Access to the ASA 5515 IPS administration

Hello!

I can not access the ASA IPS module.

I try via ASDM: Configuration -> IPS. I type the user name and password and see the following message: "Error connecting to the sensor. Error loading sensor."

Could you please help me fix my config?

My network topology is like this:

http://www.Cisco.com/image/gif/paws/113690/IPS-config-mod-01.gif

My config:

KR-ASA# show running-config interface
!
interface GigabitEthernet0/5
 nameif inside
 security-level 100
 ip address 172.33.1.253 255.255.255.0 standby 172.33.1.254
!
interface Management0/0
 management-only
 no nameif
 security-level 0
 no ip address
!
KR-ASA# show module ips details
App. name:          IPS
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       4,0000 E4
Data Plane Status:  Up
Status:             Up
License:            IPS Module Perpetual active
Mgmt IP addr:       172.33.1.251
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       172.33.1.253
Mgmt Access List:   172.33.1.0/24
Mgmt Access List:   172.34.1.0/24
Mgmt web ports:     443
Mgmt TLS enabled:   true
!
KR-ASA# ping 172.33.1.251
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.33.1.251, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!

Thank you!

Hi Vladimir,

Yups, this is an issue that is seen. A downgrade of Java should solve the problem. If this is not the case, turn on the Java debugging logs and paste them here:

Go to Control Panel -> Java, right click -> Open -> Advanced -> check all the boxes that appear under Debugging and click the radio button to show the console.

Rerun the IDM in the browser, collect the output in the Java console window and paste it here.

-

Kind regards

Sourav Kakkar
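Before suspecting the Java side, the values in the "show module ips details" output above can be checked against the ASA interface configuration. The following Python is an added example (it is not from the thread or from Cisco): it parses those management fields and reports the conditions an ASDM-to-sensor login depends on (gateway in the management subnet, gateway equal to the ASA interface the module uses, workstation covered by the management access list, port 443 and TLS enabled). The ASA inside address and the ASDM workstation addresses passed to check_sensor_mgmt are assumed inputs, taken from the thread's own config where available.

```python
"""Sanity-check the IPS module's management settings against the ASA side.

Added example, not from the thread or from Cisco: it parses the lines of
'show module ips details' the poster pasted and checks the conditions an
ASDM-to-sensor login depends on before the Java/ASDM side is suspected.
The ASA inside address and the ASDM workstation address are assumed inputs.
"""
import ipaddress
import re

# Constructed sample: the management fields from the 'show module ips details'
# output in the thread, re-typed verbatim.
SHOW_MODULE_IPS_DETAILS = """\
Mgmt IP addr:       172.33.1.251
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       172.33.1.253
Mgmt Access List:   172.33.1.0/24
Mgmt Access List:   172.34.1.0/24
Mgmt web ports:     443
Mgmt TLS enabled:   true
"""

# Constructed: the ASA 'inside' interface address from the pasted interface config.
ASA_INSIDE_IP = "172.33.1.253"


def parse_module_details(text):
    """Pull the Mgmt* fields into a dict; access-list entries become ip_network objects."""
    info = {"access_lists": [], "web_ports": set()}
    for line in text.splitlines():
        m = re.match(r"\s*(Mgmt [\w ]+?):\s+(\S+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "mgmt access list":
            info["access_lists"].append(ipaddress.ip_network(value, strict=False))
        elif key == "mgmt ip addr":
            info["ip"] = ipaddress.ip_address(value)
        elif key == "mgmt network mask":
            info["mask"] = value
        elif key == "mgmt gateway":
            info["gateway"] = ipaddress.ip_address(value)
        elif key == "mgmt web ports":
            info["web_ports"] = {int(p) for p in value.split(",")}
        elif key == "mgmt tls enabled":
            info["tls"] = value.lower() == "true"
    return info


def check_sensor_mgmt(details, asa_inside_ip, asdm_client_ip):
    """Return a list of findings (an empty list means nothing obvious is wrong)."""
    findings = []
    mgmt_net = ipaddress.ip_network(f"{details['ip']}/{details['mask']}", strict=False)
    if details["gateway"] not in mgmt_net:
        findings.append(f"gateway {details['gateway']} is outside the mgmt subnet {mgmt_net}")
    if details["gateway"] != ipaddress.ip_address(asa_inside_ip):
        findings.append(f"gateway {details['gateway']} is not the ASA interface {asa_inside_ip}")
    client = ipaddress.ip_address(asdm_client_ip)
    if not any(client in net for net in details["access_lists"]):
        findings.append(f"ASDM workstation {client} matches no 'Mgmt Access List' entry")
    if 443 not in details["web_ports"]:
        findings.append("TCP 443 is not among the module's web management ports")
    if not details.get("tls", False):
        findings.append("TLS is disabled on the module's web management port")
    return findings


if __name__ == "__main__":
    parsed = parse_module_details(SHOW_MODULE_IPS_DETAILS)
    # 172.33.1.10 and 10.1.1.5 are constructed workstation addresses, one
    # on the permitted inside subnet and one that is not.
    for workstation in ("172.33.1.10", "10.1.1.5"):
        print(workstation, check_sensor_mgmt(parsed, ASA_INSIDE_IP, workstation) or "no findings")
```

With the values from the thread every check passes for a workstation on 172.33.1.0/24 or 172.34.1.0/24, which is consistent with the answer above pointing at the client side rather than the module's management configuration.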

Tags: Cisco Security

Similar Questions

  • Enable WebVPN without granting access to the ASA ASDM/CLI

    Is there a way to allow WebVPN (SSL) access for users through the ASA (8.2.1) without allowing them to connect via ASDM, SSH, Telnet or CLI? I want to prevent my VPN users from accessing the configuration of the firewall.

    I see in ASDM there are some statements about "it's effective only if aaa authentication command console is configured", but I do not understand what is being explained.

    Thanks in advance,

    Greg

    You can restrict local users with the following:

    username <name> attributes
     service-type remote-access

    You need the "aaa authentication ... console" commands because when they are not defined you can come in as the default username (pix) or with no username at all and the enable password (in the case of ASDM). If no username is sent, we obviously cannot check the 'service-type' option in the username attributes. Here is more information on the "aaa authentication console" command:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/A1.html#wp1535834

    -heather

  • RV016: access to the modem administration page on WAN1, WAN2... from the LAN

    Hello

    We have installed an RV016 router, load-balancing 5 ADSL connections.

    We can access the RV016 router from the LAN at IP 192.168.1.1.

    We can access the administration page of modem1 on WAN1, which has IP 10.0.0.1.

    But we cannot access the administration pages of the other modems, such as the modem on WAN2 with IP 10.0.0.2, the modem on WAN3 with IP 10.0.0.3, or the modems on WAN4 or WAN5...

    In the RV016 diagnostics page, we can ping 10.0.0.1 successfully, but not the other WANs...

    All modems have DHCP active with access authorized.

    Can you help us?

    Thank you!

    Hello

    Change modems to get LAN IP addresses in different subnets:

    10.0.0.1

    10.0.1.1

    10.0.2.1

    10.0.3.1

    10.0.4.1

    Then, everything should work perfectly.

    Please mark this thread as answer or reply if you have any additional questions.

    -Marty
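The reason only the first modem answers is that all five modem LAN addresses sit in the same 10.0.0.0/24 subnet, so the router has one connected route for five different links. The following Python is an added example (not from the thread or from Cisco) that flags overlapping WAN-side subnets and shows that the re-addressing proposed above clears them; the "first WAN wins" rule in reachable_modems is a simplifying assumption about how a tie between identical connected routes resolves, not RV016 behaviour documented on this page.

```python
"""Detect overlapping subnets behind the WAN ports of a multi-WAN router.

Added example, not from the thread or from Cisco. A router keeps one connected
route per subnet, so several modems addressed inside the same subnet collapse
onto a single link and only one of them stays reachable.
"""
import ipaddress
from itertools import combinations

# Constructed samples: modem LAN addresses before and after the fix suggested in the thread.
BEFORE = {"wan1": "10.0.0.1/24", "wan2": "10.0.0.2/24", "wan3": "10.0.0.3/24",
          "wan4": "10.0.0.4/24", "wan5": "10.0.0.5/24"}
AFTER = {"wan1": "10.0.0.1/24", "wan2": "10.0.1.1/24", "wan3": "10.0.2.1/24",
         "wan4": "10.0.3.1/24", "wan5": "10.0.4.1/24"}


def connected_networks(wan_addresses):
    """Map each WAN name to the subnet the router would install as a connected route."""
    return {name: ipaddress.ip_interface(addr).network for name, addr in wan_addresses.items()}


def overlapping_pairs(wan_addresses):
    """Sorted (wan_a, wan_b) pairs whose connected subnets overlap (works for any prefix lengths)."""
    nets = connected_networks(wan_addresses)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b]))


def reachable_modems(wan_addresses):
    """WANs whose modem stays reachable; assumption: for duplicate subnets the lowest-named WAN wins."""
    winners = {}
    for name in sorted(wan_addresses):
        winners.setdefault(connected_networks(wan_addresses)[name], name)
    return sorted(winners.values())


if __name__ == "__main__":
    for label, plan in (("before", BEFORE), ("after", AFTER)):
        print(label, "overlaps:", overlapping_pairs(plan), "reachable:", reachable_modems(plan))
```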

  • AnyConnect VPN: no access to the ASA

    Hello

    I have an ASA 5512-X configured as an AnyConnect VPN hub, but when I connect I cannot access the firewall... I can ping the address 10.4.11.2 but I cannot connect... Any idea what to do? This is the running configuration:

    : Saved
    :
    ASA Version 8.6(1)2
    !
    hostname asa-oi
    domain-name xx.xx.xx.xx
    enable password 7Hb0WWuK1NRtRaEy encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 1.1.1.1 DefaultGW-outside description Default Gateway outside
    name 10.4.11.1 DefaultGW-Inside description Default Gateway inside
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 10.4.11.2 255.255.255.0
    !
    interface GigabitEthernet0/5
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5.2000
     vlan 2000
     nameif outside
     security-level 0
     ip address 1.1.1.2 255.255.255.252
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    boot system disk0:/asa861-2-smp-k8.bin
    ftp mode passive
    clock timezone BRST -3
    clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 1.1.1.1
     name-server 1.1.1.2
     domain-name xx.xx.xx.xx
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network PoolAnyConnect
     subnet 10.6.4.0 255.255.252.0
    access-list outside_in extended permit ip any any
    access-list tunnel standard permit 10.0.0.0 255.0.0.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 1048576
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool PoolAnyConnect 10.6.4.1-10.6.7.254 mask 255.255.252.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-66114.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static PoolAnyConnect PoolAnyConnect no-proxy-arp route-lookup
    nat (outside,inside) source static PoolAnyConnect PoolAnyConnect no-proxy-arp route-lookup
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DefaultGW-outside 1
    route inside 10.0.0.0 255.0.0.0 DefaultGW-Inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 3.3.3.3
     timeout 5
     ldap-base-dn o=xx
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     server-type novell
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 2.2.2.2 255.255.255.240 outside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 2.2.2.2 255.255.255.240 outside
    ssh timeout 10
    console timeout 10
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes128-sha1 aes256-sha1 3des-sha1
    webvpn
     enable outside
     anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy GrpPolicyAnyConnect internal
    group-policy GrpPolicyAnyConnect attributes
     dns-server value 1.1.1.1 1.1.1.2
     vpn-simultaneous-logins 1000
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value tunnel
     default-domain value xx.xx.xx.xx
    username admin password Dp4l7Cmqr7SMHl.l encrypted privilege 15
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
     address-pool PoolAnyConnect
     authentication-server-group LDAP
     default-group-policy GrpPolicyAnyConnect
    tunnel-group AnyConnect webvpn-attributes
     group-alias AnyConnect enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ctiqbe
      inspect http
      inspect dcerpc
      inspect dns
      inspect icmp
      inspect icmp error
      inspect ils
      inspect ipsec-pass-thru
      inspect mgcp
      inspect pptp
      inspect snmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:9399e42e238b5824eebaa115c93ad924
    : end

    BTW, I changed the NAT configuration many times trying to fix the problem; this is the current one...

    You need to allow your VPN client address pool (10.6.4.1-10.6.7.254, mask 255.255.252.0) ssh and http access from 'outside', which is where the clients come from. Add them to the:

    http 0.0.0.0 0.0.0.0 inside
    http 2.2.2.2 255.255.255.240 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 2.2.2.2 255.255.255.240 outside
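The gap the answer points at can be verified mechanically from the pasted configuration: the http and ssh lines permit only 2.2.2.0/28 on "outside", while the AnyConnect pool 10.6.4.1-10.6.7.254 terminates on that same interface. The following Python is an added example (not from the thread or from Cisco): it parses the "ip local pool" line and the "<service> <host> <mask> <interface>" lines, reports which pool addresses have no matching permit, and produces the line that would close the gap. The constructed CONFIG is a copy of the relevant lines from the configuration above.

```python
"""Check that an AnyConnect address pool is permitted ASDM (http) and SSH
management access on the interface the VPN clients terminate on.

Added example, not from the thread or from Cisco: it parses the 'ip local pool'
line and the '<service> <host> <mask> <interface>' lines as pasted in the thread,
reports the pool addresses that no permit line covers, and suggests the fix.
"""
import ipaddress

# Constructed sample: the relevant lines copied from the configuration in the thread.
CONFIG = """\
ip local pool PoolAnyConnect 10.6.4.1-10.6.7.254 mask 255.255.252.0
http server enable
http 0.0.0.0 0.0.0.0 inside
http 2.2.2.2 255.255.255.240 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 2.2.2.2 255.255.255.240 outside
ssh timeout 10
"""


def parse_pool(config, name):
    """Return (first, last, mask) of the named 'ip local pool <name> <first>-<last> mask <mask>' line."""
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "local", "pool"] and len(parts) >= 7 and parts[3] == name:
            first, last = parts[4].split("-")
            return ipaddress.ip_address(first), ipaddress.ip_address(last), parts[6]
    raise ValueError(f"pool {name} not found")


def parse_mgmt_access(config, service):
    """Return {interface: [network, ...]} for '<service> <host> <mask> <interface>' lines."""
    allowed = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].lower() != service:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:  # four-word lines such as 'ssh key-exchange group ...' are not permits
            continue
        allowed.setdefault(parts[3], []).append(net)
    return allowed


def uncovered_ranges(config, pool_name, service, interface):
    """Runs of pool addresses, as (start, end) tuples, that no permit line on `interface` covers."""
    first, last, _ = parse_pool(config, pool_name)
    nets = parse_mgmt_access(config, service).get(interface, [])
    gaps, run_start, addr = [], None, first
    while addr <= last:
        covered = any(addr in net for net in nets)
        if not covered and run_start is None:
            run_start = addr
        elif covered and run_start is not None:
            gaps.append((run_start, addr - 1))
            run_start = None
        addr += 1
    if run_start is not None:
        gaps.append((run_start, last))
    return gaps


def suggested_lines(config, pool_name, service, interface):
    """Config lines that would permit the whole pool; uses the pool's own mask when it spans the range."""
    if not uncovered_ranges(config, pool_name, service, interface):
        return []
    first, last, mask = parse_pool(config, pool_name)
    pool_net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    nets = [pool_net] if last in pool_net else list(ipaddress.summarize_address_range(first, last))
    return [f"{service} {n.network_address} {n.netmask} {interface}" for n in nets]


if __name__ == "__main__":
    for service in ("http", "ssh"):
        print(service, "uncovered on outside:", uncovered_ranges(CONFIG, "PoolAnyConnect", service, "outside"))
        print(service, "add:", suggested_lines(CONFIG, "PoolAnyConnect", service, "outside"))
```

The suggestion uses the pool's /22 mask rather than summarising the exact 10.6.4.1-10.6.7.254 range, which would otherwise expand into a long list of odd-sized prefixes; the two unused addresses this admits are the network and broadcast addresses of the pool's own subnet.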

  • Dynamic access policy: VPN access and administration access

    Hi all

    I'm testing a scenario with an ASA 5520 so it can authenticate VPN users against an Active Directory environment and also use it for management access. I created a dynamic access policy on the ASA stating that, if you are a member of the Active Directory 'Management' group, continue. I have changed the DefaultAccessPolicy to "Terminate". With this, users could not connect to the VPN because they are not members of this group, but management access to the ASA is allowed thanks to this policy.

    Is there a way, through the use of dynamic access policies, that I can permit administration access (SSH, ASDM, etc.) by matching on group membership, and still allow normal users to VPN in successfully but not give them access to manage the ASA?

    I have just tried this, but it seems I should be able to do that?

    Thanks in advance.

    Hello

    You can try to apply the DAP and configure the network ACL filter, allowing only the protocols you want them to be able to access.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • How to set up ASDM/HTTP access for a Cisco ASA firewall

    Hi all

    I am looking for a solution / guide that will allow our ASA 5510 firewall, version 8.4(5), ASDM version 6.4(9), to use Active Directory users. I want to enable our administrators to access the ASA via ASDM using their AD accounts (a local administrator account also exists, but its password is not general knowledge).

    Would anyone be able to advise on a guide / solution?

    Thank you very much

    If I understand your issue correctly, you want to enable AD authentication for ASDM/HTTP access to the ASA. If that is correct, you need the following command in the CLI to enable it:

    ASA-32-22(config)# aaa authentication http console ?

    configure mode commands/options:
      LOCAL  Predefined server tag for AAA protocol 'local'
      WORD   Name of RADIUS or TACACS+ aaa-server group for administrative
             authentication

    After 'console' you need to define the name of the AD server group you have configured on the ASA.

    You can do the same thing by using ASDM:

    Change LOCAL to the announcement that there are listed.

    I hope that answers your question.

    Thank you

    Jeet Kumar

  • No access to an interface of the ASA from behind another interface

    Hello

    I am facing the issue of not being able to access the "dmz" interface from behind the 'internet' interface.

    Here is a brief description of the topology:

    The inbound access list on the "internet" interface allows traffic to 1xx.xxx.172.1.

    No NAT is configured between these interfaces.

    Routing is OK, because hosts on the DMZ network are reachable from the Internet.

    The software version is 9.1(3).

    The security level of the interfaces is the same.

    Same-security inter-interface traffic is permitted.

    Here is what packet-tracer says:

    # packet-tracer input internet udp 7x.xxx.224.140 30467 1xx.xxx.172.1 500 detailed

    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   1xx.xxx.172.1   255.255.255.255 identity

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   1xx.xxx.172.1   255.255.255.255 identity

    Result:
    input-interface: internet
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (no-route) No route to host

    Please help me find the cause why the ASA is unable to find the route to its own interface.

    Thank you in advance.

    Hello

    You will not be able to connect to the IP address of an ASA interface from behind another ASA interface. It is a limitation that has been there on Cisco firewalls for as long as I can remember.

    The only exception is when you have a VPN connection terminated on an ASA interface; then you can connect through that VPN connection to another interface of the ASA. In that case the ASA will also require that you have the following command:

    management-access <interface-name>

    where <interface-name> is the name of the interface to which you are connected.

    -Jouni

  • ASA 5515 - AnyConnect - inside subnet connection problem

    Hi all

    I have a problem connecting to the inside subnet using AnyConnect SSL VPN.

    ASA ver. 5515

    Please find the configuration below:

    User access audit

    ASA1# show running-config
    : Saved
    :
    ASA Version 9.1(2)
    !
    hostname ASA1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool POOL-for-AnyConnect 10.0.70.1-10.0.70.50 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address A.A.A.A 255.255.255.240
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.64.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     nameif dmz
     security-level 20
     ip address B.B.B.B 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    object network OBJ_GENERIC_ALL
     subnet 0.0.0.0 0.0.0.0
    object network outside_to_inside_FR-Appsrv01
     host 192.168.64.232
    object network outside_to_dmz_fr-websvr-uat
     host 10.20.20.14
    object network inside_to_dmz
     subnet 192.168.64.0 255.255.255.0
    object network gtc-tomcat
     host 192.168.64.228
    object network USA-Appsrv01-UAT
     host 192.168.64.223
    object network USA-Websvr-UAT
     host 10.20.20.13
    object network vpn_to_inside
     subnet 10.0.70.0 255.255.255.0
    access-list acl_out extended permit icmp any any unreachable
    access-list acl_out extended permit icmp any any echo-reply
    access-list acl_out extended permit icmp any any time-exceeded
    access-list acl_out extended permit tcp any object outside_to_inside_FR-Appsrv01 eq 3389
    access-list acl_out extended permit tcp any object outside_to_inside_FR-Appsrv01 eq 28080
    access-list acl_out extended permit tcp any object outside_to_inside_FR-Appsrv01 eq 9876
    access-list acl_out extended permit udp any object outside_to_inside_FR-Appsrv01 eq 1720
    access-list acl_out extended permit tcp any object outside_to_dmz_fr-websvr-uat eq www
    access-list acl_out extended permit tcp any object outside_to_dmz_fr-websvr-uat eq https
    access-list acl_out extended permit tcp any object outside_to_dmz_fr-websvr-uat eq 3389
    access-list acl_out extended permit tcp any object USA-Appsrv01-UAT eq 9876
    access-list acl_out extended permit udp any object USA-Appsrv01-UAT eq 1720
    access-list acl_out extended permit tcp any object USA-Websvr-UAT eq www
    access-list acl_out extended permit tcp any object USA-Websvr-UAT eq https
    access-list acl_out extended permit tcp any object USA-Websvr-UAT eq 3389
    access-list acl_out extended permit tcp any object USA-Appsrv01-UAT eq 3389
    access-list acl_dmz extended permit icmp any any echo-reply
    access-list acl_dmz extended permit ip any any
    access-list acl_dmz extended permit tcp object outside_to_dmz_fr-websvr-uat object gtc-tomcat eq 8080
    access-list acl_dmz extended permit tcp object outside_to_dmz_fr-websvr-uat object gtc-tomcat eq 8081
    access-list acl_dmz extended permit tcp object outside_to_dmz_fr-websvr-uat object gtc-tomcat eq 3389
    access-list acl_dmz extended permit tcp object USA-Websvr-UAT object USA-Appsrv01-UAT eq 8080
    access-list acl_dmz extended permit tcp object USA-Websvr-UAT object USA-Appsrv01-UAT eq 8081
    access-list gtcvpn2 extended permit ip 192.168.64.0 255.255.255.0 10.0.70.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
    nat (inside,outside) source static any any destination static vpn_to_inside vpn_to_inside
    !
    object network outside_to_inside_FR-Appsrv01
     nat (inside,outside) static x.x.x.x
    object network outside_to_dmz_fr-websvr-uat
     nat (dmz,outside) static x.x.x.x
    object network USA-Appsrv01-UAT
     nat (inside,outside) static x.x.x.x
    object network USA-Websvr-UAT
     nat (dmz,outside) static x.x.x.x
    access-group acl_out in interface outside
    access-group acl_dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 B.B.B.B 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.64.204 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ASA1
     keypair GTCVPN2
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint0
     certificate 19897d54
        308201cf 30820138 a0030201 02020419 897d 864886f7 0d010105 5430 0d06092a
        0500302c 3111300f 06035504 03130851 57455354 32343031 17301506 092a8648
        09021608 51574553 54323430 31343132 30333034 30333237 301e170d 86f70d01
        5a170d32 34313133 30303430 3332375a 302c3111 55040313 08515745 300f0603
        53543234 30311730 1506092a 864886f7 010902 16085157 45535432 34303081 0d
        9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100a2 5e873d21
        dfa7cc00 ee438d1d bc400dc5 220f2dc4 aa896be4 39843044 d0521010 88a24454
        b4b1f345 84ec0ad3 cac13d47 a71f367a 2e71f5fc 0a9bd55f 05d75648 72bfb9e9
        c5379753 26ec523d f2cbc438 d234616f a71e4f4f 42f39dde e4b99020 cfcd00ad
        73162ab8 1af6b6f5 fa1b47c6 d261db8b 4a75b249 60556102 03010001 fa3fbe7c
        300d0609 2a864886 f70d0101 8181007a 05050003 be791b64 a9f0df8f 982d162d
        b7c884c1 eb183711 05d676d7 2585486e 5cdd23b9 af774a8f 9623e91a b3d85f10
        af85c009 9590c0b3 401cec03 4dccf99a f1ee8c01 1e6f0f3a 6516579c 12d9cbab
        59fcead4 63baf64b 7adece49 7799f94c 1865ce1d 2c0f3ced e65fefdc a784dc50
        350e8ba2 998f3820 e6370ae5 7e6c543b 6c1ced
      quit
    telnet 192.168.64.200 255.255.255.255 inside
    telnet 192.168.64.169 255.255.255.255 inside
    telnet 192.168.64.190 255.255.255.255 inside
    telnet 192.168.64.199 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_GTCVPN2 internal
    group-policy GroupPolicy_GTCVPN2 attributes
     wins-server none
     dns-server value 192.168.64.202 192.168.64.201
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value gtcvpn2
     default-domain value mondomaine.fr
    username duncan password cHoYQ5ZzE4HJyyq/ encrypted
    username admin password Aosl50Zig4zLZm4/ encrypted
    username sebol password U7rG3kt653p8ctAz encrypted
    tunnel-group GTCVPN2 type remote-access
    tunnel-group GTCVPN2 general-attributes
     address-pool POOL-for-AnyConnect
     default-group-policy GroupPolicy_GTCVPN2
    tunnel-group GTCVPN2 webvpn-attributes
     group-alias GTCVPN2 enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 19
      subscribe-to-alert-group configuration periodic monthly 19
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0b972b3b751b59085bc2bbbb6b0c2281
    : end
    ASA1#

    I can connect to the ASA from outside with the AnyConnect client and split tunneling works well, but unfortunately I can't ping anything inside the network. VPN subnet: 10.0.70.x 255.255.255.0; inside subnet: 192.168.64.x 255.255.255.0.

    When connecting from the outside, Cisco AnyConnect shows 192.168.64.0/24 in the "Route Details" tab.

    Do you know if I'm missing something? (a route from the internal subnet to the VPN subnet?)

    Thank you

    Does your internal subnet use the ASA as its default gateway? If not, it will need a route pointing to the ASA inside interface.

    You can run a packet-tracer such as:

    packet-tracer input inside tcp 192.168.64.2 80 10.0.70.1 1025

    (simulating return traffic from a web server inside to a VPN client)

  • ASA IPS configuration

    Hello

    I have a question about the steps for using IPS on an ASA: do I really have to use NAT addresses or an access-list configuration for the interesting traffic? Specifically, NAT and then the access list, or the access list and then NAT?

    Keep the extended ACL near the source and use the REAL IP address. NAT occurs within the ASA; after that you're dealing with external systems.

    If you have 6 or 14 external public IP addresses from your ISP, you can use NAT... otherwise, you're stuck with PAT.

    For inbound on the outside: use the real public IP addresses assigned by your service provider in order to allow certain incoming traffic. It could be access-list 100 or a named extended access list, such as 'inbound-outside'.

    For inbound on the inside interface: use the private internal IP address plan [192.168.x.x, 172.16.x.x - 172.31.255.x, 10.0.0.0] with the appropriate subnet mask to allow traffic from the inside to the outside for your users. Most people open "permit ip any any" here, but I prefer to limit it to specific private internal addresses only. It could be access-list 102 or a named access list, for example 'inbound_inside'.

    Traffic which is not "permitted" will be implicitly denied.

  • Cisco ASA 5515 - AnyConnect users can connect to the ASA, but cannot ping inside local IP addresses

    Hello!

    I have a 5515 ASA with the configuration below. I have configured the ASA as an AnyConnect remote-access VPN server; now my problem is that I can connect but I cannot ping.

    ASA Version 9.1(1)
    !
    hostname ASA
    domain-name xxx.xx
    names
    ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 192.168.11.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     description Interface_to_VPN
     nameif outside
     security-level 0
     ip address 111.222.333.444 255.255.255.240
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.5.1 255.255.255.0
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name www.ww
    same-security-traffic permit intra-interface
    object network LAN
     subnet 192.168.11.0 255.255.255.0
     description LAN
    object network SSLVPN_POOL
     subnet 192.168.12.0 255.255.255.0
    access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
    route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
     webvpn
      url-list none
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.5.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_TrustPoint5
     enrollment terminal
     email [email protected]
     subject-name CN=ASA
     ip-address 111.222.333.444
     crl configure
    crypto ca trustpoint ASDM_TrustPoint6
     enrollment terminal
     fqdn vpn.domain.com
     email [email protected]
     subject-name CN=vpn.domain.com
     ip-address 111.222.333.444
     keypair sslvpn
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint6
    telnet timeout 5
    ssh 192.168.11.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd address 192.168.5.2-192.168.5.254 management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint6 outside
    webvpn
     enable outside
     csd image disk0:/csd_3.5.2008-k9.pkg
     anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy VPN_CLIENT_POLICY internal
    group-policy VPN_CLIENT_POLICY attributes
     wins-server none
     dns-server value 192.168.11.198
     vpn-simultaneous-logins 5
     vpn-session-timeout 480
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_CLIENT_ACL
     default-domain value myComp.local
     address-pools value VPN_CLIENT_POOL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 30
      anyconnect dpd-interval gateway 30
      anyconnect dtls compression lzs
      anyconnect modules value vpngina
      customization value DfltCustomization
    group-policy IT_POLICY internal
    group-policy IT_POLICY attributes
     wins-server none
     dns-server value 192.168.11.198
     vpn-simultaneous-logins 3
     vpn-session-timeout 120
     vpn-tunnel-protocol ssl-client ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_CLIENT_ACL
     default-domain value societe.com
     address-pools value VPN_CLIENT_POOL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect dtls compression lzs
      customization value DfltCustomization
    username vpnuser password PA$$WORD encrypted
    username vpnuser attributes
     vpn-group-policy VPN_CLIENT_POLICY
     service-type remote-access
    username vpnuser2 password PA$$W encrypted
    username vpnuser2 attributes
     service-type remote-access
    username admin password ADMINPA$$ encrypted privilege 15
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
     address-pool VPN_CLIENT_POOL
     default-group-policy VPN_CLIENT_POLICY
    tunnel-group VPN webvpn-attributes
     authentication aaa certificate
     group-alias VPN_to_R enable
    tunnel-group IT_PROFILE type remote-access
    tunnel-group IT_PROFILE general-attributes
     address-pool VPN_CLIENT_POOL
     default-group-policy IT_POLICY
    tunnel-group IT_PROFILE webvpn-attributes
     authentication aaa certificate
     group-alias IT enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    inspect the icmp

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    : end

    Help me please! Thank you!
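    As an added check over the kind of configuration posted above (example code written for this page, not from the thread or from Cisco): the script parses the `username ... attributes` blocks and reports which local users still have a service-type that permits a management login (anything other than `service-type remote-access`, since the ASA default is `admin`), and which `ssh`/`http`/`telnet` access statements are bound to the outside interface. The sample config is constructed: `vpnuser`, `vpnuser2` and `admin` mirror the posted lines, while `vpnuser3` and the `ssh 0.0.0.0 0.0.0.0 outside` line are hypothetical additions so the audit has findings to show.

```python
"""Audit a Cisco ASA running-config excerpt for local users that can reach
management services (SSH, ASDM, CLI) and for management access bound to the
outside interface.  Added example; not code from the thread or from Cisco."""
import re
from typing import Dict, List

# Constructed sample config.  vpnuser, vpnuser2 and admin mirror the thread's
# posted lines; vpnuser3 and the "ssh 0.0.0.0 0.0.0.0 outside" line are
# hypothetical additions so the audit has something to report.
SAMPLE_CONFIG = """\
ssh 192.168.11.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
http server enable
http 192.168.11.0 255.255.255.0 inside
username vpnuser password PA$$WORD encrypted
username vpnuser attributes
 vpn-group-policy VPN_CLIENT_POLICY
 service-type remote-access
username vpnuser2 password PA$$W encrypted
username vpnuser2 attributes
 service-type remote-access
username vpnuser3 password PA$$W3 encrypted
username vpnuser3 attributes
 vpn-group-policy VPN_CLIENT_POLICY
username admin password ADMINPA$$ encrypted privilege 15
"""

USER_RE = re.compile(r"^username (\S+) password ")
ATTR_RE = re.compile(r"^username (\S+) attributes$")
SVC_RE = re.compile(r"^ service-type (\S+)$")
# ssh/http/telnet <network> <mask> <interface>
MGMT_RE = re.compile(r"^(ssh|http|telnet) (\S+) (\S+) (\S+)$")


def parse_users(config: str) -> Dict[str, str]:
    """Map each local username to its service-type.

    A user with no explicit service-type is recorded as 'admin': that is the
    ASA default, and it allows management logins when the management services
    authenticate against the LOCAL user database."""
    users: Dict[str, str] = {}
    current = None  # username whose "attributes" block we are inside
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            users.setdefault(m.group(1), "admin")
            current = None
            continue
        m = ATTR_RE.match(line)
        if m:
            current = m.group(1)
            users.setdefault(current, "admin")
            continue
        m = SVC_RE.match(line)
        if m and current is not None:
            users[current] = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any other top-level command ends the block
    return users


def users_with_management_access(config: str) -> List[str]:
    """Usernames whose service-type still permits a management login
    (admin is the default; nas-prompt also allows a CLI login)."""
    return sorted(name for name, svc in parse_users(config).items()
                  if svc != "remote-access")


def management_on_interface(config: str, interface: str = "outside") -> List[str]:
    """ssh/http/telnet access statements bound to the given interface."""
    return [line for line in config.splitlines()
            if (m := MGMT_RE.match(line)) and m.group(4) == interface]


if __name__ == "__main__":
    for name, svc in parse_users(SAMPLE_CONFIG).items():
        print(f"{name:10s} service-type {svc}")
    print("management-capable:", users_with_management_access(SAMPLE_CONFIG))
    print("outside management:", management_on_interface(SAMPLE_CONFIG))
```

    Run it against a `show running-config` capture instead of the sample to see which VPN-only accounts are missing `service-type remote-access`; the `admin` account is expected in the list, any VPN user is not.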

    Hello

    Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.

    Thank you

    swap

  • How to give some access to the system without giving local administrator access?

    Hello

    I'm looking for advice on how I can accomplish the following tasks without giving certain groups local administrator rights on the server.

    • Ability to query the status of all Windows Services
    • Access to WMI
    • Ability to read all the event logs
    • Ability to query the state of all services
    • Enabling remote PowerShell commands

    The servers I need to give this kind of access to are Windows Server 2008 R2, Windows Server 2008 Std Edition and Windows Server 2003.

    Advice and guidance would be greatly appreciated.

    Thanks in advance.

    Hello

    The question you have posted is better suited for the TechNet forums. Please post your question here.

    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

  • Error - "Launcher requires write permission for the World of Warcraft key to locate and launch the game successfully. Please enable write access to the registry key using an administrator account"

    Original title - editing the registry so the World of Warcraft Launcher can write

    I downloaded the most recent game patch to my computer, did a system cleanup and tried to log in again, but now the window states "Launcher requires write permission for the World of Warcraft key to locate and launch the game successfully. Please allow write access to the registry key by using an administrator account". How can I access the registry to resolve this problem? Help please

    Hello DaTurtle!

    I had exactly the same problem, and I did not find the solution here...

    But I found a very easy way to fix it!

    Right-click the WoW icon on the desktop -
    then open the file location -
    a lot of files will appear -
    click on the WoW program file instead of the launcher -
    your WoW game will start -
    log in as normal -
    then it will come up to update...

    After the update your WoW will work as usual!

    It worked on my computer, please respond!

    Hans_Craft

  • Is there a way to give a user access to Active Directory Users and Computers without being an administrator

    I want to be able to allow a user group to reset passwords and create accounts in an organizational unit.  I delegated control of the organizational unit to the group, but if I connect to the domain controller and try opening Active Directory Users and Computers, it asks for an administrator password.  I have a mix of two Server 2003 domain controllers and a Server 2008 DC.  Is there a way to give a group access to Active Directory Users and Computers without being an administrator?

    For assistance, please ask for help in the appropriate Microsoft TechNet Windows Server Forum.

    Thank you.

  • Unable to access the configuration file in XP Mode, error: "is client\users\administrator is not accessible."

    Original title: can not access the configuration file because I'm not the administrator, even though I'm the only person who uses this computer

    I bought Windows 7 Professional on a new computer, because a program that I use every day can run in XP Mode.  I configured XP Mode and when it asked for a password I left it empty and pressed Enter.  When I try to open the config file in XP, the message "is client\users\administrator is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permission." appears.

    I downloaded Virtual PC and XP Mode from MS because this 8-plus-year-old program will run in this mode.  I copied the config file from the old computer and want to replace the file loaded when I installed the program on the new computer.  That will save me loading all the data files (more than 80) and not having to recreate the data in the files I changed. I installed the program from the original disc and it is set up fine except for the config file.

    There are two user accounts: virtual XP-admin and virtual XP user-88950xp.

    The only program I installed in XP Mode is this one.

    Thank you.

    Hugh Humphreys

    Hi Hugh Humphreys,

    Leave the password section empty and see if XPMUSER can be accessed.

    Method 1: If the problem persists, you can try to access Windows XP Mode with the default account named "Administrator". This account appears when we boot into Safe Mode. By default, there is no password for this account, and the password is determined when you set up Windows XP Mode. We can use this account to reset the passwords of the other accounts. To do this, follow these steps:

    (a) First, disable the integration features.

    (b) Restart Windows XP Mode. When the boot menu appears on startup, press F8. (Keep pressing the F8 key until the Windows startup menu is displayed.)

    (c) In the Windows Advanced Options Menu, select Safe Mode and press ENTER.

    (d) Log in to Windows using the Administrator account and password.

    Note: The password is empty by default unless you already set a password.

    (e) After logging in to Safe Mode, click "Start", go to "Run", type "nusrmgr.cpl" (without the quotes) and press ENTER.

    (f) Choose the user you want to change and click "Reset Password". Set a new password.

    (g) Click the "Advanced" tab, then click the "Advanced" button.

    (h) Click "Users". Choose the user you want to edit in the right pane, right-click it and click "Properties".

    (i) Check "Password never expires". Click "OK".

    (j) Then exit the settings and restart Windows XP Mode in normal mode.

    Method 2: Please try the following steps so the computer remembers the credentials and does not ask for the password to open each program:

    (a) When it asks for a password, click Cancel. Without the integration feature, you are allowed to log on with an account that does not have a password.

    (b) Set a password for your current user.

    (c) Click Tools in Windows Virtual PC and choose Enable Integration Features.

    i. Type the password, check the box "Remember my credentials" and click OK to log on.

    ii. After joining the domain, log on in XP Mode with the local administrator account.

    Reference: http://social.technet.microsoft.com/Forums/en-US/w7itprovirt/thread/45f3f241-3d0a-43f7-8baf-c64ab3a8a76d/

    http://answers.Microsoft.com/en-us/Windows/Forum/windows_vista-security/keeping-passwords-secure-Microsoft-policy-on/3eba3150-8742-4264-be9f-0daaad2282cd

    If this does not work, post your request in the TechNet forums to get help.

    http://social.technet.Microsoft.com/forums/en/w7itprovirt/threads

  • User account access problems - I own the administrator account

    I tried to use Windows PowerShell; after I discovered the ExecutionPolicy (one word) was Restricted, I tried to change it using the Set command, and it told me that I had no access to the registry. I have administrator privileges and it's my computer; as far as I know I am the only person who uses it, and I have no guest account, yet I cannot access the registry key. I don't want to turn off User Account Control. Do you have any ideas?

    Hello

    Please take a look at Pegasus's reply in the following thread:

    http://answers.Microsoft.com/en-us/Windows/Forum/Windows_7-system/access-denied-setting-owner-andor-permissions-on/71cdd66a-75Ce-4E79-BACE-89637e0dacae
