AAA &; VPN
Hello
AAA server is today an essential product on businesses today to control network devices and provides authentication, authorization and accounting on all network devices. AAA is part of management policy.
In parallel, the same server can be used for VPN users.
so do you think that each company must ship two ACS servers to the company or we can use the same server for both services? (but that the ACS server administrators will be the same people so they can grant access distinguished in any network equipment)
can I have a clear analysis on this crucial issue?
As far as I know, it is not possible to restrict the admin for adding/removing/editing users or groups of specific criteria. Once the administrator has obtained the privilege to add or remote for example so he or she can do for all groups.
You can have two ACS servers to:
-Redundancy. If one goes down the users can still authenticate through it.
-load balancing. If you have a large number of users you can balance the load them between two or more-ACS servers.
Kind regards
Amjad
Rating of useful answers is more useful to say "thank you".
Tags: Cisco Security
Similar Questions
-
Hello
I am setting up a VPN on a Cisco ASA 5510 version 8.4 remote access (4) 1.
When I try to connect via the Cisco VPN client software, I am able to connect however I am unable to access network resources.
However, I can ping the servers in the other site that is connected through the VPN site-to site to the main site!
VPN client--> main site (ping times on)--> Site connected with the main site with VPN S2S (successful ping)
Please help me I need to find a solution as soon as POSSIBLE!
Thank you in advance.
Hello
Please remove the NAT exemption and the re - issue the command but with #1, so it will place the NAT as first line:
No nat (SERVERS, external) static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination
NAT (SERVERS, external) 1 static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination
After re-configured this way, make sure that this command is also available:
Sysopt connection permit VPN
This sysopt will allow traffic regardles any ACL a fall, just in case. Please continue to run a package tracer and post it here,
Packet-trace entry Server icmp XXXXXX 8 0 detailed YYYYY
XXXX--> server IP
AAAA--> VPN IP of the user
Don't forget to do the two steps and a just in case, capture Please note and mark it as correct the useful message!
Thank you
David Castro,
-
IOS VPN will not respond to connections Cisco VPN Client.
Hi all
I'll put my routers fire here.
I have two 2921 SRI both with licenses of security concerning leased lines separated. I configured one to accept our workers to remote Client VPN Cisco VPN connections.
I have followed the set up process I used on another site with a router 1841/s and the same customers and I have also checked against the config given in the last guide of IOS15 EasyVPN.
With debugs all assets, all I see is
038062: 14:03:04.519 Dec 8: ISAKMP (0): received x.y.z.z dport-60225 Global (N) SA NEW 500 sport package
038063: 14:03:04.519 Dec 8: ISAKMP: created a struct peer x.y.z.z, peer port 60225
038064: 14:03:04.519 Dec 8: ISAKMP: new position created post = 0x3972090C peer_handle = 0x8001D881
038065: 14:03:04.523 Dec 8: ISAKMP: lock struct 0x3972090C, refcount 1 to peer crypto_isakmp_process_block
038066: 14:03:04.523 Dec 8: ISAKMP: (0): client setting Configuration parameters 3E156D70
038067: 14:03:10.027 Dec 8: ISAKMP (0): packet received x.y.z.z dport 500 sport 60225 Global (R) MM_NO_STATEHere is the abbreviated config.
System image file is "flash0:c2900 - universalk9-mz.» Spa. 154 - 1.T1.bin.
AAA new-model
!
!
AAA authentication login default local
local VPNAUTH AAA authentication login
AAA authorization exec default local
local authorization AAA VPN network
!
!
!
!
!
AAA - the id of the joint sessioncrypto ISAKMP policy 10
BA aes
preshared authentication
Group 14ISAKMP crypto group configuration of VPN client
key ****-****-****-****
DNS 192.168.177.207 192.168.177.3
xxx.local field
pool VPNADDRESSES
ACL REVERSEROUTECrypto ipsec transform-set aes - esp esp-sha-hmac HASH
tunnel modeProfile of crypto ipsec IPSECPROFILE
the HASH transform-set valuedynamic-map crypto VPN 1
the HASH transform-set value
market arriere-route
!
!
list of authentication of card crypto client VPN VPNAUTH
card crypto VPN VPN isakmp authorization list
crypto map VPN client configuration address respond
card crypto 65535-isakmp dynamic VPN ipsec VPN
!
