ASA Identity Firewall

Hi,
I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.
I have installed the ADAgent on a domain member Win2008 and configured as follows:
aaa-server ADAGENT_SERVER protocol radius
ad-agent-mode
aaa-server ADAGENT_SERVER (VPN) host 172.17.v.x  key *****
I have configured the LDAP connection to the DC as follows:
aaa-server DOMAIN_SERVER protocol ldap
aaa-server DOMAIN_SERVER (VPN) host 172.17.v.z
ldap-base-dn DC=YYY,DC=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn vvvvv
server-type microsoft
The identity config is as follows:
user-identity domain YYY aaa-server DOMAIN_SERVER
user-identity default-domain YYY
user-identity action netbios-response-fail remove-user-ip
user-identity logout-probe netbios local-system
user-identity ad-agent aaa-server ADAGENT_SERVER
user-identity user-not-found enable
access-list 122 extended permit ip user YYY\ashdew any any
where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.
The ADagent has been properly tested and ASA can register to it.
The ASA can connect to AD DC controller and query user database.
I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity
Do I need to add extra rules in the access-list 122 to permit trafic to DC?
Can I check on the AD Agent if it can retrieve the user to ip mapping ?
Thanks
Ashley

Thanks Karsten,
Great its clear now. I know the DMZ seems a bit odd. Actually, the DMZ is only accessible through the any-connect VPN.
In the DMZ, we will have a citrix farm to access internal resources through identity management.
We are testing with a laptop in the first place.
Now, we have allowed in the acl to access AD, the laptop authenticates in the domain but then all connections are refused since the AD Agent is not retrieving the mapping.
Is there a way to check if the ADAgent is properly retrieved the mapping. We suspect the problem is here.
We did a capture on the ASA and we have found that the ASA contact the ADAgent when the user authenticates but then ADAgent does not return any ip mapping. The ASA sees the user as  ip as user-not -found .
Thanks again for your help,
Ashley

Similar Messages

  • Major flaw in Identity Firewall?

    Hi!
    I have just configured identity firewall on our ASA 5510.
    I have 3 nodes that authenticates against Active Directory, using the Windows Server 2008 R2 builtin Network Policy Server:
    A laptop, a stationary PC, and a Android Phone. All 3 nodes are authenticated using the same user/password.
    Now, in ASDM -> Monitoring -> Properties -> Identity -> Users, I can see two of the nodes with my user name attached to it, namely the laptop and the stationary PC.
    But not the Android phone.
    Then it dawned on me. To set up the ADAgent properly, you have to apply 2 group policy entries. Unfortunately, those 2 entries are applied to the Computer Configuraton part of the Group Policy!!
    This means that your COMPUTER has to be a member of your domain for USER IDENTITY to work.
    Err. hello?
    So my Android phone and other nodes not a member of the AD Machine Store will never be detected by identity rules, and can roam the network free.
    If this isn't a major flaw, I don't know what is.
    Unless, of course, there is something I have completely misunderstood.
    Please tell me that I have.

    Hello,
    For devices that are not joined to the AD domain, the IDFW feature supports learning username to IP mappings via VPN or cut-through proxy authentication. The configuration guide describes this type of deployment:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html#wp1372180
    -Mike

  • Identity firewall with OpenLDAP ?!

    Hi Guys
    I am interested to use identity firewall but I am using OpenLDAP , as far as I know there is no OpenLDAP agent like AD Agent!
    Does it mean that I only able to use OpenLDAP for VPN authentication and not for identity feature ?
    Thanks
    Ehsan

    Probably the answer is Yes I guess , ASA identity feature works only with Microsoft Active Directory !!!!

