ASA 5512 different route by VPN Group (VRF as feature?)

Hello

Here's what I'm trying to do. I have a Nexus 7000 with several of the VRF, simplicity lets call it A VRF, VRF B, VRF C. VRF A simulates a network of management and VRF B and C are customer environments. VRF B and C VRF will be overlap of intellectual property. I have a 5512 ASA I use VPN in the environment, it also provides internet access for applications that run in A VRF, (VRF B and C do not require internet access). What I want to do is to implement three different access VPN on the SAA even, where some users will have VPN 1 group policy and have access to the VRF has, but should not have access to the VRF B or C, same VPN 2 should have access to the VRF B and 3 C VRF VPN.

My original intent was to configure the ASA with 0/0 to internet Gig, Gig 0/1 A VRF and then Gig 0/2 sub interfaced so 0/2.10 is 10.10.10.1 in VLAN 101 that connects VRF B, 0/2.11 concert would be 10.10.10.1 in 102 VLAN that connects to VRF C. However, better than I can tell ASA 5512 is not aware of VRF (or is it just a separate license, I would need?) and as such, it is not possible.

Next similar reflection, but instad configure as 0/2.10 is 10.10.10.1 in VLAN 101 that connects VRF B, 0/2.11 concert would be 10.10.11.1 in 102 VLAN that connects to VRF C. However, I throw it here, issues as the VPN 2 and 3 need access to devices with the same IP address, which is even better I can tell, the ASA is not able to make Policy based routing.

Is there another way to do this? Is there something that I am on?
I need to make sure that the 2A VPN users can access services available in the VRF B, they should not have the ability to access (intentionally or not) services on VRF A or C, nor the users VPN 1 or 3.

I have also a 5585 ASA w / context multi license, I can then creates a context by VRF (that I have), I then interfaces in each correct the VRF-related context. However, I do not think that I can terminate VPN here, best I can tell when in multi-contexte mode you can not have VPN license.

Your research led you to conclude correctly that the ASA is neither compatible with VRF nor can it be based on routing strategies. Also, you cannot terminate remote access VPN on an ASA multi-contexte.

Doing what you ask a single AAS is a bit problematic. If you had a unique internal addresses, the subinterfaces would work fine.

Because it looks like you have a virtualization infrastructure, have you considered using the low cost ASAv? You could run multiple instances, one per VRF. Everyone knows only the public address space and its respective assocated VRF.

Tags: Cisco Security

Similar Questions

VPN between ASA and cisco router [phase2 question]

Hi all

I have a problem with IPSEC VPN between ASA and cisco router

I think that there is a problem in the phase 2

Can you please guide me where could be the problem.
I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified below

Looking forward for your help

Phase 1 is like that

Cisco_router #sh crypto isakmp his

IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVE

and ASA

ASA # sh crypto isakmp his

ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1

1 peer IKE: 78.x.x.41
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

Phase 2 on SAA

ASA # sh crypto ipsec his
Interface: Outside
Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4

Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
19.194.0 255.255.255.0
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41

#pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C96393AB

SAS of the esp on arrival:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4275000/3025)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4274994/3023)
Size IV: 8 bytes
support for replay detection: Y

Phase 2 on cisco router

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x0 (0)

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x3E9D820B (1050509835)

SAS of the esp on arrival:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4393981/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4394007/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

VPN configuration is less in cisco router

access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

sheep allowed 10 route map
corresponds to the IP 105

Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset

mycryptomap 100 ipsec-isakmp crypto map
the value of 87.x.x.4 peer
Set transform-set mytransformset
match address 101

crypto ISAKMP policy 100
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key xxx2011 address 87.x.x.4

Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.

You currently have:

Extend the 105 IP access list
5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

It should be:

Extend the 105 IP access list
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

IP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)

To remove it and add it to the bottom:

105 extended IP access list

not 5

IP 172.19.194.0 allow 60 0.0.0.255 any

Then ' delete ip nat trans. "

and it should work now.

Site to Site VPN - ASA 5510 / 851 router - no Sas?

