How to configure ASA 5510 V9.1(5) to send Netflow packets to Netflow Analyser 8.0

Hi guys,
I've configured my ASA 5510 Version 9.1(5) to send flows to Netflow Analyser. I think I've done it correctly, but what happens is that I can see the ASA in Netflow Analyser and the NetFlow packet count is increasing every time I refresh the page, yet there is no traffic, as you can see in the attached file. Also, how can I figure out which ifindex is which interface, so I can rename it?
BTW, my netflow version is 8.0 and below is the netflow config:
access-list NETFLOWMONITOREDTRAFFIC extended permit ip any any
flow-export destination INSIDE A.B.C.D 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
flow-export active refresh-interval 2
class-map NETFLOW
 match access-list NETFLOWMONITOREDTRAFFIC
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
 class NETFLOW
  flow-export event-type all destination A.B.C.D
 class class-default
  flow-export event-type all destination A.B.C.D
Hope someone can help me here.
Cheers,
Joe
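Both parts of the question above (why a collector can count incoming NetFlow packets yet show no traffic, and what the ifindex numbers mean) come down to how a NetFlow v9 collector decodes what the ASA exports. The following is an added example, not part of Joe's post and not code from Netflow Analyser or Cisco: a minimal v9 decoder in Python that keeps templates per exporter, refuses to decode data flowsets whose template has not arrived yet, and annotates the INPUT_SNMP/OUTPUT_SNMP ifindex fields with names. The packets, the field layout and the ifindex-to-name map are constructed for the example using the standard v9 field IDs from RFC 3954; an ASA NSEL template carries additional ASA-specific fields that are not modelled here.

```python
"""Added example (not from the original post): decode NetFlow v9 exports the way a
collector does, so template handling and the ifindex fields are visible. Packets are
constructed here with standard v9 field IDs (RFC 3954); ASA NSEL adds fields not modelled."""
import struct

# Standard NetFlow v9 field type IDs (RFC 3954); the names are for display only.
FIELD_NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
               10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP"}
IPV4_FIELDS = {8, 12}
# Constructed ifindex -> name map; it is never in the flow data, a collector learns it via SNMP.
IFINDEX_NAMES = {2: "inside", 3: "outside"}


class NetflowV9Collector:
    """Templates are keyed by (source_id, template_id) as a real collector does. A data
    flowset whose template is still unknown cannot be decoded: it is counted in `pending`."""

    def __init__(self):
        self.templates = {}
        self.pending = 0

    def feed(self, packet):
        """Decode one export packet and return the flow records it contained."""
        version, _cnt, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet (version %d)" % version)
        flows, pos = [], 20
        while pos + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
            if fs_len < 4:
                raise ValueError("malformed flowset length %d" % fs_len)
            body = packet[pos + 4:pos + fs_len]
            if fs_id == 0:                          # template flowset
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                      # data flowset; its id is the template id
                flows.extend(self._decode_data(source_id, fs_id, body))
            pos += fs_len                           # fs_id 1 (options template) is skipped here
        return flows

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields  # list of (field type, length) pairs

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.pending += 1                       # data arrived before its template
            return []
        rec_len = sum(flen for _, flen in fields) or len(body) + 1  # empty template: no records
        flows, pos = [], 0
        while pos + rec_len <= len(body):           # bytes left over are 4-byte padding
            rec = {}
            for ftype, flen in fields:
                raw, pos = body[pos:pos + flen], pos + flen
                name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                rec[name] = ".".join(map(str, raw)) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
            flows.append(rec)
        return flows


def annotate(flow, ifnames=IFINDEX_NAMES):
    """Attach interface names to the numeric ifindex fields of one decoded flow."""
    out = dict(flow)
    for key in ("INPUT_SNMP", "OUTPUT_SNMP"):
        if key in out:
            out[key + "_NAME"] = ifnames.get(out[key], "ifindex-%d" % out[key])
    return out


# Builders for the constructed export packets; they mirror the v9 wire format.
def build_header(count, source_id, seq):
    return struct.pack("!HHIIII", 9, count, 123456, 1400000000, seq, source_id)

def build_template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def build_data_flowset(template_id, records):
    body = b"".join(records)
    body += b"\x00" * ((-len(body)) % 4)           # pad to a 4-byte boundary
    return struct.pack("!HH", template_id, 4 + len(body)) + body

TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (14, 2), (1, 4)]
# One constructed record: 10.0.1.5:51234 -> 192.0.2.10:443, TCP, in ifindex 2, out 3, 5120 bytes.
SAMPLE_RECORD = bytes([10, 0, 1, 5]) + bytes([192, 0, 2, 10]) + struct.pack("!HHBHHI", 51234, 443, 6, 2, 3, 5120)


def demo():
    """Returns (flows seen before the template arrived, flows seen after, pending count)."""
    template = build_template_flowset(256, TEMPLATE_FIELDS)
    data = build_data_flowset(256, [SAMPLE_RECORD])
    collector = NetflowV9Collector()
    early = collector.feed(build_header(1, 1, 0) + data)             # data only: undecodable
    later = collector.feed(build_header(2, 1, 1) + template + data)  # template first, then data
    return early, later, collector.pending
```

The point of `demo()` is the first call: a data flowset that arrives before its template is received and counted (the packet counter on the collector goes up) but yields no flow, which is exactly what "packets received, no traffic" looks like on a dashboard; the exporter re-sends the template at the interval set by `flow-export template timeout-rate`, after which the same data decodes. The ifindex values in INPUT_SNMP and OUTPUT_SNMP are plain numbers on the wire, so the name mapping has to come from outside the flow data, normally the exporter's SNMP interface table, which is why the collector asks you to name them.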

I did find a workaround by keeping a connection open for communication between the client and server. However, I wish I did not have to do this. Ideally, I would like to be able to establish connections to the server only when needed and have the client JRE remember what certificate the user selected.
Browsers have this feature based on a user session. (i.e. once a user offers up a certificate to a server, the browser will not ask the user which certificate to send for the duration of the session to a given server).

Similar Messages

  • How to configure the file adaptor so as to send an sample XML message.

    Hi all ,
    I had done the configuration and now I want to test the scenario, but I don't know how to do that.
    How do I configure the file adapter so as to send a sample XML message to the integration server?
    I am totally new to XI.
    Please help me out with how to do it.
    It's urgent.
    Thanks,
    shuja

    Hi,
    I think you should post your question in Process Integration (PI) & SOA Middleware.
    Regards
    Message was edited by: Shehryar Khan

  • Looking for Recommendation for Redundant or Backup ISP configuration: ASA 5510

    Good Day,
    Currently I have two ASA 5510s, version 8.2(5) with the security plus license, in my environment. These are configured to fail over with the SAME ISP in the event of hardware failure. We are currently trying to introduce an ISP backup configuration. I've already engaged ISPs for services; however, I was wondering what additional configuration this may entail. Can anyone advise on a best practice/configuration in this regard?
    I am trying to achieve high availability for services provided by another company location. Looking forward to any assistance that can be provided.
    Thanks much.

    Cisco has a whitepaper on setting this up. It's a bit dated but mostly applicable.
    With an HA pair of ASAs, we typically setup a switch (or stack for higher availability) between the HA pair and upstream routers. Other than that, the whitepaper is followed.
    The only significant issue is whether you have any incoming services exposed via public IP and don't have your own provider-independent address block. In that case, you need to account for how those services will be reachable in the event that you are using the address of your secondary provider. This usually involves some DNS changes or other such work.
    Some people offload the whole setup to an external device like a FatPipe Warp appliance.

  • Configuring ASA 5510

    I have turned on the aaa command authorization without applying adequate privileges to the user. I can now log in through that user but the ASA 5510 displays an error:
    ASA5510# show run
    ERROR: % Invalid input detected at '^' marker.
    ERROR: Command authorization failed
    Need your help to resolve this issue.
    Posted by WebUser Mugisha Vianney

    Can I access both the FW and IPS through the dedicated management port via SSH and ASDM/IDM?
    Sorta, you can ssh to the ASA and from there establish a backplane connection to the module.
    Can I assign the management port an external IP address and establish a L2L VPN tunnel for remote management and tunnel syslog and IPS logs through it?
    Would I be able to route Syslog and IPS event through the Management port to a remote event collector?
    Yes, but you can't do the IPS part though.
    The IPS is an independent unit and will use its own management interface to send logs; the only way you can do this is to log into the ASA, then into the IPS, and get the logs you are looking for.
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1198794
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1214750
    Cabling clarification: internal switch connected to the ASA's management interface and to the IPS' management interface.
    This is ok, if you want the units to communicate make sure they are part of the same vlan.

  • Move CA from Win2K3 to Win2012R2 - how to configure ASA

    Hi Guys,
    I've a little problem with an ASA in combination with a Microsoft CA.
    First, I will describe the environment we have, which works:
    CERTSRV => A Windows Server 2003 server, with a standalone CA, activated NDES / SCEP service and a RADIUS / IAS service to let the ASA authenticate VPN users against the local Windows users. The CA root cert has a key length of 512 bit.
    Our goal is to move the CA and the RADIUS to a Windows 2012 R2 server. Due to the restriction of the Windows 2012 CA rejecting CA certs with less than 1024 bit, we cannot simply import the current CA cert pair into the new CA.
    Also, we won't upgrade the CA key pair on our current Win2k3 CA, because we cannot estimate the side effects and the ASA VPNs must work.
    So we came to the fabulous idea of cloning the Win2k3 CERTSRV into a VM. There we generate a new key pair with 1024 bit length. Then we export this key, export the database from the live system and import both successfully into the new 2012 R2 CA. SCEP and NAP services are installed and tested successfully. We are able to create a new client cert with SCEP.
    Our actual problem is that we don't know how to handle the new, upgraded CA in the ASA configuration.
    I added the new CA in the CA Certificates Menu
    Here is the relevant part of the ASA log (debug level)
    7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE SENDING Message (msgid=6b028bd2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing qm hash payload
    7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing IKE delete payload
    7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing blank hash payload
    7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], sending delete/delete with reason message
    7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE SA MM:49765104 terminating:  flags 0x0105c002, refcnt 0, tuncnt 0
    7|Feb 27 2014|11:56:58|715065|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE MM Responder FSM error history (struct &0xadcda9c0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_CERT_FAIL-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ACTIVATE_NEW_SA-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT
    5|Feb 27 2014|11:56:58|713904|||||Group = DefaultRAGroup, IP = [CLIENT_IP], Certificate Validation Failed
    3|Feb 27 2014|11:56:58|717027|||||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
    7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
    7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
    7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
    7|Feb 27 2014|11:56:58|717029|||||Identified client certificate within certificate chain. serial number: 1F00000951EB42CE6BD7157E2E000400000951, subject name: [CERT ATTRIBUTES].
    7|Feb 27 2014|11:56:58|717025|||||Validating certificate chain containing 1 certificate(s).
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Connection landed on tunnel_group DefaultRAGroup
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via default group...
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IP ADDR...
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IKE ID...
    3|Feb 27 2014|11:56:58|713020|||||IP = [CLIENT_IP], No Group found by matching OU(s) from ID payload:  
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via OU...
    4|Feb 27 2014|11:56:58|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
    7|Feb 27 2014|11:56:58|717036|||||Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via cert rules...
    6|Feb 27 2014|11:56:58|713172|||||IP = [CLIENT_IP], Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing notify payload
    7|Feb 27 2014|11:56:58|713906|||||Dump of received Signature, len 256:
    7|Feb 27 2014|11:56:58|715076|||||IP = [CLIENT_IP], Computing hash for ISAKMP
    7|Feb 27 2014|11:56:58|715001|||||IP = [CLIENT_IP], processing RSA signature
    7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert request payload
    7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert payload
    7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], DER_ASN1_DN ID received, len 145
    7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing ID payload
    7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 3111
    7|Feb 27 2014|11:56:58|715063|||||IP = [CLIENT_IP], Successfully assembled an encrypted pkt from rcv'd fragments!
    Do you know which is the best practice for us?
    Best regards from Germany
    Edit: I see I missed some more information. Old VPN clients, with certs created on the old Win2k3 CertSrv, are working:
    6|Feb 27 2014|13:27:52|717028|||||Certificate chain was successfully validated with revocation status check.
    6|Feb 27 2014|13:27:52|717022|||||Certificate was successfully validated. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTRB] .
    7|Feb 27 2014|13:27:52|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
    7|Feb 27 2014|13:27:52|717029|||||Identified client certificate within certificate chain. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTR].
    7|Feb 27 2014|13:27:52|717025|||||Validating certificate chain containing 1 certificate(s).
    7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Connection landed on tunnel_group DefaultRAGroup
    7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via default group...
    7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IP ADDR...
    7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IKE ID...
    Here is the configuration of the trustpoints:
    crypto ca trustpoint ASDM_TrustPoint0
    revocation-check crl
    enrollment url http://U.X.Y.Z:80/certsrv/mscep/mscep.dll
    fqdn xxxxx
    subject-name [CERT_ATTRB]
    keypair asa01.key
    crl configure
      no protocol ldap
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpoint ASDM_TrustPoint2
    revocation-check crl none
    enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
    no client-types
    crl configure
      no protocol ldap
    crypto ca trustpoint ASDM_TrustPoint3
    crl configure
    crypto ca trustpoint ASDM_TrustPoint4
    revocation-check crl none
    enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
    no client-types
    crl configure
      no protocol ldap
    crypto ca trustpoint ASDM_TrustPoint5
    enrollment terminal
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 2a5a90e900010000083c
      quit
    certificate ca 1e185567c7bc7e91473edd472e033d78
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca 10acffbf9fb6429947e0cdea136cf8eb
      quit
    crypto ca certificate chain ASDM_TrustPoint2
    certificate ca 10acffbf9fb6429947e0cdea136cf8eb
      quit
    crypto ca certificate chain ASDM_TrustPoint4
    certificate ca 10acffbf9fb6429947e0cdea136cf8eb
      quit
    crypto ca certificate chain ASDM_TrustPoint5
    certificate ca 3ae8ce8cf1619498418f9982315e6ad9
      quit

    This seems to be a very useful answer, but can you provide me with some code or some link where I can find some help? Actually I am new to SSIS.
    Here are some good examples for filling variables with an Execute SQL Task:
    http://dataqueen.unlimitedviz.com/2012/08/how-to-set-and-use-variables-in-ssis-execute-sql-task/
    http://dwbi1.wordpress.com/2011/06/06/ssis-updating-a-variable-based-on-database/
    And here is how you set the value of a property of the foreach loop with an expression:
    Please mark the post as answered if it answers your question | My SSIS Blog:
    http://microsoft-ssis.blogspot.com |
    Twitter

  • How to configure ASA to allow activesync connections ?

    To allow Activesync connections (between smartphones and an internal Exchange server) thru an ASA, I think about 3 or 4 potential solutions :
    1) do a NAT on the Exchange server and allow activesync TCP connections from any IP to the Exchange server: I tested that and this works, but it is not the most secure solution we can imagine;
    2) use a Clientless SSL VPN ASA configuration: I tried it, but got problems, certainly related to the fact that the Activesync client installed on my Android/Samsung smartphone does not seem to be able to pass properly thru the ASA Portal to reach the Exchange server;
    3) use an Anyconnect VPN ASA configuration: I tried it, but did not manage to install or use any of the Samsung Anyconnect clients available on Android Market; by the way, I saw, in the Anyconnect VPN Client Admin Guide 2.4, that an ActiveSync MSI is available from CISCO (anyconnect-wince-ARMv4I-activesync-AnyConnectRelease_Number-k9.msi), but I don't see any details about how it is supposed to be used except that it is for Windows environments only, so, not for an Android phone, but I have Windows Mobile smartphones to integrate too, so, maybe it can help me in this case;
    4) if neither the Clientless nor the Anyconnect solution can work, it might be better to use the ASA Cut-Through proxy function to get a more secure solution than the first one listed above; but I was not successful either with this cut-through proxy function.
    Any ideas or examples about how to allow activesync connections thru ASA would be welcome.
    thanks in advance

    Hi,
    Generally, ASA with CSC will support HTTP, FTP, SMTP and POP3 scanning and filtering.
    From ASA version 8.4.2 and CSC 6.6.1125.0, it will support HTTPS filtering also.
    But one limitation here is that HTTPS filtering will not support versions of Internet Explorer earlier than 9, i.e. if you want HTTPS filtering you must use Internet Explorer 9 or later (as you know, Windows XP machines won't support Internet Explorer 9). With Firefox, HTTPS filtering is supported from version 4.
    For your reference use below 8.4.2 release guide
    http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
    Release notes for CSC version 6.6.1125
    http://www.cisco.com/en/US/docs/security/csc/csc66/release/notes/cscrn66.pdf
    Basic configuration of the CSC
    http://www.cisco.com/en/US/docs/security/csc/csc6.1.1569.0/administration/guide/cscappa.pdf
    Sending traffic to the CSC module (using ASDM and CLI)
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml
    The troubleshooting guide:
    http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc8.html#wp1147829
    Hope this will help you...
    Do rate helpful posts.
    Regards,
    Janardhan

  • How to configure and publish Webservice (WMS Redprairie) to SAP using RFC

    Hi XI Techno Savies,
    I know how to configure SAP RFC and SAP IDOC adapters for sending and receiving. I want to know the step-by-step procedure to configure and publish web services for the Warehouse Management System "REDPRAIRIE" for sending and receiving messages to SAP R3/BW. Kindly help me.
    Thanks,
    Sridhara Addala.

    Hi,
    This doc may help you-general
    http://help.sap.com/saphelp_nw04/helpdata/en/0d/2eac5a56d7e345853fe9c935954ff1/content.htm
    /people/durairaj.athavanraja/blog/2004/09/20/consuming-web-service-from-abap
    in XI-
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/befdeb90-0201-0010-059b-f222711d10c0
    Regards,
    Moorthy

  • Configuring port mirroring on the MA561x to capture voice packets?

    How to configure port mirroring on the MA561x to capture voice packets? Now I use the MA5616. Any help would be appreciated!

    I use the MA5616, too, and I bought it from www.huanetwork.com, nice price. For the configuration of this problem, please visit: http://momopp.blogdetik.com/

  • How to configure QOS on certain IP in the Cisco ASA 5510

    Hi,
    I need to configure QoS on certain IPs in the Cisco ASA 5510. Assume the IPs are 10.0.1.5, 10.0.1.6 and 10.0.1.7. Here I have to configure 512 KBPS for 10.0.1.5 and 2 MBPS for 10.0.1.6 and 10.0.1.7.
    Can this be done on an ASA 5510 series? If yes, can you help me with how?
    Regards,
    Venkat

    Yes, you can do it. You can match the IP addresses in an access-list, put it in a class-map and the class-map in a policy-map that will do policing.
    Good examples for what you want to do are here https://supportforums.cisco.com/docs/DOC-1230
    I hope it helps.
    PK

  • How to configure CISCO ASA 5510 for internal remote desktop ?

    Hello, I have a client that wants to install a new ASA (5510) in their network,
    and then I did some experiments to implement it. The topology is like this:
    --------configuration---------
    2800 router :
    interface FastEthernet0/0
    ip address 172.16.1.1 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.11.3 255.255.255.0
    duplex auto
    speed auto
    ip route 192.168.12.0 255.255.255.0 172.16.1.2
    1841 router :
    interface FastEthernet0/0
    ip address 172.16.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.12.1 255.255.255.0
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    ASA 5510 :
    : Saved
    : Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
    ASA Version 8.2(1)
    hostname ciscoasa
    enable password **** encrypted
    passwd ***** encrypted
    names
    name 192.168.12.0 Branch
    dns-guard
    interface Ethernet0/0
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.11.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
    access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
    tcp-map mssmap
      synack-data allow
      invalid-ack allow
      seq-past-window allow
      urgent-flag allow
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    asdm location Branch 255.255.255.0 inside
    no asdm history enable
    arp timeout 14400
    static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
    static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    route inside Branch 255.255.255.0 172.16.1.1 1
    timeout xlate 3:00:00
    timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ***** password ***** encrypted
    class-map mymap
    match access-list inside_access_in
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    policy-map myPolicy
    class mymap
      set connection advanced-options mssmap
    service-policy global_policy global
    service-policy myPolicy interface inside
    prompt hostname context
    Cryptochecksum:a605d94f29924e5267644dd0f4476145
    : end
    I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those hosts.
    Then I used Wireshark to capture packets on my computer and it says TCP ACKed Lost Segment:
    "1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
    "1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
    I can guarantee that both computers are remote desktop enabled and all firewall have been disabled.
    please help, any suggest would be great .
    thanks .
    sincerely yours
    -IAN WIJAYA-

    Dear Ian_benderaz,
    Thank god I am not alone on this.
    Me too, I am having the exact same problem: I can ping the host, but no remote desktop.
    Somebody please help me on this, how to enable remote desktop on ASA 5505.
    Thanks 

  • How to configure Cisco ASA 5500 to work with the iPhone

    We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
    http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
    We've set up our first iPhone properly. It connects fine to the network and shows the VPN connection as active. It gets a private IP address. But it does not let any traffic go to the internal network. We thought it might be a DNS problem, but it cannot connect to the Exchange server even when using the IP address instead of DNS. No luck either.
    After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
    Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
    I noticed that many people are having these problems.
    Please do not post to this topic if you have ANY OTHER Cisco device.
    Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
    Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
    It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
    Thank you!
    Oleg R

    We found the solution and a bug in Cisco firmware (seems to be a bug).
    First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set iphone esp-3des esp-sha-hmac
    crypto ipsec transform-set iphone mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
    crypto map outside_map 10 match address vpn
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp nat-traversal 20
    group-policy iphone internal
    group-policy iphone attributes
     wins-server value <insert ip> <insert ip>
     dns-server value <insert ip> <insert ip>
     vpn-tunnel-protocol IPSec
     ipsec-udp enable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value iphone_splitTunnelAcl
     default-domain value <insert domain name>
    tunnel-group iphone type remote-access
    tunnel-group iphone general-attributes
     address-pool VPN-Pool
     authentication-server-group ActiveDirectory2
     default-group-policy iphone
    tunnel-group iphone ipsec-attributes
     pre-shared-key <insert pre-shared key>
    For iPhone you have to be using the IPSec tab for configuration.
    We tried to set up this config using the wizards, but it would not work.
    Later it turned out that wizards by default set this setting:
    "crypto isakmp nat-traversal 20"
    equal to zero and there is no way to change it from the GUI.
    Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
    Please let me know how it works out for you.
    Message was edited by: Rogik

  • ASA 5510 ignoring configured acl entry?

    Greetings,
      I'm configuring an ASA-5510, and I have several interfaces, some of which include:
    interface Ethernet0/0.200
    vlan 200
    nameif SITECORP
    security-level 90
    ip address 10.1.4.1 255.255.254.0
    interface Ethernet0/0.207
    vlan 207    
    nameif SITESERVER
    security-level 90
    ip address 10.1.7.1 255.255.255.128
    interface Ethernet0/1.311
    vlan 311
    nameif MOD1BMS
    security-level 100
    ip address 10.1.144.1 255.255.252.0
    I have the following access-lists configured and applied:
    access-list SITECORP_access_in extended permit ip any any
    access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
    access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
    fw# show run object-group
    object-group network SITECORP
    network-object 10.1.4.0 255.255.254.0
    object-group network MOD1BMS
    network-object 10.1.144.0 255.255.252.0
    object-group network SITESERVER
    network-object 10.1.7.0 255.255.255.128
    fw# show run nat-control
    no nat-control
    packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group SITECORP_access_in in interface SITECORP
    access-list SITECORP_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd5641ec8, priority=12, domain=permit, deny=false
            hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd544e8c8, priority=110, domain=permit, deny=true
    hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0
    This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
    Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
    Regards,
      Phil

    Hello Phil,
    That is correct: no matter what ACEs (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection will not be allowed (ASA/PIX speaking).
    But you do not have to change the security level; of course that is one workaround, but again the solution is:
    -     same-security-traffic permit inter-interface
    Please mark the question as answered for future queries regarding the same issue unless you have any other question, I would be more than glad to help.
    Regards,
    Julio
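The two packet-tracer runs above differ only in the rule that decides Phase 3: an ACE from SITECORP_access_in (deny=false, priority=12) versus an "Implicit Rule" (deny=true, priority=110), which is exactly the distinction Julio's answer turns on. The parser below is an added example, not code from the thread or from Cisco: it splits pasted packet-tracer output into phase records, pulls the key=value attributes out of the rule dump, and reports whether a DROP came from an ACE you wrote or from an implicit rule. The two sample strings are constructed from the output quoted above (prompt and <snip> lines included, so the parser has to skip them).

```python
import re
from typing import Dict, List, Optional

# Constructed samples: the two Phase 3 blocks from the packet-tracer runs
# quoted above, with the "fw#" prompt line and "<snip>" left in so the parser
# has to skip non-phase text the way real pasted output requires.
SAMPLE_ALLOW = """\
fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
<snip>
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group SITECORP_access_in in interface SITECORP
access-list SITECORP_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd5641ec8, priority=12, domain=permit, deny=false
        hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
"""

SAMPLE_DROP = """\
fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
<snip>
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd544e8c8, priority=110, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
"""

HEADER_KEYS = ("Type", "Subtype", "Result")


def parse_packet_tracer(text: str) -> List[Dict[str, object]]:
    """Split packet-tracer output into one record per 'Phase: N' block.

    Each record holds the phase number, the Type/Subtype/Result headers, the
    lines listed under 'Config:' and the lines under 'Additional Information:'.
    Text before the first 'Phase:' line (prompt, <snip>) is ignored.
    """
    phases: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "Type": "", "Subtype": "",
                       "Result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if current is None or not line:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        key, sep, value = line.partition(":")
        if section is None and sep and key in HEADER_KEYS:
            current[key] = value.strip()
        elif section is not None:
            current[section].append(line)
    return phases


def rule_attrs(info_lines: List[str]) -> Dict[str, str]:
    """Collect key=value pairs (id, priority, domain, deny, hits, ...) from the
    rule dump; the first occurrence of a key wins, so 'ip' is the src ip."""
    attrs: Dict[str, str] = {}
    for line in info_lines:
        for key, value in re.findall(r"(\w+)=([^,\s]+)", line):
            attrs.setdefault(key, value)
    return attrs


def first_drop(text: str) -> Optional[Dict[str, object]]:
    """Return the first phase whose Result is DROP, or None if the trace allowed."""
    for phase in parse_packet_tracer(text):
        if str(phase["Result"]).upper() == "DROP":
            return phase
    return None


def explain(text: str) -> str:
    """One-line verdict: which phase dropped the packet and on what rule."""
    phase = first_drop(text)
    if phase is None:
        return "ALLOW: no phase dropped the packet"
    attrs = rule_attrs(phase["info"])
    config = " ".join(phase["config"]) or "(no config shown)"
    verdict = f"DROP in phase {phase['phase']} {phase['Type']}: {config}"
    if config == "Implicit Rule" and attrs.get("deny") == "true":
        # Not an ACE from the interface access-list: in the thread above the
        # implicit deny came from two interfaces sharing a security level.
        verdict += " (implicit deny, not an ACE in the access-list; id=" + attrs.get("id", "?") + ")"
    return verdict


if __name__ == "__main__":
    print(explain(SAMPLE_ALLOW))
    print(explain(SAMPLE_DROP))
```

The useful check is the Config section of the dropping phase: when it names an access-group and ACE, the fix is in that ACL; when it reads "Implicit Rule" with deny=true, as in Phil's second trace, the ACL is not what is denying the flow and the interface relationship (here, equal security levels) is the place to look.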

  • How to copy contents of ASA 5510 to another ASA 5510?

    Hello,
    I want to copy the contents of one ASA 5510 to another 5510.
    Both ASAs have the same license.
    - I tried to connect to the 2nd ASA via console cable
    - Went to "conf t" and pasted the config of the 1st ASA [using the paste tab from HyperTerminal]
    - Used commands like copy running config disk0:/startup.config.cfg
    - Also used write memory all and wr mem commands
    - But after the reboot the config was gone.
    As of now I have ASA version 8.3.x on both ASAs.
    How can I save the config to the 2nd ASA via HyperTerminal?

    I am trying to save a basic config.
    The basic config is also not getting saved.
    Steps followed:
    - Gave a private IP to eth 0/1
    - no shut
    - speed auto
    - wr
    - exit
    - wr
    - exit
    - hostname asasec
    - wr
    - reload
    After the reload the firewall has not saved the configuration.

  • ASA 5510 - how many concurrent VOIP calls can pass through?

    Hi all,
    I wonder how many concurrent VoIP calls a Cisco ASA 5510 can handle, any idea?
    Gegham

    Hi Gegham,
    Basically, the values of 50,000 and 130,000 connections are lab values tested with 80% TCP and 20% UDP traffic (according to Table A-2 in the doc below).
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1170941
    RTP is UDP traffic, but in the case of an ASA and considering a customer scenario, what happens is...
    1 VoIP call = 1 control connection (H.323, SIP, SCCP) + 2 or 4 RTP connections
    - so a call will in total easily consume 5 or more connections depending on the control connections you have set up.
    - also this number differs depending on whether the call is voice only or video.
    So to simply answer your questions...
    1> The number of connections that a call consumes depends on the above factors.
    2> Also there is no hard number on the number of calls an ASA can handle, because this depends on the controls you use ... including NAT and inspections.
    Thanks,
    Karthik

  • ASA 5505 8.4. How to configure the switch from the backup channel to the primary with a delay (e.g. 5 min) using the SLA?

    I have an ASA 5505 running 8.4. How do I configure the switch from the backup channel to the primary with a delay (for example 5 min) using the SLA monitor?
    Or is there something else to implement it with?
    My configuration for the SLA monitor:
    sla monitor 123
     type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
     num-packets 3
     timeout 3000
     frequency 10
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability

    Hey cadet alain,
    thank you for your answer :-)
    I have deleted all such attempts that were not working, so a packet-trace will not be very useful content...
    Here is the log line when I try to browse port 80 from outside (80.xxx.xxx.180:80) without a VPN connection:
    3 | Nov 21 2011 | 18:29:56 | 77.xxx.xxx.99 | 59068 | 80.xxx.xxx.180 | 80 | TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
    The attached file is only the show running-config.
    Now I can with my AnyConnect clients, too, but after the connection is up, my VPN clients can't surf the web any longer because AnyConnect serves as the default route on 0.0.0.0 ... that's bad, too.
    Actually the AnyConnect and NAT/ACL problems are my last two open problems until I set up the second ASA on the right ;-)
    Regards.
    Chris
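The log line Chris pastes is the ASDM log viewer's table row spilled into columns (severity, date, time, source IP and port, destination IP and port, message text). Its text is the form the ASA logs as syslog 710003, which it emits for a connection whose destination is the firewall's own interface address rather than a host behind it, so for a port that was meant to be forwarded it says the NAT rule was not matched before the to-the-box check. The code below is an added example, not from the thread or from Cisco: it parses such rows, cross-checks the address columns against the message text, and groups the denials by interface, destination and port with a count and the set of distinct sources, which is the summary you want before deciding whether a denial is your missing NAT/ACL rule or just unsolicited traffic at the outside address. The first row is the one from the post; the other two rows are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed rows in the ASDM log-viewer layout shown in the post (severity,
# date, time, source IP, source port, destination IP, destination port, text).
# The first row is the one from the post; the other two are made up here.
ROWS: List[List[str]] = [
    ["3", "Nov 21 2011", "18:29:56", "77.xxx.xxx.99", "59068", "80.xxx.xxx.180", "80",
     "TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80"],
    ["3", "Nov 21 2011", "18:30:02", "77.xxx.xxx.99", "59071", "80.xxx.xxx.180", "80",
     "TCP access denied by ACL from 77.xxx.xxx.99/59071 to outside:80.xxx.xxx.180/80"],
    ["3", "Nov 21 2011", "18:31:10", "198.51.100.7", "40000", "80.xxx.xxx.180", "22",
     "TCP access denied by ACL from 198.51.100.7/40000 to outside:80.xxx.xxx.180/ssh"],
]

# Message form: "{TCP|UDP} access denied by ACL from src/sport to iface:dst/service".
# The service field may be a number or a name, so it is kept as text.
DENY_RE = re.compile(
    r"^(?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<iface>[^:\s]+):(?P<dst>\S+)/(?P<service>\S+)$"
)


@dataclass(frozen=True)
class AclDeny:
    severity: int
    when: str          # "Nov 21 2011 18:29:56", as the viewer shows it
    proto: str
    src: str
    sport: int
    iface: str         # interface named in the message, e.g. "outside"
    dst: str
    dport: int         # destination port column of the viewer row
    service: str       # service field of the message text (number or name)


def parse_row(row: List[str]) -> Optional[AclDeny]:
    """Turn one eight-column viewer row into an AclDeny, or None if the text is
    not this message or disagrees with the address columns."""
    if len(row) != 8:
        return None
    m = DENY_RE.match(row[7])
    if not m:
        return None
    if m["src"] != row[3] or m["sport"] != row[4] or m["dst"] != row[5]:
        return None  # columns and message text should describe the same flow
    return AclDeny(
        severity=int(row[0]), when=f"{row[1]} {row[2]}", proto=m["proto"],
        src=m["src"], sport=int(m["sport"]), iface=m["iface"], dst=m["dst"],
        dport=int(row[6]), service=m["service"],
    )


def summarize(rows: List[List[str]]) -> Dict[str, Dict[str, object]]:
    """Group denials by interface:destination/port, counting hits and the
    distinct sources that produced them."""
    out: Dict[str, Dict[str, object]] = {}
    for row in rows:
        d = parse_row(row)
        if d is None:
            continue
        key = f"{d.iface}:{d.dst}/{d.dport}"
        entry = out.setdefault(key, {"hits": 0, "sources": set(), "proto": d.proto})
        entry["hits"] += 1
        entry["sources"].add(d.src)
    return out


if __name__ == "__main__":
    for key, entry in summarize(ROWS).items():
        print(f"{key}: {entry['hits']} {entry['proto']} denial(s) from {sorted(entry['sources'])}")
```

Rows whose message text does not match the columns are dropped rather than guessed at; in a real export that mismatch usually means the columns were shifted by a multi-line message, and silently accepting them would attribute a denial to the wrong source.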
