authentication of remote access, vpn and ldap

Similar Questions

• Remote access VPN and VPN S2S

  Remote access users are not able to reach our remote network via a tunnel from site to site VPN between two ASA 5505.

  I've seen several threads about this here, I ran through the procedure step by step http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml ... I got stabbed at setting split tunneling and nat exemption, but it seems that I'm missing something. Remote access users can reach the main site, but not on the remote site.

  (Vpn-houston) remote access using 192.168.69.0/24.

  The main site (houston) using 10.0.0.0/24

  The remote site (lugoff) uses 10.0.1.0/24

  Could I get a new look on my configs and maybe point out where I have gone wrong?

  Thank you...

  at first glance,'re missing you 'same-security-traffic permit intra-interface' in houston

  you're also missing this in houston:

  access-list extended sheep allowed ip vpn-houston 255.255.255.0 255.255.255.0 lugoff

  and this:

  permit access list extended ip vpn-houston 255.255.255.0 outside_cryptomap_1 255.255.255.0 lugoff

  and you will need to remove the second card useless encryption 3 lugoff, delete them:

  No crypto outside_map 3 game card address outside_cryptomap_3

  no card crypto outside_map 3 set pfs

  no card crypto outside_map 3 set peer 75.148.248.81

  no card crypto outside_map 3 the value transform-set ESP-3DES-SHA

  Let us know how it goes

• PIX 515E and remote access VPN

  I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

  I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

  Any help is appreciated,

  Hello

  Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

  Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

  There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

• Remote access VPN group name and password

  Hi guys,.

  Can someone tell me please the command to display a remote access VPN group name and the password on a firewall version 8.0 of ASA? Any help will be greatly appreciated.

  Thank you

  Lake

  Remote VPN IPsec IKEv1 access are listed as groups of tunnel. If you enter

  more system:running-config | b tunnel-group

  You can see the config sections (starting with the first mention of the tunnel-group) as well as the pre-shared key ikev1 plaintext String.

• L2l VPN and remote access VPN

  Hello

  I have 2 Cisco Pix (Pix1, Pix2) 515E (8.0.4). Between these devices exist VPN L2L, which are configured on the external interfaces. On Pix2 I configured remote access VPN on the external interface, too.

  Is it possible to achieve LAN behind Pix1, by using remote access VPN on Pix2 then VPN L2L?

  I don't want to set up remote access on Pix1.

  Thank you very much.

  Kind regards

  Vladislav

  NAT (outside) 1 140.40.30.0 255.255.255.0 (PAT for RA vpn to access the internet if you complete tunnel)

  It is simply because I have configured tunnel RA as complete tunnel instead of split, nat (outside) 1 at the RA 140.40.30.0 pool have internet access through your firewall ASA_SITE_B and translate with global ID 1 who is your external interface of the firewall SA_SITE_B. This has nothing to do with what you are trying to accomplish, but I posted it because it was part of the very common scenario. There are some example PIX 6.3 cases where you will need split tunnel so that RA users have internet access not passing not through the encrypted tunnel code 6.0 does not feature of intra-interface support but 7.x above is of the code. Other examples are that some people configure split RA RA user tunnel will have access to their local resources in their homes as the printers network etc...

  It is therefore, I need to translate 172.27.1.0/24 RA pool?

  No there is no address translation in place in this scenario to work and you don't need to translate something too long, there is no of networks that overlap in one of the SITES u do not need to translate, this scenario is completely free sheep as you access lists free of nat in two firewalls for networks involved in communication in tunnels ASA_SITE_B.

  Because I want to see IP addresses from PIX_SITE_A to 172.27.1.0/24, not 140.40.30.0/24. Is it possible to do it this way?

  Im not clear on this issue, but if I think what it means, it's possible but you need to have political NATing but I think this will make complicated setup, I would say to make this as simple as possible.

