ASA VPN client certificate authentication

Hi all

We finished our from the ASA Firewall VPN client. Is it possible to authenticate users with certificate. Certificate itself being our ASA server.

Our requirement is to have:-user must use one laptop company provided for the VPN connection. I think it's possible with certificate OmniPass. Y at - it another way to have this control.

Thank you

-John

Hi John,.

It is indeed possible to authenticate your users to VPN client with certificates and it will prevent guests who do not have the certificate installed on their computer to connect.

In the subject to use the ASA CA Local, I advise you to use only if you have Anyconnect client and not the classic IPSEC client.

The local ASA CA has been implemented for use for WebVPN and Anyconnect sessions only so I advise you to use an external CA if your customer is the IPSEC one.

Kind regards

Nicolas

Tags: Cisco Security

Similar Questions

  • The VPN client user authentication

    When users connect to our network remotely via VPN user name field is already filled with the last person who logged. I know that they just delete the username and enter their own, but is there a way the client can be configured to where the username field will be always empty for all those who want access to the network via VPN? We have an ASA 5510 with version 7.0 (8) and a windows 2003 with IAS server for windows authentication. Thank you!

    Hello

    In FCP, you can configure a single line is not editable by the user (or the vpn client).

    Simply insert an attack! Like this

    ! Username =

    ! SaveUserPassword = 0

    ! UserPassword =

    ! enc_UserPassword =

    Subsequently the vpn client will not save registrations for these settings more.

  • ASA vpn client

    Hello world

    I would like to ask for help in order to correct a customer vpn tunnel. I'm not familiar with the AAS, so please do not laugh if I write something stupid

    So I inherit one asa, which has two interface used physical and vlan more. Outdoors, office, management and management. I use my computer on the vlan management, and I can reach the computers on the desktop (192.168.12.0/24) and the branch (192.168.10.0/24). I would realize that I connect to thrught houses a vpn, and I should reach the 12.x and 10.x network as I was in these networks (due to the microsoft allowed wirewall to the local network traffic).

    I inherited a vpn configuration which I added my user.

    I'm trying to cite only the relevant portion of config:

    SSH 192.168.99.0 255.255.255.0 management

    access extensive list ip 192.168.99.0 nonat_management allow 255.255.255.0 192.168.99.0 255.255.255.0

    access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
    access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0

    IP local pool ippool 192.168.99.100 - 192.168.99.200

    NAT-control
    Global 1 interface (outside)

    NAT (management) - access list 0 nonat_management
    nat_management_office list of access 5 NAT (management)
    nat_management_branch list of Access 10 NAT (management)

    192.168.99.50 management - dhcpd addresses 192.168.99.79
    enable dhcpd management

    L2TP strategy of Group internal
    monty password username * == encrypted nt
    monty username attributes
    Protocol-tunnel-VPN l2tp ipsec
    VPN-framed-ip-address 192.168.99.99 255.255.255.0
    attributes global-tunnel-group DefaultRAGroup
    ippool address pool
    Group Policy - by default-l2tp
    IPSec-attributes tunnel-group DefaultRAGroup
    pre-shared key *.
    tunnel-group DefaultRAGroup ppp-attributes
    ms-chap-v2 authentication

    I quote the encryption settings, because I can connect to asa, I think that I have problems with the nat or access rules.

    I have an ip local pool 192.168.99.100 - 192.168.99.200, but I have the fixed ip with the vpn-framed-ip-address 192.168.99.99 255.255.255.0

    Happened when I connect and try to reach the following computers:

    I can reach only a freenas 192.168.12.2, and I see in his journal that I have connected with 192.168.99.99 (vpn-framed-ip-address)

    I can't reach the computers on networks, however I have two nat rules, working when I'm in the office network 99.0

    access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
    access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0

    It seems that these two nat rules do not work with my vpn client.

    And it is very important to arrive at the asa with ssh through the tunnel, but I can't.

    I don't know if that is the ip address of the vpn client is in the management network, perhaps one should change to another network:

    for example 192.168.95.0/24

    A vpn asa for Dummies or any help is appreciated.

