ASA Anyconnect and Posture assessment

Similar Questions

• ASA, Anyconnect and DMZ

  Hello

  I had a little problem with my config to the asa.

  The asa is set up to allow anyconnect with local users.

  but after I added the NAT statement following ACL on the outside, I can not connect with Anyconnect.

  NAT (DMZ, OUTSIDE) interface static source HOST_DMZ-NAS-FTP

  OUTSIDE_access_in list extended access permitted tcp HOST_DMZ-NAS-FTP eq ftp objects

  How to make it work again?

  Hello

  You have a dominant NAT configuration.

  We should see a Phase of Nations United-NAT in the beginning before any other Phase of the ACCESS-LIST.

  You probably have a dynamic configuration PAT for the demilitarized zone in Section 1 Manual NAT which is at the origin of the problems

  Because you cannot share the configuration that I can not really anything else that try to give an alternative configuration, which should make it work but it is not the ideal configuration for your dynamic rule PAT shouldn't be to such priority anyway. That's if I'm wrong in my guess on the problem above.

  Remove NAT Auto / network object NAT I suggested

  network of the HOST_DMZ-NAS-FTP object

  no nat (DMZ, OUTSIDE) interface static 21 21 tcp service

  Note that we leave the 'host' under the 'object' statement yet. Only remove us the "nat" command.

  Then, you must add these

  Service FTP object

  tcp source eq 21 service

  service interface NAT (DMZ, outside) 1 static source HOST_DMZ-NAS-FTP FTP FTP

  Then try again.

  -Jouni

• Cisco ISE posture assessment and client provisioning

  Hello

  I have the Cisco ISE and Cisco IOS device. I configured the RADIUS between these devices.

  Also, I configured RADIUSbetween ISE of Cisco and Cisco ASA. Now I want to know that how to posture assessment for these devices (ISE of Cisco and Cisco ASA or ISE Cisco Cisco IOS). Please give me the steps together for assesment for cisco ios device posture in Cisco ise.

  In addition, please give me related to posture assessment and the provisioning client logs.

  Thanks in advance.

  You can go through the list link below to download a PDF link

  Assessment of the posture with ISE.

  http://www.Cisco.com/Web/CZ/expo2012/PDF/T_SECA4_ISE_Posture_Gorgy_Acs.PDF

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• ISE 1.3-> ASA ssh and attribute anyconnect

  Hello

  I created a condition made up to match the anyconnect client and allow, if necessary, but the problem is that if the user does not match the anyconnect group and match the ssh group (user group only to ssh the ASA) he get authenticated to anyconnect and go to the default group of tunnel.

  AnyConnect condition: type of device, NAS-PORT-Type = virtual and Cisco - VPN3000:CVPN3000/ASA/PIX7x - Client - Type = client Anyconnect

  SSH status: device type, NAS-PORT-Type = virtual

  Basically, if the user does not match the anyconnect condition it can still vpn through SSH condition.

  Thank you

  Khaled

  There are several ways you can do. Probably the cleanest is to use different strategy games. One for VPN access and one for the administration of the unit.

  But to keep things simple, you can use the same attribute 'Cisco VPN3000'... "in your SSH condition, but instead of '=' you can use 'Different' in this way if the SSH session sees the AnyConnect client, then the condition will not be matched.

  Thank you for evaluating useful messages!

• ASA 5545 and Anyconnect Licenses

  Currently, we use several devices to Cisco ASA 5545.  Initially, we learned that we were automatically allowed using the Anyconnect Secure Mobility client with our ASA devices.   With recent security issues, we are trying to move to a solution that supports TLS 1.2, and it seems that anyconnect Mobility Client 4.0 will do exactly that.   My question is, the automatic authorization supplied with the unit of 5545 ASA include Client Anyconnect 4.0?   After an exhaustive search, I am still unable to find this information.   Also, is there an official document detailing exactly what licenses is part of 5545 device, with respect to other Cisco Software Solutions?

  Thank you

  David

  All * ASAs include two licenses AnyConnect Premium "free." Which is designed primarily for the evaluation, as most businesses need more two simultaneous remote access users. However, if that's all you need is free and fully functional. It was designed around the Client AnyConnect Secure Mobility 3.x and earlier offer.

  From 4.0, there is a new model of licence for AnyConnect. It is explained in the Guide of command AnyConnect. While it is not currently applied by technical means, use of AnyConnect 4.0 requires having a license to do so.

  For some additional supporting documents as you initially requested, see also "Feature Licenses" of the Configuration Guide of the SAA.

  * Some models do not support remote access VPN and either do not have the feature available or cannot use the license - for example ASA 1000v and an ASA working in multiple context mode.

• Access Internet AnyConnect and ASA 8.3

  I have configured with ASA 8.3 AnyConnect and I am able to access everything on the internal LAN very well.  However, I can't connect to the Internet while I am connected to AnyConnect.  I tried different DNS servers in the AnyConnect profile, different parameters of Tunnel from Split.  I can't understand the issue of the Internet.  And the strange thing is that I can not solve them that addresses all the Internet, either through the AnyConnect connection.  When I try ping www.msn.com it just says that it cannot find the host www.msn.com.  Can someone please help with this question?

