Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About joe.ho
Stats
Member since
10-10-2006
87
Posts
5
Helpful
0
Solutions
Created by
joe.ho
in Security Documents
in Security Documents
12-10-2019
09:19 AM
12-10-2019
09:19 AM
I am following the example above to setup the snmp over vpn. It is not working for me. After doing some research, I found the route-lookup command is needed on my NAT command. nat (INSIDE,OUTSIDE) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS route-lookup Reference link https://www.tunnelsup.com/cisco-asa-drop-reason-unexpected-packet/
... View more
Created by
joe.ho
in Intrusion Prevention and Detection Systems (IPS - IDS)
in Intrusion Prevention and Detection Systems (IPS - IDS)
12-10-2018
07:21 AM
12-10-2018
07:21 AM
Does AMP connector support RHEL 5? If it does which version of the connector should be used?
... View more
- Tags:
- amp
Created by
joe.ho
in Wireless Security and Network Management
in Wireless Security and Network Management
08-12-2015
02:05 PM
08-12-2015
02:05 PM
I am running version 8.0.110.11 on the WLC. There are multiple Lobby Admin accounts. Each one of them have rights to create guest account. Is there a way to have each Lobby Admin only see the specific guest accounts they have created? For example Lobby adminA created guest1 and guest2, Lobby adminB created guest3 and guest4. When Lobby adminA login it will only display guest1 and guest2 but not all four. Thank you for your respond.
... View more
- Tags:
- Wireless Lobby Admin
10-03-2014
07:40 PM
I am trying to do a hairpin nat with ipsec L2L vpn on the ASA 8.4 but successful. The vpn tunnel going inside is fine. That mean the ike and transform set are fine. I am having issue reaching a host on the outside of the ASA ( direct connected ASA outside subnet 76.75.147.112) from remote end. Source 161.108.184.129, dest 76.75.147.129. I am getting send error from show crypto ipsec sa from router. I think I am not setting the NAT right for the hairpin. Can you see how to correct it. Thank you for your help. *** ASA partial config *** object-group network LHIN_inside_to_Compucom_VPN network-object 10.61.0.0 255.255.0.0 object-group network LHIN_to_Compucom_VPN network-object 10.61.0.0 255.255.0.0 network-object 10.62.0.0 255.255.0.0 network-object 76.75.147.112 255.255.255.240 object-group network Compucom_to_LHIN_VPN network-object 161.108.184.128 255.255.255.248 network-object 161.108.186.112 255.255.255.240 nat (inside,outside) source static LHIN_inside_to_Compucom_VPN LHIN_inside_to_Compucom_VPN destination static Compucom_to_LHIN_VPN Compucom_to_LHIN_VPN route-lookup access-list outside_1_cryptomap extended permit ip object-group LHIN_to_Compucom_VPN object-group Compucom_to_LHIN_VPN crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set peer x.x.x.x crypto map outside_map 1 set transform-set ESP-AES-128-SHA *** Hairpin config portial *** same-security-traffic permit intra-interface object-group network obj-Compucom-trans network-object 161.108.184.128 255.255.255.248 network-object 161.108.186.112 255.255.255.240 object-group network obj-lhinborder-trans network-object 76.75.147.112 255.255.255.240 nat (outside,outside) source static obj-Compucom-trans obj-Compucom-trans destination static obj-lhinborder-trans obj-lhinborder-trans *** Router partial config *** crypto map lhinmap 10 ipsec-isakmp set peer x.x.x.x set transform-set ESP-AES-128-SHA match address 100 access-list 100 permit ip 161.108.184.128 0.0.0.7 10.61.0.0 0.0.255.255 access-list 100 permit ip 161.108.184.128 0.0.0.7 10.62.0.0 0.0.255.255 access-list 100 permit ip 161.108.186.112 0.0.0.15 10.61.0.0 0.0.255.255 access-list 100 permit ip 161.108.186.112 0.0.0.15 10.62.0.0 0.0.255.255 access-list 100 permit ip 161.108.184.128 0.0.0.7 76.75.147.112 0.0.0.15 access-list 100 permit ip 161.108.186.112 0.0.0.15 76.75.147.112 0.0.0.15 show crypto ipsec sa from router: Getting send error local ident (addr/mask/prot/port): (161.108.184.128/255.255.255.248/0/0) remote ident (addr/mask/prot/port): (76.75.147.112/255.255.255.240/0/0) current_peer 76.75.147.115 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 12, #recv errors 0
... View more
- Tags:
- ASA 8.4 Haripin
Labels:
09-12-2014
10:51 PM
