Cisco ASA 5520 SSL VPN Web Login Customization For RSA Login

I have a Cisco 5520 that I have RSA radius with hardware token up and working witrhout issue. The RSA radius authentication works fine.
My problem is that I want the login page of the WebVPN portal to display two fields for the user RSA passcode. An RSA passcode is the PIN and the current toke code together.
I want one field to accept the PIN from the passcode and the other field to accept the TOKEN CODE from the RSA token.
Currently the login page has in this order:
USERNAME:
PASSCODE:
My end state would be:
USERNAME:
PIN:
TOKENCODE:
I know this has been done with the native Cisco IPSEC client but I cannot find a way to do this with the WebVPN login page. I have been thru the Customization page and can't seem to get this to work correctly.
Thanks.

Hello friend!
Please allow me to resurect this old post. Did you have the solution?
Regards!

Similar Messages

What is the Cisco ASA 5520's VPN ustility like?

Hi, I have a Cisco 3015 VPN concentrator, the Web admin tool is really good. We are getting a 2 Cisco 5520 soon in failover mode and I wondered if I should move my site-to-sites to the ASA 5520 and if so how good it the tool for the ASA VPN's as I not seen it yet?

The VPN capabilities of the ASA are very similar to that of the concentrators. Much of the management interface will have the same look and feel on both appliances. Migrating your L2L VPNs is a matter of preference and will depend on your topology. For me, I prefer to terminate my L2L VPNs into a DMZ and use the ASA to permit/deny traffic into my LAN.

Cisco ASA 5505 SSL VPN

Hi Everyone,
In my study home lab, I wanted to configure a cisco ASA 5505 ( Base license) to allow SSL VPN. I follow carefully the configuration procedure as instructed on a short videos I downloaded on youtube.
I configured my outside e0/0 with a valid static IP address, unfortunately the vpn connection is timeout on a remote ( different) internet connection. But if I connect to my own internet line using a WIFI the VPN ( AnyConnect SSL VPN client ) connection is established.
I need help to solve this mystery. Please find attached the ASA config: #show run
I hope my explaination does make sense, if not accept my apology I am just new in cisco technology.
Best regards,
BEN

If you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA.

Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

Hi,
i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
I have installed 50 Site-to-Site VPN tunnels, and they work fine.
but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
it happens when there is no TRAFIC on, i suspect.
in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
Any idea?
Thanks,
Daniel

What is the lifetime value configured for in your crypto policies?
For example:
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

Hi,
I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
The scanario:
Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
Any help or advice is much appreciated.
Thanks.

Hello Bernard,
What you are looking for is a Remote Ipsec VPN mode not a L2L.
Here is the link you should use to make this happen:)
https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
Regards,
Julio

Older version of openssl in cisco asa 5520

Hi,
Recently my security has scanned all the network devices for vulnerabilities and found that cisco asa 5520 , which we use for RAS VPN has older version of openssl. Have to check that and fix this problem? FYI, recently we have installed a SSL cert for webmail users.
Thanks,
Sridhar

Sridhar,
W update OpenSSL libraries on our side quite often, especially if new vulnarabilities are found.
You can check recently published vulnarabilities in www.cisco.com/go/psirt (not only specific to ASA)
In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
Marcin

Command to View LDAP Password on Cisco ASA 5520

Hello
I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5 to a Cisco ASA 5585. We have LDAP issues logging into to our vpn client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password- encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
Thanks!
Matt

Thankyou Jennifer for the responds.
Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
[454095] sAMAccountName: value = testvendor
[454095] sAMAccountType: value = 805306368
[454095] userPrincipalName: value = [email protected]
[454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[454095] msNPAllowDialin: value = TRUE
[454095] dSCorePropagationData: value = 20111026081253.0Z
[454095] dSCorePropagationData: value = 20111026080938.0Z
[454095] dSCorePropagationData: value = 16010101000417.0Z
Is their any other settings that i need to do it on AD ?
Kindly advice
Regards
Shiji