  • Can Identity Firewall work with L2L IPSec

    Hello,
    One of my customers has requested a L2L IPSec tunnel between a 3rd party ASA5505 and their central office 5510.
    The tunnel works fine but they have asked to enable Identity Firewall against the incoming connections in relation to the IPSec tunnel.
    I've read about sysopt and vpn filter. So there are 2 choices.
    1. Disable access rule bypass for VPN connections via the sysopt command and configure the access rules accordingly.
    2. Use the vpn filter mechanism and define the ACL / ACE w/ the Identity Firewall.
    This is an excerpt from the Identity Firewall chapter ASA 9.0/ASDM 7.0.
    VPN filter—Although VPN does not support identity  firewall ACLs in general, you can use configure the ASA to enforce  identity-based access rules on VPN traffic. By default, VPN traffic is  not subject to access rules. You can force VPN clients to abide by  access rules that use an identity firewall ACL (
    no sysopt connection permit-vpn
    command). You can also use an identity firewall ACL with the VPN filter  feature; VPN filter accomplishes a similar effect as allowing access  rules in general.
    Has anyone attempted and succeeded with such a configuration? If so, did it support AD authentication or LOCAL only?
    Thanks in advance for your input.

    Anyone??

  • Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

    Hello,
    I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    ip address outside xxx.xxx.xxx.94 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

    Hey Craig,
    Based on your commands I think you were using 6.3 version on PIX and now you must be  moving to ASA ver 8.2.x.
    On 8.4 for interface defining use below mentioned example :
    int eth0/0
    ip add x.x.x.x y.y.y.y
    nameif outside
    no shut
    int eth0/1
    ip add x.x.x.x y.y.y.y
    nameif inside
    no shut
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
    If you're still not able to reach.Paste your entire config and version that you are using on ASA.

  • I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

    I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
    I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
    I need to allow the following IP addresses to have RDP access to my server:
    66.237.238.193-66.237.238.222
    69.195.249.177-69.195.249.190
    69.65.80.240-69.65.80.249
    My external WAN server info is - 99.89.69.333
    The internal IP address of my server is - 192.168.6.2
    The other server shows up as 99.89.69.334 but is working fine.
    I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
    THE FOLLOWING IS MY CONFIGURATION FILE
    Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
    Also the bolded lines are the modifications I made but that arent working.
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password DowJbZ7jrm5Nkm5B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.89.69.233 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network EMRMC
    network-object 10.1.2.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.11.0 255.255.255.0
    network-object 172.16.0.0 255.255.0.0
    network-object 192.168.9.0 255.255.255.0
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service GMED tcp
    description GMED
    port-object eq 3390
    object-group service MarsAccess tcp
    description MarsAccess
    port-object range pcanywhere-data 5632
    object-group service MarsFTP tcp
    description MarsFTP
    port-object range ftp-data ftp
    object-group service MarsSupportAppls tcp
    description MarsSupportAppls
    port-object eq 1972
    object-group service MarsUpdatePort tcp
    description MarsUpdatePort
    port-object eq 7835
    object-group service NM1503 tcp
    description NM1503
    port-object eq 1503
    object-group service NM1720 tcp
    description NM1720
    port-object eq h323
    object-group service NM1731 tcp
    description NM1731
    port-object eq 1731
    object-group service NM389 tcp
    description NM389
    port-object eq ldap
    object-group service NM522 tcp
    description NM522
    port-object eq 522
    object-group service SSL tcp
    description SSL
    port-object eq https
    object-group service rdp tcp
    port-object eq 3389
    access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
    access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
    access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
    access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
    access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.6.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 68.156.148.5
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    tunnel-group 68.156.148.5 type ipsec-l2l
    tunnel-group 68.156.148.5 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
    : end
    ciscoasa(config-network)#

    Unclear what did not work.  In your original post you include said some commands were added but don't work:
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    and later you state you add another command that gets an error:
    static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
    You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
    The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
    Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

  • DMZ issues in ASA 5505 Firewall

    hi , i have asa 5505 firewall with ASA5505-UL-BUN-K9 license i have problem with DMZ. I am not able to create dmz. please suggest me what i need to do in order to be able to configure dmz. should i need to upgrade the license. please suggest.