  Concerning

  All helpful PLS rate valid if it helped

• Cisco Asa 5505 and level 3 with remote access VPN switch

  Today I had a new CISCO LAYER 3 switch... So here's my scenrio

  Cisco Asa 5505

  I have

  Outside of the == 155.155.155.x

  Inside = 192.168.7.1

  Address POOL VPN = 10.10.10.1 - 10.10.10.20

  3 layer switch configuration

  VLAN 2

  ip address of the interface = 192.168.1.1

  VLAN 2

  ip address of the interface = 192.168.2.1

  VLAN 2

  ip address of 192.168.3.1 = interface

  VLAN 2

  ip address of the interface = 192.168.4.1

  VLAN 2

  ip address of the interface = 192.168.5.1

  IP Routing

  So I want the customers of my remote access VPN to access all that these networks. So please can you give me a useful tip or a link to set up the rest of my trip

  Thanks to you all

  Al ready has responded

  Sent by Cisco Support technique iPad App

• remote access VPN not connected - no access inside

  Hi, I have successfully configured remote access VPN router, it is connected, but no access to the inside, none of my ip addresses. I do not know SPLIT_ACL is ok and I've denied NATting them. For me, everything is ok. I did a lot in ASA, without anyproblem. Thanks for the comments.

  enable secret 5 $1$ y0AJ$ rhrjbrpe5NDiAyHGlfeNi.

  !

  AAA new-model

  !

  !

  AAA authentication login bcc_users local

  AAA authorization bcc_group LAN

  !

  crypto ISAKMP policy 10

  BA aes

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group ra_vpn_bcc

  key *.

  DNS 8.8.8.8

  bcc.local field

  pool vpn_pool

  ACL SPLIT_ACL

  Max-users 7

  netmask 255.255.255.0

  !

  !

  Crypto ipsec transform-set RIGHT aes - esp esp-sha-hmac

  tunnel mode

  !

  !

  !

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  market arriere-route

  !

  !

  card crypto client CRYPTO_VPN of authentication list bcc_users

  card crypto isakmp authorization list bcc_group CRYPTO_VPN

  crypto card for the CRYPTO_VPN client configuration address respond

  map CRYPTO_VPN 10-isakmp ipsec crypto dynamic dynmap

  !

  !

  interface GigabitEthernet0/0/4

  IP address %.

  NAT outside IP

  auto negotiation

  BFD interval 50 50 5 min_rx multiplier

  card crypto CRYPTO_VPN

  !

  !

  IP local pool vpn_pool 172.31.255.0 172.31.255.250

  NAT extended IP access list

  deny ip 10.0.0.0 0.255.255.255 172.31.255.0 0.0.0.255

  deny ip 172.16.0.0 0.0.255.255 172.31.255.0 0.0.0.255

  deny ip 192.168.0.0 0.0.255.255 172.31.255.0 0.0.0.255

  IP address 172.16.0.0 allow 0.15.255.255 all

  IP 192.168.0.0 allow 0.0.255.255 everything

  IP 10.0.0.0 allow 0.255.255.255 everything

   

  SPLIT_ACL extended IP access list

  IP 10.0.0.0 allow 0.255.255.255 172.31.255.0 0.0.0.255

  IP address 172.16.0.0 allow 0.0.255.255 172.31.255.0 0.0.0.255

  IP 192.168.0.0 allow 0.0.255.255 172.31.255.0 0.0.0.255

  Take a look at the delivery.

  You do not have a route to the VPN pool on a nearby device.

• Configuring remote access VPN

  Hi all

  I need help with remote access vpn configuration. I want to some remote users who have access to the internet on their system to connect and access an application server in my seat social cisco vpn client user. I use Cisco 881. I am unable to use the SDM configuration because it seems that SDM is not supported by the router so I'm using command line. I'd appreciate any help I can get. Thank you.

  This is the configuration I have:

  VPNROUT #sho run
  Building configuration...

