LMS 3.2: Compliance Mngt: ASA tacacs configuration

Hi there!
I'm stuck (again *sigh*) with CiscoWorks compliance management.
I would like to check our tacacs configuration (ASA):
aaa-server TACACS+ (inside) host <server1>
 timeout 20
 key <key>
aaa-server TACACS+ (inside) host <server2>
 timeout 20
 key <key>
aaa-server TACACS+ (inside) host <server3>
 timeout 20
 key <key>
I would like to know if there is a timeout and key statement for every tacacs server configured.
How can this be done with compliance management?
It seems to me that compliance mngt can't check for three occurrences of the same line (e.g. key or timeout)?
If you have any ideas, please let me know.
Thanks!
Holger

RME doesn't break out all of the sub-modes of the ASA.  Only interfaces are broken out into sub-modes.  To make sure the "inspect sqlnet" and "inspect esmtp" commands aren't in the config, you'd have to check in global mode.
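Since a baseline template cannot express "every aaa-server host must carry its own timeout and key", one practical alternative is to run a script over the archived raw config (for example the RME shadow copy mentioned later in this thread). The following is an added example, not LMS template syntax and not code from anyone in the thread. The sample config, its host addresses and the function names are constructed for illustration, and the parser assumes the archived copy keeps the ASA's one-space indentation of sub-mode lines.

```python
"""Check that every TACACS+ aaa-server host on an ASA carries both a
``timeout`` and a ``key`` statement.

Added example: a stand-alone script run over an archived running config,
not an LMS compliance template. It reports per-host gaps, which the LMS
baseline check cannot express for repeated sub-mode lines.
"""
import re

# Constructed sample config (not from the thread): three TACACS+ hosts,
# one missing its key and one missing its timeout, plus a RADIUS host
# that must be ignored. ASA prints sub-mode lines with one leading space.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.11
 timeout 20
 key ******
aaa-server TACACS+ (inside) host 10.0.0.12
 timeout 20
aaa-server TACACS+ (inside) host 10.0.0.13
 key ******
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.21
 key ******
"""

HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")


def parse_aaa_hosts(config):
    """Return a list of (group, interface, host, {keyword: rest_of_line})."""
    hosts = []
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            # Indented line: an attribute of the most recent host entry.
            parts = raw.strip().split(None, 1)
            current[3][parts[0]] = parts[1] if len(parts) > 1 else ""
            continue
        current = None  # any top-level line ends the previous host block
        m = HOST_RE.match(raw)
        if m:
            current = (m.group(1), m.group(2), m.group(3), {})
            hosts.append(current)
    return hosts


def protocol_of_group(config, group):
    """Look up the protocol declared for an aaa-server group, or None."""
    pattern = rf"^aaa-server {re.escape(group)} protocol (\S+)"
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None


def check_tacacs_hosts(config, required=("timeout", "key")):
    """Return [(host, missing_keyword)] for every host in a tacacs+ group."""
    findings = []
    for group, _iface, host, attrs in parse_aaa_hosts(config):
        if protocol_of_group(config, group) != "tacacs+":
            continue
        for keyword in required:
            if keyword not in attrs:
                findings.append((host, keyword))
    return findings


if __name__ == "__main__":
    for host, keyword in check_tacacs_hosts(SAMPLE_CONFIG):
        print(f"{host}: missing '{keyword}'")
```

The check keys on the group's `protocol` line rather than on the group name, so a TACACS+ group called anything other than "TACACS+" is still covered. If the archived copy has lost its indentation (as the pasted snippet in this post has), every host will be reported as missing both statements, so verify the raw file before trusting the report.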

Similar Messages

  • TACACS+ configuration for Cisco ASA

    I tried configuring TACACS+ configuration for ASA but unable to complete it. I have ACS 3.3 for all other Cisco Routers and Switches

    Leo,
    I was looking around and came across this post. It's very late; however, I wanted to add my inputs for other community members.
    RSA Token/One-Time-Password support is available with ASDM only in SINGLE ROUTED MODE. If you are in Single Routed Mode, you can do OTP with ASDM if you are running ASA 8.2+ with ASDM 6.2+.
    If the firewall is running in multi-context and transparent mode, it won't work. Below is the enhancement request that was filed for the same feature to be supported.
    CSCtf23419    ASDM OTP authentication support in multi-context and transparent modes
    With WLC it is not yet possible and there is an enhancement request filed.
    CSCuf61598    WLC: Need ability to support multiple sessions via OTP authentication
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • LMS 4.0 support for ASA firewall

    I need to add ASA 5520 to LMS 4.0, mainly for configuration archiving. ASA seems to be supported on LMS 3.2 as per the below link.
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/device_support/table/lms32sdt.html
    I had directly added the ASA to the DCR, with the right login credentials and SNMPv3 strings, but still LMS fails to detect the ASA.
    Thanks in advance.

    Thanks Nael for the reply, please find below the SNMP configuration on the ASA
    snmp-server group SNMPGRP v3 auth
    snmp-server user SNMPUSR SNMPGRP v3 encrypted auth md5 a9:ba:79:44:5b:b0:98:65:88:30:a1:8b:7b:69:a2:9c
    snmp-server host inside 10.88.80.11 trap version 3 SNMPGRP
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    The show version is given below.
    ASA5520# sh ver
    Cisco Adaptive Security Appliance Software Version 8.2(3)
    Compiled on Fri 06-Aug-10 07:51 by builders
    System image file is "disk0:/asa823-k8.bin"
    Config file at boot was "startup-config"
    ASA5520 up 8 days 19 hours
    failover cluster up 25 days 14 hours
    Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    0: Ext: GigabitEthernet0/0  : address is 001f.9e50.8a24, irq 9
    1: Ext: GigabitEthernet0/1  : address is 001f.9e50.8a25, irq 9
    2: Ext: GigabitEthernet0/2  : address is 001f.9e50.8a26, irq 9
    3: Ext: GigabitEthernet0/3  : address is 001f.9e50.8a27, irq 9
    4: Ext: Management0/0       : address is 001f.9e50.8a28, irq 11
    5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
    6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    This platform has an ASA 5520 VPN Plus license.
    Serial Number: JMXXXXX
    Running Activation Key: XX
    Configuration register is 0x1
    Configuration last modified by enable_1 at 15:05:29.268 AST Sun Jun 12 2011
    When I add the ASA to the LMS using SNMPv3, the Device Management shows a blue box with a question mark (shown below).
    Is ASA supported on LMS 4.0 with SNMPv3? Troubleshooting on the LMS shows that LMS might only support SNMPv1 & v2.

  • ASA 5505 configured for WebVPN connecting to Citrix Web Interface

    ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
    I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (which I added as a bookmark to the Citrix server, http://172.30.40.5). I enter Citrix and then, for example, when I want to open Outlook it cannot open (when I want to open some application, no application opens). There is no alarm on the ASA. How do I solve this issue?
    thanks.

    Teymur,
    Can you confirm that after disabling the ssl/tls on the Citrix server (secure connectivity) that you are getting exactly the same error. It is possible that it is generating a different error.
    The bug where we have seen the existing error was CSCtf06303 but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA.
    If you have confirmed the above two notes it may be advantageous to open a TAC case as we may need to do some live additional troubleshooting.
    Thanks
    -Jay

  • Advanced ASA PAT configuration...

    I have a unique requirement for my ASA PAT configuration...
    By default a Cisco router running IOS will utilize the SAME port when creating a dynamic PAT, i.e. the inside host's request generates a dynamic PAT where the request's source port is the port which is translated to the inside host from the outside interface.
    The ASA ignores the inside host's source port, and maps the PAT using its own random port above 1024.
    I would like to override this default behavior and instruct the ASA to use the same port for PAT that was the inside host's initiated source port.
    TIA for any help,
    Travis

    The document present in the url below will be of great help to you in defining the port number manually:
    http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htpt4pat.html#wp1049437

  • Can someone help me with tacacs+ configuration on 881AP?

    I have tacacs+ configuration working for authentication against CLI and web GUI. Everything is working as one would expect with one exception: from the GUI, if I click on any of the links that takes you to the security pages I get prompted for authentication again. I enter my credentials and nothing happens; eventually I get an access denied. On the ACS server, the AP is in a device group that my account has priv 15 access to. Also on ACS, there are no failed attempts being logged for the activity. Has anyone seen this before and if so I am willing to try anything. I even upgraded to the latest IOS image for this device with the same results.
    Help!!
    Thanks,
    Mark Case | CCNA, CCNAW

    Here are the relevant lines of code; on the http part of the configuration you see, if I change the ip http authentication to local it works fine authenticating against a local account and I can access all portions of the GUI fine. The group csacseT is defined in the configuration, as well as ACL 99. However, when I specify csacseT for ip http aaa login-authentication, I get the following message: "Warning: Authentication list "csacseT" is not defined for LOGIN"
    aaa group server tacacs+ csacseT
     server x.x.x.x
     server x.x.x.x
    aaa authentication login default group csacseT local-case
    aaa authentication login console local-case
    aaa authentication enable default group csacseT enable
    aaa authorization config-commands
    aaa authorization exec default group csacseT local
    aaa authorization reverse-access default group csacseT
    aaa accounting exec default start-stop group csacseT
    aaa accounting commands 15 default start-stop group csacseT
    aaa accounting connection default start-stop group csacseT
    aaa accounting system default start-stop group csacseT
    aaa session-id common
    no ip http server
    ip http access-class 99
    ip http authentication aaa login-authentication csacseT
    ip http secure-server
    I have opened a TAC case; the engineer is as puzzled as I am and is researching. As mentioned, the CLI authentication mechanism is working as expected.

  • Ciscoworks LMS RME / ASA Firewall configuration pre-shared key savings

    Does anybody know the concept about saving pre-shared keys by Ciscoworks LMS /RME?
    Is there a way to get the unencrypted values from Ciscoworks LMS /RME for an ASA Firewall ?
    ASA config. saved with RME
    pre-shared-key *
    ASA config. saved to TFTP from ASA
    pre-shared-key 1ZdmaKVwEkQ66nD37d9kA9fj9z75

    If you enable "shadow directory" (RME - Admin - Config Mgmt - Archive Mgmt - Archive Settings), you can find the raw configs in locations such as /var/adm/CSCOpx/files/rme/dcma/shadow/Security_and_VPN/PRIMARY on Solaris, or its Windows equivalent, after one requisite cycle of Periodic Polling and/or Periodic Collection. That's the same config one would get saving to TFTP manually.
    However, I don't recall how to unscramble the "asterisks" in the RME GUI, if at all possible.

  • CiscoWorks LMS 4.0.1 and ASA 5540

    I've added an ASA-5540 to the group of systems I backup each night. When the admin logs into the ASA in the morning, he sees the "save configuration" flag has been set. This started the same day CiscoWorks saved the configuration. What is CiscoWorks doing to set this flag, and how do I stop it? It should only be reading the configuration. Thanks.

    Ideally LMS should not save the configuration when it is only taking a backup of the configuration. This can be easily tested: try to run an instant job for Configuration Archive under Configuration > Sync Archive and see on the ASA if it shows the "save configuration" flag set.
    It should be something else on either LMS or somewhere outside. In LMS it could be something like a NetConfig job which may save the configuration, or other options like deploy configuration, which is very unlikely.
    Before we stop it, we need to test and confirm it is actually LMS. You can also try to suspend the device once from LMS to see if the next day you still see a similar flag set.
    Once we confirm it is LMS, we can test which action of LMS is doing it and how to prevent.
    -Thanks
    Vinod
    ** Encourage Contributors. RATE them**

  • ASA VPN configuration question

    I am trying to configure a VPN tunnel to a remote 3rd party site from an ASA. I have set up a new tunnel group
    But it seems to be trying to use the DefaultRAGroup and then the DefaultL2LGroup one. What do I need to do to ensure it uses the new one I have set up?

    The name of the tunnel-group has to be the ip address of the remote gateway. With that, the ASA can match the IPsec packets to the correct tunnel-group.

  • Cisco ASA 5505 configuration

    Hi,
    I have configured a Cisco ASA 5505 but I can't get access to the internet using my laptop connected to the ASA. I did not use the console but the graphical interface for the configuration. I changed the inside address of the ASA and it is 192.168.2.1. From the inside I can't ping the devices on the outside and from the outside I can't ping the laptop connected to the ASA.
    Here is my configuration:
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.2(5)
    hostname xxxxxxxxxxxxxxxxx
    domain-name xxxxxxxxxxxxxxxxxxx
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxxxxxx encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.1.48 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name processia.com
    access-list outside_access_in extended permit ip any any
    access-list icmp_out_in extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ipv6 access-list outside_access_ipv6_in permit ip any any
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group icmp_out_in in interface outside
    access-group outside_access_ipv6_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.2.2-192.168.2.129 inside
    dhcpd dns 80.10.246.2 80.10.246.129 interface inside
    dhcpd ping_timeout 5000 interface inside
    dhcpd domain xxxxxxxxxxxxxxxxx interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    policy-map global_policy
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7e6f35db321b722ca60009b0c0dc706e
    : end
    Thank you for your help

    Hi Sylla,
    The static route you have configured for Internet access needs to be corrected:
    route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
    The next hop address should be your ISP's gateway IP address and not the ASA's outside interface IP. Currently, both are configured for 192.168.1.48.
    -Mike

  • Cisco ASA 5505 Configurations. Help... Beyond Frustrated

    Hello All,
    I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
    I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
    hostname AMDASA
    domain-name asa.(mydomain).com
    enable password (encrypted)
    passwd (encrypted)
    interface Ethernet0/0
    description TWCoutside
    switchport access vlan 2
    no shutdown
    write mem
    exit
    interface Ethernet0/1
    description Port1inside
    switchport access vlan 1
    no shutdown
    write mem
    exit
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.250 255.255.255.0
    write mem
    exit
    interface Vlan2
    nameif outside
    security-level 0
    ip address 24.39.245.36 255.255.255.240
    write mem
    exit
    object-group icmp-type DefaultICMP
    description Default ICMP Types permitted
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    write mem
    exit
    ftp mode passive
    write mem
    clock timezone EST -5
    clock summer-time EDT recurring
    write mem
    exit
    dns server-group DefaultDNS
    domain-name asa.adcmotors.com
    write mem
    exit
    access-list acl_outside extended permit icmp any any object-group DefaultICMP
    access-group acl_outside in interface outside
    access-list acl_inside extended permit icmp any any object-group DefaultICMP
    access-group acl_inside in interface inside
    write mem
    exit
    write mem
    That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!

    Hi our desperate friend.
    First I would suggest using the Cisco VPN Client instead of SSL VPN (AnyConnect). The configuration is a bit simpler, and for the SSL VPN you would need to install the client on the ASA and purchase an additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you don't have it or don't have access to download it from cisco.com, go to the person from whom you purchased your ASA and ask him how to get it.
    That said, I also think that your ASA lacks some basic configuration as of now. If you are planning to use this as a replacement for your current PIX, you would need to configure a default route and some basic NAT:
    route outside 0.0.0.0 0.0.0.0 24.39.245.33
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0  255.255.255.0
    Now regarding the VPN Client configuration you would need something like this:
    Create an isakmp policy:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    Create a couple of ACLs that we will use later:
    access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list split_tun standard permit 192.168.0.0 255.255.255.0
    Create a Pool for the VPN Clients to use:
    ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    Create a Group Policy:
    group-policy TEST internal
    group-policy TEST attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tun
    Create a group:
    tunnel-group TEST type ipsec-ra
    tunnel-group TEST general-attributes
    address-pool TestPool
    authentication-server-group ABTVPN
    default-group-policy TEST
    tunnel-group TEST ipsec-attributes
    pre-shared-key cisco123
    Create crypto map and do a NAT 0:
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface outside
    nat (inside) 0 access-l nonat
    Finally create a user that you will use to connect:
    username test password test123
    Then you would need to configure your VPN Client to connect with the ASA.
    Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
    I hope this helps. Feel free to ask if you have any questions. Also it would be very useful if you could upload the current config (show run) of the ASA in case you need to ask something else.
    Have fun.
    Raga

  • ASA 5510 Configuration. how to configure 2 outside interface.

    Hi
    I have a Cisco 5510 ASA and from a workstation I want to create a new route to another router (outside) facing my ISP.
    From the workstation I can ping the ASA E0/2 interface but I can't ping ISP B router's inside and outside interfaces.
    I based all my configuration on the existing config, which until now is working.
    interface Ethernet0/0
     description outside interface
     nameif outside
     security-level 0
     ip address 122.55.71.138 255.255.255.2
    interface Ethernet0/1
     description inside interface
     nameif inside
     security-level 100
     ip address 10.34.63.252 255.255.240.0
    interface Ethernet0/2
     description outside interface
     nameif outsides
     security-level 0
     ip address 121.97.64.178 255.255.255.240
    global (outside) 1 interface
    global (outsides) 2 interface ( I created this for E0/2)
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.34.48.11 255.255.255.255 (Working: To E0/0 to Router ISP A inside and outside interface)
    nat (inside) 2 10.34.48.32 255.255.255.255 (Working: To E0/2 to Router ISP A inside interface only but outside cant ping).
    route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (Working)
    route outside 10.34.48.32 255.255.255.255 121.97.64.179  1 (Test For New Route)
    ISP Router A working Can ping and I can access the internet
    interface FastEthernet0/0
     description Connection to ASA5510 
     ip address 122.55.71.139 255.255.255.248
     no ip redirects
     no ip proxy-arp
     ip nat inside
     duplex auto
     speed auto
    interface S0/0
     ip address 111.54.29.122 255.255.255.252
     no ip redirects
     no ip proxy-arp
     ip nat outside
    ip nat inside source static 122.55.71.139 111.54.29.122
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0
    ISP 2
    interface FastEthernet0/0 ( ASA Can ping this interface)
     description Connection to ASA5510 
     ip address 121.97.64.179 255.255.255.248
     no ip redirects
     no ip proxy-arp
     ip nat inside
     duplex auto
     speed auto
    interface E0/0 ( ASA Can't ping this interface)
     ip address 121.97.69.122 255.255.255.252
     no ip redirects
     no ip proxy-arp
     ip nat outside
    ip nat inside source static 121.97.64.179 121.97.69.122 
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 E0/0
    CABLES
    ASA to ISP Router B ( Straight through Cable)
    ISP Router to IDU ( Straight through Cable)
    Hope you could give some tips and solution for this kind of problem thanks

    Hi,
    You can only use a single Default route on the ASA device.
    Now , as per your requirement ,
    route outside 10.34.48.32 255.255.255.255 121.97.64.179  1 (Test For New Route)
    (Why do you have this route on the ASA device ?) I see this in the Inside interface Subnet.
    Route lookup would be Destination based.
    Are you looking to route specific traffic out through the "outsides" interface?
    If yes , this configuration would not work unless you use some workaround configuration on the ASA device.
    Refer:-
    https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa
    https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options
    Thanks and Regards,
    Vibhor Amrodia

  • Cisco works LMS 3.0.1 does not archive configuration for cisco 7201 router

    Hi All,
    We have Cisco works LMS 3.0.1 and it does not archive configuration for the cisco 7201 router.
    Any help would be appreciated.
    Thanks in advance
    Samir

    Hi,
    *** Device Details for d0151-100 ***
    Protocol ==> Unknown / Not Applicable
    Selected Protocols with order ==> TFTP,SSH,HTTPS
    Execution Result:
    Unable to get results of job execution for device. Retry the job after increasing the job result wait time using the option:Resource Manager Essentials -> Admin -> Config Mgmt -> Archive Mgmt ->Fetch Settings
    This is the error while doing sync archive.
    I am not sure about Rtr7000 version but we have latest Rtr7000.
    Waiting for your kind reply.
    Samir

  • LMS 4.2.3 and ASA SNMP v3 not working

    I have ASA running version 8.2.5 and using snmp v3 as below;
    snmp-server group Authentication&Encryption v3 priv
    snmp-server user SNMP_TEST Authentication&Encryption v3 encrypted auth md5 cisco123 priv aes 128 password123
    snmp-server host IN 10.10.10.110 version 3 SNMP_TEST
    LMS device credential is as per above SNMPv3 config
    Can't get this to work. Digging around but to no avail. Any help is appreciated. I also tried this on ASA 9.1 but same result.
    This is my LAB environment.
    Thanks. TS-Support

    Thank you for your reply.
    I can manually poll using SNMP v3 with the credentials (user, auth and priv).
    I have other devices switches and routers also using SNMPv3 and was able to see the device using chassisview.
    Since this is a LAB environment for now, I manually added each of these devices. See below; (ASA-VPN) is the device in question. Already tried increasing snmp timeout to 30 secs still no luck.
    As you said, I tried to export using CSV and was successful;
    10.10.1.50,10.10.1.50,,,10.10.1.50,1.3.6.1.4.1.9.1.950,0,281231715,CheckThisForSnmpset,,,,SNMP_TEST,cisco123,MD5,password123,AES128,80:0:0:9:3:0:c:85:25:1d:e2:1,,,,,,,,,,,,,,,,
    10.10.10.254,10.10.10.254,,,10.10.10.254,1.3.6.1.4.1.9.1.576,0,279120799,,,,,SNMP_TEST,cisco123,MD5,password123,AES128,80:0:0:9:3:0:10:8c:cf:e6:f4:f8,,,,,,,,,,,,,,,,
    10.10.100.88,vWLC,,,vWLC,1.3.6.1.4.1.9.1.1631,0,UNKNOWN,,,cisco321,cisco123,,,,,,,,,cisco,!NeverSl33p#,!NeverSl33p#,,,,,,,,,,,
    10.10.10.15,ASA-VPN,,,ASA-VPN,1.3.6.1.4.1.9.1.669,0,999990413,,,cisco123,cisco123,SNMP_TEST,cisco123,MD5,password123,AES128,,,,cisco,cisco,cisco,,,,,,,,,,,
    ;End of CSV file
    Thanks.

  • LMS 4.2 Compliance check extended access-list

    Hi,
    I would like to check if our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
    I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
    I have made a new compliance check like this:
    'submode': ip access-list extended 'acl-name'
    +deny tcp any any eq smtp
    But that is not working. Can someone show me the 'right path'?
    Thanks
    Soren

    Doesn't have any issues on my lab 4.2.4. Following is the job work order:
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NA
    Job Policies
    ----------------------------------------------------------------------------------------------
    E-mail Notification: Not Applicable
    Job Based Password: Disabled
    Device Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share it; I will try it on my LMS server. Also, check the same compliance job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating encourages contributors, and it's really free.**
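The question above asks for a check that does not depend on the ACL line number, which differs from router to router. As an added example (not LMS baseline syntax and not code from this thread), the script below does that check outside LMS over archived running configs: it parses the named access-list sub-modes, strips the sequence number from each entry, and tests whether the wanted entry is present on each router. The two router configs, their hostnames and addresses, and the function names are constructed for illustration; the parser assumes IOS's one-space indentation of sub-mode lines in the archived copy.

```python
"""Check whether a named IOS access-list contains a given entry, ignoring
the sequence number in front of it.

Added example: a stand-alone script run over archived running configs,
not an LMS compliance template.
"""
import re

# Constructed sample configs (not from the thread): the wanted entry sits at
# different sequence numbers on router A and is missing on router B.
ROUTER_A = """\
hostname rtr-a
ip access-list extended MAIL-FILTER
 10 permit tcp any host 10.1.1.25 eq smtp
 20 deny tcp any any eq smtp
 30 permit ip any any
ip access-list extended OTHER
 10 permit ip any any
"""

ROUTER_B = """\
hostname rtr-b
ip access-list extended MAIL-FILTER
 remark outbound mail policy
 5 permit tcp any host 10.2.2.25 eq smtp
 15 permit ip any any
"""

ACL_HEADER = re.compile(r"^ip access-list (standard|extended) (\S+)\s*$")
SEQ_PREFIX = re.compile(r"^\d+\s+")


def normalize(entry):
    """Drop a leading sequence number and collapse runs of whitespace."""
    return " ".join(SEQ_PREFIX.sub("", entry.strip()).split())


def parse_named_acls(config):
    """Return {acl_name: [normalized entries in order]}; remarks are skipped."""
    acls = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            line = raw.strip()
            if line and not line.startswith("remark"):
                acls[current].append(normalize(line))
            continue
        current = None  # any top-level line ends the previous ACL block
        m = ACL_HEADER.match(raw)
        if m:
            current = m.group(2)
            acls.setdefault(current, [])
    return acls


def acl_has_entry(config, acl_name, entry):
    """True if the ACL exists and contains the entry, sequence numbers aside."""
    return normalize(entry) in parse_named_acls(config).get(acl_name, [])


def audit(configs, acl_name, entry):
    """Return {hostname: bool} across a set of archived configs."""
    results = {}
    for cfg in configs:
        m = re.search(r"^hostname (\S+)", cfg, re.M)
        results[m.group(1) if m else "?"] = acl_has_entry(cfg, acl_name, entry)
    return results


if __name__ == "__main__":
    for host, ok in audit([ROUTER_A, ROUTER_B], "MAIL-FILTER",
                          "deny tcp any any eq smtp").items():
        print(f"{host}: {'compliant' if ok else 'MISSING entry'}")
```

Because both the wanted entry and each configured line pass through `normalize`, the check works whether the operator types the entry with or without a sequence number, and a missing ACL simply reports as non-compliant rather than raising.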
