Monitor the remote-site ASA and let it authenticate against the ACS
Hi all
I have a site-to-site VPN set up and it works fine, but I am struggling to get two things configured and hope I can get help from you all.
I need to monitor the remote ASA from my HQ. I use kulvik with SNMP, but I am afraid it would be a threat if I open SNMP on my outside interface.
'access-list acl_outside extended permit udp host 20.x.x.x host 19.x.x.x eq snmp' - is this safe?
My configuration:
Remote
10.8.0.0/20---ASA---Internet---ASA---10.0.0.0
I was wondering whether there is another way to get my remote ASA monitored.
My next challenge is to add the TACACS+ configuration to the ASA. My ACS is 10.6.1.186 and can be reached from the remote LAN (10.8.0.0/20), but not from the ASA itself because of policy. How can I get this to work?
I searched for how to add the source interface in the TACACS+ config but couldn't find it.
Thank you very much for the support
See you soon...
For the interface you want to use, can you please add the following command:
management-access <interface>
For example:
management-access server-vlan
or
management-access data-vlan
You can only configure one interface for management access.
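The following is an added example, not the poster's configuration or the reply's exact commands, showing how the two requests above (polling the remote ASA without exposing SNMP on its outside interface, and reaching the ACS through the tunnel) fit together on an ASA running 8.2. Assumed values: the remote ASA's inside interface is 10.8.0.1, the HQ monitoring host is 10.0.0.50 in a 10.0.0.0/24 HQ LAN, the interfaces are named "inside" and "outside", and the existing L2L crypto ACL already carries 10.8.0.0/20 to 10.0.0.0/24 (the ACS address 10.6.1.186 is from the post).

```cisco
! Added example (assumed addresses, see the lead-in), ASA 8.2 syntax.
!
! 1. Let HQ reach the ASA's INSIDE address through the L2L tunnel. This is the
!    command from the reply; it also makes the ASA source its own AAA, syslog
!    and SNMP traffic toward HQ from that interface.
management-access inside
!
! 2. SNMP: polls addressed to the ASA itself are admitted by "snmp-server host",
!    not by the interface ACL, so UDP/161 never has to be opened on "outside".
!    Binding the poller to "inside" means the poll arrives through the tunnel
!    and only from that one host.
snmp-server host inside 10.0.0.50 poll community <read-only-community> version 2c
snmp-server community <read-only-community>
!
! 3. TACACS+: declare the ACS as reachable via "inside"; together with
!    "management-access inside" the request is sourced from 10.8.0.1 and
!    rides the tunnel like any other inside-to-HQ traffic.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.6.1.186
 key <tacacs-shared-secret>
! LOCAL is consulted only if every server in the ACS group is unreachable.
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
!
! Checks (assumed user name):
!   test aaa-server authentication ACS host 10.6.1.186 username <user>
!   show snmp-server statistics        (counters move after the first poll)
!   show crypto ipsec sa               (encaps/decaps for 10.8.0.1 <-> 10.0.0.50)
```

The point of sourcing both services from the inside interface is that the ASA's own management plane then never listens on the Internet-facing address; if the tunnel is down, monitoring and TACACS+ fail closed to the LOCAL fallback rather than to an exposed port.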
Tags: Cisco Security
Similar Questions
-
How can I monitor several remote sites with Hyperic?
We have implemented a Hyperic server in AWS.
We have a lot of remote sites with a server on site. Each site has its own public static IP address.
Here is how we have implemented Hyperic right now:
agent.setup.camIP = static public IP of the server in AWS
agent.setup.camPort = 7080
agent.setup.camSSLPort = 7443
agent.setup.camSecure = yes
agent.setup.camLogin = login
agent.setup.camPword = pass
#agent.setup.agentIP = public site IP
agent.setup.agentPort = 2144
#agent.setup.resetupTokens = no
agent.setup.acceptUnverifiedCertificate = yes
At each site, we have a router that port-forwards to the server. Each server is behind a router and has a private static IP such as 192.168.30.101.
We have no problem setting up Hyperic on the local server; the problem is that Hyperic HQ is overwriting the servers. It takes the static private IP address and keeps overwriting the latest server.
Even if we have different server names and different public IP addresses when we set up the agent, once the agent is in place and starts sending metrics, Hyperic just replaces the last installed server.
Is there any way to stop Hyperic from picking up the local IP address?
This could be referred to as "pinning to a specific IP address", which is required when a platform has multiple NICs or IP addresses and is accomplished by adding additional directives to the agent.properties file. Because you specified a specific port at installation, it is better to pin that as well.
agent.listenIp =
agent.listenPort = 2144
I suggest that you also uncomment:
#agent.setup.agentIP =
as well as (properly defined):
#agent.setup.unidirectional = no
The settings are described in the header section of the agent.properties file.
# Agent configuration file
#
# The following are the properties the Agent recognizes:
#
# agent.listenPort
# Default: "2144"
#
# Description: Port that the agent listens on.
#
# agent.listenIp
# Default: "*"
#
# Description: Address that the agent listens on. If the value is "*",
# the agent will listen on all available interfaces.
1.) You now have:
agent.setup.camIP = static public IP of the server in AWS
agent.setup.camPort = 7080
agent.setup.camSSLPort = 7443
agent.setup.camSecure = yes
agent.setup.camLogin = login
agent.setup.camPword = pass
#agent.setup.agentIP = public site IP
agent.setup.agentPort = 2144
#agent.setup.resetupTokens = no
agent.setup.acceptUnverifiedCertificate = yes
2.) Stop the agent.
3.) Change this option and add the additional directives:
agent.setup.camIP = static public IP of the server in AWS
agent.setup.camPort = 7080
agent.setup.camSSLPort = 7443
agent.setup.camSecure = yes
agent.setup.camLogin = login
agent.setup.camPword = pass
agent.setup.agentIP = public site IP
agent.setup.agentPort = 2144
agent.setup.resetupTokens = no
agent.setup.acceptUnverifiedCertificate = yes
agent.listenIp = public site IP
agent.listenPort = 2144
4.) Remove the agent data directory (it is re-created at the next start).
5.) Restart the agent (this will trigger a reconfigure).
6.) Accept the agent into the inventory.
-
Remote site and local site do not seem to communicate...
I had especially good luck with checking files out, editing them and checking them back in, but I had to reinstall Dreamweaver a few months back and lately I don't know what is happening! When I check files out/in everything seems to work, but the pages on my website are not updated... we did it a couple of weeks back and after a day or so it took, but I need to better understand the options. The test site works, but it seems that I can only check files in on my C: drive. Anyone know of any "T" I'm not crossing, or "I" I'm not dotting?
3G
So, should I just use the Put/Get process or manually download the files as they are published? ... and should I go ahead and synchronize the site with my C: drive, or vice versa?
That's how I've built every site since 1999. Work in the local site. Put to the remote site.
-
Extend the production VLAN behind an ASA5510 to a remote site with a 2821
I have an ASA 5510 and would like to extend one of the subnets behind this ASA out to my house, which has a cable modem, a wireless switch/router, and behind that a 2821 router. I have read that L2TP seems to be the way to go, but I cannot find config examples. To say it once more: I'd like to extend and nail up a permanent connection of one VLAN in the production network down to my house using my cable modem and the 2821. Configuration examples would be very much appreciated! In addition, any recommendations for the IOS on the 2821 would be very welcome. Finally, does L2TP look like the way I need to go? I enclose a very basic Visio diagram of what I'm trying to do. Thank you, john
You must use L2TPv3.
The ASA does not support it, but it will pass L2TPv3 through.
At work, you will need to add another router. L3 switches do not support it.
The configuration on a router would be:
pseudowire-class test
 encapsulation l2tpv3
 ip local interface loopback0 (this will be the source of the tunnel; you can use any interface with an IP address the remote xconnect can reach)
!
interface FastEthernet0/0.30
 (do not put an IP address here)
 encapsulation dot1q 30
 xconnect X.X.X.X 1000 pw-class test
X.X.X.X is the IP of the remote router's interface, the one used as "ip local interface" in the remote configuration.
Make sure that the 1000 (VC ID) matches on both sides.
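As an added example (not the reply's own configuration), here are both ends of the pseudowire described above, plus the ASA rule that lets the encapsulated traffic through. Assumed values: the work router's Loopback0 is 198.51.100.1 and the home 2821's Loopback0 is 203.0.113.1 (both reachable across the Internet path), VLAN 30 is the production VLAN being extended, the VC ID is 1000, and the ASA's outside interface ACL is named outside_access_in.

```cisco
! Added example (assumed addresses and names, see the lead-in).
!
! ---- work router, inside the ASA ----
pseudowire-class VLAN30-PW
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 xconnect 203.0.113.1 1000 pw-class VLAN30-PW
!
! ---- home 2821 ----
pseudowire-class VLAN30-PW
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 xconnect 198.51.100.1 1000 pw-class VLAN30-PW
!
! ---- ASA 5510 at work ----
! L2TPv3 rides directly on IP as protocol 115, so the outside ACL must admit
! it from the home end to the work router's tunnel source and nothing else
! needs to be opened for the pseudowire.
access-list outside_access_in extended permit 115 host 203.0.113.1 host 198.51.100.1
!
! Checks on either router: the xconnect should report UP and the peer's
! VC ID (1000) must match what was sent, otherwise the session stays down.
!   show xconnect all
!   show l2tp session
```

Note that the VC ID and the two loopback addresses are the only values that must agree across the two routers; everything else (pseudowire-class name, subinterface numbering) is local to each box.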
-
Routing between two remote sites connected over a site-to-site VPN
I have a problem pinging between remote sites. Right now the crypto and no-NAT ACLs for the different sites only cover traffic between each remote site and the main site. I tried adding routes, and adding the other subnets to the crypto and no-NAT ACLs at the remote sites... nothing worked. Any ideas?
Main site:
192.168.100.0 - Call Manager / phone VLAN
192.168.1.0/24 - data VLAN
Site 1:
192.168.70.0/24 - phone VLAN
192.168.4.0/24 - data VLAN
Site 2:
192.168.80.0/24 - phone VLAN
192.168.3.0/24 - data VLAN
Main router
ip access-list extended ACL5
 10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
 20 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 30 permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
 40 permit ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
 50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
ip access-list extended ACL6
 10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
 20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 30 permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
 40 permit ip 192.168.100.0 0.0.0.255 192.168.80.0 0.0.0.255
ip access-list extended No-NAT
 10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
 20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
 30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
 40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
 320 permit ip 192.168.1.0 0.0.0.255 any
 330 permit ip 192.168.100.0 0.0.0.255 any
Site 1:
ip access-list extended ACL5
 permit ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended No-NAT
 deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
Site 2:
ip access-list extended ACL6
 permit ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended No-NAT
 deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
What should I do so that these two sites can ping each other? I looked through the forums but can't seem to find someone with a similar problem who has received a definitive answer.
Thanks in advance!
Hi, I assume that you need site 1 and site 2 to communicate with each other via the main site, right? If this is the case, then you need to add the following lines to your crypto ACLs:
Main router
ip access-list extended ACL5
 permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended ACL6
 permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
Make sure you add these lines before the last permit.
ip access-list extended No-NAT
 deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Site 1:
ip access-list extended ACL5
 permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Make sure that these lines are added before the last permit.
ip access-list extended No-NAT
 deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Site 2:
ip access-list extended ACL6
 permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Again, make sure that these lines are added before the last permit.
ip access-list extended No-NAT
 deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
So, with these definitions on your routers, the remote sites (sites 1 and 2) will reach each other via the main site.
Let me know if this is what you need.
-
Dear Experts,
If we have 2 remote sites with the same shared storage, can we mount the drive at the remote site?
- Assume that the Oracle database is on the shared disk (for example HP 3PAR).
- The primary Oracle server, with the storage as a common drive (storage shared across geographically separated sites), has all the database files.
- On failure, is it possible to mount the drive at the remote site and mount the Oracle database there?
There should be no effect on it, as it should be the same disk that was dismounted at the master site.
Thank you and best regards,
IVW
Thanks a lot mseberg
Is it a valid design?
- We have remote sites and want to set up DR. As we only have SE, it is therefore not a choice.
- We are thinking of the SAN replication option.
Have you ever seen / configured such an architecture or design?
Can you please throw some light on this? Thanks in advance for your ideas.
Thank you and best regards,
IVW
-
How can I change the remote site definition without breaking all the links?
I created a website and put it here http://home.Comcast.NET/~alpsf/index.html to test it during construction. Now when I change the remote site definition to the local site in DW, all the links are broken. I suspect the problem is that I set my site root to ~alpsf/ and DW inserted it in all the links. Is there a way to fix this?
Thank you very much.
You can do a search and replace to change the links globally. Make sure you do a full backup of the site before doing this in case you do it incorrectly. Let me stress this once more: back up your entire site in case you need to restore. If you have created a "new site" and it will not be part of the /~alpsf site, then you will need to define a new site and copy all the files into this folder (I'm guessing that this is the case). I copy the files outside Dreamweaver. You could do this without touching the files in the ~alpsf directory. There are many variables here because I don't know exactly what you are doing.
From the menu select Window/Results, then select Search. (This is needed if the search panel is not open.)
Find in: Entire Current Local Site
Search: Source Code
Search for: "/~alpsf/"
Replace with: "/"
That should do it, but it is a very delicate thing. I wouldn't have a problem doing this as long as I backed everything up.
Jim
Addendum: you will need to go into your CSS, Spry files and all others that have links and do the same (this time only select Find in: Current Document when the document is open). Once this is done, delete the entire remote site and upload the changes once you have checked that everything is complete.
-
Requirements for vSphere remote-site replication
I run 3 vSphere 5.5 Enterprise hosts in Site A with vCenter. I want to add a new host at a remote site and configure vSphere Replication between them. Questions:
- Do I need a vCenter at Site 2?
- If vCenter at Site A manages the hosts of both Site A and Site B, and Site A goes down, can the vSphere-replicated VMs be restarted at Site B without problems?
- Is there a risk in not having a vCenter dedicated to Site B in the failover plan?
Thank you
-Matt
Hello
(A) If you have a vCenter at Site 2, you will need to deploy a VR appliance there and pair the two VR sites in the UI.
In the case where something happens to Site A, losing vCenter and/or the VR appliance, you can use the vCenter and VR appliance at Site B to perform a disaster recovery and bring up the VMs at Site B, inside vCenter inventory B.
(B) If you have no vCenter Server at Site 2:
1. There is no need to deploy the combined VR appliance (VRMS + VR server + embedded DB for VRMS) for Site B.
2. You can deploy an additional VR server-only appliance for Site B, so that the replication traffic goes directly from the source ESXi to the correct VR server.
3. If a disaster hits Site A, you must have vCenter Server and the VRMS in the combined VR appliance up and running in order to use the VR UI to perform a disaster recovery. If the vCenter Server or VRMS managing the target datastores is corrupted/lost, the only way to recover after a disaster is to consolidate the replica redo logs manually, rename the replicated configuration files and hope that the consolidated disks represent a consistent instance of the source VM. This procedure is error-prone, not officially supported, and care must be taken when consolidating the redo logs in order to ensure the consistency of the data in the virtual machine's disks, not some partial block updates.
Kind regards
Martin
-
My question is about remote sites and routing for vSphere. I have two geographically separated sites connected by an 80 Mbit fiber connection. Each site has its own SAN, dedicated SAN switches, and will have its own guests. I use vSphere 5 Standard.
I created my first site and everything works fine. At the beginning I set up all the hosts I have at the first site to make sure everything was working correctly. Now I'm ready to move half of the guests to my second site.
I want to manage both sites from my existing vCenter server at the first site.
What is the best way to set up my second site? Traffic between the sites *is* routed, so I know that limits my options. I went into this project knowing that the 80 Mbit link between my sites was not good enough for vMotion.
I used Paul Kelly's suggestions (thanks!) to set up my sites; they look like this:
What is my best option here? My original thought was that I want to route only management network traffic (VLAN 10 on the diagram) between my sites. Is that all that is needed for the vCenter server at my first site to see my second site? With this configuration would I be able to vMotion between hosts located at my second site? Is there another angle I'm missing here?
On a separate note - right now I have a Datacenter with a cluster inside (for my first site). Should my second site be a second cluster, or a whole new Datacenter? I've read some threads on the forum and some people say to keep one Datacenter unless you have naming problems. Of course, the fact that you can vMotion between clusters and not between Datacenters doesn't really make a difference in my scenario.
Welcome to the community - as long as your vCenter server is able to reach the management port on the ESXi hosts at the second site, you'll be able to manage the hosts with the single instance. I agree that you should only route management traffic across the private link between the sites.
In doing so, the single instance of vCenter can manage the ESXi hosts at each site and trigger vMotion within each site.
-
How to restore a remote site after a crash?
I read the site management FAQ and it mentions that to restore your files you can go to your remote site and download to your local site.
Does any of that offer help for my situation?
I had a hard drive failure. I am running Windows XP, DW CS4 and the site is hosted. I reinstalled Windows and DW. The site had been created according to all the tutorials and I managed to save a copy of the site folder, but not according to the backup instructions in the FAQ. I have just a root folder with all the pages.
Could someone point me to a tutorial or how-to?
Thanks in advance
Jim
"I managed to save a copy of the site folder, but not according to the backup instructions in the FAQ. I have just a root folder with all the pages."
You lost me here. Not sure what you mean.
Create a new site definition for the local and remote sites, connect to your remote site, and then click Get. That's all you need to do.
-
ASA site-to-site: remote site cannot access the DMZ at the hub site
So I've been scratching my head and I just can't visualize what I want and how I want to do it.
Here is the overview of my network:
Headquarters: ASA 5505
Site1: ASA 5505
Site2: ASA 5505
Training3: ASA 5505
All sites are connected L2L to the Headquarters location with site-to-site VPN.
From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic works correctly.
Here's my problem: at the HQ site I have a DMZ set up with a web/mail server. This mail/web server is accessible from my HQ LAN, but not from the satellite locations. I need to allow that.
What should I do?
My second question is that I want the satellite sites to see each other's networks. Should I create a VPN between the sites, or can this be solved in the same way as the DMZ question?
I enclose the show run from my HQ ASA.
Show run HQ ASA
For the mail/web server that requires access over the remote-site VPN tunnels, you must add the servers to the crypto ACL, similar to the way you have it for network access. Make sure that both parties have the ACL mirrored. If you're NATting from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for the VPN traffic.
For the second question, because you have only three sites, I would recommend creating a site-to-site tunnel between the two satellite sites.
HTH
PS. If you found this post useful, please rate it.
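The reply above names three pieces (crypto ACL entry, mirror on the spoke, NAT exemption); the following added example writes them out for one spoke. It is not the poster's "show run" and uses assumed values: HQ ASA on 8.2, HQ LAN 10.1.0.0/24, DMZ 10.1.9.0/24 with the mail/web server at 10.1.9.10 on an interface named "dmz", Site1 LAN 10.2.0.0/24, crypto ACLs named HQ-TO-SITE1 / SITE1-TO-HQ, and NAT-exemption ACLs named NONAT-DMZ / NONAT.

```cisco
! Added example (assumed addresses and ACL names, see the lead-in), ASA 8.2 syntax.
!
! ---- HQ ASA ----
! The LAN line already exists; the DMZ server is added as a second line of the
! same crypto ACL, so the tunnel to Site1 now carries two flows.
access-list HQ-TO-SITE1 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list HQ-TO-SITE1 extended permit ip host 10.1.9.10 10.2.0.0 255.255.255.0
!
! DMZ -> Site1 must not be translated by the dynamic NAT used for Internet
! access, otherwise the packet no longer matches the crypto ACL.
access-list NONAT-DMZ extended permit ip host 10.1.9.10 10.2.0.0 255.255.255.0
nat (dmz) 0 access-list NONAT-DMZ
!
! If the DMZ interface ACL only permits specific traffic out of the DMZ,
! the server's replies to the spoke need a line too (ACL name assumed).
access-list dmz_access_in extended permit ip host 10.1.9.10 10.2.0.0 255.255.255.0
!
! ---- Site1 ASA ----
! Mirror image of the HQ crypto ACL: same two flows, source and destination swapped.
access-list SITE1-TO-HQ extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list SITE1-TO-HQ extended permit ip 10.2.0.0 255.255.255.0 host 10.1.9.10
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 host 10.1.9.10
nat (inside) 0 access-list NONAT
!
! Check on either side: a second SA pair (proxy identities 10.1.9.10 <-> 10.2.0.0/24)
! should appear, and both #pkts encaps and #pkts decaps should increase.
!   show crypto ipsec sa peer <site1-outside-ip>
```

Restricting the crypto and exemption lines to the single host 10.1.9.10 rather than the whole DMZ is deliberate: only the traffic the spokes actually need is pulled into the tunnel, and the rest of the DMZ stays reachable from the remote sites only through whatever the outside interface already allows.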
-
Remote-access VPN and site-to-site VPN: remote VPN users unable to access the local network
As per the config below, remote VPN users and site-to-site VPN users are unable to access the local network. Please suggest the required config.
The local host 192.168.215.4 is not able to ping the server IP; remote VPN connectivity to this server works fine, but VPN users are not able to ping the local network.
ASA Version 8.2(2)
!
hostname kunauto
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group dataone
 ip address pppoe
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-LAN
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set RIGHT
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set RIGHT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password ***** store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
 enable outside
 tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
 vpn-simultaneous-logins 8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
 vpn-group-policy kun
 vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool VPN_Users
 default-group-policy kun
tunnel-group vpngroup webvpn-attributes
 group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#
Hello
Looking at the configuration, there is an access list for NAT exemption:
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
But it is not applied in the NAT statements.
Enter the following command to apply the NAT exemption:
nat (inside) 0 access-list sheep
Kind regards
Dinesh Moudgil
P.S. Please mark this message as "Answered" if you find this information useful, so that it benefits other users of the community.
-
VPN filtering and local access to the remote site
Hello
I set up VPN filtering on all my L2L VPNs. I have limited the remote side's access to local resources to the specified ports. It works perfectly.
But I want to have full access from local to remote networks (while still restricting remote access to the local side). The VPN filter currently works in both directions as I have a simple ACL. So is it possible to open all the traffic from local to remote while limiting remote-to-local traffic?
ASA 5520 8.4(3)
Thanks in advance
Tomasz Mowinski
Hello
Well, let's say you have a filter ACL rule where you allow HTTP traffic from the local network to the remote host:
LAN: 10.10.10.0/24
remote host: 192.168.10.10/32
The filter ACL rule is the following:
access-list FILTER-ACL extended permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0
I think that this ACL rule would also mean that, as long as the remote host uses source port TCP/80, it may access any TCP port on any host in your local network.
I guess you could add a few port ranges or even service object groups to the ACL rules so that not all well-known ports would be accessible on the LAN. But I guess that could complicate the configurations.
We usually manage customers with a completely different ASA for L2L VPNs, which allows us to put all traffic through another filtering device, and do not run into this kind of problem. But of course there are some situations/networks where this is simply not possible, and it is not a feasible option for some because of the cost of having an extra ASA.
Please indicate if you have found any of this information useful.
-Jouni
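The added example below (not Tomasz's or Jouni's configuration) makes the point in the reply concrete: the ACE from the reply is shown next to the port-range variant Jouni suggests, attached to an L2L group policy on ASA 8.4. Assumed names: group policy L2L-FILTERED, the remote peer 203.0.113.10 as the tunnel-group name, the LAN 10.10.10.0/24 and remote host 192.168.10.10 from the reply, and TCP/443 as one service the remote side is meant to reach on the LAN.

```cisco
! Added example (assumed names, see the lead-in), ASA 8.4 syntax.
!
! A vpn-filter ACL is always written with the REMOTE side as source and the
! LOCAL side as destination, and the same ACE is consulted for connections
! started from either end. The ACE from the reply:
access-list FILTER-ACL extended permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0
! permits local hosts to open connections to the remote host's TCP/80, but it
! equally permits the remote host, using source port 80, to open a connection
! to ANY TCP port on the LAN.
!
! Narrowing the local side to ephemeral ports keeps the local-to-remote HTTP
! case working (client ports are above 1023) while the remote host can no
! longer reach well-known LAN ports with a forged source port of 80:
access-list FILTER-ACL-TIGHT extended permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0 gt 1023
! Remote-initiated access that IS wanted is then listed explicitly, one line per service:
access-list FILTER-ACL-TIGHT extended permit tcp host 192.168.10.10 10.10.10.0 255.255.255.0 eq 443
!
group-policy L2L-FILTERED internal
group-policy L2L-FILTERED attributes
 vpn-filter value FILTER-ACL-TIGHT
 vpn-tunnel-protocol ikev1
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-FILTERED
!
! Checks: confirm which filter the tunnel uses, then watch the hit counts
! move on the intended line only.
!   show run group-policy L2L-FILTERED
!   show access-list FILTER-ACL-TIGHT
```

This is a narrowing, not a fix: a remote host with source port 80 can still reach LAN ports above 1023 that match the first line, which is why the reply treats a separate filtering device in the path as the clean solution.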
-
For some reason some sort of bar appears on web sites and does not allow me to scroll properly to the top and bottom of the page. It is present on every web site. However, when I switch to another browser it does not appear.
Does pressing F7 solve your problem? (It could be that something called caret browsing / keyboard navigation is on.)
-
When two screens are used, and Firefox is on the second monitor, the Firefox menu does not appear. The same thing happens to the address bar drop-down when typing addresses of already visited sites.
I have the same problem and I got rid of it by disabling hardware acceleration of rendering in the settings dialogue. Now I see the Firefox menu properly on a secondary monitor.