!
local IP VPNADDRESSES 172.16.198.16 pool 172.16.198.31REVERSEROUTE extended IP access list
IP 192.168.0.0 allow 0.0.255.255 everything
Licensing ip 10.0.0.0 0.0.0.255 anyscope of IP-FIREWALL access list
2 allow any host a.b.c.d eq non500-isakmp udp
3 allow any host a.b.c.d eq isakmp udp
4 ahp permits any host a.b.c.d
5 esp of the permit any host a.b.c.dIf anyone can see anything wrong, I would be very happy and it would save the destruction of a seemingly innocent router.
Thank you
Paul
> I would be so happy and it would save the destruction of a seemingly innocent router.
No, which won't work! But instead of destroying the router, I can do it for you. Just send it to me... ;-)
OK, now more serious...
- The default Cisco IPSec client uses only DH group 2, while you set up the 14. Try to use Group 2 in your isakmp policy.
- You have your virtual model in place? She is not in the config.
-
client ipSec VPN and NAT on the router Cisco = FAIL
I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client. The same router is NAT.
ipSec logs, but can not reach the internal network unless NAT is disabled on the inside interface. But I need both at the same time.
Suggestions?
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group myclient
key password!
DNS 1.1.1.1
Domain name
pool myVPN
ACL 111
!
!
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
list of card crypto clientmap client VPN - AAA authentication
card crypto clientmap AAA - VPN isakmp authorization list
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!interface Loopback0
IP 10.88.0.1 255.255.255.0
!
interface GigabitEthernet0/0
/ / DESC it's external interfaceIP 192.168.168.5 255.255.255.0
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
media type rj45
clientmap card crypto
!
interface GigabitEthernet0/1/ / DESC it comes from inside interface
10.0.1.10 IP address 255.255.255.0
IP nat inside<=================ipSec client="" connects,="" but="" cannot="" reach="" interior="" network="" unless="" this="" is="">=================ipSec>
IP virtual-reassembly
the route cache same-interface IP
automatic duplex
automatic speed
media type rj45!
IP local pool myVPN 10.88.0.2 10.88.0.10
p route 0.0.0.0 0.0.0.0 192.168.168.1
IP route 10.0.0.0 255.255.0.0 10.0.1.4
!IP nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 111 allow ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 111 allow ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255Hello
I think that you need to configure the ACL default PAT so there first statemts 'decline' for traffic that is NOT supposed to be coordinated between the local network and VPN pool
For example, to do this kind of configuration, ACL and NAT
Note access-list 100 NAT0 customer VPN
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
Note access-list 100 default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.0.255 ay
overload of IP nat inside source list 100 interface GigabitEthernet0/0
EDIT: seem to actually you could have more than 10 networks behind the routerThen you could modify the ACL on this
Note access-list 100 NAT0 customer VPN
access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
Note access-list 100 default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.255.255 ay
Don't forget to mark the answers correct/replys and/or useful answers to rate
-Jouni
-
Cannot access remote network via VPN
Hello
I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
There is also a public oriented Web server in the office which must be accessible.I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.
I'm quite puzzled as to why it does not work. Please could someone help.
The results of tests and the router configuration are listed below. Please let me know if you need additional information.
Thank you and best regards,
Simon1. routing on the router table
Router #sh ip route
Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
C XXX.yyy.zzz.192 is directly connected, Vlan10
GGG.hhh.125.0/32 is divided into subnets, subnets 1
C GGG.HHH.125.34 is directly connected, Dialer0
172.16.0.0/32 is divided into subnets, subnets 1
S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
S * 0.0.0.0/0 [1/0] via ggg.hhh.125.342. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
> ping 172.16.100.1
Ping 172.16.100.1 with 32 bytes of data:
Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 2553. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
> ping 172.16.100.10
Ping 172.16.100.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.4. ping the router to the successful local server
router #ping 172.16.100.10
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms5 see the version
Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
the availability of router is 1 hour, 9 minutes
System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
10 FastEthernet interfaces
1 ISDN basic rate interface
Configuration register is 0 x 21026. router Config
AAA authentication login default local
connection of local AAA VPN authentication.
AAA authorization exec default local
local authorization AAA VPN network
!
!
AAA - the id of the joint session
!
!
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
Configuration group customer isakmp crypto ASI_Group
key mykey
DNS aaa.bbb.cccc.ddd
domain mydomain.com
pool VPN_Pool
ACL VPN_ACL
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
!
crypto dynamic-map 10 DYNMAP
game of transformation-TS1
market arriere-route
!
