ASA VPN client and OWA Exchange/2013

Hi all... quick question ASA...

Does anyone know the status of support for OWA Exchange 2013 and the ASA webvpn client access?

I know that the ASA has a model for 2010... It works with 2013? Is there is the 2013 model in the pipeline for the ASA?

Thank you!

Hi Paul,.

There is an improvement (CSCul27869) that opens to Exchange 2013 be supported with ASA.

CSCul27869
It is an enhancement request to add support for OWA 2013 with webvpn.
https://Tools.Cisco.com/bugsearch/bug/CSCul27869/?reffering_site=dumpcr

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Tags: Cisco Security

Similar Questions

  • Cisco VPN Client and Windows XP VPN Client IPSec to ASA

    I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.

    PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?

    Config is:

    !

    interface GigabitEthernet0/2.30

    Description remote access

    VLAN 30

    nameif remote access

    security-level 0

    IP 85.*. *. 1 255.255.255.0

    !

    access-list 110 scope ip allow a whole

    NAT list extended access permit tcp any host 10.254.17.10 eq ssh

    NAT list extended access permit tcp any host 10.254.17.26 eq ssh

    access-list extended ip allowed any one sheep

    access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh

    sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0

    tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0

    flow-export destination inside-Bct 192.168.1.27 9996

    IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0

    ARP timeout 14400

    global (outside-Baku) 1 interface

    global (outside-Ganja) interface 2

    NAT (inside-Bct) 0 access-list sheep-vpn

    NAT (inside-Bct) 1 access list nat

    NAT (inside-Bct) 2-nat-ganja access list

    Access-group rdp on interface outside-Ganja

    !

    Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2

    Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1

    Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1

    Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1

    Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1

    Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1

    Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1

    Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1

    Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1

    dynamic-access-policy-registration DfltAccessPolicy

    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

    Crypto ipsec transform-set newset aes - esp esp-md5-hmac

    Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans

    Crypto ipsec transform-set vpnclienttrans transport mode

    Crypto ipsec transform-set esp-3des esp-md5-hmac raccess

    life crypto ipsec security association seconds 214748364

    Crypto ipsec kilobytes of life security-association 214748364

    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

    vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1

    card crypto interface for remote access vpnclientmap

    crypto isakmp identity address

    ISAKMP crypto enable vpntest

    ISAKMP crypto enable outside-Baku

    ISAKMP crypto enable outside-Ganja

    crypto ISAKMP enable remote access

    ISAKMP crypto enable Interior-Bct

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    No vpn-addr-assign aaa

    Telnet timeout 5

    SSH 192.168.1.0 255.255.255.192 outside Baku

    SSH 10.254.17.26 255.255.255.255 outside Baku

    SSH 10.254.17.18 255.255.255.255 outside Baku

    SSH 10.254.17.10 255.255.255.255 outside Baku

    SSH 10.254.17.26 255.255.255.255 outside-Ganja

    SSH 10.254.17.18 255.255.255.255 outside-Ganja

    SSH 10.254.17.10 255.255.255.255 outside-Ganja

    SSH 192.168.1.0 255.255.255.192 Interior-Bct

    internal vpn group policy

    attributes of vpn group policy

    value of DNS-server 192.168.1.3

    Protocol-tunnel-VPN IPSec l2tp ipsec

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split tunnel

    BCT.AZ value by default-field

    attributes global-tunnel-group DefaultRAGroup

    raccess address pool

    Group-RADIUS authentication server

    Group Policy - by default-vpn

    IPSec-attributes tunnel-group DefaultRAGroup

    pre-shared-key *.

    Hello

    For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

    Please see configuration below:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    or

    http://tinyurl.com/5t67hd

    Please see the section of tunnel-group config of the SAA.

    There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.

    So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.

    Secondly, because you are behind a router ADSL, I'm sure that's configured for NAT. can you please activate NAT - T on your ASA.

    "crypto isakmp nat-traversal.

    Thirdly, change the transformation of the value

    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

    Let me know the result.

