Cisco sr520 VPN configuration and deployment
Hope one of the Cisco geniuses can help me out. I have a small business with one SR520 edge router. The network is up and running fine, but I need to allow remote users to connect back to a VPN at the office in order to access WinXP PCs using Remote Desktop (RDP).
I have searched the web and the Cisco forums and see there are quite a few VPN configurations, but I found no clear setup guide for accomplishing what I understood to be pretty simple: "allow 5 outside users to connect back to the office and work as if they were sitting in the office".
Question:
1. What client software is needed on the remote client PC to connect back to the SR520 VPN? Can I use the Windows PPTP VPN client or the built-in Mac client?
2. My router shows three items labeled VPN: VPN Remote, VPN Server and SSL VPN. I have tweaked each of these screens but still have not been able to connect an outside client. Is there a setup guide that explains the features of this router and how to use them?
3. After poking around the Cisco site for a VPN client, I am wondering why I need a support contract to use a feature of a router I just bought. Do firmware and client software cost extra?
Thanks for any assistance you can offer...
Kevin Hall
Houston Tx
Hi,
Some users have reported that IPSecuritas works well with the Cisco Small Business routers.
http://www.lobotomo.com/products/IPSecuritas/
For the RV180 I would try to adapt the SA500 tutorial to make it work:
http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_mac_appnote.pdf
Please note that this client is not supported by Cisco. If you have questions or issues, please post here on the forum.
- Marty
Similar Messages
-
Best practice for .war? Configure and deploy or deploy and configure?
In Apache Tomcat for example, I can deploy an app, stop the server, reconfigure the app in situ, then start the server again...
Is this recommended for deploying Java web apps to Oracle App Server 10g?
We currently have a consulting firm that is recommending to configure the web app before deploying. Sounds reasonable, except that they want this done via JDeveloper so that the Sys Admin can right click on the "deploy to OAS" button (ie: have the tools generate the .war file after configuration and deploy automagically).Thanks for your feedback.
Are you aware of any way to use the *.deploy configuration file that is created by JDeveloper in an ANT script to create the .war or .ear file?
If not, I can picture the Sys Admin and developers groaning when they're told that they're JDeveloper web-app configuration cannot be used for production -- and that they must somehow duplicate that functionality in an ANT script!
I do have the below ANT scripts from Debu to do the deployment etc. But they only help after the .ear is built.
EAR file deployment:
<target name="deploy" depends="core">
  <java jar="${j2ee.home}/admin.jar" fork="yes">
    <arg value="${oc4j.deploy.ormi}"/>
    <arg value="${oc4j.deploy.username}"/>
    <arg value="${oc4j.deploy.password}"/>
    <arg value="-deploy"/>
    <arg value="-file"/>
    <arg value="${this.build}/${this.ear}"/>
    <arg value="-deploymentName"/>
    <arg value="${this.application.name}"/>
  </java>
</target>
Web application binding:
<target name="bind-web-app" depends="deploy">
  <java jar="${j2ee.home}/admin.jar" fork="yes">
    <arg value="${oc4j.deploy.ormi}"/>
    <arg value="${oc4j.deploy.username}"/>
    <arg value="${oc4j.deploy.password}"/>
    <arg value="-bindWebApp"/>
    <arg value="${this.application.name}"/>
    <arg value="${this.war}"/>
    <arg value="http-web-site"/>
    <arg value="/${this.uri}"/>
  </java>
</target>
Undeployment:
<target name="undeploy" depends="init">
  <java jar="${j2ee.home}/admin.jar" fork="yes">
    <arg value="${oc4j.deploy.ormi}"/>
    <arg value="${oc4j.deploy.username}"/>
    <arg value="${oc4j.deploy.password}"/>
    <arg value="-undeploy"/>
    <arg value="${this.application.name}"/>
  </java>
</target> -
Assistance in configuring and deploying OS to domain
Kindly provide info about in configuring and deploying OS to domain
Pls have a look, Best place to start , in and out
http://www.windows-noob.com/forums/index.php?/topic/4468-using-sccm-2012-rc-in-a-lab-part-7-build-and-capture-windows-7-x64/
http://www.windows-noob.com/forums/index.php?/topic/4512-using-sccm-2012-rc-in-a-lab-part-8-deploying-windows-7-x64
http://www.windows-noob.com/forums/index.php?/topic/5124-using-sccm-2012-rc-in-a-lab-part-15-deploying-windows-8-consumer-preview-using-configuration-manager-2012-rc2/
Video Pls
www.youtube.com/watch?v=99I354t500g
www.youtube.com/watch?v=8uEvEVul1Vk
Thanks, Prabha G -
How to configure and deploy OAM 11g with DB setup using silent mode
Hello all,
I am trying to create automation process to install and configure OAM 11g on WLS. This task involves three stages
1. Install WLS
2. Install OAM 11g
3. Create DB schema using RCU
4. Configure and deploy OAM 11g
I have done first 3 stages in silent mode using scripts and response files. I am stuck at 4th stage. I know how to configure and deploy OAM 11g using config.sh via GUI installer as well as console mode. But I would like to run config.sh in silent mode something like
./config.sh -mode=silent -silent_script=<script_location>
I have searched a lot, but could not find any resource on how to do it? I tried passing the parameters via a text file. But that has not worked. I have also explored WLST, but it also does not work. Given that first 3 things are relatively very simple, the 4th step is becoming complex. I would be very thankful if someone can please point me in the right direction.
Thanks!
Have a look at your software directory: <software directory>/Disk1/stage/Response
Here you will find 2 rsp files which you can use to install and then configure it all.
Good luck.
Filip -
I established a VPN configuration and connected but cannot connect to server?
I work from an iMac at home and need to connect to my work server and files. I established the VPN configuration and connected to the building, but cannot access the server. What am I doing wrong, or what else do I need to do?
Once your VPN is connected, you still need to log in to the server(s) you are using. This does not necessarily happen automatically - you may have to manually log in to your server(s). To do this, in the Finder menu do Go > Connect to Server and enter the server address. If these are windows servers it's probably an SMB connection in which case you would enter smb://<serveraddress> in the server address field.
Best bet is to talk with the IT folks where you work, as you may need specific information about how to log in to your server(s). There are ways to automate the login but you first need the correct login details (server address, userID, password).
If you want to automate the login process, here's a simple Applescript that I wrote in my own case. Create this using Applescript Editor. After testing, save it as an Application; then in System Preferences you can add it to your list of Login Items so it runs automatically whenever you sign in to your Mac. Of course, your VPN will have to already be connected in order for this to actually work.
delay 30
tell application "Finder"
mount volume "smb://servername1/mountpoint_A"
mount volume "smb://servername2/mountpoint_B"
end tell
(Note: "servernameX/mountpoint_Y" is the address of each of the 2 servers I log into, except that in this example they are completely fictitious names.) -
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
October 27, 2014 through November 7, 2014.
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
Remember to use the rating system to let Craig know if you have received an adequate response.
Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
(Comments are now closed)
1. Without more specifics it is hard to determine the actual issue. It may be possible that if configured in the same subnet, asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out the same interface.
2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify.
For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port.
If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy. If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA. Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
Regarding AD multi-domain support...
Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via foreign RADIUS server.
Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE. If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection. If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
Regards,
Craig -
Ask the Expert: Cisco Prime Infrastructure - Implementation and Deployment
Welcome to the Cisco Support Community Ask the Expert conversation.
This Ask The Expert session will cover questions spanning Cisco Prime Infrastructure implementation and deployment on wired and wireless networks. It will be specific to customers' and partners' questions about PI configuration, features and menus, network monitoring, maps, implementation, high availability, maintenance and troubleshooting.
Monday, February 2nd, 2015 to Friday, February 13th, 2015
Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS) handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco Prime Infrastructure and Cisco Wireless products. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS) and CCIE (DC) certifications.
Afroz Ahmad is a customer support engineer in High-Touch Technical Services (HTTS) handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco NMS products like Prime Infrastructure, LMS, IP SLA and SNMP etc. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS),CCIE (DC), and SCJP (Sun Certified Java Professional )
Vinod Kumar Arya is a customer support engineer in High-Touch Technical Services (HTTS) handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco NMS products like Prime Infrastructure, LMS, IP SLA and SNMP etc. He has over 8 years of industry experience working with large enterprise and service provider networks. He also holds VCP 5 and RHCE certifications.
** Remember to use the rating system to let the experts know you have received an adequate response.**
Because of the volume expected during this event, the experts might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, > Network Management, shortly after the event. This event lasts through February 13th 2015. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.
Hello Wilson,
Thanks for joining us.
The 1841 should work fine for NetFlow. Hope you have a valid "PI Assurance license" installed on the server.
A "PI Assurance license" is required for the NetFlow feature.
Devices supporting NetFlow in PI:
1400, 1600, 1700 & 1800
2500, 2600 & 2800
3600, 3700, 3750 & 3800
4500 & 4700
AS5300 & 5800
7200, 7300, 7400 & 7500
Catalyst 4500 ASCI
Catalyst 5000, 6500, & 7600 ASCI
ESR 10000 ASCI
GSR 12000 ASCI
Cisco IOS Software Release Version | Supported Cisco Hardware Platforms
11.1CA, 11.1CC | Cisco 7200 and 7500 series, RSP 7200 series
12.0 | Cisco 1720, 2600, 3600, 4500, 4700, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series
12.0T, 12.0S | Cisco 1720, 2600, 3600, 4500, 4700, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series, MGX8800RPM series, and BPx8600 series
12.0(3)T, 12.0(3)S | Cisco 1720, 2600, 3600, 4500, 4700, AS5300, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series, MGX8800RPM series, and BPx8650 series
12.0(4)T | Cisco 1400, 1600, 1720, 2500, 2600, 3600, 4500, 4700, AS5300, AS5800; RSP 7000 and 7200 series; uBR 7200 and 7500 series; RSM series, MGX8800RPM series, and BPx8650 series
12.0(4)XE | Cisco 7100 series
12.0(6)S | Cisco 12000 series
NetFlow is also supported by these devices Cisco 800, 1700, 1800, 2800, 3800, 6500, 7300, 7600, 10000, CRS-1 and these Catalyst series switches: 45xx, 55xx, 6xxx.
NetFlow export is also supported on other Cisco switches when using a NetFlow Feature Card (NFFC) or NFFC II and the Route Switch Module (RSM), or Route Switch Feature Card (RSFC). However, check whether version 5 is supported, as most switches export version 7 by default.
You can check the below steps to diagnose the issue::
To verify that NetFlow is exported from a device to PI, follow the steps below:
1) Browse to the Administration > Data Sources page. Check the value in the 'Last Active Time' column of the 'Device Data Sources' table. If the table is empty or the value does not represent a recent time, then it is possible that the device is not exporting NetFlow or the PI Assurance license is not applied / has expired.
2) Log in to the PI console (via SSH) as root user and run the command:
netstat -an | grep 9991
Output of this should be like: udp 0 0 :::9991 :::*
Check the firewall settings on the PI server using the command: firewall -L
3) Check the configuration on an IOS / IOS-XE device. Run the commands
a) sh running-config | inc destination
1) This should list the IP address of the PI SERVER ( along with other outputs if any)
b) sh running-config | inc 9991
1) This should list at least one entry.
c) If the above are fine, then verify that the flow monitor, flow exporter and the flow records are correctly configured on the device.
Refer to the URLs below to configure NetFlow export.
http://preview.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/2.0/user/guide/setup_monitor.html#wp1056427
Thanks-
Afroz
***Ratings Encourages Contributors **** -
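The device-side checks in the steps above (exporter destination is the PI server, transport is UDP 9991, a flow monitor ties record and exporter together, and that monitor is applied to an interface) can be run offline against a saved running-config. The following is an added example, not Cisco's or the poster's code: it parses a constructed IOS Flexible NetFlow configuration and a constructed `netstat -an` line from the collector. The addresses, exporter/monitor names and interfaces in the samples are assumptions.

```python
"""Offline checker for the NetFlow-export prerequisites listed in the post above.

Added example, not Cisco's or the poster's code. Sample names, addresses and
interfaces are constructed for illustration.
"""
import re

# Constructed sample of what `show running-config` might return on an IOS/IOS-XE device.
SAMPLE_CONFIG = """\
flow record PI-RECORD
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
!
flow exporter PI-EXPORTER
 destination 192.0.2.10
 source GigabitEthernet0/0
 transport udp 9991
 export-protocol netflow-v9
!
flow monitor PI-MONITOR
 record PI-RECORD
 exporter PI-EXPORTER
!
interface GigabitEthernet0/1
 ip flow monitor PI-MONITOR input
!
"""

# Constructed sample of the listener line `netstat -an | grep 9991` should show on the PI server.
SAMPLE_NETSTAT = "udp        0      0 :::9991                 :::*"

BLOCK_RE = re.compile(r"^(flow (?:record|exporter|monitor)|interface) (\S+)")


def parse_blocks(config):
    """Map (block kind, name) -> list of indented sub-commands.

    IOS prints top-level commands at column 0 and their sub-commands indented;
    a bare '!' ends a block. Blocks other than flow */interface are ignored.
    """
    blocks = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            m = BLOCK_RE.match(line)
            current = (m.group(1), m.group(2)) if m else None
            if current is not None:
                blocks.setdefault(current, [])
    return blocks


def check_netflow_export(config, collector_ip, port=9991):
    """Return the three findings a PI admin needs, each True or False."""
    blocks = parse_blocks(config)
    exporters = {n: b for (k, n), b in blocks.items() if k == "flow exporter"}
    monitors = {n: b for (k, n), b in blocks.items() if k == "flow monitor"}
    interfaces = {n: b for (k, n), b in blocks.items() if k == "interface"}

    # `sh running-config | inc destination` and `| inc 9991` in one check:
    # the exporter must point at the PI server on the collector port.
    good_exporters = {
        n for n, b in exporters.items()
        if f"destination {collector_ip}" in b and f"transport udp {port}" in b
    }
    # A monitor is only useful if it names a record and one of those exporters.
    good_monitors = {
        n for n, b in monitors.items()
        if any(l.startswith("record ") for l in b)
        and any(l == f"exporter {e}" for l in b for e in good_exporters)
    }
    # Finally the monitor has to be attached to an interface (input or output).
    attached = any(
        parts[:3] == ["ip", "flow", "monitor"]
        and parts[3] in good_monitors
        and parts[4] in ("input", "output")
        for b in interfaces.values()
        for parts in (l.split() for l in b)
        if len(parts) == 5
    )
    return {
        "exporter_to_collector": bool(good_exporters),
        "monitor_wired": bool(good_monitors),
        "applied_on_interface": attached,
    }


def collector_listening(netstat_line, port=9991):
    """True when a `netstat -an` line shows a UDP socket bound on the collector port."""
    parts = netstat_line.split()
    return len(parts) >= 4 and parts[0].startswith("udp") and parts[3].endswith(f":{port}")


if __name__ == "__main__":
    print(check_netflow_export(SAMPLE_CONFIG, "192.0.2.10"))
    print("collector listening:", collector_listening(SAMPLE_NETSTAT))
```

Feed `check_netflow_export` the text of `show running-config` and the PI server address; a `False` in `exporter_to_collector` corresponds to the `inc destination` / `inc 9991` checks failing, while `monitor_wired` and `applied_on_interface` cover step c (flow monitor, exporter and record wiring).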
Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2
This setup is to try routing Cisco VPN authentication to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in the incoming AUTH request from the Cisco IPSec VPN Client 5.x. Tried playing with .pcf files and user names/identity stores; none seem to work.
Hi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert -
How to create Agreement Configuration and deploy it
Hi All,
Through the self-service APIs we are able to create the agreement. How do I create the configuration for the same and deploy it using Java/PL-SQL code... any sample code and example file?
Regards,
Praveen
Hi Praveen,
You can use self-service API to deploy configuration using a JAVA program or command line. To use it in the command line-
1. java oracle.tip.adapter.b2b.selfservice.TradingPartnerManager --- creates the Trading Partner profiles from the specified XML file
2. java oracle.tip.adapter.b2b.selfservice.AgreementManager creates agreements from the specified XML file
To use it in Java:
import java.io.FileInputStream;
import org.xml.sax.InputSource;
import oracle.tip.adapter.b2b.selfservice.TradingPartnerManager;
import oracle.tip.adapter.b2b.selfservice.AgreementManager;
// Trading partner profiles: the XML file is read through a SAX InputSource
FileInputStream tpFis = new FileInputStream(tpFile);
InputSource tpSource = new InputSource(tpFis);
TradingPartnerManager tpMgr = TradingPartnerManager.newInstance();
tpMgr.init();
if (args.length == 2) {
    tpMgr.processTPProfiles(tpSource, true);
} else {
    tpMgr.processTPProfiles(tpSource, false);
}
tpMgr.shutdown();
// Agreements: a fresh stream and InputSource (the original reads tpFile again here)
FileInputStream agrFis = new FileInputStream(tpFile);
InputSource agrSource = new InputSource(agrFis);
AgreementManager agreementMgr = AgreementManager.newInstance();
agreementMgr.init();
agreementMgr.processAgreements(agrSource);
agreementMgr.shutdown();
Please refer below link for the same -
http://www.b2bgurus.com/2007/09/creating-b2b-metadata-using-self.html
Regards,
Anuj -
Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...
Hi Guys
I am having issues with the built-in Cisco VPN client on the Mac; I am currently using Mac OS X 10.7.4.
I have a Fortigate 200B device and have set up the IPSec VPN settings to have a keylife of 86400 seconds.
However, the experience I am having with the Mac clients is that after about 50 minutes the users are being asked to re-authenticate to the VPN...
When checking the debug logs I can see that the peer (Mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds, which is 1 hour...
Usually in IPSec a re-negotiation process takes place about 10 minutes or so before the key expires...
My question is where the VPN settings are kept on the Mac... I know it uses racoon for the IPSec key exchange, and so I would like to tweak the VPN profiles so that the Mac sets the lifetime of the key to 86400 instead of the default 3600...
I also want to be able to set logging to debug mode for the racoon daemon on the Mac clients.
Your help is much appreciated
Kind Regards
Mohamed -
Cisco AnyConnect VPN client and 256 AES encryption in IE8
Hey,
We have a site that we are trying to connect to with the AnyConnect VPN client version 2.5.3055 on Windows XP SP3. As soon as we enter the site info and hit Select, it says a connection was unable to be established.
I believe this has to do with the encryption; it's set up with 256-bit AES. We are only able to install IE8, which on XP only supports up to 128-bit encryption, so in IE8 the page will not load. To fix that issue we installed Firefox, which supports 256-bit encryption. We can get to the page there, but when we go to connect to the same site via the VPN client it still will not connect. It works fine on a Windows 7 box with IE9 installed from the same network.
My question mainly pertains to how the AnyConnect client connects on the back end. Does it use Internet Explorer's SSL layer by default, or does it have its own? If it connects through Internet Explorer, is there a way to change it to Firefox so it will actually be able to open a connection?
Thank you for your answers in advance,
John
Hey Jeff,
Thanks for answering that question. Hmm, so it doesn't go through the browser's SSL layer. We have systems on the same network (same proxy, firewall, VLAN, etc.). All the systems with Windows XP SP3 and IE8/IE7 cannot connect to the VPN (they aren't even able to start the connection and ask for proxy/logon info); all the systems with Windows 7 and IE9 can. Same setups on each one as far as the security policies go as well. I thought it might have to do with the 256-bit encryption that they are using.
If that's not the case, what else could be causing the problem? We've tested it on about 5 XP machines and 5 Win 7 machines, same results on each. Connects on Win 7, does not connect on Win XP.
Thanks,
John -
10gAS configuration and deploying 9i applications on 10gAS forms server
Hi!
To start with, Pls. explain me the main configuration files after the installation of 10gAS or any AS.
How to deploy 9i applications on 10gAS forms server?
http://download-uk.oracle.com/docs/cd/B13597_05/bf.904/b10470/toc.htm
-
Cisco 5505 VPN assistance - Resending P1 and Peer to Peer List No match
Hello and thanks in advance to anyone that can help me with the IPSec connection. The VPNs were working when I first created them, but now they won't connect. Here is the error on the primary (local) firewall: (yes, I know the time isn't set yet on the firewall)
4|May 17 2007|13:51:55|713903|||||IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|May 17 2007|13:51:55|713902|||||IP = X.X.X.X, Removing peer from peer table failed, no match!
6|May 17 2007|13:51:55|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
5|May 17 2007|13:51:55|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|May 17 2007|13:51:47|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
5|May 17 2007|13:51:47|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.
The local firewall has one VPN configured and the remote has 2 (1 working and the other not). The local firewall is Base licensing with 3DES. As far as I can tell they have the same VPN parameters, but maybe the remote has pfs1 turned on? I've played with various settings and can't seem to get it to work. The crypto map has the same firewall rules in it (obviously reversed on the remote). Any help much appreciated! I have a third site doing exactly the same thing (once again it also works on another site-to-site but not this one). It's weird because I used the IPSec wizard and got it to work, rebooted the ASA and the tunnel came up yet again, but now my debug log is just full of this info and the tunnels never come up... the only time it was up was for a few hours, then it won't come up anymore... odd.
Local Firewall:
hostname ciscoasa
names
name 172.25.42.0 MASALan
name 172.25.7.0 FHR
name 172.25.43.0 MR
interface Vlan1
nameif inside
security-level 100
ip address 172.25.6.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.30 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-network
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object igmp
protocol-object gre
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object igmp
protocol-object gre
object-group network DM_INLINE_NETWORK_4
network-object MASALan 255.255.255.0
network-object MR 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 172.25.6.0 255.255.255.0
network-object FHR 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object igmp
protocol-object gre
object-group network DM_INLINE_NETWORK_3
network-object 172.25.6.0 255.255.255.0
network-object FHR 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object MASALan 255.255.255.0
network-object MR 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
access-list NONAT extended permit ip any 172.25.4.0 255.255.255.0
access-list NONAT extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
access-list NONAT extended permit ip FHR 255.255.255.0 MR 255.255.255.0
access-list NONAT extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_5
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemotePool 172.25.4.1-172.25.4.2 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 172.25.1.0 255.255.255.0 172.25.6.2 1
route inside 172.25.2.0 255.255.255.0 172.25.6.2 1
route inside 172.25.8.0 255.255.255.0 172.25.6.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.25.0.0 255.255.0.0 outside
http 172.25.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 216.183.157.158
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 172.25.0.0 255.255.0.0 inside
ssh 172.25.6.0 255.255.255.0 inside
ssh 172.25.0.0 255.255.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-filter none
vpn-tunnel-protocol IPSec
tunnel-group osfdremote ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy1
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
REMOTE FIREWALL
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group CHN
ip address pppoe setroute
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 172.25.42.0 255.255.255.0
network-object RFN 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object RHQASAnet 255.255.255.0
network-object RHQNet 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object gre
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object 172.25.42.0 255.255.255.0
network-object RFN 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object FHData 255.255.255.0
network-object FHR 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object gre
protocol-object tcp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq www
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 RHQASAnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 RHQNet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 RHQASAnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 FHData 255.255.255.0
access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 FHR 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any object-group DM_INLINE_NETWORK_2
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any object-group DM_INLINE_NETWORK_4
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 FHData 255.255.255.0
no pager
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool 192.168.5.1 192.168.5.1-192.168.5.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.110.10.1 1
route inside RFN 255.255.255.0 172.25.42.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.25.0.0 255.255.0.0 inside
http 10.7.72.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 outside
http RHQNet 255.255.255.0 inside
http RHQASAnet 255.255.255.0 inside
http RHQASAnet 255.255.255.0 outside
http RHQNet 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer Y.Y.Y.Y
crypto map outside_map0 2 set transform-set ESP-AES-128-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.255.255 inside
telnet 172.25.0.0 255.255.0.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.5.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy remotevpn internal
group-policy remotevpn attributes
vpn-tunnel-protocol IPSec
vpn-group-policy remotevpn
tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y general-attributes
default-group-policy GroupPolicy1
tunnel-group Y.Y.Y.Y ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map global-policy
class inspection_default
inspect pptp
service-policy global_policy global
prompt hostname context
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xd578cda0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:8e338e16 terminating: flags 0x01000002, refcnt 0, tuncnt 0
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Removing peer from peer table failed, no match!
May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Error: Unable to remove PeerTblEntr
Is the result and then it repeats =) -
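The "MM Responder FSM error history" line in the debug output above is the ASA's record of where Main Mode stood when the tunnel failed; the following Python, added here as an example and not part of the post or of any Cisco tool, parses such a line into the state the responder was in when it gave up and the number of retransmissions that preceded it. It assumes the debug text is pasted verbatim; SAMPLE_LOG is a constructed copy of three lines from the thread with the peer kept as the post's X.X.X.X placeholder.

```python
"""Summarise a Cisco ASA IKEv1 'MM Responder FSM error history' debug line.
Added example, not from the forum post or from Cisco. SAMPLE_LOG is a constructed
copy of three debug lines quoted in the thread (peer kept as the post's X.X.X.X
placeholder) with the line-wrap damage removed."""
import re
from collections import Counter

SAMPLE_LOG = """\
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xd578cda0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:8e338e16 terminating: flags 0x01000002, refcnt 0, tuncnt 0
May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Removing peer from peer table failed, no match!
"""

FSM_RE = re.compile(
    r"IP = (?P<peer>[^,]+), IKE (?P<mode>MM|QM) (?P<role>Responder|Initiator) "
    r"FSM error history.*?: (?P<hist>.+)$")

# What a Main Mode responder was still waiting for when it stalled (ASA state names).
RESPONDER_WAIT_STATES = {
    "MM_WAIT_MSG3": "MSG2 was sent (ISAKMP proposal accepted) but the initiator's MSG3 (KE/nonce) never arrived",
    "MM_WAIT_MSG5": "key exchange done but the initiator's MSG5 (ID/auth) never arrived; often a pre-shared-key mismatch",
}

def parse_history(hist):
    """Split 'MM_DONE, EV_ERROR-->MM_WAIT_MSG3, ..., NullEvent' into the final
    state and a most-recent-first list of (state, event) pairs: each token
    'EVENT-->STATE' records that EVENT fired while the FSM was in STATE."""
    parts = [p.strip() for p in hist.split(",")]
    steps = [tuple(reversed(p.split("-->", 1))) for p in parts[1:] if "-->" in p]
    return parts[0], steps

def analyze(log_text):
    """Return {peer: summary}: which state the FSM failed in, how many
    retransmissions preceded the failure, and whether the IKE SA was torn down."""
    results = {}
    for line in log_text.splitlines():
        m = FSM_RE.search(line)
        if m:
            final, steps = parse_history(m.group("hist"))
            failed_in = next((s for s, e in steps if e == "EV_ERROR"), None)
            events = Counter(e for _, e in steps)
            results.setdefault(m.group("peer"), {"sa_terminated": False}).update(
                role=m.group("role"), final_state=final, failed_in=failed_in,
                resends=events["EV_RESEND_MSG"],
                hint=RESPONDER_WAIT_STATES.get(failed_in, "see the Main Mode state table"))
        elif "terminating:" in line:  # 'IKE SA MM:<cookie> terminating: ...'
            peer = re.search(r"IP = ([^,]+),", line).group(1)
            results.setdefault(peer, {})["sa_terminated"] = True
    return results

if __name__ == "__main__":
    for peer, s in analyze(SAMPLE_LOG).items():
        print(f"{peer}: {s['role']} gave up in {s['failed_in']} after {s['resends']} "
              f"retransmissions; SA torn down: {s['sa_terminated']}. {s['hint']}")
```

For the thread's output this reports the responder giving up in MM_WAIT_MSG3 after three retransmissions, i.e. the phase 1 proposal was accepted and the failure is in the exchange after MSG2 rather than in the ISAKMP policy.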
To clarify, we have about 100 iPads deployed in our district and lots more on the way. We had just used iTunes in the past to back up one master device with the apps and restored it on the remaining sets of iPads. Obviously we wanted a simpler way to manage this as we are getting a lot more iPads coming in for use in the different schools. We got an MDM solution (Casper) and started using Configurator.
We are running the latest of Configurator (1.4.2) and iOS (7.0.4).
From what I have read (and a lot at that) I know that there are numerous issues with this setup (hopefully addressed very soon).
Here is my question:
Is it possible to take an already deployed device, loaded with apps (paid and free), back it up in Configurator, and deploy it to other iPads and still get all the apps to come down along with the restore?
Apparently this was possible in the past, I am just wondering if I am missing something. Any help or suggestions on how you are doing it would be very helpful.
Oh, and to clarify, we are using VPP for the apps, just not managing them anywhere at this time; we haven't decided the best tool for that, maybe Casper, maybe Configurator, but we are compliant, only using the same quantity of apps that we have purchased.
Thanks
Edit: spelling error
I've heard if you contact your Apple rep, Apple may restore your VPP codes so you can move to an MDM.
Read the Google doc below and nsdjoey write up.
IT Resources -- iOS & OS X -- This is a fantastic web page. I like the education site over the business site.
View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
http://www.apple.com/education/ipad/resources/
Scroll down past all the pretty pictures. Click on the words "For IT".
Joe Rowe's Excellent guides
IT managers who are new to configurator and managing a cart of ios devices:
https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/edit?pli=1
[ original announcement -- https://discussions.apple.com/thread/4256735?tstart=0 ]
Quick help presentation for students:
https://docs.google.com/presentation/d/18937JdleX2gymtSb8zfbDczV-76BdR2DIfCV9eJiyOE/edit#slide=id.g1b776944_0_224
good tips for initial deployment:
https://discussions.apple.com/message/18942350#18942350
https://discussions.apple.com/thread/3804209?tstart=0
See nsdjoey writeup. See third post.
https://discussions.apple.com/message/22286109#22286109
"Deploying a great quantity of iOS devices means creating a great quantity of Apple IDs. This script allows automated Apple ID creation from a spreadsheet."
http://www.enterpriseios.com/wiki/Apple_ID_Automation_Builder -
WLS 6.0 config and deployment
Hi,
Just converted our app from 5.1 to 6.0. Not too many problems once we
figured out the class loader situation. I have some questions regarding
configuration and deployment which are not clear to me after reading the
documentation.
I find I have to modify config.xml manually quite often to fix problems
which the console creates. It is not at all uncommon for me to change a
property via the console and then have to undo the change manually to
get the server to properly start up again. While I accept that this is
probably due to a mistake I am making, I am very surprised that this
system is so fragile. Now for my questions...
1) Sometimes the console will add a new application to my config.xml
with a "-1 " extension. Why is this? It doesn't create problems in and of
itself but does seem to accompany other problems which the console
creates in this file.
2) I intend to deploy an ear for production purposes, but as the
documentation points out this is inconvenient for development. I need
the ability to modify single jsp files without redeploying all of them.
This worked great in 5.1. I am unable to do this in 6.0. As it stands
now, my jsp files are only redeployed on startup and unfortunately seem
to be redeployed every time we start regardless of whether changes were
made to them. This makes development much slower. The REDEPLOY file
business discussed in the docs doesn't seem to have any effect. I
currently am deploying the jsp files and associated classes in "expanded
directory format" under the .config/domain/applications/applicationName
directory. I am deploying some EJBs in a pre-compiled jar file and
placing this jar file in the system classpath so the jsps can access the
shared classes. (I know this prevents hot deployment but I seem to have
no choice since the EJBs' interfaces do not reference all shared classes
and therefore do not export them to their parent.) This jar file resides
in the ./config/domain/applications directory. Any ideas as to why I can
not get my jsp files to hot deploy one at a time?
All in all, 6.0 is a great release but development time has increased
dramatically. Hot deployment is not going to work for us because
unfortunately many of our classes are required by our startup classes
and therefore must be placed in the system classpath.
Thanks,
Steve
Basically, hot deployment of JSPs isn't supported for dynamically deployed
webapps, that is, those in the applications directory.
Gary
Steve Snodgrass <[email protected]> wrote in message
news:[email protected]...
Follow up...
I have been able to get individual jsp files to hot deploy if they are
located in the DefaultWebApp_myserver directory instead of my applications
directory. It is possible to achieve this behavior in other directories too
if they are configured correctly, right? I mean, there is nothing special
about DefaultWebApp_myserver that would allow it to do something that other
directories can not?
Steve