ASA identity firewall
Hello
I have set up an identity firewall on an ASA version 5.6 on a DMZ interface.
I installed the AD Agent on a Win2008 domain member and configured it as follows:
aaa-server ADAGENT_SERVER protocol radius
 ad-agent-mode
aaa-server ADAGENT_SERVER (VPN) host 172.17.v.x
 key *****
I have configured the LDAP connection to the following domain controller:
aaa-server DOMAIN_SERVER protocol ldap
aaa-server DOMAIN_SERVER (VPN) host 172.17.v.z
 ldap-base-dn DC=YYY,DC=local
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn Lucas
 server-type microsoft
The identity configuration is:
user-identity domain YYY aaa-server DOMAIN_SERVER
user-identity default-domain YYY
user-identity action netbios-response-fail remove-user-ip
user-identity logout-probe netbios local-system
user-identity ad-agent aaa-server ADAGENT_SERVER
user-identity user-not-found enable
access-list 122 extended permit ip user YYY\ashdew any any
where ashdew is a domain user, ACL 122 (as one line) is applied on the DMZ interface and NAT is configured correctly.
The AD Agent has been tested properly and the ASA can reach it.
The ASA can connect to the AD domain controller and query the user database.
I placed a laptop with IP 172.17.h.x on the DMZ and can test the DMZ interface.
The laptop cannot authenticate to the domain and the ASA does not seem to retrieve the user identity.
Do I need to add additional rules in access list 122 to allow DC traffic?
Can I log on the AD Agent whether it is able to retrieve the user-to-IP mapping?
Thank you
Ashley
Hi Ashley,
You must ensure that the domain controller is configured correctly; please follow the instructions here:
http://www.Cisco.com/en/us/docs/security/IBF/setup_guide/ibf10_install.html#wp1058066 (Configuring the AD Agent to get information from AD domain controllers)
I suggest first checking that logon events are generated in the security event log of the domain controller. On Windows 2008 you will see event ID 4768. If they are not there, you will need to modify the audit policy as described in the link above.
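As an added illustration (not part of the original thread), the following Python script shows what the check above amounts to: it parses constructed Windows 2008 Security log text, keeps only successful 4768 (Kerberos TGT) events, strips the IPv4-mapped `::ffff:` prefix Windows writes into the Client Address field, and reports which users named in an identity ACL never produced a usable event. The log text, account names and addresses are constructed for the example; `audit_gaps` is a hypothetical helper name.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows 2008 Security log entries, one event per
# blank-line separated block. Event 4768 ("A Kerberos authentication ticket
# (TGT) was requested") carries the client address the AD Agent turns into
# a user-to-IP mapping. The third event is a failed pre-auth (0x18), the
# fourth is an unrelated event type.
SAMPLE_EVENTS = """\
Event ID: 4768
Account Name: ashdew
Supplied Realm Name: YYY
Client Address: ::ffff:172.17.1.50
Result Code: 0x0

Event ID: 4768
Account Name: LAPTOP01$
Supplied Realm Name: YYY
Client Address: ::ffff:172.17.1.51
Result Code: 0x0

Event ID: 4768
Account Name: bsmith
Supplied Realm Name: YYY
Client Address: ::ffff:172.17.1.52
Result Code: 0x18

Event ID: 4624
Account Name: ashdew
Logon Type: 3
"""


@dataclass
class TgtRequest:
    user: str
    realm: str
    client_ip: str
    result_code: str


FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_events(text):
    """Split the log text into events (dict of field -> value) on blank lines."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        events.append(current)
    return events


def normalise_ip(addr):
    """Windows logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def tgt_requests(text):
    """All 4768 events in the text, regardless of outcome."""
    return [TgtRequest(e["Account Name"], e["Supplied Realm Name"],
                       normalise_ip(e["Client Address"]), e["Result Code"])
            for e in parse_events(text) if e.get("Event ID") == "4768"]


def user_ip_mapping(text):
    """Return {DOMAIN\\user: ip} for successful, non-machine TGT requests,
    i.e. the entries an identity ACL such as
    'permit ip user YYY\\ashdew any any' could ever match on."""
    mapping = {}
    for r in tgt_requests(text):
        if r.result_code != "0x0" or r.user.endswith("$"):
            continue  # failed pre-auth or computer account: no user mapping
        mapping[f"{r.realm}\\{r.user}"] = r.client_ip
    return mapping


def audit_gaps(text, expected_users):
    """Users that appear in the ACL but have no usable 4768 event.
    A user listed here means the DC is not auditing Kerberos TGT requests
    (or the client never talked to this DC), so the ASA cannot learn the IP."""
    seen = user_ip_mapping(text)
    return sorted(u for u in expected_users if u not in seen)


if __name__ == "__main__":
    print(user_ip_mapping(SAMPLE_EVENTS))
    print(audit_gaps(SAMPLE_EVENTS, ["YYY\\ashdew", "YYY\\bsmith"]))
```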
Tags: Cisco Security
Similar Questions
-
Cisco ASA 5515: IPsec VPN tunnel between two ASA firewalls is not coming up
Hello everyone.
I configured an IPsec VPN tunnel between Singapore and Malaysia with ASA firewalls,
but the VPN does not come up. Can someone tell me what the root cause could be?
Here is the configuration of the two ASAs (I changed all the IP addresses):
Singapore:
sh run
ASA Version 9.2(2)4
!
hostname ASA5515-SSG520M
enable password PVSASRJovmamnVkD encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.15.4 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.5.3 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 160.83.172.8 255.255.255.224
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 nameif test
 security-level 100
 ip address 192.168.168.219 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
banner login ^C please disconnect if you are unauthorized access ^C
banner login please disconnect if you are unauthorized access
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
object network SG
 subnet 192.168.15.0 255.255.255.0
object network MK
 subnet 192.168.6.0 255.255.255.0
object service TCP_5938
 service tcp destination eq 5938
 description Team Viewer
object service tcp_3306
 service tcp destination eq 3306
object service tcp_465
 service tcp destination eq 465
object service tcp_587
 service tcp destination eq 587
object service tcp_995
 service tcp destination eq 995
object service TCP_9000
 service tcp destination eq 9000
object network Inside_host
 host 192.168.15.202
object service tcp_1111
 service tcp destination eq 1111
object service tcp_7878
 service tcp destination eq 7878
object service tcp_5060
 service tcp destination eq sip
object service tcp_5080
 service tcp destination eq 5080
object network NETWORK_OBJ_192.168.15.0_24
 subnet 192.168.15.0 255.255.255.0
access-list inside_access_in extended permit ip object SG any
access-list OUTSIDE_IN extended permit tcp any object Inside_host eq 9000 log
access-list outside_cryptomap extended permit ip 192.168.15.0 255.255.255.0 object MK
pager lines 24
logging enable
logging timestamp
logging buffer-size 30000
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging host test 192.168.168.231
logging host test 192.168.168.203
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu test 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static SG SG destination static MK MK no-proxy-arp route-lookup
!
object network SG
 nat (inside,outside) dynamic interface
object network Inside_host
 nat (inside,outside) static interface service tcp 9000 9000
access-group inside_access_in in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
snmp-server host test 192.168.168.231 trap community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CRYPTO-MAP 2 match address outside_cryptomap
crypto map CRYPTO-MAP 2 set peer 103.246.3.54
crypto map CRYPTO-MAP 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map CRYPTO-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group 143.216.30.7 type ipsec-l2l
tunnel-group 143.216.30.7 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 143.216.30.7 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 description Global
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ccce9a600b491c8db30143590825c01d
: end
Malaysia:
:
ASA Version 9.2(2)4
!
hostname ASA5515-SSG5-MK
enable password PVSASRJovmamnVkD encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.6.70 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 143.216.30.7 255.255.255.248
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 nameif test
 security-level 100
 ip address 192.168.168.218 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 ip address 1.1.1.1 255.255.255.0
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
clock timezone GMT+8 8
object network SG
 subnet 192.168.15.0 255.255.255.0
object network MK
 subnet 192.168.6.0 255.255.255.0
object service TCP_5938
 service tcp destination eq 5938
 description Team Viewer
object service tcp_3306
 service tcp destination eq 3306
object service tcp_465
 service tcp destination eq 465
object service tcp_587
 service tcp destination eq 587
object service tcp_995
 service tcp destination eq 995
object service TCP_9000
 service tcp destination eq 9000
object network Inside_host
 host 192.168.6.23
object service tcp_1111
 service tcp destination eq 1111
object service tcp_7878
 service tcp destination eq 7878
object service tcp_5060
 service tcp destination eq sip
object service tcp_5080
 service tcp destination eq 5080
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.6.0 255.255.255.0
access-list inside_access_in extended permit ip object SG any
access-list VPN-INTERESTING-TRAFFIC extended permit ip object MK object SG
access-list OUTSIDE_IN extended permit tcp any object Inside_host eq 9000 log
access-list outside_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object SG
pager lines 24
logging enable
logging timestamp
logging buffer-size 30000
logging buffered debugging
logging trap debugging
logging asdm informational
logging host test 192.168.168.231
logging host test 192.168.168.203
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu test 1500
mtu management 1500
ip verify reverse-path interface management
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static MK MK destination static SG SG no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static SG SG no-proxy-arp route-lookup
!
object network MK
 nat (inside,outside) dynamic interface
object network Inside_host
 nat (inside,outside) static interface service tcp 9000 9000
access-group inside_access_in in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map CRYPTO-MAP 2 match address outside_cryptomap
crypto map CRYPTO-MAP 2 set peer 160.83.172.8
crypto map CRYPTO-MAP 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CRYPTO-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group MK-to-SG type ipsec-l2l
tunnel-group MK-to-SG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 160.83.172.8 type ipsec-l2l
tunnel-group 160.83.172.8 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 160.83.172.8 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
Good news, the VPN has been established!
Regarding the ping problem, my suggestion is to check whether some kind of host-based firewall on the computers on both sides is blocking ICMP requests.
Anyway, you can still use packet capture on the inside interfaces of the two ASAs to check whether the ICMP traffic is reaching the ASA.
In addition, you can try to enable ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
-
Multiple VPN groups on the ASA firewall
I have a remote access VPN configured on my ASA firewall with a user group configured on the external ACS. The group called VPNASA authenticates via the ACS server, and the IP pool is on the ASA firewall. Now my boss has asked me to set up a second VPN group called VPNSALES on the ACS server for the same remote VPN on the ASA firewall. How do I configure the ASA firewall to accept both groups and authenticate them on the same ACS server? I've never done this before, so I need help.
Thank you very much!
Hello
All you need to do is create another group policy and attach it to a tunnel group:
group-policy vpnsales internal
group-policy vpnsales attributes
 banner value VPN access for the sales team
 dns-server value x.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-sales
 address-pools value sales-pool
 default-domain value mydomain.com
tunnel-group vpnsales type remote-access
tunnel-group vpnsales general-attributes
 authentication-server-group vpnsales
 default-group-policy vpnsales
tunnel-group vpnsales ipsec-attributes
 pre-shared-key @
You will also need to create an attribute map named vpnsales for ACS authentication.
Thank you
Manish
-
Diffie-Hellman groups on an ASA firewall
Hi all
A couple of questions I hope you can help me with.
Please can you tell me where I would change the Diffie-Hellman group for phase 1 on an ASA firewall, and is it possible in ASDM?
Also, do you have to enable PFS to have DH in phase 2?
Thank you very much
Alex
Hello Alex,
You can change the Diffie-Hellman group for phase 1 on the ASA by configuring the following command:
crypto isakmp policy
 group
To configure the same in ASDM, go to
Configuration > VPN > Site-to-Site > Connection Profiles > Add/Edit
You will find it under Settings, IPsec, Encryption Algorithms. Click the 'Manage' icon to the right of "IKE Policy". Click OK.
Click Add/Edit and there will be an option to change the Diffie-Hellman group.
And finally, regarding PFS: you can enable PFS to have DH in phase 2. Enabling PFS will force a new DH key exchange for phase 2.
Note: it is not mandatory, it's optional. If it's configured on one side, then it must be configured on the remote side as well.
Kind regards
Dinesh Moudgil
-
Hi to everyone.
I have an ASA firewall with the outside interface pointing to a router on subnet 192.168.1.0
and the inside interface on subnet 192.168.0.0.
I want to know whether it is required to configure a NAT object between the two interfaces, or whether that is not a prerequisite for the LAN segment behind the ASA to have Internet connectivity.
Thank you all!
Hello
It is not necessary to configure NAT on the ASA, provided your gateway router knows how to route packets destined for your home network and the router's NAT ACL can be configured to include your home subnet.
If you have a router in bridge mode that cannot have static routes or dynamic routing configured and cannot have its NAT policy edited, then you need to configure NAT on the ASA.
see you soon,
SEB.
-
Hello everyone.
I have a question about the ASA 5505 firewall.
The outside interface is security level 0:
interface Vlan10
 nameif outside
 security-level 0
An ACL was created to filter site-to-site traffic, and tunnel filtering was turned on:
no sysopt connection permit-vpn
object network ipsec_subnet
 subnet 192.168.11.0 255.255.255.248
access-list l2l-filter extended permit icmp any any
access-list l2l-filter extended permit tcp any object ipsec_subnet eq www
access-list l2l-filter extended permit tcp any object ipsec_subnet eq https
access-list l2l-filter extended permit tcp any object ipsec_subnet eq ftp
access-group l2l-filter in interface outside
Since I have only worked with routers so far, as far as I understand, in theory IPsec peers should not be able to establish IPsec tunnels with the ASA, since I did not allow inbound UDP 500, 4500 and ESP in the l2l-filter ACL, but in reality the tunnels work.
Can you please explain why an inbound ACL on the outside interface allows inbound IPsec connections.
Thank you
Kind regards
Alex
Hi Alex,
The only way to block UDP 500 traffic is to use a control-plane ACL.
We even see hits on the ACL:
access-list Inbound_Filter line 2 extended deny object-group IPSEC any any (hitcnt=7)
Have you tried clearing the connection?
Use 'clear conn address all' to delete the connection.
Kind regards
Aditya
Please evaluate the useful messages.
-
How to set up ASDM/HTTP access for a Cisco ASA firewall
Hi all
I am looking for a solution/guide that will allow our ASA 5510, v8.4(5) firewall, ASDM version 6.4(9), to use Active Directory users. I want to enable our administrators to access the ASA via ASDM using their AD accounts (a local administrator account also exists, but its password is not general knowledge).
Would anyone be able to advise on a guide/solution.
Thank you very much
If I understand your issue correctly, you want to enable AD authentication for ASDM/HTTP access to the ASA. If that is correct, you need to use the following command on the CLI to enable that:
ASA-32-22(config)# aaa authentication http console ?
configure mode commands/options:
  LOCAL  Predefined server tag for AAA protocol 'local'
  WORD   Name of RADIUS or TACACS+ aaa-server group for administrative
         authentication
After 'console' you need to define the name of the AD server you have configured on the ASA.
You can do the same thing using ASDM:
Change LOCAL to the AD server group that is listed there.
I hope that answers your question.
Thank you
Jeet Kumar
-
VPN on a Cisco ASA through a Cisco ASA firewall via DHCP.
Hi all!
Small question. I have an ASA5520 (8.2) acting as a VPN server with the correct configuration to request an address from DHCP on behalf of the VPN client. However, this ASAVPN is connected to a vpn-dmz on my other ASA5520 (8.0), which is our main firewall. I can see the request going across the DMZ and the inside and outside interfaces of the ASAFIREWALL. The DHCP server responds and refers to x.x.x.0. I had not initially set up DHCP relay on the ASAFIREWALL, as I had opened UDP 67, thinking it would just allow the reply back through without issue. Any idea how to get this working correctly?
Thank you
Raun
Hello Raun,
Please see the link from the Cisco engineers.
It will help you with this.
Any other questions... sure... Be sure to rate all my answers.
Julio
-
Cisco ASA5505: web services not available through the identity firewall
Hello, everyone!
So I am putting the puzzle together so that users log on via AD and get to the Internet.
Given: a Cisco ASA 5505. The AD Agent is installed on the domain controller (it reports dc - up and client - up), and the ASA quietly picks up user logons. IP addresses on the network are handed out by DHCP, which runs on a domain controller. The essence of the problem is that after the user authenticates, Internet access drops after a while. That is, the user logs on to the computer, then opens the browser, opens a few sites, then after 5-7 minutes of inactivity the Internet is no longer available. The Internet comes back when the user logs on again after some time, or when the "LAN network connection" on the computer is disabled for 1 minute. Where do I need to dig?
The configuration on the ASA is as follows:
object-group user ACTIVE_ALLOW
 user-group DCU\\CASA61_Allow
 user DCU\User1
 user DCU\User2
access-list inside_access_in_1 extended permit ip object-group-user ACTIVE_ALLOW 192.168.1.0 255.255.255.0 any log debugging
aaa-server ADA protocol radius
 ad-agent-mode
 interim-accounting-update
 reactivation-mode depletion deadtime 1
 merge-dacl after-avpair
aaa-server ADA (inside) host dc61-01
 key *****
 radius-common-pw *****
 no mschapv2-capable
aaa-server AD protocol ldap
 reactivation-mode depletion deadtime 1
aaa-server AD (inside) host dc61-01
 ldap-base-dn dc=DCU,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=CISCOASA61,OU=Users_MC,dc=DCU,dc=local
 server-type microsoft
user-identity domain DCU aaa-server AD
user-identity domain DC61-01 aaa-server AD
user-identity default-domain DCU
user-identity action domain-controller-down DCU disable-user-identity-rule
no user-identity action mac-address-mismatch remove-user-ip
no user-identity inactive-user-timer
user-identity logout-probe netbios local-system probe-time minutes 60 retry-interval seconds 5 retry-count 5 match-any
user-identity poll-import-user-group-timer hours 12
user-identity ad-agent active-user-database full-download
user-identity ad-agent aaa-server ADA
user-identity user-not-found enable
At this point, while writing this message here (20 min), the Internet dropped after 1 hour.
Hello;
Remove the NetBIOS probes and see if the problem goes away.
Mike.
-
ASA firewall interface security levels and access lists
Hello
I am trying to understand the correlation between ACLs and the security levels of an interface on an ASA.
I work with an ASA using both!??
Is this possible?
Assumptions: any ACL applied below is on the ingress interface only, in the inbound direction.
Scenario 1
Interface with a high security level to an interface with a low security level.
No ACLs = passes, as I expect.
What happens if there is an ACL denying a test packet in the above scenario?
Scenario 2
Low security to high.
No ACL = traffic will not pass, as I expect.
What happens if there is an ACL that permits the test packet above?
I have trawled through the documentation on the web site and cannot find examples that include both (using ACLs in conjunction with security levels).
Thank you in advance for any help offered.
Security levels on the interfaces of the ASA define how much you trust the traffic from that interface. Level 100 is the most trusted and 0 is the least trusted. Some people will use 50 for a DMZ because you trust it more than Internet traffic, but less than internal traffic.
This is how I look at the security levels:
A security level of 1 to 99 always has two implicit ACLs: one to permit traffic toward lower-security interfaces and one to deny traffic toward higher-security interfaces. Security level 100 has an implicit permit ip any any, and level 0 has an implicit deny ip any any.
In scenario 1, if you apply a deny ACL to a security level of 1-99, it will remove the implicit permit ip any any and deny traffic based on the ACL, plus all other traffic. You create an ACL to allow the other desired traffic. If this ACL is applied to a security level 100 interface, it will essentially deny all traffic, because it will remove the implicit permit ip any any ACL. Once again, you will need to create another ACL to permit traffic.
In scenario 2, if you apply a permit ACL to an interface with security level 0, it will permit that traffic but continue to deny all other traffic. However, if the security level is 1-100, it will allow that traffic to that destination and remove the implicit ACLs (permit and deny).
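As an added illustration (not from this thread or any Cisco code), a small Python model of the decision logic described in the answer above, which also covers the l2l-filter question earlier on this page: an inbound access-group replaces the security-level implicit rule entirely, while traffic addressed to the ASA itself (such as IKE on UDP 500 to the outside interface address) is never checked against the interface ACL and can only be filtered by a control-plane ACL. Interface addresses, subnets and ACL entries are constructed for the example; `decide` and `scenarios` are hypothetical helper names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol, else "tcp"/"udp"/"icmp"
    src: str             # CIDR, "0.0.0.0/0" == any
    dst: str             # CIDR
    dport: Optional[int] = None   # None == any destination port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass
class Interface:
    name: str
    security_level: int
    ip: str                                   # the interface's own address
    acl: Optional[List[Ace]] = None           # inbound access-group; None = none applied
    control_plane_acl: Optional[List[Ace]] = None


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(ace.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(ace.dst, strict=False):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate_acl(acl, pkt):
    """First matching entry wins; every ASA ACL ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def decide(ingress, egress, pkt):
    """Verdict for a packet entering on `ingress` and destined for `egress`.
    Returns (verdict, reason)."""
    # To-the-box traffic: the interface access-group is not consulted at all.
    if pkt.dst == ingress.ip:
        if ingress.control_plane_acl is None:
            return "permit", "to-the-box: no control-plane ACL"
        return evaluate_acl(ingress.control_plane_acl, pkt), "to-the-box: control-plane ACL"
    # An applied inbound ACL replaces the security-level implicit rule.
    if ingress.acl is not None:
        return evaluate_acl(ingress.acl, pkt), "inbound access-group"
    # No ACL: only strictly higher-to-lower security level passes by default
    # (equal levels also need same-security-traffic permit inter-interface).
    if ingress.security_level > egress.security_level:
        return "permit", "implicit: higher to lower security level"
    return "deny", "implicit: not higher security level"


def scenarios():
    """Run the two scenarios from the question plus the IKE-to-the-box case."""
    inside = Interface("inside", 100, "192.168.0.1")
    outside = Interface("outside", 0, "192.168.1.2")
    out_pkt = Packet("192.168.0.10", "198.51.100.7", "tcp", 443)
    r = {}
    # Scenario 1: high -> low with no ACL, then with an ACL denying the test packet
    r["s1_no_acl"] = decide(inside, outside, out_pkt)[0]
    inside_acl = Interface("inside", 100, "192.168.0.1", acl=[
        Ace("deny", "tcp", "192.168.0.0/24", "0.0.0.0/0", 443),
        Ace("permit", "ip", "192.168.0.0/24", "0.0.0.0/0")])
    r["s1_deny_acl"] = decide(inside_acl, outside, out_pkt)[0]
    r["s1_deny_acl_other"] = decide(inside_acl, outside,
                                    Packet("192.168.0.10", "198.51.100.7", "tcp", 80))[0]
    # Scenario 2: low -> high with no ACL, then with an ACL permitting the test packet
    in_pkt = Packet("198.51.100.7", "192.168.0.10", "tcp", 80)
    r["s2_no_acl"] = decide(outside, inside, in_pkt)[0]
    outside_acl = Interface("outside", 0, "192.168.1.2", acl=[
        Ace("permit", "tcp", "0.0.0.0/0", "192.168.0.10/32", 80)])
    r["s2_permit_acl"] = decide(outside_acl, inside, in_pkt)[0]
    r["s2_permit_acl_other"] = decide(outside_acl, inside,
                                      Packet("198.51.100.7", "192.168.0.10", "tcp", 443))[0]
    # l2l-filter case: IKE to the outside interface's own address is not in the ACL
    ike = Packet("203.0.113.9", "192.168.1.2", "udp", 500)
    r["ike_interface_acl_only"] = decide(outside_acl, inside, ike)[0]
    with_cp = Interface("outside", 0, "192.168.1.2", acl=outside_acl.acl,
                        control_plane_acl=[Ace("deny", "udp", "0.0.0.0/0", "192.168.1.2/32", 500)])
    r["ike_control_plane_acl"] = decide(with_cp, inside, ike)[0]
    return r


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24} {verdict}")
```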
-
Logging capability for the ASA firewall using the ASA-SSM-20 IPS module.
Hello
Could someone please give some tips on how to get the ASA-SSM-20 to log information to something like Kiwi Syslog etc. We just need to get the IPS alerts to generate SMS/email to alert the various response teams.
Thank you
Unfortunately, there is no syslog support:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807335ca.shtml
You can configure rules to send SNMP traps, and you can pull events using CETS, IPS Manager Express and Cisco.
If you have logging enabled on the ASA, a syslog message appears when the IPS is denying or blocking traffic.
Here is a link to the IPS configuration guides:
http://www.Cisco.com/en/us/products/HW/vpndevc/PS4077/tsd_products_support_configure.html
-
Block local VPN accounts from accessing the ASA firewall
I'm looking at the local accounts on the firewall and would like to make sure that users who have local accounts for VPN do not have management access to the firewall itself through ASDM, Telnet or SSH.
The only aaa command on the firewall is
aaa authentication ssh console LOCAL
With this command, if I change the local account setting to 'No ASDM, SSH, Telnet or Console access' (see attached screenshot), will that still allow users to VPN in and access the network as they need to, but remove any potential access to the firewall?
Thank you
Hello
Yes, selecting the option "No ASDM, SSH, Telnet or Console access" blocks only admin access to the firewall. Here's the equivalent CLI for this option:
myASA(config-username)# service-type ?
username mode commands/options:
  admin          User is allowed access to the configuration prompt
  nas-prompt     User is allowed access to the exec prompt
  remote-access  User is allowed network access
If you use this option, you will be using the third option in the list above, which is remote-access. Users will be able to VPN in but will have no admin access (ASDM, SSH, Telnet or console).
Thank you
Waris Hussain.
-
Site-to-site between two ASA firewalls
Hello
I have two ASAs and I have set up a S2S tunnel between the two ASAs. ASA1 is in HQ and ASA2 is in the branch office. The HQ ASA has multiple S2S connections and the branch ASA has only a S2S to headquarters. The scenario is that I want to send all traffic (both Internet and LAN in the HQ ASA) from ASA2 through the tunnel. The problem is that when the tunnel is up, there is connectivity from ASA2 (branch office) to the local network behind ASA1 (HQ), but the clients behind ASA2 have no connectivity when they try to go to the Internet. Thanks a lot in advance for any help!
HQ ASA external IP 192.x.y.z/24, LAN 10.70.0.0/16
Branch office ASA external IP 168.x.y.z/24, LAN 10.79.1.0/24
This should help you. On the branch ASA:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-list inside_nat0_outbound extended permit ip 10.79.1.0 255.255.255.0 x.x.x.x 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.79.1.0 255.255.255.0 x.x.x.x 255.255.255.0
x.x.x.x = the HQ subnet. On the HQ ASA you need the opposite ACLs:
access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0
This way the Internet traffic will be translated (NATed) because it goes out the outside interface, and the VPN traffic will not be translated as it goes down the tunnel.
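The site-to-site answer above requires the nat0 and crypto-map ACLs on the two peers to be mirror images of each other, and a mismatch there is a common reason a tunnel carries traffic in one direction only. Here is an added Python check for that. It is an illustration written for this page, not Cisco code or anything posted in the thread. The configuration snippets are constructed; the prefixes 10.70.0.0/16 and 10.79.1.0/24 are the HQ and branch LANs from the question, and the ACL names match those in the answer.

```python
from ipaddress import ip_network

# Constructed config fragments (hypothetical, for illustration). HQ_BAD has a
# typo in the branch prefix of its crypto ACL, the kind of mismatch that leaves
# one direction of the tunnel working and the other not.
BRANCH = """
access-list inside_nat0_outbound extended permit ip 10.79.1.0 255.255.255.0 10.70.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.79.1.0 255.255.255.0 10.70.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""
HQ_GOOD = """
access-list inside_nat0_outbound extended permit ip 10.70.0.0 255.255.0.0 10.79.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.70.0.0 255.255.0.0 10.79.1.0 255.255.255.0
"""
HQ_BAD = """
access-list inside_nat0_outbound extended permit ip 10.70.0.0 255.255.0.0 10.79.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.70.0.0 255.255.0.0 10.79.2.0 255.255.255.0
"""

def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC SMASK DST DMASK' into
    (name, action, src_network, dst_network). Other lines return None."""
    parts = line.split()
    if (len(parts) != 9 or parts[0] != "access-list"
            or parts[2] != "extended" or parts[4] != "ip"):
        return None
    name, action = parts[1], parts[3]
    src = ip_network(f"{parts[5]}/{parts[6]}", strict=False)
    dst = ip_network(f"{parts[7]}/{parts[8]}", strict=False)
    return name, action, src, dst

def acl_entries(config_text, acl_name):
    """Set of (action, src, dst) tuples for one named ACL in a config dump."""
    entries = set()
    for line in config_text.splitlines():
        parsed = parse_ace(line.strip())
        if parsed and parsed[0] == acl_name:
            _, action, src, dst = parsed
            entries.add((action, src, dst))
    return entries

def missing_mirror_entries(local_text, peer_text, acl_name):
    """Entries of the local ACL whose mirror (src/dst swapped) is absent from
    the peer's ACL of the same name. An empty set means the sides agree."""
    local = acl_entries(local_text, acl_name)
    peer = acl_entries(peer_text, acl_name)
    return {(a, s, d) for (a, s, d) in local if (a, d, s) not in peer}

def report(local_text, peer_text, acl_name):
    """Human-readable lines for every entry lacking a mirror on the peer."""
    lines = []
    for action, src, dst in sorted(missing_mirror_entries(local_text, peer_text, acl_name),
                                   key=lambda e: (str(e[1]), str(e[2]))):
        lines.append(f"{acl_name}: {action} {src} -> {dst} has no mirror on peer")
    return lines

if __name__ == "__main__":
    for name in ("inside_nat0_outbound", "outside_1_cryptomap"):
        print(name, "vs HQ_GOOD:", report(BRANCH, HQ_GOOD, name) or "OK")
        print(name, "vs HQ_BAD: ", report(BRANCH, HQ_BAD, name) or "OK")
```

Run the check in both directions (branch against HQ and HQ against branch), because an extra entry on one side is just as much a mismatch as a missing one.
-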
Can I use RADIUS AAA on an ASA 5505 to block outbound access by user name for users in a group? Thank you
Hello
I think you might be interested in checking out the new feature of ASA 8.4: Identity Firewall.
Identity Firewall
Generally, a firewall is not aware of the identity of the user and therefore cannot implement identity-based security policies.
The ASA Identity Firewall provides more granular access control based on the identity of users. You can configure access rules and security policies based on user names and group names rather than on source IP addresses. The ASA applies security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped user names instead of network IP addresses.
The Identity Firewall integrates with Windows Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active Directory as the source to retrieve the current user identity information for specific IP addresses.
In an enterprise, some users log on to the network using other authentication mechanisms, such as authenticating with a web portal (cut-through proxy) or by using a VPN. You can configure the Identity Firewall to allow these types of authentication in connection with identity-based access policies.
We introduced or modified the following commands: user-identity enable, user-identity default-domain, user-identity domain, user-identity logout-probe, user-identity inactive-user-timer, user-identity poll-import-user-group-timer, user-identity action netbios-response-fail, user-identity user-not-found, user-identity action ad-agent-down, user-identity action mac-address-mismatch, user-identity action domain-controller-down, user-identity ad-agent active-user-database, user-identity ad-agent hello-timer, user-identity ad-agent aaa-server, user-identity update import-user, user-identity static user, ad-agent-mode, dns domain-lookup, dns poll-timer, dns expire-entry-timer, object-group user, show user-identity, show dns, clear configure user-identity, clear dns, debug user-identity, test aaa-server ad-agent.
Please find attached the Configuration Guide chapter on the Identity Firewall.
Hope that points you in the right direction.
Kind regards.
-
Identity Firewall does not work with NAT
We are implementing an environment that restricts access to the Internet with rules based on Active Directory users and groups.
There were many difficulties, but the current state is:
- The 'Test' of the Identity Firewall server (Identity Options) returns GOOD for the group
- The 'Test' of the Active Directory Agent on Windows (Identity Options) returns GOOD
- The identity-based rules we applied on the inside interface of the firewall are not "respected".
The environment:
- We have two ASA 5520s in failover.
- There are four contexts in this pair of ASAs.
- For now we are activating the Identity Firewall in one context.
- Of course, the AD servers are in one of the inside networks of this context.
In the Identity Firewall Configuration Guide, we have seen that there are a lot of features that are not supported:
...
The following ASA features do not support using the identity-based object and FQDN:
- Route-map
- Crypto map
- WCCP
- NAT
- Group policy (except VPN filter)
- DAP
...
So when using NAT it does not work; just remove NAT?
How do we configure this feature? Does Identity work with NAT?
This is the reason why you do not have any user-IP mappings in the ASA.
The domain name configured in the ASA must be the NetBIOS domain name and it must match the one you see in the 'adacfg dc list' output, otherwise the ASA will drop all user-IP reports from the AD Agent.
You can try with the following new configs.
user-identity domain TEST4 aaa-server AD-TEST4
user-identity default-domain TEST4
access-list inside_access_in extended deny ip user TEST4\rodrigo any any