NAC CCA - Designated Period

Hello,
I'm running a NAC solution (L2 OOB VG). I'm fine-tuning the CCA section configuration on the CAM. I've selected 'audit' for my enforce type in the Requirements section, because I want to see all the reports whether my users are certified or not. Is it possible to configure the CAM to give my users a designated period (let's say 2 weeks) to get everything updated to get their PCs certified, and if not, they would be locked out from getting access to the internal network?
-K

I think these Release Notes for Cisco NAC Appliance (Cisco Clean Access) will clear your doubts about NAC/CCA issues.
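The policy the question asks for, written out as an added example (not from the thread and not a CAM feature description): the same host list is evaluated once in audit mode, where every host is allowed and only reported, and once in enforce mode, where a non-certified host keeps access until a designated period after it was first seen and is quarantined afterwards. Hosts, dates and the two-week period are constructed; `first_seen` is a hypothetical field standing in for whatever timestamp a real deployment records.

```python
"""Audit vs. enforce posture decisions with a designated grace period.

Added example, not from the forum thread or from Cisco NAC. It models the
policy the question describes so the two enforcement modes can be compared
on the same constructed data.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

GRACE = timedelta(weeks=2)   # the "designated period" from the question (constructed)


@dataclass(frozen=True)
class Host:
    name: str
    first_seen: date      # hypothetical: first day the host was seen by the manager
    certified: bool       # True when every requirement passed


def deadline(host: Host) -> date:
    """Last day on which an uncertified host is still allowed in enforce mode."""
    return host.first_seen + GRACE


def decide(host: Host, today: date, mode: str) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'quarantine'."""
    if host.certified:
        return "allow", "certified"
    if mode == "audit":
        # audit: never block, only record that the host is not certified
        return "allow", "not certified (audit only)"
    if mode == "enforce":
        if today <= deadline(host):
            days_left = (deadline(host) - today).days
            return "allow", f"not certified, {days_left} day(s) of grace left"
        return "quarantine", f"grace expired on {deadline(host).isoformat()}"
    raise ValueError(f"unknown mode {mode!r}")


def report(hosts, today: date, mode: str) -> list[tuple[str, str, str]]:
    """The report rows an admin would review: (host, decision, reason)."""
    return [(h.name, *decide(h, today, mode)) for h in hosts]


if __name__ == "__main__":
    # constructed sample: one certified host, one past its deadline, one within it
    sample = [
        Host("pc-a", date(2009, 1, 1), True),
        Host("pc-b", date(2009, 1, 1), False),
        Host("pc-c", date(2009, 1, 10), False),
    ]
    for mode in ("audit", "enforce"):
        for row in report(sample, date(2009, 1, 16), mode):
            print(mode, *row)
```

Running the block prints both reports: in audit mode all three rows are `allow`, while in enforce mode `pc-b` is quarantined because its two weeks ran out on 2009-01-15 and `pc-c` still has eight days left.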

Similar Messages

  • NAC/Wireless Design

    Hi!
    Looking for some input on some design options for NAC with a wireless deployment since OOB and IB are now both options.
    In a campus environment of up to 300 wireless users, in-band seems good so that we can have one SSID, but restrict a user login to a role and apply restrictions on the appliance, but I'm concerned about the common issue of the appliance becoming a bottleneck.
    My other thought too would be have multiple SSIDs (VLANs) and have multiple appliances handle certain VLANs, but this is pricey.
    In wireless OOB, it appears you can only have one "access" VLAN to map users to (I guess b/c that is all the WLC supports?), so that does not work for us as we need to have employees and guests (among others) separated.
    Please correct me on any misunderstandings.
    All insight appreciated. Thanks for the input!

    Your understanding is correct.
    For 300 wireless users, you may want to go inband and do enforcement at the NAC server level.
    For OOB, you need to make different SSIDs for different roles,
    e.g. Guest, Employees and Contractor
    You can look at the configuration example too for OOB Wireless NAC 4.5 here:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

  • NAC Appliance design question

    I have a customer with a central site and two branch offices. Routing is configured on the WAN to connect all three locations. All servers and internet access are on the central site.
    The customer wants to install NAC appliance. Do I need a NAC appliance at each location? Or do I just install it at the central location and use that NAC appliance for access control to the two remote sites as well?
    Also how does NAC appliance apply access control to users coming into the network via Citrix or Cisco VPN Clients?
    Thanks

    NAC Appliance (CAM & CAS = Clean Access Manager/Server) can be used in a Layer 3 Out Of Band design. This will provide you with centralized control.
    It works by placing all unauthenticated switch ports into an unauthenticated VLAN. When a switch port goes up/up, the NAC CAS follows a set of rules you have established on the CAM to make decisions about the computer and user. It then will place that switch port into a VLAN 'dynamically' as dictated by the rules. Your switches must support these features (IOS level) and only Cisco products work with the CAM/CAS (well, some others might, but it's a short list). When the port goes down/down the CAS senses this and returns the port to the unauthenticated VLAN.
    For instance, if a user is a vendor, only requiring Internet access, you will have a VLAN for this purpose on all your switches and routed/trunked to your Internet Point of Presence. The CAS will see the switch port he/she jacks into come up/up. It will query the user and the computer and based upon the rules in the CAM, dynamically assign the wire port to the VLAN from the go-no-where unauthenticated VLAN.
    If it were a company user, you could set it to check Anti-virus, levels of service packs, etc. before they were allowed on the network. It could also be set up to allow the person access to only the 'Finance' VLAN (for example) based upon their role in the company. It can do this remotely.
    If you were to remediate VPN users, you could not do this in a dynamic, Out of Band fashion. You would need a second CAS (but not CAM) to operate In Band. This would then allow users in one interface, traverse the CAS, and out another interface on the appropriate VLAN. This is because it's impossible to apply multiple rules to a single port shared by multiple users. You would need a means to make decisions on what VLAN the user accesses at the concentrator and move them off dynamically at the virtual interface. It's not supported.
    Remember, NAC is performed at the switch port level. Citrix users would be regarded as local users. You could perform certain rule checking to allow them only onto your Citrix VLAN.
    There is a Cisco Chalk Talk series on the NAC, use the URL below. It will teach you as much as you can absorb on the NAC appliances, how to use them and recommend their purchase to your clients.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html
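The Layer 2 OOB control loop the reply above describes, as an added simulation that is not Cisco code and not part of the thread: a port comes up in the go-nowhere unauthenticated VLAN, the user and computer are checked against role rules, the port is moved to the role's access VLAN, and a link-down returns it to the unauthenticated VLAN. The role names, VLAN numbers, posture checks and the `set_vlan` stand-in for the SNMP write to the switch are all assumptions made for the example.

```python
"""Simulated Layer 2 Out-of-Band port handling.

Added example; it does not talk SNMP to a switch and is not Cisco's logic.
It models the control loop from the reply: auth VLAN on link-up, role-based
access VLAN after the checks pass, auth VLAN again on link-down.
"""
from __future__ import annotations
from dataclasses import dataclass, field

AUTH_VLAN = 999                                            # constructed "go-nowhere" VLAN
ROLE_VLAN = {"vendor": 300, "employee": 10, "finance": 20}  # constructed role -> access VLAN


@dataclass
class Host:
    mac: str
    role: str | None          # None = unknown user or failed login
    av_ok: bool = True        # anti-virus check result
    sp_ok: bool = True        # service-pack level check result


@dataclass
class Switch:
    """Stands in for the access switch; `log` records every VLAN change."""
    ports: dict[str, int] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def set_vlan(self, port: str, vlan: int) -> None:
        # in a real deployment this is the SNMP write the CAS sends
        self.ports[port] = vlan
        self.log.append(f"{port} -> vlan {vlan}")


def posture_ok(host: Host) -> bool:
    """Company users are checked for AV and service packs; vendors are not."""
    if host.role == "vendor":
        return True
    return host.av_ok and host.sp_ok


def on_linkup(sw: Switch, port: str, host: Host | None) -> int:
    """Handle a port going up/up; return the VLAN the port ends up in."""
    sw.set_vlan(port, AUTH_VLAN)               # every port starts unauthenticated
    if host is None or host.role not in ROLE_VLAN or not posture_ok(host):
        return AUTH_VLAN                       # stays in the go-nowhere VLAN
    sw.set_vlan(port, ROLE_VLAN[host.role])    # dynamic assignment by role
    return sw.ports[port]


def on_linkdown(sw: Switch, port: str) -> int:
    """Handle a port going down/down; it always returns to the auth VLAN."""
    sw.set_vlan(port, AUTH_VLAN)
    return AUTH_VLAN


if __name__ == "__main__":
    sw = Switch()
    on_linkup(sw, "Gi0/1", Host("00:11:22:33:44:01", "finance"))
    on_linkup(sw, "Gi0/2", Host("00:11:22:33:44:02", "employee", av_ok=False))
    on_linkup(sw, "Gi0/3", Host("00:11:22:33:44:03", "vendor", av_ok=False))
    on_linkdown(sw, "Gi0/1")
    print("\n".join(sw.log))
```

The vendor with failed AV still lands in the Internet-only VLAN because the constructed rule set does not check vendors, while the employee with failed AV never leaves the unauthenticated VLAN; the `log` list is what you would compare against the switch's own SNMP/syslog record when troubleshooting a port that does not move.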

  • Cisco Wireless NAC Appliance - Design Practices ??

    Hi,
    I have a new Cisco Wireless NAC appliance, the purpose of which is to manage the guest users' access to the network. I have been searching for some best practices related to the design of this appliance but haven't found one.
    Can anybody help me by sharing his design experience or any document which would guide in deciding over the design / placement of this NAC device in the network?
    Thank You.

    Hi,
    there is nothing such as "Wireless Nac appliance".
    The question is "do you have the NAC Guest Server" or the "Nac appliance Server and Nac appliance Manager (CAS/CAM)" ?
    Because those are just not the same at all.
    Then on the wireless side, do you have autonomous APs or a WLC ?
    Sorry to ask, but there are just so many possibilities you could be asking about that we need to clarify.
    My bet is that you are either looking for this :
    http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    or for this :
    http://www.cisco.com/en/US/partner/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html#wp1092277
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • NAC CCA Problem

    I have a CAM/CAS deployment in L2 OOB - vlan 545 trunked to the untrusted and vlan 245 trunked to the trusted side. The switch/device/port profiles are set up via SNMPv3. The switchport is not being bounced since the IP address is not being changed from the auth vlan to the access vlan. I hook a PC up and I get the CCA login page when I try to access a website on the trusted network. I put in some valid credentials and I see the SNMP information being sent to the switch. However, the switchport never changes to the access vlan and the CCA login page re-displays itself. What could I be missing here?

    Hello,
    Logically I would say that SNMP is not configured correctly.
    Could you try to change to version 1 and see if that works? Then you are sure that the NAC appliance is configured correctly.
    Can you tell us what kind of switch you are using as access switch?
    If your switch is L3 (on network level, not on NAC level) then C6500 and C4500, no problem. C3750/C3560 must be running 12.2(25)SEE or higher. C3550 is not supported to be in L3.
    For more detail, see following matrix: http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/switch.htm#wp60598
    hope this helps.

  • Switch support for NAC CCA for 6500 series switch

    Per the 4.0 document "switch support for Cisco NAC" there is a note that says
    Catalyst 6000/6500 on IOS do not support mac-notification
    Does this mean you cannot deploy layer 2 OOB mode, as snmp notification to the CAM will not happen with the 6k platform?

    Probably the configuration guide will give you a better idea about your problem.
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_book09186a00803f5611.html

  • NAC CCA 4.1.3.1 gives winsock error

    Hi Friends,
    I have a NAC solution implemented in my network. Clients are able to get authenticated through the NAC web agent. But with the Clean Access Agent it's not working.
    The Clean Access Agent doesn't pop up for the username and password; when I click on login it gives the error message "WinSock Error: invalid state of operation".
    any help is appreciated.
    Thanks
    Ravi

    From NAC 4.x, VPN SSO is supported for the following devices :
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/40/4rn.html#wp38043

  • NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

    Hello,
    I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
    Core Switch:
    VLAN DB:
    vlan 10
    name VLAN_DEPT1
    vlan 11
    name VLAN_DEPT2
    vlan 20
    name VLAN_DEPT3
    vlan 26
    name VLAN_DEPT4
    vlan 27
    name VLAN_DEPT5
    vlan 28
    name VLAN_DEPT6
    vlan 29
    name VLAN_DEPT7
    vlan 30
    name VLAN_DEPT8
    vlan 32
    name VLAN_DEPT9
    vlan 50
    name VLAN_NetMGT
    vlan 51
    name VLAN_CAS_MGT
    vlan 52
    name VLAN_CAM_MGT
    vlan 210
    name VLAN_DEPT1_Auth
    vlan 211
    name VLAN_DEPT2_Auth
    vlan 220
    name VLAN_DEPT3_Auth
    vlan 226
    name VLAN_DEPT4_Auth
    vlan 227
    name VLAN_DEPT5_Auth
    vlan 228
    name VLAN_DEPT6_Auth
    vlan 229
    name VLAN_DEPT7_Auth
    vlan 230
    name VLAN_DEPT8_Auth
    vlan 232
    name VLAN_DEPT9_Auth
    Interface Configs
    interface GigabitEthernet3/41
    description "Link to Cisco CAM-PRI eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/42
    description "Link to Cisco CAM-FO eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/43
    description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/44
    description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/46
    description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet3/48
    description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet1/1
    description "Trunk link to DEPT1 Access SW"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    !------- Example of VLAN Interface --------
    interface Vlan10
    description "DEPT1 VLAN"
    ip address x.x.10.1 255.255.255.0
    ip helper-address x.x.50.5
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    !------- No VLAN Interface for AUTH VLAN 210 --------
    Access Switch Configuration
    interface GigabitEthernet0/1
    description "Trunk Link to Core Switch"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    no ip address
    interface GigabitEthernet0/6
    switchport access vlan 30
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    =========================================
    Is the above config correct?
    Thanks

    Hi,
    By bogus I assume you mean something like:
    interface Vlan700
    description "BIT BUCKET for unused ports"
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    shutdown
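A consistency check over the VLAN plan in the posted configs, added here as an example and not the poster's or Cisco's tooling. It parses a constructed copy of a few of the IOS snippets above and checks the convention the config implies: each department access VLAN N has an auth VLAN N+200, the untrusted trunk (CAS eth1) carries only auth VLANs, and the trusted trunk (CAS eth0) carries only access and management VLANs. The +200 offset, the `_Auth` name suffix and the management VLAN set are inferences from the posted names, not NAC requirements; the `UN-Trusted`/`Trusted` words in the interface descriptions are used to tell the two trunks apart.

```python
"""Check that auth/access VLAN pairs and CAS trunks agree.

Added example: parses a small constructed copy of the posted IOS config and
reports mismatches. Conventions (+200 offset, "_Auth" suffix, management
VLANs 50-52, trunk role taken from the description) are assumptions.
"""
import re

AUTH_OFFSET = 200
MGMT_VLANS = {50, 51, 52}

SAMPLE = """\
vlan 10
name VLAN_DEPT1
vlan 11
name VLAN_DEPT2
vlan 20
name VLAN_DEPT3
vlan 50
name VLAN_NetMGT
vlan 51
name VLAN_CAS_MGT
vlan 210
name VLAN_DEPT1_Auth
vlan 211
name VLAN_DEPT2_Auth
vlan 220
name VLAN_DEPT3_Auth
interface GigabitEthernet3/43
description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
switchport trunk allowed vlan 210,211,220
interface GigabitEthernet3/46
description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
switchport trunk allowed vlan 10,11,20,50-51
"""


def expand_vlan_list(spec: str) -> set[int]:
    """'10,11,26-30' -> {10, 11, 26, 27, 28, 29, 30} (IOS allowed-vlan syntax)."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse(text: str):
    """Return ({vlan: name}, {interface: {'desc': str, 'allowed': set}})."""
    vlans, trunks = {}, {}
    cur_vlan = cur_if = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"vlan (\d+)$", line):
            cur_vlan, cur_if = int(m.group(1)), None
        elif line.startswith("name ") and cur_vlan is not None:
            vlans[cur_vlan] = line.split()[1]
        elif m := re.match(r"interface (\S+)", line):
            cur_if, cur_vlan = m.group(1), None
            trunks[cur_if] = {"desc": "", "allowed": set()}
        elif cur_if and line.startswith("description "):
            trunks[cur_if]["desc"] = line[len("description "):].strip('"')
        elif cur_if and (m := re.match(r"switchport trunk allowed vlan (\S+)", line)):
            trunks[cur_if]["allowed"] = expand_vlan_list(m.group(1))
    return vlans, trunks


def check(vlans: dict, trunks: dict) -> list[str]:
    """List every deviation from the assumed plan; empty list means consistent."""
    problems = []
    auth = {v for v, n in vlans.items() if n.endswith("_Auth")}
    access = {v for v in vlans if v not in auth and v not in MGMT_VLANS}
    for v in sorted(access):
        if v + AUTH_OFFSET not in auth:
            problems.append(f"access vlan {v} has no auth vlan {v + AUTH_OFFSET}")
    for a in sorted(auth):
        if a - AUTH_OFFSET not in access:
            problems.append(f"auth vlan {a} has no access vlan {a - AUTH_OFFSET}")
    for name, t in trunks.items():
        allowed = t["allowed"]
        if "UN-Trusted" in t["desc"]:           # must be tested before "Trusted"
            extra, missing = allowed - auth, auth - allowed
        elif "Trusted" in t["desc"]:
            extra, missing = allowed - access - MGMT_VLANS, access - allowed
        else:
            continue                             # not a CAS trunk
        if extra:
            problems.append(f"{name}: unexpected vlans {sorted(extra)}")
        if missing:
            problems.append(f"{name}: missing vlans {sorted(missing)}")
    return problems


if __name__ == "__main__":
    print(check(*parse(SAMPLE)) or "consistent")
```

The useful failure mode is an access VLAN added to the VLAN database without its auth twin or without being added to the trusted trunk: both show up as separate findings, which is exactly the kind of mismatch that leaves a port stuck in the auth VLAN after a successful login.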

  • Can the phone site be disabled and have phones display the desktop site while designing phone site?

    Currently, I have a live desktop design website which is being updated regularly. I tried to begin a phone site design, but was interrupted with a change to the desktop site (I'm adding new sponsors to an event on a regular basis). When I uploaded to the FTP, the phone site was also pushed through, making an unfinished page pop up on the browser of my phone. My phone site is going to be quite large in regards to page number and it's not practical to disable and enable each individual page.
    Can I have the phone site entirely disabled and have phones display the desktop site while in the process of designing the phone app? I will still need to update the desktop site during this design period.
    Thanks!

    A similar thread here that should answer your query - http://forums.adobe.com/message/5551805.
    Thanks,
    Vinayak

  • NAC Agent warning

    How to avoid the certificate warning message in the NAC CCA Agent? Every time a user logs in, before authentication a certificate warning message appears. Please advise how to bypass it.

    Another way to do this is to create your own CA and sign certificates for the NAC boxes with it. You can then deploy the root cert as a trusted source via AD.

  • NAC check windows firewall

    Hi,
    Is there a NAC CCA check to see whether the windows firewall is enabled or not?
    Thanks,
    Wei

    Hi,
    Thanks for the reply. I am looking at the ICF firewall. Do you know what's the pre-configured check/rule name for it.
    Anyway, after googling on the internet, I found the ICF firewall was controlled by the following registry setting. I manually created a check/rule. It seems to be working. Now I will further find out what the registry setting related to the Vista Windows firewall is.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\]
    "EnableFirewall"=dword:1
    Regards,
    Wei
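A worked version of the registry-based check the reply above describes, added here as an example and not a CCA check definition. It parses constructed `.reg`-style text in the same format as the quoted key and applies the rule "EnableFirewall must be 1 under the FirewallPolicy key". The per-profile subkeys it also handles (DomainProfile, StandardProfile, PublicProfile) are an assumption about the key layout that the reply does not state; the bare key exactly as quoted is accepted as well.

```python
"""Evaluate a Windows-firewall posture rule from .reg-style registry data.

Added example, not a Clean Access check. The profile subkey names are an
assumption about the FirewallPolicy layout; the bare key as quoted in the
reply is also accepted.
"""
import re

POLICY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# constructed sample export: domain profile on, standard profile off
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""

_VALUE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]+)|"(.*)")')


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: int | str}} for a .reg export."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key and line.startswith('"'):
            m = _VALUE.match(line)
            if m:
                name, dword, string = m.groups()
                tree[key][name] = int(dword, 16) if dword is not None else string
    return tree


def firewall_status(tree: dict) -> dict:
    """Map each profile ('' for the bare FirewallPolicy key) to True/False/None."""
    status = {}
    for key, values in tree.items():
        if key.lower().startswith(POLICY.lower()):
            profile = key[len(POLICY):].lstrip("\\")     # '' when the key is the bare one
            v = values.get("EnableFirewall")
            status[profile] = None if v is None else v == 1
    return status


def posture_pass(tree: dict, required=("DomainProfile", "StandardProfile")) -> bool:
    """True only if every required profile (or the bare key) has EnableFirewall=1."""
    status = firewall_status(tree)
    if "" in status:                      # bare key, as quoted in the reply
        return status[""] is True
    return all(status.get(p) is True for p in required)


if __name__ == "__main__":
    tree = parse_reg(SAMPLE_REG)
    print(firewall_status(tree), "->", "pass" if posture_pass(tree) else "fail")
```

The sample fails because the standard profile is off even though the domain profile is on; a check that only reads one profile, or that treats a missing value as enabled, would pass such a host, which is why `None` (value absent) is kept distinct from `False` and never counts as a pass.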

  • MacBook pro 13 mid '09 not going to sleep after the selected period

    Hi, I am kinda new to this so I don't know if I am doing this right. Well, this is the problem: when I leave the MBP on its own for a while it doesn't go to sleep after the designated period of time. The laptop goes to sleep when the lid is closed and I have tried the usuals such as resetting the PRAM, restarting, restoring the default sleep times etc. I know this is not a major problem and I'm probably wasting your time and I'm sorry, but it's just one of those annoying things!
    Thanks in advance!

    Is this a new Apple battery? If so bring it to an Apple store for evaluation and probable replacement. If it is a third party battery, it may be suspect.
    Ciao.

  • SSRS: "View Report" button doesn't refresh parameter dropdowns

    So many people have asked similar questions about why SSRS report parameters are not refreshed when the "View Report" button is clicked, and MSDN simply comes back with the answer "works as designed". It's a bad design, period.
    Here is my suggestion to the Microsoft team who works on SSRS: either add a "Refresh Parameters" button at the end of the last parameter dropdown so users can force a reload of the parameter list, or add a "Reload Report" button after the "View Report" button (which should be renamed "Refresh Report", more precisely) to allow the user to reload the entire report (as if Ctrl-F5 were pressed in IE), not just to refresh the main report dataset as the "View Report" button is currently doing.

    Hi Steve Liu,
    Thanks for your suggestion and you can also submit this suggestion at
    https://connect.microsoft.com/SQLServer/
    If the suggestion is mentioned by customers many times, the product team may consider adding the feature in the next SQL Server version. Your feedback is valuable for us to improve our products and increase the level of service provided.
    Thanks for your understanding
    Regards,
    Vicky Liu
    TechNet Community Support

  • ASA 5505 Speed Issue - Help Requested if possible

    Hi All,
    I am wondering if anybody here can shed some light on any potential configuration issues with the configuration below (sanitized). Current State:
    1. Site to Site VPN is up and running perfectly.
    2. Client to Site VPNs work through L2TP/IPsec and through mobile devices such as iPhone.
    3. The outside interface is at line speed - approximately 5-6 Mbits per second.
    4. When performing a download of a service pack from Microsoft, the bit rate on the inside interface is approximately 1/3rd of the outside interface (a lot of loss). The interface shows no CRC errors and no input errors.
    5. The outside interface shows CRC errors and input errors, but since the line speed is optimal (as the client experienced via their WAN router directly, with the ASA out of the mix), I have not looked into this further. I suspect the device it is directly attached to does not auto-negotiate correctly even though the interface is set to 100Mb Full Duplex.
    6. Outside interface MTU is set to 1492, purposely set this way due to PPPoE overhead (approx. 8 bytes). Please correct me if I am wrong.
    7. Inside interface MTU is set to 1500; no drops or loss detected on that interface, so I have left it as is.
    8. All inspection has been disabled on the ASA as I thought that scans on the traffic could have impaired performance.
    Current Environment Traffic Flow:
    1. All hosts on the network have their DNS pointed to external IP addresses currently, as the DNS server is out of the mix. This usually points to DNS servers in the US. If the hosts use this, the DNS queries are performed over the site-to-site VPN but the internet traffic is routed around the VPN as the traffic is a separate established session. Split tunneling is enabled on the ASA to only trust the internal hosts from accessing the US hosts. Everything else uses the default route.
    2. The version of software on this ASA is 8.2(1). I have checked and there does not seem to be any underlying issue that would cause this type of behaviour.
    3. Memory is stable at roughly 190Mb out of 512Mb.
    4. CPU is constant at approximately 12%.
    5. WAN and INSIDE switch are Fast Ethernet and the ASA interfaces are all Ethernet - potential compatibility issue between standards? I'm aware they should be compatible - anybody that has experienced any issues regarding this would be greatly appreciated.
    Current Issues:
    1. Speed on the inside interface is approximately 1/3rd of the WAN/Outside interface - download speeds are sitting at approximately 250 - 300kb (should be sitting at approximately 700-800kb).
    2. Noticed that when the DC is pointed to the USA Root Domain Controller (across the tunnel) latency is approximately 400ms average. (Performed using host name.)
    3. I ping the IP address of the exact same server and the latency is still 400ms.
    4. Changing the DC's DNS address to 8.8.8.8, I perform the same ping to the same servers. Still 400ms.
    5. I ping google.co.nz and I still get 400ms (you would expect it to route out the default gateway but the session is still active for that IP on the ASA).
    6. I ping 74.x.x.x (the IP from the resolution in step 5) and I get the same result.
    7. I flush DNS, same issue for 5/6.
    8. I clear xlate on the ASA and the same issue persists.
    9. I close the command line, reopen it, and perform the test again - latency is now back to 40 - 50ms as we would expect for non-VPN traffic.
    I am currently out of ideas and would like some advice on what I have actually missed.
    Things I suspect that I may need to do:
    1. Upgrade IOS to the latest version (other than that - I'm out of ideas).
    ASA Version 8.2(1)
    hostname BLAH
    enable password x.x.x.x encrypted
    passwd x.x.x.x encrypted
    names
    name x.x.x.x BLAHPC
    name 8.8.8.8 Google-DNS description Google-DNS
    name 202.27.184.3 Telecom-Alien-Pri description Telecom-Alien-Pri
    name 202.27.184.5 Telecom-Terminator-Sec description Telecom-Terminator-Sec
    name 203.96.152.4 TelstraClearPri description TCL-PRI
    name 203.96.152.12 TelstraClearSec description TCL-Sec
    name x.x.x.x BLAH_Network description BLAH-Internal
    name x.x.x.x DC description DC VPN Access
    name x.x.x.x Management-Home description Allow RDP Access from home
    name x.x.x.x SentDC description BLAHDC
    name x.x.x.x Outside-Intf
    dns-guard
    interface Vlan1
    nameif inside
    security-level 100
    ip address x.x.x.x 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group pppoex
    ip address pppoe setroute
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    banner exec [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
    banner login If you are Unauthorized to use this device, leave now. Prosecution will follow if you are found to access this device without being Authorized.
    banner asdm [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
    ftp mode passive
    clock timezone WFT 12
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server Google-DNS
    name-server Telecom-Alien-Pri
    name-server Telecom-Terminator-Sec
    name-server TelstraClearPri
    name-server TelstraClearSec
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group network BLAH-US
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group network x.x.x.x
    network-object x.x.x.x 255.255.255.0
    network-object  x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group service Management_Access_Secure
    description Management Access - SECURE
    service-object tcp eq https
    service-object tcp eq ssh
    service-object tcp eq 4434
    object-group service FileTransfer tcp
    description Allow File Transfer
    port-object eq ftp
    port-object eq ssh
    object-group service WebAccess tcp
    description Allow Web Access
    port-object eq www
    port-object eq https
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service AD_Access udp
    description Allow Active Directory AD ports - UDP Only
    port-object eq 389
    port-object eq 445
    port-object eq netbios-ns
    port-object eq 636
    port-object eq netbios-dgm
    port-object eq domain
    port-object eq kerberos
    object-group network DM_INLINE_NETWORK_2
    group-object x.x.x.x
    group-object x.x.x.x
    object-group network DM_INLINE_NETWORK_3
    group-object x.x.x.x
    group-object x.x.x.x
    object-group network BLAH_DNS
    description External DNS Servers
    network-object host Telecom-Alien-Pri
    network-object host Telecom-Terminator-Sec
    network-object host TelstraClearSec
    network-object host TelstraClearPri
    network-object host Google-DNS
    object-group service AD_Access_TCP tcp
    description Active Directory TCP protocols
    port-object eq 445
    port-object eq ldap
    port-object eq ldaps
    port-object eq netbios-ssn
    port-object eq domain
    port-object eq kerberos
    port-object eq 88
    object-group network DM_INLINE_NETWORK_4
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group network DM_INLINE_NETWORK_5
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
    group-object x.x.x.x
    group-object x.x.x.x
    object-group network DM_INLINE_NETWORK_1
    group-object x.x.x.x
    group-object x.x.x.x
    access-list inside_access_in remark Allow Internal ICMP from BLAH
    access-list inside_access_in extended permit icmp Sentinel_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2
    access-list inside_access_in remark Allow Internal ICMP to BLAH
    access-list inside_access_in extended permit icmp object-group DM_INLINE_NETWORK_3 BLAH 255.255.255.0
    access-list inside_access_in remark External DNS
    access-list inside_access_in extended permit object-group TCPUDP BLAH 255.255.255.0 object-group BLAH_DNS eq domain
    access-list inside_access_in remark Allows Web Access
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group WebAccess
    access-list inside_access_in remark Allow Remote Desktop Connections to the Internet
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group RDP
    access-list inside_access_in remark Allow File Transfer Internet
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group FileTransfer
    access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
    access-list inside_access_in extended permit udp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_4 object-group AD_Access
    access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_5 object-group AD_Access_TCP
    access-list inside_access_in extended permit ip any any
    access-list outside_cryptomap_65535.1 extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_6
    access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-US
    access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
    access-list nonat extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
    access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-US
    access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
    access-list tekvpn extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
    access-list inbound extended permit icmp any any
    access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 10.1.118.192 255.255.255.224
    access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list outside_1_cryptomap extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging monitor informational
    logging buffered notifications
    logging trap informational
    logging asdm informational
    logging class auth monitor informational trap informational asdm informational
    mtu inside 1500
    mtu outside 1492
    ip local pool ipsec_pool x.x.x.x-x.x.x.x mask 255.255.255.0
    ip local pool Remote-Access-DHCP x.x.x.x-x.x.x.x mask 255.255.255.0
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 BLAH 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    nac-policy DfltGrpPolicy-nac-framework-create nac-framework
    reval-period 36000
    sq-period 300
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec authentication-server
    http server enable RANDOM PORT
    http 0.0.0.0 0.0.0.0 outside
    http x.x.x.x x.x.x.x inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection tcpmss 1428
    sysopt connection tcpmss minimum 48
    auth-prompt prompt You are now authenticated. All actions are monitored! if you are Unauthorized, Leave now!!!
    auth-prompt accept Accepted
    auth-prompt reject Denied
    service resetoutside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer x.x.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh x.x.x.x 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    management-access inside
    vpdn group pppoex request dialout pppoe
    vpdn group pppoex localname **************
    vpdn group pppoex ppp authentication pap
    vpdn username ************** password PPPOE PASSPHRASE HERE
    dhcpd auto_config outside
    dhcpd address x.x.x.x/x inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server x.x.x.x source outside prefer
    tftp-server outside x.x.x.x /HOSTNAME
    webvpn
    group-policy DfltGrpPolicy attributes
    banner value Testing ONE TWO THREE
    vpn-idle-timeout 300
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value outside_cryptomap_65535.1
    user-authentication enable
    nem enable
    address-pools value Remote-Access-DHCP
    webvpn
      svc keepalive none
      svc dpd-interval client none
    USER CREDENTIALS HERE
    vpn-tunnel-protocol l2tp-ipsec
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key SITETOSITE PSK
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup general-attributes
    authorization-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key CLIENTTOSITE PSK
    peer-id-validate nocheck
    isakmp keepalive disable
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    authentication eap-proxy
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspect_default
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    Cryptochecksum:894474af5fe446eeff5bd9e7f629fc4f
    : end

    Hi all, this post can be officially closed. The issue had nothing to do with the ASA but required a firmware upgrade on the WAN router which boosted the throughput on the external interface on the ASA to 10Mbps and the inside throughput naturally corrected itself to what was expected.
    Thanks to everybody who looked at this issue.
    Andrew
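The throughput problem turned out to be unrelated to the ASA, but the configuration posted above is still worth a second look for the crypto it offers: the transform sets actually bound to the crypto maps are all 3DES (two of them with HMAC-MD5), both ISAKMP policies use 3DES and Diffie-Hellman group 2, and `ssh 0.0.0.0 0.0.0.0 outside` accepts SSH from any source address on the outside interface. The script below is an added example, not code from Andrew's post or from Cisco: it parses those lines and reports each weak setting with the stronger replacement. SAMPLE_CONFIG is a constructed subset of the posted config (same x.x.x.x placeholders); the severity scale, the regexes and the "weak" sets are this example's own and reflect common IKE guidance (no DES/3DES, no MD5, no sub-2048-bit MODP groups), not anything the thread states.

```python
"""Audit an ASA running-config excerpt for weak IKE/IPsec crypto and for
management SSH open to the world.  Added example; not from the original post.
SAMPLE_CONFIG is a constructed subset of the configuration posted above."""
import re

SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto isakmp policy 1
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 2
 encryption 3des
 hash md5
 group 2
ssh x.x.x.x 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
"""
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}  # 64-bit block ciphers
WEAK_HASHES = {"md5", "esp-md5-hmac"}                   # HMAC-MD5
WEAK_DH_GROUPS = {"1", "2", "5"}                        # 768/1024/1536-bit MODP
TRANSFORM_RE = re.compile(r"\s*crypto ipsec transform-set (\S+) (.+?)\s*$")
MAP_RE = re.compile(r"\s*crypto (?:dynamic-)?map \S+ \d+ set transform-set (.+?)\s*$")
POLICY_RE = re.compile(r"\s*crypto isakmp policy (\d+)\s*$")
ATTR_RE = re.compile(r"\s*(authentication|encryption|hash|group|lifetime) (\S+)\s*$")
SSH_RE = re.compile(r"\s*ssh (\S+) (\S+) (\S+)\s*$")


def parse_transform_sets(cfg):
    """name -> transforms; a '... mode transport' line carries no transforms."""
    sets = {}
    for line in cfg.splitlines():
        m = TRANSFORM_RE.match(line)
        if m and not m.group(2).startswith("mode "):
            sets[m.group(1)] = m.group(2).split()
    return sets


def referenced_transform_sets(cfg):
    """Sets bound to a static or dynamic crypto map, i.e. actually offered to peers."""
    used = set()
    for line in cfg.splitlines():
        m = MAP_RE.match(line)
        if m:
            used.update(m.group(1).split())
    return used


def parse_isakmp_policies(cfg):
    """priority -> {attribute: value}.  A block ends at the first non-blank line
    that is not an attribute, so the ASA's one-space indent is not required."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        elif line.strip():
            current = None
    return policies


def audit(cfg):
    """Return (severity, where, reason) tuples for every weak setting found."""
    findings = []
    used = referenced_transform_sets(cfg)
    for name, transforms in parse_transform_sets(cfg).items():
        if name not in used:
            continue  # defined but unbound: never negotiated with a peer
        where = f"transform-set {name}"
        for t in transforms:
            if t in WEAK_CIPHERS:
                findings.append(("high", where, f"{t}: 64-bit block cipher; use esp-aes-256"))
            elif t in WEAK_HASHES:
                findings.append(("medium", where, f"{t}: MD5 integrity; use esp-sha-hmac or stronger"))
    for prio, a in sorted(parse_isakmp_policies(cfg).items(), key=lambda kv: int(kv[0])):
        where = f"isakmp policy {prio}"
        if a.get("encryption") in WEAK_CIPHERS:
            findings.append(("high", where, f"encryption {a['encryption']}; use aes-256"))
        if a.get("hash") in WEAK_HASHES:
            findings.append(("medium", where, "hash md5; use sha or stronger"))
        if a.get("group") in WEAK_DH_GROUPS:
            findings.append(("high", where, f"group {a['group']} is under 2048 bits; use group 14 or higher"))
    for line in cfg.splitlines():
        m = SSH_RE.match(line)
        if m and m.group(1) == m.group(2) == "0.0.0.0":
            findings.append(("high", f"ssh 0.0.0.0 0.0.0.0 {m.group(3)}",
                             f"SSH accepted from any source on {m.group(3)}; restrict to management hosts"))
    return findings


if __name__ == "__main__":
    for severity, where, reason in audit(SAMPLE_CONFIG):
        print(f"[{severity:<6}] {where}: {reason}")
```

Run it against a full `show running-config` dump and it reports only the transform sets a peer can actually negotiate (ESP-AES-256-SHA is defined above but bound to nothing, so it is skipped), which keeps the output to settings that change what goes on the wire. The SSH check is deliberately the cheapest one: on an ASA a `0.0.0.0 0.0.0.0` source on the outside interface means the only thing between the internet and the management plane is the password.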

  • Frame Hold feature doesn't work in PE8

    In one of my video clips, I want to freeze a frame in the middle, and then have that frame frozen until the end of the clip. The Frame Hold feature is supposed to accomplish this. However, I can't get it to work in Windows 7. Here are the steps I've taken, which is right out of the PDF manual for PE8:
    (1)     I open up a clip in the Preview Monitor.
    (2)     I position the CTI where the frame is to be held, then I mark it with Marker 0 (zero).
    (3)     I exit the Preview Monitor.
    (4)     I select the video clip, go to Clip, Video Options, Frame Hold. I check "Hold on," and specify Marker 0 (zero).
    But when I play the clip back, all of it is completely frozen -- before the zero marker and after the zero marker. I've uninstalled and reinstalled the program, but this didn't help. I have 4 gigs of memory, and a 500+ gig hard drive. My video drivers are current and up-to-date. Does anyone have any clues as to why I'm not able to get the Frame Hold feature to work?

    This is an old thread, but I have a related question.
    First, what exactly is "Frame Hold" in PrE12?  If I search the PDF Manual (AKA "Tutorial"), there are zero occurrences.
    I gather from the above that it's supposed to allow the user to designate one or more frames at one or more points in the clip that will stop the action for a designated period of time.
    I have been accomplishing the same effect with the Freeze Frame function, which inserts a BMP image in the clip.  (It also allows the bmp to be saved to a folder on the computer.)  I don't like this because the insertion chops up the audio and sound tracks, creating gaps that are hard to fix later.  (See one of my other posts for more details on this.)
    So the Frame Hold option intrigues me with the hope that it would be less disruptive to the work flow.
    The other point of interest comes from Bill Hunt's comment above:
    "In PrE, there is a little "camera" icon, that produces a still image from the Video. Select the Frame (last Frame in this example), and output a still image. Cannot recall the exact choices in PrE 8, but I think that they are BMP, or TIFF."
    The Freeze Frame in PrE12 only allows BMP; I would love to have a TIFF option, and I'm hoping that Frame Hold might allow it.  (I thought I could export a still image as TIFF, but I find that JPEG is the only option, and in any case that is time-wasting if you have a lot of frames to capture.)
    Yet another question: PrE has no little camera icon that I can find.  One has to go to Tools > Freeze Frame (or use a shortcut key, which I do).  Then the choice is either Export as BMP or Insert in video.  (If you want to do both, choose Export first, since Insert will close the dialog box and you will have to start over to do the Export.)  Has the camera icon (which had the obvious advantage of being simple, quick and intuitive) been replaced?
    Bottom line: does Frame Hold (supposedly) accomplish the same as Insert Freeze Frame, without the disruption of other tracks?  If so (or even if not), how?  I have futzed around with it for quite some time and have no idea of how it is supposed to function.  I have tried setting inpoint, outpoint, marker zero, etc. and no matter what I do, the video keeps on rolling right through that point when I get there.
    It's frustrating to have a feature that is not searchable in the "Manual" and doesn't lend itself to trial and error discovery.
    Message was edited by: Kawika808 - factual correction

Maybe you are looking for