ASA 55xx and Videoconferencing and VCS
I'm not a Security or ASA guy but on all my projects I always encounter the question "can you help me translate into a configuration the TCP/IP ports you need for your videoconferencing?"
Appreciate it a lot if someone can send, email or PM me a working config (with the confidential info scrubbed) of an ASA that will work for a setup that has:
VCS Control
VCS Expressway
Internal video endpoints calling external (different company's) endpoints
Thanks
Sorry, forgot to add more details.
The protocols will be H.323 and SIP. Tandberg (now Cisco) has a document that lists all the TCP and UDP ports that are required to be open in the firewall.
It is just translating those ports into actual ASA command lines or a config that I need, since I am not an ASA guy.
I just want to help the customer that is asking for assistance, as I always encounter this question and it is a bit frustrating not to have the info. I am enrolling myself in an ASA class soon though.
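Added example, not part of the original post: a Python script that takes a firewall port table of the kind Cisco publishes for VCS Control / VCS Expressway and prints it as ASA 8.3+ object-group and access-list lines, which is the translation step the question asks about. The object names, the 203.0.113.10 address, the ACL name and the port rows (well-known H.323/SIP signalling ports plus an assumed media range) are assumptions made for illustration; take the real rows from the Cisco VCS port document.

```python
# Added example (not from the original post): render a VCS/Expressway port
# table as ASA 8.3+ object-group and access-list syntax.
# All names, the address and the port rows below are constructed assumptions.
from collections import OrderedDict

# (protocol, first_port, last_port, purpose). Signalling ports are the
# well-known ones; the media range is an assumption, not Cisco's published list.
VCS_EXPRESSWAY_PORTS = [
    ("tcp", 1720, 1720, "H.323 H.225 call signalling"),
    ("udp", 1719, 1719, "H.323 RAS"),
    ("tcp", 5060, 5060, "SIP"),
    ("tcp", 5061, 5061, "SIP TLS"),
    ("udp", 5060, 5060, "SIP over UDP"),
    ("udp", 50000, 52399, "RTP/RTCP media (assumed range)"),
    ("tcp", 5061, 5061, "SIP TLS (duplicate row, dropped on output)"),
]


def _check(proto, lo, hi):
    """Reject rows the ASA would not accept (bad protocol or port range)."""
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {lo}-{hi}")


def build_asa_config(host_name, host_ip, acl_name, ports):
    """Return ASA CLI lines: a network object for the Expressway, one service
    object-group per protocol, one ACE per protocol, and the access-group."""
    groups = OrderedDict()            # proto -> list of (lo, hi)
    for proto, lo, hi, _purpose in ports:
        _check(proto, lo, hi)
        bucket = groups.setdefault(proto, [])
        if (lo, hi) not in bucket:    # de-duplicate repeated rows
            bucket.append((lo, hi))

    lines = [f"object network {host_name}", f" host {host_ip}"]
    for proto, ranges in groups.items():
        grp = f"VCS_{proto.upper()}_PORTS"
        lines.append(f"object-group service {grp} {proto}")
        for lo, hi in sorted(ranges):
            lines.append(f" port-object eq {lo}" if lo == hi
                         else f" port-object range {lo} {hi}")
    for proto in groups:
        grp = f"VCS_{proto.upper()}_PORTS"
        lines.append(f"access-list {acl_name} extended permit {proto} any "
                     f"object {host_name} object-group {grp}")
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


if __name__ == "__main__":
    print("\n".join(build_asa_config("VCS_EXPRESSWAY", "203.0.113.10",
                                     "outside_access_in", VCS_EXPRESSWAY_PORTS)))
```

The generated ACEs only permit inbound connections to the Expressway. An Expressway on a private address also needs a static NAT for the same object, and Cisco's VCS deployment guides ask for SIP and H.323 ALG functions on intervening firewalls to be disabled, so on the ASA the `inspect sip` and `inspect h323` entries in the global policy need reviewing rather than being left at the default.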
Similar Messages
-
Cisco Prime Infrastructure 2.0 and ASA 55xx platform
Hello,
We recently upgraded to Prime Infrastructure 2.0 with the hope of being able to manage our ASAs from Prime (and complete an LMS migration).
When I attempt to add ASAs to Prime I get the following collection errors:
Unable to collect processor and RAM information. Processor and RAM information. Unexpected error. See the log file inventory.log for details.
In the logfile I get the following XML parsing error on the MIB:
<palError>
<deviceId>6284310032</deviceId>
<code>VALIDATION_ERROR</code>
<message>Failed to validate output XML: cvc-maxInclusive-valid: Value '3484331296' is not facet-valid with respect to maxInclusive '2147483647' for type 'int'.</message>
<result>
<result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/CISCO-MEMORY-POOL-MIB/xmp-im-file-system-module.xsd">
<xmp-im-file-system-module>
<MemoryPoolStatistics>
<memoryPoolIndex>1</memoryPoolIndex>
<free>4294967295</free>
<largestFree>4294967295</largestFree>
<used>3484331296</used>
</MemoryPoolStatistics>
To me it seems that the ASA returns a value that is bigger than int32 and thus causes an overflow? Any clues? Workarounds to add an ASA to Prime without checking these MIBs?
Regards,
Marcel
The X series (all with 64-bit SMP images) are not currently supported by PI 2.0. We can hope for a device update in the coming months to remedy that situation.
If you click on the arrow next to the help icon in the top right of your PI and choose "Device Level Support" you will see:
Cisco ASA-5500 Series Adaptive Security Appliances
Features :
Topology
LLDP Neighbor Discovery
CDP Neighbor Discovery
Configuration
Configuration Archive
Software Image Management
Monitoring
Device Availability
Reachability
Inventory
Physical
System - Memory Pools
Interfaces - IP
Interfaces - Ethernet
Device Type
SYSOIDS
S/W Version
Software
Cisco ASA-5510 Adaptive Security Appliance
OID:1.3.6.1.4.1.9.1.669
OID:1.3.6.1.4.1.9.12.3.1.3.447
Cisco ASA-5510 Adaptive Security Appliance Security Context
OID:1.3.6.1.4.1.9.1.773
Cisco ASA-5520 Adaptive Security Appliance
OID:1.3.6.1.4.1.9.1.670
OID:1.3.6.1.4.1.9.12.3.1.3.448
Cisco ASA-5520 Adaptive Security Appliance Security Context
OID:1.3.6.1.4.1.9.1.671
Cisco ASA-5540 Adaptive Security Appliance
OID:1.3.6.1.4.1.9.1.672
OID:1.3.6.1.4.1.9.12.3.1.3.449
Cisco ASA-5540 Adaptive Security Appliance Security Context
OID:1.3.6.1.4.1.9.1.673
Cisco ASA-5560 Adaptive Security Appliance
OID:1.3.6.1.4.1.9.12.3.1.3.454
Cisco ASA-5550 Adaptive Security Appliance
OID:1.3.6.1.4.1.9.1.753
Cisco ASA-5550 Adaptive Security Appliance Security Context
OID:1.3.6.1.4.1.9.1.763
Cisco ASA-5505 Adaptive Security Appliance
OID:1.3.6.1.4.1.9.1.745
OID:1.3.6.1.4.1.9.12.3.1.3.560
Cisco ASA-5580 Adaptive Security Appliance
OID:1.3.6.1.4.1.9.1.914
Cisco ASA-5585 Adaptive Security Appliance
OID:1.3.6.1.4.1.9.1.1194
OID:1.3.6.1.4.1.9.1.1195
OID:1.3.6.1.4.1.9.1.1196
OID:1.3.6.1.4.1.9.1.1197
Cisco ASA-5585 Adaptive Security Appliance Security Context
OID:1.3.6.1.4.1.9.1.1198
OID:1.3.6.1.4.1.9.1.1199
OID:1.3.6.1.4.1.9.1.1200
OID:1.3.6.1.4.1.9.1.1201
Cisco ASA-5585 Adaptive Security Appliance System Context
OID:1.3.6.1.4.1.9.1.1202
OID:1.3.6.1.4.1.9.1.1203
OID:1.3.6.1.4.1.9.1.1204
OID:1.3.6.1.4.1.9.1.1205
Cisco ASA-5580 Adaptive Security Appliance Security Context
OID:1.3.6.1.4.1.9.1.915
Cisco ASA-5580 Adaptive Security Appliance System Context
OID:1.3.6.1.4.1.9.1.916
-
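Added example, not from either Prime thread above: an offline reproduction of the validation error. The memory-pool objects in CISCO-MEMORY-POOL-MIB (ciscoMemoryPoolUsed, ciscoMemoryPoolFree, ciscoMemoryPoolLargestFree) are Gauge32, an unsigned 32-bit type, while the XSD named in the error message typed the elements as xs:int, a signed 32-bit type with maxInclusive 2147483647, so any value of 2^31 or above fails cvc-maxInclusive-valid. The XML is the fragment from the log with closing tags added so it parses; the two schema maps are constructed stand-ins for the real XSD, and the 4294967295 check reflects that a Gauge32 latches at its maximum when the real quantity exceeds it.

```python
# Added example (not from the original threads): show why the memory-pool
# values fail xs:int validation and pass once typed as xs:unsignedInt.
import xml.etree.ElementTree as ET

INT32_MAX = 2**31 - 1     # xs:int maxInclusive, the limit quoted in the error
UINT32_MAX = 2**32 - 1    # Gauge32 maximum; a gauge latches here when exceeded

# Fragment from inventory.log above, completed with closing tags so it parses.
SAMPLE_XML = """<result>
<xmp-im-file-system-module>
<MemoryPoolStatistics>
<memoryPoolIndex>1</memoryPoolIndex>
<free>4294967295</free>
<largestFree>4294967295</largestFree>
<used>3484331296</used>
</MemoryPoolStatistics>
</xmp-im-file-system-module>
</result>"""

# Constructed stand-ins for the XSD: element name -> XSD simple type.
SCHEMA_AS_SHIPPED = {"memoryPoolIndex": "int", "free": "int",
                     "largestFree": "int", "used": "int"}
SCHEMA_FIXED = {"memoryPoolIndex": "int", "free": "unsignedInt",
                "largestFree": "unsignedInt", "used": "unsignedInt"}


def facet_valid(value, xsd_type):
    """The range part of the cvc-maxInclusive/minInclusive checks for the
    two XSD types that matter here."""
    if xsd_type == "int":
        return -2**31 <= value <= INT32_MAX
    if xsd_type == "unsignedInt":
        return 0 <= value <= UINT32_MAX
    raise ValueError(f"unknown XSD type {xsd_type!r}")


def validate(xml_text, schema):
    """Return (element, value, xsd_type) for every typed element whose value
    is outside the range of its declared type; empty list means valid."""
    root = ET.fromstring(xml_text)
    failures = []
    for elem in root.iter():
        if elem.tag in schema:
            value = int(elem.text.strip())
            if not facet_valid(value, schema[elem.tag]):
                failures.append((elem.tag, value, schema[elem.tag]))
    return failures


def latched_values(xml_text):
    """Elements carrying 4294967295: a Gauge32 that has latched at its maximum,
    i.e. the real value is 4 GiB or more, not an actual byte count."""
    root = ET.fromstring(xml_text)
    return [e.tag for e in root.iter()
            if e.text and e.text.strip() == str(UINT32_MAX)]


if __name__ == "__main__":
    for tag, value, xsd_type in validate(SAMPLE_XML, SCHEMA_AS_SHIPPED):
        print(f"{tag}={value} is not facet-valid for xs:{xsd_type} "
              f"(maxInclusive {INT32_MAX})")
    print("failures with unsignedInt schema:", validate(SAMPLE_XML, SCHEMA_FIXED))
    print("latched gauges:", latched_values(SAMPLE_XML))
```

The fixed schema only makes the document validate; the two latched gauges still carry no usable number, which is why the reply above points at the 64-bit images rather than at the parser.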
Cisco Prime Infrastructure 2.0 and ASA 55xx platform problem
Hello,
We recently upgraded to Prime Infrastructure 2.0 with the hope of being able to manage our ASAs from Prime (and complete an LMS migration).
When I attempt to add ASAs to Prime I get the following collection errors:
Unable to collect processor and RAM information. Processor and RAM information. Unexpected error. See the log file inventory.log for details.
In the logfile I get the following XML parsing error on the MIB:
<palError>
<deviceId>6284310032</deviceId>
<code>VALIDATION_ERROR</code>
<message>Failed to validate output XML: cvc-maxInclusive-valid: Value '3484331296' is not facet-valid with respect to maxInclusive '2147483647' for type 'int'.</message>
<result>
<result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/CISCO-MEMORY-POOL-MIB/xmp-im-file-system-module.xsd">
<xmp-im-file-system-module>
<MemoryPoolStatistics>
<memoryPoolIndex>1</memoryPoolIndex>
<free>4294967295</free>
<largestFree>4294967295</largestFree>
<used>3484331296</used>
</MemoryPoolStatistics>
To me it seems that the ASA returns a value that is bigger than int32 and thus causes an overflow? Any clues? Workarounds to add an ASA to Prime without checking these MIBs?
Regards,
Marcel
Hi,
does anyone happen to know if that problem is fixed? My current setup looks like this:
1. Cisco Prime Infrastructure 2.1 with updated device pack.
2. Assurance license
3. ASA5510 which has NetFlow enabled. NetFlow is being sent to Cisco Prime 2.1
I do receive NetFlow raw data within Cisco Prime 2.1 but any graphical display of NetFlow data is not working. Does anybody have an idea where the problem is? Could it be that the graphical data is only displayed when sending NetFlow 1, NetFlow 5 or NetFlow 7?
regards
Maurus
-
Cisco ASA 5505 bandwidth control and split
Dear All,
Below I am giving the infrastructure which I would like to do; please help me.
I am using a Cisco ASA 5505 VPN firewall and a 6Mbps 1:1 dedicated internet connection.
On the LAN side we have 3 networks: one for internet users, one for VPN users, one for CCTV.
I would like to split the 6Mbps bandwidth among these 3 networks, 3x2 each,
each network using 2Mbps bandwidth. The VPN and CCTV users use it up to 6:00 pm; after that the bandwidth will be free.
After 6:00 pm we need to use the VPN and CCTV line bandwidth for the internet users.
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
So please help me with a suitable configuration for my purpose / please tell me which device will support this / what I have to do for this.
Thanks
Lalu R.S
There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
You can do some crude controls with QoS - the configuration guide chapter on doing that is here.
-
Cisco ASA 5505 IPsec VPN and random connection dropping issues.
Hello,
We are currently having issues with an ASA 5505 IPsec VPN. It was configured about 7-8 months ago and has been running very well, up until the last few weeks. For some reason, the VPN tends to randomly disconnect any user clients connected, a lot. Furthermore, sometimes it actually connects; however it does not put us on the local network for some reason and we are unable to browse the file server. We have tried rebooting the ASA a few times and our ISP, Time Warner, informed us there are no signs of packet loss, but we are still unable to pinpoint the problem. Sometimes users close out of the VPN client completely, reopen it several times and then it works. However it's never really consistent enough and hasn't been for the last few weeks. No configuration changes have been made to the ASA at all. Furthermore, the Cisco IPsec VPN client version is 5.0.70.
Directly below is our current running config (modified for public). Any help or ideas would be greatly appreciated. Otherwise, if everything looks good, then I will defer back to our ISP, Time Warner:
: Saved
ASA Version 8.4(2)
hostname domainasa
domain-name adomain.local
enable password cTfsR84pqF5Xohw. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 205.101.1.240 255.255.255.248
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.2.60
domain-name adomain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SBS_2011
host 192.168.2.60
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.192_27
subnet 192.168.5.192 255.255.255.224
object network Https_Access
host 192.168.2.90
description Spam Hero
object-group network DM_INLINE_NETWORK_1
network-object object SPAM1
network-object object SPAM2
network-object object SPAM3
network-object object SPAM4
network-object object SPAM5
network-object object SPAM6
network-object object SPAM7
network-object object SPAM8
object-group service RDP tcp
description Microsoft RDP
port-object eq 3389
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
access-list outside_access_in extended permit tcp any object SBS_2011 eq https
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in remark External RDP Access
access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
ip local pool VPN_Users 192.168.5.194-192.168.5.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.5.192_27 NETWORK_OBJ_192.168.5.192_27 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network SBS_2011
nat (inside,outside) static interface service tcp smtp smtp
object network Https_Access
nat (inside,outside) static interface service tcp https https
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.160-192.168.2.199 inside
dhcpd dns 192.168.2.60 24.29.99.36 interface inside
dhcpd wins 192.168.2.60 24.29.99.36 interface inside
dhcpd domain adomain interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy domain internal
group-policy domain attributes
wins-server value 192.168.2.60
dns-server value 192.168.2.60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value adomain.local
username ben password zWCAaitV3CB.GA87 encrypted privilege 0
username ben attributes
vpn-group-policy domain
username sdomain password FATqd4I1ZoqyQ/MN encrypted
username sdomain attributes
vpn-group-policy domain
username adomain password V5.hvhZU4S8NwGg/ encrypted
username adomain attributes
vpn-group-policy domain
service-type admin
username jdomain password uODal3Mlensb8d.t encrypted privilege 0
username jdomain attributes
vpn-group-policy domain
service-type admin
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool VPN_Users
default-group-policy domain
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e2466a5b754eebcdb0ceff051bef91d9
: end
no asdm history enable
Thanks again
Hello Belnet,
What do the logs show from the ASA.
Can you post them?
Any other question..Sure..Just remember to rate all of the community answers.
Julio
-
ASA v9.0.1 and ASDM v7.0.1 released
Looks like v9 is now out...
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.pdf
Regards Simon
http://www.linksysinfo.org
Thanks for spreading the good news Simon.
People interested in these two releases can find them here.
ASA 9.0.1 and ASDM 7.0.1
Important points to consider before an upgrade to 9.0:
ASA and ASDM Compatibility
ASA Model                                     ASA OS 9.0(1) / ASDM 7.0(1)
ASA 5505                                      YES
ASA 5510, 5520, 5540                          YES
ASA 5550                                      YES
ASA 5580                                      YES
ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X    YES
ASA 5585-X                                    YES
ASASM                                         YES
ASA 1000V                                     No
Limitations and Restrictions
•Clientless SSL VPN with a self-signed certificate on the ASA—When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using an IPv6 address HTTPS URL (FQDN URL is OK): the "Confirm Security Exception" button is disabled. See: https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including clientless SSL VPN connections, and ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. For Internet Explorer 9 and later, use compatibility mode.
•Citrix Mobile Receiver and accessing Virtual Desktop Infrastructure (VDI):
–CSD is not supported.
–HTTP redirect is not supported.
–Using Citrix Receiver mobile clients to access web interface of Citrix servers is not supported.
–Certificate or smart card authentication is not supported as a means of auto sign-on.
–You must install XML service and configure on XenApp and XenDesktop servers.
–Make sure the ports 443, 1494, 2598, and 80 are open on any intermediate firewalls between the ASA and the XenApp/XenDesktop server.
–The password-expire-in-days notification on tunnel group that is used by VDI is not supported.
•When configuring for IKEv2, for security reasons you should use groups 21, 20, 19, 24, 14, and 5. We do not recommend Diffie Hellman Group1 or Group2. For example, use
crypto ikev2 policy 10
group 21 20 19 24 14 5
As always make sure you are familiar with the upgrade procedure Upgrading the Software.
Important Notes
•Downgrading issues—Upgrading to Version 9.0 includes ACL migration (see the "ACL Migration in Version 9.0" section). Therefore, you cannot downgrade from 9.0 with a migrated configuration. Be sure to make a backup copy of your configuration before you upgrade so you can downgrade using the old configuration if required.
•Per-session PAT disabled when upgrading— Starting in Version 9.0, by default, all TCP PAT traffic and all UDP DNS traffic use per-session PAT (see the xlate per-session command in the command reference). If you upgrade to Version 9.0 from an earlier release, to maintain the existing functionality of multi-session PAT, the per-session PAT feature is disabled during configuration migration. The ASA adds the following deny rules:
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
To enable per-session PAT after you upgrade, enter:
clear configure xlate
The above deny rules are cleared so that only the default permit rules are still in place, thus enabling per-session PAT.
•No Payload Encryption for export—You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:
–Unified Communications
–VPN
You can still install the Strong Encryption (3DES/AES) license for use with management connections and encrypted route messages for OSPFv3. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filter (which uses SSL) and redirect traffic to Cloud Web Security.
More information at:
Release Notes for the Cisco ASA Series, 9.0(x)
HTH.
Portu.
Please rate any helpful posts
-
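Added example, not from the release notes or from any post on this page: a small Python audit that flags the settings the 9.0 notes above warn about (Diffie-Hellman groups 1 and 2, checked here for IKEv2 and IKEv1 policies and for crypto-map PFS) together with DES/3DES and MD5 in transform sets and IKE policies, and cleartext telnet management. CONFIG is a constructed excerpt in the style of the 5505 running-config posted earlier on this page, with an assumed IKEv2 policy added; the parser relies on the one-space indentation that show running-config produces (the pasted config above lost it), and the weak/strong thresholds are this example's own choices.

```python
# Added example (not from any post above): flag weak IKE/IPsec and management
# settings in an ASA running-config. CONFIG is a constructed excerpt modelled
# on the posted 5505 config plus an assumed IKEv2 policy.
import re

CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2 14
 prf sha256
telnet 192.168.2.0 255.255.255.0 inside
"""

WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2"}          # the groups the 9.0 release notes advise against


def audit_asa_config(text):
    """Return (line_no, finding) tuples, in config order, for the text."""
    findings = []
    policy = None   # "ikev1 policy 10" etc. while inside an indented policy body
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        if line.startswith("crypto ipsec ikev1 transform-set"):
            # words[4] is the set name, words[5:] the ESP cipher and integrity
            for w in words[5:]:
                if w in WEAK_CIPHERS or w in WEAK_HASHES:
                    findings.append((n, f"transform-set {words[4]} uses {w}"))
        elif line.startswith(("crypto ikev1 policy", "crypto ikev2 policy")):
            policy = f"{words[1]} policy {words[3]}"
        elif raw.startswith(" ") and policy:
            if words[0] == "encryption" and words[1] in WEAK_CIPHERS:
                findings.append((n, f"{policy}: encryption {words[1]}"))
            elif words[0] == "hash" and words[1] in WEAK_HASHES:
                findings.append((n, f"{policy}: hash {words[1]}"))
            elif words[0] == "group":
                for g in words[1:]:
                    if g in WEAK_DH_GROUPS:
                        findings.append((n, f"{policy}: DH group {g}"))
        else:
            policy = None            # any non-indented line ends a policy body
            m = re.search(r"\bset pfs group(\d+)\b", line)
            if m and m.group(1) in WEAK_DH_GROUPS:
                findings.append((n, f"crypto map PFS uses DH group {m.group(1)}"))
            # "telnet <net> <mask> <ifname>" permits cleartext management;
            # "telnet timeout N" has only three words and is not flagged.
            if words[0] == "telnet" and len(words) == 4:
                findings.append((n, "cleartext telnet management allowed "
                                    f"from {words[1]} on {words[3]}"))
    return findings


if __name__ == "__main__":
    for n, finding in audit_asa_config(CONFIG):
        print(f"line {n}: {finding}")
```

Run against the posted config after re-indenting it, the same logic would flag the DES/3DES/MD5 transform sets, the `set pfs group1` on the default dynamic map, `group 2` in the IKEv1 policy and the `telnet ... inside` line; the remote-access clients then need a matching stronger proposal before the weak ones are removed.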
Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design
Hi,
The customer currently uses the ASA to integrate directly with an RSA-type solution to provide a 2 factor authentication mechanism for VPN user access. We're considering introducing ISE to this picture, and offloading posture analysis from the ASA to ISE. And the flow we're thinking of is to have the ASA interface to ISE and ISE interface to the RSA and AD backend infrastructure. And we still need the 2 factor authentication to work, i.e., the customer gets an SMS code in addition to their login username and password. I'm wondering if an ASA/ISE/RSA/AD integrated solution (with 2 factor authentication working) is a tested solution or Cisco validated design? Any potential issue that may break the flow?
Thanks in advance for any input!
Tina
Hi,
I have an update for this quite broad question.
I have now come a bit further along the path.
Now the needed RADIUS access attributes are available in ISE after adding them in
"Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
I added both the attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on Tunnel Group in ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
Here the "Diagnostics Tools" -> "General Tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
With that I could really see the attributes in the RADIUS access requests going in to the ASA.
Now looking at a request in "Radius Authentication details" I have
Other Attributes:
ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
Ok, the tunnel group name attribute seems to be understood correctly, but Client-Type just says =, no value for that.
That is strange, I must have defined that wrong(?), but let's leave that for now, I do not really need it for the time being.
So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
Problem now is that as soon as I add to an expression a criterion containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), that row does not match any more. It still works matching against NAS-IP and other attributes.
What could it be I have missed?
Best regards
/Mattias -
Hi
I'm starting to read about the ASA 55xx on the Cisco website. But after some good reading, I have some questions.....
In the Cisco docs about the ASA 55xx, I see the "Maximum concurrent AnyConnect or clientless VPN sessions" and "Maximum concurrent site-to-site and IPsec IKEv1 VPN sessions" (e.g. 750 both): well, are the maximum concurrent sessions 750+750 (AnyConnect + site-to-site), so I have to add the two types of sessions? Or what are the maximum concurrent sessions (of each type) on the ASA 5520?
So, at this point, if I want 750 AnyConnect sessions and 750 site-to-site sessions, which license do I need to buy? ASA5500-SSL-750? ASA-VPNS-1000? Or what else?
Then, what are the "shared" licenses? When and where do I need to buy them?
thanks in advance.
Bye
Platform capabilities and required licensing are as noted in the product data sheet:
Up to 750 AnyConnect and/or clientless VPN peers can be supported on each Cisco ASA 5520 by installing an Essential or a Premium AnyConnect VPN license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, offering a maximum of 7500 AnyConnect and/or clientless VPN peers or 7500 IPsec VPN peers per cluster.
Reiterating:
The ASA 5520 750 site-to-site VPN capability is in the base license / product (part number ASA5520-BUN-K9 or ASA5520-K8 depending on whether you are eligible to purchase the strong encryption (-BUN-K9) version).
The AnyConnect user licenses required depend on whether you need Anyconnect Essentials or Premium. The Anyconnect data sheet outlines the differences. Essentials is one license that allows up to 750 clients to use the appliance simultaneously. Premium (which cannot be loaded at the same time as Essentials) requires the licenses to be purchased according to the tiered per user scheme.
Shared licenses are shared among ASAs in a cluster (2 or more units configured together).
There is the concept of licenses in a failover (2-unit) cluster. That is automatic - i.e. the license numbers are additive and shared up to the platform capability. The ASA5500-SSL-750 part would be used in that setup.
There is also the concept of an AnyConnect Premium Shared Server. In that scheme, the shared server allocates licenses in 50-unit blocks to the cluster members as they need them. The ASA-VPNS-1000 part number you mention is used in that sort of setup.
-
I currently have a 3725 + the NM-CIDS module doing my firewall / IPS / VPN.
I'm considering upgrading to an ASA 55xx box.
I was reading the product page, and it does not seem that I can have one ASA box that does both the IPS with an AIP-SSM-xx and the anti-virus with a CSC-SSM-xx because the box only has one SSM slot.
I also need this box to be compatible and take over the peer-to-peer VPN that the 3725 is doing with my current IOS. I have several remote 87x routers connected over ADSL and cable connections with active IOS VPN. My 3725 currently has an AIM VPN card to help the CPU. If I change it to an ASA box will I have to re-configure all the remote 87x routers?
Thanks...
I would use one ASA with the AIP-SSM module.
And then place a separate Anti-X type of device at the back. Having a separate ASA for the CSM module is overkill IMHO.
There is no real integration between the CSM/IPS modules anyway, so you still have to manage different GUIs. A good option would be to go for IronPort; since they are now part of Cisco, there might be some neat integrations coming along in the future (giving you more value for money). There isn't any great feedback about the CSM module; most people I know don't like to position it, including some Cisco CSEs themselves (it's based on Trend Micro btw).
Regards
Farrukh
-
I could not download the upgrade to Mountain Lion. My updates were taking an enormous amount of time for other programs. When I finally got the indication it was waiting to be downloaded I had to shut down. It was after 2 am and I was practically unconscious already with all the trauma of trying to find the right place for the redeem of the code to open the password. It was all confusing and poorly communicated by Apple. The terrible deterioration of Apple's written communications by non-American techies who can't write for easy understanding, even by this old time tech aficionado, is heart-breaking, and frustrating is putting the effects mildly. I have not yet gone back to the MacBook Pro to finish the job. I am too frustrated and unhappy with the new system. Also, I found out the hard way that my Time Capsule saved files on the MacBook Snow Leopard, which still works fine after 6 years of use, are locked in that external drive and I cannot transfer the items except one by one or by folders on that computer to a DVD or to a flash drive, to import to this new computer. Because the systems are not the same, I can't access the files automatically. I fear I will have further problems with Mountain Lion vs. Lion in seeing those files. What can I do? What should I do? I am afraid to designate an external hard drive I purchased with the new laptop for the Time Capsule because then it won't work with any other computer. I read of terrible incompatibility issues and crashes and things not working right once Mountain Lion was installed and now I am terrified they will happen to me. I just wanted the computer to be as easy to use as all the other Macs I have and have had and now it is more like a horribly complicated and difficult Microsoft IBM compatible PC. I hate this. Perhaps Apple wanted to appeal to new Apple users and tried to make them comfortable while disregarding the comfort of loyal Apple users? It's a sell-out.
Meanwhile, I have to get senior tech people because the kids who try to answer my questions much of the time don't interpret what I am telling them and it takes a pro. Perhaps the kids can answer what I should do in Preferences to scroll the screen, since the scroll indicators disappear and I can't see them and have to resort to using the arrows on the keyboard, which is not the way I like to work. Please advise me about all of these things!
Use the trackpad to scroll, that's what it was designed for. The scroll bars automatically disappear when not being used and will appear if you scroll up or down using the trackpad.
This is a user-to-user forum and most people will post on here if they have problems. You very rarely get people posting to say their update went smoothly. The fact is the vast majority of Mountain Lion users will not be experiencing any major problems with the OS, or maybe with apps which are not compatible, but that's hardly Apple's fault if developers don't update their apps.
-
I need help to find and open a job app that I exported, was able to fill out and sign and saved and now can't open it? What did I do wrong?
What file format did you export it to?
-
PMS and Training and Event Management
Hi Gurus,
One of our clients is implementing PMS and Training and Event Management.
Could anyone suggest what questions need to be asked in the initial meeting with the client,
and if anyone has configuration documents on PMS and Training and Event Management please forward them to me;
my id would be [email protected]
Regards,
Rajesh Soma
The prerequisites of PMS: OM and PA are mandatory.
PMS is just like an interaction between the manager and the employees in an enterprise; based
on their work they are going to put some rating etc.
In the standard system the employee is called the "Appraisee", the Manager is called the "Appraiser" and the Manager's Manager is called the Higher level manager. A "Part Appraiser" can be a self, peer or customer; they can save and provide their comments to the "Appraiser".
First you take the requirements from the client side, what the process is and how the appraisal system works at the client; then you have to prepare one sheet like Preparation, Planning, Process
for business functions; and for the others check below:-
HCM, Performance Management (Flexible) 01 - SAP Documentation
HCM, Performance Management (Predefined) 03 - SAP Documentation
check below once :-
Tcodes for PMS Basic Setting
OOHAP_BASIC Basic Appraisal Template Settings
OOHAP_CATEGORY Appraisal Category Settings
OOHAP_CAT_GROUP Category Group Settings
OOHAP_SETTINGS_PA PA: Settings
OOHAP_VALUE_TYPE Standard Value Lists
T codes for PMS Process
PHAP_ADMIN Administrator - Appraisal Document
PHAP_CATALOG Appraisal Template Catalog
PHAP_CHANGE Change Appraisal Document
PHAP_CREATE Create Appraisal
PHAP_PREPARE Prepare Appraisal Documents
PHAP_SEARCH Evaluate Appraisal Document
Start your work with the above things; for anything else, post here again ......
-
is there a way to create form fields to tab into and type and or drop down selection fields in pages as you can with microsoft word?
No
-
The screen on my ipod touch is stuck zoomed in. I don't know how it happened I just looked down and it was like that. I have turned it off and back and even reset it but it still keeps zooming back in each time I turn it on. I can't unlock it because I can't see the numbers and it won't let me move around the screen. Please help.
This is asked and answered often. The forum search bar is on the right side of this page.
It is also covered in the manual - zoom feature:
iPod touch User Guide (For iOS 4.3 Software)
Double tap with three fingers.
-
From my dozens of bookmarks, I often would like to open 5 or 6 of them at once -- perhaps a couple of weather reports, a couple of radio stations, a couple of other websites. But I see no way of doing this without laboriously finding a bookmark, selecting it, opening the website, then returning to the bookmarks, finding the second bookmark, selecting it, opening the website, and on and on. Surely there's a way for me to select multiple unrelated bookmarks and open them at the same time. Thanks much for your help. Don
''Actually there is a picture and better explanation in the corresponding History article''
* ''http://kb.mozillazine.org/Viewing_the_browsing_history_-_Firefox ''
Look where this picture is embedded in the article topic [http://kb.mozillazine.org/Viewing_the_browsing_history_-_Firefox#Selecting_history_items Selecting history items]
* http://kb.mozillazine.org/images/Fx3_history_sidebar_selections2.png
Selecting, viewing, and searching the sidebars and library lists is explained in both articles previously mentioned.
Multiple selection is something built into a lot of applications and into all browsers, and yes, you guessed correctly: the favicon is the thing to the left of the bookmark and that is what it is called in all browsers. And if you look at selection you will find that it matches what you asked for, especially if you were to do a search from the search bar on the bookmark or history sidebar. But there is also no problem opening up a single bookmark or history item in a new tab, with either Ctrl+click or Ctrl+Shift+click in the area to the right of the favicon either.
However I would suggest making a change to your configuration options so that the same keyboard shortcut is used from a link and from your bookmarks. See those keyboard shortcuts in the following along with the footnotes just below the table for them in
* http://www.mvps.org/dmcritchie/firefox/keyboard.htm