    Hi,
    Is the currently licensed firewall something that you have had for sometime or is it a new purchase?
    Just wondering as it would seem unreasonable to just have bought something and then having to get a new license. Just wondering if you can somehow avoid spending extra money if this is a new purchase that wasnt what you were actually looking for.
    You can check this link for the differnent options the ASA5505 has
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html
    You can also check this link for all the available licensed options on the ASA5505
    http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html#wp2124788
    This link contains also information on the ASA models
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
    So essentially you would get 20 Vlan interfaces instead of 3 and also support for Trunking which would let you use a single physical link for several Vlans (if you wanted that is)
    Hope this helps
    - Jouni

  • Identity firewall NetBIOS Probe problem

    Hi,
    I've setup an Identity Firewall on a ASA5510 version 8.4.5 (inside interface). ADAgent is installed and configured on an Windows 2003 server and connected to the DC (Windows 2008 server). Everything works fine except the NetBIOS Probe function.
    The NetBIOS probe function is active and configured as below.
    user-identity domain TEST aaa-server LDAP_Identity
    user-identity default-domain TEST
    no user-identity action mac-address-mismatch remove-user-ip
    user-identity inactive-user-timer minutes 120
    user-identity logout-probe netbios local-system
    user-identity poll-import-user-group-timer hours 1
    user-identity ad-agent aaa-server adagent
    user-identity user-not-found enable
    The problem is following message...
    "746013 user-identity: Delete IP-User mapping 192.168.3.61 - TEST\Peter Succeeded - Netbios probing failed"
    I've never seen an NetBIOS probe successful message
    Can anyone help me with this issue?
    Thanks

    Hi,
    Could you please run some of these debug commands:
    debug user-identity user
    debug user-identity user-group
    debug user-identity ad-agent
    debug-user-identity ldap
    debug user-identity logout-probe
    debug user-identity acl
    debug user-identity tmatch
    debug user-identity fqdn
    debug user-identity process
    debug user-identity debug
    debug user-identity error
    debug ldap 255
    Also here is a guide that may provide some direction -
    https://supportforums.cisco.com/docs/DOC-20366
    Tarik Admani
    *Please rate helpful posts*

  • IDS,ASA,PIX firewall monitoring and optimizing

    Dear All,
    Please let me know the products from Cisco to monitor and optimize the IDS, ASA, PIX firewall in the data centre and corporate networking environment.
    I believe that VMS 2.3 can be used.I like to know about the CS-MARS product from Cisco and its usage.
    Thanking you
    Swamy

    Hi,
    CS-MARS is a security product that mainly used to analyse, correlates and produce/recommed mitigation action based on the log analysis.
    You need to send your syslog, snmp or NetFlow to CS-MARS from all/selected network devices in the network to enable it to have visibility of the network activities. It has built-in signatures or rules that trigger incidents, and allows you can create your own rule to monitor certain segment or devices. Notification is available in the form of email, sms, pager, snmp and syslog.
    CS-MARS does not replace the function of IDS/IPS or antivirus, but as a critical security complimentary product to allow you to stop any detected malicious incidents/activities from a nearest point, e.g shutting down switch port where a PC is detected trying to launch network attack, virus or trojans. The concept more or less similar to 'Forward Defense' used by certain country today.
    http://www.cisco.com/en/US/partner/products/ps6241/products_data_sheet0900aecd80272e64.html
    CS-MARS is measured by its capabilities to handle received Event and Netflow logs per second. This include the HDD capacity. You can have single unit (Local Controller) or multiple unit that centrally managed by Global Controller.
    CS-MARS support wide range of networking and security products.
    http://www.cisco.com/en/US/partner/products/ps6241/products_device_support_tables_list.html
    Rgds,
    AK

  • ASA 5525 firewall Trace Route.

