ASDM ACL Manager

Can you please tell me, or tell me where I can learn, what the difference is between the "Access Rules" window and the "ACL Manager", what the purpose of each of them is in ASDM, whether they are related (updates I make in one do not seem to appear in the other), and critical issues like these?

Sorry, this might be intuitive to most, but unfortunately, not me. I appreciate any help anyone could offer. TIA

Access rules:

You can use access rules in routed and transparent firewall mode to control IP traffic. An access rule permits or denies traffic based on the protocol, the source and destination IP address or network, and optionally the source and destination ports. To allow any traffic to enter the security appliance, you must attach an inbound access rule to the interface. Otherwise, the security appliance automatically drops all traffic entering that interface.

See the URL below for ASDM access rules:

http://www.Cisco.com/en/us/docs/security/ASDM/6_1/user/guide/aclrules.html#wp1132996

The ACL Manager:

The ACL Manager dialog box lets you define access control lists (ACLs) to control the access of one network to another host/network, including the protocol or port that can be used, or a specific host.

You can configure ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts and web servers.

• If you do not set any filters, all connections are permitted.

• The security appliance supports only an inbound ACL on an interface.

• At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry (ACE), the security appliance denies it. ACEs are referred to as rules in this topic.

See the below URL for ASDM ACL Manager:

http://www.Cisco.com/en/us/docs/security/ASA/asa80/asdm60/user/guide/vpn_gen.html#wp1106725
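The two points the answer above makes about ACLs (ACEs are evaluated top-down and the first match wins; anything not explicitly permitted hits the implicit deny at the end) are easy to get wrong when editing rules. The added Python below is an illustration written for this page, not Cisco code: it parses constructed lines in the ASA "access-list NAME extended permit|deny PROTO SRC DST [eq PORT]" form (the same syntax as the vpn-filter reply further down this thread) and evaluates sample flows against them. The ACL names and addresses are constructed; it handles numeric ports only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample config. VPN-FILTER-XXX has a single permit ACE, so every
# other flow falls through to the implicit deny. OUTSIDE-IN is a hypothetical
# inbound ACL whose first ACE shadows the second: ordering decides the outcome.
SAMPLE_CONFIG = """
access-list VPN-FILTER-XXX extended permit tcp 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
access-list OUTSIDE-IN extended deny tcp any host 192.168.1.7 eq 22
access-list OUTSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.7 eq 22
"""

@dataclass
class ACE:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq N"; None means any port

def _take_network(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' (ASA netmask form) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(config):
    """Group 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' lines by ACL name.
    Line order is preserved because the appliance evaluates ACEs top-down."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list":
            continue                      # not an ACE line (or too short to be one)
        name, rest = tokens[1], tokens[2:]
        if rest[0] == "extended":
            rest.pop(0)
        action, proto = rest.pop(0), rest.pop(0)
        src, dst = _take_network(rest), _take_network(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        acls.setdefault(name, []).append(ACE(action, proto, src, dst, dport))
    return acls

def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """Return (action, index) of the first matching ACE, or ("deny", None) for the
    implicit deny that ends every ACL when no ACE explicitly matches the flow."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for index, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, index          # first match wins; later ACEs are never consulted
    return "deny", None

if __name__ == "__main__":
    acls = parse_acl(SAMPLE_CONFIG)
    print(evaluate(acls["VPN-FILTER-XXX"], "tcp", "10.0.0.5", "192.168.0.10", 80))  # ('permit', 0)
    print(evaluate(acls["VPN-FILTER-XXX"], "tcp", "10.0.0.5", "192.168.0.10", 22))  # ('deny', None)
    print(evaluate(acls["OUTSIDE-IN"], "tcp", "192.168.1.50", "192.168.1.7", 22))   # ('deny', 0)
```

The last call shows why the order of ACEs matters: the permit for 192.168.1.0/24 never fires because the deny above it already matched.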

Tags: Cisco Security

Similar Questions

  • Cannot start device - ASDM question Manager

    Hello

    I have recently upgraded our spare ASA 5510 to version 9.1(3) with ASDM image version 7.1(5)100.

    The client I am trying to run the ASDM launcher on is Windows 7 x64 with the latest version of Java (update 7-5).

    I am able to get to the screen when I https to the device. I can install the ASDM launcher, but as soon as I enter the host name and the password I get the following error: "could not launch 192.168.X.XXX Device Manager."

    I went through a checklist and I can confirm the following:

    - 3DES-SHA1 license is activated

    - HTTP server is enabled for my client subnet

    - SSL encryption is enabled

    - Tried Firefox and IE10

    When I try to run ASDM via the browser I get as far as the password prompt, and although the initial prompt seems to accept it, another authentication box appears asking for it again, over and over in an infinite loop.

    I have been through many forum posts and checklists, but I can't seem to identify this problem.

    If it helps, the box was flashed back to factory default before I applied the configuration from scratch (based on the configuration of our live ASA 5510).

    Can anyone help please?

    Thank you

    Hi Anthony,

    In that case, you should have the following on the ASA:

    aaa authentication http console LOCAL

    Along with this, there should be a username and password in the local database of the ASA. Try configuring the command, then check:

    username cisco password cisco

    After this, try to access ASDM with the cisco username and password and check whether it works.

    - Prateek Verma

  • Needing ACL Manager - Access control list manager is EOL

    Hi everyone;

    CiscoWorks Access Control List Manager is an excellent tool for managing and optimizing ACLs (removing covered ACEs, merging maskable ACEs into ranges, merging covered ACE port ranges, removing redundant ACEs, deleting duplicate ACEs, and the ACL Hits Optimizer).

    But now it is no longer available :(

    Does anyone know of any similar tool or script?

    Thank you

    As far as I know there is no current Cisco product specifically designed to manage switch ACLs, either as a point solution or as a feature of a broader product.

    I don't see many customers with complex or extensive ACLs on switches, and the lack of tools available on the market to manage them probably reflects this as well.

  • How does the ACL handle fragmented packets?

    Hello

    I'm looking for documentation on how the ACL handles fragmented packets. Let's say I have the following on my access switch:

    class-map match-all MyACL1

    match access-group name MyACL1

    class-map match-all MyACL2

    match access-group name MyACL2

    class-map match-all MyACL3

    match access-group name MyACL3

    class-map match-all MyACL4

    match access-group name MyACL4

    class-map match-all MyACL5

    match access-group name MyACL5

    class-map match-all MyACL6

    match access-group name MyACL6

    In what order will an incoming fragmented packet be checked by my class-map rules? Is it sequential? I doubt it.

    Regards

    It goes through the class-maps until there is a match, and applies that class.

    Regarding ACL treatment of fragments, see this page:

    http://www.Cisco.com/en/us/Tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml

    and this:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t8/feature/guide/gt_vfrag.html

  • SG300-10 - need help with ACL

    We recently received an SG300-10 switch and need assistance in creating an access list for SSH access. The switch is running

    SW version 1.3.0.62. We want to make sure SSH access is allowed only from the 192.168.1.0 network. We would also like all attempts to connect to TCP port 22 for SSH. Right now, SSH is accessible from any IP including external (Internet) addresses. Here's what we have at the moment. The switch has an IP address of 192.168.1.7.

    ...

    ip access-list extended SSH_access

    permit ip 192.168.1.0 0.0.0.255 192.168.1.7 0.0.0.0

    exit

    line ssh

    exec-timeout 0

    exit

    ...

    External (Internet) users can still try to SSH in. Please advise.

    You have defined an IP access list. Those are for filtering routed traffic, not for controlling access to the switch itself. What's more, it seems you haven't activated it on any interface (via the access-class command), so it has no effect at all.

    To control access to the switch itself, you must define a management access list and activate it with the management access-class command. Unfortunately the syntax of these differs slightly from standard ACLs. For example:

    management access-list SSH_access

    permit ip-source 192.168.1.0 mask 24 service ssh

    permit service https

    deny

    exit

    management access-class SSH_access

    This allows SSH from the 192.168.1.0 network and HTTPS from everywhere, but rejects everything else (i.e. Telnet or HTTP). Details can be found in ch. 11 "Management ACL Commands" of the 300 Series CLI Guide.

    HTH

    Tilman

  • Regarding Defense Center and the SFR module

    I have installed the DC in my virtual machine. The DC and the SFR module are both version 5.4. At the time of purchase, I was told that the DC is used to monitor the ASA. We bought the 2-device license, which means I can monitor up to 2 ASAs from my DC. I wonder if the DC is used only for filtering and log monitoring. If possible, I want to manage the ACLs, NAT and generally everything on the ASA through this DC so that I don't have to connect to the 2 devices all the time. Is this possible? I use an ASA 5515-X version 9.2.2 and ASDM 7.2 and I don't have the ASDM FireSIGHT management access, so I use the DC separately. Thank you in advance.

    Hello diomande,

    Your understanding of the purpose of FireSIGHT is not correct. FireSIGHT Management Center is only used to monitor managed devices under it, such as FirePOWER devices or FirePOWER software modules integrated with the ASA firewall. You cannot control or manage your ASA firewall using the DC (FireSIGHT Management). To manage the ASA, you must use ASDM.

    Since you have an ASA with the FirePOWER software module, you can inspect selected traffic in your environment. Create an access list and specify the traffic you need to redirect through the FirePOWER module.

    Please rate if this helps.

    Regards

    Jetsy

  • ASA mgmt question

    Internet<>Global MPLS WAN to other sites

    Hello! We have the setup above in our environment. The ASA box is used to establish the tunnel to our headquarters if the MPLS WAN is down.

    I have a question about managing the ASA box from the network (internal LAN of other sites). I can ping the inside interface of the ASA from other sites, but when I try to SSH or use ASDM to manage it, I see the message "routing cannot locate next hop for TCP from inside xxxx to inside xxxx." There is no FW between sites (through the global MPLS WAN). I can ping between sites, and an SSH/ASDM mgmt + ACL entry to allow the local LAN + all was added.

    I also noticed that I cannot ping other sites from the ASA CLI. I can only ping IP ranges configured as a static route to the inside interface of the ASA box.

    From what I see, everything works fine, it's just that I'm not able to manage the ASA box from other sites.

    What could be the problem here?

    THX

    If the error message is that the ASA could not find a route, then of course it sounds like a routing problem. My first suggestion would be to look at the error message, take the destination address from the message and check whether the ASA has a route to that address (and make sure the route goes through the inside interface, because the error message indicates that it thinks the destination is on the inside interface).

    HTH

    Rick

  • Port filter on IPsec site-to-site VPN

    Hello guys!

    I have configured a site-to-site VPN as follows (for the access list):

    Local: 192.168.0.0/24

    Remote: 10.0.0.0/24

    So, I have this configuration:

    access-list VPN-Test line 1 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

    But I would like to allow only tcp/80 from my remote site to connect to my local site (because right now 10.0.0.0/24 can access everything in my 192.168.0.0/24).

    How can I do this? (I tried to change the VPN-Test access list under ASDM, Configuration, ACL Manager, but no luck.)

    Should I create a rule on the outside interface, such as:

    Source: 10.0.0.0/24

    DST: 192.168.0.0/24

    Protocol: tcp/80

    How can I do?

    Thank you

    Diego

    By default, the outside ACL is not evaluated for VPN traffic. Instead, you configure a new ACL that is applied as a "vpn-filter" to the group policy for your connection.

    access-list VPN-FILTER-XXX permit tcp any any eq 80
    !
    group-policy GP-VPN-XXX attributes
     vpn-filter value VPN-FILTER-XXX
    !
    tunnel-group a.b.c.d general-attributes
     default-group-policy GP-VPN-XXX

    In the ACL you need not specify the networks, as the tunnel cannot carry anything other than what is specified in the crypto ACL. But of course you can enter them if you want to:

    access-list VPN-FILTER-XXX permit tcp 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80

  • ASA 5510 CLI Configuration

    Hello

    Is it possible to perform all system configuration and management functions through the CLI at a terminal?

    I'm thinking specifically of aspects such as firewall rule management, DHCP service configuration, VPN configuration, log review, etc.

    I have already done some basic interface configuration via the CLI, but want to know how deep I can go.

    Thanks in advance.

    Paul

    The main thing I know has to be done through ASDM is managing SSL VPN client bookmarks and other pages. All the other stuff you mentioned can be done through the CLI. I like to use a hybrid of CLI & ASDM when I manage firewalls. I prefer to see the logs in ASDM, so the real-time log buffer is an excellent tool.

  • CSM: FWSM Device Manager and multiple contexts, how?

    We have several contexts on the FWSM and from time to time I would like to launch ASDM (Device Manager) from CSM, but I can't. It says missing credentials.

    We manage the FWSM only in the admin context, and that is also how we let CSM discover the FWSM.

    Usually when you start ASDM connected to the admin context, you can then move to the different contexts, but not from CSM, and I can't open ASDM for a context because of the missing credentials.

    But I don't think it's the credentials, since we have not enabled all the settings for direct access, as we have always managed the contexts from the admin context.

    How can we get Device Manager working for all contexts?

    Hello

    You will need to click on each of the contexts in the CSM inventory and select "Properties". From there, you must add a management IP address as well as the credentials for the individual context. This will allow you to launch ASDM for a particular context from CSM. When you discover all the contexts through the admin context, CSM fills in the IP address and credentials fields only for the admin context.

    - Mike

  • Authenticate Anyconnect VPN on Active Directory

    Hello

    I have a Cisco ASA5520 that I have configured for authentication to AD using a Win2008 box running Network Policy Server.

    In ASDM I can test the auth and it works.

    In ASDM -> Device Management -> AAA Access (HTTP, SSH, Telnet) I can define which auth group I use for user authentication. When I updated SSH auth to use the auth group I created, it works very well... so I know that the authentication works.

    Problem is, it doesn't seem to work for AnyConnect VPN user authentication. I can't seem to figure out how to tell the ASA to use my AD auth group and not the LOCAL auth group to authenticate VPN users.

    Any help is greatly appreciated.

    Thanks

    M

    Try this:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml

    But you are probably landing on the DefaultWEBVPNGroup, so change its authentication to your AAA server group (LDAP/NTLM) and see if the behavior changes.

    By default, SSL connectivity uses the DefaultWEBVPNGroup tunnel-group/connection profile. If you do not use this profile/tunnel-group, you must use a group-URL or alias so that it can land on another one:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808bd83d.shtml

    - Jason

  • User account question

    I have an ASA 5520, and we are the subject of an audit. Is it possible to display a list of users/accounts? I am responsible for all users that have login rights to the ASA. All of these users are in Active Directory, but I was informed the "anyconnect group" is a catch-all group that is not exhaustive.

    Hi Burgessf,

    To see all the user accounts created locally on the ASA, go to ASDM ---> Device Management ---> Configuration ---> Users/AAA ---> User Accounts.

    If Active Directory is integrated for user authentication, then also check the OU specified in the Base DN attributes. The ASA can only query this OU for user authentication.

    Device Management ---> Configuration ---> AAA Server Groups ---> Servers in the selected group ---> select the AD server ---> Edit ---> Base DN ---> OU=, this is the specified OU.

    All users in the specified OU can connect to the device, but they can have different permission levels.

  • Update software remotely active / standby ASA 5520

    Hello

    We have a pair of 5510s and a pair of 5520s, each in active/standby mode. I would like to upgrade the ASDM and ASA software on these, but can't find any documentation advising how this can be done without physical access to the devices. For now I am on site, but we will deploy these throughout our network and I would like to be able to perform this type of maintenance without having to travel to each site.

    We use CSM and ASDM to manage these most of the time, but are certainly capable of configuration via the CLI.

    The question may reflect my lack of understanding of ASA fundamentals, but I really don't understand how the software can be copied to the individual ASAs of the pair so that they can be reloaded and upgraded in turn. My lack of understanding also makes the question difficult to word, so please forgive me. With a remote SSH connection to the pair, do I only copy the software to the active ASA? Or is there a way to get the software onto each disk individually over the single SSH connection? I'm not sure how the ASA handles this... If I can get the software to each ASA remotely (copy to different disks? i.e. disk0: and disk1:?), then I will also run into a problem updating the boot statement for each one individually, but to solve that I guess I could just remove the old software, though that seems bad practice before confirming the new software is ok.

    If there is an easier way to deploy the new code via ASDM or CSM, I am certainly open to that.

    Any advice or resources that anyone could offer would be extremely useful and appreciated.

    Thank you

    Justin

    Justin,

    This is exactly why. If you are using a version prior to 8.4.1, routing table information is not replicated between the devices.

    Information that is not passed to the standby unit when failover is enabled includes:

    • The HTTP connection table (unless HTTP replication is enabled)

    • The user authentication (uauth) table

    • The routing tables

    • State information for security service modules

    http://Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

    If your default route gateway is learned via EIGRP and you are trying to access from the internet, you won't be able to reach the secondary unit.

    Workaround: configure a static default gateway with a higher metric so that it appears in the running configuration and is sent to the secondary unit.

    If you have questions, let me know.

    Mike

  • Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs

    Hello

    I have set up Cisco NAC in my environment. It all works well. Users get authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to Cisco ACS for the user database part. It all works well. I would like to enable downloadable ACLs. I tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in the shared components, but nothing works. Either I'm doing it wrong, or this configuration of mine does not support downloadable ACLs? Please advise.

    Kind regards

    RAM

    + 6 012-2918870

    Hello

    It is not possible.

    You cannot push the ACL in the NAC manager.

    If you do RADIUS authentication from the NAC Manager, what you can do is create roles in the NAC Manager, and on the roles you define traffic policies.

    Using the RADIUS attributes you can then map users to roles.

    Please, take a look at this:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.

  • TIME BASED ACLS ON FIRESIGHT MANAGER

    Dear all,

    We use Cisco FirePOWER Management Center for VMware, in which we have created several rules under Policies --> Access Control. But we want some rules to run only in a defined time interval. Can anyone please help with this configuration.

    Screenshot is attached.

    Thank you very much.

    Raja,

    Sorry, but this feature is not currently available.