Cisco ASA 5520 Failover with DMZ

I have a pair of Cisco ASA 5520s running as a primary/standby. Everything is working properly with the primary ASA, however when I trigger a failover, everything works except for the DMZ interface on the standby ASA. I've poured over the configs, but perhaps I have been staring at them too long because I am just not seeing anything.
Below is the output of the sh run failover, sh failover, and sh run interface commands for each unit...
PRIMARY ASA
Primary-ASA# sh run failover
failover
failover lan unit primary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
Primary-ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
This host: Primary - Active
Active time: 69648 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
     Interface outside (184.61.38.254): Normal
     Interface inside (192.168.218.252): Normal
     Interface dmz (192.168.215.254): Normal (Waiting)
     Interface management (192.168.1.1): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
     IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 2119 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.253): Normal
Interface inside (192.168.218.253): Normal
Interface dmz (192.168.215.252): Normal (Waiting)
Interface management (192.168.1.2): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Primary-ASA# sh run interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
ospf cost 10
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
ospf cost 10
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
ospf cost 10
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf cost 10
management-only
STANDBY ASA
Standby-ASA# sh run failover
failover
failover lan unit secondary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
Standby-ASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
This host: Secondary - Standby Ready
Active time: 2119 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.253): Normal
Interface inside (192.168.218.253): Normal
Interface dmz (192.168.215.252): Normal (Waiting)
Interface management (192.168.1.2): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
     IPS, 6.0(3)E1, Up
Other host: Primary - Active
Active time: 70110 (sec)
      slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.254): Normal
Interface inside (192.168.218.252): Normal
Interface dmz (192.168.215.254): Normal (Waiting)
Interface management (192.168.1.1): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
     IPS, 6.0(3)E1, Up
Standby-ASA# sh run interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
ospf cost 10
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
ospf cost 10
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
ospf cost 10
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf cost 10
management-only
Does anyone see something I might be missing? I am at a loss...

I'll just answer my own question...the configs are correct, but it the interface on the standby ASA was plugged into an improperly configured switchport. That'll do it everytime.

Cisco ASA 5520 Crashinfo

I have cisco asa 5520 firewall in production sudenly yetserday firewall was reboted and crashinfo file was genetrated(check with command show crashinfo)
But unable to undersatand the terms
I want to know below thing regarding crashinfo
1) In asa where crashinfo file stores and file name(please share commnad for checking)
2) How to copy file from device to machine
3) How to read that file(any tool any software)

The crashinfo file ("show crashinfo") is plain text and along with the memory register contents there is a whole long list of other information - running-configuration, interface status and counters, etc. So you can look at it in any text editor or even on the ASA console itself.
As far as learning from it directly, there is plenty to learn and use without knowing the most detailed possible level of debug information.
If you want to see some of the tools that are available (and may include some of the crashinfo data), I'd recommend to you a Cisco Live presentation like BRKSEC-3020. You can download that and any other Cisco Live presentations here with a free registration.

Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

I have enable and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have an Cisco ASA 5520 firewall at work, is there something I need to setup on the device? We want to allow users from
home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

Hi,
Make sure that the required ports are allowed over he device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com
Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected]

Cisco ASA 5520 traffic between interfaces

Hello,
I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
ciscoasa# ping esx_management 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping home_network 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Thank you in advance.

Hi,
Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
Static Identity NAT
static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
OR
NAT0
access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
nat (home_network) 0 access-list HOMENETWORK-NAT0
Hope this helps
- Jouni

Cisco ASA 5520 Traffic monitoring

Hello ,
We have a Cisco ASA 5520 and im looking for a way to monitor largest outgoing and incoming traffic per ip in real time so to know which of my internal computers are using the most of our Internet Line. Is there a way to this through ADSM ? We use version 6.3.
Thanks a lot

Hi,
I dont think the ASA alone can give you a really clear picture of the real time situation.
It however should be able to give you some clue and simple statistics on the ASDM Firewall Dashboard
My ASDM version is 7.1 but it should be there in your version also.

HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

Hi all!
we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theorically compatible, we are not going to upgrade it right now.
We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-pasive cluster with both technologies, Cisco ASA an Cisco ASA-X firewalls? We were said that it should be theorically compatible, but we'd like to know if someone tried before.
Best regards for all,

You cannot make a 5520 establish failover with the mate being a 5525-X.
1. The configuration guide (here) states:
The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above.

ASA Clientless SSL VPN can't access login pages on websites

When I'm doing a clientless SSL VPN to my ASA and using the ASA to browse websites, I can pretty much go on to just about any website except specificly login websites. I can go on google and yahoo but when I click the "mail" button it just gives me an error message "Connection Failed - Server (site name) unavailable. When I go onto hotmail.com, it says server hotmail.com unavailable. When I browse by entering hotmail's IP address in, it says "Bad Request." Same happens on ebay, youtube, etc. Funny thing is, the ONLY login page I can get onto is Cisco's website's login page. I tried changing DNS servers, nothing changed. Here is my configuration:
show run
: Saved
ASA Version 8.4(4)1
hostname PatG
domain-name resolver4.opendns.com
enable password aDvdtQE/ih5t061i encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
boot system disk0:/asa844-1-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group Comcast
name-server 75.75.75.75
domain-name cdns01.comcast.net
dns server-group DefaultDNS
name-server 208.67.220.222
name-server 208.67.220.220
domain-name resolver4.opendns.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Remote1 protocol radius
aaa-server Remote1 (inside) host 192.168.1.8
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console Remote1
aaa authentication http console Remote1 LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd domain redtube.com
dhcpd auto_config outside
dhcpd option 150 ip 192.168.1.15 192.168.1.5
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
tunnel-group-list enable
group-policy Eng internal
group-policy Eng attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value EngineerMarks
group-policy RemoteHTTP internal
group-policy RemoteHTTP attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value Test
customization value Extra
username user1 password mbO2jYs13AXlIAGa encrypted privilege 0
tunnel-group Browser type remote-access
tunnel-group Browser general-attributes
authentication-server-group Remote1
default-group-policy RemoteHTTP
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
authentication-server-group Remote1
default-group-policy RemoteHTTP
tunnel-group TEST webvpn-attributes
group-alias testing enable
group-url https://24.19.162.53/testing enable
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
authentication-server-group Remote1 LOCAL
default-group-policy Eng
tunnel-group Engineering webvpn-attributes
group-alias engineering enable
group-url https://209.165.200.2/engineering enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
policy-map map
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:843e718c8d4b23b5f421f82fc0a0c255
: end
Can anyone please help me? Thanks

In your crypto ACLs for the site-to-site tunnels, add the ASA's public IP destined to the remote network, and mirror this ACL on the remote end VPN device.
Example:
ASA public IP: 2.2.2.2
Remote network: 192.168.1.0/24
access-list vpn_to_remote_network permit ip host 2.2.2.2 192.168.1.0 255.255.255.0
Mirror the above acl on the remote end router.
PS. If you found this post helpful, please rate it.

RV320 SSL VPN web service unable to connect port 56000 56001...