    Thank you very much

    Hi Chris,

    The following should help:

    access-list allowed 192.168.12.0 nonat_office 255.255.255.0 192.168.90.0 255.255.255.0

    In this way, returning office subnet pool VPN traffic is exempt from nat. And so you will not get the failure of RPF checking.

    In addition, you must change this:

    nat_vpn_office to access extended list ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0

    (incoming traffic on the VPN remote access would come from the VPN pool.) Not your home network.)

    You must have:

    No nat_vpn_office access list extended ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0

    access extensive list ip 192.168.90.0 nat_vpn_office allow 255.255.255.0 192.168.12.0 255.255.255.0

    NAT (outside) 5 nat_vpn_office list of outdoor access

    Hope this helps, and sorry for the delay.

    -Shrikant

    P.S.: Please check the question as answered if it was resolved. Do rates all useful messages. Thank you.

  • Unable to connect to other remote access (ASA) VPN clients

    Hello

    I have a cisco ASA 5510 appliance configured with remote VPN access

    I can connect all hosts on the INSIDE and DMZ network, but not able to access other clients connected to the same VPN.

    For example, if I have 2 clients connected to the VPN, customer and CustomerB, with a pool of vpn IP addresses such as 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.

    Any help is welcome.

    Thanks in advance.

    Hello

    I'm a little rusty on the old format NAT, but would be what I would personally try to configure NAT0 on the 'outer' interface.

    It seems to me that you currently have dynamic PAT configured for the VPN users you have this

    NAT (outside) 1 10.40.170.0 255.255.255.0

    If your traffic is probably corresponding to it.

    The only thing I can think of at the moment would be to configure

    Note of VPN-CLIENT-NAT0-access-list NAT0 for traffic between VPN Clients

    list of access VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0

    NAT (outside) 0-list of access VPN-CLIENT-NAT0

    I don't know if it works. I did not really have to configure it on any ASAs running older software. There was some similar questions here on the forums for the new format.

    -Jouni

  • Client certificate authentication and proxy HTTPS WSA

    Hello

    on a clients site, we have a virtual Proxy WSA with WCCP running behind a firewall of ASA. Only we are facing a problem: the customer has a site that authenticates the client through the certificate. It does not work. If I dasable the transparent proxy for this host, everything works fine.

    I solved it now bypassing the proxy server for the spicific site. Is there another solution to allow clients to authenticate using certificates to a Web site?

    Hello

    Does it means that websites (some sites) request for client certificate to authenticate during the SSL negotiation?

    If this is true, can you check your option since default CLI interface HTTPS when HTTPS servers request certificate of the client during the handshake, WSA will respond with unavailable certificate and the handshake will normally be breaks.

    To check this:

    1. log in to the CLI
    2. control of type advancedproxyconfig
    3. type HTTPS
    4. keep pressing enter to accept the value by default until you reach "measures to be taken when the HTTPS servers request certificate of the client during the handshake:" and change it to "get through the operation.

    5. keep pressing enter until the initial scope guest
    6. type commit to save the change.

  • ASA VPN clients

    I couldn't find the answer to this in google.

    You have to use the anyconnect software or you can use other as openvpn client software to connect to your asa.

    If it is for home, ASAs all equipped with 2 free licenses of AnyConnect Premium.

    You can even set up a VPN SSL without client using those and does not any client software - a simple browser.

    Purchase price for a small number of licenses AnyConnect is very cheap indeed.

    You can use generic third-party clients for IPsec VPN IKEv1 (not for the SSL VPN client-oriented).

  • Assign the static IP address by ISE, ASA VPN clients

    We will integrate the remote access ASA VPN service with a new 1.2 ISE.

    Authentication is performed in Active directory. After authentication, can address assigned to a specific user of VPN by ISE IP?

    This means that the same VPN user will always get the same IP address. Thank you.

    Daniel,

    You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.

    However if I may make a suggestion:

    Unless you have only a handful of users to do so, it may be appropriate to assign the address of ISE pool or perform the mapping of LDAP attributes on ASA itself.

    In the latter case, the IP addresses are kept on the server as LDAP attributes and ASA will map the IP address. You don't want to keep address IP DB in several places.

    M.

