Question on WCCP and ASA/VPN
Hello i have this simple scenario.
-ASA as an EZVPN server.
-WSA in my local lan (inside interface)
-remote vpn users connecting to the ASA.
When a user connects via VPN to my ASA, and i want to do some web filtering to them using the WSA... How would i accomplish it if i dont want to use explicit proxy?
Can i use WCCP on the outside interface of the ASA and redirect web traffic to the WSA which is across my inside ASA interface?
Need to know if WCCP redirection from one ASA interface to another is supported.
Thanks in advanced!
Emilio
Hi
Please have a look at the following link:
http://my.safaribooksonline.com/1587052091/copyrightpg?cid=2008-ciscopress-pp-widget-book&searchtextbox=Cisco+ASA%3a+All-in-One+Firewall%2c+IPS%2c+and+VPN+Adaptive+Security+Appliance+&query=Cisco+ASA%3a+All-in-One+Firewall%2c+IPS%2c+and+VPN+Adaptive+Security+Appliance+&searchmode=simple&searchview=summary&portal=ciscopress#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTE1ODcwNTIwOTElMkZjaDE2JnF1ZXJ5PUNpc2NvJTIwQVNBJTNBJTIwQWxsLWluLU9uZSUyMEZpcmV3YWxsJTJDJTIwSVBTJTJDJTIwYW5kJTIwVlBOJTIwQWRhcHRpdmUlMjBTZWN1cml0eSUyMEFwcGxpYW5jZQ==
Similar Messages
-
Hi All
The question is pretty simple. I can successfully connect to my ASA 5505 firewall via cisco vpn client 64 bit , i can ping any ip address on the LAN behind ASA but none of the LAN computers can see or ping the IP Address which is assigned to my vpn client from the ASA VPN Pool.
The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
I would appreciate some help pls
Here is the config:
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password J7NxNd4NtVydfOsB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.11 EXCHANGE
name x.x.x.x WAN
name 192.168.30.0 VPN_POOL2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address WAN 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
<--- More --->
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nk-acl extended permit tcp any interface outside eq smtp
access-list nk-acl extended permit tcp any interface outside eq https
access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list VPN_NAT outside
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group nk-acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.16 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 217.27.32.196
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 192.168.0.10 interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy customerVPN internal
group-policy customerVPN attributes
dns-server value 192.168.0.10
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customerVPN_splitTunnelAcl
default-domain value customer.local
username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
username xxx attributes
vpn-group-policy TUNNEL1
username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
username xxx attributes
vpn-group-policy PAPAGROUP
username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
username xxx attributes
vpn-group-policy customerVPN
username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
tunnel-group customerVPN type ipsec-ra
tunnel-group customerVPN general-attributes
address-pool VPN_POOL2
default-group-policy customerVPN
tunnel-group customerVPN ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
: end
ciscoasa#Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
Site-site VPN in multiple context mode was added in 9.0(1) and I have customers have been asking for the remote access features as well.
I will remember to ask about that at Cisco Live next month. -
Yet Another ASA VPN Licensing Question :)
I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario. Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
1. Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?
2. Assuming we do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need? I'm assuming this is correct >> ASA5525VPN-PM250K9
Thanks!It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method. -
Dual ISP on ASA VPN question.
Hi all.
My question is very simple is there any way or feature that could allow us to have a backup VPN tunnel on at the secondary ISP at the asa 5520?
Lets assume if the primary isp goes down is there any way for the VPN tunnel come online at the backup isp ?
Config:
crypto isakmp enable outside
crypto isakmp enable backup
tunnel-group 200.200.2.1 type ipsec-l2l
tunnel-group 200.200.2.1 ipsec-attributes
pre-shared-key CISCO
tunnel-group 200.200.1.1 type ipsec-l2l
tunnel-group 200.200.1.1 ipsec-attributes
pre-shared-key CISCO
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto map VPN 10 match address VLAN121_TO_VLAN23
crypto map VPN 10 set peer 200.200.1.1
crypto map VPN 10 set transform-set 3DES_MD5
crypto map VPN 20 match address VLAN121_TO_VLAN23
crypto map VPN 20 set peer 200.200.2.1
crypto map VPN 20 set transform-set 3DES_MD5
! Apply crypto-map and enable VPN traffic to bypass ACLs
crypto map VPN interface outside
crypto map VPN interface backup
sysopt connection permit-vpn
Thank you.We are not abble to make a loop back on the ASA.
The routing with SLA is working fine the problem is when local network goes to remote network always try to get at the first tunnel with was setup for first isp ip adddrs. -
ASA 5505 site-to-site VPN tunnel and client VPN sessions
Hello all
I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z). His satellite office will have a single PC sitting behind the ASA. In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
The first question I have is about the ASA 5505 and the various licensing options. I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A. Would someone please confirm or deny that for me?
Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules? Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
Thanks in advance for any assistance provided!First question:
Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
Second question:
Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
Last question:
This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
Here is what needs to be configured:
1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
2) On site A configures: same-security-traffic permit intra-interface
3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
On Site Z:
access-list permit ip
On Site A:
access-list permit ip
4) NAT exemption on site Z needs to include vpn client pool subnet as well.
Hope that helps.
Message was edited by: Jennifer Halim -
VPN load balancing and ASA !!!
Hi netpros,
I have a couple of questions about this and hope you might be able to assist me.
1.- Are VPN load balancing and failover (Active/Active) mutually exclusive ..? I mean they can't be used at the same time correct ..?
2.- How does the ASA handle the return traffic from the Internal LAN towards the remote client .. Because the cluster only requires ONE public virtual IP address, which will work for incoming packets .. but what about the return traffic which has knowledge of the DHCP scope's default gateway IP address only .. ? How gets the returned packet redirected from the default gateway IP address to the respective ASA internal IP address .?
3.- VPN load balancing only applies to remote clients using easy VPN technology (easy vpn client, hardware client , pIX using easy vpn client etc ) and does not work with static LAN-LAN tunnel .. correct ..?
Your comments are much appreciatedHi Gilbert ..
1.- Thanks I wanted to make sure.
2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:
ASA1: Public 20.20.20.20
Private 192.168.1.1
ASA2: Public 20.20.20.21
Private 192.168.1.2
Cluster virutal IP: 20.20.20.10
Default gateway for segment 192.168.1.0 is 192.168.1.1
Let's say that a vpn client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handles this because the return packet are supposed to be directed to ASA2 192.168.1.2
3.- Any idea about this one ..?
Cheers, -
Hi
I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added which is fine but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a008074d641.shtml
That looks like it will work fine for VPN access but what about the outgoing Internet access for the current internal users will that be OK still or do I need to use a separate ASA for VPN access with NAC. Oh yes will I need an ACS as well or can the NAC talk directly to the SecureID appliance either using radius or RSA's own protocol ? Sorry if these are dumb questions but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.
Thanks
PatYou can use a single ASA for internet access and NAC VPN.
If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.
If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into internal nework). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
Cisco NAC VPN SSO uses Radius accounting packets to authenticate VPN users. The ASA will interface with the Token server. Once authenticated, the ASA will send a Radius accounting packet to the Cisco NAC Server.
VGW Example
NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
Real IP example
Integrating with Cisco VPN Concentrators
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAS/s_vpncon.html
Regards,
Dan Laden -
Hello.
I have a question about a connection between an asa5505-sec-bun-k9 (that acts as Easy VPN client) and a EASY VPN server.
The connection with the Easy VPN server is OK but I cannot more connect to internet and create VPN connections to my ASA5505 when I enable the feature.
Is this a normal condition with Easy VPN Client enabled?u need to do split tunneling on ur vpn server and apply it to the vpn client config on the vpn server that encypt only traffic destined to the server side pravite network
lets say the private network behind the vpn server is 192.168.1.0/24
so make a standard ACL
access-list split standard permit 192.168.1.0 255.255.255.0
group-policy [ur grop policy name] attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
then when u connect from the easy client only traffic to 192.168.1.0 will go through the tunnel other traffic will not be part of encrypted traffic
good luck
Rate if helpful -
VPN with Cisco 877 and ASA 5505
Hi Experts
this is my scenario :
remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
i would like to allow remote users to connect to my LAN to chek their mails and work as they are in the office. Actually i have configured Cisco877 as VPN Server this is working Fine. but now i'm trying to use ASA with the router because it permit 25 connections at the same time.
i'm connected to internet using a public ISDN IP.i have heard that i need a second IP adresse for ASA ! and the ASA must act as VPN server and the router as Client, is that right ?
if i need to configure the link between the router and ASA how can i do it ? i can't find any document or example in the net :/
please i need your support to make this dream real lol.
i will poste my configuration step by step following your help.
many thanks.ASA need public ip address that is sure and also ASA acts as vpn. Client server will be remote not router. For that you can use any Ethernet. Trying to make a remote VPN connection via the cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.
-
ASA 5505 Site to Site and Web VPN
Hello all, I need to add a site to site tunnel from a an ASA 5505 (ver 8.05) to a Sonic wall appliance. The problem is, the ASA already has remote access VPN and anyconnect VPN configured. I'm not sure if its possible to add another secured tunnel to the device. Ive already got one NAT 0 statement.
Thanks for your expert opinions!Hi,
There should be no problem adding a Site to Site VPN on the ASA even if it has Client VPN configured.
