trying to setup a very basic EasyVPN from my ASA 5505 (home/client) and ASA 5520 (work/server/ IP 74.25.12.245). Everytime when I enable 'Easy VPN Remote' on my ASA5505, my home PC get disconnected from the internet.
My ASA5505 client gets dhcp IP address (private IP 10.1.1.79) from my cable modem. I believe my cable modem has this public ip 50.54.12.224.
I looked at the logs on my ASA 5520, it seems that all the requests from my ASA 5505 client are going thru and connected. And similar with ASA 5505's log.
Between 74.25.12.245 and 50.54.12.224 (user= home) has been created.
IPSEC: An outbound remote access SA (SPI= 0xA0319409) between 74.25.12.245 and 50.54.12.224 (user= home) has been created. Group = EasyVPN01, Username = home, IP = 50.54.12.224, Security negotiation complete for User (home) Responder, Inbound SPI = 0x7440e3a5, Outbound SPI = 0xa0319409 Group = EasyVPN01, Username = home, IP = 50.54.12.224, Overriding Initiator's IPSec rekeying duration from 2147483647 to 4608000 Kbs(code)
How can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 form the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing.
We have a Main ASA 5520 and two remote site ASA 5505's that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have are local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external sharepoint, but we have access to it internally The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.What i'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would i have to make a separate vpn tunnel purely for that DMZ traffic?
I am trying to configure Remote Access VPN in our Cicco ASA 5520 firewall through SSL VPN wizard. I tried to configure Anyconnect VPN client option, but after entering user/pass it gives error "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator. The following message was received from the remote VPN device: No assigned address"
As looking online there is no easy step-by-step option for same. I want to provide Remote Access VPN to some of our user abroad who should have access to few server applications and no internet access.
Currently my VPN settings use a shared key without certficate to access the VPN. I would like to now set up a self assigned certifcte from the ASA to get users to import the certficate in order to VPN..
I just configure an ASA 5520, here is the config (the ip address of outside network if going to change from private direccion by reason security).
The problem that I have is the users can access to the web site through the public´s ip address but they do not can access through by name. We review all the config on the server DNS and with the command NSLOOKUP we can see that work fine. The client think that the asa is blocked the connnection.
I have setup clientless SSL VPN on my ASA. User authentication is done by RADIUS using ACS 5.2, I have created two portal one for IT department and the other for auditing department but the user in auditing if the select IT group from the drop down list they can login to it, my question is how can I make them login to their group only and prevent them from accessing other groups ?
I have an issue where my vpn clients are unable to access certain vlans in my network.I have configured an ASA 5520 with VPN access using the wizard and using the ASA as a dhcp server for VPN clients. I find that this allows the clients to access server resources such as the Exchange and Domain Controller but I find that these vpn clients are unable to ping each other as well as certain vlans that I have.Is there a way to configure the ASA to use a particular vlan that is already configured on the core switches?If I create a vlan interface and set the IP of it to 10.50.x.x then the vpn clients are suddenly unable to connect to any network resources...
I am trying to build a remote vpn in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using anyconnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IP is ping ing even). Meanwhile, I could ping and rdp to this laptop(which is connectd by anyconnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.
I'm trying to set up Windows Server UAG for Direct Access in a Testlab. The UAG Server has two network nics. One in my Testdomain (internal) and the other one in a DMZ of our Cisco ASA (external).Our ASA dmz has subnet 192.168.3.x but UAG Direct Access needs public ip adresses.Is there documentation how to configure an ASA 5520 Firewall so i can use my Windows UAG Server with Direct Access?
I am new to v5.3, and I am not good at VPN.I just have my consultant to configure this correctly just today. Currently, there is only one rule for the access policy (Single Result Selection). That rule is to use Active Directory as the source for the authentication. And by default will deny any other access which is not found in the rule.Now... I just got an order that I need to setup a new user who will need to access to our network by using Cisco IPSec VPN (the software one). But that user is not setup in our Active Directory, and we do not want him to access our domain anyway. He only needs to access non-domain resourse...such as airconditioning controller by IP. So I am thinking to setup his account by using "internal identtity". If I do this way, what do I need to do to setup another access policy? May you give me some steps with little more details? OR... if it is not the way I should do...what else can I do to achieve this goal? Also, he said he could provide his static IP trying to access from. I have a ASA 5520.
We have an ASA 5520 in HA. (version 8.X upgraded to 9.1 (1))We used Wizzard to configure VPN clientless and portal. Also, configured manually we have the same issue: We can access to the portal using IP address of Lan interface but not with outsides (2 ISP). The clientless VPN is enable on the public interface and no packets rejected in logs.We try to modify the Crypto map created by default to replace "any" to "any" by "any" to "our public IP" (We see that is recommended by Cisco) It works for 10 minutes.(strange..) but after 10 minutes the active member crashs.. only a reboot with previous configuration was good.We try to investigate but each time we modify Crypto maps, the firewall is going bad.
I have set up a remote access ipsec vpn on an asa 5520. I can connect, and ping internal ip addresses, however I cannot ping back out to the internet, and dns resolution does not work.