    Thank you

    Gilbert

  • OWA (Exchange 2013) with ADFS

    Hello

    I tried to connect our OWA (Exchange 2013) to our ADFS server according to this guide - https://eu.netdocuments.com/neWeb2/docCent.aspx?whr=CA-ISRRR0MN

    I got one of the last steps (Activate authentication ADFS OWA and ECP) but I got an error now - when you try to run the command

    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -LiveIdAuthentication $false -WindowsAuthentication $false

    I get an error - a parameter cannot be found that matches parameter name "LiveIdAuthentication".Any thoughts?

    Post in the Forums of Exchange Server:
    http://social.technet.Microsoft.com/forums/Exchange/en-us/home?category=exchangeserve

  • VPN client and contradictory static NAT entries

    Hello, we have a VPN IPSEC implemented on a router for remote access. It works very well, for the most part. We have also a few PAT static entries to allow access to a web server, etc. from the outside. We deny NATting from the range of IP addresses for the range of VPN client and it works except for entries that also have PAT configurations.

    So, for example, we have web server 10.0.0.1 and a PAT redirection port 10.0.0.1: 80 to the IP WAN port 80. If a VPN client tries to connect to 10.0.0.1: 80, the syn - ack packet back to the customer WAN IP VPN on the router! If the VPN client connects to the RDP server 10.0.0.2:3389, it works very well that this server is not a static entry PAT.

    Is there a way to get around this?

    Thank you!

    There is a way to get around, use the same settings you have for your dynamic nat in your nat staitc entries, something like this:

    Currently, it should show as:

    IP nat inside source static XXXXX XXXX 80 80

    you need to take it

    IP nat inside source static 80 XXXX XXXX 80 map route AAAA

    When your itinerary map YYY refers to something with an acl that you refuse traffic from inside your router for the pool of vpn

    IP Access-list ext nonat

    deny ip 10.0.0.0 0.0.0.255

    Licensing ip 10.0.0.0 0.0.0.255 any

    route allowed AAAA 10 map

    match ip address sheep

    You even need all the static PAT

    HTH

    Ivan

  • Issue of ASA VPN client

    Hello.

    I have a question about a connection between an asa5505-sec-bun-k9 (who acts as easy VPN client) and an EASY VPN server.

    The connection with the easy VPN server is OK, but I can't connect to the internet and create VPN for my ASA5505 connections when I activated the feature.

    Is this a normal phenomenon with Easy VPN active customer?

    Cool

    Please, note useful

  • ASA VPN server and vpn client router 871

    Hi all

    I have ASA 5510 as simple VPN server and 871 router as simple VPN client. I want to have the user ID and permanent password on 871 and not to re - enter username and password since 871 uses dynamic IP address and every time I have to ' cry ipsec client ezvpn xauth "and type user name and password.

    any suggestions would be much appreciated.

    Thank you

    Alex

    Do "crypto ipsec client ezvpn show ' on 871, does say:

    ...

    Save password: refused

    ...

    ezVPN server dictates the client if it can automatically connect with saved password.

    Set "enable password storage" under the group policy on the ASA.

    Kind regards

    Roman

  • Remote VPN client and Telnet to ASA

    Hi guys

    I have an ASA connected to the Cisco 2821 router firewall.

    I have the router ADSL and lease line connected.

    All my traffic for web ports etc. of ADSL ftp and smtp pop3, telnet etc is going to rental online.

    My questions as follows:

    I am unable to telnet to ASA outside Interface although its configuered.

    Unable to connect my remote VPN Client, there is no package debug crypto isakmp, I know that I have a nat that is my before router device my asa, I owe not nat port 4500 and esp more there, but how his confusion.

    I'm ataching configuration.

    Concerning

    It looks like a config issue. Possibly need debug output "debug crypto isa 127".

    You may need remove the command «LOCAL authority-server-group»

    NAT-traversal is enabled by default on the ASA 8.x version. So you don't have to worry about NAT device in the middle.

  • 8.3 (1) ASA Cisco VPN Client and IP Communicator - one-way communication

    Community salvation.

    I have a strange problem with my setup and I'm sure it's either some type of routing (or NAT) or just missing one rule allows traffic. But I'm now at a point where I would like to ask your help.