  • Configure Cisco ASA VPN client

    I did some research and the answers it was supposed to be possible, but no info on how to do it.  I wonder if it is possible to configure a Cisco ASA 5505/10/20 to be a customer to an existing (in this case) cisco vpn client.  The reasons why are complicated (and irrelevant IMO), but basically, I need to be able to make a small network that may be on this vpn rather than on individual computers.

    The vpn client is a Basic IPSec over UDP Cisco VPN to an ASA5505.

    So, how to set up an another ASA to connect to it as if it were a client?

    Hello

    Here is a document from Cisco on the configuration, the easy ASA of VPN server and Client

    Although in this case, they use a PIX firewall as a client.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

    Here's another site with instructions related to this installation program

    http://www.petenetlive.com/kb/article/0000337.htm

    I imagine that the site of Cisco ASA Configuration Guide documents will also give instructions how to configure it.

    -Jouni

  • ASA VPN client and OWA Exchange/2013

    Hi all... quick question ASA...

    Does anyone know the status of support for OWA Exchange 2013 and the ASA webvpn client access?

    I know that the ASA has a model for 2010... It works with 2013? Is there is the 2013 model in the pipeline for the ASA?

    Thank you!

    Hi Paul,.

    There is an improvement (CSCul27869) that opens to Exchange 2013 be supported with ASA.

    CSCul27869
    It is an enhancement request to add support for OWA 2013 with webvpn.
    https://Tools.Cisco.com/bugsearch/bug/CSCul27869/?reffering_site=dumpcr

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Issue of ASA VPN client

    Hello.

    I have a question about a connection between an asa5505-sec-bun-k9 (who acts as easy VPN client) and an EASY VPN server.

    The connection with the easy VPN server is OK, but I can't connect to the internet and create VPN for my ASA5505 connections when I activated the feature.

    Is this a normal phenomenon with Easy VPN active customer?

    Cool

    Please, note useful

  • ANyConnect Client certificate authentication and verify the Client against the Microsoft AD using DAP via LDAP domain membership

    Hello

    as described in the title one want to connect with AnyConnect Secure Mobility Client 3.0.2052 ASA 5540 Version 8.4 and licence Premium SSL.

    Customers using Maschine certificate to authenticate to ASA. It works very well.

    Now, I want to install a DAP to check the customer against the Microsoft AD using LDAP. I have configured the LDAP server in see ASA:

    AAA-Server LDAP protocol ldap
    AAA-Server LDAP (inside) host ldap.com
    LDAP-base-dn DC = x DC = x, DC = x DC = com
    LDAP-scope subtree
    LDAP-login-password *.
    LDAP-connection-dn *.
    microsoft server type

    I see that it works if I test via the testbotton server in ASDM and I also see in CLI "debugging ldap 255". But if I configure in DAP: AAA attribute ID:memberOf = Membre_domaine I can't see any request to the LDAP server as I try to connect with the Client und does not correspond to the DAP.

    No idea where the problem lies?

    Thanks in advance

    Hi Klaus,

    DAP will not make any call LDAP itself, it will only act based on the attributes received LDAP via the LDAP authentication or authorization.

    So you will need to enable the LDAP authorization in the tunnel - or connect to groups.

    Once you have, you can either use DAP or a map attribute LDAP for accept/deny access, see the example of these two methods.

    HTH

    Herbert

  • ASA VPN with certificates

    I'm after abit of consultation.

    I have an ASA 5510 in my hub, static public IP address.

    Then I have an ASA 5505 like my talk, with a dynamic IP address.

    I used a dynamic encryption with PSK card and everything seems functional.

    One of my concerns are that I was forced to use aggressive mode to make it work. I am well aware of the security risks.

    I seek to use certificates in read in aggressive mode.

    If I use an internal Windows certificate authority, what will happen with the revocations.

    If my trying to connect but cannot check Revocation because the server is internal to the VPN will connect?

    Also can I put my certifcates to be valid for a long time, for example ten years so that I don't have to worry about certificates expireing?

    Answer online

    If I use an internal Windows certificate authority, what will happen with the revocations.

    < if="" you="" enable="" revocation="" check,="" you="" have="" to="" make="" your="" internal="" server="" accessiable="" to="" the="" remote="">

    Otherwise you can disable revocation checking.

