Webvpn and anyconnect on same interface
Hello!!
Can we configure WebVPN and AnyConnect on the same interface?
We have an ASA 5520 running code 9.1(2) with the VPN Plus license installed. WebVPN is already configured on it, and users are already using it. We have a legacy VPN concentrator for RAVPN. Now the client wants to move all the RAVPN users from the VPN concentrator to the ASA using AnyConnect.
As we already have WebVPN on the ASA, can we configure AnyConnect on the same firewall on the same interface? If so, what parameters do we need to consider?
I am attaching the sh ver of the firewall. Any help in this regard is highly appreciated.
Cheers,
Octopus.
Hi,
The answer is yes.
Check these for more information:
https://supportforums.cisco.com/discussion/11181216/webvpn-and-anyconnect
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/svc.html
Thanks and Regards,
Vibhor Amrodia
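As an added illustration (not part of either post above), the ASA-side pieces that let the existing clientless WebVPN and a new AnyConnect population share one outside interface, in ASA 9.1 syntax; the group-policy, tunnel-group, pool, ACL and image names are placeholders to adapt:

```text
! Added example, ASA 9.1 syntax. GP-CLIENTLESS, GP-ANYCONNECT, TG-ANYCONNECT,
! AC-POOL, SPLIT-TUNNEL-ACL and the image file name are placeholders.

! The existing clientless listener on the outside interface stays as it is;
! AnyConnect is served from the same TCP/443 listener, so only the image
! and the "anyconnect enable" line are new here.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

! Pool for the users migrating off the VPN concentrator (constructed range).
ip local pool AC-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0

! Split-tunnel list: only corporate space goes through the tunnel (constructed).
access-list SPLIT-TUNNEL-ACL standard permit 10.0.0.0 255.0.0.0

! Existing clientless users: pin their policy to clientless only, so the
! newly enabled client capability does not silently widen their access.
group-policy GP-CLIENTLESS internal
group-policy GP-CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless

! Migrated RAVPN users: AnyConnect SSL tunnel only, no clientless portal.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL

! A separate tunnel-group keeps the two populations on their own policy;
! the alias shows up in the login drop-down because tunnel-group-list is enabled.
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 address-pool AC-POOL
 default-group-policy GP-ANYCONNECT
tunnel-group TG-ANYCONNECT webvpn-attributes
 group-alias anyconnect enable

! Licensing caveat: an AnyConnect Essentials licence disables clientless
! SSL VPN on the ASA, so coexistence needs the Premium (per-session) licence.
```

After a test login from each population, `show vpn-sessiondb webvpn` and `show vpn-sessiondb anyconnect` confirm that each user landed in the intended group-policy.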
Similar Messages
-
AP and AR in same interface?
Hi,
We are planning to do the AP and AR of a legacy system in SAP through interface. If both AP and AR are done from a common inventory, can we do both the AP and AR in the same interface? Or can it be done in two different interfaces? What is the difference between doing both in the same interface and two different interface?
Please give me some info on it. I'm new to FI..
Thanks..
Uma.
I can't think of any. If you separate them, you can run them in parallel, so that should be quicker too.
But in the end, I think it's a business decision.
Rob
-
Is ATA and ATA150 the same interface?
Is this hd compatible with a MacBook?
http://www.newegg.com/Product/Product.asp?Item=N82E16822146053
When you boot from the install DVD, can you see it under System Profiler or Disk Utility to initialize it for the Mac? Most HDs come formatted for Windows, and while your Mac should still see it, you will want to format it HFS+ for use in your Mac.
-
Can Extended and Ethertype (input) ACLs be applied to the same interface?
Hello team:
Is it possible to apply one Extended ACL and one Ethertype ACL, in input mode, to the same interface?
Thank you very much in advance.
Mariela Musitani
Thank you very much Borys. I assumed that it was possible, but the documentation was not clear in this context.
Regards, Mariela
-
Setting up FTP and SFTP adapters for the same interface
Experts-
I have a situation in which the client has a requirement to set up both FTP and SFTP adapters (from adaptive adapters) for the same interface. They want to have a copy of the file locally and also want a file to be sent out securely using SFTP. In my interface, which was previously developed, they have used one business system and added FTP and SFTP to the same. If I try to add a new Receiver Agreement it says that the object already exists, as the Interface Mapping is the same.
Please send me any suggestions which would resolve my problem.
Hi Hari,
As you cannot create two Receiver Agreements using only one receiver interface, please create a new receiver interface, add that in the interface determination step and then assign a different channel to the new receiver agreement.
If your requirement is to store the file, I would suggest writing the file to your Unix directory using NFS (/usr/sap...), then running an AFT job (if already set up in your landscape) to transfer the file securely to the target destination. Not sure if it's feasible in your case; otherwise you can use SFTP for the secure transfer.
Best Regards
Srinivas
-
EAZYVPN and DMVPN on the same router, same interface
Hi all,
First of all, thanks in advance for the help. I have set up DMVPN and EAZYVPN on one router. The tunnel interfaces on Spoke one and Spoke two are up/up, and show crypto isakmp sa shows both tunnels idle. However, the tunnel to Spoke one (10.10.1.1) keeps bouncing on and off (see below). Every 30 sec or so, the tunnel goes back to IKE phase 1 while the tunnel for Spoke two (5.5.5.1) stays active. The configuration on the HUB side is the same for both spokes!! show crypto ipsec sec shows both sides have the same lifetime (IOS default). Could that be an IOS debug on the spoke one?
Hub :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
HUB#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
Spoke one:
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1)
SPOKE1#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.5.5.1 5.5.5.2 QM_IDLE 1002 ACTIVE
10.10.1.1 10.10.1.2 MM_NO_STATE 1134 ACTIVE (deleted)
10.10.1.1 1.1.1.10 QM_IDLE 1126 ACTIVE
10.10.1.1 1.1.1.10 QM_IDLE 1076 ACTIVE
HUB#sh crypto se
HUB#sh crypto session
Crypto session current status
Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.1
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 60201
IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/60201 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.1
Active SAs: 2, origin: dynamic crypto map
Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.2
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 49768
IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/49768 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.2
Active SAs: 2, origin: dynamic crypto map
Interface: FastEthernet0/1
Profile: DMVPN
Session status: UP-IDLE
Peer: 5.5.5.2 port 500
IKEv1 SA: local 5.5.5.1/500 remote 5.5.5.2/500 Active
Interface: Serial0/1/1
Profile: DMVPN
Session status: DOWN-NEGOTIATING
Peer: 10.10.1.2 port 500
IKEv1 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Inactive
HUB#
2. My second issue is, I use the same interface (s0/1/1 = 10.10.1.1) for eazyvpn access. The client from eazyvpn connects fine but does not receive traffic back (the statistics window shows decrypted=0 and received=0). The eazy vpn client can't even ping the IP address assigned to it (20.20.20.2), and the client can only ping the 10.10.1.1 address. Reverse-route is enabled, but the 20.20.20.0/24 network didn't show up in the IP table of the HUB router!!!
DMVPN AND EAZYVPN SERVER config..
crypto keyring dmvpnkey
pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPNLAB
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
crypto isakmp policy 30
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp policy 40
authentication pre-share
crypto isakmp keepalive 30
crypto isakmp xauth timeout 90
crypto isakmp client configuration group Accounting
key eazypvn
dns 4.2.2.2
wins 4.2.2.2
domain bigBois.com
pool dmAccouting
crypto isakmp profile AccountingPro
match identity group Accounting
client authentication list access_in
isakmp authorization list my_vpn
client configuration address respond
crypto isakmp profile DMVPN
keyring dmvpnkey
match identity address 0.0.0.0
crypto ipsec transform-set DMVPN ah-sha-hmac esp-aes
mode transport
crypto ipsec transform-set EAZYVPN esp-3des esp-md5-hmac
crypto ipsec profile dmvpnlab
set transform-set DMVPN
set isakmp-profile AccountingPro
crypto dynamic-map Remote_Acc 20
set transform-set EAZYVPN
set isakmp-profile AccountingPro
reverse-route
crypto map RemoteAcc client authentication list access_in
crypto map Remote_Acc client authentication list my_vpn
crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
interface Loopback0
ip address 192.168.200.1 255.255.255.0
interface Loopback2
ip address 172.16.10.1 255.255.255.0
interface Loopback3
ip address 172.16.15.1 255.255.255.0
interface Tunnel1
bandwidth 10000
ip address 4.4.4.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 10
ip nhrp authentication DMVPN
ip nhrp map multicast dynamic
ip nhrp network-id 7940
ip nhrp registration timeout 10
ip tcp adjust-mss 1360
tunnel source Serial0/1/1
tunnel mode gre multipoint
tunnel key 7940
tunnel protection ipsec profile dmvpnlab
interface FastEthernet0/0
description OUTSIDE
ip address 1.1.1.1 255.255.255.0
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
description INSIDE
ip address 5.5.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
interface Serial0/1/1
description to SPOKE1
ip address 10.10.1.1 255.255.255.0
crypto map Remote_Acc
interface Serial0/3/0
no ip address
shutdown
router eigrp 10
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
network 10.0.0.0
network 10.10.10.0 0.0.0.3
network 172.16.0.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 172.16.10.0 0.0.0.255
network 172.16.15.0 0.0.0.255
network 192.168.200.0
ip local pool dmAccouting 20.20.20.1 20.20.20.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
Thanks a bunch for the help,
Ernest
Any ideas why devices keep renewing phase 1?
Thanks,
-
Relay traffic out same interface
Is it possible to relay traffic out of the same interface? For instance we have a computer on the Internet that only is accessible from our network. I'd like users to connect to our network, look at the ACL, and then connect to the remote computer. So basically I'm going right back out the same interface. VPN->outside interface->Internet. I'd still want split tunneling to be enabled and have this apply to only a specific IP or subnet. Is this possible?
This is the packet tracer result:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I can see the traffic coming from the VPN client to the IP, so the route is working. I get a teardown and built message in the log, but nothing saying the traffic is denied.
I think this info should cover what you're looking for:
group-policy GroupPolicy_ZSSL attributes
wins-server none
dns-server value 192.168.1.8 192.168.1.47
vpn-tunnel-protocol ikev2 ssl-client
default-domain value company.com
webvpn
anyconnect profiles value ZSSL_client_profile type user
username company password xxxxxxxxxxxxxx encrypted privilege 15
tunnel-group companyVPN type remote-access
tunnel-group companyVPN general-attributes
address-pool VPNPool
authentication-server-group MicrosoftIAS LOCAL
accounting-server-group MicrosoftIAS
default-group-policy companyVPN
password-management
tunnel-group companyVPN ipsec-attributes
ikev1 pre-shared-key *****
-
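The hairpin the post describes (VPN client in on outside, back out of outside to one Internet host), as an added example that is not part of the original post, in ASA 8.3+/9.x syntax; VPN-POOL, SPLIT-TUNNEL and the 198.51.100.25 remote host are constructed placeholders, while GroupPolicy_ZSSL is the group-policy shown above:

```text
! Added example, ASA 8.3+/9.x syntax. VPN-POOL, SPLIT-TUNNEL and
! 198.51.100.25 are constructed placeholders.

! 1. Allow a flow to enter and leave the same interface. Without this the
!    ASA typically drops an outside-to-outside flow at the ACCESS-LIST phase
!    with an "Implicit Rule" acl-drop, as in the packet-tracer output above.
same-security-traffic permit intra-interface

! 2. Keep split tunnelling, but steer only the one remote host through the
!    tunnel; everything else still goes straight out from the client.
access-list SPLIT-TUNNEL standard permit host 198.51.100.25
group-policy GroupPolicy_ZSSL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 3. Translate the client's pool address to the outside interface address
!    as it leaves, so the remote host sees the corporate public IP that
!    its own ACL permits (VPNPool range is constructed here).
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0
nat (outside,outside) source dynamic VPN-POOL interface

! 4. Re-run the simulation from a pool address toward the remote host;
!    the ACCESS-LIST phase should now show ALLOW and a NAT phase should
!    appear with the outside interface address as the translated source.
packet-tracer input outside tcp 192.168.50.10 12345 198.51.100.25 443
```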
ASA 5505 configured for WebVPN connecting to Citrix Web Interface
I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (I added a bookmark for the Citrix server, http://172.30.40.5). I enter Citrix and then, for example, when I want to open Outlook, it cannot open (when I want to open any application, no application opens). There is no alarm on the ASA. How do I solve this issue?
Thanks.
Teymur,
Can you confirm that after disabling the SSL/TLS on the Citrix server (secure connectivity) you are getting exactly the same error. It is possible that it is generating a different error.
The bug where we have seen the existing error was CSCtf06303, but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA.
If you have confirmed the above two notes it may be advantageous to open a TAC case, as we may need to do some live additional troubleshooting.
Thanks
-Jay
-
Really Need Some Help with CME 8.6 using IOS as Firewall and Anyconnect VPN on Phones
Hello,
I have a 2911 Router with IOS Security and Voice enabled and we are using CME 8.6. I am using a built-in Anyconnect VPN on 3 phones that are for remote users and thus I needed to enable security zones on the router which works because the remote phones will boot up, get their phone configs and I am able to call those remote phones from an outside line.
The issue I am having is that when I try to dial a remote phone connected via the VPN through port g0/0 from an internal office phone, i.e., NOT involving the PSTN, then there is no audio. It's as if no audio is going back and forth. When I take off the security zones from the virtual-template interface and the g0/0 interface then the audio works great and I can reach the phone from internal as I am supposed to.
Could someone take a peek at my security config and see why audio would not be traveling through the VPN when I have my security zones turned on?
clock timezone PST -8 0
clock summer-time PST recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.8.1 192.168.8.19
ip dhcp pool owhvoip
network 192.168.8.0 255.255.248.0
default-router 192.168.8.1
option 150 ip 192.168.8.1
lease 30
multilink bundle-name authenticated
isdn switch-type primary-ni
crypto pki server cme_root
database level complete
grant auto
lifetime certificate 7305
lifetime ca-certificate 7305
crypto pki token default removal timeout 0
crypto pki trustpoint cme_root
enrollment url http://192.168.8.1:80
revocation-check none
rsakeypair cme_root
crypto pki trustpoint cme_cert
enrollment url http://192.168.8.1:80
revocation-check none
crypto pki trustpoint TP-self-signed-2736782807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2736782807
revocation-check none
rsakeypair TP-self-signed-2736782807
voice-card 0
dspfarm
dsp services dspfarm
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
vpn-group 1
vpn-gateway 1 https://66.111.111.111/SSLVPNphone
vpn-trustpoint 1 trustpoint cme_cert leaf
vpn-profile 1
host-id-check disable
voice class codec 1
codec preference 1 g711ulaw
voice class custom-cptone jointone
dualtone conference
frequency 600 900
cadence 300 150 300 100 300 50
voice class custom-cptone leavetone
dualtone conference
frequency 400 800
cadence 400 50 200 50 200 50
voice translation-rule 1
rule 1 /9400/ /502/
rule 2 /9405/ /215/
rule 3 /9410/ /500/
voice translation-rule 2
rule 1 /.*/ /541999999/
voice translation-rule 100
rule 1 /^9/ // type any unknown plan any isdn
voice translation-profile Inbound_Calls_To_CUE
translate called 1
voice translation-profile InternationalType
translate called 100
voice translation-profile Local-CLID
translate calling 2
license udi pid CISCO2911/K9 sn FTX1641AHX3
hw-module pvdm 0/0
hw-module pvdm 0/1
hw-module sm 1
username routeradmin password 7 091649040910450B41
username cmeadmin privilege 15 password 7 03104803040E375F5E4D5D51
redundancy
controller T1 0/0/0
cablelength long 0db
pri-group timeslots 1-12,24
class-map type inspect match-any sslvpn
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all router-access
match access-group name router-access
policy-map type inspect firewall-policy
class type inspect sslvpn
inspect
class class-default
drop
policy-map type inspect outside-to-router-policy
class type inspect router-access
inspect
class class-default
drop
zone security trusted
zone security internet
zone-pair security trusted-to-internet source trusted destination internet
service-policy type inspect firewall-policy
zone-pair security untrusted-to-trusted source internet destination trusted
service-policy type inspect outside-to-router-policy
interface Loopback0
ip address 192.168.17.1 255.255.248.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Internet
ip address dhcp
no ip redirects
no ip proxy-arp
zone-member security internet
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.8.1 255.255.248.0
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable
interface Integrated-Service-Engine1/0
ip unnumbered Loopback0
service-module ip address 192.168.17.2 255.255.248.0
!Application: CUE Running on NME
service-module ip default-gateway 192.168.17.1
no keepalive
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
zone-member security trusted
ip local pool SSLVPNPhone_pool 192.168.9.1 192.168.9.5
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-8.6.0
ip route 192.168.17.2 255.255.255.255 Integrated-Service-Engine1/0
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
tftp-server flash:apps31.9-3-1ES26.sbn
control-plane
voice-port 0/0/0:23
voice-port 0/3/0
voice-port 0/3/1
mgcp profile default
sccp local GigabitEthernet0/1
sccp ccm 192.168.8.1 identifier 1 priority 1 version 7.0
sccp
sccp ccm group 1
bind interface GigabitEthernet0/1
associate ccm 1 priority 1
associate profile 1 register CME-CONF
dspfarm profile 1 conference
codec g729br8
codec g729r8
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 4
associate application SCCP
dial-peer voice 500 voip
destination-pattern 5..
session protocol sipv2
session target ipv4:192.168.17.2
dtmf-relay sip-notify
codec g711ulaw
no vad
dial-peer voice 10 pots
description Incoming Calls To AA
translation-profile incoming Inbound_Calls_To_CUE
incoming called-number .
port 0/0/0:23
dial-peer voice 20 pots
description local 10 digit dialing
translation-profile outgoing Local-CLID
destination-pattern 9[2-9].........
incoming called-number .
port 0/0/0:23
forward-digits 10
dial-peer voice 30 pots
description long distance dialing
translation-profile outgoing Local-CLID
destination-pattern 91..........
incoming called-number .
port 0/0/0:23
forward-digits 11
dial-peer voice 40 pots
description 911
destination-pattern 911
port 0/0/0:23
forward-digits all
dial-peer voice 45 pots
description 9911
destination-pattern 9911
port 0/0/0:23
forward-digits 3
dial-peer voice 50 pots
description international dialing
translation-profile outgoing InternationalType
destination-pattern 9T
incoming called-number .
port 0/0/0:23
dial-peer voice 650 pots
huntstop
destination-pattern 650
fax rate disable
port 0/3/0
gatekeeper
shutdown
telephony-service
protocol mode ipv4
sdspfarm units 5
sdspfarm tag 1 CME-CONF
conference hardware
moh-file-buffer 90
no auto-reg-ephone
authentication credential cmeadmin tshbavsp$$4
max-ephones 50
max-dn 200
ip source-address 192.168.8.1 port 2000
service dnis dir-lookup
timeouts transfer-recall 30
system message Oregon's Wild Harvest
url services http://192.168.17.2/voiceview/common/login.do
url authentication http://192.168.8.1/CCMCIP/authenticate.asp
cnf-file location flash:
cnf-file perphone
load 7931 SCCP31.9-3-1SR4-1S.loads
load 7936 cmterm_7936.3-3-21-0.bin
load 7942 SCCP42.9-3-1SR4-1S.loads
load 7962 SCCP42.9-4-2-1S.loads
time-zone 5
time-format 24
voicemail 500
max-conferences 8 gain -6
call-park system application
call-forward pattern .T
moh moh.wav
web admin system name cmeadmin secret 5 $1$60ro$u.0r/cno/OD2JmtvPq4w9.
dn-webedit
transfer-digit-collect orig-call
transfer-system full-consult
transfer-pattern .T
fac standard
create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-template 1
softkeys connected Hold Park Confrn Trnsfer Endcall ConfList TrnsfVM
button-layout 7931 2
ephone-template 2
softkeys idle Dnd Gpickup Pickup Mobility
softkeys connected Hold Park Confrn Mobility Trnsfer TrnsfVM
button-layout 7931 2
ephone-dn 1 dual-line
number 200
label Lisa
name Lisa Ziomkowsky
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 2 dual-line
number 201
label Dylan
name Dylan Elmer
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 3 dual-line
number 202
label Kimberly
name Kimberly Krueger
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 4 dual-line
number 203
label Randy
name Randy Buresh
mobility
snr calling-number local
snr 915035042317 delay 5 timeout 15 cfwd-noan 500
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 5 dual-line
number 204
label Mark
name Mark McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 6 dual-line
number 205
label Susan
name Susan Sundin
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 7 dual-line
number 206
label Rebecca
name Rebecca Vaught
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 8 dual-line
number 207
label Ronnda
name Ronnda Daniels
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 9 dual-line
number 208
label Matthew
name Matthew Creswell
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 10 dual-line
number 209
label Nate
name Nate Couture
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 11 dual-line
number 210
label Sarah
name Sarah Smith
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 12 dual-line
number 211
label Janis
name Janis McFerren
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 13 dual-line
number 212
label Val
name Val McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 14 dual-line
number 213
label Shorty
name Arlene Haugen
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 15 dual-line
number 214
label Ruta
name Ruta Wells
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 16 dual-line
number 215
label 5415489405
name OWH Sales
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 17 dual-line
number 216
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 18 dual-line
number 217
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 19 dual-line
number 218
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 20 dual-line
number 219
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 21 dual-line
number 220
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 22 dual-line
number 221
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 23 dual-line
number 222
label Pam
name Pam Buresh
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 24 dual-line
number 223
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 25 dual-line
number 224
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 26 dual-line
number 225
label Elaine
name Elaine Mahan
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 27 octo-line
number 250
label Shipping
name Shipping
ephone-dn 28 dual-line
number 251
label Eli
name Eli Nourse
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 29 dual-line
number 252
ephone-dn 30 dual-line
number 253
ephone-dn 31 octo-line
number 100
label Customer Service
name Customer Service
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 32 octo-line
number 101
label Sales
name Sales
call-forward busy 214
call-forward noan 214 timeout 12
ephone-dn 33 dual-line
number 260
label Conference Room
name Conference Room
call-forward busy 100
call-forward noan 100 timeout 12
ephone-dn 100
number 300
park-slot timeout 20 limit 2 recall
description Park Slot For All Company
ephone-dn 101
number 301
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 102
number 302
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 103
number 700
name All Company Paging
paging ip 239.1.1.10 port 2000
ephone-dn 104
number 8000...
mwi on
ephone-dn 105
number 8001...
mwi off
ephone-dn 106 octo-line
number A00
description ad-hoc conferencing
conference ad-hoc
ephone-dn 107 octo-line
number A01
description ad-hoc conferencing
conference ad-hoc
ephone-dn 108 octo-line
number A02
description ad-hoc conferencing
conference ad-hoc
ephone 1
device-security-mode none
mac-address 001F.CA34.88AE
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:2 2:31
ephone 2
device-security-mode none
mac-address 001F.CA34.8A03
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:12
ephone 3
device-security-mode none
mac-address 001F.CA34.898B
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 4
device-security-mode none
mac-address 001F.CA34.893F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 5
device-security-mode none
mac-address 001F.CA34.8A71
ephone-template 1
max-calls-per-button 2
username "susan"
paging-dn 103
type 7931
button 1:6
ephone 6
device-security-mode none
mac-address 001F.CA34.8871
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:7 2:31 3:32
ephone 7
device-security-mode none
mac-address 001F.CA34.8998
ephone-template 1
max-calls-per-button 2
username "matthew"
paging-dn 103
type 7931
button 1:9
ephone 8
device-security-mode none
mac-address 001F.CA36.8787
ephone-template 1
max-calls-per-button 2
username "nate"
paging-dn 103
type 7931
button 1:10
ephone 9
device-security-mode none
mac-address 001F.CA34.8805
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:5
ephone 10
device-security-mode none
mac-address 001F.CA34.880C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:14
ephone 11
device-security-mode none
mac-address 001F.CA34.8935
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:3
ephone 12
device-security-mode none
mac-address 001F.CA34.8995
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:8 2:31
ephone 13
device-security-mode none
mac-address 0021.5504.1796
ephone-template 2
max-calls-per-button 2
paging-dn 103
type 7931
button 1:4
ephone 14
device-security-mode none
mac-address 001F.CA34.88F7
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:23
ephone 15
device-security-mode none
mac-address 001F.CA34.8894
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:26
ephone 16
device-security-mode none
mac-address 001F.CA34.8869
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:28 2:27
ephone 17
device-security-mode none
mac-address 001F.CA34.885F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:11
ephone 18
device-security-mode none
mac-address 001F.CA34.893C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 19
device-security-mode none
mac-address 001F.CA34.8873
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 20
device-security-mode none
mac-address A456.3040.B7DD
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:13
ephone 21
device-security-mode none
mac-address A456.30BA.5474
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:15 2:16 3:32
ephone 22
device-security-mode none
mac-address A456.3040.B72E
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:1
ephone 23
device-security-mode none
mac-address 00E0.75F3.D1D9
paging-dn 103
type 7936
button 1:33
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
transport input all
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 216.228.192.69
webvpn gateway sslvpn_gw
ip address 66.111.111.111 port 443
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint cme_cert
inservice
webvpn context sslvpn_context
ssl encryption 3des-sha1 aes-sha1
ssl authenticate verify all
policy group SSLVPNphone
functions svc-enabled
hide-url-bar
svc address-pool "SSLVPNPhone_pool" netmask 255.255.248.0
svc default-domain "bendbroadband.com"
virtual-template 1
default-group-policy SSLVPNphone
gateway sslvpn_gw domain SSLVPNphone
authentication certificate
ca trustpoint cme_root
inservice
end
I think your ACL could be the culprit.
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
Would you be able to change the entry to permit ip any any (just for testing purposes) and then test to see if the calls function properly. If they work fine then we know that we need to open some ports there.
Please remember to select a correct answer and rate helpful posts
-
Firefox and AnyConnect 3.1
Is anyone having issues getting AnyConnect 3.1 to work with Firefox on Windows 8? I have upgraded the client on the router and tested against OS X Safari and Firefox on Win 7 32-bit. All works fine. The issue seems to be on Win 8 and Firefox 15. Java starts and then hangs after it launches the Java applet.
I have seen some previous discussions on this and the recommendation was to go up to 3.1 on Win 8. Another fix was to go into the Java Control Panel and uncheck Enable Blacklist revocation check. Does not seem to help. The webvpn page gets to the following:
"Web-based installation was unsuccessful. If you wish to install the Cisco AnyConnect Secure Mobility Client, you may download an installer package."
I have manually installed and still no go. I have double checked the plugins in Firefox to make sure that Java is enabled - it is. This cropped up after upgrades to Java. The JRE is Java(TM) SE Runtime Environment (build 1.7.0_07-b10).
On the infosec side, Win 8 is running MS Sec. Essential (Windows Defender on 8).
Anyone have any ideas?
Thanks
JPH
Just a little bit more info after some more experimentation. I have a VM with Win 7 (32-bit), Firefox 11 and Java SE7U1. Tested AnyConnect and it worked. Upgraded Firefox to V15. AnyConnect stopped working. Updated Java to SE7U7. Retested and AnyConnect worked. Went back to the Win 8 machine - same version of Java (SE7U7) as on the Win 7 machine. Firefox is 15 (x86 en-US) also. AnyConnect does not work.
Hi Jerry,
We currently do not support windows 8. Developers might start working on it once the final release of windows 8 comes out. We also have some internal enhancement requests filed for it but currently there is no ETA for this.
Shikhar Sharma
CCIE Security # 29741
Cisco TAC - VPN Team
-
ASA 8.0 VPN cluster with WEBVPN and Certificates
I'm looking for advice from anyone who has implemented or tested ASA 8.0 in a VPN cluster using WebVPN and the AnyConnect client. I have a stand alone ASA configured with a public certificate for SSL as vpn.xxxx.org, which works fine.
According to the config docs for 8.0, you can use a FQDN redirect for the cluster so that certificates match when a user is sent to another ASA.
Has anyone done this? It looks like each box will need 2 certificates, the first being vpn.xxxx.org and the second being vpn1.xxxx.org or vpn2.xxxx.org depending on whether this is ASA1 or ASA2. I also need DNS forward and reverse entries, which is no problem.
I'm assuming the client gets presented the appropriate certificate based on the http GET.
Has anyone experienced any issues with this? Things to look out for migrating to a cluster? Any issues with replicating the configuration and certificate to a second ASA?
Example: Assuming ASA1 is the current virtual cluster master and is also vpn1.xxxx.org. ASA 2 is vpn2.xxxx.org. A user browses to vpn.xxxx.org and terminates to ASA1, the current virtual master. ASA1 should present the vpn.xxxx.org certificate. ASA1 determines that it has the lowest load and redirects the user to vpn1.xxxx.org to terminate the WebVPN session. The user should now be presented a certificate that matches vpn1.xxxx.org. ASA2 should also have the certificate for vpn.xxxx.org in case it becomes the cluster master during a failure scenario.
Thanks,
Mark
There is a bug associated with this issue: CSCsj38269. Apparently it is fixed in the interim release 8.0.2.11, but when I upgraded to 8.0.3 this morning the bug is still there.
Here are the details:
Symptom:
========
ASA 8.0 load balancing cluster with WEBVPN.
When connecting using a web browser to the load balancing ip address or FQDN,
the certificate sent to the browser is NOT the certificate from the trustpoint
assigned for the load balancing using the
"ssl trust-point vpnlb-ip" command.
Instead it's using the ssl trust-point certificate assigned to the interface.
This will generate a certificate warning on the browser as the URL entered
on the browser does not match the CN (common name) in the certificate.
Other than the warning, there is no functional impact if the end user
continues by accepting to proceed to the warning message.
Condition:
=========
webvpn with load balancing is used
Workaround:
===========
1) downgrade to latest 7.2.2 interim (7.2.2.8 or later)
Warning: configs are not backward compatible.
2) upgrade to 8.0.2 interim (8.0.2.11 or later) -
PAT between 2 networks on same interface
Hi,
I'm using asa 5505 with 8.4(2) and have the following problem.
I have 2 Networks. Each Network has its own external Internet IP and also a Mail-Server.
Here is the example:
Network1:
192.168.1.0/24
Mail-Server: 192.168.1.10
External: 1.1.1.1
Network2:
192.168.2.0/24
Mail-Server: 192.168.2.10
External: 2.2.2.2
Both Networks are connected through a routing-network to the asa
interface: routed
net: 10.10.10.0/24
Now I want a communication between the two Mailservers with their external Ip-Address.
I did a static NAT from int any to int any or also from int routed to int routed, but nothing worked.
Packet tracer showed at NAT-Lookup where the external address of the second Mailserver is passed:
Info
Static translate Network1 to Network1
But it should show a translation from network1 to network1-external
Due to Security reasons, I cannot paste the whole config. I hope the example tells enough about my Problem.
Under 8.0 I did the same configuration with Policy-Nat and it worked.
Thanks for help
Sent from Cisco Technical Support iPad App
Hello Roman,
1-Are they behind the same interface?
2-Can you explain a little bit better your network? A diagram would be great
Can you try this:
object network Server-inside
 host 192.168.1.10
object network Server-secondary
 host 192.168.2.10
object network Natted-inside
 host 1.1.1.1
object network Natted-secondary_server
 host 2.2.2.2
same-security-traffic permit intra-interface
nat (routed,routed) source static Server-inside Natted-inside destination static Server-secondary Natted-secondary_server
nat (routed,routed) source static Server-secondary Natted-secondary_server destination static Server-inside Natted-inside
Regards,
Julio -
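A way to check that the twice-NAT hairpin from the reply above is actually matched, as an added verification fragment that is not part of the thread; it assumes the object names and the "routed" interface from that reply, and the source port is constructed:

```cisco
! Added verification commands (not from the thread). Object names and the
! "routed" interface come from the reply above; the source port 1025 is made up.
!
! 1. Confirm both manual twice-NAT rules are installed and see their order
!    (section 1 rules are evaluated top-down, first match wins).
show nat detail
!
! 2. Simulate Mail-Server 1 (192.168.1.10) sending SMTP to Mail-Server 2's
!    external address 2.2.2.2, entering and leaving the same "routed" interface.
!    In the NAT phase the source should be translated to 1.1.1.1 and the
!    destination 2.2.2.2 un-NATed to 192.168.2.10. A line such as
!    "Static translate Network1 to Network1" means a different rule matched
!    first, so compare the "Config:" line of that phase against the rules above.
packet-tracer input routed tcp 192.168.1.10 1025 2.2.2.2 25 detailed
!
! 3. After real traffic, the hairpin shows up as xlates on the same interface.
show xlate
!
! 4. Hairpinning on one interface needs the intra-interface permit; confirm it.
show running-config | include same-security
```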
How to config. different Operations of the same Interface to different BPM
Hi Gurus
I have a very urgent problem.
The requirement is like this:
Customer creates an invoice in A1S and release it. Information of the invoice is retrieved via two service interfaces:
CustomerInvoiceProcessingInvoiceAccountingOut
CustomerInvoiceProcessingReceivablesPayablesOut
with operation NotifyOfInvoice;
These two interfaces will transfer the information into XI and the information will be filled into a BAPI, BAPI_ACC_DOCUMENT_A1S, to R3. Then the financial document together with the invoice will be created in the R3.
when customer cancels the invoice in A1S, Information of the cancellation is retrieved via the same two service interfaces:
CustomerInvoiceProcessingInvoiceAccountingOut
CustomerInvoiceProcessingReceivablesPayablesOut
with operation NotifyOfInvoiceCancellation;
These two interfaces will transfer the information into XI and the information will be filled into a BAPI, BAPI_ACC_DOCUMENT_REV_POST, to R3. Then the reverse financial document will be created in R3.
My solution is like this:
1. for invoice creation:
Both messages sent to BPM_1, then send to R3. 3 interface determinations are needed for 3 abstract interfaces.
2. for invoice cancellation:
Both messages sent to BPM_2, then send to R3. 3 interface determinations are needed for 3 abstract interfaces.
My problem is this:
No matter during creation or cancellation, the same interfaces are triggered. The related receiver determination will distribute the information to both of the two BPMs. However the information only contains data of one operation: creation or cancellation. Error messages will appear in the monitor for the other BPM. For example, when a customer creates an invoice, the information only contains data of creation whereas it is sent to two BPMs via the receiver determination. The BPM for cancellation surely cannot deal with this information, then the error appears.
My question is: how can I solve the problem? How can I avoid the appearance of the error? Thanks
Message was edited by:
SAP LCR
Hi,
In the receiver determination you can route the message to the RIGHT BPM according to the content of the payload. So each time only one BPM is called.
Regards,
Hui -
Same interface name in alert for the synchronous messages
Dear Friends,
I have configured the alert for my interfaces. In the container i have added the message id, sender interface and receiver interface variables. While the error occurs, the alert is getting triggered. But in the alert long text in both the sender and receiver interface the Same 'is_Update'(receiver interface) is only coming.
But in the case of asynchronous interface alerts the sender and receiver interface are coming correctly in the long text of the alert.
Please tell me what might be the problem.
Thanks and Regards
Prem
Thanks for your reply....
Yes, I have given the correct interface names.... This problem is not only for my interface. This is for all the developers over here... In the long text the same interface name is coming for both the sender interface and the receiver interface -
Outbound and Abstract Sync message Interface difference
Hi Experts,
Is there any difference between the input and output messagetype for Outbound/Inbound Synch Message Interface and Abstract Sync Message Interface.
Do we need to mention the same input and output messagetype for both outbound and Abstract or it should be otherway around?
Regards
Sara
---Is there any difference between the input and output messagetype for Outbound/Inbound Synch Message Interface and Abstract Sync Message Interface.
No there is not. You can select any message type irrespective of the type of message interface.
---Do we need to mention the same input and output messagetype for both outbound and Abstract or it should be otherway around?
Yes. As per your requirement you can specify the same.
Regards,
Prateek