ASA/VPN tips
We currently have dual ASA 5510s in a c/o config on our main campus.
We would like to create a VPN tunnel to a branch campus. Trying to decide between an ASA 5505/5510/5512.
We would like to extend many functions of our network to the branch campus, which will have a 50 MB/10 MB internet connection and 20-50 users:
Connect to the domain
Workstation System Center management
Cisco WCS
ShoreTel voip
(Cisco NAC?)
Several different VLANs for student traffic, staff traffic, VoIP, wireless traffic, etc.
Which would be the best box, and should we get the Security Plus license with it?
Any tips there are very welcome. We probably don't plan to do a/s there at the moment.
Thank you very much.
Hey,
It seems to me, from the perspective of bandwidth and users, that you would be fine with any of these models.
When it comes to the amount of VLANs, the ASA5505 would require the Security Plus license to be able to accommodate more than 2 VLANs (the Base license supports 2 VLANs + 1 limited DMZ VLAN).
Regarding failover, to my knowledge you need Security Plus whatever model you have chosen.
I'd probably go with the model of ASA5512-X since
- Performance/throughput higher than other models
- If you trunk VLANs to the ASA and let the ASA act as the gateway for the VLANs, then you will need a throughput on the ASA that the original ASA5500 series models really do not provide
- New hardware
- The original ASA5500 series models are end of life. But I must say that Cisco has always kept the ASA5505 without EOL/EOS, since it has apparently been really popular, which is quite natural as it is the least expensive model.
- Support for new services with the same box if you wish it someday
- ASA CX
- IPS
To my knowledge, with your current needs you wouldn't need the Security Plus license on the ASA5512-X, as you do not want failover, security contexts (virtualization of the ASA), or the additional amount of supported connections or VLANs.
Take a look at these pages for more information about the licenses of both the ASA5500 and ASA5500-X series:
ASA5500 series
http://www.Cisco.com/en/us/docs/security/ASA/asa82/license/license82.html#wp115318
ASA5500-X series
Also, here are the specifications for both series:
ASA5500 series
ASA5500-X series
http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.PDF
Hope this helps
-Jouni
Tags: Cisco Security
Similar Questions
-
Hello people!
I still have the problem with VPN... Laughing out loud
I have to create a new site-to-site VPN between an ASA 5510 (8.42 IOS) and a Fortigate, but something is very strange: the VPN doesn't come up, and in debug crypto ikev1 10 I see the following log:
[IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
But if I ask the other peer to change to Group 2, the message on the ASA is:
[IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
On the Fortigate it is possible to enable both DH groups 1 and 2 on the VPN, so I asked the other peer to leave it that way, and the ASA shows:
[IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
[IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
The show isakmp sa:
9   IKE Peer: 179.124.32.181
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
I have deleted and created the VPN 3 times and the same error occurs.
Has anyone seen this kind of problem?
Are you using Fortigate version 5 by chance?
I have seen Cisco ASA VPN problems repeatedly with this Fortigate code, but above all it has been a phase 2 problem, and setting the lifetime in KB to the maximum on the ASA side has solved it... However, this seems not to be your problem here.
The first thing I see in your config is that you have PFS enabled - have you ensured it is enabled on the Fortinet side, or tried turning it off on the Cisco side to see what happens?
Being stuck at MM_WAIT_MSG3 means that you sent your policy back, but then you did not receive the third packet in the ISAKMP exchange, so either the Fortigate is unhappy with something or there's a routing problem (however unlikely, given that you have already had communication).
Try on the ASA side:
debug crypto isakmp 7
Can you also confirm your external interface is 'outside1'? You can see this with "show ip".
-
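The mismatch messages and the MM_WAIT_MSG3 state discussed in the Fortigate thread above, worked through as an added triage script (not code from the thread or from Cisco): it parses constructed "debug crypto ikev1" and "show isakmp sa" lines, maps the main-mode wait state to which message never arrived, and flags attribute classes that the ASA rejected in both directions (Group 1 against Group 2 and Group 2 against Group 1), which means none of its configured policies matches the peer's proposal on every attribute at once. The sample lines are constructed; the MM_* hints are standard ASA main-mode semantics.

```python
import re
from collections import defaultdict

# Constructed sample output, modelled on the messages quoted in the thread above
# (not a real capture). Format follows ASA "debug crypto ikev1" and "show isakmp sa".
SAMPLE_DEBUG = """\
[IKEv1]: IP = 179.124.32.181, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 164
[IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
[IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
[IKEv1]: Phase 1 failure: Mismatched attribute types for class Encryption Algorithm: Rcv'd: 3DES-CBC Cfg'd: AES-CBC
[IKEv1]: IP = 179.124.32.181, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
"""

SAMPLE_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 179.124.32.181
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

MISMATCH_RE = re.compile(
    r"Phase 1 failure: Mismatched attribute types for class (?P<cls>.+?): "
    r"Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+?)\s*$"
)
PEER_RE = re.compile(r"IKE Peer:\s*(?P<peer>\S+)")
STATE_RE = re.compile(r"State\s*:\s*(?P<state>(?:MM|AM|QM)_\w+)")

# What each main-mode wait state means (standard ASA IKEv1 semantics): the state names
# the message this side is waiting for, so it tells you which exchange never arrived.
MM_STATE_HINTS = {
    "MM_WAIT_MSG2": "initiator sent MSG1 (SA proposal); no reply from the peer: "
                    "reachability, UDP/500 filtered, or the peer has no matching policy",
    "MM_WAIT_MSG3": "responder answered with its chosen policy (MSG2) but never received "
                    "MSG3 (KE/nonce): the peer did not accept our reply or the path drops it",
    "MM_WAIT_MSG4": "initiator sent KE/nonce (MSG3); waiting for the peer's KE/nonce",
    "MM_WAIT_MSG5": "responder sent KE/nonce (MSG4); waiting for the peer's ID/auth: "
                    "check pre-shared key and identity settings",
    "MM_WAIT_MSG6": "initiator sent ID/auth (MSG5); waiting for the peer's ID/auth: "
                    "usually a pre-shared key or identity mismatch",
    "MM_ACTIVE": "phase 1 complete; look at phase 2 (transform sets, PFS, proxy IDs)",
}


def parse_mismatches(debug_text):
    """Return (attribute class, received, configured) for every mismatch line."""
    found = []
    for line in debug_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found.append((m["cls"], m["rcvd"], m["cfgd"]))
    return found


def parse_sa_state(sa_text):
    """Return (peer, state) from 'show isakmp sa' output, or (None, None)."""
    peer = state = None
    for line in sa_text.splitlines():
        pm = PEER_RE.search(line)
        if pm:
            peer = pm["peer"]
        sm = STATE_RE.search(line)
        if sm:
            state = sm["state"]
    return peer, state


def flip_flop_classes(mismatches):
    """Attribute classes rejected in both directions (Rcv'd A/Cfg'd B and Rcv'd B/Cfg'd A).

    The ASA logs one mismatch line per configured policy it compares against the
    peer's proposal, so seeing both directions for one class means every local
    policy that agreed on this attribute failed on another one: no single policy
    matches the whole proposal, which is consistent with the symptom in the thread.
    """
    pairs = defaultdict(set)
    for cls, rcvd, cfgd in mismatches:
        pairs[cls].add((rcvd, cfgd))
    return sorted(cls for cls, seen in pairs.items()
                  if any((b, a) in seen for a, b in seen if a != b))


def triage(debug_text, sa_text):
    """Summarise a stuck IKEv1 phase 1 from debug output and the SA table."""
    mismatches = parse_mismatches(debug_text)
    peer, state = parse_sa_state(sa_text)
    return {
        "peer": peer,
        "state": state,
        "state_hint": MM_STATE_HINTS.get(state, "unrecognised state; gather more debug"),
        "mismatches": mismatches,
        "flip_flop": flip_flop_classes(mismatches),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG, SAMPLE_SA)
    print(f"peer {report['peer']} stuck in {report['state']}: {report['state_hint']}")
    for cls, rcvd, cfgd in report["mismatches"]:
        print(f"  {cls}: peer offered {rcvd}, local policy wants {cfgd}")
    for cls in report["flip_flop"]:
        print(f"  {cls} rejected both ways: no single local policy matches the proposal")
```
-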
ASA VPN - allow user based on LDAP Group
Hello friends
I have to create a configuration to allow connections based on LDAP group.
I'm not specialised in firewalls, and I tried to follow the links below, but both seem old and several commands are not available.
http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Anyone know how I can do?
Thank you
Marcio
I like to use DAP (dynamic access policies) to control this. Follow this guide:
https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide
-
Assign the static IP address by ISE, ASA VPN clients
We will integrate the remote access ASA VPN service with a new ISE 1.2.
Authentication is performed against Active Directory. After authentication, can an IP address be assigned to a specific VPN user by ISE?
This means that the same VPN user would always get the same IP address. Thank you.
Daniel,
You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.
However if I may make a suggestion:
Unless you have only a handful of users to do so for, it may be more appropriate to assign the address from an ISE pool or to perform the LDAP attribute mapping on the ASA itself.
In the latter case, the IP addresses are kept on the server as LDAP attributes and the ASA will map the IP address. You don't want to keep an IP address DB in several places.
M.
-
Device behind a Firewall other, ASA VPN
I have a client who wants to put their VPN ASA behind the main ASA connected to the Internet. Both devices have an inside leg to the internal network, but the VPN ASA connects to the Internet through the main ASA.
Topology:
Outside FW: Internet > ASA/FW > DMZ leg to ASA/VPN
VPN ASA: outside L3 interface on the DMZ interface of the ASA/FW
On the outside FW I have a NAT from a public IP address to the external address of the VPN ASA, and I have a rule that allows all IP from outside to the private outside IP of the VPN ASA. Inside = 192.168.254.1, outside = public IP address.
Configured on the VPN ASA: standard ASA SSL remote access.
When I hit the NAT public IP address, nothing happens. I've run packet-tracer on the outside FW, and everything seems good.
Does anyone have a sample plan/config for a similar topology? Internet > ASA/FW > dmz-leg > ASA/VPN
Thanks in advance,
Bob
Can you share your NAT and routing configuration of these two ASAs?
-
ASDM conc (ASA) VPN access
I have a scenario like this:
an ASA, which is the FW, doing static NAT from a public to a private IP address, and the private IP address is on the VPN conc. (another ASA). I am accessing these devices via the VPN client and I get an IP address from the VPN pool set on the VPN conc. The VPN conc. is in a DMZ VLAN, but it also has a connection to the local network segment. For management purposes, I connect to this VPN conc. through SSH via a switch in the local network segment. To use HTTP access, I have to be on one of the servers that are in the local network segment. So, when I set up the VPN connection to the VPN conc., what can I do to access HTTP directly from my PC?
Set this up on the VPN conc:
management-access inside
After that you should be able to use ASDM over the VPN tunnel by connecting to its inside IP address.
hth
Herbert
(note, I assume the name of the interface connected to the LAN is "inside"; if not, adapt at will)
-
ASA VPN positive = SSL VPN?
Hello
I have an FO pair; I need to replace an ASA5520 that has a VPN Plus license (750).
Can I use an ASA5520 with ASA5500-SSL-750 instead?
Regards, Tony
Yes, it is still available to order. Part number: ASA5520-VPN-PL=
In addition, this ASA VPN Plus would be much, much cheaper than the SSL VPN license.
Thank you
Kiran
-
So, I am looking to add one of my spare 5510 firewalls to my secondary network as a VPN connection.
All I want this new ASA to do is handle my site's AnyConnect VPN connections. I'm pretty new to ASAs, so any help would be great. I know how to create a new remote access VPN on my ASA, and I added a NAT for my inside and outside traffic to my new VPN IP pool.
My question is, since it's only for VPN and I want all my current internal traffic to continue routing through the existing ASA 5510, do I have to enter ACLs on my new VPN-only ASA? Are ACLs used for VPN traffic, and do I need them to route traffic via the VPN?
I'll set up the inside interface connecting to one of my main Cisco switches and the outside interface connecting to my DMZ switch on the new VPN-only ASA.
Thank you
I'm not sure I follow how you connect the external interface of the VPN-only ASA. Normally, in this type of installation, we would see the VPN ASA "in parallel" with the perimeter firewall.
You mention the DMZ switch, which threw me a little. If you are coming in through your main firewall and going to the VPN-only ASA via the DMZ, then yes, you will need to allow several open ports (protocol 50, udp/500, tcp/443 among others) and may have to use some other techniques (NAT-T, etc.) depending on the type of remote access you are implementing. That's why we rarely see this configuration used - it adds a good dose of complexity without significant benefit.
When the former setup is used, you need your internal switch to know to route traffic to the VPN pool through the VPN-only ASA's inside interface. A static route is most often used, although you can use OSPF or EIGRP if you wanted to.
There should generally not be any access list for VPN traffic beyond the incoming interface access lists. Return traffic to remote clients is coming from inside and going out (and is usually part of an established connection), so no access list is necessary inside.
-
ASA VPN on physical IP address only?
Hello
Is it possible to set up a dedicated virtual IP address for the VPN endpoint on ASA version 8.3 and later?
I don't want to use the physical IP address on my external interface.
Thank you
No problem. Please kindly mark this post as answered so that others may learn from it. Thank you.
-
ASA Vpn load balancing and failover
Hi all.
We have two ASA5520s configured as primary and standby unit in a failover configuration, and everything works fine.
Is it possible, with this configuration (failover), to configure VPN load balancing/clustering?
Thank you
Daniele
Hi Daniele,
You cannot run both the VPN load balancing feature and the failover feature on two ASA firewalls.
Where you need to use both features, you must use more than three ASA firewalls: the first two ASAs will work as a failover pair and a third ASA will work as the VPN cluster with them. The following example uses four firewalls:
ASA1 (FO active) - ASA2 (FO standby)
        (VPN virtual master)
                |
                |
                |
                |
        (VPN backup device)
ASA3 (FO active) - ASA4 (FO standby)
Kind regards
Wajih
-
Hi and thanks for reading.
I'm trying to configure IPsec VPN on the ASA. The initial phase was successful - I applied the certificate, AnyConnect images, etc., and can thus connect to the gateway. The problem I face is that I cannot reach any of the internal VLANs, nor can I get outside... Any tips are appreciated, as I am running out of ideas.
The ASA configuration is as follows:
ASA Version 9.1(2)
!
hostname ASA
enable password * encrypted
names
ip local pool VPN_POOL 10.194.0.10-10.194.0.100 mask 255.255.254.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.44.120.22 255.255.255.248 standby 123.44.120.21
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.90
 vlan 90
 nameif bn_management
 security-level 100
 ip address 10.192.0.1 255.255.255.0 standby 10.192.0.2
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif main
 security-level 60
 ip address 123.45.139.254 255.255.252.0 standby 123.45.139.253
!
interface GigabitEthernet0/1.110
 vlan 110
 nameif vpn
 security-level 60
 ip address 10.194.0.1 255.255.254.0 standby 10.194.0.2
!
interface GigabitEthernet0/1.120
 vlan 120
 nameif v120
 security-level 70
 ip address 10.194.2.1 255.255.254.0 standby 10.194.2.2
!
interface GigabitEthernet0/1.130
 vlan 130
 nameif v130
 security-level 70
 ip address 10.194.4.1 255.255.254.0 standby 10.194.4.2
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif v200
 security-level 40
 ip address 10.196.0.1 255.255.252.0 standby 10.196.0.2
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 description Failover LAN Interface
!
interface Management0/0
 management-only
 nameif management
 security-level 95
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network management_private
 subnet 10.192.0.0 255.255.255.0
object network v200_public
 host 123.44.120.19
object network v200_private
 subnet 10.196.0.0 255.255.252.0
object network management_services_public
 host 123.44.120.20
object service WWW_PORTS
 service tcp destination eq https
object network v120_private
 subnet 10.194.2.0 255.255.254.0
object network v130_private
 subnet 10.194.4.0 255.255.254.0
object network vpn_pool
 subnet 10.194.0.0 255.255.254.0
object network vpn_public
 host 123.44.120.18
: the names WEB_SERVERS, SUPER_USERS, NetFlow_Traffic and OUTSIDE_IN below are reconstructed
: from the garbled post; the outside access-list name in particular is not recoverable.
object-group network WEB_SERVERS
 network-object host 123.45.136.200
 network-object host 123.45.136.202
object-group network UW_SOURCE
 network-object host 109.74.242.9
 network-object host 109.74.242.11
object-group network UW_DESTINATION
 network-object host 123.45.139.208
object-group network DOMAIN_CONTROLLER
 network-object host 123.45.139.205
object-group service VPN_PORTS tcp-udp
 port-object eq 1701
 port-object eq 1723
 port-object eq 500
 port-object eq 443
 port-object eq 50
 port-object eq 4500
 port-object eq 47
object-group network INTERNAL_SUBNETS
 description object-group for internal subnets
 network-object 10.192.0.0 255.255.255.0
 network-object 10.196.0.0 255.255.252.0
 network-object 10.194.2.0 255.255.254.0
 network-object 10.194.4.0 255.255.254.0
object-group network SUPER_USERS
 network-object host 123.45.136.76
 network-object host 123.45.136.80
object-group network v120_VLAN
 network-object 10.194.2.0 255.255.254.0
object-group network v120_SOURCES
 network-object host 123.45.136.24
object-group network v130_VLAN
 network-object 10.194.4.0 255.255.254.0
object-group network v130_SOURCES
 network-object host 123.45.136.76
 network-object host 123.45.139.125
 network-object host 123.45.136.129
 network-object host 123.45.136.83
 network-object host 123.45.136.10
access-list MAIN_IN extended permit icmp object-group SUPER_USERS object-group INTERNAL_SUBNETS
access-list MAIN_IN extended permit ip object-group SUPER_USERS object-group INTERNAL_SUBNETS
access-list MAIN_IN extended permit ip object-group v130_SOURCES object-group v130_VLAN
access-list MAIN_IN extended permit ip object-group v120_SOURCES object-group v120_VLAN
access-list MAIN_IN extended deny ip any object-group INTERNAL_SUBNETS
access-list MAIN_IN extended permit ip any any
access-list v200_IN remark v200 TRAFFIC
access-list v200_IN extended permit icmp any any
access-list v200_IN extended permit tcp any object-group WEB_SERVERS eq www
access-list v200_IN extended permit tcp any object-group WEB_SERVERS eq https
access-list v200_IN extended permit ip any any
access-list NETFLOW_HOSTS extended permit ip any any
access-list OUTSIDE_IN remark ALLOWED INCOMING TRAFFIC
access-list OUTSIDE_IN extended permit icmp any object-group WEB_SERVERS
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq www
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq https
access-list OUTSIDE_IN extended permit tcp any object-group DOMAIN_CONTROLLER object-group VPN_PORTS
access-list OUTSIDE_IN extended permit udp any object-group DOMAIN_CONTROLLER object-group VPN_PORTS
access-list OUTSIDE_IN extended permit tcp object-group UW_SOURCE object-group UW_DESTINATION eq 5000
access-list OUTSIDE_IN extended permit udp object-group UW_SOURCE object-group UW_DESTINATION eq 5000
access-list v130_IN extended permit ip any any
access-list v120_IN extended permit ip any any
access-list VPN_IN remark authorized vpn traffic
access-list VPN_IN extended permit ip any interface outside
access-list VPN_IN extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging console informational
logging asdm informational
logging queue 0
logging host main 123.45.136.30
logging trap debugging
logging message 313001 level debugging
logging message 713130 level informational
logging message 713257 level informational
logging message 713228 level notifications
logging message 713184 level notifications
flow-export destination main 123.45.136.30 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu outside 1500
mtu bn_management 1500
mtu main 1500
mtu vpn 1500
mtu v120 1500
mtu v130 1500
mtu v200 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface FAILOVER_LINK GigabitEthernet0/7
failover interface ip FAILOVER_LINK 172.16.0.1 255.255.255.0 standby 172.16.0.2
monitor-interface bn_management
monitor-interface main
monitor-interface vpn
monitor-interface v120
monitor-interface v130
monitor-interface v200
icmp unreachable rate-limit 1 burst-size 1
icmp permit any vpn
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (bn_management,outside) source dynamic management_private management_services_public
nat (v200,outside) source dynamic v200_private v200_public
nat (v120,outside) source dynamic v120_private management_services_public
nat (v130,outside) source dynamic v130_private management_services_public
nat (vpn,outside) source dynamic vpn_pool vpn_public
access-group OUTSIDE_IN in interface outside
access-group MAIN_IN in interface main
access-group VPN_IN in interface vpn
access-group v120_IN in interface v120
access-group v130_IN in interface v130
access-group v200_IN in interface v200
route outside 0.0.0.0 0.0.0.0 123.44.120.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask enable default svc
aaa-server BN_AAA protocol ldap
aaa-server BN_AAA (main) host 123.45.139.201
 timeout 5
 server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.192.0.0 255.255.255.0 bn_management
snmp-server host main 123.45.136.30 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint TRENDMICRO
 enrollment terminal
 fqdn vpn.asa-gw.co
 subject-name CN=vpn.asa-gw.co,OU=,O=some,L=some,ST=some,C=GB
 keypair VPN_SERVICE
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 subject-name CN=10.192.0.1,CN=ASA
 crl configure
crypto ca trustpool policy
crypto ca certificate chain TRENDMICRO
 certificate 34cc4cb00ae501b8
    308204cd...
  quit
 certificate ca 5b469990ec759d34
    30820478...
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 272b67229745d2438bf9774186aebd
    3082069c...
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate ca 00bb401c43f55e4fb0
    308205ba...
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 590c2254
    308202ea...
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint TRENDMICRO
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 123.45.138.202 255.255.255.255 bn_management
ssh 10.192.0.0 255.255.255.0 bn_management
ssh 123.45.136.0 255.255.252.0 main
ssh 123.45.138.202 255.255.255.255 main
ssh 123.45.138.202 255.255.255.255 management
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access bn_management
dhcpd dns 123.45.1.180 123.44.2.1
!
dhcpd address 10.192.0.200-10.192.0.230 bn_management
dhcpd enable bn_management
!
dhcpd address 10.194.3.200-10.194.3.230 v120
dhcpd enable v120
!
dhcpd address 10.196.0.32-10.196.1.31 v200
!
dhcpd address 192.168.1.3-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 123.45.1.160
ntp server 123.44.2.160
ntp server 123.45.1.164
ntp server 123.44.2.164
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 bn_management vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 bn_management
ssl trust-point TRENDMICRO outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05182-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05182-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.05182-k9.pkg 3
 anyconnect profiles BN_VPN_client_profile disk0:/BN_VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_BN_VPN internal
group-policy GroupPolicy_BN_VPN attributes
 wins-server none
 dns-server value 123.45.1.1 123.44.2.1
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 default-domain value asa-gw.co
 webvpn
  anyconnect profiles value BN_VPN_client_profile type user
username admin password EoGC0ChIqyj0NIb5 encrypted privilege 15
username rzachlod password LnL.KcibQZ1OMF/d encrypted
tunnel-group BN_VPN type remote-access
tunnel-group BN_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy GroupPolicy_BN_VPN
tunnel-group BN_VPN webvpn-attributes
 group-alias BN_VPN enable
!
class-map CX
 match any
class-map inspection_default
 match default-inspection-traffic
class-map NetFlow_Traffic
 match access-list NETFLOW_HOSTS
class-map ips
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
 class NetFlow_Traffic
  flow-export event-type flow-create destination 123.45.136.30
  flow-export event-type all destination 123.45.136.30
 class CX
  cxsc fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6be83997815380c8523971f8e7925de8
: end
The mention of VPN in the ACL refers to L2TP running on a Windows Server - I intend to replace this existing solution with IPsec on the ASA.
The "Route Details" on AnyConnect only show the route 0.0.0.0/0. After connecting to the ASA, I essentially end up in a black hole. I think the problem is with NAT, but after trying to sort it out, I'm still stuck...
My plan is to get the VPN to work in the first instance and later create a super users group which allows access to the management VLAN etc. I hope it's something trivial that I forgot, as I have set up VPN on ASAs in the past and did not run into problems :/
As always, tips are greatly appreciated!
You can use an IP address for this traffic if you wish. And you can combine the NAT statements into a single statement. The config might look like this:
object network PAT-OUTSIDE
 host a.b.c.23
nat (any,outside) after-auto source dynamic any PAT-OUTSIDE
-
Hello
I want to deploy AnyConnect RA IPsec VPN on the ASA with users that can connect using smart cards. So I need to install digital certificates on the ASA.
I got the following 4 things from my contact (who is on holiday, so I have to find out via this portal exactly what I need to do with them):
1. root-ORG-CA.cer - Root CA from our own CA, .cer format
2. Proc-ORG-CA.cer - he says that it is "issued by: root-ORG-CA". I don't know what exactly this certificate is. Again the extension is .cer.
3. ASA-CERT.cer - here, he says that it is "issued by: Proc-ORG-CA". From the name I guess that this is the identity certificate I should install on the ASA. Again the extension is .cer.
4. ASA-Priv.key - it is the private key in a .key file; I can read it in Notepad.
Now, as far as my knowledge goes, I think I have to install root-ORG-CA.cer on the ASA. Then I need some kind of installation of the private key + identity certificate, either individually or combined. But I am confused about how to proceed:
(a) what could Proc-ORG-CA.cer be?
(b) what is the exact order in which I should install things?
(c) which is most convenient for these things: ASDM, or pasting the content in the CLI?
(d) which file extensions do I need for each file? Do I need to convert the certificates to other formats?
Thanks in advance!
Hello
Here are answers to your questions:
a. Proc-ORG-CA.cer seems to be the intermediate CA that signs the certificate; it has been authorized by your root certification authority to do so.
b. You must first import the root CA, then the intermediate CA, and finally the ASA certificate.
c. You can do both using ASDM and the CLI. However, I personally prefer the CLI.
d. PEM is fine for the intermediate and root. For the ASA, if you have the cert and a private key, you must convert them to PKCS12 format.
Hope this is clear.
Thank you
PS: Please do not forget to rate and score as correct answer if this answered your question
-
Unable to connect to other remote access (ASA) VPN clients
Hello
I have a cisco ASA 5510 appliance configured with remote VPN access
I can connect to all hosts on the INSIDE and DMZ networks, but I'm not able to access other clients connected to the same VPN.
For example, if I have 2 clients connected to the VPN, ClientA and ClientB, with VPN pool IP addresses 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.
Any help is welcome.
Thanks in advance.
Hello
I'm a little rusty on the old NAT format, but what I would personally try is to configure NAT0 on the 'outside' interface.
It seems to me that you currently have dynamic PAT configured for the VPN users; you have this:
nat (outside) 1 10.40.170.0 255.255.255.0
so your traffic is probably matching it.
The only thing I can think of at the moment would be to configure
access-list VPN-CLIENT-NAT0 remark NAT0 for traffic between VPN Clients
access-list VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0
nat (outside) 0 access-list VPN-CLIENT-NAT0
I don't know if it works. I have not really had to configure it on any ASAs running older software. There were some similar questions here on the forums for the new format.
-Jouni
-
Can I run an ASA VPN dedicated?
I currently have a 5525 ASA that I use for general firewall purposes. This includes mainly NATed surfing and some static address translations for some servers such as mail and so on. I realise that it is only a year old, is running well, and I am reluctant to change the config and add features to it. I have a new 5525 to be used as a replacement, but also for AnyConnect VPN. I have several unused public IPs from my ISP, and there is a switch between the provider's router and my current ASA. Could I just let the current firewall do its work and put the new one in place using a different IP address on the inside and the outside, connecting it to the switch between the router and my main ASA? This way we could tweak the VPN without endangering the company's main production.
Thanks in advance for your help
Hi Brad,
Yes you can do it.
It should work fine, as the new ASA would serve as the AnyConnect endpoint, which seems fine, and the old ASA would still serve the NATting and static translations for your internal servers.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Hello
I have a question concerning VPN: is it possible to configure both IPsec site-to-site VPN and remote access VPN on the same ASA, working at the same time, and does it require one or two different public IP addresses?
I have cisco ASA 5540 - version 9.1
Best regards
Hello
Yes, you can with a single public IP address. You need to enable the same-security-traffic permit intra-interface feature to allow a VPN client to access the site-to-site VPN, if you need that.
Take a look at the Cisco documentation;
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you
PS: Please do not forget to rate and score as good response if this solves your problem