Logging vs Nologging
Hi Experts,
Nice day.
Today, during the RMAN online backup of my production database, I observed that some objects are unrecoverable due to NOLOGGING. With the query below, I got the following result:
SQL> SELECT DISTINCT ss.owner, ss.object_name, ss.object_type, ss.tablespace_name,
            ts.logging tablespace_level_logging
       FROM v$segment_statistics ss, dba_tablespaces ts, v$datafile df
      WHERE ss.statistic_name = 'physical writes direct'
        AND ss.value > 0
        AND df.unrecoverable_change# > 0
        AND ss.ts# = df.ts#
        AND ss.tablespace_name = ts.tablespace_name;
OWNER     OBJECT_NAME                     OBJECT_TYPE  TABLESPACE_NAME  TABLESPACE_LEVEL_LOGGING
--------- ------------------------------- ------------ ---------------- ------------------------
INTERSPC  AIPARTRELATIONMAIN_ANCESTER     INDEX        SPECI            NOLOGGING
INTERSPC  ATPARTRELATIONMAIN_PK           INDEX        USERS            LOGGING
INTERSPC  AIPARTRELATION4JOB              INDEX        SPECI            NOLOGGING
INTERSPC  SYS_LOB0000252986C00008$$       LOB          SPECD            LOGGING
INTERSPC  ATTCINCRRT                      TABLE        SPECD            LOGGING
INTERSPC  SYS_LOB0025576884C00002$$       LOB          SPECD            LOGGING
INTERSPC  SYS_LOB0000312079C00007$$       LOB          SPECD            LOGGING
INTERSPC  APKTCINCRRT                     INDEX        SPECI            NOLOGGING
INTERSPC  XPKATCOMMONSCHEMETOPROCESS      INDEX        SPECI            NOLOGGING
INTERSPC  ATBRICK_GB28_COMPARE25JUN2014   TABLE        SPECD            LOGGING
INTERSPC  SYS_LOB0000207679C00002$$       LOB          SPECD            LOGGING
INTERSPC  SYS_LOB0025571164C00008$$       LOB          SPECD            LOGGING
INTERSPC  AIPARTRELATIONMAIN_BOM          INDEX        SPECI            NOLOGGING
PMLUSER   SYS_LOB0000381874C00002$$       LOB          SPECD            LOGGING
INTERSPC  ATBRICK_GB34_COMPARE25JUN2014   TABLE        SPECD            LOGGING
I manually enabled logging with the statements below:
SQL> ALTER INDEX INTERSPC.AIPARTRELATIONMAIN_ANCESTER LOGGING;
Index altered.
SQL> ALTER INDEX INTERSPC.AIPARTRELATION4JOB LOGGING;
Index altered.
SQL> ALTER INDEX INTERSPC.APKTCINCRRT LOGGING;
Index altered.
SQL> ALTER INDEX INTERSPC.XPKATCOMMONSCHEMETOPROCESS LOGGING;
Index altered.
SQL> ALTER INDEX INTERSPC.AIPARTRELATIONMAIN_BOM LOGGING;
Index altered.
Once more, I ran the query above (in bold). But there is no change in the result of the query. Why are the NOLOGGING values not replaced by LOGGING even after enabling LOGGING on the indexes?
Should I take a new RMAN full online backup after enabling logging?
Please enlighten us here.
Thank you..
Please check your own query.
You SELECT the logging column of dba_tablespaces, i.e. the tablespace-level logging attribute.
So yes, as you did not issue an ALTER TABLESPACE command, it has not changed.
In addition, all future objects in that tablespace will be created with the nologging attribute.
As for your second question: there will always be a 'hole' in your logs.
So if something happens and you do not have a backup, you will only be able to run an incomplete recovery (which can affect the entire database).
So yes, I would take an RMAN backup.
Sybrand Bakker
Senior Oracle DBA
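As an added example (not part of the original question or of Sybrand Bakker's answer), the two queries below show the distinction his answer makes. The attribute that ALTER INDEX ... LOGGING changes is the segment-level one in dba_indexes (dba_tables and dba_lobs for the other object types in the listing), while dba_tablespaces.logging is the tablespace default that only ALTER TABLESPACE changes. The second query lists datafiles whose last unrecoverable change is newer than their last RMAN datafile backup, which is the 'hole' that makes a fresh backup necessary. The schema name INTERSPC is taken from the post; everything else uses standard Oracle dictionary and V$ views and needs a DBA account.

```sql
-- Added example; not from the original thread. Requires a DBA account
-- (SELECT on DBA_* and V$ views). Schema name INTERSPC comes from the post.

-- 1. Segment-level vs tablespace-level LOGGING for objects that received
--    direct-path writes into datafiles carrying unrecoverable changes.
--    After the ALTER INDEX ... LOGGING statements, segment_level_logging
--    reads YES for those indexes while tablespace_level_logging still
--    reads NOLOGGING until ALTER TABLESPACE ... LOGGING is issued.
SELECT DISTINCT
       ss.owner,
       ss.object_name,
       ss.object_type,
       ss.tablespace_name,
       ts.logging                          AS tablespace_level_logging,
       CASE ss.object_type
         WHEN 'INDEX' THEN
           (SELECT i.logging FROM dba_indexes i
             WHERE i.owner = ss.owner AND i.index_name = ss.object_name)
         WHEN 'TABLE' THEN
           (SELECT t.logging FROM dba_tables t
             WHERE t.owner = ss.owner AND t.table_name = ss.object_name)
         WHEN 'LOB' THEN
           (SELECT l.logging FROM dba_lobs l
             WHERE l.owner = ss.owner AND l.segment_name = ss.object_name)
       END                                 AS segment_level_logging
  FROM v$segment_statistics ss
  JOIN dba_tablespaces ts ON ts.tablespace_name = ss.tablespace_name
  JOIN v$datafile      df ON df.ts# = ss.ts#
 WHERE ss.statistic_name = 'physical writes direct'
   AND ss.value > 0
   AND df.unrecoverable_change# > 0
   AND ss.owner = 'INTERSPC'
 ORDER BY ss.object_type, ss.object_name;

-- 2. Datafiles whose most recent unrecoverable (NOLOGGING) change is newer
--    than their latest datafile backup. Restoring that backup and applying
--    archived redo cannot rebuild those blocks, so these files need a new
--    backup before the database is fully recoverable again.
SELECT df.file#,
       df.name,
       df.unrecoverable_time,
       MAX(bd.completion_time)             AS last_backup_time
  FROM v$datafile df
  LEFT JOIN v$backup_datafile bd ON bd.file# = df.file#
 WHERE df.unrecoverable_change# > 0
 GROUP BY df.file#, df.name, df.unrecoverable_time
HAVING MAX(bd.completion_time) IS NULL
    OR MAX(bd.completion_time) < df.unrecoverable_time
 ORDER BY df.file#;
```

RMAN's own REPORT UNRECOVERABLE; command produces the same datafile list as the second query and is the quicker check before deciding to run the backup. If NOLOGGING operations are never acceptable on this database, ALTER DATABASE FORCE LOGGING; makes redo generation for direct-path writes unconditional, regardless of the segment or tablespace attribute, so this situation cannot recur silently.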
Tags: Database
Similar Questions
-
Logging region out of memory
Dear users of Berkeley dbxml
I use an Oracle database accessed by two different clients through shared Web services. The amount of information stored in the database is quite low since both clients are still under development.
After 50 or so transactions, I get an exception that says "Logging region out of memory; you may need to increase its size".
I read in [this document|http://www.oracle.com/technology/documentation/berkeley-db/db/gsg_txn/JAVA/logconfig.html#logregionsize] that I might have to change the default settings based on my needs. But I find it a little strange to have to change the default configuration for such a small app.
Does it make sense for me to change the logging configuration, or am I missing something here?
Thank you all in advance for reading this.
Guillaume CHAPUIS
Guillaume,
This exception is not related to the size of the data; it generally means that you have many databases open. Path length may also be involved. Do you have a lot of open containers, or is your container path long?
Kind regards
George
-
Dealing with acquisition from multiple sources
Hello
My problem is that I need to read data from up to 28 tests; the acquisitions begin at different times for each test, and I have to read the data at different rates. I also need to display the data and save it in a MySQL database. And if the acquisition is out of the norm for the test, I need to stop that acquisition. Any design pattern ideas? I thought it might be possible to do that using multiple loops and connecting them to the main loop using global variables; is that correct?
Thank you
You do want several loops here. But global variables are not the way to communicate between them.
It seems you already did a good job of identifying the tasks you have. Each of those could be in a separate loop. Have a loop for each test, a loop for saving to the database, possibly another loop to check your limits. Use queues to communicate between the loops. You will have a separate queue for each parallel process, but then anyone can send the command to do anything.
I recommend having a look at the Continuous Measurement and Logging sample project.
-
ACS 5.1.0.44 GUI login failed!
Dear guys,
I'm trying to set up Cisco ACS (5.1.0.44) on VMware Workstation in order to test/study. Installation went well. I can connect via SSH, but the GUI login fails with the same credentials. Please find the attached images.
Any help will be very appreciated!
_______________________________________________
login as: admin
Keyboard-interactive authentication.
Password:
Last login: Tue Oct 30 17:31:24 2012
ACS-LAB/admin# show running-config
Building configuration...
!
hostname ACS-LAB
!
ip domain-name testlab
!
interface GigabitEthernet 0
  ip address 10.10.10.50 255.255.255.0
!
ip name-server 8.8.8.8
!
ip default-gateway 10.10.10.254
!
clock timezone UTC
!
!
username admin password hash $1$HRi10i.R$LHqyKJWVqDxfrcmaWGPOM1 role admin
!
service sshd
!
password-policy
  lower-case-required
  upper-case-required
  digit-required
  no-username
  disable-cisco-passwords
  min-password-length 6
!
logging localhost
logging loglevel 6
!
cdp timer 60
cdp holdtime 180
cdp run GigabitEthernet 0
!
icmp echo on
!
ACS-LAB/admin#
__________________________________________________________________________-
Thank you.
Hello
The first time you access the GUI of the ACS, you need to use the default credentials:
Username: acsadmin
Password: default
After that the server will ask you to change the password. Please try it and let me know how it goes.
-
VG224 and Verifone xx810 chip and PIN terminal modem
Hi members of the community.
I have a very specific problem I'd appreciate help with, if anyone else has experienced this or something similar.
We have a VG224 that provides analog lines, mainly for fax machines, on our campus. Recently, our finance department started using chip and PIN machines on these connections. Previously, we used Streamline machines, and they connect properly.
The specific case I have is a Verifone vx810 machine which is connected to a VG224. The Verifone unit is able to successfully process and authorize a transaction, but it cannot complete a batch upload or a TMS download. I talked to the support company that rents the machines to us and identified that the device uses the following baud rate, parity and stop bits for the 2 different operations:
For transactions: 2400 baud, parity/stop 7e1 (this works)
For the batch upload/TMS: 19200 baud, parity/stop 8n1 (this does not).
In the case of the batch upload/TMS, the machine dials, gets a connection to the remote end over the PSTN for about 10 to 20 seconds, then tears it down because the modem negotiation fails. I've read various articles on the CIHI forums and elsewhere that say high-speed data rates can be a problem for the VG224, but nothing to suggest a problem at 19200. I also tried it on an ATA186 and the ATA showed the same symptoms, so I am inclined to think this isn't just a firmware issue or bug with the VG224. I tried 3 different chip and PIN machines of the vx810 model and all have the same symptoms.
Here's a copy of my current VG224 config. The VG224 is registered to CUCM via SCCP.
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname vg224
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication enable default
aaa authorization exec default group radius local
aaa accounting exec default
 action-type start-stop
 group radius
!
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time UTC recurring 4 Sun Mar 1:00 4 Sun Oct 2:00
ip source-route
ip cef
no ip domain lookup
!
!
no ipv6 cef
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
stcapp feature speed-dial
!
!
voice service voip
 modem passthrough nse codec g711ulaw
!
!
voice-card 0
!
username <removed> password <removed>
archive
 log config
  hidekeys
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.644
 encapsulation dot1Q 644
 ip address 10.1.160.4 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip default-gateway 10.1.160.1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.160.1
no ip http server
!
logging facility local6
logging source-interface FastEthernet0/0.644
logging <removed>
snmp-server community <removed> RO
snmp-server location <removed>
!
radius-server host <removed> auth-port 1812 acct-port 1813
radius-server host <removed> auth-port 1812 acct-port 1813
radius-server timeout 3
radius-server key <removed>
!
control-plane
!
!
!
voice-port 2/0
 cptone GB
 timeouts initial 60
 timeouts interdigit 60
 timeouts ringing infinity
 caller-id enable
!
voice-port 2/1
 cptone GB
 timeouts initial 60
 timeouts interdigit 60
 timeouts ringing infinity
 caller-id enable
!
voice-port 2/2
 cptone GB
 timeouts initial 60
 timeouts interdigit 60
 timeouts ringing infinity
 caller-id enable
!
voice-port 2/3
 cptone GB
 timeouts initial 60
 timeouts interdigit 60
 timeouts ringing infinity
 caller-id enable
!
voice-port 2/4
 no echo-cancel enable
 cptone GB
 timeouts initial 60
 timeouts interdigit 60
 timeouts ringing infinity
 caller-id enable
!
!
ccm-manager fax protocol cisco
ccm-manager config server <removed>
ccm-manager config
ccm-manager sccp local FastEthernet0/0.644
ccm-manager sccp
!
!
sccp local FastEthernet0/0.644
sccp ccm <removed> identifier 1 version 6.0
sccp ccm <removed> identifier 2 version 6.0
sccp ccm <removed> identifier 3 version 6.0
sccp
!
sccp ccm group 1
 associate ccm 1 priority 1
 associate ccm 2 priority 2
 associate ccm 3 priority 3
!
dspfarm profile 1 transcode
 associate application SCCP
!
!
dial-peer voice 999200 pots
 service stcapp
 port 2/0
!
dial-peer voice 999201 pots
 service stcapp
 port 2/1
!
dial-peer voice 999202 pots
 service stcapp
 port 2/2
!
dial-peer voice 999203 pots
 service stcapp
 port 2/3
!
dial-peer voice 999204 pots
 service stcapp
 port 2/4
!
!
!
line con 0
line aux 0
line vty 0 4
!
ntp server <removed>
ntp server <removed>
end
And the show version output from the vg224:
System returned to ROM by power-on
System restarted at 14:30:34 CEST Wed 9 May 2012
System image file is "slot0:vg224-i6s-mz.124-22.T5.bin"
Cisco VG224 (R527x) processor (revision 4.1) with 119808K/11264K bytes of memory.
Processor board ID FHK1432F2CC
R527x CPU at 225MHz, Implementation 40, Rev 3.1
1 24-port analog FXS voice module V2.1
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
63K bytes of non-volatile configuration memory.
System FPGA version is 250027
System readonly FPGA version is 250027
System FPGA option is 'system'.
62496K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
This problem is really driving me crazy; if anyone can shed some light on what might be the root cause, I would be very grateful.
I would say probably yes, PCI DSS compliant devices running over the IP network would be the way to go, and that is something we are working on, but currently we have units that communicate using analog telephone lines.
OK, the PRI is clean, so you must set up modem relay for the high-speed modem connection to work.
I would not waste time with SCCP and would go straight to SIP or H.323.
-
ASA 5505 possibly interfering with/blocking inbound calls to UC560
ASA 5505 interfering with incoming calls - Cisco - Spiceworks #entry-5716462
All,
We have had this phone problem whenever we lose connectivity for any reason. Here is an example:
We have an ASA 5505 in front of our UC560. The primary ASA lost power (power connector on the main board loose); we swapped in an identical backup unit with the same config. The layout is as follows:
UC560 <---> ASA 5505 <---> Cisco IAD24523 <---> WAN (3 bonded) <---> (provider)
After swapping the ASAs, incoming calls have been hit and miss. I can see the traffic on the firewall when the calls come in, nothing otherwise. The OS versions on the devices are:
UC560 - 15.0(1r)XA
ASA 5505 - 9.0(4)38
Contacted the provider and, after debugging, their support said the calls were timing out with SIP error 408.
Opened a case with Cisco support and, after debugging, the UC is sending the SIP 487 disconnect error.
So based on the above, and the only variable being the ASA, I'm fairly certain that it is indeed the ASA. Here is the ASA config (it's pretty long, sorry):
Output of the command: "show run"
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.0(4)38
!
hostname XXXXX-CA
enable password WUGxGkjzJJSPhT9N encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd WUGxGkjzJJSPhT9N encrypted
names
dns-guard
ip local pool XXXXX-Remote 192.168.254.1-192.168.254.25 mask 255.255.255.0
!
interface Ethernet0/0
 description -> Internet
 switchport access vlan 2
!
interface Ethernet0/1
 description -> Inside
 switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 description -> Internet
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.242 255.255.255.240
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
banner exec * W A R N I N G *
banner exec Unauthorized access prohibited. All access is
banner exec monitored and intruders may be prosecuted
banner exec to the fullest extent of the law.
banner login * W A R N I N G *
banner login Unauthorized access prohibited. All access is
banner login monitored and intruders will be prosecuted
banner login to the fullest extent of the law.
banner motd ! ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY !
banner motd This is a private computer system.
banner motd Access is allowed only by authorized employees or agents of the
banner motd company.
banner motd The system may be used only for authorized company business.
banner motd Company management approval is required for all access privileges.
banner motd This system is equipped with a security system intended to prevent
banner motd and record unauthorized access attempts.
banner motd
banner motd Unauthorized access or use is a crime under the law.
banner asdm XXXXX Enterprises Inc. $(hostname)
boot system disk0:/asa904-38-k8.bin
boot system disk0:/asa904-29-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
same-security-traffic permit intra-interface
object network obj-voip-network
 subnet 10.1.1.0 255.255.255.0
object network obj-192.168.254.0
 subnet 192.168.254.0 255.255.255.0
 description local address pool
object network obj-cue-network
 subnet 10.1.10.0 255.255.255.0
object network obj-priv-network
 subnet 192.168.10.0 255.255.255.0
object network obj-data-network
 subnet 10.0.1.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 description not used
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 description not used
object network obj-nj-asa-private-network
 subnet 192.168.2.0 255.255.255.0
object network obj-?-asa-private-network
 subnet 192.168.5.0 255.255.255.0
object network obj-?-asa-private-network
 subnet 192.168.6.0 255.255.255.0
object network obj-?-asa-private-network
 subnet 192.168.3.0 255.255.255.0
object network obj-?-asa-priv-networl
 subnet 192.168.4.0 255.255.255.0
object network obj-?-asa-private-network
 subnet 192.168.7.0 255.255.255.0
object network obj-asa-inside-voip-nic
 host 10.1.1.1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj-vpn-nic
 host 192.168.10.20
object network obj-XXXX-asa-private-network
 subnet 192.168.8.0 255.255.255.0
 description XXXX's house
object network obj-?-asa-private-network
 subnet 192.168.9.0 255.255.255.0
object network asa-data-inside-network
 subnet 10.0.1.0 255.255.255.0
object network asa-data-outside-network
 subnet XXX.XXX.XXX.240 255.255.255.240
object network china-education-and-research-network-center
 host 202.194.158.191
 description explicitly blocked by acl
object network china-unicom-shandong-network
 subnet 60.214.232.0 255.255.255.0
 description explicitly blocked by acl
object network pbx-cue-inside-nic
 host 10.1.10.2
object network pbx-cue-outside-nic
 host 10.1.10.1
object network telepacific-voip-trunk
 host 64.60.66.250
 description no longer used
object network us-la-mianbaodianying
 host 68.64.168.46
 description explicitly blocked by acl
object network cue-network
 subnet 10.1.10.0 255.255.255.0
object network data-private-network
 subnet 192.168.10.0 255.255.255.0
object network pbx-data-outside-nic
 host 10.0.1.2
object network pbx-voip-inside-nic
 host 10.1.1.1
object network voip-network
 subnet 10.1.1.0 255.255.255.0
object network vpn-server-nic
 host 192.168.10.20
object network asa-data-outside-nic
 host XXX.XXX.XXX.242
object network asa-voip-ctl-outside-nic
 host XXX.XXX.XXX.244
object network 192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 description not used
object network 192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 description not used
object network nj-asa-priv-netowrk
 subnet 192.168.2.0 255.255.255.0
object network 192.168.254.0
 subnet 192.168.254.0 255.255.255.0
 description local address pool
object network ?-asa-private-network
 subnet 192.168.3.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.4.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.5.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.6.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.7.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.9.0 255.255.255.0
object network XXXX-asa-private-network
 subnet 192.168.8.0 255.255.255.0
object network XXX.XXX.XXX.242
 host XXX.XXX.XXX.242
object service 47
 service tcp source eq 47 destination eq 47
object network dvr
 host 192.168.10.16
object network dvr-nat-tcp8888
 host 192.168.10.16
object network dvr-nat-tcp6036
 host 192.168.10.16
object network dvr-nat-udp6036
 host 192.168.10.16
object service dvr-8888
 service tcp destination eq 8888
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service dvr-6036-tcp-udp tcp-udp
 port-object eq 6036
access-list détermine extended permit ip object pbx-data-outside-nic any4 inactive
access-list détermine extended permit ip any4 object pbx-data-outside-nic inactive
access-list testout extended permit ip object asa-voip-ctl-outside-nic any4 inactive
access-list testout extended permit ip any4 object asa-voip-ctl-outside-nic inactive
access-list XXXXX-Remote_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0
access-list XXXXX-Remote_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list XXXXX-Remote_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0
access-list XXXXX-Remote_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object voip-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object cue-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object data-private-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object voip-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object cue-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object data-private-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object voip-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object cue-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object data-private-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object voip-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object cue-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object data-private-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object cue-network object XXXX-asa-private-network
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object XXXX-asa-private-network
access-list inside_nat0_outbound extended permit ip object voip-network object XXXX-asa-private-network
access-list inside_nat0_outbound extended permit ip object data-private-network object XXXX-asa-private-network
access-list ezvpn1 standard permit 192.168.10.0 255.255.255.0
access-list ezvpn1 standard permit 10.1.10.0 255.255.255.0
access-list ezvpn1 standard permit 10.0.1.0 255.255.255.0
access-list ezvpn1 standard permit 10.1.1.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.0.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.1.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.2.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.3.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.4.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.5.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.6.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.7.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.8.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.9.0 255.255.255.0
access-list capout extended permit udp object asa-data-outside-nic object telepacific-voip-trunk inactive
access-list capout extended permit udp object telepacific-voip-trunk object asa-data-outside-nic inactive
access-list capture extended permit ip object pbx-cue-outside-nic object nj-asa-priv-netowrk
access-list capture extended permit ip object pbx-cue-inside-nic object nj-asa-priv-netowrk
access-list capture extended permit ip object pbx-cue-outside-nic object ?-asa-private-network
access-list capture extended permit ip object pbx-cue-inside-nic object ?-asa-private-network
access-list capture extended permit ip object nj-asa-priv-netowrk object pbx-cue-outside-nic
access-list capture extended permit ip object nj-asa-priv-netowrk object pbx-cue-inside-nic
access-list capture extended permit ip object ?-asa-private-network object pbx-cue-outside-nic
access-list capture extended permit ip object ?-asa-private-network object pbx-cue-inside-nic
access-list ciscotest extended permit ip object voip-network host 192.168.5.41 inactive
access-list ciscotest extended permit ip host 192.168.5.41 object voip-network inactive
access-list ciscotest extended permit ip object voip-network host 192.168.5.43 inactive
access-list ciscotest extended permit ip host 192.168.5.43 object voip-network inactive
access-list out_in remark remote access attempts
access-list out_in extended deny ip object china-unicom-shandong-network any4
access-list out_in remark remote access attempts
access-list out_in extended deny ip object us-la-mianbaodianying any4
access-list out_in extended deny udp object china-education-and-research-network-center object pbx-voip-inside-nic eq sip
access-list out_in extended permit icmp any4 object vpn-server-nic
access-list out_in extended permit tcp any4 object vpn-server-nic eq pptp
access-list out_in extended permit tcp any4 object vpn-server-nic eq 47
access-list out_in extended permit gre any4 object vpn-server-nic
access-list out_in extended permit icmp any4 object pbx-voip-inside-nic
access-list out_in extended permit udp any4 object pbx-voip-inside-nic eq tftp
access-list out_in extended permit tcp any4 object pbx-voip-inside-nic eq h323
access-list out_in extended permit udp any4 object pbx-voip-inside-nic eq sip
access-list out_in remark https access from outside
access-list out_in extended permit tcp any4 object data-private-network eq https
access-list outside_access_in extended permit icmp any4 host 192.168.10.20
access-list outside_access_in extended permit tcp any4 host 192.168.10.20 eq pptp
access-list outside_access_in extended permit object 47 any4 host 192.168.10.20
access-list outside_access_in extended permit gre any4 host 192.168.10.20
access-list outside_access_in extended permit tcp any object dvr object-group dvr-6036-tcp-udp
access-list outside_access_in extended permit udp any object dvr object-group dvr-6036-tcp-udp
access-list outside_access_in extended permit object dvr-8888 any object dvr
access-list outside_access_in extended permit icmp any4 host 10.1.1.1
access-list outside_access_in extended permit udp any4 host 10.1.1.1 eq tftp
access-list outside_access_in extended permit tcp any4 host 10.1.1.1 eq h323
access-list outside_access_in extended permit udp any4 host 10.1.1.1 eq sip
access-list outside_access_in remark incoming https
access-list outside_access_in extended permit tcp any4 192.168.10.0 255.255.255.0 eq https
pager lines 24
logging enable
logging buffer-size 1048576
logging monitor debugging
logging buffered debugging
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging flash-bufferwrap
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.10.20 4432
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 3 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit host 75.140.0.86 outside
icmp permit any inside
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-private-network obj-private-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-data-network obj-data-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-private-network obj-private-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-data-network obj-data-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network no-proxy-arp route-lookup
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
!
object network obj-asa-inside-voip-nic
 nat (inside,outside) static XXX.XXX.XXX.244
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_any-01
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj-vpn-nic
 nat (inside,outside) static XXX.XXX.XXX.254
object network dvr-nat-tcp8888
 nat (inside,outside) static interface service tcp 8888 8888
object network dvr-nat-tcp6036
 nat (inside,outside) static interface service tcp 6036 6036
object network dvr-nat-udp6036
 nat (inside,outside) static interface service udp 6036 6036
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.241 1
route inside 10.1.1.0 255.255.255.0 10.0.1.2 1
route inside 10.1.10.0 255.255.255.252 10.0.1.2 1
route inside 192.168.10.0 255.255.255.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 192.168.254.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server group Authentication&Encryption v3 priv
snmp-server group No_Authentication_No_Encryption v3 noauth
snmp-server host inside 192.168.10.20 community *****
snmp-server location Ontario, CA
snmp-server contact [email protected]
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map myDYN-map 5 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map myMAP 65535 ipsec-isakmp dynamic myDYN-map
crypto ca trustpoint CAP-RTP-001_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_0
 enrollment self
 fqdn none
 subject-name cn=_internal_ctl_phoneproxy_file_SAST_0;ou=STG;o="Cisco Inc."
 keypair _internal_ctl_phoneproxy_file_SAST_0
 crl configure
crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_1
 enrollment self
 fqdn none
 subject-name cn=_internal_ctl_phoneproxy_file_SAST_1;ou=STG;o="Cisco Inc."
 keypair _internal_ctl_phoneproxy_file_SAST_1
 crl configure
crypto ca trustpoint _internal_PP_ctl_phoneproxy_file
 enrollment self
 fqdn none
 subject-name cn=_internal_PP_ctl_phoneproxy_file;ou=STG;o="Cisco Inc."
 keypair _internal_PP_ctl_phoneproxy_file
 crl configure
crypto ca trustpoint Cisco-Mfg-CA
 enrollment terminal
 crl configure
crypto ca trustpoint phoneproxy_trustpoint
 enrollment self
 fqdn XXXXXXXXXX.com
 subject-name CN=XXXXXX-ASA
 keypair phoneproxy_trustpoint
 crl configure
crypto ca trustpool policy
crypto ca certificate chain CAP-RTP-001_trustpoint
 certificate ca 7612f960153d6f9f4e42202032b72356
 quit
crypto ca certificate chain CAP-RTP-002_trustpoint
 certificate ca 353fb24bd70f14a346c1f3a9ac725675
 quit
crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_0
 certificate e1aee24c
 quit
crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_1
 certificate e4aee24c
 quit
crypto ca certificate chain _internal_PP_ctl_phoneproxy_file
 certificate e8aee24c
 quit
crypto ca certificate chain Cisco-Mfg-CA
 certificate ca 6a6967b3000000000003
 quit
crypto ca certificate chain phoneproxy_trustpoint
 certificate 83cbe64c
 quit
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
priority-queue outside
 tx-ring-limit 256
!
tls-proxy maximum-session 24
!
!
tls-proxy tls_proxy
 server trust-point _internal_PP_ctl_phoneproxy_file
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 73.200.75.244
!
media-termination asdm_media_termination
 address XXX.XXX.XXX.245 interface outside
 address 10.0.1.245 interface inside
!
phone-proxy asdm_phone_proxy
 media-termination asdm_media_termination
 tftp-server address 10.1.1.1 interface inside
 tls-proxy tls_proxy
 no disable service-settings
 proxy-server address XXX.XXX.XXX.242 80 interface outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.10.60 source inside
group-policy myGROUP internal
group-policy myGROUP attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn1
 nem enable
group-policy XXXXX/remote internal
group-policy XXXXX/remote attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXXX-Remote_splitTunnelAcl
username fstorm password EICAA5sjaiU.vh05 encrypted privilege 15
username fstorm attributes
 service-type remote-access
username ciscotac password PPfytzRN94JBZlXh encrypted privilege 0
username cisco password omWHH15zt6aLxWSr encrypted privilege 15
username cisco attributes
 service-type remote-access
username XXXXXu8 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu8 attributes
 service-type remote-access
username uniadmin password G72KWXo/GsACJLJ7 encrypted privilege 15
username XXXXXU1 password rmZe1Ee0HeReQn6N encrypted privilege 0
username XXXXXU1 attributes
 vpn-group-policy XXXXX/remote
 service-type remote-access
username XXXXXu3 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu3 attributes
 service-type remote-access
username XXXXXu2 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu2 attributes
 service-type remote-access
username XXXXXu5 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu5 attributes
 service-type remote-access
username XXXXXu4 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu4 attributes
 service-type remote-access
username XXXXXu7 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu7 attributes
 service-type remote-access
username XXXXXu6 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu6 attributes
 service-type remote-access
tunnel-group XXXXX/remote type remote-access
tunnel-group XXXXX/remote general-attributes
 address-pool XXXXX/remote
 default-group-policy XXXXX/remote
tunnel-group XXXXX/remote ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group mytunnel type remote-access
tunnel-group mytunnel general-attributes
 default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map CM-VOICE-SIGNAL
 match dscp af31
class-map outside-phoneproxy
 match port tcp eq 2443
class-map inspection_default
 match default-inspection-traffic
class-map data
 match flow ip destination-address
 match tunnel-group mytunnel
class-map CM-VOICE
 match dscp ef
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
 class class-default
  user-statistics accounting
  flow-export event-type all destination 192.168.10.20
policy-map outside-policy
 class outside-phoneproxy
  inspect skinny phone-proxy asdm_phone_proxy
 class CM-VOICE
  priority
 class CM-VOICE-SIGNAL
  priority
policy-map Global-Policy
!
service-policy global_policy global
smtp-server 207.46.163.138
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:8bb3014c2a6deba7c80e5f897b3d34cb
: end

If someone could give a clue as to what could be the problem, I would appreciate it.
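The pasted running-config carries several settings a reviewer would flag before looking at the NAT rules themselves: IKEv1 policy 5 negotiates DES with MD5, both IKEv1 policies and the default dynamic map use small Diffie-Hellman groups, several transform sets still offer DES or MD5, SSH is permitted from 0.0.0.0/0 on the inside interface, ASDM/HTTP is permitted from 0.0.0.0/0 on the outside interface, and an SNMPv3 group is defined with no authentication. The script below is an added example, not code from the post or from Cisco: it parses a constructed ASA-style config excerpt modelled on the lines above and lists those weak settings, so the same check can be run over a real `show running-config` export. The weak-group threshold (treating DH groups 1, 2 and 5 as weak) and the sample text are assumptions made for the example.

```python
"""Added example (not from the forum post): audit ASA running-config text for
weak IKEv1/IPsec choices and overly broad management access."""
import re
from typing import Dict, List

# Constructed sample: a condensed ASA running-config in the same shape as the post.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto ikev1 policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
http server enable
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
telnet timeout 5
snmp-server group No_Authentication_No_Encryption v3 noauth
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}   # assumption: MODP groups below 2048 bits are weak
WEAK_ESP_CIPHERS = {"esp-des", "esp-3des"}


def parse_ikev1_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Collect every 'crypto ikev1 policy N' block into {N: {attribute: value}}.
    Sub-commands are the space-indented lines that follow the policy header."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^crypto ikev1 policy (\d+)", line)
        if header:
            current = policies.setdefault(header.group(1), {})
            continue
        if line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        elif not line.startswith(" "):
            current = None          # any other top-level command ends the block
    return policies


def audit(config: str) -> List[str]:
    """Return one finding string per weak setting found in the config text."""
    findings: List[str] = []
    policies = parse_ikev1_policies(config)
    for num in sorted(policies, key=int):
        attrs = policies[num]
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"ikev1 policy {num}: weak encryption {attrs['encryption']}")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"ikev1 policy {num}: weak hash {attrs['hash']}")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"ikev1 policy {num}: weak DH group {attrs['group']}")
    for line in config.splitlines():
        ts = re.match(r"^crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)", line)
        if ts and (ts.group(2) in WEAK_ESP_CIPHERS or ts.group(3) == "esp-md5-hmac"):
            findings.append(f"transform-set {ts.group(1)}: weak cipher/integrity")
        pfs = re.match(r"^crypto dynamic-map \S+ \d+ set pfs (\S+)", line)
        if pfs and pfs.group(1).replace("group", "") in WEAK_DH_GROUPS:
            findings.append(f"dynamic-map pfs {pfs.group(1)}: weak DH group")
        # ssh/http/telnet lines with a 0.0.0.0/0 source allow management from any host.
        mgmt = re.match(r"^(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if mgmt:
            findings.append(f"{mgmt.group(1)} management open to any host on {mgmt.group(2)}")
        snmp = re.match(r"^snmp-server group (\S+) v3 noauth", line)
        if snmp:
            findings.append(f"snmp group {snmp.group(1)}: v3 without authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` by reading the file into `audit()` instead of `SAMPLE_CONFIG`; on the sample above it reports eleven findings, three of them on IKEv1 policy 5 alone.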
Glad you were able to solve the problem! Also, thank you for taking the time to come back and post the solution here (+5 from me)!
Now, given that your issue is resolved, you must mark the thread as "answered" :)
Thank you for evaluating useful messages!
-
Cannot enter configure terminal mode on Cisco AP
I have a CISCO AIR-ANNUAL-A-k9.
When I try to run the configure terminal command it does not work...
Please tell me how to solve this problem...
APfc99.4744.412b#show running-config
Building configuration...
Current configuration : 17429 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname APfc99.4744.412b
!
logging rate-limit console 9
enable secret 5 $1$T/UX$g8VteI52q9TAGoKLdOnQq1
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
eap profile lwapp_eap_profile
 method fast
!
!
crypto pki trustpoint Cisco_IOS_MIC_cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint cisco-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-device-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-new-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-old-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
!
crypto pki certificate chain Cisco_IOS_MIC_cert
 certificate 4F6C56A80000000A92D7
30820470 30820358 A0030201 02020A4F 6C56A800 00000 HAS 92 D7300D06 092A 8648
86F70D01 01050500 30393116 30140603 55040A 13 0D 436973 636F2053 79737465
301 0603 55040313 16436973 636F204D 616E7566 61637475 6D73311F 72696E67
1E170D31 20434130 32303930 31313732 3834325A 170 3232 30393031 31373338
34325A 30 818C310B A 30090603 55040613 02555331 13301106 03550408 130, 4361
6C69666F 726E6961 06035504 07130853 616E204A 6F736531 16301406 3111300F
0355040A 130D 4369 53797374 656 7331 1B, 301906 03550403 13124331 D 73636F20
66633939 34373434 34313262 3134302D 3120301E 06092A 86 4886F70D 01090116
706F7274 11737570 636F2E63 40636973 6F6D3082 0122300D 06092 HAS 86 4886F70D
01010105 00038201 0F003082 010 HAS 010100 0282 B 5 581D7B42 A 599227, 9 B4D65283
698CB21A 8EAAA985 647313C F8C58325 0 A670CC0C 57EFB31B 1FCDB064 EFFFE354
FDB34E0C AD1CCAC8 5C7345F5 0956EA6C 98B0DC6B D919BAF0 48966FFC 203AE7A3
57342DD3 F0044903 CF71534F 013699F1 816BE0E3 016EC32D 525B 2676 0BD79150
48 C 64674 B635DC0E 180BF03E 54FB5E16 E78D64BF 1A341C99 4C1F7391 A05A0374
25899C4A 796694DF AAC73E41 8AE1DB1F 4CBFF680 B5A08356 B9641FCD B14F5258
2DDEF4B5 F744881F 5AF16E42 C18C896B 64CF4023 F81979BD 985AB2EA 21590D2B
FE29DB7E 22C4FA87 45549C2D 3AFFB098 EA2F1ADB 498 4464 34DD7695 CDCFE840 D
C75EE07E 6BE7F77D 00727712 56F9E8CF F8C09702 03010001 30820120 A3820124
300E0603 551D0F01 01FF0404 A 030205-0 301D 0603 551D0E04 16041440 FFFDBDB4
4C4F19BE DE0FD134 EFB5E5E5 79BBE030 1 230418 30168014 D0C52226 1F060355
AB4F4660 ECAE0591 C7DC5AD1 B047F76C 303F0603 551D1F04 38303630 34A032A0
30862E68 7474703 HAS 2F2F7777 772E6369 73636F2E 73656375 72697479 636F6D2F
2F706B69 2F63726C 2F636D63 612E6372 6C304C06 082B 0601 05050701 01044030
082B 0601 05050730 02863068 7474703 3E303C06'S 2F2F7777 772E6369 73636F2E
73656375 72697479 2F706B69 2F636572 74732F63 6D63612E 63657230 636F6D2F
06010401 82371402 00490050 00530045 00430049 006E0074 04321E30 3F06092B
00650072 0065 00640069 00610074 0065004F 00660066 006 C 0069 006E0065 006D
300 D 0609 2A 864886 05050003 82010100 4198877F F0A136ED AC781855 F70D0101
5DCD6F48 56FCFDDD 47292E1B 9E7BC1C6 0415AD8E DC815863 D30A99BE 514F7674
0DE30212 EFEC2FD1 CDD895AC 7C9BC9C5 BD6A62C2 A1BD68CA 83E8A9E1 4F0D2599
6794C2F6 94034F89 D22B9334 E77B6D04 83C2F979 3653E3B1 27FA6C7A ED4F8458
A39FE3ED 9BC932B7 97B8C4A3 28596B9B 3E7B5302 CFEFD492 1B363AF7 60666780
5724ED8F 0BD14FEB E585BCEF B2FFACBC D18D8C6B 8D65FDE8 7896E479 1B6C12E7
F6517C37 E4DC4E1A EAC73589 42664557 24A9C82B B5A954BE 63814DB5 B0551E0A
20DC6263 633CEF0B E1E14733 C9ECB3D3 21EA5DF9 621B9C20 B31EB931 EE765152
C5403310 7FA886E5 B34E8501 1755044E 6BA12200
  quit
 certificate ca 6A6967B3000000000003
308204 9 308203 1 A0030201 02020A6A 6967B 300 092 HAS 8648 00000000 03300D 06
86F70D01 01050500 30353116 30140603 55040A 13 0D 436973 636F2053 79737465
30190603 55040313 12436973 636F2052 43412032 30343830 6F6F7420 6D73311B
1E170D30 35303631 30323231 3630315A 170 3239 30353134 32303235 34325 HAS 30
39311630 14060355 040A130D 43697363 6F205379 7374656D 1 060355 73311F30
04031316 43697363 6F204D61 6E756661 63747572 696E6720 43413082 0120300D
06092A 86 01010105 00038201 0D A 003082 01080282 010100-0 C5F7DC96 4886F70D
943515F1 F4994EBB 9B41E17D DB791691 BBF354F2 414 HAS 9432 6262 C 923 F79AE7BB
9B79E807 294E30F5 AE1BC521 5646B0F8 F4E68E81 B816CCA8 9B85D242 81DB7CCB
94A 91161 121C5CEA 33201C9A 16A77DDB 99066AE2 36AFECF8 0AFF9867 07F430EE
A5F8881A AAE8C73C 1CCEEE48 FDCD5C37 F186939E 3D71757D 34EE4B14 A9C0297B
0510EF87 9E693130 F548363F D8ABCE15 E2E8589F 3E627104 8726 HAS 415 620125AA
D5DFC9C9 5BB8C9A1 077BBE68 A86CBD15 92939320 75D3445D 454BECA8 DA60C7D8
C8D5C8ED 41E1F55F 578E5332 9349D5D9 0FF836AA 07C C5A7AF1D 19FFF673 43241
99395 HAS 73 67621334 0D1F5E95 70526417 06EC535C 5CDB6AEA 35004102 0103 HAS 382
01E73082 01E33012 0603551D 130101FF 04083006 0101FF02 0100301 D 0603551 D
0E041604 14D0C522 26AB4F46 60ECAE05 91C7DC5A D1B047F7 6C300B06 03551D0F
04040302 01863010 06092B 06 01040182 37150104 03020100 30190609 2 B 060104
01823714 0A 005300 75006200 AND 43004130 1 230418 30168014 1F060355 02040C1E
27F3C815 1E6E9A02 0916AD2B A089605F DA7B2FAA 30430603 551D1F04 3C303A30
38A036A0 34863268 7474703A 2F2F7777 772E6369 73636F2E 636F6D2F 73656375
72697479 2F706B69 2F63726C 2F637263 382E6372 61323034 6 305006 082B 0601
05050701 01044430 42304006 082B 0601 05050730 02863468 7474703 A 2F2F7777
772E6369 73636F2E 73656375 72697479 2F706B69 2F636572 74732F63 636F6D2F
3034382E 72636132 63657230 5 C 060355 1 200455 30533051 060A2B06 01040109
15010200 30433041 06082B 06 01050507 02011635 68747470 3A2F2F77 77772E63
6973636F 2E636F6D 2F736563 75726974 792F706B 6 696369 65732F69 692F706F
6E646578 2E68746D 6C305E06 03551D 25 04573055 06082B 06 01050507 03010608
2B 060105 06082 06 05070302 01050507 03050608 2B 060105 06082 B 06 B 05070306
01050507 0307060 2B 060104 0182370 A 0301060 HAS 2B 060104 01823714 02010609
2B 060104 01823715 06300D 01050500 03820101 0030F330 86F70D01 06 092 A 8648
374A 6499 24290AF2 86AA42D5 23E8A2EA 2B6F6923 7A828E1C 4C09CFA4 2D8CF2CA
4FAB842F 37E96560 D19AC6D8 F30BF5DE D027005C 6F1D91BD D14E5851 1DC9E3F7
38E7D30B D168BE8E 22A54B06 E1E6A4AA 337D1A75 BA26F370 C66100A5 C379265B
A719D193 8DAB9B10 11291FA1 82FDFD3C 4B6E65DC 934505E9 AF336B67 23070686
22DAEBDC 87CF5921 421AE9CF 707588E0 243D5D7D 4E963880 97D56FF0 9B71D8BA
6019A5B0 6186ADDD 6566F6B9 27A2EE2F 619BBAA1 3061FDBE AC3514F9 B82D9706
AFC3EF6D CC3D3CEB 95E981D3 8A5EB6CE FA79A46B D7A25764 C43F4CC9 DBE882EC
0166 D 410 88A256E5 3C57EDE9 02 HAS 84891 6307AB61 264B1A13 9FE4DCDA 5F
  quit
crypto pki certificate chain cisco-root-cert
 certificate ca 5FF87B282B54DC8D42A315B568C9ADFF
3082022B 30820343 A0030201 0202105F F87B282B 54DC8D42 A315B568 C9ADFF30
010105 05003035 31163014 06035504 0A130D43 6973636F 0D 864886F7 0D06092A
20537973 74656 73 311B 3019 06035504 AND 03131243 6973636F 20526F6F 74204341
38301E17 20323034 303430 35313432 30313731 32393035 31343230 325A170D 0D
32353432 5 303531 16301406 0355040 HAS 130D 4369 73636F20 53797374 656D 7331
1 B 301906 03550403 13124369 73636F20 20434120 32303438 30820120 526F6F74
300 D 0609 2A 864886 01050003 82010 00 30820108 02820101 00B09AB9 F70D0101
ABA7AF0A 77A7E271 B6B46662 94788847 C6625584 4032BFC0 AB2EA51C 71D6BC6E
7BA8AABA 6ED21588 48459DA2 FC83D0CC B98CE026 68704 HAS 78 DF21179E F46105C9
15C8CF16 DA356189 9443 HAS 884 A8319878 9BB94E6F 2C53126C CD1DAD2B 24BB31C4
2BFF8344 6FB63D24 7709EABF 2AA81F6A 56F6200F 75A725CE 11549781 596A 8265
EFB7EAE7 E28D758B 6EF2DD4F A65E629C CF100A64 D04E6DCE 2BCC5BF5 60 HAS 52747
8D69F47F CE1B70DE 701B20D6 6ECDA601 A83C12D2 A93FA06B 5EBB8E20 8B7A91E3
B568EEA0 E7C40174 A8530B2B 4A9A0F65 120E824D 8E63FDEF EB9B1ADB 53 HAS 61360
AFC27DD7 C76C1725 D473FB47 944CE1BF 64508180 AE4B1CDF 92ED2E05 DF020103
300B 0603 551D0F04 86300F06 04030201 A351304F 03551D 13 0101FF04 05300301
01FF301D 0603551D 0E041604 1427F3C8 151E6E9A 020916AD 2BA08960 5FDA7B2F
AA301006 092B 0601 04018237 15010403 02010030 0D06092A 864886F7 0D 010105
05000382 0101009D 9D8484A3 41A97C77 0CB753CA 4E445062 EF547CD3 75171CE8
E0C6484B B6FE4C3A B 198156 0 56EE1996 62AA5AA3 64C1F64E 5433 C 677 FEC51CBA
E55D25CA F5F0939A 83112EE6 CBF87445 FEE705B8 ABE7DFCB 4BE13784 DAB98B97
701EF0E2 8BD7B0D8 0E9DB169 D62A917B A9494F7E E68E95D8 83273CD 5 68490ED4
9DF62EEB A7BEEB30 A4AC1F44 FC95AB33 06FB7D60 0ADEB48A 63B09CA9 F2A4B953
068 A4277FAB FFE9FAC9 B439C684 40388867 0187D 6F57C953 DBBA8EEE C043B2F8
09836EFF 17B 35818 2509345E E3CBD614 B6ECF292 6F74E42F 812AD592 66CF3EEF
3 C 854BD1F7 326805 91E0E097 57E2521D 931A549F 0570C04A 71601E43 0B601EFE
A3CE8119 E10B35
  quit
crypto pki certificate chain airespace-device-root-cert
 certificate ca 03
3082047F A 308203, 8 A0030201 02020103 300 D 0609 2A 864886 F70D0101 04050030
81A6310B 30090603 55040613 02555331 13301106 03550408 130A 4361 6C69666F
726E6961 06035504 07130853 616E204A 6F736531 0355040A 17301506 3111300F
72657370 61636520 31143012 06035504 0B130B45 6E67696E 496E632E 130E4169
65657269 30180603 55040313 11416972 65737061 63652052 6F6F7420 6E67311A
A 43413124 30220609 2 864886 F70D0109 01161573 72744061 69726573 7570706F
70616365 2E636F6D 30353034 32383232 33373133 5A170D31 35303132 301E170D
36323233 3731335 HAS A 3081, 831 0B 300906 03550406 13025553 31133011 06035504
A 08130, 43 616C 6966 6F726E69 0F060355 61311130 53616E20 04071308 4A6F7365
31173015 06035504 69726573 70616365 20496E63 2E311430 12060355 0A130E41
040B130B 456E6769 6E656572 696E6731 03550403 13134169 72657370 1C301A06
61636520 44657669 63652043 41312430 2206092A 864886F7 010901 16157375 0D
70706F72 74406169 72657370 6163652E 636F6D30 81DF300D 06092 HAS 86 4886F70D
01010105 000381CD 003081C A93C0158 E7284E75 FF86A57A 886ACA37 C 9 0281, 100
430BECF0 7582F56B DB6AC514 554FB06E AA327B3E CE3C9391 03C93BA4 0C0AF932
A6CB5DA3 F1C3C528 53BF4E19 2C1BFC48 467EBD93 06B4974A 1273BF35 8AD8540F
261E612B A2673B68 D239C87E 1E9E967B 2654 D 285 45BB7F78 5F4E9D4B 7B8001AA
2F455CFF 4552ECDB 5667E3FC E7093E06 8FAE353D 4228B48D 8B415D9B F496342D
C1459987 B69BFA4B 51FB67B4 A0C21E7F C6269A39 47EB1D48 5E83B129 8B079E5E
1EDAB5A0 BE5E1DE0 109FF0BD 4750E32B 02030100 01A 38201 37308201 33300 06
13 04053003 0101FF30 2E060960 86480186 F842010D 0421161F 41697265 03551D
73706163 65204465 76696365 20434120 43657274 69666963 61746530 1 060355
04140A 52 3BB12570 523B9CEA 747FB2AD 3D8F95EA 3FCC3081 D3060355 1D0E0416
1 230481 8014538 8360478 C20F8066 3232E9E1 7070552B 17EAA181 CB3081C8
ACA481A9 3081A 631 0B 300906 03550406 13025553 31133011 06035504 08130 HAS 43
616C 6966 6F726E69 61311130 0F060355 04071308 53616E20 4A6F7365 31173015
06035504 69726573 70616365 20496E63 2E311430 12060355 0A130E41 040B130B
456E6769 6E656572 696E6731 1 HAS 301806 03550403 13114169 72657370 61636520
526F6F74 09011615 73757070 6F727440 86F70D01 20434131 24302206 092A 8648
61697265 73706163 652E636F 6 D 820100 300 D 0609 2A 864886 F70D0101 04050003
81C100A0 E8D59D9B DA9EED0C 96045DFE A37084EC 59B5C3D3 71694DB0 70664E0C
8060D69E E366E81F 9F3CCF68 8AB0498E CCFA6CA7 2854F2D8 9 046690C 8FEC84EF
2F7F0F08 C90F719D C0F4C125 CED1B525 6DD93E51 777BD5E8 7F1DC79F CC502DC2
0242C05D 1682DEE3 DF7541B8 C55B433C 10DFE2BF D2E802E7 D923329A 23A2076F
86BCC048 D569B383 59AC8979 97F02C55 6F8FE318 754F605C 43CDA7C8 B 1847, 085
1DADF0D6 CD62C8DE A86E6E12 4A7CDCBF A6FCC7E1 852A1DB1 529D63B3 688305F6 7BD25F
  quit
crypto pki certificate chain airespace-new-root-cert
 certificate ca 00
3082045A 30820383 02020100 300 D 0609 2A 864886 F70D0101 04050030 A0030201
81A6310B 30090603 55040613 02555331 13301106 03550408 130A 4361 6C69666F
726E6961 06035504 07130853 616E204A 6F736531 0355040A 17301506 3111300F
72657370 61636520 31143012 06035504 0B130B45 6E67696E 496E632E 130E4169
65657269 30180603 55040313 11416972 65737061 63652052 6F6F7420 6E67311A
A 43413124 30220609 2 864886 F70D0109 01161573 72744061 69726573 7570706F
70616365 2E636F6D 30333037 33313133 34313232 5A170D31 33303432 301E170D
39313334 3132325 HAS A 3081, 631 0B 300906 03550406 13025553 31133011 06035504
A 08130, 43 616C 6966 6F726E69 0F060355 61311130 53616E20 04071308 4A6F7365
31173015 06035504 69726573 70616365 20496E63 2E311430 12060355 0A130E41
040B130B 456E6769 6E656572 696E6731 1 HAS 301806 03550403 13114169 72657370
526F6F74 09011615 73757070 86F70D01 61636520 20434131 24302206 092A 8648
61697265 73706163 652E636F 6D3081DF 2 F70D0101 6F727440 HAS 864886 300 D 0609
0030-81 C 90281 C100CCA0 F92330BD 49E947A4 3FA2ACF3 A4827F66 01050003 81CD
77BB66F4 6B1636BA 84EF0966 9CCAE0EA CA6F1D0F BA90FEFA 58B8502C 10FC78DC
C9D126D8 8F2AD059 A8A69BFE 90324BD6 4553CED9 131B99B0 282A73D9 8655EFAF
5EA54096 22E54B9F C4258988 78F1A51F F47B16F2 0C0A37A3 52603A5A B0DC4533
B0C0B7C8 02DF25F0 585DFF5F 43FDAE1F 48A34BDF F80AC27E 30BE931B D3490ADE
C81FF6F9 974F1408 55C8813F D334F1B8 A1892B0A 10D98A44 7DBF213E 20 64520
E78E9322 DA11CA7A 010001A 3 82011430 82011030 1 060355 46AB0203 46ACEB41
1D0E0416 0414538 D 8360478 D C20F8066 3232E9E1 7070552B 17EA3081 D3060355
1 230481 8014538 8360478 C20F8066 3232E9E1 7070552B 17EAA181 CB3081C8
ACA481A9 3081A 631 0B 300906 03550406 13025553 31133011 06035504 08130 HAS 43
616C 6966 6F726E69 61311130 0F060355 04071308 53616E20 4A6F7365 31173015
06035504 69726573 70616365 20496E63 2E311430 12060355 0A130E41 040B130B
456E6769 6E656572 696E6731 1 HAS 301806 03550403 13114169 72657370 61636520
526F6F74 09011615 73757070 6F727440 86F70D01 20434131 24302206 092A 8648
61697265 73706163 6 820100 0603 551 1304 05300301 01FF300B 300 652E636F
0603551D 0F040403 02010630 0D06092A 864886F7 010104 05000381 C10006E3 0D
653D4B19 FAA0C3B9 8EAE23C5 A3305E42 4522 HAS 961 BE1B5B88 56ED2E5A E42F7AC0
26AA2805 9824080D 1512169B 44E42847 2EBBA573 29F070DB 56011C7B E9F3A240
399A 3557 A50384EC A0353DCF 49E8EC01 94047469 0BC12079 2764873D 25943DCD
66A9726F 4A79EB40 1C7C6897 4E925D80 1F604763 A9D9AC1F DF0092F6 2313 C 126
57DF1AB4 9B904E22 CE5515CD 44F68A00 4E2BC861 FBC1540D C1F3A66B 8CDDC1C2
7 C E6241198 442027 B0E002DE 9E06D64F 0D 538987 96C1C0DB 12B0F581 6FED
  quit
crypto pki certificate chain airespace-old-root-cert
 certificate ca 00
30820406 3082032F A0030201 02020100 300 D 0609 2A 864886 F70D0101 04050030
818F310B 30090603 55040613 02555331 13301106 03550408 130A 4361 6C69666F
726E6961 06035504 07130853 616E204A 6F736531 0355040A 16301406 3111300F
130 6169 72657370 61636520 496E6331 0D300B06 0355040B 13046E6F 6E65310B
09011615 73757070 86F70D01 30090603 55040313 02636131 24302206 092A 8648
61697265 73706163 652E636F 6D301E17 303330 32313232 33333835 0D 6F727440
31323131 31313233 33383535 310B 3009 06035504 06130255 5A30818F 355A170D
53311330 11060355 0408130A 43616C 69 666F726E 69613111 300F0603 55040713
0853616E 65311630 14060355 61697265 73706163 040A130D 204A6F73 6520496E
63310 D 0B 060355 040 30 B 1304 310B 3009 06035504 03130263 61312430 6E6F6E65
2206092A 864886F7 010901 16157375 74406169 72657370 70706F72 0D 6163652E
06092A 86 4886F70D 01010105 81DF300D 636F6D30 000381CD 003081C 9 0281C 100
DB9D3901 30059DD1 05CB2793 9B9907F8 1FF57FA9 24065BF7 1A5865F8 B9CFCCB3
679354 D 69BAB847 4 1CA327AE EA006AAC 90479C9D C23B67DE FACC0D28 32C6103F
A59C41E2 E8B4250B 4D2903EB 52629 HAS 99 D618B747 C4A94151 1AB995BB 14905404
5F4A0B9F F387F346 D5F3A249 2AED1B6A 3DD639D8 4924366A 1234DD2D B13CD489
7E2EA101 63BCCC82 2F7A6D0B 33AB5705 3C784A6D A3DD1E5B 96CF54C6 CF4D59BC
1BFD6CB6 E72FCB29 88DCBE6D 4D76FB83 1FAF5683 E4E20822 00A9EB2E 3BEF0DF9
02030100 01A381EF 3081EC30 1 D 060355 1D0E0416 DF7D1482 04149457 2D31BB28
772E8996 1886DA46 84BA3081 1 230481 B43081B1 DF7D1482 80149457 BC060355
2D31BB28 772E8996 1886DA46 84BAA181 95 HAS 48192 30818F31 0B 300906 03550406
A 13025553 31133011 06035504 08130, 43 616C 6966 6F726E69 61311130 0F060355
04071308 53616E20 31163014 06035504 69726573 70616365 0A130D61 4A6F7365
20496E63 310D300B 06035504 0B13046E 0B, 300906 03550403 13026361 6F6E6531
31243022 06092 HAS 86 01090116 15737570 40616972 65737061 706F7274 4886F70D
63652E63 6F6D8201 00300C 06 13 04053003 0101FF30 0D06092A 864886F7 03551D
010104 05000381 C100AEB0 349DC0F9 2AAA3A57 75B3A79C 5421A9D0 15389261 0D
95 C 03479 04DA81D4 120F58FA E2299223 BEB54A90 6D70F7F7 2192EFAF A4B0F488
604E3094 BBCC77A3 60 HAS 88129 0849B87B 5CA1AA17 A 21922, 55 6B68E0D3 1ADC7264
C4C4D6B2 33345C 86 254E4988 096645CD 40F12761 8BC37E71 DAD91677 25322361
71D87A16 F92AF7C1 51CB8892 443BC666 59BEA47B 985E8866 68A1EBD4 88BBF6E7
7711 D 518 A80E203D A12BEBDC 6963EDA7 B76079A3 0CB8D324 22380C 96 A949FDF8
CADD949D EA39E0EF 033D
quit
memory checksum validate 30
username Cisco secret 5 $1$WIs1$wyjQZW5BvoaWvKmknJrYd.
!
!
ip ssh version 2
!
!
interface Dot11Radio0
no ip route-cache
antenna gain 0
mbssid
power local 1
power client local
packet retries 64 drop-packet
no cdp enable
!
interface GigabitEthernet0
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface BVI1
ip address 10.32.10.29 255.255.255.0
no ip route-cache
!
ip default-gateway 10.32.0.1
no ip http server
logging trap errors
logging origin-id string AP:fc99.4744.412b
logging facility kern
logging snmp-trap notifications
logging snmp-trap informational
logging snmp-trap debugging
logging 255.255.255.255
!
control-plane
!
!
line con 0
line vty 0 4
transport input none
line vty 5 15
transport input none
!
end
This looks like a lightweight access point. In my view, there is no "conf t" option, because everything is done through the controller.
-
Cannot access inside LAN with Cisco AnyConnect
I'm new to the firewall and am trying to get my AnyConnect test configuration to connect to addresses within my local network. The AnyConnect client connects easily, I can get to Internet addresses, and packet-tracer tells me it fails at phase 6, svc-webvpn. Can someone look at my config? I know I'm missing something pretty obvious. The config is pasted below:
!
interface Ethernet0/0
description <uplink to ISP>
switchport access vlan 20
!
interface Ethernet0/1
description <inside>
switchport access vlan 10
speed 100
duplex full
!
interface Ethernet0/2
description <home switch>
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.1.99 255.255.255.0
!
interface Vlan20
nameif OUTSIDE
security-level 0
dhcp client update dns
ip address dhcp setroute
!
interface Vlan30
no nameif
no security-level
no ip address
!
banner motd
banner motd +...+
banner motd |
banner motd | Any unauthorized use or access prohibited * |
banner motd |
banner motd | For authorized official use only. |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action and |
banner motd | may be reported to law enforcement authorities. |
banner motd |
banner motd | There is no right to privacy on this device. |
banner motd |
banner motd +...+
banner motd
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit intra-interface
object-group icmp-type DEFAULT_ICMP
description <default icmp types permit>
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network obj-AnyConnect
network-object host 192.168.7.20
network-object host 192.168.7.21
network-object host 192.168.7.22
network-object host 192.168.7.23
network-object host 192.168.7.24
network-object host 192.168.7.25
access-list 101 extended permit icmp any any
!
access-list ACL_OUTSIDE remark <anyconnect permit>
access-list ACL_OUTSIDE extended permit tcp any any eq https
access-list ACL_OUTSIDE extended permit icmp any any object-group DEFAULT_ICMP
!
access-list VPN_NAT extended permit ip host 192.168.7.20 any
access-list VPN_NAT extended permit ip host 192.168.7.21 any
access-list VPN_NAT extended permit ip host 192.168.7.22 any
access-list VPN_NAT extended permit ip host 192.168.7.23 any
access-list VPN_NAT extended permit ip host 192.168.7.24 any
access-list VPN_NAT extended permit ip host 192.168.7.25 any
access-list sheep extended permit ip object-group obj-AnyConnect 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm errors
mtu inside 1500
mtu OUTSIDE 1500
ip local pool AnyconnectPool 192.168.7.20-192.168.7.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (OUTSIDE) 1 access-list VPN_NAT
access-group ACL_OUTSIDE in interface OUTSIDE
!
router rip
network 192.168.1.0
passive-interface OUTSIDE
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4688000
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface OUTSIDE
!
crypto isakmp identity hostname
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 120
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcp-client broadcast-flag
dhcpd dns x.x.x.x
dhcpd lease 43200
dhcpd ping_timeout 2000
dhcpd auto_config OUTSIDE
!
dhcpd address 192.168.1.150-192.168.1.180 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.229.0.179
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-sha1
ssl trust-point localtrust OUTSIDE
webvpn
enable OUTSIDE
anyconnect-essentials
svc image disk0:/anyconnect-win-4.2.01035-k9.pkg 1
svc image disk0:/anyconnect-linux-64-4.2.01035-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-4.2.01035-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Anyconnect internal
group-policy Anyconnect attributes
dns-server value x.x.x.x
vpn-tunnel-protocol svc
address-pools value AnyconnectPool
tunnel-group remotevpn type remote-access
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
default-group-policy Anyconnect
tunnel-group Anyconnect webvpn-attributes
group-alias MY_RA enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
auto-update poll-period 30 3 1
auto-update timeout 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
Hello,
You are missing a NAT exemption for the AnyConnect traffic that would allow you to access the inside network.
access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list sheep
Add these two lines to the config and you should be able to access the inside network.
Kind regards,
Aditya
Please rate helpful posts and mark correct answers.
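The fix above hinges on one ordering rule of the ASA 8.2 NAT model: traffic from the inside subnet to the VPN pool must match a `nat (inside) 0` exemption before the dynamic `nat (inside) 1` rule, otherwise the return packets are translated to the outside address and never reach the AnyConnect client. The Python script below is an added example, not code from this thread or from Cisco. It parses a constructed 8.2-style config fragment modelled on the one posted, expands the `ip local pool`, and reports every pool address that no `nat (inside) 0` ACL covers; run against the fragment before and after the two suggested lines it shows the gap closing. Assumptions: the exemption ACL uses plain subnets (object-group references in ACEs are not expanded), and the inside subnet is 192.168.1.0/24 as in the posted config.

```python
"""Audit an ASA 8.2-style config for a NAT exemption covering the VPN address pool.

Added example for this thread: not the poster's config and not a Cisco tool. It parses a
constructed config fragment and reports pool addresses that no 'nat (inside) 0' ACL covers.
"""
import ipaddress
import re

# Constructed fragment modelled on the posted config (sheep ACL and nat 0 deliberately absent).
CONFIG_BEFORE = """\
ip local pool AnyconnectPool 192.168.7.20-192.168.7.25 mask 255.255.255.0
access-list ACL_OUTSIDE extended permit tcp any any eq https
global (OUTSIDE) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
"""

# The same fragment with the two lines from the answer applied.
CONFIG_AFTER = CONFIG_BEFORE + """\
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list sheep
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def _addr_spec(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(cfg):
    """Return (pools, acls, nat0): pool ranges, 'permit ip' ACEs per ACL name, nat-0 ACL per interface."""
    pools, acls, nat0 = {}, {}, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif line.startswith("access-list "):
            t = line.split()
            idx = t.index("permit") if "permit" in t else -1
            if idx < 0 or idx + 1 >= len(t) or t[idx + 1] != "ip":
                continue  # only plain 'permit ip' ACEs take part in NAT exemption here
            try:
                src, i = _addr_spec(t, idx + 2)
                dst, _ = _addr_spec(t, i)
            except (ValueError, IndexError):
                continue  # object-group references are not expanded (assumption of this example)
            acls.setdefault(t[1], []).append((src, dst))
    return pools, acls, nat0


def unexempted_pool_addresses(cfg, inside_if="inside", inside_net="192.168.1.0/24"):
    """Pool addresses the inside subnet would reach via dynamic NAT instead of the exemption."""
    pools, acls, nat0 = parse_config(cfg)
    inside = ipaddress.ip_network(inside_net)
    exempt = acls.get(nat0.get(inside_if, ""), [])
    missing = []
    for name, (lo, hi) in pools.items():
        addr = lo
        while addr <= hi:
            if not any(inside.subnet_of(src) and addr in dst for src, dst in exempt):
                missing.append((name, str(addr)))
            addr += 1
    return missing


if __name__ == "__main__":
    print("before fix:", unexempted_pool_addresses(CONFIG_BEFORE))
    print("after fix: ", unexempted_pool_addresses(CONFIG_AFTER))
```

The check is deliberately per-address rather than per-subnet: on 8.2 a pool is a range, not a network, so a `/24` exemption written for a wider or narrower block can silently leave part of the range translated. The same logic carries over to `packet-tracer input inside tcp 192.168.1.10 1025 192.168.7.20 445`, which should now show the nat 0 rule as the matched NAT phase.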
-
Hello,
We run 3x WLC controllers with 800 APs, using ISE 1.2 for wireless 802.1X authentication. I was looking in the ISE config and noticed that of the 400 edge switches only 2x 2960S are configured with 802.1X (ISE RADIUS config) and SNMP, and only 2 of the ports have APs attached, with the remaining switch ports and the 3x WLC in network devices.
I do not understand how an access point is able to do this work (802.1X), because it is located at a different site and people are connecting from various different locations. ISE has almost 11,876 profiled endpoints.
version 12.2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fokm$lesIWAaceFFs.SpNdJi7t.
!
username test-RADIUS password 7 07233544471A1C5445415F
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
!
!
aaa server radius dynamic-author
client 10.178.5.152 server-key 7 151E1F040D392E
client 10.178.5.153 server-key 7 060A1B29455D0C
!
aaa session-id common
switch 1 provision ws-c2960s-48 i/s-l
authentication critical recovery delay 1000
!
!
ip dhcp snooping vlan 29,320,401
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip device tracking
!
epm logging
!
crypto pki trustpoint TP-self-signed-364377856
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-364377856
revocation-check none
rsakeypair TP-self-signed-364377856
!
!
crypto pki certificate chain TP-self-signed-364377856
certificate self-signed 01
30820247 308201B 0 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
69666963 33363433 37373835 36301E17 393330 33303130 30303331 0D 6174652D
305A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3336 34333737
06092A 86 4886F70D 01010105 38353630 819F300D 00308189 02818100 0003818D
B09F8205 9DD44616 858B1F49 A27F94E4 9E9C3504 F56E18EB 6D1A1309 15C20A3D
31FCE168 5A8C610B 7F77E7FC D9AD3856 E4BABDD1 DFB28F54 6C24229D 97756ED4
975E2222 939CF878 48D7F894 618279CF 2F9C4AD5 4008AFBB 19733DDB 92BDF73E
B43E0071 C7DC51C6 B9A43C6A FF035C63 B53E26E2 C0522D40 3F850F0B 734DADED
02030100 01A 37130 03551 D 13 6F300F06 0101FF04 05300301 01FF301C 0603551D
11041530 13821150 5F494D2B 545F5374 61636B5F 322D312E 301F0603 551D 2304
18301680 1456F3D9 23759254 57BA0966 7C6C3A71 FFF07CE0 A2301D06 03551D0E
04160414 56F3D923 75925457 BA09667C 6C3A71FF F07CE0A2 2A 864886 300 D 0609
F70D0101 5B1CA52E B38AC231 E45F3AF6 12764661 04050003 81810062 819657B 5
F08D258E EAA2762F F90FBB7F F6E3AA8C 3EE98DB0 842E82E2 F88E60E0 80C1CF27
DE9D9AC7 04649AEA 51C49BD7 7BCE9C5A 67093FB5 09495971 926542 4 5A7C7022
8D9A8C2B 794D99B2 3B92B936 526216E0 79 D 80425 12B 33847 30F9A3F6 9CAC4D3C
7C96AA15 CC4CC1C0 5FAD3B
quit
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery cause psp
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/10
switchport access vlan 320
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/16
switchport access vlan 320
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
switchport access vlan 320
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/33
switchport access vlan 320
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/34
switchport access vlan 320
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/44
switchport access vlan 320
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/46
switchport access vlan 320
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
switchport access vlan 320
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/49
description link GH
switchport trunk allowed vlan 1,2,320,350,351,401
switchport mode trunk
mls qos trust dscp
ip dhcp snooping trust
!
interface GigabitEthernet1/0/52
description link CORE1
switchport trunk allowed vlan 1,2,29,277,278,314,320,401
switchport mode trunk
mls qos trust dscp
ip dhcp snooping trust
!
!
interface Vlan320
ip address 10.178.61.5 255.255.255.128
no ip route-cache cef
no ip route-cache
!
ip default-gateway 10.178.61.1
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
!
ip access-list extended ACL-AGENT-REDIRECT
deny udp any any eq domain bootps
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.178.5.152 eq 8443
permit tcp any host 10.178.5.152 eq 8905
permit udp any host 10.178.5.152 eq 8905
permit tcp any host 10.178.5.152 eq 8906
permit udp any host 10.178.5.152 eq 8906
permit tcp any host 10.178.5.152 eq 8909
permit udp any host 10.178.5.152 eq 8909
permit tcp any host 10.178.5.153 eq 8443
permit tcp any host 10.178.5.153 eq 8905
permit udp any host 10.178.5.153 eq 8905
permit tcp any host 10.178.5.153 eq 8906
permit udp any host 10.178.5.153 eq 8906
permit tcp any host 10.178.5.153 eq 8909
permit udp any host 10.178.5.153 eq 8909
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 10.178.5.152
deny ip any host 10.178.5.153
permit tcp any any eq www
permit tcp any any eq 443
ip radius source-interface Vlan320
logging esm config
logging trap alerts
logging origin-id ip
logging source-interface Vlan320
logging host 192.168.6.31
logging host 10.178.5.150 transport udp port 20514
logging host 10.178.5.151 transport udp port 20514
access-list 10 permit 10.178.5.117
access-list 10 permit 10.178.61.100
snmp-server engineID local 800000090300000A8AF5F181
snmp-server community W143L355 RO
snmp-server community w143l355 RW
snmp-server community lthpublic RO
snmp-server community lthise RO
snmp-server trap-source Vlan320
snmp-server source-interface informs Vlan320
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps cluster
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 10.178.5.152 version 2c lthise mac-notification
snmp-server host 10.178.5.153 version 2c lthise mac-notification
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 03084F030F1C24
radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 141B060305172F
radius-server vsa send accounting
radius-server vsa send authentication
Any help would be really appreciated.
I'm not sure I completely understand the question; but if ISE is only used for wireless policy, then none of the wired switches need any ISE configuration.
Access points tunnel all wireless traffic to the WLC over CAPWAP (unless you use FlexConnect). It is the 802.1X configuration on the WLC that enforces the policies defined in ISE.
Wired switches never need to act as a network access device (NAD) and so do not need to be defined in ISE unless or until you want to apply ISE policies to wired devices...
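A security caveat on the switch configuration posted in this thread, separate from the WLC question: every `password 7`, `key 7` and `server-key 7` value in it is a Cisco type 7 string, which is a fixed-key XOR obfuscation rather than a hash, and the config also publishes an SNMP `RW` community. Anyone reading the page can recover the RADIUS shared secrets and the test-account password instantly, so those secrets and the communities should be treated as disclosed and rotated (and `service password-encryption` should not be mistaken for protection; `enable secret` and `key-chain`/`secret 8`/`secret 9` hashes are the non-reversible forms). The Python below is an added example, not code from the thread or from Cisco: it implements the published type 7 algorithm and runs a small audit over a constructed config fragment, deliberately not over the real values on this page. The test vector `0822455D0A16` decoding to `cisco` is the widely published one, and the key string is the constant IOS uses.

```python
"""Cisco IOS type 7 ('password 7') is reversible obfuscation; audit a config for it.

Added example for this thread; the sample config is constructed, not the poster's.
"""
import re

# Fixed key that IOS XORs the plaintext against (public since the 1990s).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

TYPE7_RE = re.compile(r"^(?P<cmd>.*?\b(?:password|key|server-key)\s+7)\s+(?P<blob>[0-9A-Fa-f]{4,})\s*$")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)\b")

# Constructed sample in the style of the posted switch config (values are NOT from the thread).
SAMPLE_CONFIG = """\
username admin password 7 0822455D0A16
enable secret 5 $1$abcd$Not.Reversible.Like.Type7
aaa server radius dynamic-author
 client 10.0.0.5 server-key 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
"""


def type7_decode(blob: str) -> str:
    """Recover the plaintext: first two digits are the key offset, the rest is hex XOR output."""
    if len(blob) < 4 or len(blob) % 2 or not blob[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string; seed 0-15 mirrors the offset IOS picks at random."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{body.hex().upper()}"


def audit_config(cfg: str):
    """Return (line_no, kind, value) for every reversible secret and every RW community."""
    findings = []
    for n, raw in enumerate(cfg.splitlines(), 1):
        line = raw.strip()
        if m := TYPE7_RE.match(line):
            try:
                findings.append((n, "type7", type7_decode(m.group("blob"))))
            except ValueError:
                findings.append((n, "type7-malformed", m.group("blob")))
        elif (m := COMMUNITY_RE.match(line)) and m.group(2) == "RW":
            findings.append((n, "snmp-rw", m.group(1)))
    return findings


if __name__ == "__main__":
    for n, kind, value in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {kind} -> {value!r}")
```

Run as a pre-commit or pre-post check over a `show running-config` dump, this flags exactly the lines that must be scrubbed before a config is shared; the round-trip encoder is there so the decoder can be tested against values you generate yourself rather than against someone else's leaked secrets.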
-
I have problems with our VPN to AWS. The firewall configuration is below:
Firewall 1
!
hostname FW
enable password
names
!
interface GigabitEthernet0/0
description Inside_To_SW-DISTRIBUTION-01_Gi1/0/2
nameif LAN
security-level 100
ip address 172.16.x.1 255.255.252.0
!
interface GigabitEthernet0/1
description Outside_To_SW-DISTRIBUTION-01_Gi1/0/1
nameif WAN
security-level 0
ip address 212.x.x.201 255.255.255.248 standby 212.x.x.202
!
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.x.x.x 255.255.255.0
!
boot system disk0:/asa913-smp-k8.bin
ftp mode passive
clock timezone GMT/UTC 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup LAN
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.4.4.4
same-security-traffic permit intra-interface
object network OBJ-LAN-SUB-NETWORK
subnet 172.x.128.0 255.255.252.0
object network OBJ-POOL-A
range 212.x.x.195 212.x.x.196
object network obj-SrcNet
subnet 0.0.0.0 0.0.0.0
object network obj-amzn
subnet 10.32.0.0 255.255.0.0
object network gamma
subnet 88.215.48.0 255.255.240.0
object network tinet
subnet 89.149.128.0 255.255.192.0
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_5
service-object tcp-udp destination eq sip
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ldap
service-object udp destination eq domain
service-object udp destination eq ntp
object-group service imp tcp
port-object eq 5222
object-group service rtp udp
port-object range 10000 60000
object-group service sip1 tcp
port-object eq 8011
object-group service sip2 tcp
port-object eq 5080
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service DHCP udp
port-object eq bootps
object-group service DHCPrange udp
description DHCP ports
port-object range bootps bootpc
object-group network grp-voip
network-object object gamma
network-object object tinet
access-list LAN_access_in extended permit object-group DM_INLINE_SERVICE_3 object OBJ-LAN-SUB-NETWORK any4
access-list LAN_access_in extended permit object-group TCPUDP object OBJ-LAN-SUB-NETWORK any eq domain
access-list LAN_access_in extended permit ip object OBJ-LAN-SUB-NETWORK any
access-list LAN_access_in extended permit ip 10.x.x.x 255.255.255.0 any
access-list LAN_access_in extended permit udp any any object-group DHCP
access-list SPLIT-TUNNEL standard permit 172.16.x.0 255.255.252.0
access-list acl-amzn extended permit ip any4 10.32.0.0 255.255.0.0
access-list acl-amzn extended permit icmp any4 10.32.0.0 255.255.0.0
access-list global_access extended deny ip any any
access-list amzn-filter extended permit ip 10.32.0.0 255.255.0.0 172.16.128.0 255.255.252.0
access-list amzn-filter extended deny ip any any
access-list WAN_access_out extended permit object-group DM_INLINE_SERVICE_4 object OBJ-LAN-SUB-NETWORK any4
access-list WAN_access_out extended permit object-group DM_INLINE_SERVICE_5 object OBJ-LAN-SUB-NETWORK object-group grp-voip
access-list WAN_access_out extended permit udp object OBJ-LAN-SUB-NETWORK object-group grp-voip object-group rtp
access-list WAN_access_out extended permit ip object OBJ-LAN-SUB-NETWORK object obj-amzn
access-list WAN_access_out extended permit object-group TCPUDP object OBJ-LAN-SUB-NETWORK any eq domain
access-list WAN_access_out extended permit tcp object OBJ-LAN-SUB-NETWORK any4 object-group DM_INLINE_TCP_1
access-list WAN_access_out extended permit tcp any any object-group DM_INLINE_TCP_2
access-list WAN_access_out extended permit ip any any
access-list WAN_access_in extended permit ip host 52.17.201.49 host 212.84.183.201
access-list WAN_access_in extended permit ip host 52.18.197.187 host 212.84.183.201
pager lines 24
logging enable
logging console emergencies
logging monitor emergencies
logging asdm warnings
mtu LAN 1500
mtu WAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
arp timeout 14400
no arp permit-nonconnected
nat (LAN,WAN) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
nat (LAN,WAN) source static any any destination static OBJ-ANYCONNECT-SUB-NETWORK OBJ-ANYCONNECT-SUB-NETWORK no-proxy-arp route-lookup
!
object network OBJ-LAN-SUB-NETWORK
nat (LAN,WAN) dynamic pat-pool OBJ-POOL-A interface flat include-reserve
!
nat (any,WAN) after-auto source dynamic OBJ-ANYCONNECT-SUB-NETWORK interface
access-group LAN_access_in in interface LAN per-user-override
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
access-group global_access global
route WAN 0.0.0.0 0.0.0.0 212.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1387
sla monitor 1
type echo protocol ipIcmpEcho 10.x.x.x interface WAN
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df WAN
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 52.17.201.x 52.18.197.x
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface WAN
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=FW-INTERNET-LON
crl configure
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 enable WAN client-services port 443
crypto ikev1 enable WAN
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 WAN
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x source WAN
webvpn
enable WAN
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
dns-server value 8.8.8.8 4.4.4.4
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy excludespecified
default-domain value crowdmix.me
split-tunnel-all-dns enable
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool ANYCONNECT-POOL
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
tunnel-group 52.17.201.x type ipsec-l2l
tunnel-group 52.17.201.x general-attributes
default-group-policy filter
tunnel-group 52.17.201.x ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 3
tunnel-group 52.18.197.x type ipsec-l2l
tunnel-group 52.18.197.x general-attributes
default-group-policy filter
tunnel-group 52.18.197.x ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 3
tunnel-group 52.30.177.x type ipsec-l2l
tunnel-group 52.31.131.x type ipsec-l2l
!
class-map ICMP-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map icmp_policy
class ICMP-class
inspect icmp
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
icmp_policy service-policy interface WAN
context of prompt hostname
!
Booking Jumbo-image
!
no remote anonymous reporting call
Cryptochecksum:ff493f0ff375e83710e6bc9d19476e0e
: end
When I add a second VPN connection by using the commands below:
object network obj-amzn2
 subnet 10.34.0.0 255.255.0.0
nat (LAN,WAN) source static obj-SrcNet obj-SrcNet destination static obj-amzn2 obj-amzn2
I see the tunnels come up; however, we immediately begin to see the VoIP system lose SIP traffic with its servers, and even though you can still use the internet if you have an open socket, you cannot create a new session. It looks like a routing problem to me, but I can't seem to find the place where
Any help greatly appreciated
So, you want to have two virtual private networks from Amazon to blocks of different destinations, 10.32.0.0/16, and 10.34.0.0/16, correct?
-
Ssh/telnet/web ASA5505 question
I can't access this ASA from anywhere except the console.
I'm no ASA expert, but I compared it to other ASAs I have configured, and I can't find the error of my ways.
It should be easy; I just need a different set of eyes looking at it now. I hope I haven't censored too much, but I imagine that if I am able to SSH locally, it will fix all the access issues I have.
:
ASA Version 7.2(4)
!
hostname X
domain-name X.local
enable password XXXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.27.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd FOR OFFICIAL USE ONLY. Unauthorized use prohibited
banner motd Persons using this computer system are subject to having all
banner motd of their activities on this system monitored and recorded without
banner motd further notice. Auditing of users may include keystroke monitoring.
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server X.X.X.12
 name-server 4.2.2.2
 domain-name pain.local
same-security-traffic permit intra-interface
object-group service XX tcp-udp
 port-object range 60000 64999
object-group network MySpace
 network-object 67.134.143.0 255.255.255.0
 network-object 204.16.32.0 255.255.255.0
 network-object 216.178.32.0 255.255.224.0
object-group network Facebook
 network-object 69.63.176.0 255.255.255.0
 network-object 204.15.20.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object 10.x.x.0 255.255.255.0
 network-object 172.x.x.0 255.255.255.0
 network-object 10.x.x.0 255.255.255.0
 network-object 10.x.x.0 255.255.255.0
 network-object 10.x.x.0 255.255.255.0
 network-object 172.x.x.0 255.255.255.0
object-group network LocalLAN
 description Local subnet 192.168.27.x
 network-object 192.168.27.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.x.x.0 255.255.255.0
 network-object 10.x.x.0 255.255.255.0
 network-object 10.x.x.0 255.255.255.0
 network-object 10.x.x.0 255.255.255.0
 network-object 172.x.x.0 255.255.255.0
 network-object 172.x.x.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object host 64.x.x.x
 network-object host 71.x.x.x
 network-object host 74.x.x.x
 network-object host 99.x.x.x
 network-object host 173.x.x.x
 network-object 192.168.27.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list sheep extended permit ip 192.168.27.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outgoing extended deny ip any object-group MySpace inactive
access-list outgoing extended deny ip any object-group Facebook inactive
access-list outgoing extended permit icmp any any
access-list outgoing extended permit ip any any
access-list extended extended permit ip object-group LocalLAN object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list outside_cryptomap extended permit ip object-group LocalLAN object-group DM_INLINE_NETWORK_2
pager lines 24
logging enable
logging timestamp
logging list emergencies level critical
logging buffer-size 1048576
logging console emergencies
logging monitor debugging
logging trap debugging
logging asdm notifications
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging recipient-address [email protected] level critical
logging facility 23
logging permit-hostdown
logging class auth trap emergencies
record labels of class config trap
record labels of class ospf trap
logging class vpn trap alerts
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.27.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1360
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 10.x.x.x 4.2.2.2
dhcpd domain pain.local
dhcpd auto_config outside
dhcpd option 156 ascii ftpservers=10.x.x.x
dhcpd option 42 ip 208.66.175.36
!
dhcpd address 192.168.27.2-192.168.27.33 inside
dhcpd enable inside
!
ntp authentication-key 1 md5 *****
ntp authenticate
ntp server 10.x.x.x source inside
username XXXXXXXXX password XXXXXXXXXXXXXX encrypted privilege 15
tunnel-group 64.X.X.X type ipsec-l2l
tunnel-group 64.X.X.X ipsec-attributes
 pre-shared-key X
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
The part that controls where you are allowed to SSH into the ASA is these lines:
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
But have you generated the public/private keys?
ASA(config)# crypto key generate rsa general-keys modulus 2048
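As an added example (not part of karsteni's reply or of any Cisco tool), a small Python audit of the same kind of management-access statements: it parses the ssh/telnet/http lines from a constructed copy of the config above and flags entries that admit any source (0.0.0.0 0.0.0.0) or that are reachable from the outside interface. Treating the nameif outside as the only untrusted side is an assumption.

```python
"""Audit ASA management-access lines (ssh / telnet / http) for exposure.

Added example for this thread; it is not code from the post or from Cisco.
It reads the plain 'ssh|telnet|http <addr> <mask> <nameif>' statements of an
ASA running-config and reports the ones a reviewer would question.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: the management lines quoted from the ASA 7.2(4) config
# in this thread (x.x.x.x is the poster's own redaction).
SAMPLE_CONFIG = """\
http server enable
http x.x.x.x 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.27.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
telnet timeout 5
"""

# Matches only the access statements; 'ssh timeout 60' and 'http server enable'
# fail the dotted-quad mask requirement and are skipped.
MGMT_RE = re.compile(
    r"^(?P<proto>ssh|telnet|http)\s+(?P<addr>\S+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<nameif>\S+)\s*$"
)

UNTRUSTED_IFACES = {"outside"}  # assumption: the single internet-facing nameif


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def parse_mgmt_lines(config: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (proto, addr, mask, nameif) for every management access line."""
    for raw in config.splitlines():
        m = MGMT_RE.match(raw.strip())
        if m:
            yield m.group("proto"), m.group("addr"), m.group("mask"), m.group("nameif")


def is_any_source(addr: str, mask: str) -> bool:
    """True when addr/mask is 0.0.0.0 0.0.0.0, i.e. every possible source."""
    if mask != "0.0.0.0":
        return False
    try:
        return ipaddress.IPv4Address(addr) == ipaddress.IPv4Address("0.0.0.0")
    except ipaddress.AddressValueError:
        return False  # redacted text such as x.x.x.x is a specific host, not /0


def audit(config: str) -> List[Finding]:
    """Return one Finding per questionable management-access statement."""
    findings: List[Finding] = []
    for proto, addr, mask, nameif in parse_mgmt_lines(config):
        line = f"{proto} {addr} {mask} {nameif}"
        any_src = is_any_source(addr, mask)
        if any_src and nameif in UNTRUSTED_IFACES:
            findings.append(Finding(line, f"{proto} management open to the whole internet"))
        elif nameif in UNTRUSTED_IFACES:
            findings.append(Finding(line, f"{proto} management reachable from {nameif}; keep it to fixed admin hosts"))
        elif any_src:
            findings.append(Finding(line, f"{proto} allowed from any {nameif} host; scope to an admin subnet"))
        if proto == "telnet":
            findings.append(Finding(line, "telnet is cleartext; prefer ssh"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.line:40s} {f.reason}")
```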
-
I'm trying to display the traffic logs. Can someone help me with the command?
Here are the steps to set up a syslog server.
First of all, you need to install syslog server software on a computer. You can download one of the popular ones, Kiwi Syslog Server, from http://www.kiwisyslog.com/software_downloads.htm . It is listed as Kiwi Syslog Daemon and the latest version is 8.2.8. You can download the standard edition, which runs as a program.
Once the syslog server is installed, you should connect to the ASA in terminal configuration mode and enter the following commands.
logging host [in_if_name] ip_address
(example: logging host inside 1.2.3.4
We assume the syslog server is installed on the computer with IP address 1.2.3.4 in the inside network.)
logging timestamp
logging trap 4
logging on
These commands make the ASA start sending syslog messages to the syslog server.
For more information about the logging commands, see this URL:
http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_command_reference_chapter09186a008010578b.html#1028090
----------------------------------------------------------------------------------
Trap levels
0 - emergencies - System unusable messages
1 - alerts - Take immediate action
2 - critical - Critical condition
3 - errors - Error message
4 - warnings - Warning message
5 - notifications - Normal but significant condition
6 - informational - Information message
7 - debugging - Debug messages and log FTP commands and WWW URLs
Note the useful messages.
Kind regards
Sushil
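An added example, not from Sushil's post or from Cisco or Kiwi: a Python parser for the messages the ASA sends once logging trap is set. It reads the severity digit from the %ASA-L-ID tag, checks it against the syslog PRI byte (facility 23 as in the configs above) and keeps only what a given trap level would forward. The sample messages are constructed; the message IDs are real ASA IDs but every address is made up.

```python
"""Parse Cisco ASA syslog messages and apply a 'logging trap <level>' threshold.

Added example for the syslog steps above, not code from the post.
An ASA message carries its severity in the tag, e.g. %ASA-4-106023, where the
digit after 'ASA-' is the level from the trap table (0 emergencies .. 7
debugging). 'logging trap 4' forwards levels 0..4, so a collector that mirrors
that threshold keeps warnings and worse and drops notifications and below.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Optional RFC 3164 PRI, optional 'logging timestamp' prefix, then the ASA tag.
ASA_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>\w{3}\s+\d+\s+\d{4}\s+[\d:]+)\s*:\s*)?"
    r"%(?P<dev>ASA|PIX|FWSM)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# Constructed sample traffic: facility 23 (local7) gives PRI = 23*8 + severity.
SAMPLE_LINES = [
    '<188>%ASA-4-106023: Deny tcp src outside:203.0.113.9/4455 dst inside:192.168.27.10/23 by access-group "outside_access_in"',
    "<190>%ASA-6-302013: Built inbound TCP connection 1043 for outside:203.0.113.9/4455 (203.0.113.9/4455) to inside:192.168.27.10/80 (198.51.100.2/80)",
    "<189>%ASA-5-111008: User 'admin' executed the 'logging trap 4' command.",
    "<186>Jan 02 2015 10:15:01: %ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/4455 to 192.168.27.10/23 flags SYN on interface outside",
    "<187>%ASA-3-710003: TCP access denied by ACL from 203.0.113.9/2222 to outside:198.51.100.2/ssh",
    "not a firewall message",
]


@dataclass(frozen=True)
class AsaMessage:
    severity: int
    msgid: str
    text: str
    timestamp: Optional[str]

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_asa(line: str) -> Optional[AsaMessage]:
    """Return the parsed message, or None if the line is not a consistent ASA message."""
    m = ASA_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    pri = m.group("pri")
    # The low three bits of PRI are the syslog severity; a disagreement with the
    # tag means a forged or mangled line, so reject it rather than guess.
    if pri is not None and (int(pri) & 7) != sev:
        return None
    return AsaMessage(sev, m.group("msgid"), m.group("text"), m.group("ts"))


def filter_at_trap_level(lines: Iterable[str], trap_level: int) -> List[AsaMessage]:
    """Keep the messages that 'logging trap <trap_level>' would have forwarded."""
    kept: List[AsaMessage] = []
    for line in lines:
        msg = parse_asa(line)
        if msg is not None and msg.severity <= trap_level:
            kept.append(msg)
    return kept


if __name__ == "__main__":
    for msg in filter_at_trap_level(SAMPLE_LINES, 4):
        print(f"{msg.severity}-{msg.severity_name:13s} {msg.msgid} {msg.text[:60]}")
```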
-
Windows L2TP VPN clients - no Internet access, split tunnel does not work
Greetings!
I have four ASA 5505s that I configured with 4 site-to-site VPN tunnels (works perfectly) to connect our company's 4 facilities. The ASA is also configured with L2TP/IPsec remote access so that a specific group of laptop users can connect and access all facilities. That also works very well, except for one important exception: my split tunnel setting doesn't seem to work, because I can't reach Internet resources outside the VPN.
I accept the inherent risk of allowing split tunnels from a security point of view, since I take the necessary steps to secure the systems used for remote access. I would appreciate any feedback on how to get the split tunnel to work.
Here is the configuration:
: Saved
:
ASA Version 8.2(1)11
!
hostname SGC
domain-name somewhere.com
names
name 192.168.2.0 GUEST-LAN description GUEST LAN
name 75.185.129.13 SGC-EXTERNAL description INTERNAL ASA external
name 172.22.0.0 SITE1-LAN description Ohio management network
name 172.23.0.0 SITE2-LAN description Lake Club Network
name 172.24.0.0 training3-LAN description Southwood network
name 123.234.8.124 training3-ASA description Southwoods ASA
name 192.168.10.0 INTERNAL description INTERNAL Local Network
name 192.168.11.0 INTERNAL-VPN description INTERNAL VPN Clients
name 192.168.10.4 Apollo description INTERNAL domain controller
name 192.168.10.2 DHD description Access Point #1
name 192.168.10.3 GDO description Access Point #2
name 192.168.10.5 Odyssey description INTERNAL Test Server
name 192.168.10.1 SGC-INTERNAL description INTERNAL ASA internal
name 123.234.8.60 SITE1-ASA description Ohio management ASA
name 123.234.8.189 SITE2-ASA description Lake Club ASA
name 10.1.0.0 training3-VOICE description Southwood Voice Network
name 172.25.0.0 training3-WIFI description Southwood wireless
!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan2
 nameif INTERNAL
 security-level 100
 ip address SGC-INTERNAL 255.255.255.0
!
interface Vlan3
 nameif GUEST
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 description Time Warner Cable
!
interface Ethernet0/1
 switchport access vlan 2
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 2
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Ethernet0/3
 switchport access vlan 2
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Ethernet0/4
 switchport access vlan 2
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Ethernet0/5
 switchport access vlan 2
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Ethernet0/6
 description Wireless AP Trunk Port
 switchport access vlan 2
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Ethernet0/7
 description Wireless AP Trunk Port
 switchport access vlan 2
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk
!
boot system disk0:/asa821-11-k8.bin
boot config disk0:/config.txt
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup INTERNAL
dns domain-lookup GUEST
dns server-group DefaultDNS
 name-server 4.2.2.2
 domain-name somewhere.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group network DM_INLINE_NETWORK_1
 network-object SITE1-LAN 255.255.0.0
 network-object SITE2-LAN 255.255.0.0
 network-object training3-LAN 255.255.0.0
object-group network training3-GLOBAL
 description Southwood Global Network
 network-object training3-LAN 255.255.0.0
 network-object training3-VOICE 255.255.0.0
 network-object training3-WIFI 255.255.0.0
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 5900
 port-object eq 5901
object-group network INTERNAL-GLOBAL
 description INTERNAL Global Network
 network-object INTERNAL 255.255.255.0
 network-object INTERNAL-VPN 255.255.255.0
access-list outside_access remark Allow pings
access-list outside_access extended permit icmp any host SGC-EXTERNAL
access-list outside_access remark VNC for Camille
access-list outside_access extended permit tcp any host SGC-EXTERNAL object-group DM_INLINE_TCP_2
access-list outside_access remark INTERNAL Services
access-list outside_access extended permit tcp any host SGC-EXTERNAL object-group DM_INLINE_TCP_1
access-list DefaultRAGroup_splitTunnelAcl standard permit INTERNAL 255.255.255.0
access-list sheep extended permit ip INTERNAL 255.255.255.0 INTERNAL-VPN 255.255.255.0
access-list sheep extended permit ip object-group INTERNAL-GLOBAL SITE1-LAN 255.255.0.0
access-list sheep extended permit ip object-group INTERNAL-GLOBAL SITE2-LAN 255.255.0.0
access-list sheep extended permit ip object-group INTERNAL-GLOBAL object-group training3-GLOBAL
access-list INTERNAL-to-SITE1 extended permit ip object-group INTERNAL-GLOBAL SITE1-LAN 255.255.0.0
access-list INTERNAL-to-training3 extended permit ip object-group INTERNAL-GLOBAL object-group training3-GLOBAL
access-list INTERNAL-to-SITE2 extended permit ip object-group INTERNAL-GLOBAL SITE2-LAN 255.255.0.0
no pager
logging enable
logging asdm warnings
logging trap debugging
mtu outside 1500
mtu INTERNAL 1500
mtu GUEST 1500
ip local pool INTERNAL-VPN 192.168.11.1-192.168.11.25 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (INTERNAL) 0 access-list sheep
nat (INTERNAL) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 0.0.0.0 0.0.0.0
static (GUEST,outside) tcp interface 5900 Camille 5900 netmask 255.255.255.255
static (INTERNAL,outside) tcp interface 3389 Apollo 3389 netmask 255.255.255.255
static (INTERNAL,outside) tcp interface www Apollo www netmask 255.255.255.255
static (INTERNAL,outside) tcp interface https Apollo https netmask 255.255.255.255
static (INTERNAL,outside) tcp interface smtp Apollo smtp netmask 255.255.255.255
static (GUEST,outside) tcp interface 5901 puppy 5901 netmask 255.255.255.255
access-group outside_access in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Apollo protocol radius
aaa-server Apollo (INTERNAL) host Apollo
 timeout 5
 key *****
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 INTERNAL
http 0.0.0.0 0.0.0.0 GUEST
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address INTERNAL-to-SITE1
crypto map outside_map 1 set peer SITE1-ASA
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address INTERNAL-to-training3
crypto map outside_map 2 set peer training3-ASA
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address INTERNAL-to-SITE2
crypto map outside_map 3 set peer SITE2-ASA
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-delimiter @
telnet training3-ASA 255.255.255.255 outside
telnet SITE2-ASA 255.255.255.255 outside
telnet SITE1-ASA 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 INTERNAL
telnet 0.0.0.0 0.0.0.0 GUEST
telnet timeout 60
SSH enable ibou
ssh training3-ASA 255.255.255.255 outside
ssh SITE2-ASA 255.255.255.255 outside
ssh SITE1-ASA 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 INTERNAL
ssh 0.0.0.0 0.0.0.0 GUEST
ssh timeout 60
console timeout 0
management-access INTERNAL
l2tp tunnel hello 100
dhcp-client client-id interface outside
dhcpd dns 4.2.2.1 4.2.2.2
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.200 INTERNAL
dhcpd dns Apollo Odyssey interface INTERNAL
dhcpd domain somewhere.com interface INTERNAL
dhcpd option 150 ip 10.1.1.40 interface INTERNAL
dhcpd enable INTERNAL
!
dhcpd address 192.168.2.100-192.168.2.200 GUEST
dhcpd dns 4.2.2.1 4.2.2.2 interface GUEST
dhcpd enable GUEST
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source outside prefer
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.4.2048.pkg
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
 svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.10.4
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value somewhere.com
group-policy DefaultWEBVPNGroup internal
group-policy DefaultWEBVPNGroup attributes
 vpn-tunnel-protocol webvpn
group-policy DefaultL2LGroup internal
group-policy DefaultL2LGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DefaultACVPNGroup internal
group-policy DefaultACVPNGroup attributes
 vpn-tunnel-protocol svc
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.10.4 4.2.2.2
 vpn-simultaneous-logins 25
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value somewhere.com
 address-pools value INTERNAL-VPN
 smartcard-removal-disconnect disable
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
tunnel-group DefaultRAGroup general-attributes
 address-pool INTERNAL-VPN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool INTERNAL-VPN
 default-group-policy DefaultWEBVPNGroup
tunnel-group 123.234.8.60 type ipsec-l2l
tunnel-group 123.234.8.60 ipsec-attributes
 pre-shared-key *****
tunnel-group 123.234.8.124 type ipsec-l2l
tunnel-group 123.234.8.124 ipsec-attributes
 pre-shared-key *****
tunnel-group 123.234.8.189 type ipsec-l2l
tunnel-group 123.234.8.189 ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultACVPNGroup type remote-access
tunnel-group DefaultACVPNGroup general-attributes
 address-pool INTERNAL-VPN
 default-group-policy DefaultACVPNGroup
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect ils
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423c807c0d63cb3e9aeceda977053f84
: end
asdm image disk0:/asdm-623.bin
asdm location Camille 255.255.255.255 INTERNAL
asdm location SGC-EXTERNAL 255.255.255.255 INTERNAL
asdm location SITE1-LAN 255.255.0.0 INTERNAL
asdm location SITE2-LAN 255.255.0.0 INTERNAL
asdm location training3-LAN 255.255.0.0 INTERNAL
asdm location training3-ASA 255.255.255.255 INTERNAL
asdm location GDO 255.255.255.255 INTERNAL
asdm location SITE1-ASA 255.255.255.255 INTERNAL
asdm location SITE2-ASA 255.255.255.255 INTERNAL
asdm location training3-VOICE 255.255.0.0 INTERNAL
asdm location puppy 255.255.255.255 INTERNAL
asdm history enable
I should also mention that my test clients are a combination of Windows XP, Windows 7, and Windows Mobile. Other than specifying the preshared key and forcing L2TP/IPsec on the client side, the VPN settings on the clients are the defaults, using MS-CHAP/MS-CHAPv2.
You must configure *intercept-dhcp enable* in your group policy:
group-policy DefaultRAGroup attributes
 dns-server value 192.168.10.4
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value somewhere.com
 intercept-dhcp enable
- Laptop VPN clients (which I assume are Windows computers) also need the *Use default gateway on remote network* box unchecked. It is located on the Advanced tab of the VPN client's TCP/IP properties. Select the VPN client > Properties > Networking > Internet Protocol (TCP/IP) > Properties > Advanced and uncheck the box.
Alex
-
ISE CWA with foreign/anchor WLC deployment - user names missing
I'm not sure if this belongs in the mobility or the security section - I'll just give it a try here.
I've set up guest wireless access with Cisco ISE 1.3 (patch 2) and a foreign/anchor WLC deployment (7.6.130.0).
So far almost everything works fine, but I probably have a problem with Cisco ISE logging. In the 'Live Authentications' log, I see the authentication succeed, but the Identity column shows just the MAC address of the endpoint.
If I navigate to the endpoint identity store, the guest endpoint is in the right group (GuestEndpoints), and when I look at the endpoint details, I can see the "portalusername" who created the user. If I click on the active endpoints view (see attachment), I can see all active clients (Authz profile "PermitAccess"). I guess the client's user name should be filled in there as well, no?
Does anyone have an idea what the cause of this is? Or is this the normal behavior?
My authentication rules are:
If "Wireless_MAB" AND "RADIUS:Called-Station-ID ENDS_WITH Guest-SSID" then use "Internal Endpoints" and continue if "user not found".
My authorization rules are:
1.) if GuestEndpoints AND (Wireless_MAB AND RADIUS:Called-Station-ID ENDS_WITH Guest-SSID) then PermitAccess
2.) if (Wireless_MAB AND RADIUS:Called-Station-ID ENDS_WITH Guest-SSID) then GUEST_WEBAUTH
The GUEST_WEBAUTH Authz profile defines the CWA and the preauthentication ACL for the WLC.
On the WLC, I just configured the foreign WLC with the RADIUS (ISE) server and enabled MAC authentication on the SSID.
All parameters such as aaa-override and RADIUS NAC are defined. The RADIUS server defined is set to "settler" to comply with the ISE.
According to my experience, this is the expected behavior. The new workflow for the guest use case starting with ISE 1.3 typically includes endpoint registration. Your authz policy for post-portal authentication (after the CoA) needs to use the MAC address as the identity for guest permissions, not the guest credentials used on the portal.
That being said, I would like to be able to see the portal user's username whenever a registered endpoint authenticates (until it is purged by the endpoint purge policy, of course).
Tim
-
ASA AnyConnect VPN does not work or download the VPN client
I have a Cisco ASA 5505 that I'm trying to configure for AnyConnect VPN. I've changed my setup several times, but when trying to reach my static public IP address from an external IP address to download the image, I am not able to. Also, when I do a packet tracer, I see it gets dropped by the ACL: when the packets come from outside to the ASA via port 443, it drops because of the ACL. So my DMZ will look like something trying to access the ASA via the VPN going to port 443. Here is my config
XXXX # sh run
: Saved
:
ASA Version 8.4 (3)
!
hostname XXXX
search for domain name
activate pFTzVNrKdD9x5rhT encrypted password
zPBAmb8krxlXh.CH encrypted passwd
names of
!
interface Ethernet0/0
Outside-interface description
switchport access vlan 20
!
interface Ethernet0/1
Uplink DMZ description
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
Ganymede + ID description
switchport access vlan 10
switchport monitor Ethernet0/0
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
Description Wireless_AP_Loft
switchport access vlan 10
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
IP address x.x.x.249 255.255.255.248
!
Vlan30 interface
no interface before Vlan10
nameif dmz
security-level 50
IP 172.16.30.1 255.255.255.0
!
boot system Disk0: / asa843 - k8.bin
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
search for domain name
network obj_any1 object
subnet 0.0.0.0 0.0.0.0
network of the Webserver_DMZ object
Home 172.16.30.8
network of the Mailserver_DMZ object
Home 172.16.30.7
the object DMZ network
172.16.30.0 subnet 255.255.255.0
network of the FTPserver_DMZ object
Home 172.16.30.9
network of the Public-IP-subnet object
subnet x.x.x.248 255.255.255.248
network of the FTPserver object
Home 172.16.30.8
network of the object inside
192.168.10.0 subnet 255.255.255.0
network of the VPN_SSL object
10.101.4.0 subnet 255.255.255.0
outside_in list extended access permit tcp any newspaper object Mailserver_DMZ eq www
outside_in list extended access permit tcp any newspaper EQ 587 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper SMTP object Mailserver_DMZ eq
outside_in list extended access permit tcp any newspaper of the Mailserver_DMZ eq pop3 object
outside_in list extended access permit tcp any newspaper EQ 2525 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper of the Mailserver_DMZ eq imap4 object
outside_in list extended access permit tcp any newspaper EQ 465 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper EQ 993 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper EQ 995 object Mailserver_DMZ
outside_in list extended access permit tcp any newspaper EQ 5901 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper Mailserver_DMZ eq https object
Note access list ACL for VPN Tunnel from Split vpn_SplitTunnel
vpn_SplitTunnel list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer to 8192
logging trap warnings
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
local pool VPN_SSL 10.101.4.1 - 10.101.4.4 255.255.255.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 647.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source inside inside static destination VPN_SSL VPN_SSL
NAT (exterior, Interior) static source VPN_SSL VPN_SSL
!
network obj_any1 object
NAT static interface (indoor, outdoor)
network of the Webserver_DMZ object
NAT (dmz, outside) static x.x.x.250
network of the Mailserver_DMZ object
NAT (dmz, outside) static x.x.x.. 251
the object DMZ network
NAT (dmz, outside) static interface
Access-group outside_in in external interface
Route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HNIC protocol tacacs+
aaa-server HNIC (inside) host 192.168.10.2
 timeout 60
 key *****
user-identity default-domain LOCAL
aaa authentication http console HNIC
aaa authentication ssh console HNIC
aaa authentication telnet console HNIC
aaa authentication secure-http-client
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto ca trustpoint VPN_Articulate2day
 enrollment self
 subject-name CN=vpn.articulate2day.com
 keypair sslvpnkey
 crl configure
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
console timeout 0
no vpn-addr-assign aaa
dhcp-client update dns
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.150 inside
dhcpd enable inside
!
dhcpd address 172.16.30.20-172.16.30.23 dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 192.168.10.2
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux-64-3.1.06079-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy VPN_SSL internal
group-policy VPN_SSL attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
 address-pools value VPN_SSL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 15
  anyconnect ssl compression deflate
  anyconnect ask enable
username ronmitch50 password spn1SehCw8TvCzu7 encrypted
username ronmitch50 attributes
 service-type remote-access
tunnel-group VPN_SSL_Clients type remote-access
tunnel-group VPN_SSL_Clients general-attributes
 address-pool VPN_SSL
 default-group-policy VPN_SSL
tunnel-group VPN_SSL_Clients webvpn-attributes
 group-alias VPNSSL_GNS3 enable
tunnel-group VPN_SSL type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
XXXX#
You do not have this configuration:
object network DMZ
 nat (dmz,outside) static interface
Try and take (or delete):
object network DMZ
 nat (dmz,outside) dynamic interface