!
list of authentication of VPN client VPN crypto card
card crypto VPN VPN isakmp authorization list
crypto map VPN client configuration address respond
card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
!
!
!
IP cef
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
username admin privilege 15 password mypassword
Archives
The config log
hidekeys
!
!
!
!
!
interface FastEthernet0
WAN description
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
automatic duplex
automatic speed
PPPoE enable global group
PPPoE-client dial-pool-number 1
!
interface FastEthernet2
Description Public_LAN_Interface
switchport access vlan 10
full duplex
Speed 100
!
FastEthernet6 interface
Description Private_LAN_Interface
switchport access vlan 100
full duplex
Speed 100
!
interface Vlan1
no ip address
!
interface Vlan10
Public description
IP address xxx.yyy.zzz.193 255.255.255.248
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
!
interface Vlan100
172.16.100.1 IP address 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
!
interface Dialer0
IP unnumbered Vlan10
no ip unreachable
IP mtu 1452
IP virtual-reassembly
encapsulation ppp
no ip mroute-cache
Dialer pool 1
Dialer-Group 1
Authentication callin PPP chap Protocol
PPP chap hostname myhostname
PPP chap password mychappassword
PPP ipcp dns request accept
failure to track PPP ipcp
PPP ipcp address accept
VPN crypto card
!
IP pool local VPN_Pool 172.16.100.50 172.16.100.60
!
!
no ip address of the http server
no ip http secure server
!
VPN_ACL extended IP access list
IP 172.16.100.0 allow 0.0.0.255 any
!
Dialer-list 1 ip protocol allow
not run cdp
!
!Simon,
Basically when you connect through a VPN Client PC routing table is updated automatically as soon as the connection is established. If you do not need to manually add routes. You can check this by doing a "route print" once you are connected.
Ideally, you need to put your pool of VPN on subnet that does not exist on your physical network, the router would be to route traffic between the IP pool and internal subnet.
Now, you said that you have a web server with a public IP address that you need to access through the VPN, that host also as a private IP addresses on the 172.16.100.0? If it isn't then the ACL that I proposed should work. If she only has a public IP then your ACL VPN address must have something like
IP 172.16.100.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
219.xxx.yyy.192 ip 0.0.0.7 permit 192.168.100.0 0.0.0.255
Who says the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.
I hope this helps.
Luis Raga
-
Cisco 877 VPN router LAN access
I have spent much time already trying to figure out why I can't reach the LAN behind the router connecting through VPN, I thought it would be easier to ask people with more experience than me.
So, here he goes, this is the configuration of a router 877 adsl with some ACL defined for security and NAT/PAT, the VPN connects to customer VPN CIco however I don't see anything on the LAN to the remote computer (for example: cannot ping the router or server on the local network)
Also, since the router I can not ping the remote VPN computer when connected... I already tried a lot of different things, but my knowledge of cisco is limited, so I hope someone in this forum can sort it with little effort or change in this config... I replaced the ip addresses and passwords for security reasons.
In a Word, what is false or absent in this config which is not let me reach the LAN when docked hollow VPN?
Appreciate the help:
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec localtime
encryption password service
!
hostname My877Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXX
!
AAA new-model
!
!
AAA authentication login default local
connection of local AAA VPN authentication.
AAA authorization exec default local
local authorization AAA VPN network
!
!
AAA - the id of the joint session
clock timezone CST 9 30
!
Crypto pki trustpoint TP-self-signed-901674690
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 901674690
revocation checking no
rsakeypair TP-self-signed-901674690
!
!
TP-self-signed-901674690 crypto pki certificate chain
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
quit smoking
dot11 syslog
IP cef
!
!
inspect the IP router-traffic tcp name _OUTBOUND_
inspect the IP router traffic udp name _OUTBOUND_
inspect the name _OUTBOUND_ http IP
inspect the IP name _OUTBOUND_ https
inspect the IP dns _OUTBOUND_ name
inspect the IP router traffic icmp name _OUTBOUND_
no ip domain search
IP domain name mydomain.com.au
Name A.B.C.D IP-server
IP-name x.y.z.w Server
!
aes encryption password
!
!
username admin privilege 15 secret 5 #$% ^ & *.
Admin2 username privilege 15 secret 5 #$% ^ & *.
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600
!
