Client AAA Authentication Failure

Similar Messages

• AAA Authentication Failure

  I just moved from a windows 2003 IAS server over to window 2008 NPS and I am getting  this message on the WLC. AAA Authentication Failure for UserName:VESLABCT10_15DO\Administrator User Type:  WLAN USER. this is a test user. I double checked the password both for NPS and WLC. It worked great under windows 2003 IAS. I installed certifcates services on the windows 2008 and exported the certificate and install the certificate on the client. Any suggestions

  Maybe check on the NPS logs the reason of the failure ? WLC is just a forwarder in this case :-)

• Annoying 'fake' aaa authentication failure

  Hi
  Got some new 3750x running c3750e-universalk9-mz.150-2.SE5.bin. They have identical aaa configs to other switches running 15 code (4948e) doing LOCAL device user authentication for VTY SSH access.
  Relevant bits are:
  username xxx privilege NN secret yyy
  aaa new-model
  aaa authentication login VTY local
  aaa authorization config-commands
  aaa authorization exec VTY local
  aaa authorization commands 15 VTY local
  aaa session-id common
  line vty 0 4
   session-timeout 10
   access-class 23 in
   authorization commands 15 VTY
   authorization exec VTY
   login authentication VTY
   transport input ssh
  For some reason, on SSH to the device, the login banner comes up but the password: prompt takes a few seconds. At the same time some authfail logs are seen even through haven't yet had a chance to login/enter the password. Once entering the correct password, authentication is always (correctly) successfully
  This does not occur on the older code (12.2) or on the 4948e with 15.0 code.
  It is annoying as we collect audit syslogs and every login where local is used generates one or more fails before a success.
  Is there something obscure in 15.0+ code that changes LOCAL aaa behaviour ?

  Telnet works differently anyway in that you login with a username/password. With ssh, I am passing the username.
  I did enable telnet anyway and this works without failure
  Log I get is a straightforward fail. The issue must be to do with the ssh handshake and passing of username and the behaviour has changed on some code bases. I've noticed the ASR1000 with 15.0 do the same. It is annoying due to filling up audit logs with 'rubbish'
  May 13 09:58:52.926: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 09:58:52 UTC Tue May 13 2014

• Web Auth with AAA (RAIDUS) Failure

  Hi Guys,
  We are having an issue with out Web Auth Using AAA Servers. We get the following error: AAA Authentication Failure for UserName:14t.park User Type: WLAN USER, This error is from the Web Interface, I have been looking at the debug settings to see if there is anything that might give me more detail of what is going on but I can see anything under the Web-Auth Debug for AAA Authentication.
  I have checked on our RAIDUS Servers and I can't find any errors relating to Authentication with the NPS.
  Does anyone have any suggestions?

  Machine credentials requires a lookup on the computer OU and that has to be defined on the client side.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Aaa authentication enable default group tacacs+ enable

  I am implementing CSACS 4.0. First on the client, I will apply aaa authenticatio/ authorization under vty. The issure if I use the followin command
  aaa authentication enable default group tacacs+ enable
  what will happen if I login via console? Will I be required to enter any username/password?
  Below is my configuration
  aaa new-model
  aaa authentication login authvty group TACACS + local
  aaa authentication enable default group tacacs+ enable
  aaa authorization commands 15 authvty TACACS+ local
  TACACS-server host IP
  Tacacs-server key key
  Ip tacacs source-interface VLAN 3
  aaa accounting send stop-record authentication failure
  aaa accounting delay-start
  aaa accounting exec authvty start-stop group tacacs+
  aaa accounting commands 15 authvty start-stop group tacacs+
  aaa accounting connection authvty start-stop group tacacs+
  line vty 0 15
  login authentication authvty
  authorization commands 15 authvty
  accounting connection authvty
  accounting commands 15 authvty
  accunting exec authvty
  Any suggestion will be appreciated!

