ASA VPN client certificate authentication
Hi all
We finished our from the ASA Firewall VPN client. Is it possible to authenticate users with certificate. Certificate itself being our ASA server.
Our requirement is to have:-user must use one laptop company provided for the VPN connection. I think it's possible with certificate OmniPass. Y at - it another way to have this control.
Thank you
-John
Hi John,.
It is indeed possible to authenticate your users to VPN client with certificates and it will prevent guests who do not have the certificate installed on their computer to connect.
In the subject to use the ASA CA Local, I advise you to use only if you have Anyconnect client and not the classic IPSEC client.
The local ASA CA has been implemented for use for WebVPN and Anyconnect sessions only so I advise you to use an external CA if your customer is the IPSEC one.
Kind regards
Nicolas
Tags: Cisco Security
Similar Questions
-
The VPN client user authentication
When users connect to our network remotely via VPN user name field is already filled with the last person who logged. I know that they just delete the username and enter their own, but is there a way the client can be configured to where the username field will be always empty for all those who want access to the network via VPN? We have an ASA 5510 with version 7.0 (8) and a windows 2003 with IAS server for windows authentication. Thank you!
Hello
In FCP, you can configure a single line is not editable by the user (or the vpn client).
Simply insert an attack! Like this
! Username =
! SaveUserPassword = 0
! UserPassword =
! enc_UserPassword =
Subsequently the vpn client will not save registrations for these settings more.
-
Hello world
I would like to ask for help in order to correct a customer vpn tunnel. I'm not familiar with the AAS, so please do not laugh if I write something stupid
So I inherit one asa, which has two interface used physical and vlan more. Outdoors, office, management and management. I use my computer on the vlan management, and I can reach the computers on the desktop (192.168.12.0/24) and the branch (192.168.10.0/24). I would realize that I connect to thrught houses a vpn, and I should reach the 12.x and 10.x network as I was in these networks (due to the microsoft allowed wirewall to the local network traffic).
I inherited a vpn configuration which I added my user.
I'm trying to cite only the relevant portion of config:
SSH 192.168.99.0 255.255.255.0 management
access extensive list ip 192.168.99.0 nonat_management allow 255.255.255.0 192.168.99.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0IP local pool ippool 192.168.99.100 - 192.168.99.200
NAT-control
Global 1 interface (outside)NAT (management) - access list 0 nonat_management
nat_management_office list of access 5 NAT (management)
nat_management_branch list of Access 10 NAT (management)192.168.99.50 management - dhcpd addresses 192.168.99.79
enable dhcpd managementL2TP strategy of Group internal
monty password username * == encrypted nt
monty username attributes
Protocol-tunnel-VPN l2tp ipsec
VPN-framed-ip-address 192.168.99.99 255.255.255.0
attributes global-tunnel-group DefaultRAGroup
ippool address pool
Group Policy - by default-l2tp
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authenticationI quote the encryption settings, because I can connect to asa, I think that I have problems with the nat or access rules.
I have an ip local pool 192.168.99.100 - 192.168.99.200, but I have the fixed ip with the vpn-framed-ip-address 192.168.99.99 255.255.255.0
Happened when I connect and try to reach the following computers:
I can reach only a freenas 192.168.12.2, and I see in his journal that I have connected with 192.168.99.99 (vpn-framed-ip-address)
I can't reach the computers on networks, however I have two nat rules, working when I'm in the office network 99.0
access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0It seems that these two nat rules do not work with my vpn client.
And it is very important to arrive at the asa with ssh through the tunnel, but I can't.
I don't know if that is the ip address of the vpn client is in the management network, perhaps one should change to another network:
for example 192.168.95.0/24
A vpn asa for Dummies or any help is appreciated.
Thank you very much
Hi Chris,
The following should help:
access-list allowed 192.168.12.0 nonat_office 255.255.255.0 192.168.90.0 255.255.255.0
In this way, returning office subnet pool VPN traffic is exempt from nat. And so you will not get the failure of RPF checking.
In addition, you must change this:
nat_vpn_office to access extended list ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0
(incoming traffic on the VPN remote access would come from the VPN pool.) Not your home network.)
You must have:
No nat_vpn_office access list extended ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0
access extensive list ip 192.168.90.0 nat_vpn_office allow 255.255.255.0 192.168.12.0 255.255.255.0
NAT (outside) 5 nat_vpn_office list of outdoor access
Hope this helps, and sorry for the delay.