I am running 6.2(2) on 7K. My woke on lan server is svi901 and physically on the 5K down stream. I am trying to setup wake on lan to sent direct broadcast from 7K out to the clients remote subnets. From other router WoL example it requires ip forward-protocol udp 7 in global config. I don't see that command availabe in 7K. Is this command available or is there other way to config WoL on 7K? Thanks
... View more
Labels:
07-18-2014
12:21 PM
Customer request to use destination NAT and port forwarding to access a server from inside to dmz. The packet tracer shows it is using the Dynamic NAT instead of the static NAT if I use the following command and traffic will fail. (traffic NAT out the outside Interface) nat (inside) 1 0.0.0.0 0.0.0.0 global (outside) 1 interface static (inside,dmzr) tcp 192.168.212.117 2383 192.197.205.154 2383 netmask 255.255.255.255 When I use this NAT command traffic will work. static (dmzr,inside) tcp 192.197.205.154 2383 192.168.212.117 2383 netmask 255.255.255.255 From packet tracer there is a phase 4 type UN-NAT before the route phase Phase: 4 Type: UN-NAT Subtype: static Result: ALLOW Config: static (dmzr,inside) tcp 192.197.205.154 2383 192.168.212.117 2383 netmask 255.255.255.255 nat-control match tcp dmzr host 192.168.212.117 eq 2383 inside any static translation to 192.197.205.154/2383 translate_hits = 0, untranslate_hits = 1 Additional Information: NAT divert to egress interface dmzr Untranslate 192.197.205.154/2383 to 192.168.212.117/2383 using netmask 255.255.255.255 What is the different between these two command? I notice the xlate table shows different. How to explain that? I never see Cisco document the 2nd way. static (inside,dmzr) tcp 192.168.212.117 2383 192.197.205.154 2383 netmask 255.255.255.255 static (dmzr,inside) tcp 192.197.205.154 2383 192.168.212.117 2383 netmask 255.255.255.255
... View more
Labels:
11-26-2013
06:42 AM
I found the answer to this. The debug on the router doesn't give me the detail. The debug on the ASA does. I am using IOS 15.1(4)M4. It supports object group however object group doesn't support with IPSec. Once I changed the ACL the tunnel works. http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1132617
... View more
11-19-2013
03:02 PM
I am trying to setup a VRF IPSec to ASA VPN tunnel. VRF IPSec is at head office and ASA is at the customer end. I am successfully establish the tunnel when I initiate a ping from the ASA end (ping was successful). However I am getting error in ipsec stats when I initiate the ping from the head office (ping between the same hosts as before). A debug was captured from the VRF router. I wonder if you can see the problem from the debug. I appreciate your help in advance. GTO-ClientEdge-RT1#sh cry ipse sa interface: GigabitEthernet0/0 Crypto map tag: gto_share_map, local addr 192.33.232.209 protected vrf: vrf-veridian local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 173.46.8.98 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 15, #recv errors 0 local crypto endpt.: 192.33.232.209, remote crypto endpt.: 173.46.8.98 path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: Crypto ISAKMP debugging is on GTO-ClientEdge-RT1# Nov 19 22:46:29.702: ISAKMP:(0): SA request profile is veridian-ike-prof Nov 19 22:46:29.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500 Nov 19 22:46:29.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x80000019 Nov 19 22:46:29.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator Nov 19 22:46:29.702: ISAKMP:(0):Setting client config settings 131406B8 Nov 19 22:46:29.702: ISAKMP/xauth: initializing AAA request Nov 19 22:46:29.702: ISAKMP: local port 500, remote port 500 Nov 19 22:46:29.702: ISAKMP: set new node 0 to QM_IDLE Nov 19 22:46:29.702: ISAKMP:(0):insert sa successfully sa = 1235BF68 Nov 19 22:46:29.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-07 ID Nov 19 22:46:29.702: ISAKMP:(0): c GTO-ClientEdgeonstructed NAT-T vendor-03 ID Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-02 ID Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 Nov 19 22:46:29.702: ISAKMP:(0): beginning Main Mode exchange Nov 19 22:46:29.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE Nov 19 22:46:29.702: ISAKMP:(0):Sending an IKE IPv4 Packet. Nov 19 22:46:29.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2 Nov 19 22:46:29.702: ISAKMP:(0): processing SA payload. message ID = 0 Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload Nov 19 22:46:29.