    If my trying to connect but cannot check Revocation because the server is internal to the VPN will connect?

    Also can I put my certifcates to be valid for a long time, for example ten years so that I don't have to worry about certificates expireing?

    < it="" is="" controled="" by="" ca="" server="" which="" issue="" the="" certificate="" to="">

  • Authentication IPsec VPN Client using the digital certificate

    Hello

    Please I need some clarification and help to set up my ASA 5540 with IOS 8.3 x for client certificate authentication remote.

    I have my certificate root from the Microsoft CA, but not quite sure if the steps described in the following cisco Web sites are exactly what I need since the firewall seems to generate the certificate to use.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080930f21.shtml

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008073b12b.shtml

    My setup is such that the CA will issue certificates to remote clients and the ASA firewall, and remote clients will authenticate and connect with their certificates which the firewall is constantly updating using the Revocation list updated by the certification authority.

    The dhcp pool must be issued by the DC inside network and not on the firewall.

    Are there any examples or best practices to achieve steps will be really appreciated.

    Thank you

    Hi Josh,.

    Let me explain briefly how Auth PKI:

    In a public key infrastructure configuration, devices trust not each other directly, but they have a certification authority, which is the one who issues the certificate. We call this root CA (there may be a more complex configuration WHERE intermediate are involved, but that's another story). So when the root CA issues a certificate, he signs it with its private key. To be able to verify this signature, we should have the CA public key, which is included with the certification authority.

    So for certificate authentication, you must create a trustpoint, that defines the parameters of the root certification authority.

    Then you will authenticate this trustpoint, which basically means that you will get the certificate of the root CA and store locally.

    After that, you sign up to this CA, which means that you will ask for (and get) your own certificate.

    Other users will do the same and have the same root CA Cert, but different personal (identity) certificates.

    So what happens on authentication is that both ends send their certificate to the other, and they will use the public key contained in the root CA to validate the signature of the certificate received from the remote peer. If the signature is correct, this means that the certificate authority root actually issued the certificate, and this remote peer can be trusted (or not)

    Hope this is clear.

  • Ensure the mobility Client Certificate Problem | CEP-transfer-url

    Hi all

    I'm having a problem CEP configuration for my secure mobilty client.  I created a connection profile to allow the certificate requests, but when I fill in the url-forwarding-CEP I get an error.

    The certification authority we use is an internal MS CA with PEIE already active.  It has been configured for a long time with our current Cisco VPN client using authentication certificate.  The ASA is running 8.4.1.

    Here is the error I get when I try to enter the command in the associated group policy to my registration certificate connection profile:

    SSLGP group policy attributes

    value of CEP-transfer-url http://10.1.1.2/certsrv/mscep/mscep.dll

    Attempts to retrieve the certificates of AC/AE by using the URL. Please wait...

    Received 3 certificates of AC/AE by using the URL of the CEP.

    NON-RESIDENT CERT: serial: 11111111000100000145, subject: cn = SCEP_ADD_ON, o = OUNIT, c = UK

    NON-RESIDENT CERT: serial: 11111111000100000146, subject: cn = SCEP_ADD_ON, o = OUNIT, c = UK

    NON-RESIDENT CERT: serial: 11111111478AAB288393FAFf2a3E274, subject: cn = CERTSVR-01

    ATTENTION: Please check if you have all the required certificates in the config to authenticate the certificates that will be issued using this URL CEP

    Can someone explain why this happens, because it will not take the config?

    Thanks in advance.

    Ian

    Hi Ian,

    in case you are still having problems with this (I think the question is one week): it seems that the ASA asking you first create a trustpoint (in your case in fact 3 can be required, one for each CA certificate) and import is the CA cert.

    HTH

    Herbert

  • Terminating the VPN client on 871W

    Hello

    I tried to install EasyVPN on a cisco 871W by SDM. The goal is to finish the VPN client with authentication with an external RADIUS/advertising (on a local subnet). I implemented the IAS on a win2003 Server advertising and checked the accounts.

    SDM was missing the 'crypto map' piece of config. After you add this in the CLI it still didn't work. Thus, EasyVPN is not as easy at is sounds...

