Question about site to site VPN failover on an ASA

Similar Messages

• Remote site redundancy IPSEC VPN between 2911 and ASA

  We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
  Site A has an ASA with one internet circuit.
  Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
  Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
  The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
  What is the best way of achieving this?
  We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
  However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
  I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.   Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?
  Any help/advice would be appreciated!

  Hello,
  I don't think GRE tunnel that you could set up on the switch  behind ASA would be really helpfull. Still site-2-site tunnel you want  to establish between ASA and some routers, but still it is ASA which needs to make decision about which peer to connect to.
  Possible solution would be to do HSRP between both routers on LAN side and with two independent tunnels/crypto maps (one on each of them). On ASA you would need to set up two hosts in set peer. Problem of this solution is that if one router at side B is going to go down and second ADSL line will take over ASA will not do preempt after you main Internet connection is up again. This would happen after ADSL Internet connection will be down.
  Solution to that would be to assign two different public IP addressess on two different interfaces of ASA. Then you attach two crypto maps to both interfaces and by using sla monitor (let's say icmp to main router, if it does not respond then you change routing for remote LAN to second interface) you are selecting which crypto map (with one peer this time) should be used.
  I hope what I wrote makes some sense.

• Access Site to Site from SSL VPN. ISA 570 & ASA 5505

  I have an Site to Site network between my ISA 570 and my ASA 5505.
  On the ISA 570 side I have the network 192.168.0.0/24 and remote users that are connecting via AnyConnect are in the 192.168.190.0/24
  On the ASA 5505 side I have the netowrk 192.168.200.0/24
  The Site to Site is working properly i can reach the networks from both sides.
  But when I am connected via AnyConnect to the ISA firewall I will also access the 192.168.200.0/24 network on the ASA side.
  I have made an firewall (in the ISA 570) rule that are allowing traffic from SSLVPN to VPN, but I need to nat the traffic from the 192.168.190.0/24 to 192.168.200.0/24 otherwise the ASA are blocking the traffic. I can solve the problem in the ASA but i want to solve it in the ISA 570.

  I have solved my problem.
  Just added an Advanced NAT.
  From: Any (this will be changed to proper network later)
  To: Any (this will be changed to proper network later)
  Original Source Adress: Any (this will be changed to proper network later)
  Original Destination Adress: Site_B (192.168.200.0/24)
  Original services: Any
  Translated source adress: IP of my ISA 570 (192.168.0.1)
  Translated destination adress: Site_B (192.168.200.0/24)
  Translated services: Any

• Question about moving a site

  This isn't a Dreamweaver question, but you guys have been
  great help in the past. Perhaps you can help me here.
  I have a customer, WC, who had a site through one of these
  'template' companies. I have redesigned his site. His domain name
  is registered through Network Solutions. If I leave the domain
  registration with Network Solutions but CHANGE his hosting company,
  will anything (settings, Cnames, MX records, etc) need to change on
  their Microsoft Exchange server? They no longer have a network
  admin, and I'm not familiar with Exchange. I don't want to risk
  crashing their email for a day!
  Thanks!
  Brady

  > Thanks Murray... I had talked to GoDaddy about moving
  both my hosting
  > account
  > AND the domain, and they indicated that it could cause
  problems for a day
  > or
  > so.
  This will only be true if you are not using an exchange
  server. When I do
  this for non-exchange server domains, I always have the
  clients set up a new
  email account that grabs incoming email from the new
  mailserver, while they
  also continue to get it from the old one. In the 72 - 96
  hours it takes to
  be really sure all DN servers have propagated, they will
  receive email from
  both locations. After that time, they can then cancel their
  original
  hosting account, and remove the associated email account.
  > Will I have to set up all of their email addresses again
  after moving the
  > hosting account?
  No - not if they are using an exchange server.
  Murray --- ICQ 71997575
  Adobe Community Expert
  (If you *MUST* email me, don't LAUGH when you do so!)
  ==================
  http://www.dreamweavermx-templates.com
  - Template Triage!
  http://www.projectseven.com/go
  - DW FAQs, Tutorials & Resources
  http://www.dwfaq.com - DW FAQs,
  Tutorials & Resources
  http://www.macromedia.com/support/search/
  - Macromedia (MM) Technotes
  ==================
  "bradyg23" <[email protected]> wrote in
  message
  news:efj8et$oe0$[email protected]..
  > Thanks Murray... I had talked to GoDaddy about moving
  both my hosting
  > account
  > AND the domain, and they indicated that it could cause
  problems for a day
  > or
  > so.
  >
  > Will I have to set up all of their email addresses again
  after moving the
  > hosting account? Or are they maintained on the Exchange
  server? (In the
  > past
  > with non-Exchange businesses I moved, it was simply a
  matter of updating
  > their
  > Outlook settings).
  >
  >
  >
  >
  >
  quote:
  Originally posted by:
  Newsgroup User
  > I think you are safe. That's one of the really nice
  things about using an
  > exchange server....
  >
  >
  >
  >

