ASA5505 AD authentication

Hello

I'm trying to get the domain users to authenticate to my network via Active Directory, but I can't get this working. Local user accounts on the ASA work properly.

I have a tunnel group with a group policy, but I'm struggling to get it to talk to AD.

This is the configuration I have for it:

aaa-server RADIUS protocol radius
 reactivation-mode timed
aaa-server RADIUS (inside) host winserver
 key *****
 radius-common-pw *****
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside

group-policy RemoteAccessVPN internal
group-policy RemoteAccessVPN attributes
 wins-server value 192.168.16.1
 dns-server value 192.168.16.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccessVPN-splitTunnelACL
 default-domain value AMCs.local
 address-pools value asaVPNPool

tunnel-group DefaultRAGroup general-attributes
 address-pool asaVPNPool
 authentication-server-group RADIUS LOCAL
 authorization-server-group RADIUS
 accounting-server-group RADIUS
 default-group-policy RemoteAccessVPN
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****

Do you use the RADIUS protocol to communicate with your AD? Do you use an IAS server on your AD for authentication, or do you want to authenticate natively via AD?

If you use native AD, then I suggest you use aaa-server with the LDAP protocol.

Here is an example configuration for LDAP AD authentication:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml

However, if you are using RADIUS authentication with the IAS server on your AD, then you can check whether the IAS server has any policy that could block authentication from the ASA.

I also notice that you have authorization and accounting configured. Do you use these two? If not, you can remove the following lines:

authorization-server-group RADIUS
accounting-server-group RADIUS

Finally, I also noticed that you have not set which remote-access VPN protocol you actually use, so it has not been activated. You need to configure "vpn-tunnel-protocol" under the group policy "RemoteAccessVPN". You must enable "ipsec" or "svc", or both if you plan to use both.
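To make concrete what the reply is probing for (an IAS policy or a shared-key problem on the RADIUS side, and why "authentication-server-group RADIUS LOCAL" falls through to LOCAL), here is an added Python model of the RFC 2865 PAP exchange between a NAS such as the ASA and a RADIUS server; it is not Cisco or Microsoft code. The shared secret, user name and password are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed sample values (not from the thread): a shared secret, a user table
# standing in for the IAS/AD side, and one VPN user's credentials.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {b"alice": b"correct horse battery"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to a 16-byte multiple, then XOR each
    chunk with MD5(secret + previous chunk); the first chunk uses the Request
    Authenticator. It is keyed obfuscation, not encryption: a wrong secret on
    either side turns the password into garbage."""
    pad = (-len(password)) % 16
    padded = (password + b"\x00" * pad) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as run on the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        code, length = struct.unpack("!BB", data[i:i + 2])
        attrs[code] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(user: bytes, password: bytes, secret: bytes, ident: int = 1) -> bytes:
    """What the NAS (the ASA) sends: Code 1, a random 16-byte Request
    Authenticator, then User-Name and the hidden User-Password."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def radius_server(request: bytes, secret: bytes) -> bytes:
    """Stand-in for IAS: reveal the password with its own copy of the secret, check
    the user table, and sign the reply with the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = USER_DB.get(attrs[ATTR_USER_NAME]) == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_verify(request: bytes, reply: bytes, secret: bytes) -> str:
    """What the ASA does with the reply: recompute the Response Authenticator with
    its own secret. On mismatch the reply is silently discarded, so the server
    looks dead (timeouts); that is the failure which triggers the LOCAL fallback
    of 'authentication-server-group RADIUS LOCAL', not a clean reject."""
    req_auth = request[4:20]
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if reply[4:20] != expected:
        return "dropped (Response Authenticator mismatch: check the shared key)"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


def authenticate(user: bytes, password: bytes, nas_secret: bytes, server_secret: bytes) -> str:
    """Run one exchange; nas_secret and server_secret differ when the 'key' on the
    ASA's aaa-server host entry and the client entry in IAS disagree."""
    request = access_request(user, password, nas_secret)
    return nas_verify(request, radius_server(request, server_secret), nas_secret)
```

A wrong password yields a clean Access-Reject, whereas a shared-key mismatch yields a discarded reply and a timeout, which is the case the ASA treats as "server failed".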

Tags: Cisco Security

Similar Questions

  • Try to set up authentication RADIUS on ASA5505 8.3

    I set up my firewall with local authentication for a regular remote-access VPN, but I need to change it to authenticate against the server. The server is configured and ready to go, but I want to make sure that the firewall will be too.

    Here is my config:

    ASA# sh run
    : Saved
    :
    ASA Version 8.3(1)
    !
    hostname ASA
    domain-name mydomain.local
    enable password GmSL9emLLUC2J7jz encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group pppoe_group
     ip address pppoe setroute
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
     domain-name mydomain.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network obj-vpnPool
     subnet 192.168.101.0 255.255.255.0
    object network SERVER01
     host 192.168.*.*
    object network obj-internal-192.168.1.0
     subnet 192.168.1.0 255.255.255.0
    object network SERVER02
     host 192.168.*.*
    object network SERVER03
     host 192.168.*.*
    object network obj-OutsideIP
     host 74.164.148.6
    access-list splittunnel standard permit 192.168.1.0 255.255.255.0
    access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
    access-list outside_in extended permit tcp any host 192.168.*.* eq www
    access-list outside_in extended permit tcp any host 192.168.*.* eq https
    access-list outside_in extended permit tcp any host 192.168.*.* eq smtp
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.101.50-192.168.101.100
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static obj-internal-192.168.1.0 obj-internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network SERVER01
     nat (inside,outside) static interface service tcp smtp smtp
    object network SERVER02
     nat (inside,outside) static interface service tcp www www
    object network SERVER03
     nat (inside,outside) static interface service tcp https https
    access-group outside_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
    crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
    crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
    crypto dynamic-map RA-VPN 1 set reverse-route
    crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
    crypto map RA-VPN interface outside
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 10
    crypto isakmp ipsec-over-tcp port 1000
    telnet 0.0.0.0 0.0.0.0 inside
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname [email protected]
    vpdn group pppoe_group ppp authentication pap
    vpdn username [email protected] password *****
    dhcpd dns 192.168.*.* 4.2.2.2
    dhcpd lease 8400
    dhcpd ping_timeout 750
    dhcpd domain mydomain.local
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd enable inside
    !
    priority-queue inside
    priority-queue outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy examplevpn internal
    group-policy examplevpn attributes
     dns-server value 192.168.*.* 4.2.2.2
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value splittunnel
     default-domain value mydomain.local
    username vicky password 9fO.vlLc77pAFoHp encrypted privilege 15
    username otherusers password hhckff6QokyoRdar encrypted privilege 10
    username examplevpn password IKg0RMHfprF6Ya3u encrypted
    username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
    username admin attributes
     vpn-group-policy examplevpn
    tunnel-group RA-VPN type remote-access
    tunnel-group examplevpn type remote-access
    tunnel-group examplevpn general-attributes
     address-pool vpnpool
     authorization-server-group (outside) LOCAL
     default-group-policy examplevpn
    tunnel-group examplevpn ipsec-attributes
     pre-shared-key *****
    !
    class-map global-class
     match default-inspection-traffic
    class-map class_sip_tcp
     match port tcp eq sip
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect sqlnet
      inspect tftp
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect icmp
      inspect ipsec-pass-thru
      inspect ip-options
     class class_sip_tcp
      inspect sip
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:3edb25d4a550f0394e8c1936ab3326ad

    Is this all I have to add / is this correct?

    aaa-server RADIUSvpn protocol radius
     max-failed-attempts 5
    aaa-server vpn (DMZ) host 172.16.1.1
     retry-interval 1
     timeout 30
     key cisco123

    tunnel-group RA-VPN type remote-access
    tunnel-group RA-VPN general-attributes
     address-pool vpnpool
     authentication-server-group RADIUSvpn

    I'm still relatively new to firewalls and sometimes find the online help overwhelming. Help, please.

    Vicky

    Can you compare the config with the doc and see if something may be missing?

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml

    Use the troubleshooting section in the doc to find the DN; I think you are missing part of the DN string. Sorry for the late response.

  • AnyConnect VPN client authentication using certificates

    Guys, I'm trying to configure my ASA5505 to authenticate AnyConnect VPN clients using certificates. I have 'Certificates' defined as the authentication method in my AnyConnect connection profile (see screenshot), but I get 'Certificate Validation Failure' whenever I try to connect. The certificate I want to use is a computer certificate issued by my company's root CA (Windows Server 2008 running Active Directory Certificate Services). A screenshot of the certificate is attached. I added the root certificate on the ASA, and I tried all kinds of combinations using the corresponding certificate in the AnyConnect client profile. Each attempt failed, and I'm having no luck finding documentation on how to proceed. Any help would be greatly appreciated!

    Hello Shaun,

    The problem you're describing, not being able to authenticate with a certificate through Microsoft Internet Explorer, is due to the certificate being in the computer store. I would need to confirm this with Microsoft, but my understanding is that Internet Explorer only looks in the user store, so this certificate is not available to present to the ASA via the browser.

    -Craig

  • Static-to-dynamic ASA5505 L2L problem

    The two ASA5505s run version 9.2.3; I tried IKEv1 and IKEv2. It worked before, but I don't know what the problem is now...

    I can bring up the tunnel from the dynamic ASA end (default behaviour), by which I mean that I have to ping from the ASA itself (DynASA(config)# ping inside 172.22.82.5).

    When I try to ping resources or access anything from clients behind DynamicASA to StaticASA, this appears in the log:

    6 Jun 25 2015 21:40:50 302020 192.168.11.7 1 172.22.22.21 0 Built outbound ICMP connection for faddr 172.22.82.21/0 gaddr 88.114.6.163/1 laddr 192.168.11.7/1

    After the tunnel is up I can connect from clients behind StaticASA to resources behind DynamicASA, but not the other way around (clients behind DynamicASA to resources behind StaticASA; shouldn't it work both ways?)

    I tried with the DefaultL2L and DYNL2L policies and both work in one direction only...

    StaticASA config

    interface Vlan1
     nameif outside
     security-level 0
     ip address 1.2.3.4 255.255.255.0
    !
    interface Vlan2
     nameif inside
     security-level 100
     ip address 172.22.22.1 255.255.255.0
    !

    object network ASA2_LAN
     subnet 192.168.11.0 255.255.255.0
    object network ASA1_LAN
     subnet 172.22.22.0 255.255.255.0

    access-list tunneli-ASA2 extended permit ip object ASA1_LAN object ASA2_LAN
    nat (inside,outside) source static ASA1_LAN ASA1_LAN destination static ASA2_LAN ASA2_LAN no-proxy-arp route-lookup

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA trans1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto dynamic-map DYNL2L-ASA2 4 match address tunneli-ASA2
    crypto dynamic-map DYNL2L-ASA2 4 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map DYNL2L-ASA2 4 set ikev2 ipsec-proposal DYNL2L-VPN
    crypto dynamic-map DYNL2L-ASA2 4 set reverse-route
    crypto map OUTSIDE_MAP 65534 ipsec-isakmp dynamic DYNL2L-ASA2
    crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map OUTSIDE_MAP interface outside
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    group-policy GroupPolicy_ASA2 internal
    group-policy GroupPolicy_ASA2 attributes
     vpn-tunnel-protocol ikev1 ikev2

    tunnel-group DefaultL2LGroup ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****

    tunnel-group DYNL2L-ASA2 type ipsec-l2l
    tunnel-group DYNL2L-ASA2 general-attributes
     default-group-policy GroupPolicy_ASA2
    tunnel-group DYNL2L-ASA2 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****

    DynamicASA config

    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.11.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute

    object network ASA1_LAN
     subnet 172.22.22.0 255.255.255.0
    object network ASA2_LAN
     subnet 192.168.11.0 255.255.255.0

    access-list tunneli-ASA1 extended permit ip object ASA2_LAN object ASA1_LAN

    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

    crypto map mymap 10 match address tunneli-ASA1
    crypto map mymap 10 set peer 1.2.3.4
    crypto map mymap 10 set ikev1 transform-set ESP-AES-256-SHA
    crypto map mymap 10 set ikev2 ipsec-proposal AES256 AES192 AES DES DYNL2L-VPN 3DES
    crypto map mymap 10 set reverse-route

    group-policy GroupPolicy_1.2.3.4 internal
    group-policy GroupPolicy_1.2.3.4 attributes
     vpn-tunnel-protocol ikev1 ikev2
    tunnel-group 1.2.3.4 type ipsec-l2l
    tunnel-group 1.2.3.4 general-attributes
     default-group-policy GroupPolicy_1.2.3.4
    tunnel-group 1.2.3.4 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !

    WBR,

    Mr.O

    Hello

    Looks like you have the dynamic NAT above the static NAT exemption on the dynamic-IP ASA side:

    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

    Change the order to move the static NAT above the dynamic NAT:

    no nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

    nat (inside,outside) 1 source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup

    HTH

    Averroès.
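An added Python model (not ASA code) of the first-match NAT evaluation the reply above relies on, using the object names from this thread: with the dynamic PAT rule first, a packet from ASA2_LAN to ASA1_LAN is translated to the outside interface address and no longer matches the crypto ACL tunneli-ASA1; with the identity rule moved above it, the packet keeps its source and is encrypted. The outside address 88.114.6.163 is taken from the posted syslog line; the client and server addresses used in the demo are the ones from that same line.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of ASA section 1 (manual/twice) NAT: rules are tried top-down,
# the first match wins, and NAT is applied before the crypto-map ACL is checked.
# Object names and the outside address come from the thread; this is an
# illustration, not ASA code.
OBJECTS = {
    "ASA2_LAN": ipaddress.ip_network("192.168.11.0/24"),
    "ASA1_LAN": ipaddress.ip_network("172.22.22.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
OUTSIDE_IF_IP = "88.114.6.163"  # gaddr shown in the posted 302020 syslog line


@dataclass
class NatRule:
    kind: str            # "dynamic" = PAT to the outside interface, "static" = identity NAT
    src: str             # real-source object name
    dst: Optional[str]   # destination object name, None when the rule has no destination clause
    text: str            # the ASA line this rule stands for

    def matches(self, src_ip, dst_ip) -> bool:
        if src_ip not in OBJECTS[self.src]:
            return False
        return self.dst is None or dst_ip in OBJECTS[self.dst]


def translate(rules, src: str, dst: str) -> tuple:
    """Return (post-NAT source address, index of the matching rule or -1)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip):
            return (OUTSIDE_IF_IP if rule.kind == "dynamic" else src), i
    return src, -1


def crypto_acl_matches(src: str, dst: str) -> bool:
    """tunneli-ASA1: permit ip object ASA2_LAN object ASA1_LAN, evaluated on the
    post-NAT packet."""
    return (ipaddress.ip_address(src) in OBJECTS["ASA2_LAN"]
            and ipaddress.ip_address(dst) in OBJECTS["ASA1_LAN"])


def will_be_encrypted(rules, src: str, dst: str) -> bool:
    post_nat_src, _ = translate(rules, src, dst)
    return crypto_acl_matches(post_nat_src, dst)


PAT_RULE = NatRule("dynamic", "any", None,
                   "nat (inside,outside) source dynamic any interface")
EXEMPT_RULE = NatRule("static", "ASA2_LAN", "ASA1_LAN",
                      "nat (inside,outside) source static ASA2_LAN ASA2_LAN "
                      "destination static ASA1_LAN ASA1_LAN no-proxy-arp route-lookup")

AS_POSTED = [PAT_RULE, EXEMPT_RULE]   # the dynamic ASA's order in the question
AFTER_FIX = [EXEMPT_RULE, PAT_RULE]   # after re-adding the static rule at position 1


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("after fix", AFTER_FIX)):
        new_src, idx = translate(rules, "192.168.11.7", "172.22.22.21")
        print(f"{label}: 192.168.11.7 -> {new_src} via rule {idx}: {rules[idx].text}")
        print(f"  encrypted: {will_be_encrypted(rules, '192.168.11.7', '172.22.22.21')}")
```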

  • ASA5505 and Microsoft RADIUS

    I currently have VPN clients authenticating on an ASA5505 via the local database (which I consider a simple typing machine :)

    I am obliged to make users change their password to conform to complexity and minimum-length rules, which, to my knowledge, cannot be done directly on the ASA.

    I am installing an IAS that uses standard RADIUS with the ASA5505 as client.

    Now I have 2 groups of users using the same tunnel group with the local database:

    users who are also domain users -> for these users, I guess IAS will solve the problem of synchronisation with AD

    users who are NOT domain users -> how do I apply these rules to them?

    How do I configure the aaa-server on the ASA, and what should I change in the tunnel group to make all this work?

    Your AAA server should be of type RADIUS with, of course, the correct settings, IP, key and so on. After this change is done, you should enter the tunnel-group general-attributes and call your AAA server for authentication: authentication-server-group RADIUS LOCAL

    LOCAL will be there only as a fallback.

    After this change is made, and your IAS connects to AD correctly, you should be able to authenticate. NOTE: making this change in the config will force all users to have a valid username in the IAS/AD schema; the local database will be used only when RADIUS fails.

    Now, to enable password changes from the VPN clients, you need to go ahead and enable "ms-chap-v2" under the tunnel-group ppp-attributes; once that is done, the domain field will be displayed on the VPN client's XAUTH prompt. Also, the "password-management" keyword must be enabled under the general-attributes.

  • VPN authentication

    I have 2 tunnel-groups:

    tunnel-group test type ipsec-ra
    tunnel-group test general-attributes
     address-pool VPN_Pool
     authentication-server-group LOCAL
     authorization-server-group (inside) LOCAL
     authorization-server-group (outside) LOCAL
     default-group-policy test
     authorization-required
    tunnel-group test ipsec-attributes
     pre-shared-key *****

    and

    tunnel-group users type ipsec-ra
    tunnel-group users general-attributes
     address-pool VPN_Pool
     default-group-policy users
    tunnel-group users ipsec-attributes
     pre-shared-key *****

    USERS is the production VPN access group; it uses the LOCAL authentication database and, most importantly, it works well.

    test, as you can guess, is a test group that was created when I configured the ASA5505 for the first time. It also works.

    Both groups use the same LOCAL database, BUT as you can see the users group shows nothing for it.

    I need to change the authentication from LOCAL to RADIUS (I tested this on the ASA and it works very well). I want to start by testing the test group and, if all is good, apply it to the users group.

    How can I do this?

    How can I make RADIUS the primary source, with fallback to LOCAL authentication if RADIUS is down?

    You'd go into your tunnel-group settings and change them like this:

    tunnel-group test general-attributes
     authentication-server-group RADIUS LOCAL

    This will cause the tunnel group to first use RADIUS, and LOCAL if RADIUS fails. Note: you can remove the authorization part of your configuration.

  • Site-to-site VPN configuration on two ASA5505

    I have two ASA5505s, ver 8.4(6) and ver 9.0(2), configured for a lab site-to-site VPN, but without success. I can ping the outside address of each ASA from the other, but cannot ping the LAN on the other end. Here is the output when checking whether the VPN tunnel is established. For reference, the configurations are provided below. Any help is very much appreciated.

    ASA1# show crypto isakmp sa

    There are no IKEv1 SAs

    There are no IKEv2 SAs

    ASA1# show crypto ipsec sa

    There are no ipsec sas

    ASA1:

    crypto isakmp enable outside
    object network local-net
     subnet 192.168.1.0 255.255.255.0
    object network remote-net
     subnet 192.168.2.0 255.255.255.0
    !
    access-list outside_1_cryptomap extended permit ip object local-net object remote-net
    tunnel-group 200.200.200.1 type ipsec-l2l
    tunnel-group 200.200.200.1 ipsec-attributes
     pre-shared-key pass1234
     isakmp keepalive threshold 10 retry 2
    !
    crypto isakmp policy 10 authentication pre-share
    crypto isakmp policy 10 encryption 3des
    crypto isakmp policy 10 hash sha
    crypto isakmp policy 10 group 2
    crypto isakmp policy 10 lifetime 86400
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 200.200.200.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    !
    nat (inside,outside) 1 source static local-net local-net destination static remote-net remote-net
    exit

    ASA2:

    crypto isakmp enable outside
    object network local-net
     subnet 192.168.2.0 255.255.255.0
    object network remote-net
     subnet 192.168.1.0 255.255.255.0
    !
    access-list outside_1_cryptomap extended permit ip object local-net object remote-net
    tunnel-group 100.100.100.1 type ipsec-l2l
    tunnel-group 100.100.100.1 ipsec-attributes
     pre-shared-key pass1234
     isakmp keepalive threshold 10 retry 2
    !
    crypto isakmp policy 10 authentication pre-share
    crypto isakmp policy 10 encryption 3des
    crypto isakmp policy 10 hash sha
    crypto isakmp policy 10 group 2
    crypto isakmp policy 10 lifetime 86400
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 100.100.100.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    !
    nat (inside,outside) 1 source static local-net local-net destination static remote-net remote-net
    exit

    ASA1# sh run int
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    ASA1#

    ASA1# ping 192.168.2.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    ASA1# ping google.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 173.194.46.71, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/10/20 ms
    ASA1#

    ASA2# sh run int
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     shutdown
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute

    ASA2# ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)
    !
    ASA2# ping google.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 173.194.46.64, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 14/10/20 ms
    ASA2#

    If you look at the debugs on the ASA, there are no crypto negotiations of any kind.

    The problem may be that you need to generate interesting traffic that matches the ACL. I don't know if you are on a physical lab or on GNS3. If you use a physical lab, attach a laptop to the inside interface and configure an IP address in that subnet. You may need to do this for the other ASA as well. Then initiate a ping to the other network.

  • ASA5505 with 2 VPN tunnels failing to implement the 2nd tunnel

    Hello

    I have an ASA5505 that currently connects a remote office for VoIP and data. I added a 2nd site-to-site VPN tunnel to a vendor site. It's this 2nd VPN tunnel that I have problems with. It seems that PHASE 1 negotiates fine. However, I'm not a VPN expert! So any help would be greatly appreciated. I have attached the running-config of my box, debug (ipsec & isakmp) output and the information the vendor gave me today. They use an ASA5510.

    My existing VPN tunnel (which works) is labeled 'outside_1_cryptomap'. It has the following as interesting traffic:

    192.168.1.0/24-> 192.168.3.0/24

    192.168.2.0/24-> 192.168.3.0/24

    10.1.1.0/24-> 192.168.3.0/24

    10.1.2.0/24-> 192.168.3.0/24

    10.1.10.0/24-> 192.168.3.0/24

    10.2.10.0/24-> 192.168.3.0/24

    The new VPN tunnel (does not work) is labeled "eInfomatics_1_cryptomap".  It has the following as interesting traffic:

    192.168.1.25/32-> 10.10.10.83/32

    192.168.1.25/32-> 10.10.10.47/32

    192.168.1.26/32-> 10.10.10.83/32

    192.168.1.26/32-> 10.10.10.47/32

    Here's the info for the other VPN (copied & pasted from the config):

    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.83
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.83
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.47
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.47

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 24.180.14.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address eInfomatics_1_cryptomap
    crypto map outside_map 2 set peer 66.193.183.170
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    tunnel-group 24.180.14.50 type ipsec-l2l
    tunnel-group 24.180.14.50 ipsec-attributes
     pre-shared-key *****

    tunnel-group 66.193.183.170 type ipsec-l2l
    tunnel-group 66.193.183.170 ipsec-attributes
     pre-shared-key *****

    Thanks in advance

    -Matt

    Hello

    The vendor has set PFS (Perfect Forward Secrecy) group2 for Phase 2, and you don't have it.

    So you can probably try adding the following:

    crypto map outside_map 2 set pfs group2

    I think it will simply be entered as

    crypto map outside_map 2 set pfs

    given that 'group 2' is the default.

    -Jouni

  • Site to site VPN router-ASA5505

    Hello

    I have a problem with the VPN between an ASA5505 and a 3825 router.

    Behind the ASA we have a server that serves a specific port. If for any reason the link is disconnected, the VPN does not come back up unless we generate traffic to this server. After generating even a ping, the VPN immediately becomes active and communication starts. Another case is when the ASA reboots: the VPN is not created without pinging the server behind this ASA.

    How could we solve this problem without sending traffic to that server?

    As for remote access to this ASA, can I reach the internal interface? If I open access on port 443 on the external interface of the ASA, could I access it? Or must I also exclude this traffic from the VPN?

    I used the VPN Wizard to configure the ASA and the CLI on the router.

    Here are some troubleshooting and configuration commands; if this is not enough, please let me know what else you need.

    Thanks in advance for your help

    ciscoasa# sh crypto isakmp sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 10.10.10.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : AM_ACTIVE

    ASA configuration:

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 10.10.10.1
    crypto map outside_map 1 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    Main router configuration:

    crypto isakmp policy 1
     authentication pre-share
    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10
     authentication pre-share
     group 2
    crypto isakmp key 6 _JQfe [BeRGNBCGfbGxxxxxxxxx address 10.10.10.10
    !
    crypto ipsec transform-set xxxxx esp-des esp-md5-hmac
    !
    crypto map ETH0 2696 ipsec-isakmp
     set peer 10.10.10.10
     set transform-set xxxxx
     match address 2001
    !
    access-list 2001 permit ip any 192.168.26.96 0.0.0.7

    Post edited by: adriatikb
    I just read somewhere that changing the VPN connection type from 'bidirectional' to 'originate-only' or 'answer-only' could help me, but I tested it with no results.

    I had the same problem last week, and the TAC engineer on our service ticket told us to downgrade from IOS 8.2(3) to 8.2(1). Since then, it works fine.

  • ASA5505 - VPN does not work

    Hello everyone,

    I have problems getting IPsec remote-access VPN to work.

    The goal is to be able to connect to our internal network from home or elsewhere.

    When I try to connect to my home VPN, I get no further than Phase 1.

    My architecture is a Cisco ASA5505 behind a modem-router from the ISP. The IP address of the modem is 192.168.1.1 on the outside side.

    The IP address of the ASA is 192.168.1.254 for outside and 10.0.0.1 for inside. I put the ASA in the DMZ of the ISP modem so that it can be reached from the Internet (I wanted to use the ISP modem-router just as a simple bridge/gateway and handle everything else with the ASA).

    So my problem is that I can't seem to connect to the VPN through the public IP address.

    Here is my config:

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname Cisco-ASA-5505
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.254 255.255.255.0
    !
    ftp mode passive
    clock timezone GMT 1
    access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.1.1-10.0.1.50
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
    crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
    crypto map VPN-MAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 3600
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 10.0.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 10.0.0.10-10.0.0.40 inside
    dhcpd dns 81.253.149.9 80.10.246.1 interface inside
    dhcpd update dns both override interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
    webvpn
    username admin password 4RdDnLO1w2ilihWc encrypted
    username test password zGOnThs6HPdiZhqs encrypted
    tunnel-group testvpn type remote-access
    tunnel-group testvpn general-attributes
     address-pool VPNpool
    tunnel-group testvpn ipsec-attributes
     pre-shared-key *****
    !
    !
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c
    : end

    My client config is attached.

    When I look at what happens during the connection with Wireshark, I see 'Port Unreachable'. Do I have to do something on my ISP router? I read that it is not necessary to use NAT if the device is in the DMZ.

    Can you help me please?

    Because of the address you have on your outside interface, you will need to tell your router to forward traffic to the ASA. So you can do NAT or port forwarding to the ASA.

    I guess you don't have a single public IP address assigned by your ISP.

    Kind regards

    Jan

  • Site-to-site VPN does not work between PIX515e and ASA5505

    Hello

    I was hoping that someone could help me get this VPN to work. The IPsec tunnels are not coming up and I noticed this error:

    3 August 9, 2011 05:13:26 IP = 39.188.41.188, error during load processing: payload ID: 1

    Reading up on this, it seems that it could be an IKE problem, but I am struggling to find the cause (not helped by the new 8.4 commands).

    The configuration is as follows:

    Head office

    PIX515e v6.3(4)

    LAN IP 10.0.160.254/24

    Branch

    ASA5505 v8.4(1)

    LAN IP 192.168.47.254/24

    I have attached the configs - can someone help me with this?

    See you soon,

    Huw

    Huw,

    1. You do not have an ISAKMP policy that matches the remote site (BTW, you have a lot of policies that are not serving any purpose; you may want to consider cleaning up your config before adding a new policy).

    On the HQ you have this:

    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    You need this on the remote site:

    crypto ikev1 policy xx
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    2. Your interesting traffic does not match:

    At the remote site you have:

    object-group network DM_INLINE_NETWORK_1
     network-object 10.0.160.0 255.255.255.0
     network-object 192.168.1.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.47.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

    On the HQ:

    name 10.0.160.0 ENO_LAN
    name 192.168.47.0 EASTMOORS_LAN
    access-list outside_cryptomap_20 permit ip ENO_LAN 255.255.255.0 EASTMOORS_LAN 255.255.255.0

    You need to add this:

    access-list inside_outbound_nat0_acl permit ip ENO_DMZ 255.255.255.0 EASTMOORS_LAN 255.255.255.0

    Once you have applied these changes, try to ping through the tunnel. If it still does not work, please take a "show crypto isakmp sa" and a "show crypto ipsec sa" on both sites.

    Thank you.

    Raga
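    Point 1 of the reply above, and the first thread on this page where the ASA and the router each carry several ISAKMP policies, come down to one question: does any Phase 1 policy on one side agree with one on the other? The Python below is an added example, not code from any post on this page. It parses the PIX 6.3 flat form (`isakmp policy N attribute value`) and the ASA/IOS block form (`crypto isakmp policy N` or `crypto ikev1 policy N` followed by attribute lines, indented or not), fills in the documented IOS/ASA defaults for attributes a policy omits, and lists the policy pairs that agree on encryption, hash, DH group and authentication. The HQ and branch configs it runs on are constructed from the proposals quoted in the thread.

```python
"""Phase 1 (ISAKMP/IKEv1) proposal matcher for PIX, ASA and IOS configs.

Added example, not part of any post on this page. Sample configs below
are constructed from the proposals quoted in the thread.
"""
import re

# Documented IOS/ASA defaults for attributes a policy leaves unspecified.
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
            "authentication": "rsa-sig", "lifetime": "86400"}

ATTR_RE = {
    "encryption": re.compile(r"^(?:encryption|encr)\s+(\S+)$"),  # IOS shows 'encr'
    "hash": re.compile(r"^hash\s+(\S+)$"),
    "group": re.compile(r"^group\s+(\S+)$"),
    "authentication": re.compile(r"^authentication\s+(\S+)$"),
    "lifetime": re.compile(r"^lifetime\s+(\S+)$"),
}
# ASA/IOS block style: 'crypto isakmp policy 10' or 'crypto ikev1 policy 10'.
BLOCK_RE = re.compile(r"^crypto\s+(?:isakmp|ikev1)\s+policy\s+(\d+)$")
# PIX 6.3 flat style: 'isakmp policy 20 encryption 3des'.
FLAT_RE = re.compile(r"^isakmp\s+policy\s+(\d+)\s+(.+)$")


def _set_attr(policy, text):
    """Apply one attribute line to a policy; return False if it is not one."""
    for name, rx in ATTR_RE.items():
        m = rx.match(text)
        if m:
            policy[name] = m.group(1).lower()
            return True
    return False


def parse_policies(config):
    """Return {priority: {attr: value}} for every IKEv1 policy in config.

    Attribute lines are accepted with or without indentation, because
    configs pasted into forum posts usually lose their leading spaces.
    """
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), dict(DEFAULTS))
            continue
        m = FLAT_RE.match(line)
        if m:
            _set_attr(policies.setdefault(m.group(1), dict(DEFAULTS)), m.group(2))
            continue
        if current is None or not _set_attr(current, line):
            current = None  # any other command ('!', 'crypto isakmp key', ...) ends the block
    return policies


def matching_pairs(local, remote):
    """Policy pairs that agree on encryption, hash, group and authentication.

    Lifetime does not have to be identical: the peers settle on the shorter
    one, so it is returned alongside each match instead of rejecting it.
    """
    keys = ("encryption", "hash", "group", "authentication")
    pairs = []
    for lp, lv in sorted(local.items(), key=lambda kv: int(kv[0])):
        for rp, rv in sorted(remote.items(), key=lambda kv: int(kv[0])):
            if all(lv[k] == rv[k] for k in keys):
                pairs.append((lp, rp, min(int(lv["lifetime"]), int(rv["lifetime"]))))
    return pairs


# Constructed samples modelled on the thread: the PIX 6.3 head office and
# the ASA 8.4 branch, first with only an AES policy, then with the 3DES/MD5
# policy the reply recommends added.
PIX_HQ = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""
ASA_BRANCH_BEFORE = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""
ASA_BRANCH_AFTER = ASA_BRANCH_BEFORE + """
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
"""

if __name__ == "__main__":
    hq = parse_policies(PIX_HQ)
    for label, cfg in (("before", ASA_BRANCH_BEFORE), ("after", ASA_BRANCH_AFTER)):
        pairs = matching_pairs(hq, parse_policies(cfg))
        print(label, "->", pairs or "no usable Phase 1 proposal")
```

    The default fill-in matters for the router in the first thread: an IOS policy that only says `authentication pre-share` is DES/SHA/group 1, so it will never match an ASA policy that explicitly asks for group 2, and that is invisible until the defaults are written out.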

  • ASA5505 Site-to-Site 3825

    I have invested more than 60 hours trying to figure this out.

    I have an ASA5505 which does not connect to my 3825.

    Its 'sister', running the same config (except for the inside subnets and outside IP addresses), connects very well.

    Here is the config on the ASA:

    ZAKASA# sh run
    : Saved
    :
    ASA Version 8.0(4)
    !
    hostname ZAKASA
    domain-name *
    enable password * encrypted
    passwd * encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.16.64.254 255.255.240.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address * *.9 255.255.255.0
    !
    interface Vlan5
     nameif VLAN5
     security-level 100
     ip address 192.168.12.254 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport trunk allowed vlan 1-2,5,1002-1005
     switchport trunk native vlan 1
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     switchport trunk allowed vlan 1-2,5,1002-1005
     switchport trunk native vlan 1
     switchport mode trunk
    !
    ftp mode passive
    clock timezone EST -5
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 172.16.18.10
     name-server 172.16.18.11
     name-server 4.2.2.2
     domain-name *
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.32.0 255.255.240.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.48.0 255.255.240.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.96.0 255.255.240.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.2.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.3.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.4.4.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.12.12.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.13.13.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.14.14.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.80.0 255.255.240.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.5.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.7.7.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.1.1.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.2.2.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.3.3.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.4.4.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.5.5.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.7.7.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.12.12.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.13.13.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.32.0 255.255.240.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.48.0 255.255.240.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.80.0 255.255.240.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.96.0 255.255.240.0
    access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.112.0 255.255.240.0
    access-list capout extended permit ip host * *.162 host * *.9
    access-list capout extended permit ip host * *.9 host * *.162
    access-list capout extended permit udp host * *.9 eq 4500 host * *.162
    access-list capout extended permit udp host * *.9 eq isakmp host * *.162
    access-list capout extended permit udp host * *.162 host * *.9 eq isakmp
    access-list capout extended permit udp host * *.162 host * *.9 eq 4500
    access-list VoIp-Traffic_out extended permit ip 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0
    access-list VoIp-Traffic_out extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
    access-list VoIP-Traffic_IN extended permit tcp 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0 eq h323
    access-list VoIP-Traffic_IN extended permit tcp 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0 eq sip
    access-list VoIP-Traffic_IN extended permit tcp 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0 eq 2000
    access-list vl5_nat extended permit ip 192.168.12.0 255.255.255.0 any
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu VLAN5 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (VLAN5) 1 192.168.12.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 * *.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set Myset1 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer * *.162
    crypto map outside_map 1 set transform-set Myset1
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 86400
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 VLAN5
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd lease 14400
    dhcpd domain *
    !
    dhcpd address 172.16.64.101-172.16.64.200 inside
    dhcpd dns 172.16.18.11 4.2.2.2 interface inside
    dhcpd lease 14400 interface inside
    dhcpd ping_timeout 750 interface inside
    dhcpd domain * interface inside
    dhcpd enable inside
    !
    dhcpd address 192.168.12.101-192.168.12.200 VLAN5
    dhcpd dns 172.16.18.11 4.2.2.2 interface VLAN5
    dhcpd lease 14400 interface VLAN5
    dhcpd ping_timeout 750 interface VLAN5
    dhcpd domain * interface VLAN5
    dhcpd enable VLAN5
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username * password * encrypted privilege 15
    tunnel-group * *.162 type ipsec-l2l
    tunnel-group * *.162 ipsec-attributes
     pre-shared-key *
    !
    class-map Voice_OUT
     match dscp ef
    class-map Voice_IN
     match dscp ef
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    policy-map VoicePolicy
     class Voice_OUT
      priority
     class Voice_IN
      priority
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: *
    : end
    ZAKASA#

    The 3825 is set up the same as for the other 5505, 891, 3825 and 2621 that do connect.

    Any help would be most appreciated.

    Hello

    Glad to hear it's up and running.

    Please mark the question as answered so future users can learn from your answer.

    Regards

  • Configuration VPN Cisco ASA5505 new 800

    I have 2 office buildings using Cisco 800 series routers with a L2L VPN between the two. I'm upgrading from the router to an ASA5505 at one of the offices but cannot figure out the L2L VPN on the ASA. Specifically, I don't know how to set the pre-shared key. On the Cisco 800 there is:

    crypto isakmp key address

    This doesn't seem to work on the ASA. Can anyone help with this? Here is my current config on the Cisco 800...

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key address
    !
    !
    crypto ipsec transform-set DUMAC3 esp-3des esp-md5-hmac
    crypto ipsec df-bit clear
    !
    crypto map MYmap 10 ipsec-isakmp
     set peer 75.148.153.217
     set security-association lifetime seconds 36000
     set transform-set DUMAC3
     match address 101
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255

    In your crypto maps, the '10' and '65535' are the sequence numbers. A combined cr
ypto map might look like this:

    crypto map primaryisp_map 10 match address 101
    crypto map primaryisp_map 10 set peer 99.119.80.165
    crypto map primaryisp_map 10 set ikev1 transform-set DUMAC3
    crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map primaryisp_map interface primaryisp
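    Sequence numbers are only one of the things that can go wrong in a crypto map. The Python below is an added example, not code from any post on this page or from Cisco. It groups ASA-style `crypto map` lines by map name and sequence number and reports three mistakes a reviewer looks for: a static entry with no peer, transform set or match address; a dynamic entry that does not carry the highest sequence number in its map; and a map that has entries but is never bound to an interface with `crypto map NAME interface IF`. Both sample configs are constructed; the broken one is modelled on the site-to-site plus remote-access layout in the next thread, where the dynamic entry lives on a second map that nothing applies.

```python
"""Crypto-map linter for ASA-style 'crypto map' lines.

Added example, not from any post on this page. Sample configs are
constructed.
"""
import re
from collections import defaultdict

# 'crypto map NAME SEQ <rest>' entry lines and 'crypto map NAME interface IF'.
ENTRY_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+(\d+)\s+(.+)$")
IFACE_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+interface\s+(\S+)$")


def parse_crypto_maps(config):
    """Return ({map_name: {seq: {field: value}}}, {map_name: interface})."""
    maps, bound = defaultdict(dict), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # dynamic-map definitions and unrelated lines
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = maps[name].setdefault(seq, {})
        if rest[0] == "ipsec-isakmp" and "dynamic" in rest:
            entry["dynamic"] = rest[rest.index("dynamic") + 1]
        elif rest[:2] == ["match", "address"]:
            entry["match"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peer"] = rest[2:]
        elif rest[0] == "set" and "transform-set" in rest:  # 'set [ikev1] transform-set ...'
            entry["transform-set"] = rest[rest.index("transform-set") + 1:]
    return dict(maps), bound


def lint_crypto_maps(config):
    """Return a list of findings (strings); an empty list means clean."""
    maps, bound = parse_crypto_maps(config)
    findings = []
    for name, entries in maps.items():
        if name not in bound:
            findings.append(f"{name}: has entries but is not bound to any interface")
        highest = max(entries)
        for seq, entry in sorted(entries.items()):
            if "dynamic" in entry:
                if seq != highest:
                    findings.append(f"{name} {seq}: dynamic entry must carry the highest sequence number")
                continue
            for field in ("match", "peer", "transform-set"):
                if field not in entry:
                    findings.append(f"{name} {seq}: static entry missing {field}")
    return findings


# Constructed: the static L2L entry is on outsidemap0 (bound to 'outside')
# while the dynamic remote-access entry sits on a second map nothing uses.
BROKEN = """
crypto dynamic-map dyn1 1 set transform-set RA
crypto map outsidemap0 1 match address 101
crypto map outsidemap0 1 set peer 10.10.10.1
crypto map outsidemap0 1 set transform-set CryptoSet
crypto map outsidemap0 interface outside
crypto map mymap 100 ipsec-isakmp dynamic dyn1
"""
# Constructed: the combined layout from the reply above, static entries
# first and the dynamic entry at 65535 on the same map.
FIXED = """
crypto dynamic-map dyn1 1 set transform-set RA
crypto map outsidemap0 1 match address 101
crypto map outsidemap0 1 set peer 10.10.10.1
crypto map outsidemap0 1 set transform-set CryptoSet
crypto map outsidemap0 65535 ipsec-isakmp dynamic dyn1
crypto map outsidemap0 interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "->", lint_crypto_maps(cfg) or "clean")
```

    Only one crypto map can be applied per interface, so a remote-access dynamic entry has to be a high-numbered entry of the same map that carries the site-to-site entries; a second map with its own dynamic entry is never consulted, which is exactly what the linter reports for the constructed broken sample.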

  • ASA5505-Site-Site & RA on the same device

    Howdy all,

    I am trying to set one up for both a site-to-site and a remote-access VPN. Site-to-site works fine; however, when I connect using the Cisco client, after the password and the initial connection prompts I get a state of "not connected". The log shows that a policy-map match is not found. I have successfully set the unit up for remote access without any site-to-site, and faced another set of issues when adding the site-to-site to the working remote-access configuration, so I started over, implementing site-to-site first. I tried this through ASDM (hate it); the current configuration is CLI. Any thoughts would be appreciated; I am sure I'm just missing a piece or two.

    ASA Version 8.2(5)
    !
    hostname ASA5505
    enable password XXXXXXXXX encrypted
    passwd XXXXXXXXX encrypted
    names
    name 192.168.0.0 MainOffice
    name 192.168.251.0 RAAddresses
    name 10.10.10.0 MainSiteIP
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.250.147 255.255.255.0
    !
    ftp mode passive
    access-list 101 extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.255.0
    access-list 101 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 102 extended permit ip any any
    access-list 102 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 103 extended permit ip RAAddresses 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 103 extended permit ip 192.168.1.0 255.255.255.0 RAAddresses 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool RAPool 192.168.251.100-192.168.251.120
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 0 access-list 103
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 102 in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.250.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http MainOffice 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set CryptoSet esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set RA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set RA
    crypto map outsidemap0 1 match address 101
    crypto map outsidemap0 1 set peer MainSiteIP
    crypto map outsidemap0 1 set transform-set CryptoSet
    crypto map outsidemap0 interface outside
    crypto map mymap 100 ipsec-isakmp dynamic dyn1
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 3600
    crypto isakmp policy 100
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    vpn-addr-assign local reuse-delay 5
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 60
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-filter value 101
    username user1 password IQM/O64OATR4zXx7 encrypted
    tunnel-group MainSiteIP type ipsec-l2l
    tunnel-group MainSiteIP ipsec-attributes
     pre-shared-key *
    tunnel-group RAGroup type remote-access
    tunnel-group RAGroup general-attributes
     address-pool RAPool
    tunnel-group RAGroup ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:07120668869a94278df931162ae4d7a5
    : end

    Hello Robert,

    ip local pool RAPool 192.168.251.100-192.168.251.120

    access-list No_NAT_RA permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0

    no nat (inside) 0 access-list 103
    nat (inside) 0 access-list No_NAT_RA

    group-policy DfltGrpPolicy attributes
     no vpn-filter value 101

    access-list Split standard permit 192.168.1.0 255.255.255.0

    group-policy R_A internal
    group-policy R_A attributes
     group-lock value RAGroup
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split

    Kind regards

    Julio
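    Two of the threads above turn on access lists: point 2 of the PIX/ASA reply (the crypto ACLs at the two ends must mirror each other, and the router ACL written with `any` in the first thread is a case in point), and Robert's configuration, where ACL 101 is applied as the vpn-filter in DfltGrpPolicy and so also governs remote-access clients it never mentions. The Python below is an added example, not code from any post on this page. It parses ASA `extended` ACEs (netmask, `any`, `host`) and IOS numbered ACEs (wildcard masks, converted to prefixes), reports local permit entries with no mirror on the far side, and evaluates an ACL against a source/destination pair the way the ASA does (first match, implicit deny at the end). Only `ip` ACEs with literal addresses are handled; object names such as MainOffice have to be resolved to addresses first. All sample ACLs are constructed from addresses in the posts.

```python
"""Crypto-ACL mirror check and vpn-filter evaluation for ASA/IOS ACLs.

Added example, not code from any post on this page. Sample ACLs are
constructed from the addresses quoted in the threads.
"""
import ipaddress
import re

# ASA extended ACE: access-list NAME extended permit|deny ip SRC DST
ASA_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+ip\s+(.+)$")
# IOS numbered extended ACE (no 'extended' keyword, wildcard masks):
# access-list 101 permit|deny ip SRC WILDCARD DST WILDCARD
IOS_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def _take_network(tokens, wildcard):
    """Pop one address spec (any | host A | A MASK) and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:
        # An IOS wildcard is the bitwise inverse of a netmask: 0.0.0.7 -> /29
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text, name):
    """Return [(action, src_net, dst_net)] for the 'ip' ACEs of ACL `name`.

    ACEs for other protocols, or ones that use object names, are skipped.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        m, wildcard = ASA_RE.match(line), False
        if m is None:
            m, wildcard = IOS_RE.match(line), True
        if m is None or m.group(1) != name:
            continue
        try:
            tokens = m.group(3).split()
            src = _take_network(tokens, wildcard)
            dst = _take_network(tokens, wildcard)
        except (ValueError, IndexError):
            continue  # object name or truncated line: cannot be evaluated here
        aces.append((m.group(2), src, dst))
    return aces


def mirror_check(local, remote):
    """Crypto ACLs must mirror exactly: every local permit S->D needs a
    remote permit D->S. Returns the local (src, dst) pairs with no mirror."""
    mirrored = {(d, s) for action, s, d in remote if action == "permit"}
    return [(s, d) for action, s, d in local
            if action == "permit" and (s, d) not in mirrored]


def acl_permits(aces, src, dst):
    """First-match evaluation with the ASA's implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in aces:
        if s in sn and d in dn:
            return action == "permit"
    return False


# Constructed from Robert's post with names resolved to the addresses given
# there: ACL 101 covers LAN <-> main office only and is also the vpn-filter
# in DfltGrpPolicy; ACL 103 is the remote-access NAT-exempt ACL.
ROBERT_ACLS = """
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip 192.168.251.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0
"""
# Constructed site-to-site pair modelled on the first thread: the router
# side uses wildcard masks and 'any', the ASA side uses netmasks.
ASA_CRYPTO = """
access-list outside_1_cryptomap extended permit ip 192.168.26.96 255.255.255.248 10.20.0.0 255.255.0.0
"""
IOS_CRYPTO = """
access-list 2001 permit ip any 192.168.26.96 0.0.0.7
access-list 2001 permit ip 10.20.0.0 0.0.255.255 192.168.26.96 0.0.0.7
"""

if __name__ == "__main__":
    vpn_filter = parse_acl(ROBERT_ACLS, "101")
    print("pool client -> inside allowed by vpn-filter 101:",
          acl_permits(vpn_filter, "192.168.251.100", "192.168.1.10"))
    asa = parse_acl(ASA_CRYPTO, "outside_1_cryptomap")
    ios = parse_acl(IOS_CRYPTO, "2001")
    print("router ACEs with no mirror on the ASA:", mirror_check(ios, asa))
```

    A vpn-filter ACL is evaluated with the client address as source and the internal network as destination, so `acl_permits(vpn_filter, pool_ip, inside_ip)` is the check that matters; with the constructed ACL 101 it falls through to the implicit deny, which is why the reply drops `vpn-filter value 101` from DfltGrpPolicy. For the crypto ACLs, the router line written with `any` is the one reported without a mirror: the far end has no entry for an unbounded source, so a proposal built from it is rejected during Phase 2.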

  • Need help accessing the internal network via VPN on ASA5505 8.4(1)

    Recently, I upgraded my ASA5505 from 8.02 to 8.4, and since I updated to the new version I can no longer access my home network through the VPN. I can connect to the VPN with no problems, however I can no longer ping or connect to my 10.0 network. Would someone be kind enough to look at my config and tell me what needs to be added to make it work? In my old config, I had a NAT statement for the VPN that is no longer here.

    I also wanted to configure WebVPN to work as well, and this is something that I've never been able to figure out. Is it also possible for me to be on my 20.0 network, connect to the VPN, and access 10.0 as well? When connected to my 20.0 network I am not prompted for credentials to connect to the VPN. I would be grateful if someone could help me out. The major part of this is the first part of this question.

    My configuration:

    ASA Version 8.4 (1)

    !

    ASA5505 hostname

    domain xxxxxxxx.dyndns.org

    enable encrypted password xxxxxxxxxxxx

    xxxxxxxxxxxxxxx encrypted passwd

    names of

    nameserver 192.168.10.2

    Office of name 192.168.10.3

    name Canon 192.168.10.5

    name 192.168.10.6 mvix

    name 192.168.10.7 xbox

    name 192.168.10.8 dvr

    name 192.168.10.9 bluray

    name 192.168.10.10 lcd

    name 192.168.10.11 mp620

    name 192.168.10.12 kayla

    name 192.168.1.1 asa5505

    name 192.168.1.2 ap1

    name 192.168.10.4 mvix2

    name 192.168.10.13 lcd2

    name 192.168.10.14 dvr2

    !

    interface Vlan1

    nameif management

    security-level 100

    IP address asa5505 255.255.255.248

    management only

    !

    interface Vlan2

    0050.8db6.8287 Mac address

    nameif outside

    security-level 0

    IP address dhcp setroute

    !

    interface Vlan10

    nameif private

    security-level 100

    IP 192.168.10.1 255.255.255.224

    !

    interface Vlan20

    nameif Public

    security-level 100

    IP 192.168.20.1 255.255.255.224

    !

    interface Ethernet0/0

    Description pointing to WAN

    switchport access vlan 2

    !

    interface Ethernet0/1

    Uplink port Linksys 12 description

    switchport access vlan 10

    !

    interface Ethernet0/2

    Description Server 192.168.10.2/27

    switchport access vlan 10

    !

    interface Ethernet0/3

    Uplink Eth1 management description

    !

    interface Ethernet0/4

    switchport access vlan 30

    !

    interface Ethernet0/5

    switchport access vlan 30

    !

    interface Ethernet0/6

    switchport access vlan 30

    !

    interface Ethernet0/7

    Description of Cisco 1200 Access Point

    switchport trunk allowed vlan 1,10,20

    switchport trunk vlan 1 native

    switchport mode trunk

    !

    Banner motd users only, all others must disconnect now!

    boot system Disk0: / asa841 - k8.bin

    passive FTP mode

    clock timezone PST - 8

    clock summer-time recurring PDT

    DNS server-group DefaultDNS

    domain xxxxxxx.dyndns.org

    network object obj - 192.168.50.0

    192.168.50.0 subnet 255.255.255.0

    Server network objects

    host 192.168.10.2

    network object obj - 192.168.10.0

    192.168.10.0 subnet 255.255.255.224

    network object obj - 192.168.20.0

    subnet 192.168.20.0 255.255.255.224

    network server-01 object

    host 192.168.10.2

    network server-02 object

    host 192.168.10.2

    xbox network object

    Home 192.168.10.7

    xbox-01 network object

    Home 192.168.10.7

    xbox-02 network object

    Home 192.168.10.7

    xbox-03 network object

    Home 192.168.10.7

    xbox-04 network object

    Home 192.168.10.7

    network server-03 object

    host 192.168.10.2

    network server-04 object

    host 192.168.10.2

    network server-05 object

    host 192.168.10.2

    Desktop Network object

    host 192.168.10.3

    kayla network object

    Home 192.168.10.12

    Home_VPN_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224

    outside_access_in list extended access permit tcp any any eq 3389

    outside_access_in list extended access permit tcp any any eq 2325

    outside_access_in list extended access permit tcp any eq ftp server object

    outside_access_in list extended access permit tcp any any eq 5851

    outside_access_in list extended access udp allowed any any eq 5850

    outside_access_in list extended access permit tcp any any eq pptp

    outside_access_in list extended access udp allowed any any eq syslog

    outside_access_in list extended access udp allowed any any eq 88

    outside_access_in list extended access udp allowed any any eq 3074

    outside_access_in list extended access permit tcp any any eq 3074

    outside_access_in list extended access permit tcp any any eq field

    outside_access_in list extended access udp allowed any any eq field

    outside_access_in list extended access permitted tcp everything any https eq

    outside_access_in list extended access permit tcp any eq ssh server object

    outside_access_in list extended access permit tcp any any eq 2322

    outside_access_in list extended access permit tcp any any eq 5900

    outside_access_in list extended access permit icmp any any echo response

    outside_access_in list extended access permit icmp any any source-quench

    outside_access_in list extended access allow all unreachable icmp

    outside_access_in list extended access permit icmp any one time exceed

    outside_access_in list extended access udp allowed any any eq 5852

    KaileY_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224

    pager lines 24

    Enable logging

    timestamp of the record

    exploitation forest-size of the buffer of 36000

    logging warnings put in buffered memory

    recording of debug trap

    asdm of logging of information

    address record [email protected] / * /

    exploitation forest-address recipient [email protected] / * / level of errors

    Management Server host forest

    MTU 1500 management

    Outside 1500 MTU

    MTU 1500 private

    MTU 1500 Public

    local pool IPPOOL 192.168.50.2 - 192.168.50.10 255.255.255.0 IP mask

    local pool VPN_POOL 192.168.100.2 - 192.168.100.10 255.255.255.0 IP mask

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ICMP allow all outside

    ASDM image disk0: / asdm - 641.bin

    don't allow no asdm history

    ARP timeout 14400

    !

    Server network objects

    NAT (private, foreign) static tcp ftp 5851 service interface

    network object obj - 192.168.10.0

    NAT (private, foreign) dynamic interface

    network object obj - 192.168.20.0

    NAT (outside) dynamic public interface

    network server-01 object

    NAT (private, outside) interface static 2325 2325 tcp service

    network server-02 object

    NAT (private, outside) interface static udp syslog syslog service

    xbox network object

    NAT (private, outside) interface static service udp 88 88

    xbox-01 network object

    NAT (private, outside) interface static service udp 3074-3074

    xbox-02 network object

    NAT (private, outside) interface static service tcp 3074-3074

    xbox-03 network object

    NAT (private, outside) interface static tcp domain domain service

    xbox-04 network object

    field of the udp NAT (private, foreign) of the static interface function

    network server-03 object

    NAT (private, outside) interface static tcp https https service

    network server-04 object

    Static NAT (private, outside) interface service tcp ssh 2322

    network server-05 object

    NAT (private, outside) interface static 5900 5900 tcp service

    Desktop Network object

    NAT (private, outside) interface static service tcp 3389 3389

    kayla network object

    NAT (private, outside) interface static service udp 5852 5852

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.248 management
    http redirect outside 80
    snmp-server location Office floor
    snmp-server contact [email protected]
    snmp-server community
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn

    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    telnet timeout 5
    ssh 192.168.1.0 255.255.255.248 management
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 30
    management-access management
    dhcpd dns 24.205.1.14 66.215.64.14
    dhcpd ping_timeout 750
    dhcpd domain xxxxxxxx.dyndns.org
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.4-192.168.1.5 management
    dhcpd enable management
    !
    dhcpd address 192.168.10.20-192.168.10.30 private
    dhcpd enable private
    !
    dhcpd address 192.168.20.2-192.168.20.30 public
    dhcpd enable public
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.43.244.18
    ntp server 129.6.15.28

    webvpn
    group-policy Home_VPN internal
    group-policy Home_VPN attributes
     dns-server value 8.8.8.8 4.2.2.2
     vpn-tunnel-protocol ikev1 ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Home_VPN_splitTunnelAcl
     default-domain value www.xxxxxx.com
     address-pools value IPPOOL
     webvpn
      url-list value ClientlessBookmark
    group-policy kikou internal
    group-policy kikou attributes
     dns-server value 8.8.8.8 4.2.2.2
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value KaileY_splitTunnelAcl
     default-domain value XXXXXXX.dyndns.org
    username scottrog password xxxxxxxxxxxxxx encrypted privilege 0
    username john password xxxxxxxxxxxxxxx encrypted privilege 0
    username joek password xxxxxxxxxxxx encrypted privilege 0
    username eostrike password xxxxxxxxxxxx encrypted privilege 15
    username almostsi password xxxxxxxxxxxxxx encrypted privilege 0
    username ezdelarosa password xxxxxxxxxxxxxx encrypted privilege 0

    tunnel-group Home_VPN type remote-access
    tunnel-group Home_VPN general-attributes
     address-pool IPPOOL
     authentication-server-group LOCAL
     authorization-server-group (outside) LOCAL
     default-group-policy Home_VPN
     authorization-required
    tunnel-group Home_VPN ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile webvpn-attributes
     group-alias SSLVPNClient enable
    tunnel-group ClientLESS type remote-access
    tunnel-group kanazoé type remote-access
    tunnel-group kanazoé general-attributes
     address-pool VPN_POOL
     default-group-policy kikou
    tunnel-group KaileY ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group-map default-group Home_VPN
    !
    !
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:438ed6084bb3dc956574b1ce83f52b86
    : end
    ASA5505#

    Here are the NAT statements for your first question:

    object network obj-192.168.100.0
     subnet 192.168.100.0 255.255.255.0
    nat (private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.50.0 obj-192.168.50.0
    nat (private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0

    Then run 'clear xlate' after adding the above, and that should fix your first question.

    I will check your second question and get back to you shortly.
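The reply above fixes the classic ASA 8.3+ problem of a VPN address pool that is still caught by the inside interface's dynamic PAT because no identity twice-NAT rule (NAT exemption) names the pool as destination. The following is an added example, not code from this thread or from Cisco: a small audit that parses the pool, object and manual-NAT lines of a configuration and reports every VPN pool that no identity rule sourced on the inside interface covers. The sample configuration is constructed from the lines quoted above; the `subnet` lines under the objects and the assumption that an exemption for obj-192.168.50.0 already existed before the reply are mine, since the thread only shows the object names and the reply's NAT lines.

```python
"""Audit an ASA (8.3+ NAT syntax) configuration for VPN address pools that
no identity twice-NAT rule (NAT exemption) from the inside interface covers.

Added example, not code from the thread. The sample config is constructed
from the lines quoted in the thread; the 'subnet' lines under each object and
the pre-existing exemption for obj-192.168.50.0 are assumptions.
"""
import ipaddress
import re

# Constructed "before" config: both pools exist, but only IPPOOL
# (192.168.50.0/24) has an exemption; VPN_POOL (192.168.100.0/24) is still
# caught by the dynamic PAT on obj-192.168.10.0.
CONFIG_BEFORE = """\
ip local pool IPPOOL 192.168.50.2-192.168.50.10 mask 255.255.255.0
ip local pool VPN_POOL 192.168.100.2-192.168.100.10 mask 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
 nat (private,outside) dynamic interface
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
nat (private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.50.0 obj-192.168.50.0
"""

# The object and twice-NAT line the reply adds for the second pool.
FIX = """\
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
nat (private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
OBJECT_RE = re.compile(r"^object network (\S+)")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")
TWICE_NAT_RE = re.compile(
    r"^nat \((\S+?),(\S+?)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)


def parse_config(text):
    """Return (pools, objects, exemptions).

    pools:      pool name -> ip_network containing the pool range
    objects:    object name -> ip_network ('any' is pre-populated)
    exemptions: (source interface, destination object name) for every manual
                NAT line whose real and mapped objects are identical on both
                sides, i.e. an identity (no-translation) rule.
    """
    pools = {}
    objects = {"any": ipaddress.ip_network("0.0.0.0/0")}
    exemptions = []
    current = None  # object being defined, for the indented subnet/host lines
    for line in text.splitlines():
        if m := POOL_RE.match(line):
            name, first, _last, mask = m.groups()
            pools[name] = ipaddress.ip_network(f"{first}/{mask}", strict=False)
            current = None
        elif m := OBJECT_RE.match(line):
            current = m.group(1)
        elif current and (m := SUBNET_RE.match(line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := HOST_RE.match(line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
        elif m := TWICE_NAT_RE.match(line):
            src_if, _dst_if, s_real, s_mapped, d_real, d_mapped = m.groups()
            if s_real == s_mapped and d_real == d_mapped:
                exemptions.append((src_if, d_real))
            current = None
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the object block
    return pools, objects, exemptions


def pools_without_exemption(text, inside_if):
    """Names of pools that no identity rule sourced on inside_if covers."""
    pools, objects, exemptions = parse_config(text)
    covered = [objects[obj] for src_if, obj in exemptions
               if src_if == inside_if and obj in objects]
    return sorted(name for name, net in pools.items()
                  if not any(net.subnet_of(c) for c in covered))


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG_BEFORE), ("after fix", CONFIG_BEFORE + FIX)):
        print(f"{label}: pools lacking NAT exemption from 'private' =",
              pools_without_exemption(cfg, "private"))
```

Manual NAT lines sit in section 1 of the ASA NAT table and are evaluated before the object NAT in section 2, so once the identity rule exists it shadows the `dynamic interface` PAT for traffic to the pool; existing translations are not re-evaluated, which is why the reply ends with `clear xlate`. The check keys on the source interface on purpose: an exemption written as `nat (public,outside)` would leave hosts on `private` just as broken as before.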
