Access ASA VPN question

Hi, I was able to migrate my clients off the VPN Concentrator 3030 and onto the ASA 5520 VPN. The problem I have now is that the ASA sees these VPN clients coming from my external interface and they cannot get past the demilitarized zone, because I did the specific NAT and rules for inside. Is there a way to make the VPN client network look like it comes from the inside network?

You are welcome Daniel.

Don't forget to rate the post and choose "solved my problem" if it was helpful and solved your problem.

Regards

Tags: Cisco Security

Similar Questions

  • IKE ASA VPN question

    Hello all, I have a problem with an IPsec tunnel and I am still looking for what exactly the problem is. I have 2 ASAs, AAA.AA.AAA.A and BBB.BB.BBB.B, where BBB.BB.BBB.B has 2 interfaces: LAN and a DSL modem. When there is no problem with the LAN the tunnel is ACTIVE, but when I fail over to ADSL I get a few errors on the tunnel:

    IP = AAA.AA.AAA.A, Received an un-encrypted INVALID_COOKIE notify message, dropping

    IP = AAA.AA.AAA.A, Duplicate Phase 1 packet detected. Retransmitting last packet.

    sh isakmp sa gives:

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: AAA.AA.AAA.A
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG4

    So the router is waiting for an ack that never arrives, and there is no packet.

    At both ends, I cleared:

    clear cry isa

    clear cry ipsec

    I checked that the peer addresses are correct; what is bothering me is the missing packet. I think that this packet is sent to the other interface, which is down, and so the other ASA cannot get the negotiation.

    I would be grateful if anyone can help; I will debug and sniff for that.

    Here are the configs and a small amount of isakmp debug information.

    Router AAA.AA.AAA.A config:

    access-list outside_cryptomap_60 extended permit ip object-group US-VPN object-group VPN-US
    route outside 0.0.0.0 0.0.0.0 XXX.XX.XX.1 1
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 60 match address outside_cryptomap_60
    crypto map outside_map 60 set peer BBB.BBB.BB.B CC.CCC.C.CCC
    crypto map outside_map 60 set transform-set ESP-AES-SHA
    crypto map outside_map 60 set security-association lifetime seconds 28800
    crypto map outside_map 60 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group BBB.BBB.BB.B type ipsec-l2l
    tunnel-group BBB.BBB.BB.B ipsec-attributes
     pre-shared-key *

    ASA BBB.BB.BBB.B:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_cryptomap_1
    crypto map outside_map 1 set peer AAA.AA.AAA.A
    crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-AES-SHA
    crypto map outside_map interface outside
    crypto map outside_map interface outsideadsl
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable outsideadsl
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp am-disable

    debug crypto isakmp 127

    Dec 28 11:58:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE Initiator: New Phase 1, Intf inside, IKE Peer AAA.AA.AAA.A local Proxy Address 192.168.0.0, remote Proxy Address 192.167.0.0, Crypto map (outside_map)
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ISAKMP SA payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing NAT-Traversal VID ver 02 payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing NAT-Traversal VID ver 03 payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Fragmentation VID + extended capabilities payload
    Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
    Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing SA payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Oakley proposal is acceptable
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing VID payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Received Fragmentation VID
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ke payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing nonce payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Cisco Unity VID payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing xauth V6 VID payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Send IOS VID
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing VID payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    Dec 28 11:58:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Dec 28 11:58:07 [IKEv1]: IP = AAA.AA.AAA.A, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing SA payload
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Oakley proposal is acceptable
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing VID payload
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Received Fragmentation VID
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing IKE SA payload
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ISAKMP SA payload
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Fragmentation VID + extended capabilities payload
    Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, Received an un-encrypted INVALID_COOKIE notify message, dropping
    Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, Information Exchange processing failed
    No degDec 28 11:58:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Dec 28 11:58:12 [IKEv1]: IP = AAA.AA.AAA.A, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

    I don't know if that's the only issue, but to start you need a 'tunnel-group C.C.C.C' on ASA A.

    If there is still a problem, please get the debugs from both sides at the same time.

    Also, what software version are the ASAs running, and how do you simulate the failure on the main interface of B? Is it possible that in your test A can still reach B through its main interface?

    HTH

    Herbert

  • ASA (Active/Standby) site-to-site VPN question

    Hello

    I have a question as below:

    Site A - 1 Netscreen VPN firewall unit

    Site B - 2 ASA VPN firewall units

    I'm trying to set up a site-to-site VPN, but I have a problem with the active/standby configuration.

    Initially, I tried Site A with 1 Netscreen unit and Site B with 1 ASA unit for the site-to-site VPN. There was no problem.

    But when I add another ASA at site B and configure it as active/standby, I have a few questions that I need help with here.

    Things that confuse me:

    (1) Do I need to use 2 public IP addresses on the ASA? (One public IP for the active and the other public IP for the standby; it seems like a waste of public IP addresses.)

    (2) Can the failover link and the stateful failover link be configured on the same interface?

    Please help with this case: configuring a site-to-site VPN with an active/standby configuration.

    Just to add to this,

    just be careful when you dedicate an interface to stateful failover: make sure that it has the highest capacity, or at least the same capacity as the interface that passes th

    So if you use a gig interface for passing traffic, use a gig port for stateful failover. Several times we saw people using the management interface for stateful failover when they have gig ports, and they ran into issues where the stateful function does not work as expected.

    You can read more here:

    https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759

  • Traffic between Cisco ASA VPN tunnels

    Hi Experts,

    I have a situation where I need to set up traffic forwarding between two VPN tunnels terminated on the same ASA box. One VPN tunnel will bring incoming traffic, and that traffic should be sent down the other VPN tunnel on the ASA. The two VPN tunnels come in from the Internet and talk to the same peer IP address of the ASA.

    Details

    Tunnel A

    Source: 192.168.1.0/25

    Destination: 10.1.1.0/25

    Local peer: 170.252.100.20 (ASA in question)

    Remote peer: 144.36.255.254

    Tunnel B

    Source: 192.168.1.0/25

    Destination: 10.1.1.0/25

    Local peer IP: 170.252.100.20 (ASA box in question)

    Remote peer IP: 195.75.75.1

    Can this be achieved? What configuration is needed on the ASA apart from the crypto ACL entries?

    Thanks in advance for your time.

    I believe that in this case your config is good, and you can avoid using routes on your ASA since it must route based on its default gateway; make sure you have the right rules in place and the same-security-traffic permit intra-interface, which you will need.

  • New ASA/VPN configuration

    So, I am looking to add one of my spare 5510 firewalls to my secondary network as a VPN connection.

    All I want this new ASA to do is handle my site's AnyConnect VPN connections.  I'm pretty new to ASAs, so any help would be great.  I know how to create a new remote access VPN on my ASA and I added a NAT for my inside and outside traffic to my new VPN IP pool.

    My question is, since it's only for VPN and I want all my current internal traffic to continue through the existing ASA 5510 routing, do I have to enter ACLs on my new VPN-only ASA?  Are ACLs used for VPN traffic, and do I need them to route traffic via the VPN?

    I'll connect the inside interface to one of my main Cisco switches and the outside interface to my DMZ switch on the new VPN-only ASA.

    Thank you

    I don't know if I understand how you connect the external interface of the VPN-only ASA. Normally, in this type of installation, we would see the VPN ASA "in parallel" with the perimeter firewall.

    You mention the DMZ switch, which threw me a little. If you come in through your main firewall and go to the VPN-only ASA via the DMZ, then yes, you will need to allow several open ports (protocol 50, udp/500, tcp/443 among others) and may have to do some other techniques (NAT-T, etc.) depending on the type of remote access you are implementing. That's why we rarely see this configuration used - it adds a good dose of complexity without significant benefit.

    When the former setup is used, you need the internal switch to know to route traffic to the VPN pool through the VPN-only ASA's inside interface. A static route is most often used, although you can use OSPF or EIGRP if you wanted to.

    There should generally not be any access list for VPN traffic beyond the incoming interface access lists. Return traffic to remote clients comes from inside and goes out (and is usually part of an established connection), so no access list is necessary on the inside.

  • ASA VPN with Fortigate

    Hello people!

    I still have the problem with VPN... Laughing out loud

    I have to create a new site-to-site VPN between an ASA 5510 (8.42 IOS) and a Fortigate, but something is very strange: the VPN doesn't come up and I see the following log in debug crypto ikev1 10:

    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    But if I ask the other peer to change to Group 2, the msg on the ASA is:

    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

    On the Fortigate it is possible to activate both specific VPN groups, 1 and 2, and I asked the other peer to leave it this way, and the ASA shows:

    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    The show isakmp sa:

    9   IKE Peer: 179.124.32.181
        Type    : user            Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG3

    I have deleted and recreated the VPN 3 times and the same error occurs.

    Has anyone seen this kind of problem?

    Are you using Fortigate version 5 by chance?

    I have seen Cisco ASA VPN problems repeatedly with this Fortigate code, but above all it has been a Phase 2 problem, and setting the KB lifetime to the maximum on the ASA side has solved it... However, this seems not to be your problem here.

    The first thing I see in your config is that you have PFS enabled - have you ensured it is set on the Fortinet side, or tried to turn it off on the Cisco side to see what happens?

    Being stuck at MM_WAIT_MSG3 means that you sent back your policy, but then you did not receive the third packet in the ISAKMP exchange, so either the Fortigate is unhappy with something or there's a routing problem (however unlikely, given that you have already had communication).

    Try on the ASA side:

    debug crypto isakmp 7

    Can you also confirm your external interface is 'outside1'? You can see this with 'show ip'.

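
    Both this post and the IKE ASA VPN question above come down to reading ASA "debug crypto isakmp" output by hand. The script below is an added example, not code from either poster or from Cisco: it parses constructed lines modelled on that output (documentation addresses stand in for the posters' peers), tracks which Main Mode payloads each peer sent and received, and reports per peer the MM_WAIT state, the number of retransmissions and the drop reasons. Inferring the role from the direction of the first IKE_DECODE line and the MM_WAIT mapping are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the ASA "debug crypto isakmp" output quoted
# above; 203.0.113.10 and 198.51.100.7 are documentation addresses, not real peers.
SAMPLE_DEBUG = """\
Dec 28 11:58:01 [IKEv1]: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Dec 28 11:58:01 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:01 [IKEv1]: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 256
Dec 28 11:58:09 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 256
Dec 28 11:58:10 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 28 11:58:10 [IKEv1]: IP = 203.0.113.10, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 28 11:58:10 [IKEv1]: IP = 203.0.113.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 28 12:02:00 [IKEv1]: IP = 198.51.100.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 120
Dec 28 12:02:00 [IKEv1]: IP = 198.51.100.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 12:02:03 [IKEv1]: IP = 198.51.100.7, Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
"""

LINE_RE = re.compile(r"^(?:\w{3} +\d+ [\d:]+ )?\[IKEv1(?: DEBUG)?\]: (?:IP = (?P<ip>[\d.]+), )?(?P<msg>.*)$")
DECODE_RE = re.compile(r"IKE_DECODE (?P<dir>SENDING|RECEIVED|RESENDING) Message \(msgid=\w+\) with payloads : (?P<payloads>.*?) total length")
FAIL_RE = re.compile(r"Received an un-encrypted (?P<notify>[A-Z_]+) notify message"
                     r"|(?P<dup>Duplicate Phase 1 packet detected)|Phase 1 failure: *(?P<reason>.+)")

@dataclass
class PeerState:
    role: str = "unknown"   # assumption: the first IKE_DECODE direction tells initiator/responder
    sent: list = field(default_factory=list)      # payload names of each message we sent
    received: list = field(default_factory=list)  # payload names of each message we received
    resends: int = 0
    failures: list = field(default_factory=list)

def payload_names(text):
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> ['SA', 'VENDOR']"""
    names = [part.strip().split(" ")[0] for part in text.split("+")]
    return [n for n in names if n not in ("HDR", "NONE")]

def parse_debug(text):
    peers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        st = peers.setdefault(m.group("ip") or "unknown", PeerState())
        d = DECODE_RE.search(m.group("msg"))
        f = FAIL_RE.search(m.group("msg"))
        if d and st.role == "unknown":
            st.role = "initiator" if d.group("dir") == "SENDING" else "responder"
        if d and d.group("dir") == "RESENDING":
            st.resends += 1
        elif d:
            (st.sent if d.group("dir") == "SENDING" else st.received).append(payload_names(d.group("payloads")))
        elif f:
            st.failures.append(f.group("notify") or f.group("reason") or "duplicate Phase 1 packet")
    return peers

def mm_state(st):
    """Main Mode state the peer sits in, as 'show crypto isakmp sa' would report it.
    MM1/MM2 carry SA, MM3/MM4 carry KE+NONCE; we wait for the first of those not yet received."""
    got_sa = any("SA" in p for p in st.received)
    got_ke = any("KE" in p for p in st.received)
    if st.role == "initiator":
        return "MM_WAIT_MSG2" if not got_sa else "MM_WAIT_MSG4" if not got_ke else "MM_WAIT_MSG6"
    return "MM_WAIT_MSG1" if not got_sa else "MM_WAIT_MSG3" if not got_ke else "MM_WAIT_MSG5"

def diagnose(text):
    return {ip: {"role": st.role, "state": mm_state(st), "resends": st.resends,
                 "failures": st.failures} for ip, st in parse_debug(text).items()}
```

    Run diagnose(SAMPLE_DEBUG) to get, per peer, the same MM_WAIT state the two posters read off "show isakmp sa", plus the retransmission count and the reasons the ASA logged for dropping or rejecting packets.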
  • ASA VPN - allow user based on LDAP Group

    Hello friends

    I have to create a configuration to allow connections based on LDAP group.

    I'm not specialized in the firewall and I tried to follow the links below, but both seem old; several commands are not available.

    http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Does anyone know how I can do this?

    Thank you

    Marcio

    I like to use DAP (dynamic access policies) to control this.  Follow this guide:

    https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

  • Assign static IP addresses by ISE to ASA VPN clients

    We will integrate the ASA remote access VPN service with a new ISE 1.2.

    Authentication is performed against Active Directory. After authentication, can an IP address be assigned to a specific VPN user by ISE?

    This means that the same VPN user will always get the same IP address. Thank you.

    Daniel,

    You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.

    However if I may make a suggestion:

    Unless you have only a handful of users to do so for, it may be more appropriate to assign the address from an ISE pool or to perform the LDAP attribute mapping on the ASA itself.

    In the latter case, the IP addresses are kept on the server as LDAP attributes and the ASA will map the IP address. You don't want to keep an IP address DB in several places.

    M.

  • Device behind another firewall, ASA VPN

    I have a client who wants to put their VPN ASA behind the main ASA connected to the Internet.  Both devices have an inside leg to the internal network, but the VPN ASA connects to the Internet through the other ASA.

    Topology:

    Outside FW: Internet > ASA/FW > DMZ leg to ASA/VPN

    ASA VPN: outside interface on the L3 DMZ interface of the ASA/FW link

    On the outside FW I NAT the external address of the VPN ASA's outside interface to an available public IP address, and I have a rule that allows all IP from outside to the VPN's outside private IP.  Inside = 192.168.254.1, outside = public IP address.

    Configured on the VPN ASA: standard ASA SSL remote access.

    When I hit the NAT public IP address, nothing happens.  I've run packet-tracer on the outside FW, and everything seems good.

    Does anyone have a sample plan/config for a similar topology?     Internet > ASA/FW > dmz-leg > ASA/VPN

    Thanks in advance,
    Bob

    Can you share your NAT and routing configuration of these two ASAs?

  • ASDM on VPN conc (ASA) over VPN access

    I have a scenario like this:

    One ASA, which is the FW, does static NAT from a public to a private IP, and the private IP address is the VPN conc (another ASA). I access these devices via the VPN client and I get an IP address from the VPN pool set on the VPN conc. The VPN conc is in a DMZ VLAN, but it also has a connection to the local network segment. For mgmt purposes, I connect to this VPN conc through SSH via a switch in the local network segment. To use http access, I have to be on one of the servers that are in the local network segment. So, when I set up the VPN connection and I'm on the VPN conc, what can I do to access http directly from my PC?

    Set this up on the VPN conc:

    management-access inside

    After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside ip address.

    hth
    Herbert
    (Note: I assume the interface connected to the LAN is named "inside"; if not, adapt at will.)

  • ASA VPN Plus = SSL VPN?

    Hello

    I have a FO pair; I need to replace an ASA5520 which has a VPN Plus 750 license.

    Can I use an ASA5520 with ASA5500-SSL-750 instead?

    Regards, Tony

    Yes, it is still available to order. Part number: ASA5520-VPN-PL=

    In addition, this ASA VPN Plus would be much, much cheaper than the SSL VPN license.

    Thank you

    Kiran

  • ASA VPN on physical IP address only?

    Hello

    Is it possible to set up a dedicated virtual IP address for the VPN endpoint on ASA version 8.3 and later?

    I don't want to use the physical IP address on my external interface.

    Thank you

    No problem. Please kindly mark this post as answered so that others may learn from your post. Thank you.

  • ASA VPN load balancing and failover

    Hi all.

    We have two ASA5520s configured as primary unit and standby in a failover configuration, and everything works fine.

    Is it possible, with this configuration (failover), to configure VPN load balancing/clustering?

    Thank you

    Daniele

    Hi Daniele,

    You cannot run both the VPN load balancing feature and the failover feature on the same two ASA firewalls.

    Where you need both features, you must use three or more ASA firewalls: the first two ASAs work as a failover pair and the third ASA works as the VPN cluster with them. The following example uses four firewalls:

    ASA1 (FO active) - ASA2 (FO standby)
          (VPN virtual master)
                   |
                   |
          (backup VPN device)
    ASA3 (FO active) - ASA4 (FO standby)

    Kind regards

    Wajih

  • VPN Concentrator to ASA VPN conversion question

    I sent our VPN3k config to TAC and they converted it to the ASA format.  A major problem that I see is that the concentrator has a group name (which is equivalent to a tunnel group on the ASA) with spaces inside, and the ASA does not accept that.  Our primary RA VPN group is 'All staff'; in the converted config it's "All_Staff", and I guess that this is going to work for users with the existing VPN client configuration file.

    We have hundreds of users; a new config file or an attempt to explain how to fix this problem manually is out of the question.  Are there other workarounds?

    Thank you.

    Try to rename the group to "All staff" (including the quotation marks!)

    so

    tunnel-group "All staff" type remote-access

    HTH

    Herbert

  • Multi-context ASA SSL VPN question

    Hello

    We have a pair of firewalls on which we run multiple contexts for clients.  We have recently upgraded them and have been using the newly supported AnyConnect client.  This all works fine but I feel I'm missing something.  If the customer does not have the AnyConnect client already, how do they get it?  Normally, you go to the web page and it downloads the client, but all I get is "Clientless VPN is not supported in Multiple context mode.", which is fine, but how is the customer supposed to get the client in the first place?

    Any information would be helpful.

    Chris L.

    Hi Chris,

    The AnyConnect WebLaunch feature is not supported on an ASA running in multi-context mode.

    There is an enhancement request that has been opened to allow this, as well as other features, while the ASA is in multi-context mode. Here is the link you can refer to:

    https://Tools.Cisco.com/bugsearch/bug/CSCuw19758/?reffering_site=dumpcr

    Kind regards

    Aditya

    Please rate useful messages and mark the correct answers.
