Question on WCCP and ASA/VPN

Similar Messages

• ASA VPN QUESTION

  Hi All
  The question is pretty simple. I can successfully connect  to my ASA 5505  firewall via cisco vpn client 64 bit , i can ping any ip  address on the LAN behind ASA but none of the LAN computers can see or  ping the IP Address which is assigned to my vpn client from the ASA VPN  Pool.
  The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
  I would appreciate some help pls
  Here is the config:
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password J7NxNd4NtVydfOsB encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.0.11 EXCHANGE
  name x.x.x.x WAN
  name 192.168.30.0 VPN_POOL2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address WAN 255.255.255.252
  interface Ethernet0/0
  switchport access vlan 2
  <--- More --->
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  boot system disk0:/asa724-k8.bin
  ftp mode passive
  clock timezone EEST 2
  clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  access-list nk-acl extended permit tcp any interface outside eq smtp
  access-list nk-acl extended permit tcp any interface outside eq https
  access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
  access-list inside_access_in extended permit ip any any
  access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (inside) 10 interface
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (outside) 10 access-list VPN_NAT outside
  static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
  static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
  access-group inside_access_in in interface inside
  access-group nk-acl in interface outside
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication enable console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authorization command LOCAL
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  snmp-server host inside 192.168.0.16 community public
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp nat-traversal  20
  telnet 192.168.0.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcp-client client-id interface outside
  dhcpd dns 217.27.32.196
  dhcpd address 192.168.0.100-192.168.0.200 inside
  dhcpd dns 192.168.0.10 interface inside
  dhcpd enable inside
  group-policy DfltGrpPolicy attributes
  banner none
  wins-server none
  dns-server none
  dhcp-network-scope none
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  default-domain none
  split-dns none
  intercept-dhcp 255.255.255.255 disable
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout 30
  ip-phone-bypass disable
  leap-bypass disable
  nem disable
  backup-servers keep-client-config
  msie-proxy server none
  msie-proxy method no-modify
  msie-proxy except-list none
  msie-proxy local-bypass disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools none
  smartcard-removal-disconnect enable
  client-firewall none
  client-access-rule none
  webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy customerVPN internal
  group-policy customerVPN attributes
  dns-server value 192.168.0.10
  vpn-tunnel-protocol IPSec
  password-storage enable
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value customerVPN_splitTunnelAcl
  default-domain value customer.local
  username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
  username xxx attributes
  vpn-group-policy TUNNEL1
  username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
  username xxx attributes
  vpn-group-policy PAPAGROUP
  username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
  username xxx attributes
  vpn-group-policy customerVPN
  username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
  tunnel-group customerVPN type ipsec-ra
  tunnel-group customerVPN general-attributes
  address-pool VPN_POOL2
  default-group-policy customerVPN
  tunnel-group customerVPN ipsec-attributes
  pre-shared-key *
  tunnel-group-map default-group DefaultL2LGroup
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
  : end
  ciscoasa#                           

  Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
  Site-site VPN in multiple context mode was added in 9.0(1) and I have customers have been asking for the remote access features as well.
  I will remember to ask about that at Cisco Live next month.

• Yet Another ASA VPN Licensing Question :)

  I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario.  Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
  1.  Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?  
  2.  Assuming we do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need?   I'm assuming this is correct  >>  ASA5525VPN-PM250K9
  Thanks!

  It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
  Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
  If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

• Dual ISP on ASA VPN question.

  Hi all.
  My question is very simple is there any way or feature that could allow us to have a backup VPN tunnel on at the secondary ISP at the asa 5520?
  Lets assume if the primary isp goes down is there any way for  the VPN tunnel come online at the backup isp ?
  Config:
  crypto isakmp enable outside
  crypto isakmp enable backup
  tunnel-group 200.200.2.1 type ipsec-l2l
  tunnel-group 200.200.2.1 ipsec-attributes
  pre-shared-key CISCO
  tunnel-group 200.200.1.1 type ipsec-l2l
  tunnel-group 200.200.1.1 ipsec-attributes
  pre-shared-key CISCO
  crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
  crypto map VPN 10 match address VLAN121_TO_VLAN23
  crypto map VPN 10 set peer 200.200.1.1
  crypto map VPN 10 set transform-set 3DES_MD5
  crypto map VPN 20 match address VLAN121_TO_VLAN23
  crypto map VPN 20 set peer 200.200.2.1
  crypto map VPN 20 set transform-set 3DES_MD5
  ! Apply crypto-map and enable VPN traffic to bypass ACLs
  crypto map VPN interface outside
  crypto map VPN interface backup
  sysopt connection permit-vpn
  Thank you.

