The interface on the AIP-SSM is just for management.
Traffic is sent to the AIP-SSM via the ASA backplane. That is the only sniffing interface. Depending on how you configure the ASA to send traffic to the AIP-SSM you can use it in in-line or promiscuous mode.
This doc describes sending...
It looks like the SSL VPN Client is not supported with Vista.
http://www.cisco.com/en/US/products/ps6657/products_qanda_item09186a0080553209.shtml#errfg
If you can upgrade the ASA, you should upgrade to the latest version of 8.x code and use the AnyConnect client. SSL VPN is much improved in...
Yeah, nat-control was not introduced until 7.0. Same with Transparent mode.
Brent, the Mail Server doc is a good call. Burt, it's a shame you can't set it up like that!
Pursuing two different paths here:
1. Why do you want to add the PIX? Especially given that it's an old one. If you...
In my experience:
For junior people or interns, it's interesting to ask them to explain how they think something that they are not familiar with works. For example, we once asked a potential intern to explain how the 7960 on the desk was able to call the cell phone in my pocket.
This can shed...
Why would DYNDNS not work here?
Natesin wants to initiate a connection from an ASA with a static IP address to an ASA with a dynamic IP address. This could work at least two ways.
1. If the static ASA is configured as an EZVPN client it can be configured to connect to a hostname...
You could use a service like DynDNS to provide a domain name for the dynamic ASA. The ASA doesn't have a DynDNS client, though, so you would need a PC or something behind the ASA to update the service when the dynamic IP changes.
Matt
http://www.wr-mem.com
Since you already have split tunneling working, all you should have to do is add that new network to your split tunnel list.
Matt
http://www.wr-mem.com
I think I have it figured out. Messing with security levels and an ACL will not help. Sorry for that lousy suggestion.
I just labbed your configuration up and it appears that NAT is applied on a per-interface basis on the ASA, not a per-flow basis. This means that if you apply any NAT...
Hmm. And you're sure that traffic flowed between the interfaces before? ;-)
Here are some ideas:
1. Turn on logging and look for clues in your log. Look for translation errors or deny messages.
2. Try removing the line:
access-list inside_nat0_outbound extended permit ip 192.168.200.0...
nat statements are interface specific, and it appears that you only have a nat statement configured for your "inside" network. You don't have one for your "inside2" network.
You have:
nat (inside) 1 0.0.0.0 0.0.0.0
Keep that and try adding:
nat (inside2) 1 0.0.0.0 0.0.0.0
Also, just a...
Please post your whole configuration. It sounds like NAT might be the culprit, but you did not include that part of the config.
Matt
http://www.wr-mem.com
To enable/disable the tunnel group dropdown in ASDM on 8.0:
Configuration | Remote Access VPN | Clientless SSLVPN Access | Connection Profiles
check/uncheck "Allow user to select connection..." near the bottom of the right pane.
Matt
http://www.wr-mem.com
It's not quite clear what you're asking here.
The address pool in an RAVPN configuration is the pool of addresses that get assigned to clients when they connect. The pool does not have an impact on who can connect to the ASA with the VPN Client.
Generally, anyone should be able to connect...
Sounds like you don't have FTP inspection configured.
ASA(config)#policy-map global_policy
ASA(config-pmap)#class inspection_default
ASA(config-pmap-c)#inspect FTP
Matt
http://www.wr-mem.com
First a bit of shameless self-promotion. ;-)
http://www.wr-mem.com - My CCIE Security Blog and general tips
I also follow:
http://cisconews.co.uk/ - General Cisco stuff and tips
http://blog.internetworkexpert.com/ - A lot of excellent CCIE-level material
http://www.ciscoblog.com/ - General...
Is your PC permitted to connect to the ASA with ASDM?
For example any host can connect to this ASA with ASDM on the "man" interface:
ASA# sh run http
http server enable 8080
http 0.0.0.0 0.0.0.0 man
What about routing? Does the ASA have a route to send packets back to your PC?
Post your...
Good news! The Cisco AnyConnect client, which uses SSL, supports Vista. In fact, it's the only way you can do full tunnel VPN on Vista x64 - there's no IPsec client for it.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/product_data_sheet0900aecd80405e25.html
-----...
Do you mean you have two subnets that are on two separate VLANs (one subnet per VLAN)?
If so, you need to configure subinterfaces on the ASA. One subnet can be on interface "inside" and the other one can be "inside2" or whatever you want to call it...