ISE 1.3 -> ASA SSH and AnyConnect attribute
Hello
I created a condition to match the AnyConnect client and allow it if necessary, but the problem is that if the user does not match the AnyConnect group but matches the SSH group (a user group only for SSH to the ASA), he gets authenticated to AnyConnect and goes to the default tunnel group.
AnyConnect condition: Device Type, NAS-Port-Type = Virtual and Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type = AnyConnect client
SSH condition: Device Type, NAS-Port-Type = Virtual
Basically, if the user does not match the AnyConnect condition, he can still VPN in through the SSH condition.
Thank you
Khaled
There are several ways you can do this. Probably the cleanest is to use different policy sets: one for VPN access and one for the administration of the unit.
But to keep things simple, you can use the same attribute "Cisco VPN3000..." in your SSH condition, but instead of "=" you can use "Not Equals". This way, if the SSH session sees the AnyConnect client, the condition will not be matched.
Thank you for rating useful posts!
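Added example (not part of the original thread and not Cisco code): a simplified first-match model of the two authorization rules, showing why the SSH condition also matches an AnyConnect session and how the negated client-type check from the answer closes the overlap. Rule names, group names, the deny fall-through and the AnyConnect value string are constructed assumptions.

```python
# Added illustration: a simplified first-match model, not Cisco ISE code.
# Rule names, group names and the AnyConnect value string are constructed.
NAS_PORT_TYPE = "NAS-Port-Type"
CLIENT_TYPE = "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type"
ANYCONNECT = "AnyConnect-Client"  # constructed stand-in for the real value

OPS = {
    "equals": lambda actual, expected: actual == expected,
    # An attribute absent from the request (plain SSH) also counts as not equal.
    "not_equals": lambda actual, expected: actual != expected,
}


def rule_matches(rule, request):
    """A rule matches when the user's group and every condition match."""
    if request["group"] not in rule["groups"]:
        return False
    return all(OPS[op](request["attrs"].get(attr), expected)
               for attr, op, expected in rule["conditions"])


def authorize(policy, request):
    """First matching rule wins; no match falls through to a deny (assumed)."""
    for rule in policy:
        if rule_matches(rule, request):
            return rule["name"], rule["result"]
    return "Default", "DenyAccess"


def vpn_rule():
    return {"name": "AnyConnect-VPN", "groups": {"vpn-users"},
            "result": "PermitAccess",
            "conditions": [(NAS_PORT_TYPE, "equals", "Virtual"),
                           (CLIENT_TYPE, "equals", ANYCONNECT)]}


def ssh_rule(exclude_anyconnect):
    conditions = [(NAS_PORT_TYPE, "equals", "Virtual")]
    if exclude_anyconnect:
        # The change suggested in the answer: same attribute, negated operator.
        conditions.append((CLIENT_TYPE, "not_equals", ANYCONNECT))
    return {"name": "ASA-SSH-Admin", "groups": {"asa-admins"},
            "result": "PermitAccess", "conditions": conditions}


ORIGINAL = [vpn_rule(), ssh_rule(exclude_anyconnect=False)]
FIXED = [vpn_rule(), ssh_rule(exclude_anyconnect=True)]

# Constructed sample requests: both AnyConnect and SSH arrive as "Virtual".
REQUESTS = {
    "vpn user via AnyConnect": {
        "group": "vpn-users",
        "attrs": {NAS_PORT_TYPE: "Virtual", CLIENT_TYPE: ANYCONNECT}},
    "ssh-only admin via AnyConnect": {
        "group": "asa-admins",
        "attrs": {NAS_PORT_TYPE: "Virtual", CLIENT_TYPE: ANYCONNECT}},
    "ssh-only admin via SSH": {
        "group": "asa-admins",
        "attrs": {NAS_PORT_TYPE: "Virtual"}},
}


def vpn_sessions_on_non_vpn_rules(policy):
    """List AnyConnect sessions permitted by a rule that never checks the client type."""
    findings = []
    for label, request in REQUESTS.items():
        if request["attrs"].get(CLIENT_TYPE) != ANYCONNECT:
            continue
        name, result = authorize(policy, request)
        rule = next((r for r in policy if r["name"] == name), None)
        checks_client = rule is not None and any(
            attr == CLIENT_TYPE for attr, _, _ in rule["conditions"])
        if result == "PermitAccess" and not checks_client:
            findings.append((label, name))
    return findings


if __name__ == "__main__":
    for title, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, request in REQUESTS.items():
            print(title, "|", label, "->", authorize(policy, request))
        print(title, "| overlap findings:", vpn_sessions_on_non_vpn_rules(policy))
```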
Tags: Cisco Security
Similar Questions
-
AnyConnect ASA laptop and iPad AnyConnect
Hello
I was wondering if there is a way to have the iPad AnyConnect SSL VPN client and the standard AnyConnect client connect to the same IP address on the external interface of the ASA and have the ASA determine whether the system is an iPad or a normal laptop. So, for example, if I had SSL VPN configured on the ASA with an IP address of https://5.5.5.5, both iPad users and laptop users would connect to the ASA outside interface using this single IP address. Once authenticated, the ASA would be able to determine that the user is using an iPad and limit them to an area of the network, and if the user is on a laptop using the normal AnyConnect client, pass them through the normal NAC security controls we have on our network.
So basically I want the iPad and the laptop to use a single ASA IP, but depending on the device direct them to different areas of the network, as we are unable to install anti-virus software and so on on the iPad and want to direct them to an area where they can't do as much damage if they have been compromised.
Thank you
Hi, you can use DAP in this case to check the client you are coming from and apply different policies depending on the client that connects.
For example, you can apply one policy to all OSes (mostly laptops), and if they fall into the notebook computer category you can give them a different policy.
The presence of anti-virus software can also be detected by policies with SSL VPN.
http://www.Cisco.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml#T2
Let me know if it helps.
-
ASA 5545 and Anyconnect Licenses
Currently, we use several Cisco ASA 5545 devices. Initially, we learned that we were automatically allowed to use the AnyConnect Secure Mobility client with our ASA devices. With recent security issues, we are trying to move to a solution that supports TLS 1.2, and it seems that AnyConnect Mobility Client 4.0 will do exactly that. My question is, does the automatic authorization supplied with the ASA 5545 unit include AnyConnect Client 4.0? After an exhaustive search, I am still unable to find this information. Also, is there an official document detailing exactly what licenses are part of the 5545 device, with respect to other Cisco software solutions?
Thank you
David
All* ASAs include two "free" AnyConnect Premium licenses. That is designed primarily for evaluation, as most businesses need more than two simultaneous remote access users. However, if that's all you need, it is free and fully functional. It was designed around the AnyConnect Secure Mobility Client 3.x and earlier offering.
From 4.0, there is a new license model for AnyConnect. It is explained in the AnyConnect Ordering Guide. While it is not currently enforced by technical means, use of AnyConnect 4.0 requires having a license to do so.
For some additional supporting documentation, as you initially requested, see also "Feature Licenses" in the ASA Configuration Guide.
* Some models do not support remote access VPN and either do not have the feature available or cannot use the license - for example the ASA 1000V and an ASA working in multiple context mode.
-
Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a site-to-site VPN between our data center and office. The data center has a Cisco ASA 5505 and the office has a Sonicwall TZ170. I managed to configure the two so that the VPN connects. From each firewall I can ping the internet IP address of the firewall on the other side, and from an office computer I can ping the internal IP address of the datacenter firewall, but I can't pass traffic between the datacenter and office private subnets. Can anyone help?
The config below has had IPs/passwords changed.
External Datacenter: 1.1.1.4
External office: 1.1.1.1
Internal data center: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2(1)
!
hostname datacenterfirewall
domain-name mydomain.tld
enable password thepassword encrypted
passwd encrypted
names
name 10.10.0.0 OfficeNetwork
name 10.5.0.0 DatacenterNetwork
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.5.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.4 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name buydomains.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list pixtosw extended permit ip DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit ip OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list pixtosw extended permit icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip OfficeNetwork 255.255.255.0 any
access-list outside_cryptomap_66.1 extended permit icmp any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit icmp OfficeNetwork 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside OfficeNetwork 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.5.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set walthamoffice esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ciscopix 1 match address outside_cryptomap_66.1
crypto dynamic-map ciscopix 1 set transform-set walthamoffice
crypto dynamic-map ciscopix 1 set reverse-route
crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix
crypto map dynmaptosw interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 13
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.5.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.5.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.5.0.2-10.5.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.250.45.2 source outside
ntp server 72.18.205.157 source outside
ntp server 208.53.158.34 source outside
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
username admin password encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: end
Mattew, the obvious missing statement is the NAT exemption rule for your tunnel. Your access list pixtosw is similar to the one in this example; I assume that you have gone through this link. If it still does not work, look at the configs on both sides.
Add the NAT exemption (sheep) rule statement on the ASA and try again.
nat (inside) 0 access-list pixtosw
Regards
-
How to support IDS on the ASA 5505 and 5520?
Dear All;
We have the following HW configuration for the ASA 5505 and ASA 5520, and we want to add Intrusion Detection System (IDS) functionality to the two ASAs. My question is: what modules are required to support this function, what is the difference between IPS and IDS, and does the same module provide both features?
Part number | Description | Qty
ASA5505-BUN-K9 | ASA 5505 appliance with SW, 10 users, 8 ports, 3DES/AES | 1
CON-SNT-AS5BUNK9 | SMARTNET 8X5XNBD ASA5505-BUN-K9 | 1
SF-ASA5505-8.2-K8 | ASA 5505 Series Software v8.2 | 1
CAB-AC-C5 | Power supply cord, Type C5, U.S. | 1
ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 1
ASA5505-PWR-AC | ASA 5505 power adapter | 1
ASA5505-SW-10 | ASA 5505 10 user software license | 1
SSC-WHITE | ASA 5505 SSC blank slot cover | 1
ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Secure Desktop software | 1

Part number | Description | Qty
ASA5520-BUN-K9 | ASA 5520 appliance with SW, HA, 4GE + 1FE, 3DES/AES | 2
CON-SNT-AS2BUNK9 | SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs, 4GE + 1FE, 3DES/AES | 2
ASA5520-VPN-PL | ASA 5520 VPN Plus 750 IPsec User License (7.0 only) | 2
ASA-VPN-CLNT-K9 | Cisco VPN Client software (Windows, Solaris, Linux, Mac) | 2
SF-ASA-8.2-K8 | ASA 5500 Series Software v8.2 | 2
CAB-ACU | Power supply cord (UK), C13, BS 1363, 2.5 m | 2
ASA-180W-PWR-AC | ASA 180W power supply | 2
ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 2
ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Secure Desktop software | 2
SSM-WHITE | ASA/IPS SSM slot cover | 2
Thanks in advance.
Rashed Ward.
Okay, I was not quite correct in my first post.
These modules are only available for the corresponding ASA models.
They can all act as IPS (inline mode) or IDS ("promiscuous" mode), depending on how you configure your policies.
When acting as IPS, the ASA redirects all traffic through the module, so all the traffic is inspected and can be dropped inline if a signature is triggered.
When acting as IDS, the ASA sends a copy of the traffic to the module for inspection, but the actual traffic is not affected by the module, as it is not inline in this case.
In addition, these modules can do both in combination. That is, part of the traffic can be inspected inline, while some other (more sensitive) traffic can be inspected in promiscuous mode.
To understand this better, familiarize yourself with this link:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/modules_ips.html
-
I hope someone can help me to answer this question:
Currently, we have redundant FWSMs and are considering a migration to standalone ASA 5500 series firewalls. However, we have a complete VMware environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.
Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a single firewall solution, or is an ASA 5500 always necessary?
Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?
Thanks for your help.
-Joe
It depends on what you are using the ASA5500 series for now. If you use the ASA5500 for remote access VPN and AnyConnect VPN, that is not supported on the first version of the ASA1000V yet.
Here's the Q&A on the ASA1000V, which includes more information:
http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html
Hope that answers your question.
-
SSH and SMB services no longer start
Dear community,
After installing the Log Analyzer add-on, my RN10200 started having problems: I was no longer able to see the shares via Samba. I tried to connect via SSH to see what the problem is, but SSH no longer works either. Since the web admin panel still works, I tried to enable SMB and SSH in the panel, but the indicator briefly turns green and then gray again. I also tried to uninstall the add-on, but now get a package manager error. I then tried to reinstall the operating system using the boot option, but that did not help either.
I removed the hard disks from the unit and mounted them read-only to see what is wrong. There, I found some permissions set wrong on the system partition:
/mnt/systemOld # ls -la
total 124
drwxr-xr-x 26 root  root   4096 May 19 21:03 .
drwxr-xr-x  4 root  root   4096 May 24 07:04 ..
drwxr-xr-x  2 root  root   4096 May  5  2015 apps
drwxr-xr-x  2 root  root   4096 May 19 19:51 bin
drwxr-xr-x  2 root  root   4096 Jun 17  2012 boot
drwxrwxrwt  2 root  root   4096 May  5  2015 data
drwxr-xr-x  4 root  root   4096 May 19 19:51 dev
drwxr-xr-x 79 root  root   4096 May 19 21:32 etc
drwxr-xr-x  6 guest guest  4096 May 19 19:51 frontview
drwxr-xr-x  2 root  root   4096 Jun 17  2012 home
lrwxrwxrwx  1 guest guest     5 Jul 18  2015 homes -> /home
drwxr-xr-x 14 guest guest  4096 May 19 19:51 lib
drwxrwxrwx  2 guest guest 16384 May  5  2015 lost+found
drwxr-xr-x  2 root  root   4096 Nov 18  2012 media
drwxr-xr-x  3 root  root   4096 Jun 17  2012 mnt
drwxr-xr-x  9 root  root   4096 Nov 26 10:59 opt
drwxr-xr-x  2 root  root   4096 Jun 17  2012 proc
-rwxrwxrwx  1 guest guest  1024 May  5  2015 .rnd
drwx------  5 root  root   4096 May 19 19:51 root
drwxr-xr-x  3 guest guest  4096 May 19 17:52 rsyslog
drwxr-xr-x  2 root  root   4096 Aug 18  2015 run
drwxr-xr-x  2 guest guest  4096 May 19 19:51 sbin
drwxr-xr-x  2 root  root   4096 Jun 10  2012 selinux
drwxr-xr-x  2 guest guest  4096 Nov 18  2012 srv
drwxr-xr-x  2 root  root   4096 Feb  8  2013 sys
drwxrwxrwt  7 guest guest  4096 May 19 21:32 tmp
-rwxrwxrwx  1 guest guest    33 May 19 17:48 .update_fail
drwxr-xr-x 10 root  root   4096 Nov 26 10:59 usr
drwxr-xr-x 18 root  root   4096 May 19 19:51 var
Instead of:
ls -la /
total 120
drwxr-xr-x  26 root  root   4096 May 23 07:40 .
drwxr-xr-x  26 root  root   4096 May 23 07:40 ..
drwxrwxrwx   1 root  root    116 May 23 20:45 apps
drwxr-xr-x   2 root  root   4096 May 23 07:39 bin
drwxr-xr-x   2 root  root   4096 Jun 17  2012 boot
drwxr-xr-x   1 root  root    250 May 22 10:36 data
drwxr-xr-x  13 root  root   3480 May 23 20:53 dev
drwxr-xr-x  79 root  root   4096 May 23 20:46 etc
drwxr-xr-x   6 root  root   4096 May 23 07:39 frontview
drwxr-xr-x   1 admin admin     0 May 19 22:17 home
drwxr-xr-x  14 root  root   4096 May 23 07:39 lib
drwx------   2 root  root  16384 May 19 22:17 lost+found
drwxr-xr-x   2 root  root   4096 May 19 22:49 md124
drwxr-xr-x   4 root  root     80 May 23 20:53 media
drwxr-xr-x   4 root  root   4096 May 24 07:04 mnt
drwxr-xr-x   9 root  root   4096 May 13 16:48 opt
dr-xr-xr-x 188 root  root      0 Jan  1  1970 proc
-rw-------   1 root  root   1024 May 19 22:17 .rnd
drwx------   3 root  root   4096 May 23 07:39 root
drwxrwxr-x  26 root  admin   820 May 23 20:53 run
drwxr-xr-x   2 root  root   4096 May 23 07:39 sbin
drwxr-xr-x   2 root  root   4096 Jun 10  2012 selinux
drwxr-xr-x   2 root  root   4096 Nov 18  2012 srv
dr-xr-xr-x  11 root  root      0 May 24 07:05 sys
drwxrwxrwt   7 root  root   4096 May 24 07:17 tmp
-rw-r--r--   1 root  root      0 May 23 07:38 .update_success
drwxr-xr-x  10 root  root   4096 May 13 16:48 usr
drwxr-xr-x  17 root  root   4096 May 23 07:39 var
Could this be the cause of the problem? Any other ideas on how to get the SSH and SMB services working again, or how to get more diagnostic information?
I have a backup of everything, so a complete reset would be an option. However, I would rather understand the problem and solve it, e.g. by using telnet, as it seems to be a simple problem. Would it be enough to reset the permissions? What else could be causing this behavior?
Thanks for the tips
Best
Steffen
You will have to go folder by folder through all the files it complains about and chown them back to root instead of guest. It is tedious, but eventually you can get everything working again.
-
Did not exit SSH and now cannot use SSH - this had to happen one day
Pro2 OS6 v 6.4.0
SSH
I logged in ssh [email protected]
No files were open, but before I could "exit" the session, the unit did a scheduled shutdown. I had completely lost track of time.
Now I can't SSH in. I've disabled SSH, rebooted, enabled SSH and tried again.
It just times out without asking for my password.
Is there a solution other than an OS reset or a factory re-install?
Thank you very much
David
I don't know if anybody looked at it, but it came good again after a few days.
I have no idea why it decided to ask for a password... but it works.
David
-
Native SSH and SFTP in LabVIEW
At the risk of re-opening a Pandora's box, is there any consideration of adding native SSH and SFTP support to LabVIEW?
Using PuTTY/plink is heavy and not multiplatform.
Calling a .NET (or other) external assembly is heavy and not multiplatform.
Labwerx SSH has a terrible license model (not to mention the extra cost).
It is the year 2015, and SSH/SFTP is ubiquitous and is not going away. These protocols must be present natively in LabVIEW.
I saw this idea on the Idea Exchange (http://forums.ni.com/t5/LabVIEW-Idea-Exchange/Native-SSH-and-SFTP-Support/idi-p/1141529), but there has been no movement in 5 years. I'd like to hear from NI here, even in the negative. If LabVIEW is not going to support SSH any time soon, it would be better to know now.
I doubt that this is likely to happen any time soon - the LabSSH Toolbox is fairly reasonably priced when compared to how long it would take to implement the feature yourself, and there is nothing preventing you from implementing it yourself using the TCP/IP functions in LabVIEW. Of course, you can use the command line with something like WinSCP / PuTTY as well.
I also found a wrapper that someone had done for an Open Source .NET SSH library called in-depth
I downloaded a copy of this thread: http://forums.ni.com/t5/LabVIEW/Plink-PuTTY-works-30-of-the-time-using-System-Exec-vi/td-p/3002261
There is also an alternative implementation of wrapper here: https://decibel.ni.com/content/docs/DOC-41388
-
Remote desktops sharing desktop files and attributes
I use my XP remote desktop to connect to three Win 2003 servers: DW1, DW2 and DW3. Because they all have quite similar content, it can become a bit confusing, so I thought I would use a different color for each desktop. But then I found that when I opened them again, they all had the same desktop color as the last one I had changed. Then I noticed that the computer names changed in Solution Explorer, for example DW1 was now called DW2, etc. (but the remote window always showed DW1). So I thought I would put a text file on the desktop of each, titled "It's DW1.txt", "It's DW2.txt", etc. But then text files started appearing on the wrong machines, for example DW1 now had a text file "It's DW1" as well as a text file "It's DW2", and DW2 had only a file called "It's DW1". I tried to connect to the machines using IP addresses instead of names, but they still do the same thing. It's as if all three machines somehow share desktop files and attributes. Any idea what is going wrong?
Bob
Hello Bob K Niagara Falls,
Please ask your question in the Remote Desktop Services forum in TechNet as they manage all the server related issues.
See you soon
-
How to use Ssh and Https for PC8164 PC5524
Hello!
How to use SSH and Https to connect to PC8164 and PC5524?
Kind regards!
For the SSH configuration commands, see page 1651 of the User Guide.
console(config)#crypto key generate rsa
RSA key generation started, this may take a few minutes...
RSA key generation complete.
console(config)#crypto key generate dsa
DSA key generation started, this may take a few minutes...
DSA key generation complete.
console(config)#ip ssh server
For the HTTPS commands, see pages 255 and 1770-1778 of the CLI Guide.
console(config)#crypto certificate 1 generate
console(config-crypto-cert)#key-generate
console(config-crypto-cert)#exit
console(config)#ip http secure-certificate 1
console(config)#ip http secure-server
-
LAN to Lan tunnel between ASA 5505 and 3030.
I am unable to build a site-to-site VPN tunnel between an ASA 5505 and our Cisco 3030. I tried all possible combinations except one that will work. I am able to ping each peer from the other site. Does anyone have a working LAN-to-LAN tunnel config between a 5505 and a 3030? Thank you
Hello
Please see this link for the config:
http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce...
Kind regards
Aditya
Please evaluate the useful messages.
-
I try to activate SSH on a 3560G switch so I can't disable Telnet.
Some referred to a "sh ssh" to see if I have SSH on the switch. It does not show. I also tried "transport input ssh", and ssh is not a valid input method.
I decided to update the IOS on the switch. I am now at 12.2(52)SE.
But I still cannot configure SSH. I get the same results as mentioned above.
Since it is the latest version of IOS, can't I assume that it contains SSH? Or do I need to download another version of IOS that specifically has SSH in it?
Thanks for your help
There are two versions of the Catalyst switch images (K9/SSH and non-SSH). If you do a "show version", it displays the version of IOS running on the switch. If you are running a non-SSH version, you must upgrade to an SSH (K9) image.
Regards
Farrukh
-
Log each ASA connection and router
Hello
I have a Cisco ASA 5520 and a Cisco 3825 router in my network. I want to log every connection to these devices. There are a few users who have different levels of access to these devices in the n/w. I would like to log all these users and what they actually change and implement on the devices. Is this possible using a RADIUS server or any other method, pls? I also have read/write access to these devices. Thank you very much
You can do it too.
You can use auth-proxy (router) or cut-through proxy (ASA) to have the user authenticate for the connections he makes, and do AAA accounting. But I don't think you need to do this for all connections, only for those that require user intervention.
Let us know if that answers the question.
PK
-
Issue of ASA 5540 and secure desktop Configuration
Hey guys, I have installed and tested AnyConnect VPN and Cisco Secure Desktop successfully.
Here's my question: is it possible to set up two groups of VPN users, one using Secure Desktop and one that does not? Example of the groups below:
Group 1: Corporate computers laptops that are not standard AnyConnect VPN Secure Desktop client.
Group 2: Contractor and personal computers that cannot use the Cisco Secure Desktop via AnyConnect VPN.
Thanks for your help guys!
It is now possible with 8.2.1. You can disable CSD on a per connection profile basis, provided you use group-url.