    Hi,
    We are Having  ASA 5525 firewall and Whenever I am performing traceroute passing through the firewall and i am not getting any hop count after firewall( Firewall IP is also not shwoing in Trace Route.
    ICMP I had allowed and also configure ICMP in the Policy_Map global Policy.
    PLease help me to resolve this issue.
    Regards,
    Dheeraj

    Hi Dheeraj,
         firewall blocks Traceroute as doesnt decrements the TTL value by default. You would need the following to enable the same:
    Make the Firewall Show Up in a Traceroute in ASA/PIX
    ciscoasa(config)#class-map class-default
    ciscoasa(config)#match any
    !--- This class-map exists by default.
    ciscoasa(config)#policy-map global_policy
    !--- This Policy-map exists by default.
    ciscoasa(config-pmap)#class class-default
    !--- Add another class-map to this policy.
    ciscoasa(config-pmap-c)#set connection decrement-ttl
    !--- Decrement the IP TTL field for packets traversing the firewall.
    !--- By default, the TTL is not decrement hiding (somewhat) the firewall.
    ciscoasa(config-pmap-c)#exit
    ciscoasa(config-pmap)#exit
    ciscoasa(config)#service-policy global_policy global
    !--- This service-policy exists by default.
    WARNING: Policy map global_policy is already configured as a service policy
    ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
    !--- Adjust ICMP unreachable replies:
    !--- The default is rate-limit 1 burst-size 1.
    !--- The default will result in timeouts for the ASA hop:
    Cheers,
    Naveen

  • Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

    Recently i have installed ASA 5520 firewall, Below is the detail for my network
    ASA 5520 inside ip: 10.12.10.2/24
    Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
    Cisco Call Manager 3825 IP: 10.12.110.2/24
    The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
    the Default Gateway for Data user is 10.12.10.2/24 and
    for the voice users is 10.12.110.2/24
    now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.

    Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
    ASA Version 8.2(1)
    name x.x.x.x Mobily
    interface GigabitEthernet0/0
     nameif inside
     security-level 99
     ip address 10.12.10.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.252
    object-group service DM_INLINE_SERVICE_1
     service-object tcp-udp
     service-object ip
     service-object icmp
     service-object udp
     service-object tcp eq ftp
     service-object tcp eq www
     service-object tcp eq https
     service-object tcp eq ssh
     service-object tcp eq telnet
    access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
    access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
    ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    asdm history enable
    arp timeout 14400
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 Inside-Network 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 Mobily 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Mgmt-Network 255.255.255.0 mgmt
    http Inside-Network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet Inside-Network 255.255.255.0 inside
    telnet timeout 5
    ssh Inside-Network 255.255.255.255 inside
    <--- More --->              ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy RA_VPN internal
    group-policy RA_VPN attributes
     dns-server value 86.51.34.17 8.8.8.8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RA_VPN_splitTunnelAcl
    username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
    tunnel-group RA_VPN type remote-access
    tunnel-group RA_VPN general-attributes
     address-pool VPN-Users
     default-group-policy RA_VPN
    tunnel-group RA_VPN ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
    : end

  • Dear All, I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me. Thanks Vijay

    Dear All,
                         I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me.
    Thanks
    Vijay

    Hi Vijay,
    If can be done but you need any network management software. I personally dont think you can ask your ask to send mails. ASA can trigger alert to a SNMP configured server which will intern send mail to you 
    HTH,

  • Identity Firewall using CDA

    Hello All,
    I am thinking to set up Identity Firewall functionality too for our  environment.  I had a couple of questions.  Is the new version of AD  Agent now called CDA (Context Directory Agent)?  Also will this support  Windows 2012?
    Adil

    Hi,
    Yes, CDA is the replacement of AD Agent.
    Supported Active Directory Versions
    The Cisco CDA supports the following Active Directory versions:
    •Windows 2003
    •Windows 2003R2
    •Windows 2008
    •Windows 2008 R2
    •Windows 2012
    http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html#wp1059944
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Identity firewall with Single Forest/Multi-Domain

    I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.
    Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:
    I have 3 domains.
    domain1.test.com
    domain2.domain1.test.com
    domain3.domain2.domain1.test.com
    Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains.  I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent.  I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1.  I looked to see if I could see domain 2 and domain 3 users and found none.  I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2.  Instead, it shows domain1 users as domain2\user1.  I also configured another adserver in the ASA to search ldap on domain 2 to no avail.
    The cisco documentation states the following:
    •Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).
    Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.
    Reading that it sounds like it should just work.  I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.  I wanted to ask though before I blow everything up and start over.  The instructions are not overwhelming clear on what needs to done in this scenario.  Suggestions?

