2 tier security for remote vpn ?

Similar Messages

• Routing issue for remote vpn user and spoke

  Hi all,
  i have configure VPN (see attached file)
  before upgrading ASA from 8.3 to 8.4,  SPOKES was able to communicate between them and  also remote VPN users was able to access spoke site.
  after upgrade  ASA HUB, neither spoke-to-spoke  nor remoteuser---to---spoke cannot communicate
  here is NAT exemption configuration on ASA HUB.  only this ASA have been upgrade. nothing have been done on other site
  object network 172.17.8.0
  subnet 172.17.8.0 255.255.255.0
  object network 10.100.96.0
  subnet 10.100.96.0 255.255.240.0
  object network VPN-SUBNET
  subnet 172.20.1.0 255.255.255.0
  nat (outside,outside) source static 172.17.8.0 172.17.8.0 destination static 10.100.96.0 10.100.96.0
  nat (outside,outside) source static 10.100.96.0 10.100.96.0 destination static 172.17.8.0 172.17.8.0
  nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 10.100.96.0 10.100.96.0
  nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 172.17.8.0 172.17.8.0
  same-security traffic permit intra-interface
  same-security traffic permit inter-interface
  Please do you know what can be the problem ?
  thanks so much for your help

  Since you are not NATing any of those traffic and it's a u-turn traffic, pls remove those 4 NAT statements. They are not required at all.
  Pls "clear xlate" after removing it and let us know how it goes.

• AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

  Hi,
  I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
  Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
  The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
  I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
  ping inside 10.10.10.56
  However when I configure the ASA for the AAA group with commands:
  aaa-server ACSAuth protocol radius
  aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
  Then when I do the show run, here is the result:
  aaa-server ACSAuth protocol radius
  aaa-server host 10.10.10.56
  key AcsSecret123
  From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
  (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
  Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
  Your help will be really appreciated!
  Thanks.
  Best Regards,
  Jo

  AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
  http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

• Help with setting up Remote VPN

  Hi,
  Currently our company is using following:
  Linksys WAG200G(54Mbps):     ADSL Modem/DHCP/Firewall/port forwarding/wireless
  CISCO ESW-540-8P switch for intranet: 1x Windows Server 2012 Standard/ 1x NAS and connected to 1x CISCO WAP4410N for wireless
  We intend to enable our network for remote VPN( 1 to 5 users) and as well as upgrading the WAG200G to new equipment to use 802.11n wireless.
  Would hope someone can suggest stable small business equipment/s for our upgrade? I have previously bought the WAP4410N and tried upgrading to 802.11n for all our users but was not successful as this unit constantly give us access problems. So right I am only using this for my support purpose. I read the WAP321 is a stable equipment from community comments so may consider getting one for 802.11n access. As for VPN and ADSL modem, hope someone can suggest suitable stable models.
  Thank you.

  There are many devices that can provide you a VPN solution. Personally I would get a router of some sorts maybe a 2800 or 1800 series and then create a L2 tunnel config on it. There are many links on the web where you could almost do a copy paste of the config. The issue will then be the ability to do a NAT to the router and setting up internal access. That is always unique to the environment so I couldn't help more there without a better diagram and basic configs.
  Here is a link with sample configs
  http://tekcert.com/blog/2006/12/14/configuring-cisco-router-accept-vpn-connections
  -Toby
  Sent from Cisco Technical Support Android App

• Remote VPN access with Windows 7, 64 bit

  Hey there,
  What do you guys suggest for Remote VPN access with Windows 7, 64 bit?

  Hi,
  You can configure a Remote access VPN with a  windows 7, 64 bit client. You wieall hav to download a IPsec VPN client  specially for a 64-bit machine. It should not give you much trouble.
  The  client is vpnclient-winx64-msi-5.0.07.0290-k9.exe. it is available on  cisco.com site.
  hope this helps.
  Regards,
  Anisha
  P.S.:  please mark this thread as resolved if you feel your query is resolved.  Do rate helpful posts.