ISAKMP crypto group configuration of VPN client
key 6 #$%^&_)(*&^%$%^&*(&^$
DNS 192.168.100.5
domain mydomain.com.au
pool VPN
ACL 100
Max-users 5
Max-Connections 1
netmask 255.255.255.0
!
86400 seconds, duration of life crypto ipsec security association
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn1
!
Crypto-map dynamic dynmap 11
Set transform-set vpn1
market arriere-route
!
!
list of card crypto dynmap customer VPN authentication
card crypto dynmap VPN isakmp authorization list
client configuration address card crypto dynmap initiate
client configuration address card crypto dynmap answer
dynmap 11 card crypto ipsec-isakmp dynamic dynmap
!
Archives
The config log
hidekeys
!
!
!
type of class-card inspect VPN-match-all traffic
game group-access 100
!
!
type of policy-card inspect PCB-pol-outToIn
class type inspect VPN traffic
inspect
!
!
!
!
ATM0 interface
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
DSL-automatic operation mode
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
Description LAN_INTERFACE
IP 192.168.100.1 address 255.255.255.0
no ip redirection
no ip proxy-arp
IP nat inside
IP virtual-reassembly
route IP cache flow
IP tcp adjust-mss 1452
!
interface Dialer0
ADSL description
the negotiated IP address
IP access-group 101 in
Check IP unicast reverse path
no ip redirection
no ip unreachable
no ip proxy-arp
inspect the _OUTBOUND_ over IP
NAT outside IP
IP virtual-reassembly
encapsulation ppp
route IP cache flow
Dialer pool 1
No cdp enable
Authentication callin PPP chap Protocol
PPP chap hostname [email protected] / * /
PPP chap 7 76478678786 password
card crypto dynmap
!
local pool IP VPN 192.168.200.1 192.168.200.10
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer0
!
no ip address of the http server
local IP http authentication
no ip http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
IP nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
IP nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
IP nat inside source static tcp 192.168.100.9 1352 Dialer0 1352 interface
IP nat inside source static tcp 192.168.100.6 3389 3389 Dialer0 interface
IP nat inside source static tcp 192.168.100.7 3389 interface Dialer0 3391
IP nat inside source static tcp 192.168.100.3 8443 interface Dialer0 8443
the IP nat inside source 1 interface Dialer0 overload list
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any any eq 443 newspaper
access-list 101 permit tcp any any eq smtp newspaper
access-list 101 permit tcp any any eq 1352 newspaper
access-list 101 permit tcp A.B.C.D host any newspaper
access-list 101 permit tcp host x.y.z.w any log
access-list 101 permit tcp host r.t.g.u any log
access-list 101 permit udp any host x.x.x.x eq isakmp newspaper
access-list 101 permit udp any host y.y.y.y eq non500-isakmp log
access-list 101 deny ip any any newspaper
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 connect
access-list 102 permit ip 192.168.100.0 0.0.0.255 any what newspaper
Dialer-list 1 ip protocol allow
not run cdp
!
!
route allowed sheep 11 map
corresponds to the IP 102
!
!
control plan
!
Banner motd ^ C
Unauthorized access prohibited! ^ C
!
Line con 0
exec-timeout 20 0
no activation of the modem
line to 0
line vty 0 4
privilege level 15
entry ssh transport
!
max-task-time 5000 Planner
x.x.x.x SNTP server
y.y.y.y SNTP server
endMy877Router #.
Doesn't look like anything sent through the VPN tunnel. Decrypt the counter does not increase.
Can you please try to connect by a different ISP and see if that makes a difference?
You can also try to connect from another PC and see if that makes a difference?
The configuration on the router seems correct to me.
-
Hello guys,.
I have to configure an ASA 5510 as server of remote access for Windows XP machines. I tried to configure L2TP and IPSec, but not worked. I was referred to a correct document by a member of this forum (appreciated), but it seems that XP machines do not like L2TP and they more readily accept PPTP. Someone can reffer me a document how to configure ASA5510 with PPTP remote access. I checked the unit and see no option to use PPTP instead of L2TP. Guys thank you very much in advance.
Kind regards
RVR
! - Identifies the encryption and hash IPsec algorithms
! - to be used by the game of transformation.
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5
! - Because the Windows 2000 L2TP/IPsec client uses IPsec transport mode,.
! - define the mode of transport.
! - The default is tunnel mode.
