Access to the LDAP VPN ASA group

Hello, I have configured the access remote vpn on asa with ldap authentication. But I can't limit access vpn with specific ldap group.

Here is my config:

AAA-server AZPBTDC01 (DC_Internal) host 192.168.10.250
LDAP-base-dn dc = company, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = Netuser, OU = Services users, or is ASM HQ, dc is company, dc = com
microsoft server type
LDAP-attribute-map AZPBTDC01

LDAP attribute-map AZPBTDC01
name of the memberOf Group Policy map
map-value memberOf "CN = VPN_Admin, OU = ASM group, OU = ASM HQ, DC = company, DC = com" RA_ADMIN_GP

internal group NOACCESS strategy
NOACCESS group policy attributes
VPN - concurrent connections 0
client ssl-VPN-tunnel-Protocol ikev1
address pools no

internal RA_ADMIN_GP group policy
RA_ADMIN_GP group policy attributes
value of server DNS 192.168.10.251
VPN - connections 3
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list IPSEC_RA_ACL_ADMIN

attributes global-tunnel-group DefaultRAGroup
NOACCESS by default-group-policy

type tunnel-group IPSEC_RA_ADMIN remote access
attributes global-tunnel-group IPSEC_RA_ADMIN
authentication-server-group LOCAL AZPBTDC01
authorization-server-group AZPBTDC01
Group Policy - by default-RA_ADMIN_GP

The problem is all the domen users can connect to the vpn. ASA does not ranking filter in a group, no VPN_Admin group users can connect, but the man should not be able to connect.

If it is possible to make this approach work, I wouldn't do it this way. Use rather DAP (Dynamic Access Policy).

The instructions for this are here:

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/108000-DAP-Deploy-Guide.html

Search for "Active Directory group" to jump directly to the corresponding section. Note that you may need two policies DAP. One to match users living in VPN_Admin and another default policy to deny access to everyone.

Note for the default "opt-out" policy, that I often make it pop up a message to the end user, saying that they do not have VPN access and contact xxx if they want to fix it.

Tags: Cisco Security

Similar Questions

WiFi comments at the Public VPN (ASA-5510)

Hello

I have an ASA 5510, that has the following configuration:

interface Ethernet0/0

nameif outside

security-level 0

address IP 1.1.1.1 255.255.255.240 (fake IP for obvious reasons)

interface Ethernet0/1

nameif inside

security-level 100

IP 192.168.0.200:ABCD 255.255.0.0

interface Ethernet0/2

nameif comments

security-level 100

IP 10.10.10.1 255.255.0.0

Global 1 interface (outside)

NAT (inside) 0 access-list sheep

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (guest) 0 access-list sheep

NAT (guest) 1 0.0.0.0 0.0.0.0

-------------------------------

What I do for a client (eth0/2) Wifi comments access to our VPN configured on the external interface? It is a Cisco AnyConnect VPN installation using the mobile client. As it is, they identify the DNS since the WAP and try to connect to "vpn.mysite.com", which resolves itself into the public IP (interface) outside my ASA.

When I was asked first to authorize this change, I thought it would be a simple NAT rule but I think I'm missing something that I can't get this to work.

Thank you

They are not capable of VPN for the external interface of the IP address of the guest network because it is by design not permitted.

They need to connect to the IP comments to be able to VPN to ASA comments network, and you will need to activate AnyConnect on the interface of comments as well. "vpn.mysite.com" would then need to resolve the IP comments when they are connected via the comments interface.

which product is right for the ssl vpn: asa 5505 cisco 1841 or

Hello

I want to install an outside link management related so that we can ssh to our cisco devices and microsoft RDP toour servers. It's my configuration (based on what I know):

Internet > DSL modem > ASA 5505 > management CONSOLES SWITCH > SWITCH CISCO or Windwos Server

or

Internet > 1841 with DSL HWIC > management CONSOLES SWITCH > SWITCH CISCO or Windwos Server

My questions are:

Should I go for ASA or 1841 router?

What options is better? and ASA will do the job?

Are there any technical support prior to purchase of products in Australia? I need technical advice on the choice of the right products, not justs eiling me products.

Hello

Its strongly suggested to go with ASA 5505 in the first place, it is supposed to feature for the main functionality of ssl vpn server from 1841 which has this feature to be a vpn server.

ASDM also gives you the freedom to config box on your own based on your condition.

regds

Unable to connect using the Cisco VPN client

Hi all. I recently configured a 5510 ASA to allow remote access using the Cisco VPN client. The problem is that everything works fine when I connect using a modem classic or on a computer with a public address that I use for testing purposes, but whenever I try to connect with on an ADSL line, I can't access to the resources. I have connection and after that nothing, I can not achieve anything.

I enclose the relevant configuration information in the attachment. Any help is welcome.

Depending on the version, add...

ISAKMP nat-traversal

or

ISAKMP nat-traversal crypto

Should be all you need.