• Flash newbie questions about slow loading site

  Hi all. I am new to Flash and web-site building in general and I have been learning while doing. Its fun, but frustrating. I really need some help, hope someone out there with Flash experience can give me some advice.
  My problem is this: I built a Flash website, but it is painfully slow to load up (3-5 minutes via cable modem) when I visit the site (via Firefox, etc). Once it does load up, everything is fine with navigation. I'm having a hard time figuring out why its taking so long to load up on the web because, basically, I don't know how to trouble shoot. Hope you guys can help!
  Details: the site is just a portfolio site with pictures and a few motion-things, no complicated animations. The swf file is about 9MB. I do have a flash preloader, but it doesn't show up until after the 3-5 minute "load-up" time. When I do the testing via Flash, its Ok and doesn't show the lag. But once I upload the website files and try to visit my website, the load time problem occurs.
  My thoughts:
  - do I have to purge my Flash file/library of unused images before creating my swf file?
  - Is there a problem with my html code in my index file?
  - because it is a portfolio site, I've got about 90 images on it, each image about 300-400K.  Is this too big, or about right?
  Please help! Sorry for the long email, just desperate for help. Thanks in advance for any advise!!!! Just in case, here is the html code:
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <title>Acme Company</title>
  <script src="Scripts/AC_RunActiveContent.js" type="text/javascript"></script>
  <style type="text/css">
  <!--
  body {
  background-color: #000000;
  -->
  </style>
  <link href="favicon.ico" rel="icon" />
  </head>
  <center>
  <body>
  <script type="text/javascript">
  AC_FL_RunContent( 'codebase','http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,28,0','wid th','800','heigh t','600','title','Acme Company','vspace','100','src','development files/company site_AS2_2008 OCT_final','loop','false','quality','high','plugin spage','http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash','bgco lor','#000000','scale','exactfit','movie','develop ment files/company site_AS2_2008 OCT_final' ); //end AC code
  </script><noscript><object classid="clsid27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,28,0" width="800" height="600" vspace="100" title="Acme Company">
  <param name="movie" value="development files/comapny site_AS2_2008 OCT_final.swf" />
  <param name="quality" value="high" /><param name="BGCOLOR" value="#000000" /><param name="LOOP" value="false" /><param name="SCALE" value="exactfit" />
  <embed src="development files/company site_AS2_2008 OCT_final.swf" width="800" height="600" vspace="100" loop="false" quality="high" pluginspage="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" bgcolor="#000000" scale="exactfit"></embed>
  </object></noscript>

  Yeah I'm with Ned on this one. Dynamically loading your images is the way to go. The fact that you are new to Flash, try this tutorial (http://www.entheosweb.com/Flash/loading_external_images.asp). As you move along in learning Flash, look for tutorials on actionscript arrays and loading images dynamically. Arrays allow you to call each images from a folder outside your fla. That way your site moves right along without much loading time.
  Hope I was of help,
  -Sly

• Quick question about my flash site and facebook

  I have a XML Flash template that I bought and customized to my likings, I used coda html editor to customize it, my question is how do I add the like button from face book, I went to facebook and did the steps to get my code  to plug into my website, do I use the iframe code or the XBML code they gave and is ther eanything special I need to do code wise? it is not working when I copy and paste it, thanks for anyone who can help.

