I need to disable approxematly 40 different VPN profiles in our ASA5550`s without deleting them (need the ability to quickly activate them again if needed). I thought maybe i could disable IPSec for those profiles, but since the IPSec is an attribute for Group Policy, i cant do it - as many other profiles are sharing the same policy.
View 2 RepliesI've searched the release notes for 7.2+, but I haven't found a documented number of how many active RF Profiles a 5508 can support. Any limitation of how many RF Profiles they can have?
View 3 Replies View RelatedI have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:ACS 5.3 group hierarchy:VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class an no lock attributes, so the group is allowed for all VPN profiles),VPN users A should have access to VPN profile A (here we create a authorization profile with class and lock attributes for profile A),VPN users B should have access to VPN profiles B and Z (is this possible and how does the authorization profile have to look like?)
View 3 Replies View RelatedWe've set our WCS up to do AAA through our ACS 5.3 which works great. So in order to log into the WCS for Administration or as a Lobby Ambassador (to create guest users etc) the AAA is all done by the ACS, GREAT!
I have assigned a set of users the Lobby Ambassador role as passed that back through TACACS to the WCS, so those users have their role setup as Lobby Ambassador and are limited from doing anything else, as expected.
What I want to know is: With normal local AAA on the WCS, when you created a Lobby Ambassador account, you could give the account a set of defaults for any guests accounts created by that Lobby Ambassador account, which was good, so Lobby Ambassadors couldn't set up unlimited time accounts and stuff like that.
What I want to know now is that since I'm now doing all the AAA on the ACS, is there an attribute I can pass to the WCS in the Shell Profile, along with the roles etc telling the WCS what the guest user creation defaults for the Lobby Ambassador account is, so that we can continue to limit the defaults of any guest account that the Lobby Ambassador accounts create, as it used to be? We'd really like different lobby ambassadors to be able to do different things as well. i.e., Lobby Ambassador X can only create accounts for one region. Lobby Ambassador Y can create Unlimited time accounts where the others can not. We used to do this by assigning different guest user creation defaults to different lobby ambassador accounts on the WCS.
Is there a way that i can associate one user with two VPN profiles. Now here is the scenario.Our company has bought a win 7 64 bit pc for some of the employees , so i had to create anyconnect. But the same users are also connecting via normal cisco vpn client. they will give away these old pc but for the time being my need is that both users shall connect to anyconnect profile and ipsec profile.
I tried ti to assign same profile with both ipsec and svc so that they could use single profile but anyconnect didn't work. I am having cisco ASA 5510 as VPN gateway.And How many licenses does cisco asa have by default for anyconnect users. Here is the configuration for anyconnect
group-policy Broad_Anyconnet internalgroup-policy Broad_Anyconnet attributes dns-server value 4.2.2.2 vpn-tunnel-protocol svc webvpn split-tunnel-policy tunnelspecified split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL address-pools value Broadcast_AnyPool webvpn svc ask none default svc
[Code]...
In regards to QoS profiles on the WLC. I have applied a profile to a newly created WLAN and set the Per User Bandwidth to 512k and it seems to be kicking in on the ingress only, this is supposed to work ingress AND egress or is it just designed to work one way? I have a 4402-25 with Cisco 3500 AP's and am running the 7.0.98 code. If it is designed to work one way only is there a different way to apply it ingress and egress simultaneously off the WLC?
View 3 Replies View RelatedIs there way to group APs to get different profiles. I need to have some that have the 2.4GHz turned down and some wiht the 2.4 and 5.0 GHz on.
View 7 Replies View RelatedI recently upgraded to Windows 7 in my company and the OS came bundled with Anyconnect VPN client version 2.5.
In the earlier version I used to add user profile using a .pcf file by importing it into the client to access customer LAN.
But in the Anyconnect VPN client I dint find any option to import the file. The IT support has told to edit the xml file to add it. The problem is I even after i edit the anyconnect-cert.xml with changes in host name and host address tags I am not able to start a connection. I dont knw know exactly what address must be given in Host address tag. I copied the host address from .pcf file which i used earlier.
Whether I will be able to add a user profile in this way or any correction is to be done in the whole process of adding the user profile,
Customer has a WLC 4402 and 21 AP's LAP1131AG, there is a PDA wlan created to give PDA's and wireless Phones access to the webmail. This is done by access lists and firewalls. Now the customer wants more access to the internet in this PDA wlan, maybe in a later phase to the other vlans, can we use an ISE server and make profiles, is this the only additional server that we need or is an upgrade of the WLC and ÄP's also needed.
View 1 Replies View RelatedI just bought new 942L (HW Rev3, 1.12 FW) and the only profile which is used to stream to iPhone or Web browser in mydlink is profile 3 which is limited to JPEG. Is there some way how to change the profile to be used for streams or is there a way how to make to profile 3 something else then JPEG?
