External VPN groups on AAA server: strange behavior

Hi all

The other day I was setting up a test VPN 3000 with external groups configured on a RADIUS server. Let's say a SALES group with group password 1234, which I also configured on the VPN 3000 as "external". I assigned a few users to this group (we'll call them Jack and Mary). So far no user could authenticate successfully (authentication failure event).

After spending hours trying to solve the problem, I set up a new user whose name is SALES and whose password is 1234 (identical to the group) and assigned it to the SALES group, as I had seen in a sample config. After this, Jack and Mary can authenticate and establish the tunnel.

The problem is now resolved, but my question is: why is this required? Does this mean that for each external group I create, I must also create a user with the same name as the group and assign it to the group, so that the rest of the users in this group can authenticate normally?

I tried looking for answers on the web, but so far I have found none.

Any explanation would be appreciated.

Thank you

MB

Yes, this is how it's done. You must add the 'external' groups defined on the VPN 3000 / ASA as 'user' entries on the AAA server. That entry is used to authenticate the "group" name/password itself. Take a look at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a00800948c1.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00807f6e76.shtml

Regards

Farrukh
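As an added example (not part of the original thread and not Cisco's code), the following Python models both sides of the exchange the answer describes: the concentrator sends an ordinary RADIUS Access-Request carrying the group name and password before it authenticates the user, so the RADIUS server needs a user record named after the group. The User-Password hiding follows RFC 2865; the user store, the shared secret and the names SALES, Jack and Mary are constructed to mirror the thread, and `tunnel_login` is a simplified model of the two-phase login, not the VPN 3000 implementation.

```python
import hashlib
import secrets
import struct

# Constructed shared secret for the model; never reuse a literal like this.
SHARED_SECRET = b"constructed-shared-secret"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous ciphertext block), seeded
    with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """Code 1 (Access-Request), identifier, length, 16-byte random Request
    Authenticator, then User-Name (type 1) and User-Password (type 2)."""
    authenticator = secrets.token_bytes(16)
    attrs = b""
    for typ, value in ((1, username.encode()),
                       (2, hide_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", typ, 2 + len(value)) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes):
    """Server-side parse; rejects malformed lengths instead of guessing."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[typ] = packet[pos + 2:pos + alen]
        pos += alen
    username = attrs[1].decode()
    password = unhide_password(attrs[2], secret, authenticator).decode()
    return ident, username, password


class RadiusServer:
    """Minimal model of the RADIUS user store: name -> (password, group)."""

    def __init__(self, users: dict, secret: bytes):
        self.users, self.secret = users, secret

    def handle(self, packet: bytes):
        """Return (accepted, group) the way Access-Accept/Reject would."""
        _, name, password = parse_access_request(packet, self.secret)
        entry = self.users.get(name)
        if entry is None or not secrets.compare_digest(entry[0], password):
            return False, None
        return True, entry[1]


def tunnel_login(server: RadiusServer, group: str, group_pw: str, user: str, user_pw: str) -> str:
    """Phase 1: the concentrator authenticates the group credentials as an
    ordinary user. Phase 2: the user's own credentials, which must belong to
    that group. Simplified model of the thread's behaviour, not Cisco code."""
    ok, _ = server.handle(build_access_request(1, group, group_pw, server.secret))
    if not ok:
        return "group-auth-failed"
    ok, member_of = server.handle(build_access_request(2, user, user_pw, server.secret))
    if not ok:
        return "user-auth-failed"
    if member_of != group:
        return "wrong-group"
    return "tunnel-up"


# Constructed sample data mirroring the thread: Jack and Mary in SALES.
USERS_WITHOUT_GROUP_RECORD = {"jack": ("jack-pw", "SALES"), "mary": ("mary-pw", "SALES")}
USERS_WITH_GROUP_RECORD = {**USERS_WITHOUT_GROUP_RECORD, "SALES": ("1234", None)}

if __name__ == "__main__":
    for users in (USERS_WITHOUT_GROUP_RECORD, USERS_WITH_GROUP_RECORD):
        srv = RadiusServer(users, SHARED_SECRET)
        print(sorted(users), tunnel_login(srv, "SALES", "1234", "jack", "jack-pw"))
```

With the first store the group phase fails before Jack's credentials are ever checked; adding the SALES record makes the same login succeed, which is exactly the symptom in the question. Note that the group password travels over RADIUS like any user password, so it deserves the same handling (unique per group, rotated, and the shared secret kept strong) as a user credential.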

Tags: Cisco Security

Similar Questions

  • Multiple AAA server hosts for VPN authentication

    ASA5510 - 7.2(1)

    Using the following configuration, I'm trying to have multiple RADIUS servers configured for VPN authentication backup in case the primary fails. This seems to work OK. But once the main server is back up, when will the ASA begin to use it again? The output of "aaa-server host 172.25.4.20" says:

    Server status: FAILED, Server disabled at 08:04:25.

    How do you reactivate it?

    aaa-server adauth protocol radius
    aaa-server adauth host 172.25.4.20
     key *
     authentication-port 1812
     accounting-port 1813
    aaa-server adauth host 172.25.4.40
     key *
     authentication-port 1812
     accounting-port 1813
    tunnel-group group general-attributes
     address-pool pool
     authentication-server-group adauth
     default-group-policy

    You can add this option in the aaa-server group:

    reactivation-mode timed

    This causes a dead server to be added back to the pool after 30 seconds.

    The following link has some good info on the options available. I suggest searching the doc for "reactivation".

    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/crt_711.pdf

    -Eric

    Please remember to rate all the useful posts.
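As an added example (not part of the thread and not Cisco code), this Python models the difference between the two ASA reactivation modes the answer touches on: in the default depletion mode a failed server is only retried once every server in the group has failed and the deadtime has elapsed, while in timed mode each failed server is retried after a fixed interval (30 seconds, as the answer states). The two host addresses are taken from the question; the deadtime default and the state machine are a simplified model of the documented behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AaaServer:
    address: str
    failed_at: Optional[float] = None  # None means the server is active


@dataclass
class AaaServerGroup:
    """Simplified model of ASA aaa-server group failover (not Cisco code).
    'depletion' (the default): a failed server is only retried once every
    server in the group has failed and the deadtime has passed.
    'timed': each failed server is retried after a fixed interval."""
    servers: List[AaaServer]
    mode: str = "depletion"
    deadtime: float = 600.0        # depletion deadtime, 10 minutes by default
    timed_interval: float = 30.0   # timed mode retry interval
    depleted_at: Optional[float] = None

    def _reactivate(self, now: float) -> None:
        all_failed = all(s.failed_at is not None for s in self.servers)
        for s in self.servers:
            if s.failed_at is None:
                continue
            if self.mode == "timed" and now - s.failed_at >= self.timed_interval:
                s.failed_at = None
            elif (self.mode == "depletion" and all_failed
                  and self.depleted_at is not None
                  and now - self.depleted_at >= self.deadtime):
                s.failed_at = None
        if any(s.failed_at is None for s in self.servers):
            self.depleted_at = None

    def active_servers(self, now: float) -> List[str]:
        self._reactivate(now)
        return [s.address for s in self.servers if s.failed_at is None]

    def select(self, now: float) -> Optional[str]:
        """The ASA tries servers in configuration order, skipping failed ones."""
        active = self.active_servers(now)
        return active[0] if active else None

    def mark_failed(self, address: str, now: float) -> None:
        for s in self.servers:
            if s.address == address:
                s.failed_at = now
        if all(s.failed_at is not None for s in self.servers):
            self.depleted_at = now


def make_group(mode: str) -> AaaServerGroup:
    # Constructed to mirror the thread's two RADIUS hosts.
    return AaaServerGroup([AaaServer("172.25.4.20"), AaaServer("172.25.4.40")], mode=mode)


def primary_after_outage(mode: str, elapsed: float) -> Optional[str]:
    """Primary fails at t=0; which server is selected `elapsed` seconds later?"""
    grp = make_group(mode)
    grp.mark_failed("172.25.4.20", now=0.0)
    return grp.select(now=elapsed)


if __name__ == "__main__":
    for mode in ("depletion", "timed"):
        print(mode, [primary_after_outage(mode, t) for t in (10, 60, 900)])
```

The model shows the trade-off behind the answer: depletion mode keeps the VPN on the backup for as long as the backup works, so a recovered primary stays idle, whereas timed mode re-tries the primary every 30 seconds at the cost of a slow authentication for any request that hits it while it is still down.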

  • AAA server group does not work

    All,

    I have an AAA server group set up on my router to use for TACACS+ AAA, but it doesn't work that way; when I simply specify a server and not the group list, everything works. Any ideas why this is? I'm going to post the config.

    *****************************************************

    version 12.2
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname BUSINESS
    !
    aaa new-model
    aaa group server tacacs+ TACSLOG
     server 192.x.x.x
     server 192.x.x.x
    !
    aaa authentication login default group TACSLOG local
    aaa authorization exec default group TACSLOG local
    aaa accounting exec default start-stop group TACSLOG
    aaa accounting commands 5 default start-stop group TACSLOG
    aaa accounting commands 15 default stop-only group TACSLOG
    enable password xxx
    !
    username xxx password xxx
    username xxx privilege 15
    username xxx autocommand menu ADMIN1
    ip subnet-zero
    !
    !
    ip domain-name SBA.GOV
    !
    !
    call rsvp-sync
    !
    interface FastEthernet0/0
     ip address 192.x.x.x 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    ip classless
    no ip http server
    !
    !
    menu ADMIN1 prompt ^CSELECT AN OPTION PUNK^C
    menu ADMIN1 text 1 SHO IP INTERFACE BRIEF
    menu ADMIN1 command 1 SHOW IP INTERFACE BRIEF
    menu ADMIN1 text 2 SHOW INTERFACE FA0/0
    menu ADMIN1 command 2 SHO INT FA0/0
    menu ADMIN1 text 3 SHOW RUN INTERFACE FA0/0
    menu ADMIN1 command 3 SHOW RUN INT FA0/0
    menu ADMIN1 text 4 SHOW ARP
    menu ADMIN1 command 4 SHOW ARP
    menu ADMIN1 text 5 EXIT
    menu ADMIN1 command 5 LOGOUT
    !
    dial-peer cor custom
    !
    privilege exec level 5 show ip interface brief
    privilege exec level 5 show interface fa0/0
    privilege exec level 5 show running-config interface fa0/0
    privilege exec level 5 show arp
    !
    line con 0
    line aux 0
    line vty 0 4
     password xxx
    !
    end

    When you define an AAA server group, you associate the server's IP address with the group name. You must still define the AAA server separately, which is also where you set the key that is used. In your case, you must add to your configuration:

    tacacs-server host 192.x.x.x key xxx
    tacacs-server host 192.x.x.x key xxx

    HTH

    Steve

  • Strange Apple mouse behavior in ESXi VM (Windows Server 2008 R2) / ESXi host nested in Fusion Pro 8

    Hello

    My Apple mouse shows strange behavior when I start my VM and click in it.

    It's an ESXi host nested in a virtual machine in Fusion 8 Pro.

    Can someone explain it to me?

    Kind regards

    Roland

    There have always been problems when using nested desktops; it is simply the result of how the mouse fundamentally behaves and how its position gets interpolated differently through nested VMRC windows.

    I would just connect to the console of the VM (via vCenter) directly from the Mac, with the guest.

    (192.168.178.42 would be accessible from the Mac, and the VMRC plugin works very well.)

  • IOS AnyConnect VPN group-lock and user restrictions

    Dear Experts,

    I now have two questions about Cisco IOS VPN on ISR G2:

    1 - Is it possible to lock a user to a group in IOS AnyConnect VPN as we can do on ASA? If so, can someone share the steps for it?

    2 - A customer wishes to restrict AnyConnect user login so that the connection is turned on for the user on request. That is, whenever the user wants to connect via VPN, they ask the administrator to allow the connection. Can we do this without deleting the username and creating it again?

    The other may be on ASA or IOS.

    Please see this guide:

    http://www.Cisco.com/c/en/us/support/docs/security/iOS-easy-VPN/117634-c...

    As it points out: "For Cisco IOS group-lock and ipsec:user-vpn-group, it only works for IPsec (the Easy VPN server). In order to group-lock specific users into specific WebVPN contexts (and the group policies attached to them), authentication domains should be used."

    If you lock a user to a policy that authenticates but does not provide real access permissions (say an ACL that blocks all traffic to the private network), then you have essentially made their ability to connect non-functional.

    If you use an external AAA server (for example RADIUS or LDAP), then you can move users in and out of the authorized group without disabling VPN access / deleting their account altogether.

  • Cisco AnyConnect VPN with LDAP AAA

    Hi there, I was hoping someone can point me in the right direction here. I created a VPN connection profile to match incoming AnyConnect SSL clients. I would like to use LDAP group membership as a prerequisite for authentication. I found a few online pages on what to do, which I followed. Unfortunately, it seems my connection profile allows access to any user in the LDAP database, not only those in the LDAP group. I'll post the relevant bits of the config here in the hope that someone can point out my mistake!

    The idea of the config is to have the 2 default connection profiles map to a NoAccess policy which has 0 simultaneous logins, and the SSL_VPN connection profile map AnyConnect SSL clients to the GroupPolicy_SSL_VPN group policy.

    ip local pool CONTOSOVICVPN_DHCP_POOL 10.0.5.51-10.0.5.254 mask 255.255.255.0

    nat (inside_int,any) source static NetworkGroup_Internal_networks NetworkGroup_Internal_networks destination static Network_VPNRANGE_10.0.5.0 Network_VPNRANGE_10.0.5.0 no-proxy-arp route-lookup

    ldap attribute-map AuthUsers
     map-name memberOf Group-Policy
     map-value memberOf CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=network,OU=resources,OU=CONTOSO,OU=security,OU=Groups,DC=CONTOSO,DC=group

    dynamic-access-policy-record DfltAccessPolicy

    aaa-server CONTOSOVIC_LDAP protocol ldap
    aaa-server CONTOSOVIC_LDAP (inside_int) host 10.0.0.45
     ldap-base-dn DC=CONTOSO,DC=group
     ldap-group-base-dn DC=CONTOSO,DC=group
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn CN=ASA_LDAP_USER,OU=network,OU=accounts,DC=CONTOSO,DC=group
     server-type microsoft

    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp

    ssl trust-point ASDM_TrustPoint4 outside_int
    webvpn
     enable outside_int
     anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy NoAccess internal
    group-policy NoAccess attributes
     wins-server none
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
     default-domain value CONTOSO.group
     split-tunnel-all-dns disable
    group-policy DfltGrpPolicy attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
    group-policy GroupPolicy_SSL_VPN internal
    group-policy GroupPolicy_SSL_VPN attributes
     wins-server none
     dns-server value 10.0.0.45
     vpn-simultaneous-logins 1
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
     group-lock value SSL_VPN
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_SPLIT_TUNNEL
     default-domain value CONTOSO.group
     split-tunnel-all-dns enable
     address-pools value CONTOSOVICVPN_DHCP_POOL

    tunnel-group DefaultRAGroup general-attributes
     authorization-server-group CONTOSOVIC_LDAP
     default-group-policy NoAccess
     authorization-required
    tunnel-group DefaultRAGroup webvpn-attributes
     radius-reject-message
    tunnel-group DefaultWEBVPNGroup general-attributes
     default-group-policy NoAccess
    tunnel-group SSL_VPN type remote-access
    tunnel-group SSL_VPN general-attributes
     address-pool CONTOSOVICVPN_DHCP_POOL
     authentication-server-group CONTOSOVIC_LDAP
     authorization-server-group CONTOSOVIC_LDAP
     default-group-policy GroupPolicy_SSL_VPN
     authorization-required
    tunnel-group SSL_VPN webvpn-attributes
     radius-reject-message
     proxy-auth sdi
     group-alias CONTOSOvicvpn.CONTOSOgroup.com.au enable

    You must specify the NoAccess group policy as the default group policy for the SSL_VPN tunnel group.

    Remember to rate helpful answers. :)
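As an added example (not part of the thread and not Cisco code), this Python models how the memberOf values returned by LDAP are matched against an ldap attribute-map and why the tunnel-group's default-group-policy decides what everyone outside the mapped group gets. The DN, the policy names and their vpn-simultaneous-logins and group-lock values are taken from the posted config; the user records ALICE and BOB are constructed, and the matching rules are a simplified model of the ASA's behaviour.

```python
from typing import Dict, Iterable, Tuple


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: case-insensitive, whitespace around
    '=' and ',' ignored. The whole memberOf value is compared, not a substring."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


# Constructed to mirror the thread: one map-value under the AuthUsers map,
# pointing at the policy that actually grants a session.
ATTRIBUTE_MAP = {
    normalize_dn("CN=NETWORK_CONTOSO_ASA_VPN_DLSG,OU=network,OU=resources,"
                 "OU=CONTOSO,OU=security,OU=Groups,DC=CONTOSO,DC=group"): "GroupPolicy_SSL_VPN",
}

# group-policy name -> (vpn-simultaneous-logins, group-lock or None), from the config above
GROUP_POLICIES = {
    "NoAccess": (0, None),
    "GroupPolicy_SSL_VPN": (1, "SSL_VPN"),
}


def resolve_group_policy(member_of: Iterable[str], attribute_map: Dict[str, str],
                         default_policy: str) -> str:
    """First memberOf value with a map-value wins; otherwise the tunnel-group's
    default-group-policy applies."""
    for dn in member_of:
        policy = attribute_map.get(normalize_dn(dn))
        if policy is not None:
            return policy
    return default_policy


def authorize(member_of: Iterable[str], tunnel_group: str, default_policy: str,
              attribute_map: Dict[str, str] = ATTRIBUTE_MAP,
              policies: Dict[str, Tuple[int, str]] = GROUP_POLICIES) -> Tuple[str, bool]:
    """Return (effective policy, session allowed). A session is refused when the
    policy allows zero simultaneous logins or its group-lock names a different
    tunnel-group than the one the client connected to."""
    policy = resolve_group_policy(member_of, attribute_map, default_policy)
    max_logins, group_lock = policies[policy]
    allowed = max_logins > 0 and (group_lock is None or group_lock == tunnel_group)
    return policy, allowed


# Constructed sample users: Alice is in the VPN group (DN written with different
# case and spacing than the map, which still matches), Bob is not.
VPN_GROUP_DN = ("cn=network_contoso_asa_vpn_dlsg, ou=network, ou=resources, "
                "ou=contoso, ou=security, ou=groups, dc=contoso, dc=group")
ALICE = [VPN_GROUP_DN, "CN=Domain Users,CN=Users,DC=CONTOSO,DC=group"]
BOB = ["CN=Domain Users,CN=Users,DC=CONTOSO,DC=group"]

if __name__ == "__main__":
    for default in ("GroupPolicy_SSL_VPN", "NoAccess"):
        print(default, "alice:", authorize(ALICE, "SSL_VPN", default),
              "bob:", authorize(BOB, "SSL_VPN", default))
```

With `GroupPolicy_SSL_VPN` as the tunnel-group default, Bob is let in even though no map-value matched him, which is the symptom in the question; with `NoAccess` as the default only users whose memberOf hits the map get a session, while the group-lock on `GroupPolicy_SSL_VPN` still refuses Alice if she arrives through a different tunnel-group.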

  • Multiple VPN groups on the ASA firewall

    I have a remote-access VPN configured on my ASA firewall with a group of users configured on the external ACS server. The group, called VPNASA, authenticates via the ACS server and the IP pool is on the ASA firewall. Now my boss asked me to set up a second VPN group called VPNSALES on the ACS server for the same remote VPN on the ASA firewall. How do I configure the ASA firewall to accept both groups and authenticate against the same ACS server? I've never done this before, so I need help.

    Thank you very much!

    Hello

    All you need to do is create another group policy and attach it to a tunnel group:

    group-policy vpnsales internal
    group-policy vpnsales attributes
     banner value VPN access for the sales team
     dns-server value x.x.x.x
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-sales
     address-pools value sales-pool
     default-domain value mydomain.com
    tunnel-group vpnsales type remote-access
    tunnel-group vpnsales general-attributes
     authentication-server-group vpnsales
     default-group-policy vpnsales
    tunnel-group vpnsales ipsec-attributes
     pre-shared-key *

    You will also need to create an attribute map named vpnsales for the ACS authentication.

    Thank you

    Manish

  • Strange USB flash drive behavior on Satellite A100-626

    Hello

    I installed Windows Vista Business Edition on my Satellite A100-626 (PSAA9) following the instructions provided on the drivers web page.

    So far everything works as expected, except for one little (or not so little) issue.

    When I ask Vista to 'Safely Remove Hardware' for my USB flash drive, a popup appears telling me I can remove it. So far, so good :D

    The only thing is that the flash drive is not powered off as might be expected, and a yellow question mark appears in Device Manager.

    Opening the question mark, one can read the following:

    "Windows cannot use this hardware device because it has been prepared for safe removal, but it has not been removed from the computer. (Code 47) To resolve this issue, disconnect the device from your computer and plug it in again."

    Following the instructions above, the light turns off, lol...

    Has anyone else met this strange behavior? If so, any solution?

    I tried a few USB flash drives that run fine on XP and they all do the same thing.

    Thank you, Nuno!

    Hi Nuno

    It's very strange. I have the Satellite A100-504 (comes with Windows XP Home edition). Last week I installed Vista and all the stuff, following the Toshiba installation document instructions. I use a wireless mouse, an external USB HDD and a web cam. Using these external devices I never noticed similar behavior.

    Do you have the same situation with all the USB ports?

  • IPsec IKEv2 Cisco AAA server

    Good day

    Is it possible to configure an IPsec IKEv2 VPN without an AAA server? Or at least to use the ASA 5508-X itself as the AAA server for VPN users?

    Hello

    I have attached the ASDM screenshot for doing LOCAL authentication and DHCP address assignment for VPN users.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • How to use 2 AAA servers for different connection endpoints

    Hello, could you help me?

    This is part of my setup; I would like to add another RADIUS server, which should take care of telnet on vty 0 4.

    RADIUS server 10.20.30.40 supports the virtual-access users, and I have another RADIUS server which takes care of logins to our network equipment.

    ! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
    !
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login no_tacacs enable
    aaa authentication ppp default group tacacs+
    aaa authorization exec default group tacacs+
    aaa authorization network default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    !
    virtual-profile virtual-template 1
    virtual-profile aaa
    !
    interface Serial2/0:15
     description ISDN30
     no ip address
     encapsulation ppp
     no ip route-cache
     no keepalive
     dialer pool-member 10
     isdn switch-type primary-net5
     isdn tei-negotiation first-call
     isdn calling-number XXXXXXX
     no fair-queue
     compress stac
     no cdp enable
     ppp authentication chap
     ppp multilink
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet1/0
     ip nat outside
     ppp authentication chap
    !
    radius-server host 10.20.30.40 key *
    !
    line con 0
     exec-timeout 20 0
     password *
     login authentication no_tacacs
     transport input none
     flowcontrol hardware
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 60 0
     password *
     login authentication no_tacacs
     transport input telnet
     transport output telnet

    If I just add

    aaa authentication login vtymethod group tacacs+ enable
    radius-server host 10.50.60.70 key *
    line vty 0 4
     login authentication vtymethod

    my telnet request still goes to 10.20.30.40 and I am refused! Could you help me make a secure solution?

    Thank you

    Jens

    I think the solution would be to set up a different server group with the new server in the new group, and use the new group to authenticate your vty. The config might look like this:

    aaa group server tacacs+ vty_TAC
     server 10.50.60.70
    aaa authentication login vtymethod group vty_TAC enable
    radius-server host 10.50.60.70 key *

    I have set up this kind of thing and it worked fine. When I set it up I explicitly configured (and named) two different server groups and referenced the specific server groups for each authentication method. I am not sure whether it works to keep the default group tacacs+ and use it for your normal authentication, or whether you may need to configure a named group for that as well.

    Try it and tell us what is happening.

    HTH

    Rick

  • Strange behavior of the audio subsystem after updating Dev Alpha to 10.0.9.388

    Hello world!

    Has anyone noticed strange behavior of the audio subsystem with firmware 10.0.9.388? Recently, after the firmware update of the Dev Alpha to 10.0.9.388, the audio subsystem misbehaves in the following ways:

    (1) If external headphones/speakers are connected to the line-out, the audio looks to be preprocessed by a low-pass filter and a surround effect. The device reported by AudioManager is /dev/snd/pcmPreferredp. Would it be a bug in the firmware, and does re-routing audio from the internal speaker to the line-out socket not exclude the speaker-specific pre-processing?

    (2) On the previous firmwares, if audio was going out of the internal speaker and then a headset was connected to the line-out jack, the re-routing happened seamlessly and playback continued through the headphones without additional measures in the application. Now the audio device does not consume audio samples and so hangs until it is closed and reopened.

    On the previous firmwares there were no problems of this kind. Would it be worth a few unlucky firmware-flashing attempts (if that is still possible), or is it a bug of 10.0.9.388?

    It would be good to hear comments & thoughts about these questions.

    Best regards

    Dmitry.

    I suggest creating two Issue Tracker entries: https://www.blackberry.com/jira

  • Problems accessing a remote AAA server

    Hi all. I can ping and trace to this TACACS+ server, but I can't authenticate my telnet users. I configured local AAA fallback so that it tries the remote server several times and then falls back to the LOCAL database. I noticed the logs show TCP FINs, which indicates that I actually reach the remote server but the server sends a TCP FIN, or the server is simply not available, as indicated by the logs. Why would the server be unreachable if I can ping and trace to it?

    I also checked that the NOC extranet firewall accepted my traffic to the RADIUS server; they pulled the logs showing that my traffic was accepted.

    Feb 04 2011 13:04:12: %ASA-7-609001: Built local-host inside:AAA_SERVER
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24728 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24729 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24728 for inside:AAA_SERVER/49 to identity:17.2.2.2/39039 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
    Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
    Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-611102: User authentication failed: Uname: vzz19
    Feb 04 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24729 for inside:AAA_SERVER/49 to identity:17.2.2.2/33702 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-7-609002: Teardown local-host inside:AAA_SERVER duration 0:00:00

    Here is my AAA config:

    aaa-server MYGROUP protocol tacacs+
     max-failed-attempts 4
    aaa-server MYGROUP (inside) host AAA_SERVER
     timeout 3
    aaa authentication telnet console MYGROUP LOCAL
    aaa authentication enable console MYGROUP LOCAL
    aaa accounting command privilege 15 MYGROUP

    I can ping AND trace to the RADIUS server:

    ATLUSA01-FW01# ping AAA_SERVER
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to AAA_SERVER, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
    ATLUSA01-FW01# traceroute AAA_SERVER

    Type escape sequence to abort.
    Tracing the route to 151.162.239.239

     1  17.2.2.3  0 msec  0 msec  0 msec
     2  17.2.2.4  0 msec  0 msec  0 msec   - extranet firewall
     3  10.4.7.1  0 msec  0 msec  0 msec
     4  10.4.7.13  0 msec  0 msec  0 msec
     5  10.4.7.193  0 msec  0 msec  0 msec
     6  AAA_SERVER (10.5.5.5)  0 msec  10 msec  10 msec

    You'll certainly need the assistance of the AAA administrator; troubleshooting on the AAA client side shows only a fraction of what's going on.

    Ask him or her to do the following:

    Much easier, and the most important thing, is to check the 'failed attempts' log and see whether there is any entry at all for your ASA.

    If there is an entry, it should be self-explanatory, like "Unknown NAS" or "TACACS+ key mismatch"; being convinced of a good config and checking it are two different things.

    I have seen weird things like typing a key into an AAA server via remote desktop while the keyboard settings were inconsistent (English/German), resulting in swapped 'Y' and 'Z' letters; do not trust your config until you have checked it.

    If there is no entry at all, then it could be a device on the path which allows ping/traceroute but drops tcp/49, or a device which translates the address of the ASA (well, in that case you should see an "Unknown NAS" in the failed attempts).

    Do you have the possibility to connect a device, such as a laptop, inside the ASA's network? If so, try telnet to tcp/49 of the AAA server; you will see immediately whether tcp/49 is allowed (a blank screen immediately = connectivity, timeout = no connectivity).

    That's all you can do on your side; unfortunately the ASA isn't a telnet client.

    Rgds,

    MiKa
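As an added example (not part of the thread and not Cisco code), here is detection logic a defender would run over ASA syslog of the kind posted above: it picks out the server-unreachable, server-marked-FAILED, LOCAL-fallback and local-database-rejection messages, correlates fallback and rejection per user, and rates the event. The point worth alerting on is that every session authenticated during a fallback window is checked only against the local database and generates no TACACS+ command accounting. The sample lines are constructed in the format of the messages quoted in the question.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in the format of the ASA messages quoted above.
SAMPLE_LOG = """\
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
NOT_ACCESSIBLE_RE = re.compile(r"server not accessible : server = (?P<server>\S+) : user = (?P<user>\S+)")
FAILED_RE = re.compile(r"AAA Marking (?P<proto>\S+) server (?P<server>\S+) in aaa-server group (?P<group>\S+) as FAILED")
FALLBACK_RE = re.compile(r"Attempting AAA Fallback method LOCAL for \w+ request for user (?P<user>\S+)")
LOCAL_REJECT_RE = re.compile(r"Rejected : reason = (?P<reason>[^:]+) : local database : user = (?P<user>\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split timestamp, severity, message id and message text; None if not ASA syslog."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once and emit findings. A local-database rejection is only
    reported as a fallback rejection when that user previously fell back."""
    findings: List[Dict[str, str]] = []
    fell_back = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg, msg_id = rec["msg"], rec["id"]
        if msg_id == "113014" and (m := NOT_ACCESSIBLE_RE.search(msg)):
            findings.append({"type": "server_not_accessible", "ts": rec["ts"],
                             "server": m["server"], "user": m["user"]})
        elif msg_id == "113022" and (m := FAILED_RE.search(msg)):
            findings.append({"type": "aaa_server_failed", "ts": rec["ts"], "server": m["server"],
                             "group": m["group"], "proto": m["proto"]})
        elif msg_id == "409023" and (m := FALLBACK_RE.search(msg)):
            fell_back.add(m["user"])
            findings.append({"type": "local_fallback", "ts": rec["ts"], "user": m["user"]})
        elif msg_id == "113015" and (m := LOCAL_REJECT_RE.search(msg)):
            if m["user"] in fell_back:
                findings.append({"type": "local_fallback_rejected", "ts": rec["ts"],
                                 "user": m["user"], "reason": m["reason"].strip()})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per type, e.g. for a dashboard or ticket summary."""
    return dict(Counter(f["type"] for f in findings))


def severity(findings: List[Dict[str, str]]) -> str:
    """'critical' when a server is marked FAILED or a LOCAL fallback occurred:
    logins in that window bypass the central AAA server and its accounting."""
    types = {f["type"] for f in findings}
    if types & {"aaa_server_failed", "local_fallback"}:
        return "critical"
    if "server_not_accessible" in types:
        return "warning"
    return "info"


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    print(summarize(found), severity(found))
```

Feed it the output of `show logging` (or the syslog collector's file) instead of `SAMPLE_LOG`; on the lines quoted in the question it reports one server-not-accessible event per retry, the group marked FAILED, the fallback for vzz19, and that the local database then rejected that same user.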

  • Urgent issue: remote VPN users cannot reach DMZ server

    Hi all

    I have an ASA5510 firewall to which remote VPN client users can connect, but they cannot ping or access the DMZ server (192.168.3.5).

    They also can't ping the outside interface (192.168.2.10). Below is the show run, please help.

    ASA5510(config)# sh run
    : Saved
    :
    : Serial Number: JMX1243L2BE
    : Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1599 MHz
    :
    ASA Version 8.2(5)55
    !
    hostname Majed
    enable password UFWSxxKWdnx8am8f encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 192.168.2.10 255.255.255.0
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.1.10 255.255.255.0
    !
    interface Ethernet0/2
     nameif servers
     security-level 90
     ip address 192.168.3.10 255.255.255.0
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    boot system disk0:/asa825-55-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list acl_outside extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list acl_outside extended permit icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list acl_outside extended permit ip any any
    access-list acl_outside extended permit icmp any any
    access-list acl_inside extended permit ip host 192.168.1.150 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit icmp host 192.168.1.150 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit ip host 192.168.1.200 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit icmp host 192.168.1.200 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit ip host 192.168.1.13 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit icmp host 192.168.1.13 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit ip 192.168.1.0 255.255.255.0 host 192.168.3.5
    access-list acl_inside extended permit icmp 192.168.1.0 255.255.255.0 host 192.168.3.5
    access-list acl_inside extended deny ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list acl_inside extended deny icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit ip any any
    access-list acl_inside extended permit icmp any any
    access-list acl_server extended permit ip any any
    access-list acl_server extended permit icmp any any
    access-list Local_LAN_Access standard permit 10.0.0.0 255.0.0.0
    access-list Local_LAN_Access standard permit 172.16.0.0 255.240.0.0
    access-list Local_LAN_Access standard permit 192.168.0.0 255.255.0.0
    access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list acl_servers extended permit ip any any
    access-list acl_servers extended permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    ip local pool vpnpool 192.168.5.1-192.168.5.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (servers) 1 interface
    nat (inside) 0 access-list nat0
    nat (inside) 1 192.168.1.4 255.255.255.255
    nat (inside) 1 192.168.1.9 255.255.255.255
    nat (inside) 1 192.168.1.27 255.255.255.255
    nat (inside) 1 192.168.1.56 255.255.255.255
    nat (inside) 1 192.168.1.150 255.255.255.255
    nat (inside) 1 192.168.1.200 255.255.255.255
    nat (inside) 1 192.168.2.5 255.255.255.255
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 192.168.1.96 192.168.1.96
    nat (servers) 0 access-list nat0
    nat (servers) 1 192.168.3.5 255.255.255.255
    static (inside,servers) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    static (servers,inside) 192.168.3.5 192.168.3.5 netmask 255.255.255.255
    access-group acl_outside in interface outside
    access-group acl_servers in interface servers
    route outside 0.0.0.0 0.0.0.0 192.168.2.15 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.3.5 255.255.255.255 servers
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 10 set reverse-route
    crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.3.0 255.255.255.0 servers
    telnet 192.168.38.0 255.255.255.0 servers
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpn internal
    group-policy vpn attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Local_LAN_Access
     nem enable
    username qaedah password Ipsf4W9G6cGueuSu encrypted
    username moneef password FLlCyoJakDnWMxSQ encrypted
    username chayma password X7ESmrqNBIo5eQO9 encrypted
    username sanaa2 password zHa8FdVVTkIgfomY encrypted
    username sanaa password x5fVXsDxboIhq68A encrypted
    username sanaa1 password x5fVXsDxboIhq68A encrypted
    username bajel password DygNLmMkXoZQ3.DX encrypted privilege 15
    username daris password BgGTY7d1Rfi8P2zH encrypted
    username taiz password Ip3HNgc.pYhYGaQT encrypted
    username damt password gz1OUfAq9Ro2NJoR encrypted privilege 15
    username aden password MDmCEhcRe64OxrQv encrypted
    username hodaidah password IYcjP/rqPitKHgyc encrypted
    username yareem password ctC9wXl2EwdhH2XY encrypted
    username AMMD password ZwYsE3.Hs2/vAChB encrypted
    username haja password Q25wF61GjmyJRkjS encrypted
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    username ibbmr password CNnADp0CvQzcjBY5 encrypted
    username IBBR password oJNIDNCT0fBV3OSi encrypted
    username ibbr password 2Mx3uA4acAbE8UOp encrypted
    username ibbr1 password wiq4lRSHUb3geBaN encrypted
    username TORBA password C0eUqr.qWxsD5WNj encrypted
    username shibam password xJaTjWRZyXM34ou. encrypted
    username ibbreef password 2Mx3uA4acAbE8UOp encrypted
    username torbah password r3IGnotSy1cddNer encrypted
    username thamar password 1JatoqUxf3q9ivcu encrypted
    username dhamar password pJdo55.oSunKSvIO encrypted
    username main password jsQQRH/5GU772TkF encrypted
    username main1 password ef7y88xzPo6o9m1E encrypted
    username Moussa password OYXnAYHuV80bB0TH encrypted
    username majed password 7I3uhzgJNvIwi2qS encrypted
    username lahj password qOAZDON5RwD6GbnI encrypted
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
     address-pool vpnpool
     default-group-policy vpn
    tunnel-group vpn ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !

    Hello brother Mohammed.

    "Can my ASA 5510 work as a VPN server and a VPN client at the same time?"

    Yes, it can work as a client and a server at the same time.

    I have never seen anyone do it, but from my understanding I see no reason why it would not work, since the two configurations (client/server) are independent of each other.

    Does your ASA, acting as the server, use the "DefaultL2LGroup", or does it use a standard group policy and tunnel-group mapped to the remote client ASAs?

    Thank you

  • Remote access to the network when AAA server is out of service help

    Hi all, I have a Cisco ASA 5510. I configured Cisco AnyConnect to authenticate via Windows IAS. We recently had a server crash, and I tried to connect remotely via AnyConnect and couldn't. Once the IAS server came back up, I could get back into the network.

    Is there a command I'm missing that would allow me to connect to the network via AnyConnect even if my AAA server is down?

    Here is the AAA part of my config...

    aaa-server WindowsIAS protocol radius
     max-failed-attempts 5
    aaa-server WindowsIAS (inside) host 192.168.2.15
     key xxxxxxxxxx
     radius-common-pw xxxxxxxxxx

    Thanks in advance... Dan

    Dan,

    Try adding the LOCAL keyword to the authentication-server-group statement in your tunnel-group or group policy.

    http://www.Cisco.com/en/us/docs/security/ASA/asa90/command/reference/A3...

    Thank you

    Sent from Cisco Technical Support iPad App
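The check behind that advice, as an added example that is not code from the thread or from Cisco: a small Python audit that parses the relevant parts of an ASA running-config, reports remote-access tunnel-groups whose RADIUS authentication has no LOCAL fallback, and emits the corrected lines. The aaa-server block mirrors the one posted above; the tunnel-group names, the local user and its password hash are constructed for illustration.

```python
"""Audit an ASA config for RADIUS-only remote-access authentication (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the aaa-server block mirrors the post; the tunnel-groups
# and the break-glass local user are assumed for illustration.
SAMPLE_CONFIG = """\
aaa-server WindowsIAS protocol radius
 max-failed-attempts 5
aaa-server WindowsIAS (inside) host 192.168.2.15
 key xxxxxxxxxx
 radius-common-pw xxxxxxxxxx
username breakglass password 0123456789abcdef encrypted privilege 15
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
 address-pool vpnpool
 authentication-server-group WindowsIAS
 default-group-policy anyconnect
tunnel-group admins type remote-access
tunnel-group admins general-attributes
 authentication-server-group (outside) WindowsIAS LOCAL
"""

AAA_GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
AAA_HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
TG_GENERAL_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
# optional "(interface)", then the server group, then an optional LOCAL fallback
AUTH_SG_RE = re.compile(r"^ authentication-server-group(?: \(\S+\))? (\S+)( LOCAL)?$")
USERNAME_RE = re.compile(r"^username (\S+) ")


@dataclass
class AsaConfig:
    aaa_groups: dict = field(default_factory=dict)   # group name -> protocol
    aaa_hosts: dict = field(default_factory=dict)    # group name -> [host ip, ...]
    tunnel_auth: dict = field(default_factory=dict)  # tunnel-group -> (server group, has LOCAL)
    local_users: list = field(default_factory=list)


def parse_config(text):
    """Pull out the pieces that decide what happens when the RADIUS server is down."""
    cfg = AsaConfig()
    current_tg = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.startswith(" "):
            current_tg = None  # any top-level command ends a general-attributes section
        if m := AAA_GROUP_RE.match(line):
            cfg.aaa_groups[m.group(1)] = m.group(2)
        elif m := AAA_HOST_RE.match(line):
            cfg.aaa_hosts.setdefault(m.group(1), []).append(m.group(3))
        elif m := USERNAME_RE.match(line):
            cfg.local_users.append(m.group(1))
        elif m := TG_GENERAL_RE.match(line):
            current_tg = m.group(1)
        elif current_tg and (m := AUTH_SG_RE.match(line)):
            cfg.tunnel_auth[current_tg] = (m.group(1), m.group(2) is not None)
    return cfg


def audit(cfg):
    """Return (tunnel-group, finding) pairs. Tunnel-groups without an
    authentication-server-group line use LOCAL by default and are not reported."""
    findings = []
    for tg, (server_group, has_local) in sorted(cfg.tunnel_auth.items()):
        if server_group == "LOCAL":
            continue
        if server_group not in cfg.aaa_groups:
            findings.append((tg, f"references undefined aaa-server group {server_group}"))
        elif not has_local:
            hosts = cfg.aaa_hosts.get(server_group, [])
            findings.append((tg, f"no LOCAL fallback: logons fail while all {len(hosts)} "
                                 f"host(s) in {server_group} are marked down"))
        elif not cfg.local_users:
            findings.append((tg, "LOCAL fallback configured but no local username exists"))
    return findings


def add_local_fallback(text):
    """Return the config with ' LOCAL' appended to every RADIUS-only
    authentication-server-group line under tunnel-group general-attributes."""
    out, in_general = [], False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_general = TG_GENERAL_RE.match(line) is not None
        m = AUTH_SG_RE.match(line) if in_general else None
        if m and m.group(1) != "LOCAL" and m.group(2) is None:
            line += " LOCAL"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for tg, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"tunnel-group {tg}: {msg}")
    print(add_local_fallback(SAMPLE_CONFIG))
```

Two caveats the audit encodes: the LOCAL fallback only engages once every host in the aaa-server group has been marked failed (after max-failed-attempts misses), not when the RADIUS server answers with a reject, and it only helps if a local username actually exists, so that break-glass account needs the same care as any other privileged local credential.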

  • Bar chart stacked - strange behavior on display null values

    Hi all

    I'm trying to graph a count of activity end dates over several years, by month, grouped by project.

    The problem I have is that there is a gap of 3 months in which none of the activities I am tracking complete. The default for the stacked bar chart is to skip the columns with no data (in my case October-December 2015).

    To show these empty months I went to the chart properties and ticked the "Include Null Values" box. At this point I get very strange behavior. Once this option is selected, the legend explodes, showing every project in the database regardless of whether it meets the criteria of my analysis.

    Has anyone else seen this happen? Am I doing something wrong?

    If it matters, I'm on OBIEE 11.1.1.7.150120

    Thank you for your help,

    Kevin Wolfe


    Hello

    Do you have a filter on the list of projects you want to see?

    Based on the way you describe your analysis, I guess you don't have any filter on the list of projects, but some filters on other dimensions/attributes, and those filters were limiting the list of projects.

    If that is the case, then what you see is not weird behavior but exactly what you asked your analysis for.

    "Include null values" is not limited to the time dimension; it applies to every dimension of your analysis, so no filter on projects = all projects.