Cisco ASA 8.4 (3) remote access VPN - client connects but cannot access inside the network

I have problems to access the resources within the network when connecting with the Cisco VPN client for a version of 8.4 (3) operation of the IOS Cisco ASA 5510. I tried all new NAT 8.4 orders but cannot access the network interior. I can see traffic in newspapers when ping. I can only assume I have NAT evil or it's because the inside interface of the ASA is on the 24th of the same subnet as the network interior? Please see config below, any suggestion would be appreciated. I configured a VPN site to another in this same 5510 and it works well

Thank you

interface Ethernet0/0

Speed 100

full duplex

nameif outside

security-level 0

IP x.x.x.x 255.255.255.240

!

interface Ethernet0/1

Speed 100

full duplex

nameif inside

security-level 100

IP 10.88.10.254 255.255.255.0

!

interface Management0/0

Shutdown

nameif management

security-level 0

no ip address

!

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

network of the PAT_to_Outside_ClassA object

10.88.0.0 subnet 255.255.0.0

network of the PAT_to_Outside_ClassB object

subnet 172.16.0.0 255.240.0.0

network of the PAT_to_Outside_ClassC object

Subnet 192.168.0.0 255.255.240.0

network of the LocalNetwork object

10.88.0.0 subnet 255.255.0.0

network of the RemoteNetwork1 object

Subnet 192.168.0.0 255.255.0.0

network of the RemoteNetwork2 object

172.16.10.0 subnet 255.255.255.0

network of the RemoteNetwork3 object

10.86.0.0 subnet 255.255.0.0

network of the RemoteNetwork4 object

10.250.1.0 subnet 255.255.255.0

network of the NatExempt object

10.88.10.0 subnet 255.255.255.0

the Site_to_SiteVPN1 object-group network

object-network 192.168.4.0 255.255.254.0

object-network 172.16.10.0 255.255.255.0

object-network 10.0.0.0 255.0.0.0

outside_access_in deny ip extended access list a whole

inside_access_in of access allowed any ip an extended list

11 extended access-list allow ip 10.250.1.0 255.255.255.0 any

outside_1_cryptomap to access extended list ip 10.88.0.0 255.255.0.0 allow object-group Site_to_SiteVPN1

mask 10.250.1.1 - 10.250.1.254 255.255.255.0 IP local pool Admin_Pool

NAT static NatExempt NatExempt of the source (indoor, outdoor)

NAT (inside, outside) static source any any static destination RemoteNetwork4 RemoteNetwork4-route search

NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork1 RemoteNetwork1

NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork2 RemoteNetwork2

NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork3 RemoteNetwork3

NAT (inside, outside) static source LocalNetwork LocalNetwork static destination RemoteNetwork4 RemoteNetwork4-route search

!

network of the PAT_to_Outside_ClassA object

NAT dynamic interface (indoor, outdoor)

network of the PAT_to_Outside_ClassB object

NAT dynamic interface (indoor, outdoor)

network of the PAT_to_Outside_ClassC object

NAT dynamic interface (indoor, outdoor)

Access-group outside_access_in in interface outside

inside_access_in access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

dynamic-access-policy-registration DfltAccessPolicy

Sysopt connection timewait

Service resetoutside

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-ikev1 esp-md5-hmac bh-series

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto-map dynamic dynmap 10 set pfs

Crypto-map dynamic dynmap 10 set transform-set bh - set ikev1

life together - the association of security crypto dynamic-map dynmap 10 28800 seconds

Crypto-map dynamic dynmap 10 kilobytes of life together - the association of safety 4608000

Crypto-map dynamic dynmap 10 the value reverse-road

card crypto mymap 1 match address outside_1_cryptomap

card crypto mymap 1 set counterpart x.x.x.x

card crypto mymap 1 set transform-set ESP-AES-256-SHA ikev1

card crypto mymap 86400 seconds, 1 lifetime of security association set

map mymap 1 set security-association life crypto kilobytes 4608000

map mymap 100-isakmp ipsec crypto dynamic dynmap

mymap outside crypto map interface

crypto isakmp identity address

Crypto isakmp nat-traversal 30

Crypto ikev1 allow outside

IKEv1 crypto ipsec-over-tcp port 10000

IKEv1 crypto policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 10

preshared authentication

3des encryption

sha hash

Group 1

life 86400

IKEv1 crypto policy 50

preshared authentication

the Encryption

md5 hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

preshared authentication

aes-256 encryption

sha hash

Group 1

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

Telnet timeout 5

Console timeout 0

management-access inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal BACKDOORVPN group policy

BACKDOORVPN group policy attributes

value of VPN-filter 11

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelall

BH.UK value by default-field

type tunnel-group BACKDOORVPN remote access

attributes global-tunnel-group BACKDOORVPN

address pool Admin_Pool

Group Policy - by default-BACKDOORVPN

IPSec-attributes tunnel-group BACKDOORVPN

IKEv1 pre-shared-key *.

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group ipsec-attributes x.x.x.x

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

Excellent.

Evaluate the useful ticket.