    I have a few users remote access that have the Cisco IP Communicator (CICC) application installed on their laptops. So:

    The VPN with CPIC user <> ASA Firewall <> router voice <> MAC <> IP phone

    The VPN works fine for all other traffic. The connection of basis for the IP Communicator works well. He get is connected to the CallManager, is shown as registered and you can even call an internal phone and also external phones. BUT: while you can hear the called party (if the phone internal) it does not work for the other direction. There is no sound from the remote/appellant.

    I already understood that it is also not possible to ping from the phone VPN to the internal subnet IP phone. While the VPN user can ping any other device in the network internal, he cannot do for Cisco IP phones. But if the VPN phone calls a phone no-internal (mobile...) - it works!

    My thought is that the call cannot be build up properly between the VPN phone and the internal phone.

    I found similar situations with google, but they are all for the reverse: call for internal works, but not for VPN.

    What do you think?

    Hello

    Usually ASA lists specific to the customer networks VPN Split Tunnel runs.

    This would mean that there is a Split Tunnel ACL used in configurations of the SAA for this VPN connection that needs to have the missing network added to the VPN connection traffic.

    -Jouni

  • Cisco VPN Client and 64-Bit OS Support

    I'm in the stages of planning/testing of migrating users to the Cisco VPN client. Problem that I came across well is that I can't find a version that supports 64-bit operating systems. I looked through the Download Center with no luck. I'm a little more looking for a version out there? Thanks in advance.

    As much as I know there is no 64-bit support and is not yet on the roadmap of IPSEC VPN Client. For more details, see:

    http://www.Cisco.com/en/us/docs/security/ASA/compatibility/ASA-VPN-compatibility.html

    Concerning

    Farrukh

  • Unable to connect to other remote access (ASA) VPN clients

    Hello

    I have a cisco ASA 5510 appliance configured with remote VPN access

    I can connect all hosts on the INSIDE and DMZ network, but not able to access other clients connected to the same VPN.

    For example, if I have 2 clients connected to the VPN, customer and CustomerB, with a pool of vpn IP addresses such as 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.

    Any help is welcome.

    Thanks in advance.

    Hello

    I'm a little rusty on the old format NAT, but would be what I would personally try to configure NAT0 on the 'outer' interface.

    It seems to me that you currently have dynamic PAT configured for the VPN users you have this

    NAT (outside) 1 10.40.170.0 255.255.255.0

    If your traffic is probably corresponding to it.

    The only thing I can think of at the moment would be to configure

    Note of VPN-CLIENT-NAT0-access-list NAT0 for traffic between VPN Clients

    list of access VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0

    NAT (outside) 0-list of access VPN-CLIENT-NAT0

    I don't know if it works. I did not really have to configure it on any ASAs running older software. There was some similar questions here on the forums for the new format.

    -Jouni

  • ASA VPN clients

    I couldn't find the answer to this in google.

    You have to use the anyconnect software or you can use other as openvpn client software to connect to your asa.

    If it is for home, ASAs all equipped with 2 free licenses of AnyConnect Premium.

    You can even set up a VPN SSL without client using those and does not any client software - a simple browser.

    Purchase price for a small number of licenses AnyConnect is very cheap indeed.

    You can use generic third-party clients for IPsec VPN IKEv1 (not for the SSL VPN client-oriented).

  • Between the VPN Client and VPN from Site to Site

    Looking for an example of ASA 8.0 configuration allowing traffic between a Cisco VPN client host and destination of remote access connected via LAN/Site-to-Site tunnel.  The remote access client and the tunnel site-to-site terminate on the same device of the SAA.

    Thanks in advance.

    -Rey

    Hi Rey,

    Here is an example of a config for what you are looking for.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

    I hope this helps.

    PS: This uses GANYMEDE + for authentication, you can replace it with your authentication method.

    Kind regards

    Assia

  • VPN client and redundant peering

    Hello world

    PC user's config with remote access VPN client.

    Tell the client pc has the configuration of the VPN client with backup servers and if ASA primary is the stop will be the secondary question of the new IP address of the client VPN gateway

    address automatically?

    Here the SAA is not in any failover mode.

    Concerning

    The list of backup server is used when establishing a new VPN connection.  If it the customer has an active connection and the VPN server is no longer available then the user will have to re-establish the connection manually.

    --

    Please do not forget to rate and choose a good answer

  • Configure Cisco ASA VPN client

    I did some research and the answers it was supposed to be possible, but no info on how to do it.  I wonder if it is possible to configure a Cisco ASA 5505/10/20 to be a customer to an existing (in this case) cisco vpn client.  The reasons why are complicated (and irrelevant IMO), but basically, I need to be able to make a small network that may be on this vpn rather than on individual computers.

    The vpn client is a Basic IPSec over UDP Cisco VPN to an ASA5505.

    So, how to set up an another ASA to connect to it as if it were a client?

    Hello

    Here is a document from Cisco on the configuration, the easy ASA of VPN server and Client

    Although in this case, they use a PIX firewall as a client.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

    Here's another site with instructions related to this installation program

    http://www.petenetlive.com/kb/article/0000337.htm

    I imagine that the site of Cisco ASA Configuration Guide documents will also give instructions how to configure it.

    -Jouni

  • Have problems with the IPSec VPN Client and several target networks

    I use an ASA 5520 8.2 (4) running.

    My goal is to get a VPN client to access more than one network within the network, for example, I need VPN client IPSec and power establish tcp connections on servers to 192.168.210.x and 10.21.9.x and 10.21.3.x

    I think I'm close to having this resolved, but seems to have a routing problem. Which I think is relevant include:

    Net1: 192.168.210.0/32

    NET2: 10.21.0.0/16

    NET2 has several subnets defined VIRTUAL local network:

    DeviceManagement (vlan91): 10.21.9.0/32

    Servers (vlan31): 10.21.3.0/32

    # See the road

    Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

    D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

    N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

    E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

    i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

    * - candidate by default, U - static route by user, o - ODR

    P periodical downloaded static route

    Gateway of last resort is x.x.x.x network 0.0.0.0

    C 192.168.210.0 255.255.255.0 is directly connected to the inside

    C 216.185.85.92 255.255.255.252 is directly connected to the outside of the

    C 10.21.9.0 255.255.255.0 is directly connected, DeviceManagement

    C 10.21.3.0 255.255.255.0 is directly connected, servers

    S * 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outdoor

    I can communicate freely between all networks from the inside.

    interface GigabitEthernet0/0

    Description * INTERNAL NETWORK *.

    Speed 1000

    full duplex

    nameif inside

    security-level 100

    IP 192.168.210.1 255.255.255.0

    OSPF hello-interval 2

    OSPF dead-interval 7

    !

    interface Redundant1.31

    VLAN 31

    nameif servers

    security-level 100

    IP 10.21.3.1 255.255.255.0

    !

    interface Redundant1.91

    VLAN 91

    nameif DeviceManagement

    security-level 100

    IP 10.21.9.1 255.255.255.0

    permit same-security-traffic inter-interface

    NO_NAT list of allowed ip extended access all 172.31.255.0 255.255.255.0

    IP local pool vpnpool 172.31.255.1 - 172.31.255.254 mask 255.255.255.0

    Overall 101 (external) interface

    NAT (inside) 0-list of access NO_NAT

    NAT (inside) 101 192.168.210.0 255.255.255.0

    NAT (servers) 101 10.21.3.0 255.255.255.0

    NAT (DeviceManagement) 101 10.21.9.0 255.255.255.0

    static (inside, DeviceManagement) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