    Could someone with some knowledge of VPN and IPsec and so forth please look at this config? Maybe it gives me an idea of what I did wrong (which, without a doubt, must be the case).

    Thank you

    Erik

    ==

    AAA new-model
    !
    AAA rad_eap radius server group
    auth-port 1645 10.128.7.5 Server acct-port 1646
    !
    AAA rad_mac radius server group
    !
    AAA rad_acct radius server group
    !
    AAA rad_admin radius server group
    !
    AAA server Ganymede group + tac_admin
    !
    AAA rad_pmip radius server group
    !
    RADIUS server AAA dummy group
    !
    AAA authentication login default local
    AAA authentication login eap_methods group rad_eap
    AAA authentication login mac_methods local
    AAA authentication login sdm_vpn_xauth_ml_1 local
    AAA authorization exec default local
    AAA authorization ipmobile default group rad_pmip
    AAA authorization sdm_vpn_group_ml_1 LAN
    AAA accounting network acct_methods
    action-type market / stop
    Group rad_acct
    !
    !
    !
    AAA - the id of the joint session
    clock timezone MET 1
    clock to DST DST PUTS recurring last Sun Mar 02:00 last Sun Oct 02:00
    !
    Crypto pki trustpoint TP-self-signed-1278336536
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 1278336536
    revocation checking no
    rsakeypair TP-self-signed-1278336536
    !
    !
    TP-self-signed-1278336536 crypto pki certificate chain
    certificate self-signed 01
    3082024A 308201B 3 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
    69666963 31323738 33333635 6174652D 3336301E 170 3039 31303237 32313237
    32395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
    4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 32373833 65642D
    33363533 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
    81008B 56 5902F5DF FCE1A56E 3A63350E 45956514 1767EF73 FEC6CD16 7E982A82
    B0AF8546 ABB3D35A B7C3A7E3 3ACCB34A 8B655C97 F103DBD5 9AAEFEFC 37A 02103
    4EFC398B 0C8B6BE5 AD3E568E 6CB69F87 CBCA0785 EAED0A28 726F2F0A B0B0453E
    32E6B3B7 861F87FA 222197DD 3410D8A9 35939E9B CBF95F20 B8DA6ADE BF460F5C
    BF8F0203 010001A 3 72307030 130101 1 FF040530 030101FF 301D 0603 0F060355
    551 1104 16301482 12444341 4E495430 302E6361 6E2D6974 2E657530 1F060355
    1 230418 30168014 84C9223E 661B2EB4 5BAB0B0E 1BE3A27A 64B3AEB0 301D 0603
    551D0E04 16041484 C9111E66 1B2EB45B AB0B0E1B E3A27A64 B3AEB030 0D06092A
    010104 05000381 8693B 599 70EC1F1A D2995276 F3E4AF9D 81002F4A 0D 864886F7
    17E3583A 46C749F9 38743E6F F5E60478 5B9B5091 E944C689 7BA6DCA2 94D2FBD3
    AFDE4500 A0A3644E 603A852D 55ED7A87 93501D5C 1662DAED 3FFFEC5A F1C38ED4
    E0787561 BA5C14A3 6D065FCF 7DBDEBB6 9186C2D9 AA253FBF A9E38BC3 342C3AC9
    2BEF6821 E4C50277 493AD5B6 2AFE
    quit smoking
    dot11 syslog
    !
    IP source-route
    !
    !
    DHCP excluded-address IP 10.128.1.250 10.128.1.254
    DHCP excluded-address IP 10.128.150.250 10.128.150.254
    DHCP excluded-address IP 10.128.7.0 10.128.7.100
    DHCP excluded-address IP 10.128.7.250 10.128.7.254
    !
    pool IP dhcp VLAN30-COMMENTS
    import all
    Network 10.128.1.0 255.255.255.0
    router by default - 10.128.1.254
    10.128.7.5 DNS server
    -10.128.7.5 NetBIOS name server
    aaa.com domain name
    4 rental
    !
    IP dhcp VLAN20-STAFF pool
    import all
    Network 10.128.150.0 255.255.255.0
    router by default - 10.128.150.254
    10.128.7.5 DNS server
    -10.128.7.5 NetBIOS name server
    aaa.com domain name
    4 rental
    !
    IP dhcp SERVERS VLAN10 pool
    import all
    Network 10.128.7.0 255.255.255.0
    router by default - 10.128.7.254
    10.128.7.5 DNS server
    -10.128.7.5 NetBIOS name server
    aaa.com domain name
    4 rental
    !
    !
    IP cef
    no ip domain search
    IP domain name aaa.com
    inspect the tcp IP MYFW name
    inspect the IP udp MYFW name
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    VPDN enable
    !
    !
    !
    username privilege 15 secret 5 xxxx xxxx
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    ISAKMP crypto client configuration group vpn
    key xxxx
