Multi frame ASA SSL VPN Question

Similar Questions

• ASA SSL VPN with RSA authentication

  All those implemented SSL VPN on a device of the ASA using remote Securid tokens? The technical sheets indicate native RSA can be used for authentication, but this works with SSL VPN?

  Thank you

  Try this link

  http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html

• Same license for different ASA SSL VPN

  Hello

  I have run ASA5510 SSL VPN is installed with a license. I want to replace it with the new ASA5510 without SSL VPN license. Is it possible to copy the license from my old ASA? Can I order different license for my new box?

  THX

  Iwan

  A new license is required.

  License key is created based off the serial number of the device.

  Gilbert

  -Rate, if it helps-

• Profile SSL VPN question

  I did some research and have not been able to find an answer to this. Is it possible to direct a user to a specific SSL VPN profile based on the URL they enter to access the SSL VPN page?

  For SAA, take a look at the following:

  If you want users to see a drop down menu to choose from:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808bd83d.shtml

  Otherwise, take a look at the Group-url command:

  http://Cisco.com/en/us/docs/security/ASA/asa80/command/reference/GH.html#wp1731227

  But it might not support/sales/marketing feature, you must have different URLS, I think

  WebVPN - ventes.com

  WebVPN - marketing.com

  Concerning

  Farrukh

• DHCP relay for users (ASA) SSL VPN

  I have ASA 5520 vpn endpoint. Before asa, there are firewalls which translates the public ip address to the private sector and to pass SSL traffic to ASA. I have configured DHCP relay to get the IP address for the DHCP in Windows Server users:

  dhcprelay Server 10.100.2.101 on the inside

  dhcprelay activate vpn

  dhcprelay setroute vpn

  and it does not work. with the local pool, it works fine. Should I do something else? When I turn on debugging it has not any activity.

  You try to assign the IP address to the SSL vpn client using the DHCP server?

  If so, you don't need these commands contained in your message.

  Basically, you need to set dhcp server in tunnel-group and dhcp-network-scope in group policy.

  Here is an example of Ipsec client. Setup must be the same.

  http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

• Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password

  Hello

  Now, my ACS and ASA related to RADIUS (MSCHAPv2). I've set up password life on GBA and password management on SAA. But Cisco ASA did prompt change or whatever it is to notify when the user tries to log on with Clientless SSL VPN. Could you advice me everything to change, or notify the expired password?

  

  PS.

  I check change password on the first login of th on ACS this confirmation of the ASA to change password dialog box. But I want change or warn when the expired password

  Thank you

  The default password is marked as disabled after expiry

  I think that there is an improvement for this in the 5.2.0.26.2 patch and above, which includes the following:

  CSCtk32168: Add an option to change the password when the password expires (T + and Radius)

  After you install this hotfix, you get an option to the user authentication settings is:

  -Disable the user account

  -Expire the password

  When the expiration period is exceeded

  If password is expired then user will be asked to change password next authentication

  Note this latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative

• ASA SSL VPN

  SSL VPN reliable, efficient and safe option for traffic from internet users on e-commerce sites where there may be user sessions 2000 per second from all over the world.

  Thank you.

  In my opionon - SSL is reliable, efficient and safe if not all banks around the world would not use it for online banking.

  HTH >

• ASA 5550 VPN question

  Dear Experts,

  
  

  / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-marge-top : 0 ; mso-para-marge-droit : 0 ; mso-para-marge-bas : 10.0pt ; mso-para-marge-left : 0 ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : Arial ; mso-bidi-theme-font : minor-bidi ;}

  I configured Cisco ASA 5550 as a VPN server at the head office.

  I configured the material Cisco ASA5505 branch customer.

  Tunnel is up & I can access my local computer in the branch of LAN H.O. But I am unable to ping / LAN access machine from branch headquarters.

  It's just a communication face right now.

  
  

  Need help.

  
  

  Thank you

  
  

  I.A

  Is your customer/PAT ezvpn or NMS (network expansion Mode) mode?

  If the NEM, then you will need to add the following in your inside_nat0_outbound ACL:

  inside_nat0_outbound 10.10.10.0 ip access list allow 255.255.255.0

  Also, please add the following command on ASA5550:

  management-access inside

  And from the remote host, see if you can ping 10.10.10.1.

• ASA Cisco VPN question

  Hi Mokhalil82,

  It's pretty weird that the ASA will show phases 1 and 2 upward and the Watchguard show that phase 1 is not.

  It is possible that the tunnel will appear next to the ASA but gets terminated in the same instant that thus we see the phase 1 and 2 momentarily upward.
  Would you be able to share the outputs debug?

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages

  Thanks for the update, Mokhalil82

  For the last time, to simultaneously debug both sides and share issues, I think we can dig with that information.
  In addition, if we can capture packet as well, that will be useful.

  Make sure that the date and time is correct on both sides.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• ASA SSL VPN problem with 8.2 (2)

  Hello everyone,

  I have a couple of ASA 5520 image 8.2 (1) running in active failover mode / standby.

  A few months ago, I downloaded the 8.2 (2) on the cisco website and charge to the ASA.
  After loading the new image, they called me for problems
  functioning of the application of webvpn.

  The web app seems to work, but in a mode of read-only, because you could not

  change the content of the files.

  I couldn't find a way to make it work, so I decided to downgrade to 8.2 (1).
  and as I loaded it the old image, the problem disappeared.

  Now I see that it is available the image 8.2 (3).
  To avoid the risk of hard work I tetsted on a piece of spare 5510, and with the disappoint, I found
  the problem was the same.

  Everyone is facing such a problem or can suggest me how to solve?

