Backup WebVPN personalization on ASA
Hi all,
I'm looking for a way to back up the configuration of the ASA. This is what I've noticed:
if the ASA is a 5510 or higher and has sw 8.x and ASDM 6.x, we have the ASDM -> Tools -> Backup Configuration command, which creates a folder containing all configuration files and the WebVPN personalization.
What do I have to do to have the same command on an ASA 5505 with sw 8.x and ASDM 6.x? Or is there something similar using the console too?
And what about ASAs which have sw 7.x and ASDM 5.x? Is there any possibility to back up the WebVPN personalization?
Thanks a lot,
Matteo
Hi,
I am not sure about ASDM, but we can do this using the CLI. Below are the commands:
export webvpn Anyconnect-customization name url
export webvpn customization name url
Below is the command reference document for these commands:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1928399
Plus, you can also look at the document below for Smart Call Home:
https://supportforums.cisco.com/docs/DOC-14958
Similar Messages
-
How do I backup an IPS config (ASA-SSM-10)
Hi,
How do I backup an IPS config (ASA-SSM-10)?
Thanks
There is a copy command in the IPS CLI that can be used to copy the current configuration to a backup configuration on the sensor itself.
Or to copy the current configuration to an FTP or SCP server.
The copy command can then be used to copy a configuration from backup or from an FTP or SCP server back to the running configuration of the sensor.
http://www.cisco.com/en/US/docs/security/ips/6.2/command/reference/crCmds.html#wp458440 -
Cisco ASA 5505 Dual-ISP Backup VPN
I am trying to create a backup tunnel from an ASA 5505 to a PIX 501 in case the main ISP fails. The PIX external side will stay the same, but I'm not quite sure how I can create a new crypto map and have it use the backup ISP interface without bringing down the main tunnel.
My first thought was to add the following crypto map to the configuration below:
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer 9.3.21.13
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map interface backupisp --> but this would break the current tunnel.
NYASA# sh run
: Saved
ASA Version 7.2(4)
hostname NYASA
domain-name girls.org
enable password CHwdJ2WMUcjxIIm8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 9.17.5.8 255.255.255.240
interface Vlan3
description Backup ISP
nameif backupisp
security-level 0
ip address 6.27.9.5 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list 150 extended permit ip any host 10.1.2.27
access-list 150 extended permit ip host 10.1.2.27 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backupisp 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backupisp) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 9.17.5.7 1 track 1
route backupisp 0.0.0.0 0.0.0.0 6.27.9.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 10
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
sla monitor schedule 10 life forever start-time now
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 9.3.21.13
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
track 1 rtr 10 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
username ptiadmin password BtOLil2gR0VaUjfX encrypted privilege 15
tunnel-group 9.4.21.13 type ipsec-l2l
tunnel-group 9.4.21.13 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:22bb60b07c4c1805b89eb2376683f861
: end
NYASA#
Thanks in advance.
In that case it is the PIX that needs two peers (to the ASA).
The ASA will require the crypto map to be applied to the backup interface as well (as you mentioned):
crypto map outside_map interface backupisp --> but this would break the current tunnel.
The above command should not break the current tunnel (if the route to reach the other end goes out via the primary interface).
Additionally, you need IP SLA configured on the ASA to allow it to use the primary connection and fall back to the backup connection to build up the tunnel (as well as to use the primary interface again when it recovers).
Federico. -
Problem with Java-based application and WebVPN
Hello. Could you please help me find out any specifications/known limitations on using Java-based applications through WebVPN in Cisco ASA 5520 v8.3(2)?
A customer of mine has run into trouble using a Java viewer for graphical files that is invoked by another application (this one correctly served via WebVPN); the viewer cannot be launched because the JVM does not find it (NullPointer).
Our suspicions are generally about the URL rewriting of the WebVPN and/or an unsupported configuration of the ASA SSL certificates vs Java.
Any hint about where to search or what to try?
Thanks. -
ACE: any configuration backup solution?
Hello,
for the ACE module I did not find an easy way to create a backup of the whole configuration (running configuration and crypto material of all the contexts). Any ideas? I only found a Perl backup script for Cisco ASA which I could modify:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1063700
Regards, Olaf
Hi Ramin,
Apologies for the delay - I was on leave. The download works for me - but here it is again - inline this time.
#!/usr/bin/expect -f
# Expect script: log in to the ACE context over telnet, capture
# "show running-config" and append it to a dated backup file.
# The telnet session and the login credentials below are in cleartext,
# so keep this file's permissions tight.
set date [exec C:\\Mywork\\UnxUtils\\date.exe "+%y%m%d"]
set configout [open C:\\ACE\\Configs\\ACE1-Test-$date.txt a]
set ip "192.168.10.91"
spawn telnet $ip
expect "login:"
sleep 1
send -- "adminTest\r"
expect "Password:"
sleep 1
send -- "whatever\r"
expect -- "Test#"
sleep 1
# disable paging so the whole config arrives in one buffer
send -- "term len 0\r"
expect -- "Test#"
sleep 1
send -- "sh runn\r"
expect -- "Test#"
# split the captured buffer into lines and drop the echoed command,
# the "Generating configuration" banner and the prompt lines
set s [split $expect_out(buffer) \n]
foreach nline $s {
    if {[string first "sh runn" $nline] == 1} continue
    if {[string first "Generating" $nline] == 0} continue
    if {[string first "Test#" $nline] == 0} continue
    if {[string first "ace1/Test#" $nline] == 0} continue
    regsub -all "\r" $nline "" nline2
    puts $configout "$nline2"
}
# close the file once, after the loop (closing inside the loop fails on
# the second line)
close $configout
sleep 1
send -- "term len 22\r"
expect -- "Test#"
sleep 1
send -- "exit\r"
expect -- "foreign"
expect eof
HTH
Cathy -
Just an architecture setup question. We have purchased two 5515-X ASA firewalls. I will be setting them up in a stateful failover setup. I know this sounds like a basic question, but here goes: I am thinking we should get the first one working on my network and then install the failover ASA once the first one is working properly...? Any thoughts?
Hi,
Yes, you can just configure the single ASA first with the configuration and, after its configuration is finished, install the Secondary unit.
Naturally, while you are configuring the Primary unit you should already set up the interfaces with a "standby" IP address under the interface configuration.
After you have set up the Primary ASA and made sure that for each of its interfaces/subinterfaces you have an L2 connection through the connecting network devices to the Secondary ASA's corresponding interfaces/subinterfaces, then you are ready to install the Secondary ASA in the network.
What you could do on the Secondary ASA is remove its default factory configuration and then configure "no shutdown" on each physical interface that you are going to use. Then you could configure the required failover configuration using the multiple different "failover" configuration commands. (You won't need to configure the actual physical port separately; you just need to enable it with "no shutdown", the "failover" commands should handle the rest.) After the physical interfaces are configured up and the "failover" commands are set up on the Secondary ASA (and naturally the Primary ASA), then you could basically save the configuration on the Secondary ASA, power down the Secondary ASA, connect it to the network and boot it up. It should then sync the configuration from the Primary ASA after it has booted up and noticed the Active unit (Primary ASA) through the failover link. So you should not really need to configure the Secondary ASA a lot, since it syncs the majority of the configuration from the Primary ASA. Naturally the above "failover" configuration is required so the failover link can be formed for the sync.
I have had to do this a couple of times lately because of broken-down ASAs in failover pairs. Naturally I would suggest that you take backups of the Primary ASA's configuration before you start setting up the failover environment, so that in case of some error in the setup you still have the configuration. Some people have mentioned one unit wiping the other's configuration, but it has not happened to me at least.
Hope this helps and that I made any sense :)
- Jouni -
Webvpn and anyconnect on same interface
Hello !!
Can we configure WebVPN and anyconnect on same interface ?
We have an ASA 5520 running code 9.1(2) with the VPN Plus license installed. WebVPN is already configured on it and users are already using it. We have a legacy VPN concentrator for RAVPN. Now the client wants to move all the RAVPN users from the VPN concentrator to the ASA using AnyConnect.
As we already have WebVPN on the ASA box, can we configure AnyConnect on the same firewall on the same interface? If so, what are the parameters we need to consider?
I am attaching the sh ver of the firewall. Any help in this regard is highly appreciated.
Cheers,
Octopus.
Hi,
The answer is yes.
Check these for more information:
https://supportforums.cisco.com/discussion/11181216/webvpn-and-anyconnect
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/svc.html
Thanks and Regards,
Vibhor Amrodia -
Securely backing up config for ASA
How do you usually store the backup config for your ASA/PIX so that it's easily accessible, and yet secure enough? Do you simply save it to a network drive? Is there a better way to do it? I'd just like to know the best practice out there. If I save the backup config on a network drive, people may be able to get to it and look at the config file, since it's not encrypted. Any recommendation is welcome. Thanks.
We have our configs backed up automatically and they are stored in a database (with security). Why can't you save it to a network drive that has the appropriate permissions? You could also store them in an encrypted virtual drive using something like TrueCrypt.
Hope that helps. -
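An added example (not from this thread or from Cisco) of the redaction step a practitioner would run before dropping an ASA backup on a shared drive: it masks the credential-bearing lines of a 7.x/8.x running-config and writes the result with owner-only permissions. The sample config, its credential strings and the aaa-server host are constructed placeholders, and save_backup's path is hypothetical.

```python
import os
import re

# Lines in an ASA 7.x/8.x running-config that carry credentials.
# Each regex captures (prefix)(secret)(suffix); only the secret is replaced.
SECRET_PATTERNS = [
    re.compile(r"^(enable password )(\S+)( encrypted.*)$"),
    re.compile(r"^(passwd )(\S+)( encrypted.*)$"),
    re.compile(r"^(username \S+ password )(\S+)(.*)$"),
    # 7.x "isakmp key", and the 8.x / 8.4+ pre-shared keys under tunnel-group
    re.compile(r"^(isakmp key )(\S+)(.*)$"),
    re.compile(r"^(\s*(?:ikev1 |ikev2 (?:local|remote)-authentication )?"
               r"pre-shared-key )(\S+)(.*)$"),
    re.compile(r"^(snmp-server community )(\S+)(.*)$"),
    re.compile(r"^(\s*key )(\S+)(.*)$"),  # aaa-server host ... / key <secret>
]
REDACTED = "<REDACTED>"


def redact_line(line):
    """Return (line, True) with the secret masked, or (line, False) if none."""
    for pat in SECRET_PATTERNS:
        m = pat.match(line)
        if m:
            if m.group(2) == "*":
                # 'show running-config' already masks pre-shared keys as '*'
                return line, False
            return m.group(1) + REDACTED + m.group(3), True
    return line, False


def redact_asa_config(text):
    """Mask credentials in a running-config dump; returns (text, count)."""
    out, count = [], 0
    for line in text.splitlines():
        # The checksum covers the original text and is meaningless afterwards.
        if line.startswith("Cryptochecksum:"):
            continue
        new, hit = redact_line(line)
        count += hit
        out.append(new)
    return "\n".join(out) + "\n", count


def save_backup(text, path):
    """Create the backup file owner-read/write only and refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


# Constructed sample in the shape of the dumps in this thread; the
# credential strings are placeholders, not real hashes or keys.
SAMPLE_CONFIG = """\
: Saved
ASA Version 8.2(1)
hostname nyasa
enable password EXAMPLEENABLEHASH encrypted
passwd EXAMPLEPASSWDHASH encrypted
username ptiadmin password EXAMPLEUSERHASH encrypted privilege 15
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.2.50
 key EXAMPLETACACSKEY
tunnel-group 9.4.21.13 type ipsec-l2l
tunnel-group 9.4.21.13 ipsec-attributes
 pre-shared-key *
route outside 0.0.0.0 0.0.0.0 9.17.5.7 1 track 1
Cryptochecksum:0123456789abcdef0123456789abcdef
: end
"""

if __name__ == "__main__":
    redacted, n = redact_asa_config(SAMPLE_CONFIG)
    print(redacted)
    print(f"{n} credential lines masked")
    # save_backup(redacted, "/path/to/backups/nyasa-config.txt")  # placeholder path
```

Note that `show running-config` masks tunnel-group pre-shared keys as `*`, while `more system:running-config` prints them in clear, so redact the latter form before it leaves the device's admin host.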
I have a problem with the RDP plugin on WebVPN on the ASA.
On one client I have installed this add-on: "Microsoft rdp client control", and here the RDP plugin works. On the other client I have installed this add-on: "Microsoft terminal services client control", and here the RDP plugin doesn't work.
Has anyone an idea how to delete the add-on or reinstall the right add-on?
Thanks
See the troubleshooting section on this link.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c0603.shtml -
Accessing Home Dir's via ASA SSL VPN
I have an ASA 5540 and an ACS 4.0. I am configuring an SSL-based VPN for users in an Active Directory. I want to give the users access to their Windows home directory and have created a CIFS link in the URL list in the tunnel group policy for those users.
I want to give the users access to \\SERVER\Share\%username% as it is described in Windows terms. How do I go about this on the ASA, as the above does not work at all? The ASA wants to use / instead of \ in the CIFS shares. It works fine for normal shares and hidden shares specified with $, but not using the %username% variable.
The documentation on SSL VPNS on both ASA and ACS 4.0 is terrible.
Best regards,
Neal Lewis
This question might be a bit outdated, yet I stumbled across it since even in times of OS 8.4(3) I've had exactly the same problem. Meanwhile I've found the solution to it:
You can work with the usual WebVPN variables which ASA offers for single sign-on (SSO) purposes. The following example works for my customer for a profile in which he applies two-factor authentication and allows his users to access their Windows home share using SSO (using the secondary WebVPN login information, which is their AD login name, accessed via LDAP):
Bookmark URL:
cifs:///CSCO_WEBVPN_SECONDARY_USERNAME%24 (where %24 is a code substitution for the '$' sign)
SSO config:
group-policy attributes
webvpn
auto-signon allow ip auth-type ntlm username CSCO_WEBVPN_SECONDARY_USERNAME password CSCO_WEBVPN_SECONDARY_PASSWORD
There are two important things to consider, though:
The share name *must* match the user's login name
The folder effectively has to be configured to be a share (not just an ordinary folder). My tests have shown that it doesn't work even if that desired, ordinary destination folder is a subfolder of an accessible share.
Hope that helps other people.
Toni -
Hello,
I have set up an ASA 5505 with 2 ISPs, named outside (primary) and backup. The scenario is: if outside goes down, then backup takes over, and it works now.
But it is not working when the primary connection cannot reach the gateway while the interface is still up.
Is it possible, when the primary connection cannot reach the gateway, for backup to take over automatically?
Thanks in advance.
My configuration is:
ASA Version 8.2(1)
hostname cisco
domain-name default_domain
enable password ********* encrypted
passwd ********* encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.10.10.10 255.255.255.0
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
ip address 172.20.10.10 255.255.255.0
interface Ethernet0/0
switchport access vlan 1
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default domain
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group backup_in in interface backup
route outside 0.0.0.0 0.0.0.0 172.10.10.1 1
route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:24af050f332deab3e38eb578f8081d05
: end
Hi Amrin,
you can configure SLA monitoring on the ASA and that would work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun -
ASA 5505
ASA Version 9.0.(2)
Suddenly, on the WebVPN interface, when I click on my web bookmarks (and Java launches in the browser) I get this failure in Chrome and FF: 'It has take a while for SSL VPN Relay til load. You need to verify Java is enabled in your browser' and nothing happens...
Java IS enabled and running. Tried this in both 7.45 and 7.51.
No problem in IE 11 with Java 7.45 and 7.51.
I've googled a lot but have not been able to find any suggestions.
Hope you have a solution
Best Regards.
Any resolution on this? In Firefox/Chrome my CIFS shares work but smart tunnel RDP doesn't, and in IE my shares don't work but RDP smart tunnel does....
Cisco, if you're not going to do something good, just don't do it. The SSL VPN is a hack job. -
ASA 5505 configured for WebVPN connecting to Citrix Web Interface
ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (which I added as a bookmark to the Citrix server http:// 172.30.40.5). I enter Citrix and then, for example, I want to open Outlook, but it cannot open (when I want to open some application, no application opens). There is no alarm on the ASA. How do I solve this issue?
thanks.
Teymur,
Can you confirm that after disabling SSL/TLS on the Citrix server (secure connectivity) you are getting exactly the same error? It is possible that it is generating a different error.
The bug where we have seen the existing error was CSCtf06303, but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA?
If you have confirmed the above two notes, it may be advantageous to open a TAC case, as we may need to do some live additional troubleshooting.
Thanks
-Jay -
I have an ASA 5505 running 8.4. How do I configure the switch from the backup channel back to the primary with a delay (for example 5 min.) using the SLA monitor?
Or is there something else to implement it with?
My configuration for SLA monitor:
sla monitor 123
type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
num-packets 3
timeout 3000
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Hey cadet alain,
thank you for your answer :-)
I have deleted all such attempts that were not working, so a packet-trace will not be very useful content...
Here is the log line when I try to browse port 80 from outside (80.xxx.xxx.180:80) without a VPN connection (severity, date, time, source IP, source port, destination IP, destination port, message):
3 | Nov 21 2011 | 18:29:56 | 77.xxx.xxx.99 | 59068 | 80.xxx.xxx.180 | 80 | TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
The attached file is only the show running-config.
Now I can connect with my AnyConnect clients too, but after the connection is up my VPN clients can't surf the web any longer, because AnyConnect sets itself as the default route on 0.0.0.0 ... that's bad, too.
Actually the AnyConnect and NAT/ACL problems are my last two open problems until I set up the second ASA on the right ;-)
Regards.
Chris -
ASA 5505 VPN with backup route
We are looking to set up a site-to-site VPN with a backup over a T1. We have a remote site with a 1841 router. This router has a PTP T1 back to a secondary location with a 2811. Due to location, the only option we had to get additional bandwidth was to have a cable modem installed. We want to set a site-to-site up to our primary location, with a backup route over the T1 in the event the cable modem goes down. We have an ASA 5505 at the remote location, and an ASA 5540 at the primary. In addition, we want to split the traffic across the two connections. Since the wireless controllers are anchored back to the secondary location, we want to send that traffic over the PTP T1 and the rest of the traffic over the VPN. We also need to have a backup route for the wireless traffic to send across the VPN in the event the T1 goes down.
Go to this link and scroll down to Site to Site VPN (L2L) with IOS and Site to Site VPN (L2L) with ASA; you can use the linked examples depicting your scenario requirements, where one end is dynamic and the other static, for IPsec L2L IOS-to-ASA or ASA-to-IOS.
The best solution obviously is having static IP addressing; make that clear with your client, but these examples are a very good solution for your problem.
Keep in mind that the DHCP (dynamic) side will always be the initiator to bring up the tunnel, not the static side.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Regards