-Shrikant
P.S.: Please check the question as answered if it was resolved. Do rates all useful messages. Thank you.
-
Unable to connect to other remote access (ASA) VPN clients
Hello
I have a cisco ASA 5510 appliance configured with remote VPN access
I can connect all hosts on the INSIDE and DMZ network, but not able to access other clients connected to the same VPN.
For example, if I have 2 clients connected to the VPN, customer and CustomerB, with a pool of vpn IP addresses such as 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.
Any help is welcome.
Thanks in advance.
Hello
I'm a little rusty on the old format NAT, but would be what I would personally try to configure NAT0 on the 'outer' interface.
It seems to me that you currently have dynamic PAT configured for the VPN users you have this
NAT (outside) 1 10.40.170.0 255.255.255.0
If your traffic is probably corresponding to it.
The only thing I can think of at the moment would be to configure
Note of VPN-CLIENT-NAT0-access-list NAT0 for traffic between VPN Clients
list of access VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0
NAT (outside) 0-list of access VPN-CLIENT-NAT0
I don't know if it works. I did not really have to configure it on any ASAs running older software. There was some similar questions here on the forums for the new format.
-Jouni
-
Client certificate authentication and proxy HTTPS WSA
Hello
on a clients site, we have a virtual Proxy WSA with WCCP running behind a firewall of ASA. Only we are facing a problem: the customer has a site that authenticates the client through the certificate. It does not work. If I dasable the transparent proxy for this host, everything works fine.
I solved it now bypassing the proxy server for the spicific site. Is there another solution to allow clients to authenticate using certificates to a Web site?
Hello
Does it means that websites (some sites) request for client certificate to authenticate during the SSL negotiation?
If this is true, can you check your option since default CLI interface HTTPS when HTTPS servers request certificate of the client during the handshake, WSA will respond with unavailable certificate and the handshake will normally be breaks.
To check this:
1. log in to the CLI
2. control of type advancedproxyconfig
3. type HTTPS
4. keep pressing enter to accept the value by default until you reach "measures to be taken when the HTTPS servers request certificate of the client during the handshake:" and change it to "get through the operation.5. keep pressing enter until the initial scope guest
6. type commit to save the change. -
I couldn't find the answer to this in google.
You have to use the anyconnect software or you can use other as openvpn client software to connect to your asa.
If it is for home, ASAs all equipped with 2 free licenses of AnyConnect Premium.
You can even set up a VPN SSL without client using those and does not any client software - a simple browser.
Purchase price for a small number of licenses AnyConnect is very cheap indeed.
You can use generic third-party clients for IPsec VPN IKEv1 (not for the SSL VPN client-oriented).
-
Assign the static IP address by ISE, ASA VPN clients
We will integrate the remote access ASA VPN service with a new 1.2 ISE.
Authentication is performed in Active directory. After authentication, can address assigned to a specific user of VPN by ISE IP?
This means that the same VPN user will always get the same IP address. Thank you.
Daniel,
You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.
However if I may make a suggestion:
Unless you have only a handful of users to do so, it may be appropriate to assign the address of ISE pool or perform the mapping of LDAP attributes on ASA itself.
In the latter case, the IP addresses are kept on the server as LDAP attributes and ASA will map the IP address. You don't want to keep address IP DB in several places.
M.
-
Configure Cisco ASA VPN client
I did some research and the answers it was supposed to be possible, but no info on how to do it. I wonder if it is possible to configure a Cisco ASA 5505/10/20 to be a customer to an existing (in this case) cisco vpn client. The reasons why are complicated (and irrelevant IMO), but basically, I need to be able to make a small network that may be on this vpn rather than on individual computers.
The vpn client is a Basic IPSec over UDP Cisco VPN to an ASA5505.
So, how to set up an another ASA to connect to it as if it were a client?
Hello
Here is a document from Cisco on the configuration, the easy ASA of VPN server and Client
Although in this case, they use a PIX firewall as a client.
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805c5ad9.shtml
Here's another site with instructions related to this installation program
http://www.petenetlive.com/kb/article/0000337.htm
I imagine that the site of Cisco ASA Configuration Guide documents will also give instructions how to configure it.
-Jouni
-
ASA VPN client and OWA Exchange/2013
Hi all... quick question ASA...
Does anyone know the status of support for OWA Exchange 2013 and the ASA webvpn client access?
