What is the Cisco ASA 5520's VPN ustility like?

Similar Messages

• Cisco ASA 5520 SSL VPN Web Login Customization For RSA Login

  I have a Cisco 5520 that I have RSA radius with hardware token up and working witrhout issue. The RSA radius authentication works fine.
  My problem is that I want the login page of the WebVPN portal to display two fields for the user RSA passcode. An RSA passcode is the PIN and the current toke code together.
  I want one field to accept the PIN from the passcode and the other field to accept the TOKEN CODE from the RSA token.
  Currently the login page has in this order:
  USERNAME:
  PASSCODE:
  My end state would be:
  USERNAME:
  PIN:
  TOKENCODE:
  I know this has been done with the native Cisco IPSEC client but I cannot find a way to do this with the WebVPN login page. I have been thru the Customization page and can't seem to get this to work correctly.
  Thanks.

  Hello friend!
  Please allow me to resurect this old post. Did you have the solution?
  Regards!

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

  Hi,
  i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
  I have installed 50 Site-to-Site VPN tunnels, and they work fine.
  but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
  it happens when there is no TRAFIC on, i suspect.
  in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
  this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
  in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
  i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
  Any idea?
  Thanks,
  Daniel

  What is the lifetime value configured for in your crypto policies?
  For example:
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• Command to View LDAP Password on Cisco ASA 5520

  Hello
  I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5 to a Cisco ASA 5585. We have LDAP issues logging into to our vpn client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password- encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
  Thanks!
  Matt

  Thankyou Jennifer for the responds.
  Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
  i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
  [454095] sAMAccountName: value = testvendor
  [454095] sAMAccountType: value = 805306368
  [454095] userPrincipalName: value = [email protected]
  [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
  [454095] msNPAllowDialin: value = TRUE
  [454095] dSCorePropagationData: value = 20111026081253.0Z
  [454095] dSCorePropagationData: value = 20111026080938.0Z
  [454095] dSCorePropagationData: value = 16010101000417.0Z
  Is their any other settings that i need to do it on AD ?
  Kindly advice
  Regards
  Shiji

• Older version of openssl in cisco asa 5520

  Hi,
  Recently my security has scanned all the network devices for vulnerabilities and found that cisco asa 5520 , which we use for RAS VPN has older version of openssl. Have  to  check that and fix this problem? FYI, recently we have installed a SSL cert for webmail users.
  Thanks,
  Sridhar

  Sridhar,
  W update OpenSSL libraries on our side quite often, especially if new vulnarabilities are found.
  You can check recently published vulnarabilities in www.cisco.com/go/psirt (not only specific to ASA)
  In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
  Marcin

• Cisco ASA 5520 traffic between interfaces

  Hello,
  I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
  ciscoasa# ping esx_management 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  ciscoasa# ping home_network 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  Thank you in advance.

  Hi,
  Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
  I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
  packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
  I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
  I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
  Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
  Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
  Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
  Static Identity NAT
  static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  OR
  NAT0
  access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
  nat (home_network) 0 access-list HOMENETWORK-NAT0
  Hope this helps
  - Jouni

• How to configure QOS on certain IP in the Cisco ASA 5510

  Hi,
  I am need to configure QOS on certain IP in the Cisco ASA 5510. Assume the IP's are 10.0.1.5 , 10.0.1.6 , 10.0.1.7. Here i have to configure 512 KBPS for 10.0.1.5 and 2 MBPS for 10.0.1.6 and 10.0.1.7
  Can this done on a ASA 5510 series? if yes can you help me how ?
  Regards,
  Venkat

  Yes you can do it.You can match the ip addresses in an access-list, put in a class-map and the class-map in a policy map that will do policing.
  Good examples for what you want to do are here https://supportforums.cisco.com/docs/DOC-1230
  I hope it helps.
  PK

