Cisco VPN :: Licensing Required To Perform Host Scan On ASA 5520

Apr 6, 2011

I want to mark company-owned laptops with a registry setting and have our ASA 5520 identify these systems when connecting via SSL and IPSEC remotely, and allow broader access to the internal network than the telecommuters that use their personal PCs. For the users that connect with their personal PCs, I want to only allow RDP access to their company PCs on the internal network.
 
Can I accomplish this with the current VPN Plus license and Anyconnect Essentials feature enabled? If not, what license/features do I need installed/enabled to accomplish these objectives?


Cisco :: LMS 4.1 Licensing Required

Jan 5, 2012

I have a customer that purchased an LMS 3.0 package and later upgraded it to LMS 3.2 using the same license for 300 devices. Now the customer wants to upgrade to LMS 4.1 and is asking if they can get a similar free upgrade as before, especially since their current LMS is covered under an SP Base contract.

Do you know if the SP Base contract will qualify them for this? I have tried discussing it with a TAC licensing Engineer and the Local Accounts team; both have not given me a solid answer.

Cisco VPN :: ASA 9 / AnyConnect 3.1 - Failed To Perform Required Client Update Checks

Oct 31, 2012

I upgraded to ASA 9 and ASDM 7, and everything went perfectly except AnyConnect IKEv2 doesn't work anymore. I have a lot of errors under my event viewer:
 
When it goes to install I get this error: Failed to perform required client update checks. Contact your system administrator
 
Under Eventviewer I find: 
Function: CDownloadTask::Run
File: .DownloadTask.cpp
Line: 413

[Code].....

Network Scan To Discover Rogue Apple Device Host Names

Sep 27, 2011

Anyway, I am looking for a way to discover host names of Apple devices (namely iPods and iPhones) that are on our network. I've tried a number of programs like Nmap, Advanced IP Scanner, and LanSpy to name a few. All of them will report back the MAC address with no problem but no dice on resolving the host name.

My goal is to use the host name to identify the device, and ultimately the person with the device. Any thoughts on how I can go about this? Is there a setting in Nmap I'm missing or perhaps a better program to use?

Cisco Firewall :: ASA 5520 High Availability Licensing

Mar 20, 2011

A customer is currently running a 5520 ASA pair in active/standby HA mode. The devices also have an IPS module, one of them using a temporary (60-day) license.  So, right now, licensing is identical on both ASAs and HA is operational.
 
The question is what exactly will happen after 60 days, once the temporary license expires? Does HA shut down completely once it's determined that the licensing isn't a 100% match any longer, or does it just cripple one feature (such as the IPS module)?
 
The customer is balking at purchasing SMARTnet for the 2nd ASA, so I need to explain exactly what is going to happen (if anything) once the license on the 2nd ASA drops off...

Cisco Firewall :: ASA 5520 SSL VPN LDAP Authentication Configuration Required

Oct 16, 2012

I've gotten to the point where I can test against active directory and get in, also I can get AD groups from my server on the ASA. My problem, I can't connect in via my AnyConnect client on my Android. I immediately get a "log in failed" and I know I'm using the right username/pass. Doing a little troubleshooting, I have attached my AnyConnect debug log and the results of the "debug ldap 255" command on the ASA. Also, I've used ldp.exe to determine I can connect in with the username/password combo I'm using. Combing through the AnyConnect logs I see a few instances of "global error unexpected" but no Google searches have brought up anything useful.

Cisco Firewall :: ASA 5520 - SSH From Internal To DMZ Host

May 13, 2012

I am not very familiar with ASA 5520 yet. I have been able to allow the OUTSIDE world to connect via SSH to the internal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written on the configuration below.
 
Now I need the INTERNAL network to ssh 172.17.2.50 but ASA stops me with the following error: [code]

Cisco Firewall :: Host Cannot Browse And Allowed With Asa 5520

Apr 20, 2013

Port forwarding is done to a DMZ-located server on the Cisco ASA 5520. Now this host cannot browse, but the allowed outside-to-inside access is possible. Is there any way I can let this system browse the internet? Maybe through the NATted IP (94.20.*.*)

Cisco Firewall :: ASA 5520 - Creating Host Objects Via CLI

Nov 3, 2011

I am trying to create host objects that I'll then add to network-object groups for use in ACL/ACEs. When I try to create a host I am having trouble adding the IP address. I then get an error saying the host name must start and end with letters or numbers and only contain letters or numbers. What do I need to do to create hosts from CLI?

Cisco Firewall :: ASA 5520 - PING From Outside Into Inside Host

May 13, 2013

I have ASA 5520. I cannot ping the host (192.168.1.20) which is inside the firewall from outside hosts. The inside host (192.168.1.20) is translated into (198.24.210.226) using static NAT. From the outside host, I used "PING 198.24.210.226". Is it because I used dynamic PAT for inside hosts?

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 198.24.210.230 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

[Code].....

