Cisco ASA and dynamic VPN L2L Fortigate configuration

Similar Questions

• Cisco ASA and AnyConnect VPN certificate error

  Hello

  I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:

  Error.jpg

  

  I don't have public certificate in ASA. Is it possible to use the self-signed certificate and get rid of this warning message?

  Hello

  This is expected behavior on the SAA for an SSL connection. You can certainly use the certificate self-signed on the SAA and then apply it on the external interface.
  Once done, you will need to install this certificate on the clients and this will alleviate the popup error message.

  Here is a document that you can refer to create a self-signed certificate.
  https://supportforums.Cisco.com/document/44116/ASA-self-signed-certificate-WebVPN

  Kind regards
  Dinesh Moudgil

  PS Please note the useful messages.

• Configure to integrate Cisco ASA and JOINT

  Hello

  We have Cisco ASA and JOINT, need assistance on the integration of the same thing; Please email me so that I'll share the details of the architecture.

  Thank you best regards &,.

  REDA

  Hi reda,.

  If I correctly your diagram, you do not want to send any traffic from the external switch to the JOINT with a SPAN port and all traffic from your DMZ interfaces with another.

  Is this correct?

  If so, can you tell me why you want to inspect the traffic before it goes through the firewall? As I said in my original answer, we generally advise putting IP addresses after the firewall.

  Not to mention that in your case, I guess that some traffic will be inspected twice so you will need to assign a different virtual sensors to each JOINT internal interfaces to ensure that the same instance does not see the traffic of several times.

  Kind regards

  Nicolas

• The traffic load between the power of Cisco ASA and FireSight Management Center fire

  Hi all

  I have a stupid question to ask.

  Can I know what is the traffic load and the e/s flow between firepower Cisco ASA and FireSight Management Center?

  Currently working on a project, client require such information to adapt to their network. Tried to find in the document from Cisco, but no luck.

  Maybe you all have no idea to provide.

  It varies depending on the number of events reported from the module to the CSP. No event = only health controls and policy changes are exchanged. 10,000 events per second = much more traffic.

  Generally it is not a heavy load, however.

• IPSec vpn cisco asa and acs 5.1

  We have configured authentication ipsec vpn cisco asa acs 5.1:

  Here is the config in cisco vpn 5580:

  standard access list acltest allow 10.10.30.0 255.255.255.0

  RADIUS protocol AAA-server Gserver

  AAA-server host 10.1.8.10 Gserver (inside)

  Cisco key

  AAA-server host 10.1.8.11 Gserver (inside)

  Cisco key

  internal group gpTest strategy

  gpTest group policy attributes

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list acltest

  type tunnel-group test remote access

  tunnel-group test general attributes

  address localpool pool

  Group Policy - by default-gpTest

  authentication-server-group LOCAL Gserver

  authorization-server-group Gserver

  accounting-server-group Gserver

  IPSec-attributes of tunnel-group test

  pre-shared-key cisco123

  GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.

  When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get

  error:

  22040 wrong password or invalid shared secret

  (pls see picture to attach it)

  the system still works, but I don't know why, we get the error log.

  Thanks for any help you can provide!

  Duyen

  Hello Duyen,

  I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.

  Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:

  authentication-server-group LOCAL Gserver

  authorization-server-group Gserver

  As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.

  Please remove the authorization under the Tunnel of Group:

  No authorization-server-group Gserver

  Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.

  Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.

  I hope this helps.

  Kind regards.

• ASA IPP on VPN L2L w/NAT

  I have a tunnel VPN L2L on a Cisco ASA 5520 I am trying to get IPPS, to work on. On my ACL cryptomap I defined a local group object and a remote object-group, and I'm the one-to-one NAT scene on the local group. I also have a configured route map that will take the static routes and redistribute in my ACE. EIGRP two things - 1, I noticed, I don't see on my ASA static routes that point to remote subnets and 2, the ACL that I used in my definition of route map is not getting any hits on it.

  Any thoughts on where I can go wrong?

  Thank you

  Darren

  You have configured the following:

  crypto set reverse-road map

  If you do, can you remove and Add again and see if that fixes the problem?

• IKE Dead Peer Detection between Cisco ASA and Cisco PIX

  I have a network environment in Star with about 30 offices of satellite remote using VPN Site to Site connectivity.  The majority of remote satellite offices have the features of Cisco PIX 501 running PIX Version 6.3.  The hub office runs a version 8.2 (1) Cisco ASA.

