ASA VPN Clustering

I have 4 pairs of HA VPN in 4 different geographic regions of the world.  Does Cisco ASA support clustering of more than 2 VPN servers?  Given that the AnyConnect client does not have the ability to store logins like the old IPsec client profiles did, I need a way to provide 1 hostname which will be used for all 4 VPN servers.  Any suggestions?

Eric

You will be very happy.  Read this.

https://supportforums.Cisco.com/document/58711/AnyConnect-optimal-gateway-selection-operation

In short, AnyConnect can store profiles.  However, it is best to create the same profile and store it on each VPN cluster so that users pick it up at their next login.

On the modern Windows OS the XML profile is stored in:

%ProgramData%\Cisco\Cisco AnyConnect secure mobility Client\Profile
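As an added illustration of the "same profile on every head-end" advice above (this is example configuration, not from the original post), the ASA side of distributing one AnyConnect profile from each of the 4 HA pairs. Assumed names: the profile file global-ogs.xml (built with the AnyConnect Profile Editor, listing all four gateways in its ServerList with Optimal Gateway Selection enabled), the profile label GLOBAL-OGS, the group policy GP-REMOTE-USERS, and placeholder paths in angle brackets.

```text
! Run on the active unit of each of the 4 HA pairs (failover replicates it to the standby).
! Assumed file name: global-ogs.xml, identical on every head-end, so whichever gateway
! a user lands on, the client receives the same profile at its next login.
!
! 1. Copy the identical profile file to each ASA (source host is a placeholder)
copy tftp://<MGMT-HOST>/global-ogs.xml disk0:/global-ogs.xml
!
! 2. Register the profile with WebVPN (client image name is a placeholder)
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<VERSION>-k9.pkg 1
 anyconnect profiles GLOBAL-OGS disk0:/global-ogs.xml
 anyconnect enable
!
! 3. Push the profile to users through their group policy
group-policy GP-REMOTE-USERS attributes
 webvpn
  anyconnect profiles value GLOBAL-OGS type user
!
! Check: the MD5 must match on all four head-ends, otherwise clients will keep
! replacing the profile with a different copy depending on the gateway they hit
verify /md5 disk0:/global-ogs.xml
show running-config webvpn
```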

Tags: Cisco Security

Similar Questions

  • [ASA] VPN Clustering maximum features and Site to Site

    I have a few questions about VPN Clustering with an ASA.

    1. how many devices can be in a cluster?

    2. I know that it is not possible to use a site-to-site VPN in a cluster, but can my remote-access VPN cluster also support a site-to-site tunnel alongside it, which is not load balanced and is terminated directly at one device of the cluster?

    To answer your questions:

    (1) the max is 10 devices in a cluster

    (2) Yes...

    "Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (version 3.0 and later), the Cisco VPN 3002 Hardware Client (version 3.5 and later), or the ASA 5505 operating as an Easy VPN client. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but cannot participate in the load balancing."

    HTH.

  • AnyConnect Cisco ASA VPN deployment

    Hello

    I have a request for information about an ASA deployment that must support more than 10000 clients. I understand that several ASAs would be necessary for this; however, I was wondering what the typical design for this would be. Are the multiple ASAs configured as a VPN cluster / load balancing, etc.?

    I would like to know if there is any design document for it. The current configuration is a pair of ASAs in active/standby; I was wondering how to combine the total connections if I need 15000 VPN connections, for example 2 active/standby pairs with VPN clustering/load balancing, etc.?

    Thank you.

    You are right that VPN load-balancing is the technology you need to deploy for this. With it, you can combine multiple devices into a load-sharing cluster. These devices may be different, for example two 5555s with two 5545s, which would give you a total of 15000 VPN connections.
    Of course, you should plan for device failure. So you could deploy 4 * 5555, and even if one ASA is lost you still have 15000 connections (well, at least based on the datasheet; I would not push the number of connections to the limit).
    You can also deploy these devices as failover systems for redundancy. 3 * 2 * 5555 would also give you redundancy.

    This is under the assumption that users connect to the same office, where the ASAs have an L2 connection to one another, which is necessary for VPN load-balancing. If users connect through different places, then these ASAs cannot use VPN load-balancing, unless you have an L2 connection between the locations.

    If you have multiple sites, you should also think about the shared license server that could save a lot of money if your users do not always use the same gateway.

    And a last point: as much as possible, set up your AAA with a central RADIUS server to reduce the probability of a misconfiguration on multiple ASAs.

    Sent from Cisco Technical Support iPad App

  • ASA VPN with Fortigate

    Hello people!

    I still have a problem with VPN... LOL

    I have to create a new site-to-site VPN between an ASA 5510 (8.42) and a Fortigate, but something is very strange: the VPN doesn't come up, and in debug crypto ikev1 10 I see the following log:

    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    But if I ask the other peer to change to Group 2, the message on the ASA is:

    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

    On the Fortigate it is possible to enable both DH groups 1 and 2 for one VPN, so I asked the other peer to leave it that way, and the ASA shows:

    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    The show isakmp sa output:

    9   IKE Peer: 179.124.32.181
        Type    : user            Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG3

    I have deleted and recreated the VPN 3 times and the same error occurs.

    Has anyone seen this kind of problem?

    Is it using Fortigate version 5 by chance?

    I have seen Cisco ASA VPN problems repeatedly with this Fortigate code, but mostly it has been a Phase 2 problem, and setting the maximum KB lifetime on the ASA side has solved it... However, this does not seem to be your problem here.

    The first thing I see in your config is that you have PFS enabled - have you ensured it is set on the Fortinet side, or tried turning it off on the Cisco side to see what happens?

    Being stuck at MM_WAIT_MSG3 means that you sent your policy back, but then never received the third packet of the ISAKMP exchange, so either the Fortigate is unhappy with something or there is a routing problem (unlikely, however, given that you have already had communication).

    Try this on the ASA side:

    debug crypto isakmp 7

    Can you also confirm that your external interface is 'outside1'? You can see this with "show ip".

  • ASA VPN - allow user based on LDAP Group

    Hello friends

    I have to create a configuration to allow connections based on LDAP group.

    I am not a firewall specialist and I tried to follow the links below, but both seem old; several of the commands are not available.

    http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Anyone know how I can do?

    Thank you

    Marcio

    I like to use DAP (dynamic access policies) to control this.  Follow this guide:

    https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

  • Assign the static IP address by ISE, ASA VPN clients

    We will integrate the ASA remote-access VPN service with a new ISE 1.2.

    Authentication is performed against Active Directory. After authentication, can ISE assign an IP address to a specific VPN user?

    This means that the same VPN user will always get the same IP address. Thank you.

    Daniel,

    You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.

    However if I may make a suggestion:

    Unless you only have a handful of users to do this for, it may be more appropriate to assign the address from an ISE pool or to perform the LDAP attribute mapping on the ASA itself.

    In the latter case, the IP addresses are kept on the server as LDAP attributes and the ASA will map the IP address. You don't want to keep the IP address DB in several places.

    M.

  • Device behind a Firewall other, ASA VPN

    I have a client who wants to put their VPN ASA behind the main ASA that is connected to the Internet.  Both devices have an inside leg to the internal network, but the VPN ASA reaches the Internet through the main ASA.

    Topology:

    Outside FW: Internet > ASA/FW > DMZ leg to ASA/VPN

    ASA VPN: its outside interface is an L3 interface on the DMZ link of the ASA/FW

    On the outside FW I NAT the outside address of the VPN ASA to an available public IP address, and I have a rule that allows all IP from outside to the VPN ASA's private outside IP.  Inside = 192.168.254.1, outside = public IP address.

    On the VPN ASA, standard ASA SSL remote access is configured.

    When I hit the public NAT IP address, nothing happens.  I've run packet-tracer on the outside FW, and everything seems good.

    Does anyone have a sample design / config for a similar topology?     Internet > ASA/FW > dmz-leg > ASA/VPN

    Thanks in advance,
    Bob

    Can you share the NAT and routing configuration of these two ASAs?

  • ASDM access to VPN conc. (ASA) over VPN

    I have a scenario like this:

    One ASA, which is the FW, does static NAT from a public to a private IP address, and the private IP address is the VPN conc. (another ASA). I access these devices via the VPN client and get an IP address from the VPN pool configured on the VPN conc. The VPN conc. is in a DMZ VLAN, but it also has a connection to the local network segment. For management purposes, I connect to this VPN conc. through SSH via a switch in the local network segment. To use HTTP access, I have to be on one of the servers in the local network segment. So, once I have set up the VPN connection and I am on the VPN conc., what can I do to access HTTP directly from my PC?

    Set this on the VPN conc.:

    management-access inside

    After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside ip address.

    hth
    Herbert
    (note, I assume the name of the interface connected to the LAN is named "inside", if not adapt at will )

  • ASA VPN Plus = SSL VPN?

    Hello

    I have a FO pair; I need to replace an ASA5520 that has a VPN Plus license for 750 sessions.

    Can I use an ASA5520 with ASA5500-SSL-750 instead?

    Regards Tony

    Yes, it is still available to order. Part number: ASA5520-VPN-PL=

    In addition, this ASA VPN Plus license would be much, much cheaper than the SSL VPN license.

    Thank you

    Kiran

  • New ASA/VPN configuration

    So, I am looking to add one of my spare 5510 firewalls to my secondary network as a VPN device.

    All I want this new ASA to do is handle my site's AnyConnect VPN connections.  I'm pretty new to ASAs, so any help would be great.  I know how to create a new remote-access VPN on my ASA, and I added a NAT for my inside and outside traffic to my new VPN IP pool.

    My question is, since it's only for the VPN and I want all my current internal traffic to continue routing through the existing ASA 5510, do I have to enter ACLs on my new VPN-only ASA?  Are ACLs used for VPN traffic, and do I need them to route traffic via the VPN?

    On the new VPN-only ASA, I'll connect the inside interface to one of my main Cisco switches and the outside interface to my DMZ switch.

    Thank you

    I'm not sure I understand how you connect the outside interface of the VPN-only ASA. Normally, in this type of installation, we would see the VPN ASA "in parallel" with the perimeter firewall.

    Your mention of the DMZ switch threw me a little. If you are coming in through your main firewall and reaching the VPN-only ASA via the DMZ, then yes, you will need to open several ports (protocol 50, udp/500, tcp/443 among others) and may have to do some other things (NAT-T, etc.) depending on the type of remote access you are implementing. That's why we rarely see this configuration used - it adds a good dose of complexity without significant benefit.

    When the usual setup is used, you need your internal switch to know to route traffic for the VPN pool via the VPN-only ASA's inside interface. A static route is most often used, although you could use OSPF or EIGRP if you wanted to.

    There should generally not be any access list needed for VPN traffic beyond the access lists on the incoming interface. Return traffic to remote clients comes from inside and goes out (and is usually part of an established connection), so no access list is necessary on the inside.

  • ASA VPN on physical IP address only?

    Hello

    Is it possible to set up a dedicated virtual IP address for the VPN endpoint on an ASA running version 8.3 and later?

    I don't want to use the physical IP address on my external interface.

    Thank you

    No problem. Please kindly mark this post as answered so that others may learn from your post. Thank you.

  • ASA Vpn load balancing and failover

    Hi all.

    We have two ASA5520s configured as primary and standby units in a failover configuration, and everything works fine.

    Is it possible, with this configuration (failover), to also configure VPN load balancing/clustering?

    Thank you

    Daniele

    Hi Daniele,

    You cannot run both of them, the VPN load-balancing feature and the failover feature, on the same two ASA firewalls.

    Where you need to use both features, you must use more than three ASA firewalls: the first two ASAs work as the failover pair and the third ASA works as the VPN cluster peer for them. The following example uses four firewalls:

    ASA1 (FO active) - ASA2 (FO standby)
           (VPN virtual master)
                   |
                   |
           (backup VPN device)
    ASA3 (FO active) - ASA4 (FO standby)

    Kind regards

    Wajih
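As an added example (not from any of the posts above), the VPN load-balancing configuration for the four-firewall layout described in this answer and in the cluster-size and 15000-connection answers earlier on this page: two failover pairs on the same L2 segment, each pair acting as one cluster member. Interface names, the 203.0.113.0/24 and 10.1.1.0/24 addresses and the cluster key are placeholder assumptions.

```text
! ---- Member 1: enter on the ACTIVE unit of pair ASA1/ASA2 (failover replicates it) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0 standby 203.0.113.12
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.11 255.255.255.0 standby 10.1.1.12
!
! Encrypted cluster messages require ISAKMP on the lbprivate (inside) interface
crypto ikev1 enable inside
!
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 ! Virtual address on the outside subnet: the single DNS name for users points here.
 ! LAN-to-LAN peers still connect to a member's real address, not to this one.
 cluster ip address 203.0.113.10
 cluster port 9023
 ! Same key on every member (placeholder value)
 cluster key <CLUSTER-KEY-PLACEHOLDER>
 cluster encryption
 ! Highest priority becomes the virtual master that redirects clients
 priority 10
 participate
!
! ---- Member 2: enter on the ACTIVE unit of pair ASA3/ASA4, same subnets, own addresses ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.21 255.255.255.0 standby 203.0.113.22
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.21 255.255.255.0 standby 10.1.1.22
!
crypto ikev1 enable inside
!
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key <CLUSTER-KEY-PLACEHOLDER>
 cluster encryption
 priority 5
 participate
!
! Check from either member: both members and the current master should be listed
show vpn load-balancing
```

Members must share the outside and inside subnets; a pair in another location without that L2 reach cannot join this cluster, as the earlier answer about multiple sites notes.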

  • Certificate on ASA VPN

    Hello

    I want to deploy AnyConnect VPN or remote-access IPsec on the ASA for users who connect using smart cards. So I need to install digital certificates on the ASA.

    Here are the 4 files from my contact (who is on holiday, so I have to find out via this portal exactly what I need to do with them):

    1. root-ORG-CA.cer - root CA from our own CA, in .cer format

    2. Proc-ORG-CA.cer - he says it is "issued by: root-ORG-CA". I do not know what exactly this certificate is. Again the extension is .cer.

    3. ASA-CERT.cer - here he says it is "issued by: Proc-ORG-CA". From the name I guess that this is the identity certificate I should install on the ASA. Again the extension is .cer.

    4. ASA-Priv.key - this is the private key, in a .key file I can read in Notepad.

    Now, as far as my knowledge goes, I think I have to install root-ORG-CA.cer on the ASA. Then I need some kind of installation of the private key + identity certificate, individually or combined. But I am confused about how to proceed:

    (a) what could Proc-ORG-CA.cer be?

    (b) what is the exact order in which I should install things?

    (c) is it most convenient to do these things in the CLI or to paste the content in ASDM?

    (d) which extensions do I need for each file? Do I need to convert the certificates to other formats?

    Thanks in advance!

    Hello

    Here are answers to your questions:

    a. Proc-ORG-CA.cer seems to be the intermediate CA that signs the server certificate; it has been authorized by your root certification authority to do so.

    b. you must first import the root CA, then the intermediate CA and finally the ASA certificate

    c. you can do it using either ASDM or the CLI. However, I personally prefer the CLI

    d. PEM is fine for the intermediate and root. For the ASA, if you have the certificate and a private key, you must convert them to pkcs12 format.

    Hope this is clear.

    Thank you

    PS: Please do not forget to rate and score as correct answer if this answered your question
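As an added example (not from the answer above), the import order from answer (b) and the pkcs12 conversion from answer (d) written out as ASA CLI, using the four file names from the question. Trustpoint names ROOT-ORG-CA, PROC-ORG-CA and ASA-ID, the interface name outside and the export passphrase are assumptions.

```text
! Step 1: trusted root. Paste the PEM text of root-ORG-CA.cer at the prompt, then type quit.
crypto ca trustpoint ROOT-ORG-CA
 enrollment terminal
crypto ca authenticate ROOT-ORG-CA
!
! Step 2: intermediate (issuing) CA, Proc-ORG-CA.cer, in its own trustpoint.
crypto ca trustpoint PROC-ORG-CA
 enrollment terminal
crypto ca authenticate PROC-ORG-CA
!
! Step 3: identity certificate + private key. Bundle them off-box as PKCS#12 first.
! Assumed: the .cer files are PEM; if one is DER, convert it with
!   openssl x509 -inform der -in ASA-CERT.cer -out ASA-CERT.pem
! then:
!   openssl pkcs12 -export -in ASA-CERT.cer -inkey ASA-Priv.key \
!       -certfile Proc-ORG-CA.cer -out asa-id.p12
!   openssl base64 -in asa-id.p12 -out asa-id.p12.b64
! Paste asa-id.p12.b64 at the import prompt; the trustpoint is created by the import.
crypto ca import ASA-ID pkcs12 <EXPORT-PASSPHRASE-PLACEHOLDER>
!
! Step 4: present the identity certificate to AnyConnect/SSL clients on outside.
ssl trust-point ASA-ID outside
!
! Check: each certificate's issuer must be the level above it
! (ASA-ID issued by Proc-ORG-CA, Proc-ORG-CA issued by root-ORG-CA).
show crypto ca certificates
```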

  • Unable to connect to other remote access (ASA) VPN clients

    Hello

    I have a Cisco ASA 5510 appliance configured for remote-access VPN.

    I can connect to all hosts on the INSIDE and DMZ networks, but I am not able to access other clients connected to the same VPN.

    For example, if I have 2 clients connected to the VPN, ClientA and ClientB, with VPN pool IP addresses 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.

    Any help is welcome.

    Thanks in advance.

    Hello

    I'm a little rusty on the old NAT format, but what I would personally try is to configure NAT0 on the 'outside' interface.

    It seems to me that you currently have dynamic PAT configured for the VPN users, if you have this:

    nat (outside) 1 10.40.170.0 255.255.255.0

    Your traffic is probably matching it.

    The only thing I can think of at the moment would be to configure

    access-list VPN-CLIENT-NAT0 remark NAT0 for traffic between VPN clients

    access-list VPN-CLIENT-NAT0 extended permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0

    nat (outside) 0 access-list VPN-CLIENT-NAT0

    I don't know if it works. I have not really had to configure this on any ASAs running the older software. There have been some similar questions here on the forums for the new format.

    -Jouni
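As an added example (not part of the answer above), the full set of settings that client-to-client traffic through the VPN pool needs on the ASA, with the pre-8.3 NAT form the answer uses beside the 8.3-and-later form it mentions. The pool 10.40.170.0/24 and the client addresses come from the question; the names SPLIT-TUNNEL and VPN-POOL and the interface name outside are assumptions.

```text
! Common to both NAT formats: the traffic enters on "outside" (ClientA's tunnel) and
! leaves on "outside" (ClientB's tunnel), which the ASA drops unless hairpinning is permitted.
same-security-traffic permit intra-interface
!
! If split tunneling is in use, the pool itself must be in the split-tunnel list,
! otherwise the client never sends pool-to-pool traffic into the tunnel at all.
access-list SPLIT-TUNNEL standard permit 10.40.170.0 255.255.255.0
!
! ---- Pre-8.3 syntax (the format used in the answer above): NAT exemption ----
access-list VPN-CLIENT-NAT0 remark NAT0 for traffic between VPN clients
access-list VPN-CLIENT-NAT0 extended permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0
nat (outside) 0 access-list VPN-CLIENT-NAT0
!
! ---- 8.3 and later syntax: identity twice NAT so pool-to-pool traffic is not PATed ----
object network VPN-POOL
 subnet 10.40.170.0 255.255.255.0
nat (outside,outside) source static VPN-POOL VPN-POOL
!
! Checks: the hairpin permit must be present, and the pool-to-pool rule must be
! matched before any dynamic PAT rule that covers the pool.
show running-config same-security-traffic
show nat detail
```

If the clients still cannot reach each other after this, the remaining suspects are host firewalls on the client PCs and the VPN filter ACL, if one is applied to the group policy.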

  • Can I run an ASA VPN dedicated?

    I currently have a 5525 ASA that I use as a general-purpose firewall.  This includes mainly NATed web browsing and some static address translations for servers such as mail and so on.  I realize that it is only a year old and running well, and I am reluctant to change the config and add features to it.  I have a new 5525 to be used as a replacement, but also for AnyConnect VPN.  I have several unused public IPs from my ISP, and there is a switch between the provider's router and my current ASA.  Could I just let the current firewall do its work and put the new one in place using different IP addresses on the inside and the outside, connecting it to the switch between the router and my main ASA?  This way we could tweak the VPN without endangering the company's main production work.

    Thanks in advance for your help

    Hi Brad,

    Yes you can do it.

    It should work fine, as the new ASA would serve as the AnyConnect endpoint, which seems fine, and the old ASA would still handle the NATing and static translations for your internal servers.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.