  Thank you

  Corey

  As well as the order, looking at the config that I feel need to add this as well after removing split tunnel configuration.

  network of the AnyConnect-INET object

  192.168.253.0 subnet 255.255.255.0

  interface NAT (outside, outside) dynamic source AnyConnect-INET

  Thank you

  Ajay

• How to accompany the IDS in ASA 5505 and 5520?

  Dear All;

  We have the following configuration of HW for the ASA 5505 and ASA 5520, we add the functionality of system of detection of Intrusion (IDS) to the two ASA. My question is: what are the modules required to support this function, and what is the deference between IPS and IDS, fact the same Module both the feature?

  Part number:	Description	QTY.
  ASA5505-BUN-K9	ASA 5505 appliance with SW 10 users, 8 ports, 3DES/AES	1
  CON-SNT-AS5BUNK9	SMARTNET 8X5XNBD ASA5505-BUN-K9	1
  SF-ASA5505 - 8.2 - K8	ASA 5505 Series Software v8.2	1
  CAB-AC-C5	Power supply cord Type C5 U.S.	1
  ASA5500-BA-K9	ASA 5500 license (3DES/AES) encryption	1
  ASA5505-PWR-AC	ASA 5505 power adapter	1
  ASA5505-SW-10	ASA 5505 10 user software license	1
  SSC-WHITE	ASA 5505 hood SSC of the location empty	1
  ASA-ANYCONN-CSD-K9	ASA 5500 AnyConnect Client + Cisco Security Office software	1

  Part number:	Description	QTY.
  ASA5520-BUN-K9	ASA 5520 appliance with SW HA, 4GE + 1FE, 3DES/AES	2
  CON-SNT-AS2BUNK9	SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs 4GE + 1FE3DES/AES	2
  ASA5520-VPN-PL	ASA 5520 VPN over 750 IPsec User License (7.0 only)	2
  ASA-VPN-CLNT-K9	Cisco VPN Client (Windows Solaris Linux Mac) software	2
  SF - ASA - 8.2 - K8	ASA 5500 Series Software v8.2	2
  CAB - ACU	Power supply cord (UK) C13 BS 1363 2.5 m	2
  ASA-180W-PWR-AC	Power supply ASA 180W	2
  ASA5500-BA-K9	ASA 5500 license (3DES/AES) encryption	2
  ASA-ANYCONN-CSD-K9	ASA 5500 AnyConnect Client + Cisco Security Office software	2
  SSM-WHITE	ASA/IPS SSM hood of the location	2

  Thanks in advance.

  Rashed Ward.

  Okay, I was not quite correct in my first post.

  These modules - modules only available for corresponding models of ASA.

  They all can act as IPS (inline mode) or IDS ("Promiscuous" mode), depending on how you configure your policies.

  When acting as IPS, ASA redirects all traffic through the module, then all the traffic is inspected and can be dropped inline if a signature is triggered.

  When she acts as an ID, ASA a few exemplary traffic is the module for inspection, but the actual traffic is not affected by the module, as it's not inline in this case.

  In addition, these modules can be both comdination. That is part of the traffic can be inspected "inline", when some other (more sensitive) traffic can be inspected in promiscuous mode.

  To better understand, familiarize themselves with this link:

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/modules_ips.html

• ASA 1000V and ASA 5500

  I hope someone can help me to answer this question:

  Currently, we have redundant FWSM and consider a migration of standalone ASA 5500 series firewalls. However, we have a complete VMWare environment and look at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.

  Is it possible that a firewall series ASA 5500 be replaced by ASA 1000V? Basically, can an ASA 1000V to be a single firewall solution, or are that ASA 5500 is always necessary?

  Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?

  Thanks for your help.

  -Joe

  Depending on what you are using the ASA5500 series for now. If you use the ASA5500 for the remote access vpn and AnyConnect VPN, he will not rely on the first version of the ASA1000V yet.

  Here's the Q & A on ASA1000V which includes more information:

  http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html

  Hope that answers your question.

• Clients vpn AnyConnect and cisco using the same certificate

  Can use the same certificate on the ASA client Anyconnect and cisco vpn ikev1-2?

  John.

  The certificate is to identify a user/machine rather than the Protocol, then Yes, generally 'yes' you can use the same certificate for SSL/IKEv1/IKEv2 connections.

  What you need to take care of, it's that said certificate is fulliling Elements of the Protocol, for example implmentations IKEv2 is 'necessary' particular KU are defined and client-server-auth/auth EKU are defined on the certificates.

  M.

• AnyConnect and SSL - VPN without client

  Are there problems in running Cisco AnyConnect and SSL - VPN without client side by side?

  I am currently looking into adding features for an ASA AnyConnect who currently set up to operate without SSL - VPN client. The system without client is not removed. I don't know how to set it up, I wonder if someone has already set up this or if there is no problem with this Setup?

  Hi Daniel

  It's a little complicated if you want a granular authentication and authorization, but it works.