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch Nov 19 22:46:29.702: ISAKMP:(0): vendor ID is NAT-T v2 Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload Nov 19 22:46:29.702: ISAKMP:(0): processing IKE frag vendor id payload Nov 19 22:46:29.702: ISAKMP:(0):Support for IKE Fragmentation not enabled Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring Nov 19 22:46:29.702: ISAKMP:(0): local preshared key found Nov 19 22:46:29.702: ISAKMP : Looking for xauth in profile veridian-ike-prof Nov 19 22:46:29.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy Nov 19 22:46:29.702: ISAKMP: encryption AES-CBC Nov 19 22:46:29.702: ISAKMP: keylength of 256 Nov 19 22:46:29.702: ISAKMP: hash SHA Nov 19 22:46:29.702: ISAKMP: default group 5 Nov 19 22:46:29.702: ISAKMP: auth pre-share Nov 19 22:46:29.702: ISAKMP: life type in seconds Nov 19 22:46:29.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 Nov 19 22:46:29.702: ISAKMP:(0):atts are acceptable. Next payload is 0 Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:actual life: 0 Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:life: 0 Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa vpi_length:4 Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400 Nov 19 22:46:29.702: ISAKMP:(0):Returning Actual lifetime: 86400 Nov 19 22:46:29.702: ISAKMP:(0)::Started lifetime timer: 86400. Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload Nov 19 22:46:29.706: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch Nov 19 22:46:29.706: ISAKMP:(0): vendor ID is NAT-T v2 Nov 19 22:46:29.706: ISAKMP:(0): processing vendor id payload Nov 19 22:46:29.706: ISAKMP:(0): processing IKE frag vendor id payload Nov 19 22:46:29.706: ISAKMP:(0):Support for IKE Fragmentation not enabled Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2 Nov 19 22:46:29.706: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP Nov 19 22:46:29.706: ISAKMP:(0):Sending an IKE IPv4 Packet. Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3 Nov 19 22:46:29.802: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP Nov 19 22:46:29.802: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 19 22:46:29.802: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4 Nov 19 22:46:29.802: ISAKMP:(0): processing KE payload. message ID = 0 Nov 19 22:46:29.806: ISAKMP:(0): processing NONCE payload. message ID = 0 Nov 19 22:46:29.806: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is Unity Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID seems Unity/DPD but major 86 mismatch Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is XAUTH Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload Nov 19 22:46:29.806: ISAKMP:(9023): speaking to another IOS box! Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload Nov 19 22:46:29.806: ISAKMP:(9023):vendor ID seems Unity/DPD but hash mismatch Nov 19 22:46:29.806: ISAKMP:received payload type 20 Nov 19 22:46:29.806: ISAKMP (9023): His hash no match - this node outside NAT Nov 19 22:46:29.806: ISAKMP:received payload type 20 Nov 19 22:46:29.806: ISAKMP (9023): No NAT Found for self or peer Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM4 Nov 19 22:46:29.806: ISAKMP:(9023):Send initial contact Nov 19 22:46:29.806: ISAKMP:(9023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR Nov 19 22:46:29.806: ISAKMP (9023): ID payload next-payload : 8 type : 1 address : 192.33.232.209 protocol : 17 port : 500 length : 12 Nov 19 22:46:29.806: ISAKMP:(9023):Total payload length: 12 Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet. Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM5 Nov 19 22:46:29.806: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH Nov 19 22:46:29.806: ISAKMP:(9023): processing ID payload. message ID = 0 Nov 19 22:46:29.806: ISAKMP (9023): ID payload next-payload : 8 type : 1 address : 173.46.8.98 protocol : 17 port : 0 length : 12 Nov 19 22:46:29.806: ISAKMP:(9023): processing HASH payload. message ID = 0 Nov 19 22:46:29.806: ISAKMP:received payload type 17 Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is DPD Nov 19 22:46:29.806: ISAKMP:(9023):SA authentication status: authenticated Nov 19 22:46:29.806: ISAKMP:(9023):SA has been authenticated with 173.46.8.98 Nov 19 22:46:29.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8. Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM5 New State = IKE_I_MM6 Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_I_MM6 Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903 Nov 19 22:46:29.806: ISAKMP:(9023):QM Initiator gets spi Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet. Nov 19 22:46:29.806: ISAKMP:(9023):Node 2851020903, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398 Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1 spi 0, message ID = 1512038398, sa = 0x1235BF68 Nov 19 22:46:29.810: ISAKMP:(9023):peer does not do paranoid keepalives. Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98) Nov 19 22:46:29.810: ISAKMP:(9023):deleting node 1512038398 error FALSE reason "Informational (in) state 1" Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Nov 19 22:46:29.810: ISAKMP: set new node 260072841 to QM_IDLE Nov 19 22:46:29.810: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE Nov 19 22:46:29.810: ISAKMP:(9023):Sending an IKE IPv4 Packet. Nov 19 22:46:29.810: ISAKMP:(9023):purging node 260072841 Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98) Nov 19 22:46:29.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0 Nov 19 22:46:29.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8 Nov 19 22:46:29.810: ISAKMP:(9023):deleting node -1443946393 error FALSE reason "IKE deleted" Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_DEST_SA New State = IKE_DEST_SA Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE-RT1# GTO-ClientEdge-RT1#sh cry isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id status 173.46.8.98 192.33.232.209 MM_NO_STATE 9023 ACTIVE (deleted) veridian-ike-prof IPv6 Crypto ISAKMP SA GTO-ClientEdge-RT1# Nov 19 22:46:59.702: ISAKMP:(0): SA request profile is veridian-ike-prof Nov 19 22:46:59.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500 Nov 19 22:46:59.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x8000001A Nov 19 22:46:59.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator Nov 19 22:46:59.702: ISAKMP:(0):Setting client config settings 1CA9BE8 Nov 19 22:46:59.702: ISAKMP/xauth: initializing AAA request Nov 19 22:46:59.702: ISAKMP: local port 500, remote port 500 Nov 19 22:46:59.702: ISAKMP: set new node 0 to QM_IDLE Nov 19 22:46:59.702: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 1235C984 Nov 19 22:46:59.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-07 ID Nov GTO-ClientEdge 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-03 ID Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-02 ID Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 Nov 19 22:46:59.702: ISAKMP:(0): beginning Main Mode exchange Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet. Nov 19 22:46:59.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2 Nov 19 22:46:59.702: ISAKMP:(0): processing SA payload. message ID = 0 Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2 Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring Nov 19 22:46:59.702: ISAKMP:(0): local preshared key found Nov 19 22:46:59.702: ISAKMP : Looking for xauth in profile veridian-ike-prof Nov 19 22:46:59.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy Nov 19 22:46:59.702: ISAKMP: encryption AES-CBC Nov 19 22:46:59.702: ISAKMP: keylength of 256 Nov 19 22:46:59.702: ISAKMP: hash SHA Nov 19 22:46:59.702: ISAKMP: default group 5 Nov 19 22:46:59.702: ISAKMP: auth pre-share Nov 19 22:46:59.702: ISAKMP: life type in seconds Nov 19 22:46:59.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 Nov 19 22:46:59.702: ISAKMP:(0):atts are acceptable. Next payload is 0 Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:actual life: 0 Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:life: 0 Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa vpi_length:4 Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400 Nov 19 22:46:59.702: ISAKMP:(0):Returning Actual lifetime: 86400 Nov 19 22:46:59.702: ISAKMP:(0)::Started lifetime timer: 86400. Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2 Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2 Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet. Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3 Nov 19 22:46:59.798: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP Nov 19 22:46:59.798: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 19 22:46:59.798: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4 Nov 19 22:46:59.798: ISAKMP:(0): processing KE payload. message ID = 0 Nov 19 22:46:59.802: ISAKMP:(0): processing NONCE payload. message ID = 0 Nov 19 22:46:59.802: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is Unity Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID seems Unity/DPD but major 108 mismatch Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is XAUTH Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload Nov 19 22:46:59.802: ISAKMP:(9024): speaking to another IOS box! Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload Nov 19 22:46:59.802: ISAKMP:(9024):vendor ID seems Unity/DPD but hash mismatch Nov 19 22:46:59.802: ISAKMP:received payload type 20 Nov 19 22:46:59.802: ISAKMP (9024): His hash no match - this node outside NAT Nov 19 22:46:59.802: ISAKMP:received payload type 20 Nov 19 22:46:59.802: ISAKMP (9024): No NAT Found for self or peer Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM4 Nov 19 22:46:59.802: ISAKMP:(9024):Send initial contact Nov 19 22:46:59.802: ISAKMP:(9024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR Nov 19 22:46:59.802: ISAKMP (9024): ID payload next-payload : 8 type : 1 address : 192.33.232.209 protocol : 17 port : 500 length : 12 Nov 19 22:46:59.802: ISAKMP:(9024):Total payload length: 12 Nov 19 22:46:59.802: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH Nov 19 22:46:59.802: ISAKMP:(9024):Sending an IKE IPv4 Packet. Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM5 Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH Nov 19 22:46:59.806: ISAKMP:(9024): processing ID payload. message ID = 0 Nov 19 22:46:59.806: ISAKMP (9024): ID payload next-payload : 8 type : 1 address : 173.46.8.98 protocol : 17 port : 0 length : 12 Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 0 Nov 19 22:46:59.806: ISAKMP:received payload type 17 Nov 19 22:46:59.806: ISAKMP:(9024): processing vendor id payload Nov 19 22:46:59.806: ISAKMP:(9024): vendor ID is DPD Nov 19 22:46:59.806: ISAKMP:(9024):SA authentication status: authenticated Nov 19 22:46:59.806: ISAKMP:(9024):SA has been authenticated with 173.46.8.98 Nov 19 22:46:59.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8. Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM5 New State = IKE_I_MM6 Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_I_MM6 Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE Nov 19 22:46:59.806: ISAKMP:(9024):beginning Quick Mode exchange, M-ID of 920032514 Nov 19 22:46:59.806: ISAKMP:(9024):QM Initiator gets spi Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet. Nov 19 22:46:59.806: ISAKMP:(9024):Node 920032514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE Nov 19 22:46:59.806: ISAKMP: set new node -165090978 to QM_IDLE Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 4129876318 Nov 19 22:46:59.806: ISAKMP:(9024): processing NOTIFY INVALID_ID_INFO protocol 1 spi 0, message ID = 4129876318, sa = 0x1235C984 Nov 19 22:46:59.806: ISAKMP:(9024):peer does not do paranoid keepalives. Nov 19 22:46:59.806: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98) Nov 19 22:46:59.806: ISAKMP:(9024):deleting node -165090978 error FALSE reason "Informational (in) state 1" Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Nov 19 22:46:59.806: ISAKMP: set new node 1564252651 to QM_IDLE Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet. Nov 19 22:46:59.806: ISAKMP:(9024):purging node 1564252651 Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA Nov 19 22:46:59.810: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98) Nov 19 22:46:59.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0 Nov 19 22:46:59.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8 Nov 19 22:46:59.810: ISAKMP:(9024):deleting node 920032514 error FALSE reason "IKE deleted" Nov 19 22:46:59.810: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 19 22:46:59.810: ISAKMP:(9024):Old State = IKE_DEST_SA New State = IKE_DEST_SA Nov 19 22:46:59.810: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE-RT1#
... View more
Labels:
06-18-2012
12:46 PM
Thanks for the advise Julio. Reboot the modem works. For people who interested in the process. I didn't know which authentication type so I tried pap, chap, and mschap on the ASA but no luck. Debug on ASA doesn't tell me much. I have to use a router and debug to see what is going on. Router connected to PPPoE with issue and from the router debug I can see it is using pap. I switch back to the ASA using PAP and still no luck. Then I reboot the modem. After 3 to 5 min the ASA is connected. For some reason changing the authentication type on ASA is not as simple as the router. The modem doesn't pick up automatically.