I have recently installed a RV320 dual WAN small business router in order to use the SSL VPN functionality to allow secure access to our intranet pages which are hosted on a server inside our network. I have the latest firmware installed on the router.
With the firewall feature of the RV320 disabled - After logging in to the router remotely via the HTTPS interface, I am able to use the web-based services such as SSH and NetworkPls. However, when using the HTTP and HTTPS services I receive a web browser unable to connect error on port 56000, 1, 2, 3 ... This is regardless of whether I enter a URL or IP address on the network behind the router or on the internet.
Enabling the firewall feature of the RV320 gives a different result - when any IP or URL is entered into the box in the second image below, the router log-in page is loaded instead of the required site. I have pasted an extract from the log at the bottom of this post although it doesn't seem to contain any relevant information. As a separate issue, you will also notice that users connecting to the router brings up [HACK] SynFlooding Attack in error.
Can anyone explain why this is happening? Alternatively, does anyone have a guide for setting up a IPSec VPN with this router? There seems to be very little literature available for this model.
Thanks in advance for your help.
Log extract
2013-11-02, 11:36:19
Connection Accepted
IN=eth1 OUT=eth0 SRC=178.239.83.183 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=57573 DF PROTO=TCP SPT=54925 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
2013-11-02, 11:36:19
[HACK] SynFlooding Attack
IN=eth1 OUT=eth0 SRC=178.239.83.183 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=57573 DF PROTO=TCP SPT=54925 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
2013-11-02, 11:31:53
Connection Accepted
IN=eth1 OUT=eth0 SRC=178.239.83.156 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=50721 DF PROTO=TCP SPT=55634 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
2013-11-02, 11:31:53
[HACK] SynFlooding Attack
IN=eth1 OUT=eth0 SRC=178.239.83.156 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=50721 DF PROTO=TCP SPT=55634 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
2013-11-02, 11:31:38
User Log
User cisco login success from 221.142.25.181
2013-11-02, 11:31:38
User Log
User cisco login success from 221.142.25.181
2013-11-02, 11:29:49
Kernel
kernel: upnp idx=83, ip=192.168.10.220, eport=59725, iport=59725
2013-11-02, 11:29:49
Kernel
kernel: wrong ip[0],not_list[0]
2013-11-02, 11:29:43
Connection Accepted
IN=eth1 OUT=eth0 SRC=176.251.102.32 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=44670 DF PROTO=TCP SPT=49423 DPT=143 WINDOW=65535 RES=0x00 SYN URGP=0
2013-11-02, 11:29:43
[HACK] SynFlooding Attack
IN=eth1 OUT=eth0 SRC=176.251.102.32 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=44670 DF PROTO=TCP SPT=49423 DPT=143 WINDOW=65535 RES=0x00 SYN URGP=0
2013-11-02, 11:29:12
Kernel
kernel: upnp idx=83, ip=192.168.10.220, eport=59725, iport=59725
2013-11-02, 11:29:12
Kernel
kernel: wrong ip[0],not_list[0]
2013-11-02, 11:29:12
SSL Log
User ben login success from 221.142.25.181

After lots of trial and error, I was able to eliminate this problem. What I wound up doing is defining the XE service again in the listener.ora file:
SID_LIST_LISTENER =
(SID_LIST =
    (SID_DESC =
      (SID_NAME = XE)
      (ORACLE_HOME = C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server)
I know that typically you should not have to do this, especially since I already had defined DEFAULT_SERIVCE_LISTENER = (XE) at the bottom of the listener.ora file. Explicitly defining the XE service in the listener.ora file allows the listener to find it while the system is running under the Cisco AnyConnect VPN. The only hiccup I found by doing this is that the XE service is discovered twice by the listener when the system is NOT running under the Cisco AnyConnect VPN. It still works OK. The listener just seems to ignore the repeated definition of the XE service (see output below):
C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server\bin>lsnrctl service
LSNRCTL for 32-bit Windows: Version 11.2.0.2.0 - Production on 13-JUN-2013 10:03:15
.......(omitted output).......
Service "XE" has 2 instance(s).
Instance "XE", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
Instance "xe", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
Service "XEXDB" has 1 instance(s).
Instance "xe", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: DEV-M-137GF, pid: 5544>
(ADDRESS=(PROTOCOL=tcp)(HOST=DEV-M-137GF.paychex.com)(PORT=58257))
The command completed successfully
If anyone has a cleaner solution for this problem, please let me know. Otherwise, I am moving forward with what I did.
Thanks.....Paul

Cisco ASA 5520 SSL VPN Web Login Customization For RSA Login

Similar Messages

Maybe you are looking for