Cisco Firewall :: ASA 5520 - Host 300+ Secure Websites Using Couple Of Public IPs

Jun 22, 2011

How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
 
Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URLs. The number of websites is due to double very soon and we will need to use more of our public IPs. We can see that we will run out of public IPs very soon, especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.

Each of these websites is required to use https and therefore each must have a certificate, which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data UN-encrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs; however, it is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers, especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
 
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).

Cisco Firewall :: 5520 - Inside Server To See Actual Outside Host Source IP In Udp Packet

Mar 3, 2013

I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the inside server. I thought this might be an outside-NAT-required issue to get the traffic routed, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host, just without the NAT table on the firewall -- its subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside. The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.

I have the appropriate ACLs set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.

I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.

I set up the same scenario in my lab with an ASA 5505, with the same results. Below is the running config from the 5505 in the lab. The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
 
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside
(code)

Cisco VPN :: Pix 515e - Remote Host Cannot Ping Any LAN Host

Jun 27, 2011

I have a host that can successfully connect to a PIX 515E (7.x OS) via VPN Client; however, I have no IP routing to the LAN from the remote host. The VPN IP pool works fine. The LAN default gateway is the inside interface on the PIX; the network is flat L2 behind it. The default route on the PIX points out; no other routes are defined. The VPN remote host can be pinged from LAN hosts, but the VPN remote host cannot ping any LAN host, not even the PIX inside interface.

Cisco VPN :: ASA 5510 Ping / Communication Host To Host

May 7, 2012

ASA 5510
Ver 8.2(5)
 
I have been looking all over the place for the answer of how to allow clients on an IPSEC VPN to ping from host to host.

Can Pure IPv6 Host Ping A IPv4 Host?

Feb 10, 2011

I'm just wondering if it's possible to ping an IPv4 host using the IPv6 host, assuming that the NAT64 has already been implemented?
[code]...

Cisco VPN :: 5050 How To Perform Log In ASDM

May 2, 2011

I want to perform logging in ASDM if there is someone remoting to a server inside the ASA by VPN. Is the ASA 5050 able to show the log from ASDM?

Cisco - Best Way To Perform Basic Router Testing?

Jul 17, 2012

I work for a company that buys used Cisco equipment and we are trying to get a basic test center set up. What is the best way to perform basic router testing? We have been trying to come up with something for about 3 weeks and so far all we can do is get in the configuration and play around.

Cisco Application :: ACE4710 - Unable To Perform End To End SSL?

Nov 9, 2011

I have to load balance traffic between 2 servers sitting behind the LB. The webservices are on HTTPS/8443. I followed the end to end configuration guide for SSL. No success.
 
Here is my configuration -
 
rserver host nms1
ip address 10.29.36.31
conn-limit max 4000000 min 4000000

[Code].....

Cisco Routers :: RV220W Is It Necessary To Perform Initialization Of Each WAN

May 16, 2012

I have 5 public, static IP's provided by my ISP. I read on another page that to use the 2nd, 3rd, 4th and 5th IPs, I must first 'register' them by entering them on the WAN page and I must wait until I can successfully PING them from an external network. Then I can set the WAN IP back to the one I want to use to administer the router. Then I can use those other IP's on the various Access Rules or Port Forwarding pages where there is a spot to enter 'alternate WAN IP address'. I'm trying to determine if this is true because I'm having a heck of a time getting port forwarding to work. My BIOS is 1.0.3.5.

Cisco Application :: ACE4710 To Perform SSL End-to-end Configuration

May 31, 2012

I am attempting to configure an ACE4710 to perform SSL end-to-end configuration, i.e. SSL termination - load balance - SSL initiate to backend server. The configuration appears to work fine in a test lab using any old web server, however when I perform the same configuration in the production environment it does not work. It appears from a capture run on the ACE that the ACE is resetting the TCP connections after communicating with the back end server. The main difference I can think of in this environment is that the cert and key pair the ACE is using were exported from the backend server, i.e. both the ACE and the backend server have the same certificates and keys. Is this allowed? How to troubleshoot why the ACE resets the connection?

Cisco :: Switches That Can Perform Task Depending On Layer?

Jul 23, 2012

I'm new and just entered the world of studying for my Cisco certification. Since I'm curious, I see that there are switches that can perform tasks depending on the layer? I see some with specifics for Layer 2, some others for Layer 3, and even some others with router capabilities! I know this is a rookie question, but how do I know what the best switch for a network is? Or how can I identify them?

Cisco :: 3200 Which Versions Of Windows Can Perform Best With Works

Aug 3, 2011

We have 3200 logical devices configured on CiscoWorks and CiscoWorks is running very very slow. CiscoWorks is installed on a server with Windows Server 2003 32-bit, and this version of Windows can only support RAM up to 4GB, which is already installed. In order to increase the RAM we have to upgrade the Windows version as well. Which versions of Windows can perform best with CiscoWorks? E.g. Windows Server 2003 with Service Pack 1 (SP1), Standard Edition 64-bit, or Windows Server 2008, etc. We are currently using LMS 3.2, RME 4.3.0, CM 5.2.1.