  It should work because this is a message.banner prompt everytime you try to login (console/vty). I have it configured on my router.
  If you have banner motd, it will be displayed as well (see below). So I ahve to remove it to get only the aaa banner & prompt being displayed:
  *** Username: cisco, Password: cisco (priv 15f - local) ****
  Unauthorized use is prohibited.
  Enter your name here: user1
  Enter your password now:
  Router#
  The config more or less looks like:
  aaa new-model
  aaa authentication banner ^CUnauthorized use is prohibited.^C
  aaa authentication password-prompt "Enter your password now:"
  aaa authentication username-prompt "Enter your name here:"
  aaa authentication login default group radius
  aaa authentication login CONSOLE local
  HTH
  AK

• The test couldn't sign in to Outlook Web App due to an authentication failure. Extest_ account.

  Hi.
  I'm using SCOM 2012 R2 and have imported the Exchange server 2010 MP.
  I have runned the TestCasConnectivityUser.ps1 script and almost everything is okay except for the OWA test login.
  The OWA rule is working for some time until (I think) SCOM is doing a automatic password reset of the extest_ account. Then I get the OWA error below. The other test connectivity are working. Any suggestions.
  One or more of the Outlook Web App connectivity tests had warnings. Detailed information:
  Target: xxx|xxx
  Error: The test couldn't sign in to Outlook Web App due to an authentication failure.
  URL: https://xxx.com/OWA/
  Mailbox: xxxx
  User: extest_xxx
  Details:
  [22:50:08.936] : The TrustAnySSLCertificate flag was specified, so any certificate will be trusted.
  [22:50:08.936] : Sending the HTTP GET logon request without credentials for authentication type verification.
  [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
  [22:50:09.154] : The sign-in page is from ISA Server, not Outlook Web App.
  [22:50:09.154] : The server reported that it supports authentication method FBA.
  [22:50:09.154] : This virtual directory URL type is External or Unknown, so the authentication type won't be checked.
  [22:50:09.154] : Trying to sign in with method 'Fba'.
  [22:50:09.154] : Sending HTTP request for logon page 'https://xxx.com/CookieAuth.dll?Logon'.
  [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
  [22:50:09.373] : The test couldn't sign in to Outlook Web App due to an authentication failure.
  URL: https://xxx.com/OWA/
  Mailbox: xxx
  User: extest_xxx
  [22:50:09.373] : Test failed for URL 'https://xxx/OWA/'.
  Authentication Method: FBA
  Mailbox Server: xxx
  Client Access Server Name: xxx
  Scenario: Logon
  Scenario Description: Sign in to Outlook Web App and verify the response page.
  User Name: extest_xxx
  Performance Counter Name: Logon Latency
  Result: Skipped
  Site: xxx
  Latency: -00:00:00.0010000
  Secure Access: True
  ConnectionType: Plaintext
  Port: 0
  Latency (ms): -1
  Virtual Directory Name: owa (Default Web Site)
  URL: https://xxx.com/OWA/
  URL Type: External
  Error:
  The test couldn't sign in to Outlook Web App due to an authentication failure.
  URL: https://xxx.com/OWA/
  Mailbox: xxx
  User: extest_xxx
  Diagnostic command: "Test-OwaConnectivity -TestType:External -MonitoringContext:$true -TrustAnySSLCertificate:$true -LightMode:$true"
  EventSourceName: MSExchange Monitoring OWAConnectivity External
  Knowledge:
  http://go.microsoft.com/fwlink/?LinkID=67336&id=CB86B85A-AF81-43FC-9B07-3C6FC00D3D42
  Computer: xxx
  Impacted Entities (3):
  OWA Service - xxx, xxx - xxx, Exchange
  Knowledge:     View additional knowledge...
  External Knowledge Sources
  For more information, see the respective topic at the Microsoft Exchange Server TechCenter
  Thanks
  MHem

  Hi,
  Based on the error, it looks like an OWA authentication failure.
  Have you tried post this to LYNC forums?
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• CLIENT-CERT authentication in WL7

  Hi,
  I'm trying to enforce two-way authentication for clients (java applications) accessing
  a web service running on WL7.
  Web service is configured to accept requests over https only. With BASIC authentication
  it works. When I
  switch it to use CLIENT-CERT authentication I cannot connect to the web service.
  I've set the
  "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure
  the server doesn't
  produce client certificate request. May it be the cause of the problem? If so,
  how can I make the server to
  generate client cert request?