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5
! - Specifies the transformation affects to be used in a dynamic crypto map entry.
Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5
! - Requires a given crypto map entry to refer to a pre-existing
! - dynamic crypto map.
map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map
! - Apply a defined encryption card previously set on an external interface.
outside_map interface card crypto outside
crypto ISAKMP allow outside
Crypto isakmp nat-traversal 20
! - Specifies the protocol IKE Phase I parameters of strategy.
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
! - Create a group of tunnel with the tunnel-group command, and specifies the local
! - name of the address pool used to assign the IP address to the client.
! - Associated with the AAA (VPN) server with the Group of the tunnel group.
attributes global-tunnel-group DefaultRAGroup
address clientVPNpool pool
Vpn server authentication group
! - Link the name of the group to the default tunnel
! - Tunnel group general attributes mode group.
Group Policy - by default-DefaultRAGroup
! - Use the command of tunnel group ipsec-attributes
! - to enter the mode of configuration of ipsec-attribute.
! - The value of the preshared key.
! - This key must match the key configured on the Windows machine.
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
. - Configure the PPP authentication with the type of authentication protocol
! - tunnel ppp-attributes group mode command.
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
ms-chap-v2 authentication
-
Why I can't ping the internal network?
I configured a remote VPN access. I can connect my login and my password, but I can't ping any computer on the network in-house. Please helpme... the router configuration is:
SH run.
AAA new-model
connection of local AAA VPN authentication.
local authorization AAA VPN network
username vpnuser password 0 vpnpass
!
crypto ISAKMP policy 1
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP client configuration group HOME
key 123456!
DNS 10.10.10.2
VPN - D pool
include-local-lan
!
Crypto ipsec transform-set esp - the esp-hmac-md5 TEST
!
dynamic-map crypto VPN 1
transformation-TEST set
market arriere-route
!
VPNSS crypto map list of authentication of VPN client
card crypto VPNSS VPN isakmp authorization list
crypto card for the VPNSS client configuration address respond
map VPNSS 1-isakmp dynamic VPN ipsec crypto
!
interface FastEthernet0/0
Description ==> link to ISP<>
DHCP IP address
NAT outside IP
card crypto VPNSS
!
interface FastEthernet0/1
Red ==> Lan description<>
IP 192.168.1.1 255.255.255.0
IP nat inside
local pool IP VPN - D 192.168.20.1 192.168.20.20
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 dhcp
!
IP nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
Hello
I guess you get an IP address from the pool and the route is available in the router's routing table. In this case, you will need to tell the NAT router not the intended traffic to the VPN client:
IP nat inside source map route sheep interface FastEthernet0/0 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.31
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
sheep allowed 10 route map
corresponds to the IP 101
!
The following link contains many examples: http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html
HTH
Laurent.
-
LDAP AAA for VPN configuration
Preface: I'm all new to Cisco Configuration and learn as I go.
I'm at the stage of configuration LDAP to configure a VPN on ASA 5520, software release 8.3 (1). Previously the programme installation and RADIUS authentication successfully tested, I tried to use similar logic to implement the LDAP authentication/authorization. I have acquired a service account that queries the pub for the identification of the registered user information. My main resource was the following Manual: Cisco ASA 5500 Series Configuration Guide using the CLI Software Version 8.3. I did initially configurations by using ASDM, but could not get tests to succeed. So I amazed the ASDM configs and went to the CLI. Here is the configuration.
AAA-server AAA_LDAP protocol ldap
AAA-server host 10,20,30,40 (inside) AAA_LDAP
Server-port 636
LDAP-base-dn domain.ad
LDAP-scope subtree
LDAP-naming-attribute uid
LDAP-login-password 8 *.
LDAP-connection-dn cn = commonname, OU = ou01, or = ou02, dc = domain, dc = ad
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_ATTRIB---
type tunnel-group ASA_DEFAULT remote access
attributes global-tunnel-group ASA_DEFAULT
authorization-server-group AAA_LDAP---
LDAP attribute-map LDAP_ATTRIB
name of the MemberOf IETF Radius-class card
map-value MemberOf "VPN users' asa_default---
I tested all the naming-attribute ldap alternatives listed with the same results.
When I test the authentication using this configuration, I get the following error: ERROR: authentication server does not: AAA Server has been deleted
When I test authorization using this Setup, I get the same error (except for the word permission instead of authentication).
I am at a total loss. Any help would be appreciated.