Thank you

Rizwan James

ASA 5505 VPN cannot access inside the host

I have access remote VPN configuration on an ASA 5505, but cannot access the host or the AAS when I connect through the VPN. I can connect with the Cisco VPN client and the VPN is on on the SAA and it shows that I am connected. I have the correct Ip address, but I can't ping or you connect to one of the internal addresses. I can't find what I'm missing. I have the VPN without going through the ACL interface. Because I can connect but not going anywhere I'm sure I missed something.

framework for configuration below

interface Vlan1

nameif inside

security-level 100

10.1.1.1 IP address 255.255.255.0

IP local pool xxxx 10.1.1.50 - 10.1.1.55 mask 255.255.255.0

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto-map dynamic outside_dyn_map 20 set pfs

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

PFS set 40 crypto dynamic-map outside_dyn_map

Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA

Crypto-map dynamic inside_dyn_map 20 set pfs

Crypto-map dynamic inside_dyn_map 20 the value transform-set ESP-3DES-SHA

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

map inside_map 65535-isakmp ipsec crypto dynamic inside_dyn_map

inside crypto map inside_map interface

crypto ISAKMP allow inside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

global service-policy global_policy

XXXXXXX strategy of Group internal

attributes of the strategy group xxxxxxx

banner value xxxxx Site Recovery

WINS server no

24.xxx.xxx.xx value of DNS server

VPN-access-hour no

VPN - connections 3

VPN-idle-timeout 30

VPN-session-timeout no

VPN-filter no

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelall

by default no

disable secure authentication unit

disable authentication of the user

user-authentication-idle-timeout no

disable the IP-phone-bypass

disable the leap-bypass

disable the NEM

disable the NAC

NAC-sq-period 300

NAC-reval-period 36000

NAC-by default-acl no

the address value xxxxxx pools

enable Smartcard-Removal-disconnect

the firewall client no

WebVPN

url-entry functions

Free VPN of CNA no

No vpn-addr-assign aaa

No dhcp vpn-addr-assign

tunnel-group xxxx type ipsec-ra

tunnel-group xxxx general attributes

xxxx address pool

Group Policy - by default-xxxx

blountdr group of tunnel ipsec-attributes

pre-shared-key *.

Missing nat exemption for vpn clients. Add the following and you should be good to go.

inside_nat0_outbound list of allowed ip extended access any 192.168.10.0 255.255.255.0

NAT (inside) 0-list of access inside_nat0_outbound

prevent the SSL VPN user to access ASA cli

Hello

I set up multiple users on my ASA in its local database.

These users are used for the ssl vpn connection, but the problem I have is that users

also have SSH access. Is it possible to avoid this?

Thank you

Hello Raf,

If you do something like this:

username xxx attributes

type of remote access service

the user should not get access CLI more.

Kind regards

Bastien

Cisco ASA 5505 remote VPN access to the local network

I have installed two ASA 5505 VPN site to site that works perfectly. Now, I also need to have 1 customer site to remote access VPN with Cisco VPN dialer. I can get the VPN dialer to connect the VPN and get a VPN IP address, but I do not have access to the remote network. can someone take a look and see what I'm missing? I have attached the ASA running config.

Apologize for the misunderstanding.

To access the remote vpn client 10.10.100.x subnet, the vpn-filter ACL is the opposite.

Please please share the following ACL:

FROM: / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

outside_cryptomapVPN list of allowed ip extended access any 10.10.20.0 255.255.255.224

TO:

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

outside_cryptomapVPN to access extended list ip 10.10.20.0 allow 255.255.255.224 all

Hope that helps.

block access to the local asa firewall vpn accounts

I'm looking for the local accounts on the firewall and would like to make sure that users who have local accounts for vpn do not have for the firewall itself through asdm, telnet, ssh to the management.

Is the only aaa on the firewall command

the ssh LOCAL console AAA authentication

With this command, if I change the local account setting to 'NO ASDM, SSH, Telnet or access Console' (see attached screenshot) will that still allow users to vpn in and access the network because they have to take off but any what potential access to the firewall?

Thank you

Hello

Yes, if you select the option "No., ASDM, SSH, TELNET or Console access" allows to block only the admin access to the firewall. Here's the equivalent CLI for this option:

myASA(config-username) # type of service?

the user mode options/controls:
Admin user is authorized to access the configuration prompt.
NAS-prompt user is allowed access to the exec prompt.
remote user has access to the network.

If you use this option you will be on the third option in the above list that is remote access. Users will have the option of VPN in but no admin (asdm, ssh, telnet or console)

Thank you

Waris Hussain.

Cannot find the next jump - ASA 5505 VPN routing l2l

We have a 5505 (soon to be replaced by two 5515-x) firewall with two VPN l2l.

"Were trying to allow a remote site traffic flow through the other remote site but the syslog shows."

10.5.25.4

172.16.10.10

Could not locate the next hop for ICMP outside:10.5.25.4/1 to inside:172.16.10.10/0 routing

