Cisco VPN :: ASA5500 / Command To Check Tunnel Up-time?

Jun 27, 2011

I am using an ASA5500 series box which has a site-to-site tunnel terminated on it. Is there any command by which we can check the uptime of the tunnel?
 
ASA# sh isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


Cisco VPN :: ASA5540 Any Command To Check Tunnel Up-time

Mar 17, 2011

I am using a Cisco ASA 5540. Is there any command to check the tunnel uptime?


Cisco Firewall :: Command To Check IPSEC Tunnel On ASA 5520?

Jan 7, 2013

Need to check how many IPSEC tunnels are running over ASA 5520. Tried commands which we use on routers, no luck.


Cisco VPN :: ASA5500 / TCP State Bypass For Traffic - Coming From IPsec Tunnel?

Feb 6, 2012

We have problems on the central firewall with restricting traffic coming from a remote office over IPsec. (The network scheme is attached.) All branch offices are connected to the central ASA through IPsec. The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel.

According to the scheme:
172.16.1.0/24 is one of the branch office LANs
10.1.1.0/24 and 10.2.2.0/24 are central office LANs
The crypto ACL looks like: permit ip 172.16.1.0/24 10.0.0.0/8
The aim is to restrict access from 172.16.1.0/24 to 10.1.1.0/24.

When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok - they are dropped by acl2. When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is the stateful firewall - traffic bypasses all access lists on a back path. I thought that the TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't work. The central ASA 5500 is configured according to the Cisco doc [URL]
 
access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
class-map tcp_bypass_map
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass_acl

[code].....


Cisco Firewall :: Command To Check ASA 5520 Is Passing Traffic

May 14, 2012

How can I check that the ASA is passing traffic? Also, what command can we use to make sure the VPN is working fine?


Cisco WAN :: Command To Check List Of Incoming Vlans On Catalyst 4640?

Oct 4, 2011

Is there a Cisco command to check the list of incoming VLANs on a Catalyst 4640, or at least one that will give you the same output? We're having an issue with an ethernet circuit: links are up but ping won't go through (no ACLs), and I want to see if the VLAN tag from the other side (side B) is properly reaching side A.


Cisco VPN :: Check Right Time On VPN Client  Session On ASA 5510?

Sep 11, 2011

How can I check I have the right VPN time on a VPN client session on an ASA 5510, and how can I modify it to more time...


Cisco Switching/Routing :: Command To Check Memory Slot In 3800 Routers?

Nov 13, 2011

I remember there is one command which can tell you which memory slot has how much memory in a Cisco 2800 or 3800. But at this moment, I just can't recall this command. I checked "show diag" but didn't see any information about memory.


Cisco Routers :: Rv082 - Can't Check Enable Vpn Tunnel

Sep 8, 2011

According to the RV082 manual, if you want to use VPN, check the enable box.

But I can't check the enable button... it's disabled, so I can't check it.


Find The Time To Check The Network Layout Attached In The PDF?

Nov 9, 2012

Time to check the network layout attached in the PDF. This design is regarding a new redundant DC being built (hypothetically only) but I need to know if I've connected this in the right way and if it's possible with the equipment listed and how I've put them together. [CODE]


Cisco Switching/Routing :: WS-C6513 Command To Check 6500 Switch Performance / Resource Usage

Apr 25, 2013

I am on a call right now troubleshooting some latency issue. The CPU usage on the sup card is low. Don't see any drops or input errors. I am aware that the switch and its modules have capability limits. Is there a command I can run which will tell me if any module is overloaded or if the fabric/backplane is over-utilized? My chassis is WS-C6513 and sup card is WS-SUP720-3B.


Cisco VPN :: 3000 Network Address Is Allowed Down Tunnel / Check Phase 2 IPSEC Proposal

Nov 4, 2012

I need to check and possibly change which Network address is allowed down a tunnel and check our Phase 2 IPSEC proposal. How would I do this on a VPN3000?


Cisco :: Interface Tunnel Command Does Not Exist?