  I configured Dead Peer Detection on the Cisco ASA device at the office hub with the default settings of the following-

  Confidence interval - 10 seconds

  Retry interval - 2 seconds

  I think I'm right assuming that raises are limited to 3 before the tunnel is completely demolished.  Basically, the problem that I am facing is with several remote satellite offices.  What seems to be the case, the tunnel between the remote offices and the hub is demolished (probably because of the length of IKE, always 86400 seconds) and the tunnel then fails to renegotiate unless traffic is physically forced from the hub office.  The tunnel NOT to renegotiate after satellite office, ONLY the end of the hub; so that means sending traffic to the satellite when the VPN tunnel is out of service, not to renegotiate the tunnel.  The Hub office is a colo and therefore traffic rarely comes to that end, the tunnel remains so down until manual intervention occurs and the ICMP traffic is forced into the tunnel.

  Should the KeepAlive and retry interval settings corresponds to both ends, for example if the two devices be configured for DPD?

  What are the potential pitfalls to the extension of the life of IKE, and this will help or even hinder the problem?

  Thank you in advance for helping out with this.

  Hi Nicolas,.

  I think that the two DPD settings must match on both ends, if these do not match then problems like yours might arise which seems to happen here, is that one end shows a tunnel down, but the other end may not detect it down, we could have to watch debugs, or record two ends to see if this is the case , setting in the meantime ike DPD for same timers could hetlp on.

  In regard to the increase in the life expectancy of IKE, well you just need to be aware that this could allow keys to be discovered since these are not renegotiated unless the tunnel is down on the level of IKE. Other than that I don't see why this would affect you.

• IPSec VPN between Cisco ASA and Fortigate1000

  Hello

  I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...

  the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...

  The question is: How do I configure the interface on the SAA ACCORD?

  Thanks in advance, Experts...

  Kind regards...

  ASA firewall does not support the interface/GRE GRE tunnel.

  If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.

  If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml

  Hope that helps.

• SSL VPN from Cisco ASA and ACS 5.1 change password

  Dear Sir.

  I am tring configure ASA to change the local password on ACS 5.1. When the user access with ssl vpn if the ACS 5.1 password expiration date. ASA will display the dialog box or window popup to change the password. But it does not work. I'm tring to Setup with the functionality of password management on the SAA. When I enable password management it will not work and is unable to change the password. Could you tell me about this problem?

  Thank you

  Aphichat

  
  Dear Sir,
  I'm tring to setup ASA to change local password on ACS 5.1. When user access with ssl vpn if password on ACS 5.1 expire. ASA will show dialog box or pop-up to change password. But It don't work. I'm tring to setup with password management feature on ASA . When I enable password management it don't work and can't to change password. Could you advise me about this problem?
  Thank you
  Aphichat
  

  Hi Aphichat,

  Go to the password link below change promt via AEC in ASA: -.

  https://supportforums.Cisco.com/docs/doc-1328;JSESSIONID=A51E68318579261787BD60DDA0707819. Node0

  Hope to help!

  Ganesh.H

  Don't forget to note the useful message

• Cisco ASA AnyConnect SSL VPN - certificates + token?

  Hello

  I'm looking for an answer is it possible such configuration:

  The Cisco AnyConnect SSL VPN service with two-factor - first method is the Microsoft CA certificate local and second method - a token solution Symantec VIP password?

  I don't know if two-factor authentication is user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with Radius, but with certificates I do not really understand who will check the validity of the certificate, which certificate, we will send you to the RADIUS for the validation server and how the configuration of the point of view of ASA will look like.

  Thank you very much for the help!

  Hi Alex,

  I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the SAA, see an example below:

  https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication

  Authentication token can be specified as primary/secondary (authentication SDI) on the SAA, an example below:

  http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/anyconnect31/Administration/Guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

  It may be useful

  -Randy-

• Cisco ASA 5510, ipsec vpn. What address to connect the client to

  Hello

  It's maybe a stupid question, but I can't find the answer anywhere.

  I used the ipsec vpn configuration wizard, I activated the external interface to access ipsec and went through SCW pools of addresses etc. When I try to connect with the cisco vpn client to my address of the external interface (of a remote host) I'm unable to connect. I scanned the interface for open ports, but there is not, I have to allow traffic to ipsec at this interface?

  Best regards

  Andreas

  No, once you have configured the access remote vpn ipsec, it will be automatically activated, and you should be able to connect to the ASA outside the ip address of the interface.

  Can you please share the configuration? and also which group name you are trying to access the vpn client?