    Hi Matthew,
    If I understand your post correctly, the problem is that the ASA is unable to search users in domain2, correct? This portion of the communication is unrelated to the AD Agent, but it sounds like the Agent can talk to the DC just fine. The ASA searches for users directly on the DC via LDAP queries. The communication between the ASA and the Agent is all done via RADIUS.
    If the above is correct, I would focus on why the LDAP queries are failing between the ASA and the domain2 DC. Feel free to open a TAC case on this as well for additional assistance from the AAA experts.
    -Mike

  • Unable to see interface on ASA 5510 Firewall

    Hi All,
    I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
    Below is the output.
    ciscoasa# sh int ip br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                x.x.x.x           YES CONFIG up                    up
    Ethernet0/1                x.x.x.x           YES CONFIG up                    up
    Ethernet0/2                unassigned      YES unset  administratively down down
    Internal-Control0/0        127.0.1.1       YES unset  up                    up
    Internal-Data0/0           unassigned      YES unset  up                    up
    Management0/0              192.168.1.1     YES CONFIG up                    up
    Please suggest what could be the reason.
    Regards
    Pankaj

    Hi Ramraj,
    Even i have the base license for my ASA 5510 which is showing all the 4 interfaces in sh ver. I don't think so license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
    Its not showing up in sh ver . As Karsten said he might be running on old IOS version.
    fy-a# sh ver
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 6.4(5)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fy-a up 1 day 1 hour
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
    0: Ext: Ethernet0/0         : address is 2c54.2d0c.8f1a, irq 9
    1: Ext: Ethernet0/1         : address is 2c54.2d0c.8f1b, irq 9
    2: Ext: Ethernet0/2         : address is 2c54.2d0c.8f1c, irq 9
    3: Ext: Ethernet0/3         : address is 2c54.2d0c.8f1d, irq 9
    4: Ext: Management0/0       : address is 2c54.2d0c.8f1e, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 50             perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Disabled       perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 0              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has a Base license.
    Serial Number: JMX1AXXXXX
    Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    fy-a#
    Ramraj please do correct me if am wrong.
    Please do rate if the given information helps.
    By
    Karthik

Maybe you are looking for

  • History and Future Bucket of the Data View

    Hi Experts As per my Client Requirement Planning for the Next year Jan 2010 u2013 Dec 2010 which Starts in the second Quarter of the Year 2009. They need historical data (Historical Time Bucket) of Last 3 years in the monthly bucket and Future bucket

  • Opening PDF files in Reader itself takes a long time

    When I try opening PDF Files in Reader itself, this process takes a long time (more then 2 minutes for opening PDF files). When I try opening PDF Files directly from My computer, My documents: no problem (direct opening). Running Reader XI on Windows

  • Impossible to program a Kintex-7 with Vivado Lab Edition 2015.[1,2]

    Hello, I'm trying to program a Kintex-7 160T with a Platform USB Cable and Vivado Lab Edition 2015.1 and 2015.2. The JTAG chain is shown on the screenshot below: It is possible to program very small bitstream (~600KiB). But when the bitstreams become

  • Using numbers with iPad

    Before I spend 10 bucks on the numbers app for iPad I have a few general questions. The main one being how compatible is excel and numbers. I want to know if I import a sheet I was working with in excel to numbers and that sheet has formulas, charts,

  • Unit of measure problem between Order UOM, Base UOM and Inspetion UOM

    Material: ROH-001 Base UOM: Meter Order UOM: Kilogram Inspection UOM: Roll I have already maintained conversion factor in material master between meter and kilogram. Is there any way to maintain KG in inspection plan header level and Roll in inspecit