View 1 Replies View RelatedFor ACS 5.4: In Network Access -> Authorization Profiles there is a Permit Access profile. If you try to edit it a message pop's up that says: "The profile you have selected is reserved and cannot be deleted or modified". What this profile contains in its rule base? If I wanted to create a similar profile what Common Tasks, or Radius Attributes would I need to use? The same would go for a Deny Access profile. I have looked at the Common Tasks and Radius Attributes for a new profile and it doesn't seem very intuitive.
View 2 Replies View RelatedI use a Cisco ASA 5510 with the AnyConnect VPN for remote workers. Now we want to give access to a select group of consultants who only need access to one sever and block everything else.
I was thinking this could be done by creating a separate AnyConnect Connection Profile on the ASA. From that new connection will come a new GroupPolicy with a ACL to only allow access to the one system. That GroupPolicy will point to the Radius Server looking for an account in a specific MemberOf group.
My question is - Could you explain how the ASA knows what Connection Profile to use when a user tries to authenticate? Does it automatically hunt down each Connection Profile until there is a username match via RADIUS in the Connect Profile?
In my ACS 5.4 I want to have same useranme to use two shell profiles. Here is the requirement.One shell profile with privelege 15 for IOS device admin and other one with different privelege for WCS admin.As there can't have two shell profiles on the same authroization profile, I created two different profiles, and match with the ACS local group name. However whenever user tries to access it always hits the 1st profiles.
View 3 Replies View RelatedWLC Model
---------
WLC 4402
Software Version
----------------
5.2.178
Problem Statement
-----------------
Do we have any Cisco WLC MIB to get WLAN profile (Order in which WLAN profiles are added inside an AP Group) information present in an AP group?
We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration but I do have some inquiry on how to have it configured properly.
1. Employees and clients will access the URL
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
My challenge is, we have several clients and all their usernames were created in ACS5.3. Meaning if the configuration is just being differentiated by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access the resources of each other. Also in the future, we will be deploying 2-Factor authentication for some of our clients.
I have an ASA running 8.2.x code with AnyConnect 2.4.x.I have both Radius and LDAP (AD) AAA available.If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining is they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.
If at all possible, I do not users to have to pick a conenction profile or use different URL's.
i have recently added to a domain. The initial setup is a server running windows 2003 and several xp machines which logon to the domain using mandatory profiles. However, after adding windows 7 machines and logging them on to the system it doesnt load the profiles. (which is fine as I understand you cannot use the same profiles with windows 7+xp)The problem is it automatically creates a roaming profile when logging off and saves it back to the same path as the other profiles under user.V2 which is growing considerably and causing huge logoff and logon times.How can I get the windows 7 machines to not attempt roaming profiles back to the server and instead to just save the profiles locally when logging off.
View 14 Replies View RelatedWe have 2 ASA 5510's running in a Active/Standby configuration. It appears that most of the changes we make on the active unit are replicated to the standby unit. However, there are 3 AnyConnect Client Profiles on the active unit and none of them show up on the standby, the standby has no AnyConnect Profiles. We also have 1 OnConnect script on the active unit and it does not appear on the standby unit either.
I was under the assumption that all config items on the active unit would replicate to the standby. Is this not correct? Do I need to do something extra to get everything replicated? Are there other items that do not replicate?
I have recently installed acs5.2 evaluation on a vmware and i can't launch common task on authorization profiles when i click on it i have the bellow message javascript:cuesToggleTab('NetworkAccess',1,false,false
View 4 Replies View RelatedIs it possible to have one netflow export profile (may not be the right word...) to send all the flow information to one collector and another profile to only send traffic to and from centain IP addresses to another collector? If it is possible on the hardware and software, any quick sample config?
#sh ver
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH4,
#sho module 7
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
7 2 Supervisor Engine 720 (Active) WS-SUP720-3B SAL1115LJBR
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
7 0017.9444.9814 to 0017.9444.9817 5.3 8.4(2) 12.2(33)SXH4 Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
7 Policy Feature Card 3 WS-F6K-PFC3B SAL1115L2NH 2.3 Ok
7 MSFC3 Daughterboard WS-SUP720 SAL1115LH7W 2.6 Ok
Mod Online Diag Status
---- -------------------
7 Pass
I'm trying to setup a tunnel from our Cisco 5520 to a 5550 using one of our external ips natted through this tunnel. For some reason traffic that should hit this tunnel goes through global nat. Here is the configs I have for this tunnel:
access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip host 66.85.99.170 host 1.2.3.4
[code]...
If I ping 1.2.3.4 from a inside ip host I see in the logs that it uses 66.77.88.136 as the NAT and not 66.77.88.170. Do you see something wrong with this configuration?
