AAA local-override

Is there an equivalent of aaa local-override for the ASA? I would like local accounts to work on my ASA even when the RADIUS server is operational.

Thanks, gary

Unfortunately not.

PK

Tags: Cisco Security

Similar Questions

  • AAA & local login

    Hello

    I have a curious problem.

    If I use the following line in my configs:

    aaa authentication login default group tacacs+ local

    and a username and password configured locally as follows:

    username test password abc123

    the ACS server authenticates the login request OK each time. But if you try to connect with the local username, it fails. If you disconnect the ACS server, then the local username and password work.

    Probably the ACS server sees that there is no username corresponding to this local one and fails the attempt.

    Is there a way to make it fall back to the router and use the local username?

    Thanks for your help.

    Ray

    Ray,

    In fact, it is by design. The router will fall back only in the case where there is no response from the ACS server.

    If ACS can't locate the user, it will say "user not found" to the router, and then the router will not check its local database.

    If there is no response from ACS, the router gets 'error' as the return value, so it then checks its local database for this user.

    Hope that helps!

    Kind regards

    ~ JG

    Please rate the useful posts.

  • ACS 5.1 / ASA AAA local failover for unknown user

    Hello

    I know how to set the ASA to fall back to LOCAL authentication if the RADIUS server is not available.

    Now we want to authenticate users if the user is not in AD. Is this possible, and how do I set it up with the new policies? I tested it with a fallback when the user is not in AD, but then the RADIUS server is marked 'dead' and other AD users cannot connect for a given period. Perhaps we can set the timeout to 0, but it's not as nice as it could be.

    Thank you very much in advance.

    Dominic

    This can be done by creating an identity store sequence (Users and Identity Stores > Identity Store Sequences).

    An identity store sequence lets you try several databases in sequence until the user authenticates.

    Create a sequence, then select password-based authentication, then AD1 followed by "Internal Users" in the authentication method list. Once created, the sequence is selectable as the result of the corresponding identity policy.

  • 802.1X backup solution with local AAA?

    So I decided to use 802.1X on a switch module in a 2901, the reasons being laptop mobility and network security.

    However, 802.1X authentication happens over the VPN tunnel (over the Internet). Our concern is: what happens if the Internet or the tunnel goes down? I know that 802.1X does not authenticate against the local IOS DB, so what would be another option in case this scenario happened?

    There will be only one device authenticating (maybe 2) and they are 2 HP Windows 7 laptop computers.

    Thanks in advance!

    Yes

  • AAA/RADIUS debugging for a single MAC address only

    I have a question: is there a way I can debug AAA, RADIUS and EAP communication on a switch for a particular MAC address (endpoint) only?

    Thank you.

    EAP authentication

    In order to troubleshoot the interaction between the WLC and the authentication server (external RADIUS or the internal EAP server), use the command debug aaa all enable, which shows the required details. This command must be used after the debug client command and can be combined with other debug commands as needed (for example, transfer).

     (Cisco Controller) >debug client 00:00:00:00:00:00
     (Cisco Controller) >debug aaa all enable
     (Cisco Controller) >show debug
     MAC address ................................ 00:00:00:00:00:00
     Debug Flags Enabled:
       aaa detail enabled.
       aaa events enabled.
       aaa packet enabled.
       aaa ldap enabled.
       aaa local-auth db enabled.
       aaa local-auth eap framework errors enabled.
       aaa local-auth eap framework events enabled.
       aaa local-auth eap framework packets enabled.
       aaa local-auth eap framework state machine enabled.
       aaa local-auth eap method errors enabled.
       aaa local-auth eap method events enabled.
       aaa local-auth eap method packets enabled.
       aaa local-auth eap method state machine enabled.
       aaa local-auth shim enabled.
       aaa tacacs enabled.
       dhcp packet enabled.
       dot11 mobile enabled.
       dot11 state enabled.
       dot1x events enabled.
       dot1x states enabled.
       mobility handoff enabled.
       pem events enabled.
       pem state enabled.

  • Local RADIUS issue?

    Hello

    I just took a look at the local RADIUS server functionality on a router. I found a strange problem which makes no sense to me, and I was wondering if someone could explain what I see. As a basic lab to learn the tricks of the trade with local RADIUS, I created a local RADIUS server on my router and got the vty lines to use it for authentication.

    This is my config (key and hash values omitted):

    interface Loopback0
     ip address 192.168.0.1 255.255.255.255
    !
    ip radius source-interface Loopback0
    !
    aaa group server radius LOCAL-RADIUS
     server 192.168.0.1 auth-port 1812 acct-port 1813
    !
    aaa authentication login default group LOCAL-RADIUS
    !
    radius-server local
     nas 192.168.0.1 key 0
     user mwhittle nthash 0
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key
    radius-server vsa send accounting
    !

    Now, here's the strange thing... If I configure the RADIUS user "mwhittle" with password "mwhittle", it works and I get an Access-Accept. If I configure anything other than the username as the password, it doesn't work and I get an Access-Reject. I tried several combinations, but as long as the username and password are the same it works, and if they are not, it doesn't. This cannot be normal behavior unless I'm missing something.

    Any ideas?

    Kind regards

    Mike

    Hello

    What kind of RADIUS client application are you using with the IOS local RADIUS server? Please note that this server supports *only* wireless clients, and only for the LEAP and EAP-FAST EAP types, and also MAC authentication. It does not provide support for other kinds of RADIUS clients.

    The fact that username=password happens to seem to work is, I believe, an accidental artifact of the MAC authentication support, where the username is always equal to the password.

    If you are not using MAC auth, then please feel free to open a TAC case and we will help you.

    Let me know if this answered your question.

    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or helpful.

  • Local users for SSL VPN

    Hello

    I would like to know the security best practices when you use the router's local DB for VPN users; I have only 3 users accessing the VPN.

    As far as I know, local users also have access to the router via serial/SSH/telnet. Is there a way to disable that and make them VPN-only?

    I checked AAA and it seems that you cannot tie local users to AAA lists.

    I use a Cisco 1900 series ISR.

    Hi Luka,

    You have the option of parser views, see:

    Role-Based CLI Access

    The LOCAL database on any network device is useful for a small group of users, but it is always better to have an external database such as AD to maintain and control the level of access, for example via TACACS+.

    HTH.

    Portu.

    Please rate all useful posts.

  • Cannot allow point Master overrides on selection

    InDesign CS5 on a MacBook Pro OS 10.6

    I created my master pages and started laying out my document. On certain pages of the document, I would like to make a change to one of the master page elements. I tried control + clicking on the item; nothing happens. I looked in the Pages panel menu and I can choose "Override all Master Page items" (which is not what I want), and I noticed that "Allow Master overrides on selection of elements" is grayed out.

    My questions are:

    1. Why is "Allow Master overrides on selection of elements" grayed out?

    2. Once I select "Override all Master Page items", is there a way to lock the master page items again once I have made my changes to this page?

    Thank you.

    First of all, a manual override on the document page is done with Cmd + Shift + click.

    In response to question 1, you must select an object on the master page to allow (the default) or prevent local overrides.

    In response to question 2, if there are overridden elements on the page, you will have two choices, depending on whether the overridden object is selected or not. If objects are selected, there will be a command to remove overrides from the selected objects; otherwise the command will be to remove all overrides.

    Don't forget, also, that master objects sit behind whatever is added to the layer, even on the document page. This can make it a little more complicated to select and override certain objects.

  • Win 7 client workstations not getting updates

    Hello

    Last week most of our clients did not seem able to get the October Patch Tuesday (2nd Tuesday) patches from the WSUS server. The clients' last-reported status on the WSUS server is stuck at 10/12/16 and 13/10/16. We need help to check whether the problem is the PCs or the WSUS server. The client-side log is below:

    =================================================

    2016-10-19 07:43:57:292 1132 1264 PT WARNING: Cached cookie has expired or new PID is available
    2016-10-19 07:43:57:292 1132 1264 PT Initializing simple targeting cookie, clientId = bbd72336-786e-4172-bd5d-f9b03a3ee5fb, target group = user driver, DNS name = mkzlcnd43139rq.aaa.local
    2016-10-19 07:43:57:292 1132 1264 PT   Server URL = http://wsus01/SimpleAuthWebService/SimpleAuth.asmx
    2016-10-19 07:43:57:776 1132 1264 Report Uploading 1 events using cached cookie, reporting URL = http://wsus01/ReportingWebService/ReportingWebService.asmx
    2016-10-19 07:43:57:916 1132 1264 Report Reporter successfully uploaded 1 events.
    2016-10-19 07:43:58:665 1132 1d18 Service *********
    2016-10-19 07:43:58:665 1132 1d18 Service **  END  **  Service: Service exit [Exit code = 0x240001]
    2016-10-19 07:43:58:665 1132 1d18 Service *************
    2016-10-19 07:48:44:068 1096 1bf0 Misc ===========  Logging initialized (build: 7.6.7601.19161, tz: +0800)  ===========
    2016-10-19 07:48:44:308 1096 1bf0 Misc   = Process: C:\Windows\system32\svchost.exe
    2016-10-19 07:48:44:738 1096 1bf0 Misc   = Module: c:\windows\system32\wuaueng.dll
    2016-10-19 07:48:44:068 1096 1bf0 Service *************
    2016-10-19 07:48:45:167 1096 1bf0 Service ** START **  Service: Service startup
    2016-10-19 07:48:45:207 1096 1bf0 Service *********
    2016-10-19 07:48:47:726 1096 1bf0 Agent   * WU client version 7.6.7601.19161
    2016-10-19 07:48:47:916 1096 1bf0 Agent   * Base directory: C:\Windows\SoftwareDistribution
    2016-10-19 07:48:47:996 1096 1bf0 Agent   * Access type: No proxy
    2016-10-19 07:48:48:175 1096 1bf0 Agent   * Network state: Connected
    2016-10-19 07:49:09:571 1096 848 Report CWERReporter::Init succeeded
    2016-10-19 07:49:09:571 1096 848 Agent ***********  Agent: Initializing Windows Update Agent  ***********
    2016-10-19 07:49:09:571 1096 848 Agent   * Prerequisite roots succeeded.
    2016-10-19 07:49:09:571 1096 848 Agent ***********  Agent: Initializing global settings cache  ***********
    2016-10-19 07:49:09:571 1096 848 Agent   * WSUS server: http://wsus01
    2016-10-19 07:49:09:571 1096 848 Agent   * WSUS status server: http://wsus01
    2016-10-19 07:49:09:571 1096 848 Agent   * Target group: user driver
    2016-10-19 07:49:09:571 1096 848 Agent   * Windows Update access disabled: Yes
    2016-10-19 07:49:09:591 1096 848 DnldMgr Download manager restoring 0 downloads
    2016-10-19 07:49:09:601 1096 848 DnldMgr Recovered 1 persisted download jobs
    2016-10-19 07:49:09:601 1096 848 DnldMgr ***********  DnldMgr: Restoring download [No. 0]  ***********
    2016-10-19 07:49:09:601 1096 848 DnldMgr   * BITS JobId = {BFCEFE64-9DDA-4001-B302-583D60179E62}
    2016-10-19 07:49:09:601 1096 848 DnldMgr   * ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}
    2016-10-19 07:49:09:621 1096 848 DnldMgr   * UpdateId = {02EDD51F-6734-4772-B877-ECDE0ACE87E1}.200
    2016-10-19 07:49:09:731 1096 848 DnldMgr   * Download job restored.
    2016-10-19 07:49:09:981 1096 1bf0 Report ***********  Report: Initializing static reporting data  ***********
    2016-10-19 07:49:09:981 1096 1bf0 Report   * OS Version = 6.1.7601.1.0.65792
    2016-10-19 07:49:09:981 1096 1bf0 Report   * OS Product Type = 0x00000004
    2016-10-19 07:49:10:001 1096 1bf0 Report   * Computer Brand = Hewlett-Packard
    2016-10-19 07:49:10:001 1096 1bf0 Report   * Computer Model = HP ProBook 440 G2
    2016-10-19 07:49:10:001 1096 1bf0 Report   * Bios Revision = M74 Ver. 01.08
    2016-10-19 07:49:10:001 1096 1bf0 Report   * Bios Name = Default System BIOS
    2016-10-19 07:49:10:001 1096 1bf0 Report   * Bios Release Date = 2014-12-12T00:00:00
    2016-10-19 07:49:10:001 1096 1bf0 Report   * Locale ID = 1033
    2016-10-19 07:49:33:872 1096 1bf0 AU ###########  AU: Initializing Automatic Updates  ###########
    2016-10-19 07:49:33:882 1096 1bf0 AU Setting next detection timeout to 2016-10-18 23:49:33
    2016-10-19 07:49:33:882 1096 1bf0 AU   # WSUS server: http://wsus01
    2016-10-19 07:49:33:882 1096 1bf0 AU   # Detection frequency: 2
    2016-10-19 07:49:33:882 1096 1bf0 AU   # Target group: user driver
    2016-10-19 07:49:33:882 1096 1bf0 AU   # Approval type: Pre-install notify (Policy)
    2016-10-19 07:49:33:882 1096 1bf0 AU   # Auto-install minor updates: No (Policy)
    2016-10-19 07:49:33:882 1096 1bf0 AU   # Will interact with non-admins (Non-admins are elevated (Policy))
    2016-10-19 07:49:33:912 1096 1bf0 AU Successfully wrote event for AU health state:0
    2016-10-19 07:49:33:912 1096 1bf0 AU Initializing featured updates
    2016-10-19 07:49:33:912 1096 1bf0 AU Found 0 cached featured updates
    2016-10-19 07:49:33:912 1096 1bf0 AU Successfully wrote event for AU health state:0
    2016-10-19 07:49:33:912 1096 1bf0 AU Successfully wrote event for AU health state:0
    2016-10-19 07:49:33:912 1096 1bf0 AU AU finished delayed initialization
    2016-10-19 07:49:33:912 1096 1bf0 AU #############
    2016-10-19 07:49:33:912 1096 1bf0 AU ## START ##  AU: Search for updates
    2016-10-19 07:49:33:912 1096 1bf0 AU #########
    2016-10-19 07:49:33:932 1096 1bf0 AU <<## SUBMITTED ## AU: Search for updates [CallId =
    2016-10-19 07:49:33:932 1096 1cac Agent *************
    2016-10-19 07:49:33:932 1096 1cac Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2016-10-19 07:49:33:932 1096 1cac Agent *********
    2016-10-19 07:49:33:932 1096 1cac Agent   * Online = No; Ignore download priority = No
    2016-10-19 07:49:33:932 1096 1cac Agent   * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstall' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstall' and RebootRequired=1"
    2016-10-19 07:49:33:932 1096 1cac Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2016-10-19 07:49:33:932 1096 1cac Agent   * Search Scope = {Machine}
    2016-10-19 08:35:50:329 1096 11e4 AU Triggering AU detection through DetectNow API
    2016-10-19 08:35:50:329 1096 11e4 AU Will do the detection after current detection completes
    2016-10-19 09:11:06:067 1096 1bf0 AU Successfully wrote event for AU health state:0
    2016-10-19 09:11:15:144 1096 1bf0 AU Successfully wrote event for AU health state:0
    2016-10-19 09:32:33:818 1096 1bf0 AU Received policy change subscription event

    ===========================================

    I also ran the Cleanup Wizard on the WSUS server, but it doesn't help much.

    Help, please.

    Thank you

    Hi Yu,

    For advanced support regarding your concern, we suggest you post your query in the TechNet forum.

    Kind regards.

  • TACACS+ Configuration

    Hello

    I am trying to build a TACACS+ config on my network devices. I have an ACS doing the authentication. What I want is to have ACS authenticate my users and allow them access. However, I would like to leave console access using a local username and the local enable password so that I have a backdoor in case of future problems. I have everything working except the ability to enter enable mode on the console using the local enable password. I get an auth error, because I think the device tries to auth the enable password against ACS as a result of:

    aaa authentication enable default group tacacs+ enable

    I can get around it by applying privilege level 15 directly to the line, which drops straight into enable mode, but that seems less secure.

    Any ideas?

    Here are the relevant bits of my config (and I don't have a local username and enable defined):

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local none
    aaa authorization exec console local
    aaa authorization commands 0 default group tacacs+ local none
    aaa authorization commands 1 default group tacacs+ local none
    aaa authorization commands 15 default group tacacs+ local none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common

    line con 0
     password 7
     login authentication console

    Thanks in advance

    Hi Rose,

    Unfortunately, there is no way to apply a specific method list for the enable authentication to apply to the console.

    Named method list for enable authentication is not supported.

    Regards,
    ~JG

    Do rate helpful posts

  • Local login on Cisco router

    Hi all:

    I have configured RADIUS on all devices on my network, but I need to allow local login (RADIUS and local) on one of them (creating a local administrator user).

    Could someone help me?

    Thank you!!

    W.

    Walter,

    In this case, you will need to use local first:

    aaa authentication login default local group RadiusServers

    Kind regards

    ~ JG

    Please rate the useful posts.

  • UC500 and IPsec VPN client - disconnects

    Just throwing a question out there.
    I have a UC560 running uc500-advipservicesk9-mz.151-2.T2 at the HQ site. Remote users, about 8 of them, attempt to connect via the IPsec VPN client (v5.0.07.0440) to HQ to access files, etc. The behavior I see is that 5 users connect successfully, but only 5. As soon as more users try to connect, they either:

    1. connect successfully for a minute, then drop
    2. get a 412, remote peer is not responding
    3. connect, but kick off someone else's session.

    Users use the same VPN profile, but with unique usernames and passwords.

    Here are some of the UC500 configs for VPN clients (pre-shared key omitted):
    crypto isakmp client configuration group USER01
     key
     dns 192.168.0.110
     pool USER01_POOL
     acl USER01_ACL

    aaa authentication login RAUTHEN local
    aaa authorization network RAUTHOR local if-authenticated

    crypto isakmp profile USER01_PROF
     match identity group USER01
     client authentication list RAUTHEN
     isakmp authorization list RAUTHOR
     client configuration address respond

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp policy 100
     encr aes
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp policy 1000
     encr 3des
     authentication pre-share
     group 2

    I enabled debugging:
    debug crypto isakmp
    debug crypto ipsec

    Here are some of the things that I see in the debugs:
    604899: Aug 21 16:41:13.333: ISAKMP:(2073): processing HASH payload. message ID = 284724149
    604900: Aug 21 16:41:13.333: ISAKMP:(2073): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 284724149, sa = 0x8E7C6E68
    604901: Aug 21 16:41:13.333: ISAKMP:(2073): deleting node 284724149 error FALSE reason "Informational (in) state 1"
    604902: Aug 21 16:41:13.333: ISAKMP:(2073): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    604903: Aug 21 16:41:13.333: ISAKMP:(2073): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

    581504: Aug 20 16:59:12.805: ISAKMP:(2147): purging node -1455244451
    581505: Aug 20 16:59:12.805: ISAKMP:(2147): purging node 840814618
    581506: Aug 20 16:59:13.933: ISAKMP (2147): received packet from 201.195.231.162 dport 4500 sport 37897 Global (R) QM_IDLE
    581507: Aug 20 16:59:13.933: ISAKMP: set new node 801982813 to QM_IDLE
    581508: Aug 20 16:59:13.933: ISAKMP:(2147): processing HASH payload. message ID = 801982813
    581509: Aug 20 16:59:13.933: ISAKMP: received payload type 18
    581510: Aug 20 16:59:13.933: ISAKMP:(2147): processing delete with reason payload
    581511: Aug 20 16:59:13.933: ISAKMP:(2147): delete doi = 0
    581512: Aug 20 16:59:13.933: ISAKMP:(2147): delete protocol id = 1
    581513: Aug 20 16:59:13.933: ISAKMP:(2147): delete spi_size = 16
    581514: Aug 20 16:59:13.933: ISAKMP:(2147): delete num spis = 1
    581515: Aug 20 16:59:13.933: ISAKMP:(2147): delete_reason = 2
    581516: Aug 20 16:59:13.933: ISAKMP:(2147): processing DELETE_WITH_REASON payload, message ID = 801982813, reason: DELETE_BY_USER_COMMAND
    581517: Aug 20 16:59:13.933: ISAKMP:(2147): peer does not do paranoid keepalives.

    581518: Aug 20 16:59:13.933: ISAKMP:(2147): peer does not do paranoid keepalives.

    581519: Aug 20 16:59:13.933: ISAKMP:(2147): deleting SA reason "User Command" state (R) QM_IDLE (peer 201.195.231.162)
    581520: Aug 20 16:59:13.933: ISAKMP:(2147): deleting node 801982813 error FALSE reason "Informational (in) state 1"
    581521: Aug 20 16:59:13.933: ISAKMP: set new node -878597687 to QM_IDLE
    581522: Aug 20 16:59:13.937: ISAKMP:(2147): sending packet to 201.195.231.162 my_port 4500 peer_port 37897 (R) QM_IDLE
    581523: Aug 20 16:59:13.937: ISAKMP:(2147): Sending an IKE IPv4 Packet.
    581524: Aug 20 16:59:13.937: ISAKMP:(2147): purging node -878597687
    581525: Aug 20 16:59:13.937: ISAKMP:(2147): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    581526: Aug 20 16:59:13.937: ISAKMP:(2147): Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

    I opened a case with TAC on this and they do not understand what the cause is. To them, it looks like an undocumented bug. Their recommendation is to reboot, upgrade, or try configuring L2TP for the remote users.

    Thank you

    JP

    JP,

    An IOS update is worth it, even if the debugs seem to indicate that there is a problem with the client. If possible, I always suggest testing with another client to see if it is unique to the Cisco VPN Client on Win7. Regarding the 20 tunnel limit, it is very probably the number of IPsec security associations. If you issue 'show crypto eli', it displays the number of IPsec sessions that are currently active.

    HTH,

    Frank

  • VPN site-to-site between ASA 5505 and 2911

    Hi all

    I'm trying to set up a site-to-site VPN. The head office has a 2911 router with IP a.a.a.a, the remote office an ASA 5505 running 8.4(3) with IP b.b.b.b, but no luck.

    2911 config (passwords, keys and serial number omitted):

    !
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 2911
    !
    boot-start-marker
    boot system flash c2900-universalk9-mz.SPA.152-2.T.bin
    boot-end-marker
    !
    !
    security passwords min-length 10
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    !
    ipv6 spd queue-min-threshold 62
    ipv6 spd queue-max-threshold 63
    no ipv6 cef
    ip auth-proxy max-login-attempts 5
    ip admission max-login-attempts 5
    !
    !
    !
    ip dhcp excluded-address 192.168.10.1 192.168.10.99
    ip dhcp excluded-address 192.168.22.1 192.168.22.99
    ip dhcp excluded-address 192.168.33.1 192.168.33.99
    ip dhcp excluded-address 192.168.44.1 192.168.44.99
    ip dhcp excluded-address 192.168.55.1 192.168.55.99
    ip dhcp excluded-address 192.168.10.240 192.168.10.254
    ip dhcp excluded-address 192.168.22.240 192.168.22.254
    ip dhcp excluded-address 192.168.33.240 192.168.33.254
    ip dhcp excluded-address 192.168.44.240 192.168.44.254
    ip dhcp excluded-address 192.168.55.240 192.168.55.254
    !
    ip dhcp pool desktop
     import all
     network 192.168.33.0 255.255.255.0
     default-router 192.168.33.254
     dns-server 192.168.10.10 202.50.246.41 202.50.246.42
     domain-name local
     netbios-name-server 192.168.10.10
     netbios-node-type h-node
    !
    ip dhcp pool wi-fi
     import all
     network 192.168.44.0 255.255.255.0
     dns-server 192.168.10.10 202.50.246.41 202.50.246.42
     domain-name local
     default-router 192.168.44.254
     netbios-name-server 192.168.10.10
     netbios-node-type h-node
    !
    ip dhcp pool DMZ
     import all
     network 192.168.55.0 255.255.255.0
     dns-server 192.168.10.10 202.50.246.41 202.50.246.42
     domain-name local
     default-router 192.168.55.254
     netbios-name-server 192.168.10.10
     netbios-node-type h-node
    !
    ip dhcp pool voip
     import all
     network 192.168.22.0 255.255.255.0
     dns-server 192.168.10.10 202.50.246.41 202.50.246.42
     domain-name local
     default-router 192.168.22.254
     netbios-name-server 192.168.10.10
     netbios-node-type h-node
    !
    ip dhcp pool servers
     import all
     network 192.168.10.0 255.255.255.0
     default-router 192.168.10.254
     dns-server 192.168.10.10 202.50.246.41 202.50.246.42
     domain-name local
     netbios-name-server 192.168.10.10
     netbios-node-type h-node
    !
    !
    ip domain name domain
    ip name-server 192.168.10.10
    ip cef
    login block-for 180 attempts 3 within 180
    timeout 10
    vlan ifdescr detail
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-3956567439
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3956567439
     revocation-check none
     rsakeypair TP-self-signed-3956567439
    !
    !
    crypto pki certificate chain TP-self-signed-3956567439
     certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
    license udi pid CISCO2911/K9 sn
    !
    !
    object-group network FULL_NET
     description full range of the network
     192.168.10.0 255.255.255.0
     192.168.11.0 255.255.255.0
     192.168.22.0 255.255.255.0
     192.168.33.0 255.255.255.0
     192.168.44.0 255.255.255.0
    !
    object-group network limited
     description network without servers and router
     192.168.22.0 255.255.255.0
     192.168.33.0 255.255.255.0
     192.168.44.0 255.255.255.0
    !
    vtp version 2
    username admin privilege 0 password 7
    !
    redundancy
    !
    !
    !
    !
    !
    no ip ftp passive
    !
    !
    crypto isakmp policy 10
     encr aes 256
     hash sha512
     authentication pre-share
    crypto isakmp key admin address b.b.b.b
    crypto isakmp invalid-spi-recovery
    !
    !
    crypto ipsec transform-set SET esp-aes esp-sha-hmac
    !
    !
    !
    crypto map map 10 ipsec-isakmp
     set peer b.b.b.b
     set transform-set SET
     match address 160
    !
    !
    !
    !
    !
    interface Port-channel1
     no ip address
     hold-queue 150 in
    !
    interface Port-channel1.1
     encapsulation dot1Q 1 native
     ip address 192.168.11.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Port-channel1.10
     encapsulation dot1Q 10
     ip address 192.168.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Port-channel1.22
     encapsulation dot1Q 22
     ip address 192.168.22.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Port-channel1.33
     encapsulation dot1Q 33
     ip address 192.168.33.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Port-channel1.44
     encapsulation dot1Q 44
     ip address 192.168.44.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Port-channel1.55
     encapsulation dot1Q 55
     ip address 192.168.55.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     no ip address
     duplex auto
     speed auto
     channel-group 1
    !
    interface GigabitEthernet0/2
     description $ES_LAN$
     no ip address
     duplex auto
     speed auto
     channel-group 1
    !
    interface GigabitEthernet0/0/0
     ip address a.a.a.a 255.255.255.224
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map
    !
    ip forward-protocol nd
    !
    no ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload
    ip nat inside source static udp a.a.a.a 500 interface GigabitEthernet0/0/0 500
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
    !
    ip access-list extended NAT_INTERNET
     deny   ip object-group FULL_NET 192.168.17.0 0.0.0.255
     deny   ip object-group FULL_NET 192.168.1.0 0.0.0.255
     permit ip object-group FULL_NET any
    !
    access-list 1 permit 192.168.44.100
    access-list 23 permit 192.168.10.7
    access-list 23 permit 192.168.44.0 0.0.0.255
    access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
    access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
     password 7
     login
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     access-class 23 in
     privilege level 15
     login local
     transport input ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     login local
     transport input ssh
    !
    scheduler allocate 20000 1000
    !
    end

    The ASA config:

    : Saved
    :
    ASA Version 8.4(3)
    !
    hostname C
    domain-name domain
    enable password password encrypted
    passwd passwd encrypted
    names
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
     shutdown
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     switchport access vlan 100
    !
    interface Ethernet0/6
     switchport trunk allowed vlan 2,6
     switchport mode trunk
    !
    interface Ethernet0/7
     shutdown
    !
    interface Vlan1
     description INTERNET
     mac-address 1234.5678.0001
     nameif WAN
     security-level 0
     ip address b.b.b.b 255.255.255.248 standby c.c.c.c
     ospf cost 10
    !
    interface Vlan2
     description OLD-PRIVATE
     mac-address 1234.5678.0102
     nameif OLD-Private
     security-level 100
     ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
     ospf cost 10
    !
    interface Vlan6
     description MANAGEMENT
     mac-address 1234.5678.0106
     nameif Management
     security-level 100
     ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
     ospf cost 10
    !
    interface Vlan100
     description LAN Failover Interface
    !
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone NZST 12
    clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
    dns domain-lookup WAN
    dns server-group DefaultDNS
     name-server 208.67.222.222
     domain-name domain
    same-security-traffic permit intra-interface
    object network obj-192.168.17.0
     subnet 192.168.17.0 255.255.255.0
    object network obj-192.168.10.0
     subnet 192.168.10.0 255.255.255.0
    object network obj-192.168.2.0
     subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.9.0
     subnet 192.168.9.0 255.255.255.0
    object network obj-192.168.33.0
     subnet 192.168.33.0 255.255.255.0
    object network obj-192.168.44.0
     subnet 192.168.44.0 255.255.255.0
    object network obj_any
    object network obj_any-01
    object network NETWORK_OBJ_192.168.10.0_24
     subnet 192.168.10.0 255.255.255.0
    object network NETWORK_OBJ_192.168.17.0_24
     subnet 192.168.17.0 255.255.255.0
    object network subnet-00
     subnet 0.0.0.0 0.0.0.0
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service RDP tcp
     description RDP
     port-object eq 3389
    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.17.0 255.255.255.0
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.33.0 255.255.255.0
     network-object 192.168.44.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.33.0 255.255.255.0
     network-object 192.168.44.0 255.255.255.0
    object-group network subnet-17
     network-object 192.168.17.0 255.255.255.0
    object-group network subnet-2
     network-object 192.168.2.0 255.255.255.0
    object-group network subnet-9
     network-object 192.168.9.0 255.255.255.0
    object-group network subnet-10
     network-object 192.168.10.0 255.255.255.0
    access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
    access-list WAN_access_in extended permit ip any any log debugging
    access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
    access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0
    access-list MANAGEMENT_access_in extended permit ip any any log debugging
    access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
    access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1
    access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
    access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0
    access-list LAN_access_in extended permit ip any any log debugging
    access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any
    access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 52000
    logging monitor informational
    logging trap informational
    logging asdm informational
    logging from-address syslog
    logging recipient-address admin level errors
    logging host OLD-Private 192.168.17.110 format emblem
    logging debug-trace
    logging permit-hostdown
    mtu WAN 1500
    mtu OLD-Private 1500
    mtu Management 1500
    ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
    ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
    failover
    failover lan unit primary
    failover lan interface failover Vlan100
    failover polltime interface 15 holdtime 75
    failover key *****
    failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 192.168.10.0 255.255.255.0 WAN
    icmp permit host x.x.x.x WAN
    icmp permit 192.168.17.0 255.255.255.0 WAN
    icmp permit host c.c.c.c WAN
    icmp permit host a.a.a.a WAN
    icmp deny any WAN
    icmp permit 192.168.10.0 255.255.255.0 OLD-Private
    icmp permit 192.168.17.0 255.255.255.0 OLD-Private
    icmp permit host a.a.a.a OLD-Private
    icmp permit host 192.168.10.0 Management
    icmp permit host 192.168.17.138 Management
    icmp permit 192.168.1.0 255.255.255.0 Management
    icmp permit host 192.168.1.26 Management
    icmp permit host a.a.a.a Management
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp
    nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp
    nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp
    nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
    !
    object network subnet-00
     nat (OLD-Private,WAN) dynamic interface
    access-group WAN_access_in in interface WAN
    access-group OLD-PRIVATE_access_in in interface OLD-Private
    access-group MANAGEMENT_access_in in interface Management
    route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa local authentication attempts max-fail 10
    http server enable
    http b.b.b.b 255.255.255.255 WAN
    http 0.0.0.0 0.0.0.0 WAN
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetoutside
    crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac
    crypto map WAN_map 1 match address WAN_1_cryptomap
    crypto map WAN_map 1 set pfs
    crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Office 2 match address WAN_1_cryptomap
    crypto map Office 2 set peer a.a.a.a
    crypto map Office interface WAN
    crypto map MAP 10 set peer a.a.a.a
    crypto map MAP 10 set ikev1 transform-set OFFICE
    crypto ikev2 enable WAN
    crypto ikev1 enable WAN
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption des
     hash sha
     group 1
     lifetime 86400
    telnet timeout 5
    ssh a.a.a.a 255.255.255.255 WAN
    ssh timeout 30
    ssh version 2
    console timeout 0
    dhcpd auto_config OLD-Private
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 129.6.15.28 source WAN prefer
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
    group-policy admin internal
    group-policy admin attributes
     dns-server value 208.67.222.222 156.154.70.1
     vpn-tunnel-protocol ikev1
    group-policy GroupPolicy_a.a.a.a internal
    group-policy GroupPolicy_a.a.a.a attributes
     vpn-tunnel-protocol ikev1 ikev2
    group-policy CiscoVPNClient internal
    group-policy CiscoVPNClient attributes
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl
    username admin password password encrypted privilege 15
    tunnel-group admin type remote-access
    tunnel-group admin general-attributes
     address-pool vpnclient
     authorization-server-group LOCAL
     default-group-policy admin
    tunnel-group a.a.a.a type ipsec-l2l
    tunnel-group a.a.a.a general-attributes
     default-group-policy GroupPolicy_a.a.a.a
    tunnel-group a.a.a.a ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    tunnel-group CiscoVPNClient type remote-access
    tunnel-group CiscoVPNClient general-attributes
     address-pool vpnclient
     default-group-policy CiscoVPNClient
    tunnel-group CiscoVPNClient ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    smtp-server 192.168.17.10
    prompt hostname context
    no call-home reporting anonymous
    call-home
     contact-email-addr admin
     contact-name admin
     profile CiscoTAC-1
      no active
    : end
    asdm image disk0:/asdm-647.bin
    asdm location c.c.c.c 255.255.255.255 WAN
    asdm location 192.168.17.2 255.255.255.255 WAN
    asdm location a.a.a.a 255.255.255.255 OLD-Private
    no asdm history enable

    ASA:

    # show crypto ipsec sa
    There are no ipsec sas

    # show crypto isakmp sa
    There are no IKEv1 SAs
    There are no IKEv2 SAs

    2911:

    #show crypto ipsec sa
    interface: GigabitEthernet0/0/0
     Crypto map tag: map, local addr a.a.a.a

     protected vrf: (none)
     local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
     current_peer b.b.b.b port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 4, #recv errors 0

     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

    Thanks for your time,

    Nick

    Please add

    crypto map Office 2 set ikev1 transform-set OFFICE

    If that does not help, please enable debug crypto ipsec 255 and paste the output here.

    HTH. Please rate if it was helpful. Marking a "Correct answer" would also be nice.
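    The reply pins the dead tunnel on a crypto map entry with no transform-set, and the posted ASA config shows the pattern: the transform-set is attached to crypto map MAP 10, while Office is the map bound to WAN. As an added example (not code from the thread or from Cisco), this Python lint walks the crypto map lines of a config, using a constructed sample that mirrors the posted ones, and reports static entries lacking a match ACL, peer or IKEv1 transform-set, maps never applied to an interface, and references to undefined transform-sets.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the crypto-map lines of the ASA config above.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Office 2 match address WAN_1_cryptomap
crypto map Office 2 set peer a.a.a.a
crypto map Office interface WAN
crypto map MAP 10 set peer a.a.a.a
crypto map MAP 10 set ikev1 transform-set OFFICE
"""


def parse_crypto_maps(config):
    """Collect per-(map, seq) settings, map->interface bindings and defined transform-sets."""
    entries = defaultdict(lambda: {"acl": None, "peers": [], "sets": [], "dynamic": False})
    bound, defined = {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec ikev1 transform-set (\S+)", line):
            defined.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            e = entries[(m.group(1), int(m.group(2)))]
            words = m.group(3).split()
            if words[:2] == ["match", "address"]:
                e["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                e["peers"] += words[2:]
            elif words[:3] == ["set", "ikev1", "transform-set"]:
                e["sets"] += words[3:]
            elif words[:2] == ["set", "transform-set"]:  # pre-8.4 spelling
                e["sets"] += words[2:]
            elif words[:2] == ["ipsec-isakmp", "dynamic"]:
                e["dynamic"] = True
    return entries, bound, defined


def lint_crypto_maps(config):
    """Return one finding string per missing piece of a static crypto map entry."""
    entries, bound, defined = parse_crypto_maps(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        where = f"crypto map {name} {seq}"
        if e["dynamic"]:
            continue  # dynamic entries inherit their settings from the dynamic map
        if name not in bound:
            findings.append(f"{where}: map is never applied to an interface")
        if e["acl"] is None:
            findings.append(f"{where}: no 'match address' ACL")
        if not e["peers"]:
            findings.append(f"{where}: no 'set peer'")
        if not e["sets"]:
            findings.append(f"{where}: no IKEv1 transform-set, phase 2 cannot complete")
        findings += [f"{where}: transform-set {t} is not defined" for t in e["sets"] if t not in defined]
    return findings


if __name__ == "__main__":
    print("\n".join(lint_crypto_maps(SAMPLE_CONFIG)))
```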

  • How to set up the ASDM/HTTP access for Cisco ASA firewall

    Hi all

    I am looking for a solution / guide that will allow our ASA 5510 firewall, V8.4(5), ASDM version 6.4(9), to support Active Directory users. I want to allow our administrators to access the ASA via ASDM using their AD accounts (a local administrator account also exists, but its password is not general knowledge).

    Would anyone be able to advise on a guide / solution?

    Thank you very much

    If I understand your issue correctly, you want to activate AD authentication for ASDM/HTTP access to the ASA. If that is correct, you need the following command on the CLI to enable it:

    ASA-32-22(config)# aaa authentication http console ?

    configure mode commands/options:
      LOCAL  Predefined server tag for AAA protocol 'local'
      WORD   Name of RADIUS or TACACS+ aaa-server group for administrative
             authentication

    After "console" you need to define the name of the AD server you have configured on the ASA.

    You can do the same thing by using ASDM:

    Change LOCAL to the AD server that is listed there.

    I hope that answers your question.

    Thank you

    Jeet Kumar

  • Customer remote cannot access the server LAN via VPN

    Hi friends,

    I'm a new player with the ASA.

    My business is small. We need remote clients to access the LAN server via VPN.

    I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel successfully. But I cannot access the server.

    The VPN Client version is 5.0.07.0290. Encrypted packets increase but decrypted packets stay at 0 in the VPN client statistics after I connect successfully.

    On the ASA side, in show crypto ipsec sa, only the decrypted packets increase.

    Who can help me?

    Thank you very much.

    The following configuration:

    ASA Version 7.0(7)
    !
    hostname VPNhost
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 10
    ip address 221.122.96.51 255.255.255.240
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.42.199 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    !
    ftp mode passive
    dns domain-lookup inside
    access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
    access-list allow_PING extended permit icmp any any inactive
    access-list Internet extended permit ip host 221.122.96.51 any inactive
    access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
    access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
    access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
    access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip local pool testpool 192.168.43.10-192.168.43.20

    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list VPN
    nat (inside) 1 access-list PAT_acl
    route outside 0.0.0.0 0.0.0.0 221.122.96.49 10

    
    username testuser password 123
    aaa authentication ssh console LOCAL
    aaa local authentication attempts max-fail 3

    no sysopt connection permit-ipsec
    crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    isakmp enable outside
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    isakmp nat-traversal  3600
    tunnel-group testgroup type ipsec-ra
    tunnel-group testgroup general-attributes
    address-pool testpool
    tunnel-group testgroup ipsec-attributes
    pre-shared-key *
    telnet timeout 5

    ssh timeout 10
    console timeout 0

    : end

    Topology as follows:

    Hello

    Configure the split for the VPN tunneling.

    1. Create the access list that defines the network behind the ASA.

      ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA.
      ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0

    2. Enter group-policy configuration mode for the policy you want to change.

      ciscoasa(config)#group-policy hillvalleyvpn attributes
      ciscoasa(config-group-policy)#

    3. Specify the split tunnel policy. In this case, the policy is tunnelspecified.

      ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified

    4. Specify the split tunnel access list. In this case, the list is Split_Tunnel_List.

      ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

    5. Type this command:

      ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes

    6. Associate the group policy with the tunnel group.

      ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn

    7. Exit the two configuration modes.

      ciscoasa(config-group-policy)#exit
      ciscoasa(config)#exit
      ciscoasa#

    8. Save the configuration to non-volatile RAM (NVRAM) and press Enter when prompted to specify the name of the source file.

    Kind regards
    Abhishek Purohit
    CCIE-S-35269
