ASA 55xx and Videoconferencing and VCS

I'm not a Security or ASA guy, but on all my projects I always encounter the question of "can you help me translate the TCP/IP ports you need for your videoconferencing into a configuration?"
I would appreciate it a lot if someone could send, email or PM me a working config (with the confidential info scrubbed) of an ASA that works for a setup that has
VCS Control
VCS Expressway
Internal video endpoints calling External (different company's) endpoints
Thanks

Sorry, forgot to add more details.
The protocols will be H.323 and SIP. Tandberg (now Cisco) has a document that lists all the TCP and UDP ports that are required to be open in the firewall.
It is just translating those ports into actual ASA command lines or config that I need, since I am not an ASA guy.
I just want to help the customer that is asking for assistance, as I always encounter this question and it is a bit frustrating not having the info. I am enrolling myself in an ASA class soon though.
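One way to do the translation the post asks for, as an added example that is not the original poster's configuration and not a Cisco document: a small generator that turns a port table into ASA `object-group service` and `access-list` lines in the same syntax the ASA configs later on this page use. The PORT_TABLE below is constructed for illustration (well-known SIP and H.323 signalling ports plus a placeholder media range); take the authoritative numbers from the Cisco VCS/Expressway port reference the post refers to. The object name VCS_EXPRESSWAY and the address 203.0.113.10 are assumed placeholders.

```python
"""Generate ASA object-group and access-list lines from a port table.

Added example, not the original poster's configuration and not a Cisco
document: PORT_TABLE is constructed for illustration, so take the authoritative
numbers from the Cisco VCS/Expressway port reference and replace the
placeholder Expressway address before use.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    name: str      # object-group name to emit
    proto: str     # "tcp" or "udp"
    lo: int        # first port of the range
    hi: int        # last port of the range (equal to lo for a single port)
    purpose: str   # free text, written as the object-group description


# Constructed port table (illustrative, NOT the authoritative Cisco list).
PORT_TABLE = [
    PortRule("VCS_SIP_TCP", "tcp", 5060, 5060, "SIP signalling over TCP"),
    PortRule("VCS_SIP_UDP", "udp", 5060, 5060, "SIP signalling over UDP"),
    PortRule("VCS_SIP_TLS", "tcp", 5061, 5061, "SIP over TLS"),
    PortRule("VCS_H323_RAS", "udp", 1719, 1719, "H.323 RAS (gatekeeper) signalling"),
    PortRule("VCS_H323_H225", "tcp", 1720, 1720, "H.323 H.225 call setup"),
    PortRule("VCS_MEDIA", "udp", 50000, 52399, "RTP/RTCP media range (placeholder)"),
]

EXPRESSWAY_OBJECT = "VCS_EXPRESSWAY"   # assumed object name for the Expressway
EXPRESSWAY_IP = "203.0.113.10"         # placeholder (TEST-NET-3), replace it
OUTSIDE_ACL = "outside_access_in"      # same ACL name as the posted ASA config uses


def validate(rules):
    """Reject rules the ASA would not accept: bad protocol or port range."""
    for r in rules:
        if r.proto not in ("tcp", "udp"):
            raise ValueError(f"{r.name}: protocol must be tcp or udp")
        if not (1 <= r.lo <= r.hi <= 65535):
            raise ValueError(f"{r.name}: invalid port range {r.lo}-{r.hi}")
    return True


def render_object_groups(rules, obj=EXPRESSWAY_OBJECT, ip=EXPRESSWAY_IP):
    """One network object for the Expressway plus one service object-group per rule."""
    validate(rules)
    lines = [f"object network {obj}", f" host {ip}"]
    for r in rules:
        lines.append(f"object-group service {r.name} {r.proto}")
        lines.append(f" description {r.purpose}")
        if r.lo == r.hi:
            lines.append(f" port-object eq {r.lo}")
        else:
            lines.append(f" port-object range {r.lo} {r.hi}")
    return lines


def render_acl(rules, acl=OUTSIDE_ACL, obj=EXPRESSWAY_OBJECT):
    """Inbound ACL: only the listed ports, only to the Expressway object."""
    validate(rules)
    lines = [f"access-list {acl} remark VCS Expressway inbound (generated)"]
    for r in rules:
        lines.append(
            f"access-list {acl} extended permit {r.proto} any "
            f"object {obj} object-group {r.name}"
        )
    lines.append(f"access-group {acl} in interface outside")
    return lines


if __name__ == "__main__":
    print("\n".join(render_object_groups(PORT_TABLE) + render_acl(PORT_TABLE)))
```

The generated ACL permits only the listed ports, and only to the single Expressway object, so nothing else on the inside network is exposed by it; the source is `any` because the point of the setup is receiving calls from other companies' endpoints. Signalling ports alone are not the whole story on an ASA: the `inspect sip` and `inspect h323 h225` / `inspect h323 ras` lines of the kind visible in the posted config further down are what open the dynamically negotiated media pinholes, so keep the port list and the inspection policy in step.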

Similar Messages

  • Cisco Prime Infrastructure 2.0 and ASA 55xx platform

    Hello,
    We recently upgraded to Prime Infrastructure 2.0 with the hope being able to manage our ASA's from PRIME (and complete an LMS migration).
    When I attempt to add ASAs to Prime I get the following collection errors:
    Unable to collect processor and RAM information. Processor and RAM information. Unexpected error. See the log file inventory.log for details.
    In the logfile I get the following XML parsing error on the MIB:
    <palError>
      <deviceId>6284310032</deviceId>
      <code>VALIDATION_ERROR</code>
      <message>Failed to validate output XML: cvc-maxInclusive-valid: Value '3484331296' is not facet-valid with respect to maxInclusive '2147483647' for type 'int'.</message>
      <result>
        <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/CISCO-MEMORY-POOL-MIB/xmp-im-file-system-module.xsd">
          <xmp-im-file-system-module>
            <MemoryPoolStatistics>
              <memoryPoolIndex>1</memoryPoolIndex>
              <free>4294967295</free>
              <largestFree>4294967295</largestFree>
              <used>3484331296</used>
            </MemoryPoolStatistics>
    To me it seems that the ASA returns a value that is bigger than int32 and thus causes an overflow? Any clues? Workarounds to add an ASA to Prime without checking these MIBs?
    Regards,
    Marcel
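The validation error quoted above is a schema bound check, not an SNMP failure. As an added example (not Prime Infrastructure code), the check below parses a well-formed reconstruction of the `<MemoryPoolStatistics>` element from the post, flags every value above the `maxInclusive` 2147483647 that the error names, and separates the fields that sit exactly at 4294967295 (a saturated 32-bit Gauge/Counter) from the one that is simply larger than int32. The sample XML is constructed from the values quoted in the post.

```python
"""Check SNMP memory-pool values against the int32 bound Prime's schema enforces.

Added example, not Prime Infrastructure code: SAMPLE_XML is a well-formed
reconstruction of the <MemoryPoolStatistics> element quoted in the post, and
INT32_MAX is the maxInclusive bound named in the validation error.
"""
import xml.etree.ElementTree as ET

INT32_MAX = 2_147_483_647     # maxInclusive for xsd 'int', as in the error message
GAUGE32_MAX = 4_294_967_295   # 2**32 - 1: a saturated 32-bit SNMP Gauge/Counter

# Constructed from the values quoted in the post (closing tags added).
SAMPLE_XML = """<xmp-im-file-system-module>
  <MemoryPoolStatistics>
    <memoryPoolIndex>1</memoryPoolIndex>
    <free>4294967295</free>
    <largestFree>4294967295</largestFree>
    <used>3484331296</used>
  </MemoryPoolStatistics>
</xmp-im-file-system-module>"""


def find_int32_overflows(xml_text, bound=INT32_MAX):
    """Return (field, value) pairs in every MemoryPoolStatistics that exceed bound."""
    root = ET.fromstring(xml_text)
    overflows = []
    for pool in root.iter("MemoryPoolStatistics"):
        for field in pool:
            if field.tag == "memoryPoolIndex":   # the index is not a counter
                continue
            value = int(field.text.strip())
            if value > bound:
                overflows.append((field.tag, value))
    return overflows


def classify(overflows):
    """Split saturated 32-bit counters from values that merely exceed int32."""
    saturated = [f for f, v in overflows if v == GAUGE32_MAX]
    too_large = [f for f, v in overflows if v != GAUGE32_MAX]
    return saturated, too_large


if __name__ == "__main__":
    found = find_int32_overflows(SAMPLE_XML)
    sat, big = classify(found)
    print("exceeds int32:", found)
    print("saturated 32-bit counters:", sat, "| other oversize values:", big)
```

Run against the post's values, every memory field fails the int32 bound: `free` and `largestFree` are pinned at the 32-bit ceiling, and `used` (about 3.2 GiB) is a plausible figure for a 64-bit image that the signed 32-bit schema type simply cannot hold, which matches the reply below that the 64-bit SMP images are not supported by that Prime release.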

    The X series (all with 64-bit SMP images) are not currently supported by PI 2.0. We can hope for a device update in the coming months to remedy that situation.
    If you click on the arrow next to the help icon in the top right of your PI and choose "Device Level Support" you will see:
    Cisco ASA-5500 Series Adaptive Security Appliances
    Features :
    Topology
    LLDP Neighbor Discovery
    CDP Neighbor Discovery
    Configuration
    Configuration Archive
    Software Image Management
    Monitoring
    Device Availability
    Reachability
    Inventory
    Physical
    System - Memory Pools
    Interfaces - IP
    Interfaces - Ethernet
    Device Type
    SYSOIDS
    S/W Version
    Software
    Cisco ASA-5510 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.669
    OID:1.3.6.1.4.1.9.12.3.1.3.447
    Cisco ASA-5510 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.773
    Cisco ASA-5520 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.670
    OID:1.3.6.1.4.1.9.12.3.1.3.448
    Cisco ASA-5520 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.671
    Cisco ASA-5540 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.672
    OID:1.3.6.1.4.1.9.12.3.1.3.449
    Cisco ASA-5540 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.673
    Cisco ASA-5560 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.12.3.1.3.454
    Cisco ASA-5550 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.753
    Cisco ASA-5550 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.763
    Cisco ASA-5505 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.745
    OID:1.3.6.1.4.1.9.12.3.1.3.560
    Cisco ASA-5580 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.914
    Cisco ASA-5585 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.1194
    OID:1.3.6.1.4.1.9.1.1195
    OID:1.3.6.1.4.1.9.1.1196
    OID:1.3.6.1.4.1.9.1.1197
    Cisco ASA-5585 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.1198
    OID:1.3.6.1.4.1.9.1.1199
    OID:1.3.6.1.4.1.9.1.1200
    OID:1.3.6.1.4.1.9.1.1201
    Cisco ASA-5585 Adaptive Security Appliance System Context
    OID:1.3.6.1.4.1.9.1.1202
    OID:1.3.6.1.4.1.9.1.1203
    OID:1.3.6.1.4.1.9.1.1204
    OID:1.3.6.1.4.1.9.1.1205
    Cisco ASA-5580 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.915
    Cisco ASA-5580 Adaptive Security Appliance System Context
    OID:1.3.6.1.4.1.9.1.916

  • Cisco Prime Infrastructure 2.0 and ASA 55xx platform problem


    Hi,
    does anyone happen to know if that problem is fixed? My current setup looks like this:
    1. Cisco Prime Infrastructure 2.1 with updated device pack.
    2. Assurance license
    3. ASA5510 which has NetFlow enabled. NetFlow is being sent to Cisco Prime 2.1
    I do receive NetFlow raw data within Cisco Prime 2.1, but any graphical display of NetFlow data is not working. Does anybody have an idea where the problem is? Could it be that the graphical data is only displayed when sending NetFlow 1, NetFlow 5 or NetFlow 7?
    regards
    Maurus

  • CISCO ASA 5505 bandwidth control and split

    Dear All,
    Below I am giving the infrastructure I would like to set up; please help me.
    I am using a Cisco ASA 5505 VPN Firewall and a 6Mbps 1:1 dedicated internet connection.
    On the LAN side we have 3 networks: one for Internet users, one for VPN users, one for CCTV.
    I would like to split the 6Mbps bandwidth between these 3 networks, 3x2Mbps,
    so each network uses 2Mbps of bandwidth. The VPN and CCTV users use it up to 6:00 pm; after that the bandwidth will be free,
    and after 6:00 pm we need to give the VPN and CCTV line bandwidth to the Internet users.
    Cisco Adaptive Security Appliance Software Version 7.2(4)
    Device Manager Version 5.2(4)
    Compiled on Sun 06-Apr-08 13:39 by builders
    System image file is "disk0:/asa724-k8.bin"
    So please help me with a suitable configuration for my purpose / please tell me which device will support this / what I have to do for this.
    Thanks 
    Lalu R.S

    There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
    You can do some crude controls with QoS - the configuration guide chapter on doing that is here.

  • Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

    Hello,
    We are currently having issues with an ASA 5505 IPsec VPN. It was configured about 7-8 months ago and has been running very well, up until the last few weeks. For some reason, the VPN tends to randomly disconnect any user clients connected, a lot. Furthermore, sometimes it actually connects; however it does not put us on the local network for some reason and we are unable to browse the file server. We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss, but we are still unable to pinpoint the problem. Sometimes users close out of the VPN client completely, reopen it several times and then it works. However it's never really consistent enough and hasn't been the last few weeks. No configuration changes have been made to the ASA at all. Furthermore, the Cisco IPsec VPN client version is: 5.0.70
    Directly below is our current running config (modded for public). Any help or ideas would be greatly appreciated. Otherwise, if everything looks good, then I will defer back to our ISP Time Warner:
    : Saved
    ASA Version 8.4(2)
    hostname domainasa
    domain-name adomain.local
    enable password cTfsR84pqF5Xohw. encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 205.101.1.240 255.255.255.248
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.2.60
    domain-name adomain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network SBS_2011
    host 192.168.2.60
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.192_27
    subnet 192.168.5.192 255.255.255.224
    object network Https_Access
    host 192.168.2.90
    description Spam Hero
    object-group network DM_INLINE_NETWORK_1
    network-object object SPAM1
    network-object object SPAM2
    network-object object SPAM3
    network-object object SPAM4
    network-object object SPAM5
    network-object object SPAM6
    network-object object SPAM7
    network-object object SPAM8
    object-group service RDP tcp
    description Microsoft RDP
    port-object eq 3389
    access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
    access-list outside_access_in extended permit tcp any object SBS_2011 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in remark External RDP Access
    access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
    access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
    ip local pool VPN_Users 192.168.5.194-192.168.5.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.5.192_27 NETWORK_OBJ_192.168.5.192_27 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SBS_2011
    nat (inside,outside) static interface service tcp smtp smtp
    object network Https_Access
    nat (inside,outside) static interface service tcp https https
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.160-192.168.2.199 inside
    dhcpd dns 192.168.2.60 24.29.99.36 interface inside
    dhcpd wins 192.168.2.60 24.29.99.36 interface inside
    dhcpd domain adomain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy domain internal
    group-policy domain attributes
    wins-server value 192.168.2.60
    dns-server value 192.168.2.60
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value adomain.local
    username ben password zWCAaitV3CB.GA87 encrypted privilege 0
    username ben attributes
    vpn-group-policy domain
    username sdomain password FATqd4I1ZoqyQ/MN encrypted
    username sdomain attributes
    vpn-group-policy domain
    username adomain password V5.hvhZU4S8NwGg/ encrypted
    username adomain attributes
    vpn-group-policy domain
    service-type admin
    username jdomain password uODal3Mlensb8d.t encrypted privilege 0
    username jdomain attributes
    vpn-group-policy domain
    service-type admin
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool VPN_Users
    default-group-policy domain
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2466a5b754eebcdb0ceff051bef91d9
    : end
    no asdm history enable
    Thanks again

    Hello Belnet,
    What do the logs show from the ASA?
    Can you post them?
    Any other question... Sure. Just remember to rate all of the community answers.
    Julio

  • ASA v9.0.1 and ASDM v7.0.1 released

    Looks like v9 is now out...
    http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.pdf
    Regards Simon
    http://www.linksysinfo.org       

    Thanks for spreading out the good news Simon.
    People interested in these two releases can find them here.
    ASA 9.0.1 and ASDM 7.0.1
    Important points to consider before an upgrade to 9.0:
    ASA and ASDM Compatibility (ASA OS 9.0(1) with ASDM 7.0(1)):
    ASA Model                                     ASA 9.0(1) / ASDM 7.0(1)
    ASA 5505                                      YES
    ASA 5510, 5520, 5540                          YES
    ASA 5550                                      YES
    ASA 5580                                      YES
    ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X    YES
    ASA 5585-X                                    YES
    ASASM                                         YES
    ASA 1000V                                     No
    Limitations and Restrictions
    •Clientless SSL VPN with a self-signed certificate on the ASA—When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using an IPv6 address HTTPS URL (FQDN URL is OK): the "Confirm Security Exception" button is disabled. See: https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including clientless SSL VPN connections, and ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. For Internet Explorer 9 and later, use compatibility mode.
    •Citrix Mobile Receiver and accessing Virtual Desktop Infrastructure (VDI):
    –CSD is not supported.
    –HTTP redirect is not supported.
    –Using Citrix Receiver mobile clients to access web interface of Citrix servers is not supported.
    –Certificate or smart card authentication is not supported as a means of auto sign-on.
    –You must install XML service and configure on XenApp and XenDesktop servers.
    –Make sure the ports 443, 1494, 2598, and 80 are open on any intermediate firewalls between the ASA and the XenApp/XenDesktop server.
    –The password-expire-in-days notification on tunnel group that is used by VDI is not supported.
    •When configuring for IKEv2, for security reasons you should use groups 21, 20, 19, 24, 14, and 5. We do not recommend Diffie Hellman Group1 or Group2. For example, use
    crypto ikev2 policy 10
    group 21 20 19 24 14 5
    As always make sure you are familiar with the upgrade procedure Upgrading the Software.
    Important Notes
    •Downgrading issues—Upgrading to Version 9.0 includes ACL migration (see the "ACL Migration in Version 9.0" section). Therefore, you cannot downgrade from 9.0 with a migrated configuration. Be sure to make a backup copy of your configuration before you upgrade so you can downgrade using the old configuration if required.
    •Per-session PAT disabled when upgrading— Starting in Version 9.0, by default, all TCP PAT traffic and all UDP DNS traffic use per-session PAT (see the xlate per-session command in the command reference). If you upgrade to Version 9.0 from an earlier release, to maintain the existing functionality of multi-session PAT, the per-session PAT feature is disabled during configuration migration. The ASA adds the following deny rules:
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    To enable per-session PAT after you upgrade, enter:
    clear configure xlate
    The above deny rules are cleared so that only the default permit rules are still in place, thus enabling per-session PAT.
    •No Payload Encryption for export—You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:
    –Unified Communications
    –VPN
    You can still install the Strong Encryption (3DES/AES) license for use with management connections and encrypted route messages for OSPFv3. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filter (which uses SSL) and redirect traffic to Cloud Web Security.
    More information at:
    Release Notes for the Cisco ASA Series, 9.0(x)
    HTH.
    Portu.
    Please rate any helpful posts

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further on the path.
    Now the needed RADIUS Access attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both the attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on the Tunnel Group in the ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
    Here the "Diagnostics Tools" -> "General tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the RADIUS Access-Requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    OK, the tunnel group name attribute seems to be understood correctly, but Client-Type just says "=", no value for that.
    That is strange, I must have defined that wrong (?), but let's leave that for now, I do not really need it for the time being.
    So now that I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    The problem now is that as soon as I add a criterion to an expression containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), that row does not match any more. It still works matching against NAS-IP and other attributes.
    What could it be that I have missed?
    Best regards
    /Mattias

  • Info about ASA 55xx

    Hi
    I'm starting to read about the ASA 55xx on the Cisco website. But after some good reading, I have some questions.....
    In the Cisco docs about the ASA 55xx, I see the "Maximum concurrent AnyConnect or clientless VPN sessions" and "Maximum concurrent site-to-site and IPsec IKEv1 VPN sessions" (e.g. 750 both): well, are the maximum concurrent sessions 750+750 (AnyConnect + site-to-site), so I have to add the two types of sessions? Or what are the maximum concurrent sessions (of each type) on the ASA5520?
    So, at this point, if I want 750 AnyConnect sessions and 750 site-to-site sessions, which license do I need to buy? ASA5500-SSL-750? ASA-VPNS-1000? Or what else?
    Then, what are the "shared" licenses? When and where do I need to buy them?
    thanks in advance.
    Bye

    Platform capabilities and required licensing are as noted in the product data sheet:
    Up to 750 AnyConnect and/or clientless VPN peers can be supported on each Cisco ASA 5520 by installing an Essential or a Premium AnyConnect VPN license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, offering a maximum of 7500 AnyConnect and/or clientless VPN peers or 7500 IPsec VPN peers per cluster.
    Reiterating:
    The ASA 5520 750 site-to-site VPN capability is in the base license / product (part number ASA5520-BUN-K9 or ASA5520-K8 depending on whether you are eligible to purchase the strong encryption (-BUN-K9) version)
    The AnyConnect user licenses required depend on whether you need Anyconnect Essentials or Premium. The Anyconnect data sheet outlines the differences. Essentials is one license that allows up to 750 clients to use the appliance simultaneously. Premium (which cannot be loaded at the same time as Essentials) requires the licenses to be purchased according to the tiered per user scheme.
    Shared licenses are shared among ASAs in a cluster (2 or more units configured together).
    There is the concept of licenses in a failover (2-unit) cluster. That is automatic - i.e. the license numbers are additive and shared up to the platform capability. The ASA5500-SSL-750 part would be used in that setup.
    There is also the concept of an AnyConnect Premium Shared Server. In that scheme, the shared server allocates licenses in 50-unit blocks to the cluster members as they need them. The ASA-VPNS-1000 part number you mention is used in that sort of setup.

  • New ASA 55xx

    I currently have a 3725 + the NM-CIDS module doing my firewall / IPS / VPN.
    I'm considering upgrading to a ASA 55xx box.
    I was reading the product page, and it does not seem that I can have one ASA box that does both the IPS with an AIP-SSM-xx and the anti-virus with an CSC-SSM-xx because the box only has one SSM slot.
    I also need this box to be compatible and take over the peer to peer VPN that the 3725 is doing with my current IOS. I have several remote 87x router connected over ADSL and cable connection with active IOS VPN. My 3725 currently has a AIM VPN card to help the CPU. If I change it to a ASA box will I have to re-configure all the remote 87x routers?
    Thanks...

    I would use one ASA with the AIP-SSM module.
    And then place a separate Anti-X type of device at the back. Having a separate ASA for the CSC module is overkill IMHO.
    There is no real integration between the CSC/IPS modules anyway, so you still have to manage different GUIs. A good option would be to go for IronPort; since they are now part of Cisco, there might be some neat integrations coming along in the future (giving you more value for money). There isn't any great feedback about the CSC module; most people I know don't like to position it, including some Cisco CSEs themselves (it's based on Trend Micro btw).
    Regards
    Farrukh

  • I got a new macbook pro and am having a great deal of trouble with it from the start!  But other than that, which I will get to, I have had macs since the one following Lisa and I am a diehard apple fan, yet now with the macbook pro and Lion and its

    I could not download the upgrade to Mountain Lion. My updates were taking an enormous amount of time for other programs. When I finally got the indication it was waiting to be downloaded I had to shut down. It was after 2 am and I was practically unconscious already with all the trauma of trying to find the right place to redeem the code to open the password. It was all confusing and poorly communicated by Apple. The terrible deterioration of Apple's written communications by non-American techies who can't write for easy understanding, even by this old-time tech aficionado, is heart-breaking, and frustrating is putting the effects mildly. I have not yet gone back to the MacBook Pro to finish the job. I am too frustrated and unhappy with the new system. Also, I found out the hard way that my Time Capsule saved files on the MacBook Snow Leopard, which still works fine after 6 years of use, are locked in that external drive and I cannot transfer the items except one by one or by folders on that computer to a DVD or to a flash drive, to import to this new computer. Because the systems are not the same, I can't access the files automatically. I fear I will have further problems with Mountain Lion vs. Lion in seeing those files. What can I do? What should I do? I am afraid to designate an external hard drive I purchased with the new laptop for the Time Capsule because then it won't work with any other computer. I read of terrible incompatibility issues and crashes and things not working right once Mountain Lion was installed and now I am terrified they will happen to me. I just wanted the computer to be as easy to use as all the other Macs I have and have had, and now it is more like a horribly complicated and difficult Microsoft IBM-compatible PC. I hate this. Perhaps Apple wanted to appeal to new Apple users and tried to make them comfortable while disregarding the comfort of loyal Apple users? It's a sell-out.
    Meanwhile, I have to get senior tech people because the kids who try to answer my questions much of the time don't interpret what I am telling them and it takes a pro. Perhaps the kids can answer what I should do in preferences to scroll the screen, since the scroll indicators disappear and I can't see them and have to resort to using the arrows on the keyboard, which is not the way I like to work. Please advise me about all of these things!

    Use the trackpad to scroll, that's what it was designed for. The scroll bars automatically disappear when not being used and will appear if you scroll up or down using the trackpad.
    This is a user-to-user forum and most people will post on here if they have problems. You very rarely get people posting to say their update went smoothly. The fact is the vast majority of Mountain Lion users will not be experiencing any major problems with the OS, or maybe with apps which are not compatible, but that's hardly Apple's fault if developers don't update their apps.

  • I need help to find and open a job app that I exported, was able to fill out and sign and saved and now can't open it? What did I do wrong?

    I need help to find and open a job app that I exported, was able to fill out and sign and saved and now can't open it? What did I do wrong?

    What file format did you export it to?

  • PMS and Training and Event Management

    Hi Gurus,
    One of our clients is implementing PMS and Training and Event Management.
    Could anyone suggest what questions need to be asked in the initial meeting with the client?
    And if anyone has configuration documents on PMS and Training and Event Management, please forward them to me;
    my id would be [email protected]
    Regards,
    Rajesh Soma 

    The prerequisites of PMS are OM and PA; they are mandatory.
    PMS is just like an interaction between the manager and the employees in an enterprise; based
    on his work they are going to put some rating etc.
    In the standard system the employee is called the "Appraisee", the Manager is called the "Appraiser", and the Manager's Manager is called the Higher Level Manager. A "Part Appraiser" can be a self, peer or customer; they can save and provide their comments to the "Appraiser".
    First you take the requirement from the client side (what the process is and how the appraisal system works at the client), then you have to prepare one sheet like Preparation, Planning, Process
    for business functions, and for other things check below:
    HCM, Performance Management (Flexible) 01 - SAP Documentation
    HCM, Performance Management (Predefined) 03 - SAP Documentation
    Check the below once:
    T-codes for PMS Basic Settings
    OOHAP_BASIC         Basic Appraisal Template Settings
    OOHAP_CATEGORY      Appraisal Category Settings
    OOHAP_CAT_GROUP     Category Group Settings
    OOHAP_SETTINGS_PA   PA: Settings
    OOHAP_VALUE_TYPE    Standard Value Lists
    T-codes for PMS Process
    PHAP_ADMIN          Administrator - Appraisal Document
    PHAP_CATALOG        Appraisal Template Catalog
    PHAP_CHANGE         Change Appraisal Document
    PHAP_CREATE         Create Appraisal
    PHAP_PREPARE        Prepare Appraisal Documents
    PHAP_SEARCH         Evaluate Appraisal Document
    Start your work with the above things; for anything else, post here again.

  • Is there a way to create form fields to tab into and type in, and/or drop-down selection fields, in Pages as you can with Microsoft Word?

    Is there a way to create form fields to tab into and type in, and/or drop-down selection fields, in Pages as you can with Microsoft Word?

    No

  • The screen on my iPod touch is stuck zoomed in. I turned it off and back on and it's still stuck zoomed in. I also tried to reset it and that didn't work either. Please help.

    The screen on my iPod touch is stuck zoomed in. I don't know how it happened; I just looked down and it was like that. I have turned it off and back on and even reset it, but it still keeps zooming back in each time I turn it on. I can't unlock it because I can't see the numbers and it won't let me move around the screen. Please help.

    This is asked and answered often. The forum search bar is on the right side of this page.
    It is also covered in the manual, under the zoom feature:
    iPod touch User Guide (For iOS 4.3 Software)
    Double tap with three fingers.

  • How can I select more than one bookmark at a time so that I can then open multiple bookmarks -- without the aggravation of going back to the list and selecting and opening each one.

    From my dozens of bookmarks, I often would like to open 5 or 6 of them at once -- perhaps a couple of weather reports, a couple of radio stations, a couple of other websites. But I see no way of doing this without laboriously finding a bookmark, selecting it, opening the website, then returning to the bookmarks, finding the second bookmark, selecting it, opening the website, and on and on. Surely there's a way for me to select multiple unrelated bookmarks and open them at the same time. Thanks much for your help. Don

    ''Actually there is a picture and better explanation in the corresponding History article''
    * ''http://kb.mozillazine.org/Viewing_the_browsing_history_-_Firefox ''
    Look where this picture is embedded in the article topic [http://kb.mozillazine.org/Viewing_the_browsing_history_-_Firefox#Selecting_history_items Selecting history items]
    * http://kb.mozillazine.org/images/Fx3_history_sidebar_selections2.png
    Selecting, viewing, and searching the sidebars and library lists is explained in both articles previously mentioned.
    Multiple selection is something built in to a lot of applications and into all browsers, and yes, you guessed correctly: the favicon is the thing to the left of the bookmark, and that is what it is called in all browsers. And if you look at selection you will find that it matches what you asked for, especially if you were to do a search from the search bar on the bookmark or history sidebar. But there is also no problem opening up a single bookmark or history item in a new tab, with either Ctrl+click or Ctrl+Shift+click in the area to the right of the favicon.
    However, I would suggest making a change to your configuration options so that the same keyboard shortcut is used from a link and from your bookmarks. See those keyboard shortcuts in the following, along with the footnotes just below the table for them, in
    * http://www.mvps.org/dmcritchie/firefox/keyboard.htm