I would use ldp.exe to see if you can make sure that the sytnax of your ldap-connection-dn is just as you have in your config, it really helps just copy and paste.
The problem I see is the following:
[210] link as st_domadm
[210] authentication Simple running to st_domadm to 10.20.30.30
[210] simple authentication for st_domadm returned credenti invalid code (49) als
[210] impossible to link the administrator returned code-(1) can't contact LDAP erI suppose your ldap-connection-dn is st_domadm and you try to test with the administrator account?
Thank you
Tarik
-
several hosts aaa server for authentication vpn
ASA5510 - 7.2 (1)
Using the following configuration, I try to have several radius servers configured for authentication backup in case of failure of the primary vpn. This seems to work ok. But once the main server upward when the asa will begin to use it again. The release of "aaa-Server 172.25.4.20 host" said
Server status: FAILURE, server disabled at 08:04:25.
How do reactivate you it?
RADIUS protocol AAA-server adauth
adauth AAA-server 172.25.4.20
key *.
authentication port 1812
accounting-port 1813
adauth AAA-server 172.25.4.40
key *.
authentication port 1812
accounting-port 1813
tunnel-group group general attributes
address pool pool
authentication-server-group adauth
by default-group-policy
You can add the option in the Group aaa-server:
"reactivation in timed mode.
This causes a dead server is added to the pool after 30 seconds.
The following link has some good info on the options available. I suggest looking for the doc for the "reactivation".
http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/crt_711.PDF
-Eric
Be sure to note all the useful messages.
-
Hello
We have a router - ASA VPN internet. ASA is the central site, the router is on the remote site. We have an ACS server in the central site behind the ASA, need us the remote router do AAA with the ACS server when someone it connect now. I added the config on ACS and the router, but the problem is remote site router cannot reach the ACS server unless the source IP is ip LAN. Anyone know if we can define the source ip address to ip LAN for package reqeust AAA on the router?
Thank you. Leo
Leo-
Ganymede IP source interface FastEthernet0/0
It will be useful.
-
CIsco Anyconnect VPN with LDAP AAA
Hi there, I was hoping that someone can point me in the right direction here. I created a VPN connection profile to match anyconnect SSL entering customers. I would like to use LDAP group membership as a sine qua non for authentication. I found a few online pages on what to do about it, I followed. Unfortunately, it seems my connection profile to allow access to any user in the ldap, not only those of the ldap group database. I'll post the relevant bits of the config here in hopes that someone can point my mistake!
The idea of the config is to have the map of connections 2 by default a noaccess policy which has 0 simultaneous connections and the profile card (SSL_VPN) connection ssl to anyconnect to group_policy_SSL_VPN group policy.
local pool CONTOSOVICVPN_DHCP_POOL 10.0.5.51 - 10.0.5.254 255.255.255.0 IP mask
NAT (inside_int, any) static source NetworkGroup_Internal_networks NetworkGroup_Internal_networks Network_VPNRANGE_10.0.5.0 Network_VPNRANGE_10.0.5.0 non-proxy-arp-search of route static destination
LDAP attribute-map AuthUsers
name of the memberOf Group Policy map
map-value memberOf memberOf CN = NETWORK_CONTOSO_ASA_VPN_DLSG, OR = network, OU = resources, OU = CONTOSO, OU = security, OU = Groups, DC = CONTOSO, DC = groupynamic-access-policy-registration DfltAccessPolicy
AAA-server CONTOSOVIC_LDAP protocol ldap
AAA-server CONTOSOVIC_LDAP (inside_int) 10.0.0.45
LDAP-base-dn DC = CONTOSO, DC = group
LDAP-group-base-dn DC = CONTOSO, DC = group
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn CN = ASA_LDAP_USER, OU = network, OU = accounts, DC = CONTOSO, DC = group
microsoft server typeNo vpn-addr-assign aaa
No dhcp vpn-addr-assignSSL-trust ASDM_TrustPoint4 outside_int point
WebVPN
Select outside_int
AnyConnect essentials
AnyConnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
internal NoAccess group strategy
Group Policy attributes NoAccess
WINS server no
VPN - concurrent connections 0
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
value by default-field CONTOSO.group
disable the split-tunnel-all dns
attributes of Group Policy DfltGrpPolicy
VPN - concurrent connections 0
client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
internal GroupPolicy_SSL_VPN group strategy
attributes of Group Policy GroupPolicy_SSL_VPN
WINS server no
value of server DNS 10.0.0.45
VPN - connections 1
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
value of group-lock SSL_VPN
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_SPLIT_TUNNEL
value by default-field CONTOSO.group
activate dns split-tunnel-all
the address value CONTOSOVICVPN_DHCP_POOL poolsattributes global-tunnel-group DefaultRAGroup
authorization-server-group CONTOSOVIC_LDAP
NoAccess by default-group-policy
authorization required
tunnel-group DefaultRAGroup webvpn-attributes
message of rejection-RADIUS-
attributes global-tunnel-group DefaultWEBVPNGroup
NoAccess by default-group-policy
type tunnel-group SSL_VPN remote access
attributes global-tunnel-group SSL_VPN
address CONTOSOVICVPN_DHCP_POOL pool
authentication-server-group CONTOSOVIC_LDAP
authorization-server-group CONTOSOVIC_LDAP
Group Policy - by default-GroupPolicy_SSL_VPN
authorization required
tunnel-group SSL_VPN webvpn-attributes
message of rejection-RADIUS-
Proxy-auth sdi
enable CONTOSOvicvpn.CONTOSOgroup.com.au group-aliasYou must specify the NoAccess group policy as group policy by default for the Group of the SSL_VPN tunnel.