  Exactly, it was the reason. Thanks.
  Marcin
  On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
  >
  You must have been accessing the server over one-way SSL. Make sure the
  two-way
  ssl server attribute is set to: Client Certificate Enforced, or Client
  Certificate
  Requested But Not Enforced.
  This should be all that is needed to make the server send the
  certificate request.
  With Client Certificate Enforced option you should be getting ssl
  handshake failure
  unless the client sends its certificate.
  Pavel.
  yazzva <[email protected]> wrote:
  Yes, I have. If I had not done it, I couldn't have accessed the service
  via https using basic authentication, and of course ssl debugging
  information and server configuration show that ssl is configured
  properly.
  The problem is that WL7 doesn't generate client cert request. Thanks
  for
  an attempt to help.
  Have you configured the server for two way ssl?
  See
  http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
  http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
  for information on this.
  Pavel.
  "yazzva" <[email protected]> wrote:
  Hi,
  I'm trying to enforce two-way authentication for clients (java
  applications)
  accessing
  a web service running on WL7.
  Web service is configured to accept requests over https only. With
  BASIC
  authentication
  it works. When I
  switch it to use CLIENT-CERT authentication I cannot connect to theweb
  service.
  I've set the
  "javax.net.debug" directive to "ssl" and noticed that during the
  handshake
  procedure
  the server doesn't
  produce client certificate request. May it be the cause of the
  problem?
  If so,
  how can I make the server to
  generate client cert request?--
  Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

• Authentication Failure (Password Mismatch)

  Hi there.
  I am having a nightmare trying to get my web server working under Snow Leopard. To cut a long story short the server died and I had to restore it using a disk image before I migrate it to a new mavericks server. For obvious reasons I'd like to get everything working before I migrate.
  Whenever a users tries to access a secure page (mainly for svn access) they get rejected. If I try to access the page via safari/chrome I get a pop up window asking for a username and password. If the user enters their correct name and password it is constantly rejected (the name and password work elsewhere for email etc).
  In the logs on the server I get:
  [Wed Feb 05 16:34:33 2014] [error] [client 192.168.0.56] mod_auth_apple: User XXX authentication failure for "/xxx/xxxxxx": Password mismatch according to checkpw
  [Wed Feb 05 16:34:33 2014] [notice] [client 192.168.0.56] mod_auth_apple: Authenticating using lookupd or checkpw failed, and no configured htaccess file (AuthUserFile)
  If in Versions I try to refresh the svn repository I get:
  OPTIONS of 'https://[email protected]/svn/project'://[email protected]/svn/project': authorization failed: Could not authenticate to server: rejected Basic challenge (https://server.name.com)
  I am also having issues with iCal Server and AFP which makes me think there is some authorisation service which is corrupt/broken?
  Any help MOST appreciated as I am tearing my hair out here!
  Yours,
  Nic