    pool SDM_POOL_1
    netmask 255.255.255.0
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    market arriere-route
    !
    !
    card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
    client configuration address map SDM_CMAP_1 crypto answer
    map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
    !
    Crypto ctcp port 10000
    Archives
    The config log
    hidekeys
    !
    !
    !
    Bridge IRB
    !
    !
    interface Loopback0
    10.128.201.1 the IP 255.255.255.255
    map SDM_CMAP_1 crypto
    !
    interface FastEthernet0
    switchport access vlan 10
    !
    interface FastEthernet1
    switchport access vlan 20
    !
    interface FastEthernet2
    switchport access vlan 10
    !
    interface FastEthernet3
    switchport access vlan 30
    !
    interface FastEthernet4
    no ip address
    Speed 100
    full-duplex
    PPPoE enable global group
    PPPoE-client dial-pool-number 1
    No cdp enable
    !
    interface Dot11Radio0
    no ip address
    Shutdown
    No dot11 extensions aironet
    !
    interface Vlan1
    address IP AAA. BBB. CCC.177 255.255.255.240
    no ip redirection
    no ip proxy-arp
    NAT outside IP
    no ip virtual-reassembly
    No autostate
    Hold-queue 100 on
    !
    interface Vlan10
    SERVER description
    no ip address
    IP nat inside
    no ip virtual-reassembly
    No autostate
    Bridge-group 10
    Bridge-group of 10 disabled spanning
    !
    interface Vlan20
    Description of the STAFF
    no ip address
    IP nat inside
    no ip virtual-reassembly
    No autostate
    Bridge-group 20
    Bridge-group 20 covering people with reduced mobility
    !
    Vlan30 interface
    Description COMMENTS
    no ip address
    IP nat inside
    no ip virtual-reassembly
    No autostate
    Bridge-group 30
    Bridge-group 30 covering people with reduced mobility
    !
    interface Dialer1
    MTU 1492
    IP unnumbered Vlan1
    no ip redirection
    no ip proxy-arp
    NAT outside IP
    inspect the MYFW over IP
    IP virtual-reassembly
    encapsulation ppp
    Dialer pool 1
    Dialer-Group 1
    PPP authentication pap callin
    PPP pap sent-name of user password 7 xxxx xxxxx
    !
    interface BVI10
    Description the server network bridge
    IP 10.128.7.254 255.255.255.0
    IP nat inside
    IP virtual-reassembly
    !
    interface BVI20
    Description personal network bridge
    IP 10.128.150.254 255.255.255.0
    IP nat inside
    IP virtual-reassembly
    !
    interface BVI30
    Bridge network invited description
    IP 10.128.1.254 255.255.255.0
    IP access-group Guest-ACL in
    IP nat inside
    IP virtual-reassembly
    !
    pool of local SDM_POOL_1 192.168.2.1 IP 192.168.2.100
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 Dialer1
    IP http server
    access-class 2 IP http
    local IP http authentication
    IP http secure server
    IP http secure ciphersuite 3des-ede-cbc-sha
    IP http secure-client-auth
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    !
    overload of IP nat inside source list 101 interface Vlan1
    IP nat inside source static tcp 10.128.7.1 25 AAA. BBB. Expandable 25 CCC.178
    IP nat inside source static tcp 10.128.7.1 80 AAA. BBB. CCC.178 extensible 80
    IP nat inside source static tcp 10.128.7.1 443 AAA. BBB. CCC.178 extensible 443
    IP nat inside source static tcp 10.128.7.1 8333 AAA. BBB. CCC.178 extensible 8333
    IP nat inside source static tcp 10.128.7.2 25 AAA. BBB. Expandable 25 CCC.179
    IP nat inside source static tcp 10.128.7.2 80 AAA. BBB. CCC.179 extensible 80
    IP nat inside source static tcp 10.128.7.2 443 AAA. BBB. CCC.179 extensible 443
    IP nat inside source static tcp 10.128.7.2 8333 AAA. BBB. CCC.179 extensible 8333
    IP nat inside source static tcp 10.128.7.3 25 AAA. BBB. Expandable 25 CCC.180
    IP nat inside source static tcp 10.128.7.3 80 AAA. BBB. CCC.180 extensible 80
    IP nat inside source static tcp 10.128.7.3 443 AAA. BBB. CCC.180 extensible 443
    IP nat inside source static tcp 10.128.7.3 8333 AAA. BBB. CCC.180 extensible 8333
    IP nat inside source static tcp 10.128.7.4 25 AAA. BBB. Expandable 25 CCC.181
    IP nat inside source static tcp 10.128.7.4 80 AAA. BBB. CCC.181 extensible 80
    IP nat inside source static tcp 10.128.7.4 443 AAA. BBB. CCC.181 extensible 443
    IP nat inside source static tcp 10.128.7.4 8333 AAA. BBB. CCC.181 extensible 8333
    IP nat inside source static tcp 10.128.7.5 25 AAA. BBB. Expandable 25 CCC.182
    IP nat inside source static tcp 10.128.7.5 80 AAA. BBB. CCC.182 extensible 80
    IP nat inside source static tcp 10.128.7.5 443 AAA. BBB. CCC.182 extensible 443
    IP nat inside source static tcp 10.128.7.5 8333 AAA. BBB. CCC.182 extensible 8333
    IP nat inside source static tcp 10.128.7.6 25 AAA. BBB. Expandable 25 CCC.183
    IP nat inside source static tcp 10.128.7.6 80 AAA. BBB. CCC.183 extensible 80
    IP nat inside source static tcp 10.128.7.6 443 AAA. BBB. CCC.183 extensible 443
    IP nat inside source static tcp 10.128.7.6 8333 AAA. BBB. CCC.183 extensible 8333
    IP nat inside source static tcp 10.128.7.7 25 AAA. BBB. Expandable 25 CCC.184
    IP nat inside source static tcp 10.128.7.7 80 AAA. BBB. CCC.184 extensible 80
    IP nat inside source static tcp 10.128.7.7 443 AAA. BBB. CCC.184 extensible 443
    IP nat inside source static tcp 10.128.7.7 8333 AAA. BBB. CCC.184 extensible 8333
    IP nat inside source static tcp 10.128.7.8 25 AAA. BBB. Expandable 25 CCC.185
    IP nat inside source static tcp 10.128.7.8 80 AAA. BBB. CCC.185 extensible 80
    IP nat inside source static tcp 10.128.7.8 443 AAA. BBB. CCC.185 extensible 443
    IP nat inside source static tcp 10.128.7.8 8333 AAA. BBB. CCC.185 extensible 8333
    IP nat inside source static tcp 10.128.7.9 25 AAA. BBB. Expandable 25 CCC.186
    IP nat inside source static tcp 10.128.7.9 80 AAA. BBB. CCC.186 extensible 80
    IP nat inside source static tcp 10.128.7.9 443 AAA. BBB. CCC.186 extensible 443
    IP nat inside source static tcp 10.128.7.9 8333 AAA. BBB. CCC.186 extensible 8333
    IP nat inside source static tcp 10.128.7.10 25 AAA. BBB. Expandable 25 CCC.187
    IP nat inside source static tcp 10.128.7.10 80 AAA. BBB. CCC.187 extensible 80
    IP nat inside source static tcp 10.128.7.10 443 AAA. BBB. CCC.187 extensible 443
    IP nat inside source static tcp 10.128.7.10 8333 AAA. BBB. CCC.187 extensible 8333
    IP nat inside source static tcp 10.128.7.11 25 AAA. BBB. Expandable 25 CCC.188
    IP nat inside source static tcp 10.128.7.11 80 AAA. BBB. CCC.188 extensible 80
    IP nat inside source static tcp 10.128.7.11 443 AAA. BBB. CCC.188 extensible 443
    IP nat inside source static tcp 10.128.7.11 8333 AAA. BBB. CCC.188 extensible 8333
    IP nat inside source static tcp 10.128.7.12 25 AAA. BBB. Expandable 25 CCC.189
    IP nat inside source static tcp 10.128.7.12 80 AAA. BBB. CCC.189 extensible 80
    IP nat inside source static tcp 10.128.7.12 443 AAA. BBB. CCC.189 extensible 443
    IP nat inside source static tcp 10.128.7.12 8333 AAA. BBB. CCC.189 extensible 8333
    !
    Guest-ACL extended IP access list
    deny ip any 10.128.7.0 0.0.0.255
    deny ip any 10.128.150.0 0.0.0.255
    allow an ip
    IP Internet traffic inbound-ACL extended access list
    allow udp any eq bootps any eq bootpc
    permit any any icmp echo
    permit any any icmp echo response
    permit icmp any any traceroute
    allow a gre
    allow an esp
    !
    access-list 1 permit 10.128.7.0 0.0.0.255
    access-list 1 permit 10.128.150.0 0.0.0.255
    access-list 1 permit 10.128.1.0 0.0.0.255
    access-list 2 allow 10.0.0.0 0.255.255.255
    access-list 2 refuse any
    access-list 101 permit ip 10.128.7.0 0.0.0.255 any
    access-list 101 permit ip 10.128.150.0 0.0.0.255 any
    access-list 101 permit ip 10.128.1.0 0.0.0.255 any
    Dialer-list 1 ip Protocol 1
    !
    !
    !
    !
    format of server RADIUS attribute 32 include-in-access-req hour
    RADIUS-server host 10.128.7.5 auth-port 1645 acct-port 1646 borders 7 xxxxx
    RADIUS vsa server send accounting
    !
    control plan
    !
    IP route 10 bridge
    IP road bridge 20
    IP road bridge 30
    Banner motd ^.
    Unauthorized access prohibited. *
    All access attempts are logged! ***************