  Current configuration: 6832 bytes
  !
  ! Last configuration change at 10:50:45 UTC Saturday, May 30, 2015, by thomas
  version 15.2
  no service button
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  no password encryption service
  !
  hostname VPNROUT
  !
  boot-start-marker
  boot-end-marker
  !
  !
  logging buffered 51200 warnings
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authentication login userauthen1 local
  AAA authorization groupauthor1 LAN
  !
  !
  !
  !
  !
  AAA - the id of the joint session
  iomem 10 memory size
  !
  Crypto pki trustpoint TP-self-signed-1632305899
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 1632305899
  revocation checking no
  rsakeypair TP-self-signed-1632305899
  !
  !
  TP-self-signed-1632305899 crypto pki certificate chain
  certificate self-signed 01
  3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 31363332 33303538 6174652D 3939301E 170 3134 30313233 31323132
  33325A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 36333233 65642D
  30353839 3930819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  8100BC0C 341CD79B A38572CE 1F0F9A91 F96B133C A889B564 E8352034 1CF5EE4B
  B505616B 6014041B EC498C0A F6C5CD2B F5BF62DA BD6E1C44 0C7B9089 1FD0C6E5
  299CEB40 28CD3F3B ADE3468A B07AAA9F AC42F0A7 4087172A 33C4013D 9A50884D
  5778727E 53A4940E 6E622460 560C F597DD53 3B 261584 E45E8776 A848B73D 5252
  92 50203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355 D
  551 2304 18301680 14E85AD0 DEF133D8 E09516FD 0AA5FDAD E10EAB1A FA301D06
  03551D0E E85AD0DE 04160414 F133D8E0 9516FD0A A5FDADE1 0EAB1AFA 300 D 0609
  2A 864886 818100A 5 05050003 5B23ED5B 9A380E1F 467ABB03 BAB1070B F70D0101
  7A 218377 73089DC1 D32DA585 C5FD7ECE 0D000F96 7F3AB6CC 71509E8F 3F1C55AE
  E37536A3 1008FBF9 A29329D5 6F76DDC0 AA1C70AE 958AAE5D 32388BE4 2C1C6839
  0369 D 533 027B612C 8D199C35 C008FE00 F7E1DF62 9C73E603 85C3240A 63611D 93
  854A61E2 794F8EF5 DA535DCC B209DA
  quit smoking
  !
  !
  !
  no record of conflict ip dhcp
  DHCP excluded-address IP 10.10.10.1
  DHCP excluded-address IP 172.20.0.1 172.20.0.50
  !
  DHCP IP CCP-pool
  import all
  Network 10.10.10.0 255.255.255.248
  default router 10.10.10.1
  Rental 2 0
  !
  IP dhcp pool 1
  network 172.20.0.0 255.255.240.0
  domain meogl.net
  router by default - 172.20.0.1
  172.20.0.4 DNS server 41.79.4.11 4.2.2.2 8.8.8.8
  8 rental
  !
  !
  !
  no ip domain search
  IP domain name meogl.net
  name of the IP-server 172.20.0.4
  name of the IP-server 41.79.4.11
  IP-server names 4.2.2.2
  8.8.8.8 IP name-server
  IP cef
  No ipv6 cef
  !
  !
  license udi pid CISCO881-K9 sn FCZ1804C3SL
  !
  !
  username secret privilege 15 thomas 4 JXSizd1r/hMqPpGz94vKBb5somtpZLy03k50rJvHO6c
  username privilege 15 secret 4 mowe hlfv/rdDRCAeTUzRXbOIfdaKhJCl1onoGdaQeaQsAnw
  !
  !
  !
  !
  !
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  ISAKMP crypto client configuration group moweclients
  XXXXXXX key
  DNS 172.20.0.4
  meogl.net field
  pool mowepool
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac moweset
  tunnel mode
  !
  !
  !
  Dynmap crypto dynamic-map 1
  Set transform-set moweset
  market arriere-route
  !
  !
  card crypto client mowemap of authentication list userauthen1
  card crypto isakmp authorization list groupauthor1 mowemap
  client configuration address card crypto mowemap answer
  mowemap 1 card crypto ipsec-isakmp dynamic dynmap
  !
  !
  !
  !
  !
  interface Loopback0
  IP 172.30.30.1 255.255.255.0
  IP nat inside
  IP virtual-reassembly in
  !
  interface FastEthernet0
  no ip address
  !
  interface FastEthernet1
  no ip address
  !
  interface FastEthernet2
  switchport access vlan 100
  no ip address
  !
  interface FastEthernet3
  no ip address
  !
  interface FastEthernet4
  IP 41.7.8.13 255.255.255.252
  NAT outside IP
  IP virtual-reassembly in
  intellectual property policy map route VPN-CLIENT
  Shutdown
  automatic duplex
  automatic speed
  mowemap card crypto
  !
  interface Vlan1
  Description $ETH_LAN$
  IP 10.10.10.1 255.255.255.248
  IP tcp adjust-mss 1452
  !
  interface Vlan100
  IP 172.20.0.1 255.255.240.0
  IP nat inside
  IP virtual-reassembly in
  !
  local pool IP 192.168.1.1 mowepool 192.168.1.100
  IP forward-Protocol ND
  IP http server
  23 class IP http access
  local IP http authentication
  IP http secure server
  IP http timeout policy slowed down 60 life 86400 request 10000
  !
  IP nat inside source overload map route interface FastEthernet4 LAT
  IP route 0.0.0.0 0.0.0.0 41.7.8.12
  !
  access-list 23 allow 10.10.10.0 0.0.0.7
  access-list 23 allow 172.20.0.0 0.0.15.255
  access-list 100 permit ip 172.20.0.0 0.0.15.255 everything
  access-list 144 allow ip 192.168.1.0 0.0.0.255 any
  not run cdp
  !
  LAT route map permit 1
  corresponds to the IP 100
  IP 41.7.8.12 jump according to the value
  !
  route VPN-CLIENT map permit 1
  corresponds to the IP 144
  !
  Line con 0
  no activation of the modem
  line to 0
  line vty 0 4
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  line vty 5 15
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  !
  !
  end

  Please the configuration above, give me the desired output.

  Thank you.

  Hello Thomas,.

  I'm glad to hear that you have found useful in the example configuration.

  I checked your configuration and everything seems ok with him, especially the statements of nat.

   ip local pool mowepool 192.168.1.1 192.168.1.100 access-list 100 deny ip 172.20.0.0 0.0.15.255 192.168.1.0 0.0.0.255 access-list 100 permit ip 172.20.0.0 0.0.15.255 any route-map LAT permit 1 match ip address 100 ip nat inside source route-map LAT interface FastEthernet4 overload interface Vlan100 ip address 172.20.0.1 255.255.240.0 ip nat inside ip virtual-reassembly in 

  Try to generate ICMP traffic behind your 100 VLANS to the client VPN in order to answer the following questions:

  -The router receives this traffic between VLAN100 unit?

  -The router is encrypt this traffic, after receiving the ICMP packet?

  #show crypto ipsec router its can help you with this question. Look for the program/decaps counters.

  -The same, but the other way around (from VPN client to device behind VLAN100) try to locate the problem.

  The following document explains more this crypto commands and debugs if necessary.

  http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation-IKE-protocols/5409-IPSec-debug-00.html#iosdbgs

• Remote access VPN pix version 8.0 (3)

  Hi all

  First of all, I would like to thank to all members of the forum who got help in several messages on the configuration of the pix 515.

  I am now configuring remote VPN access with radius authentication to my network, but I can't connect.

  I use the cisco vpn client 5.0.03.0560, I have also tested my pix radius (inside) server authentication and works very well.

  I already tried to retype the key of the cli, but I still can't remote access vpn to work.

  I also tried to create another remote vpn with another name and local authentication, but I have the same problem.

  I use 8.0 (3) version pix.

  Can someone help me

  I attach the log file of the cisco vpn client to help solve the problem, as well a configuration of the pix folder.

  Thank you very much in advance and I seek prior information.

  http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/vpnadd.html#wp999516

  [Pls RATE if HELP]

• How to use ACS 5.2 to create a static ip address user for remote access VPN

  Hi all

  I have the problem. Please help me.

  Initially, I use ACS 4.2 to create the static ip address for VPN remote access user, it's easy, configuration simply to the user defined > address assignment IP Client > assign the static IP address, but when I use ACS 5.2 I don't ' t know how to do.

  I'm trying to add the IPv4 address attribute to the user to read "how to use 5.2 ACS", it says this:

  1Ajouter step to attribute a static IP address to the user attribute dictionary internal:

  Step 2select System Administration > Configuration > dictionaries > identity > internal users.

  Step 3click create.

  Static IP attribute by step 4Ajouter.

  5selectionnez users and identity of the stage stores > internal identity stores > users.

  6Click step create.

  Step 7Edit static IP attribute of the user.