  Ok something I have worked out by a bit of trial and error.
  NEVER run a server with two HDDs both with clones/installs of Mac OS.
  My server had the internal (faulty HDD) with the original server install called Macintosh HD. The clone was on a USB drive called SnowLeopardServer_Backup.
  Now for the most part the server worked (because most stuff uses Unix and proper paths). However it looks like all of apples stuff (Web services, iCal server and AFP) use the full path or at least components of them do. So because the server was originally set up on an HDD called Macintosh HD I can only suspect that it was freaking out by 1) now being on an HDD called something else and 2) that there was another HDD there called Macintosh HD.
  I have now renamed my old HDD to something else and renamed all the OS folders in it to something different too. I also renamed the clone drive to Macintosh HD.
  So far I turned on Web services and AFP and they work perfectly I have not turned on iCal yet as I want to ensure each service is working before turning on another.
  Also finally got the holy grail of Kerberos and Open Directory triangle working. I though that the iCal/Web/AFP not working with accounts was Open Directory related so I backed it up (and WGM), change to standalone and then tried to go back to a Master. It complained about the DNS not being set up and I finally found a post saying that you need to have your DNS set to point at 127.0.0.1 in the System Preferences > Network settings. I changed that and boom no more complaints about bad DNS
  Nic.

• NAS configure with 2 ip address failed on AAA authentication

  I have routers configured with 2 bvi interfaces for dlsw.
  When I configure NAS setting with 2 ip address, sometime the AAA authentication failed to prompt for user authentication.
  Should I used ip tacacs source-interface?
  If I configure only one, if that interface is down, then I will not be authentication using AAA even the second bvi interface is up.

  Chee
  The AAA server identifies the client by a single IP address and the client always needs to use that address as the source address. If you have 2 BVI interfaces it may be that sometimes the source address is one and sometimes the source address may be the other. That would account for the fact that sometimes it promts for user authentication and sometimes it does not prompt.
  If using 1 BVI as the source address creates the potential that sometimes it might not work because that interface was down but the other BVI was up, then perhaps you should consider configuring a loopback address and using the loopback address as the source address. If the loopback was the source address then it would not matter which BVI might be up and which might be down.
  HTH
  Rick

• AAA authentication for networking devices using ACS 4.1 SE

  Hi!!!
  I want to perform AAA authentication for networking devices using ACS 4.1 SE.
  I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
  I want telnet, ssh has,console attempt to be verified by radius server & if ACS goes down then it will be via local enable passwordf.
  For all users i need to have different privilege levels based upon which access will be granted.
  could u plz send me the config that is required to be done in the active devices as well as ACS!!!!

  Pradeep,
  Are you planning MAC authentication for some users while using EAP for others?
  For MAC authentication, just use the following in your AP.
  aaa authentication login mac_methods group radius
  In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
  In your SSID configuration, under client authentication settings,
  check "open authentication" and also select "MAC Authentication" from the drop-down list.
  If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
  Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
  You will not need to change anything in XP.
  NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
  HTH

• AAA Authentication for Traffic Passing through ASA

  I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificated. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
  Am I missing something?
  firewall# show run aaa
  aaa authentication http console TACACS+ LOCAL
  aaa authentication telnet console TACACS+ LOCAL
  aaa authentication serial console TACACS+ LOCAL
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication match guestnetwork_access guestnetwork RADIUS
  aaa authentication secure-http-client
  firewall# show access-li guestnetwork_access
  access-list guestnetwork_access; 2 elements
  access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
  access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
  firewall# show run aaa-s
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.250.14
  key xxxxx
  firewall# show run http
  http server enable

  your definition for the aaa-server is different to the aaa authentication server-group
  try
  aaa authentication http console RADIUS LOCAL
  aaa authentication telnet console RADIUS LOCAL

• Mails need to be Triggerd when clients Fails authentication

  CISCO 4404 ALERTS TO BE GENERATED(mail has to be triggerred) WHEN WLAN CLIENT AUTHENTICATION FAILS.
  Is there are any options on WCS to enable Authentication Failure on WCS.
  I have already Enabled
  1.Client authentication failure Alarm and Authentication failure reported by controller & configured both severity to Critical.
  we are currently Using Wireless Control System Version 5.1.64.0

  I assume you mean you changed the severity for "Client authentication failure" to Critical under Administration > Settings > Severity Configuration?
  Did you also go to Monitor Alarms > pulldown and choose Email Notification and enable the Clients category with the checkbox and then click the Clients category and check the critical box and add your email address?
  Have you verified that a test mail works from Administration > Settings > Mail server?