Config is less than

ASA Version 8.4 (3)

names of

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

<--- more="" ---="">

interface Ethernet0/7

switchport access vlan 10

interface Vlan1

nameif inside

security-level 100

allow-ssc-mgmt

IP 10.5.19.254 255.255.255.0

interface Vlan2

WIMAX Interface Description

nameif outside

security-level 0

IP address x.247.x.18 255.255.255.248

passive FTP mode

clock timezone GMT 1

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

network guestwifi object

10.1.110.0 subnet 255.255.255.0

<--- more="" ---="">

network of the NETWORK_OBJ_10.5.19.0_24 object

10.5.19.0 subnet 255.255.255.0

network of the NETWORK_OBJ_10.5.31.0_24 object

10.5.31.0 subnet 255.255.255.0

network of the NETWORK_OBJ_172.16.0.0_16 object

subnet 172.16.0.0 255.255.0.0

the object DS365-Cloud network

172.16.10.0 subnet 255.255.255.0

Description DS365-Cloud

network of the object to the inside-network-16

10.5.0.0 subnet 255.255.0.0

atanta network object

10.5.16.0 subnet 255.255.255.0

Atanta description

network guest_dyn_nat object

10.5.29.0 subnet 255.255.255.0

network of the NETWORK_OBJ_172.16.254.0_25 object

subnet 172.16.254.0 255.255.255.128

network of the NETWORK_OBJ_10.5.16.0_20 object

subnet 10.5.16.0 255.255.240.0

network of the NETWORK_OBJ_10.5.16.0_26 object

255.255.255.192 subnet 10.5.16.0

network of the LDAP_DC7 object

Home 10.5.21.1

<--- more="" ---="">

LDAP description

network c2si object

range 10.5.21.180 10.5.21.200

network of the NETWORK_OBJ_10.5.25.0_24 object

10.5.25.0 subnet 255.255.255.0

object-group network rfc1918

object-network 192.168.0.0 255.255.0.0

object-network 172.16.0.0 255.255.240.0

object-network 10.0.0.0 255.0.0.0

the DM_INLINE_NETWORK_1 object-group network

object-network 10.5.19.0 255.255.255.0

network-object 10.5.20.0 255.255.254.0

object-network 10.5.22.0 255.255.255.0

object-network 10.5.30.0 255.255.255.0

object-network 192.168.100.0 255.255.255.0

the Sure_Signal object-group network

network-object x.183.x.128 255.255.255.192

network-host x.183.133.177 object

network-host x.183.133.178 object

network-host x.183.133.179 object

network-host x.183.133.181 object

network-host x.183.133.182 object

the LDAP_source_networks object-group network

network-object 135.196.24.192 255.255.255.240

<--- more="" ---="">

object-network 195.130.x.0 255.255.255.0

network-object x.2.3.128 255.255.255.192

network-object 213.235.63.64 255.255.255.192

object-network 91.220.42.0 255.255.255.0

object-network 94.x.240.0 255.255.255.0

object-network 94.x.x.0 255.255.255.0

the c2si_Allow object-group network

host of the object-Network 10.5.16.1

host of the object-Network 10.5.21.1

network-object object c2si

the DM_INLINE_NETWORK_2 object-group network

network-object 10.5.20.0 255.255.254.0

object-network 10.5.21.0 255.255.255.0

object-network 10.5.22.0 255.255.255.0

object-network 10.5.29.0 255.255.255.0

network-object, object NETWORK_OBJ_10.5.19.0_24

the DM_INLINE_NETWORK_3 object-group network

object-network 10.5.19.0 255.255.255.0

network-object 10.5.20.0 255.255.254.0

object-network 10.5.21.0 255.255.255.0

object-network 10.5.22.0 255.255.255.0

atanta network-object

the DM_INLINE_NETWORK_4 object-group network

network-object 10.5.20.0 255.255.254.0

<--- more="" ---="">

object-network 10.5.21.0 255.255.255.0

object-network 10.5.22.0 255.255.255.0

object-network 10.5.23.0 255.255.255.0

object-network 10.5.30.0 255.255.255.0

network-object, object NETWORK_OBJ_10.5.19.0_24

atanta network-object

network-object DS365-Cloud

inside_access_in list extended access permit tcp any eq 50 Sure_Signal object-group

inside_access_in list extended access permit tcp any object-group Sure_Signal eq pptp

inside_access_in list extended access permits will all object-group Sure_Signal

inside_access_in list extended access permit udp any eq ntp Sure_Signal object-group

inside_access_in access list extended icmp permitted no echo of Sure_Signal object-group

inside_access_in list extended access permit udp any eq 50 Sure_Signal object-group

inside_access_in list extended access permit udp any eq Sure_Signal object-group 4500

inside_access_in list extended access permit udp any eq isakmp Sure_Signal object-group

inside_access_in of access allowed any ip an extended list

255.255.0.0 allow access list extended ip 10.5.0.0 clientvpn 10.5.30.0 255.255.255.0

access-list extended BerkeleyAdmin-clientvpn ip 10.5.0.0 allow 255.255.0.0 10.5.30.0 255.255.255.0

IP 10.5.21.0 allow to Access-list BerkeleyUser-clientvpn extended 255.255.255.0 10.5.30.0 255.255.255.0

outside_cryptomap extended access list permit ip object inside-network-16 10.5.25.0 255.255.255.0

access extensive list ip 10.5.29.0 guest_access_in allow 255.255.255.0 any

state_bypass allowed extended access list tcp 192.168.100.0 255.255.255.0 10.5.30.0 255.255.255.0 connect

state_bypass allowed extended access list tcp 10.5.30.0 255.255.255.0 192.168.100.0 255.255.255.0 connect

state_bypass allowed extended access list tcp 10.5.29.0 255.255.255.0 10.5.30.0 255.255.255.0 connect