If you for example have an "inside" interface which has NAT0 configuration like
nat (inside) 0 access-list NAT0
You just add the needed ACL lines to that existing ACL for the L2L VPN.
On the basis of the information you provided I dont see any problem configuring the L2L VPN on the ASA.
- Jouni -
ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?
Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.
I don't think it is possible. Following links may help you
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml -
Hello my friends,
I have been trying to establish VPN connectivity between IOS cisco router and ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
Here are my configuration commands:
Router:
crypto isakmp policy 20
encryption 3des
auth pre-share
hash md5
group 2
crypto isakmp key XXX address 103.252.AAA.AAA
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 5 ipsec-isakmp
set transform 3DES-MD5
match address VPN
set peer 103.252.AAA.AAA
ip access-list extended VPN
permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
ASA commands:
sysopt connection permit-vpn
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
tunnel-group 203.167.BBB.BBB type ipsec-l2l
tunnel-group 203.167.BBB.BBB ipsec-attributes
pre-shared-key XXX
access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map VPN 10 set transform-set 3DES-MD5
crypto map VPN 10 match address LIST
crypto map VPN 10 set peer 203.167.BBB.BBB
crypto map VPN interface outside
Do you have any idea what is wrong? Thank you a lot in advance.I managed to get this from the show crypto ipsec sa
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
And details from show crypto session detail
Interface: GigabitEthernet0/1
Session status: DOWN
Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0 -
WCCP does not work between WSA and ASA
I have configured WCCPv2 between WSA S160 ( 6.3.1-025) and ASA5540 (8.2(1)109).
Everything seems to be OK by "show wccp *" on ASA and showing wccp debugging messages (level 4) on S160. Despite of it, WCCP redirection does not work.
If I use packet-capture I figure out that S160 receives GRE packets with TCP SYN from particular LAN host to WWW sites but S160 does not handle them and does not send anything back to ASA.
It is an Exempt from authentication for this LAN host and in Forward proxy mode everything works well.
I have attached an example of a packet-capture (S160.txt - renamed from .cap) and debugging messages from S160 & "show" from ASA.
Does anybody have any idea what the problem is and how I can resolve it ?IronPort Support team helped me to find the trouble:
If I wish to handle specific port's (80, 8080, etc.) traffic by the transparent proxy I need to configure this port like a listener for the FORWARD proxy
("Security Services" -> "Proxy Settings" -> "HTTP Ports to Proxy")
The WSA guide doesn't clearly say about it.
So the Discussion can be closed ... -
User from certificate with Cisco VPN client and ASA (and radius)
Hello,
we are trying to migrate a vpn client connection from GROUP to certificate. We want that client uses the user from the certificate and doesn't ask user, only password. Is it possible? Now, with user certificate, you can connect as another user if you know the user and the password of the other user with your own certifcate.
Thanks!
Santiago.mrbacklash wrote:
Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
Message was edited by: BobTheFisherman -
WCCP on ASA & traffic between physical interfaces on ASA
Hello,
I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
Eth 0/0 : Outside (to internet)
Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
Eth 0/1.211 : Vlan211 (20.21.10.0/24)
Eth 0/1.212 : Vlan212 (20.21.20.0/24)
Eth 0/1.220 : Vlan220 (20.22.0.0/16)
Eth 0/2 : WAAS (20.21.30.0/24)
I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
I get this error message:
3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
How can I fix this?
My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
Thanks
Ankitcommon guys
Am I doing something wrong here?
No one replies to my posts. I had the same experience with the previous one.
Is this not the right forum for this query???
Ankit
Maybe you are looking for
-
Bios update not engaging. computer stuck in bios update
My computer HP Pavilion g2 notebook is stuck in hp bios update mode and although updated bios was downloaded it doesnt engage. At the very least how can i get it back to its original state of operation?
-
Recipe for success in iWeb '08?
Lucky me - I decided to mail order my copy of iLife and didn't get it until today. In the meantime I have been following the threads of this forum, adding my words of "wisdom" and trying to organize myself for the big day. In the past, I kept my indi
-
Extend-TCP client not failing over to another proxy after machine failure
I have a configuration of three hosts. on A is the client, on B & C are a proxy and a cache instance. I've defined an AddressProvider that returns the address of B and then C. The client just repeatedly calls the cache (read-only). The client configu
-
Configuring static routes at the network edge
We have some Cisco 1750 routers at the edge of our network which are running RIP. We were advised to use static routes on the router, since there was only one route (across a WAN link) for traffic to go from the hub connected to the router, as RIP wo
-
I am working on creating a fixed length flat file with data from multiple files. This flat file will have 4 different record formats. My idea is to create a table for each one of these record formats, populate it in my PL/SQL program and utilize the