We have installed an ASA 5510, version 1.0000 software running. In a remote area, we have a Cisco router to 851 with tunneling IPSec VPN for a PIX 515e. I try to open a backup between the 851 and ASA connection new, and I have a problem. I used ASDM on the side of the ASA and CCP on the side 851 and created a new VPN site to site on both, with PSK encryption algorithms, etc.. I checked the connectivity between the external interfaces of the two devices, and the associated ACLs are simple, because they allow all IP traffic on the internal side of the two devices to talk with each other.

When I do a "crypto isakmp to show his" on the SAA, I get "there is no its isakmp. When I do the same on the 851 router, I see only the existing connection to the PIX. It seems that the tunnel does not run again. I turned on debug various crypto and sent a series of pings, and I don't see any tunnel initiaion even be attempted.

CCP has a VPN to test the tool built in to the router. ASDM has a similar feature? Here's the relevant configs (at least I think... the SAA is enough Greek to me):

ASA 5510 (within the network of 10.20.0.0/16. The perfectly functional PIX is also on this network, with a different public IP address)

access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.0.0 255.255.0.0 !

nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map ATTOutside_map 2 match address ATTOutside_2_cryptomap crypto map ATTOutside_map 2 set peer 24.140.152.144 crypto map ATTOutside_map 2 set transform-set ESP-3DES-MD5 crypto map ATTOutside_map interface ATTOutside

crypto isakmp enable ATTOutside crypto isakmp enable Inside crypto isakmp policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 170 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400

tunnel-group 24.140.152.144 type ipsec-l2l tunnel-group 24.140.152.144 ipsec-attributes

!
851 router (within the 10.192.4.0/24 network)

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

crypto isakmp policy 3

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key si9bw1u8woaz address 65.42.15.142

crypto isakmp key 123 address 12.49.251.3

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to65.42.15.142

set peer 65.42.15.142

set transform-set ESP-3DES-SHA1

match address 102

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to12.49.251.3

set peer 12.49.251.3

set transform-set ESP_3DES_MD5

match address 102

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.11.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.12.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.13.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.14.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.18.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.19.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.22.0.0 0.0.255.255

access-list 102 permit ip 10.192.4.0 0.0.0.255 10.23.0.0 0.0.255.255

Michael,

Since you are using the same ACL, subnets, even and even while on your router to your VPN 1 tunnels config and 2, your second VPN tunnel will not succeed because the router already has a tunnel with the PIX for the same traffic.

If you want to configure the ASA as peer backup scratch the second card encryption and instead, add the public IP ASA as a second peer under the original crypto configuration.

Like this:

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to65.42.15.142

set peer 65.42.15.142

set peer 12.49.251.3

game of transformation-ESP-3DES-SHA1

match address 102

The router will attempt to connect to the PIX and if this fails (which means that the PIX has never responded) then it will try to connect to the ASA.

To test it, you could do either of two things: 1. taking the internet conection low PIX will make the router try to connect to the secondary host. 2: change (temporarily) on the router address peer of the PIX to a bogus IP that won't respond, when only one omits the router must try to negotiate with the ASA.

I hope this helps.

Raga

IOS router with several groups of VPN

Similar to a discussion, I read with a PIX firewall, I need to set up multiple VPN groups on IOS-based router to support different levels of security. For example, a VPN "GUESTS" group would only have access to 1 server, while the VPN "ADMIN" group would have access to the entire network.

With a PIX firewall, you can simply specify additional group names (for example "group1 vpngroup',"vpngroup group2"and so on). However, I have not been able to find how do with IOS-based router (Cisco 831 12.3 (4) T) running.

For example, I have these dynamic groups of VPN:

the crypto isakmp client configuration group of GUESTS

password1 keys

DNS 10.1.1.1

swimming POOL1-IP pool

Configuration group customer crypto isakmp ADMIN

key password2

DNS 10.1.1.1

POOL2-IP pool

! - Users get authenticated to a RADIUS server

list of card crypto CRYPTOMAP customer VPN-USER authentication

! - The problem is that line taken out. "I can only specify an allow list (a group name) for this encryption card!)

card crypto CRYPTOMAP ADMIN isakmp authorization list

I did research on this site, Google, usenet and ORC and have not found what I'm looking for. Any ideas?