• Rman tivoli failure:  create sequential file, Authentication Failure

  New db instance, not writing to tape.
  DB is 10.2.0.4
  run {
  allocate channel sbt_backup1 type 'SBT_TAPE' format '%U' parms 'ENV=(TDPO_OPTFILE=/usr/tivoli/tsm/client/ora
  cle/bin64/tdpo_mydb.opt)';
  backup tablespace users;
  release channel sbt_backup1;
  RMAN-00571: ===========================================================
  RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
  RMAN-00571: ===========================================================
  RMAN-03009: failure of backup command on sbt_backup1 channel at 10/02/2009 11:17:42
  ORA-19506: failed to create sequential file, name="0tkqpi6l_1_1", parms=""
  ORA-27028: skgfqcre: sbtbackup returned error
  ORA-19511: Error received from media manager layer, error text:
  ANS1025E (RC137) Session rejected: Authentication failure
  Settings
  /usr/tivoli/tsm/client/oracle/bin64
  dsm_mydb.opt
  SErver_name MYDBPRD
  tdpo_mydb.opt
  DSMI_ORC_CONFIG /usr/tivoli/tsm/client/oracle/bin64/dsm_mydb.opt
  TDPO_NODE MYDBPRD
  /usr/tivoli/tsm/client/api/bin64
  dsm.sys
  NODENAME MYDBPRD
  ERRORLOGNAME /usr/local/tsm/logs/IFSDBS_MYDBPRD_error.log
  SCHEDLOGNAME /usr/local/tsm/logs/IFSDBS_MYDBPRD_sched.log
  Note: Several db/clients are working on this server. This is a new setup and not working.

  This is not an Oracle/RMAN problem,contact your TSM administrator:
  http://www-01.ibm.com/support/docview.wss?uid=swg21216057
  Werner

• WAP321 Authentication failure log codes

  Devices that have previoulsy connected to the WAP are still able to connect but any new device to the environment is not.  If I delete the network from an existing device that device is no longer able to authenticate and connect to the WAP.  Log entries below show the following errors for a single MAC.  This happened once before and to solve the issue I reentered the key into the SSID setup on the WAP.  All devices had to delete the existing SSID from their list of networks but then they were able to rejoin.  I don't want to ask users to do that again.  Any help on the log entries below is greatly appreciated!
  Jul 19 2013 01:42:34
  info
  hostapd[1078]
  wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea deauthed from BSSID c4:64:13:0c:e3:00 reason 1
  Jul 19 2013 01:42:34
  info
  hostapd[1078]
  Station 90:18:7c:b1:79:ea had an authentication failure, reason 16
  Jul 19 2013 01:42:32
  warn
  hostapd[1078]
  Received invalid EAPOL-Key MIC (msg 2/4)
  Jul 19 2013 01:42:32
  info
  hostapd[1078]
  Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
  Jul 19 2013 01:42:31
  info
  hostapd[1078]
  Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
  Jul 19 2013 01:42:30
  warn
  hostapd[1078]
  Received invalid EAPOL-Key MIC (msg 2/4)
  Jul 19 2013 01:42:30
  info
  hostapd[1078]
  Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
  Jul 19 2013 01:42:30
  info
  hostapd[1078]
  wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea associated with BSSID c4:64:13:0c:e3:00
  Jul 19 2013 01:42:30
  info
  hostapd[1078]
  wlan0: IEEE 802.11 Assoc request from 90:18:7c:b1:79:ea BSSID c4:64:13:0c:e3:00 SSID KnightIns1

  Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
  Reason Code 16: Authentication failed due to a user credentials mismatch.
  Reason-Code 22: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
  I am not sure what is causing this. However I would ask that you do two things. While everything is working normally go to Administration/Support Information and download a diagnostic file. Label it with a date WAP321 and the word "good". Save it somewhere. When this happens again, before doing anything go back in and get another diagnostic file label it the same except with the word "bad".
  Call in and open a support case and have the engineer notify me that you have opened one and also give them a reference to this community support thread.
  I will work with your engineer to see what is happening.
  Thanks
  Eric Moyers    .:|:.:|:.
  Cisco Small Business US STAC Advanced Support Engineer
  CCNA, CCNA-Wireless
  866-606-1866
  Mon - Fri 09:00 - 18:00 (UTC - 05:00)
  *Please rate the Post so other will know when an answer has been found.