Oct 21, 2012

I am using an ASA 5520 image in GNS3. When I go into configuration mode and try to create a tunnel through the command "interface Tunnel 0", this command doesn't exist. I need this command to create a tunnel for a GRE lab.


Cisco WAN :: Getting 1941 Tunnel Bandwidth Command?

May 13, 2011

I have a Cisco 1941 router with the Security license running IOS c1900-universalk9-mz.SPA.151-4.M.bin.  Is there a "tunnel bandwidth" command like with routers that have the Advanced IP Services license?  My concern is being able to adjust the bandwidth to a value greater than 8 Mbps...


Cisco :: Scheduler Max-task-time 5000 Command

Dec 10, 2011

I was wondering what this command is that appears in the default configuration of Cisco routers: scheduler max-task-time 5000. I did some research in forums but did not find anything apart from the "scheduler" command with other options.


Servers :: Cannot Set Time Through Command - Getting Error Message?

May 22, 2011

After setting the time through the set time command, the error message 'synthetic time issued' is displayed on the server.


Cisco :: 3560 - Missing IPv6 Tunnel Command?

Sep 17, 2011

I've finally got my 3560 switch IPv6 capable (IP Services IOS), but I've stumbled upon something strange: I can configure a tunnel interface, but I can't put the tunnel in ipv6ip mode. The command is missing. I can choose GRE, IP in IP, and a bunch of other things, but no ipv6ip. I'm a bit desperate here and probably I am going to have to live with it, but just in case? I need the IPv6 tunnel for an uplink to a tunnel broker which only supports this type of tunnel, and I'm surprised this is missing.


Cisco VPN :: 3925 - LAN-LAN IPsec Tunnel Command Unavailable

Apr 14, 2011

I'm looking to utilize one of my 3925's to create a LAN-LAN IPsec VPN tunnel with another site.
 
I was under the impression that I needed to get a securityk9 license installed and then I would be good to go.   I got a temporary 60 day trial license and successfully installed it, but none of the commands that I need to create the tunnel are showing up for me.
 
I'm trying to use the "crypto isakmp" command, but that is not showing up:

Router(config)#crypto ?
  ca   Certification authority
  key  Long term key operations
  pki  Public Key components
 
Here's my show license:
Index 2 Feature: securityk9
Period left: 633 weeks 4  days
Period Used: 0  minute  0  second
License Type: Evaluation
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low


Cisco WAN :: 3845 Remove Tunnel Mode RBSCP Command

Sep 19, 2011

I am trying to implement RBSCP on two 3845s running 15.1(4)M1 Adv Enterprise over a satellite link. The "show" commands all look correct, but whenever I policy route my machine through the RBSCP tunnel I don't even make it to the opposite side. However, if I remove the "tunnel mode RBSCP" command so it acts like a regular GRE tunnel, I route through it just fine. So I know it's not a NAT or routing issue. [code]


Cisco Switching/Routing :: 3845 - Archive Command Time-period Does Not Work

Oct 14, 2012

I have a Cisco 3845 with the archive command configured:
 
archive
path tftp://x.x.x.x/$h
write-memory
time-period 60
 
The archive command works with the execution of the write mem, but the "time-period" doesn't work. This is the show version of my 3845:
 
NTP_Server#SH VER
Cisco IOS Software, 3800 Software (C3845-SPSERVICESK9-M), Version 12.3(14)T7, RELEASE SOFTWARE (fc2)
Technical Support: [URL]
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Thu 23-Mar-06 01:59 by pwade

[code].....


Cisco VPN :: Tunnel Gets Idle For Arbitrary Amount Of Time Rv110w

Oct 15, 2012

I have set up 2 RV110w firewall/VPN/routers at remote locations and an IPsec tunnel between them. Once the tunnel gets established everything works fine until it has been idle for some arbitrary amount of time (maybe a half hour or less), at which point we lose server access and can no longer ping across the tunnel. To fix this I have had to disconnect and reopen the tunnel again. I even went so far as to install an autopinger on the remote end to keep traffic on the tunnel, which seems to work but is not going to be a viable long term solution.


