Can ASA (8.03) Single Context Mode support limit-resource?

I have dual ASAs running v8.03 and I want to limit resources for SSH, Telnet and ASDM sessions.
By checking the Cisco documentation, I managed to test limiting resources with the commands below. But this can only be done after enabling multiple context mode.
class default
  limit-resource All 0
  limit-resource SSH 2
  limit-resource ASDM 2
  limit-resource Telnet 2
Can anyone tell me whether we can use "limit-resource" in single context mode (without enabling multiple context mode)? Or is there any other way to limit resources?

Hi.
In single mode, the limit is 5 maximum sessions. It's not possible to change it.
Regards,
Fadi.
Does this answer your question? If yes, please mark it answered.
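
The reply above says the single-mode session cap is fixed, so the following added example (not from the thread or from Cisco) audits the settings a single-context configuration does expose for SSH, Telnet and ASDM: the permitted source networks and the idle timeouts. The sample configuration, the finding names and the `max_hosts`/`max_idle` thresholds are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample configuration for illustration; not from a real device.
SAMPLE_CONFIG = """\
hostname lab-asa
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 mgmt
ssh 192.168.10.0 255.255.255.0 mgmt
ssh 10.0.0.0 255.0.0.0 inside
telnet 192.168.10.5 255.255.255.255 mgmt
telnet timeout 5
ssh timeout 30
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "<proto> <address> <netmask> <interface>": who may open a management session.
ACCESS_RE = re.compile(rf"^(ssh|telnet|http)\s+{IPV4}\s+{IPV4}\s+(\S+)$")
# "<proto> timeout <minutes>": idle timeout for that session type.
TIMEOUT_RE = re.compile(r"^(ssh|telnet)\s+timeout\s+(\d+)$")


def parse_management(config):
    """Return (rules, timeouts) for SSH, Telnet and ASDM (http) access."""
    rules, timeouts = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                net = None  # malformed address or non-contiguous mask
            rules.append((proto, net, iface))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
    return rules, timeouts


def audit(config, max_hosts=256, max_idle=10):
    """List (check, protocol, detail) findings. Thresholds are assumptions."""
    rules, timeouts = parse_management(config)
    findings = []
    for proto, net, iface in rules:
        if net is None:
            findings.append(("unparsed", proto, iface))
            continue
        if proto == "telnet":
            # Telnet carries credentials in cleartext, whatever the source.
            findings.append(("cleartext", proto, iface))
        if net.prefixlen == 0:
            # With only a handful of session slots, any-source access lets
            # unrelated hosts occupy them.
            findings.append(("any-source", proto, iface))
        elif net.num_addresses > max_hosts:
            findings.append(("broad-source", proto, iface))
    for proto in sorted(timeouts):
        if timeouts[proto] > max_idle:
            # Long idle timeouts keep abandoned sessions counted against the cap.
            findings.append(("long-idle", proto, timeouts[proto]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```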

Similar Messages

  • Why can't I enter single user mode on my Mac Mini for an admin password reset?

    Hi,
    I recently created a new user account for my Mac and deleted the old one, not realising that this was the only account with admin privileges. As such, I no longer have access to administrator privileges, and cannot grant them to my new user account.
    I have tried to boot in single user mode and recovery mode but neither command results in any reaction on the part of my computer.
    This thread follows on from a previous, unrelated discussion:
    BDAqua: If you hold alt key at bootup do you see a lock in the middle?
    Yenots: No...what does this mean?
    BDAqua: If it did, it would mean Firmware Password Protection was enabled, which prevents booting in other modes, so that's not the problem, are you using a wired Mac KB, or Windows KB?
    Yenots: I'm using an 'Apple Keyboard with Numeric Keypad' [ http://store.apple.com/uk/product/MB110B/B/apple-keyboard-with-numeric-keypad-british ]
    If you find me here BDAqua, hit me with your knowledge!
    Any other contributions are welcome and, now we're under the right heading, will hopefully help other users who have encountered this problem.
    Thanks, Cristo

    Hi,
    Thanks for the link to MacPilot, and the sexy screenshot. I found an archived version for 10.4 on the koingosw website. That solves getting into single user/safe mode. Though I'd be interested to see whether sudo nvram boot-args="-s" will result in single user boot.
    As for creating administrator privileges for my new user account, I've found a method which looks good:
         \single user mode\
         cmd-s
         \mount drive\
         mount -uw /
         \open 'directory access'\
         launchctl load /System/Library/LaunchDaemons/com.apple.opendirectory.plist
         \list users\
         ls /Users
         \change password\
         dscl . passwd /Users/<username> <password>
    I think that this method intends that if I change the root user's password I'll be changing the administrator password (as root is the only user with administrator privileges), and subsequently be able to change my new user account's privileges using 'netinfomanager'. But I'm not 100%. Could you give me your opinion on this?
    Furthermore, three keys 'L' 'O' and '(' aren't working on my keyboard, which means I can't try this until I find an intact keyboard to borrow. I was thinking maybe a mod version of the above instructions would work in terminal using sudo, so I could use the keyboard viewer to type the missing characters. If you have any ideas on constructing such a mod I would be interested to hear them.
    Otherwise, Thank You for your help BDAqua! And enjoy your summer wherever you are.

  • Freezing with blue screen & can't boot from single user mode or disk

    My keyboard is wired and plugged directly into my Intel iMac running OSX 10.5.8. I do not have the Leopard disks, but I do have the Tiger disks. I was trying to boot in single-user mode so that I could run AppleJack to try to fix another issue I'm having--I get the light blue startup screen flashed at me several times daily for the past week or so. When the blue screen flashes, it totally freezes my computer (obviously) and lasts from 1-10 seconds. I can't find anything that is triggering it. I haven't installed anything new that I'm aware of, and it happens whether the computer has previously been slept or not. I'm also not using an external display / additional monitor.
    Also, for anyone who is nice enough to answer, please explain everything--I'm not an expert user.

    Well since it is so time consuming and a security risk to turn off FileVault, I was hoping to hear from someone with more experience if this was the solution, or just something to "try"? Are you speaking from experience or just making a suggestion, leroydouglas? Thanks.

  • Can not startup in single-user mode

    I can not get my MacBook to startup in single-user mode. I am holding Command-S at startup but it starts up normally.
    I also tried starting up in verbose mode by holding Command-V. That didn't work either. I then used the Terminal command to make it start up every time in verbose mode. That worked but I don't really want it doing it every time.
    So then I thought it was because I have a firmware password set. I then started up holding the Option key so I can enter the password. The password field popped up as it should, I entered the password, then held down the Command-S keys to startup in single-user mode. No dice.
    Can anyone tell me why I can not get single-user or verbose startup modes working?

    Because entering the password into the Startup Manager doesn't disable it or any of the other functions it provides. You need to use the Terminal method or take the password off.
    (58123)

  • Can't start in single user mode, trying to fix blue screen startup

    Trying to fix my blue screen startup and I'm on the step to fix the Network Preferences and I'm supposed to go into single user mode. It starts but then locks up. Last line is: localhost:\ root# Anyone have an idea?

    Hi David.
    Sorry we haven't received any response yet. Getting used to the new forum is occupying a lot of people's time at present I fear. I've yelled a bit louder this time!
    In the meantime, have you already tried starting up in SAFE mode, rather than SU? http://docs.info.apple.com/article.html?artnum=107393 and following the other processes identified in http://docs.info.apple.com/article.html?artnum=106464
    If you have access to another FireWire-equipped Mac then you could also use Target Disk Mode (connect the two together with a FireWire cable, then start up your own computer while holding down the T key). Your own HD would then appear on the desktop of the other computer as another HD, and you can then proceed to remove or shift the same .plist files (on your own HD) identified in point 4 or 5 of http://docs.info.apple.com/article.html?artnum=106464
    Cheers
    Rod

  • Can't type in single user mode

    Hi,
    I am trying to fix a MacBook Air's hard drive and attempted to boot from single user mode to run fsck. However, when I get into single user mode I can't type a thing. No buttons on the keyboard work. I shut it down and tried doing it again but the same issue occurs. I tried again, this time connecting an Apple USB keyboard and it still wouldn't type. I booted from an external hard drive that had OS X on it and both the inbuilt and external USB keyboards worked absolutely fine.
    Does anyone know why I would be having this issue and how to rectify it?
    Cheers.

    Reinstall Lion, Mountain Lion, or Mavericks without erasing drive
    Boot to the Recovery HD:
    Restart the computer and after the chime press and hold down the COMMAND and R keys until the menu screen appears. Alternatively, restart the computer and after the chime press and hold down the OPTION key until the boot manager screen appears. Select the Recovery HD and click on the downward pointing arrow button.
    Repair
    When the recovery menu appears select Disk Utility. After DU loads select your hard drive entry (mfgr.'s ID and drive size) from the left side list. In the DU status area you will see an entry for the S.M.A.R.T. status of the hard drive. If it does not say "Verified" then the hard drive is failing or failed. (SMART status is not reported on external Firewire or USB drives.) If the drive is "Verified" then select your OS X volume from the list on the left (sub-entry below the drive entry), click on the First Aid tab, then click on the Repair Disk button. If DU reports any errors that have been fixed, then re-run Repair Disk until no errors are reported. If no errors are reported then click on the Repair Permissions button. When the process is completed, then quit DU and return to the main menu.
    Reinstall Lion, Mountain Lion, or Mavericks
    OS X Mavericks- Reinstall OS X
    OS X Mountain Lion- Reinstall OS X
    OS X Lion- Reinstall Mac OS X
         Note: You will need an active Internet connection. I suggest using Ethernet
                     if possible because it is three times faster than wireless.

  • Can't boot in Single User Mode or zap PRAM on iMac G5

    I want to boot into Single User Mode in order to run Applejack to "clean" the system before applying Apple's latest security patches. So I hold down Cmd-S at start-up, but it has no effect; the computer boots normally into the Tiger GUI. Thinking that zapping the PRAM might help, I restarted while holding down Cmd-Opt-P-R. Same result: normal startup with no zap. I tried resetting the power management circuit by unplugging the iMac and depressing the power button. No effect.
    Apart from the inability to do special boots, the system seems to be running just fine. Any ideas?
    iMac G5 Mac OS X (10.4.8) 1.5 GB RAM

    Ben F-
    Not guessing yet. You did not provide what steps you have taken thus far and now I know.
    I am thinking then that you have somehow set up firmware password protection.
    At least the things that you describe are disabled if a password is set.
    Luck-
    -DaddyPaycheck

  • Can't boot in single user mode

    hi there,
    i just found out that my MacBook1,1 1,83 GHz ignores Cmd-s, Cmd-v and occasionally Cmd-Alt-p-r. Green LED on keyboard doesn't flash at boot. I did a parameter ram reset and permission repair, without positive change.
    The keyboard works fine with system booted.
    thanks! achim

    another permission repair helped..

  • Remote Access VPN Support in Multiple Context Mode (9.1(2))?

    Hi Guys,
    I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However, seeing that the new IOS now supports mixed multiple context mode and dynamic routing, is it safe to ask whether or not Remote Access VPN is now supported in this IOS upgrade?
    Multiple Context Mode New Features:
    Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
    New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
    Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
    Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
    Regards,
    Leon

    Hey Leon,
    According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
    Regards,
    Dennis

  • ASA in multi context mode and AAA based on context

    Hello, running ASA5520 in multicontext mode, and would like to apply AAA in separate contexts; eg. context A and B should have AAA authentication and context C not.
    I am familiar with how to set up AAA in single firewall mode but not sure about the correct procedure when setting up AAA in multicontext mode.
    Is it possible to configure individual contexts for AAA?
    Thanks

    Hi,
    Yes, it is possible to set up AAA in individual contexts. The procedure is going to be exactly the same as when the firewall is in single context mode.
    Just be careful while configuring command authorization on a firewall in multiple context.
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1060011
    Hope it helps.
    Thanks,
    Amitashwa

  • Can you run a bash script on boot in single user mode

    Hey guys quick question.
    Is it possible to run a bash script on boot in single user mode.
    I can create a file and dump it on the root hd.
    Let's call it repair.
    I can then boot to single user mode and run it by typing /repair.
    But I want it to do it automatically.
    Every time I go into my machines that I clean for my job. I have to run sbin/fsck -fy
    Then I have to mount the drive and then remove all cache files, then reboot the machines.
    I would like to automate this by just holding command s and then moving to the next computer.
    There must be some sort of boot daemon somewhere.
    Please help.
    Sincerely,
    John

    Have you seen Applejack?
    http://applejack.sourceforge.net/
    It doesn't start automatically, but does cleanup.
    Robert

  • Can't find Single Page Mode

    Hello, everyone!
    I have a strange problem with my Digital Edition. I can't find the single page mode button or any other mode change button on it. I have tried re-downloading but it hasn't worked. I also tried Shortcut Keys but to no avail!
    Please help!
    Thanks in advance.

    An Open Firmware password is one thing that would prevent you from changing the startup disk, booting from a CD or starting up in single user mode. You would see a lock and a dialog asking you to enter your password. So, it doesn't seem that this is your problem.
    If you have some file directory damage, you can use the Tiger install DVD to attempt to repair it. Put the DVD in the drive, restart and hold down on the "c" key (if you have one and then choose the language you want to use. At the next screen, do not continue to install but choose to open the Disk Utility from the Utilities menu. You can then use the Disk Utility to "repair disk" on your hard drive. The Tiger Disk Utility is pretty mature and can repair many problems.
    -Doug

  • SSLVPN/webvpn in multiple context mode?

    We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
    So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into its own VRF in the back-end.
    As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
    Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls? Or am I missing something?

    If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.
    Sent from Cisco Technical Support iPad App

  • Cisco ASA5520 multiple context revert back to single context

    Hi all,
    We have a redundant set of Cisco ASA5520s. These firewalls run in multiple context mode.
    Now we want to make both "virtual" firewalls physical.
    We already migrated one of the two firewalls to another physical set.
    Now we would like to revert the multiple context back into single context mode, keeping one of the two firewalls as the new running config.
    We would like to do this with a minimum downtime.
    Is this possible, can someone advise?
    Kind regards,
    Danny van der Aa

    The config will be saved as config.old when you change the mode of the firewall (this goes both ways I believe). As Luis has mentioned it is a major change but if you have ASAs in a failover pair then doing this with little or no down time should be possible.
    I would first go about this by taking the current Standby ASA and take a backup of the running configuration on it, and make any required changes to the configuration to suit your needs. Most likely you will not have much need of what is in the system context, but take a backup of it anyway just to be on the safe side. Then change it to single mode with the command "mode single". Now copy the configuration into the ASA.
    Now, assuming that both ASAs have the same IP addresses assigned to its interfaces, remove the currently active ASA and then connect the ASA that is now in single mode back into the network.  You may have to clear the MAC address table on some servers depending on how old they are and how touchy they are.
    Do the same for the second ASA and connect it back to the network.  Now, if you have kept the failover configuration, the ASAs will setup an Active/Standby failover in single mode and replicate the configuration.
    Your down time should only be dependent on how fast you can remove the second ASA and add the first ASA back to the network.
    Please remember to rate and select a correct answer

  • Botnet Filter with multiple Context Mode

    We used the Botnet Filter in Single Context Mode for a long time. Now we converted to multiple Context Mode and the database is no longer updated. In the system context I can see the update settings but when I try to update the result is always "no DNS server". Since the system context has no interfaces there are no DNS settings etc.
    How should the Botnet Filter be configured in Multiple Context Mode?
    Thanks for any response in advance.

    sh run | grep dns
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    policy-map type inspect dns preset_dns_map
    inspect dns preset_dns_map
    ping update-manifests.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms
    ping updates.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:
    ASA Version 8.4(2)
    hostname DE-VM-TER-FW-02
    enable password 8Ry2Yj8765U24 encrypted
    passwd 2KFQnb6IdI.2KY75 encrypted
    names
    interface GigabitEthernet0/0.3207
    nameif TR_v207
    security-level 50
    ip address 10.28.6.60 255.255.255.248
    interface GigabitEthernet0/0.3208
    nameif TR_v208
    security-level 70
    ip address 10.28.6.68 255.255.255.248
    interface GigabitEthernet0/0.3209
    nameif TR_v209
    security-level 80
    ip address 10.28.6.76 255.255.255.248
    interface GigabitEthernet0/0.3210
    nameif TR_v210
    security-level 90
    ip address 10.28.6.84 255.255.255.248
    interface GigabitEthernet0/1
    nameif COLT
    security-level 0
    ip address 217.111.58.46 255.255.255.240
    interface GigabitEthernet0/3
    nameif T-COM
    security-level 0
    ip address 194.25.250.94 255.255.255.240
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    name-server 8.8.8.8
    object network COLT_dynamic_NAT
    subnet 0.0.0.0 0.0.0.0
    object network T-COM_dynamiy_NAT
    subnet 0.0.0.0 0.0.0.0
    object-group network DM_INLINE_NETWORK_1
    network-object 10.0.0.0 255.0.0.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    access-list COLT_access_in extended deny ip any any
    access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https
    access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https
    access-list T-COM_access_in extended deny ip any any
    access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
    access-list TR_3208_access_in extended permit ip any any
    access-list TR_3208_access_in extended permit icmp any any
    access-list TR_v207_access_in extended deny ip any any
    access-list TR_v210_access_in extended deny ip any any
    access-list TR_v209_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu TR_v208 1500
    mtu T-COM 1500
    mtu COLT 1500
    mtu TR_v207 1500
    mtu TR_v210 1500
    mtu TR_v209 1500
    ip verify reverse-path interface T-COM
    ip verify reverse-path interface COLT
    ipv6 access-list TR_v207_access_ipv6_in deny ip any any
    ipv6 access-list TR_v208_access_ipv6_in deny ip any any
    ipv6 access-list TR_v209_access_ipv6_in deny ip any any
    ipv6 access-list TR_v210_access_ipv6_in deny ip any any
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network COLT_dynamic_NAT
    nat (any,COLT) dynamic interface
    object network T-COM_dynamiy_NAT
    nat (any,T-COM) dynamic interface
    access-group TR_3208_access_in in interface TR_v208
    access-group TR_v208_access_ipv6_in in interface TR_v208
    access-group T-COM_access_in in interface T-COM
    access-group COLT_access_in in interface COLT
    access-group TR_v207_access_in in interface TR_v207
    access-group TR_v207_access_ipv6_in in interface TR_v207
    access-group TR_v210_access_in in interface TR_v210
    access-group TR_v210_access_ipv6_in in interface TR_v210
    access-group TR_v209_access_in in interface TR_v209
    access-group TR_v209_access_ipv6_in in interface TR_v209
    route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1
    route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20
    route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    telnet timeout 5
    ssh timeout 5
    no threat-detection statistics tcp-intercept
    dynamic-filter use-database
    dynamic-filter enable interface T-COM
    dynamic-filter enable interface COLT
    dynamic-filter drop blacklist interface T-COM
    dynamic-filter drop blacklist interface COLT
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect dns preset_dns_map dynamic-filter-snoop
    service-policy global_policy global
    Cryptochecksum:7bbe975fb39e189e99d8878787a0037
    : end
    System Context
    dynamic-filter updater-client enable
    Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured
