Cisco ASA 5515X web user management

Hi all,
I recently bought a new ASA 5515X. I'm also new to it, especially whether I can have users log in before they can use the internet. My 5515 security license is a Plus license. Also, can that user management be integrated with Active Directory 2008 R2?
Thanks for any comment you may add.

The ASA should be able to talk to your AD via either LDAP or Kerberos.
And yes, you need the CX to perform content filtering on the ASA itself, or you can look at the Ironport appliances or Cloud Web Security (ScanSafe) for additional filtering options.

Similar Messages

  • Migrating watchguard firebox to cisco asa 5515x

    Guys
    I have a client who wants to migrate their very old WatchGuard Firebox to a Cisco ASA 5515X. Is there any configuration tool available that I can use to migrate their existing config on WatchGuard to ASA? Please advise.
    Thanks in advance

    Amit,
    From my understanding there is no such tool. Not even from Pix to ASA which is no longer available.
    I am afraid that you may need to manually migrate the configuration.
    Regards,
    Juan Lombana
    Please rate helpful posts.

  • Creating a 20MB bandwidth using two cisco asa 5515x with a hub (10/100/1000)

    hi all,
    I would like to simulate a bandwidth of 20MB for my DR project testing on my two cisco asa 5515x and with a cisco hub (10/100/1000).  I was thinking to make two connections on my "outside" vlan with both speed of 10 and etherchannel it and do it again on the other asa.
    Do you think it will simulate 20MB bandwidth?  Or any other suggestion?  Please add any comment, thanks to all.

    Hi Nicholas,
    You have the HSRP running between your core devices. You can have your core A - ASA1 & Core-B - ASA2.
    In your core switch you need to have a separate VLAN to connect the uplink to the firewall, and as usual in the ASA you can have the primary and standby address configured, and in the core you can also have the VLAN with the HSRP IP configured.
    But make sure that in your firewall you add static routes for each subnet pointing to the core device HSRP address.
    The other scenario is to make your ASAs standalone firewalls; in one firewall you need to have a route to core A as primary and core B as secondary, and in the other firewall vice versa, so that your traffic will get load balanced.
    Please do rate if the given information helps.
    By
    Karthik

  • Cisco Unified MeetingPlace web user portal

    All,
    Could someone tell me what the URL of the "Cisco Unified MeetingPlace web user portal" is?
    My design is MeetingPlace / WebEx with MeetingPlace Scheduling.
    Thanks a lot,
    Luciane de Medeiros

    RC,
    This behavior is stemming from a change in MP 7.0 MR2 to disable the MPWeb login for system profiles.  This was an internal change made by the developers to restrict the log on to the MPWeb page by the default accounts created in MeetingPlace upon installation.  The change now displays this error when the admin account is attempted to be used for MPWeb login, as you experienced-
    Error:[22953] You cannot sign in to the Cisco Unified MeetingPlace Web Server interface using preconfigured system profiles.
    You should be able to log into MPWeb using any other user profile that you have either created manually or pulled in from LDAP/Active Directory.  You just cannot use the admin account.  This is reserved for login to the MP Application Server Administration page only.  I am going to work to get this information added to the MP 7.0 documentation with a note for changed behavior in MR2 and above.  Here is the note from MP 8.0 documentation-
    Note: You cannot use this preconfigured admin profile to access the Cisco Unified MeetingPlace Web Server interface. Instead enter the User ID and password information from one of the other user profiles that have system administrator privileges to sign in to the Web Server.
    Please let me know if you have any further questions.
    Thank You,
    Gerry

  • Cisco internet filtering for cisco asa 5515x

    hi all,
    I know either Websense or SmartFilter (btw, McAfee is not selling SmartFilter anymore) can be used for 5515X internet filtering, but does Cisco have its own filtering software for its product? Please don't suggest an appliance, my company is small.
    I'm tempted to use the default CLI command, but there's no reporting on it, I think. Can it provide reporting for user access? If yes, please explain how to do that.
    thanks!

    I just installed the ASA CX (http://www.cisco.com/en/US/products/ps12521/index.html) onto my software module on the ASA 5512-X. All it required was a SSD and license for the software. If you know anything about the Ironport Web Security Appliances, ASA CX is basically the IronPort WSA running on the sw-module of the ASA.
    The on-box version of the reporting/configuration engine (Cisco Prime Security Manager "PRSM") is simple but effective. Longer-term storage and drill-down reports requires an appliance or VMware virtual machine with the full-blown PRSM.
    The neat thing about the CX is the ability to block not just domains, but drill down and block specific application features. Say you want to block Facebook Games but not Facebook itself, it is a simple configuration on the ASA CX.
    I believe there is also a cloud version of it you can purchase, but I'm not sure of the details.
    Good luck!

  • Cisco ASA 5515 - Anyconnect users can't ping other Anyconnect users. How can I allow icmp traffic between Anyconnect users?

    ASA configuration is  below!
    ASA Version 9.1(1)
    hostname ASA
    domain-name xxx.xx
    names
    ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address 192.168.11.1 255.255.255.0
    interface GigabitEthernet0/1
    description Interface_to_VPN
    nameif outside
    security-level 0
    ip address 111.222.333.444 255.255.255.240
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    nameif management
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name www.ww
    same-security-traffic permit intra-interface
    object network LAN
    subnet 192.168.11.0 255.255.255.0
    description LAN
    object network SSLVPN_POOL
    subnet 192.168.12.0 255.255.255.0
    access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
    route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    webvpn
      url-list none
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.5.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_TrustPoint5
    enrollment terminal
    email [email protected]
    subject-name CN=ASA
    ip-address 111.222.333.444
    crl configure
    crypto ca trustpoint ASDM_TrustPoint6
    enrollment terminal
    fqdn vpn.domain.com
    email [email protected]
    subject-name CN=vpn.domain.com
    ip-address 111.222.333.444
    keypair sslvpn
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint6
    telnet timeout 5
    ssh 192.168.11.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd address 192.168.5.2-192.168.5.254 management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint6 outside
    webvpn
    enable outside
    csd image disk0:/csd_3.5.2008-k9.pkg
    anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy VPN_CLIENT_POLICY internal
    group-policy VPN_CLIENT_POLICY attributes
    wins-server none
    dns-server value 192.168.11.198
    vpn-simultaneous-logins 5
    vpn-session-timeout 480
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_CLIENT_ACL
    default-domain value mycomp.local
    address-pools value VPN_CLIENT_POOL
    webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 30
      anyconnect dpd-interval gateway 30
      anyconnect dtls compression lzs
      anyconnect modules value vpngina
      customization value DfltCustomization
    group-policy IT_POLICY internal
    group-policy IT_POLICY attributes
    wins-server none
    dns-server value 192.168.11.198
    vpn-simultaneous-logins 3
    vpn-session-timeout 120
    vpn-tunnel-protocol ssl-client ssl-clientless
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_CLIENT_ACL
    default-domain value company.com
    address-pools value VPN_CLIENT_POOL
    webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect dtls compression lzs
      customization value DfltCustomization
    username vpnuser password PA$$WORD encrypted
    username vpnuser attributes
    vpn-group-policy VPN_CLIENT_POLICY
    service-type remote-access
    username vpnuser2 password PA$$W encrypted
    username vpnuser2 attributes
    service-type remote-access
    username admin password ADMINPA$$ encrypted privilege 15
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    address-pool VPN_CLIENT_POOL
    default-group-policy VPN_CLIENT_POLICY
    tunnel-group VPN webvpn-attributes
    authentication aaa certificate
    group-alias VPN_to_R enable
    tunnel-group IT_PROFILE type remote-access
    tunnel-group IT_PROFILE general-attributes
    address-pool VPN_CLIENT_POOL
    default-group-policy IT_POLICY
    tunnel-group IT_PROFILE webvpn-attributes
    authentication aaa certificate
    group-alias IT enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    : end

    Hi,
    here's what you need:
    same-security-traffic permit intra-interface
    access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
    nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
    Patrick
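The three items in the reply above (intra-interface traffic, the pool subnet in the split-tunnel ACL, and an (outside,outside) NAT rule for the pool) can be checked mechanically against a saved configuration. The following Python check is an added example, not part of the original thread; the function name `hairpin_findings` is hypothetical and the sample text is abridged from the configuration and reply posted above.

```python
import ipaddress
import re

# Constructed sample: only the lines of the posted configuration that matter here.
POSTED = """\
ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
same-security-traffic permit intra-interface
object network LAN
 subnet 192.168.11.0 255.255.255.0
object network SSLVPN_POOL
 subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
group-policy VPN_CLIENT_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
"""

# The two lines from the reply that the posted configuration lacks.
REPLY = """\
access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def hairpin_findings(config, vpn_if="outside"):
    """Return what is still missing for client-to-client traffic on vpn_if."""
    pools, objects, acls = {}, {}, {}
    split_acls, nats = set(), []
    intra, current_obj = False, None
    for raw in config.splitlines():
        line = raw.strip()  # sub-command indentation is often lost in pasted configs
        if line == "same-security-traffic permit intra-interface":
            intra = True
        elif m := re.match(r"ip local pool (\S+) ([\d.]+)-[\d.]+ mask ([\d.]+)$", line):
            pools[m[1]] = _net(m[2], m[3])
        elif m := re.match(r"object network (\S+)$", line):
            current_obj = m[1]
        elif (m := re.match(r"subnet ([\d.]+) ([\d.]+)$", line)) and current_obj:
            objects[current_obj] = _net(m[1], m[2])
        elif m := re.match(r"access-list (\S+) standard permit ([\d.]+) ([\d.]+)$", line):
            acls.setdefault(m[1], []).append(_net(m[2], m[3]))
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            split_acls.add(m[1])
        elif m := re.match(
            r"nat \((\w+),(\w+)\) source static (\S+) \S+ destination static (\S+) \S+", line
        ):
            nats.append(m.groups())

    findings = []
    if not intra:
        findings.append("same-security-traffic permit intra-interface is not set")
    for name, pool in sorted(pools.items()):
        # With tunnelspecified, clients only route the ACL's networks into the tunnel.
        for acl in sorted(split_acls):
            if not any(pool.subnet_of(n) for n in acls.get(acl, [])):
                findings.append(f"split-tunnel ACL {acl} does not permit pool {name} ({pool})")

        def covers(obj):
            net = objects.get(obj)
            return net is not None and pool.subnet_of(net)

        # Identity NAT between pool addresses on the interface the clients terminate on.
        if not any(s == d == vpn_if and covers(src) and covers(dst) for s, d, src, dst in nats):
            findings.append(f"no ({vpn_if},{vpn_if}) static NAT rule for pool {name}")
    return findings

if __name__ == "__main__":
    for item in hairpin_findings(POSTED):
        print("missing:", item)
```
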

  • CISCO ASA config issue (Remote management ASDM/SSH/etc)

    I can't ping the device from 10.23.1.x either, I can ping it on 10.23.2.x though.

    I have a couple of ASA devices that I want to be able to manage across our network. I have two devices: Device A is on 10.23.1.10, the other is on 10.23.2.10. If I remote into a machine on the 10.23.2.x network I can connect through SSH and ASDM, but on the 10.23.1.x network I cannot connect. I have the ASDM configured to accept connections from both networks. Any idea why it does not work? The remote ASA is on the local/inside network, just on a different subnet.
    This topic first appeared in the Spiceworks Community

  • Cisco ASA - Web Server Publishing

    My requirement is that I need to publish 2 web servers to the internet behind a Cisco ASA.
    The users will be using secure HTTPS access to the web servers.
    I have only 1 public IP address assigned to access both the web servers.
    I wanted to know what things are required in the Cisco ASA firewall.
    1. What type of licenses?
    2. What type of certificates?
    3. How can I use a single public IP to access both the web servers? Does the Cisco ASA support this?
    I don't want any client software on the end users' PCs.

    Thanks. I do have 2 Public IP addresses for my 2 servers. That is clear.
    I thought you said you just have 1 Public IP in your first post. Anyway, if you do have 2 Public IPs, one for each server, then use Static NAT instead of PAT. Use the same commands but without the port information.
    Prior 8.3:
    static (inside,outside) public_ip1 web_server1 
    static (inside,outside) public_ip2 web_server2
    8.3 or later:
    object network web_server1_real
    host web_server1
    nat (inside,outside) static public_ip1
    object network web_server2_real
    host web_server2
    nat (inside,outside) static public_ip2
    Because Application1 will be published to the web server and the web server will be published to internet, the web server is the one to be published through ASA. I am not sure how you use Application1 and how you will publish it to the web server internally so this is out of the scope of my help.
    About Application2's security, the question is, how do you want to achieve security for App2? We have several types of security. Having the ASA in front of Application2, using NAT and using ACLs, will achieve access control. However, if you want to achieve data encryption between internet clients and App2, then you have to consider PKI (or certificates) to achieve this. You can also consider IPsec remote access VPN for the App2 server. It all depends on what security flavor you like.
    Regards,
    AM

  • SSD for ASA 5515X

    Hi all,
    We have an opportunity to sell a Cisco ASA 5515X firewall, and I have one doubt.
    Do I need to order an SSD drive with the ASA 5515-X with IPS?
    Please note that I don't want to have the CX software, I just want to enable the IPS software on the firewall.
    And if I don't need it, where will the IPS logs be saved?
    Thanks in advance.

    No SSD is required for IPS on the 5500X series. You do need to license the feature and order the device accordingly - e.g., ASA5515-IPS-K9 part number. 
    IPS event logs are stored locally on disk0 or optionally can be retrieved by a remote server such as Cisco Security Manager (CSM).

  • Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)

    OK, so our primary firewall is a Checkpoint gateway. Behind that we have a Cisco ASA for VPN users. I have a project at the moment where we need to connect to another company using site to site VPN through the Cisco ASA, as the Checkpoint gateway is unable to establish a permanent tunnel with the other company's Cisco ASA.
    What would be the best practise for setting up the local network on my side? Create the network on the ASA and then use a L2 vlan to connect to the Core switch? 
    Setup a L3 interface on the core switch and point it towards the checkpoint gateway which would then point to the ASA?
    When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?
    Our network is setup like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
    The ASA is connected to a checkpoint sub interface
    Any help would be beneficial as I'm new to Cisco ASAs.
    Thanks
    Mark

    Mark
    If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 vlan. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
    HTH
    Rick

  • Contact person Rel.ship Data not getting updated in B2B Web User Mngt

    Hi CRM Gurus,
    Need some help on Web User Management functionality.
    Sub: Contact person relationship data not getting updated when we change the company (to which the contact person belongs) in ISA CRM 5.0 Web User Management.
    We are currently on CRM ISA 5.0 and using Web User Management for our B2B scenario. Creation of new users is working fine. But when we want to change the company (sold-to party) for an existing contact person, the relationship data in CRM is not getting updated; the details are below.
    Contact person No: XXXX (has a relationship "Is contact person for YYYY" company in CRM)
    Company/Sold to Party: YYYY (has a relationship "Has contact person XXXX" in CRM).
    When I change the contact person's (XXXX) company from YYYY to ZZZZ,
    - Relationships of the new assignment for ZZZZ in CRM are not getting updated.
    - Old records in YYYY are not getting deleted (i.e. relationships).
    - No relationship data appears in XXXX.
    Appreciate any inputs on the same.
    Thanks,
    Rahul

    Hi Rahul,
    I'd suggest you running a session trace / ABAP debugging to see if some information is not getting passed from the Java stack onto the ABAP stack. An alternate move would be to create a new OSS customer message.
    Cheers,
    Ashok.

  • Web Filtering Cisco ASA 5510

    Hello!
    I'm a network administrator, and I have been looking at how to set up web filtering in a network. We are using a Cisco ASA 5510 as a firewall and I have been looking for a way to block URLs such as Facebook and streaming web sites, since users are allowed to access any website and they have been downloading stuff lately and I can't control the bandwidth!
    What do you guys recommend?
    Thanks

    Hi Neji,
    Here you have all the content security options available on the ASA. I think only the CX doesn't apply to your HW but the other options are available.
    Block URLs using Regular Expressions (Regex)
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    CSC module:
    http://www.cisco.com/en/US/products/ps6823/index.html
    How to enable the CSC module:
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html
    ASA CX module (ASA 5512,5525,5545,5545,5555)
    http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html
    Scansafe:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/scansafe.html
    Configuration Cisco Cloud Web Security
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1559223
    Ironport:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html
    How to integrate the ASA with Ironport (WCCP):
    https://supportforums.cisco.com/docs/DOC-12623
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • ASA 5515x and web content filtering

    Hi all,
    I tried adding a content rule on my ASA 5515X; it says I don't have one configured in configuration/firewall/url filtering. When I go there, I need to configure either Websense or SmartFilter. Are those free or do I need to purchase them from those vendors? My 5515X is Security Plus, is that included there?
    Does the ASA 5515X have its own filtering without going to a third party vendor?
    Thanks for any comment you may add.

    As already mentioned, the MPF has the capability to filter on URLs. But that is quite limited and in my opinion not usable at all (unless you only have a couple of FQDNs to filter that don't change often). If you need more functionality and you want to stay on the ASA you could deploy ASA-CX. Otherwise you could deploy a dedicated proxy and force your users to use that proxy. That could be the best solution in your environment.

  • Setting office Hours in Cisco Web Interaction Manager

    Hi
    I was testing Cisco Web Interaction Manager for live chat with the customers. I was getting messages for off office hours.
    I want to change the office hours. Is there any place I can change the office hours?
    I am using Cisco Web and Email Integration ver 4.3.2.3
    I am new to this product.  Any help on this would be great help for me.
    Thanks in Advance,

    Page 22 of the guide http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/cisco_interaction_manager/cim_43/user/guide/cisco_im431_cce_userguide_administration_chat.pdf
    Options tab, go to the Off hours section. Set up the text to be displayed when no agents are available.

  • No user is able to login to User Management Engine in SAP Web AS Java

    Hi,
    We are facing an error "User Authentication failed" in SAP Web AS Java (stand-alone).
    No user is able to log in through User Management Engine, but we were able to log in as administrator into Visual Admin. We also tried SAP* (Emergency User Activation in config tool). SAP* is also able to log in to Visual Admin but not into UME. Login in Visual Admin was successful when we tried with SAP* or administrator.
    It feels like some UME configuration might have changed. Can anyone help me with this?
    Thank You.
    Regards,
    Sudheer.

    Hi
    Has the SAP* emergency user been activated? While this user is active, all the other users are inactive. Check the following documentation for information on this:
    http://help.sap.com/saphelp_nw70/helpdata/en/3a/4a0640d7b28f5ce10000000a155106/frameset.htm
    Regards,
    Désiré