I know that the ASA has a model for 2010... It works with 2013? Is there is the 2013 model in the pipeline for the ASA?
Thank you!
Hi Paul,.
There is an improvement (CSCul27869) that opens to Exchange 2013 be supported with ASA.
CSCul27869
It is an enhancement request to add support for OWA 2013 with webvpn.
https://Tools.Cisco.com/bugsearch/bug/CSCul27869/?reffering_site=dumpcrKind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Hello.
I have a question about a connection between an asa5505-sec-bun-k9 (who acts as easy VPN client) and an EASY VPN server.
The connection with the easy VPN server is OK, but I can't connect to the internet and create VPN for my ASA5505 connections when I activated the feature.
Is this a normal phenomenon with Easy VPN active customer?
Cool
Please, note useful
-
Hello
as described in the title one want to connect with AnyConnect Secure Mobility Client 3.0.2052 ASA 5540 Version 8.4 and licence Premium SSL.
Customers using Maschine certificate to authenticate to ASA. It works very well.
Now, I want to install a DAP to check the customer against the Microsoft AD using LDAP. I have configured the LDAP server in see ASA:
AAA-Server LDAP protocol ldap AAA-Server LDAP (inside) host ldap.com LDAP-base-dn DC = x DC = x, DC = x DC = com LDAP-scope subtree LDAP-login-password *. LDAP-connection-dn *. microsoft server type I see that it works if I test via the testbotton server in ASDM and I also see in CLI "debugging ldap 255". But if I configure in DAP: AAA attribute ID:memberOf = Membre_domaine I can't see any request to the LDAP server as I try to connect with the Client und does not correspond to the DAP.
No idea where the problem lies?
Thanks in advance
Hi Klaus,
DAP will not make any call LDAP itself, it will only act based on the attributes received LDAP via the LDAP authentication or authorization.
So you will need to enable the LDAP authorization in the tunnel - or connect to groups.
Once you have, you can either use DAP or a map attribute LDAP for accept/deny access, see the example of these two methods.
HTH
Herbert
-
I'm after abit of consultation.
I have an ASA 5510 in my hub, static public IP address.
Then I have an ASA 5505 like my talk, with a dynamic IP address.
I used a dynamic encryption with PSK card and everything seems functional.
One of my concerns are that I was forced to use aggressive mode to make it work. I am well aware of the security risks.
I seek to use certificates in read in aggressive mode.
If I use an internal Windows certificate authority, what will happen with the revocations.
If my trying to connect but cannot check Revocation because the server is internal to the VPN will connect?
Also can I put my certifcates to be valid for a long time, for example ten years so that I don't have to worry about certificates expireing?
Answer online
If I use an internal Windows certificate authority, what will happen with the revocations.
< if="" you="" enable="" revocation="" check,="" you="" have="" to="" make="" your="" internal="" server="" accessiable="" to="" the="" remote="">
Otherwise you can disable revocation checking.
If my trying to connect but cannot check Revocation because the server is internal to the VPN will connect?
Also can I put my certifcates to be valid for a long time, for example ten years so that I don't have to worry about certificates expireing?
< it="" is="" controled="" by="" ca="" server="" which="" issue="" the="" certificate="" to="">
-
Authentication IPsec VPN Client using the digital certificate
Hello
Please I need some clarification and help to set up my ASA 5540 with IOS 8.3 x for client certificate authentication remote.
I have my certificate root from the Microsoft CA, but not quite sure if the steps described in the following cisco Web sites are exactly what I need since the firewall seems to generate the certificate to use.
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080930f21.shtml
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008073b12b.shtml
My setup is such that the CA will issue certificates to remote clients and the ASA firewall, and remote clients will authenticate and connect with their certificates which the firewall is constantly updating using the Revocation list updated by the certification authority.
The dhcp pool must be issued by the DC inside network and not on the firewall.
Are there any examples or best practices to achieve steps will be really appreciated.
Thank you
Hi Josh,.
Let me explain briefly how Auth PKI:
In a public key infrastructure configuration, devices trust not each other directly, but they have a certification authority, which is the one who issues the certificate. We call this root CA (there may be a more complex configuration WHERE intermediate are involved, but that's another story). So when the root CA issues a certificate, he signs it with its private key. To be able to verify this signature, we should have the CA public key, which is included with the certification authority.
So for certificate authentication, you must create a trustpoint, that defines the parameters of the root certification authority.