  I just did, but this isn't a job. When I use EasyVPN client to connect to ASA 5520, user could the success of authentication but will not get the static IP I set up on internal users, so the tunnel put in place failed. I'm trying to configure a pool of IP on ASA for ACS users get the IP and customer EasyVPN allows you to connect with ASA, everything is OK, the user authenticates successed.but when I kill IP pool coufigurations and use the "add a static IP address to the user 'configurations, EzVPN are omitted.

  so, what should I do, if anyboby knows how to use ACS 5.2 to create a user for ip address static for remote access VPN, to say please.

  Wait for you answer, no question right or not, please answer, thank you.

  There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instuctions in the two slides attached

• Remote access VPN with ASA 5510 by using the DHCP server

  Hello

  Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?

  I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:

  !

  ASA Version 8.2 (5)

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 10.6.0.12 255.255.254.0

  !

  IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)

  !

  Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Crypto-map dynamic dyn1 1jeu transform-set FirstSet

  dynamic mymap 1 dyn1 ipsec-isakmp crypto map

  mymap map crypto inside interface

  crypto ISAKMP allow inside

  crypto ISAKMP policy 1

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 43200

  !

  VPN-addr-assign aaa

  VPN-addr-assign dhcp

  !

  internal group testgroup strategy

  testgroup group policy attributes

  DHCP-network-scope 10.6.192.1

  enable IPSec-udp

  IPSec-udp-port 10000

  !

  username testlay password * encrypted

  !

  tunnel-group testgroup type remote access

  tunnel-group testgroup General attributes

  strategy-group-by default testgroup

  DHCP-server 10.6.20.3

  testgroup group tunnel ipsec-attributes

  pre-shared key *.

  !

  I got following output when I test connect to the ASA with Cisco VPN client 5.0

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO

  4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID

  Jan 16 15:39:21 [IKEv1]: Group = testgroup, I

  [OK]

  KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72

  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable

  Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64

  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes

  Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.

  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.

  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!

  Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets.  No last packet retransmit.

  Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload

  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload

  Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets.  No last packet retransmit.

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address

  Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048) , : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740) , : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

  Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80

  Kind regards

  Lay

  For the RADIUS, you need a definition of server-aaa:

  Protocol AAA - NPS RADIUS server RADIUS

  AAA-server RADIUS NPS (inside) host 10.10.18.12

  key *.

  authentication port 1812

  accounting-port 1813

  and tell your tunnel-group for this server:

  General-attributes of VPN Tunnel-group

  Group-NPS LOCAL RADIUS authentication server

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• ASA 5505 - remote access VPN to access various internal networks

  Hi all

  A customer has an ASA 5505 with a remote access vpn. They are moving their internal network to a new regime and that you would be the users who come on the vpn to access the existing and new networks. Currently can only access the existing. When users connect to access remote vpn, the asa gave them the address 192.168.199.x. The current internal network is 200.190.1.x and that they would reach their new network of 10.120.110.x.

  Here is the config:

  :

  ASA Version 8.2 (5)

  !

  ciscoasa hostname

  enable encrypted password xxx

  XXX encrypted passwd

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 200.190.1.15 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 255.255.255.0 xxxxxxx

  !

  exec banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

  connection of the banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

  banner asdm the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

  passive FTP mode

  access extensive list ip 200.190.1.0 inside_access_in allow 255.255.255.0 any

  outside_access_in list extended access permit icmp any external interface

  access extensive list ip 192.168.199.0 outside_access_in allow 255.255.255.192 host 10.120.110.0

  Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 200.190.1.0 255.255.255.0

  MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0

  access extensive list ip 200.190.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192

  inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  mask 192.168.199.10 - 192.168.199.50 255.255.255.0 IP local pool Remote_IPSEC_VPN_Pool

  IP verify reverse path to the outside interface

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow all outside

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 200.190.1.0 255.255.255.0

  inside_access_in access to the interface inside group

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 190.213.43.1 1

  Route inside 10.120.110.0 255.255.255.0 200.190.1.50 1

  Route inside 192.168.50.0 255.255.255.0 200.190.1.56 1

  Route inside 192.168.60.0 255.255.255.0 200.190.1.56 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  http server enable 10443

  http server idle-timeout 5

  Server of http session-timeout 30

  HTTP 200.190.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  Crypto ca trustpoint _SmartCallHome_ServerCA

  Configure CRL

  Crypto ca certificate chain _SmartCallHome_ServerCA

  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

  (omitted)

  quit smoking

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Crypto isakmp nat-traversal 3600

  Telnet timeout 5

  SSH 200.190.1.0 255.255.255.0 inside

  SSH timeout 5

  SSH version 2

  Console timeout 5

  dhcpd outside auto_config

  !

  a basic threat threat detection

  scanning-threat shun threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  allow outside

  internal MD_SSL_Gp_Pol group strategy

  attributes of Group Policy MD_SSL_Gp_Pol

  VPN-tunnel-Protocol webvpn

  WebVPN

  list of URLS no

  disable the port forward

  hidden actions no

  disable file entry

  exploration of the disable files

  disable the input URL

  internal MD_IPSEC_Tun_Gp group strategy

  attributes of Group Policy MD_IPSEC_Tun_Gp

  value of banner welcome to remote VPN

  VPN - connections 1

  VPN-idle-timeout 5

  Protocol-tunnel-VPN IPSec webvpn

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list MD_IPSEC_Tun_Gp_splitTunnelAcl

  the address value Remote_IPSEC_VPN_Pool pools

  WebVPN

  value of the RDP URL-list

  attributes of username (omitted)

  VPN-group-policy MD_IPSEC_Tun_Gp

  type of remote access service

  type tunnel-group MD_SSL_Profile remote access

  attributes global-tunnel-group MD_SSL_Profile

  Group Policy - by default-MD_SSL_Gp_Pol

  type tunnel-group MD_IPSEC_Tun_Gp remote access

  attributes global-tunnel-group MD_IPSEC_Tun_Gp

  address pool Remote_IPSEC_VPN_Pool

  Group Policy - by default-MD_IPSEC_Tun_Gp

  IPSec-attributes tunnel-group MD_IPSEC_Tun_Gp

  pre-shared key *.

  !

  !

  context of prompt hostname

  : end

  The following ACL and NAT exemption ACL split tunnel is incorrect:

  MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0

  inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192

  It should have been:

  Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 10.120.110.0 255.255.255.0

  access extensive list ip 10.120.110.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192

  Then 'clear xlate' and reconnect with the VPN Client.

  Hope that helps.

• active monitoring of remote access vpn connections

  Hi all

  I use asa 5520, and asa 5540 for remote access vpn connections. Is it possible to active my vpn connections monitoring so that there would be alerts for vpn tunnels which fail to implement for other reasons other than the authentication of users? Pls advise. Thks in advance.

  Kiwi Syslog will work fine - as long as you have a licensed version, a 'free' version does not support e-mail extras.

  See the url below and search for "VPN", you will see what VPN syslog codes you can choose from.

  http://www.Cisco.com/en/us/docs/security/ASA/asa83/system/message/logmsgs.html

  HTH >

• ODA IP ASA when you browse the web via remote access vpn

  Hi all

  I was wondering if it is possible to configure an ASA5510 in a way to allow users remote access VPN use external IP of the ASA when browsing the web. So what I'm looking for is a solution to hide my IP address and use the IP address of the ASA, when browsing.

  The firmware version of the ASA is 9.1 (6)

  Thanks in advance

  Hello

  What you want to achieve is calles u-turn.

  You must enable the feature allowed same-security-traffic intra-interface

  For the configuration of the asa, here's the Cisco documentation (I don't copy paste on the post):

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  Thank you

  PS: Please do not forget to rate and score as good response if this solves your problem

• Remote access VPN user permission

  Hi support them.

  It is a way for a remote access VPN to allow some users access to "Host A, B, C" and other users to access hosts D, E, F? Basically, we want to have some users have access at home to a few servers and other users have access only to some other servers. Is this possible without a GANYMEDE or some other device? Thank you guys!

  Hi John,.

  Yes, you can configure split tunneling to allow a specific group of users access to specific hosts.
  How this is achieved, it is that you create a connection profile different for different users, associate a policy group and the title of each group policy, you have a split tunnelling access-list defined with entries of different hosts.

  You must create 2 profiles of connection here and match them with 2-group policy allowing access to 2 differernt resources (they can be multiple as well)

  Here is a reference document: -.

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-AnyConnect-config.html

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.