ASA 5510 Guest Internet Access

Similar Messages

• Guest Internet access in the Enterprise

  We have set up guest internet access in our enterprise using GRE tunneling with a PIX. I'm trying to determine the best way to do authentication for users on this guest network.
  I think I can do RADIUS (using ACS) with the PIX as an NAS. Question is can I use a different type of server (such as MS IAS)? Can I use either one to utilize an existing MS Active Directory database?
  If I use radius on the pix for authentication, a login prompt pops up when a user tries to use the web. Is there a way to redirect users to a web page first and have the login embedded on the page? This is done in hotels now and I don't know if there's a Cisco solution for this.

  The following documents lists all the supported Databases,
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/d.htm

• EA6100 AC1200 Blocking Guest internet access during specific times?

  I see that you can disable guest internet access for specific times but only for specific devices. What I want to do is turn off Guest access for all devices during specific times. 
  I am using this in an environment  where I will have different guests at different times with different devices and can't go in to block each one each time. 

  I think your only option at this time is to manually disable the Guest Wireless network when wanted.
  Please remember to Kudo those that help you.
  Linksys
  Communities Technical Support

• Load Balance guest Internet access via two different DMZ zones at two sites

  Hi Sir,
  My customer has the following unified wireless guest access requirement:
  - There are 2 internet links and dmz zones at two different locations, Site A and Site B
  - Data centre is at Site A
  - WiSM is proposed to be installed at the Cat 6500 in Site A
  - Lightweight AP are distributed across Site A, Site B and other branches
  - Only one anchor WLC is proposed at Site A, DMZ zone to provide guest internet access
  My customer would like to load balance the guest via the two internet link at Site A and Site B but with the same SSID across all locations. Can it be done since only one anchor at Site A? How about puttting another anchor WLC at Site B, DMZ zone? But how can i establish two EoIP tunnel to two different anchor WLC from a single WiSM?
  Thanks for your help
  Delon

  You can... but you can't control where the traffic will flow. The wlc will determine which DMZ wlc it will use. The wlc will load balance, but traffic in site A might go to site B. I currently have deployed that senerio in multiple client installations....

• Corporate responsibility for logging guest Internet access

  Hi all
  Can anyone tell me what the requirement is in the uk for logging guest Internet access for guest users at my co
  Company ? Is it lawful requirement ?

  The following documents lists all the supported Databases,
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/d.htm

• ASA 5510 and VPN access to remote site over Ext WAN

  ASA 5510
  int client IP 172.0.1.XXX /24
  VPN Client IP 172.0.1.248 /29
  Static routes in the ASA
  1) 0.0.0.0 --- points to router1
  2) 172.29.1.1 --- Points to router2
  3) 172.29.1.2 --- Points to router2
  Router1 Internet connection // VPN access in path
  Router2 Dedicated line to offsite hosting // Dedicated routes in ASA
  ................../---- ROUTER 1
  ..Inside -- ASA --- outside (switch 2 rtrs)
  ..................\---- ROUTER 2
  If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2
  At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface then i tried same-security-traffic permit intra-interface.
  Both commands failed, Looking at the diagram I think its something with the fact I VPN into this ASA. Now router2 see's our ASA as its external. So it see's our 208.12.*.* as the outgouing address and dest is 172.29.1.1 or .2
  I did a capture on the outside interface and I see the following. Now these caps are from the inside PC's accessing the website.
  3000 packets captured
  1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
  2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
  3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360
  4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456
  5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482
  Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?

  Hi,
  Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0
  Something like this:-
  access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0
  nat (Inside) 0 access-list NONAT

• Restrict Wireless Guest Internet Access

  I am implementing a wireless guest solution for Internet access. I would like to restrict these users to Internet access only. I undestand the concept of configuring a seperate vlan for them but how can I restrict them to Internet only. I also have remote campuses that I would like to setup as well. I have an ASA 5520 for my firewall and am using metro ethernet from the main campus to the remote campuses. Thanks for any help.

  Hello,
  I have found the simplest way of doing this is to apply an access list to the radio sub-interface for the vsitor vlan.
  Set the access-list to allow any dhcp requests, deny any to a private network and permit any.
  You could do it back at the ASA but there is a chance of the traffic getting onto the network first.
  HTH.
  Andy.

