How to configure AnyConnect/ASA/Certificate/MS CA together

Hello
We are looking to apply mobile device management utilizing some third-party cloud solution. Mostly iPad users will connect to our internal network using AnyConnect through the ASA. A third-party MDM will be used to control and provision the iPads, and I need to provide a solution for the AnyConnect VPN.
Looking for some guidance, docs, examples or white papers that will provide info on how to configure the following:
Users will connect to the ASA VPN using AnyConnect; a certificate issued by the internal Microsoft CA and unique to each user will be used to authenticate the user. ACS will communicate with Microsoft AD to check if the user is a valid AD user. Once authentication is done, the user will have access to the internal network.
I am struggling to get all those pieces of the puzzle together so I can work on a solution.
I would appreciate it if someone could give me some ideas of how this whole scenario would work.
Thank you.

Any experts out there? I am sure someone has done this before.
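Here is how those pieces fit together on the ASA, as an added example written for this thread rather than configuration taken from it or from Cisco. Everything named below is an assumption: ASA 8.4 or later syntax, an issuing CA called Corp-Issuing-CA, AD reachable over LDAPS at 10.10.0.5, an ACS at 10.10.0.6, and MDM-enrolled iPads whose user certificates carry the user's UPN in the Subject Alternative Name (what the Microsoft User template does). The flow is: the iPad presents its certificate, the ASA validates the chain against the CA trustpoint and checks the CRL, takes the UPN out of the certificate as the username, then does an authorization-only lookup of that user in AD (directly over LDAP, or via ACS over RADIUS) before handing out an address.

```text
! ----- 1. Trust the issuing CA and check revocation -----
crypto ca trustpoint MS-ISSUING-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
! exec mode, paste the CA's Base64 certificate:   crypto ca authenticate MS-ISSUING-CA
! The ASA's own server certificate (enrolled separately, assumed trustpoint name) is what
! AnyConnect sees when it connects to the outside interface:
ssl trust-point ASA-ID-CERT outside

! ----- 2. Authorization-only lookup of the certificate's user in AD -----
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.0.5
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=corp,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
! Alternative when ACS has to be the policy point: RADIUS authorization.
! For authorization-only requests the ASA sends the certificate username with
! radius-common-pw as the password (without it, the username is reused as the
! password), so the ACS side must expect that.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.10.0.6
 key <shared-secret>
 radius-common-pw <common-password>

! ----- 3. Address pool and group policy for the iPads -----
ip local pool IPAD-POOL 10.20.0.10-10.20.0.250 mask 255.255.255.0
group-policy GP-IPAD internal
group-policy GP-IPAD attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 10.10.0.5
 default-domain value corp.example.com

! ----- 4. Tunnel group: the certificate authenticates, AD authorizes -----
tunnel-group TG-IPAD type remote-access
tunnel-group TG-IPAD general-attributes
 address-pool IPAD-POOL
 default-group-policy GP-IPAD
 authorization-server-group AD-LDAP
 authorization-required
 username-from-certificate UPN
tunnel-group TG-IPAD webvpn-attributes
 authentication certificate

! ----- 5. Select the tunnel group from the certificate, not from a user-chosen alias -----
crypto ca certificate map IPAD-CERT-MAP 10
 issuer-name attr cn eq Corp-Issuing-CA
 subject-name attr ou eq Managed-iPads

webvpn
 enable outside
! at least one package must be loaded before anyconnect enable is accepted;
! iOS devices install the client from the App Store, not from the ASA
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
 certificate-group-map IPAD-CERT-MAP 10 TG-IPAD
```

Two details matter. `ldap-naming-attribute userPrincipalName` has to match `username-from-certificate UPN`: the certificate yields user@corp.example.com, so the LDAP search must key on that attribute rather than sAMAccountName, and `authorization-required` makes the connection fail when the lookup returns nothing. Second, the ASA only re-validates the certificate at connect time, so deprovisioning is a CRL question: publish a CRL the ASA can reach over HTTP and revoke the user certificate when an iPad is retired; deleting the AD user object also closes the door, but only at the next connection. `split-tunnel-policy tunnelall` keeps all iPad traffic inside the tunnel, which means internet access for those clients needs a hairpin NAT on the outside interface.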

Similar Messages

  • How to Configure Cisco ASA 5512 for multiple public IP interfaces

    Hi
    I have a new ASA 5512 that I would like to configure for multiple public IP support. My problem may be basic, but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
    Here is my concept. We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access. We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (which is why we have three).
    I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
    Outside Networks (I've changed the IPs for security purposes)
    Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
    Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
    Inside1 : E 0/1 192.168.255.1 255.255.248.0
    Inside2 : E 0/3 172.16.255.1 255.255.248.0
    My goal is to have Inside1 route all internet traffic using Outside1 and Inside2 use Outside2. The problem is I can't seem to do this. I can get Inside1 to use Outside1, but Inside2 uses Outside1 as well.
    I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222, but that doesn't seem to work.
    I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
    Thanks in advance for the suggestions/help

    I have been away for a while and am just getting caught up on some posts. so my apology for a delayed response.
    I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes, using one process for each of the public address ranges, with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish, and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
    To the original poster
    It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
    HTH
    Rick

  • How to configure AnyConnect ACL's?

    I am a little new to Cisco ASAs, but we bought two new 5540s to use as a new VPN solution for our company. We want to implement Cisco AnyConnect full-client and clientless solutions for our end users. I am having problems with setting up access lists based on groups. I simply want to create access lists to certain IPs based on groups. I ultimately want to get to the point where we have Dynamic Access Policies that are based on Active Directory groups, allowing access to back-end servers based solely on their group membership in AD. But first I need to figure out how to just apply an ACL to a group. Can anyone please help me with this? Any help would be much appreciated.

    Thanks for your reply....
    I would like to have a block-all, then allow access to certain back-end servers. For example: a user signs in and authenticates against AD. I would like to keep it simple at first and just apply an access list to that group. I was told by a few people that the ASA starts a connection with it open to everything and then you have to tell it what to block. I would like to apply an ACL to a group where it just allows access to one application. So I would be a Coplink user, for instance, and I am allowed to connect back to our AnyConnect VPN. The user signs on and, because he is in the Coplink group, an access list is applied to him to only allow him to 10.105.x.x. Or if someone is in a group called SSL_VPN they would only have access to the 10.101.x.x and 10.105.x.x networks.
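    As an added example, not taken from this thread: the reason a connected user "sees everything" is that `sysopt connection permit-vpn` is on by default, so decrypted VPN traffic skips the interface ACL entirely. The per-group control is therefore a `vpn-filter` on the group-policy, and the AD-group-to-group-policy step is an LDAP attribute map. Assumed names: AD at 10.10.0.5, AD groups Coplink-Users and SSL_VPN, ASA 8.4 syntax, and the 10.105.0.0/16 and 10.101.0.0/16 networks from the post.

```text
! vpn-filter ACLs: source = VPN client address, destination = internal network.
! The ASA mirrors each rule for return traffic, so one direction suffices; an
! implicit deny sits at the end of every filter.
access-list VPNF-COPLINK extended permit ip any 10.105.0.0 255.255.0.0
access-list VPNF-SSLVPN extended permit ip any 10.101.0.0 255.255.0.0
access-list VPNF-SSLVPN extended permit ip any 10.105.0.0 255.255.0.0

group-policy GP-COPLINK internal
group-policy GP-COPLINK attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-filter value VPNF-COPLINK
group-policy GP-SSLVPN internal
group-policy GP-SSLVPN attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-filter value VPNF-SSLVPN
! Anyone the attribute map does not place in a group lands here and is refused
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! memberOf DN -> group-policy name (DNs assumed; no spaces, so no quoting needed)
ldap attribute-map AD-GROUPS
 map-name memberOf Group-Policy
 map-value memberOf CN=Coplink-Users,OU=Groups,DC=corp,DC=example,DC=com GP-COPLINK
 map-value memberOf CN=SSL_VPN,OU=Groups,DC=corp,DC=example,DC=com GP-SSLVPN

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.0.5
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=corp,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
 ldap-attribute-map AD-GROUPS

ip local pool VPN-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
tunnel-group TG-SSLVPN type remote-access
tunnel-group TG-SSLVPN general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

    memberOf is multi-valued and the ASA uses the first value that matches a map-value, in the order the directory returns them, so keep the VPN groups disjoint rather than nested. With `sysopt connection permit-vpn` left on, the vpn-filter is the only ACL those sessions cross; `no sysopt connection permit-vpn` would instead subject them to the outside interface ACL, which cannot tell the groups apart. DAP can later refine this per AD attribute, but the attribute map alone covers the "one ACL per group" step asked for here.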

  • How to configure an ASA with 2 Public IP address.

    Hi, I have to configure an ASA 5505 router with 2 public IPs; our ISP gave us 3 public IPs, and currently our configuration is like this:
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.x.x 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 200.91.x.x 255.255.255.248
    The problem is: If I create a new Vlan, the interface overlaps.
    How can I solve that problem??
    Thanks for your answers!!!

    Answered in duplicate post:
    https://supportforums.cisco.com/discussion/12150111/how-configure-asa-2-public-ip-address

  • How to configure Cisco ASA 5500 to work with the iPhone

    We have a Cisco ASA 5510 (latest firmware version), and apparently, according to the Cisco website, it is compatible with the new iPhone 3G's IPSec client:
    http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
    We've set up our first iPhone properly. It connects fine to the network and shows the VPN connection as active. It gets a private IP address, but it does not let any traffic go to the internal network. We thought it might be a DNS problem, but it cannot connect to the Exchange server even when using the IP address instead of DNS. No luck either.
    After checking the ASA logs, we found that the iPhone goes through Phase 1 authentication correctly, but then it gives some kind of error mentioning "Attribute 5".
    Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
    I noticed that many people are having these problems.
    Please do not post to this topic if you have ANY OTHER Cisco device.
    Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
    Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
    It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
    Thank you!
    Oleg R

    We found the solution and a bug in Cisco firmware (seems to be a bug).
    First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set iphone esp-3des esp-sha-hmac
    crypto ipsec transform-set iphone mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
    crypto map outside_map 10 match address vpn
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp nat-traversal 20
    group-policy iphone internal
    group-policy iphone attributes
     wins-server value <insert ip> <insert ip>
     dns-server value <insert ip> <insert ip>
     vpn-tunnel-protocol IPSec
     ipsec-udp enable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value iphone_splitTunnelAcl
     default-domain value <insert domain name>
    tunnel-group iphone type remote-access
    tunnel-group iphone general-attributes
     address-pool VPN-Pool
     authentication-server-group ActiveDirectory2
     default-group-policy iphone
    tunnel-group iphone ipsec-attributes
     pre-shared-key <insert pre-shared key>
    For the iPhone you have to use the IPSec tab for configuration.
    We tried to set up this config using the wizards, but it would not work.
    Later it turned out that the wizards by default set this setting:
    "crypto isakmp nat-traversal 20"
    equal to zero, and there is no way to change it from the GUI.
    Only after we changed it (increased the value from 0 to 20) through the command line did the connection start working perfectly.
    Please let me know how it works out for you.
    Message was edited by: Rogik

  • How to configure CISCO ASA 5510 for internal remote desktop ?

    Hello, I have a client that wants to install a new ASA (5510) in their network,
    so I did some experiments to implement it. The topology is like this:
    --------configuration---------
    2800 router :
    interface FastEthernet0/0
    ip address 172.16.1.1 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.11.3 255.255.255.0
    duplex auto
    speed auto
    ip route 192.168.12.0 255.255.255.0 172.16.1.2
    1841 router :
    interface FastEthernet0/0
    ip address 172.16.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.12.1 255.255.255.0
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    ASA 5510 :
    : Saved
    : Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
    ASA Version 8.2(1)
    hostname ciscoasa
    enable password **** encrypted
    passwd ***** encrypted
    names
    name 192.168.12.0 Branch
    dns-guard
    interface Ethernet0/0
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.11.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
    access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
    tcp-map mssmap
      synack-data allow
      invalid-ack allow
      seq-past-window allow
      urgent-flag allow
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    asdm location Branch 255.255.255.0 inside
    no asdm history enable
    arp timeout 14400
    static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
    static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    route inside Branch 255.255.255.0 172.16.1.1 1
    timeout xlate 3:00:00
    timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ***** password ***** encrypted
    class-map mymap
    match access-list inside_access_in
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    policy-map myPolicy
    class mymap
      set connection advanced-options mssmap
    service-policy global_policy global
    service-policy myPolicy interface inside
    prompt hostname context
    Cryptochecksum:a605d94f29924e5267644dd0f4476145
    : end
    I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those hosts.
    Then I used Wireshark to capture packets on my computer, and it says TCP ACKed lost segment.
    "1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
    "1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
    I can guarantee that both computers are remote desktop enabled and all firewalls have been disabled.
    Please help, any suggestion would be great.
    Thanks.
    Sincerely yours,
    -IAN WIJAYA-

    Dear Ian_benderaz,
    Thank God I am not alone on this.
    I am having the exact same problem: I can ping the host, but no remote desktop.
    Somebody please help me on this: how to enable remote desktop on an ASA 5505.
    Thanks
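    An added example, not from either post. Reading the config above: the ASA is the PCs' default gateway on 192.168.11.0/24, the 2800 sits on that same segment as 192.168.11.3, and the ASA's branch route points at 172.16.1.1, which is not on the inside subnet (the reachable next hop would be 192.168.11.3). Even with that fixed, the path is asymmetric: the SYN goes PC -> ASA -> 2800 -> branch, but the SYN/ACK returns 2800 -> PC directly because the 2800 is on the PC's LAN. The ASA then receives the client's ACK for a handshake it never saw complete and drops it; on top of that the ASA randomises the client's initial sequence number on the way out, so the SYN/ACK that bypasses it acknowledges a number the client never sent, which is what the odd Ack value in the capture looks like. Ping works because, without `inspect icmp`, the echo reply that comes back directly involves no ASA state. Two remedies, with assumed interface and address names:

```text
! --- Remedy A (preferred): put the 2800 on its own ASA interface so both directions cross the ASA ---
interface Ethernet0/2
 no shutdown
 nameif branch
 security-level 50
 ip address 10.255.0.1 255.255.255.252
route branch 192.168.12.0 255.255.255.0 10.255.0.2 1
access-list branch_access_in extended permit tcp 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0 eq 3389
access-group branch_access_in in interface branch
! On the 2800: Fa0/1 becomes 10.255.0.2/30 with "ip route 192.168.11.0 255.255.255.0 10.255.0.1".
! Normal stateful inspection now sees the whole handshake; no bypass needed.

! --- Remedy B (2800 must stay on the inside LAN): correct the route, then exempt only this flow from TCP state checks ---
no route inside 192.168.12.0 255.255.255.0 172.16.1.1 1
route inside 192.168.12.0 255.255.255.0 192.168.11.3 1
access-list BRANCH-RDP extended permit tcp 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.0 eq 3389
access-list BRANCH-RDP extended permit tcp 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0 eq 3389
class-map BRANCH-RDP-CLASS
 match access-list BRANCH-RDP
! Added to the existing myPolicy, since an interface takes only one service-policy
policy-map myPolicy
 class BRANCH-RDP-CLASS
  set connection advanced-options tcp-state-bypass
  set connection random-sequence-number disable
```

    Remedy B switches off SYN checking, TCP normalisation and sequence-number randomisation for whatever the class matches, so keep that ACL as narrow as the one above (RDP between the two subnets only) and treat it as a stop-gap; the hairpin it relies on already has `same-security-traffic permit intra-interface` in the posted config.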

  • [SOLVED] How to configure prosody and jitsi to work together?

    Hi,
    I want to use prosody to connect several jitsi accounts on different computers on a LAN. I have followed the Prosody page in our wiki to set up Prosody and some user accounts. The service starts and ss -tul indicates that it is listening on the expected ports. I have created the missing key and certificate files expected by the default setup and placed them in /etc/prosody/certs.
    I have created the account foo@localhost using prosodyctl adduser foo@localhost.
    In Jitsi I have created an XMPP account (foo@localhost) on the same host as Prosody. The account appears but it fails to connect to the server. Jitsi displays error messages on the console which indicate that the server does not support TLS connections even though these are enabled in the Prosody configuration file (and lua51-sec is installed).
    I have tried numerous variations of disabling encryption in both Prosody and Jitsi but I either get the same error message or Jitsi simply hangs while trying to connect to the server.
    So far the only thing that I've been able to find that deals specifically with Prosody and Jitsi is an episode of the Linux Action Show from last year that skimps on the details of the setup. The various online documentation that I've found seems to be for an older version of Prosody (e.g. Host entries in the configuration file).
    Does anyone have a similar setup working with the latest versions of Prosody and Jitsi? If so, please share your configurations.
    edit
    I went through the Prosody wiki page again today and managed to get it working. I think my problem was in misconfigured paths for the SSL server certificates in the VirtualHost section.
    Last edited by Xyne (2014-08-13 00:35:51)

    So, I tried both ways but it still didn't work.
    anrxc: I didn't know I could still prevent DNS leaks without Privoxy. Privoxy always blocked Flash animations and videos (like YouTube) here. I'll try to set this up better tomorrow when I have more time.
    By the way, after following your guide, I got this when executing /usr/bin/tor:
    Jan 10 19:29:16.993 [notice] Tor v0.2.1.21. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
    Jan 10 19:29:16.994 [warn] Skipping obsolete configuration option 'Group'
    Jan 10 19:29:16.995 [notice] Initialized libevent version 1.4.12-stable using method epoll. Good.
    Jan 10 19:29:16.995 [notice] Opening Socks listener on 127.0.0.1:9050
    Jan 10 19:29:16.995 [notice] Opening Socks listener on 192.168.0.1:9050
    Jan 10 19:29:16.995 [warn] Could not bind to 192.168.0.1:9050: Cannot assign requested address
    Jan 10 19:29:16.995 [notice] Closing partially-constructed listener Socks listener on 127.0.0.1:9050
    Jan 10 19:29:16.995 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
    Jan 10 19:29:16.995 [err] Reading config failed--see warnings above.
    Last edited by ILoveJapaneseGirls (2010-01-10 22:00:12)

  • ASA 5505 8.4. How to configure the switch to the backup channel to the primary with a delay (ex., 5 min) using the SLA?

    I have an ASA 5505 running 8.4. How do I configure the switch from the backup channel back to the primary with a delay (for example 5 min.) using the SLA monitor?
    Or is there something else I can implement it with?
    My configuration for SLA monitor:
    sla monitor 123
     type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
     num-packets 3
     timeout 3000
     frequency 10
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability
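    An added example, not from this thread. I know of no hold-down or delay timer on the ASA track object, so the route follows the SLA probe as soon as it changes state in either direction; the only timing you control is the probe's own cadence (num-packets, timeout, frequency), and raising frequency to 300 would give the 5-minute delay on the way back at the price of a failover that is also up to 5 minutes late. Below is the complete tracked-route pattern the posted SLA monitor plugs into, with assumed names: outside_cifra from your config for the primary, outside_backup for the second ISP, documentation-range gateways, and a single inside network.

```text
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside_cifra
 num-packets 3
 timeout 3000
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

! Primary default route exists only while track 1 reports the target reachable
route outside_cifra 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Floating backup with a worse metric; it takes over only once the tracked route is withdrawn
route outside_backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! 8.4 NAT: one dynamic PAT per outside interface, so translation follows whichever route is active
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside_cifra) source dynamic INSIDE-NET interface
nat (inside,outside_backup) source dynamic INSIDE-NET interface
```

    Two operational caveats. Probing the ISP's gateway only proves the link is up, not that the ISP is forwarding; probing a host beyond it (with a host route for that target out outside_cifra so the probe always uses the primary) catches the common "link up, upstream dead" case. And every switch in either direction clears the translations built on the old interface, so established sessions drop at failback as well as at failover, which is usually the real reason people want the delay.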

    Hey cadet alain,
    thank you for your answer :-)
    I have deleted all such attempts that weren't working, so a packet-trace will not be very useful content...
    Here is the LogLine when i try to browse port 80 from outside (80.xxx.xxx.180:80) without VPN connection:
    (severity | date | time | source IP | source port | destination IP | destination port | message)
    3 | Nov 21 2011 | 18:29:56 | 77.xxx.xxx.99 | 59068 | 80.xxx.xxx.180 | 80 | TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
    The attached file is only the show running-config
    Now I can connect with my AnyConnect clients, too, but after the connection is up, my VPN clients can't surf the web any longer because AnyConnect serves as the default route on 0.0.0.0... that's bad, too.
    Actually, the AnyConnect and NAT/ACL problems are my last two open problems until I set up the second ASA on the right ;-)
    Regards.
    Chris
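    An added example, not from Chris's post, covering the two open points: a permit for the public web server and an outbound path for tunnel-all AnyConnect clients. Assumed: ASA 8.3 or later, where the interface ACL is written against the server's real inside address rather than the public one; web server 192.168.1.10 behind the masked public address 80.xxx.xxx.180 from the log line; AnyConnect pool 10.20.0.0/24; inside networks in 192.168.0.0/16; an existing group-policy named GP-ANYCONNECT.

```text
! --- Public web server: static NAT, ACL in real (pre-NAT) addresses on 8.3+ ---
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 80.xxx.xxx.180
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 80
access-group outside_access_in in interface outside

! --- AnyConnect clients: either split-tunnel or hairpin their internet traffic ---
! Option A: only corporate networks enter the tunnel; everything else leaves via the client's own internet
access-list SPLIT-CORP standard permit 192.168.0.0 255.255.0.0
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-CORP

! Option B: keep tunnel-all (client traffic stays under the ASA's policy) and U-turn it on outside
same-security-traffic permit intra-interface
object network VPN-POOL-NET
 subnet 10.20.0.0 255.255.255.0
object network INSIDE-NET
 subnet 192.168.0.0 255.255.0.0
! identity NAT first, so VPN <-> inside traffic is never translated
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup
! then PAT the clients' internet traffic to the outside address as it exits the interface it arrived on
nat (outside,outside) source dynamic VPN-POOL-NET interface
```

    Option B is the safer default for machines you do not fully control: with split tunnelling the client is on the internet and the corporate network at the same time, with nothing but its own host policy in between. The order of the two twice-NAT rules in Option B matters; the identity rule has to come first or the pool gets PATed even when talking to inside hosts.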

  • Move CA from Win2K3 to Win2012R2 - how to configure ASA

    Hi Guys,
    I've a little problem with an ASA in combination with a Microsoft CA.
    First, I will describe the environment we have, which works:
    CERTSRV => A Windows Server 2003 server, with a CA in standalone mode, the NDES / SCEP service activated, and a RADIUS / IAS service to let the ASA authenticate VPN users against the local Windows users. The CA root cert has a key length of 512 bits.
    Our goal is to move the CA and the RADIUS to a Windows 2012 R2 server. Due to the restriction of the Windows 2012 CA rejecting CA certs with less than 1024 bits, we cannot simply import the current CA cert pair into the new CA.
    Also, we won't upgrade the CA key pair on our current Win2k3 CA, because we cannot estimate the side effects and the ASA VPNs must work.
    So we came to the fabulous idea of cloning the Win2k3 CERTSRV into a VM. There we generate a new key pair of 1024-bit length. Then we export this key, export the database from the live system and import both successfully into the new 2012 R2 CA. SCEP and NAP services are installed and tested successfully. We are able to create a new client cert with SCEP.
    Our actual problem is that we don't know how to handle the new, upgraded CA in the ASA configuration.
    I added the new CA in the CA Certificates menu.
    Here is the relevant part of the ASA log (debug level)
    7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE SENDING Message (msgid=6b028bd2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing qm hash payload
    7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing IKE delete payload
    7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing blank hash payload
    7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], sending delete/delete with reason message
    7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE SA MM:49765104 terminating:  flags 0x0105c002, refcnt 0, tuncnt 0
    7|Feb 27 2014|11:56:58|715065|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE MM Responder FSM error history (struct &0xadcda9c0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_CERT_FAIL-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ACTIVATE_NEW_SA-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT
    5|Feb 27 2014|11:56:58|713904|||||Group = DefaultRAGroup, IP = [CLIENT_IP], Certificate Validation Failed
    3|Feb 27 2014|11:56:58|717027|||||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
    7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
    7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
    7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
    7|Feb 27 2014|11:56:58|717029|||||Identified client certificate within certificate chain. serial number: 1F00000951EB42CE6BD7157E2E000400000951, subject name: [CERT ATTRIBUTES].
    7|Feb 27 2014|11:56:58|717025|||||Validating certificate chain containing 1 certificate(s).
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Connection landed on tunnel_group DefaultRAGroup
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via default group...
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IP ADDR...
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IKE ID...
    3|Feb 27 2014|11:56:58|713020|||||IP = [CLIENT_IP], No Group found by matching OU(s) from ID payload:  
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via OU...
    4|Feb 27 2014|11:56:58|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
    7|Feb 27 2014|11:56:58|717036|||||Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via cert rules...
    6|Feb 27 2014|11:56:58|713172|||||IP = [CLIENT_IP], Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing notify payload
    7|Feb 27 2014|11:56:58|713906|||||Dump of received Signature, len 256:
    7|Feb 27 2014|11:56:58|715076|||||IP = [CLIENT_IP], Computing hash for ISAKMP
    7|Feb 27 2014|11:56:58|715001|||||IP = [CLIENT_IP], processing RSA signature
    7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert request payload
    7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert payload
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], DER_ASN1_DN ID received, len 145
    7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing ID payload
    7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 3111
    7|Feb 27 2014|11:56:58|715063|||||IP = [CLIENT_IP], Successfully assembled an encrypted pkt from rcv'd fragments!
    Do you know which is the best practice for us?
    Best regards from Germany
    Edit: I see I missed some more information. Old VPN clients, with certs created on the old Win2k3 CertSrv, are working:
    6|Feb 27 2014|13:27:52|717028|||||Certificate chain was successfully validated with revocation status check.
    6|Feb 27 2014|13:27:52|717022|||||Certificate was successfully validated. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTRB] .
    7|Feb 27 2014|13:27:52|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
    7|Feb 27 2014|13:27:52|717029|||||Identified client certificate within certificate chain. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTR].
    7|Feb 27 2014|13:27:52|717025|||||Validating certificate chain containing 1 certificate(s).
    7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Connection landed on tunnel_group DefaultRAGroup
    7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via default group...
    7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IP ADDR...
    7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IKE ID...
    Here is the configuration of the trustpoints:
    crypto ca trustpoint ASDM_TrustPoint0
    revocation-check crl
    enrollment url http://U.X.Y.Z:80/certsrv/mscep/mscep.dll
    fqdn xxxxx
    subject-name [CERT_ATTRB]
    keypair asa01.key
    crl configure
      no protocol ldap
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpoint ASDM_TrustPoint2
    revocation-check crl none
    enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
    no client-types
    crl configure
      no protocol ldap
    crypto ca trustpoint ASDM_TrustPoint3
    crl configure
    crypto ca trustpoint ASDM_TrustPoint4
    revocation-check crl none
    enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
    no client-types
    crl configure
      no protocol ldap
    crypto ca trustpoint ASDM_TrustPoint5
    enrollment terminal
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 2a5a90e900010000083c
      quit
    certificate ca 1e185567c7bc7e91473edd472e033d78
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca 10acffbf9fb6429947e0cdea136cf8eb
      quit
    crypto ca certificate chain ASDM_TrustPoint2
    certificate ca 10acffbf9fb6429947e0cdea136cf8eb
      quit
    crypto ca certificate chain ASDM_TrustPoint4
    certificate ca 10acffbf9fb6429947e0cdea136cf8eb
      quit
    crypto ca certificate chain ASDM_TrustPoint5
    certificate ca 3ae8ce8cf1619498418f9982315e6ad9
      quit
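    An added example, not the poster's configuration. Two things in the trustpoint list above are worth fixing before anything new is built: the same CA certificate (serial 10acffbf...) is loaded into three trustpoints (ASDM_TrustPoint1, 2 and 4), and two of those carry `no client-types`, which per that command's meaning stops the trustpoint from being used to validate client (user) certificates at all. One trustpoint per CA, with client validation allowed, is the cleaner target. Also, since a new CA key is being generated anyway, 1024-bit RSA sits below the 2048-bit floor current guidance sets; the ASA will accept it, but nothing in the chain gains from keeping it that small. The layout below assumes the CAs are named OLD-CA-2003 and NEW-CA-2012R2, that the new CA publishes its CRL over HTTP at the CDP in its certificates, and that the ASA's own identity certificate is re-enrolled against the new CA through the SCEP URL at W.X.Y.Z already in the config.

```text
! One trustpoint per issuing CA; the old one stays until its last client certificate expires or is revoked
crypto ca trustpoint OLD-CA-2003
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
crypto ca trustpoint NEW-CA-2012R2
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
! exec mode, paste each CA's Base64 certificate exactly once:
!   crypto ca authenticate OLD-CA-2003
!   crypto ca authenticate NEW-CA-2012R2

! The ASA's own certificate: new 2048-bit key, fresh SCEP enrollment against the new CA
!   crypto key generate rsa label asa01-2014.key modulus 2048     (exec mode)
crypto ca trustpoint ASA-ID-NEW
 enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
 subject-name CN=asa01.example.com
 fqdn asa01.example.com
 keypair asa01-2014.key
 revocation-check none
!   crypto ca enroll ASA-ID-NEW      (exec mode; supply the NDES one-time challenge password)
! Present the new identity certificate to IKEv1 remote-access peers once it is installed
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point ASA-ID-NEW

! Checks after a failed connection:
!   show crypto ca certificates     the new CA certificate appears once, with sane validity dates
!   show crypto ca crls             a CRL for NEW-CA-2012R2 is cached; if not, the ASA cannot reach the CDP
!   debug crypto ca transactions
!   debug crypto ca messages
```

    The ASA validates a client certificate only against a trustpoint that holds its issuer, so a user certificate from the new CA fails until that CA's certificate is authenticated into a trustpoint the ASA is allowed to use for client validation and the CRL it requires is fetchable. Running old and new CAs side by side, as above, lets the old client certificates keep working through the migration window, which the log at 13:27 shows they do.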

    This seems to be  very useful answer but can you provide me with some code of some link where I can find some help. actually I am new to SSIS
    Here are some good examples for filling variables with an Execute SQL Task:
    http://dataqueen.unlimitedviz.com/2012/08/how-to-set-and-use-variables-in-ssis-execute-sql-task/
    http://dwbi1.wordpress.com/2011/06/06/ssis-updating-a-variable-based-on-database/
    And here is how you set the value of a property of the foreach loop with an expression:
    Please mark the post as answered if it answers your question | My SSIS Blog: http://microsoft-ssis.blogspot.com | Twitter

  • How to configure ASA 5510 V9.1(5) to send Netflow packets to Netflow Analyser 8.0

    Hi guys,
    I've configured my ASA 5510 Version 9.1(5) to send flows to Netflow Analyser. I think I've done it correctly, but what happens is that I can see the ASA in Netflow, and Netflow packets are being received and increasing every time I refresh the page, but there is no traffic, as you can see in the attached file. Also, how can I figure out which ifindex is which interface, to rename it?
    BTW, my Netflow version is 8.0 and below is the Netflow config:
    access-list NETFLOWMONITOREDTRAFFIC extended permit ip any any
    flow-export destination INSIDE A.B.C.D 9996
    flow-export template timeout-rate 1
    flow-export delay flow-create 60
    flow-export active refresh-interval 2
    class-map NETFLOW
     match access-list NETFLOWMONITOREDTRAFFIC
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect ip-options 
      inspect netbios 
      inspect rsh 
      inspect rtsp 
      inspect skinny  
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect sip  
      inspect xdmcp 
      inspect icmp 
      inspect icmp error 
     class NETFLOW
      flow-export event-type all destination A.B.C.D
     class class-default
      flow-export event-type all destination A.B.C.D
    Hope someone can help me here.
    Cheers,
    Joe

    I did find a workaround by keeping a connection open for communication between the client and server. However, I wish I did not have to do this. Ideally, I would like to be able to establish connections to the server only when needed and have the client JRE remember what certificate the user selected.
    Browsers have this feature based on a user session. (i.e. once a user offers up a certificate to a server, the browser will not ask the user which certificate to send for the duration of the session to a given server).

  • What is Certificate and how to configure it in cacerts file...

    Hi,
    I got an error while authenticating to the LDAP server, saying "unable to find valid certification path to requested target". I came to know that I need to configure the LDAP server's certificate in the jre/lib/security/cacerts file, but I don't know how to do it.
    Could someone explain what that certificate is? How do I get that information from the LDAP admins? How do I configure the certificate on my machine, and how do I use it in our logic?
    Thanks,
    Sumant K

    I got the certificate and now I want to add it to my cacerts file. How do I do that? Please reply.
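    One way to do this from Java rather than with keytool, as an added example that is not from the thread: copy cacerts, add the LDAP server's (or its issuing CA's) certificate, and use the resulting trust store for an LDAPS bind. File paths, the alias, the bind DN and the expected SHA-256 fingerprint are all caller-supplied assumptions; the fingerprint is meant to be the value the LDAP admins hand you out of band.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;

public class LdapTrustSetup {
    // Hex SHA-256 fingerprint; compare it with the value the LDAP admins gave you out of band.
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    // Copy cacerts (a JKS file), add the certificate under 'alias' and write it to outPath.
    // The stock cacerts password is "changeit"; prefer the issuing CA's certificate over
    // the server's leaf certificate so that trust survives the server's next renewal.
    static void importCertificate(String cacertsPath, String certPath, String alias,
            String outPath, char[] password, String expectedFingerprint) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(cacertsPath)) { ks.load(in, password); }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {           // PEM or DER
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity();                                             // expired or not yet valid -> exception
        if (!sha256Fingerprint(cert).equalsIgnoreCase(expectedFingerprint))
            throw new SecurityException("fingerprint mismatch, refusing to import " + certPath);
        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream(outPath)) { ks.store(out, password); }
    }

    // Bind over LDAPS using the new trust store. JNDI picks the trust store up from these
    // system properties, so set them before the JVM performs its first TLS handshake.
    static void bindOverLdaps(String trustStorePath, char[] password, String ldapsUrl,
            String bindDn, String bindPassword) throws Exception {
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(password));
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);                         // e.g. ldaps://ldap.example.com:636
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        new InitialDirContext(env).close();                              // fails here if trust is still wrong
    }
}
```

    The import step is what `keytool -importcert -alias <alias> -file <cert> -keystore <cacerts>` does; either way, a JVM that already opened a TLS connection must be restarted before it sees the new entry.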

  • How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

    Hi Team,
    We were able to push the EAP-TLS configuration profiles and certificates to Windows devices via group policy.  However, we're now looking to see how we can accomplish this for MacBooks and iPhones.  Is there an open source application or something we can leverage to do this?
    Thanks

    I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
    Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
    Hope this helps!
    Thank you for rating helpful posts! 

  • How to configure an external certificate for MEP

    Hi,
    I want to configure an external certificate for my MEP gateway tier. Can anyone tell me the procedure for configuring the certificate?
    I am configuring behind a firewall and cannot run the default port 8181 for HTTPS, so where can I change the HTTPS port for MEP after installation? I also need to import external certificates into the keystore.

    Hi Jayanth,
    Both issues you raise are GlassFish issues rather than MEP issues per se.
    To change the port, after doing 'asadmin stop-domain mep' you just edit the domain.xml file in the .../domains/mep/config directory manually. Search for 8181 and change it to whatever you want, then restart GlassFish (asadmin start-domain mep).
    In the MEP Installation Guide, there is a section on establishing trust between tier1 and tier2 in a two-tier configuration. See http://docs.sun.com/app/docs/doc/820-7203/ggxmb?a=view
    Hopefully, you can generalize that procedure to your situation.

  • Don't know which technology to utilize or how to configure ASA5505

    I have an ASA5505.  Currently, it is using static NAT on several ports to forward traffic to several devices inside my network.  It is a pain not only to configure but from the end user side.
    The issue I am having is that the applications I am using to access the devices become a mess with dual configurations, one for when I am connected to the internal network and one for when I am away from the office and accessing from the internet.  For example, I have 2 Cisco VC240 IP Cameras behind the ASA5505.  One is set to use port 9091 and the other 9092.  When I am inside the office, I access them via http://10.1.2.215:9091 and http://10.1.2.216:9092.  But when I am away from the office, I have to have another configuration in an Android app to use them, http://external_ASA_IP:9091 and 9092, and then NAT 9091 to the object for Camera1 and 9092 for Camera2.  This is only one scenario.  I also have a UC320W that I would like to put an IP phone at home with, and it sounds like AnyConnect is the only way to do this.
    It sounds to me like if I use some type of VPN, I can access the same devices using the same IP whether internal or external, with the external connection using the VPN to tunnel the IP to the local network.  There seem to be quite a few ways to do this with an ASA 5505.
    AnyConnect seems like the way to go, but after reading Cisco documentation, it requires your Android device to be rooted if it is not a particular Samsung model.  If I understand correctly, rooting your phone voids the warranty.  I know it is common practice but would think Cisco would have a better solution, as I am sure Cisco would not want another manufacturer telling their customers to void the warranty on their Cisco equipment in order to get it to work.
    I believe I can just use IPSEC and use the native VPN of the Android OS and also tunnel L2TP, as Android supports IPSEC-PSK/L2TP or IPSEC-CRT/L2TP.  But will either of these support the IP phone to the UC320W?
    A friend also told me to use NginX to proxy URLs so the URL http://www.fqdn.com/camera1 gets proxied to the internal IP of Camera1 and http://www.fqdn.com/camera2 gets proxied to Camera2.  He says I should be able to store a cookie on the phone and let the phone authenticate to the camera, and if the phone cannot, the proxy can authenticate internally to the IP camera over SSL.
    I don't know anymore. I am so confused and just want to simplify my life, as I am just a small business with me and a couple of other employees, but I have a full-time job and it is not IT/Network Technician, it is only CTO/CEO/CIO/CFO.  I don't have hours upon hours to set this up and test, and I don't have hours upon hours to manage it.  I just need to simplify this and have it so that it is set-it-and-forget-it for 6 months to 1 year and then re-evaluate or update.  So, if someone suggests IPSEC, I would not know how to configure it anyway and you should expect another post.  The same for AnyConnect or any of the other suggestions.
    Thanks in advance for any advice.

    Hi!
    1. Set Calculation Mode property of ITEM_5 to Formula.
    Formula property:
    nvl(:Block_Name.ITEM_1, 0) + nvl(:Block_Name.ITEM_2, 0) + nvl(:Block_Name.ITEM_3, 0) + nvl(:Block_Name.ITEM_4, 0)
    OR
    Function_Name(Param_1,... Param_N);
    Bear in mind that the ITEM_5 data will not be saved in the database.
    2. A When-Validate-Item trigger is useful when it is necessary to store calculated item data in the database.
    Rename your Post-Query trigger to When-Validate-Item.
    Modify trigger: Store calculation result in the variable.
    (Don't forget to round variable value!)
    Then compare it with ITEM_5. If they are different - :ITEM_5 := var_name.
    I prefer the first method.

  • Anyconnect ASA 5510

    Hi people
    I have configured AnyConnect access with split tunneling and I can connect with the username and password, but the problem is: I can't connect to the two hosts I have given in my split tunneling. When I connect to AnyConnect I get the IP address which I specified in the pool, but still can't connect to the hosts. Another question is how to tell the ASA that only this IP address 10.54.112.90 should access via AnyConnect?
    I am new to the ASA world, so please bear with my questions if you think they're stupid.

    Since you are able to connect but not able to access the resources mentioned in split tunneling after connecting with VPN, it should be either a NAT or ACL issue, or maybe inspection if it's only ping that is not working.
    If you can post your configuration then I can check it for you; otherwise you can follow the link below to verify your configuration against a sample for AnyConnect with split tunneling:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
    Regarding the second question, it is not quite clear; however, if you are asking how to assign a specific address to a VPN user every time, you can configure that in the username attributes, or you can assign it via a third-party authentication server like RADIUS/TACACS if you have one.
    Hope that helps.
    Regards,
    Anuj
