Hi,   From ASDM, go to:   Configuration -> Clientless SSL VPN Access -> Customization -> Select DfltCustomization on the right pane -> Click Edit -> Under Logon Page go to Copyright Panel -> Enable Display copyright panel, and type your text in the text box.   Kind Regards Aref ... View more

Hi, When you apply the global ACL, the implicit deny that you had on any other ACL will be moving to be at the end of the global ACL. But, any explicit deny will not be moved, it will remain on the other ACLs. Also, the order of matching will still start from the top of the other ACL applied, in your example, the check order will start on ACL outside_in from the top, as usual, if not match is found on outside_in ACL, then it will start checking from the top on the global ACL, if no match is found the implicit deny on the global ACL will be applied and the traffic will be dropped. The easiest way to think about the global ACL is that it will be appended to any other ACL applied on an interface. In your case, it has been appended to the ACL outside_in, like if the ACL outside_in has extended its lines. Also please remember that global ACL is applied in inbound direction. Regards, Aref ... View more

Technically speaking they are doing same thing, translating a source address for a specific port. nat (dmz,outside) source static dmz_host outside_IP service RDP RDP The above is a manual NAT/PAT. With that rule you are translating only the source object for RDP service. If you were translating also the destination address, then you are doing the twice NAT/PAT. object network NR-1010 nat (inside,outside) static interface service tcp 1010 1010 Here the above called object NAT, or auto NAT. With this one you are translating the source IP address defined in the object network NR-1010 to the outside interface IP address for port tcp/1010. The very important point to keep in mind here is the NAT order. Manual NAT is always being checked before the object NAT. Manual NAT is located in section 1 of the NAT table on the ASA. The first match will be applied, from top to bottom as you see it on the configuration lines, very similar to the way ACL matching work. You can place the manual NAT in section 3 which is after the object NAT section by using the keyword after-auto similar to the following example: nat (dmz,outside) after-auto source static dmz_host outside_IP service RDP RDP You can verify the NAT sections with the command "sh nat". Instead the object NAT order is different and quite tricky. The preference would be for the object that has less IP addresses, if equal, the one with lowest IP address, if equal then based on the object alphabetical names. Have a look at these links please: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_overview.html#wp1118157 https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli Regards, Aref ... View more

That would be needed only if you want to use the same switch you are currently using for other segments, and you want to isolate the ASA outside interface traffic in a dedicated VLAN on the same switch. If not, you can just connect the ASA to the ISP router directly. Regards, Aref ... View more

Hi, I think you can't do that on pre-8.3, but you might try something similar to the following on post-8.3, I have never used it on real life scenario, but it might work: object network HOST1  host 192.168.1.1 object network HOST2  host 192.168.1.1 object network MAPPED1  host 50.50.50.50 object network MAPPED2  host 50.50.50.50 object network HOST1  nat (inside,outside) static MAPPED1 service udp 8000 8000 object network HOST2  nat (inside,outside) static MAPPED2 service udp 8000 4569 Regards Aref ... View more

Hi, Putting the two ASAs in failover means that they both have to be in the same network, because both of them should be able to handle the traffic in the same way in case of failure of one of them. Also please keep in mind that failover requires both ASA to be identical under the hardware and software point of view. You can install same code of the currently working ASA on the sandboxed one, put them together in the same network and finally configure the failover. Regards, Aref ... View more

Hi, As already mentioned, yes you can use L3 capabilities which are enabled by default on 3560 platforms. If you tell us what are you trying to do we would give you an ad-hoc answer based on your needs. Regards | Aref. ... View more

You're welcome. Would you clarify what host is the 200.200.200.1? Also please share your topology with ip address scheme according to the above configuration for review. Regards | Aref. ... View more