• Cisco ASA 5505 remote VPN access to the local network

  I have installed two ASA 5505 VPN site to site that works perfectly.  Now, I also need to have 1 customer site to remote access VPN with Cisco VPN dialer.  I can get the VPN dialer to connect the VPN and get a VPN IP address, but I do not have access to the remote network.  can someone take a look and see what I'm missing?  I have attached the ASA running config.

  Apologize for the misunderstanding.

  To access the remote vpn client 10.10.100.x subnet, the vpn-filter ACL is the opposite.

  Please please share the following ACL:

  FROM: / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  outside_cryptomapVPN list of allowed ip extended access any 10.10.20.0 255.255.255.224

  TO:

  / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  outside_cryptomapVPN to access extended list ip 10.10.20.0 allow 255.255.255.224 all

  Hope that helps.

• Problem Cisco ASA and downloadable ACLs

  Hi all

  Can someone shed some light on how configure ACS for acl user base download.

  We used the TACCAS for remote access user authentication.

  I need a config on ASA or should I just set up the strategy of /authorisation element profile and link the user profile?

  Thanks in advance

  Example of configuration.

• VPN site to site ASA and SSL VPN

  Hello

  Already configured vpn site to site for both sites. Now, I try to configure vpn remote access to one site.

  But I'm starting to config some command like below to access remote vpn, the existing site-to-site vpn disconnected auto.

  No crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  Please, help me to check.

  Thank you

  Ko Htwe

  Hello

  You can have a single card encryption for an interface, you must configure both tunnels (access site to & remote) in a single card with number of different sequesnce encryption. Please make sure that the sequence number for the remote access is higher than for the site to site.

  You can also get this back to the config command, why did you remove it.

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  If you still have a problem, please let us know the configuration.

  Kind regards

  Mohammad

• Cisco ASA 5510 VPN with PIX 515

  Hello

  I have VPN between Cisco ASA and Cisco PIX.

  I saw in my syslog server this error that appears once a day, more or less:

  Received a package encrypted with any HIS correspondent, drop

  I ve seen issue in another post, but in none of then the solution.

  Here are my files from the firewall configuration:

  Output from the command: 'show running-config '.

  : Saved
  :
  ASA Version 8.2 (1)
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  card crypto WAN_map2 2 corresponds to the address WAN_cryptomap_1
  card crypto WAN_map2 2 set pfs
  card crypto WAN_map2 2 peer 62.80.XX game. XX
  map WAN_map2 2 game of transformation-ESP-DES-MD5 crypto
  card crypto WAN_map2 2 defined security-association 2700 seconds life
  card crypto WAN_map2 2 set nat-t-disable
  card crypto WAN_map2 WAN interface
  enable LAN crypto ISAKMP
  ISAKMP crypto enable WAN
  crypto ISAKMP policy 1
  preshared authentication
  the Encryption
  md5 hash
  Group 5
  lifetime 28800
  No encryption isakmp nat-traversal
  tunnel-group 62.80.XX. XX type ipsec-l2l
  tunnel-group 62.80.XX. IPSec-attributes of XX
  pre-shared-key *.
  

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  8.0 (4) version PIX
  !
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  card encryption VPN_map2 3 corresponds to the address VPN_cryptomap_2
  card encryption VPN_map2 3 set pfs
  card crypto VPN_map2 3 peer 194.30.XX game. XX
  VPN_map2 3 transform-set ESP-DES-MD5 crypto card game
  card encryption VPN_map2 3 defined security-association life seconds 2700
  card encryption VPN_map2 3 set security-association kilobytes of life 4608000
  card VPN_map2 3 set nat-t-disable encryption
  VPN crypto map VPN_map2 interface
  crypto ISAKMP enable VPN
  crypto ISAKMP allow inside
  crypto ISAKMP policy 30
  preshared authentication
  the Encryption
  md5 hash
  Group 5
  lifetime 28800
  No encryption isakmp nat-traversal
  ISAKMP crypto am - disable
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec
  tunnel-group 194.30.XX. XX type ipsec-l2l
  tunnel-group 194.30.XX. IPSec-attributes of XX
  pre-shared-key *.
  

  If you need more information dedailed ask me questions.

  Thanks in advance for your help.

  Javi

  Hi Javi,

  Please after the release of "see broadcasting DfltGrpPolicy of any political group." See if you have the "vpn-idle-timoeout" command configured in that. If so, please change to "vpn-idle-timeout no" and see if that stops at these popping up error messages.

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/uz.html#wp1571426

  Thank you and best regards,

  Assia