Thank you.

Command 'isakmp authorization list' you do it reference does not refer to the VPN group, it refers to a whitelist of AAA name which States that the groups are configured locally. Change to the following:

AAA authorization groupauthor LAN

card crypto isakmp authorization list groupauthor CRYPTOMAP

The "groupauthor" is just a label that matches the encryption to the aaa command. Your clients VPN will be accompanied to a specific group depends on what group name, they set up in their VPN client.

See http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080095106.shtml for details, it's a HW 3002 client to a router but the router config is exactly the same thing.

How to match tunnel-group with auth ASA 8.2 and IPSec VPN Client using digital certificates with Microsoft CA

Hello

I set up a lab for RA VPN with a version of the ASA5510 8.2 and VPN Client 5 software using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco's Web site:

http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080930f21.shtml

Now, the vpn works fine, but now I need to configure a tunnel-different groups so I can provide different services to different users. The problem I have now is that I don't know how to set it up for the certificate is the name of tunnel-group. If I do an ASA debug crypto isakmp I get this error message:

% ASA-713906 7: IP = 165.98.139.12, trying to find the group through OR...
% 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
% ASA-713906 7: IP = 165.98.139.12, trying to find the group via IKE ID...
% 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
% ASA-713906 7: IP = 165.98.139.12, trying to find the group via IP ADDR...
% ASA-713906 7: IP = 165.98.139.12, trying to find the group using default group...
% ASA-713906 7: IP = 165.98.139.12, connection landed on tunnel_group DefaultRAGroup

So, basically, when using certificates I connect always VPN RA only with the group default DefaultRAGroup. Do I have to use a model of different web registration for application for a certificate instead of the user model? How can I determine the OU on the user certificate so that match tunnel-group?

Please help me!

Kind regards

Fernando Aguirre

You can use the group certificate mapping feature to map to a specific group.

This is the configuration for your reference guide:

http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/IKE.html#wp1053978

And here is the command for "map of crypto ca certificate": reference

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2186685

Hope that helps.

Multiple VPN groups on the ASA firewall

I have a remote VPN configured in my ASA firewall with a group of users configured on the external ACS VPN. The group called VPNASA to authenticate via the ACS server and the server ip pool is on the firewall of the SAA. Now, my boss asked me to set up a second VPN group called VPNSALES on the ACS server for the same remote VPN on the ASA firewall. How to configure the firewall for the ASA to accept both the Group and authenticate on the same ACS server? I've never done this before so I need help.

Thank you very much!

Hello

all you need to do is create another group strategy and attach it to a group of tunnel: -.

internal vpnsales group policy

attributes of the strategy of group vpnsales

banner - VPN access for the sales team

value x.x.x.x DNS server

split tunnel political tunnelspecified

Split-tunnel-network-list split-sales value

address-pools sales-pool

value by default-domain mydomain.com

type tunnel-group vpnsales remote access

tunnel-group vpnsales General-attributes

authentication-server-group vpnsales

Group Policy - by default-vpnsales

vpnsales ipsec tunnel - group capital

pre-share-key @.

you will also create a map of the attribute named vpnsales for acs auth.

Thank you

Manish

Configuration of VLAN 'Wi - Fi comments' on ASA 5512

I'm trying to configure a new vlan on my Cisco ASA 5512 running version 8.6 (1) 2. This vlan will give access to AP Wireless 'invited' into my network. I have the configuration of vlan comments through my switches, I am able to devote a switch port to 40 VLANS and acquire an IP address in the network 10.40.10.0/24. Below is an extract from what I think is relevent to the config information. I try to carry the traffic of comments on my ' outside' interface.

Obvious to me miss me another command here. Any help would be appreciated to greatling. If more running-config is required please advise. Thanks in advance!

_________________________________________________________

interface GigabitEthernet0/1.40

Description comments Wireless Network

VLAN 40

nameif guestwireless

security-level 50

IP 10.40.10.5 255.255.255.0

Route outside 0.0.0.0 0.0.0.0 X.X.X.X 1 (public IP address to X.X.X.X)

access extensive list ip 10.40.10.0 guestwireless_access_in allow 255.255.255.0 interface outside

guestwireless MTU 1500

Access-group guestwireless_access_in in the guestwireless interface

dhcpd address 10.40.10.50 - 10.40.10.250 guestwireless

dhcpd dns 8.8.8.8 interface guestwireless

guestwireless enable dhcpd

________________________________________________________

Here is the part of the killing

interface GigabitEthernet0/0

ISP Interface Description

nameif outside

security-level 100

To take

interface GigabitEthernet0/0

security level 0

You do not want the more precarious with the higher level hehe safety interface

Looking for a Networking Assistance?
Contact me directly to [email protected] / * /

I will fix your problem as soon as POSSIBLE.

See you soon,.

Julio Segura Carvajal
http://laguiadelnetworking.com

Password Cisco Anyconnect VPN group

In an earlier version of the Cisco VPN client (with VPN concentrator), we had the option to set the password for the group.

With anyconnect (SSL or IPSec, no browser based) there is no provision for this. How can I compensate for this in

AnyConnect since only the user name and passwords are used to establish the vpn?

I think that the problem with this approach is how to prevent a user who needs to be in a group of connection and choosing a different group on the login screen. The usual way to deal with this is with the locking of a group setting. Group lock works if users are authenticated using the local user ASA database. I got it to work when users are authenticated through RADIUS. I didn't see a way to get GANYMEDE pass the ID group ASA and so not sure that group lock will work when authenticating via GANYMEDE.

HTH

Rick

Traffic of Client VPN routing via VPN Site to Site

Hello

We have the following scenario:

Office (192.168.2.x)
Data Center (212.64.x.x)
Home workers (192.168.2.x) (scope DHCP is in the office subnet)

Connections:

Desktop to Data Center traffic is routed through a Site at IPSec VPN, which works very well.
Welcome to the office is routed through a Site IPSec VPN Client.

The question we have right now, is the Client VPN works, and we have implemented a split tunnel which includes only the subnet of the Office for a list of network.

What I have to do, is to route all traffic to home' to 'Data Center' by site to Site VPN is configured.

I tried to add the ranges of IP data center to the list of Client VPN Split tunnel, but when I do that and try to connect at home, I just get a "connection timed out" or denied, as if she was protected by a firewall?

Could you please let me know what I missed?

Result of the command: "show running-config"

: Saved

ASA Version 8.2(5)

hostname ciscoasa

domain-name skiddle.internal

enable password xxx encrypted

passwd xxx encrypted

names

name 188.39.51.101 dev.skiddle.com description Dev External

name 192.168.2.201 dev.skiddle.internal description Internal Dev server

name 164.177.128.202 www-1.skiddle.com description Skiddle web server

name 192.168.2.200 Newserver

name 217.150.106.82 Holly

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.254 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.3.250 255.255.255.0

time-range Workingtime

periodic weekdays 9:00 to 18:00

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server Newserver

domain-name skiddle.internal

same-security-traffic permit inter-interface

object-group service Mysql tcp

port-object eq 3306

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network rackspace-public-ips

description Rackspace Public IPs

network-object 164.177.132.16 255.255.255.252

network-object 164.177.132.72 255.255.255.252

network-object 212.64.147.184 255.255.255.248

network-object 164.177.128.200 255.255.255.252

object-group network Cuervo

description Test access for cuervo

network-object host Holly

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_3 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_4 tcp

port-object eq www

port-object eq https

access-list inside_access_in extended permit ip any any

access-list outside_access_in remark ENABLES Watermark Wifi ACCESS TO DEV SERVER!