• ASA 5510 Firewall internet Restriction based on IP address and block rest users excluding Mails

  Hi,
  As i have assignment to create access list based on IP address like we have to allow internet access this IP range 192.168.172.201 to 212.
  And rest users we have to block excluding Mails.
  Please help.
  Thanks,
  Regards,
  Hemant Yadav 

  login as: Rakh
  [email protected]'s
  password:
  Type help or '?' for a list of available commands.
  FAST-HQ-ASA> en
  Password:
  Invalid password
  Password: ***********
  FAST-HQ-ASA# show rum
                      ^
  ERROR: % Invalid input detected at '^' marker.
  FAST-HQ-ASA# show run
  : Saved
  ASA Version 8.3(1)
  hostname FAST-HQ-ASA
  enable password 7tt1ICjiO2a2/Hn2 encrypted
  passwd U8oee3lIrDCUmSK2 encrypted
  names
  interface Ethernet0/0
  description ASA Outside segment
  speed 100
  duplex full
  nameif OUTSIDE
  security-level 0
  ip address 62.173.33.67 255.255.255.240
  interface Ethernet0/1
  description VLAN AGGREGATION point
  no nameif
  no security-level
  no ip address
  interface Ethernet0/1.2
  description INSIDE segment (User)
  vlan 2
  nameif INSIDE
  security-level 100
  ip address 192.168.172.1 255.255.255.0
  interface Ethernet0/1.3
  description LAN
  vlan 3
  nameif LAN
  security-level 100
  ip address 192.168.173.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network INSIDE
  subnet 192.168.172.0 255.255.255.0
  object network LAN
  subnet 192.168.173.0 255.255.255.0
  object network MAIL-SERVER
  host 192.168.172.32
  object network DENY-IP-INTERNET
  range 192.168.172.121 192.168.172.200
  object-group service serBLOCK-INTERNET tcp
  port-object eq www
  object-group network BLOCK-IP-INTERNET
  network-object object DENY-IP-INTERNET
  access-list 102 extended permit icmp any any time-exceeded
  access-list 102 extended permit icmp any any echo-reply
  access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp
  access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https
  access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET
  access-list BLOCK-WWW extended permit ip any any
  pager lines 24
  logging asdm informational
  mtu OUTSIDE 1500
  mtu INSIDE 1500
  mtu LAN 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  object network INSIDE
  nat (INSIDE,OUTSIDE) dynamic interface
  object network LAN
  nat (LAN,OUTSIDE) dynamic interface
  object network MAIL-SERVER
  nat (INSIDE,OUTSIDE) static 62.173.33.70
  access-group OUTSIDE-IN in interface OUTSIDE
  access-group BLOCK-WWW out interface OUTSIDE
  route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  vpn-addr-assign local reuse-delay 5
  telnet timeout 5
  ssh 192.168.172.37 255.255.255.255 INSIDE
  ssh 192.168.173.10 255.255.255.255 LAN
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username Rakh password EV9pEo1UkhHJSbIW encrypted
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email
  [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:1ee78d19f958efc6fd95f5e9d4e97b8d
  : end
  FAST-HQ-ASA#

• Guest Internet Access

  Hi
  Looking for input on Guest Vlan subject.
  How can I avoid routing of Guess VLAN traffic to DATA VLAN, any traffic from Guest VLAN should be routed to Internet directly.
  Looking for similar setup as in Hotels, Guest are provided with username/password with time duration to access internet and limit the download speed.
  Do I need to create another SSID on the WLC and how the guest users will acquire ip, from WLC DHCP or Windows DHCP.
  If its Windows DHCP then Guest traffic reaches my Data VLAN
  Any Help

