We're using Anyconnect SSL VPN to ASA.
* Asa inside interface is 192.168.1.1/24
* There is nothing else but another firewall on the other end of "inside": 192.168.1.2
* VPN clients use IP pools 172.16.1.0/24 and 172.16.2.0/24.
This is mainly set up such ...
Hey,
I don't get the following
nat (outside,dmz) source static any any destination static 1.1.1.2 2.2.2.1 unidirectional no-proxy-arp
1) Why does the ASA respond using Proxy ARP for the global address? (The asa's own interface is 1.1.1.1/24)
2) ASDM warn...
Hey,
Using Radius dialog (no ACS) I would like to add one or two ACEs to a DAP (dynamic access policy)-chosen ACL/Webfilter.
I neither want to
* use filter-id to set a pre-defined ACL, nor
* use downloadable ACLs to totally replace an existing ACL.
Instead...
Hey,
It seems you can just use some other SSL VPN client and/or post any result you like to the ASA. Also, endpoint attributes you might be using in your DAP are stored for everyone to see at this URL: https://$VPNGW/CACHE/sdesktop/data.xml Just read ...
This is an ASA 5515-X with software 9.6(3)20. The remote side didn't tell me what they use, it must be Strongswan or something. Using the following debug commands
debug crypto ipsec 255
debug crypto ikev2 protocol 255
debug crypto ikev2 platform 255
I ...
What topology? What exactly is unclear? There is an ASA with outside interface connected to the Internet. Then there is the inside interface which routes everything to the internal FW as described.
I don't see how using DHCP alone can assign a static IP to the user. DHCP has no notion of users. At best you get the hostname in the DHCP request. You don't even have the MAC address of the remote device in a VPN scenario.
Hmm so the definition of "identity nat" is any nat where one of the addresses (source and/or destination) is not translated? But why do you call my example a "twice nat"? Only either source or destination is translated (depending on which direction you...
They usually suggest that you contact your account team. Probably that wouldn't hurt if you can make it a business case that way. In any case, Cisco sometimes have trouble with correctly implementing even over 20 year old RFCs. RFC 5746 is only about 1...
I forgot to mention that this is in fact solely about Anyconnect. That's because I forgot that Cisco uses the terms "SSL VPN" or "WebVPN" for both Anyconnect as well as clientless. Oh well.... In any case Host Scan seems to be totally unsecure no ma...