Equivalent command to 'ip tacacs source-interface' on the ASA

Is there an equivalent command to 'ip tacacs source-interface' on the ASA? We have an L2L VPN between 2 ASAs, the AAA server is reached through the VPN tunnel, and I want the ASA to go to ACS with the inside interface as the source, not the outside. The aaa-server command is pointed at the outside interface and management-access to the inside is set up, but packets are always routed using the outside interface as the source. Is there no workaround apart from NAT on the outside?

Yes, you can specify the interface within the aaa-server command when you set the IP address of the server.

For example:

aaa-server mytacacs (inside) host 10.1.1.1

Here is the command for your reference:

http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/A1.html#wp1596947

Hope that helps.

Tags: Cisco Security

Similar Questions

  • The 'ip tacacs source-interface' command does not work

    I have a C3750 L3 switch that is part of a project to get authentication based on the configured ACS, and while I'm able to get most of the devices working, this switch will not accept the ip tacacs source-interface command. Can someone confirm whether this is an IOS problem?

    C-3750-a(config)# ip tacacs source-interface loopback0
                             ^
    % Invalid input detected at '^' marker.

    Current IOS on the device:

    Switch Ports Model              SW Version    SW Image
    ------ ----- -----              ----------    ----------
    *    1    28 WS-C3750G-24PS     12.2(44)SE    C3750-ADVIPSERVICESK9-M
         2    28 WS-C3750G-24PS     12.2(44)SE    C3750-ADVIPSERVICESK9-M

    --

    Thank you!

    It's a bug:

    CSCsm28901

    'ip tacacs source-interface' command missing in 12.2.44SE.

    Please move to another IOS.

  • Specifying a source interface

    Does anyone know if there is a way to force a packet from a router to be sourced from a specified interface? I'm running into a situation where my service provider may not necessarily know all the subnets that are hosted on a router, and I want to force the management traffic to come from a back-end interface located in the carrier's address space. Thanks for your help!

    ip tacacs source-interface

    ip tftp source-interface

    ip telnet source-interface

    ip ssh source-interface

    ip radius source-interface

    http://www.Cisco.com/en/us/partner/products/SW/iosswrel/ps1831/products_command_reference_chapter09186a00800e3efa.html#wp1017795

  • Ping with source interface

    Hello all

    We have an IPsec tunnel to headquarters. Our local address pool is 10.0.0.0/24. On the router, when I ping a remote server (ping 192.168.1.1) it does not work. But when I ping with the source interface (bvi1 = 10.0.0.1/24), it works: ping 192.168.1.1 source bvi1.

    Could you please tell me the difference between the two commands, and why I can't ping the normal way? If a computer is in the 10.0.0.0/24 subnet, can it ping the remote server?

    Thank you

    Triet

    It all depends on what is in your crypto access list. So, if your crypto access list reads something like

    access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 (router version)

    or

    access-list vpntraffic permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (PIX version)

    you can generate a ping with a source IP address in the 10.0.0.x range. When you ping from the router without specifying the source, the interface used by the router is the outside interface. If the IP address of the outside interface is not in your crypto map access-list, then it will not work.

    Jon
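As an added illustration of Jon's point, not part of the original thread: the following Python models the wildcard-mask matching an IOS crypto ACL performs and applies it to the two ping cases from the question. The ACL line is the router-version line quoted in the reply; the interface addresses (10.0.0.1 for bvi1, 203.0.113.2 standing in for the router's outside address) are constructed for the example. The parser also accepts the `host` and `any` address forms, which the reply does not show.

```python
"""Added example, not code from the original thread: a small model of an IOS
extended access list with wildcard masks, used to show which source addresses
are "interesting traffic" for a crypto map.

The crypto ACL line is the router-version line quoted in the reply. The
interface addresses are constructed: 10.0.0.1 for bvi1 (from the question)
and 203.0.113.2 as a documentation-range stand-in for the outside address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY_WILDCARD = "255.255.255.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must equal the base, a 1 bit is don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _parse_address_spec(tokens: List[str], pos: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[pos]."""
    if pos >= len(tokens):
        raise ValueError("truncated address specification")
    if tokens[pos] == "any":
        return "0.0.0.0", ANY_WILDCARD, pos + 1
    if tokens[pos] == "host":
        if pos + 1 >= len(tokens):
            raise ValueError("'host' without an address")
        return tokens[pos + 1], "0.0.0.0", pos + 2
    if pos + 1 >= len(tokens):
        raise ValueError("address without a wildcard mask")
    return tokens[pos], tokens[pos + 1], pos + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse a numbered extended ACL line for protocol 'ip' (the crypto ACL case)."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, src_wc, pos = _parse_address_spec(t, 4)
    dst, dst_wc, _ = _parse_address_spec(t, pos)
    return AclEntry(t[2], src, src_wc, dst, dst_wc)


def acl_decision(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


# Crypto ACL exactly as quoted in the reply (router version).
CRYPTO_ACL = [parse_acl_line("access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255")]

# Constructed interface addresses for the example.
INTERFACES = {"bvi1": "10.0.0.1", "outside": "203.0.113.2"}


def ping_source(source_interface: Optional[str]) -> str:
    """'ping X' is sourced from the egress (outside) interface; 'ping X source bvi1' from the LAN."""
    return INTERFACES[source_interface or "outside"]


def ping_enters_tunnel(source_interface: Optional[str], dst: str = "192.168.1.1") -> bool:
    """True when the echo request matches the crypto ACL and is therefore encrypted into the tunnel."""
    return acl_decision(CRYPTO_ACL, ping_source(source_interface), dst) == "permit"


if __name__ == "__main__":
    for iface in (None, "bvi1"):
        verdict = "enters tunnel" if ping_enters_tunnel(iface) else "not interesting traffic, no tunnel"
        print(f"ping 192.168.1.1 source={iface or '(default: outside)'} -> {verdict}")
```

Run with python3: the plain ping, sourced from the outside address, falls outside the crypto ACL, while the bvi1-sourced ping matches it. A LAN host in 10.0.0.0/24 is evaluated by the same entry, which is why the reply says any source in the 10.0.0.x range works.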

  • In Gimp, there is a command called "alpha to selection", which selects only the alpha channel. What is the equivalent command in Photoshop?

    In Gimp, there is a command called "alpha to selection" which automatically selects the alpha channel of the image or layer. What is the equivalent command in Photoshop? I tried Googling it but everything that comes up is tutorials on masks. I just want to know how to select the alpha automatically without using the magic wand to select one region at a time.

    Cmd (Mac) or Ctrl (PC) click on anything that has transparency and that loads a selection. This includes layers with transparency, layer masks, channels and paths. Also, there is a load-selection icon at the bottom of the Layers, Paths and Channels panels that looks like a dotted circle.

  • Equivalent command in OAF for what Post-Record does in Forms

    Hello

    What is the equivalent command in OAF for the when-validate trigger in Forms?

    --
    Kumar

    Use the method named validateEntity() in the entity object.

    Reference http://oracle.anilpassi.com/oa-framework-interview-questions-2.html

    -Anand

  • GRE over IPsec - choosing a source interface

    I have a 3660 with two T1s from different providers running BGP. Our ASN space is on f0/0, with the two T1 serial interfaces having serial addresses on the networks of their respective providers.

    I am trying to configure an IPsec tunnel and did so off one of the serial interfaces (as I normally do in smaller offices with a single T1). I then reconfigured the crypto map to be on f0/0 and made any other relevant changes on both sides to source this traffic from f0/0. IPsec negotiates and comes up on the 3660; I even see an EIGRP peer come up with the remote. This peer eventually drops, and watching it shows the remote sending and the 3660 receiving, but no packet ever leaves the 3660 (on its side).

    Any suggestions on where to start looking, or is there a best/recommended/example configuration of a similar setup I could look at?

    Thanks in advance,

    Daryl

    To bind the crypto map to an interface, use the command:

    crypto map <map-name> local-address <interface>

    For example:

    crypto map crypt-map1 local-address Loopback2

    -Brett

  • could not ping via source interface

    Hi all

    Can someone help me solve my problem. Below is the sh run from all the routers. Routers R1, R2, R3 and R4 all communicate OK, but when I try to ping R1 from R4 with the f0/0 interface as source, I don't get a ping; if I ping normally from R1 to R4 it works.

    Similarly for R3, but here I only include the sh run of R1, R2 and R4.

    I even added a static route on R1 to R4 but I still can't.

    R4#ping 10.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/84 ms

    R4#ping 10.1.1.1 source f0/0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 172.41.1.1
    .....
    Success rate is 0 percent (0/5)

    ---------------------------------------------------------------------------------------------------------------------

    R1#sh run
    ----------------------------------------------------------------------------------------------
    Building configuration...

    *Sep  1 11:20:11.163: %SYS-5-CONFIG_I: Configured from console by console
    Current configuration : 2048 bytes
    !
    ! Last configuration change at 11:20:11 UTC Thu Sep 1 2016
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    ip source-route
    no ip icmp rate-limit unreachable
    !
    no ip domain lookup
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    ip tcp synwait-time 5
    !
    interface Loopback4
     ip address 10.1.1.1 255.255.255.0
    !
    interface Loopback5
     ip address 10.1.2.1 255.255.255.0
    !
    interface Loopback6
     ip address 10.1.3.1 255.255.255.0
    !
    interface Loopback7
     ip address 10.1.4.1 255.255.255.0
    !
    interface Loopback8
     ip address 10.1.5.1 255.255.255.0
    !
    interface Loopback9
     ip address 10.1.6.1 255.255.255.0
    !
    interface Loopback10
     ip address 10.1.7.1 255.255.255.0
    !
    interface Serial2/0
     ip address 172.12.1.2 255.255.255.0
     serial restart-delay 0
    !
    router rip
     version 2
     network 10.0.0.0
     network 172.12.0.0
     no auto-summary
    !
    no ip http server
    no ip http secure-server
    ip route 172.41.0.0 255.255.255.0 Serial2/0
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line vty 0 4
     login
    !
    end

    R2
    ------------------------------------------------------------------------------------------------------------
    R2#sh run
    Building configuration...

    Current configuration : 2163 bytes
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !
    hostname R2
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    ip source-route
    no ip icmp rate-limit unreachable
    !
    no ip domain lookup
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    ip tcp synwait-time 5
    !
    interface FastEthernet0/0
     no ip address
     shutdown
    !
    interface Serial2/0
     ip address 172.12.1.1 255.255.255.0
     serial restart-delay 0
    !
    interface Serial2/1
     ip address 172.23.1.1 255.255.255.0
     serial restart-delay 0
    !
    interface Serial2/2
     ip address 172.24.1.1 255.255.255.0
     serial restart-delay 0
    !
    router ospf 1
     log-adjacency-changes
     redistribute rip metric 1000 subnets route-map rahul
     network 172.0.0.0 0.255.255.255 area 0
    !
    router rip
     version 2
     redistribute ospf 1 metric 12 route-map pooja
     network 172.12.0.0
     no auto-summary
    !
    no ip http server
    no ip http secure-server
    !
    access-list 5 permit 10.1.1.0 0.0.0.255
    access-list 5 permit 10.1.2.0 0.0.0.255
    access-list 5 permit 10.1.3.0 0.0.0.255
    access-list 10 permit 172.30.1.0 0.0.0.255
    access-list 10 permit 172.30.2.0 0.0.0.255
    access-list 10 permit 172.30.3.0 0.0.0.255
    !
    route-map rahul permit 10
     match ip address 5
     set metric 2000
    !
    route-map rahul permit 20
    !
    route-map pooja permit 10
     match ip address 10
     set metric 15
    !
    route-map pooja permit 20
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line vty 0 4
     login
    !
    end

    R4
    -----------------------------------------------------------------------------------
    R4#sh run
    Building configuration...

    Current configuration : 1512 bytes
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !
    hostname R4
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    ip source-route
    no ip icmp rate-limit unreachable
    !
    no ip domain lookup
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    ip tcp synwait-time 5
    !
    interface FastEthernet0/0
     ip address 172.41.1.1 255.255.255.0
     duplex half
    !
    interface Ethernet1/0
     no ip address
     shutdown
     duplex half
    !
    interface Serial2/0
     ip address 172.24.1.2 255.255.255.0
     serial restart-delay 0
    !
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 172.24.1.1
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line vty 0 4
     login
    !
    end

    The route for R4 F0/0 (172.41.1.1) is not on R1.

    Add the route below on R1 and R2:

    R1
    ip route 172.41.1.0 255.255.255.0 Serial2/0

    R2
    ip route 172.41.1.0 255.255.255.0 Serial2/2
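To show why the reply above is the fix, here is an added example (not from the thread): a longest-prefix-match lookup over R1's routing table as it can be reconstructed from the posted sh run. The connected and static routes are taken from R1's configuration; the RIP-learned transit networks 172.23.1.0/24 and 172.24.1.0/24 (redistributed from OSPF by R2) are assumed. The point it makes: the static route the poster added, 172.41.0.0 255.255.255.0, covers 172.41.0.0 through 172.41.0.255 and so never matches R4's 172.41.1.1, while the default ping from R4 is sourced from 172.24.1.2, for which R1 does have a route.

```python
"""Added example, not code from the original thread: a longest-prefix-match
lookup over R1's routing table, built from the configuration posted above, to
show why a ping sourced from R4's FastEthernet0/0 (172.41.1.1) gets no reply
while a plain ping (sourced from Serial2/0, 172.24.1.2) succeeds.

Assumption: R1 learns the transit networks 172.23.1.0/24 and 172.24.1.0/24 via
RIP from R2 (R2 redistributes OSPF into RIP). The connected and static routes
are taken directly from R1's 'sh run'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: str        # next hop or exit interface
    source: str     # "C" connected, "S" static, "R" rip


class Rib:
    """Minimal routing table: the longest prefix wins, ties go to the first entry added."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, via: str, source: str) -> None:
        self.routes.append(Route(IPv4Network(prefix, strict=False), via, source))

    def add_static(self, line: str) -> None:
        """Parse 'ip route NETWORK MASK NEXTHOP|INTERFACE' as it appears in the posted configs."""
        t = line.split()
        if len(t) != 5 or t[:2] != ["ip", "route"]:
            raise ValueError(f"unsupported route line: {line!r}")
        self.add(f"{t[2]}/{t[3]}", t[4], "S")

    def lookup(self, dst: str) -> Optional[Route]:
        addr = IPv4Address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def build_r1_rib() -> Rib:
    rib = Rib()
    # Connected networks from R1's configuration (Loopback4..10 carry 10.1.1.0/24..10.1.7.0/24).
    rib.add("172.12.1.0/24", "Serial2/0", "C")
    for i in range(1, 8):
        rib.add(f"10.1.{i}.0/24", f"Loopback{3 + i}", "C")
    # RIP-learned transit networks: assumed, redistributed from OSPF by R2.
    rib.add("172.23.1.0/24", "172.12.1.1", "R")
    rib.add("172.24.1.0/24", "172.12.1.1", "R")
    # The static route exactly as posted: note it covers 172.41.0.x, not 172.41.1.x.
    rib.add_static("ip route 172.41.0.0 255.255.255.0 Serial2/0")
    return rib


def reply_reachable(rib: Rib, echo_source: str) -> bool:
    """R1 can only answer an echo request if it has a route back to the request's source."""
    return rib.lookup(echo_source) is not None


if __name__ == "__main__":
    r1 = build_r1_rib()
    for src in ("172.24.1.2", "172.41.1.1"):
        r = r1.lookup(src)
        print(f"echo from {src}: {'reply via ' + r.via if r else 'no route, reply dropped'}")
    # The fix from the reply above.
    r1.add_static("ip route 172.41.1.0 255.255.255.0 Serial2/0")
    print(f"after adding 172.41.1.0/24: echo from 172.41.1.1 replied via {r1.lookup('172.41.1.1').via}")
```

The same lookup explains the R2 half of the reply: R2 has no route for 172.41.1.0/24 either, so even once R1 can forward the reply toward R2, R2 needs its own static route out Serial2/2 to deliver it to R4.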

  • Specific shell - ACS command authorization / TACACS+ on 2900XL

    Hello all-

    I have been struggling with a particular issue here. I am running ACS 3.2 and trying to implement secure access to my switches. I have 'students' at my university that I want to allow to run specific functions, i.e. change a port's VLAN, write memory, etc.

    I created the authorization piece successfully, and my test account can log in. I have successfully assigned a privilege level of 7 as well, which gives me a basic default set of rights. Accounting works too, showing logins and the commands I enter.

    What I want to do is use ACS to permit a particular group of commands, so I can change it if needed in one place (ACS) and not touch 400+ devices. ACS says this can be done, but it doesn't seem to work. I created a Shell Command set and specified commands, no luck. Even if I change the 'unmatched commands' toggle to 'permit' (which should allow all commands, right?) it still does not allow all commands. I added the Shell Command set to the group of which the students are members...

    My AAA commands are as follows:

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authorization exec default group tacacs+ local

    aaa authorization commands 7 default group tacacs+

    aaa accounting exec default start-stop group tacacs+

    aaa accounting commands 7 default start-stop group tacacs+

    aaa accounting commands 15 default start-stop group tacacs+

    aaa accounting system default start-stop group tacacs+

    Any ideas? Any thoughts?

    Thank you!

    Michael

    QU.edu

    Michael,

    You are performing command authorization for commands that exist at privilege level 7. By default, configuration commands have a privilege level of 15. There are two ways you can go about solving this problem. The first would be to set up authorization for level 15 commands. The second would be to change the privilege level of the commands that you want your students to be able to run from level 15 to level 7. This can be done with the privilege command. Here is a link that shows how to use this locally within the device. http://www.Cisco.com/warp/public/480/Priv.html

    I don't know if ACS can push the configuration to the device on a per-user basis, so the first option may be your best bet. Be sure to allow access to all commands for yourself.

    Steve

  • Clientless SSL VPN - Source interface when traffic leaves firewall

    Hi all

    I'm trying to implement rules on my WAN perimeter firewall for all traffic coming from the Internet VPN firewall.

    The Internet firewall is also the VPN endpoint. The user connects to the Internet firewall through clientless WebVPN and gets several bookmarks that are the customer's WAN servers.

    Now, I have a network firewall that must act as a second layer to filter traffic. I therefore have to allow rules for all the bookmarks that users access across the WAN. The question here is: what would be the source IP address of the traffic coming from the Internet ASA and going to the bookmark/WAN server? Would it be the outside (Internet-facing) interface or the inside interface?

    Thank you!

    Kind regards

    Riou

    Hey Riou,

    Referring to this document, it states:

    "In a WebVPN connection, the security appliance acts as a proxy between the end user's web browser and the target web server."

    This implies that the ASA will proxy the WebVPN user's request to the destination. The source of this proxied request will depend on the reachability of the destination server. If the resources are reachable via the inside interface, then the source will be the inside interface, and likewise the DMZ interface if the resources are accessed through the DMZ.

    I have tested this, but for your own confirmation you can run a Wireshark capture on the LAN interfaces and see the HTTP requests being proxied by the ASA's LAN interfaces.

    Kind regards
    Dinesh Moudgil

    PS: Please rate helpful posts.

  • AAA authentication & accounting using the tacacs-server commands

    On page 394 of the Cisco Remote Access Companion Guide book we have these configuration lines:

    RTA(config)# tacacs-server host 192.168.0.11

    RTA(config)# tacacs-server host 192.168.0.12

    RTA(config)# tacacs-server key topsecret

    RTA(config)# aaa new-model

    RTA(config)# aaa authentication login default group tacacs+

    If I want to add the following command to the configuration above:

    RTA(config)# aaa accounting connection default start-stop group tacacs+

    Is it necessary that the above lines be entered in a specific order when I configure the RTA?

    No, the order in which you enter the commands doesn't matter.

  • Can I run a dimension import from the command line using the interface table?

    Hi guys

    I'm using EPMA to load dimensions using the interface table, but I want to know if it is possible to launch it from a command line?

    Regards

    Yes, use the EPMA batch client; have a read of http://john-goodwin.blogspot.com/2011/11/loading-to-epma-planning-applications.html

    Cheers

    John

    http://John-Goodwin.blogspot.com/

  • Is there an enhanced equivalent of crs_stat -t in 11.2?

    DB version: 11.2.0.1
    Operating system: Solaris

    In 10gR2 we used
    crs_stat -t
    to check the status of the cluster. Is there an enhanced equivalent of this command in 11.2?

    The crs_stat command has been deprecated in 11gR2; don't use it any more. To determine the state of all user resources, use:

    $GRID_HOME/bin/crsctl stat res -t

    Also, by default ora.gsd is OFFLINE if there is no 9i database in the cluster.

    In addition, in 11gR2 or above, you can use the command below to find out the status of the clusterware processes:

    $GRID_HOME/bin/crsctl stat res -t -init

    Regards
    Rajesh

  • Is there an equivalent of Windows Media script commands in FMS?

    I'm looking to stop using the Windows Media encoder for my live stream. I have used this encoder for years alongside a Windows Media server to present live sessions, and I use script commands to modify the HTML source of a specific frame on a web page. It works well, but only in IE, and only on a PC. I would like to support other browsers and other platforms (iPad, etc.). FMS appears to be a good solution alongside JW Player, but I don't know if I would be able to run the same kind of inline script command that changes the image on the page hosting the jpg files.

    Any thoughts?

    Thank you.

    Nothing built-in. You will need to develop three pieces for this:

    1. a client-side "controller" application that sends information to the server about which URL should be loaded in the "main" frame.

    2. a client-side player application which shows the video and receives/handles messages from the server about what needs to be loaded in the "main" frame.

    3. a server-side application that receives messages from the controller and forwards them to the player application.

    1 & 2 would be Flash or Flex applications. #3 would be server-side ActionScript.

    I should also mention that this will only work on Flash Media Interactive Server. Streaming Server does not support server-side scripting.

  • Just to confirm that the VPN endpoint must be on a physical interface on an ASA

    I have a client who is changing their public IP address range. Currently the OLD IP exists on the physical Internet interface and the NEW one is on the ASA. To be able to use the NEW IP as the VPN endpoint, it must be on a physical interface, so I'm thinking of having a trunk to the Internet router so that the NEW range can have a physical address; then the NEW IP can be used for the VPN.

    Hi Richard,

    Yes, it must be on a physical interface. Because you cannot configure secondary IPs on the ASA, the only approach I can think of is to set up a trunk as you suggest. Unless you use proxy-arp :).

    HTH.

    Kind regards

    Terence
