Cisco sr520 VPN configuration and deployment

Hope one of the Cisco geniuses can help me out. I have a small business with one SR520 edge router. The network is up and running fine, but I need to allow remote users to connect back to a VPN at the office in order to access user WinXP PCs using RDP (Remote Desktop).
I have searched the web and the Cisco forums and see there are quite a few VPN configurations, but I found no clear setup guide for accomplishing what I understood to be pretty simple: "allow 5 outside users to connect back to the office and work as if they were sitting in the office".
Questions:
1. What client software is needed on the remote client PC to connect back to the SR520 VPN? Can I use the Windows PPTP VPN client or the built-in Mac client?
2. My router shows three items labeled VPN: VPN Remote, VPN Server and SSL VPN. I have tweaked each of these screens but still have not been able to connect an outside client. Is there a setup guide that explains the features of this router and how to use them?
3. After poking around the Cisco site for a VPN client, I am wondering why I need a support contract to use a feature of a router I just bought. Do firmware and client software cost extra?
Thanks for any assistance you can offer...
Kevin Hall
Houston Tx

Hi,
Some users have reported that IPSecuritas works well with the Cisco Small Business routers.
http://www.lobotomo.com/products/IPSecuritas/
For the RV180 I would try to adapt the SA500 tutorial to make it work:
http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_mac_appnote.pdf
Please note that this client is not supported by Cisco. If you have questions or issues, please post here on the forum.
- Marty

Similar Messages

  • Best practice for .war?  Configure and deploy or deploy and configure?

    In Apache Tomcat for example, I can deploy an app, stop the server, reconfigure the app in situ, then start the server again...
    Is this recommended for deploying Java web apps to Oracle App Server 10g?
    We currently have a consulting firm that is recommending to configure the web app before deploying. Sounds reasonable, except that they want this done via JDeveloper so that the Sys Admin can right click on the "deploy to OAS" button (i.e. have the tools generate the .war file after configuration and deploy automagically).

    Thanks for your feedback.
    Are you aware of any way to use the *.deploy configuration file that is created by JDeveloper in an ANT script to create the .war or .ear file?
    If not, I can picture the Sys Admin and developers groaning when they're told that their JDeveloper web-app configuration cannot be used for production -- and that they must somehow duplicate that functionality in an ANT script!
    I do have the below ANT scripts from Debu to do the deployment etc. But they only help after the .ear is built.
    EAR file deployment:
    <target name="deploy" depends="core">
        <java jar="${j2ee.home}/admin.jar" fork="yes">
            <arg value="${oc4j.deploy.ormi}"/>
            <arg value="${oc4j.deploy.username}"/>
            <arg value="${oc4j.deploy.password}"/>
            <arg value="-deploy"/>
            <arg value="-file"/>
            <arg value="${this.build}/${this.ear}"/>
            <arg value="-deploymentName"/>
            <arg value="${this.application.name}"/>
        </java>
    </target>
    Web application binding:
    <target name="bind-web-app" depends="deploy">
        <java jar="${j2ee.home}/admin.jar" fork="yes">
            <arg value="${oc4j.deploy.ormi}"/>
            <arg value="${oc4j.deploy.username}"/>
            <arg value="${oc4j.deploy.password}"/>
            <arg value="-bindWebApp"/>
            <arg value="${this.application.name}"/>
            <arg value="${this.war}"/>
            <arg value="http-web-site"/>
            <arg value="/${this.uri}"/>
        </java>
    </target>
    Undeployment:
    <target name="undeploy" depends="init">
        <java jar="${j2ee.home}/admin.jar" fork="yes">
            <arg value="${oc4j.deploy.ormi}"/>
            <arg value="${oc4j.deploy.username}"/>
            <arg value="${oc4j.deploy.password}"/>
            <arg value="-undeploy"/>
            <arg value="${this.application.name}"/>
        </java>
    </target>

  • Assistance in configuring and deploying OS to domain

    Kindly provide info about configuring and deploying an OS to a domain.

    Please have a look; the best place to start, in and out:
    http://www.windows-noob.com/forums/index.php?/topic/4468-using-sccm-2012-rc-in-a-lab-part-7-build-and-capture-windows-7-x64/
    http://www.windows-noob.com/forums/index.php?/topic/4512-using-sccm-2012-rc-in-a-lab-part-8-deploying-windows-7-x64
    http://www.windows-noob.com/forums/index.php?/topic/5124-using-sccm-2012-rc-in-a-lab-part-15-deploying-windows-8-consumer-preview-using-configuration-manager-2012-rc2/
    Video, please:
    www.youtube.com/watch?v=99I354t500g
    www.youtube.com/watch?v=8uEvEVul1Vk
    Thanks, Prabha G

  • How to configure and deploy OAM 11g with DB setup using silent mode

    Hello all,
    I am trying to create automation process to install and configure OAM 11g on WLS. This task involves three stages
    1. Install WLS
    2. Install OAM 11g
    3. Create DB schema using RCU
    4. Configure and deploy OAM 11g
    I have done the first 3 stages in silent mode using scripts and response files. I am stuck at the 4th stage. I know how to configure and deploy OAM 11g using config.sh via the GUI installer as well as console mode. But I would like to run config.sh in silent mode, something like
    ./config.sh -mode=silent -silent_script=<script_location>
    I have searched a lot, but could not find any resource on how to do it. I tried passing the parameters via a text file, but that has not worked. I have also explored WLST, but it also does not work. Given that the first 3 things are relatively very simple, the 4th step is becoming complex. I would be very thankful if someone can please point me in the right direction.
    Thanks!

    Have a look at your software directory: <software directory>/Disk1/stage/Response
    Here you will find 2 rsp files which you can use to install and then configure it all.
    Good luck.
    Filip

  • I established a VPN configuration and connected but cannot connect to server?

    I work from an iMac at home and need to connect to my work server and files. I established the VPN configuration and connected to the building but cannot access the server. What am I doing wrong, or what else do I need to do?

    Once your VPN is connected, you still need to log in to the server(s) you are using.  This does not necessarily happen automatically - you may have to manually log in to your server(s).   To do this, in the Finder menu do Go > Connect to Server and enter the server address.  If these are windows servers it's probably an SMB connection in which case you would enter  smb://<serveraddress> in the server address field.
    Best bet is to talk with the IT folks where you work, as you may need specific information about how to log in to your server(s).  There are ways to automate the login but you first need the correct login details (server address, userID, password).
    If you want to automate the login process, here's a simple AppleScript that I wrote in my own case. Create this using AppleScript Editor. After testing, save it as an Application; then in System Preferences you can add it to your list of Login Items so it runs automatically whenever you sign in to your Mac. Of course, your VPN will have to already be connected in order for this to actually work.
    delay 30
    tell application "Finder"
        mount volume "smb://servername1/mountpoint_A"
        mount volume "smb://servername2/mountpoint_B"
    end tell
    (Note: "servernameX/mountpoint_Y" is the address of each of the 2 servers I log into, except that in this example they are completely fictitious names.)

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing the requirements with your local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit the default policy for CWA. Based on successful CWA auth, CoA is triggered and the user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and be returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • Ask the Expert: Cisco Prime Infrastructure - Implementation and Deployment

    Welcome to the Cisco Support Community Ask the Expert conversation.
    This Ask the Expert session will cover questions spanning Cisco Prime Infrastructure implementation and deployment on wired and wireless networks. It will be more specific to customers' and partners' questions on the product, covering PI configuration, features and menus, network monitoring, maps, implementation, high availability and maintenance, and troubleshooting.
    Monday, February 2nd, 2015 to Friday, February 13th, 2015
    Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS) supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco Prime Infrastructure and Cisco Wireless products. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS) and CCIE (DC) certifications.
    Afroz Ahmad is a customer support engineer in High-Touch Technical Services (HTTS) supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco NMS products like Prime Infrastructure, LMS, IP SLA and SNMP. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS), CCIE (DC), and SCJP (Sun Certified Java Professional) certifications.
    Vinod Kumar Arya is a customer support engineer in High-Touch Technical Services (HTTS) supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco NMS products like Prime Infrastructure, LMS, IP SLA and SNMP. He has over 8 years of industry experience working with large enterprise and service provider networks. He also holds VCP 5 and RHCE certifications.
    ** Remember to use the rating system to let the experts know you have received an adequate response.**
    Because of the volume expected during this event, the experts might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, > Network Management, shortly after the event. This event lasts through February 13th 2015. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

    Hello Wilson,
    Thanks for joining us.
    An 1841 should work just fine for NetFlow. Hope you have a valid "PI Assurance license" installed on the server.
    The "PI Assurance license" is required for the "NetFlow" feature.
    Devices supporting NetFlow in PI:
    1400, 1600, 1700 & 1800
    2500, 2600 & 2800
    3600, 3700, 3750 & 3800
    4500 & 4700
    AS5300 & 5800
    7200, 7300, 7400 & 7500
    Catalyst 4500 ASCI
    Catalyst 5000, 6500, & 7600 ASCI
    ESR 10000 ASCI
    GSR 12000 ASCI
    Cisco IOS Software Release Version / Supported Cisco Hardware Platforms:
    11.1CA, 11.1CC: Cisco 7200 and 7500 series; RSP 7200 series
    12.0: Cisco 1720, 2600, 3600, 4500, 4700, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series
    12.0T, 12.0S: Cisco 1720, 2600, 3600, 4500, 4700, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series, MGX8800RPM series, and BPx8600 series
    12.0(3)T, 12.0(3)S: Cisco 1720, 2600, 3600, 4500, 4700, AS5300, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series, MGX8800RPM series, and BPx8650 series
    12.0(4)T: Cisco 1400, 1600, 1720, 2500, 2600, 3600, 4500, 4700, AS5300, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series, MGX8800RPM series, and BPx8650 series
    12.0(4)XE: Cisco 7100 series
    12.0(6)S: Cisco 12000 series
    NetFlow is also supported by these devices Cisco 800, 1700, 1800, 2800, 3800, 6500, 7300, 7600, 10000, CRS-1 and these Catalyst series switches: 45xx, 55xx, 6xxx.
    NetFlow export is also supported on other Cisco switches when using a NetFlow Feature Card (NFFC) or NFFC II and the Route Switch Module (RSM), or Route Switch Feature Card (RSFC). However, check whether version 5 is supported, as most switches export version 7 by default.
    You can check the steps below to diagnose the issue.
    To verify that NetFlow is exported from a device to PI, follow the steps below:
    1) Browse to the Administration > Data Sources page. Check the value in the 'Last Active Time' column of the 'Device Data Sources' table. If the table is empty or the value does not represent a recent time, it is possible that the device is not exporting NetFlow or that the PI Assurance license is not applied / has expired.
    2) Log in to the PI console (via SSH) as the root user and run the command:
           netstat -an | grep 9991
       The output should look like:  udp        0      0 :::9991         :::*
       Check the firewall settings on the PI server using the command: firewall -L
    3) Check the configuration on an IOS / IOS-XE device. Run the commands:
       a) sh running-config | inc destination
          This should list the IP address of the PI server (along with other output, if any).
       b) sh running-config | inc 9991
          This should list at least one entry.
       c) If the above are fine, then verify that the flow monitor, flow exporter and the flow records are correctly configured on the device.
    Refer to the URLs below to configure NetFlow export.
    http://preview.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/2.0/user/guide/setup_monitor.html#wp1056427
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****
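Steps 3a to 3c above are manual greps of the running config. The following added example (written for this page, not Cisco or Prime Infrastructure tooling) runs the same checks over a constructed IOS Flexible NetFlow configuration and also walks the record -> exporter -> monitor -> interface chain that step 3c asks you to verify. The PI address 10.0.0.50, the port 9991 from step 2, and every object and interface name are assumptions of the example.

```python
"""Check an IOS / IOS-XE Flexible NetFlow config for the chain Prime
Infrastructure (PI) needs: record -> exporter to the PI server on UDP 9991
-> monitor -> applied on an interface.  Added example; the sample config,
the PI address 10.0.0.50 and every object/interface name are constructed."""
import re
from typing import Dict, List, Optional

# Constructed excerpt: one exporter that reaches PI, one pointing at an old
# collector on another port, and a stale monitor that uses the old one.
SAMPLE_RUNNING_CONFIG = """\
flow record PI-RECORD
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes
!
flow exporter PI-EXPORTER
 destination 10.0.0.50
 transport udp 9991
!
flow exporter OLD-COLLECTOR
 destination 10.0.0.99
 transport udp 2055
!
flow monitor PI-MONITOR
 record PI-RECORD
 exporter PI-EXPORTER
!
flow monitor STALE-MONITOR
 record PI-RECORD
 exporter OLD-COLLECTOR
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip flow monitor PI-MONITOR input
!
"""

HEADER = re.compile(r"^(flow record|flow exporter|flow monitor|interface) (\S+)$")


def parse_blocks(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Group indented sub-commands under their flow record/exporter/monitor or
    interface header, e.g. {"flow exporter": {"PI-EXPORTER": [...]}}."""
    blocks: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[List[str]] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and current is not None:
            current.append(line.strip())
            continue
        current = None          # '!' or a header we do not track ends a block
        m = HEADER.match(line)
        if m:
            current = blocks.setdefault(m.group(1), {}).setdefault(m.group(2), [])
    return blocks


def first_arg(lines: List[str], keyword: str) -> Optional[str]:
    """The token after 'keyword ' on the first matching sub-command, if any."""
    for line in lines:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:].split()[0]
    return None


def check_netflow_export(config: str, pi_server: str, port: int = 9991) -> dict:
    """Steps 3a-3c in code: exporter to PI on the right port, bound to a monitor
    that has a defined record and is applied to at least one interface."""
    blocks = parse_blocks(config)
    problems: List[str] = []
    # 3a/3b: 'destination <PI>' and 'transport udp 9991' on the same exporter.
    pi_exporters = set()
    for name, lines in blocks.get("flow exporter", {}).items():
        dest, udp = first_arg(lines, "destination"), first_arg(lines, "transport udp")
        if dest == pi_server and udp == str(port):
            pi_exporters.add(name)
        elif dest == pi_server:
            problems.append(f"exporter {name} targets PI but uses udp {udp}, not {port}")
    if not pi_exporters:
        problems.append(f"no flow exporter sends to {pi_server} on udp {port}")
    # 3c: a monitor must bind a defined record to one of those exporters...
    wired = set()
    for name, lines in blocks.get("flow monitor", {}).items():
        record = first_arg(lines, "record")
        exporters = {l.split()[1] for l in lines if l.startswith("exporter ")}
        if record not in blocks.get("flow record", {}):
            problems.append(f"monitor {name} references undefined record {record}")
        elif exporters & pi_exporters:
            wired.add(name)
    # ...and be applied to an interface, otherwise nothing is ever exported.
    applied: Dict[str, List[str]] = {}
    for ifname, lines in blocks.get("interface", {}).items():
        for line in lines:
            m = re.match(r"ip flow monitor (\S+) (input|output)$", line)
            if m:
                applied.setdefault(m.group(1), []).append(f"{ifname} {m.group(2)}")
    for name in sorted(wired - set(applied)):
        problems.append(f"monitor {name} exports to PI but is not applied to any interface")
    active = {name: applied[name] for name in sorted(wired) if name in applied}
    return {"pi_exporters": sorted(pi_exporters), "active_monitors": active,
            "problems": problems, "ok": bool(active) and not problems}
```

Feed it the output of `show running-config` with the real PI address; an empty `problems` list with a non-empty `active_monitors` is what step 3c is looking for.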

  • Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

    This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in the incoming AUTH request from Cisco IPSec VPN Client 5.x. I tried playing with pcf files and user names/identity stores; none seems to work.

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • How to create Agreement Configuration and deploy it

    Hi All,
    Through the self-service APIs we are able to create the agreement. How do I create the configuration for the same and deploy it using Java/PL-SQL code? Any sample code and example file?
    Regards,
    Praveen

    Hi Praveen,
    You can use the self-service API to deploy the configuration from a Java program or from the command line. To use it from the command line:
    1. java oracle.tip.adapter.b2b.selfservice.TradingPartnerManager   (creates the Trading Partner profiles from the specified XML file)
    2. java oracle.tip.adapter.b2b.selfservice.AgreementManager   (creates agreements from the specified XML file)
    To use it from Java:
    import java.io.FileInputStream;
    import org.xml.sax.InputSource;
    import oracle.tip.adapter.b2b.selfservice.AgreementManager;
    import oracle.tip.adapter.b2b.selfservice.TradingPartnerManager;

    // Create the trading partner profiles from the XML file tpFile; the boolean
    // mirrors the optional second command-line argument.
    FileInputStream tpStream = new FileInputStream(tpFile);
    InputSource tpSource = new InputSource(tpStream);
    TradingPartnerManager tpMgr = TradingPartnerManager.newInstance();
    tpMgr.init();
    if (args.length == 2) {
        tpMgr.processTPProfiles(tpSource, true);
    } else {
        tpMgr.processTPProfiles(tpSource, false);
    }
    tpMgr.shutdown();

    // Then create the agreements from their own XML file (agreementFile is
    // assumed here; substitute the path of your agreement XML).
    FileInputStream agreementStream = new FileInputStream(agreementFile);
    InputSource agreementSource = new InputSource(agreementStream);
    AgreementManager agreementMgr = AgreementManager.newInstance();
    agreementMgr.init();
    agreementMgr.processAgreements(agreementSource);
    agreementMgr.shutdown();
    Please refer below link for the same -
    http://www.b2bgurus.com/2007/09/creating-b2b-metadata-using-self.html
    Regards,
    Anuj

  • Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...

    Hi Guys
    I am having issues with the built-in Cisco VPN client on the Mac; I am currently using Mac OS X 10.7.4.
    I have a Fortigate 200B device and have set up the IPSec VPN settings to have a key life of 86400 seconds.
    However, the experience I am having with the Mac clients is that after about 50 minutes the users are being asked to re-authenticate to the VPN...
    When checking the debug logs I can see that the peer (Mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds, which is 1 hour...
    Usually in IPSec a re-negotiation process takes place about 10 minutes or so before the key expires.
    My question is: where are the VPN settings kept on the Mac? I know it uses racoon for the IPSec key exchange, and so I would like to tweak the VPN profiles so that the Mac sets the lifetime of the key to 86400 instead of 3600 by default...
    I also want to be able to set logging to debug mode for the racoon application on the Mac clients.
    Your help is much appreciated
    Kind Regards
    Mohamed

  • Cisco AnyConnect VPN client and 256 AES encryption in IE8

    Hey,
    We have a site that we are trying to connect to with the AnyConnect VPN client version 2.5.3055 on Windows XP SP3. As soon as we enter the site info and hit Select, it says a connection was unable to be established.
    I believe this has to do with the encryption; it's set up with 256-bit AES. We are only able to install IE8, which on XP only supports up to 128-bit encryption, so in IE8 the page will not load. To fix that issue we installed Firefox, which supports 256-bit encryption. We can get to the page there, but when we go to connect to the same site via the VPN client it still will not connect. It will work fine on a Windows 7 box with IE9 installed from the same network.
    My question mainly pertains to how the AnyConnect client connects on the back end. Does it use Internet Explorer's SSL layer by default? Or does it have its own? If it connects through Internet Explorer, is there a way to change it to Firefox so it will actually be able to open up a connection?
    Thank you for your answers in advance,
    John

    Hey Jeff,
    Thanks for answering that question. Hmm, so it doesn't go through the browser's SSL layer. We have systems on the same network (same proxy, firewall, VLAN, etc.). All the systems with Windows XP SP3 and IE8/IE7 cannot connect to the VPN (they aren't even able to start the connection and ask for proxy/logon info); all the systems with Windows 7 and IE9 can. Same setups on each one as far as the security policies go as well. I thought it may have to do with the 256-bit encryption that they are using.
    If that's not the case, what else could be causing the problem? We've tested it on about 5 XP machines and 5 Win 7 machines, same results on each. Connects on Win 7, does not connect on Win XP.
    Thanks,
    John

  • 10gAS configuration and deploying 9i applications on 10gAS forms server

    Hi!
    To start with, please explain to me the main configuration files after the installation of 10gAS or any AS.
    How do I deploy 9i applications on a 10gAS forms server?

    http://download-uk.oracle.com/docs/cd/B13597_05/bf.904/b10470/toc.htm

  • Cisco 5505 VPN assistance - Resending P1 and Peer to Peer List No match

    Hello, and thanks in advance to anyone that can help me with the IPSec connection. The VPNs were working when I first created them, but now they won't connect. Here is the error on the primary (local) firewall (yes, I know the time isn't set yet on the firewall):
    4|May 17 2007|13:51:55|713903|||||IP = X.X.X.X, Error: Unable to remove PeerTblEntry
    3|May 17 2007|13:51:55|713902|||||IP = X.X.X.X, Removing peer from peer table failed, no match!
    6|May 17 2007|13:51:55|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
    5|May 17 2007|13:51:55|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6|May 17 2007|13:51:47|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
    5|May 17 2007|13:51:47|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    The local firewall has one VPN configured and the remote has 2 (1 working and the other not). The local firewall has Base licensing with 3DES. As far as I can tell they have the same VPN parameters, but maybe the remote has pfs1 turned on? I've played with various settings and can't seem to get it to work. The crypto map has the same firewall rules in it (obviously reversed on the remote). Any help much appreciated! I have a third site doing exactly the same thing (once again, it also works on another site-to-site but not this one). It's weird because I used the IPSec wizard and got it to work, and after rebooting the ASA the tunnel came up yet again, but now my debug log is just full of this info and the tunnels never come up... the only time it was up was for a few hours, then it won't come up anymore... odd.
    Local Firewall:
    hostname ciscoasa
    names
    name 172.25.42.0 MASALan
    name 172.25.7.0 FHR
    name 172.25.43.0 MR
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.25.6.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.10.10.30 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
     switchport access vlan 2
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network inside-network
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object icmp
     protocol-object igmp
     protocol-object gre
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object ip
     protocol-object icmp
     protocol-object igmp
     protocol-object gre
    object-group network DM_INLINE_NETWORK_4
     network-object MASALan 255.255.255.0
     network-object MR 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
     network-object 172.25.6.0 255.255.255.0
     network-object FHR 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_3
     protocol-object ip
     protocol-object icmp
     protocol-object igmp
     protocol-object gre
    object-group network DM_INLINE_NETWORK_3
     network-object 172.25.6.0 255.255.255.0
     network-object FHR 255.255.255.0
    object-group network DM_INLINE_NETWORK_5
     network-object MASALan 255.255.255.0
     network-object MR 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
    access-list NONAT extended permit ip any 172.25.4.0 255.255.255.0
    access-list NONAT extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
    access-list NONAT extended permit ip FHR 255.255.255.0 MR 255.255.255.0
    access-list NONAT extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_5
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool RemotePool 172.25.4.1-172.25.4.2 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    route inside 172.25.1.0 255.255.255.0 172.25.6.2 1
    route inside 172.25.2.0 255.255.255.0 172.25.6.2 1
    route inside 172.25.8.0 255.255.255.0 172.25.6.4 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 172.25.0.0 255.255.0.0 outside
    http 172.25.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set peer 216.183.157.158
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA
    crypto map outside_map 2 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 172.25.0.0 255.255.0.0 inside
    ssh 172.25.6.0 255.255.255.0 inside
    ssh 172.25.0.0 255.255.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
     vpn-filter none
     vpn-tunnel-protocol IPSec
    tunnel-group osfdremote ipsec-attributes
     pre-shared-key *
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X general-attributes
     default-group-policy GroupPolicy1
    tunnel-group X.X.X.X ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    REMOTE FIREWALL
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group CHN
    ip address pppoe setroute
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
    network-object 172.25.42.0 255.255.255.0
    network-object RFN 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
    network-object RHQASAnet 255.255.255.0
    network-object RHQNet 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object gre
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_3
    network-object 172.25.42.0 255.255.255.0
    network-object RFN 255.255.255.0
    object-group network DM_INLINE_NETWORK_4
    network-object FHData 255.255.255.0
    network-object FHR 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object gre
    protocol-object tcp
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any any eq www
    access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 RHQASAnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 RHQNet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 RHQASAnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 FHData 255.255.255.0
    access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 FHR 255.255.255.0
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any object-group DM_INLINE_NETWORK_2
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any object-group DM_INLINE_NETWORK_4
    access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 FHData 255.255.255.0
    no pager
    logging enable
    logging asdm debugging
    mtu inside 1500
    mtu outside 1500
    ip local pool 192.168.5.1 192.168.5.1-192.168.5.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.110.10.1 1
    route inside RFN 255.255.255.0 172.25.42.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.25.0.0 255.255.0.0 inside
    http 10.7.72.0 255.255.255.0 inside
    http 192.168.5.0 255.255.255.0 inside
    http 192.168.5.0 255.255.255.0 outside
    http RHQNet 255.255.255.0 inside
    http RHQASAnet 255.255.255.0 inside
    http RHQASAnet 255.255.255.0 outside
    http RHQNet 255.255.255.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map0 2 match address outside_cryptomap_1
    crypto map outside_map0 2 set peer Y.Y.Y.Y
    crypto map outside_map0 2 set transform-set ESP-AES-128-SHA
    crypto map outside_map0 2 set security-association lifetime seconds 28800
    crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.255.255 inside
    telnet 172.25.0.0 255.255.0.0 inside
    telnet 192.168.5.0 255.255.255.0 inside
    telnet 192.168.5.0 255.255.255.0 outside
    telnet timeout 5
    ssh 192.168.5.0 255.255.255.0 inside
    ssh 192.168.5.0 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol IPSec
    group-policy remotevpn internal
    group-policy remotevpn attributes
    vpn-tunnel-protocol IPSec
    vpn-group-policy remotevpn
    tunnel-group Y.Y.Y.Y type ipsec-l2l
    tunnel-group Y.Y.Y.Y general-attributes
    default-group-policy GroupPolicy1
    tunnel-group Y.Y.Y.Y ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    policy-map global-policy
    class inspection_default
      inspect pptp
    service-policy global_policy global
    prompt hostname context

    May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xd578cda0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
    May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:8e338e16 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
    May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Removing peer from peer table failed, no match!
    May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Error: Unable to remove PeerTblEntr
    Is the result and then it repeats =)
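The FSM history in the debug above shows the responder erroring while still in MM_WAIT_MSG3, so the first thing to rule out is a phase-1/phase-2 setting the two ASAs do not share. The following is an added example, not the poster's or Cisco's code: it pulls the IKE policies, transform-sets, static crypto-map entries and the NAT-T flag out of two ASA running-configs and lists what the peers cannot agree on. The two config excerpts are constructed from the configs posted above (peers left as placeholders, as in the post) and are not the full configs.

```python
P1_KEYS = ("authentication", "encryption", "hash", "group")

# Constructed excerpts modelled on the two configs above (not the poster's full configs).
HQ_CFG = """crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
no crypto isakmp nat-traversal"""
REMOTE_CFG = """crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map0 2 set peer Y.Y.Y.Y
crypto map outside_map0 2 set transform-set ESP-AES-128-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2"""

def parse_asa(cfg):
    """Collect phase-1 policies, transform-sets, static crypto-map 'set' lines and the NAT-T flag."""
    out = {"policies": {}, "tsets": {}, "maps": {}, "nat_t": True}
    cur = None                                  # phase-1 policy block being filled
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            cur = out["policies"].setdefault(int(w[3]), {})
            continue
        if cur is not None and w[0] in P1_KEYS + ("lifetime",):
            cur[w[0]] = " ".join(w[1:])
            continue
        cur = None                              # any other line ends the policy block
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            out["tsets"][w[3]] = tuple(w[4:])   # e.g. ('esp-aes', 'esp-sha-hmac')
        elif w == ["no", "crypto", "isakmp", "nat-traversal"]:
            out["nat_t"] = False
        elif w[:2] == ["crypto", "map"] and len(w) > 6 and w[3].isdigit() and w[4] == "set":
            out["maps"].setdefault((w[2], int(w[3])), {})[w[5]] = tuple(w[6:])
    return out

def phase1_matches(a, b):
    """Policy pairs whose authentication, cipher, hash and DH group all agree."""
    return [(pa, pb) for pa, A in a["policies"].items()
            for pb, B in b["policies"].items()
            if all(A.get(k) == B.get(k) for k in P1_KEYS)]

def phase2_proposals(side):
    """ESP algorithm pairs that the side's static crypto-map entries can offer."""
    return {side["tsets"][n] for e in side["maps"].values()
            for n in e.get("transform-set", ()) if n in side["tsets"]}

def check_pair(a, b):
    """Settings that would stop the two peers agreeing a tunnel."""
    findings = []
    if not phase1_matches(a, b):
        findings.append("no common IKEv1 phase-1 policy")
    if not phase2_proposals(a) & phase2_proposals(b):
        findings.append("no common IPsec transform-set")
    if a["nat_t"] != b["nat_t"]:
        findings.append("NAT-T enabled on one side only")
    return findings
```

On the excerpts above the only finding is the NAT-T asymmetry, which mirrors the `no crypto isakmp nat-traversal` line present in the first config and absent from the second.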

  • Is there any way to back up a preconfigured iPad and deploy to new iPads using Configurator??

    To clarify,  we have about 100 ipads deployed in our district and lots more on the way.  We had just used iTunes in the past to backup one master device with the apps and restored on the remaining sets of iPads.  Obviously we wanted a simpler way to manage this as we are getting a lot more iPads coming in for use in the different schools.  We got a MDM solution (Casper) and started using Configurator.
    We are running the latest of Configurator (1.4.2) and IOS (7.0.4).
    From what I have read (and a lot at that) I know that there are numerous issues with this setup (hopefully addressed very soon).
    Here is my question:
    Is it possible to take an already deployed device, loaded with apps (paid and free), back it up in Configurator, and deploy it to other iPads and still get all the apps to come down along with the restore?
    Apparently this was possible in the past, I am just wondering if I am missing something.  Any help or suggestions on how you are doing it would be very helpful.
    Oh, and to clarify, we are using VPP for the apps, just not managing them anywhere at this time, haven't decided the best tool for that, maybe Casper maybe Configurator, but we are compliant, only using the same quantity of apps that we have purchased.
    Thanks
    Edit: spelling error

    I've heard if you contact your apple rep, Apple may restore your vpp codes so you can move to an MDM.
    Read the Google doc below and nsdjoey write up.
    IT Resources -- ios & OS X -- This is a fantastic web page.  I like the education site over the business site.
    View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
        http://www.apple.com/education/ipad/resources/
        scroll down after all the pretty pictures.  Click on the words "For It".
    Joe Rowe's Excellent guides
    IT managers who are new to configurator and managing a cart of ios devices:
          https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/edit?pli=1
             [ original announcement  -- https://discussions.apple.com/thread/4256735?tstart=0 ]
    Quick help presentation for students:
         https://docs.google.com/presentation/d/18937JdleX2gymtSb8zfbDczV-76BdR2DIfCV9eJiyOE/edit#slide=id.g1b776944_0_224
    good tips for initial deployment:
    https://discussions.apple.com/message/18942350#18942350
    https://discussions.apple.com/thread/3804209?tstart=0
    See nsdjoey writeup.  See third post.
    https://discussions.apple.com/message/22286109#22286109
    "Deploying a great quantity of iOS devices means creating a great quantity of Apple IDs. This script allows automated Apple ID creation from a spreadsheet."
    http://www.enterpriseios.com/wiki/Apple_ID_Automation_Builder

  • WLS 6.0 config and deployment

    Hi,
    Just converted our app from 5.1 to 6.0. Not too many problems once we
    figured out the class loader situation. I have some questions regarding
    configuration and deployment which are not clear to me after reading the
    documentation.
    I find I have to modify config.xml manually quite often to fix problems
    which the console creates. It is not at all uncommon for me to change a
    property via the console and then have to undo the change manually to
    get the server to properly start up again. While I accept that this is
    probably due to a mistake I am making, I am very surprised that this
    system is so fragile. Now for my questions...
    1) Sometimes the console will add a new application to my config.xml
    with a
    "-1 " extension. Why is this? It doesn't create problems in and of
    itself but does seem to accompany other problems which the console
    creates in this file.
    2) I intend to deploy an ear for production purposes, but as the
    documentation points out this is inconvenient for development. I need
    the ability to modify single jsp files without redeploying all of them.
    This worked great in 5.1. I am unable to do this in 6.0. As it stands
    now, my jsp files are only redeployed on startup and unfortunately seem
    to be redeployed every time we start regardless of whether changes were
    made to them. This makes development much slower. The REDEPLOY file
    business discussed in the docs doesn't seem to have any effect. I
    currently am deploying the jsp files and associated classes in "expanded
    directory format" under the .config/domain/applications/applicationName
    directory. I am deploying some EJBS in a pre-compiled jar file and
    placing this jar file in the system classpath so the jsps can access the
    shared classes. (I know this prevents hot deployment but I seem to have
    no choice since the EJBs' interfaces do not reference all shared classes
    and therefore do not export them to their parent.) This jar file resides
    in the ./config/domain/applications directory. Any ideas as to why I can
    not get my jsp files to hot deploy one at a time.
    All in all, 6.0 is a great release but development time has increased
    dramatically. Hot deployment is not going to work for us because
    unfortunately many of our classes are required by our startup classes
    and therefore must be placed in the system classpath.
    Thanks,
    Steve

    Basically, hot deployment of JSPs isn't supported for dynamically deployed
    webapps, that is, those in the applications directory.
    Gary
    Steve Snodgrass <[email protected]> wrote in message
    news:[email protected]...
    Follow up...
    I have been able to get individual jsp files to hot deploy if they are
    located in the DefaultWebApp_myserver directory instead of my applications
    directory. It is possible to achieve this behavior in other directories too
    if they are configured correctly right? I mean, there is nothing special
    about DefaultWebApp_myserver that would allow it to do something that other
    directories can not?
    Steve

Maybe you are looking for