I have an ASA5512 with an AnyConnect profile using LDAP to carry out authentication of users to a local AD server. This server is being migrated up to the cloud and shut down. There is a Site-to-Site VPN from the ASA to the cloud but I'm struggling on getting the ASA to use the cloud AD through the VPN. aaa-server OUR-CLOUD-AD (outside) host 10.254.x.x Whenever I try to do a test auth to the cloud it fails with Server not responding. Any advice or things I need to do?   TIA   ... View more

We're in the process of moving some services up into the cloud.  We have the S-2-S setup and working between Head Office and the cloud and want the servers to use the internet at the headend.  As it stands, the servers can ping our Outside interface but can't get to next-hop address and thus the wider internet.   We also need to be able to connect to the cloud through our existing Anyconnect tunnel which is working now.   I believe it's a NAT issue I'm hitting but not sure how to fix it - tried many things reading off of here already and either doesn't work or completely cuts off the hosts on the cloud.   nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup nat (dmz,outside) source static NETWORK_OBJ_172.16.12.0_24 NETWORK_OBJ_172.16.12.0_24 destination static Milton-Subnets Milton-Subnets no-proxy-arp route-lookup nat (any,outside) source static any any destination static AWS AWS no-proxy-arp ! object network VPN_Pool nat (any,outside) dynamic interface object network LILIN_NVR_Server nat (inside,outside) static interface service tcp www h323 object network dmz-subnet nat (dmz,outside) dynamic interface object network ITGL-AD1_internal nat (dmz,outside) static ITGL-AD1_external service tcp ldaps ldaps object network ITGL-Duo_internal-DAG nat (dmz,outside) static ITGL-Duo_external-DAG object network ITGL-Duo_internal-NG nat (dmz,outside) static ITGL-Duo_external-NG object network CUBE-1000v-webex_internal nat (dmz,outside) static CUBE-1000v-webex_external object network CUBE-1000v-PSTN_internal nat (any,outside) dynamic interface object network dmz2-subnet nat (any,outside) dynamic interface object network AWS nat (any,outside) dynamic interface ! nat (inside,outside) after-auto source dynamic any interface nat (dmz,outside) after-auto source static dmz-subnet dmz-subnet destination static VPN_Pool VPN_Pool Can anyone shed some light on where I'm going wrong please?   TIA ... View more

A customer of mine has an ASA5555 given to him in multi-context mode.  There's only the one context being used as it is so seems pointless to have it set up like that.   Is it just a case of changing to single mode and then copy and pasting his config back in to get it up and running again or is it a bit more involved than that?   I've had a look here - https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_contexts.html#63741 - but that seems to be converting to single mode after first being placed in multi-mode.   ... View more

Does anyone know if it is possible to set up an Anyconnect tunnel such that it uses Machine Authentication (from a cert) as well as querying a RADIUS server for the primary authentication with RSA SecurID used a the Secondary method?   Essentially want to tie down connections to domain registered devices in addition to the use of AAA and 2FA   TIA ... View more

Does anyone know if it is possible to view live data from a specific client IP, or more specifically, the ports the firewall is blocking from that client?   A client has a piece of hardware that’s trying to connect on some obscure port but the installers don’t seem to know what port it needs open and It would be really helpful if I can see which ports are being blocked. ... View more

I have a customer currently running 6.2.2 FirePower code managed via FMC.   They have 2 separate circuits from the same ISP with different ranges and want Circuit1 connected to Primary and Circuit2 to Secondary so that, should a failover happen, they use the second circuit on the second firewall.   Is this possible? If so then how might be the best way to implement it in regards to NAT/ACLS/Routes etc?   If not possible then how would be best to workaround so that it will work as a HA pair whilst retaining resiliency?    Many thanks ... View more

Want to deploy an ASA5506-X (running FTD v6.2.2) to a remote site and then be able to set up and manage a Site-to-Site VPN back to HQ where FMC server is located.   A) Is this even possible? B) What is the best way to do this?   Remote FTD -----> Internet -----> HQ --> FMC ... View more