  hi Chris951,
  For the PowerDVD, is the image below the same error that you're getting?
    - Link to picture
  If it is, can you try the following:
  1. After running the Power DVD 10 BD installer, close the error message and navigate to the C:\Drivers\PowerDVD 10 BD folder
  2. Right click on Custom.ini and choose Edit (this will open Notepad). From here, look for the LEGEND Dragon entry and change it to Lenovo then save. When finished, run the setup.exe and PowerDVD should now install successfully.
    - Link to picture
  Regards
  Did someone help you today? Press the star on the left to thank them with a Kudo!
  If you find a post helpful and it answers your question, please mark it as an "Accepted Solution"! This will help the rest of the Community with similar issues identify the verified solution and benefit from it.
  Follow @LenovoForums on Twitter!

• Question about updating SQL Server on failover cluster

  Hi all,
  I would like to better understand the update process of SQL Server (2008 r2) in a failover cluster environment.
  In our cluster we have 4 instances of SQL running, where two of them I am able to at anytime stop the instance and update it.
  The question is... Applying the latest update, will update forcibly all instances installed on that node, or do I have the ability to choose which instance I want to update?
  This way, I could "test" the update process in those two SQL Instances, as described in http://support.microsoft.com/kb/958734 and after finishing I would update the remaining instances.
  Please let me know.
  Thanks in advance.
  Nuno Silva

  Hi Nuno,
  It's a failover cluster issue, I moved it to SQL Server High Availability and Disaster Recovery. So that you can get better help.
  Regards,
  Charlie Liao
  TechNet Community Support

• Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?

  Hi All,
  Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
  I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
  To best explain the question I have put together an example scenario:
  Lets say we have three sites, which are all connected via a separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
  Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
  The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
  Routing on the outside interface is not of concern in this scenario.
  The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
  VLSM is not cleanly summarised per site. (I know this flys against VLSM best practice, but makes the scenario clearer...)
  New subnets are added and removed at each site on a frequent basis.
  EIGRP will be running on each core router, and any stub routers at each site.
  So this results in the following example topology, of which I have exaggerated the VLSM position:
  (http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
  Now, using static route redistribution from the ASAs into EIGRP and making the ASAs to be an EIGRP neighbour, would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit that I am confused over, is the potential to have new subnets added or removed which would require EIGRP routing processes on the relevant site X router to be altered as well as crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
  The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASAs routing table to chose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF, it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would be otherwise protected by the IPSEC tunnel...
  Is there a better method to propagate the routing information dynamically around the example scenario above?
  Is there a way to have dynamic crypto maps based on router information?
  P.S. Diagram above produced via http://www.diagram.ly/

  Hi Guys,
  Thanks for your responses!  I am learning here, hence the post.
  David: I had looked in to the potential for GRE tunnels, but the side-effects could out weight the benifits.  The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA.  In my example (maybe not too clear?) the IPSEC traffic would be terminated on the ASA and not the core router behind.
  Marcin: Was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPSEC tunnel)? Have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
  ospf network point-to-point non-broadcastSpecifies the interface as a point-to-point, non-broadcast network.When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
  Otherwise I would agree it would be happy days...
  Any other ideas (maybe around iBGPs like OSPF) which do not envolve GRE tunnels or terminating the IPSEC on the core router please?
  Kindest Regards,
  James.

• Some Site to Site VPN questions

  When you have an ASA to ASA Site to Site VPN, you do have to configure the routes you want to transverse the tunnel in the routing table with a gateway of the device on the other side correct?
  Also does each side have to match the exact subnets within the crypto domain? For instance if I have defined two subnets 10.10.10.0/24 and 10.100.100.0/24, the other side should have those exact subnets, not just a 10.0.0.0/8 correct? If that makes sense?

  Hi,
  When we consider routing and L2L VPN connections then we generally can presume that they are built through the interface which has the default route. We can also presume that you are not configuring a L2L VPN for a remote network that overlaps with your LAN networks. Considering both of the mentioned things we can determine that naturally any network that is not in your local network will follow the default route when the ASA is making decision about where to forward the traffic.
  So generally you wont need to manually configure any additional routes on the ASA for any remote VPN networks. VPN Client connections adds routes automatically for the VPN Pool IP that is assigned to the VPN Client user. On L2L VPN connections you can configure the ASA to add the routes based on the L2L VPN connections ACL that tells the local and remote networks. In this case you will have to add the following configuration for a given L2L VPN connections
  crypto map set reverse-route
  This will add a route on the ASAs routing table though this wont show in the "route" configurations on the ASA.
  With regards to your questions about the local/remote subnets I actually have to say that I am not 100% sure. To my understanding your ACL can have lines/rules that dont match the other side but the ACL does have to have matching local/remote subnets. Any extra lines in the ACL to my understanding dont matter, just that there is a match between the VPN peers.
  I have personally never had the need to make very broad local/remote network definitions for the L2L VPN. I have always been for being as specific as I can be. Naturally a very large environment might dictate to follow another approach but I have not run into anything like that myself.
  - Jouni

• Cisco ASA Site to Site IPSEC VPN and NAT question

  Hi Folks,
  I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
  ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
  Just an example:
  Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
  The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
  It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
  Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
  Appreciate if someone can shed some light on it.

  Hi,
  Ok so were going with the older NAT configuration format
  To me it seems you could do the following:
  Configure the ASA1 with Static Policy NAT 
  access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
  Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
  If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
  On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
  access-list INSIDE-NONAT remark L2LVPN NONAT
  access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  nat (inside) 0 access-list INSIDE-NONAT
  You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
  ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  I could test this setup tomorrow at work but let me know if it works out.
  Please rate if it was helpful
  - Jouni

• ASA 5520 site-to-site VPN question

  Hello,
  We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
  The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
  After doing some research, I came across the this command;
  sysopt connection permit-vpn
  I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see it it resolves the problem.
  Thanks,
  John

  What are your configs and network diagrams at each location?  What are you doing for DNS?  I can help quicker with that info.  Also, here are some basic site to site VPN examples if it helps.
  hostname cisco
  domain-name cisco.com
  enable password XXXXXXXX encrypted
  passwd XXXXXXXXXXX encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address XXX.XXX.XXX.XXX 255.255.255.248
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.0.0.2 255.255.255.0
  interface Ethernet0/2
  nameif backup
  security-level 0
  no ip address
  interface Ethernet0/3
  nameif outsidetwo
  security-level 0
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name cisco.com
  same-security-traffic permit intra-interface
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list split standard permit 10.0.0.0 255.255.255.0
  access-list split standard permit 10.90.238.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffer-size 1048576
  logging buffered errors
  logging trap notifications
  logging asdm informational
  logging class vpn buffered debugging
  mtu outside 1500
  mtu inside 1500
  mtu backup 1500
  mtu outsidetwo 1500
  mtu management 1500
  ip local pool vpnpool 10.0.10.100-10.0.10.200
  ip audit name Inbound-Attack attack action alarm drop
  ip audit name Inbound-Info info action alarm
  ip audit interface outside Inbound-Info
  ip audit interface outside Inbound-Attack
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inbound in interface outside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dynmap 10 set transform-set myset
  crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
  crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address XXX
  crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 1 set transform-set myset
  crypto map outside_map 1 set security-association lifetime seconds 28800
  crypto map outside_map 1 set security-association lifetime kilobytes 4608000
  crypto map outside_map 2 match address XXX2
  crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 2 set transform-set myset
  crypto map outside_map 2 set security-association lifetime seconds 28800
  crypto map outside_map 2 set security-association lifetime kilobytes 4608000
  crypto map outside_map 3 match address XXX3
  crypto map outside_map 3 set pfs
  crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 3 set transform-set myset
  crypto map outside_map 3 set security-association lifetime seconds 28800
  crypto map outside_map 3 set security-association lifetime kilobytes 4608000
  crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
  crypto map outside_map interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 60
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy XXXgroup internal
  group-policy XXXgroup attributes
  dns-server value XXX.XXX.XXX.XXX
  vpn-idle-timeout 30
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split
  default-domain value domain.local
  username XXX24 password XXXX encrypted privilege 15
  username admin password XXXX encrypted
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXXgroup type remote-access
  tunnel-group XXXgroup general-attributes
  address-pool vpnpool
  default-group-policy rccgroup
  tunnel-group XXXgroup ipsec-attributes
  pre-shared-key XXXXXXXXXX
  isakmp ikev1-user-authentication none
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily

• 2 x 2911 HSEC router 3 ADSL connections each Site ti Site VPN Load Balancing Failover

  Hello,
  My senario is as described in Title.
  Site A Headquarters. The router is Cisco 2911HSEC with 3 ADSL connections
  Site B Remote Office. The router is Cisco 2911HSEC with 3 ADSL connections and 10 Users.
  All ADSL connections have static IPs and belong to same ISP.
  Need - Site to Site VPN between the routers.
  Client requests to load balance the traffic, due to poor ADSL speed and have a failover senarion in case an ADSL line goes down.
  Any help will be appreciated.

  I don't believe you will find a One solution for this. 
  An idea would be to have all three ADSLs paired with ADSL on the other side. 
  Have 3 VTI (or GRE) tunnels up all the time (VRF-lite anybody?) and advertise routes to the other side with same metric. 
  This will cause IOS to load balance natively. 
  Potential problem: return path might not be the same as forward path, but it should not matter much for most applications. 
  Potential cool thing you can do: All the "magical" things in routing world (Did I head PfR?). FlexVPN on top to make it more flexible. 
  Benefit: Rely on IKE to bring down connections which are going down. Little-to-no management once it's up and running. 

• Question about firefox permissions for sites

  i have a question about sites permissions
  in google chrom it is easy to set permission for each site like (java, flash plugin, image , ...)
  http://i58.tinypic.com/nl66v9.png
  but i prefer to use firefox
  is there any addon or something else to have this options in firefox ?

  You can inspect and manage the permissions for the domain in the currently selected tab via these steps:
  *Click the "[[Site Identity Button|Site Identity Button]]" (globe/padlock) on the location/address bar
  *Click "More Information" to open "Tools > Page Info" with the Security tab selected
  *Go to the Permissions tab (Tools > Page Info > Permissions) to check the permissions for the domain in the currently selected tab
  You can inspect and manage the permissions for all domains on the <b>about:permissions</b> page.
  *https://support.mozilla.org/kb/how-do-i-manage-website-permissions

• Hi, I have answered no to the question about saving password for one spesific site. I have changed my mind and would like Firefox to save the password. How do I reactivate the password saver for one spesific site?

  Hi, I have answered no to the question about saving password for one spesific site. I have changed my mind and would like Firefox to save the password. How do I reactivate the password saver for one spesific site?

  Check exception list of your Firefox password Manager and check if your site is there or not?
  * http://kb.mozillazine.org/User_name_and_password_not_remembered#Password_Manager_settings

• Questions about Access Manager tutorials available in netbeans site

  Hi
  Thank you for reading my post
  I have some questions about two tutoral which i find in :
  http://www.netbeans.org/kb/55/amsecurity.html and
  http://www.netbeans.org/kb/55/amsecurity-liberty.html
  here is my problem :
  we have some web services, now we want to have authentication applied for consumer who try to access our web services.
  we need to have most possible flexibility because we may deploy the server for a customer with an already established Identity database ( Database Table with user details)
  Also we need to have Transport level security using SSL.
  I read and studied both of them and now i have some questions :
  -I think Securing Web Services Using the SAML or UserNameToken is what we need for authentication and autorization of web service consumers?
  is that right?
  -Does Sun Java System Access Manager provide flexibility to authenticate user/password with a database table content?
  -How we can apply roles in Sun Java System Access Manager when we authenticate users ?
  Thanks

  Imagine that we want to have an end to end security for our web services
  we thought that we could use message level encryption to protect the soap message and also we should protect our web services from un-authenticated acess,
  we will use userName token for this.
  Our customer has large database which contains many user/password and role of those users.
  some of web services should be available to higher role (manager) and not for all users.
  so we should check a user role before we allows him/her to access a web service.
  my question is whether Sun Access manager can help us with this? or there are other configuration or packages that we should apply to have this feature.
  to explain more :
  our client side is a swing application, users enter username/password to login into system. after they loged in, we send user/pass every time user want to request some data from some services. (is it good to send user/pass every time?)
  We want Sun Access Manager to handle users authentication .
  We also need to handle role related authorization, can Sun access manager handle this?
  Thanks