Question about site to site VPN failover on an ASA
Hello all. I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?
crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3
I have just encountered a similar situation. It seems to work near enough, but I still consider it a hack.
Also, if the second peer (887 router in this case) attempts to bring up the IPSec tunnel, the ASA drops the primary tunnel and re-establishes it, causing brief packet loss during the tunnel bounce. A debug shows an error that it thinks the peer IP has changed, hence the tunnel should be dropped!!!
I'm just using HSRP on the access site between 2 x 887's tracking the WAN interface. On the ASA side I have both peers defined in the same way: "crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3".
The ASA feature set just hasn't improved in this space since the VPN3000 days; it may have actually gone backwards. Introduction of VTI interfaces and support for routing protocols over tunnels should have been introduced into the ASA years ago, but from what I understand it has been put in the too-hard basket.
Cheers
Kent.
Similar Messages
-
Remote site redundancy IPSEC VPN between 2911 and ASA
We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
Site A has an ASA with one internet circuit.
Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
What is the best way of achieving this?
We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911. Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved? And how could I also introduce the 877 and ADSL line into things to achieve the necessary redundancy?
Any help/advice would be appreciated!
Hello,
I don't think a GRE tunnel that you could set up on the switch behind the ASA would be really helpful. You still want to establish a site-2-site tunnel between the ASA and some routers, and it is still the ASA which needs to make the decision about which peer to connect to.
A possible solution would be to run HSRP between both routers on the LAN side, with two independent tunnels/crypto maps (one on each of them). On the ASA you would need to set up two hosts in set peer. The problem with this solution is that if one router at site B goes down and the second ADSL line takes over, the ASA will not preempt after your main Internet connection is up again. That would only happen after the ADSL Internet connection goes down.
The solution to that would be to assign two different public IP addresses on two different interfaces of the ASA. Then you attach two crypto maps to both interfaces and, by using sla monitor (let's say ICMP to the main router; if it does not respond, then you change the routing for the remote LAN to the second interface), you select which crypto map (with one peer this time) should be used.
I hope what I wrote makes some sense. -
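The two designs discussed in the reply above (one crypto map with two peers versus two interfaces selected by SLA tracking) differ in exactly one observable way: whether traffic returns to the primary peer when its circuit comes back. The following is an added example, not code from the thread and not Cisco code; it is a simplified behavioural model in which the peer list, the event timeline and the class names are all constructed for illustration, and DPD is reduced to "the active peer stops answering".

```python
"""Simplified model of how an ASA walks an ordered 'set peer' list.

Added example, not from the original thread and not Cisco code. It models
two designs discussed in the thread: (a) one crypto map with two peers,
where the ASA moves to the next peer only when DPD declares the active
one dead and never preempts back; (b) two interfaces/crypto maps chosen
by 'sla monitor' tracking, where the route (and therefore the peer)
follows the probe result and returns to the primary once it answers again.
"""
from typing import List, Optional, Tuple

Event = Tuple[str, str]  # ("up" | "down", peer_ip)


class MultiPeerCryptoMap:
    """Design (a): 'crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3'."""

    def __init__(self, peers: List[str]):
        self.peers = peers            # configured order is preference order
        self.reachable = set()        # peers currently answering
        self.active: Optional[str] = None

    def _establish(self) -> Optional[str]:
        # First reachable peer in configured order wins.
        self.active = next((p for p in self.peers if p in self.reachable), None)
        return self.active

    def apply(self, event: Event) -> Optional[str]:
        kind, peer = event
        if kind == "up":
            self.reachable.add(peer)
            # No preemption: an established tunnel stays on its current peer.
            if self.active is None:
                self._establish()
        else:
            self.reachable.discard(peer)
            # DPD only notices the peer the tunnel is actually built to.
            if peer == self.active:
                self._establish()
        return self.active


class SlaTrackedMaps:
    """Design (b): one peer per interface, route picked by SLA tracking."""

    def __init__(self, peers: List[str]):
        self.peers = peers
        self.reachable = set()

    def apply(self, event: Event) -> Optional[str]:
        kind, peer = event
        (self.reachable.add if kind == "up" else self.reachable.discard)(peer)
        # Every probe cycle re-evaluates the track, so traffic always goes to
        # the highest-priority peer that answers (this is the preemption).
        return next((p for p in self.peers if p in self.reachable), None)


def run(model, events: List[Event]) -> List[Optional[str]]:
    """Return the active peer after each event."""
    return [model.apply(e) for e in events]


# Constructed timeline: both peers come up, the primary circuit drops, the
# primary is restored, then the backup circuit drops.
TIMELINE: List[Event] = [
    ("up", "2.2.2.2"), ("up", "1.3.3.3"),
    ("down", "2.2.2.2"), ("up", "2.2.2.2"), ("down", "1.3.3.3"),
]
PEERS = ["2.2.2.2", "1.3.3.3"]  # primary first, backup second


def multipeer_result() -> List[Optional[str]]:
    return run(MultiPeerCryptoMap(list(PEERS)), TIMELINE)


def sla_result() -> List[Optional[str]]:
    return run(SlaTrackedMaps(list(PEERS)), TIMELINE)


if __name__ == "__main__":
    print("multi-peer crypto map :", multipeer_result())
    print("SLA-tracked interfaces:", sla_result())
```

The fourth entry of each result is the point of the reply: after the primary peer is restored, the multi-peer crypto map is still on 1.3.3.3 and only returns to 2.2.2.2 when the backup itself fails, whereas the SLA-tracked design is already back on 2.2.2.2.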
Access Site to Site from SSL VPN. ISA 570 & ASA 5505
I have an Site to Site network between my ISA 570 and my ASA 5505.
On the ISA 570 side I have the network 192.168.0.0/24 and remote users that are connecting via AnyConnect are in the 192.168.190.0/24
On the ASA 5505 side I have the network 192.168.200.0/24
The Site to Site is working properly; I can reach the networks from both sides.
But when I am connected via AnyConnect to the ISA firewall I would also like to access the 192.168.200.0/24 network on the ASA side.
I have made a firewall rule (in the ISA 570) that allows traffic from SSLVPN to VPN, but I need to NAT the traffic from 192.168.190.0/24 to 192.168.200.0/24, otherwise the ASA is blocking the traffic. I can solve the problem in the ASA but I want to solve it in the ISA 570.
I have solved my problem.
Just added an Advanced NAT.
From: Any (this will be changed to proper network later)
To: Any (this will be changed to proper network later)
Original Source Address: Any (this will be changed to proper network later)
Original Destination Address: Site_B (192.168.200.0/24)
Original services: Any
Translated source address: IP of my ISA 570 (192.168.0.1)
Translated destination address: Site_B (192.168.200.0/24)
Translated services: Any -
This isn't a Dreamweaver question, but you guys have been great help in the past. Perhaps you can help me here.
I have a customer, WC, who had a site through one of these 'template' companies. I have redesigned his site. His domain name is registered through Network Solutions. If I leave the domain registration with Network Solutions but CHANGE his hosting company, will anything (settings, Cnames, MX records, etc) need to change on their Microsoft Exchange server? They no longer have a network admin, and I'm not familiar with Exchange. I don't want to risk crashing their email for a day!
Thanks!
Brady
> Thanks Murray... I had talked to GoDaddy about moving both my hosting account AND the domain, and they indicated that it could cause problems for a day or so.
This will only be true if you are not using an exchange server. When I do this for non-exchange server domains, I always have the clients set up a new email account that grabs incoming email from the new mailserver, while they also continue to get it from the old one. In the 72 - 96 hours it takes to be really sure all DNS servers have propagated, they will receive email from both locations. After that time, they can then cancel their original hosting account, and remove the associated email account.
> Will I have to set up all of their email addresses again after moving the hosting account?
No - not if they are using an exchange server.
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com - Template Triage!
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
==================
"bradyg23" <[email protected]> wrote in message news:efj8et$oe0$[email protected]..
> Thanks Murray... I had talked to GoDaddy about moving both my hosting account AND the domain, and they indicated that it could cause problems for a day or so.
>
> Will I have to set up all of their email addresses again after moving the hosting account? Or are they maintained on the Exchange server? (In the past with non-Exchange businesses I moved, it was simply a matter of updating their Outlook settings).
quote:
Originally posted by: Newsgroup User
> I think you are safe. That's one of the really nice things about using an exchange server....
-
Flash newbie questions about slow loading site
Hi all. I am new to Flash and web-site building in general and I have been learning while doing. It's fun, but frustrating. I really need some help; hope someone out there with Flash experience can give me some advice.
My problem is this: I built a Flash website, but it is painfully slow to load up (3-5 minutes via cable modem) when I visit the site (via Firefox, etc). Once it does load up, everything is fine with navigation. I'm having a hard time figuring out why it's taking so long to load up on the web because, basically, I don't know how to troubleshoot. Hope you guys can help!
Details: the site is just a portfolio site with pictures and a few motion-things, no complicated animations. The swf file is about 9MB. I do have a Flash preloader, but it doesn't show up until after the 3-5 minute "load-up" time. When I do the testing via Flash, it's OK and doesn't show the lag. But once I upload the website files and try to visit my website, the load time problem occurs.
My thoughts:
- do I have to purge my Flash file/library of unused images before creating my swf file?
- Is there a problem with my html code in my index file?
- because it is a portfolio site, I've got about 90 images on it, each image about 300-400K. Is this too big, or about right?
Please help! Sorry for the long email, just desperate for help. Thanks in advance for any advice!!!! Just in case, here is the html code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Acme Company</title>
<script src="Scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<style type="text/css">
<!--
body {
background-color: #000000;
}
-->
</style>
<link href="favicon.ico" rel="icon" />
</head>
<body>
<center>
<script type="text/javascript">
AC_FL_RunContent( 'codebase','http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,28,0','width','800','height','600','title','Acme Company','vspace','100','src','development files/company site_AS2_2008 OCT_final','loop','false','quality','high','pluginspage','http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash','bgcolor','#000000','scale','exactfit','movie','development files/company site_AS2_2008 OCT_final' ); //end AC code
</script><noscript><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,28,0" width="800" height="600" vspace="100" title="Acme Company">
<param name="movie" value="development files/company site_AS2_2008 OCT_final.swf" />
<param name="quality" value="high" /><param name="BGCOLOR" value="#000000" /><param name="LOOP" value="false" /><param name="SCALE" value="exactfit" />
<embed src="development files/company site_AS2_2008 OCT_final.swf" width="800" height="600" vspace="100" loop="false" quality="high" pluginspage="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" bgcolor="#000000" scale="exactfit"></embed>
</object></noscript>
</center>
</body>
</html>
Yeah, I'm with Ned on this one. Dynamically loading your images is the way to go. Since you are new to Flash, try this tutorial (http://www.entheosweb.com/Flash/loading_external_images.asp). As you move along in learning Flash, look for tutorials on ActionScript arrays and loading images dynamically. Arrays allow you to call each image from a folder outside your fla. That way your site moves right along without much loading time.
Hope I was of help,
-Sly -
Quick question about my flash site and facebook
I have an XML Flash template that I bought and customized to my liking. I used the Coda HTML editor to customize it. My question is: how do I add the Like button from Facebook? I went to Facebook and did the steps to get my code to plug into my website. Do I use the iframe code or the XFBML code they gave, and is there anything special I need to do code-wise? It is not working when I copy and paste it. Thanks to anyone who can help.
Hi Chris951,
For the PowerDVD, is the image below the same error that you're getting?
- Link to picture
If it is, can you try the following:
1. After running the Power DVD 10 BD installer, close the error message and navigate to the C:\Drivers\PowerDVD 10 BD folder
2. Right click on Custom.ini and choose Edit (this will open Notepad). From here, look for the LEGEND Dragon entry and change it to Lenovo then save. When finished, run the setup.exe and PowerDVD should now install successfully.
- Link to picture
Regards
-
Question about updating SQL Server on failover cluster
Hi all,
I would like to better understand the update process of SQL Server (2008 r2) in a failover cluster environment.
In our cluster we have 4 instances of SQL running, where two of them I am able to at anytime stop the instance and update it.
The question is... Applying the latest update, will update forcibly all instances installed on that node, or do I have the ability to choose which instance I want to update?
This way, I could "test" the update process in those two SQL Instances, as described in http://support.microsoft.com/kb/958734 and after finishing I would update the remaining instances.
Please let me know.
Thanks in advance.
Nuno Silva
Hi Nuno,
It's a failover cluster issue, so I moved it to SQL Server High Availability and Disaster Recovery so that you can get better help.
Regards,
Charlie Liao
TechNet Community Support -
Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?
Hi All,
Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
To best explain the question I have put together an example scenario:
Let's say we have three sites, which are all connected via separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
Routing on the outside interface is not of concern in this scenario.
The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
VLSM is not cleanly summarised per site. (I know this flies against VLSM best practice, but it makes the scenario clearer...)
New subnets are added and removed at each site on a frequent basis.
EIGRP will be running on each core router, and any stub routers at each site.
So this results in the following example topology, of which I have exaggerated the VLSM position:
(http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
Now, using static route redistribution from the ASAs into EIGRP and making the ASAs EIGRP neighbours would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit that I am confused over is the potential to have new subnets added or removed, which would require EIGRP routing processes on the relevant site X router to be altered as well as crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASA's routing table to choose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would be otherwise protected by the IPSEC tunnel...
Is there a better method to propagate the routing information dynamically around the example scenario above?
Is there a way to have dynamic crypto maps based on router information?
P.S. Diagram above produced via http://www.diagram.ly/
Hi Guys,
Thanks for your responses! I am learning here, hence the post.
David: I had looked into the potential for GRE tunnels, but the side-effects could outweigh the benefits. The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA. In my example (maybe not too clear?) the IPSEC traffic would be terminated on the ASA and not the core router behind.
Marcin: I was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPSEC tunnel)? I have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
ospf network point-to-point non-broadcast
Specifies the interface as a point-to-point, non-broadcast network. When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
Otherwise I would agree it would be happy days...
Any other ideas (maybe around iBGP, like OSPF) which do not involve GRE tunnels or terminating the IPSEC on the core router, please?
Kindest Regards,
James. -
Some Site to Site VPN questions
When you have an ASA to ASA Site to Site VPN, you do have to configure the routes you want to transverse the tunnel in the routing table with a gateway of the device on the other side correct?
Also, does each side have to match the exact subnets within the crypto domain? For instance, if I have defined two subnets 10.10.10.0/24 and 10.100.100.0/24, the other side should have those exact subnets, not just a 10.0.0.0/8, correct? If that makes sense?
Hi,
When we consider routing and L2L VPN connections, we can generally presume that they are built through the interface which has the default route. We can also presume that you are not configuring a L2L VPN for a remote network that overlaps with your LAN networks. Considering both of these things, we can determine that naturally any network that is not in your local network will follow the default route when the ASA is making the decision about where to forward the traffic.
So generally you won't need to manually configure any additional routes on the ASA for any remote VPN networks. VPN Client connections add routes automatically for the VPN Pool IP that is assigned to the VPN Client user. On L2L VPN connections you can configure the ASA to add the routes based on the L2L VPN connection's ACL that tells the local and remote networks. In this case you will have to add the following configuration for a given L2L VPN connection:
crypto map set reverse-route
This will add a route to the ASA's routing table, though this won't show in the "route" configuration on the ASA.
With regards to your question about the local/remote subnets, I actually have to say that I am not 100% sure. To my understanding your ACL can have lines/rules that don't match the other side, but the ACL does have to have matching local/remote subnets. Any extra lines in the ACL to my understanding don't matter, just that there is a match between the VPN peers.
I have personally never had the need to make very broad local/remote network definitions for the L2L VPN. I have always been for being as specific as I can be. Naturally a very large environment might dictate following another approach, but I have not run into anything like that myself.
- Jouni -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between the sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with the IPSEC VPN so that hosts at 10.1.0.0/16 communicate with hosts at 192.168.1.0/24 using translated addresses.
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5, not 192.168.1.5 (Notice the last octet should be the same, in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate it if someone can shed some light on it.
Hi,
Ok, so we're going with the older NAT configuration format.
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
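Two questions in the posts above come down to the same check: whether the encryption-domain ACLs on the two peers mirror each other exactly (the "exact subnets, not just 10.0.0.0/8" question) and what the static policy NAT on ASA1 does to a host address before it enters the tunnel (the "last octet stays the same" requirement). The following is an added example, not code from the thread and not Cisco's own logic: a small offline checker that parses the old-format `access-list ... permit ip` lines quoted in Jouni's reply and applies the policy NAT as the reply describes it. The ACL text, the host addresses and the deliberately broad ASA2 variant are constructed for the demonstration; only the `ip` protocol keyword and dotted-mask syntax are supported.

```python
"""Encryption-domain mirror check and static policy NAT walk-through.

Added example, not from the thread and not Cisco code. It models the two
configurations in the reply above: a static policy NAT on ASA1 that
presents 192.168.1.0/24 to HQ as 10.23.1.0/24 (host part preserved), and
the L2LVPN-ENCRYPTIONDOMAIN ACLs that must be mirror images of each other.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network)

# Old-format line: access-list NAME [extended] permit ip SRC MASK DST MASK
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")
REMARK_RE = re.compile(r"^access-list\s+\S+\s+remark\b")


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Group ACL entries by name; remark lines are skipped."""
    acls: Dict[str, List[Entry]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or REMARK_RE.match(line):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        name, s, sm, d, dm = m.groups()
        src = ipaddress.ip_network(f"{s}/{sm}", strict=False)
        dst = ipaddress.ip_network(f"{d}/{dm}", strict=False)
        acls.setdefault(name, []).append((src, dst))
    return acls


def mirror_check(local: List[Entry], remote: List[Entry]) -> Dict[str, List[str]]:
    """Each local (src, dst) must appear on the remote peer as (dst, src).

    Both lists are reported from the local peer's point of view; two empty
    lists mean the crypto ACLs match exactly.
    """
    local_set = set(local)
    remote_as_local = {(d, s) for s, d in remote}   # flip to local view
    return {
        "only_local": sorted(f"{s} -> {d}" for s, d in local_set - remote_as_local),
        "only_remote": sorted(f"{s} -> {d}" for s, d in remote_as_local - local_set),
    }


def policy_nat(real_src: str, dst: str, policy: List[Entry], mapped: Net) -> str:
    """Static policy NAT: translate only when (src, dst) matches the policy ACL.

    'static (inside,outside) 10.23.1.0 access-list ...' is a net-to-net
    mapping, so the host offset inside the network (the last octet for a
    /24) is preserved; non-matching traffic is returned untranslated.
    """
    src_ip, dst_ip = ipaddress.ip_address(real_src), ipaddress.ip_address(dst)
    for src_net, dst_net in policy:
        if src_ip in src_net and dst_ip in dst_net:
            offset = int(src_ip) - int(src_net.network_address)
            return str(ipaddress.ip_address(int(mapped.network_address) + offset))
    return real_src


# Constructed configs, copied from the reply's layout (remote site first).
ASA1_CONFIG = """
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
ASA2_CONFIG = """
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
"""
# Constructed mistake: HQ side written with a broad /8 instead of the exact /16.
ASA2_BROAD_CONFIG = """
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.0.0.0 255.0.0.0 10.23.1.0 255.255.255.0
"""
MAPPED_NET = ipaddress.ip_network("10.23.1.0/24")


def check_thread_config() -> Dict[str, List[str]]:
    a1, a2 = parse_acls(ASA1_CONFIG), parse_acls(ASA2_CONFIG)
    return mirror_check(a1["L2LVPN-ENCRYPTIONDOMAIN"], a2["L2LVPN-ENCRYPTIONDOMAIN"])


def check_broad_remote() -> Dict[str, List[str]]:
    a1, a2 = parse_acls(ASA1_CONFIG), parse_acls(ASA2_BROAD_CONFIG)
    return mirror_check(a1["L2LVPN-ENCRYPTIONDOMAIN"], a2["L2LVPN-ENCRYPTIONDOMAIN"])


def hq_view_of(host: str, dst: str) -> str:
    """Address HQ sees for a remote-site host talking to dst."""
    return policy_nat(host, dst, parse_acls(ASA1_CONFIG)["L2LVPN-POLICYNAT"], MAPPED_NET)


if __name__ == "__main__":
    print("exact mirror :", check_thread_config())
    print("broad remote :", check_broad_remote())
    print("192.168.1.5 -> 10.1.0.1 seen as", hq_view_of("192.168.1.5", "10.1.0.1"))
    print("192.168.1.5 -> 8.8.8.8 seen as", hq_view_of("192.168.1.5", "8.8.8.8"))
```

Running it shows the thread's configuration mirrors cleanly, the /8 variant is flagged from both sides, and 192.168.1.5 is presented as 10.23.1.5 only when the destination is inside 10.1.0.0/16; traffic to anything else (ordinary internet PAT) leaves the real address alone, which is the point of using a policy NAT rather than a plain static.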
ASA 5520 site-to-site VPN question
Hello,
We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
After doing some research, I came across this command:
sysopt connection permit-vpn
I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see if it resolves the problem.
Thanks,
John
What are your configs and network diagrams at each location? What are you doing for DNS? I can help quicker with that info. Also, here are some basic site to site VPN examples if it helps.
hostname cisco
domain-name cisco.com
enable password XXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/2
nameif backup
security-level 0
no ip address
interface Ethernet0/3
nameif outsidetwo
security-level 0
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit intra-interface
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list split standard permit 10.0.0.0 255.255.255.0
access-list split standard permit 10.90.238.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered errors
logging trap notifications
logging asdm informational
logging class vpn buffered debugging
mtu outside 1500
mtu inside 1500
mtu backup 1500
mtu outsidetwo 1500
mtu management 1500
ip local pool vpnpool 10.0.10.100-10.0.10.200
ip audit name Inbound-Attack attack action alarm drop
ip audit name Inbound-Info info action alarm
ip audit interface outside Inbound-Info
ip audit interface outside Inbound-Attack
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address XXX
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set transform-set myset
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address XXX2
crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
crypto map outside_map 2 set transform-set myset
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address XXX3
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
crypto map outside_map 3 set transform-set myset
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy XXXgroup internal
group-policy XXXgroup attributes
dns-server value XXX.XXX.XXX.XXX
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.local
username XXX24 password XXXX encrypted privilege 15
username admin password XXXX encrypted
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXXgroup type remote-access
tunnel-group XXXgroup general-attributes
address-pool vpnpool
default-group-policy rccgroup
tunnel-group XXXgroup ipsec-attributes
pre-shared-key XXXXXXXXXX
isakmp ikev1-user-authentication none
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily -
2 x 2911 HSEC router 3 ADSL connections each Site to Site VPN Load Balancing Failover
Hello,
My scenario is as described in the title.
Site A Headquarters. The router is Cisco 2911HSEC with 3 ADSL connections
Site B Remote Office. The router is Cisco 2911HSEC with 3 ADSL connections and 10 Users.
All ADSL connections have static IPs and belong to same ISP.
Need - Site to Site VPN between the routers.
Client requests to load balance the traffic, due to poor ADSL speed, and to have a failover scenario in case an ADSL line goes down.
Any help will be appreciated.
I don't believe you will find one single solution for this.
An idea would be to have all three ADSLs paired with ADSL on the other side.
Have 3 VTI (or GRE) tunnels up all the time (VRF-lite anybody?) and advertise routes to the other side with same metric.
This will cause IOS to load balance natively.
Potential problem: return path might not be the same as forward path, but it should not matter much for most applications.
Potential cool thing you can do: all the "magical" things in the routing world (did I hear PfR?). FlexVPN on top to make it more flexible.
Benefit: Rely on IKE to bring down connections which are going down. Little-to-no management once it's up and running. -
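The three-VTI design the reply describes, sketched for the Site A router as an added example (not the poster's configuration or Cisco's own documentation). Interface names Dialer1-3, the 198.51.100.x/203.0.113.x and 10.255.x.x addresses, the LAN prefixes, the pre-shared key and EIGRP AS 10 are constructed placeholders; Site B mirrors it with sources and destinations swapped.

```cisco
! Site A (HQ) side. Constructed placeholders: ADSL lines on Dialer1-3,
! Site B peers 203.0.113.1-3, LAN 192.168.10.0/24 here, 192.168.20.0/24 at Site B.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.3
! Dead Peer Detection: an unreachable peer tears down the IKE/IPsec SAs,
! the VTI line protocol drops and EIGRP withdraws that tunnel's route.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
! Pin each peer to its own ADSL line so Tunnel N always leaves Dialer N.
ip route 203.0.113.1 255.255.255.255 Dialer1
ip route 203.0.113.2 255.255.255.255 Dialer2
ip route 203.0.113.3 255.255.255.255 Dialer3
! One routed VTI per ADSL pair; identical interfaces give equal EIGRP metrics.
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 tunnel source Dialer1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
interface Tunnel2
 ip address 10.255.2.1 255.255.255.252
 tunnel source Dialer2
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
interface Tunnel3
 ip address 10.255.3.1 255.255.255.252
 tunnel source Dialer3
 tunnel destination 203.0.113.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
! Advertise the LAN over all three tunnels; equal metrics give CEF load sharing.
router eigrp 10
 network 10.255.0.0 0.0.3.255
 network 192.168.10.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 no passive-interface Tunnel3
```

CEF shares per destination by default, so one large flow still rides a single ADSL line; the failover comes from DPD dropping the dead tunnel and EIGRP withdrawing its route, with no dependence on crypto-map peer lists.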
Question about firefox permissions for sites
I have a question about site permissions.
In Google Chrome it is easy to set permissions for each site (Java, Flash plugin, images, ...)
http://i58.tinypic.com/nl66v9.png
but I prefer to use Firefox.
Is there any addon or something else to have these options in Firefox?
You can inspect and manage the permissions for the domain in the currently selected tab via these steps:
*Click the "Site Identity Button" (globe/padlock) on the location/address bar
*Click "More Information" to open "Tools > Page Info" with the Security tab selected
*Go to the Permissions tab (Tools > Page Info > Permissions) to check the permissions for the domain in the currently selected tab
You can inspect and manage the permissions for all domains on the about:permissions page.
*https://support.mozilla.org/kb/how-do-i-manage-website-permissions -
Hi, I have answered no to the question about saving the password for one specific site. I have changed my mind and would like Firefox to save the password. How do I reactivate the password saver for one specific site?
Check the exception list of your Firefox Password Manager and check whether your site is there or not.
* http://kb.mozillazine.org/User_name_and_password_not_remembered#Password_Manager_settings -
Questions about Access Manager tutorials available in netbeans site
Hi
Thank you for reading my post
I have some questions about two tutorials which I found at:
http://www.netbeans.org/kb/55/amsecurity.html and
http://www.netbeans.org/kb/55/amsecurity-liberty.html
here is my problem :
we have some web services, now we want to have authentication applied for consumer who try to access our web services.
we need to have most possible flexibility because we may deploy the server for a customer with an already established Identity database ( Database Table with user details)
Also we need to have Transport level security using SSL.
I read and studied both of them and now i have some questions :
-I think Securing Web Services Using the SAML or UserNameToken is what we need for authentication and authorization of web service consumers?
is that right?
-Does Sun Java System Access Manager provide flexibility to authenticate user/password with a database table content?
-How we can apply roles in Sun Java System Access Manager when we authenticate users ?
Thanks
Imagine that we want to have end to end security for our web services.
We thought that we could use message level encryption to protect the SOAP message and also we should protect our web services from unauthenticated access;
we will use userName token for this.
Our customer has large database which contains many user/password and role of those users.
some of web services should be available to higher role (manager) and not for all users.
so we should check a user's role before we allow him/her to access a web service.
my question is whether Sun Access manager can help us with this? or there are other configuration or packages that we should apply to have this feature.
to explain more :
Our client side is a Swing application; users enter username/password to log in to the system. After they have logged in, we send user/pass every time the user wants to request some data from some services. (Is it good to send user/pass every time?)
We want Sun Access Manager to handle users authentication .
We also need to handle role related authorization, can Sun access manager handle this?
Thanks