SSM40 and ASA Config

Hello,
I put an SSM40 into production in our ASA last week in promiscuous mode initially to determine what the device is seeing inbound through the ASA.  So far, it isn't reporting anything which I suspect isn't correct.  This is what I have for a config on the ASA and it appears that packets are making it to the module.  Is this correct?
ASA Config to divert traffic to the IPS:
access-list IPS permit ip any any
class-map PPI-IPS-CLASS
 match access-list IPS
policy-map PPI-IPS-POLICY
 class PPI-IPS-CLASS
  ips promiscuous fail-open
service-policy PPI-IPS-POLICY interface inside
service-policy PPI-IPS-POLICY interface outside
sho service-policy
Global policy:
  Service-policy: global_policy
Interface Inside:
  Service-policy: PPI-IPS-POLICY
    Class-map: PPI-IPS-CLASS
      IPS: card status Up, mode promiscuous fail-open
        packet input 0, packet output 18253556, drop 0, reset-drop 0
Interface Outside:
  Service-policy: PPI-IPS-POLICY
    Class-map: PPI-IPS-CLASS
      IPS: card status Up, mode promiscuous fail-open
        packet input 0, packet output 2202573, drop 0, reset-drop 0
The only event the IPS is reporting is the following:
time: Apr 22, 2013 12:45:01 UTC  offset=-300  timeZone=CDT
  errorMessage: No installable auto update package found on server  name=errSystemError
time: Apr 22, 2013 12:45:01 UTC  offset=-300  timeZone=CDT
  errorMessage: No installable auto update package found on server  name=errSystemError
So, what have I configured incorrectly, or is this just normal for promiscuous mode?

It looks correct.
You can try enabling the ICMP Echo Request signature and watch it fire on pings to test your setup.
You'll need to add ICMP to your IPS access-list.
- Bob
http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html#wp1046877
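
A way to script the counter check from the thread above (an added example, not part of the original posts): it parses two `show service-policy` snapshots and reports, per interface, whether the ASA is still handing packets to the IPS module. Reading `packet output` as packets sent to the module follows the poster's interpretation and is an assumption; the second snapshot is constructed.

```python
import re

# First snapshot: the "sho service-policy" output from the post above.
SNAP1 = """\
Interface Inside:
  Service-policy: PPI-IPS-POLICY
    Class-map: PPI-IPS-CLASS
      IPS: card status Up, mode promiscuous fail-open
        packet input 0, packet output 18253556, drop 0, reset-drop 0
Interface Outside:
  Service-policy: PPI-IPS-POLICY
    Class-map: PPI-IPS-CLASS
      IPS: card status Up, mode promiscuous fail-open
        packet input 0, packet output 2202573, drop 0, reset-drop 0
"""
# Second snapshot: constructed for this example (Outside counter unchanged).
SNAP2 = SNAP1.replace("18253556", "18260012")

IFACE = re.compile(r"^\s*Interface\s+(\S+):\s*$")
CARD = re.compile(r"IPS: card status (\S+), mode (\S+) (\S+)")
COUNT = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")

def parse_ips_stats(text):
    """Return {interface: {status, mode, fail, input, output, drop, reset_drop}}."""
    stats, iface = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif (m := CARD.search(line)) and iface:
            status, mode, fail = m.groups()
            stats[iface] = {"status": status, "mode": mode, "fail": fail}
        elif (m := COUNT.search(line)) and iface in stats:
            keys = ("input", "output", "drop", "reset_drop")
            stats[iface].update(zip(keys, map(int, m.groups())))
    return stats

def diversion_report(before, after):
    """Classify each interface from two snapshots taken some time apart."""
    old, new = parse_ips_stats(before), parse_ips_stats(after)
    report = {}
    for iface, cur in new.items():
        if cur["status"] != "Up":
            report[iface] = "card not Up"
        elif cur.get("output", 0) > old.get(iface, {}).get("output", 0):
            report[iface] = "diverting traffic"
        else:
            report[iface] = "no new packets diverted"
    return report

if __name__ == "__main__":
    for iface, verdict in diversion_report(SNAP1, SNAP2).items():
        print(f"{iface}: {verdict}")
```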

Similar Messages

  • Backup tool for ASA config?

    Hi,
    We are using Solarwinds Kiwi backup tool to back up our ASA configs, however it has hit a bug which they are looking into as it only backs up half of the config.  While they search for a fix does anyone know of another free tool I can use to schedule backups of our ASA?
    Thanks

    Hi Bro
    You could look into some freeware tools out there in the market such as Cisco SNMP Tool v2.5 and WinAgents HyperConf. Good luck.
    P/S: If you think this comment is useful, please do rate them nicely :-)

  • Checkpoint and ASA

    Inside I have 2 networks: 10.10.x.x and a 10.199.x.x
    My ASA interfaces were the following:
    E0/0 Public IP
    E0/1 10.199.1.2/24
    E0/2 10.10.144.47/22
    I put a checkpoint in front of the ASA and changed to the following:
    Checkpoint Ext. 10.10.144.47/22
    Checkpoint Int. 192.168.1.1/30
    ASA E0/1 10.199.1.2/24
    ASA E0/2 192.168.1.2/30
    Now I am having trouble talking between the networks 10.199.x.x and 10.10.144.x
    I have attached ASA config.
    Thanks in advance on any help provided

    Hi,
    So if I am looking correct then the "insideNOV" interface leads to the Checkpoint which has the other LAN network behind it?
    The interface ACL for the interface is not really clear to me as it contains a lot of "name" and "object-group" references which are not mentioned. It seems though that on multiple occasions you have referenced the NOV network as the destination. Should this not be the source network as that network is located behind that interface?
    Also with regards to the routing you have only shared your Default Route in the configuration.
    Do you have a route for the NOV network towards "insideNOV" ?
    route insideNOV 10.10.144.0 255.255.252.0 192.168.1.1
    Does the Checkpoint have the appropriate routing and other configurations to allow the traffic?
    - Jouni

  • Automated ASA Config Backup

    Does anyone know of a way to automatically backup an ASA config using SNMP or some other method?
    Thanks
    Frank

    Yeah, you can back it up via TFTP without an authentication challenge - that's not a problem. You can even build an ACL to limit the IP addresses that can perform a TFTP GET against the ASA (to pull the config). There are a number of scripts and tools that make backups of ASAs & PIXs using TFTP (or you could just modify the script I published depending on your comfort level in Expect)
    The problem I had in my situation is that I couldn't trust the path to the device, and in the case of TFTP it can be vulnerable to a MITM. As you probably already know, once someone gets your device config in its entirety they can plan an attack of the device that is likely to succeed.
    Keeping credentials in a file is not desirable, but out of all the systems used to perform the backup, the host running the script was the one I trusted the most.  There are ways to really secure that using tools (in both Expect and Shell scripts) to convert the credentials to a hash that is decrypted only when the script is run, I just haven't tied that in with my script yet.

  • HP NNM and ASA discovery.

    Hi
    I am not able to see Firewall ASA 5585 links to our HP network node manager.
    ASA is having multiple context (2 context) mode, having portchannel to two different Nexus 7k (vpc).
    ASA config is also attached here. NNM can discover ASA via management interface but does not show the data link between ASA and Nexus. I am not too sure if NNM is confused due to vpc or firewall multiple context ? 
    fw01/admin# sh running-config snmp-server
    snmp-server host management 1.x.x.x community **** version 2c
    snmp-server host management 1.x.x.x community **** version 2c
    snmp-server location Slv
    snmp-server contact [email protected]
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    snmp-server enable traps memory-threshold
    snmp-server enable traps connection-limit-reached
    snmp-server enable traps cpu threshold rising

    I'm having a similar problem so I decided to call support.
    Separate issue, it took over 30 minutes to talk to someone who could talk about tablets. Had to talk to two different people (giving my name, email, phone number, serial number both times!) before I reached a third person.
    I was quite disappointed to hear that the inability to reach 100% is actually part of some sort of battery saving feature. Once the battery gets to 96%, it'll just stop. I asked the tech several times - so there's no way to get to 100% reliably? 
    It's all part of how new tablets work these days. I said - you mean HP tablets? Because literally none of my devices have this problem.
    I'm strongly considering returning this device considering this "feature" and all around terrible support experience.

  • What is difference between ADF Task Flow and Faces-Config - when deploy ?

    What is difference between ADF Task Flow and Faces-Config? When I create navigation between pages with ADF task flow then the navigation doesn't work when I deploy my application to Weblogic 10.3. When I use default server then navigation works fine. With Faces_config in both situations all works ok - on Standalone server and default.
    Where is the problem?
    Best regards!

    Shay, I don't use both faces-config and adf task flow! When I failed with task flow I tried faces-config.
    I have active on my weblogic - adf.oracle.domain(1.0,11.1.1.0.0). This is the right ADF? If yes then where is the problem?
    Best regards!

  • VPN with Cisco 877 and ASA 5505

    Hi Experts
    this is my scenario :
    remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
    I would like to allow remote users to connect to my LAN to check their mails and work as they are in the office. Actually I have configured Cisco877 as VPN Server, this is working fine, but now I'm trying to use ASA with the router because it permits 25 connections at the same time.
    I'm connected to internet using a public ISDN IP. I have heard that I need a second IP address for ASA! And the ASA must act as VPN server and the router as client, is that right?
    If I need to configure the link between the router and ASA how can I do it? I can't find any document or example on the net :/
    Please, I need your support to make this dream real lol.
    I will post my configuration step by step following your help.
    many thanks.

    ASA need public ip address that is sure and also ASA acts as vpn. Client server will be remote not router. For that you can use any Ethernet. Trying to make a remote VPN connection via the cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.

  • Is it possible to import and export Config Tool Configuration  from one sys

    Hi All,
    Is it possible to import and export Config Tool Configuration from one system to another system (QUS/PRD), for a specific service.
    Kindly let me know the pros and cons of it and the step by step process
    Thanks alot for your time.
    Thanks
    AB

    Yes...It is certainly possible but then you would need to bring OS level j2ee filestructure as well and there are lots of changes at OS level in *.properties file and then at configtool level changes related to hostname, system numbers and port numbers etc.
    This is not much difficult but not impossible also if you do it very carefully. Please note that SAP DOES NOT SUPPORT THIS METHOD.
    Alternatively, you can use sapinst to export-import j2ee filesystem from source to target which in turn would require to do configtool export/import and then changes at configtool level.
    Do let us know your requirement so that we could help you in case you are facing any issues.
    cheers !!!
    Ashish

  • NEEDED : ISE 1.1.3 Posture configuration and Switch Config (ACL, dACL)

    hello,
    could anyone please post screen capture of ISE posture configuration ( and remediation )
    I need urgently a dACL and a redirection ACL that work at least in a mockup lab.
    Authentication and authorization policies not needed.
    Posture and remediation policies not needed.
    The issue is about ACLs (I guess)
    Also needed is a valid switch config file, with ACL (if necessary) at the DOT1x ethernet port.
    My IOS is 122.55 SE or 52 SE
    Thank you in advance.
    Best regards.
    V.

    Hi Venkatesh,
    You're the ultimate ISE Guru !!
    You're right
    Thanks a lot.
    See screen captures and Sw config below
    aaa new-model
    aaa group server radius ISE
     server 192.168.6.10 auth-port 1812 acct-port 1813
     server 192.168.6.10 auth-port 1645 acct-port 1646
    aaa authentication login default local
    aaa authentication dot1x default group ISE
    aaa authorization network default group ISE
    aaa authorization network auth-list group ISE
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group ISE
    aaa server radius dynamic-author
     client 192.168.6.10 server-key 123456789
    ip dhcp snooping
    ip device tracking
    dot1x system-auth-control
    dot1x critical eapol
    interface FastEthernet1/0/1
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication port-control auto
     authentication periodic
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-POSTURE-REDIRECT
     deny   udp any any eq domain
     deny   udp any host 192.168.6.10 eq 8905
     deny   udp any host 192.168.6.10 eq 8906
     deny   tcp any host 192.168.6.10 eq 8443
     deny   tcp any host 192.168.6.10 eq 8905
     deny   tcp any host 192.168.6.10 eq www
     permit ip any any
    snmp-server community snmp RO
    snmp-server community RO RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps mac-notification change move threshold
    snmp-server host 192.168.6.10 public
    snmp-server host 192.168.6.10 version 2c snmp  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
    radius-server vsa send accounting
    radius-server vsa send authentication
    V.

  • VPN between IOS and ASA

    Hello my friends,
    I have been trying to establish VPN connectivity between IOS cisco router and ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
    Here are my configuration commands:
    Router:
    crypto isakmp policy 20
     encryption 3des
     auth pre-share
     hash md5
     group 2
    crypto isakmp key XXX address 103.252.AAA.AAA
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    crypto map MAP 5 ipsec-isakmp
     set transform 3DES-MD5
     match address VPN
     set peer 103.252.AAA.AAA
    ip access-list extended VPN
     permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
     permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
    ASA commands:
    sysopt connection permit-vpn
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
    tunnel-group 203.167.BBB.BBB type ipsec-l2l
    tunnel-group 203.167.BBB.BBB ipsec-attributes
     pre-shared-key XXX
    access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
    access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    crypto map VPN 10 set transform-set 3DES-MD5
    crypto map VPN 10 match address LIST
    crypto map VPN 10 set peer 203.167.BBB.BBB
    crypto map VPN interface outside
    Do you have any idea what is wrong? Thank you a lot in advance.

    I managed to get this from the show crypto ipsec sa
         local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
         local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
    And  details from show crypto session detail
    Interface: GigabitEthernet0/1
    Session status: DOWN
    Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
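
A consistency check over the two configurations posted in the thread above (an added example, not part of the original posts): it converts the router's wildcard masks and the ASA's netmasks to networks, verifies that the two crypto ACLs are mirror images, and lists ISAKMP policy attributes that are not stated identically on both sides. It compares what is written in the configs only; it does not look up platform defaults or diagnose why the tunnel stays down.

```python
import ipaddress
import re
# Configuration lines copied from the post above.
ROUTER = """\
crypto isakmp policy 20
 encryption 3des
 auth pre-share
 hash md5
 group 2
ip access-list extended VPN
 permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
"""
ASA = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
"""
ACE = re.compile(r"permit (\S+) (\S+) (\S+) (\S+) (\S+)\s*$")
KEYS = ("encryption", "authentication", "hash", "group")

def _net(addr, mask, wildcard):
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:  # an IOS wildcard mask is the bitwise inverse of a netmask
        bits ^= 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(bits)}")

def crypto_aces(config, wildcard):
    """Return the set of (protocol, source net, destination net) entries."""
    aces = set()
    for line in config.splitlines():
        if m := ACE.search(line):
            proto, src, smask, dst, dmask = m.groups()
            aces.add((proto, _net(src, smask, wildcard), _net(dst, dmask, wildcard)))
    return aces

def acl_mirrored(router_cfg, asa_cfg):
    """True when each router entry has a reversed twin on the ASA and vice versa."""
    flipped = {(p, d, s) for p, s, d in crypto_aces(asa_cfg, wildcard=False)}
    return crypto_aces(router_cfg, wildcard=True) == flipped

def phase1(config):
    """Collect ISAKMP policy attributes, expanding abbreviations such as 'auth'."""
    found = {}
    for line in config.splitlines():
        word, _, value = line.strip().partition(" ")
        for full in KEYS:
            if value and len(word) >= 3 and full.startswith(word):
                found[full] = value
    return found

def phase1_diff(router_cfg, asa_cfg):
    """Attributes stated differently; None means the config does not set it."""
    a, b = phase1(router_cfg), phase1(asa_cfg)
    return {k: (a.get(k), b.get(k)) for k in KEYS if a.get(k) != b.get(k)}
```

On the posted configs, `acl_mirrored(ROUTER, ASA)` is true and `phase1_diff(ROUTER, ASA)` reports only `group`, which the router sets to 2 and the ASA policy leaves unset.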

  • Why do we need to specify Role baseprovider and membership provider in Central Admin and security config files?

    Hi,
    Why do we need to specify role base provider and membership provider files in central admin and security config files?
    thanks,
    gaurav

    We use 3 settings in Forms based auth:
    1 Membership = This contains Users and groups information. (This table also has username and password)
    2 ConnectionString = Connection details to connect to database are stored here (servername, databasename, username, password, port)
    3 Role = This table contains all the Roles (Admin, contributor, etc of the data source)

  • Location of MTA and POA config files:

    Hello. I'm reading an article from cool tools by Kiril Stankov regarding
    moving a groupwise database to a new volume or server. In step 4 he says
    if you are moving data between servers make sure to copy the POA, MTA,
    WAA and GWIA config files. The only one I can find is the gwia.cfg. I
    looked under SYS:\system for the others and can't find them anywhere.
    Thanks

    > What's in grpwise.ncf ?
    >
    > It should be something like
    >
    > LOAD SYS:\SYSTEM\GWPOA @POA.POA
    > LOAD SYS:\SYSTEM\GWMTA @MTA.MTA
    LOAD SYS:\SYSTEM\GWPOA @CTCPO.POA
    LOAD SYS:\SYSTEM\GWMTA @CTCMAIL.MTA
    > the files you want are the ones after the @ sign, and they should be in
    > the directory referred to in the load bit, in this case sys:\system
    Ok. So I can, in my case anyway, just copy my SYS directory over if I
    choose to
    > Cheers Dave
    >
    >
    > --
    > Dave Parkes [NSCS]
    > Occasionally resident at http://support-forums.novell.com/

  • How to save column widths in tag monitor and tag config editor?

    how to save column widths in tag monitor and tag config editor?

    The attached example may help.
    After launching the editor, I locate a reference to the front panel control named "Tag List".
    This is type cast as a multicolumn list box which then allows me to increment through all of the cells and set the widths as i go.
    Trying to help,
    Ben
    Ben Rayner
    Attachments:
    Set_Width2.vi ‏60 KB
    SET_WIDTH.JPG ‏94 KB

  • Cannot Read From Registry - Need to save and load config

    I have code that I have tested in other programs. I cannot read or write to the registry from a plugin. Any ideas?
    Any suggestions for the best way to save and load config information?
    Thanks!!!

    Hi Srikanth,
    Thank you for responding.
    I had a problem on one material. So deleted the request and Reload it from PSA. That issue got solved.
    And Now the problem is , Now my senior is saying Delete the data from April-09 till date and Reload it. The issue is My CUBE ( ZSD_C03 ) is updated with 4 data sources. 2LIS_11_V_ITM   ,  2LIS_13_VDITM   ,  2LIS_12_VCHDR  , 2LIS_11_VAITM .
    And I need to delete data from 2LIS_13_VDITM  data source . How Can I proceed for the current issue   ?
    Please suggest   ...
    Thank you ,
    Utpal

  • Managed bean in both adfc-config.xml and faces-config.xml file

    hi,
    i can see that it's possible to declare managed bean in both adfc-config.xml and faces-config.xml file.
    is there any difference? which one is recommended?
    read here - http://www.jaypillai.com/tag/adf/
    but still not clear.
    thanks.

    Hi.
    As you know ADF is a framework based on JSF.
    In faces-config.xml you define general application managed beans. It lets you define managed beans for the whole application using JSF default scopes (application, session, request).
    In adfc-config.xml you define general application managed beans using ADF Scopes. It means that you can use JSF default ones including "view, pageFlow and backing".
    My recommendation is to use only one entry point for your general managed beans. Use adfc-config.xml because it allows you to use more scopes.
    Regards.