Then you will authenticate this trustpoint, which basically means that you will get the certificate of the root CA and store locally.
After that, you sign up to this CA, which means that you will ask for (and get) your own certificate.
Other users will do the same and have the same root CA Cert, but different personal (identity) certificates.
So what happens on authentication is that both ends send their certificate to the other, and they will use the public key contained in the root CA to validate the signature of the certificate received from the remote peer. If the signature is correct, this means that the certificate authority root actually issued the certificate, and this remote peer can be trusted (or not)
Hope this is clear.
-
Ensure the mobility Client Certificate Problem | CEP-transfer-url
Hi all
I'm having a problem CEP configuration for my secure mobilty client. I created a connection profile to allow the certificate requests, but when I fill in the url-forwarding-CEP I get an error.
The certification authority we use is an internal MS CA with PEIE already active. It has been configured for a long time with our current Cisco VPN client using authentication certificate. The ASA is running 8.4.1.
Here is the error I get when I try to enter the command in the associated group policy to my registration certificate connection profile:
SSLGP group policy attributes
value of CEP-transfer-url http://10.1.1.2/certsrv/mscep/mscep.dll
Attempts to retrieve the certificates of AC/AE by using the URL. Please wait...
Received 3 certificates of AC/AE by using the URL of the CEP.
NON-RESIDENT CERT: serial: 11111111000100000145, subject: cn = SCEP_ADD_ON, o = OUNIT, c = UK
NON-RESIDENT CERT: serial: 11111111000100000146, subject: cn = SCEP_ADD_ON, o = OUNIT, c = UK
NON-RESIDENT CERT: serial: 11111111478AAB288393FAFf2a3E274, subject: cn = CERTSVR-01
ATTENTION: Please check if you have all the required certificates in the config to authenticate the certificates that will be issued using this URL CEP
Can someone explain why this happens, because it will not take the config?
Thanks in advance.
Ian
Hi Ian,
in case you are still having problems with this (I think the question is one week): it seems that the ASA asking you first create a trustpoint (in your case in fact 3 can be required, one for each CA certificate) and import is the CA cert.
HTH
Herbert
-
Terminating the VPN client on 871W
Hello
I tried to install EasyVPN on a cisco 871W by SDM. The goal is to finish the VPN client with authentication with an external RADIUS/advertising (on a local subnet). I implemented the IAS on a win2003 Server advertising and checked the accounts.
SDM was missing the 'crypto map' piece of config. After you add this in the CLI it still didn't work. Thus, EasyVPN is not as easy at is sounds...
Could someone with some knowledge of VPN and IPsec and so forth please look at this config? Maybe it gives me an idea of what I did wrong (which, without a doubt, must be the case).
Thank you
Erik
==
AAA new-model
!
AAA rad_eap radius server group
auth-port 1645 10.128.7.5 Server acct-port 1646
!
AAA rad_mac radius server group
!
AAA rad_acct radius server group
!
AAA rad_admin radius server group
!
AAA server Ganymede group + tac_admin
!
AAA rad_pmip radius server group
!
RADIUS server AAA dummy group
!
AAA authentication login default local
AAA authentication login eap_methods group rad_eap
AAA authentication login mac_methods local
AAA authentication login sdm_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization ipmobile default group rad_pmip
AAA authorization sdm_vpn_group_ml_1 LAN
AAA accounting network acct_methods
action-type market / stop
Group rad_acct
!
!
!
AAA - the id of the joint session
clock timezone MET 1
clock to DST DST PUTS recurring last Sun Mar 02:00 last Sun Oct 02:00
!
Crypto pki trustpoint TP-self-signed-1278336536
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1278336536
revocation checking no
rsakeypair TP-self-signed-1278336536
!
!
