Telnet authentication proxy
Hello
With Telnet IP authentication proxy, is it true that the router only sends the username and password to the RADIUS server, and not the source IP address of the inside host? So how does the source IP of the inside host get added to the ACL downloaded from the RADIUS server? Does the router add it?
Thank you.
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely exploitable buffer overflow condition.
Devices that do not support or are not configured for FTP or Telnet firewall authentication proxy services are not affected.
Devices configured only with authentication proxy for HTTP or HTTPS are not affected.
http://www.Cisco.com/en/us/products/products_security_advisory09186a00805117cb.shtml
Similar Questions
-
Client certificate authentication and WSA HTTPS proxy
Hello
At a client's site, we have a virtual WSA proxy with WCCP running behind an ASA firewall. We are facing only one problem: the customer has a site that authenticates the client through a certificate. It does not work. If I disable the transparent proxy for this host, everything works fine.
I solved it for now by bypassing the proxy server for the specific site. Is there another solution to allow clients to authenticate using certificates to a website?
Hello
Does it mean that (some) websites request a client certificate for authentication during the SSL negotiation?
If this is true, can you check your HTTPS option in the CLI: by default, when HTTPS servers request a client certificate during the handshake, the WSA responds that no certificate is available and the handshake normally breaks.
To check this:
1. Log in to the CLI.
2. Type advancedproxyconfig.
3. Type HTTPS.
4. Keep pressing Enter to accept the default values until you reach "Action to be taken when HTTPS servers request a client certificate during the handshake:" and change it to "pass through the transaction".
5. Keep pressing Enter until you are back at the initial prompt.
6. Type commit to save the change.
-
Configuring the ASA to support ISA authentication proxy
I have an ASA configured for Internet access and remote VPN termination. I would like to use ISA authentication proxy for remote-access VPN clients. How do I configure support for this on the ASA?
Topology: Inside network ===> ISA ===> ASA ===> Internet
David,
Given that this is a Cisco forum (I could google it, but I'd rather have the record directly in a thread), can you tell me what the role of the ISA authentication proxy is, and how it works?
Normally, proxy authentication (auth-proxy on routers and cut-through proxy on firewalls) is transparent to other devices on the network.
-
Why does Firefox 18 behind a proxy server refuse all HTTPS connections?
I used to have Firefox 17 and everything worked OK, but I just installed Firefox 18 in my Windows XP SP3 environment and I can't connect to HTTPS sites through the company proxy.
The company proxy requires LM/NTLM authentication; the proxy server is an IPCop machine (Squid proxy).
After the update to Firefox 18, for all sites that use an HTTPS connection, the answer is:
The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing connections. Check the proxy settings to make sure that they are correct. Contact your network administrator to make sure the proxy server is working.
The Squid log shows lines with the connection refused because of the required authentication (domain/username and password) settings:
1357912572.640 1 (my IP) TCP_DENIED/407 1586 CONNECT www.orange.ro:443 - NONE/text/html
As you can see, no domain/username was filled in the log.
Here is a line with authorization from another browser:
1357920874.657 1348 (my IP) TCP_MISS/200 2549 CONNECT www.orange.ro:443 (mydomain\myusername) DIRECT/109.166.184.137-
I changed the sensitive data.
Thank you
I see a lot of proxy problems reported by users of Firefox 18, so you're not the only one with this problem.
For now, I advise you to go back to Firefox 17.0.1 until Mozilla fixes this bug.
Link:
http://www.Mozilla.org/en-us/products/download.html?product=Firefox-17.0.1 & OS = Win & lang = en-US
http://www.Mozilla.org/en-us/products/download.html?product=Firefox-17.0.1 & os = OSX & lang = en-US
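The two Squid log lines quoted in this thread are the whole diagnosis: a CONNECT answered with TCP_DENIED/407 and an empty username field means the browser never completed proxy authentication. The following is an added example, not code from the thread or from Squid, that parses native-format access.log lines and reports clients that only ever receive the 407 challenge; the client addresses and the domain\user in the sample are constructed.

```python
"""Spot clients that never complete proxy authentication in a Squid access.log.

Added example, not from the forum thread. It parses the native Squid log format
of the two lines quoted above and reports clients whose CONNECT requests only
ever produced TCP_DENIED/407 with no username, which is what a browser that has
stopped answering the NTLM challenge looks like from the proxy side.
"""
import re
from collections import defaultdict

# Native Squid format: time elapsed client code/status bytes method URL user hierarchy/peer [type]
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)(?:\s+(?P<ctype>\S+))?\s*$"
)

# Constructed sample in the style of the thread; client addresses and the
# domain\user are made up. 10.0.0.15 only ever gets the 407 challenge;
# 10.0.0.22 gets one 407 (normal: NTLM starts with a challenge) and then
# completes the handshake with a username on the next request.
SAMPLE_LOG = """\
1357912572.640 1 10.0.0.15 TCP_DENIED/407 1586 CONNECT www.orange.ro:443 - NONE/- text/html
1357912573.120 1 10.0.0.15 TCP_DENIED/407 1586 CONNECT www.orange.ro:443 - NONE/- text/html
1357920874.102 2 10.0.0.22 TCP_DENIED/407 1586 CONNECT www.orange.ro:443 - NONE/- text/html
1357920874.657 1348 10.0.0.22 TCP_MISS/200 2549 CONNECT www.orange.ro:443 mydomain\\myusername DIRECT/109.166.184.137 -
this line is not a squid record and is skipped
"""


def parse_line(line):
    """Return the fields of one native-format access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Per client: CONNECTs refused with 407 and requests that carried a username."""
    stats = defaultdict(lambda: {"denied_407": 0, "authenticated": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than miscount them
        s = stats[rec["client"]]
        if rec["method"] == "CONNECT" and rec["status"] == 407:
            s["denied_407"] += 1
        if rec["user"] != "-":
            s["authenticated"] += 1
            s["users"].add(rec["user"])
    return dict(stats)


def clients_never_authenticating(log_text):
    """Clients with 407 refusals on CONNECT and no authenticated request at all.

    A lone 407 is not an error: it is the challenge that starts the NTLM
    exchange. The signal is a client that keeps receiving the challenge and
    never follows up with credentials.
    """
    return sorted(client for client, s in summarize(log_text).items()
                  if s["denied_407"] > 0 and s["authenticated"] == 0)


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        print(client, s["denied_407"], s["authenticated"], sorted(s["users"]))
    print("never authenticated:", clients_never_authenticating(SAMPLE_LOG))
```
-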
Definition of password-protected proxy user roles
Hi all, I am using the 'certified written' option in EclipseLink, using a connection pool for reads and authenticated writes through Oracle proxy users for this functionality. I set these properties while creating the EntityManager according to the docs, like this:
// Properties passed when creating the EntityManager; user and col hold the proxy user's credentials
HashMap emProps = new HashMap();
emProps.put(EntityManagerProperties.ORACLE_PROXY_TYPE, OracleConnection.PROXYTYPE_USER_NAME);
emProps.put(OracleConnection.PROXY_USER_NAME, user);
emProps.put(OracleConnection.PROXY_USER_PASSWORD, col);
emProps.put(OracleConnection.PROXY_ROLES, new String[] {"password_protected_user_role"});
It works like a charm so far.
As we are migrating from an older application to a three-tier architecture: in the old application every user got the role set like this:
DBMS_SESSION.SET_ROLE('password_protected_user_role IDENTIFIED BY password');
Does anyone know how I can use this with proxy users?
I tried setting the role using the above statement in a native query, but this has the effect that the role is lost after each commit(). I think it's because the setting of the role is tied to the connection somehow; after commit() the connection from the pool is used again, and then the role has disappeared. But I don't know if this is the explanation.
Later,
Tom
Edited by: hasTom on 27.07.2009 08:27
You can configure the EntityManager to use the same connection. Add:
emProps.put(EntityManagerProperties.EXCLUSIVE_CONNECTION_MODE, "Always");
Note that in this case reads and writes are made through that connection.
Be sure to close the EntityManager when you're finished with it, in order to avoid a connection leak.
For setting/clearing user-specific data on the connection, I would use the postAcquireConnection/preReleaseConnection events.
-
ASA AnyConnect VPN does not work or download the VPN client
I have a Cisco ASA 5505 that I am trying to configure for AnyConnect VPN. I've changed my setup several times, but when I try to reach my static public IP address on the outside interface to download the image, I am not able to. Also, when I do a packet tracer, I see the packets are dropped by the ACL when they come from outside to the ASA on port 443. So it looks like my DMZ is catching anything trying to access the ASA via the VPN on port 443. Here is my config:
XXXX# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname XXXX
domain-name
enable password pFTzVNrKdD9x5rhT encrypted
passwd zPBAmb8krxlXh.CH encrypted
names
!
interface Ethernet0/0
description Outside-interface
switchport access vlan 20
!
interface Ethernet0/1
description Uplink DMZ
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
description TACACS+ ID
switchport access vlan 10
switchport monitor Ethernet0/0
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
description Wireless_AP_Loft
switchport access vlan 10
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
ip address x.x.x.249 255.255.255.248
!
interface Vlan30
no forward interface Vlan10
nameif dmz
security-level 50
ip address 172.16.30.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network Webserver_DMZ
host 172.16.30.8
object network Mailserver_DMZ
host 172.16.30.7
object network DMZ
subnet 172.16.30.0 255.255.255.0
object network FTPserver_DMZ
host 172.16.30.9
object network Public-IP-subnet
subnet x.x.x.248 255.255.255.248
object network FTPserver
host 172.16.30.8
object network inside
subnet 192.168.10.0 255.255.255.0
object network VPN_SSL
subnet 10.101.4.0 255.255.255.0
access-list outside_in extended permit tcp any object Mailserver_DMZ eq www log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 587 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq smtp log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq pop3 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 2525 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq imap4 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 465 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 993 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 995 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 5901 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq https log
access-list vpn_SplitTunnel remark ACL for Split Tunnel VPN
access-list vpn_SplitTunnel standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging trap warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_SSL 10.101.4.1-10.101.4.4 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside inside destination static VPN_SSL VPN_SSL
nat (outside,inside) source static VPN_SSL VPN_SSL
!
object network obj_any1
nat (inside,outside) static interface
object network Webserver_DMZ
nat (dmz,outside) static x.x.x.250
object network Mailserver_DMZ
nat (dmz,outside) static x.x.x.251
object network DMZ
nat (dmz,outside) static interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HNIC protocol tacacs+
aaa-server HNIC (inside) host 192.168.10.2
timeout 60
key *
user-identity default-domain LOCAL
aaa authentication http console HNIC
aaa authentication ssh console HNIC
aaa authentication telnet console HNIC
aaa authentication secure-http-client
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint localtrust
enrollment self
crl configure
crypto ca trustpoint VPN_Articulate2day
enrollment self
subject-name CN=vpn.articulate2day.com
keypair sslvpnkey
crl configure
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
console timeout 0
no vpn-addr-assign aaa
dhcp-client update dns
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.150 inside
dhcpd enable inside
!
dhcpd address 172.16.30.20-172.16.30.23 dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 192.168.10.2
webvpn
enable outside
anyconnect image disk0:/anyconnect-linux-64-3.1.06079-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy VPN_SSL internal
group-policy VPN_SSL attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
address-pools value VPN_SSL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 15
anyconnect ssl compression deflate
anyconnect ask enable
username ronmitch50 password spn1SehCw8TvCzu7 encrypted
username ronmitch50 attributes
service-type remote-access
tunnel-group VPN_SSL_Clients type remote-access
tunnel-group VPN_SSL_Clients general-attributes
address-pool VPN_SSL
default-group-policy VPN_SSL
tunnel-group VPN_SSL_Clients webvpn-attributes
group-alias VPNSSL_GNS3 enable
tunnel-group VPN_SSL type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
XXXX#
You do not have this configuration:
object network DMZ
nat (dmz,outside) static interface
Try changing it to (or deleting it):
object network DMZ
nat (dmz,outside) dynamic interface
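The answer above points at one line: a subnet object NATted with "static interface" claims the outside interface address for the DMZ, so inbound traffic to the ASA's own address on 443 (the AnyConnect portal) is pulled into the DMZ instead. The following is an added example, not code from the thread or from Cisco, that parses ASA object-NAT blocks the way "show run" prints them (definition first, the nat sub-command in a later block of the same name) and flags that pattern; it goes one step further and also flags a host object statically mapped to the interface with no "service" clause, which redirects every inbound port in the same way. The configuration excerpt is constructed, with 203.0.113.250 standing in for the thread's x.x.x.250.

```python
"""Lint an ASA 8.3+ configuration for object NAT that hijacks an interface address.

Added example, not from the forum thread or from Cisco. It parses "object
network" blocks the way "show run" prints them (definition first, the nat
sub-command in a second block with the same name later on) and flags the
pattern the answer above points at: a subnet object with "nat (x,y) static
interface". It also flags the host-object form when no "service" clause limits
it, since that too redirects every inbound port of the interface address.
"""
import re

OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s*subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^\s*host (\S+)$")
DESC_RE = re.compile(r"^\s*description\b")
NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\) (static|dynamic) (\S+)(.*)$")

# Constructed configuration excerpt in the style of the thread; the public
# address 203.0.113.250 stands in for the x.x.x.250 of the original.
BROKEN_CONFIG = """\
ASA Version 8.4(3)
!
object network Webserver_DMZ
 host 172.16.30.8
object network DMZ
 subnet 172.16.30.0 255.255.255.0
 description constructed DMZ subnet object
object network inside
 subnet 192.168.10.0 255.255.255.0
access-list outside_in extended permit tcp any object Webserver_DMZ eq www
!
object network Webserver_DMZ
 nat (dmz,outside) static 203.0.113.250
object network DMZ
 nat (dmz,outside) static interface
object network inside
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
"""

# The corrected form from the answer: PAT the DMZ subnet behind the interface instead.
FIXED_CONFIG = BROKEN_CONFIG.replace("nat (dmz,outside) static interface",
                                     "nat (dmz,outside) dynamic interface")


def parse_network_objects(config_text):
    """Return {name: {"kind": "subnet"|"host"|None, "value": str|None, "nat": [...]}}."""
    objects, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if (m := OBJECT_RE.match(line)):
            # Re-entering a block merges with the earlier definition of the same object.
            current = objects.setdefault(m.group(1), {"kind": None, "value": None, "nat": []})
        elif current is not None and (m := SUBNET_RE.match(line)):
            current["kind"], current["value"] = "subnet", f"{m.group(1)} {m.group(2)}"
        elif current is not None and (m := HOST_RE.match(line)):
            current["kind"], current["value"] = "host", m.group(1)
        elif current is not None and DESC_RE.match(line):
            pass  # descriptions belong to the block but carry nothing we need
        elif current is not None and (m := NAT_RE.match(line)):
            real_if, mapped_if, mode, mapped, rest = m.groups()
            current["nat"].append({"from": real_if, "to": mapped_if, "mode": mode,
                                   "mapped": mapped, "service": "service" in rest.split()})
        else:
            current = None  # any other command ends the object block
    return objects


def lint_interface_nat(config_text):
    """Return (object name, message) for each static-to-interface object NAT that claims the address."""
    findings = []
    for name, obj in parse_network_objects(config_text).items():
        for nat in obj["nat"]:
            if nat["mode"] != "static" or nat["mapped"] != "interface" or nat["service"]:
                continue
            if obj["kind"] == "subnet":
                msg = (f"static NAT of subnet {obj['value']} to the {nat['to']} interface "
                       f"address claims all inbound traffic to that address; "
                       f"use 'nat ({nat['from']},{nat['to']}) dynamic interface' for outbound PAT")
            else:
                msg = (f"static NAT of host {obj['value']} to the {nat['to']} interface "
                       f"address has no 'service' clause, so every inbound port is redirected")
            findings.append((name, msg))
    return findings


if __name__ == "__main__":
    for name, msg in lint_interface_nat(BROKEN_CONFIG):
        print(f"{name}: {msg}")
    print("after fix:", lint_interface_nat(FIXED_CONFIG))
```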
-
Problem with remote-access VPN users accessing a site-to-site VPN network
I did the following setup: an ASA 5510 configured for remote-access VPN. My VPN users receive addresses from the ASA 5510 in the range 192.168.50.0/24 and access my local LAN 192.168.0.0/24. On the second side of the local LAN 192.168.0.0/24, on an ASA 5505, I did a site-to-site VPN with network 192.168.5.0/24; on that site both sides are ASA 5505s. The inside interface of the ASA 5510 has address 192.168.0.10 and the inside interface of the ASA 5505 has address 192.168.0.17. The third ASA 5505, on network 192.168.5.0/24, has address 192.168.5.1. I want my remote-access VPN users to be able to access resources on network 192.168.5.0/24. I created a static route on the inside of the ASA 5510 (route inside 192.168.5.0 255.255.255.0 192.168.0.17) and a static route on the inside of the ASA 5505 (route inside 192.168.50.0 255.255.255.0 192.168.0.10), but it's not working. What do I do?
The running configuration of my ASA 5510 is:
Result of the command: "show run"
: Saved
:
ASA Version 8.4(2)
!
hostname asa5510
domain-name dri.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/2
description Mreza za virtualne masine- mail server, wsus....
nameif DMZ
security-level 50
ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dri.local
object network VPN-POOL
subnet 192.168.50.0 255.255.255.0
description VPN Client pool
object network LAN-NETWORK
subnet 192.168.0.0 255.255.255.0
description LAN Network
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network 192.168.0.10
host 192.168.0.10
object service ssl
service tcp destination eq 465
object service tls
service tcp destination eq 995
object network mail_server
host 172.16.20.201
object service StartTLS
service tcp destination eq 587
object service admin_port
service tcp destination eq 444
object service ODMR
service tcp destination eq 366
object service SSL-IMAP
service tcp destination eq 993
object network remote
host 172.16.20.200
object network test
host 192.168.0.22
object network mail
host 172.16.20.200
object network DMZ
host 172.16.20.200
object network Inside_DMZ
host 192.168.0.20
object service rdp
service tcp destination eq 3389
object network DRI_PS99
host 192.168.0.54
object service microsoft_dc
service tcp destination eq 445
object service https448
service tcp destination eq 448
object network mail_server_internal
host 172.16.20.201
object service Acronis_remote
service tcp destination eq 9876
object service Acronis_25001
service tcp destination eq 25001
object service HTTP3000
service tcp destination eq 3000
object network VPNPOOL
subnet 192.168.50.0 255.255.255.0
object-group network PAT-SOURCE-NETWORKS
description Source networks for PAT
network-object 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object admin_port
service-object object ssl
service-object object tls
service-object object https448
object-group service DM_INLINE_SERVICE_2
service-object object admin_port
service-object object https448
service-object object ssl
service-object object tls
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_3
service-object object admin_port
service-object object https448
service-object object ssl
service-object tcp destination eq smtp
service-object object tls
service-object object Acronis_remote
service-object tcp destination eq www
service-object object Acronis_25001
service-object object microsoft_dc
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group service DM_INLINE_SERVICE_4
service-object object Acronis_25001
service-object object Acronis_remote
service-object object microsoft_dc
service-object tcp destination eq www
service-object tcp
service-object ip
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object mail
access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ extended permit object-group DM_INLINE_SERVICE_4 172.16.20.0 255.255.255.0 any
access-list DMZ extended permit object-group DM_INLINE_SERVICE_3 host 172.16.20.201 any
access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 172.16.20.0 255.255.255.0 any inactive
access-list DMZ extended deny tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
!
object network mail_server
nat (DMZ,outside) static x.x.x.179
object network mail
nat (DMZ,outside) static x.x.x.180
access-group outside_access_in in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 178.254.133.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record dripolisa
aaa-server DRI protocol ldap
aaa-server DRI (inside) host 192.168.0.20
ldap-base-dn DC=dri,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
virtual telnet 192.168.1.12
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 195.222.96.223
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.14-192.168.0.45 inside
!
dhcpd address 172.16.20.2-172.16.20.150 DMZ
dhcpd dns x.x.x.177 interface DMZ
dhcpd auto_config outside interface DMZ
dhcpd option 6 ip x.x.x.177 interface DMZ
dhcpd enable DMZ
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_x.x.x.223 internal
group-policy GroupPolicy_x.x.x.223 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy drivpn internal
group-policy drivpn attributes
dns-server value 192.168.0.20 192.168.0.254
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-network-list value Split_Tunnel_List
default-domain value dri.local
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group drivpn type remote-access
tunnel-group drivpn general-attributes
address-pool vpnadrese
authentication-server-group DRI
default-group-policy drivpn
tunnel-group drivpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.223 type ipsec-l2l
tunnel-group x.x.x.223 general-attributes
default-group-policy GroupPolicy_x.x.x.223
tunnel-group x.x.x.223 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
inspect ip-options
inspect netbios
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:69c651e94663fc570b67e0c4c0dcbae1
: end
Running config of the ASA 5505:
Result of the command: "show run"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password csq7sfr0bQJqMGET encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.5.0 PALATA
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.13.74.33 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
object-group service Sharepoint8080 tcp
port-object eq 8080
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.0.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail errors
logging from-address
logging recipient-address level debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) 10.13.74.35 192.168.0.22 netmask 255.255.255.255
static (inside,outside) 10.13.74.34 192.168.0.20 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route inside 0.0.0.0 0.0.0.0 192.168.0.17 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 10.13.74.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
http 10.15.100.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 192.168.0.53
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_2_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.15.100.15
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group 10.15.100.15 type ipsec-l2l
tunnel-group 10.15.100.15 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 173.194.79.109
prompt hostname context
Cryptochecksum:4767b6764cb597f0a7b8b138587d4192
: end
Thank you
Hello
I have edited my post; my initial response was in fact not necessary, since you were actually using Full Tunnel.
EDIT: Actually, I just noticed that the VPN client isn't using Split Tunnel. It's Full Tunnel at the moment since it doesn't have the "split-tunnel-policy tunnelspecified".
So you don't really have any of those.
Please mark the question as answered and/or rate the response.
Ask more if necessary
-Jouni
-
Routing Client VPN traffic via Site-to-Site VPN
Hello
We have the following scenario:
- Office (192.168.2.x)
- Data Center (212.64.x.x)
- Home workers (192.168.2.x) (scope DHCP is in the office subnet)
Connections:
- Office to Data Center traffic is routed through a Site-to-Site IPSec VPN, which works very well.
- Home workers to the Office are routed through an IPSec VPN Client.
The issue we have right now is that the Client VPN works, and we have implemented a split tunnel which includes only the Office subnet in the network list.
What I need to do is route all traffic from 'Home' to 'Data Center' via the Site-to-Site VPN that is configured.
I tried to add the Data Center IP ranges to the Client VPN split-tunnel list, but when I do that and try to connect from home, I just get "connection timed out" or denied, as if it were protected by a firewall?
Could you please let me know what I missed?
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name skiddle.internal
enable password xxx encrypted
passwd xxx encrypted
names
name 188.39.51.101 dev.skiddle.com description Dev External
name 192.168.2.201 dev.skiddle.internal description Internal Dev server
name 164.177.128.202 www-1.skiddle.com description Skiddle web server
name 192.168.2.200 Newserver
name 217.150.106.82 Holly
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.3.250 255.255.255.0
!
!
time-range Workingtime
periodic weekdays 9:00 to 18:00
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server Newserver
domain-name skiddle.internal
same-security-traffic permit inter-interface
object-group service Mysql tcp
port-object eq 3306
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network rackspace-public-ips
description Rackspace Public IPs
network-object 164.177.132.16 255.255.255.252
network-object 164.177.132.72 255.255.255.252
network-object 212.64.147.184 255.255.255.248
network-object 164.177.128.200 255.255.255.252
object-group network Cuervo
description Test access for cuervo
network-object host Holly
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit ip any any
access-list outside_access_in remark ENABLES Watermark Wifi ACCESS TO DEV SERVER!
access-list outside_access_in extended permit tcp 188.39.51.0 255.255.255.0 interface outside object-group DM_INLINE_TCP_4 time-range Workingtime
access-list outside_access_in remark ENABLES OUTSDIE ACCESS TO DEV SERVER!
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_3
access-list outside_access_in remark Public Skiddle Network > Dev server
access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 interface outside eq www
access-list outside_access_in extended permit tcp object-group rackspace-public-ips interface outside eq ssh
access-list outside_access_in remark OUTSIDE ACCESS TO DEV SERVER
access-list outside_access_in extended permit tcp object-group Cuervo interface outside object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 host dev.skiddle.internal object-group DM_INLINE_TCP_2 inactive
access-list inside_access_in_1 remark HTTP OUT
access-list inside_access_in_1 extended permit tcp any any eq www
access-list inside_access_in_1 remark HTTPS OUT
access-list inside_access_in_1 extended permit tcp any any eq https
access-list inside_access_in_1 remark SSH OUT
access-list inside_access_in_1 extended permit tcp any any eq ssh
access-list inside_access_in_1 remark MYSQL OUT
access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 object-group Mysql
access-list inside_access_in_1 remark SPHINX OUT
access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 eq 3312
access-list inside_access_in_1 remark DNS OUT
access-list inside_access_in_1 extended permit object-group TCPUDP host Newserver any eq domain
access-list inside_access_in_1 remark PING OUT
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 remark Draytek Admin
access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 4433
access-list inside_access_in_1 remark Phone System
access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 35300 log disable
access-list inside_access_in_1 remark IPSEC VPN OUT
access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq 4500
access-list inside_access_in_1 remark IPSEC VPN OUT
access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq isakmp
access-list inside_access_in_1 remark Office to Rackspace OUT
access-list inside_access_in_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_access_in_1 remark IMAP OUT
access-list inside_access_in_1 extended permit tcp any any eq imap4
access-list inside_access_in_1 remark FTP OUT
access-list inside_access_in_1 extended permit tcp any any eq ftp
access-list inside_access_in_1 remark FTP DATA out
access-list inside_access_in_1 extended permit tcp any any eq ftp-data
access-list inside_access_in_1 remark SMTP Out
access-list inside_access_in_1 extended permit tcp any any eq smtp
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_nat0_outbound extended permit ip any 192.168.2.128 255.255.255.224
access-list inside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list outside_1_cryptomap_1 extended permit tcp 192.168.2.0 255.255.255.0 object-group rackspace-public-ips eq ssh
access-list RACKSPACE-cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list RACKSPACE-TEST extended permit ip host 94.236.41.227 any
access-list RACKSPACE-TEST extended permit ip any host 94.236.41.227
access-list InternalForClientVPNSplitTunnel remark Inside for VPN
access-list InternalForClientVPNSplitTunnel standard permit 192.168.2.0 255.255.255.0
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.128.200 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.16 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.72 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 212.64.147.184 255.255.255.248
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm warnings
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu inside 1500
mtu outside 1500
ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ipv6 access-list inside_access_ipv6_in permit tcp any any eq www
ipv6 access-list inside_access_ipv6_in permit tcp any any eq https
ipv6 access-list inside_access_ipv6_in permit tcp any any eq ssh
ipv6 access-list inside_access_ipv6_in permit icmp6 any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www dev.skiddle.internal www netmask 255.255.255.255
static (inside,outside) tcp interface ssh dev.skiddle.internal ssh netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.254 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable 4433
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto map outside_map 1 match address RACKSPACE-cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 94.236.41.227
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxx
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcprelay server 192.68.2.200 inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source outside prefer
webvpn
port 444
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1 regex "Intel Mac OS X"
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy skiddlevpn internal
group-policy skiddlevpn attributes
dns-server value 192.168.2.200
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value InternalForClientVPNSplitTunnel
default-domain value skiddle.internal
username bensebborn password *** encrypted privilege 0
username bensebborn attributes
vpn-group-policy skiddlevpn
username benseb password gXdOhaMts7w/KavS encrypted privilege 15
tunnel-group 94.236.41.227 type ipsec-l2l
tunnel-group 94.236.41.227 ipsec-attributes
pre-shared-key *****
tunnel-group skiddlevpn type remote-access
tunnel-group skiddlevpn general-attributes
address-pool CiscoVPNDHCPPool
default-group-policy skiddlevpn
tunnel-group skiddlevpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class inspection_default
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
inspect ftp
!
service-policy global_policy global
smtp-server 164.177.128.203
prompt hostname context
call-home reporting anonymous
Cryptochecksum:6c2eb43fa1150f9a5bb178c716d8fe2b
: end
You must enable "same-security-traffic permit intra-interface" to allow communication between VPN and VPN.
With respect,
Safwan
Remember to rate useful posts.
-
Disable the NAT for VPN site-to-site
Hello world
I work in a company, and we had to make a VPN site-to site.
Everything works fine, except that the packets sent to the other site are translated; in other words, the firewall on the other site (Site_B) sees only the IP address of my firewall (Site_A).
I tried to solve the problem, but without success; I think that the NAT of VPN packets is the problem.
Here is my current running config:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 9U./y4ITpJEJ8f.V encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.67.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 41.220.X.Y 255.255.255.252 (External WAN public IP Address)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CET 1
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 41.220.X1.Y1
host 41.220.X1.Y1
object network NETWORK_OBJ_192.168.67.0_24
subnet 192.168.67.0 255.255.255.0
object network NETWORK_OBJ_172.19.32.0_19
subnet 172.19.32.0 255.255.224.0
object network 194.2.176.18
host 194.2.XX.YY (External IP address public of the other site (Site_B))
description 194.2.XX.YY
access-list inside_access_in extended permit ip any any log warnings
access-list inside_access_in extended permit ip object NETWORK_OBJ_172.19.32.0_19 object NETWORK_OBJ_192.168.67.0_24 log debugging
access-list inside_access_in extended permit ip object 194.2.176.18 any log debugging
access-list inside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list outside_1_cryptomap extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging
access-list outside_1_cryptomap extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list 1111 standard permit 172.19.32.0 255.255.224.0
access-list 1111 standard permit 192.168.67.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 172.19.32.0 255.255.224.0 any log debugging
access-list outside_1_cryptomap_1 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list outside_1_cryptomap_2 extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging
access-list outside_1_cryptomap_2 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list outside_access_in extended permit ip any any log warnings
access-list outside_access_in extended permit ip object 194.2.XX.YY any log debugging
access-list outside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging
access-list nonat extended permit ip 192.168.67.0 255.255.255.0 176.19.32.0 255.255.224.0
access-list nonat extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0
pager lines 24
logging enable
logging monitor informational
logging asdm warnings
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 41.220.X.Y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.67.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap_2
crypto map outside_map 1 set peer 194.2.XX.YY
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 192.168.67.200 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username bel_md password HSiYQZRzgeT8u.ml encrypted privilege 15
username nebia_said password qQ6OoFJ5IJa6sgLi encrypted privilege 15
tunnel-group 194.2.XX.YY type ipsec-l2l
tunnel-group 194.2.XX.YY ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0398876429c949a766f7de4fb3e2037e
: end
If you need any other information or explanation, just ask me.
My firewall model: ASA 5505
Thank you for the help.
Hey Houari,
I suspect something with the order of your NAT statements, which is:
nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19
Can you please have this change applied to the ASA:
no nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19
nat (inside,outside) 1 source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19
Try it and let me know how it goes.
If it does not help, please post the output of a packet-tracer from your internal network to the remote VPN subnet, together with the output of "show nat detail".
HTH,
Mo.
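Mo's reordering suggestion comes down to first-match evaluation of manual NAT: the "source dynamic any interface" line sits above the identity rule, so it also catches traffic bound for the remote VPN subnet and PATs it to the outside address. As an added illustration (not code from the thread; the outside address 41.220.0.1 is a constructed stand-in for the masked 41.220.X.Y), this Python models the two posted rules and shows what Site_B sees as the source in both orders:

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

# Constructed stand-in for the masked outside interface address 41.220.X.Y.
OUTSIDE_IF = "41.220.0.1"
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    """One manual (twice) NAT line: matched on source and destination, first match wins."""
    label: str
    src: IPv4Network
    dst: IPv4Network
    mapped_src: Optional[str]  # None = identity NAT, i.e. the real source is kept unchanged


def lookup(rules: Sequence[NatRule], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (label of the first matching rule, source address after translation).

    Simplified model: only the manual NAT section is evaluated, top to bottom.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.label, (src_ip if rule.mapped_src is None else rule.mapped_src)
    return "no match", src_ip


# The two manual NAT lines from the posted configuration.
DYNAMIC_PAT = NatRule("source dynamic any interface", ANY, ANY, OUTSIDE_IF)
VPN_EXEMPT = NatRule(
    "source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 "
    "destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19",
    ip_network("192.168.67.0/24"), ip_network("172.19.32.0/19"), None)

# Order as posted: the catch-all PAT line comes first and wins for everything.
POSTED_ORDER: List[NatRule] = [DYNAMIC_PAT, VPN_EXEMPT]
# Order after re-adding the identity rule with "nat (inside,outside) 1 ...": it is evaluated first.
FIXED_ORDER: List[NatRule] = [VPN_EXEMPT, DYNAMIC_PAT]


def vpn_source_after_nat(rules: Sequence[NatRule], host: str = "192.168.67.10") -> str:
    """Source address Site_B sees for a packet from an inside host to the remote 172.19.32.0/19."""
    return lookup(rules, host, "172.19.40.5")[1]


if __name__ == "__main__":
    for name, rules in (("posted order", POSTED_ORDER), ("fixed order", FIXED_ORDER)):
        print(f"{name}: VPN traffic leaves with source {vpn_source_after_nat(rules)}")
        print(f"{name}: Internet traffic leaves with source "
              f"{lookup(rules, '192.168.67.10', '8.8.8.8')[1]}")
```

In the fixed order, Internet-bound traffic is still PATed to the interface, so the reorder does not open anything; it only stops the VPN subnet from being translated.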
-
I have installed an ACS 4.0 server but I can't get it working with the router or switch; can someone send me a configuration for the server and the router that works well?
The missing part was 'aaa authentication login default group tacacs+ local', enable instead of login (mixed up...).
For some devices (aaa authentication login TELNET group tacacs+ local), while others use default (aaa authentication login default group tacacs+ local).
-
No TACACS+ Administration reports after upgrading to ACS 4.1
Hello
I was running the ACS 4.0 demo version. Everything worked very well.
After the upgrade, keeping the old configuration, I can't see logs in the TACACS+ Administration reports. I kept the router configurations and get the same thing, so I think that the problem lies in the ACS software.
I tested a few debugs, and it seems that the router sends the command that is typed to the ACS.
Here is the config I'm using:
aaa new-model
tacacs-server host 192.168.X.X key XXXXXXXXXXX
aaa authentication login TELNET group tacacs+ enable
aaa authentication login CONSOLE enable
aaa authentication enable default group tacacs+ enable
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting arrhythmic telnet connection group tacacs+
line con 0
 authorization exec NO-AUTH
 login authentication CONSOLE
line vty 0 4
 authorization exec AUTH
 login authentication TELNET
aaa authorization exec AUTH group tacacs+ none
aaa authorization config-commands
aaa authorization exec NO-AUTH none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
Hello
It is a known issue, you must apply the hotfix ACS 4.1.1.23.5 to solve the problem.
Patch for the unit is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
The patch name: ACS SE 4.1.1.23.5 rollup
Patch for windows acs is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
The patch name: ACS 4.1.1.23.5 rollup
That should solve the problem
Kind regards
Jagdeep
Note: If this answers your question, then please mark this thread as solved, so that others can benefit from.
-
AAA ACS RADIUS ASA administrative access
We have an ASA 8.2 on which we'd like to configure AAA for ssh access using ACS 5.5 running RADIUS.
Users can authenticate, but the ASA keeps the user in user EXEC instead of privileged EXEC.
Installation on the ASA:
aaa-server rad-group1 protocol radius
aaa-server rad-group1 (inside_pd) host rad-server-1
 key *
aaa-server rad-group1 (inside_pd) host rad-server-2
 key *
aaa authentication ssh console rad-group1 LOCAL
aaa authentication telnet console rad-group1 LOCAL
aaa authentication http console rad-group1 LOCAL
aaa authorization exec authentication-server
Have you tried pushing various combinations of these attributes from the ACS:
CVPN3000/ASA/PIX7.x-Privilege-Level = 15
IETF RADIUS Service-Type = Administrative (6)
cisco-av-pair = "shell:priv-lvl=15"
Hi Phil,
You are able to manage the privilege level that is assigned to a user with TACACS+; however, you are not able to go to that privilege level without enable authentication, unless you go to 9.1(5) code.
-
Hello
I configured Windows L2TP/IPsec connections on the ASA. Phase 1 and 2 are successful and the tunnel is created, but immediately after this it is deleted. Tested from Windows XP and Windows 7. I use DefaultRAGroup for that (cannot use any group other than the default, a limitation of Windows). Here is my config:
group-policy DfltGrpPolicy attributes
 wins-server value 10.1.1.1
 dns-server value 10.1.1.1
 vpn-idle-timeout 300
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 user-authentication enable
 nem enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
tunnel-group DefaultRAGroup general-attributes
 address-pool asa-admins
 authentication-server-group CSACS
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_AES_SHA TRANS_ESP_DES_SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
And here are some logs:
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715027: Group = DefaultRAGroup, IP = 193.193.193.193, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 10
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/4500
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0xAEA59455) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715007: Group = DefaultRAGroup, IP = 193.193.193.193, IKE got a KEY_ADD msg for SA: SPI = 0xaea59455
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x9D3B8BDE) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715077: Group = DefaultRAGroup, IP = 193.193.193.193, Pitcher: received KEY_UPDATE, spi 0x9d3b8bde
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, Starting P2 rekey timer: 3060 seconds.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-5-713120: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid=00000001)
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193> mask <0xFFFFFFFF> port <4204>
Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/1701
Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-6-302016: Teardown UDP connection 56281479 for outside:193.193.193.193/4204 to identity:outside-interface/1701 duration 0:01:07 bytes 431
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-302015: Built inbound UDP connection 56282536 for outside:193.193.193.193/4204 (193.193.193.193/4204) to identity:outside-interface/1701 (outside-interface/1701)
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 50, remote_peer_ip is 193.193.193.193, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is user1
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50, remote_peer_ip = 193.193.193.193
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 193.193.193.193, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 795, Bytes rcv: 1204, Reason: L2TP initiated
What's wrong?
Thanx
Please go ahead and enable the following command:
crypto isakmp nat-traversal
Try again.
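As an added triage aid (not part of the thread), this Python parses ASA syslog in the relay format shown above, pairs each L2TP tunnel-created message with its deletion, and flags a tunnel that lived only a few seconds, noting when the peer arrived over NAT-T (UDP/4500, session type IPsecOverNatT), which is the condition the reply above addresses with crypto isakmp nat-traversal. The sample lines are constructed to mirror the posted messages (same message IDs, peer and tunnel_id); they are not the poster's raw output.

```python
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Relay format seen in the thread: "<relay stamp> <host> <device stamp> <host> : %ASA-<sev>-<id>: <text>"
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ "
    r"(?P<stamp>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) \S+ : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
CREATED_RE = re.compile(r"tunnel_id is (\d+), remote_peer_ip is ([\d.]+)")            # 603106
DELETED_RE = re.compile(r"tunnel_id = (\d+), remote_peer_ip = ([\d.]+)")              # 603107
DISCONN_RE = re.compile(r"IP = ([\d.]+), .*Session Type: ([^,]+), .*Reason: (.+)$")   # 113019
NATT_RE = re.compile(r"from ([\d.]+)/\d+ to \S+/4500$")                               # 710005 on UDP/4500

# Constructed sample mirroring the posted messages (not the poster's raw log).
SAMPLE_LOG = """\
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/4500
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-5-713120: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid=00000001)
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 50, remote_peer_ip is 193.193.193.193, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is user1
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50, remote_peer_ip = 193.193.193.193
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 193.193.193.193, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 795, Bytes rcv: 1204, Reason: L2TP initiated
"""


def parse(log: str) -> List[Dict]:
    """Turn relay-prefixed ASA syslog lines into events; lines in another format are skipped."""
    events: List[Dict] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["stamp"], "%b %d %Y %H:%M:%S"),
            "msgid": m["msgid"],
            "text": m["text"],
        })
    return events


def triage(log: str, max_lifetime_s: int = 5) -> List[Dict]:
    """Report L2TP tunnels torn down within max_lifetime_s of being created."""
    events = parse(log)
    natt_peers: Set[str] = set()
    disconnects: Dict[str, Tuple[str, str]] = {}
    for ev in events:  # pass 1: context that may be logged before or after the tunnel messages
        if ev["msgid"] == "710005":
            m = NATT_RE.search(ev["text"])
            if m:
                natt_peers.add(m.group(1))
        elif ev["msgid"] == "113019":
            m = DISCONN_RE.search(ev["text"])
            if m:
                disconnects[m.group(1)] = (m.group(2), m.group(3))
    created: Dict[str, Tuple[datetime, str]] = {}
    findings: List[Dict] = []
    for ev in events:  # pass 2: pair each tunnel creation with its deletion by tunnel_id
        if ev["msgid"] == "603106":
            m = CREATED_RE.search(ev["text"])
            if m:
                created[m.group(1)] = (ev["ts"], m.group(2))
        elif ev["msgid"] == "603107":
            m = DELETED_RE.search(ev["text"])
            if not m or m.group(1) not in created:
                continue
            t0, peer = created.pop(m.group(1))
            lifetime = int((ev["ts"] - t0).total_seconds())
            if lifetime > max_lifetime_s:
                continue
            session_type, reason = disconnects.get(peer, ("", ""))
            findings.append({
                "tunnel_id": int(m.group(1)),
                "peer": peer,
                "lifetime_s": lifetime,
                "nat_t": peer in natt_peers or session_type == "IPsecOverNatT",
                "reason": reason,
            })
    return findings


def hint(finding: Dict) -> str:
    """One-line summary with the check the thread's reply points at."""
    msg = (f"L2TP tunnel {finding['tunnel_id']} from {finding['peer']} lived "
           f"{finding['lifetime_s']}s (reason: {finding['reason'] or 'unknown'})")
    if finding["nat_t"]:
        msg += "; peer used NAT-T, so check that crypto isakmp nat-traversal is enabled"
    return msg


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(hint(f))
```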
-
Hello
How do I configure TACACS+ for an ASA 5550 with ACS 4.2? I have two ASAs, one active and the other in standby mode. Please tell me how to set it up. I couldn't find any good docs either.
Thank you.
Hi Gavin,
Here is a sample config for ASA telnet authentication from TACACS+:
username admin password xxxxx privilege 15
aaa-server TEST protocol tacacs+
aaa-server TEST (inside) host x.x.x.x yyy [x.x.x.x is the ip address of the tacacs server and is reachable from the inside interface and yyy is the shared secret key.]
aaa authentication telnet console TEST LOCAL [This will send the telnet authentication request to the tacacs server first and if it is not reachable then use the local database of the ASA]
aaa authentication ssh console TEST LOCAL [same as above but for ssh session]
aaa authorization exec authentication-server [this enables exec authorization for the telnet and ssh sessions.]
aaa authentication http console TEST LOCAL [for HTTP]
aaa accounting command TEST [this enables command accounting for all commands entered in the telnet or ssh session.]
On the TACACS+ server we need to add this ASA as a RADIUS client with shared secret key yyy. You can find more details at:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/mgaccess.html#wp1042026
In ACS, you need to add the ASA as a device under Network Configuration with protocol TACACS+.
Thank you
Vinay
If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.
-
Hi all
I have configured TACACS+ on the ASA, but the problem is that when I try to Telnet it authenticates me with my username and password on ACS, but I can't get privilege level 15 as configured on ACS. It asks me for the enable password and does not take the password from ACS. I used Shell authorization for privilege 15. The configuration done on the ASA is:
name 172.30.xx.xx DCC-1
name 172.30.yy.yy DCC-2
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ host DCC-1
 key cisco
aaa-server tacacs+ host DCC-2
 key cisco
aaa authentication telnet console tacacs+ LOCAL
aaa authentication telnet console tacacs+ tacacs+
aaa authentication ssh console tacacs+ LOCAL
aaa authentication enable console tacacs+ LOCAL
enable password V3VzjwYzTRfTLwOb encrypted
username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15
I even added my username and password to the local database on the ASA, the same as on ACS. Still no progress...
Can anyone give their suggestion on this?
Kind regards
Piyush
It asks not for shell privilege level 15 but for enable privileges, which must be set to 15 in ACS ---> User Setup ---> Enable Options ---> Max Privilege for any AAA Client ---> 15.