• Remote VPN When Firewall behind Router

  Hi All,
  I want to create IPsec Remote VPN on ASA, but ASA have local ip on it's outside interface & that local IP has been natted with one free public ip in the router. I have already created one site to site VPN on the ASA & it's working fine. but my Remote VPN is not woking.
  Is there any configuration required on the router for remote VPN
  Thanks

  Hi Shuai, the likely problem is, the devices you're trying to access have a firewall or domain blocking access. When you have a VPN connection, a domain controller see the VPN as a public connection. Additionally, things such as Windows firewalls do not accept inbound connections from different subnets. Lastly, UNIX boxes, would require the ip routing exceptions in the firewalls.
  -Tom
  Please rate helpful posts

• New to server, need VPN for remote desktop and file share...

  I've set up server and have the VPN working, I think, I need to have several outside systems join the servers VPN permanently to allow for file sharing and remote desktop. I don't want the "normal" internet browsing to go through the VPN (huge slow down) I have read that a "split DNS" or "split tunnel" is what I need, then to disable "send all traffic over VPN connection" option on each remote system. I was a little confused after reading on how to do this on Leopard server (the only instructions I found) but have absolutely no idea on how to do this on Snow Leopard server (the server I set up is 10.6) any assistance would be great, thanks in advance.

  Server Admin, VPN, Settings, Client Information, Network Routing Definition.
  Here add a private network record type that matches your LAN/VPN ip.
  For example
  IP Address: 192.168.0.0
  Mask: 255.255.255.0
  Type: Private
  You can find more informations about this feature in Snow Leopard Server documentation:
  http://images.apple.com/server/macosx/docs/NetworkServices_Adminv10.6.pdf
  search for "Configuring VPN Network Routing Definitions"

• Help For Remote Access Via VPN

  Need Help
  what cisco product or router specification or model  can we use for VPN connection in our remote site via Internet Connection
  thanks Godbless

  There are several options here, but more information is probably needed to give a good recommendation.
  1.  What type of VPN?  A site to site VPN that stays up, or remote VPN that is more on demand?
  2.  What type of Internet access to have at your remote site?
  3.  Are you going to also use this as a gateway to the Internet or will this device sit to the side or behind your gateway?
  My first inclination is that if you just need occasional remote access to your remote site for support issues check out the ASA 5505.  Depending on where you will place it and what amount of user traffic will flow through it, you may be able to get by with just a base license and use IPSec remote VPN. 
  If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

• Help networking a Security System DVR for remote viewing

  Hey,
  I am trying to network my Security System DVR for remote viewing but cannot seem to get it working. I have read some post on this site as well as many others and followed instructions to the T but to no avail.
  Here's what I've got:
  Linksys WRT54G2 V1 connected to a modem.
  My DVR has 3 settings for networking:
  -PPPOE
  -Static
  -DHCP 
  On DHCP, The DVR automatically sets these settings:
  IP Address: 192.168.1.100
  Subnet:  255.255.255.0
  Gateway: 192.168.1.1
  and then the DNS is the same as the one on the "status" area of the router settings...
  Port: 10000-10020
  I set up port forwarding for 192.168.1.100 for port 10000-10020 selecting "both"
  If I pull up the "DHCP Clients Table" it shows the above IP Address but with no name....and the MAC address is something like ee:ee:ee:d4:03:5f.
  I have tried to change the DVR to Static and do everything manually but thats not working either.
  I created a Dynamic DNS with goddns.org but the DVR seems to have its own one built in that you cannot change. (at the bottom of the network settings it says something like "URL: 123484984.goddns.org----Status:  OK."  But when I try to type that in the address bar of IE it goes no where.)
  I hope someone can tell me why its not working.... It was working when we first got everything set up...then it stopped. then I messed with it and got it working but didn't know what I did.  Now its broken again and I don't know what to do.  
  -Ian
  PS.  When I am connected to the router via LAN cable and I type the internal IP Address assigned to the DVR by the DHCP (192.168.1.100:10000) it brings up the DVR menu perfectly.  But when I try to log into it from a different location...with the external IP address...thats when I have trouble.  I do not think my external IP has changed since I got this router set up.
   Any help would be awesome. 

