Monitor the remote-site ASA and allow the ACS to authenticate

Hi all

I have set up a site-to-site VPN and it works fine, but I am struggling to get two things configured; I hope I can get help from you all.

I need to monitor the remote ASA from my HQ. I use kulvik with SNMP, but I am afraid it would be a threat if I open SNMP on my outside interface.

access-list acl_outside extended permit udp host 20.x.x.x host 19.x.x.x eq snmp

Is this safe?

my configuration:

Remote

10.8.0.0/20---ASA---Internet---ASA---10.0.0.0

I was wondering whether there is another way to get my remote ASA monitored.

My next challenge is to add TACACS+ to the ASA configuration. My ACS is 10.6.1.186, which can be reached from the remote LAN (10.8.0.0/20) but not from the ASA because of policy. How can I get this to work?

I searched for how to add the source interface in the TACACS+ configuration but couldn't find it.

Thank you very much for the support

See you soon...

For the interface you want to use, can you please add the following command:

management-access <interface_name>

For example:

management-access server-vlan

or

management-access data-vlan

You can only configure one interface as the management-access interface.

Tags: Cisco Security

Similar Questions

  • How can I monitor several remote sites with hyperic?

    We have implemented a hyperic server in AWS.

    We have a lot of remote sites with a server on site. Each site has its own public static IP address.

    Here is how we have implemented hyperic right now:

    agent.setup.camIP = static public IP of the server in AWS
    agent.setup.camPort = 7080
    agent.setup.camSSLPort = 7443
    agent.setup.camSecure = yes
    agent.setup.camLogin = login
    agent.setup.camPword = pass
    #agent.setup.agentIP = public IP of the site
    agent.setup.agentPort = 2144
    #agent.setup.resetupTokens = no
    agent.setup.acceptUnverifiedCertificate = yes

    At each site, we have a router that port-forwards to the server. Each server is behind a router and has a private static IP such as 192.168.30.101.

    We have no problem setting up hyperic on the local server; the problem is that Hyperic HQ is overwriting the servers. It takes the private static IP address and keeps overwriting the latest server.

    Even if we have different server names and different public IP addresses when we set up the agent, once the agent is set up and starts sending the metrics, hyperic just replaces the last installed monitored server.

    Is there any way to stop hyperic from picking up the local IP address?

    This could be referred to as "pinning to a specific IP address", which is required when a platform has multiple NICs or IP addresses and is accomplished by adding additional directives to the agent.properties file. Because you specified a specific port at installation, it is better to pin that as well.

    agent.listenIp =
    agent.listenPort = 2144

    I suggest that you also uncomment:

    #agent.setup.agentIP =

    as well as (properly defined):

    #agent.setup.unidirectional = no

    The setting is described in the header section of the agent.properties file.

    # Agent configuration file
    #
    # The following are the properties the Agent recognizes:
    #
    # agent.listenPort
    # Default: "2144"
    #
    # Description: Port that the agent listens on.
    #
    # agent.listenIp
    # Default: "*"
    #
    # Description: Address that the agent listens on.  If the value is "*",
    # the agent will listen on all available interfaces.

    1.) You now have:

    agent.setup.camIP = static public IP of the server in AWS
    agent.setup.camPort = 7080
    agent.setup.camSSLPort = 7443
    agent.setup.camSecure = yes
    agent.setup.camLogin = login
    agent.setup.camPword = pass
    #agent.setup.agentIP = public IP of the site
    agent.setup.agentPort = 2144
    #agent.setup.resetupTokens = no
    agent.setup.acceptUnverifiedCertificate = yes

    2.) Stop the agent.

    3.) Change this option and add the additional directives:

    agent.setup.camIP = static public IP of the server in AWS
    agent.setup.camPort = 7080
    agent.setup.camSSLPort = 7443
    agent.setup.camSecure = yes
    agent.setup.camLogin = login
    agent.setup.camPword = pass
    agent.setup.agentIP = public IP of the site
    agent.setup.agentPort = 2144
    agent.setup.resetupTokens = no
    agent.setup.acceptUnverifiedCertificate = yes
    agent.listenIp = public IP of the site
    agent.listenPort = 2144

    4.) Remove the agent data directory (it is re-created on the next start).

    5.) Restart the agent (this will trigger a reconfigure).

    6.) Accept the agent inventory.

  • Remote sites and local sites do not seem to communicate...

    I had especially good luck with checking files out, editing them and checking them back in, but had to reinstall Dreamweaver a few months back and lately I don't know what is happening!  When I check files out/in everything seems to work, but the pages on my website are not updated... we did one a couple of weeks back and after a day or so it took, but I need to better understand the options.  The test site works, but it seems that I can only check files into my C: drive.  Anyone know of any "T" I'm not crossing, or "I" I'm not dotting?

    3G

    So, should I just use the put/get process or manually download the files as they are published? ... and should I go ahead and synchronize the site with my C: drive, or vice versa?

    That's how I've built every site since 1999.  Work in the local site.  Put to the remote site.

  • Extend the production VLAN behind an ASA5510 to a remote site and a 2821

    I have an ASA 5510 and want to extend one of the subnets behind this ASA out to my house, which has a cable modem, a wireless switch/router and, behind that, a 2821 router.  I have read that L2TP may be the way to go, but cannot find config examples.  Once again, I'd like to extend and nail up a permanent connection of one of the VLANs in the production network to the bottom of my house using my cable modem and the 2821.  Configuration examples would be very much appreciated!  In addition, any recommendations for the IOS on the 2821 would be very much appreciated.  Finally, is L2TP the way I need to go?  I enclose a very basic Visio diagram of what I'm trying to do.  Thank you, john

    You need L2TPv3.

    The ASA does not support it but will pass L2TPv3 through.

    At work, you will need to add another router; L3 switches do not support it.

    The configuration on a router would be:

    pseudowire-class test
     encapsulation l2tpv3
     ip local interface Loopback0
    !
    interface FastEthernet0/0.30
     encapsulation dot1q 30
     xconnect X.X.X.X 1000 pw-class test

    Loopback0 will be the source of the tunnel; you can use any interface whose IP address the remote xconnect can reach. Do not put an IP address on the subinterface.

    X.X.X.X is the IP of the remote router's interface; it serves as the "ip local interface" in the remote configuration.

    Make sure that 1000 (the VC ID) matches on both sides.

  • Routing between two remote sites connected over a site-to-site VPN

    I have a problem pinging between remote sites.  Right now the crypto and no-NAT ACLs for the different sites only affect traffic between each remote site and the main site. I tried adding routes, adding the other subnets to the crypto and no-NAT ACLs at the remote sites... nothing worked.  Any ideas?

    Main site:

    192.168.100.0 - call manager / phone VLAN

    192.168.1.0/24 - data VLAN

    Site 1:

    192.168.70.0/24 - phone VLAN

    192.168.4.0/24 - data VLAN

    Site 2:

    192.168.80.0/24 - phone VLAN

    192.168.3.0/24 - data VLAN

    Main router

    Extended IP access list ACL5
     10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
     20 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
     30 permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
     40 permit ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
     50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
    Extended IP access list ACL6
     10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
     20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
     30 permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
     40 permit ip 192.168.100.0 0.0.0.255 192.168.80.0 0.0.0.255

    Extended IP access list NO-NAT
     10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
     20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
     30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
     40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
     320 permit ip 192.168.1.0 0.0.0.255 any
     330 permit ip 192.168.100.0 0.0.0.255 any

    Site 1:

    Extended IP access list ACL5
     permit ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255

    Extended IP access list NO-NAT
     deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
     deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
     deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
     permit ip 192.168.70.0 0.0.0.255 any
     permit ip 192.168.4.0 0.0.0.255 any

    Site 2:

    Extended IP access list ACL6
     permit ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
    Extended IP access list NO-NAT
     deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
     deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
     deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
     permit ip 192.168.80.0 0.0.0.255 any
     permit ip 192.168.3.0 0.0.0.255 any

    What should I do so that these two sites can ping each other?  I looked through the forums but can't seem to find anyone with a similar problem who has received a definitive answer.

    Thanks in advance!

    Hi, I assume that you need site 1 and site 2 to communicate with each other via the main site, right? If so, then you need to add the following lines to your crypto ACLs:

    Main router

    Extended IP access list ACL5
     permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
     permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    Extended IP access list ACL6
     permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
     permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
     permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
     permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

    Make sure you add these lines before the last permit.

    Extended IP access list NO-NAT
     deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
     deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
     deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
     deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
     deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
     deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
     deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
     deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

    Site 1:

    Extended IP access list ACL5
     permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
     permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
     permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
     permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

    Make sure that these lines are added before the last permit.

    Extended IP access list NO-NAT
     deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
     deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
     deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
     deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

    Site 2:

    Extended IP access list ACL6
     permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
     permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    Again, make sure that these lines are added before the last permit.

    Extended IP access list NO-NAT
     deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
     deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
     deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
     deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

    So with these definitions your routers should be good: the remote sites (sites 1 and 2) will reach each other via the main site.

    Let me know if this is what you need.
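The answer above comes down to two invariants a hub-and-spoke crypto ACL set must satisfy: every (source, destination) pair one side encrypts must appear mirrored on the peer, and spoke-to-spoke traffic through the hub needs explicit spoke-to-spoke pairs in the hub's ACLs. The following Python checker is an added example, not code from the thread; it parses IOS-style `permit ip <net> <wildcard> <net> <wildcard>` entries (the thread's own ACL5 lines are embedded as constructed sample input) and reports which mirror entries and which spoke-to-spoke entries are missing. The site network lists and the regex are assumptions; only the `ip` protocol form of an ACE is handled.

```python
import ipaddress
import re

# Constructed sample input: the thread's original (pre-fix) crypto ACLs,
# the main router's ACL5 (towards site 1) and site 1's ACL5 (towards the main site).
MAIN_ACL5 = """
10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
30 permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
40 permit ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
"""
SITE1_ACL5 = """
permit ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
"""
# Site networks as listed in the question (assumed complete for this example).
SITE1_NETS = ["192.168.70.0/24", "192.168.4.0/24"]
SITE2_NETS = ["192.168.80.0/24", "192.168.3.0/24"]

# One IOS extended ACE for protocol "ip": optional sequence number, action,
# source/wildcard, destination/wildcard.  Other protocol forms are rejected.
ACE_RE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACLs use wildcard masks (0 bits = must match); invert to a prefix length."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{bin(mask).count('1')}", strict=False)


def parse_crypto_acl(text: str) -> set:
    """Return the set of (src, dst) network pairs the ACL permits (interesting traffic)."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        action, src, src_wc, dst, dst_wc = m.groups()
        if action == "permit":
            pairs.add((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return pairs


def missing_mirror(local_pairs: set, peer_pairs: set) -> set:
    """Local (src, dst) entries whose mirror (dst, src) is absent on the peer.

    Each pair returned is traffic one side would encrypt while the other side
    would not accept it as a valid proxy identity, so the tunnel fails for it."""
    return {(s, d) for (s, d) in local_pairs if (d, s) not in peer_pairs}


def missing_spoke_entries(hub_acl_pairs: set, far_spoke_nets, near_spoke_nets) -> set:
    """Spoke-to-spoke pairs the hub's crypto ACL towards near_spoke still lacks.

    For site 2 to reach site 1 through the hub, the hub's ACL towards site 1 must
    list every (site-2 net -> site-1 net) pair, which is what the answer above adds."""
    needed = {
        (ipaddress.IPv4Network(a), ipaddress.IPv4Network(b))
        for a in far_spoke_nets
        for b in near_spoke_nets
    }
    return needed - hub_acl_pairs


if __name__ == "__main__":
    main_pairs = parse_crypto_acl(MAIN_ACL5)
    site1_pairs = parse_crypto_acl(SITE1_ACL5)
    print("main ACL5 entries not mirrored on site 1:", missing_mirror(main_pairs, site1_pairs))
    for s, d in sorted(missing_spoke_entries(main_pairs, SITE2_NETS, SITE1_NETS), key=str):
        print(f"hub ACL5 needs: permit ip {s.network_address} {s.hostmask} "
              f"{d.network_address} {d.hostmask}")
```

Run as-is it reports that the original ACLs are correctly mirrored but that all four site-2-to-site-1 pairs are missing from the hub's ACL5, which matches the lines the answer tells the poster to add; the same check, with the site lists swapped, covers ACL6.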

  • If we have 2 remote sites with the same shared storage, can we mount a shared drive at the remote site?

    Dear Experts,

    If we have 2 remote sites with the same shared storage, can we mount the drive at the remote site?

    • Assume that the Oracle database is on the shared disk (for example HP 3PAR).
    • The primary Oracle server has all the database files on a common drive (storage shared between geographically separate sites).
    • On failure, is it possible to mount the drive at the remote site and mount the Oracle database on it?

    There should be no effect on it, as it should be the same disk that was unmounted at the master site.

    Thank you and best regards,

    IVW

    Thanks a lot mseberg

    Is it a valid design?

    • We have remote sites and want to set up DR. As we only have SE, Data Guard is therefore not a choice.
    • We are thinking of the SAN replication option.

    Have you ever seen/configured such an architecture or design?

    Can you please throw some light on this. Thanks in advance for your ideas.

    Thank you and best regards,

    IVW

  • How can I change the remote site definition without breaking all the links?

    I created a website and put it at http://home.Comcast.NET/~alpsf/index.html to test it during construction.  Now when I change the remote site definition to the local site in DW, all the links are broken.  I now suspect the problem is that I made ~alpsf/ my site root and DW inserted it in all the links.  Is there a way to fix this?

    Thank you very much.

    You can do a search and replace to change the links globally. Make sure you do a full backup of the site before doing this in case you do not do it correctly. Let me stress it once more: back up your entire site in case you need to restore. If you have created a "new site" and it will not be part of the /~alpsf site, then you will need to define a new site and copy all the files into this folder (I'm guessing that this is the case). I would copy the files outside Dreamweaver. You could do this without touching the files in the ~alpsf directory. There are many variables here because I don't know exactly what you are doing.

    From the menu select Window > Results > Search. (Do this if the search panel is not open.)

    Find in: Entire Current Local Site

    Search: Source Code

    Find: "/~alpsf/"

    Replace: "/"

    That should do it, but it is a very delicate thing. I wouldn't have a problem doing this as long as I had backed everything up.

    Jim

    Edit: you will need to go into your CSS, Spry files and all others that have links and do the same (this time only select Search in: Current Document when the document is open). Once this is done, delete the entire remote site and upload the changes once you have checked that everything is complete.

  • Requirements for vSphere remote-site replication

    I run 3 vSphere 5.5 Enterprise hosts in Site A with vCenter.   I want to add a new host in a remote site and configure vSphere Replication between them.  Questions:

    • Do I need a vCenter in site 2?
    • If the Site A vCenter manages the hosts of Site B and Site A goes down, can the vSphere-replicated VMs be restarted in Site B without problems?
    • Is there a risk in not having a vCenter dedicated to Site B in the failover plan?

    Thank you

    -Matt

    Hello

    (A) If you have vCenter in site 2, you will need to deploy a VR appliance there and pair the two VR sites in the UI.

    In case something happens to site A, losing vCenter and/or the VR appliance, you can use the vCenter and VR appliance at site B to perform disaster recovery and bring up the VMs at site B, inside the site B vCenter inventory.

    (B) If you have no vCenter server in site 2:

    1. There is no need to deploy the combined VR appliance (VRMS + VR server + embedded DB) for site B.

    2. You can deploy an additional VR-server-only appliance for site B, so that the replication traffic goes directly from the source ESXi to the correct VR server.

    3. If disaster strikes the site, you must have vCenter Server and VRMS in the combined VR appliance up and running in order to use the VR UI to perform disaster recovery. If vCenter Server or the VRMS managing the target datastores is corrupted/lost, the only way to recover after a disaster is to manually consolidate the replica redo logs, rename the replicated configuration files and hope that the consolidated redo logs represent a coherent instance of the source VM. This procedure is error-prone, not officially supported, and care must be taken when consolidating the redo logs to ensure the consistency of the data in the virtual machine disks, rather than some partial block updates.

    Kind regards

    Martin

  • Routing between remote sites

    My question is on remote sites and routing for vSphere. I have two geographically separated sites connected by an 80 Mbit fiber connection. Each site has its own SAN and dedicated SAN switches and will have its own guests. I use vSphere 5 Standard.

    I created my first site and everything works fine. At the beginning I set up all the hosts I have on the first site to make sure everything was working correctly. Now, I'm ready to move half of the guests to my second site.

    I want to manage both sites from my existing vSphere server on the first site.

    What is the best way to set up my second site? Between the sites traffic *is* routed, so I know that limits my options. I went into this project knowing that the 80 Mbit link between my sites was not good enough for vMotion.

    I used Paul Kelly's suggestions (thanks!) to set up my sites; they look like:

    http://3.BP.blogspot.com/-3z1mWR6wSkc/TopCRUzgSsI/AAAAAAAAAEU/gnLZoExAWRc/S1600/vSphere+5+-+6+NIC+IsolatedStorage+and+NoFT+design+v1.0.jpg

    What is my best option here? My original thought was that I want to route traffic for the management network only (VLAN 10 on the diagram) between my sites. Is that all that is needed for the vCenter server on my first site to see my second site? With this configuration would I be able to vMotion between hosts located on my second site? Is there any other angle I'm missing here?

    On a separate note, right now I have a Datacenter with a cluster inside (for my first site). Should my second site be a second cluster, or a whole new datacenter? I've read some threads on the forum and some people say to keep one datacenter unless you have naming problems. Of course, the fact that you can vMotion between clusters and not between datacenters doesn't really make a difference in my scenario.

    Welcome to the community. As long as your vCenter server is able to reach the management port on the ESXi hosts in the second site, you'll be able to manage the hosts with the single instance. I agree that you should route the management traffic over the private link between the sites.

    In doing so, the single instance of vCenter can manage the ESXi hosts at each site and be able to trigger vMotion at each site.

  • How to restore a remote site after a crash?

    I read the site management FAQ and it mentions that to restore your files, you can go to your remote site and download them to your local site.

    That offered little help for my situation.

    I had a hard drive failure; I am running Windows XP and DW CS4, and the site is hosted. I reinstalled Windows and DW. The site was created according to all the tutorials and I managed to save a copy of the site folder, but not according to the backup instructions in the FAQ. I have just a root folder with all the pages.

    Could someone point me to a tutorial or how-to?

    Thanks in advance

    Jim

    "I managed to save a copy of the site folder, but not according to the backup instructions in the FAQ. I have just a root folder with all the pages."

    You lost me here. Not sure what you mean.

    Create a new site definition for the local and remote sites, connect to your remote site, and then click Get. That's all you need to do.

  • ASA remote sites cannot access the DMZ at the hub site

    So I've been scratching my head and I just can't visualize what I want and how I want to do it.

    Here is the overview of my network:

    Headquarters: ASA 5505

    Site1: ASA 5505

    Site2: ASA 5505

    Training3: ASA 5505

    All sites are connected to the Headquarters location with site-to-site (L2L) VPN.

    From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic also works correctly.

    Here's my problem: at the HQ site I have a DMZ set up with a web/mail server. This mail/web server is accessible from my HQ LAN, but not from the satellite locations. I need to allow that.

    What should I do?

    My second question is that I want the satellite sites to see each other's networks. Should I create a VPN between the sites, or can this be solved in the same way as the DMZ question?

    I enclose the show run from my HQ ASA.

    HQ ASA show run

    For the mail/web server that requires access over the remote-site VPN tunnels, you must add the servers to the crypto ACL, similar to the way you have it for network access. Make sure that both sides have the ACL mirrored. If you're NATing from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for the VPN traffic.

    For the second question, because you have only three sites, I would recommend creating a site-to-site tunnel between the two satellite sites.

    HTH

    PS. If you found this post useful, please rate it.

  • Remote-access VPN and site-to-site VPN: remote users unable to access the local network

    As per the config below, remote-access VPN and site-to-site VPN remote users are unable to access the local network. Please suggest the required config.

    The local server 192.168.215.4 is not able to ping the VPN users; remote VPN connectivity to this server works fine, but the VPN users are not able to ping the local network.

    ASA Version 8.2(2)
    !
    hostname kunauto
    domain-name kunchevrolet
    enable password r8xwsBuKsSP7kABz encrypted
    passwd r8xwsBuKsSP7kABz encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     pppoe client vpdn group dataone
     ip address pppoe
    !
    interface Ethernet0/1
     nameif inside
     security-level 50
     ip address 192.168.215.2 255.255.255.0
    !
    interface Ethernet0/2
     nameif Internet
     security-level 0
     ip address dhcp setroute
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    ftp mode passive
    clock timezone IST 5 30
    dns server-group DefaultDNS
     domain-name kunchevrolet
    same-security-traffic permit intra-interface
    object-group network GM-DC-VPN-Gateway
    object-group network net-LAN
    access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu Internet 1500
    ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http x.x.x.x 255.255.255.252 outside
    http 192.168.215.0 255.255.255.252 inside
    http 192.168.215.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 65500 set transform-set RIGHT
    crypto map VPN 10 ipsec-isakmp dynamic dynmap
    crypto map VPN interface outside
    crypto map ASA-01 10 set peer 221.135.138.130
    crypto map ASA-01 10 set transform-set RIGHT
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 28800
    telnet 192.168.215.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    vpdn group dataone request dialout pppoe
    vpdn group dataone localname bb4027654187_scdrid
    vpdn group dataone ppp authentication chap
    vpdn username bb4027654187_scdrid password ***** store-local
    dhcp-client client-id interface Internet
    dhcpd dns 218.248.255.141 218.248.245.1
    !
    dhcpd address 192.168.215.11-192.168.215.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption des-sha1
    webvpn
     enable outside
     tunnel-group-list enable
    group-policy kun internal
    group-policy kun attributes
     vpn-simultaneous-logins 8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value kunchevrolet
    username test password P4ttSyrm33SV8TYp encrypted
    username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
    username kunauto attributes
     vpn-group-policy kun
     vpn-tunnel-protocol IPSec
    tunnel-group vpngroup type remote-access
    tunnel-group vpngroup general-attributes
     address-pool VPN_Users
     default-group-policy kun
    tunnel-group vpngroup webvpn-attributes
     group-alias vpngroup enable
    tunnel-group vpngroup ipsec-attributes
     pre-shared-key *
    tunnel-group test type remote-access
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
    : end
    kunauto#

    Hello

    Looking at the configuration, there is an access list for NAT exemption:

    access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0

    But it is not applied in the NAT statements.

    Enter the following command to apply the NAT exemption:

    nat (inside) 0 access-list sheep

    Kind regards

    Dinesh Moudgil

    P.S. Please mark this message as "Answered" if you find this information useful, so that it benefits other users of the community.
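The root cause Dinesh points at is a configuration-consistency gap: an ACL exists, `nat-control` plus `nat (inside) 1 0.0.0.0 0.0.0.0` translate everything leaving the inside interface, and nothing ties the ACL to a `nat (inside) 0` exemption, so VPN traffic is PAT'ed and never matches the tunnel. The Python below is an added example (not from the thread) that reads a running-config excerpt and reports ACLs that are defined but never referenced, plus interfaces that have a dynamic NAT rule without a NAT-exemption rule. The excerpt is a constructed trim of the config posted above; the set of reference patterns covers the ASA 8.2 keywords used here and is assumed sufficient for that excerpt, not exhaustive.

```python
import re

# Constructed excerpt: the ACL and NAT lines of the running config posted above.
CONFIG_BEFORE = """
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
 split-tunnel-network-list value split-tunnel
"""
# The same excerpt with the exemption from the answer applied.
CONFIG_AFTER = CONFIG_BEFORE + "nat (inside) 0 access-list sheep\n"

# Places an ASA 8.2 configuration references an ACL by name (assumed list, not exhaustive).
REFERENCE_PATTERNS = [
    re.compile(r"^nat \(\S+\) \d+ access-list (?P<acl>\S+)"),
    re.compile(r"^access-group (?P<acl>\S+) (?:in|out) interface \S+"),
    re.compile(r"^\s*vpn-filter value (?P<acl>\S+)"),
    re.compile(r"^\s*split-tunnel-network-list value (?P<acl>\S+)"),
    re.compile(r"^\s*match access-list (?P<acl>\S+)"),
]
ACL_DEF = re.compile(r"^access-list (\S+) ")
NAT_RULE = re.compile(r"^nat \((\S+)\) (\d+) ")
NAT_EXEMPT = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def acl_report(config: str) -> dict:
    """Cross-reference ACL definitions against every place that can use one."""
    defined, referenced, nat_exempt = set(), set(), {}
    for line in config.splitlines():
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for pat in REFERENCE_PATTERNS:
            m = pat.match(line)
            if m:
                referenced.add(m.group("acl"))
        m = NAT_EXEMPT.match(line)
        if m:
            nat_exempt[m.group(1)] = m.group(2)  # interface -> exemption ACL
    return {
        "unreferenced": defined - referenced,   # defined, but applied nowhere
        "dangling": referenced - defined,       # applied, but never defined
        "nat_exempt": nat_exempt,
    }


def interfaces_without_nat_exemption(config: str) -> set:
    """Interfaces with a dynamic NAT/PAT rule (id > 0) but no 'nat (iface) 0' exemption.

    Under nat-control such an interface translates VPN traffic too, which is the
    symptom in the thread: tunnels build but hosts behind the rule cannot be reached."""
    dynamic, exempt = set(), set()
    for line in config.splitlines():
        m = NAT_RULE.match(line)
        if m:
            (exempt if m.group(2) == "0" else dynamic).add(m.group(1))
    return dynamic - exempt


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, acl_report(cfg), "no exemption on:", interfaces_without_nat_exemption(cfg))
```

Before the fix the report lists both `sheep` and `sptnl` as unreferenced and flags `inside` as translating without an exemption; after adding `nat (inside) 0 access-list sheep` only `sptnl` remains unreferenced, which is worth a second look in its own right.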

  • VPN filtering and local access to the remote site

    Hello

    I set up VPN filtering on all my L2L VPNs. I have limited access from the remote side to local resources to the specified ports. It works perfectly.

    But I want to have full access from the local to the remote networks (while still restricting remote access to the local side). The VPN filter currently works two-way, as I have a simple ACL. So is it possible to open all traffic from local to remote while limiting remote-to-local traffic?

    ASA 5520 8.4(3)

    Thanks in advance

    Tomasz Mowinski

    Hello

    Well, let's say you have a filter ACL rule where you allow HTTP traffic from the local network to the remote host

    LAN: 10.10.10.0/24

    remote host: 192.168.10.10/32

    The filter ACL rule would be the following:

    access-list FILTER-ACL permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0

    I think that this ACL rule would also mean that as long as the remote host uses source port TCP/80, it may access any TCP port on any host in your local network.

    I guess you could add some port ranges or even service object-groups to the ACL rules so that not all well-known ports would be accessible on the LAN. But I guess that could complicate the configurations.

    We usually manage customer L2L VPNs on a completely separate ASA, which lets us filter all the traffic on another device and avoid this kind of problem. But of course there are some situations/networks where this is not possible, and it is not a feasible option for some because of the cost of an extra ASA.

    Please rate if you have found the information useful

    -Jouni
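Jouni's point is about ACE semantics: a vpn-filter entry is written with the remote side as source and the local side as destination, and an entry that pins only the source port leaves every destination port open. The following Python is an added example, not code from the thread or from the ASA: it parses the filter ACE exactly as posted above, evaluates it against a few constructed flows with first-match and implicit-deny semantics, and flags entries of the "source port only" shape. The tightened variant with `gt 1023` is an assumption of one way to narrow the entry to return traffic on ephemeral ports; it is not something the thread shows, and the matcher is stateless, so it models the ACE text only, not the ASA's connection table.

```python
import ipaddress
import re

# Constructed sample ACLs.  The first line is the filter rule from the answer above;
# the second is an assumed tightened variant that also constrains the destination port.
ORIGINAL_FILTER = ["permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0"]
TIGHTENED_FILTER = ["permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0 gt 1023"]

# ASA extended ACE: action, protocol, source (+ optional port operator),
# destination (+ optional port operator).  Only eq/gt/lt operators are modelled.
ACE_RE = re.compile(
    r"^(permit|deny)\s+(\w+)\s+(host\s+\S+|\S+\s+\S+)(?:\s+(eq|gt|lt)\s+(\d+))?"
    r"\s+(host\s+\S+|\S+\s+\S+)(?:\s+(eq|gt|lt)\s+(\d+))?$"
)


def _network(spec: str) -> ipaddress.IPv4Network:
    """'host A' or 'A MASK' (ASA ACLs use real netmasks, not wildcards)."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    addr, mask = parts
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _port_ok(op, value, port: int) -> bool:
    if op is None:          # no operator: any port matches
        return True
    value = int(value)
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def parse_ace(text: str) -> dict:
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {text!r}")
    action, proto, src, sop, sport, dst, dop, dport = m.groups()
    return {"action": action, "proto": proto, "src": _network(src), "sop": sop,
            "sport": sport, "dst": _network(dst), "dop": dop, "dport": dport}


def ace_matches(ace: dict, proto: str, src_ip: str, sport: int, dst_ip: str, dport: int) -> bool:
    return (ace["proto"] in (proto, "ip")
            and ipaddress.IPv4Address(src_ip) in ace["src"]
            and ipaddress.IPv4Address(dst_ip) in ace["dst"]
            and _port_ok(ace["sop"], ace["sport"], sport)
            and _port_ok(ace["dop"], ace["dport"], dport))


def evaluate(acl_lines, proto, src_ip, sport, dst_ip, dport) -> str:
    """First-match evaluation with the implicit deny at the end.

    For a vpn-filter the flow is written from the remote side's point of view:
    src = remote host, dst = local network."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, proto, src_ip, sport, dst_ip, dport):
            return ace["action"]
    return "deny"


def source_port_only_entries(acl_lines) -> list:
    """Permit entries that constrain the source port but leave the destination port open,
    the shape the answer above warns about."""
    flagged = []
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["action"] == "permit" and ace["sop"] and not ace["dop"]:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    # Remote host, sourcing from TCP/80, towards SSH on a LAN host: permitted by the original rule.
    print(evaluate(ORIGINAL_FILTER, "tcp", "192.168.10.10", 80, "10.10.10.5", 22))
    print(evaluate(TIGHTENED_FILTER, "tcp", "192.168.10.10", 80, "10.10.10.5", 22))
    print(source_port_only_entries(ORIGINAL_FILTER))
```

The first evaluation returns "permit" for a flow from 192.168.10.10:80 to 10.10.10.5:22, which is exactly the over-reach Jouni describes; the tightened entry denies it while still permitting the reply traffic to an ephemeral local port.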

  • The scroll bar has gone weird: it doesn't appear on web sites and is not letting me scroll properly.

    For some reason no scroll bar appears on web sites and it is not letting me scroll properly to the top and bottom of the page. It happens on every web site. However, when I switch to another browser it doesn't happen.

    Does pressing F7 solve your problem? (It could be that something called keyboard navigation is on.)

  • When dual screens are used, and Firefox is on the second monitor, the Firefox menu does not appear. The same thing happens to the address bar when typing addresses of already visited sites.

    When dual screens are used, and Firefox is on the second monitor, the Firefox menu does not appear. The same thing happens to the address bar when typing addresses of already visited sites.

    I had the same problem and I got rid of it by disabling hardware acceleration of rendering in the settings dialogue. Now I see the Firefox menu properly on a secondary monitor.
