AAA for VPN - Kerberos, LDAP or an NT domain?

All,

After that a small return on what you think is the best method for AAA authentication for VPN clients when authenticating against a Windows domain for remote access?

I have always used "NT Domain" because it seems to correspond roughly to the NT Auth I used to use on the old hubs. However, I (finally) decided to take a look at the Kerberos and LDAP, since they must have been added for a reason...

Far as I can tell LDAP adds the ability to search a little more finely (basic DN) AD, but that's all. Am I missing something? Are there more reason to use LDAP or Kerberos domain auth?

What is more reliable? That you guys use?

See you soon!

Either it is reliable, you can map users in different group policies or apply different DAP political, based on their belonging to a group. If you are basic authentication, then your method is still the best way to go.

Thank you

Tarik Admani
* Please note the useful messages *.

Tags: Cisco Security

Similar Questions

LDAP AAA for VPN configuration

Preface: I'm all new to Cisco Configuration and learn as I go.

I'm at the stage of configuration LDAP to configure a VPN on ASA 5520, software release 8.3 (1). Previously the programme installation and RADIUS authentication successfully tested, I tried to use similar logic to implement the LDAP authentication/authorization. I have acquired a service account that queries the pub for the identification of the registered user information. My main resource was the following Manual: Cisco ASA 5500 Series Configuration Guide using the CLI Software Version 8.3. I did initially configurations by using ASDM, but could not get tests to succeed. So I amazed the ASDM configs and went to the CLI. Here is the configuration.

AAA-server AAA_LDAP protocol ldap
AAA-server host 10,20,30,40 (inside) AAA_LDAP
Server-port 636
LDAP-base-dn domain.ad
LDAP-scope subtree
LDAP-naming-attribute uid
LDAP-login-password 8 *.
LDAP-connection-dn cn = commonname, OU = ou01, or = ou02, dc = domain, dc = ad
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_ATTRIB

---

type tunnel-group ASA_DEFAULT remote access
attributes global-tunnel-group ASA_DEFAULT
authorization-server-group AAA_LDAP

---

LDAP attribute-map LDAP_ATTRIB
name of the MemberOf IETF Radius-class card
map-value MemberOf "VPN users' asa_default

---

I tested all the naming-attribute ldap alternatives listed with the same results.

When I test the authentication using this configuration, I get the following error: ERROR: authentication server does not: AAA Server has been deleted

When I test authorization using this Setup, I get the same error (except for the word permission instead of authentication).

I am at a total loss. Any help would be appreciated.

I would use ldp.exe to see if you can make sure that the sytnax of your ldap-connection-dn is just as you have in your config, it really helps just copy and paste.

The problem I see is the following:

[210] link as st_domadm
[210] authentication Simple running to st_domadm to 10.20.30.30
[210] simple authentication for st_domadm returned credenti invalid code (49) als
[210] impossible to link the administrator returned code-(1) can't contact LDAP er

I suppose your ldap-connection-dn is st_domadm and you try to test with the administrator account?

Thank you

Tarik

authentication of remote access, vpn and ldap

I have a test environment with 2 hours fireval 5505: the first firewall is remote access VPN server and the Interior of this firewall is a network of domain with a domain controller, DNS server and a workstation. DHCP is disabled and the PC have a static address.outside of the VPN server is attached outside the other ASA 5505 firewall. on the inside of the firewall, there is a workstation.the workstation would be to connect via vpn for remote access on the domain network. I have configured the VPN server for remote access through a wizard and his

configuration is the following

Result of the command: "show running-config"

: Saved

ASA Version 8.2(1)

hostname ciscoasa

domain-name dri.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 10.13.74.5 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.30.1 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

dns server-group DefaultDNS

domain-name dri.local

access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240

access-list outside_access_in extended permit tcp 192.168.50.0 255.255.255.240 10.13.74.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.50.1-192.168.50.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.30.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record vpnldap

network-acl inside_nat0_outbound

aaa-server vpn protocol ldap

aaa-server vpn (inside) host 10.13.74.20

ldap-base-dn DC=DRI,DC=LOCAL

ldap-group-base-dn cn=test,cn=users,dc=dri,dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn cn=test,cn=users,dc=dri,dc=local

server-type microsoft

http server enable

http 10.13.74.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

dhcpd address 10.13.74.9-10.13.74.40 inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 10.13.74.20 10.8.2.5