  Hmmm... Did that and I can't seem to get it working still. Whats weird is that as long as I am connected to the router...I can access it through the internal IP address.... (if using DHCP its 192.168.1.100:10000 and if using static its 192.168.1.99:10000)
  Those both work when set up on DHCP for the first and Static for the second.  But as soon as I type the external IP address with the port it doesn't work.  Its like there is a firewall OR the port forwarding is not working.  But everything on the port forwarding page looks good... Its enabled, set on Both, correct port range... 10000-10020...
  Any Ideas?
  -Ian 

• Failover option(s) for remote site VPN

  Currently, I have several remote VPN locations, in which most of them of ISDN dial backup in case the primary connection goes down. Can I use DSL/T1 circuit as a failover/dial backup link? If so, please point me to the right direction in finding documentations. Thank you.

  As per your config, I guess you are referring to the VPN connectivity with Peer IP 166.149.125.81.
  If yes than you have missed the other subnets of main site in the ACL outside_cryptomap_1
  which have been mapped in the VPN with this Peer.
  object-group network DM_INLINE_NETWORK_2
  under this statement match the network-object with the subnets at main site that needs communication with the subnet 192.168.90.x/24 at remote site (same as you have done for 192.168.0.0/24 subnet)and vice versa.
  BR
  Please rate if this solve your problem.

• JConsole remote and security for NetBeans app

  I am developing an app under NetBeans. It has an MBean which is enabled for remote operation as described in http://java.sun.com/developer/technicalArticles/J2SE/jmx.html.
  The docs say that security is enabled by default, but when I connect from another machine it doesn't require any role/password.
  I modified the jmxremote.password file as described and even tried setting the variables com.sun.management.jmxremote.authenticate, com.sun.management.jmxremote.password.file and com.sun.management.jmxremote.access.file. Still doesn't enable security.
  Any ideas why?

  Hi,
  Are you sure there are no typo in your Java Options?
  For instance, I have a JMX application in NetBeans.
  If I edit the project properties, go the run node, and in VM options, specify:
  -Dcom.sun.management.jmxremote.port=5665then when I start my application I get the following error:
  Error: Password file not found: <jdk-home>/jre/lib/management/jmxremote.passwordwhich is correct since I haven't specified any password file [you only
  have a [i]jmxremote.password.template at this location]
  This tells me that my JMX app is really starting with security on.
  Note that if you only specify -Dcom.sun.management.jmxremote then
  the default is no security - since you should be the only user able to connect, and only from the local host [-Dcom.sun.management.jmxremote is for local management].
  The configuration you need to put in place for remote monitoring is describe here:
  http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html#remote
  hope this helps,
  -- daniel
  JMX, SNMP, Java, etc...
  http://blogs.sun.com/roller/page/jmxetc

• Asa 5505 Remote VPN Can't access with my local network

  Hello Guys ,, i have a problem with my asa 5505 Remote VPN Connection with local network access , the VPn is working fine and connected , but the problem is i can't reach my inside network connection of 192.168.30.x , here is my configuration , please can you help me
  ASA Version 8.2(1)
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 155.155.155.10 255.255.255.0
  interface Vlan5
  no nameif
  no security-level
  no ip address
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy mull internal
  group-policy mull attributes
  vpn-tunnel-protocol IPSec
  username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
  vpn-group-policy Mull
  tunnel-group mull type remote-access
  tunnel-group mull general-attributes
  address-pool vpn-Pool
  default-group-policy mull
  tunnel-group mull ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context