  We got WLC 4420 ----- Do you mean a 4402-xx
  AP 1200 series ( 5 in quantity )
  I am new to WLC, can you help me to understand
  How many SSID we can configure on WLC, does each ssid can have different config parameters.
  The AP's and the Code you might have will only support 8-16.  You don't want to configure too many (best practice is around 4) because of all the beacons that needs to be sent might cause issues with certain devices.  You can configure eash ssid the same of different, it is up to you.  Follow best practices on this.
  can we broadcast specific SSID on AP configured with WLC ( AP#1 can be used for SSID DATA & SSID Guest ) ( AP#2 can be SSID Guest & SSID Partners )
  You can create WLAN Override (depends on code - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml) to specify what AP's will braodcast what SSID's.  This can be messy if you have gaps for roaming, unless that is not an issues.
  For Guest SSID is it recommended to connect to a seprate port on WLC
  You have different options:
  You can use a guest anchor controller in you DMZ
  You can use one port on the WLC connected to your internal network and the other port to the DMZ
  You can trunk vlans and use ACL's to block guest traffic from inside networks.
  All this depends on you current infrastructure and if you plan on buying more equipment or use the existing.
  Instead of creating Guest Users on WLC with time restriction, can this be done third party with ease of management. ( Office secretary can give access to internet to guest )
  You can use a NAC Guest Server... if you want to spend a lot of money.  You can configure a Lobby Admin account on the WLC so that the secretary has only read/write to add guest accounts.  This would be the same if you have WCS with a lobby admin account.
  http://www.cisco.com/en/US/docs/wireless/wcs/4.2/configuration/guide/wcsmanag.html#wp1078208
  How to have bandwidth control on WLC, restrict users with bandwidth limit
  You would need to use a 3rd party tool for this like ZoneCD or again you can use the NAC Guest Server.
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/data_sheet_c78-456124.html
  http://www.google.com/url?q=http://cisco.com/application/pdf/paws/107630/WLC_NGS.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=1&ved=0CAgQzgQoAA&usg=AFQjCNF0eA-Z8nss7WzgpPRnFjtSdZnvWQ
  http://www.google.com/url?q=http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/DeployingGuestAccess_051308.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=2&ved=0CAkQzgQoAQ&usg=AFQjCNGKgF_wWKQaI8lqHoFfwbg0iztVFg
  Any configuration sample link with one Internet connection having DATA and Guest VLAN  using ACL to restrict  the traffic.
  I put some links above... hope this helps.  Again, it will come down to your existing environment and how much more you want to spend.  You also have to look at the time it might take to setup, will the secertary want to do this, etc?  How I see guest access..... well.... they go out a seperate internet pipe, so I don't really care about bandwidth.  Its guests so they would have to deal with that anywhere the go, even hotspost or even worse hotels:)  Make it simple and make it work... then you can add to that later when you get more familiar to configuration and troubleshooting.

• Advice regarding house guest internet access through Airport Express

  I would like to set up trouble-free (on my part and my house guests) access to the internet. Any thoughts or suggestions? It seems to me that if folks may have reasonable access to cable/satellite TV and telephone, or what have you, it is also reasonable to make available to them the internet. What is the best way to go about doing this? I have an existing home wireless system using Airport Express (may also work in a Netgear WG614 wireless router). Mostly, I am concerned with the technical aspects but would also like to hear from anyone regarding the legal/social ramifications. Any such solutions must take into account both Windows and Mac environments. Thanks.
  17 in. iMac G5 ALS (1.8 GHz)   Mac OS X (10.4.5)   iMac G3 DV (400 MHz), Airport Express, 3rd gen iPod

  Meme,
  A nice touch, and one that made me choose one small hotel over another when I used to travel a lot.
  I can't give a complete solution, but I can give you bits of info, which others will also do.
  One thing that probably is a must, is to set Wireless Isolation. That is that although all the wireless clients can see the internet, they can't see each other. I'm not sure that the AE supports this, I honestly thought it did, but now I can't find it. The Netgear will support it.
  Wireless encryption will be a must too, you may even want to make it a "closed network", so that the network does not advertise it's presence. Clients wishing to connect must specify ("key in") the network name and connect. That may be just a little too difficult for some business travellers. Back to wireless encryption, some may say to use some ultra-modern hi-tech secure encryption algorithm to be really safe, but these are enormous long passwords that your clients will have to key. Those with older computers may not support the latest encryption methods. Some may recommend WPA, I'd say WEP (more compatability) and a simple (non-dictionary) password, like "@pple" or "@irPortXPr3ss" or any easy to communicate word(s) with a few letters replaced by vowels or (printable) symbols. It is up to you how often you change the password.

• ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet

  Hi,
  I experiencing an issue in setting up an ACL on my ASA 5510 to permit access only to the Nat subnet from inside to the outside interface. This firewall is setup for the DR solution in the production network. I am applying following acl in the inbound direction on the inside interface.
  permit ip any "Nat_subnet"
  After appliying this acl to inside interface I observed that I can ping to the destinations in NAT'ed subnet but unable to ssh to the servers. Following is the summary of my configuration. I would appreciate if someone please advice to resolve this issue.
  Regards,
  Muds
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.135.249 255.255.255.248 standby 192.168.135.250
  object-group network d1-dr-nat_nets
  network-object 192.168.128.0 255.255.248.0
  object network 10.210.14.0_Net
  nat (outside,inside) static 192.168.128.0_Net
  object network 10.210.16.0_Net
  nat (outside,inside) static 192.168.129.0_Net
  object network 10.210.80.0_Net
  nat (outside,inside) static 192.168.130.0_Net
  object network 10.210.84.0_Net
  nat (outside,inside) static 192.168.131.0_Net
  object network 10.210.86.0_Net
  nat (outside,inside) static 192.168.132.0_Net
  object network 10.210.88.0_Net
  nat (outside,inside) static 192.168.133.0_Net !
  object network 10.210.14.0_Net
  nat (outside,inside) static 192.168.128.0_Net
  object network 10.210.16.0_Net
  nat (outside,inside) static 192.168.129.0_Net
  object network 10.210.80.0_Net
  nat (outside,inside) static 192.168.130.0_Net
  object network 10.210.84.0_Net
  nat (outside,inside) static 192.168.131.0_Net
  object network 10.210.86.0_Net
  nat (outside,inside) static 192.168.132.0_Net
  object network 10.210.88.0_Net
  nat (outside,inside) static 192.168.133.0_Net
  access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets
  access-group prod_lan-in in interface inside

  Hi,
  As I mentioned even though you NAT the address from outside to inside you will have to use the REAL IP ADDRESSES in the access-list statements
  Your hosts on inside will still be connecting to the NAT IP address of the hosts on outside BUT the ASA needs the ACL statements with the NATed hosts original IP addresses
  Let me give an simple example
  object network STATIC
  host 10.10.10.10
  nat (outside,inside) static 192.168.10.10
  access-list INSIDE-IN permit ip any host 10.10.10.10
  or
  access-list INSIDE-IN permit ip any object STATIC
  - Jouni

• Internet Access from Inside to Outside ASA 5510 ver 9.1

  Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
  I get errors like this when I try Packet Tracer:
  (nat-xlate-failed) NAT failed
  (acl-drop) Flow is denied by configured rule
  Version Information:
  Cisco Adaptive Security Appliance Software Version 9.1(4)
  Device Manager Version 7.1(5)
  Compiled on Thu 05-Dec-13 19:37 by builders
  System image file is "disk0:/asa914-k8.bin"
  Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
  Thank You!
  Config:
  ASA5510# sh running-config
  : Saved
  ASA Version 9.1(4)
  hostname ASA5510
  domain-name
  inside.int
  enable password <redacted> encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd <redacted> encrypted
  names
  dns-guard
  interface Ethernet0/0
  description LAN Interface
  nameif Inside
  security-level 100
  ip address 10.10.1.1 255.255.255.252
  interface Ethernet0/1
  description WAN Interface
  nameif Outside
  security-level 0
  ip address 199.199.199.123 255.255.255.240
  boot system disk0:/asa914-k8.bin
  ftp mode passive
  dns domain-lookup Outside
  dns server-group DefaultDNS
  name-server 199.199.199.4
  domain-name
  inside.int
  object network inside-net
  subnet 10.0.0.0 255.255.255.0
  description Inside Network Object
  access-list USERS standard permit 10.10.1.0 255.255.255.0
  access-list OUTSIDE-IN extended permit ip any any
  access-list INSIDE-IN extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu Inside 1500
  mtu Outside 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-715.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (Inside,Outside) source dynamic any interface
  object network inside-net
    nat (Inside,Outside) dynamic interface
  access-group INSIDE-IN in interface Inside
  access-group OUTSIDE-IN in interface Outside
  router rip
  network 10.0.0.0
  network 199.199.199.0
  version 2
  no auto-summary
  route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
  route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
  route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
  route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 Inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 Inside
  ssh timeout 60
  ssh version 2
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  username <redacted> password <redacted> encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
     inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
     destination address email
  [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
     subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  password encryption aes
  Cryptochecksum:
  <redacted>
  : end
  SH NAT:
  ASA5510# sh nat
  Manual NAT Policies (Section 1)
  1 (Inside) to (Outside) source dynamic any interface
      translate_hits = 0, untranslate_hits = 0
  Auto NAT Policies (Section 2)
  1 (Inside) to (Outside) source dynamic inside-net interface
       translate_hits = 0, untranslate_hits = 0
  SH RUN NAT:
  ASA5510# sh run nat
  nat (Inside,Outside) source dynamic any interface
  object network inside-net
  nat (Inside,Outside) dynamic interface
  SH RUN OBJECT:
  ASA5510(config)# sh run object
  object network inside-net
  subnet 10.0.0.0 255.255.255.0
  description Inside Network Object
  Hi all,Hello everyone, I need some help before my head explodes. Idddddddd

  Hello Mitchell,
  First of all how are you testing this:
  interface Ethernet0/0
  description LAN Interface
  nameif Inside
  security-level 100
  ip address 10.10.1.1 255.255.255.252
  Take in consideration that the netmask is /30
  The Twice NAT is good, ACLs are good.
  do the following and provide us the result
  packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
  packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
  And provide us the result!
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  Note: Check my website, there is a video about this that might help you.
  http://laguiadelnetworking.com

• Help me to fix access internet on asa 5510

  Hi everyone,
  Now i have an asa 5510 with version 8.3 - ASDM 6.3, i configured to block websites like instruction below:
  http://www.cisco.com/en/US/products/...80940e04.shtml
  but i don't block mail yahoo, when i sign in mail yahoo and i click in a message, it has error "Sorry, your session has expired. To protect your account, you need to confirm your password periodically". i don't know how to solve this problem, please help me!

  JSP page:
  <%@ page language="java" contentType="text/html; charset=UTF-8"
       pageEncoding="UTF-8"%>
  <%@ taglib prefix="s" uri="/struts-tags"%>
  <%@page import="java.util.*,model.*"%>
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  <html>
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <title>View Info</title>
  </head>
  <body>
  <center>
  <%
       UpdateAndGet li = new UpdateAndGet();
       ArrayList list = (ArrayList)li.getAll();
  %>
  <table cellSpacing=1 cellPadding=3 border=1 width="100%">
       <tr>
            <th>ID</th>
            <th>Name</th>
            <th>Sex</th>
            <th>Testcode</th>
            <th>Email</th>
            <th>Cellphone</th>
            <th>Give Grade</th>
       </tr>
       <%
            Student stu = null;
            Iterator it = list.iterator();
            while (it.hasNext()) {
                 stu = (Student) it.next();
                 session.setAttribute(String.valueOf(stu.getId()), stu);
       %>
       <tr>
            <td><%=stu.getId()%></td>
            <td><%=stu.getName()%></td>
            <td><%=stu.getSex()%></td>
            <td><%=stu.getTestcode()%></td>
            <td><%=stu.getEmail()%></td>
            <td><%=stu.getCellphone()%></td>
            <td><a href="update.do?id=<%=stu.getId()%>">Give Grade</a></td>
       </tr>
       <%
       %>
  </table>
  <p><font color=blue>There are<%=list.size()%> examinees</font>
  </center>
  </body>
  </html>

• Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

  I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
  WLC 2504
  1142 LAPs
  4510R+E
  ASA 5510
  Existing configuration as follows:
  WLC management interface and APs addressed on the 192.168.126.0 /25 network
  Internal WLAN mapped to the management interface
  Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
  WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
  4510 connected to ASA inside interface (security level 100)
  Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
  ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
  What is the best way to add guest wireless to our existing configuration?
  Note: I need the guest wireless to be filtered by Websense as our internal wireless is
  Any advice would be greatly appreciated!

  Thank for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a dhcp scope on the wlc. Client gets dhcp but cannot even ping the wlc much less anything else. Yahya stated above to configure port 2 on the wlc to an access port on my 4510. Aren't all connections from the wlc supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the wlc untagged and add a dynamic interface for each wlan and tag it with the approriate vlan id? And then leave the (one) physical connection on the wlc (port 1) connected to a trunk link on the 4510 that allows the required vlans?
  Any input would be greatly appreciated...
  JW