Remember to rate helpful answers. :)
-
AAA ipsec vpn clients how to see the history of connection on asdm or asa5510
Hello all, I would like to know how see history of connection ipsec vpn client users, they authenticate to the local aaa, not in active directory. I am able to see the current logon session. go to monitoring\vpn\vpn statistics\sessions, this shows me sessions underway, but I would like to see for example the connections client vpn for the last month. I did some research and saw the info on aaa Server? I checked that article and does not see what I was looking for.
It's actually a called (NPS) network policy server microsoft radius server.
The one I used (ACS 5 and ACS 5) who was just an example.
You can review the below listed doc
http://fixingitpro.com/2009/09/08/using-Windows-Server-2008-as-a-RADIUS-server-for-a-Cisco-ASA/
Jatin kone
-Does the rate of useful messages-
-
External SSL VPN via AAA authentication
Greeting from all the
How can I exchange a group policy for users between the SAA and an external AAA (authentication via ldap or RADIUS)
Let's say I have user1 I want only him to use groupPolicy "gpSales" for its VPN access, how can the ASA Exchange this information with the radius or LDAP server
Thank you
Glad to hear that you guessed it work. Please rate this post if you found it useful.
-
AAA for VPN - Kerberos, LDAP or an NT domain?
All,
After that a small return on what you think is the best method for AAA authentication for VPN clients when authenticating against a Windows domain for remote access?
I have always used "NT Domain" because it seems to correspond roughly to the NT Auth I used to use on the old hubs. However, I (finally) decided to take a look at the Kerberos and LDAP, since they must have been added for a reason...
Far as I can tell LDAP adds the ability to search a little more finely (basic DN) AD, but that's all. Am I missing something? Are there more reason to use LDAP or Kerberos domain auth?
What is more reliable? That you guys use?
See you soon!
Either it is reliable, you can map users in different group policies or apply different DAP political, based on their belonging to a group. If you are basic authentication, then your method is still the best way to go.
Thank you
Tarik Admani
* Please note the useful messages *.
Maybe you are looking for
-
I need to store Visio files in VDX format for compatibility of Subversion.When I ask Firefox to open a VOD on the network, it shows correctly the file is a Visio file and asks if I want to save it. I select Yes, then the file opens in Visio.When I as
-
Toshiba Stack BT + Windows Mobile Device Center
Greetings! Tell me when it will be possible to use the battery of BT from Toshiba with 'Windows Mobile Device Center'? Yours, Tim
-
IMac running el Capitan will not save time machine on external hard drive
Since the installation of El Capitan, my time machine not backup external hard disk. I have tried to turn off the drive and restart, deselected as the HARD drive, and then restart.
-
I forgot my password of my 7 inch Tablet dual power. I need help bypasing password not to lose my data. But if need to master reset, how? There is no volume key button
-
Missing registry key (USBSTOR)
Recently I went to one of my Vista laptops and changed the starting value of HKLM\System\CurrentControlSet\Services\USBSTOR to 4 to prevent the use of USB on the computer mass storage. I then changed permission for the key setting to remove a complet