<--- more="" ---="">

state_bypass allowed extended access list tcp 10.5.30.0 255.255.255.0 10.5.29.0 255.255.255.0 connect

outside_access_in list extended access permit icmp any one

access extensive list ip 10.5.16.0 outside_cryptomap_1 allow 255.255.240.0 10.5.16.0 255.255.255.192

access-list extended global_access permitted tcp object-group LDAP_source_networks host 10.5.21.1 eq ldap

access extensive list 10.5.0.0 ip outside_cryptomap_2 255.255.0.0 allow object DS365-Cloud

outside_cryptomap_3 list extended access allowed object-group ip DM_INLINE_NETWORK_4 10.5.25.0 255.255.255.0

pager lines 24

Enable logging

exploitation forest-size of the buffer of 100000

recording of debug console

debug logging in buffered memory

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

IP local pool clientvpn 10.5.30.1 - 10.5.30.100

mask 172.16.254.1 - 172.16.254.100 255.255.255.0 IP local pool VPN_IP_Pool

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ICMP allow all outside

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) source static rfc1918 rfc1918 destination rfc1918 static rfc1918

NAT (inside, outside) static source NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.31.0_24 NETWORK_OBJ_10.5.31.0_24 non-proxy-arp-search of route static destination

<--- more="" ---="">

NAT (inside, outside) static source NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source to the static inside-network-16 inside-network-16 destination DS365-DS365-cloud no-proxy-arp-route search

NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_10.5.16.0_20 NETWORK_OBJ_10.5.16.0_20 NETWORK_OBJ_10.5.16.0_26 NETWORK_OBJ_10.5.16.0_26 non-proxy-arp-search of route static destination

NAT (inside, outside) source static c2si_Allow c2si_Allow NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 non-proxy-arp-search of route static destination

NAT (inside, outside) source static atanta atanta static destination NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search to itinerary

NAT (inside, outside) static source DS365-DS365-cloud static destination NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search to itinerary

NAT (inside, outside) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 static destination DS365-DS365-cloud no-proxy-arp-route search

NAT (inside, outside) static source DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 static destination DS365-DS365-cloud no-proxy-arp-route search

NAT (inside, outside) static source to the inside-network-16 inside-network-16 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search to itinerary

NAT (inside, outside) static source DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 non-proxy-arp-search of route static destination

network obj_any object

NAT dynamic interface (indoor, outdoor)

network of the LDAP_DC7 object

NAT 194.247.x.19 static (inside, outside) tcp ldap ldap service

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Access-Group global global_access

Router eigrp 143

No Auto-resume

Network 10.5.19.0 255.255.255.0

<--- more="" ---="">

Network 10.5.29.0 255.255.255.0

Network 10.5.30.0 255.255.255.0

redistribute static

Route outside 0.0.0.0 0.0.0.0 194.247.x.17 1 track 1

Route inside 10.5.16.0 255.255.255.0 10.5.19.252 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

RADIUS protocol for AAA-server group

AAA (inside) 10.5.21.1 host server group

key *.

AAA (inside) 10.5.16.1 host server group

key *.

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

AAA authentication LOCAL telnet console

Enable http server

<--- more="" ---="">

http 192.168.1.0 255.255.255.0 inside

http 10.5.16.0 255.255.240.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Sysopt connection tcpmss 1350

SLA 1 monitor

type echo protocol ipIcmpEcho 8.8.4.4 outside interface

SLA monitor Appendix 1 point of life to always start-time now

Crypto ipsec transform-set ikev1 strong-comp esp-aes-256 esp-sha-hmac

Crypto ipsec ikev1 transform-set strong aes-256-esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec ikev2 strong ipsec proposal