  I'm running an ASA with IPSec, SSL Client and clientless SSL.

  Each of these virtual private networks with user/one-time-password name and certificate based authentic.

  The main challenge is to put in place its own structure of profile cards, connection profiles, group policies and dynamic access policies.

  Feel free to ask questions...

  Stephan

• AnyConnect and 2 certificates

  people

  I have a question regarding anyconnect and using 2 profiles on a single customer

  I use anyconnect ssl vpn to connect to several sites, each using certificates and name of user and password for authentication

  My problem is that when I 2 certificates in the store of my staff two different asas, I can't authenticate on one of the firewalls

  each certificate is named differently, i.e. mycert-site1 and site2 mycert

  anyone came across this before?

  Thanks to anyone who takes the time to answer

  Hello

  You have this option in a newer version of anyconnect:

  http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect24/release/notes/anyconnect24rn.html#wp1025402

  HTH,

  Marcin

• LAN to Lan tunnel between ASA 5505 and 3030.

  I am unable to build a tunnel vpn site-to-site between an ASA 5505 and our Cisco 3030.  I tried all possible combinations except one that will work.  I am able to ping each peer on the other site.  Someone at - it a config between two tunnels of Lan to Lan to work between a 5505 and 3030 that works.  Thank you

  Hello

  Please visit this link using config:

  http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce...

  Kind regards

  Aditya

  Please evaluate the useful messages.

• Log each ASA connection and router

  Hello

  I have a Cisco ASA 5520 and a Cisco 3825 router in my network. I want to log every connection to these devices. There are a few users who have different levels of access to these devices in n/w. I would like to connect all these users and what they actually change and to implement in the devices. Is this possible using a RADIUS server or any other method pls. I also have access to reading / writing to these devices. Thank you very much

  You can do it too.

  You can use auth-proxy (router) passage proxy (ASA) to have the user to authenticate to the connections he and do accounting of GBA. But I don't think you need to do this for all connections, for those who require the intervention of the user.

  Let us know if that answers the question.

  PK

• Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

  I'm trying to implement a VPN site-to site between our data center and office.  The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170.  I managed to configure the two so that the vpn connects.  Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop.  Can anyone help?

  The config below has had IPs/passwords has changed.

  External Datacenter: 1.1.1.4

  External office: 1.1.1.1

  Internal data center: 10.5.0.1/24

  Internal office: 10.10.0.1/24

  : Saved
  :
  ASA Version 8.2 (1)
  !
  hostname datacenterfirewall
  mydomain.tld domain name
  activate the password encrypted
  passwd encrypted
  names of
  name 10.10.0.0 OfficeNetwork
  10.5.0.0 DatacenterNetwork name
  !
  interface Vlan1
  nameif inside
  security-level 100
  10.5.0.1 IP address 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  1.1.1.4 IP address 255.255.255.0
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone IS - 5
  clock to summer time EDT recurring
  DNS server-group DefaultDNS
  buydomains.com domain name
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  inside_access_in list extended access permit icmp any one
  inside_access_in list extended access permitted tcp a whole
  inside_access_in list extended access udp allowed a whole
  inside_access_in of access allowed any ip an extended list
  outside_access_in list extended access permit icmp any one
  outside_access_in list extended access udp allowed any any eq isakmp
  IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
  pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
  IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
  pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
  outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
  outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
  outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
  outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  IP verify reverse path to the outside interface
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 623.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT-control
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  inside_access_in access to the interface inside group
  Access-group outside_access_in in interface outside
  Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
  Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 10.5.0.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
  Crypto dynamic-map ciscopix 1 transform-set walthamoffice
  Crypto dynamic-map ciscopix 1 the value reverse-road
  map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
  dynmaptosw interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 13
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  lifetime 28800
  crypto ISAKMP policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  No encryption isakmp nat-traversal
  Telnet 10.5.0.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 10.5.0.0 255.255.255.0 inside
  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd address 10.5.0.2 - 10.5.0.254 inside
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  NTP server 66.250.45.2 source outdoors
  NTP server 72.18.205.157 source outdoors
  NTP server 208.53.158.34 source outdoors
  WebVPN
  attributes of Group Policy DfltGrpPolicy
  VPN-idle-timeout no
  username admin password encrypted
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  !
  context of prompt hostname
  Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
  : end

  Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

  Add the statement of rule sheep in asa and try again.

  NAT (inside) 0-list of access pixtosw

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

  Concerning

• ASA 5520 and MPF

  Hi all. In our company we have recently upgraded our PIX 515 firewall to ASA 5520, and we started to live a thing strange event. On one of the sites we host, I saw a lot of outdated SSM messages popping up and I think that they are the source of the problem when they surf the site (mainly surfing works fine, but sometimes people cannot content etc.).

  I found the Cisco solution for this problem by using the MPF, but one thing confuses me. If I ask a MPF allowing adults MSS on the external interface of the ASA does this political conflict with the comprehensive policy that is on the SAA by default or can they both at the same time?

  Thanks in advance for any help.

  You can have a single policy per interface and another - global, that by default applies to default-inspection-traffic.

  See http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html for more details.