Packet Capture for VPN traffic

Hi Team,
Please help me set up an ACL and capture for Remote Access VPN traffic.
The requirement is to see how much traffic is flowing from that source IP.
Source : Remote Access VPN IP(Tunneled) 10.10.10.10
Destination : any
This is what I did, which is not working:
access-list VPN extended permit tcp host 10.10.10.10 any
capture CAP_VPN type raw-data access-list VPN interface OUTSIDE

Hello,
If you set up the capture with that access list, you are filtering just TCP traffic, so you won't be able to see UDP or ICMP traffic either. I would recommend using the same ACL, but with IP:
access-list VPN extended permit ip host 10.10.10.10 any
capture CAP_VPN access-list VPN interface outside
Then with:
show capture CAP_VPN
You will be able to see the packet capture on the ASA, though you can also export the capture to a packet sniffer as follows:
  https://<ip address of asa>/capture/<capname>/pcap   (capname --> CAP_VPN)
For further details on captures, you can find them at this link.
Let me know if you could get the information you were trying to obtain.
Please don't forget to rate and mark the helpful post as correct!
Regards,
David Castro
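The requirement in this thread is a byte count per source IP, which is easier to get from the exported pcap than from `show capture` output. The following is an added example, not code from the thread or from Cisco: a small libpcap parser that sums packets and wire bytes per source IP, with a `host` filter that mirrors `permit ip host 10.10.10.10 any` and an optional `proto` filter that mirrors the poster's original `permit tcp`, so the difference the reply points out (UDP and ICMP dropping out of the count) is visible in numbers. The four-packet capture is constructed in memory; the hostname and capture name in the docstring are placeholders, and no real ASA or file is read.

```python
"""Measure how much traffic a source IP sent, from a pcap exported off the ASA
(https://<asa>/capture/<capname>/pcap or `copy /pcap capture:<capname> tftp://...`).

Added example, not part of the original thread. The capture below is constructed
in memory; no real ASA or file is read.
"""
import struct
from collections import defaultdict
from typing import Dict, Iterator, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes) -> Iterator[Tuple[float, int, bytes]]:
    """Yield (timestamp, original_length, frame) for each record of a classic libpcap buffer."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a libpcap (.pcap) file")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, orig_len, data[off:off + incl_len]
        off += incl_len


def ipv4_addresses(frame: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, protocol) for an Ethernet/IPv4 frame, skipping one 802.1Q tag
    (ASA captures on a VLAN subinterface carry it); None for anything that is not IPv4."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETHERTYPE_8021Q and len(frame) >= 18:
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    proto = frame[off + 9]
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    return src, dst, proto


def bytes_by_source(pcap: bytes, host: Optional[str] = None,
                    proto: Optional[int] = None) -> Dict[str, Tuple[int, int]]:
    """Map source IP -> (packet count, bytes on the wire).

    `host` mirrors `permit ip host X any`; `proto=6` mirrors the poster's `permit tcp`
    and silently drops UDP/ICMP. Wire bytes use orig_len, so a snaplen-truncated
    capture still reports true volumes."""
    totals: Dict[str, list] = defaultdict(lambda: [0, 0])
    for _ts, orig_len, frame in parse_pcap(pcap):
        hdr = ipv4_addresses(frame)
        if hdr is None:
            continue
        src, _dst, p = hdr
        if host is not None and src != host:
            continue
        if proto is not None and p != proto:
            continue
        totals[src][0] += 1
        totals[src][1] += orig_len
    return {k: (v[0], v[1]) for k, v in totals.items()}


# --- constructed sample data (not a real capture) ---------------------------

def _frame(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal Ethernet + IPv4 frame with a zero payload (constructed; checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + bytes(payload_len)


def build_sample_pcap() -> bytes:
    """Four-packet little-endian pcap: TCP, UDP and ICMP from the VPN host, plus one reply."""
    frames = [
        _frame("10.10.10.10", "192.168.1.50", 6, 100),   # TCP from the tunneled VPN client
        _frame("10.10.10.10", "8.8.8.8", 17, 40),        # UDP (DNS-sized) from the client
        _frame("10.10.10.10", "192.168.1.1", 1, 56),     # ICMP from the client
        _frame("192.168.1.50", "10.10.10.10", 6, 1400),  # return traffic, different source
    ]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


if __name__ == "__main__":
    sample = build_sample_pcap()
    for src, (pkts, nbytes) in bytes_by_source(sample, host="10.10.10.10").items():
        print("%s: %d packets, %d bytes (all IP)" % (src, pkts, nbytes))
    for src, (pkts, nbytes) in bytes_by_source(sample, host="10.10.10.10", proto=6).items():
        print("%s: %d packets, %d bytes (tcp only)" % (src, pkts, nbytes))
```

On the constructed sample the host sends 298 bytes in three packets with an IP-level filter but only 134 bytes in one packet with a TCP-only filter, which is the under-count the reply is warning about. To use it on a real export, read the downloaded file into `bytes` and pass it to `bytes_by_source`; the ASA emits classic little-endian pcap with Ethernet framing, which is the only link type handled here.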

Similar Messages

  • Getting packet captures for IP Phone

    Hi,
    I want to take captures for IP phone calls to find out the frequency and cadence of the FXO ports. My country doesn't have listed cptones.
    Now while I'm trying to get the captures, I am not getting any UDP stream from the source IP (which is usually the gateway IP address) to the IP phone. It's only the skinny packets. Can anyone help me to get appropriate captures?
    For your information, we are using 8 PSTN lines connected to the FXO ports of the router.
    Regards,
    Sagar

    Hi Esperier,
    Thanks for your mail.
    To my understanding, we can use VAD only on voip dial-peers. We have 8 PSTN lines connected to the FXO ports. On the POTS dial-peer, there is no option for VAD.
    Another thing is, we have separate routers for Internet & Voice traffic. Not sure what you meant by routing issue. We don't have any explicit routing other than the default routing. We have subinterfaced g0/0 into data and voice VLANs and the default route is directed to the data VLAN gateway. Still I'm getting only the TCP & Skinny packets.
    Please help me.
    Regards,
    Sagar

  • Capture all VPN traffic?

    I downloaded Microsoft Network Monitor and I'm trying to look at all the traffic going on on the remote network. I enabled NDISWANBH (WAN Miniport) only to capture the PPP traffic. I have set up PPTP VPN and can connect to (and browse) the remote network just fine.
    But when I tried to capture all the traffic on the VPN network, it only showed my computer's IP address (the local one when connected to the network 192.168.1.200) and the remote router's IP address (192.168.1.1).
    I'm looking to capture what the other computers and devices (that are on the remote network) are doing. How do I do that?

    When you start network monitor, you need to select NDISWAN from select networks. You should see this option on the start page when you launch Network Monitor.
    BTW, Message Analyzer (http://blogs.technet.com/MessageAnalyzer), the eventual replacement for Network Monitor, can also capture tunnel traffic, but instead it uses a firewall driver to capture the data. Perhaps this is another option for you.
    Thanks,
    Paul

  • Tcp Connection timeout on ASA for vpn traffic

    Hello All
    I need an answer please.
    I wanted to give TCP connection timeout as unlimited for some IPs coming through VPN.
    So, I created an access-list defining the traffic for which I want this tcp timeout.
    Then a class map, policy map, entered set timeout to '0'
    Applied it under default service-policy, which is applied as global (by default).
    My doubt is should I apply the service policy on the interface or the global will work.
    Just a silly doubt
    Thanks in advance.

    Hi,
    I think it should work just fine if you attach it to the default "policy-map" configuration that you have attached globally on the ASA.
    You might want to configure the timeout value as something long rather than setting it as unlimited.
    - Jouni

  • Monitor Capture for IPv6

    Trying to capture IPv6 BGP hello traffic with monitor capture feature without success.
    With the monitor capture for IPv6 traffic active and running; If I traceroute (IPv6) from this same router I do see the IPv6 traceroute traffic but NEVER IPv6 BGP hellos.
    NOTE:
    IPv6 traceroute traffic is not shown in the below output because I already cleared the V6BUFF buffer before running the show command.
    My setup:
    monitor capture buffer V6BUFF size 512 max-size 128 linear
    monitor capture point ipv6 cef V6PT mfr0.1 both
    monitor capture point associate V6PT V6BUFF
    monitor capture point start V6PT
    Troubleshooting
    After disassociating monitor capture point V4PT here are the results:
    1941-WAN3#sh mon cap buff all par
    Capture buffer V6BUFF (linear buffer)
    Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
    Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
    Associated Capture Points:
    Name : V6PT, Status : Active
    Configuration:
    monitor capture buffer V6BUFF size 512 max-size 128 linear
    monitor capture point associate V6PT V6BUFF
    Capture buffer V4BUFF (linear buffer)
    Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 125
    Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
    Associated Capture Points:
    Name : V4PT, Status : Inactive <--- I already disassociated this one
    Configuration:
    monitor capture buffer V4BUFF size 512 max-size 128 linear
    monitor capture point associate V4PT V4BUFF
    Regards
    Frank

    What was the issue and how did you solve it?
    -Deepak

  • Port forwarding not working for VPN

    Hi there,
    I am at a loss as to what I am doing wrong with regards to setting up a VPN. I admit this is all completely new territory for me, and I am learning as I go along, so may have overlooked something very obvious.
    I have opened up the VPN ports on the router (500, 1701, 4500 - UDP; 1723 - TCP), and can confirm from the logs that they are letting traffic in ok.
    So that leaves the server itself - testing using an open port checking tool confirms all ports I have open in the router firewall, and active and accessible on the server, except the VPN ports and service, are indeed open and accessible.
    The VPN service is running, and I have ensured the services are available within the firewall service for 'all', and all services available for the 192.168.1.xxx range.
    I have indicated that the VPN should use the range - 10.0.0.1 to 200
    The DNS and DHCP services on the server are running. At the domain registrar, I have indicated that the subdomain I am using to access the server and its services via the web should point to the static IP I have from the ISP.
    I should mention that if I use the local IP address of the server, I can connect ok, it is only when I use the static IP that I am unable to connect.
    Every other port opens up successfully - FTP (21), Web (80/443), etc - just not the ones for the VPN, so I assume there is some sort of conflict between or within the VPN/DHCP/DNS services or with the VPN service itself.
    Any advice and potential solutions would be greatly appreciated, as I have spent quite a bit of time trying to figure this one out by myself.
    Thanks in advance, and I hope to hear from folk soon.
    Chris

    OK - here's how my router is configured:
    NAT (Type = Destination) Public IP address to VPN Server IP address (I had a problem when I didn't have the NAT Type set properly)
    I have a separate public IP address reserved for VPN traffic, but that's not necessary if you set up the order of the rules on your router properly. It's just easier to have a separate IP address.
    These are the ports I have open:
    UDP - 500
    UDP - 1701
    TCP - 1723
    TCP - 3283
    UDP - 3283
    UDP - 4500
    TCP - 5900
    TCP - 5988
    I have these ports open to accommodate remoting in via Apple Remote Desktop.
    However, since Mavericks, I can't use ARD anymore. But I can use Back to My Mac and Screen Sharing (go figure!) to get to my server and then from the server I can use ARD within the network.
    Don't know if that helps or not, but it works for me.

  • Pulling packet capture from IPS device

    I work for a MSP (Managed Services Provider), we currently are evaluating CSM for mgt of 50 IPS/IDSM devices. To make analysis more effective, want to be able to pull the packet capture from the device. We have our own correlation engine, so we do not need MARS. We want to grab the packet and then put a copy into our ticketing system so the analyst has the data right in front of them.
    Is the IP Log directory where the packet capture data is kept? Has anyone ever tried this before? What are the performance/health concerns with enabling packet captures for just high signatures? Does the IP log directory really "clean" itself out after a certain period of time?

    There are 4 event actions that can be used to capture packets.
    The produce-verbose-alert event action will encode the trigger packet as part of the alert itself. So with this event action the packet is already included in the alerts you are already pulling off the sensor. You just need to modify your tool to strip off this packet, decode it, and then add it to your ticketing system at the same time as you add the alert.
    This is where I would start.
    Using produce-verbose-alert uses very little additional sensor resources. It has only a very small effect on sensor performance. Because each alert will be larger than normal it will reduce the total number of alerts that can be stored in the sensor's eventstore. But if your application is actively subscribing for these events, then the reduction in total number of alerts stored on the sensor should not cause you any issues. So adding this for all High alerts would be a good practice.
    The other 3 event actions are log-attacker-packets, log-pair-packets, and log-victim-packets. These event actions will trigger an IP Log (packet log) to be created (or increase the time for capture on an existing IP Log).
    The IP Log system is a collection of numbered files on the sensor. As event actions trigger new IP Logs to be created the sensor will pick one of those numbered files and begin writing packets to that file. The sensor retains an internal mapping of what packets are being written to each file. If no empty files exist, then the sensor will automatically overwrite the oldest IP Log file with the new IP Log file. Larger platforms have up to 512 of these numbered files, and smaller platforms may have as few as 128 or even 64 of these numbered files. Each file is 1 Megabyte in size and usually stored in RAM memory. With the limited number of files, the storage of these logs on the sensor is very short term, and so they should be pulled off the sensor as soon as possible (just like what you are planning to implement). The sensor also has a usual limit of only writing 20 IP Log files at any one time.
    With these limitations on the IP Log files they should be used sparingly. Configuring too many signatures, or signatures that trigger often, with these event actions can lead to problems. The IP Logs could easily be overwritten by newer IP Logs being triggered, and/or more than 20 could be requested at any one time, which means some alerts won't be able to have an IP Log created.
    So IP Logging event actions should be limited to only those alerts where the additional data is mandatory.
    Also understand that IP Logging can have a negative impact on sensor performance. If you plan on using IP Logging often, then consider using a sensor rated for higher speeds than what you will be monitoring.

  • Packet capture via 'show events alert' on 4.1(4)

    Greetings all. I have an IDSM2 running 4.1(4g). When looking at events via 'show events alert' I notice that some signatures have packet capture info, others do not. Trying to figure out what determines this??
    Example, Long SMTP Command(sigID 3109, subsigID 1) 'show events alert' has packet capture info. Looked at the following
    1.
    (config-vsc-virtualSensor)# SERVICE.SMTP
    (config-vsc-virtualSensor-SER)# show settings
    CapturePacket: False <defaulted>
    2.
    config-vsc-virtualSensor)# SERVICE.SMTP
    config-vsc-virtualSensor-SER)# signatures siGID 3109
    (config-vsc-virtualSensor-SER-sig)# show settings
    CapturePacket: False <defaulted>
    3.
    config-vsc-virtualSensor-SER)# signatures siGID 3109 subSig 1
    config-vsc-virtualSensor-SER-sig)# show settings
    CapturePacket: False <defaulted>
    =========
    Again...trying to determine where/how the option to get packet capture for this sigID is set. Thanks for any help.

    It looks like you are in the right place and checking the correct setting.
    Were the alerts you are looking at generated during a period of time that CapturePacket had been set to True? Changing this setting will only affect new alerts being generated, and not old alerts previously stored on the sensor.
    A few other things to check:
    Try executing "show conf" and look for any tunings on Sig 3109.
    There is a very small possibility of the config being out of sync. Doing a show conf should show you the config currently being used by the sensor.
    Execute "show events" and verify that the SigID is 3109 and the SubSig is 1 or 0. If it is another subsig like 2, then you will need to separately edit the settings for that subsig.
    Marco

  • Access-list needed for vpn

    Hi,
    If we have a LAN to LAN VPN between two Cisco firewalls and allowed the service as IP (IPsec tunnel), do we need individual access-lists in the security policy? (I had a similar case where I had to put in an entry on the security policy for port 16000 between the two subnets used on the LAN to LAN firewalls.)
    I was under the impression the security policy applies only for non-VPN traffic and for VPN traffic we need to specify on the IPsec tunnel (under the tab Service).
    Thanks

    There are two ways you can filter traffic which is moving over VPN.
    1) Filter at the source; of course ACLs are required.
       For example the crypto ACL allows Site A 10.0.0.0/24 to Site B 20.0.0.0/24, but traffic can be filtered at the interface where 10.0.0.0/24 is configured. Let's assume we want to deny port 80.
    The ACL would be:
    access-list XXX extended deny tcp 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 80
    access-list XXX extended permit ip any any
    access-group XXX in interface inside
    So this will deny port 80 and permit the rest of the traffic.
    2) You can configure VPN filter which is called under group policy .
    Thanks
    Ajay

  • How to display date for each packet in a Cisco ASA packet capture

    Hello,
    Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?
    When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet?  I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export. 
    Sample capture below.  Time is displayed but not the date of the packet capture.  Issuing command "sh cap test detail" doesn't show the date either.  I checked on an ASA running v9 and it also doesn't show the date in the packet capture.
    ASA5505# sh cap test
       1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x:  udp 404
       2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53:  udp 37
       3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082:  udp 53
       4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500:  udp 404
       5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
       6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
    Thanks for any help.
    Joe

    Hi,
    I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information
    For example
    copy /pcap capture:test tftp://x.x.x.x/test.pcap
    This should copy the current data in the capture to the mentioned location with the mentioned filename.
    I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that can not be formed. It's a lot easier to go through bigger captures by copying them from the ASA and viewing them with actual software meant for that purpose.
    Hope this helps :)
    - Jouni

  • Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

    Hi All,
    I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
    2811 having C2800NM-ADVIPSERVICESK9-M
    2811 router connects to the Internet SW then connects to the Internet router.
    Note: For authentication I am using the Device ID & pre-shared key. I am worried as all user traffic goes with PAT and is not firing up my tunnel for port 80 traffic. Can you please suggest what can be the issue?
    Below is router config for VPN & NAT
    crypto keyring ISR_Keyring
      pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp keepalive 10
    crypto isakmp profile isa-profile
       keyring ISR_Keyring
       self-identity user-fqdn [email protected]
       match identity user vpn-proxy.websense.net
    crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
    crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
    set peer vpn.websense.net dynamic
    set transform-set ESP-NULL-SHA
    set isakmp-profile isa-profile
    match address 101
    interface FastEthernet0/1
    description connected to Internet
    ip address 216.222.208.101 255.255.255.128
    ip access-group HVAC_Public in
    ip nat outside
    ip virtual-reassembly
    duplex full
    speed 100
    no cdp enable
    crypto map GUEST_WEB_FILTER
    access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
    access-list 103 permit ip 192.168.8.0 0.0.3.255 any
    ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
    ip nat inside source list 103 interface FastEthernet0/1 overload
    ip nat inside source route-map nonat pool mypool overload

    How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
    Check
    show crypto isakmp sa
    show crypto ipsec sa
    show crypto session
    You'd better remove the preshared key from your post.

  • LMS 3.2 syntax for specifying an interface for packet capture

    Hi fellows,
    I have been trying to specify a particular interface on the packet capture windows and can not find the syntax on any documentation.
    It has to be something like @IPswitch /or: or ? and the interface
    Can someone have an example for the correct syntax?
    Thanks in advance
    Tewfiq

    You can't specify a device interface for packet capture.  The packet capture in LMS runs on the LMS server itself.  You can select a server interface and filter on a specific IP, but you cannot filter down to the device interface unless you filter on that device interface's IP address.  To filter on an IP, just type the IP address in the Address(es) text field.

  • CAS SSO not working for VPN Group

    Hello,
    I am trying to get SSO working for a CAS/CAM in a inband virtual gateway for VPN users coming in off a ASA5520. There are two VPN groups each with its own group policy and tunnel group. One group uses a Windows IAS Radius Server and the other a token based RADIUS RSA device.
    Users use the AnyConnect client to connect to the ASA where they are dumped into a VLAN. SSO works for the group that uses the Windows RADIUS server. On the CAS the Cisco VPN Auth server has the Unauthenticated Group as the default group, and then I use mapping rules (Framed_IP_Address) to get the different VPN groups into the right roles. This works for the one group, but since SSO is not working on the second group the CAS never gets the chance to assign them into the correct role.
    The only thing I got is this from the ASA:
    AAA Marking RADIUS server billybob in aaa-server group cas_accounting as ACTIVE
    AAA Marking RADIUS server billybob in aaa-server group cas_accounting as FAILED
    I am so close but cant call this done yet....

    Hey Faisel,
    Thanks for the question.
    This is the strange thing. For days Group A (Windows RADIUS Server) was working and Group B (RSA RADIUS Server) would not work. Then for some reason I had to reboot the CAS and BOOM... Group B started working and Group A STOPPED working.
    So on the ASA I now get these:
    AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as ACTIVE
    AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as FAILED
    Where cas_accounting2 is the AAA server group for Group A
    On the ASA I can see that the FW sends a packet to the cas:
    "send pkt cas2-hvn-3515/1813"
    but the FW never gets an answer back from the CAS for Group A whereas with Group B I can see the response from the CAS.
    "rad_vrfy() : response message verified"
    What can I look for in the CAS logs to see where the problem is. I will try and setup a packet capture on the CAS and debug it too.

  • Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

    With Rahul Rammanohar 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
    In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
    •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
    •       ASR9k: network processor capture
    •       7200/ISRs: embedded packet capture
    •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
    •       Cisco Nexus 7K: ELAM
    •       CRS: show captured packets
    •       ASR1K: embedded packet capture
    More Information
    Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
    Watch the Video:  https://supportforums.cisco.com/videos/6226
    Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
    Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
    Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
    Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Erick
    Thanks for the topology. The trigger will be different for a labelled packet as you would need to mention the values of the labels too in the trigger.
    Below are two examples of one or two labels being used; it depends on where you are capturing the packet in the MPLS VPN scenario, which will decide the number of labels being imposed on the packet.
    Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    Trigger for two labels. (for other core routers)
    IGP label - 1234
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    You can check the labels being used (by using show ip cef <> details) and convert their values to hex and change the trigger accordingly.
    I have changed the colors for better understanding. If you notice carefully, in the trigger the values for the IP addresses and labels have just been converted to their respective hex values, which could be replaced.
    Please let me know if this helps.
    Thanks & Regards
    Hitesh & Rahul
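The two triggers above were converted by hand, and a single nibble slip in a 32-bit word silently makes ELAM match nothing. The following is an added example, not code from the thread or from Cisco: it computes the dbus data and mask words from a label stack and a source/destination pair, using the byte layout the posted triggers imply (12 bytes of MAC addresses, ethertype 0x8847, one 4-byte shim per label with EXP/S/TTL masked off, then the IPv4 header with only the addresses matched). Function names are this example's own. It reproduces both posted command lines exactly, which is how the reader can check that the layout assumption holds before adapting it to other labels from `show ip cef`.

```python
"""Compute a Catalyst 6500/7600 ELAM dbus trigger for an MPLS-encapsulated IPv4 packet.

Added example, not part of the original thread: it derives by computation the two
triggers the answer above wrote out by hand (labels 5678 and 1234/5678,
111.111.111.111 -> 123.123.123.123). The byte layout assumed is the one those
triggers imply: 12 bytes of MAC addresses, ethertype 0x8847, a 4-byte shim per
label (label<<12; EXP/S/TTL zeroed and masked off), then the IPv4 header with
only source and destination matched. Function names are this example's own.
"""
import ipaddress
import struct
from typing import List, Tuple

MPLS_UNICAST = 0x8847


def build_elam_words(labels: List[int], src: str, dst: str) -> Tuple[List[int], List[int]]:
    """Return (data_words, mask_words): 32-bit words covering the frame from the
    destination MAC up to and including the IPv4 destination address."""
    if not labels:
        raise ValueError("at least one MPLS label is required")
    for lbl in labels:
        if not 0 <= lbl < (1 << 20):
            raise ValueError("label %d out of 20-bit range" % lbl)
    # label stack: label in the top 20 bits; EXP/S/TTL are zero in data, ignored by mask
    shim_data = b"".join(struct.pack("!I", lbl << 12) for lbl in labels)
    shim_mask = struct.pack("!I", 0xFFFFF000) * len(labels)
    # IPv4 header: 12 don't-care bytes (version .. checksum), then src and dst
    ip_data = bytes(12) + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    ip_mask = bytes(12) + b"\xff" * 8
    data = bytes(12) + struct.pack("!H", MPLS_UNICAST) + shim_data + ip_data
    mask = bytes(12) + b"\xff\xff" + shim_mask + ip_mask
    pad = (-len(data)) % 4  # trigger words are 32 bits wide; pad the tail with don't-care
    data += bytes(pad)
    mask += bytes(pad)
    fmt = "!%dI" % (len(data) // 4)
    return list(struct.unpack(fmt, data)), list(struct.unpack(fmt, mask))


def _format_words(words: List[int], upper: bool) -> str:
    """Zero words print as a bare 0; the posted triggers write data in upper-case hex
    and masks in lower-case, which is kept so the output can be diffed against them."""
    hex_fmt = "0x%08X" if upper else "0x%08x"
    return " ".join("0" if w == 0 else hex_fmt % w for w in words)


def elam_trigger(labels: List[int], src: str, dst: str) -> str:
    """Full `show platform capture elam trigger` line for the label stack and addresses."""
    data, mask = build_elam_words(labels, src, dst)
    return ("show platform capture elam trigger dbus others if data = %s [ %s ]"
            % (_format_words(data, True), _format_words(mask, False)))


if __name__ == "__main__":
    # one label: the capturing router performs PHP, so only the VPN label is present
    print(elam_trigger([5678], "111.111.111.111", "123.123.123.123"))
    # two labels: IGP transport label on top of the VPN label, as seen on a core router
    print(elam_trigger([1234, 5678], "111.111.111.111", "123.123.123.123"))
```

Each extra label shifts the IPv4 header by one word, which is why the two-label trigger has eleven words and the one-label trigger ten; the function handles that, but it does not model an 802.1Q tag or any other encapsulation in front of the label stack, so a tagged frame needs the offsets adjusted by hand.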

  • ISE Profiling options for VPN clients

    I'm trying to mull over what profiling options are available for VPN users.  I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access.  The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements.  I don't see an easy way to distinguish these device types that cannot use the NAC agent from the O/Ses that can.  Since the mac address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria.  So the net effect is these devices are stuck in the "unknown" posture state and have very limited access.  Any way around this catch-22?  Incidentally DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their mac address.

    Chris, I ran into the same issue. Netflow doesn't work, and I used packet captures to see if anything was worthwhile. The only option I see is filing an enhancement request to see if the ASA can send the device platform over to ISE via RADIUS (much like the device sensor feature on IOS).
    I also tried to use a SPAN session, and the catch with it is that the ASA doesn't assign the calling station ID attribute to the tunnel IP, but the public IP the user is connecting from. So ISE doesn't apply the user agent attributes to the current session.
    I was able to find a way around this by modifying the messaging via root patch to have the users click a link instead of retrying their request when they hit the CPP portal as a mobile device.