Cisco Firewall :: ASA5500 Going To Eos

Mar 3, 2013

Can anyone advise whether the current ASA 5510 is going to EOS?


Cisco :: Netflow Restart On ASA5500

Feb 5, 2013

I have an issue with Netflow that I have been unable to solve. I have an ASA5510 that is sending netflow data to a FogLight NMS and it works fine until I reboot the server. After the server is rebooted, the flows no longer are received until I reload the ASA. Once the ASA is rebooted, flows work fine. I can remove and reconfigure the netflow configuration on the ASA and that will  start the netflow again, but that is painful.
 
Is there any way to easily stop/restart or re-initiate the netflow from the ASA easily?


Cisco VPN :: ASA5500 How To Get Secure Desktop

Oct 16, 2012

Is Cisco secure desktop free and available for download on Cisco's download site? Is host scan part of the package? I just purchased an AnyConnect license for my ASA (ASA5500-SSL-250=)  and would like to know how to get Cisco Secure desktop and more specifically if host scan comes with CSD.


Cisco VPN :: ASA5500 / Secure Desktop With SSL VPN?

Oct 1, 2012

What benefits does the Cisco Secure Desktop bring to customers running ASA5500-SSL-250= user license on the ASA? This is not Anyconnect. This is just regular clientless SSL VPN. I am particularly interested in anti-virus/anti-spyware compliance. Is this available with the base version of CSD? How does this endpoint control work? Can endpoint control detect that an O/S antivirus is not up to date and then block this device from accessing the VPN? If it can, how is this configured? note I am not asking about the additional Advanced endpoint control license. Just basic Cisco Secure Desktop download.


Cisco Firewall :: Can Connect To Network Via ASA5500

Oct 31, 2011

Using any computer and AnyConnect, I can connect to our network via ASA5500. But when I use Cius or iPad, I always get a No License error message.


Cisco VPN :: ASA5500 Static Address For Vpn User

Apr 10, 2011

I am trying to configure the ASA to assign the same static IP address to a certain user (User1) every time he connects to the network via the AnyConnect client. We have Windows AD and use an LDAP AAA server for authentication of VPN Remote Access users. I found an explanation in the document "Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2" in the section "Configuring an External Server for Security Appliance User Authorization" and configured the ASA and User Properties in AD in exactly the same way: First, I assigned a static IP address in the properties menu (dial-in section) of User1 in Active Directory. Then I created an LDAP attribute map where I mapped the msRADIUSFrameIPAddress attribute to the IETF-Radius-Framed-IP-Address attribute. At the end I applied this LDAP attribute map to the AAA server group LDAP.

Although I set this up, whenever I connect using User1 credentials from AD I still get an IP address from the VPN pool instead of the static IP address that I configured. In the output of the debug ldap 255 command I found the line "msRADIUSFramedIPAddress: value = -1062718956" but not any line that proves mapping of the above mentioned attributes. It seems like the mapping is not working. All AnyConnect users get parameters from the defined internal group policy on the ASA, including addresses from the pool, DNS server etc. I want User1 to get a static IP address and inherit all other parameters from the group policy.


Cisco Firewall :: ASA5500 Add A Second Outside Connection With Second Provider

Feb 24, 2013

ASA-5510, inside, outside, and some DMZ. Some services published with Static NAT - no problem. Now we need to add a second outside connection, with a second provider. Internet navigation only through the first provider (default gateway to the provider router "A"). I need to publish some services ALSO through the second provider, ensuring the accessibility of both public IP addresses. I can set up the second NAT on the second interface, but the answer is ONLY to the first IP (the ISP "A", where I have the default gateway). By Cisco manual, it seems that there is a "lookup route" automatic with the return route of NAT, but it does not work.


Cisco Firewall :: Active IPS Feature In ASA5500-X?