  We are not abble to make a loop back on the ASA.
  The routing with SLA is working fine the problem is when local network goes to remote network always try to get at the first tunnel with was setup for  first isp ip adddrs.

• ASA 5505 site-to-site VPN tunnel and client VPN sessions

  Hello all
  I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
  I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
  The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
  Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
  Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
  I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
  Thanks in advance for any assistance provided!

  First question:
  Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
  Second question:
  Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
  Last question:
  This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
  Here is what needs to be configured:
  1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
  2) On site A configures: same-security-traffic permit intra-interface
  3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
  On Site Z:
  access-list permit ip
  On Site A:
  access-list permit ip
  4) NAT exemption on site Z needs to include vpn client pool subnet as well.
  Hope that helps.
  Message was edited by: Jennifer Halim

• VPN load balancing and ASA !!!

  Hi netpros,
  I have a couple of questions about this and hope you might be able to assist me.
  1.- Are VPN load balancing and failover (Active/Active) mutually exclusive ..? I mean they can't be used at the same time correct ..?
  2.- How does the ASA handle the return traffic from the Internal LAN towards the remote client .. Because the cluster only requires ONE public virtual IP address, which will work for incoming packets .. but what about the return traffic which has knowledge of the DHCP scope's default gateway IP address only .. ? How gets the returned packet redirected from the default gateway IP address to the respective ASA internal IP address .?
  3.- VPN load balancing only applies to remote clients using easy VPN technology (easy vpn client, hardware client , pIX using easy vpn client etc ) and does not work with static LAN-LAN tunnel .. correct ..?
  Your comments are much appreciated

  Hi Gilbert ..
  1.- Thanks I wanted to make sure.
  2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:
  ASA1: Public 20.20.20.20
  Private 192.168.1.1
  ASA2: Public 20.20.20.21
  Private 192.168.1.2
  Cluster virutal IP: 20.20.20.10
  Default gateway for segment 192.168.1.0 is 192.168.1.1
  Let's say that a vpn client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handles this because the return packet are supposed to be directed to ASA2 192.168.1.2
  3.- Any idea about this one ..?
  Cheers,

• NAC VPN and ASA

  Hi
  I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added which is fine but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
  http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a008074d641.shtml
  That looks like it will work fine for VPN access but what about the outgoing Internet access for the current internal users will that be OK still or do I need to use a separate ASA for VPN access with NAC. Oh yes will I need an ACS as well or can the NAC talk directly to the SecureID appliance either using radius or RSA's own protocol ? Sorry if these are dumb questions but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.
  Thanks
  Pat

  You can use a single ASA for internet access and NAC VPN.
  If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.
  If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into internal nework). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
  Cisco NAC VPN SSO uses Radius accounting packets to authenticate VPN users. The ASA will interface with the Token server. Once authenticated, the ASA will send a Radius accounting packet to the Cisco NAC Server.
  VGW Example
  NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
  http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
  Real IP example
  Integrating with Cisco VPN Concentrators
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAS/s_vpncon.html
  Regards,
  Dan Laden

• ASA VPN client question

  Hello.
  I have a question about a connection between an asa5505-sec-bun-k9 (that acts as Easy VPN client) and a EASY VPN server.
  The connection with the Easy VPN server is OK but I cannot more connect to internet and create VPN connections to my ASA5505 when I enable the feature.
  Is this a normal condition with Easy VPN Client enabled?

  u need to do split tunneling on ur vpn server and apply it to the vpn client config on the vpn server that encypt only traffic destined to the server side pravite network
  lets say the private network behind the vpn server is 192.168.1.0/24
  so make a standard ACL
  access-list split standard permit 192.168.1.0 255.255.255.0
  group-policy [ur grop policy name] attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split
  then when u connect from the easy client only traffic to 192.168.1.0 will go through the tunnel other traffic will not be part of encrypted traffic
  good luck
  Rate if helpful

• VPN with Cisco 877 and ASA 5505

  Hi Experts
  this is my scenario :
  remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
  i would like to allow remote users to connect to my LAN to chek their mails and work as they are in the office. Actually i have configured Cisco877 as VPN Server this is working Fine. but now i'm trying to use ASA with the router because it permit 25 connections at the same time.
  i'm connected to internet using a public ISDN IP.i have heard that i need a second IP adresse for ASA ! and the ASA must act as VPN server and the router as Client, is that right ?
  if i need to configure the link between the router and ASA how can i do it ? i can't find any document or example in the net :/
  please i need your support to make this dream real lol.
  i will poste my configuration step by step following your help.
  many thanks.

  ASA need public ip address that is sure and also ASA acts as vpn. Client server will be remote not router. For that you can use any Ethernet. Trying to make a remote VPN connection via the cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.

• ASA 5505 Site to Site and Web VPN

  Hello all, I need to add a site to site tunnel from a an ASA 5505 (ver 8.05) to a Sonic wall appliance. The problem is, the ASA already has remote access VPN and anyconnect VPN configured. I'm not sure if its possible to add another secured tunnel to the device. Ive already got one NAT 0 statement.
  Thanks for your expert opinions!

  Hi,
  There should be no problem adding a Site to Site VPN on the ASA even if it has Client VPN configured.
  If you for example have an "inside" interface which has NAT0 configuration like
  nat (inside) 0 access-list NAT0
  You just add the needed ACL lines to that existing ACL for the L2L VPN.
  On the basis of the information you provided I dont see any problem configuring the L2L VPN on the ASA.
  - Jouni

• ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?

  Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.

  I don't think it is possible. Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

• VPN between IOS and ASA

  Hello my friends,
  I have been trying to establish VPN connectivity between IOS cisco router and ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
  Here are my configuration commands:
  Router:
  crypto isakmp policy 20
  encryption 3des
  auth pre-share
  hash md5
  group 2
  crypto isakmp key XXX address 103.252.AAA.AAA
  crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
  crypto map MAP 5 ipsec-isakmp
  set transform 3DES-MD5
  match address VPN
  set peer 103.252.AAA.AAA
  ip access-list extended VPN
   permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
   permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
  ASA commands:
  sysopt connection permit-vpn
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  tunnel-group 203.167.BBB.BBB type ipsec-l2l
  tunnel-group 203.167.BBB.BBB ipsec-attributes
  pre-shared-key XXX
  access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
  access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
  crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
  crypto map VPN 10 set transform-set 3DES-MD5
  crypto map VPN 10 match address LIST
  crypto map VPN 10 set peer 203.167.BBB.BBB
  crypto map VPN interface outside
  Do you have any idea what is wrong? Thank you a lot in advance.

  I managed to get this from the show crypto ipsec sa
       local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
       current outbound spi: 0x0(0)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
       outbound ah sas:
       outbound pcp sas:
       local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
       current outbound spi: 0x0(0)
       PFS (Y/N): N, DH group: none
  And  details from show crypto session detail
  Interface: GigabitEthernet0/1
  Session status: DOWN
  Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

• WCCP does not work between WSA and ASA

  I have configured WCCPv2 between WSA S160 (         6.3.1-025) and ASA5540 (8.2(1)109).
  Everything seems to be OK by "show wccp *" on ASA and showing wccp debugging messages (level 4) on S160. Despite of it, WCCP redirection does not work.
  If I use packet-capture I figure out that S160 receives GRE packets with TCP SYN from particular LAN host to WWW sites but S160 does not handle them and does not send anything back to ASA.
  It is an Exempt from authentication for this LAN host and in Forward proxy mode everything works well.
  I have attached an example of a packet-capture (S160.txt - renamed from .cap) and debugging messages from S160 & "show" from ASA.
  Does anybody have any idea what the problem is and how I can resolve it ?

  IronPort Support team helped me to find the trouble:
  If I wish to handle specific port's (80, 8080, etc.) traffic by the transparent proxy I need to configure this port like a listener for the FORWARD proxy
  ("Security Services" -> "Proxy Settings" -> "HTTP Ports to Proxy")
  The WSA guide doesn't clearly say about it.
  So the Discussion can be closed ...

• User from certificate with Cisco VPN client and ASA (and radius)

  Hello,
  we are trying to migrate a vpn client connection from GROUP to certificate. We want that client uses the user from the certificate and doesn't ask user, only password. Is it possible? Now, with user certificate, you can connect as another user if you know the user and the password of the other user with your own certifcate.
  Thanks!
  Santiago.

  mrbacklash wrote:
  Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
  I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
  Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
  Message was edited by: BobTheFisherman

• WCCP on ASA & traffic between physical interfaces on ASA

  Hello,
  I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
  Eth 0/0 : Outside (to internet)
  Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
  Eth 0/1.211 : Vlan211 (20.21.10.0/24)
  Eth 0/1.212 : Vlan212 (20.21.20.0/24)
  Eth 0/1.220 : Vlan220 (20.22.0.0/16)
  Eth 0/2 : WAAS (20.21.30.0/24)
  I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
  I get this error message:
  3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
  How can I fix this?
  My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
  wccp 61 redirect-list WCCP_To_LAN
  wccp 62 redirect-list WCCP_To_WAN
  wccp interface outside 62 redirect in
  wccp interface LAN 61 redirect in
  access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
  access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
  I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
  Thanks
  Ankit

  common guys
  Am I doing something wrong here?
  No one replies to my posts. I had the same experience with the previous one.
  Is this not the right forum for this query???
  Ankit