ISE 1.3 -> ASA SSH and AnyConnect attribute

Hello

I created a compound condition to match the AnyConnect client and allow access where needed, but the problem is that if the user does not match the AnyConnect group and does match the SSH group (a user group only for SSH to the ASA), he gets authenticated to AnyConnect and goes to the default tunnel group.

AnyConnect condition: Device Type, NAS-Port-Type = Virtual and Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type = AnyConnect client

SSH condition: Device Type, NAS-Port-Type = Virtual

Basically, if the user does not match the AnyConnect condition, he can still VPN in through the SSH condition.

Thank you

Khaled

There are several ways you can do this. Probably the cleanest is to use different policy sets: one for VPN access and one for the administration of the device.

But to keep things simple, you can use the same attribute "Cisco-VPN3000..." in your SSH condition, but instead of '=' you can use 'Different'. In this way, if the SSH session sees the AnyConnect client, then the condition will not be matched.

Thank you for rating useful posts!

Tags: Cisco Security
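
Added example (not part of the original posts, and not ISE code): a small Python model of first-match authorization rules, showing why the SSH-only user is accepted over AnyConnect and how the negated Client-Type condition from the reply closes that path. The group names, the Client-Type value string, and the treatment of a missing attribute as "not equal" are assumptions.

```python
# Added illustration: a first-match authorization policy modelled in Python.
# Not ISE code. Group names and the Client-Type value are constructed.

CLIENT_TYPE = "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type"
ANYCONNECT = "AnyConnect-Client"  # constructed stand-in for the AnyConnect value


def equals(attr, value):
    return lambda req: req.get(attr) == value


def not_equals(attr, value):
    # Assumption: a request that does not carry the attribute counts as "not equal".
    return lambda req: req.get(attr) != value


def member_of(group):
    return lambda req: group in req["groups"]


def build_rules(ssh_rule_excludes_anyconnect):
    """Return the ordered rule list as (name, conditions, result) tuples."""
    ssh_conditions = [equals("NAS-Port-Type", "Virtual"), member_of("ASA-SSH-Admins")]
    if ssh_rule_excludes_anyconnect:
        # The change suggested in the reply: same attribute, negated operator.
        ssh_conditions.append(not_equals(CLIENT_TYPE, ANYCONNECT))
    return [
        ("AnyConnect",
         [equals("NAS-Port-Type", "Virtual"),
          equals(CLIENT_TYPE, ANYCONNECT),
          member_of("VPN-Users")],
         "Access-Accept"),
        ("SSH", ssh_conditions, "Access-Accept"),
    ]


def authorize(rules, request):
    """First rule whose conditions all hold wins; otherwise the default rejects."""
    for name, conditions, result in rules:
        if all(cond(request) for cond in conditions):
            return name, result
    return "Default", "Access-Reject"


# Constructed RADIUS requests, one per session type discussed in the thread.
REQUESTS = {
    "vpn user via AnyConnect": {
        "NAS-Port-Type": "Virtual", CLIENT_TYPE: ANYCONNECT, "groups": {"VPN-Users"}},
    "ssh-only admin via AnyConnect": {
        "NAS-Port-Type": "Virtual", CLIENT_TYPE: ANYCONNECT, "groups": {"ASA-SSH-Admins"}},
    "ssh-only admin via SSH": {
        "NAS-Port-Type": "Virtual", "groups": {"ASA-SSH-Admins"}},
}


def evaluate(ssh_rule_excludes_anyconnect):
    """Run every constructed request through the policy and return the outcomes."""
    rules = build_rules(ssh_rule_excludes_anyconnect)
    return {label: authorize(rules, req) for label, req in REQUESTS.items()}


if __name__ == "__main__":
    for fixed in (False, True):
        print("SSH rule excludes AnyConnect:", fixed)
        for label, (rule, result) in evaluate(fixed).items():
            print(f"  {label:32} -> {rule:10} {result}")
```

With the original SSH rule, the SSH-only admin connecting over AnyConnect falls through to the SSH rule and receives an Access-Accept, which the ASA treats as a successful VPN login; with the negated condition the same request reaches the default rule.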

Similar Questions

  • AnyConnect ASA laptop and iPad AnyConnect

    Hello

    I was wondering if there is a way to have the iPad AnyConnect SSL VPN client and the standard AnyConnect client connect to the same IP address on the external interface of the ASA and have the ASA determine if the system is an iPad or a normal laptop.  So, for example, if I had SSL VPN configured on the ASA with an IP address of https://5.5.5.5, both iPad users and laptop users would connect to the ASA outside interface using this single IP address.  Once authenticated, the ASA would be able to determine that the user is using an iPad and limit them or place them in an area of the network, and if the user is on a laptop using the normal AnyConnect client, pass them through the sales we have on our network and normal NAC security controls.

    So basically I want the iPad and the laptop to use one IP only on the ASA, but depending on the device direct them to different areas of the network, as we are unable to install anti-virus software and whatnot on the iPad and want to direct them to an area where they can't do as much damage if they have been compromised.

    Thank you

    Hi, you can use DAP in this case to check which client you are coming from and apply different policies depending on the client that connects.

    For example, you can apply a policy to all OSs (mostly laptops), and if they fall into the notebook computer category you can give them a different policy.

    Also, the presence of anti-virus software can be detected by policies with SSL VPN.

    http://www.Cisco.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml#T2

    Let me know if it helps.

  • ASA 5545 and Anyconnect Licenses

    Currently, we use several Cisco ASA 5545 devices.  Initially, we learned that we were automatically allowed to use the AnyConnect Secure Mobility Client with our ASA devices.   With recent security issues, we are trying to move to a solution that supports TLS 1.2, and it seems that AnyConnect Mobility Client 4.0 will do exactly that.   My question is, does the automatic authorization supplied with the ASA 5545 unit include AnyConnect Client 4.0?   After an exhaustive search, I am still unable to find this information.   Also, is there an official document detailing exactly what licenses are part of the 5545 device, with respect to other Cisco software solutions?

    Thank you

    David

    All * ASAs include two AnyConnect Premium licenses "free." This is designed primarily for evaluation, as most businesses need more than two simultaneous remote access users. However, if that's all you need, it is free and fully functional. It was designed around the AnyConnect Secure Mobility Client 3.x and earlier offering.

    From 4.0, there is a new license model for AnyConnect. It is explained in the AnyConnect Ordering Guide. While it is not currently enforced by technical means, use of AnyConnect 4.0 requires having a license to do so.

    For some additional supporting documents as you initially requested, see also "Feature Licenses" in the ASA Configuration Guide.

    * Some models do not support remote access VPN and either do not have the feature available or cannot use the license - for example the ASA 1000v and an ASA working in multiple context mode.

  • Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

    I'm trying to implement a site-to-site VPN between our data center and office.  The data center has a Cisco ASA 5505 and the office has a Sonicwall TZ170.  I managed to configure the two so that the VPN connects.  From each firewall I can ping the internet IP address of the firewall on the other side, and from an office computer I can ping the internal IP address of the datacenter firewall, but I can't pass traffic between the private datacenter and office subnets.  Can anyone help?

    The config below has had IPs/passwords changed.

    External Datacenter: 1.1.1.4

    External office: 1.1.1.1

    Internal data center: 10.5.0.1/24

    Internal office: 10.10.0.1/24

    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname datacenterfirewall
    domain-name mydomain.tld
    enable password encrypted
    passwd encrypted
    names
    name 10.10.0.0 OfficeNetwork
    name 10.5.0.0 DatacenterNetwork
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.5.0.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 1.1.1.4 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
     domain-name buydomains.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit tcp any any
    access-list inside_access_in extended permit udp any any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list pixtosw extended permit ip DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    access-list pixtosw extended permit icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    access-list pixtosw extended permit ip OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    access-list pixtosw extended permit icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    access-list outside_cryptomap_66.1 extended permit ip any OfficeNetwork 255.255.255.0
    access-list outside_cryptomap_66.1 extended permit ip OfficeNetwork 255.255.255.0 any
    access-list outside_cryptomap_66.1 extended permit icmp any OfficeNetwork 255.255.255.0
    access-list outside_cryptomap_66.1 extended permit icmp OfficeNetwork 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-623.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
    route outside OfficeNetwork 255.255.255.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.5.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set walthamoffice esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map ciscopix 1 match address outside_cryptomap_66.1
    crypto dynamic-map ciscopix 1 set transform-set walthamoffice
    crypto dynamic-map ciscopix 1 set reverse-route
    crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix
    crypto map dynmaptosw interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 13
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 10.5.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.5.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 10.5.0.2-10.5.0.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 66.250.45.2 source outside
    ntp server 72.18.205.157 source outside
    ntp server 208.53.158.34 source outside
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-idle-timeout none
    username admin password encrypted
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     pre-shared-key *
    !
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    !
    prompt hostname context
    Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
    : end

    Mattew, the obvious missing statement is the NAT exemption rule for your tunnel. Your access list pixtosw is similar to the one in this example. I assume that you have gone through this link; if not, see the configs for both sides.

    Add the NAT exemption rule statement on the ASA and try again.

    nat (inside) 0 access-list pixtosw

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

    Regards

  • How to support IDS in ASA 5505 and 5520?

    Dear All;

    We have the following HW configuration for the ASA 5505 and ASA 5520, and we are adding Intrusion Detection System (IDS) functionality to the two ASAs. My question is: what modules are required to support this function, and what is the difference between IPS and IDS; does the same module provide both features?

    Part number | Description | Qty
    ASA5505-BUN-K9 | ASA 5505 appliance with SW, 10 users, 8 ports, 3DES/AES | 1
    CON-SNT-AS5BUNK9 | SMARTNET 8X5XNBD ASA5505-BUN-K9 | 1
    SF-ASA5505-8.2-K8 | ASA 5505 Series Software v8.2 | 1
    CAB-AC-C5 | Power supply cord Type C5 U.S. | 1
    ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 1
    ASA5505-PWR-AC | ASA 5505 power adapter | 1
    ASA5505-SW-10 | ASA 5505 10 user software license | 1
    SSC-BLANK | ASA 5505 SSC blank slot cover | 1
    ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Security Desktop software | 1

    Part number | Description | Qty
    ASA5520-BUN-K9 | ASA 5520 appliance with SW, HA, 4GE + 1FE, 3DES/AES | 2
    CON-SNT-AS2BUNK9 | SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs, 4GE + 1FE, 3DES/AES | 2
    ASA5520-VPN-PL | ASA 5520 VPN Plus 750 IPsec User License (7.0 only) | 2
    ASA-VPN-CLNT-K9 | Cisco VPN Client software (Windows, Solaris, Linux, Mac) | 2
    SF-ASA-8.2-K8 | ASA 5500 Series Software v8.2 | 2
    CAB-ACU | Power supply cord (UK), C13, BS 1363, 2.5 m | 2
    ASA-180W-PWR-AC | ASA 180W power supply | 2
    ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 2
    ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Security Desktop software | 2
    SSM-BLANK | ASA/IPS SSM slot cover | 2

    Thanks in advance.

    Rashed Ward.

    Okay, I was not quite correct in my first post.

    These modules are modules only available for the corresponding ASA models.

    They can all act as IPS (inline mode) or IDS ("promiscuous" mode), depending on how you configure your policies.

    When acting as IPS, the ASA redirects all traffic through the module, so all the traffic is inspected and can be dropped inline if a signature is triggered.

    When acting as IDS, the ASA sends a copy of the traffic to the module for inspection, but the actual traffic is not affected by the module, as it's not inline in this case.

    In addition, these modules can do both in combination. That is, part of the traffic can be inspected "inline", while some other (more sensitive) traffic can be inspected in promiscuous mode.

    To better understand, familiarize yourself with this link:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/modules_ips.html

  • ASA 1000V and ASA 5500

    I hope someone can help me to answer this question:

    Currently, we have redundant FWSMs and are considering a migration to standalone ASA 5500 series firewalls. However, we have a complete VMware environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.

    Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a single firewall solution, or is the ASA 5500 still necessary?

    Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?

    Thanks for your help.

    -Joe

    It depends on what you are using the ASA5500 series for now. If you use the ASA5500 for remote access VPN and AnyConnect VPN, that is not supported on the first version of the ASA1000V yet.

    Here's the Q&A on the ASA1000V, which includes more information:

    http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html

    Hope that answers your question.

  • SSH and SMB services no longer start

    Dear community,

    After installing the Log Analyzer add-on, my RN10200 started having problems: I was no longer able to see the shares via Samba. I tried to connect via SSH to see what the problem is, but SSH no longer works either. Since the web admin panel still works, I tried to enable SMB and SSH in the panel, but the indicator briefly turns green and then gray again. I also tried to uninstall the add-on, but now get a package manager error. I then tried to reinstall the operating system using the boot option, but that did not help either.

    I removed the hard disks from the unit and mounted them read-only to see what is wrong. There, I found some permissions set wrong on the system partition:

    /mnt/systemOld # ls -la
    total 124
    drwxr-xr-x 26 root  root   4096 May 19 21:03 .
    drwxr-xr-x  4 root  root   4096 May 24 07:04 ..
    drwxr-xr-x  2 root  root   4096 May  5  2015 apps
    drwxr-xr-x  2 root  root   4096 May 19 19:51 bin
    drwxr-xr-x  2 root  root   4096 Jun 17  2012 boot
    drwxrwxrwt  2 root  root   4096 May  5  2015 data
    drwxr-xr-x  4 root  root   4096 May 19 19:51 dev
    drwxr-xr-x 79 root  root   4096 May 19 21:32 etc
    drwxr-xr-x  6 guest guest  4096 May 19 19:51 frontview
    drwxr-xr-x  2 root  root   4096 Jun 17  2012 home
    lrwxrwxrwx  1 guest guest     5 Jul 18  2015 homes -> /home
    drwxr-xr-x 14 guest guest  4096 May 19 19:51 lib
    drwxrwxrwx  2 guest guest 16384 May  5  2015 lost+found
    drwxr-xr-x  2 root  root   4096 Nov 18  2012 media
    drwxr-xr-x  3 root  root   4096 Jun 17  2012 mnt
    drwxr-xr-x  9 root  root   4096 Nov 26 10:59 opt
    drwxr-xr-x  2 root  root   4096 Jun 17  2012 proc
    -rwxrwxrwx  1 guest guest  1024 May  5  2015 .rnd
    drwx------  5 root  root   4096 May 19 19:51 root
    drwxr-xr-x  3 guest guest  4096 May 19 17:52 rsyslog
    drwxr-xr-x  2 root  root   4096 Aug 18  2015 run
    drwxr-xr-x  2 guest guest  4096 May 19 19:51 sbin
    drwxr-xr-x  2 root  root   4096 Jun 10  2012 selinux
    drwxr-xr-x  2 guest guest  4096 Nov 18  2012 srv
    drwxr-xr-x  2 root  root   4096 Feb  8  2013 sys
    drwxrwxrwt  7 guest guest  4096 May 19 21:32 tmp
    -rwxrwxrwx  1 guest guest    33 May 19 17:48 .update_fail
    drwxr-xr-x 10 root  root   4096 Nov 26 10:59 usr
    drwxr-xr-x 18 root  root   4096 May 19 19:51 var

    Instead of:

    ls -la /
    total 120
    drwxr-xr-x  26 root  root   4096 May 23 07:40 .
    drwxr-xr-x  26 root  root   4096 May 23 07:40 ..
    drwxrwxrwx   1 root  root    116 May 23 20:45 apps
    drwxr-xr-x   2 root  root   4096 May 23 07:39 bin
    drwxr-xr-x   2 root  root   4096 Jun 17  2012 boot
    drwxr-xr-x   1 root  root    250 May 22 10:36 data
    drwxr-xr-x  13 root  root   3480 May 23 20:53 dev
    drwxr-xr-x  79 root  root   4096 May 23 20:46 etc
    drwxr-xr-x   6 root  root   4096 May 23 07:39 frontview
    drwxr-xr-x   1 admin admin     0 May 19 22:17 home
    drwxr-xr-x  14 root  root   4096 May 23 07:39 lib
    drwx------   2 root  root  16384 May 19 22:17 lost+found
    drwxr-xr-x   2 root  root   4096 May 19 22:49 md124
    drwxr-xr-x   4 root  root     80 May 23 20:53 media
    drwxr-xr-x   4 root  root   4096 May 24 07:04 mnt
    drwxr-xr-x   9 root  root   4096 May 13 16:48 opt
    dr-xr-xr-x 188 root  root      0 Jan  1  1970 proc
    -rw-------   1 root  root   1024 May 19 22:17 .rnd
    drwx------   3 root  root   4096 May 23 07:39 root
    drwxrwxr-x  26 root  admin   820 May 23 20:53 run
    drwxr-xr-x   2 root  root   4096 May 23 07:39 sbin
    drwxr-xr-x   2 root  root   4096 Jun 10  2012 selinux
    drwxr-xr-x   2 root  root   4096 Nov 18  2012 srv
    dr-xr-xr-x  11 root  root      0 May 24 07:05 sys
    drwxrwxrwt   7 root  root   4096 May 24 07:17 tmp
    -rw-r--r--   1 root  root      0 May 23 07:38 .update_success
    drwxr-xr-x  10 root  root   4096 May 13 16:48 usr
    drwxr-xr-x  17 root  root   4096 May 23 07:39 var

    Could this be the cause of the problem? Any other ideas on how to get the SSH and SMB services working again, or how to get more diagnostic information?

    I have a backup of everything, so a complete reset would be an option. However, I would like to understand the problem and solve it rather by using telnet, as it seems to be a simple problem? Would it be enough to reset the permissions? What else could be causing this behavior?

    Thanks for the tips

    Best

    Steffen

    You will have to go folder by folder, look at all the files it complains about, and chown them back to root instead of guest. It takes long, but eventually you can get everything back.

  • Did you come out ssh and now cannot use ssh - this had to happen one day

    Pro2 OS6 v 6.4.0

    SSH

    I logged in ssh [email protected]

    No files were open, but before I "exit" the session that the unit did a stop/delayed. I had completely lost track of time.

    Now, I can't ssh in. I've disabled ssh, rebooted, enabled ssh and tried again.

    It just times out without asking for my password.

    Is there a solution other than an OS reset or a factory re-install?

    Thank you very much

    David

    I don't know if anybody looked at it, but it came good again after a few days.

    I have no idea why it decided to ask for a password... but it works.

    David

  • Native SSH and SFTP in LabVIEW

    At the risk of re-opening a Pandora's box, is there any consideration of adding native SSH and SFTP support to LabVIEW?

    Using PuTTY/plink is heavy and not multiplatform.

    Calling an external .NET (or other) assembly is heavy and not multiplatform.

    Labwerx SSH has a terrible license model (not to mention the extra cost).

    It is the year 2015, and SSH/SFTP is ubiquitous and is not going away. These protocols must be present natively in LabVIEW.

    I saw this idea on the Exchange (http://forums.ni.com/t5/LabVIEW-Idea-Exchange/Native-SSH-and-SFTP-Support/idi-p/1141529), but there has been no movement in 5 years. I'd like to hear from NI here, even in the negative. If LabVIEW is not going to support SSH any time soon, it would be better to know now.

    I doubt that this is likely to happen any time soon - the LabSSH Toolbox is fairly reasonably priced when compared to how long it would take to implement the feature yourself, and there is nothing preventing you from implementing it yourself using the TCP/IP functions located in LabVIEW. Of course, you can use the command line with something like WinSCP / PuTTY as well.

    I also found a wrapper that someone had done for an Open Source .NET SSH library called in-depth

    I downloaded a copy from this thread: http://forums.ni.com/t5/LabVIEW/Plink-PuTTY-works-30-of-the-time-using-System-Exec-vi/td-p/3002261

    There is also an alternative implementation of wrapper here: https://decibel.ni.com/content/docs/DOC-41388

  • Remote desktops sharing desktop files and attributes

    I use my XP remote desktop to connect to three Win 2003 servers, DW1, DW2 and DW3. Because they all have quite similar content it can become a bit confusing, so I thought I would use a different color for each desktop. But then I found that when I opened them again, they all had the same desktop color as the last one that I had changed. Then I noticed that the names of the computers changed in Solution Explorer, for example DW1 was now called DW2 etc. (but the remote window always showed DW1). So I thought I would put a text file on the desktop of each, titled "It's DW1.txt", "It's DW2.txt" etc. But then the text files started appearing on the wrong machines, for example DW1 now had a text file "It's DW1" as well as a text file "It's DW2", and DW2 had only a file called "It's DW1". I tried to connect to the machines using IP addresses instead of names, but they still do the same thing. It's as if all three machines somehow share desktop files and attributes. Any idea what is going wrong?

    Bob

    Hello Bob K Niagara Falls,

    Please ask your question in the Remote Desktop Services forum in TechNet as they manage all the server related issues.

    See you soon

  • How to use Ssh and Https for PC8164 PC5524

    Hello!

    How to use SSH and Https to connect to PC8164 and PC5524?

    Kind regards!

    For SSH configuration, look at page 1651 of the User Guide.

    console(config)#crypto key generate rsa

    RSA key generation started, this may take a few minutes...

    RSA key generation complete.

    console(config)#crypto key generate dsa

    DSA key generation started, this may take a few minutes...

    DSA key generation complete.

    console(config)#ip ssh server

    For the HTTPS commands, look at pages 255 and 1770-1778 of the CLI Guide.

    console(config)#crypto certificate 1 generate

    console(config-crypto-cert)#key-generate

    console(config-crypto-cert)#exit

    console(config)#ip http secure-certificate 1

    console(config)#ip http secure-server

  • LAN to Lan tunnel between ASA 5505 and 3030.

    I am unable to build a site-to-site VPN tunnel between an ASA 5505 and our Cisco 3030.  I tried all possible combinations except the one that will work.  I am able to ping each peer from the other site.  Does anyone have a working config for a LAN-to-LAN tunnel between a 5505 and a 3030?  Thank you

    Hello

    Please visit this link for the config:

    http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce...

    Kind regards

    Aditya

    Please rate useful posts.

  • Enable SSH and disable Telnet

    I am trying to activate SSH on a 3560G switch so I can disable Telnet.

    Some referred to a "sh ssh" to see if I have SSH on the switch. It does not show. I also have "transport input ssh" and ssh is not a valid input method.

    I've decided to update the IOS on the switch. I am now at 12.2(52)SE.

    But I cannot configure SSH. I get the same results as mentioned above.

    Since it is the latest version of IOS, can I not assume that it contains SSH? Or do I need to download another version of IOS that specifically has SSH in it?

    Thanks for your help

    There are two versions of the Catalyst switch images (K9/SSH and non-SSH). If you do a "show version" it displays the version of IOS running on the switch. If you run a non-SSH version, you must upgrade to an SSH (K9) image.

    Regards

    Farrukh

  • Log each ASA connection and router

    Hello

    I have a Cisco ASA 5520 and a Cisco 3825 router in my network. I want to log every connection to these devices. There are a few users who have different levels of access to these devices in the network. I would like to log all these users and what they actually change and implement on the devices. Is this possible using a RADIUS server or any other method, please? I also have read/write access to these devices. Thank you very much

    You can do it too.

    You can use auth-proxy (router) or cut-through proxy (ASA) to have the user authenticate for the connections and do AAA accounting. But I don't think you need to do this for all connections, only for those that require user intervention.

    Let us know if that answers the question.

    PK

  • Issue of ASA 5540 and secure desktop Configuration

    Hey guys, I have installed and tested AnyConnect VPN and Cisco Secure Desktop successfully.

    Here's my question: is it possible to set up two groups of VPN users, one using Secure Desktop and one that does not? Example of the groups below:

    Group 1: Corporate computers laptops that are not standard AnyConnect VPN Secure Desktop client.

    Group 2: Contractor and personal computers that cannot use the Cisco Secure Desktop via AnyConnect VPN.

    Thanks for your help guys!

    It is now possible as of 8.2.1. You can disable CSD on a per connection profile basis, if you use Group URL.