  Thanks in advance.

  Marco.

  Can you please provide more details about what application does not work through WebVPN interface without client?  Have you tried to activate Smart Tunneling for this application?

• Cisco ASA (SSL VPN)-based user portal?

  Hi all

  I am looking for a solution, different portals (WEBVPN) that can be assigned to different users.

  For example:

  -'test1' user and see the portal "-1".

  -user "test2", "test3" connect and see the portal "-2".

  I know, it can be done with the alias for each portal entry, but I want a transparent solution for the user (such as Juniper SA2000).
  In addition, it should be possible to authenticate via RADIUS (no local authentication on the SAA).

  Who did such a set upward?

  Thank you

  Norbert

  Hello

  The attribute 25 (it's called 'Class') and set its value to UO = MyVPNGroupPolicy where MyVPNGroupPolicy is the name of your group strategy in the SAA.

  I hope this helps.

  Kind regards

  Anisha

  P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

• local access over ssl vpn

  Hello

  Here is the configuration:

  (Location A) - Internet users - ASA (ssl vpn) - location

  situation users use ssl vpn over the Internet to connect to resources in the location b. is successful.

  However, A users location need access to their own network resources internal to A while they are still connected to the SSL VPN.

  So if a user of location is connected to the ssl vpn, they can ping to ip addresses in the location B, but their own network internal ip is second to pings.

  ASA worm is 8.0 (4)

  Please help, how it can be done, and if there is a different Setup for this. Do we need to use the tunnel.

  Thanks in advance.

  Correct, so instead of tunneling ALL traffic, you only tunnel 154.65.0.0/22

  sslvpnsplittunnel standard access list ip 154.65.0.0 allow 255.255.252.0

  Apply the ACL to the SSL VPN group policy

• ASA 5500 SSL VPN Failover license

  Hello

  I have a partner who request assistance with SSL VPN licenses on the ASA 5500 firewall sharing:

  His question is:

  Both SSL, provided with the firewall of the SAA, licenses can be shared across a couple active / standby?  I would therefore have a total of (4) licenses of SSL VPN to use?

  This would also be true for two security contexts that are included with the firewall?

  For example, I buy two base ASA 5520 firewall, running active / standby, that each machine is supplied with SSL VPN licenses (2) and (2) licensing of security contexts? In version 8.3, the licenses are cumulative by failover pairs, so I should a total SSL VPN (4) and (4) security contexts?

  Here is my response to his request:

  Based on this link (http://www.cisco.com/en/US/partner/docs/security/asa/asa83/license_standalone/license_management/license.html#wp1449664)

  It was mentioned that:

  "You can have one active license type, either the AnyConnect Essentials license or the AnyConnect Premium license. By default, the Adaptive security apparatus includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license, it is used by default. See not anyconnect-essentials control or in ASDM Configuration > remote access VPN > network (Client) access > advanced > component AnyConnect Essentials to activate the Premium license instead. »

  It will be able to share the included license on the ASA 5500 4. It will be able to share these licenses, but I'm not sure the security context. My answer would be, it can use only 2 context Security licenses since only the VPN licenses are shared on the version 8.3 and other licenses not characteristic. My understanding is correct? or there are other explanations on my customer survey?

  Thanks in advance!

  Ice Flancia

  Cisco partner Helpline Tier 2 team

  Only from ASA 8.3 version and following, the license can be combined on a failover pair active / standby.

  2 SSL included license on SAA in failover pair is combined as 4 license SSL.

  2 license of background on ASA in failover pair is combined as license frame 4.

  Here's the URL on ASA combined license failover:

  http://www.Cisco.com/en/us/partner/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1450094

  Hope that helps.

• Third-party SSL VPN ended the DMZ ASA

  Hi all

  Any help is appreciated. Is it possible:

  I have a DMZ set in ASA 5520, and worked well so far. The DMZ subnet is 192.168.10.0/24 and IP on the DMZ interface is 192.168.10.1. Now, I'm trying to add a third-party SSL VPN device (not Cisco). The device has an IP 192.168.10.101. The SSL VPN appliance will give IP addreess SSLVPN customers in the range of 192.168.20.x. After the connection is established, the client is indeed getting the IP addr 192.168.20.x. However, clients are unable to connect to the internal LAN. If I change the IP address range clients on the same subnet that the area demilitarized, everything works. My question is that, as customers SSLVPN are complete on the demilitarized zone and get a different subnet IP address, how can I / road map these addresses before they6 can access internal network inside the interface, or it can be done at all?

  All advice is appreciated.

  You just need to add the routes appropriate on the SAA for this pool. And also on any Layer 3 routing devices inside the ASA.

  Concerning

  Farrukh

• which product is right for the ssl vpn: asa 5505 cisco 1841 or

  Hello

  I want to install an outside link management related so that we can ssh to our cisco devices and microsoft RDP toour servers. It's my configuration (based on what I know):

  Internet > DSL modem > ASA 5505 > management CONSOLES SWITCH > SWITCH CISCO or Windwos Server

  or

  Internet > 1841 with DSL HWIC > management CONSOLES SWITCH > SWITCH CISCO or Windwos Server

  My questions are:

  Should I go for ASA or 1841 router?

  What options is better? and ASA will do the job?

  Are there any technical support prior to purchase of products in Australia? I need technical advice on the choice of the right products, not justs eiling me products.

  Hello

  Its strongly suggested to go with ASA 5505 in the first place, it is supposed to feature for the main functionality of ssl vpn server from 1841 which has this feature to be a vpn server.

  ASDM also gives you the freedom to config box on your own based on your condition.

  regds