• Access from Inside to Outside ASA 5510 ver 9.1

  Hi All,
  I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 Router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions. 9.1(4) and 7.1. I believe the problem is in the Objects, ACL and getting those together, but I don't know much about the ASA and I don't know how the post 8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.
  Here is my ASA Config and I will post some of the 2811 Router config as well, though I am not sure thati s where the issue lies, but at this point, I haven't a clue. Both are up to date for the newest versions of the respective IOS.
  I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.
  Thank you for the help!
  ASA5510(config)# sh running-config
  : Saved
  ASA Version 9.1(4)
  hostname ASA5510
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  dns-guard
  interface Ethernet0/0
  description LAN Interface
  nameif Inside
  security-level 100
  ip address 10.10.1.1 255.255.255.252
  interface Ethernet0/1
  description WAN Interface
  nameif Outside
  security-level 0
  ip address 199.195.168.100 255.255.255.240
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  management-only
  shutdown
  nameif management
  security-level 0
  no ip address
  boot system disk0:/asa914-k8.bin
  ftp mode passive
  dns domain-lookup Outside
  dns server-group DefaultDNS
  name-server 199.195.168.4
  name-server 205.171.2.65
  name-server 205.171.3.65
  domain-name internal.int
  access-list USERS standard permit 10.10.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu Inside 1500
  mtu Outside 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-715.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  router rip
  network 10.0.0.0
  network 199.195.168.0
  version 2
  no auto-summary
  route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
  route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
  route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
  route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 Inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 Inside
  ssh timeout 60
  ssh version 2
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  : end
  CISCO 2811:
  Current configuration : 2601 bytes
  ! Last configuration change at 07:24:32 UTC Fri Jan 3 2014
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  hostname RouterDeMitch
  boot-start-marker
  boot system flash
  boot-end-marker
  ! card type command needed for slot/vwic-slot 0/0
  no aaa new-model
  dot11 syslog
  ip source-route
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.1.1 192.168.1.49
  ip dhcp excluded-address 172.16.10.1 172.16.10.49
  ip dhcp excluded-address 172.16.20.1 172.16.20.49
  ip dhcp pool Mitchs_Network
  network 192.168.1.0 255.255.255.0
  dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
    default-router 192.168.1.1
  ip dhcp pool VLAN10
  network 172.16.10.0 255.255.255.0
  default-router 172.16.10.1
  dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
  ip dhcp pool VLAN20
  network 172.16.20.0 255.255.255.0
    dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
  default-router 172.16.20.1
  no ip domain lookup
  ip name-server 199.195.168.4
  ip name-server 205.171.2.65
  ip name-server 205.171.3.65
  ip name-server 8.8.8.8
  multilink bundle-name authenticated
  crypto pki token default removal timeout 0
  redundancy
  interface FastEthernet0/0
  description CONNECTION TO INSIDE INT. OF ASA
  ip address 10.10.1.2 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
    duplex auto
  speed auto
  interface FastEthernet0/1
  no ip address
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface FastEthernet0/1.1
  encapsulation dot1Q 10
    ip address 172.16.10.1 255.255.255.0
  interface FastEthernet0/1.2
  encapsulation dot1Q 20
  ip address 172.16.20.1 255.255.255.0
  interface FastEthernet0/1.3
  description Trunk Interface VLAN 1
  encapsulation dot1Q 1 native
    ip address 192.168.1.1 255.255.255.0
  interface Dialer0
  no ip address
  router rip
  version 2
  network 172.16.0.0
  network 192.168.1.0
  network 199.195.168.0
  no auto-summary
  ip default-gateway 10.10.1.1
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip dns server
  ip nat inside source list 1 interface FastEthernet0/0 overload
  ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
  access-list 1 permit any
  dialer-list 1 protocol ip permit
  control-plane
  line con 0
  exec-timeout 0 0
  password encrypted
  login
  line aux 0
  line vty 0 4
  exec-timeout 0 0
  transport input all
  scheduler allocate 20000 1000
  end

  I made those changes, but still no internet. I did not add this statement nat (inside,outside) after-auto source dynamic any interface I went with the more granular.
  ASA5510# sh running-config
  : Saved
  ASA Version 9.1(4)
  hostname ASA5510
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd liqhNWIOSfzvir2g encrypted
  names
  dns-guard
  interface Ethernet0/0
  description LAN Interface
  nameif Inside
  security-level 100
  ip address 10.10.1.1 255.255.255.252
  interface Ethernet0/1
  description WAN Interface
  nameif Outside
  security-level 0
  ip address 199.195.168.123 255.255.255.240
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  management-only
  shutdown
  nameif management
  security-level 0
  no ip address
  boot system disk0:/asa914-k8.bin
  ftp mode passive
  dns domain-lookup Outside
  dns server-group DefaultDNS
  name-server 199.195.168.4
  name-server 205.171.2.65
  name-server 205.171.3.65
  domain-name internal.int
  object-group network PAT-SOURCE
  network-object 172.16.10.0 255.255.255.0
  network-object 172.16.20.0 255.255.255.0
  network-object 192.168.1.0 255.255.255.0
  network-object 10.10.1.0 255.255.255.252
  access-list USERS standard permit 10.10.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu Inside 1500
  mtu Outside 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-715.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
  router rip
  network 10.0.0.0
  network 199.195.168.0
  version 2
  no auto-summary
  route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
  route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
  route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
  route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 Inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 Inside
  ssh timeout 60
  ssh version 2
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  : end
  Message was edited by: Mitchell Tuckness