access-list outside_access_in extended permit tcp 188.39.51.0 255.255.255.0 interface outside object-group DM_INLINE_TCP_4 time-range Workingtime

access-list outside_access_in remark ENABLES OUTSDIE ACCESS TO DEV SERVER!

access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_3

access-list outside_access_in remark Public Skiddle Network > Dev server

access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 interface outside eq www

access-list outside_access_in extended permit tcp object-group rackspace-public-ips interface outside eq ssh

access-list outside_access_in remark OUTSIDE ACCESS TO DEV SERVER

access-list outside_access_in extended permit tcp object-group Cuervo interface outside object-group DM_INLINE_TCP_1 inactive

access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 host dev.skiddle.internal object-group DM_INLINE_TCP_2 inactive

access-list inside_access_in_1 remark HTTP OUT

access-list inside_access_in_1 extended permit tcp any any eq www

access-list inside_access_in_1 remark HTTPS OUT

access-list inside_access_in_1 extended permit tcp any any eq https

access-list inside_access_in_1 remark SSH OUT

access-list inside_access_in_1 extended permit tcp any any eq ssh

access-list inside_access_in_1 remark MYSQL OUT

access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 object-group Mysql

access-list inside_access_in_1 remark SPHINX OUT

access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 eq 3312

access-list inside_access_in_1 remark DNS OUT

access-list inside_access_in_1 extended permit object-group TCPUDP host Newserver any eq domain

access-list inside_access_in_1 remark PING OUT

access-list inside_access_in_1 extended permit icmp any any

access-list inside_access_in_1 remark Draytek Admin

access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 4433

access-list inside_access_in_1 remark Phone System

access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 35300 log disable

access-list inside_access_in_1 remark IPSEC VPN OUT

access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq 4500

access-list inside_access_in_1 remark IPSEC VPN OUT

access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq isakmp

access-list inside_access_in_1 remark Office to Rackspace OUT

access-list inside_access_in_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list inside_access_in_1 remark IMAP OUT

access-list inside_access_in_1 extended permit tcp any any eq imap4

access-list inside_access_in_1 remark FTP OUT

access-list inside_access_in_1 extended permit tcp any any eq ftp

access-list inside_access_in_1 remark FTP DATA out

access-list inside_access_in_1 extended permit tcp any any eq ftp-data

access-list inside_access_in_1 remark SMTP Out

access-list inside_access_in_1 extended permit tcp any any eq smtp

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list inside_nat0_outbound extended permit ip any 192.168.2.128 255.255.255.224

access-list inside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list outside_1_cryptomap_1 extended permit tcp 192.168.2.0 255.255.255.0 object-group rackspace-public-ips eq ssh

access-list RACKSPACE-cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list RACKSPACE-TEST extended permit ip host 94.236.41.227 any

access-list RACKSPACE-TEST extended permit ip any host 94.236.41.227

access-list InternalForClientVPNSplitTunnel remark Inside for VPN

access-list InternalForClientVPNSplitTunnel standard permit 192.168.2.0 255.255.255.0

access-list InternalForClientVPNSplitTunnel remark Rackspace

access-list InternalForClientVPNSplitTunnel standard permit 164.177.128.200 255.255.255.252

access-list InternalForClientVPNSplitTunnel remark Rackspace

access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.16 255.255.255.252

access-list InternalForClientVPNSplitTunnel remark Rackspace

access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.72 255.255.255.252

access-list InternalForClientVPNSplitTunnel remark Rackspace

access-list InternalForClientVPNSplitTunnel standard permit 212.64.147.184 255.255.255.248

pager lines 24

logging enable

logging console debugging

logging monitor debugging

logging buffered debugging

logging trap debugging

logging asdm warnings

logging from-address [email protected]/* */

logging recipient-address [email protected]/* */ level errors

mtu inside 1500

mtu outside 1500

ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0

ip verify reverse-path interface inside

ip verify reverse-path interface outside

ipv6 access-list inside_access_ipv6_in permit tcp any any eq www

ipv6 access-list inside_access_ipv6_in permit tcp any any eq https

ipv6 access-list inside_access_ipv6_in permit tcp any any eq ssh

ipv6 access-list inside_access_ipv6_in permit icmp6 any any

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www dev.skiddle.internal www netmask 255.255.255.255

static (inside,outside) tcp interface ssh dev.skiddle.internal ssh netmask 255.255.255.255

access-group inside_access_in in interface inside control-plane

access-group inside_access_in_1 in interface inside

access-group inside_access_ipv6_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.3.254 10