Protocol esp encryption aes-256

Esp integrity sha-1 protocol

<--- more="" ---="">

Crypto ipsec ikev2 AES256 ipsec-proposal

Protocol esp encryption aes-256

Esp integrity sha - 1, md5 Protocol

Crypto ipsec ikev2 ipsec-proposal AES192

Protocol esp encryption aes-192

Esp integrity sha - 1, md5 Protocol

Crypto ipsec ikev2 ipsec-proposal AES

Esp aes encryption protocol

Esp integrity sha - 1, md5 Protocol

Crypto ipsec ikev2 proposal ipsec 3DES

Esp 3des encryption protocol

Esp integrity sha - 1, md5 Protocol

Crypto ipsec ikev2 ipsec-proposal OF

encryption protocol esp

Esp integrity sha - 1, md5 Protocol

Crypto-map dynamic dyn1 1 set transform-set ikev1 strong

1 correspondence address outside_cryptomap_1 outside crypto map

crypto card outside pfs set 1

1 set 83.x.172.68 counterpart outside crypto map

Crypto card outside 1 set transform-set ESP-AES-256-SHA ikev1

1 set ikev2 AES256 ipsec-proposal outside crypto map

card crypto off game 2 address outside_cryptomap_3

map external crypto 2 peers set 23.100.x.177

card external crypto 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5

<--- more="" ---="">

map external crypto 2 set AES256 AES192 AES strong proposal ipsec ikev2

Crypto card outside 2 kilobytes of life of security association set 102400000

card crypto outside match 3 address outside_cryptomap_2

3 set pfs outside crypto map

map external crypto 3 peers set 91.x.3.39

crypto card outside ikev1 set 3 transform-set ESP-3DES-SHA

map external crypto 3 3DES ipsec-ikev2 set proposal

dynamic outdoor 100 dyn1 ipsec-isakmp crypto map

card crypto outside interface outside

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

IKEv2 crypto policy 1

aes-256 encryption

integrity sha

Group 2

FRP sha

second life 86400

IKEv2 crypto policy 10

aes-192 encryption

integrity sha

Group 2 of 5

FRP sha

second life 86400

IKEv2 crypto policy 20

aes encryption

integrity sha

Group 2 of 5

FRP sha

second life 86400

IKEv2 crypto policy 30

3des encryption

integrity sha

Group 2 of 5

FRP sha

second life 86400

IKEv2 crypto policy 40

the Encryption

integrity sha

Group 2 of 5

FRP sha

second life 86400

Crypto ikev2 allow outside

Crypto ikev1 allow outside

IKEv1 crypto policy 1

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

IKEv1 crypto policy 2

preshared authentication

3des encryption

sha hash

Group 2

life 86400

track 1 rtr 1 accessibility

Telnet 10.5.16.0 255.255.240.0 inside

Telnet timeout 5

SSH 83.x.x.90 255.255.255.255 outside

SSH timeout 5

Console timeout 0

dhcpd outside auto_config

dhcprelay Server 10.5.21.1 on the inside

time-out of 60 dhcprelay

a basic threat threat detection

statistical threat detection port

<--- more="" ---="">

Statistical threat detection Protocol

Statistics-list of access threat detection

no statistical threat detection tcp-interception

NTP 10.5.19.253 Server prefer

WebVPN

allow outside

AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

AnyConnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 2

AnyConnect enable

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client

internal GroupPolicy_c2si group strategy

attributes of Group Policy GroupPolicy_c2si

WINS server no

value of 10.5.16.1 DNS server 10.5.21.1

client ssl-VPN-tunnel-Protocol

by default no

internal GroupPolicy_91.x.3.39 group strategy

attributes of Group Policy GroupPolicy_91.x.3.39

VPN-tunnel-Protocol ikev1, ikev2

internal GroupPolicy_83.x.172.68 group strategy

attributes of Group Policy GroupPolicy_83.x.172.68

VPN-tunnel-Protocol ikev1, ikev2

<--- more="" ---="">

internal GroupPolicy_23.100.x.177 group strategy

attributes of Group Policy GroupPolicy_23.100.x.177

VPN-tunnel-Protocol ikev1, ikev2

internal GroupPolicy_user group strategy

attributes of Group Policy GroupPolicy_user

WINS server no

value of 10.5.21.1 DNS server 10.5.16.1

client ssl-VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value BerkeleyAdmin-clientvpn

myberkeley.local value by default-field

internal GroupPolicy_23.101.x.122 group strategy

attributes of Group Policy GroupPolicy_23.101.x.122

VPN-tunnel-Protocol ikev1, ikev2

internal GroupPolicy1 group strategy

attributes of Group Policy GroupPolicy1

VPN-tunnel-Protocol ikev1, ikev2

internal BerkeleyUser group strategy

attributes of Group Policy BerkeleyUser

value of 10.5.21.1 DNS server 10.5.16.1

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value BerkeleyUser-clientvpn

myberkeley.local value by default-field

internal DS365 group policy

<--- more="" ---="">

DS365 group policy attributes

VPN-idle-timeout no

VPN-filter no

IPv6-vpn-filter no

VPN-tunnel-Protocol ikev1, ikev2

internal BerkeleyAdmin group strategy

attributes of Group Policy BerkeleyAdmin

value of 10.5.21.1 DNS server 10.5.16.1

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value BerkeleyAdmin-clientvpn

myberkeley.local value by default-field

acsadmin encrypted V6hUzNl366K37eiV privilege 15 password username

atlanta uxelpvEvM3I7tw.Z encrypted privilege 15 password username

username of berkeley Kj.RBvUp5dtyLw5T encrypted password

type tunnel-group BerkeleyUser remote access

attributes global-tunnel-group BerkeleyUser

address clientvpn pool

authentication-server-group

Group Policy - by default-BerkeleyUser

IPSec-attributes tunnel-group BerkeleyUser

IKEv1 pre-shared-key *.

type tunnel-group BerkeleyAdmin remote access

attributes global-tunnel-group BerkeleyAdmin

address clientvpn pool

<--- more="" ---="">

authentication-server-group

Group Policy - by default-BerkeleyAdmin

IPSec-attributes tunnel-group BerkeleyAdmin

IKEv1 pre-shared-key *.

type tunnel-group user remote access

tunnel-group user General attributes

address pool VPN_IP_Pool

authentication-server-group

Group Policy - by default-GroupPolicy_user

tunnel-group user webvpn-attributes

enable-alias of user group

type tunnel-group c2si remote access

tunnel-group c2si-global attributes

address pool VPN_IP_Pool

authentication-server-group

Group Policy - by default-GroupPolicy_c2si

tunnel-group c2si webvpn-attributes

Group-alias c2si enable

tunnel-group 83.x.172.68 type ipsec-l2l

tunnel-group 83.x.172.68 General-attributes

Group - default policy - GroupPolicy_83.x.172.68

83.x.172.68 group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

<--- more="" ---="">

pre-shared-key authentication local IKEv2 *.

