ASA active/active questions

If I have two ASAs configured as active/active:

1. Are they treated as a single device? I mean, can I only manage it with IDM?

2. The 5520 can have 130,000 connections. If I use 2 of them in an active/active configuration, can I say that I will get 130,000 x 2 = 260,000 connections?

Thank you.

1. On the ASA, active/active can be achieved when the two ASAs are in multiple context (security context) mode. Multiple context mode logically divides the ASA into several virtual firewalls. You can refer to the following configuration example.

http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787

In your case, you must create 2 contexts in each ASA, for example context-A and context-B. ASA-1 must be active for context-A and standby for context-B. ASA-2 must be standby for context-A and active for context-B. You must have a separate set of configuration for each context.

To manage the configuration, you can use ASDM.

2. I'm sorry, I don't know who

Tags: Cisco Security

Similar Questions

  • Question behaviour ASA

    Hi all

    I have a question. In a test environment, I set up the topology as in the attachment and added a route to the 172.16.2.0/24 network via 192.168.0.10. The ping command works, but any connection-oriented protocol does not work. I monitored with the debug command and noticed that the packet leaves the station with IP address 192.168.1.3 for IP 172.16.2.2 successfully: the packet with the SYN flag arrives, and when the 172.16.2.2 server responds with the ACK flag it returns without problem. But when the station with IP 192.168.1.3 returns the packet with the SYN/ACK flag, the Cisco ASA receives the packet and the acknowledgement is not returned; the Cisco ASA seems to drop the packet and tear down the connection, so the connection is not completed. I think it's because the Cisco ASA interprets this behavior as a man-in-the-middle attack. Is there a way to disable this check on the Cisco ASA? I ask for the sake of knowledge, because this scenario will not be used.

    Kind regards.

    8.4 is not a valid version of ASA. You can run 8.0(4). The TCP state bypass feature is available in 8.2(1) or later.

    "permit ip any any" simply states that all UDP and TCP connections are allowed. However, the ASA will still inspect both connections for state and other security checks. In the case of TCP, the first packet MUST be a SYN; without the SYN, we should never see a SYN-ACK packet. A syslog message, 'Deny TCP (no connection)', would result if we saw the SYN-ACK without the SYN packet.

    Best regards

    Kevin

  • Cisco ISE 1.3 question Active Directory

    Hi people

    I'm having a problem with our Cisco ISE and would love some comments or a solution. I configured ISE to use our Active Directory setup and so far it seems to be functional. I can connect, retrieve AD groups and use AD for authentication. The problem I encounter is that when I go to the 'Administration > Identity Management > External Sources' page and select our AD instance in the left-hand pane, the screen hangs and won't load. Any advice?

    Are you using a supported browser, and have you tried an alternative one?

    If you are using a supported browser, it looks like a bug in the page rendering. I would open a TAC case in that situation. This same page has worked fine for me in three different 1.3 deployments.

  • question of ASA

    Hi all

    I will receive my ASA in a week or two and was looking around for some documents on setup. I can't seem to find much on the Cisco site, but I saw a post here with a link to a demo of the SSL VPN portion and its configuration. Does anyone have it? The link did not work.

    Thank you

    R

    How about this?

    http://www.Cisco.com/Web/learning/le31/le29/configuring_asa_pix_security_appliances.html

    M

  • Question: Exporting assets for development

    Currently working on a project that requires exporting assets (iconography) in different sizes. I use Photoshop, by the way, if that makes a difference. Let's say I have an icon that's just 64px by 64px, and I have another icon that is 10px by 64px (an exclamation point icon). When exporting, is it smart to trim the transparent pixels and end up with a 10px by 64px PNG, or do you export the entire canvas as 64px by 64px so all .png files are the same size regardless of the size of the actual icon within the canvas?

    My apologies if this is an obvious answer.

    Hi James,

    It would not trim the transparent pixels by itself.

    The complete image size would be the same 64px by 64px; however, the transparent area would not show up, it being a .png image.

    So, you can export the whole canvas as 64px by 64px so that all the .png files are the same size.

  • Beginner question: 'active' setting does not

    Sorry for the very noob question but I am just learning AE scripting. I try to use a script command to disable the eyeball on a layer. As I understand it, the syntax for the parameter is:

    App.Project.Item (index) .layer (index) true

    For the test, I created a unique model, and in this model, I have a solid single. I created an expression with the line

    App.Project.Item (1) .layer (1) true = 'False ';

    But when I run it nothing happens. It returns an error but the layer remains enabled. Please can someone explain why it does not work?

    Try this way:

    App.Project.Item (1) .layer (1) true = false;

    Dan

  • It's a long question - activating CS6

    So hang in there with me. I have a full license for Adobe Creative Suite CS6. Fortunately, it was installed on my Mac Pro 3.1 until my Mac started to crash too many times (not related). I bought a new Mac Pro and transferred my boot drive. When I tried to launch CS6, it asked for my license number. I entered it and it was rejected. I put the boot disk in the old machine and it still rejects my license number. It now has me in a 30-day free trial period, and I'm going nuts! I'm in the middle of editing and need functional software. Help, please

    your cs5 and cs6 serial numbers may not be the same.  they are different.

    What follows assumes your CS6 is a CS5.5 upgrade.

    Correctly identify your CS6 and CS5.5 serial numbers. If you purchased from or registered with Adobe, check your Adobe ID account.

    You don't need to install CS5.5 to install CS6 (but you'll need both serial numbers).

    You must follow the same instructions in message 1. When CS6 is installed you will be asked for a serial number. The installer detects that it is an upgrade serial number and invites you to select a qualifying product. Select CS5.5. You will then be asked to enter your CS5.5 serial number.

    Enter the correct number at the right time and proceed with the installation.

    Before you start the installation, in order to avoid misleading error messages, see how to open applications from unidentified third-party developers in Mac OS X.

  • PS Cs6 Question - activating/deactivating tools with keyboard

    This new behavior of PS, wherein you can press a key to select a tool and pressing the same key again selects the next tool within that tool category: is it possible to disable it? It's making my workflow a mess right now. In the past I never had to depend on watching which icon is shown to know what tool is selected; now having to check each time to make sure that the right tool of the subcategory is selected gets unbearably tedious. I already had my key assignments mapped directly to the subcategory tools, and my workflow was fast since I never had to check anything, I just had to press '1' and that's all. Now I'll have to take an extra step thousands of times in an afternoon because I always find myself not on the right sub-tool.

    If I didn't have the 5D MKIII I would just stick with CS4, but I'm stuck since CR7 is so much better than Canon's DPP software. Blargh.

    I'm not sure what you want, but maybe the following option helps:

  • Can two ASAs be set up for load balancing in active/active mode?

    Hi, professionals

    I wonder if two ASAs can be set up for load balancing in active/active mode, to balance the traffic?

    Thanks in advance,

    Yang

    Yes, running the ASAs in active/active is so you can load balance traffic. Here is a link with more information.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080834058.shtml

    It will be useful.

  • ASA - which SSL client and connection options do I have?

    We have a large site and have only allowed IPsec for all our branch-to-branch and user tunnels. We tried SSL years ago but it had limits, so we stopped the deployment. We must now begin SSL user VPN and I have a few basic ASA questions.

    I have an unused ASA 5510 for tests that currently has 8.3.2 on it, with the Security Plus license, 100 SSL VPN peers and 250 total VPN peers, 100 max VLANs, 2 security contexts, active/active, 2 UC phone proxies, and everything else disabled. We do not intend to use a web SSL connection anywhere (AnyConnect Essentials?) and will only use the full SSL VPN client, which will be hand-loaded on machines or downloaded from the ASA and loaded on the computer if possible. What I want to know is which version of the current code I can install on my ASA without losing my existing 100 SSL VPN peers license, and whether the AnyConnect client would be supported. I've seen talk about AnyConnect Premium but do not know its relationship. If I upgrade the ASA to newer releases or versions of code, does my SSL VPN peer license turn into an AnyConnect Premium license?

    Any help to get me started in the right direction would be appreciated. I know I can spend days trying to understand Cisco licenses and traps and still get burned in the end with the wrong feature or license. Basically, I want to know what I have to install for the full end-user SSL VPN clients and what I have to do with the ASA to provide this functionality with the current license / feature set there. I also want to know what the end user should use, because it seems that AnyConnect Secure Mobility is the same if I use all its security features. Example - I am not able to check for firewall/malware etc programs, but we currently have a policy in place which does not allow Internet browsing or access when end users have VPN tunnel connections to our site. That restriction should still be kept, if possible, with the SSL VPN connection as well.

    Thank you

    Paul

    The client-based SSL VPN license will remain active on your box through later ASA software updates. AnyConnect Essentials (which you already have) will work with the SSL VPN license feature.

    You would upgrade to AnyConnect Premium only if you wanted to add features like clientless SSL VPN (purely browser-based) or other items such as Advanced Endpoint Assessment (AEA). AnyConnect Premium can coexist with AnyConnect Essentials on the ASA, even though you can't mix and match Premium and Essentials licenses.

    The Essentials or Premium distinction mainly concerns the ASA setup. The same AnyConnect Secure Mobility client software (version 3.1 is the latest for Windows and OS X and is quite a nice new version) is used in both cases. Additional functional client plug-ins are things such as AEA and 802.1x NAC. Your ASA-based group policies, such as no split tunneling, remain in force.

    If you intend to allow mobile device clients (iPhone, iPad, and Android (very limited support for the last, BTW)) to access your VPN, you will need to add the AnyConnect Mobile license on the ASA and install the client from the respective app store. Note that Windows Phone and BlackBerry are not supported as AnyConnect clients.

  • Active Desktop Recovery appears at night & won't go away!

    Active Desktop Recovery won't and I did not what they ask if I ask please help me!

    Dear DelmaPhebus

    Please mark your question "Active Desktop Recovery appears at night & won't go away!" as answered if you got your answer. Mark it as helpful if it helped you.

    Regards

    Zeeshan Ahmad

  • ASA firewall inbound

    Hello everyone.

    I have a question about ASA 5505 firewall.

    Outside interface is security level 0:

    interface Vlan10
     nameif outside
     security-level 0

    ACL created to filter site-to-site traffic, with tunnel filtering enabled:

    no sysopt connection permit-vpn

    object network ipsec_subnet
     subnet 192.168.11.0 255.255.255.248

    access-list l2l-filter extended permit icmp any any
    access-list l2l-filter extended permit tcp any object ipsec_subnet eq www
    access-list l2l-filter extended permit tcp any object ipsec_subnet eq https
    access-list l2l-filter extended permit tcp any object ipsec_subnet eq ftp

    access-group l2l-filter in interface outside

    Since I have only worked with routers, as far as I understand, in theory IPsec peers should not be able to establish IPsec tunnels with the ASA, since I did not allow incoming UDP 500, 4500 and ESP in the l2l-filter ACL, but in reality the tunnels work.

    Can you please explain why the inbound ACL on the outside interface allows inbound IPsec connections?

    Thank you

    Kind regards

    Alex

    Hi Alex,

    The only way to block UDP 500 traffic is to use a control-plane ACL.

    We even see hits on the ACL:

    Inbound_Filter of access list lengthened 2 line denies object-group IPSEC throughout a (hitcnt = 7)

    Have you tried clearing the connection?

    Use 'clear conn address all the ' to delete the connection.

    Kind regards

    Aditya

    Please rate the helpful posts.
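
    The control-plane ACL mentioned in the answer, shown next to the interface ACL from the question. This is an added example, not part of the original thread: the ACL name cp-filter and the peer address 203.0.113.10 are constructed, and only UDP 500/4500 are covered because those are the ports the thread discusses.

    ```cisco
    ! Added example - constructed names and addresses.
    ! 203.0.113.10 stands in for the one legitimate site-to-site peer.
    object network l2l_peer
     host 203.0.113.10
    !
    ! To-the-box filter: IKE and NAT-T are accepted from the known peer only
    access-list cp-filter extended permit udp object l2l_peer any eq isakmp
    access-list cp-filter extended permit udp object l2l_peer any eq 4500
    access-list cp-filter extended deny udp any any eq isakmp
    access-list cp-filter extended deny udp any any eq 4500
    !
    ! Through-the-box filter from the question stays on the interface unchanged.
    ! It never sees IKE addressed to the ASA itself, which is why the tunnels
    ! came up even though l2l-filter does not permit UDP 500/4500.
    access-group l2l-filter in interface outside
    !
    ! The control-plane keyword binds the second ACL to traffic that
    ! terminates on the ASA's outside interface
    access-group cp-filter in interface outside control-plane
    !
    ! Confirm the deny entries are matching (hitcnt) with:
    !   show access-list cp-filter
    ```

    Connections that existed before the ACL was applied stay up until they are cleared, which is why the answer asks about clearing the connection.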

  • How do you define your asa?

    Hi all

    I've known ASA is powerful, but normally, I put only NAT, access list, VPN, dhcp server, management interfaces, NTP, RPC connection account. I think I lost it.

    I knew that each task has different setting. But I want to know what function you always set on the device.

    If in doubt, always check the vendor's best practices guide.

    Cisco Firewall best practices Guide:

    http://www.Cisco.com/Web/about/security/intelligence/firewall-best-pract...

    Not all of it applies in every use case, but it is a very good starting point. I refer to it often when scrubbing client ASA configurations.

    In addition, for an existing firewall, I look for things like unused objects, access lists and access list entries. The tunnelsup.com tool is very good for this:

    http://www.tunnelsup.com/config-cleanup/

  • Viewing a context on the ASA 5540

    I have a question about the ASA. In the GUI, I have the option to choose the context which I wish to see. I have 2, one called mgmt and the other one admin. When I ssh into the ASA all I can see is the admin context; how do I look at the configuration of the mgmt context?

    Warren,

    To get into a different context than the admin context, you simply use changeto context followed by the name of the context, mgmt, which is your other context.

    i.e.

    ASA# changeto context mgmt

    Go to this link, which explains how to navigate between contexts through the command line.

    See the section on changing between contexts and the system execution space

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#changto

    HTH

    Rgds

    Jorge

  • Luvin 3.1, but just a few questions on machines with bootcamp...

    Hi all, v3.1 is fantastic and everything works fine. But I have some questions as the de facto admin in a studio with lots of iMacs. What I do for machines with Boot Camp is create a WINCLONE image for deployment and perform restores on the machines with Boot Camp when I want to update. Works perfectly :)

    But I wonder if using VMware to make updates on my master image will in any way mess things up. In other words, when a Boot Camp partition is running virtually in the VMware interface, will installing software and whatnot be the same as installing the software when booted natively? In more words, will having VMware Tools installed on the Boot Camp partition do anything to disrupt things when running Boot Camp natively?

    Many Boot Camps that I update don't have VMware installed, because they are mainly used on the PC side anyway, and for these people I can never get a clean Windows. I want to make sure that I am not going to have problems using VMware on the master Boot Camp partition that I use to clone.

    And just a side note: while I like your product, I can't tell you how much not having FireWire support in virtual images matters to A/V heads. We absolutely need FireWire support for audio and video workstations. If there were support, I would never mess with Boot Camp again!

    Well, thx and hope to hear from you soon.

    Jigs

    Herojig says:

    But I wonder if using VMware (Fusion) to make updates on my master image will in any way mess things up. In other words, when a Boot Camp partition is running virtually in the VMware (Fusion) interface, will installing software and whatnot be the same as installing the software when booted natively? In still more words, will having VMware Tools installed on the Boot Camp partition do anything to disrupt things when running Boot Camp natively?

    Yes, you can perform software maintenance (for example patches from Microsoft) on the Boot Camp partition in VMware Fusion almost identically to booting natively on the machine. The only differences are in detection for device drivers that need to access the host hardware to update (this should be very rare). Updating things like Windows, Office, Adobe CS/Acrobat, etc. will in general be fine.

    As for VMware Tools in Boot Camp, the virtual drivers are designed to remain dormant (inactive) without any problems, that is, not loaded == not used. There is only one issue: software activation. VMware swaps activation files for Windows and Office to preserve activation in each environment. If you move activated copies of Vista, 7, Office 2007/2010 via WinClone, this will trigger reactivation. Also, starting in VMware Fusion will require another activation per machine so that both the VMware and Boot Camp environments are activated. As long as you don't replace Boot Camp partitions, activations should stay. For this kind of use, a Key Management Service (KMS) is preferred for managing your licenses on site, because retail copies have a limited number of activations.