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

http server enable 4433

http 192.168.1.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto map outside_map 1 match address RACKSPACE-cryptomap_1

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 94.236.41.227

crypto map outside_map 1 set transform-set ESP-AES-128-SHA

crypto map outside_map 1 set security-association lifetime seconds 86400

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca xxx

quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

dhcprelay server 192.68.2.200 inside

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 194.35.252.7 source outside prefer

webvpn

port 444

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1 regex "Intel Mac OS X"

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec webvpn

group-policy skiddlevpn internal

group-policy skiddlevpn attributes

dns-server value 192.168.2.200

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value InternalForClientVPNSplitTunnel

default-domain value skiddle.internal

username bensebborn password *** encrypted privilege 0

username bensebborn attributes

vpn-group-policy skiddlevpn

username benseb password gXdOhaMts7w/KavS encrypted privilege 15

tunnel-group 94.236.41.227 type ipsec-l2l

tunnel-group 94.236.41.227 ipsec-attributes

pre-shared-key *****

tunnel-group skiddlevpn type remote-access

tunnel-group skiddlevpn general-attributes

address-pool CiscoVPNDHCPPool

default-group-policy skiddlevpn

tunnel-group skiddlevpn ipsec-attributes

pre-shared-key *****

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

policy-map global-policy

class inspection_default

inspect icmp

inspect icmp error

inspect ipsec-pass-thru

inspect ftp

service-policy global_policy global

smtp-server 164.177.128.203

prompt hostname context

call-home reporting anonymous

Cryptochecksum:6c2eb43fa1150f9a5bb178c716d8fe2b

: end

You must even-Security-enabled traffic intra-interface to allow communication between vpn VPN.

With respect,

Safwan

Remember messages useful rate.

Cisco 2911 and ASA 5512 remove double NAT

Greetings,

I have 2 subnets on Cisco 2911 router

192.168.3.0/24 and 192.168.1.0/24

3rd network 192.168.4.0/24 is natting internal interface to the modem for internet access. creating 2 NAT (NAT in router) and NAT in Modem

I just bought Cisco ASA 5512, no chance I could remove the Cisco 2911 router NAT and set the default gateway for Cisco ASA?

Yes you are right...

You must ensure that you get the routed LAN traffioc to hit inside the interface ASA in ASA, you can do PAT/NAT to access...

Concerning

Knockaert

IOS anyconnect vpn group lock and user restrictions

Dear Experts,

I now have two questions about cisco IOS vpn on ISR G2:

1 is it possible to lock user group in IOS anyconnect VPN we can do in ASA? If so, can someone share the steps for her?

2 - a customer wishes to restrict the anyconnect user login as it might turn the connection to the user on request. That is to say whenever the user wants to connect via vpn to ask the administrator to allow connection. can we do without deleting the username and create again?

the other may be on ASA or IOS.

Please see this guide:

http://www.Cisco.com/c/en/us/support/docs/security/iOS-easy-VPN/117634-c...

As he points out, "for the Cisco IOS group-lock and the ipsec: use vpn-group, it only works for IPSec (the easy VPN server)." In order to group-lock specific users in specific contexts of WebVPN (and strategies Group attached), authentication domains should be used. »

If you lock a user to a policy that authenticates, but does provide real access permissions (say an ACL that blocks all traffic to the private network) then you have essentially made their ability to non-functional connection.

If you use an external AAA server (for example, RADIUS or LDAP), then you can move in and out of the group which is authorized without disable VPN access / delete their account altogether.

Cisco SG300 / ASA 5505 intervlan routing problem

Dear all

I have a problem with the configuration correctly sg300 layer 3 behind the ASA 5505 switch (incl. license more security)

The configuration is the following:

CISCO SG300 is configured as a layer 3 switch

VLAN native 1: 192.168.1.254, default route ip address (inside interface ASA 192.168.1.1)

VLAN defined additional switch

VLAN 100 with 192.168.100.0/24, default gateway 192.168.100.254

VLAN 110 with 192.168.110.0/24, default gateway 192.168.110.254

VLAN 120 with 172.16.0.0/16, default gateway 172.16.10.254

Of the VLANS (100,110,120) different, I am able to connect to all devices on the other VIRTUAL local networks (with the exception of Native VLAN 1; is not the ping requests)

From the switch cli I can ping my firewall (192.168.1.1) and all the other gateways of VLANs and vlan (VLAN1, 100, 110, 120) devices

Asa cli I can only ping my switch (192.168.1.254) port, but no other devices in other VLAN

My question is this. What should I change or installation in the switch configuration or asa so that other VLANs to access the Internet through the ASA. I will not use the ASA as intervlan routing device, because the switch does this for me

I tried to change the asa int e0/1 in trunkport (uplink port switch also), to enable all the VLANS, but as soon as I do that, I can not ping 192.168.1.254 ASA cli more.

Any help is greatly appreciated

Concerning

Edwin

Hi Edwin, because the switch is layer 3, the only necessary behavior is to ensure that default gateways to the computer are set on the SVI interface connection to the switch to make sure that the switch is transfer traffic wished to the ASA.

The configuration between the ASA and the switch must stay true by dot1q, such as the vlan all other, unidentified native VLAN tagged.

Also, if I'm not wrong, on the SAA you must set the security level of the port to 100.

-Tom
Please evaluate the useful messages

ASA-6-110003: routing could not locate the next hop

Hello

I have a problem with our ASA firewall. I have a firewall that's inside, outside and DMZ interface. I have VPN clients that connect correctly and can access the internal network. However, for profiles that I have configured to connect via VPN to the DMZ network fails with the following messages.

ASA-6-110003: routing could not locate the next hop

&

ASA-6-302014: disassembly of the TCP connection... No contiguity valid

I have connections in the DMZ, but aren't VPN via internal and external interfaces without problem.

The routing table has a route to this network and I have a nat in place - I'm quite puzzled by the present.

Thank you

Ed

Hello Ed,

Well, Nat seems good but you can do the following for me please:

network of the DMZ_subnet object

10.1.213.0 subnet 255.255.255.0

network of the VPN_Subnet object

subnet 255.255.x.x x.x.x.x

public static DMZ_subnet DMZ_subnet destination NAT source (dmz - 2 outside) public static VPN_Subnet VPN_Subnet

Kind regards

Julio

2 internet connection teminated to ASA 5512

Hi all

I have 2 internet lines (leased and ADSL lines). My requirement is now ASA 5512 at the top of the network with IPS. I have 6 VLAN in the switch.

1 Vlan to the internet ensuring normal line ADSL .and all other Vlans and traffic to leased lines. Is this possible? It does not appear and is not primary and secondary.

Our goal: 5 VLAN left wear of leased lines

ADSL line that a single vlan wear for navigation.

Thanks for giving me your valuable thoughts and ideas...

Hi Sheikh,

ASA does not support load balancing or division of traffic over two different WAN links. You can do a primary and the other as a backup.

HTH

Concerning

Knockaert

Remote access VPN group name and password

Hi guys,.

Can someone tell me please the command to display a remote access VPN group name and the password on a firewall version 8.0 of ASA? Any help will be greatly appreciated.

Thank you

Lake

Remote VPN IPsec IKEv1 access are listed as groups of tunnel. If you enter

more system:running-config | b tunnel-group

You can see the config sections (starting with the first mention of the tunnel-group) as well as the pre-shared key ikev1 plaintext String.

ASA 5512 different route by VPN Group (VRF as feature?)

Similar Questions

Maybe you are looking for