Perform Linear Hashing In Databases On Given Values?

Dec 10, 2012

How to perform Linear Hashing in databases on given values?

Cisco :: Configure Multiple Next-hop Entries And Have It Perform Load Balancing?

May 2, 2012

Can you configure multiple next-hop entries and have it perform load balancing?

Example

route-map test
match ip address test
set ip next-hop 1.1.1.1
set ip next-hop 2.2.2.2

Cisco Wireless :: Unable To Perform Image Recovery On 1231G

Mar 18, 2012

I have an Aironet 1231G that I'm trying to recover an image on. I'm following the Cisco directions of reloading the AP image file from an active TFTP server (which is my PC). My PC has a static IP address of 10.0.0.2 with the TFTP server running. I've verified that the TFTP server works by upgrading a switch IOS. The issue I'm encountering is the 1231G does not see the TFTP server correctly. url...

Cisco Switching/Routing :: Perform Initial Configuration Of 4900m Switch?

Jan 2, 2013

I am slowly working my way through the setup and configuration of our new 4900m switch. The switch will have a pretty basic operational configuration. We are simply going to network 3 servers together through the switch. Anyhow, I have been following the guide at this site: [URL]

Basically the switch is brand new and I just set up things such as the clock, the banner, and the hostname. Anyhow, at various points in the guide, such as the configuration of the telnet password and especially the interface gigabitethernet, I get the "invalid input detected at '^' marker". I also did a show interfaces and noticed there were not any gigabitethernet interfaces but there was a
 
"FastEthernet1 is down, line protocol is down Hardware is Fast Ethernet for out of band management, address i"
 
Anyhow, my thinking is continuing on with the guide and at least try to setup the interface for the management port so I can then use the cisco network assistant gui to then configure the rest of the switch. 

Cisco Wireless :: Perform Site Survey With Aironet 1041N Access Point?

Jul 15, 2012

We are in need to perform a site survey with the Aironet 1041N Access Point.
 
Upon reviewing the site survey software, it seems you need to use an Aironet adapter. However, from what I can tell, all the Aironet adapters are PCMCIA cards, which most modern laptops do not have, and the PCMCIA cards that do exist don't have drivers for Windows 7.
 
Are there USB adapters w/ Windows 7 drivers that can be used to perform a site survey?

Cisco Firewall :: ASA5520 / How To Use Network Object NAT To Perform Regular Dynamic PAT And Identity NAT

Jun 19, 2011

This is an ASA5520 with 8.4(1). Very simple scenario, three ports: inside, outside, DMZ. My problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.

For example, this is my configuration:

**** first I configured Regular Dynamic PAT ****

object network myinside
subnet 10.200.11.0 255.255.255.0
nat (inside,outside) dynamic interface
**** then, I met a problem when I want to make identity NAT between inside and DMZ ****
**** if I add the below CLI, the first nat line will be replaced ****
**** SO IF I ADD THIS ****

[code]......

Cisco Application :: How Does ACE Module Perform In Band Server Health Monitoring With 8312

Oct 14, 2012

I have a VIP which is listening on port 8312 in ACE LB, with NO probes attached to it. In this scenario, how does the ACE module perform the health monitoring?

Cisco Switching/Routing :: How To Perform UBRL User Based Rate Limiting On ASR1000

Mar 27, 2012

How to perform UBRL (User Based Rate Limiting) on ASR1000 like we can do it on Catalyst6500?

Cisco Switching/Routing :: 6509-E / Unable To Perform (ip Nat Inside Source Static Tcp Xxx Interface)

Jan 21, 2013

Platform:
cisco6509-E with FWSM
Supervisor Engine 32 PISA 8GE
sup-bootdisk:s32p3-adventerprisek9_wan-mz.122-18.ZY2.bin

command:

(config)#ip nat inside source static tcp 10.10.8.147 14029 interface g7/8 14029
(config)#no ip nat inside source static tcp 10.10.8.147 14029 interface g7/8 14029
#clear ip nat tran *
(config)#ip nat inside source static tcp 10.10.8.147 14029 interface g7/8 14029
%Port 14029 is being used by system
Or %Static entry in use, cannot change

But when I perform the "sh ip nat tran" command, there is nothing.

Cisco VPN :: SSL Licensing On ISR G2 2921?

Nov 13, 2012

We have a CISCO 2921/K9 which has the securityk9 feature set (reflects Permanent under show version)
 
I thought that included SSL VPN, but doing a "show license all" it doesn't reflect that:
 
StoreIndex: 4   Feature: SSL_VPN                           Version: 1.0
License Type: EvalRightToUse
License State: Active, In Use

[Code].....

Cisco VPN :: ASA5525 - What Does Other Mean In VPN Licensing

Mar 21, 2013

My current ASA 5525-X is licensed with Anyconnect premium = 2 and 750 "Other VPN". What does other mean? Also, does this mean that only two clients with Anyconnect can use the ASA for VPN? Or is Premium different than Anyconnect alone?







Copyrights 2005-15 www.BigResource.com, All rights reserved