• Cisco ASA 5520 Failover with DMZ

  I have a pair of Cisco ASA 5520s running as a primary/standby. Everything is working properly with the primary ASA, however when I trigger a failover, everything works except for the DMZ interface on the standby ASA. I've poured over the configs, but perhaps I have been staring at them too long because I am just not seeing anything.
  Below is the output of the sh run failover, sh failover, and sh run interface commands for each unit...
  PRIMARY ASA
  Primary-ASA# sh run failover
  failover
  failover lan unit primary
  failover lan interface stateful1 GigabitEthernet0/3
  failover key *****
  failover link stateful1 GigabitEthernet0/3
  failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
  Primary-ASA# sh failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 160 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 20:39:23 CDT Sep 3 2013
  This host: Primary - Active
  Active time: 69648 (sec)
  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
       Interface outside (184.61.38.254): Normal
       Interface inside (192.168.218.252): Normal
       Interface dmz (192.168.215.254): Normal (Waiting)
       Interface management (192.168.1.1): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
       IPS, 6.0(3)E1, Up
  Other host: Secondary - Standby Ready
  Active time: 2119 (sec)
  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
  Interface outside (184.61.38.253): Normal
  Interface inside (192.168.218.253): Normal
  Interface dmz (192.168.215.252): Normal (Waiting)
  Interface management (192.168.1.2): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
  IPS, 6.0(3)E1, Up
  Primary-ASA# sh run interface
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
  ospf cost 10
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
  ospf cost 10
  interface GigabitEthernet0/2
  nameif dmz
  security-level 50
  ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
  ospf cost 10
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  ospf cost 10
  management-only
  STANDBY ASA
  Standby-ASA# sh run failover
  failover
  failover lan unit secondary
  failover lan interface stateful1 GigabitEthernet0/3
  failover key *****
  failover link stateful1 GigabitEthernet0/3
  failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
  Standby-ASA# sh failover
  Failover On
  Failover unit Secondary
  Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 160 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 20:39:23 CDT Sep 3 2013
  This host: Secondary - Standby Ready
  Active time: 2119 (sec)
  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
  Interface outside (184.61.38.253): Normal
  Interface inside (192.168.218.253): Normal
  Interface dmz (192.168.215.252): Normal (Waiting)
  Interface management (192.168.1.2): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
       IPS, 6.0(3)E1, Up
  Other host: Primary - Active
  Active time: 70110 (sec)
        slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
  Interface outside (184.61.38.254): Normal
  Interface inside (192.168.218.252): Normal
  Interface dmz (192.168.215.254): Normal (Waiting)
  Interface management (192.168.1.1): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
       IPS, 6.0(3)E1, Up
  Standby-ASA# sh run interface
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
  ospf cost 10
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
  ospf cost 10
  interface GigabitEthernet0/2
  nameif dmz
  security-level 50
  ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
  ospf cost 10
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  ospf cost 10
  management-only
  Does anyone see something I might be missing? I am at a loss...

  I'll just answer my own question...the configs are correct, but it the interface on the standby ASA was plugged into an improperly configured switchport. That'll do it everytime.

• Cisco ASA 5520 Crashinfo

  I have cisco asa 5520 firewall in production sudenly yetserday firewall was reboted and crashinfo file was genetrated(check with command show crashinfo)
  But unable to undersatand the terms
  I want to know below thing regarding crashinfo
  1) In asa where crashinfo file stores and file name(please share commnad for checking)
  2) How to copy file from device to machine
  3) How to read that file(any tool any software)

  The crashinfo file ("show crashinfo") is plain text and along with the memory register contents there is a whole long list of other information - running-configuration, interface status and counters, etc. So you can look at it in any text editor or even on the ASA console itself.
  As far as learning from it directly, there is plenty to learn and use without knowing the most detailed possible level of debug information.
  If you want to see some of the tools that are available (and may include some of the crashinfo data), I'd recommend to you a Cisco Live presentation like BRKSEC-3020. You can download that and any other Cisco Live presentations here with a free registration.

• Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

  I have enable and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have an Cisco ASA 5520 firewall at work, is there something I need to setup on the device? We want to allow users from
  home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

  Hi,
  Make sure that the required ports are allowed over he device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com
  Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected]

• Cisco ASA 5520 Traffic monitoring

  Hello ,
  We have a Cisco ASA 5520 and im looking for a way to monitor largest outgoing and incoming traffic per ip in real time so to know which of my internal computers are using the most of our Internet Line. Is there a way to this through ADSM ? We use version 6.3.
  Thanks a lot

  Hi,
  I dont think the ASA alone can give you a really clear picture of the real time situation.
  It however should be able to give you some clue and simple statistics on the ASDM Firewall Dashboard
  My ASDM version is 7.1 but it should be there in your version also.

• HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

  Hi all!
  we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theorically compatible, we are not going to upgrade it right now.
  We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-pasive cluster with both technologies, Cisco ASA an Cisco ASA-X firewalls? We were said that it should be theorically compatible, but we'd like to know if someone tried before.
  Best regards for all,

  You cannot make a 5520 establish failover with the mate being a 5525-X.
  1. The configuration guide (here) states:
  The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
  2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above.

• What are the best practices to migrate VPN users for Inter forest mgration?

  What are the best practices to migrate VPN users for Inter forest mgration?

  It depends on a various factors. There is no "generic" solution or best practice recommendation. Which migration tool are you planning to use?
  Quest (QMM) has a VPN migration solution/tool.
  ADMT - you can develop your own service based solution if required. I believe it was mentioned in my blog post.
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.