  Hey Jennifer i did every thing you mention it , but still i can't reach my inside network (LOCAL network)  iam using Shrew Soft VPN Access Manager for my vpn connection
  here is my cry ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
        local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
        current_peer:155.155.155.1, username: Thomas
        dynamic allocated peer ip: 192.168.100.1
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
        path mtu 1500, ipsec overhead 82, media mtu 1500
        current outbound spi: 73FFAB96
      inbound esp sas:
        spi: 0x1B5FFBF1 (459275249)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 2894
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
      outbound esp sas:
        spi: 0x73FFAB96 (1946135446)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 2873
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

• LDAP vs local login for remote access

  Hi Team,
  I am evaluating the best means for single factor authentication for remote access (client to site or SSL VPN). The options I see are creating local usernames and password or integration with Active Directory via LDAP. What are the pros and cons of these solutions.
  I feel local logins are more secure comparitavely because the user first login using local login and password and then has to use the domain credentials for accessing corporate resources. Of course, this comes at an admistrator overload and local management of user names and passwords. Do you have any opinion on this? Any acknowledgement will be highly appreciated.

  Hello Manoj,
  IMO, I would never consider the LOCAL DB as an option for a corporate deployment. It does not scale and it is not easy to manage.
  Local DB is used in case you need to manage a number of 15 users for instance, so in this case it is managable, but when it comes to a higher number it is not an option.
  Active Directory is a better solution since it is meant to handle hundred of users and allows password-management for instance. Also you can have many ASA devices, performing DB bindings and queries to check the users credentials to the AD servers, so you don't need to deal with tons of user accounts on each ASA, for instance.
  If you are looking for a more secure way to authenticate your users you can consider two-factor authentication using certificates for instance:
  AnyConnect Certificate Based Authentication.
  Why to use AD:
  Pros
  Scalable.
  Easy to manage.
  Allows password-management.
  Cons:
  Expensive (not open AD solution).
  HTH.
  Please rate helpful posts.

• Recommendations for remote pc to mac software

  Does anyone know of any reliable software for monitoring a Mac from a Windows PC.
  I use a PC when travelling but use a Mac when at home, sometimes I need to access my Mac to get information is it possible to do this.
  Thanks

  Hi
  Yes it is possible.
  http://www.uvnc.com/
  http://www.tightvnc.com/
  http://www.realvnc.com/
  Are three I've tried and that work. You might have to pay for the Enterprise version if using UltraVNC. You have to enable Remote Management on the Mac. System Preferences > Sharing. Make sure you enable the "VNC viewers may control screen with password" option in the Computer Settings. You supply the password defined there when accessing the mac using Real, Tight or Ultra VNC. Make sure Port 5900 is open and forwarding to the internal IP address of the mac client. If you're concerned about security then use VPN.
  Another solution I've heard others use is:
  http://www.aquaconnect.net/
  Tony

• Certificate authentication for Cisco VPN client

  I am trying to configure the cisco VPN client for certificate authentication on my ASA 5512-X. I have it setup currently for group authentication with shared pass. This works fine. But in order for you to pass pci compliance you cannot allow aggresive mode for ikev1. the only way to disable aggresive mode (and use main mode) is to use certificate authentication for the vpn client. I know that some one out there must being doing this already. I am goign round and round with this. I am missing some thing.
  I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall. IE failed to genterate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
  Can some one provide the instructions on seting this up (asdm or cli). Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.                    

  Dear Doug ,
            What is asa code your are running on ASA hardware , for cisco anyconnect you need have Code 8.0 on your hardware with cisco anyconnect essential license enabled .Paste your me show version i will help you whether you need to procure license for your hardware . By default your hardware will be shipped with any connect essential license when you have order your hardware with asa code above 8.0 .
  With Any connect essential you are allowed to use upto total VPN peers allowed based on your hardware
  1)  What is the AnyConnect Essentials License?
  The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers"  platform limit with AnyConnect.  Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device.  With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
  You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          :  Enabled
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Any connect VPN Configuration .
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml