Configuring Cisco AP 1252 as a Universal WGB

Hi,
I wanted to know if someone can help me get this configured right. The problem that I'm having is I have users who need to get access to the internet but they are in a trailer outside the building. I was told to configure 2 APs, one as a standard AP and the other as a Universal WGB. Below is how I have the devices configured.
Inside the building I have a 3560-E with port gi0/6 configured as a trunk to support the AP; outside in the trailer I have a 3750 with port fa1/0/1 configured as a trunk to support the WGB. I was told by another engineer that all I had to do is configure the one that I want as the WGB and make sure they are in line of sight and it should work. So I did just that and I plugged my laptop into port 4 on the 3750 and I don't get anything. I wanted to know whether this model AP can be used as a WGB because I've seen things that say you shouldn't do it. And if you can use them, can you tell me how to configure the one that's the Universal WGB to give out IP addresses to my wired PCs in the trailer? Thanks in advance and I look forward to your reply.

Is this what you are looking for?
Wireless Bridges Point-to-Point Link Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058f53e.shtml

Similar Messages

  • How to set up SPA525 VPN client? How to configure Cisco VPN server?

    Hi all,
    How to set up SPA525 VPN?
    How to configure Cisco VPN server for SPA525?
    Regards
    John

    Hi John,
    Do you want to setup the SPA525 on the UC300?  If so the UC300 does not support any VPN or remote users.  If you need configuration help with the UC5XX just let me know.
    Thank you,
    Jason Nickle

  • Configuring Cisco Router for use with Syslog Server

    Configuring Cisco Router for use with Syslog Server:
    Does anyone know of a good doc for this?
    -Ashley

    Start with that one: http://security-planet.de/wp-content/uploads/2008/12/logging-ios.pdf
    And if you need more information, just ask what you want to achieve.

  • Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring

    Hi all,
    I am implementing Cisco Prime Collaboration to monitor the quality of the VoIP call.
    I am following all the steps that I have to do to accomplish this task at this link:
    http://docwiki.cisco.com/wiki/Setting_up_Devices_for_Prime_Collaboration_Assurance#Configuring_Unified_Contact_Center_Enterprise_Devices
    And now I have arrived at this step:
    Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring
    Not all the Cisco devices that I have on the network have "Mediatrace, IP SLA and Performance Monitoring" capabilities. The core switch is one of them.
    What will happen if some devices are configured with these capabilities and some are not?
    Are the data provided from Cisco Collaboration still reliable?
    Thanks in advance.
    Luigi

    I can't see a reason why the 2 features won't work together. The 2 features will work just fine with each other.
    Unfortunately there is no sample config with both features in the same document, but it will work just fine.

  • Install and configure Cisco Network Analysis Module NAM-2

    Hi,
    Does anyone have a step-by-step document on how to install and configure Cisco NAM-2 module ?
    Thanks in advance.
    Regards,
    Lamine

    Hi Lamine,
    The official installation guides for NAM software can be found here:
    http://www.cisco.com/en/US/products/sw/cscowork/ps5401/prod_installation_guides_list.html
    Is this what you are looking for?
    Cheers,
    Shane

  • Configuring Cisco Access Points 1602i Air-SAP-1602I-Z-K9

    Hi everyone,
    I am having trouble configuring Cisco access points 1602i. I have configured them and they are broadcasting SSID and clients are able to connect to them, but the only thing which is troublesome is speed. I have 100Mbps bandwidth speed but at the access point I am getting speed between 17 to 25. Can anyone please tell me where I have gone wrong?
    I have a Juniper SRX210 configured as backbone for providing internet on fiber. Then further I have attached one PoE switch (manageable). From that switch I have attached 4 access points.
    One more thing, two ports of the Juniper are configured as VLANs, one for staff and one for students. I have attached this PoE switch to the Student VLAN, but haven't configured ports of the PoE switch as trunk. Please tell me, do I have to configure ports as trunk on the PoE switch? Is this the cause of slow bandwidth over access points?
    I am also planning to go for a WLAN Controller to manage access points. When I contacted my supplier about it, he told me the following:
    "You just need to convert the Access points to autonomous mode. Here are some details, there is no additional charge."
    https://supportforums.cisco.com/message/3889653
    http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918
    http://www.youtube.com/watch?v=QQ_NuxdRhQ4
    https://supportforums.cisco.com/docs/DOC-14960
    I looked at the links but couldn't understand properly. Then I searched over the internet and found out that
    "a cisco autonomous access point basically runs on its own while a lightweight access point uses a centralized device called a wireless lan controller to get its configuration. autonomous access points are managed individually, while the lightweight access points can be managed centrally. also, the switchport configurations to support both types of access points will differ."
    I didn't understand why he suggested to go for a WLAN controller and to upgrade access points to autonomous mode, when according to the above finding, it says that autonomous access points run individually.
    Please advise.
    I shall be thankful

    Hello Scott and Leo,
    Thanks for all your help.
    I have managed to install and configure 4 access points and now the access points are giving speed between 25 to 45Mbps. Still not enough but it is solving the purpose. Everyone is enjoying their Facebook. I will soon get the Cisco WLAN Controller as well. I don't know if there is a way to get more speed from these access points. I am ready to buy more equipment if required.
    Anyway, today I need your expertise once again. As you know, the Juniper SRX210 is configured for fiber internet to provide internet services to the school. Now we are changing the building and transferring the line to the new building. This time I want to use a Cisco router in place of the Juniper SRX210. But I need to know what model will support the current configuration for fiber. Would you please tell me what model/series router will be suitable for fiber internet and for implementing other restrictions?
    I am attaching a picture of the current Juniper SRX210 for your consideration.
    I shall be very thankful to you
    Sarabjit

  • Configure cisco vpn connection in linux console

    Hi all,
    how do I configure cisco vpn_client connection in ubuntu/debian/raspbian linux console using .pcf file?
    Thanks ahead.

    I mean, what packages should I install?
    Is it possible to use only "apt-get install" or should I also use "dpkg"?
    Is it possible to avoid using any GUI interfaces because it is a headless PC?
    I'm asking because I successfully use openvpn connection in console and I hope that cisco vpn is also possible here.
    Thanks for your attention and best regards!

  • Is there any limitation of firmware or hardware for QoS configuration (4400 controller & 1252 AP's)

    Hi Experts,
    Before proceeding for adding AP model 1131 and 1252 into my set-up , I need to know whether any limitation of firmware or hardware for QoS configuration in wireless set-up .
    I have 4400 controller and 1130 & 1250 AP models.

    Hi Vinod,
    Since you have 4400 controllers, you can run up to WLC 7.0.x code. Refer to this for more detail:
    http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
    There is no specific limitation to the 1131/1252 AP models as such, everything is WLC software dependent.
    From later software 7.4.x, 7.6.x, 8.x, there are lots of improvements for QoS configuration & bandwidth control, but since your controller is old hardware, you cannot have those latest features.
    Here is a reference post on how QoS works in a wireless environment:
    http://mrncciew.com/2012/11/28/understanding-wireless-qos-part-1/
    HTH
    Rasika

  • Cisco Aironet 1252 AP Poor range

    Hi,
    I have 6 no. 1252 access points installed in my college on 6 different floors. They are configured with different channels on the respective APs and I have enabled 2.4 and 5 GHz wireless settings with 5 GHz antennas, but still I am not getting full range. In front of the access point, at a distance of about 2-3 meters, it is showing half range on my laptop Wi-Fi adapter. Below is the access point configuration detail.
    First-Floor#show configuration
    Using 2107 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname First-Floor
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    dot11 ssid MITSOM
       authentication open
       guest-mode
    power inline negotiation prestandard source
    username isource privilege 15 secret 5 $1$wSSH$mAOV0jfC3ozp/6XGbm9E40
    username mitsom privilege 15 secret 5 $1$0AC.$51TLWg1ffjKd/NeJXDn3o1
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption key 1 size 40bit 7 87C03667BEB5 transmit-key
    encryption mode wep mandatory
    ssid MITSOM
    speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2.
    m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
    channel 2412
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption key 1 size 40bit 7 318B1C92A4DC transmit-key
    encryption mode wep mandatory
    ssid MITSOM
    no dfs band block
    speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6.
    m7. m8. m9. m10. m11. m12. m13. m14. m15.
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.1.55.11 255.255.255.0
    no ip route-cache
    ip default-gateway 10.1.55.254
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    end

      1) I am using 5 Ghz antennas.
    What model of antennas are these and how many have you installed on a 1252?  What about the 2.4 Ghz?  Are the 5.0 Ghz antennas installed on the 5.0 Ghz radio?
    I have installed access point in corridor and antenna direction towards the wall. Depending on what antennas you've installed, it's advisable to mount the AP with the Cisco logo pointing to the client.

  • How to Configure Cisco ASA 5512 for multiple public IP interfaces

    Hi
    I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
    Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
    I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
    Outside Networks (I've changed the IPs for security purposes)
    Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
    Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
    Inside1 : E 0/1 192.168.255.1 255.255.248.0
    Inside2 : E 0/3 172.16.255.1 255.255.248.0
    My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
    I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
    I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
    Thanks in advance for the suggestions/help

    I have been away for a while and am just getting caught up on some posts, so my apology for a delayed response.
    I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
    To the original poster
    It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
    HTH
    Rick
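
An added illustration of the source-based policy routing Rick describes, not part of the original thread: a Cisco IOS router configuration fragment that sends each inside subnet to its own ISP gateway. The inside addresses and gateways come from the original post; the interface names, ACL numbers and route-map names are assumptions.

```cisco
! Constructed example for a Cisco IOS router (not the ASA in the post).
! Interface names, ACL numbers and route-map names are assumptions.
! NAT and the outside interface addressing are not shown.
!
! Match traffic by source subnet (192.168.255.1/21 -> 192.168.248.0/21,
! 172.16.255.1/21 -> 172.16.248.0/21).
access-list 101 permit ip 192.168.248.0 0.0.7.255 any
access-list 102 permit ip 172.16.248.0 0.0.7.255 any
!
! Inside1 traffic is forwarded to the Outside1 gateway.
route-map INSIDE1-TO-ISP1 permit 10
 match ip address 101
 set ip next-hop 74.55.55.222
!
! Inside2 traffic is forwarded to the Outside2 gateway.
route-map INSIDE2-TO-ISP2 permit 10
 match ip address 102
 set ip next-hop 50.241.134.222
!
! PBR is applied inbound on the interface where the traffic enters.
interface GigabitEthernet0/1
 description Inside1
 ip address 192.168.255.1 255.255.248.0
 ip policy route-map INSIDE1-TO-ISP1
!
interface GigabitEthernet0/3
 description Inside2
 ip address 172.16.255.1 255.255.248.0
 ip policy route-map INSIDE2-TO-ISP2
```

Traffic that matches neither ACL falls through to the normal routing table, so a default route is still needed for anything outside the two inside subnets.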

  • Need help to Configure Cisco ACE 4710 Cluster Deployment

    Dear Experts,
    I'm a newbie to the Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got a chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two application servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
    http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
    This guide is totally fine for my required deployment model. I have the same deployment environment as this guide contains, with an ACE cluster that connects to two Cisco 3750X (stack) switches. But I find some places in this guide confusing.
    This guide follows the "One-armed mode" as a deployment method. But when I went through it further I noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP is also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool also).
    My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side, where client requests come and hit the VIP, and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me where it is wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
    Thanks....!
    -Amal-

    Dear Kanwal,
    I need quick help from you. Following are the Application LB requirements which I received from my client side.
    Following detail required for configuring Oracle EBS Apps tier on HA:
    LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
    Suggested IP and Name for LBR:
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must be resolve and respond on DNS network
    Server Farm detail for LBR Setup
    Following detail will be use for configuring the LBR:
    LBR IP and Name :
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must be resolve and respond on DNS network
    Server Farm Detail for LBR setup:
    Server 1 (EBS App1 Node, ap1ebs):
    IP : 172.25.45.19
    Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
    Protocol: http
    Port: 8000
    Server 2 (EBS App2 Node, ap2ebs):
    IP : 172.25.45.20
    Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
    Protocol: http
    Port: 8000
    Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
    Following are my latest config :
    probe http Get-Method
      description Check to url access /OA_HTML/OAInfo.jsp
      interval 10
      faildetect 2
      passdetect interval 30
      request method get url /OA_HTML/OAInfo.jsp
      expect status 200 200
    probe udp http-8000-iRDMI
      description IRDMI (HTTP - 8000)
      port 8000
    probe http http-probe
      description HTTP Probes
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      request method get url /index.html
      expect status 200 200
    probe https https-probe
      description HTTPS traffic
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      ssl version all
      request method get url /index.html
    probe icmp icmp-probe
      description ICMP PROBE FOR TO CHECK ICMP SERVICE
    rserver host ebsapp1
      description ebsapp1.xxxx.lk
      ip address 172.25.45.19
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    rserver host ebsapp2
      description ebsapp2.xxxx.lk
      ip address 172.25.45.20
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    serverfarm host ebsppsvrfarm
      description ebsapp server farm
      failaction purge
      predictor response app-req-to-resp samples 4
      probe http-probe
      probe icmp-probe
      inband-health check log 5 reset 500
      retcode 404 404 check log 1 reset 3
      rserver ebsapp1 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
      rserver ebsapp2 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
    sticky http-cookie jsessionid HTTP-COOKIE
      cookie insert browser-expire
      replicate sticky
      serverfarm ebsppsvrfarm
    class-map type http loadbalance match-any default-compression-exclusion-mime-type
      description DM generated classmap for default LB compression exclusion mime types.
      2 match http url .*gif
      3 match http url .*css
      4 match http url .*js
      5 match http url .*class
      6 match http url .*jar
      7 match http url .*cab
      8 match http url .*txt
      9 match http url .*ps
      10 match http url .*vbs
      11 match http url .*xsl
      12 match http url .*xml
      13 match http url .*pdf
      14 match http url .*swf
      15 match http url .*jpg
      16 match http url .*jpeg
      17 match http url .*jpe
      18 match http url .*png
    class-map match-all ebsapp-vip
      2 match virtual-address 172.25.45.21 tcp eq www
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match ebsapp-vip-l7slb
      class default-compression-exclusion-mime-type
        serverfarm ebsppsvrfarm
      class class-default
        compress default-method deflate
        sticky-serverfarm HTTP-COOKIE
    policy-map multi-match int455
      class ebsapp-vip
        loadbalance vip inservice
        loadbalance policy ebsapp-vip-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 455
    interface vlan 455
      ip address 172.25.45.36 255.255.255.0
      peer ip address 172.25.45.35 255.255.255.0
      access-group input ALL
      nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
      service-policy input remote_mgmt_allow_policy
      service-policy input int455
      no shutdown
    ft interface vlan 999
      ip address 10.1.1.1 255.255.255.0
      peer ip address 10.1.1.2 255.255.255.0
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 999
    ft group 1
      peer 1
      no preempt
      priority 110
      associate-context Admin
      inservice
    ip route 0.0.0.0 0.0.0.0 172.25.45.1
    Hope you will reply me soon
    Thanks....!
    -Amal-

  • Need help configuring Cisco/Linksys wireless router to extend wi-fi signal to living room

    My U-verse wireless gateway is in the back of our house. We live in an old 1920's home with solid wood walls. For our MacBooks, we get a pretty decent signal, but my wife's iPad 2 gets poor Wi-Fi speeds. I bought a Cisco/Linksys WRT160N wireless N broadband router. I have a wired connection in my living room (going to a 4 port switch) then connected to my DVR. I tried hooking up the new router but ended up getting no signal on the iPad. In fact, it caused other issues. I ended up disconnecting it and re-booting my gateway. All came back fine. This wireless router replaces a similar unit that went out after a power failure, so I know this can be done, but I forget exactly how I configured the old one. I would like it to "extend" my signal to the living room, but I am also willing to create a new network (different SSID). Do I need to turn off DHCP? Are there any web sites that can assist me in configuring the router? I wish I didn't have to deal with this. The signal from the RG is great when you are in the back room (20+ down). But my wife gets about 3 down on her iPad in the living room. Thanks in advance.

    Hi ,
    I was doing some research on how this can be done. It does not appear there is an option in the Cisco router to set it up as an access point, but there are several options you can do to extend your network. 
    The first thing you can do is just set it up as a router behind router setup, and you will just have two separate networks. Make sure the DHCP pool does not conflict with the U-verse's gateway of 192.168.1.x. 
    The second thing you can do is connect the Ethernet cable to one of the LAN ports on your Cisco router instead of using the internet port. This should make it work like a smart switch. 
    With both setups, you want to probably change the SSID, network key, and wireless security settings to the same thing for wireless roaming abilities. That way, anyone that configures their wireless connection will be connected to both networks. Just make sure the wireless channels are not the same, and I would suggest having them at least 5 apart.
    Hope this helps.
    -ATTU-verseCare

  • Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)

    OK, so our primary firewall is a Check Point gateway. Behind that we have a Cisco ASA for VPN users. I have a project at the moment where we need to connect to another company using site to site VPN through the Cisco ASA, as the Check Point gateway is unable to establish a permanent tunnel with the other company's Cisco ASA.
    What would be the best practise for setting up the local network on my side? Create the network on the ASA and then use a L2 vlan to connect to the Core switch? 
    Setup a L3 interface on the core switch and point it towards the checkpoint gateway which would then point to the ASA?
    When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?
    Our network is setup like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
    The ASA is connected to a checkpoint sub interface
    Any help would be beneficial as I'm new to Cisco ASAs
    Thanks
    Mark

    Mark
    If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 vlan. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
    HTH
    Rick

  • Help, How to configure cisco ASA5505 to permit access to internal LAN

    Hi everyone,
    Once more I am stuck into another dilemma , I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using Cisco VPN Client software. The connection is establishing properly with the ip address from my VPNPool.
    From outside (on VPN connection) I can ping the interface e0/0 (outside)  and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected ( int gi1/0/22 ip address 192.168.1.2/30 ) and I cannot ping any vlan interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN.
    I hope my explaination does make sense, I am available at any time if further information is needed. Please find attached my ASA config.
    Best regards,
    BEN

    Many thanks Marvin,
    I have configured the router ospf the way you instructed me, I have changed the VPN Pool to a completely different class of 10.0.1.0/24, and I have also configured: access-list OUTSIDE_IN_ACL permit icmp any any echo-reply and access-group OUTSIDE_IN_ACL in interface outside. But from my VPN connection I can only ping both interfaces of the ASA and nothing else.
    Please find attached my ASA and the layer 3 switch configs. And also ASA and L3 Switch ip route output.
    Note this: when connected to my VPN, cmd> ipconfig /all shows the following:
      ip address 10.0.1.100
      Subnet Mask 255.0.0.0
      Def Gateway 10.0.0.1
      dns server 192.168.30.3
    Best regards,
    BEN.

  • How to configure Cisco ASA 5500 to work with the iPhone

    We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
    http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
    We've setup our first iPhone properly. It connects fine to the network, shows VPN connection as active. Gets a private IP address. But does not let any traffic go to the internal network. We thought it might be DNS problem, but it cannot connect to Exchange server even when using IP address instead of DNS. No luck either.
    After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
    Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
    I noticed that many people are having these problems.
    Please do not post to this topic if you have ANY OTHER Cisco device.
    Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
    Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
    It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
    Thank you!
    Oleg R

    We found the solution and a bug in Cisco firmware (seems to be a bug).
    First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set iphone esp-3des esp-sha-hmac
    crypto ipsec transform-set iphone mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
    crypto map outside_map 10 match address vpn
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp nat-traversal 20
    group-policy iphone internal
    group-policy iphone attributes
     wins-server value <insert ip> <insert ip>
     dns-server value <insert ip> <insert ip>
     vpn-tunnel-protocol IPSec
     ipsec-udp enable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value iphone_splitTunnelAcl
     default-domain value <insert domain name>
    tunnel-group iphone type remote-access
    tunnel-group iphone general-attributes
     address-pool VPN-Pool
     authentication-server-group ActiveDirectory2
     default-group-policy iphone
    tunnel-group iphone ipsec-attributes
     pre-shared-key <insert pre-shared key>
    For iPhone you have to be using IPSec tab for configuration.
    We tried to set up this config using the wizards, but it would not work.
    Later it turned out that wizards by default set this setting:
    "crypto isakmp nat-traversal 20"
    equal to zero and there is no way to change it from the GUI.
    Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
    Please let me know how it works out for you.
