Hasn't the time come to replace these old EOL a/b/g APs? ... View more

In addition to Marvins recommendation, if you want to attend a classroom-training, I would go for the course SASAC (Implementing Core Cisco ASA Security). This is a five days training with the basic ASA stuff every ASA admin should know. ... View more

You have to specify both the Phase1 and Phase2 settings. The mentioned ones ( hash, authen , group , lifetime , encryption ) are phase1 and the screenshot is a config for phase2 that you will later reference in your crypto-config. ... View more

As a general advice I would go for the newest interim-release of 9.8 with the newest ASDM available and also the newest AnyConnect. And include the ASA in your patch-management and be prepared to update the ASA once or twice a year. ... View more

Basically, you can policy-route traffic for the VPN. What exactly do you want to do? ... View more

I see two solutions here: Configure Private VLAN Edge ("switchport protected") on the eight ports. Now they are not allowed to communicate to any other protected port but can communicate to unprotected ports. Configure IP Access-Lists on the eight ports to only allow traffic to the IP or IP-range behind the one port. ... View more

Duplicate post, Discussion started here: https://community.cisco.com/t5/intrusion-prevention-and/asa-5515-ips-configuration-help-needed/m-p/3810477 ... View more

This is the legacy IPS that is End of life for some time now. You shouldn't waste any time with that. If you want IPS, then uninstall that module and install the Firepower module or Firepower Threat Defense. ... View more

There are multiple ways to address this problem. The best way (IMO) is to reconfigure the verizon-device to "modem" mode, assuming that it is a DSL-router. With that, you control the public IP and the NAT on the ASA which is less complex.   If that is not possible, the typical configuration is done the following way: The DSL-router has a static route to all internal networks pointing to the ASA outside interface. Sometimes the is an option like "exposed Host" od "DMZ host" that has to point to the ASA. As the DSL-router is doing NAT/PAT here, the ASA should not have any NAT configured. You only need access-control from the internet (any) to your internal resources.   For your packet-tracer, if  192.168.1.140 is the IP of the ASA, repeat the packet-tracer with a public source like 1.2.3.4 and look for the result of that. ... View more

regardless of directly connected or not, if you have an inside ACL you still need a permit-entry for that traffic. Best to simulate the traffic with packet-tracer:   packet-tracer input inside tcp IP-OF-CLIENT 1234 IP-OF-SERVER PORT-ON-SERVER run that two times and show the output of the second run. ... View more

Although the VPN will allow your needed traffic, the interface ACL where your client is located (i.g. the inside-interface) still needs a permit-entry for that traffic. ... View more

You can configure it as part of your crypto map:   asa(config)# crypto map VPN 10 set connection-type answer-only ... View more