tunnel-group 23.101.x.122 type ipsec-l2l

tunnel-group 23.101.x.122 General-attributes

Group - default policy - GroupPolicy_23.101.x.122

23.101.x.122 group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

pre-shared-key authentication local IKEv2 *.

tunnel-group 91.x.3.39 type ipsec-l2l

tunnel-group 91.x.3.39 general-attributes

Group - default policy - GroupPolicy_91.x.3.39

91.x.3.39 group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

pre-shared-key authentication local IKEv2 *.

tunnel-group 23.100.x.177 type ipsec-l2l

tunnel-group 23.100.x.177 General-attributes

Group - default policy - GroupPolicy_23.100.63.177

23.100.x.177 group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

pre-shared-key authentication local IKEv2 *.

class-map state_bypass

corresponds to the state_bypass access list

Policy-map state_bypass_policy

class state_bypass

set the advanced options of the tcp-State-bypass connection

service-policy state_bypass_policy to the inside interface

context of prompt hostname

anonymous reporting remote call

Cryptochecksum:bbc6f2ec2db9b09a1b6eb90270ddfeea

: end

PTB-ch-asa5505 #.

Ah OK I see now.

Your cryptomap for the cloud of DS365 is:

access extensive list 10.5.0.0 ip outside_cryptomap_2 255.255.0.0 allow object DS365-Cloud

so, which covers interesting traffic.

However, your NAT statement is:

NAT (inside, outside) static source NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 static destination DS365-DS365-cloud no-proxy-arp-route search

Network 10.5.25.0 is remote, then it will actually appear to be an "outside" network so I think you need this statement to begin "nat (outside, outside).

Control the access of the user for the SSL VPN profile.

I have two ssl vpn profile, can I restricted the user to access only ssl vpn profile, when they get to the page of the ssl vpn service. Each profile to create different types of access, and they will have different client IP address.

Hello

Yes, using different ways; one of them is using group-lock, which is a simple check to validate if the Tunnel group or the connection profile as you called it with that sign corresponds to what you have defined under group policy. If the value of Tunnel-Group-Lock (condition true), the VPN remote access session is allowed to install; otherwise the session is not allowed to be implemented.

The tunnel-group-lock featurecan be defined as follows:
- via the group-policy setting locally on ASA
- via the LDAP attribute
- via the Radius attribute
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/vpngrp.html#wp1134870

Step 4

Kind regards

Problem with the VPN site to site for the two cisco asa 5505

Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

Cisco Config asa1

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access management

dhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco ASA 2 config

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the http

For IKEv2 configuration: (example config, you can change to encryption, group,...)

-You must add the declaration of exemption nat (see previous answer).

-set your encryption domain ACLs:

access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

-Set the Phase 1:

Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400

-Set the Phase 2:

Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol

-set the Group of tunnel

tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123

IKEv2 authentication local pre-shared-key cisco123

-Define the encryption card

address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity address

On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

Thank you

Remote access to the site to site VPN

We currently have a VPN site-to-site set up on a direct line between our two data centers. Hosts on site one can speak to guests at site B, and talk to the hosts to site A to site B guests.

I've recently implemented a site A. VPN VPN remote access clients can access all of the resources behind the ASA at A site without problem. However, strange things happen when they try to contact the site B.

I have set up corresponding exemptions of NAT on each side of the connection. The remote site reported no abnormalities. When you attempt to connect to a remote VPN client to site B, the only errors that appear are on the SAA to site A. When a remote client attempts to connect to a host at site B, the following errors appear in the log:

% ASA-3-305005: no group of translation not found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

I have the exemption following NAT set up on site A:

access-list sheep; 3 items

access-list 1 permit line sheep extended ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt = 0)

allowed to Access-list sheep lengthened 2 ip line 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt = 0)

allowed to Access-list sheep line 3 extended ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt = 0)

I work on it for a few days now and hesitate to open a ticket of TAC. I've seen a few similar questions on the forums, but have found zero with a working solution. I tried to follow the technical notes on Cisco's Web site for a configuration similar to, but had no luck.

Also, I enabled same-security-traffic on intra and inter-interface interface.

Any help would be appreciated.

HUB of the ASA, is this your topology? If so try below suggestions.

Inside 10.1.1.0/16 Net

Net 172.16.0.0/28 - net through Tunnel L2L 10.0.0.0/16 end DS3

VPN RA Net 10.3.0.0/24

To RA to access the L2L tunnel end hosting you will need to exempt sheep rule applied to the ds3 interface.

based on the journal

% ASA-3-305005: no group of translation not found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

Try this

no scope list ip 10.3.0.0 access test allow 255.255.255.0 10.0.0.0 255.255.0.0

test the ip 10.0.0.0 allowed extended access list 255.255.0.0 10.3.0.0 255.255.255.0

test access list 0 Tan (ds3)

on the end of the tunnel (spoke), to allow the network of RA from the FOCUS of the ASA in the interesting traffic.