    ^
    !
    Line con 0
    password 7 xxxx
    no activation of the modem
    line to 0
    line vty 0 4
    access-class 2
    privilege level 15
    transport input telnet ssh
    !
    max-task-time 5000 Planner
    AAA.BBB.CCC.ddd NTP server
    end

    Erik,

    The address pool you are talking about is to assign to the customer or the public router interface?  If you want to set up your vpn client software point a full domain name instead of an IP address that you can do it too long you can ensure the use of the name is resolved by a DNS SERVER.

    The range of addresses that you can be asigned to your Dialer interface will depend on your ISP.

    -Butterfly

Maybe you are looking for

  • Satellite L755 - 1 CG cannot find the correct drivers

    I bought a toshiba Satellite L755 - 1 CG today.I installed windows 7 Home premium x 32, but I can't find the drivers anywhere appropriate. Could you please help me?

  • 6 D &amp; EOS Utility matching

    Anyone successful with this? It seems to pair with the computer, but not with EOS Utility. I cycles then EOS Utility "Target not found connection" during opening and closing. In addition: I deleted all the settings twice and entered the key correctly

  • scrolling on facebook

    I can't scroll down a whole page on facebook, I can see about 10 posts then the page stops... Also, I can't open links or if it says 'see more' I can't open it... I can help on my cell phone, but not my... counter top!

  • Windows XP Disk Defragmenter does not work

    I can't get my windows Defragmenter to work... When I click on the analysis / defragment buttons, it does nothing... Anyone know what I can do to solve my problem?

  • LTO-5 maximum goes up / loads tape media

    Hello We currently use a tape library with HP LTO - 5 Ultrium tapes. Over the past five years, we have LTO - 5 tape with many media, (up to 15000) and I wonder if the mounts of a LTO-5 tape jeopardizes data integrity.  What I'm asking is if the LTO-5