TP-self-signed-1278336536 crypto pki certificate chain
certificate self-signed 01
3082024A 308201B 3 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31323738 33333635 6174652D 3336301E 170 3039 31303237 32313237
32395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 32373833 65642D
33363533 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
81008B 56 5902F5DF FCE1A56E 3A63350E 45956514 1767EF73 FEC6CD16 7E982A82
B0AF8546 ABB3D35A B7C3A7E3 3ACCB34A 8B655C97 F103DBD5 9AAEFEFC 37A 02103
4EFC398B 0C8B6BE5 AD3E568E 6CB69F87 CBCA0785 EAED0A28 726F2F0A B0B0453E
32E6B3B7 861F87FA 222197DD 3410D8A9 35939E9B CBF95F20 B8DA6ADE BF460F5C
BF8F0203 010001A 3 72307030 130101 1 FF040530 030101FF 301D 0603 0F060355
551 1104 16301482 12444341 4E495430 302E6361 6E2D6974 2E657530 1F060355
1 230418 30168014 84C9223E 661B2EB4 5BAB0B0E 1BE3A27A 64B3AEB0 301D 0603
551D0E04 16041484 C9111E66 1B2EB45B AB0B0E1B E3A27A64 B3AEB030 0D06092A
010104 05000381 8693B 599 70EC1F1A D2995276 F3E4AF9D 81002F4A 0D 864886F7
17E3583A 46C749F9 38743E6F F5E60478 5B9B5091 E944C689 7BA6DCA2 94D2FBD3
AFDE4500 A0A3644E 603A852D 55ED7A87 93501D5C 1662DAED 3FFFEC5A F1C38ED4
E0787561 BA5C14A3 6D065FCF 7DBDEBB6 9186C2D9 AA253FBF A9E38BC3 342C3AC9
2BEF6821 E4C50277 493AD5B6 2AFE
quit smoking
dot11 syslog
!
IP source-route
!
!
DHCP excluded-address IP 10.128.1.250 10.128.1.254
DHCP excluded-address IP 10.128.150.250 10.128.150.254
DHCP excluded-address IP 10.128.7.0 10.128.7.100
DHCP excluded-address IP 10.128.7.250 10.128.7.254
!
pool IP dhcp VLAN30-COMMENTS
import all
Network 10.128.1.0 255.255.255.0
router by default - 10.128.1.254
10.128.7.5 DNS server
-10.128.7.5 NetBIOS name server
aaa.com domain name
4 rental
!
IP dhcp VLAN20-STAFF pool
import all
Network 10.128.150.0 255.255.255.0
router by default - 10.128.150.254
10.128.7.5 DNS server
-10.128.7.5 NetBIOS name server
aaa.com domain name
4 rental
!
IP dhcp SERVERS VLAN10 pool
import all
Network 10.128.7.0 255.255.255.0
router by default - 10.128.7.254
10.128.7.5 DNS server
-10.128.7.5 NetBIOS name server
aaa.com domain name
4 rental
!
!
IP cef
no ip domain search
IP domain name aaa.com
inspect the tcp IP MYFW name
inspect the IP udp MYFW name
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
VPDN enable
!
!
!
username privilege 15 secret 5 xxxx xxxx
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group vpn
key xxxx
pool SDM_POOL_1
netmask 255.255.255.0
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
market arriere-route
!
!
card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
client configuration address map SDM_CMAP_1 crypto answer
map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
!
Crypto ctcp port 10000
Archives
The config log
hidekeys
!
!
!
Bridge IRB
!
!
interface Loopback0
10.128.201.1 the IP 255.255.255.255
map SDM_CMAP_1 crypto
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 20
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 30
!
interface FastEthernet4
no ip address
Speed 100
full-duplex
PPPoE enable global group
PPPoE-client dial-pool-number 1
No cdp enable
!
interface Dot11Radio0
no ip address
Shutdown
No dot11 extensions aironet
!
interface Vlan1
address IP AAA. BBB. CCC.177 255.255.255.240
no ip redirection
no ip proxy-arp
NAT outside IP
no ip virtual-reassembly
No autostate
Hold-queue 100 on
!
interface Vlan10
SERVER description
no ip address
IP nat inside
no ip virtual-reassembly
No autostate
Bridge-group 10
Bridge-group of 10 disabled spanning
!
interface Vlan20
Description of the STAFF
no ip address
IP nat inside
no ip virtual-reassembly
No autostate
Bridge-group 20
Bridge-group 20 covering people with reduced mobility
!
Vlan30 interface
Description COMMENTS
no ip address
IP nat inside
no ip virtual-reassembly
No autostate
Bridge-group 30
Bridge-group 30 covering people with reduced mobility
!
interface Dialer1
MTU 1492
IP unnumbered Vlan1
no ip redirection
no ip proxy-arp
NAT outside IP
inspect the MYFW over IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 1
PPP authentication pap callin
PPP pap sent-name of user password 7 xxxx xxxxx
!
interface BVI10
Description the server network bridge
IP 10.128.7.254 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface BVI20
Description personal network bridge
IP 10.128.150.254 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface BVI30
Bridge network invited description
IP 10.128.1.254 255.255.255.0
IP access-group Guest-ACL in
IP nat inside
IP virtual-reassembly
!
pool of local SDM_POOL_1 192.168.2.1 IP 192.168.2.100
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer1
IP http server
access-class 2 IP http
local IP http authentication
IP http secure server
IP http secure ciphersuite 3des-ede-cbc-sha
IP http secure-client-auth
IP http timeout policy slowed down 60 life 86400 request 10000
!