May 5, 2013

Should we activate the IPS feature in ASA 5500-x by using a license? In the 5500-x ordering guide: IPS is only sold as ASA-IPS combo SKUs i.e., one cannot add IPS service as an option on top of ASA SKU. For example, if IPS service is desired on ASA 5515-X appliance, the relevant SKU is ASA5515-IPS-K8 or ASA5515-IPS-K9. But my customer has activated it by using the ASA5525-IPS-SSP on ASA5525-K9.


Cisco AAA/Identity/Nac :: ASA5500 / ACS 5.1 Radius For VPN And Admin?

Feb 27, 2011

I am trying to configure ACS 5.1 to authenticate SSL VPNs on an ASA5500 and also to provide admin access to the ASA5500, both via RADIUS. I want to authenticate the VPN against a SecureID appliance and the admin login against a different database (using internal for testing but will use LDAP in the end). I can't seem to get the ACS to distinguish between the two authentication types. If I create a rule that says match protocol radius I can point that at either database, but if I try saying match radius and service type 5 it doesn't match the VPN and falls through to the default authentication service. I have also tried matching service type 6 for admin and that doesn't seem to work either. In the end what I want to achieve is to authenticate the ASA5500 VPN against the SecureID appliance and then admin access to all devices on the network (a mixture of Cisco, F5 and Juniper) to Active Directory via LDAP, where if the user is a member of the "admin" group they get access. I was intending to use specific devices for the ASA5500s (there are two) and then create a device group based on IP address range for everything else.


Cisco :: ASA5500 - Wireless Client Authentication Using ISE

Jul 24, 2012

I am designing wireless controller solution for one of our customer network with Cisco 5500 series controller, wireless client authentication part.
 
1.       There are 25 departments around the campus, each will be given one or two access points.
2.       One Cisco AIR-CT5508-50-K9 Controller shall be used.
3.       Single SSID/ VLAN shall be used for entire campus.
4.       Wireless Authentication credentials used by one department shouldn’t work for other department


Cisco WAN :: ASA5500 Transparent Multi Mode Firewall

Feb 4, 2012

Recently I have configured an ASA5550 with 2 contexts in transparent mode. Traffic can pass through a single firewall context but through both contexts it couldn't.


Cisco Firewall :: Schedule Automatic Backups Of ASA5500

Mar 2, 2012

I would like to schedule automatic backups of our ASA5500's OoO-hours:

1. SSH from secure server and create _FULL_ backup - what would be the CLI command(s) ?
2. SCP from secure server and retrieve file(s) - what is the location of the file(s) ?


Cisco WAN :: Possible To Access ASA5500 Firewall Management Port

Jul 17, 2012

It's a problem about accessing the ASA5500 Firewall management port. The customer requests to access the ASA5500 by entering the default IP address https://192.168.1.1 to monitor data traffic in Windows 7. But after entering the default IP in IE, no page appears.

But that way can access the ASA5500 management port successfully in Windows XP. What is the difference between Windows 7 and Windows XP? Is there any way or any patch to access the ASA5500 management port in Windows 7?


Cisco VPN :: Inside LAN Cannot Ping RAVPN Client On ASA5500

Mar 9, 2011

I have configured Remote Access VPN on an ASA5500 Firewall. I am able to log in normally and ping internal servers on the LAN. However, the servers cannot ping the IP address that I am taking from the RAVPN pool. So it is a one-way communication.


Cisco VPN :: SSO On CIFS Shares For Clientless WebVPN ASA5500

Jun 20, 2012

I currently have a problem with connecting to some CIFS shares on a EMC NAS. I have created some bookmarks for those shares to be used via the client less SSL VPN portal. I have also setup SSO which works properly for web-bookmarks and RDP stuff but not for the CIFS shares.

When I try to access those shares I'll always get a "authentication failed" error message. Afterwards a new log in-box is displayed. I have been able to log in to those shares by using the user-ID prefixed with the domain name [URL]. Log in fails when using only the user-ID or for example DOMAIN user-ID. I have also tried with a share on a different Server (windows2008 R2) which works without any problems.


Cisco Firewall :: Identify ASA5500 With A Single DIMM Slot?

