ASA, Anyconnect and DMZ

Hello

I had a little problem with my ASA config.

The ASA is set up to allow AnyConnect with local users.

But after I added the following NAT statement and ACL on the outside, I cannot connect with AnyConnect.

nat (DMZ,OUTSIDE) source static HOST_DMZ-NAS-FTP interface

access-list OUTSIDE_access_in extended permit tcp any object HOST_DMZ-NAS-FTP eq ftp

How to make it work again?

Hello

You have a NAT configuration that takes precedence.

We should see a UN-NAT phase at the beginning, before any other phase such as the ACCESS-LIST phase.

You probably have a dynamic PAT configuration for the DMZ in Section 1 (Manual NAT) which is the origin of the problems.

Because you cannot share the configuration, I can't really do anything else than try to give an alternative configuration, which should make it work, but it is not the ideal configuration; your dynamic PAT rule shouldn't have such priority anyway. That is, if I'm not wrong in my guess on the problem above.

Remove the Auto NAT / Network Object NAT I suggested:

object network HOST_DMZ-NAS-FTP
 no nat (DMZ,OUTSIDE) static interface service tcp 21 21

Note that we still leave the 'host' under the 'object' statement. We only remove the 'nat' command.

Then you must add these:

object service FTP
 service tcp source eq 21

nat (DMZ,OUTSIDE) 1 source static HOST_DMZ-NAS-FTP interface service FTP FTP

Then try again.

-Jouni
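As an added example (not code from the thread or from Cisco), a small Python model of the NAT ordering Jouni describes: Section 1 manual rules are walked by line number, the UN-NAT phase takes the first static rule whose mapped address and service match, and a static rule to the interface with no service claims tcp/443 along with tcp/21. The outside address 203.0.113.10, the 10.20.0.0/24 DMZ and the rule names are constructed, and the all-ports behaviour of a service-less static rule is the model's assumption.

```python
"""Model of ASA 8.3+ NAT rule ordering for the problem in this thread.
Added example, not code from the original post or from Cisco. The ASA walks
NAT rules top-down, first match wins: Section 1 (manual NAT, by line number),
then Section 2 (object/auto NAT), then Section 3 (after-auto). The outside
interface address, object names and sample packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OUTSIDE_IP = "203.0.113.10"     # constructed address of the OUTSIDE interface
ASA_ITSELF = "to-the-box"        # AnyConnect on tcp/443 must terminate here


@dataclass(frozen=True)
class NatRule:
    """One nat (DMZ,OUTSIDE) rule whose mapped address is the interface IP."""
    section: int           # 1 manual, 2 object (auto) NAT, 3 after-auto
    line: int              # position inside the section
    real: str              # real host/subnet on the DMZ, e.g. "10.20.0.5/32"
    kind: str              # "static" or "dynamic" (dynamic = PAT here)
    port: Optional[int]    # tcp port when the rule carries 'service ...'
    name: str


def ordered(rules):
    """Sections first, then line number: the order the ASA walks them."""
    return sorted(rules, key=lambda r: (r.section, r.line))


def outbound_rule(rules, src_ip):
    """Rule applied to a new connection leaving the DMZ from src_ip."""
    for r in ordered(rules):
        if ip_address(src_ip) in ip_network(r.real):
            return r.name
    return None


def inbound_target(rules, dst_ip, dst_port):
    """UN-NAT phase for a packet arriving on OUTSIDE. Only static rules can
    accept new inbound connections; a static rule with no service claims
    every port of the mapped address (model assumption), so it can swallow
    the tcp/443 that AnyConnect needs. Dynamic PAT is skipped."""
    if dst_ip != OUTSIDE_IP:
        return None
    for r in ordered(rules):
        if r.kind == "static" and (r.port is None or r.port == dst_port):
            return r.real
    return ASA_ITSELF


# Situation from the question: a DMZ dynamic PAT already sits in Section 1,
# and the static rule for the FTP host was appended after it with no service.
BROKEN = [
    NatRule(1, 1, "10.20.0.0/24", "dynamic", None, "dmz-pat"),
    NatRule(1, 2, "10.20.0.5/32", "static", None, "HOST_DMZ-NAS-FTP all ports"),
]

# Jouni's fix: 'nat (DMZ,OUTSIDE) 1 source static HOST_DMZ-NAS-FTP interface
# service FTP FTP', i.e. line 1 and limited to tcp/21.
FIXED = [
    NatRule(1, 1, "10.20.0.5/32", "static", 21, "HOST_DMZ-NAS-FTP ftp only"),
    NatRule(1, 2, "10.20.0.0/24", "dynamic", None, "dmz-pat"),
]


def summary(rules):
    """Packet-tracer style view of the three flows that matter here."""
    return {
        "ftp host outbound": outbound_rule(rules, "10.20.0.5"),
        "inbound tcp/21": inbound_target(rules, OUTSIDE_IP, 21),
        "inbound tcp/443": inbound_target(rules, OUTSIDE_IP, 443),
    }


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, summary(rules))
```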

Tags: Cisco Security

Similar Questions

  • ASA Anyconnect and Posture assessment

    Hello

    I have read the Cisco ASA VPN ASDM 7.2 configuration guide and also the AnyConnect Client Admin Guide 4.1 and can't find a clear answer as to how to implement endpoint assessment.

    I see options for using the AnyConnect Posture Module, HostScan and Secure Desktop. They appear on the Cisco software download page as separate downloads to be pre-deployed to clients. I have a client who also wishes clientless VPN connections on the ASA to have endpoint assessment.

    I don't know which of the three software options to use, or how it should be deployed to the client, or to the clientless VPN connection. If anyone has answers to the above, or can point me to a link with the information, I would be grateful.

    Thank you

    Jim

    Clientless by definition means we do not have any software installed on the client. So the AnyConnect Posture Module cannot be used for clientless SSL VPN.

    HostScan and Secure Desktop are runtime modules that can be invoked for clientless connections.

    Note that these are not very actively developed and will probably eventually be deprecated. Cisco is trying to steer customers to a complete solution including ISE and the AnyConnect ISE Posture module option of the AnyConnect Secure Mobility Client.

  • Connection interface ASA inside and DMZ

    Hello

    I'm moving my current Internet/VPN link to a dual link on different ASAs and ISP providers.

    I want to create an INSIDE interface on my ASA 5545-X that will connect directly to my Nexus 7k distribution or core.

    The inside interface of the ASA 5520 is currently a VLAN that was created on the Nexus 7k.

    It seems simple enough to follow this same design, but using different VLANs and IP scheme.

    I also need to create a DMZ interface on the ASA on my Nexus 7k distribution device.

    Currently the ASA 5520 DMZ interface comes from a VLAN that was created on the ASA and then shared out.

    It seems simple enough to follow this same design, but using different VLANs and IP scheme.

    Is there a best practice approach document or advice that someone could pass along?

    The Cisco Secure Data Center reference models do not address the DMZ. However, it is a very common configuration for ASAs.

    The real wrinkles come in on the switch side. You have the option to use physically separate switches (which you have already decided not to do); with a Nexus 7k core, the next option is how to separate the DMZ and inside security zones. The most secure, with a standard 7k core, would be to create a second VDC for the DMZ with no layer 3 services and have the ASA DMZ interface be the default gateway for hosts. A second option on the 7k would be to stick with one VDC but put the DMZ VLANs either in their own VRF or, again, make them L2 only on the ASA side, with the ASA being the L3 gateway.

    There are several other approaches you could take, but those I have just described are the most commonly used.

  • ISE 1.3-> ASA ssh and attribute anyconnect

    Hello

    I created a condition to match the AnyConnect client and allow it if needed, but the problem is that if the user does not match the AnyConnect group but matches the SSH group (a user group only for SSH to the ASA), he gets authenticated to AnyConnect and goes to the default tunnel group.

    AnyConnect condition: Device Type, NAS-Port-Type = Virtual and Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type = AnyConnect Client

    SSH condition: Device Type, NAS-Port-Type = Virtual

    Basically, if the user does not match the AnyConnect condition, he can still VPN through the SSH condition.

    Thank you

    Khaled

    There are several ways you can do it. Probably the cleanest is to use different policy sets: one for VPN access and one for device administration.

    But to keep things simple, you can use the same 'Cisco-VPN3000...' attribute in your SSH condition, but instead of '=' use 'not equals'; that way, if the SSH session sees the AnyConnect client, the condition will not be matched.

    Please rate helpful posts!

  • ASA 5545 and Anyconnect Licenses

    Currently, we use several Cisco ASA 5545 devices. Initially, we learned that we were automatically licensed to use the AnyConnect Secure Mobility Client with our ASA devices. With recent security issues, we are trying to move to a solution that supports TLS 1.2, and it seems that AnyConnect Secure Mobility Client 4.0 will do exactly that. My question is, does the automatic licence supplied with the ASA 5545 unit include AnyConnect Client 4.0? After an exhaustive search, I am still unable to find this information. Also, is there an official document detailing exactly which licences are part of the 5545 device, with respect to other Cisco software solutions?

    Thank you

    David

    All* ASAs include two "free" AnyConnect Premium licences. This is designed primarily for evaluation, as most businesses need more than two simultaneous remote-access users. However, if that's all you need, it is free and fully functional. It was designed around the AnyConnect Secure Mobility Client 3.x and earlier offering.

    From 4.0, there is a new licence model for AnyConnect. It is explained in the AnyConnect Ordering Guide. While it is not currently enforced by technical means, use of AnyConnect 4.0 requires having a licence to do so.

    For some additional supporting documents as you initially requested, see also "Feature Licenses" in the ASA Configuration Guide.

    * Some models do not support remote access VPN and either do not have the feature available or cannot use the licence, for example the ASA 1000v and an ASA running in multiple context mode.

  • ASA inside access DMZ and return

    Hi Expert,

    How do I configure the ASA to allow access from the inside to a DMZ host and also back?

    Thank you.

    Rgds,

    To the Shaw feel Yeong

    Hello

    By default, access from inside to the DMZ is permitted, as this access is from a higher security level to a lower security level.

    Return traffic to the inside host is automatically allowed by the ASA/firewall if the connection/translation is valid/exists.

    Example:

    Inside IP: 192.168.1.1/24

    DMZ: 172.16.1.1/24

    Two ways to do it:

    a. use the nat & global commands:

    global (dmz) 1 172.16.1.10-172.16.1.20 --> .10 to .20 will be used by inside hosts to access the DMZ

    global (dmz) 1 172.16.1.21 --> all inside hosts will use this IP as PAT if the above range is fully used

    nat (inside) 1 192.168.1.0 255.255.255.0

    Note:

    - Use an ACL if you need to control the type of service allowed through, and apply it on the inside interface.

    b. use static translation between the inside and DMZ subnets:

    static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    Note:

    - This will allow inside hosts to initiate & access the DMZ, and DMZ hosts to initiate & access the inside (initiate connections to inside hosts). When the DMZ accesses an inside host, the DMZ uses the inside host's physical/assigned IP.

    - Use ACLs if you need to control the type of service allowed through, and apply them on both the dmz & inside interfaces.

    Example configuration:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

    * Look under the command "static (inside,dmz)".

    Rgds,

    AK

  • Access Internet AnyConnect and ASA 8.3

    I have configured AnyConnect on ASA 8.3 and I am able to access everything on the internal LAN very well. However, I can't connect to the Internet while I am connected to AnyConnect. I tried different DNS servers in the AnyConnect profile and different split tunnel settings. I can't figure out the Internet issue. And the strange thing is that I cannot resolve any Internet addresses through the AnyConnect connection either. When I try to ping www.msn.com it just says that it cannot find the host www.msn.com. Can someone please help with this question?

    Thank you

    Corey

    In addition to the above, looking at the config, I feel you need to add this as well after removing the split tunnel configuration.

    object network AnyConnect-INET
     subnet 192.168.253.0 255.255.255.0

    nat (outside,outside) source dynamic AnyConnect-INET interface

    Thank you

    Ajay

  • How to accompany the IDS in ASA 5505 and 5520?

    Dear All;

    We have the following HW configuration for the ASA 5505 and ASA 5520, and we want to add Intrusion Detection System (IDS) functionality to the two ASAs. My question is: what modules are required to support this function, and what is the difference between IPS and IDS; does the same module do both features?

    Part number | Description | Qty

    ASA5505-BUN-K9 | ASA 5505 appliance with SW, 10 users, 8 ports, 3DES/AES | 1
    CON-SNT-AS5BUNK9 | SMARTNET 8X5XNBD ASA5505-BUN-K9 | 1
    SF-ASA5505-8.2-K8 | ASA 5505 Series Software v8.2 | 1
    CAB-AC-C5 | Power cord Type C5, US | 1
    ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 1
    ASA5505-PWR-AC | ASA 5505 power adapter | 1
    ASA5505-SW-10 | ASA 5505 10 user software license | 1
    SSC-BLANK | ASA 5505 SSC slot blank cover | 1
    ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Secure Desktop software | 1

    Part number | Description | Qty

    ASA5520-BUN-K9 | ASA 5520 appliance with SW, HA, 4GE+1FE, 3DES/AES | 2
    CON-SNT-AS2BUNK9 | SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs 4GE+1FE 3DES/AES | 2
    ASA5520-VPN-PL | ASA 5520 VPN Plus 750 IPsec User License (7.0 only) | 2
    ASA-VPN-CLNT-K9 | Cisco VPN Client (Windows, Solaris, Linux, Mac) software | 2
    SF-ASA-8.2-K8 | ASA 5500 Series Software v8.2 | 2
    CAB-ACU | Power cord (UK) C13 BS 1363 2.5 m | 2
    ASA-180W-PWR-AC | ASA 180W power supply | 2
    ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 2
    ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Secure Desktop software | 2
    SSM-BLANK | ASA/IPS SSM slot blank cover | 2

    Thanks in advance.

    Rashed Ward.

    Okay, I was not quite correct in my first post.

    These modules are only available for the corresponding ASA models.

    They all can act as IPS (inline mode) or IDS ("promiscuous" mode), depending on how you configure your policies.

    When acting as IPS, the ASA redirects all traffic through the module, so all traffic is inspected and can be dropped inline if a signature is triggered.

    When acting as IDS, the ASA only sends a copy of the traffic to the module for inspection, but the actual traffic is not affected by the module, as it is not inline in this case.

    In addition, these modules can do both in combination. That is, part of the traffic can be inspected "inline", while some other (more sensitive) traffic can be inspected in promiscuous mode.

    To better understand, familiarize yourself with this link:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/modules_ips.html

  • ASA 1000V and ASA 5500

    I hope someone can help me to answer this question:

    Currently, we have redundant FWSMs and are considering a migration to standalone ASA 5500 series firewalls. However, we have a complete VMware environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.

    Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a single firewall solution, or is an ASA 5500 still necessary?

    Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?

    Thanks for your help.

    -Joe

    It depends on what you are using the ASA 5500 series for now. If you use the ASA 5500 for remote access VPN and AnyConnect VPN, that will not be supported on the first release of the ASA 1000V yet.

    Here's the Q & A on ASA1000V which includes more information:

    http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html

    Hope that answers your question.

  • Clients vpn AnyConnect and cisco using the same certificate

    Can the same certificate on the ASA be used for the AnyConnect client and the Cisco VPN client with IKEv1/IKEv2?

    John.

    The certificate is there to identify a user/machine rather than the protocol, so yes, generally "yes" you can use the same certificate for SSL/IKEv1/IKEv2 connections.

    What you need to take care of is that said certificate is fulfilling the elements of the protocol; for example, IKEv2 implementations "require" particular KU to be set and client-auth/server-auth EKU to be set on the certificates.

    M.

  • AnyConnect and SSL - VPN without client

    Are there problems in running Cisco AnyConnect and clientless SSL VPN side by side?

    I am currently looking into adding AnyConnect features to an ASA which is currently set up to operate with clientless SSL VPN. The clientless system is not being removed. I don't know how to set it up, and I wonder if someone has already set this up or if there is any problem with this setup?

    Hi Daniel

    It's a little complicated if you want granular authentication and authorization, but it works.

    I'm running an ASA with IPsec, SSL client and clientless SSL.

    Each of these VPNs uses username/one-time-password and certificate-based authentication.

    The main challenge is to put in place its own structure of profile maps, connection profiles, group policies and dynamic access policies.

    Feel free to ask questions...

    Stephan

  • AnyConnect and 2 certificates

    People,

    I have a question regarding AnyConnect and using 2 profiles on a single client.

    I use AnyConnect SSL VPN to connect to several sites, each using certificates and username and password for authentication.

    My problem is that when I have 2 certificates in my personal store for two different ASAs, I can't authenticate on one of the firewalls.

    Each certificate is named differently, i.e. mycert-site1 and mycert-site2.

    Has anyone come across this before?

    Thanks to anyone who takes the time to answer

    Hello

    You have this option in a newer version of anyconnect:

    http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect24/release/notes/anyconnect24rn.html#wp1025402

    HTH,

    Marcin

  • LAN to Lan tunnel between ASA 5505 and 3030.

    I am unable to build a site-to-site VPN tunnel between an ASA 5505 and our Cisco 3030. I tried all possible combinations except the one that will work. I am able to ping each peer from the other site. Does someone have a LAN-to-LAN tunnel config between a 5505 and a 3030 that works? Thank you

    Hello

    Please check this link for the config:

    http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce...

    Kind regards

    Aditya

    Please rate helpful posts.

  • Log each ASA connection and router

    Hello

    I have a Cisco ASA 5520 and a Cisco 3825 router in my network. I want to log every connection to these devices. There are a few users who have different levels of access to these devices in the n/w. I would like to log all these users and what they actually change and implement on the devices. Is this possible using a RADIUS server or any other method please? I also have read/write access to these devices. Thank you very much

    You can do that too.

    You can use auth-proxy (router) / cut-through proxy (ASA) to have the user authenticate for their connections and do AAA accounting. But I don't think you need to do this for all connections, only for those that require user intervention.

    Let us know if that answers the question.

    PK

  • Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

    I'm trying to implement a site-to-site VPN between our data center and office. The data center has a Cisco ASA 5505 and the office has a Sonicwall TZ170. I managed to configure the two so that the VPN connects. From each firewall I can ping the Internet IP address of the firewall on the other side, and from a desktop computer I can ping the internal IP address of the datacenter firewall, but I can't carry traffic between the datacenter and desktop private subnets. Can anyone help?

    The config below has had IPs/passwords changed.

    External Datacenter: 1.1.1.4

    External office: 1.1.1.1

    Internal data center: 10.5.0.1/24

    Internal office: 10.10.0.1/24

    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname datacenterfirewall
    domain-name mydomain.tld
    enable password encrypted
    passwd encrypted
    names
    name 10.10.0.0 OfficeNetwork
    name 10.5.0.0 DatacenterNetwork
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.5.0.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 1.1.1.4 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
     domain-name buydomains.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit tcp any any
    access-list inside_access_in extended permit udp any any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list pixtosw extended permit ip DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    access-list pixtosw extended permit icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    access-list pixtosw extended permit ip OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    access-list pixtosw extended permit icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    access-list outside_cryptomap_66.1 extended permit ip any OfficeNetwork 255.255.255.0
    access-list outside_cryptomap_66.1 extended permit ip OfficeNetwork 255.255.255.0 any
    access-list outside_cryptomap_66.1 extended permit icmp any OfficeNetwork 255.255.255.0
    access-list outside_cryptomap_66.1 extended permit icmp OfficeNetwork 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-623.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
    route outside OfficeNetwork 255.255.255.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.5.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set walthamoffice esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map ciscopix 1 match address outside_cryptomap_66.1
    crypto dynamic-map ciscopix 1 set transform-set walthamoffice
    crypto dynamic-map ciscopix 1 set reverse-route
    crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix
    crypto map dynmaptosw interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 13
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 10.5.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.5.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 10.5.0.2-10.5.0.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 66.250.45.2 source outside
    ntp server 72.18.205.157 source outside
    ntp server 208.53.158.34 source outside
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-idle-timeout none
    username admin password encrypted
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     pre-shared-key *
    !
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    !
    prompt hostname context
    Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
    : end

    Mattew, the obvious thing missing is the NAT exempt rule for your tunnel; your access-list pixtosw is similar to the one in this example. I assume you have gone through this link; if not, see the configs on both sides.

    Add the NAT exempt rule on the ASA and try again.

    nat (inside) 0 access-list pixtosw

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

    Regards