!
overload of IP nat inside source list 101 interface Vlan1
IP nat inside source static tcp 10.128.7.1 25 AAA. BBB. Expandable 25 CCC.178
IP nat inside source static tcp 10.128.7.1 80 AAA. BBB. CCC.178 extensible 80
IP nat inside source static tcp 10.128.7.1 443 AAA. BBB. CCC.178 extensible 443
IP nat inside source static tcp 10.128.7.1 8333 AAA. BBB. CCC.178 extensible 8333
IP nat inside source static tcp 10.128.7.2 25 AAA. BBB. Expandable 25 CCC.179
IP nat inside source static tcp 10.128.7.2 80 AAA. BBB. CCC.179 extensible 80
IP nat inside source static tcp 10.128.7.2 443 AAA. BBB. CCC.179 extensible 443
IP nat inside source static tcp 10.128.7.2 8333 AAA. BBB. CCC.179 extensible 8333
IP nat inside source static tcp 10.128.7.3 25 AAA. BBB. Expandable 25 CCC.180
IP nat inside source static tcp 10.128.7.3 80 AAA. BBB. CCC.180 extensible 80
IP nat inside source static tcp 10.128.7.3 443 AAA. BBB. CCC.180 extensible 443
IP nat inside source static tcp 10.128.7.3 8333 AAA. BBB. CCC.180 extensible 8333
IP nat inside source static tcp 10.128.7.4 25 AAA. BBB. Expandable 25 CCC.181
IP nat inside source static tcp 10.128.7.4 80 AAA. BBB. CCC.181 extensible 80
IP nat inside source static tcp 10.128.7.4 443 AAA. BBB. CCC.181 extensible 443
IP nat inside source static tcp 10.128.7.4 8333 AAA. BBB. CCC.181 extensible 8333
IP nat inside source static tcp 10.128.7.5 25 AAA. BBB. Expandable 25 CCC.182
IP nat inside source static tcp 10.128.7.5 80 AAA. BBB. CCC.182 extensible 80
IP nat inside source static tcp 10.128.7.5 443 AAA. BBB. CCC.182 extensible 443
IP nat inside source static tcp 10.128.7.5 8333 AAA. BBB. CCC.182 extensible 8333
IP nat inside source static tcp 10.128.7.6 25 AAA. BBB. Expandable 25 CCC.183
IP nat inside source static tcp 10.128.7.6 80 AAA. BBB. CCC.183 extensible 80
IP nat inside source static tcp 10.128.7.6 443 AAA. BBB. CCC.183 extensible 443
IP nat inside source static tcp 10.128.7.6 8333 AAA. BBB. CCC.183 extensible 8333
IP nat inside source static tcp 10.128.7.7 25 AAA. BBB. Expandable 25 CCC.184
IP nat inside source static tcp 10.128.7.7 80 AAA. BBB. CCC.184 extensible 80
IP nat inside source static tcp 10.128.7.7 443 AAA. BBB. CCC.184 extensible 443
IP nat inside source static tcp 10.128.7.7 8333 AAA. BBB. CCC.184 extensible 8333
IP nat inside source static tcp 10.128.7.8 25 AAA. BBB. Expandable 25 CCC.185
IP nat inside source static tcp 10.128.7.8 80 AAA. BBB. CCC.185 extensible 80
IP nat inside source static tcp 10.128.7.8 443 AAA. BBB. CCC.185 extensible 443
IP nat inside source static tcp 10.128.7.8 8333 AAA. BBB. CCC.185 extensible 8333
IP nat inside source static tcp 10.128.7.9 25 AAA. BBB. Expandable 25 CCC.186
IP nat inside source static tcp 10.128.7.9 80 AAA. BBB. CCC.186 extensible 80
IP nat inside source static tcp 10.128.7.9 443 AAA. BBB. CCC.186 extensible 443
IP nat inside source static tcp 10.128.7.9 8333 AAA. BBB. CCC.186 extensible 8333
IP nat inside source static tcp 10.128.7.10 25 AAA. BBB. Expandable 25 CCC.187
IP nat inside source static tcp 10.128.7.10 80 AAA. BBB. CCC.187 extensible 80
IP nat inside source static tcp 10.128.7.10 443 AAA. BBB. CCC.187 extensible 443
IP nat inside source static tcp 10.128.7.10 8333 AAA. BBB. CCC.187 extensible 8333
IP nat inside source static tcp 10.128.7.11 25 AAA. BBB. Expandable 25 CCC.188
IP nat inside source static tcp 10.128.7.11 80 AAA. BBB. CCC.188 extensible 80