Dec 26, 2011

I have a large quantity of ASA5520's and ASA5540's that need to be quickly assessed and RTV'd (if need be) if they are found to be upgraded ASA5510's.
 
My concern is because of this recent release-note by Cisco: [URL]
 
Is there a way to check the amount of DIMM slots on a unit through console or do I have to physically check each and every one?


Cisco Firewall :: ASA5500 - AnyConnect Vs IPsec VPN Client Licensing

Sep 19, 2011

I was wondering if it is needed to license the IPsec VPN clients in the ASA5500 firewalls... I know that you have to license the SSL VPN peers (AnyConnect). I am almost sure that for the IPsec you don't have to.


Cisco Firewall :: Resolving Drop During Port Forwarding On ASA5500

Jan 10, 2012

I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface receives its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to ssh port on internal host.
 
#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh
 Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
[Code]...


Cisco Firewall :: ASA5500-x Bandwidth Control Based On Different Users And Applications

Sep 20, 2012

I would like to know about the ASA 5500-x. Does it support application visibility and granular control for different applications? Moreover, bandwidth control based on different users and different applications?


Cisco VPN :: ASA5500 - User Authentication ACS By Adding External RADIUS Database

Feb 28, 2012

I would like to configure the below setup:
 
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
 
Here ACS server would send the authentication requests to External RADIUS server. So, I have added the external user database (RADIUS token server) in ACS under External databases. I have added AAA client in Network configuration (selected authenticate using RADIUS (VPN 3000/ASA/PIX 7.0) from the drop down).

Here how do I make ASA recognize that it has to send the request to ACS server? Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make ASA send the requests to ACS server?


Cisco Routers :: RV082 VPN To ASA5500 Device Crashes When Keep-alive Enabled?

Dec 19, 2011

We have several RV082s here which are intended to connect to a central ASA5510 firewall. The VPNs are configured and do work basically, however in our test environment the RV082s kept crashing after an apparently unpredictable amount of time (sometimes after several days or even weeks). All the RV082 have the newest firmware installed (v4.1.0.02-tm).
 
When further investigating the issue, I found out that the crashes can be reproduced when enabling the keep-alive option on the RV082. When powering up the RV082, they boot, start up the VPN, and then they crash a few seconds after the tunnel has been established (one or two pings usually get through). When crashing, the RV082 becomes completely unreachable, ie no ping, no webinterface etc.
 
There is a note in the firmware release notes saying that enabling the keep-alive option would not work the way it should. However it seems that enabling that option lets the router completely crash after its next reboot. This makes the keep-alive option basically worthless, however we need this since the routers will get installed at remote sites with no personnel available there.
 
Is there any way to enable the keep-alive option without making the routers crash immediately after startup?


Cisco VPN :: ASA5500 Remote Access Group Policies IPsec Client Firewall

Mar 6, 2011

We have ASA5500's deployed for remote access concentration. We use the Cisco IPsec VPN client with a group policy that checks for Network ICE BlackIce personal firewall. The powers-that-be wish to change to McAfee Personal Firewall, ok. Now the Group Policy allows you to check for several pre-configured firewalls: Cisco Integrated, Sygate, Zone Labs etc. So as McAfee are not listed then I am to assume we go for "Custom Firewall", and this is where I am struggling. To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID. McAfee haven't the faintest idea what we're talking about when we ask them for these details. Or is there a way to extract them from the registry of a machine with the McAfee product installed?


Cisco WAN :: 2621 / Time-Based Access Lists Using Time Ranges?

Jan 4, 2011

I have one 2621 router. I want to create a time-based access list so that users in one of my subnets (10.128.194.0 255.255.255.128) can use the internet only between 11am and 2pm.


Cisco Wireless :: WAP321 Lost Time - Cannot Sync With Time Server

Jul 8, 2012

I just bought a WAP321 Wireless AP. I wonder why it cannot sync with our time server automatically. Every time I reboot it, the system time becomes "Fri Dec 31 1999 12:00:00 UCT". I have to do the sync manually by clicking on the "Save" button under the menu Administration > Time Setting.