... View more
05-31-2012
06:01 PM
I am setting up PPPoE client on the ASA trying to connect to a ADSL model. I can confirm the ADSL model is working fine with my laptop acting as the PPPoE client and I can get to the Internet (username and password are correct from ISP). I use the following config but I am not getting an IP address on the ASA. Am I missing something here? I put a parital config at the top and some show and debug command to follow. Below is the full show run. Thanks for you help. PPPoE Config vpdn group PPPOE request dialout pppoe vpdn group PPPOE localname xxxx@bellnet.ca vpdn group PPPOE ppp authentication chap vpdn username xxxx@bellnet.ca password ***** ! interface Vlan2 nameif outside security-level 0 pppoe client vpdn group PPPOE ip address pppoe CWMI-MAT-GW(config)# sh vpdn pppinterface PPP virtual interface id = 1 was deleted and pending reuse CWMI-MAT-GW(config)# CWMI-MAT-GW(config)# show vpdn session state %No active L2TP tunnels %No active PPTP tunnels PPPoE Session Information (Total tunnels=1 sessions=0) SessID TunID Intf State Last Chg 3580 2 outside PADI_SENT 4714 secs CWMI-MAT-GW(config)# sh vpdn tunnel pppoe state PPPoE Tunnel Information (Total tunnels=1 sessions=0) LocID RemID Last-Chg Sessions 2 0 1486 secs 1 CWMI-MAT-GW(config)# CWMI-MAT-GW(config)# sh int ip b Interface IP-Address OK? Method Status Protocol Ethernet0/0 unassigned YES unset up up Ethernet0/1 unassigned YES unset up up Ethernet0/2 unassigned YES unset down down Ethernet0/3 unassigned YES unset down down Ethernet0/4 unassigned YES unset down down Ethernet0/5 unassigned YES unset down down Ethernet0/6 unassigned YES unset down down Ethernet0/7 unassigned YES unset down down Internal-Data0/0 unassigned YES unset up up Internal-Data0/1 unassigned YES unset up up Vlan1 192.168.23.1 YES CONFIG up up Vlan2 unassigned YES manual up up Virtual0 127.0.0.1 YES unset up up CWMI-MAT-GW(config)# CWMI-MAT-GW(config)# sh debug debug ppp auth enabled at level 1 debug pppoe packet enabled at level 1 CWMI-MAT-GW(config)# PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:001f.9e82.aa54 Type:0x8863=PPPoE-Discovery PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12 PPPoE: Type:0101:SVCNAME-Service Name Len:0 PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4 PPPoE: 00000002 CWMI-MAT-GW(config)# sh run : Saved : ASA Version 8.2(5) ! hostname CWMI-MAT-GW domain-name map.priv enable password ************* encrypted passwd ********** encrypted names ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 description To Internal nameif inside security-level 100 ip address 192.168.23.1 255.255.255.0 ! interface Vlan2 description To Internet nameif outside security-level 0 pppoe client vpdn group PPPOE ip address pppoe setroute ! boot system disk0:/asa825-k8.bin ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns server-group DefaultDNS domain-name map.priv object-group icmp-type icmp_allowed icmp-object echo-reply icmp-object time-exceeded icmp-object unreachable icmp-object echo access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.21.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.20.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 192.168.21.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 192.168.20.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 192.168.22.0 255.255.255.0 pager lines 24 logging enable logging buffered debugging logging asdm informational mtu inside 1500 mtu outside 1500 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside asdm image disk0:/asdm-647.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa authentication telnet console LOCAL aaa authentication ssh console LOCAL http server enable http 0.0.0.0 0.0.0.0 outside http 192.168.20.0 255.255.252.0 inside snmp-server host inside 192.168.21.8 community ***** snmp-server location Skymark no snmp-server contact snmp-server community ***** snmp-server enable traps snmp authentication linkup linkdown coldstart snmp-server enable traps syslog snmp-server enable traps ipsec start stop snmp-server enable traps entity config-change fru-insert fru-remove snmp-server enable traps remote-access session-threshold-exceeded crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer 173.46.12.26 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 no crypto isakmp nat-traversal telnet 192.168.20.0 255.255.252.0 inside telnet timeout 5 ssh 192.168.20.0 255.255.252.0 inside ssh 0.0.0.0 0.0.0.0 outside ssh timeout 20 console timeout 0 management-access inside vpdn group PPPOE request dialout pppoe vpdn group PPPOE localname