• Aaa authentication enable console issue

  I have an ASA5505 running 8.2(5). It is configured with
  aaa authentication telnet console xxxxxx LOCAL
  and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privilege exec mode.
  I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privilege exec mode,I would be prompted for my password instead of the enable password, but it doesn't work.
  I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telenetted in with the local passwd.
  I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.
  Could there be something that needs to be changed on the ACS server to make this work?
  Thanks.

  Using TACACS+
  No command authorization rules are being used
  When I add the aaa authentication enable console xxxxxxxx LOCAL command,
  and use login instead of enable, I get Login failed if I try to use my credentials.
  However, if I use login with the locally configured username and password, it lets me in.
  Here is the config (without the aaa authentication enable console command):
  User Access Verification
  Username: xxx/xxxxxxxxxx
  Password: ************
  Type help or '?' for a list of available commands.
  FW> en
  Password: ********
  FW# sh ru
  : Saved
  ASA Version 8.2(5)
  terminal width 511
  hostname xxxxxxxx
  enable password *********** encrypted
  passwd *********** encrypted
  names
  interface Ethernet0/0
  switchport access vlan xxx
  interface Ethernet0/1
  switchport access vlan xxx
  shutdown
  interface Ethernet0/2
  switchport access vlan xxx
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlanxxx
  nameif inside
  security-level 100
  ip address x.x.x.x x.x.x.x
  interface Vlanxxx
  nameif OUtside
  security-level 0
  ip address x.x.x.x x.x.x.x
  ftp mode passive
  same-security-traffic permit intra-interface
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object udp
  protocol-object tcp
  group-object TCPUDP
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object udp
  protocol-object tcp
  group-object TCPUDP
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object ip
  protocol-object udp
  protocol-object tcp
  access-list Outside_access_in extended permit ip any any
  access-list inside_access_in extended permit icmp any any
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 a
  ny any inactive
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 a
  ny any
  access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1
  any any inactive
  access-list OUtside_access_in extended permit icmp any any
  access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3
  any any
  pager lines 24
  logging enable
  logging asdm informational
  logging host inside x.x.x.x
  mtu inside 1500
  mtu OUtside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  access-group inside_access_in in interface inside
  access-group OUtside_access_in in interface OUtside
  route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server xxxxxxxxx protocol tacacs+
  aaa-server xxxxxxxxx (inside) host x.x.x.x
  key *****
  aaa-server xxxxxxxxx (inside) host x.x.x.x
  key *****
  aaa-server xxxxxxxxx (inside) host x.x.x.x
  key *****
  aaa authentication http console ******* LOCAL
  aaa authentication ssh console ******* LOCAL
  aaa authentication telnet console ******* LOCAL
  aaa local authentication attempts max-fail 5
  http server enable
  http x.x.x.x x.x.x.x inside
  http x.x.x.x x.x.x.x inside
  snmp-server host inside x.x.x.x community ***** version 2c
  snmp-server host OUtside x.x.x.x community ***** version 2c
  snmp-server host inside x.x.x.x community ***** version 2c
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet x.x.x.x x.x.x.x inside
  telnet x.x.x.x x.x.x.x inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config OUtside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username ******* password ************** encrypted privilege 15
  username ******* password ************** encrypted privilege 15
  username ******* password ************** encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:
  : end
  FW#
  Thanks.