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain value dri.local

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnpool

authentication-server-group vpn

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:1fc23fb20a74f208b3cde5711633ad3d

: end

When I tried to workstation on the internal part of the second firewall (no remote access vpn server) to connect to the vpn, everything is ok. I used the cisco vpn client, but I can't ping domain controller, workstation, I can't use the shared folder on them. Why?

Please help me

Thank you

Thanks for letting me know! Can you please give the station "answered"? Thank you!

CIsco Anyconnect VPN with LDAP AAA

Hi there, I was hoping that someone can point me in the right direction here. I created a VPN connection profile to match anyconnect SSL entering customers. I would like to use LDAP group membership as a sine qua non for authentication. I found a few online pages on what to do about it, I followed. Unfortunately, it seems my connection profile to allow access to any user in the ldap, not only those of the ldap group database. I'll post the relevant bits of the config here in hopes that someone can point my mistake!

The idea of the config is to have the map of connections 2 by default a noaccess policy which has 0 simultaneous connections and the profile card (SSL_VPN) connection ssl to anyconnect to group_policy_SSL_VPN group policy.

local pool CONTOSOVICVPN_DHCP_POOL 10.0.5.51 - 10.0.5.254 255.255.255.0 IP mask

NAT (inside_int, any) static source NetworkGroup_Internal_networks NetworkGroup_Internal_networks Network_VPNRANGE_10.0.5.0 Network_VPNRANGE_10.0.5.0 non-proxy-arp-search of route static destination

LDAP attribute-map AuthUsers
name of the memberOf Group Policy map
map-value memberOf memberOf CN = NETWORK_CONTOSO_ASA_VPN_DLSG, OR = network, OU = resources, OU = CONTOSO, OU = security, OU = Groups, DC = CONTOSO, DC = group

ynamic-access-policy-registration DfltAccessPolicy

AAA-server CONTOSOVIC_LDAP protocol ldap
AAA-server CONTOSOVIC_LDAP (inside_int) 10.0.0.45
LDAP-base-dn DC = CONTOSO, DC = group
LDAP-group-base-dn DC = CONTOSO, DC = group
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn CN = ASA_LDAP_USER, OU = network, OU = accounts, DC = CONTOSO, DC = group
microsoft server type

No vpn-addr-assign aaa
No dhcp vpn-addr-assign

SSL-trust ASDM_TrustPoint4 outside_int point
WebVPN
Select outside_int
AnyConnect essentials
AnyConnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
internal NoAccess group strategy
Group Policy attributes NoAccess
WINS server no
VPN - concurrent connections 0
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
value by default-field CONTOSO.group
disable the split-tunnel-all dns
attributes of Group Policy DfltGrpPolicy
VPN - concurrent connections 0
client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
internal GroupPolicy_SSL_VPN group strategy
attributes of Group Policy GroupPolicy_SSL_VPN
WINS server no
value of server DNS 10.0.0.45
VPN - connections 1
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
value of group-lock SSL_VPN
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_SPLIT_TUNNEL
value by default-field CONTOSO.group
activate dns split-tunnel-all
the address value CONTOSOVICVPN_DHCP_POOL pools

attributes global-tunnel-group DefaultRAGroup
authorization-server-group CONTOSOVIC_LDAP
NoAccess by default-group-policy
authorization required
tunnel-group DefaultRAGroup webvpn-attributes
message of rejection-RADIUS-
attributes global-tunnel-group DefaultWEBVPNGroup
NoAccess by default-group-policy
type tunnel-group SSL_VPN remote access
attributes global-tunnel-group SSL_VPN
address CONTOSOVICVPN_DHCP_POOL pool
authentication-server-group CONTOSOVIC_LDAP
authorization-server-group CONTOSOVIC_LDAP
Group Policy - by default-GroupPolicy_SSL_VPN
authorization required
tunnel-group SSL_VPN webvpn-attributes
message of rejection-RADIUS-
Proxy-auth sdi
enable CONTOSOvicvpn.CONTOSOgroup.com.au group-alias

You must specify the NoAccess group policy as group policy by default for the Group of the SSL_VPN tunnel.

Remember to rate helpful answers. :)

access remote vpn with ldap

Hi all

IM, configuration of a vpn for remote access with ldap, for what I see in some examples, I need to create a user/pass.

In my case, I already configured the aaa for the ldap Protocol Server. I also have the Group tunnl with the authentication server.

I need to create a user/pass?

Thank you.

Hello

I see what you mean!

It is not necessary for the integration of LDAP.

You don't have authentication LDAP not the LOCAL database, so no need for this.

Do not forget to rate all my answers

Julio Carvajal
Main and specialist of the Core network security
CCIE #42930, 2-CCNP JNCIS-SEC
For immediate assistance commit to http://i-networks.us

ASA 5520 - VPN using LDAP access control

I'm setting up an ASA 5520 for VPN access. Authorization & authentication using an LDAP server. I have successfully configured tunnel, and I can access internal resources. What I want to do now is to limit access to a specific ad group membership. In the absence of this belonging to a group, a user cannot access the VPN.

My VPN client software testing is Cisco Systems VPN Client 5.0.05.0290 Version. The Group authentication is configured in a connection entry that identifies the Group of Tunnel. I think I wrote that correctly.

The Version of the software on the SAA is 8.3 (1).

My current challenge is getting the VPN to stop letting each request for access through little matter belonging to a group. I found the thread below to be significantly useful, but there is obviously something which is not entirely mesh with my situation.

https://supportforums.Cisco.com/message/3232649#3232649

Thanking all in advance for everything offered thoughts and advice.

Configuration (AAA LDAP, group policy and group of tunnel) is below.

AAA-Server LDAP protocol ldap
AAA-Server LDAP (inside) host x.x.y.12
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_MAP
AAA-Server LDAP (inside) host x.x.y.10
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
LDAP-attribute-map LDAP_MAP
AAA-Server LDAP (inside) host x.x.y.11
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_MAP

AAA-Server LDAP (inside) host x.x.y.10
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
LDAP-attribute-map LDAP_MAP
AAA-Server LDAP (inside) host x.x.y.11
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_MAP
!
internal group NOACCESS strategy
NOACCESS group policy attributes
VPN - concurrent connections 0
Protocol-tunnel-VPN IPSec webvpn
address pools no
attributes of Group Policy DfltGrpPolicy
VPN - 10 concurrent connections
Protocol-tunnel-VPN IPSec webvpn
enable IPSec-udp
vpn group policy - pro internal
vpn - pro group policy attributes
value x.x.y.17 x.x.y.27 WINS server
Server DNS value x.x.y.19 x.x.y.29
VPN - 50 simultaneous connections
Protocol-tunnel-VPN IPSec svc
group-lock value vpn - pro
field default value domain.com
value of address ip-vpn-pro pools
WebVPN
client of dpd-interval SVC no
dpd-interval SVC 1800 bridge
!

attributes global-tunnel-group DefaultRAGroup
LDAP authentication group-server
LDAP authorization-server-group
Group Policy - by default-vpn-pro
authorization required
type group tunnel vpn - pro remote access
attributes global-tunnel-group-vpn - pro
LDAP authentication group-server
Group-server-authentication (LDAP outside)
LDAP authorization-server-group
Group Policy - by default-vpn-pro
band-Kingdom
password-management
band-band
authorization required
type tunnel-group NOACCESSGROUP remote access
attributes global-tunnel-group NOACCESSGROUP
LDAP authentication group-server
NOACCESS by default-group-policy

Hello

The configuration of what you are looking for is a feature called DAP (Dynamic Access Policy)

The following link will explain how to set up the same.

http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml

I hope this helps.

Kind regards

Anisha

P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

Traffic permitted only one-way for VPN-connected computers

Hello

I currently have an ASA 5505. I put up as a remote SSL VPN access. My computers can connect to the VPN very well. They just cannot access the internal network (192.168.250.0). They cannot ping the inside interface of the ASA, nor any of the machines. It seems that all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping this ASA VPN connection machine and other machines inside the LAN. It seems that the traffic allows only one way. I messed up with ACL with nothing doesn't. Any suggestions please?

Pool DHCP-192.168.250.20 - 50--> for LAN

Pool VPN: 192.168.250.100 and 192.168.250.101

Outside interface to get the modem DHCP

The inside interface: 192.168.1.1

Courses Running Config:

: Saved

:

ASA Version 8.2 (5)

!

hostname HardmanASA

activate the password # encrypted

passwd # encrypted

names of

!

interface Ethernet0/0

switchport access vlan 20

!

interface Ethernet0/1

switchport access vlan 10

!

interface Ethernet0/2

switchport access vlan 10

!

interface Ethernet0/3

Shutdown

!

interface Ethernet0/4

Shutdown

!

interface Ethernet0/5

Shutdown

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

switchport access vlan 10

!

interface Vlan1

No nameif

no level of security

no ip address

!

interface Vlan10

nameif inside

security-level 100

IP 192.168.250.1 255.255.255.0

!

interface Vlan20

nameif outside

security-level 0

IP address dhcp setroute

!

passive FTP mode

DNS lookup field inside

DNS domain-lookup outside

pager lines 24

Within 1500 MTU

Outside 1500 MTU

mask 192.168.250.100 - 192.168.250.101 255.255.255.0 IP local pool VPN_Pool

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global interface 10 (external)

NAT (inside) 10 192.168.250.0 255.255.255.0

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.250.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Telnet timeout 5

SSH 192.168.250.0 255.255.255.0 inside

SSH timeout 5

SSH version 2

Console timeout 0

dhcpd dns 8.8.8.8

!

dhcpd address 192.168.250.20 - 192.168.250.50 inside

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

allow outside

SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image

Picture disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 SVC

enable SVC

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

value of server DNS 8.8.8.8

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

tunnel-group AnyConnect type remote access

tunnel-group AnyConnect General attributes

address pool VPN_Pool

tunnel-group AnyConnect webvpn-attributes

enable AnyConnect group-alias

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

Review the ip options

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:30fadff4b400e42e73e17167828e046f

: end

Hello

No worries

As we change the config I would do as well as possible.

First, it is strongly recommended to use a different range of IP addresses for VPN clients and the internal network

No VPN_Pool 192.168.250.100 - 192.168.250.101 255.255.255.0 ip local pool mask

mask 192.168.251.100 - 192.168.251.101 255.255.255.0 IP local pool VPN_Pool

NAT_0 ip 192.168.250.0 access list allow 255.255.255.0 192.168.251.0 255.255.255.0

NAT (inside) 0-list of access NAT_0

Then give it a try and it work note this post hehe

Auth of remote VPN through LDAP allow all users!

Hello

I have 5505 firewall and security license. I have configure remote VPN on firewall through CLI with the commands below. Remote VPN works well, but the problem is, it allows all remote VPN users. I need to restrict remote VPN access bit user, I need to configure via CLI, I don't want to go through ASDM, can someone help me with CLI?

ASDM I can able to perfom below things I'm not able to perform through CLI

Configuration-> access to the network (Client)-> dynamic access policies

Through ASDM I'm able to set the VPN users are allow to remote VPN access, how to set up same thing through CLI

Here's my CLI:

LDAP attribute-map CISCOMAP

name of the KFG IETF Radius-class card

map-value VPN CN = VPN, DC = domain, DC = com noaccess_pri

map-value VPN CN = VPN, DC = domain, DC = com noaccess_bk

map-value VPN CN = VPN, DC = domain, DC = com splitgroup_pri

map-value VPN CN = VPN, DC = domain, DC = com splitgroup_bk

AAA-server ldapgroup protocol ldap

ldapgroup AAA-server (inside) host 10.1.10.5

LDAP-base-dn dc = domain, dc = com

LDAP-scope subtree

LDAP-naming-attribute sAMAccountName

LDAP-login-password Inf0rmati0n1

LDAP-connection-dn cn = VPN, dc = domain, dc = com

microsoft server type

LDAP-attribute-map CISCOMAP

internal noaccess_pri group policy

attributes of the strategy of group noaccess_pri

VPN - concurrent connections 0

output

internal noaccess_bk group policy

attributes of the strategy of group noaccess_bk

VPN - concurrent connections 0

output

internal splitpolicy_pri group policy

Protocol-tunnel-VPN IPSEC l2tp ipsec

tunnel-group splitgroup_pri General-attributes

ldapgroup group-LOCAL authentication server

internal splitpolicy_bk group policy

Protocol-tunnel-VPN IPSEC l2tp ipsec

tunnel-group splitgroup_bk General-attributes

ldapgroup group-LOCAL authentication server

Thank you

Abhishek

Hello

You cannot configure the DAP via CLI Protocol because the configuration is saved in a file dap.xml and is stored in flash of the SAA.

You can configure the DAP protocol using the following link:

http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml#T4

Also note that the link mentions the following:

Note:

The dap.xml file that contains the attributes of selection policies DAP, is stored in flash of the SAA. Although you can export the file dap.xml out, the edit box (if you know about the xml syntax), and re - import again, be very careful, because you might ASDM stop treatment of DAP files if you have misconfigured something. There is no CLI to handle this part of the configuration.

I hope this helps.

Kind regards

Anisha

P.S.: Please mark this message as answered if you feel that your query is resolved. Note the useful messages.

I forgot the password for VPN record how I opened

First I have to buy the phone add password for VPN and I forgot how I fix this

You can try to perform a repair of the system as it will be your phone factory reset or below, try to perform a factory reset, but in order to achieve a system repair

Turn off your phone and unplug the PC (Hold to increase the volume and power for 10 seconds)
Start PC Companion and select the area of support then updated my phone/Tablet then blue fix my phone/Tablet and follow the instructions on the screen - when you are prompted, always connect your phone off press and hold volume or back button - this should begin the process of repair or reformatting

If you use Windows 8/8.1 or a 64-bit operating system and then adjust the settings for PC Companion and run in compatibility mode and choose Windows 7 or XP

Backup AAA for PIX

I have a PIX with the following configuration:

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + (inside) host 192.168.1.1 77777 timeout 5

RADIUS Protocol RADIUS AAA server

AAA-RADIUS (inside) host 192.168.1.1 Server 77777 timeout 10

AAA-server local LOCAL Protocol

AAA authentication GANYMEDE serial console +.

AAA authentication enable console GANYMEDE +.

order of AAA for authorization GANYMEDE +.

AAA accounting correspond to aaa_acl inside RADIUS

Everything works fine when the RADIUS server is available. When he is not available, I can log in with the username "PIX" and "password". The problem is, once I connected, I can't get permission to execute orders. Does anyone know of a command that is similar to the "if-certified" for routers that I can use?

There is no method of backup for authorization for the PIX. As you know, if the RADIUS server is down, you can connect with "pix" and the password enable, but it doesn't help a permission. The only thing you can do is wait the GANYMEDE server back to the top. I'm sorry.

ASA - several IPS for VPN

I'll put up Anyconnect to replace our customers of Cisco IPsec VPN, since it is end of life. A part of the process is to get an SSL certificate and a FULL domain name to use for this. I've got that and it is applied to the ASA very well. Now we don't get these warnings to the subject it is not not sure and such.

The problem is that we use a non-standard port for the SSL VPN from 443 is already sent to an internal device. I have unused public addresses to the external interface of the ASA, but I don't know how I could use them. I would like to have a different IP address for SSL VPN, so I don't have to mess with the port forward that is currently in place. I read on proxy arp, but that looks like it could be a problem. I could have someone connect another cable to a different interface on the ASA (5512-X) and assign this static interface I want for the VPN, but I'm not sure it will work well. We have connections VPN site to site in place as well. Can I have the ASA listening on two different interfaces at the same time?

Recap:

IP 1 - address primary NAT, Site at tunnels put end here, some Cisco IPsec VPN terminate customer

IP 2 - want to have all customers of Anyconnect connect here, to migrate all legacy Cissco IPsec clients until they are all over Anyconnect.

Key is that I can not stop listening on IP 1 for site-to-site connections.

Thoughts?

Thank you!

On the SAA, you cannot use the additional IPS for VPN.

If tcp/443 is already used for an external server, then I would reconfigure the DNS entry for it to use the second IP address that must be sent to the internal server. You can then use the IP interface of the ASA for AnyConnect.

ASA for vpn only

Hello

I would like to configure the ASA for vpn only. By default, ASA allows traffic from the interface of high security to low security interface. I want to stop it. Is it possible to do without resorting to access lists.

Thank you

John

Define interfaces for the same level of security and make sure that you do not have same-security-traffic permits inter-interface enabled.

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807fc191.shtml

Hope that helps.

Can the NAT of ASA configuration for vpn local pool

We have a group of tunnel remote ipsec, clients address pool use 172.18.33.0/24 which setup from command "ip local pool. The remote cliens must use full ipsec tunnel.

Because of IP overlap or route number, we would like to NAT this local basin of 172.18.33.0 to 192.168.3.0 subnet when vpn users access certain servers or subnet via external interface of the ASA. I have nat mapping address command from an interface to another interface of Armi. The pool local vpn is not behind any physical interface of the ASA. My question is can ASA policy NAT configuration for vpn local pool. If so, how to set up this NAT.

Thank you

Haiying

Elijah,

NAT_VPNClients ip 172.18.33.0 access list allow 255.255.255.0 10.1.1.0 255.255.255.0

public static 192.168.33.0 (external, outside) - NAT_VPNClients access list

The above configuration will be NAT 172.18.33.0/24 to 192.168.33.0/24 when you go to 10.1.1.0/24 (assuming that 10.1.1.0/24 is your subnet of servers).

To allow the ASA to redirect rewritten traffic the same interface in which he receive, you must also order:

permit same-security-traffic intra-interface

Federico.

Policy NAT for VPN L2L

Summary:

We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.

My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.

Here is the config:

# #List of OUR guests

the OURHosts object-group network

network-host 192.168.x.y object

# Hosts PARTNER #List

the PARTNERHosts object-group network

network-host 10.2.a.b object

###ACL for NAT

# Many - to - many outgoing

access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts

# One - to - many incoming

VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group

# #NAT

NAT (INSIDE) 2-list of access NAT2

NAT (OUTSIDE) 2 172.20.n.0

NAT (INSIDE) 3 access-list VIH3

NAT (OUTSIDE) 3 172.20.n.1

# #ACL for VPN

access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group

access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list

# #Tunnel

tunnel-group type ipsec-l2l

card <#>crypto is the VPN address

card crypto <#>the value transform-set VPN

card <#>crypto defined peer

I realize that the ACL for the VPN should read:

access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list

access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list

.. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?

Thanks in advance.

Patrick

Here is the order of operations for NAT on the firewall:

1 nat 0-list of access (free from nat)

2. match the existing xlates

3. match the static controls

a. static NAT with no access list

b. static PAT with no access list

4. match orders nat

a. nat [id] access-list (first match)

b. nat [id] [address] [mask] (best match)

i. If the ID is 0, create an xlate identity

II. use global pool for dynamic NAT

III. use global dynamic pool for PAT

If you can try

(1) a static NAT with an access list that will have priority on instruction of dynamic NAT

(2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.

I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

Jon

How to open the manual mini port for vpn connection in win7?

How to open the manual mini port for vpn connection in win7?

Hi Andrew,

Your question of Windows 7 is more complex than what is generally answered in the Microsoft Answers forums. It would be better suited to the TechNet community.

Please visit the link below to find a community that will provide the support you want.

http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

AAA for VPN - Kerberos, LDAP or an NT domain?

Similar Questions

Maybe you are looking for