Let us know how it works

Concerning

Cannot access internal network so AnyConnect SSL VPN, ASA 9.1 (6)

Hello Cisco community support,

I have a lab which consists of two virtual environments connected to a 3750-G switch that is connected to a 2901 router which is connected to an ASA 5512 - X which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside but once connected, I can't access internal network resources or access the internet. My information network and ASA configuration is listed below. Thank you for any assistance you can offer.

ISP network gateway: 10.1.10.0/24

ASA to the router network: 10.1.40.0/30

Pool DHCP VPN: 10.1.30.0/24

Network of the range: 10.1.20.0/24

Development network: 10.1.10.0/24

: Saved
:
: Serial number: FCH18477CPT
: Material: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA 6,0000 Version 1
!
hostname ctcndasa01
activate bcn1WtX5vuf3YzS3 encrypted password
names of
cnd-vpn-dhcp-pool 10.1.30.1 mask - 255.255.255.0 IP local pool 10.1.30.200
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 10.1.40.1 255.255.255.252
!
interface GigabitEthernet0/1
nameif outside
security-level 0
address IP X.X.X.237 255.255.255.248
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
boot system Disk0: / asa916-1-smp - k8.bin
boot system Disk0: / asa912-smp - k8.bin
passive FTP mode
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_10.1.30.0_24 object
10.1.30.0 subnet 255.255.255.0
network obj_any object
network obj_10.1.40.0 object
10.1.40.0 subnet 255.255.255.0
network obj_10.1.30.0 object
10.1.30.0 subnet 255.255.255.0
outside_access_in list extended access permitted ip object NETWORK_OBJ_10.1.30.0_24 all
FREE access-list extended ip 10.1.40.0 NAT allow 255.255.255.0 10.1.30.0 255.255.255.0
access-list 101 extended allow any4 any4-answer icmp echo
access-list standard split allow 10.1.40.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 743.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source obj_10.1.40.0 destination obj_10.1.40.0 static static obj_10.1.30.0 obj_10.1.30.0 non-proxy-arp-search to itinerary
NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 non-proxy-arp-search to itinerary
Access-group outside_access_in in interface outside
!
Router eigrp 1
Network 10.1.10.0 255.255.255.0
Network 10.1.20.0 255.255.255.0
Network 10.1.30.0 255.255.255.0
Network 10.1.40.0 255.255.255.252
!
Route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
without activating the user identity
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http X.X.X.238 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = 10.1.30.254, CN = ctcndasa01
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate c902a155
308201cd 30820136 a0030201 020204c 0d06092a 864886f7 0d 010105 9 02a 15530
0500302b 31133011 06035504 03130 has 63 61736130 31311430 12060355 74636e64
0403130 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a b
170d 3235 30373039 30353031 33315 has 30 2 b 311330 0403130a 11060355 6374636e
64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
0d06092a 864886f7 010101 05000381 8 d 0d 003081 89028181 00a47cfc 6b5f8b9e
9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384 819d fa164c05 2e586ccc
3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 0001300 020301 4 d d
06092a 86 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc 4886f70d
42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
d8966b50 917a88bb f4f30d82 6f8b58ba 61
quit smoking
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPN-addr-assign local reuse / 360 time
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Trust ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip SSL-point
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
AnyConnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
AnyConnect enable
tunnel-group-list activate
internal GroupPolicy_cnd-vpn group policy
GroupPolicy_cnd-vpn group policy attributes
WINS server no
value of server DNS 8.8.8.8
client ssl-VPN-tunnel-Protocol
by default no
xxxx GCOh1bma8K1tKZHa username encrypted password
type tunnel-group cnd - vpn remote access
tunnel-group global cnd-vpn-attributes
address-cnd-vpn-dhcp-pool
strategy-group-by default GroupPolicy_cnd-vpn
tunnel-group cnd - vpn webvpn-attributes
activation of the alias group cnd - vpn
!
ICMP-class class-map
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map icmp_policy
icmp category
inspect the icmp
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
service-policy icmp_policy outside interface
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
: end
ASDM image disk0: / asdm - 743.bin
don't allow no asdm history

Can you confirm that this is correct, your diagram shows your IP address public on ASA as 30 while you have assinged on 'outside' interface like 29?

SSL VPN - ASA - Active Directory LDAP

Hello

Scenario: ASA 8.0 (3) running SSL VPN for remote users. LDAP also authenticates access and connect to the ASA.

For some reason any (we had a power failure, but the problem may be caused by other reasons as well), I can not connect to the ASA, as my login ID does not work, and remote users get connection error when trying to authenticate via SSL VPN web gui.

I have rebooted the ASA and AD without any change in the situation. This service worked very well before and the problem happened suddenly. No one has all the changes for the configs. Customer do not have a backup configuration. Any suggestion on what would be the best next action to solve this problem? I'm not expert on the Microsoft LDAP configuration, and if anyone knows where I can check in Microsoft windows server 2003 for the possible LDAP problem, that would be greatly appreciated.

Thank you

rdianat

the ldap bind account is just a normal user account. He didn't need even administrative permissions. If you want to use ldap for password changes he needs to password change permissions, but otherwise just a normal user account - make sure it cannot be locked in AD or the password never expires none of this things. you will see the name of the ldap account in the config of the SAA.

LDAP-login-password *.

LDAP-connection-dn *.

Access to the LDAP VPN ASA group

Similar Questions

Maybe you are looking for