xxxx@bellnet.ca vpdn group PPPOE ppp authentication chap vpdn username xxxx@bellnet.ca password ***** dhcpd dns 192.168.21.5 192.168.21.11 dhcpd domain map.priv ! dhcpd address 192.168.23.201-192.168.23.254 inside dhcpd enable inside ! priority-queue outside threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn username admin password ************* encrypted privilege 15 tunnel-group 173.46.1.26 type ipsec-l2l tunnel-group 173.46.1.26 ipsec-attributes pre-shared-key ***** ! class-map global-class match default-inspection-traffic class-map Voice match precedence 5 ! ! policy-map Voicepolicy class Voice priority policy-map global-policy class global-class inspect ctiqbe inspect dns inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect ils inspect mgcp inspect netbios inspect rsh inspect sip inspect snmp inspect sqlnet inspect tftp inspect xdmcp ! service-policy global-policy global service-policy Voicepolicy interface outside prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:026e367c520e8a4c9e581ab925c8eccf : end
... View more
Labels:
05-30-2012
02:25 PM
Not to confuse people. I put the upgrade part number. I will need L-ASA-SSL-250. Licensed features for this platform: Maximum Physical Interfaces : Unlimited perpetual Maximum VLANs : 100 perpetual Inside Hosts : Unlimited perpetual Failover : Active/Active perpetual VPN-DES : Enabled perpetual VPN-3DES-AES : Enabled perpetual Security Contexts : 2 perpetual GTP/GPRS : Disabled perpetual AnyConnect Premium Peers : 2 perpetual AnyConnect Essentials : Disabled perpetual Other VPN Peers : 250 perpetual Total VPN Peers : 250 perpetual Shared License : Disabled perpetual AnyConnect for Mobile : Disabled perpetual AnyConnect for Cisco VPN Phone : Disabled perpetual Advanced Endpoint Assessment : Disabled perpetual UC Phone Proxy Sessions : 2 perpetual Total UC Proxy Sessions : 2 perpetual Botnet Traffic Filter : Disabled perpetual Intercompany Media Engine : Disabled perpetual
... View more
05-30-2012
02:21 PM
I understand now. I only need L-ASA-SSL-100-250 and that will give me client and clientless SSL VPN capabilites.
... View more
05-30-2012
01:55 PM
Thanks for the information. I just want to double confirm. I don't want to order the wrong license. The name are too close to get confuse. I want to get name straight because I need to get a quote for clientless and client SSL VPN. I only have a single ASA 5510. If I want the clientless and client SSL VPN should I be listing these AnyConnect Premium (client SSL VPN) L-ASA-SSL-250 Browser-based clientless SSL VPN ASA-VPNS-500= Is that all I need to get the clientless and client SSL VPN going? No additional license on top of that? Is 500 clientless SSL VPN is the minimum? Nothing less than that?
... View more
05-30-2012
08:03 AM
12-10-2019
I am following the example above to setup the snmp over vpn. It is not
working for me. After doing s...
07-19-2019
I have 2 SFR firepower module on the ASA 5555x. I upgraded the code from
6.2.3.10 to 6.2.3.13 last n...
Created by
joe.ho
in Intrusion Prevention and Detection Systems (IPS - IDS)
12-10-2018
12-10-2018
Does AMP connector support RHEL 5? If it does which version of the
connector should be used?
Created by
joe.ho
in Wireless Security and Network Management
08-12-2015
08-12-2015
I am running version 8.0.110.11 on the WLC. There are multiple Lobby
Admin accounts. Each one of the...
10-03-2014
I am trying to do a hairpin nat with ipsec L2L vpn on the ASA 8.4 but
successful. The vpn tunnel goi...
09-12-2014
I am running 6.2(2) on 7K. My woke on lan server is svi901 and
physically on the 5K down stream. I a...
07-18-2014
Customer request to use destination NAT and port forwarding to access a
server from inside to dmz. T...
11-26-2013
I found the answer to this. The debug on the router doesn't give me the
detail. The debug on the ASA...
11-19-2013
I am trying to setup a VRF IPSec to ASA VPN tunnel. VRF IPSec is at head
office and ASA is at the cu...
06-18-2012
Thanks for the advise Julio. Reboot the modem works.For people who
interested in the process. I didn...
05-31-2012
I am setting up PPPoE client on the ASA trying to connect to a ADSL
model. I can confirm the ADSL mo...
05-30-2012
Not to confuse people. I put the upgrade part number. I will need
L-ASA-SSL-250.Licensed features fo...
05-30-2012
I understand now. I only need L-ASA-SSL-100-250 and that will give me
client and clientless SSL VPN ...
Public Statistics
| Date Registered | 10-10-2006 09:04 PM |
| Date Last Visited | 12-10-2019 09:09 AM |
| Total Messages Posted | 87 |
| Total Helpful Votes Received | 5 |