I have ASA5550 ruuning Version 8.3(1) with inside and outside interfaces as below [code] On the inside : I have a server (10.20.10.36) that need to be accessed from an outside host (Y.Y.131.34) , so I have the below NAT/ACL rules. [code] is it right that I have to add two ACL entry for outside host to the NATed IP of the inside server , then again add another ACL entry from the same outside host to the private IP of my inside server o get this communication done?
View 7 Replies View RelatedIn our company we use ASA 5550 as a VPN server (failover pair, FW 8.2(5)). Long time we used Cisco VPN client (easyVPN) only and some time ago we started to use L2TP/IPsec VPN from Windows clients.From this time we can see strange behavior. Some ip addreses (we use ipv4 only) from local VPN ip pool are getting unusable for clients. When client gets this ip address the traffic from client to intranet is ok but the traffic from intranet to the client is blocked. This behavior affect both L2TP/IPsec and easyVPN clients with this ip address.The packet trace shows that the traffic will be blocked because implicit deny ACL but ACL for the connected user is created:
Phase: 10
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
[code].....
We use RADIUS for authentication and ACL. Failover to the standby ASA solves the problem but this terminates all L2TP/IPsec VPN connections.We use Cisco Anyconnect VPN too and when Anyconnect client gets this „strange“ ip address he can communicate normally without problems. It looks like that this problem is related to IPsec. how to discover why ASA uses -implicit deny- instead of user ACL?
If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this? I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.
View 9 Replies View RelatedIs it possible to know the VPN usage for a particular session using Cisco ASDM 6.4? Device type is ASA 5550. ASA version 8.4
View 4 Replies View Relatedwe had just installed our ASA 5550 with IOS 8.0(2) a couple of week ago.
2 interfaces from each slot are being used ie 0/0 for Branch users comming via MPLS cloud , 0/1 for internal LAN users comming form Core Switch & 1/0 for Server farm LAN , 1/1 for Internet (outside)
the first 3 interface are considered inside with sec set at 100 while the 1/1 is outside with sec at 0.
Last night it suddenly started dropping all connections without any warning or any noticible log form the ASDM logging.
the connection drop would happen for 2 - 3 minutes and would work fine for the next 15 minutes or so..
after conencting the console , we found out that the IOS would suddelny go abrupt and show this display ...
TP-ASA(config)# TP-ASA(config)# TP-ASA(config)# Thread Name: Dispatch UnitPage fault: Address not mapped vector 0x0000000e edi 0x24d184b0 esi 0x0000000d ebp 0x1c6ceaf8 esp 0x1c6ceae0 ebx 0x09e965e0 edx
[Code]....
Currently on internship in a multi-site company, I am studying the IPv6 transition.I have to perform several tests and i was wondering if is it was possible to make a Site-to-Site IPSec VPN with IPv6 between a Cisco Asa 5550 and a Cisco 881 router.
View 17 Replies View RelatedI have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.
We have public addresses inside the ASA and want to allow in/outbound connections using these IP's without NAT. The ASA is a 5550.
I need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
I have Active Standby ASA5550 setup with VPN premium license. A few days back we had a requirement of SSL VPN connection for and we got a temporary from Cisco for same, this license expired and the ASA reverted to it's original license. 3 4 days after this we saw a sudden increase in CPU utilization (upto 90% + -5%) on the ASA during production hours but were not able to figure out the reason, in order to restore the services we failovered the firewall to secondary and everything worked fine. We were suspecting one of the following but there were no logs for any of this
1. The ASA hardware was haivng problem
2. Some client was doing a DoS attack to bring down the ASA (no logs for this as well).
We took a downtime to look further by failovering the ASA back to primary and it worked fine without any issues ruling out the 1st option. We also came across a licesing doc [URL]
Downgrading any license (for example, going from 10 contexts to 2 contexts).
# Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
As per this doc, sooner or later a restart was required on the ASA. We restarted secondary ASA and everthing was fine but when we restarted the primary ASA by swtiching over to secondary some of the server (not all) in the DMZ stopped working (even ICMP unreachable) and only came back to normal when the primary ASA was restored and working fine (with failover).
The reboot was done by shuting down the physical link between the Core switch and ASA inside individually.
I am not sure what could be the issue that the servers in the DMZ wen unreachable.
In my Cisco ASA 5550, I need to set two different syslogs servers, and I need to send the system logs to the first one (only admins login/logout), and the traffic logs and all the rest (informational level) to the second one. Do you know if is it possible or not and, if yes, how to configure it?
View 6 Replies View RelatedI have AnyConnect newly configured on my ASA 5550, running 8.2.x code; however, Mac users cannot connect using the Apple client, nor using the Cisco AnyConnect client - they are getting a "posture error" of some kind or the laptop is failing some kind of machine profiling.
View 3 Replies View RelatedI would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies View Related