Centralized content with ASA filtering
Hi all
I was wondering if it is possible to install an ASA with a CSC-SSM-20 module and a 500-user license in central administration, to allow it to work with Microsoft AD and function as a proxy for content filtering for remote sites and mobile users. Basically, what we need to achieve is that remote-site users authenticate with AD via VPN and, before going out to the web through their local ISP, pass through content filtering on the ASA at HQ.
In this case, would all the remote-site Internet traffic need to go out through the ISP at HQ?
Another solution is to implement content filtering with Trend Micro on the 800 routers at each site, but the license would be very costly for the 60+ sites.
Thanks for your suggestions.
So from what you say, you'll have the ASA terminate the VPN for your remote users, and then you want the ASA with the CSC to do URL filtering based on AD.
Well, that might work if all of your users' web traffic hits the ASA (and turns around on it). If you use split tunneling for web traffic, it will not work, because the ASA does not see the browsing traffic.
I hope that makes sense.
PK
Similar Questions
-
Can I go from OS X Lion directly to El Capitan without an intermediate upgrade? I have a late-2011 MacBook Pro. Safari no longer works with a lot of web content on this OS.
Yes.
-
MSN Outlook, Hotmail: "IE has blocked this site from displaying content with security certificate errors. Click here for options..."
How can I get rid of this irritating pop-up message whenever outlook is open?
Without knowing what are certificate errors, it is a shot-in-the-dark.
80-90% of certificate errors in Windows XP can be attributed to one of the following two issues:
- Time: the date, time, time zone, or daylight saving setting on your computer is not set correctly. The time on your machine should be within 5 minutes of real time for certificates to authenticate properly. Right-click on your taskbar clock and select the time settings to check for the correct time. Synchronizing the time via the Internet can solve this problem.
- Windows XP does a poor job of keeping its root certificates (the certificates against which all other certificates are validated) up to date. The newer versions of Windows do a much better job. It certainly wouldn't hurt to update your root certificates, and in many cases this is all you need. To update, visit the following article:
"Windows Root Certificate Program Members"
<http://support.Microsoft.com/kb/931125>
Then scroll down to the subsection titled "Root Update Package (for Windows XP only)". Then click the "Update for Root Certificates for Windows XP..." link. This will take you to the latest downloadable update. Download the package to your computer and double-click it to update your certificates.
One of the above should solve your problem.
HTH,
JW
-
I finally got my computer running without any problem and all my programs work very well; the last time I upgraded to Windows 8.1, I had all sorts of issues. So my question is: do you have to upgrade to Windows 8.1, or is it a corridor of contention with no option? Right now I can decide if I want to use SkyDrive or not, but with Windows 8.1 with OneDrive it automatically loads my photos and documents with my knowledge and I have to go searching to see where they went. Don't forget I'm old and want to do it my way. Pavilion p6 2378, with Windows 8, 64-bit.
You are not required to update to 8.1, but it is beneficial because it is more stable. With 8.1, you will be eligible to get the free Windows 10 update when it comes out at the end of the year.
As far as OneDrive goes, you can disable the download of your files by changing the settings; see also this:
http://www.eightforums.com/tutorials/29426-onedrive-integration-Windows-8-1-enable-disable.html
-
NAC Appliance with ASA (for remote user VPN)
I have a pair of Cisco 5520 firewalls which are used as a VPN gateway (for remote user VPN) and as a perimeter Internet firewall (to provide outbound Internet connectivity).
We allow the NAC to remote VPN users. I have it will be deployed with active 3 layer inband.
The problem with this design is how to ensure that outgoing Internet traffic does not pass through the CAS.
I heard about a couple of options:
- ACB (to send only the remote VPN users' IP subnet through the CAS)
- ASA version 8.x feature (restrict access to VLAN under Group Policy).
I intend to do it with the ASA firewall, where I can set up a new subinterface on the ASA (with a new VLAN tag) and, under the group policy for remote user VPN, select the option to "restrict access to" the new VLAN.
My question is: will it still work (even if the firewall has a route to the internal network via the 'inside' interface and NOT the new NAC interface)? If this does not work, please let me know what the other options are for this type of deployment.
Thanks in advance.
Hello
It should work. Please see the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102
HTH,
Faisal
-
[ACS 5.4] PEAPv1 authentication with MAC filtering
Hello
Our WiFi uses PEAPv1 authentication.
It works very well with different devices (computer, tablets, smartphones).
Now, I want to filter the devices of the company. We have all the MAC addresses of these devices.
Is it possible to activate authentication PEAPv1 combined with MAC filtering in Cisco ACS?
I don't want to filter addresses MAC on WLC...
Thank you
Patrick
Hi Patrick,
See if this helps:
http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml
https://supportforums.Cisco.com/thread/2163123
Agentless network access:
Ed
-
Remote access VPN with ASA 5510 by using the DHCP server
Hello
Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?
I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:
!
ASA Version 8.2(5)
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.6.0.12 255.255.254.0
!
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0   (worked with it)
!
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
!
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
!
vpn-addr-assign aaa
vpn-addr-assign dhcp
!
group-policy testgroup internal
group-policy testgroup attributes
 dhcp-network-scope 10.6.192.1
 ipsec-udp enable
 ipsec-udp-port 10000
!
username testlay password * encrypted
!
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 default-group-policy testgroup
 dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
I got the following output when I tested connecting to the ASA with Cisco VPN client 5.0:
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO
4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, IP = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device
[OK]
KenS-mgmt-012 #
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048)
, : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740)
, : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80
Kind regards
Lay
For RADIUS, you need an aaa-server definition:
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.10.18.12
 key *
 authentication-port 1812
 accounting-port 1813
and point your tunnel-group at this server:
tunnel-group VPN general-attributes
 authentication-server-group NPS-RADIUS LOCAL
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
-
Blocked the hotmail Web site to display content with security certificate errors
Blocked the hotmail Web site to display content with security certificate errors.
Need help with answers.
Hello
1. which browser is installed on the computer?
2. were there any changes (hardware or software) to the computer before the show?
Perform the steps from the link if you have Internet Explorer and check.
Answer to us if you are having problems with Internet Explorer security certificate errors or any other problem of Windows, and I'd be happy to help you.
Good day!
Hope this information helps.
-
No Internet connectivity with ASA 5505 VPN remote access
Hello
I configured an ASA 5505 for remote access VPN to allow a remote user to connect to the remote office LAN. The VPN works well, and users can access office LAN resources such as shares, but once they have connected to the VPN, they are unable to browse the Internet.
Internet browsing stops working as soon as their VPN client connects to the ASA 5505; once they disconnect from the VPN, they can browse the Internet again.
Is the ASA 5505 blocking Internet browsing for VPN users? Is there anything else that I need to configure to ensure that VPN users can browse the Internet?
Do I have to configure split tunneling, NAT or routing for VPN users, or something else?
Thank you very much for your help.
Regards
Salman
Salman
What you have run into is a default behavior of the ASA, in which it will not route traffic back out the same interface on which it arrived. So if the VPN traffic arrived on the outside interface, the ASA does not want to send it back out the outside interface for Internet access.
You have at least 2 options:
- You can configure split tunneling, as you mention, and this would allow Internet browsing to continue while the VPN is in use.
- You can set an option on the ASA to allow traffic back out the same interface (this is sometimes called crossed). Use the command
same-security-traffic permit intra-interface
HTH
Rick
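The two designs discussed in the threads above (sending all VPN client traffic through the head-end ASA and back out to the Internet, versus split tunneling), as an added configuration sketch in ASA 8.2-style syntax. It is not from the original posts; the pool, access-list and group-policy names and the address ranges are assumed for illustration.

```text
! Added example, not from the original posts. All names and addresses are assumed.
! Assumed: the VPN terminates on "outside", clients draw from 192.168.50.0/24,
! and the HQ LAN behind "inside" is 10.6.0.0/16.
ip local pool RA-POOL 192.168.50.10-192.168.50.250 mask 255.255.255.0
!
! Keep HQ <-> VPN client traffic out of NAT.
access-list NONAT extended permit ip 10.6.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- Option A: full tunnel, Internet traffic turns around on the ASA ---
! Permit traffic to enter and leave on the same interface (VPN in, Internet out).
same-security-traffic permit intra-interface
! PAT the VPN pool to the outside interface address so replies find their way back.
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
!
group-policy RA-FULL internal
group-policy RA-FULL attributes
 split-tunnel-policy tunnelall
!
! --- Option B: split tunnel, only HQ networks go through the tunnel ---
access-list RA-SPLIT standard permit 10.6.0.0 255.255.0.0
!
group-policy RA-SPLIT internal
group-policy RA-SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
```

With Option B the clients' web sessions leave through their local ISP and never cross the ASA, so filtering applied at HQ cannot see them; Option A is the only one of the two that puts browsing traffic on the ASA.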
-
doubt Doc-ID 1618305.1 How to install and configure the user interface with WebCenter content 11.1.1.8.0 content
The portal_domain field contains;
AdminServer (admin) and Enterprise Manager, (port 7001)
IBR_server1, (port 16250)
UCM_server1, (port 16200)
WC_Spaces1, (port 8888).
On the same machine, I have another weblogic, admin and for the ITS.
The case is that continued to develop for the upgrade to the new skin WebCenter content.
That's my goal.
Then I did some research and came to the following notes in support.
1 - how to install and configure the UI content with WebCenter content 11.1.1.8.0 and 11.1.1.9.0 (Doc ID 1618305.1()
and
2 - update of the 11.1.1.8.0 UI content after you apply the Patch of Bundle WebCenter content 3 (MLR 3) or higher (Doc ID 1617477.1()
The UCM_server1 has the following home: /app/oracle/Middleware/Oracle_ECM1/
And the list of patches;
===================================================================================================
Installed Top-level Products (1):
Oracle WebCenter content management install 11.1.1.8.0
There are 1 products installed in this Oracle Home.
Installed products (40):
Cloning of the 11g Application Server 11.1.1.8.0 component
Enterprise Manager Application Server Integrator Plugin - Management Service Support11.1.1.7.0
FMW Control Plugin for Oracle inbound refinery 11.1.1.8.0
FMW Control Plugin for Oracle WebCenter Capture 11.1.1.8.0
Component install SDK 11.1.0.9.0
Oracle Application Server Configuration 11.1.1.7.0
Part of Oracle 11.1.1.7.0 Bali
Oracle 11.1.1.8.0 capture
Common files Oracle WebCenter content management 11.1.1.8.0
Oracle Content Server 11.1.1.8.0
Content of Oracle 11.1.1.8.0 Server component
Content access Content Server Oracle 11.1.1.8.0
Access to the contents of the Oracle Content Server 11.1.1.8.0 files
Oracle Content Server Core 11.1.1.8.0
Oracle 11.1.1.8.0 server content distribution
Oracle extended Windowing Toolkit 11.1.1.7.0
Oracle Fusion Middleware Admin Config 11.1.1.6.0
Oracle Help for Java 11.1.1.7.0
Oracle Help for the Web - UIX 11.1.1.7.0
Oracle Help for the Web Shared Library 11.1.1.7.0
Oracle Help share library 11.1.1.7.0
Ice browser Oracle 11.1.1.7.0
Oracle IRM 11.1.1.6.0
Oracle extended JFC Windowing Toolkit 11.1.1.7.0
One-time correction of Oracle 11.1.0.9.9 installer
Oracle outside in technology 8.4.0.0.0
Oracle Remote Client of Intradoc 11.1.1.8.0
Component of Oracle 11.1.1.7.0 rules
Oracle SOA 11.1.1.7.0 workflow
Universal Oracle install 11.1.0.9.0
Oracle Upgrade Wizard 11.1.1.8.0
Oracle Upgrade Wizard 11.1.1.8.0
Upgrade Oracle WebCenter content management 11.1.1.8.0 Assistant
Oracle WebCenter Capture 11.1.1.8.0
Oracle Webcenter content - rights 11.1.1.7.0 documentalist
Oracle WebCenter content - Universal Content Manager 11.1.1.8.0
Oracle WebCenter content management install 11.1.1.8.0
Oracle WebCenter content 11.1.1.8.0 management product suite
Oracle WebCenter content: Imaging 11.1.1.8.0
OracleAS Documentation 11.1.1.8.0
There are 40 products installed in this Oracle Home.
Interim patches (2):
Patch 18188143: applied on Wed Mar 19 17:37:32 BRT 2014
Patch ID: 17263162
Created February 5, 2014, 12:56:41 pm
Bugs fixed:
Location of patch in the inventory:
/app/Oracle/middleware/Oracle_ECM1/Inventory/oneoffs/18188143
Patch location in the storage area:
/app/Oracle/middleware/Oracle_ECM1/.patch_storage/18188143_Feb_5_2014_12_56_41
Patch 18088049: applied on Wed Mar 19 17:35:58 BRT 2014
Patch ID: 17182855
Created February 16, 2014 20:35:48 hrs PST8PDT
Bugs fixed:
OPatch succeeded.
==============================================================================================
And contains the following configurations in config.cfg
==============================================================================================
SocketAddressHostSecurityFilter = 127.0.0.1 | 0:0:0:0:0:0:0:1 | 192.168.1. * | 10.62.1.79
xPortalSecurityPropagate = true
Web server = javaAppServer
AllowUpdateForGenwww = 1
SearchIndexerEngineName = OracleTextSearch
IndexerDatabaseProviderName = SystemDatabase
AdditionalEscapeChars = -: #.
FileEncoding = UTF8
MaxQueryRows = 2000
DisableAuthorizationTokenCheck = true
IntradocServerPort = 4444
SchemaPublishInterval = 604800
SSAllowDelayedProjectWrites = true
IdcServerThreadQueryTimeout = 120
DisableQueryTimeoutSupport = false
MaxSearchConnections = 20
#Cache
UseSearchCache = false
#
#AdditionalEscapeChars = _: #, -: {-}, has: A, GOLD: GOLD, CAN: CAN, AND: AND at the END:
# Accesing a content item on a mapped Web URL (WebUrlMap) fails with the error: "unable to retrieve the content. Security access denied» (Doc ID 1639028.1()
MaxAccountsInSecurityClause = 300
# end (Doc ID 1639028.1()
#Search fails for external users in WCC after upgrade to 11.1.1.8.0 (Doc ID 1676468.1()
DoCaseInsensitiveAcctSearch = false
# end (Doc ID 1676468.1()
#MigrationFormatForfApplicationGUID = dCollectionName:dCollectionGUID
==============================================================================================
To my UCM_Server1 content WebCenter.
As I already have a WebCenter content I have to follow the second part of the note
How to install and configure the UI content with WebCenter content 11.1.1.8.0 and 11.1.1.9.0 (Doc ID 1618305.1).
Install and configure content WebCenter ADF WebUI against WebCenter Content Server
Step 1) install the MDS schema
Step 2) Install the WebLogic Server
Step 3) Download and install Oracle Application Development Framework 11g R1 (11.1.1.6.0) in the new WebUI WLS Middleware home, found here
Step 4) Download and apply Patch 16546129.
Step 5) Download and apply Patch 16546157.
Step 6) Download and apply Patch 19469801, and then Patch 18102108
Step 7) copy the wccadf files in the field of user interface
Step 8) Oracle on demand services (MDS) metadata registry
Step 9) Place the WebCenter content domain user interface model
Step 10) run the Setup Wizard on the new home of Middleware WebUI to create the new domain
Step 11) updated the Oracle ADF of shared libraries
Step 12) start the domain WebUI administration server
Step 13) Save target Managed Server with the MDS repository and create the metadata partition
Step 14) start the server managed WebUI.
Step 15) associate UI WebCenter content to Content Server.
Step 16) reboot the WebUI ADF server managed.
Step 17 access the WebUI
Step 18) complete the Configuration of the workflow
Step 19) apply the latest Patch Bundle content UI of WebCenter
MY DOUBT IS:
After reading the steps, I understood that when I finish step 19 successfully, I will end up with another WebLogic with its own domain and its respective EM.
Will I have two WebLogic servers?
portal_domain (explained above) and a new WLS with the wccui_domain domain.
Is this correct?
Two WLS to keep WebCenter Portal and Content, and the other elements.
Why am I not able to do this with the same WLS where I have UCM_server1 today?
Thanks for all suggestions and criticism.
Yes, up to 11.1.1.9.0, you will need to install a new WLS home (new WLS admin server) and then configure the WCC UI there. The user interface and COE will not work in the same domain. You can have the Portal and Content under the same WLS home and install a new one for the user interface.
This is due to a problem with the ADF and WCC libraries.
With 12c, this dependency is not there, and you can install/configure all 3 applications (Portal, Content and ADF UI) on the same domain.
-
How to show only layers with layer filtering layers?
Is there a way to show in the Layers panel only the layers, files, colors, text, et al. that I've worked with in a specific layer comp? I thought I could achieve this with layer filtering, but the closest I get is with "Selected"; the problem is that I lose my folder structure.
Thank you in advance for your help.
Attribute > Visible (edit: with this layer selected either Comp)?
-
I just got a new office Win 7 PC, and when connecting to Adobe.com, Internet Explorer gives an 'Internet Explorer blocked this site from displaying content with security certificate errors' message that I can't get past. I added adobe.com to Trusted Sites. I tried lowering the security level. I downloaded Firefox and it seems to work fine. So there must be a setting in IE. Has anyone else solved this problem?
A PC tech solved both of my problems. The techs have a file of certificates on one of their servers. He ran it and it updated the certificate, allowing IE to connect to Adobe.com. Second, I received a "No Internet Connection" message when trying to run the CreativeCloudSetup file. We started Symantec Endpoint Protection and then stopped it again. It worked. It didn't matter that I had already turned it off. I had restarted the PC several times. Starting and stopping worked. Hope this helps someone else out there.
-
You can create a table of contents with page numbers using bookmarks?
You can create a table of contents with page numbers using bookmarks?
Sometimes a long article has bookmarks to help navigate, it but has no real TOC (table of contents) on the first page. In such a situation, I think that it would facilitate the reading of the paper version if you can somehow create a table of contents with page based on hierarchical bookmarks in the document numbers.
If this is not possible from Acrobat, is there a third party app?
Indeed you have created a script for this - sorry that I missed it. I should have...
Acrobat - Create TOC bookmarks
-
I have Captivate 7 and would like to know if it is possible to filter some slides out of the TOC.
The point here is that they may not be static, but change the slides to show transparently based on the choice of the user.
== Example ==
You have a file containing below 3 slides captivate. (A, B, C)
And each slide content is needed for the subject in []. (I, II, III)
A [I, II AND III]
B [II, III]
C [I, III]
Let's say the user wants to know about topic II.
Then the user should only see slides A and B.
If the user wants to know about topic I, then only slides A and C are shown in the table of contents.
== End of example ==
In my view, that's not possible with only using Captivate and research to achieve anyway. (for example. Load the captivate through Flash and control the captivate Flash with AS3 file).
Thanks in advance for your help.
You have no control of this type over the default TOC that is included with Captivate. You can have this control if you create a custom table of contents and use advanced actions/variables. Advanced actions are converted at runtime to AS3 (for SWF) or JS (for HTML5). Since you talk about Flash, I assume you want SWF output. I know a lot about the supplied system variables; there may be some hidden variables that you can address with AS3 or (better IMO) with JS, but the only system variables for the table of contents are to lock it or hide/show it (if in overlay).
-
Strange thing happening with ASA and RDP by filtered VPN
Hello
I'm hoping to get support here anymore as I am clearly out of options.
I have 3 ASAs: two 5505s and a 5510.
All of them are connected via the internet by VPN.
One 5505 is on my premises and I use the VPN to service the 2 other sites, which belong to the same customer. Clearly, I want to filter the VPN traffic going to the other locations as well as the traffic coming from them.
The strange thing is that if I put a permit ip any any on the ACL filter I can use RDP, but when I apply the filter where I permit TCP/3389, I get an error that the server is not found.
In the logging, I see the packet hit the ACL:
<167>:Jul 05 21:13:19 CEDT: %ASA-session-7-106102: access-list VPN_Filter permitted tcp for user '' User-Lan/192.168.1.87(58603) -> XS4ALL/172.31.2.12(3389) hit-cnt 1 first hit [0xbe2548e2, 0x0]
<166>:Jul 05 21:13:19 CEDT: %ASA-session-6-302013: Built outbound TCP connection 43436 for XS4ALL:172.31.2.12/3389 (172.31.2.12/3389) to User-Lan:192.168.1.87/58603 (192.168.1.87/58603)
VPN filter:
access-list VPN_Filter extended permit ip any any log debugging inactive
access-list VPN_Filter extended permit object RDP object-group DM_INLINE_NETWORK_8 object Lan-Pat
access-list VPN_Filter extended permit udp object-group DM_INLINE_NETWORK_4 object Lan-Pat eq tftp
access-list VPN_Filter extended permit icmp object-group DM_INLINE_NETWORK_1 object Lan-Pat log debugging
access-list VPN_Filter extended permit tcp object-group DM_INLINE_NETWORK_3 object Lan-Pat eq www
access-list VPN_Filter extended permit tcp object-group DM_INLINE_NETWORK_5 object Lan-Pat eq https
access-list VPN_Filter extended permit tcp object-group DM_INLINE_NETWORK_6 object Lan-Pat object-group DM_INLINE_TCP_1
access-list VPN_Filter extended deny ip any any log debugging
Any help will be greatly appreciated!
If you open an RDP session from your PC to the client, port TCP/3389 is used on the client side and not on your side. So your ACL should be the following:
access-list VPN_Filter extended permit tcp 172.31.2.0 255.255.255.0 eq 3389 192.168.1.0 255.255.255.0
Remember: in a VPN-filter is the syntax = remote destination, local = source. Port 3389 is on the remote end.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
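The filter logic from the answer above, as an added example (not code from the thread or from Cisco): a simplified Python model of vpn-filter matching, assuming the documented convention that an ACE's source fields are matched against the remote side of the tunnel and its destination fields against the local side. The PORT_ON_LOCAL rule is a constructed counter-example; the flow is taken from the syslog lines in the question.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    # vpn-filter convention (assumed here): the ACE "source" fields describe the
    # REMOTE side of the tunnel and the "destination" fields the LOCAL side.
    action: str
    proto: str
    remote_net: ipaddress.IPv4Network
    remote_port: Optional[int]
    local_net: ipaddress.IPv4Network
    local_port: Optional[int]

def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny PROTO NET MASK [eq PORT] NET MASK [eq PORT]' (subset of ASA syntax)."""
    tok = line.split()
    action, proto, i, sides = tok[0], tok[1], 2, []
    for _ in range(2):
        net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")
        i += 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        sides.append((net, port))
    (rnet, rport), (lnet, lport) = sides
    return Ace(action, proto, rnet, rport, lnet, lport)

def vpn_filter_allows(aces, proto, local, remote) -> bool:
    """local and remote are (ip, port). Who opened the connection is not an input:
    each ACE is matched on which side of the tunnel an endpoint sits."""
    (lip, lport), (rip, rport) = local, remote
    for a in aces:
        if (a.proto in (proto, "ip")
                and ipaddress.ip_address(rip) in a.remote_net
                and ipaddress.ip_address(lip) in a.local_net
                and a.remote_port in (None, rport)
                and a.local_port in (None, lport)):
            return a.action == "permit"
    return False  # implicit deny at the end of every ACL

# Rule from the answer above: port 3389 attached to the remote network.
FIXED = [parse_ace("permit tcp 172.31.2.0 255.255.255.0 eq 3389 192.168.1.0 255.255.255.0")]
# Constructed counter-example: same networks, port attached to the local side.
PORT_ON_LOCAL = [parse_ace("permit tcp 172.31.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389")]

# Flow taken from the syslog lines in the question.
RDP_FLOW = dict(proto="tcp", local=("192.168.1.87", 58603), remote=("172.31.2.12", 3389))

if __name__ == "__main__":
    print("fixed rule:", vpn_filter_allows(FIXED, **RDP_FLOW))
    print("port on local side:", vpn_filter_allows(PORT_ON_LOCAL, **RDP_FLOW))
```

Because the match ignores who opened the connection, the corrected ACE also matches any flow whose remote-side port is 3389, so keep the network fields as narrow as the deployment allows.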