    static (inside, servers) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

    static (servers, upside down) 10.21.3.0 10.21.3.0 netmask 255.255.255.0

    static (DeviceManagement, upside down) 10.21.9.0 10.21.9.0 netmask 255.255.255.0

    access list IN LAN extended permitted tcp 192.168.210.0 255.255.255.0 any

    access list IN LAN extended permit udp 192.168.210.0 255.255.255.0 any

    LAN-IN scope ip 192.168.210.0 access list allow 255.255.255.0 any

    LAN-IN extended access list allow icmp 192.168.210.0 255.255.255.0 any

    access list IN LAN extended permitted tcp 10.21.0.0 255.255.0.0 any

    access list IN LAN extended permitted udp 10.21.0.0 255.255.0.0 any

    LAN-IN scope 10.21.0.0 ip access list allow 255.255.0.0 any

    LAN-IN extended access list allow icmp 10.21.0.0 255.255.0.0 any

    standard access list permits 192.168.210.0 SPLIT-TUNNEL 255.255.255.0

    standard access list permits 10.21.0.0 SPLIT-TUNNEL 255.255.0.0

    group-access LAN-IN in the interface inside

    internal VPNUSERS group policy

    attributes of the VPNUSERS group policy

    value of server DNS 216.185.64.6

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value of SPLIT TUNNEL

    field default value internal - Network.com

    type VPNUSERS tunnel-group remote access

    tunnel-group VPNUSERS General attributes

    address vpnpool pool

    strategy-group-by default VPNUSERS

    tunnel-group VPNUSERS ipsec-attributes

    pre-shared key *.

    When a user establishes a VPN connection, their local routing tables have routes through the tunnel to the 10.21.0.0/16 and the 192.168.210.0/32.

    They are only able to communicate with the network 192.168.210.0/32, however.

    I tried to add the following, but it does not help:

    router ospf 1000

    router ID - 192.168.210.1

    Network 10.21.0.0 255.255.0.0 area 1

    network 192.168.210.0 255.255.255.252 area 0

    area 1

    Can anyone help me please with this problem? There could be a bunch of superfluous things here, and if you could show me, too, I'd be very happy. If you need more information on the config, I'll be happy to provide.

    Hello Kenneth,

    Based on the appliance's routing table, I can see the following

    C 10.21.9.0 255.255.255.0 is directly connected, DeviceManagement

    C 10.21.3.0 255.255.255.0 is directly connected, servers

    C 192.168.210.0 255.255.255.0 is directly connected to the inside

    And you try to connect to the 3 of them.

    Politics of Split tunnel is very good, the VPN configuration is fine

    The problem is here

    NO_NAT list of allowed ip extended access all 172.31.255.0 255.255.255.0

    NAT (inside) 0-list of access NO_NAT

    Dude, you point to just inside interface and 2 other subnets are on the device management interface and the interface of servers... That is the question

    Now how to solve

    NO_NAT ip 192.168.210.0 access list allow 255.255.255.0 172.31.255.0 255.255.255.0

    no access list NO_NAT extended permits all ip 172.31.255.0 255.255.255.0

    NO_NAT_SERVERS ip 10.21.3.0 access list allow 255.255.255.0 172.31.255.0 255.255.255.0

    NAT (SERVERS) 0 ACCESS-LIST NO_NAT_SERVERS

    Permit access-list no.-NAT_DEVICEMANAGMENT ip 10.21.9.0 255.255.255.0 172.31.255.0 255.255.255.0

    NAT (deviceManagment) 0-no.-NAT_DEVICEMANAGMENT access list

    Any other questions... Sure... Be sure to note all my answers.

    Julio

Maybe you are looking for

  • yafd:tabs

    When I open the new tab, it opens me a yafd:tabs how can I change the standart on: newtab

  • How firefox can load a full page of a Facebook game instead of half page?

    When I play zynga Facebook games (mafia wars), the page will appear completely. It starts normally, but the game will not show completely even if I scroll down, it would still be incomplete.

  • Satellite L300 - external screen works fine until the Windows login

    Hello world I am trying to use an external display with my Toshiba Satellite L300 and it works up until I have to Log in Windows (or in Ubuntu just had the same problem). At this point, the laptop does not seem to recognize the external display more

  • Comments from customers

    Hello I don't really like El Capitan. Maybe everyone there thinks its great. I don't care. A number of my useful apps does not work without disabling "SIP", which I can't do. I'd just as soon responsible for my own safety without going through someon

  • 1000 HP: hp 1000

    my book of 1000 hp can no longer see the hard drive. I can replace it, but someone can help me with the software original Windows 7 regestered as he came upon a partision and now lost. Thank you Paul