IP nat inside source static tcp 10.128.7.11 443 AAA. BBB. CCC.188 extensible 443
IP nat inside source static tcp 10.128.7.11 8333 AAA. BBB. CCC.188 extensible 8333
IP nat inside source static tcp 10.128.7.12 25 AAA. BBB. Expandable 25 CCC.189
IP nat inside source static tcp 10.128.7.12 80 AAA. BBB. CCC.189 extensible 80
IP nat inside source static tcp 10.128.7.12 443 AAA. BBB. CCC.189 extensible 443
IP nat inside source static tcp 10.128.7.12 8333 AAA. BBB. CCC.189 extensible 8333
!
Guest-ACL extended IP access list
deny ip any 10.128.7.0 0.0.0.255
deny ip any 10.128.150.0 0.0.0.255
allow an ip
IP Internet traffic inbound-ACL extended access list
allow udp any eq bootps any eq bootpc
permit any any icmp echo
permit any any icmp echo response
permit icmp any any traceroute
allow a gre
allow an esp
!
access-list 1 permit 10.128.7.0 0.0.0.255
access-list 1 permit 10.128.150.0 0.0.0.255
access-list 1 permit 10.128.1.0 0.0.0.255
access-list 2 allow 10.0.0.0 0.255.255.255
access-list 2 refuse any
access-list 101 permit ip 10.128.7.0 0.0.0.255 any
access-list 101 permit ip 10.128.150.0 0.0.0.255 any
access-list 101 permit ip 10.128.1.0 0.0.0.255 any
Dialer-list 1 ip Protocol 1
!
!
!
!
format of server RADIUS attribute 32 include-in-access-req hour
RADIUS-server host 10.128.7.5 auth-port 1645 acct-port 1646 borders 7 xxxxx
RADIUS vsa server send accounting
!
control plan
!
IP route 10 bridge
IP road bridge 20
IP road bridge 30
Banner motd ^.
Unauthorized access prohibited. *
All access attempts are logged! ***************^
!
Line con 0
password 7 xxxx
no activation of the modem
line to 0
line vty 0 4
access-class 2
privilege level 15
transport input telnet ssh
!
max-task-time 5000 Planner
AAA.BBB.CCC.ddd NTP server
endErik,
The address pool you are talking about is to assign to the customer or the public router interface? If you want to set up your vpn client software point a full domain name instead of an IP address that you can do it too long you can ensure the use of the name is resolved by a DNS SERVER.
The range of addresses that you can be asigned to your Dialer interface will depend on your ISP.
-Butterfly
Maybe you are looking for
-
Satellite L755 - 1 CG cannot find the correct drivers
I bought a toshiba Satellite L755 - 1 CG today.I installed windows 7 Home premium x 32, but I can't find the drivers anywhere appropriate. Could you please help me?
-
6 D &; EOS Utility matching
Anyone successful with this? It seems to pair with the computer, but not with EOS Utility. I cycles then EOS Utility "Target not found connection" during opening and closing. In addition: I deleted all the settings twice and entered the key correctly
-
I can't scroll down a whole page on facebook, I can see about 10 posts then the page stops... Also, I can't open links or if it says 'see more' I can't open it... I can help on my cell phone, but not my... counter top!
-
Windows XP Disk Defragmenter does not work
I can't get my windows Defragmenter to work... When I click on the analysis / defragment buttons, it does nothing... Anyone know what I can do to solve my problem?
-
LTO-5 maximum goes up / loads tape media
Hello We currently use a tape library with HP LTO - 5 Ultrium tapes. Over the past five years, we have LTO - 5 tape with many media, (up to 15000) and I wonder if the mounts of a LTO-5 tape jeopardizes data integrity. What I'm asking is if the LTO-5