Client VPN CISCO ASA for Android

Hi guys

I just received a request from a client who said he expects the procedure to establish a VPN from an Android device, as far as I know there is a soft ANYCONNECT but in my case, the client uses a CISCO VPN CLIENT, in this case it is possible to configure a VPN connection on the device, or I should use ANYCONNECT?

Kind regards.

Connection via the android client will be like the legacy cisco VPN client connection. You need only anyconnect mobile licenses if you connect with the android anyconnect client. Using the android client built in will consume licenses peer IPSEC. If no additional license not required.

Tags: Cisco Security

Similar Questions

Client VPN Cisco ASA 5505 Cisco 1841 router

Hello. I'm doing a connection during a cisco vpn client and a vpn on one server asa 5505 behind a 1841 router (internet adsl2 + and NAT router).

My topology is almost as follows

customer - tunnel - 1841 - ASA - PC

ASA is the endpoint vpn (outside interface) device. I forward udp port 500 and 4500 on my router to the ASA and the tunnel rises. I exempt nat'ting on the asa and the router to the IP in dhcp vpn pool. I can connect to my tunnel but I can't "see" anything in the internal network. I allowed all traffic from the outside inwards buy from the ip vpn pool and I still send packets through the tunnel and I get nothing. I take a look at the statistics on the vpn client and I 2597 bytes (ping traffic) and there are no bytes. Any idea?

Where you you logged in when you took the "crypto ipsec to show his"? If this isn't the case then try again, also this option allows IPSEC over UDP 4500 and it is disabled, enable it.

ISAKMP nat-traversal crypto

Just enter the command as it is, then try to connect again after activation of this option and get the same result to see the.

IPSec vpn cisco asa and acs 5.1

We have configured authentication ipsec vpn cisco asa acs 5.1:

Here is the config in cisco vpn 5580:

standard access list acltest allow 10.10.30.0 255.255.255.0

RADIUS protocol AAA-server Gserver

AAA-server host 10.1.8.10 Gserver (inside)

Cisco key

AAA-server host 10.1.8.11 Gserver (inside)

Cisco key

internal group gpTest strategy

gpTest group policy attributes

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list acltest

type tunnel-group test remote access

tunnel-group test general attributes

address localpool pool

Group Policy - by default-gpTest

authentication-server-group LOCAL Gserver

authorization-server-group Gserver

accounting-server-group Gserver

IPSec-attributes of tunnel-group test

pre-shared-key cisco123

GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.

When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get

error:

22040 wrong password or invalid shared secret

(pls see picture to attach it)

the system still works, but I don't know why, we get the error log.

Thanks for any help you can provide!

Duyen

Hello Duyen,

I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.

Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:

authentication-server-group LOCAL Gserver

authorization-server-group Gserver

As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.

Please remove the authorization under the Tunnel of Group:

No authorization-server-group Gserver

Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.

Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.

I hope this helps.

Kind regards.

Client VPN Cisco router Cisco, MSW CA + certificates

Dear Sirs,
Let me approach you on the following problem.

I wanted to use a secure between the Cisco VPN client connection
(Windows XP) and Cisco 2821 with certificate-based authentication.
I used the Microsoft certification authority (Windows 2003 server).
Cisco VPN client used eTokenPRO Aladdin as a certificate store.

Certificate of MSW CA registration and implementation in eToken ran OK
Customer VPN Cisco doesn't have a problem with the cooperation of eToken.
Certificate of registration of Cisco2821 MSW ca ran okay too.

Cisco 2821 configuration is standard. IOS version 12.4 (6).

Attempt to connect to the client VPN Cisco on Cisco 2821 was
last update of the error messages:

ISAKMP: (1020): cannot get router cert or routerdoes do not have a cert: had to find DN!
ISAKMP: (1020): ITS been RSA signature authentication more XAUTH using id ID_FQDN type
ISAKMP (1020): payload ID
next payload: 6
type: 2
FULL domain name: cisco - ca.firm.com
Protocol: 17
Port: 500
Length: 25
ISAKMP: (1020): the total payload length: 25
ISAKMP (1020): no cert string to send to peers
ISAKMP (1020): peer not specified not issuing and none found appropriate profile
ISAKMP (1020): Action of WSF returned the error: 2
ISAKMP: (1020): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1020): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

Is there some refence where is possible to find some information on
This problem? There is someone who knows how to understand these mistakes?
Thank you very much for your help.

Best regards
P.Sonenberk

PS Some useful information for people who are interested in the above problem.

Address IP of Cisco 2821 10.1.1.220, client VPN IP address is 10.1.1.133.
MSW's IP 10.1.1.50.
Important parts of the Cisco 2821 configuration:

!
cisco-ca hostname
!
................
AAA new-model
!
AAA authentication login default local
AAA authentication login sdm_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization sdm_vpn_group_ml_1 LAN
!
...............
IP domain name firm.com
host IP company-cu 10.1.1.50
host to IP cisco-vpn1 10.1.1.133
name of the IP-server 10.1.1.33
!
Authenticated MultiLink bundle-name Panel
!
Crypto pki trustpoint TP-self-signed-4097309259
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 4097309259
revocation checking no
rsakeypair TP-self-signed-4097309259
!
Crypto pki trustpoint company-cu
registration mode ra
Enrollment url http://10.1.1.50:80/certsrv/mscep/mscep.dll
use of ike
Serial number no
IP address no
password 7 005C31272503535729701A1B5E40523647
revocation checking no
!
TP-self-signed-4097309259 crypto pki certificate chain
certificate self-signed 01
30820249 308201B 2 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
.............
FEDDCCEA 8FD14836 24CDD736 34
quit smoking
company-cu pki encryption certificate chain
certificate 1150A66F000100000013
30820509 308203F1 A0030201 02020 HAS 11 092A 8648 01000000 13300 06 50A66F00
...............
9E417C44 2062BFD5 F4FB9C0B AA
quit smoking
certificate ca 51BAC7C822D1F6A3469D1ADC32D0EB8C
30820489 30820371 A0030201 BAC7C822 02021051 D1F6A346 9D1ADC32 D0EB8C30
...............
C379F382 36E0A54E 0A6278A7 46
quit smoking
!
...................
crypto ISAKMP policy 30
BA 3des
md5 hash
authentication rsa-BA
Group 2
ISAKMP crypto identity hostname
!
Configuration group customer isakmp crypto Group159
key Key159Key
pool SDM_POOL_1
ACL 100
!
the crypto isakmp client configuration group them
domain firm.com
pool SDM_POOL_1
ACL 100
!
Crypto ipsec transform-set esp-3des esp-md5-hmac 3DES-MD5
!
crypto dynamic-map SDM_DYNMAP_1 1
the transform-set 3DES-MD5 value
market arriere-route
!
card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
client configuration address map SDM_CMAP_1 crypto answer
map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
!
................
!
end

status company-cu of Cisco-ca #show cryptographic pki trustpoints
Trustpoint company-cu:
Issuing CA certificate configured:
Name of the object:
CN = firm-cu, dc = company, dc = local
Fingerprint MD5: 5026582F 8CF455F8 56151047 2FFAC0D6
Fingerprint SHA1: 47B 74974 7C85EA48 760516DE AAC84C5D 4427E829
Universal router configured certificate:
Name of the object:
host name = cisco - ca.firm.com
Fingerprint MD5: E78702ED 47D5D36F B732CC4C BA97A4ED
Fingerprint SHA1: 78DEAE7E ACC12F15 1DFB4EB8 7FC DC6F3B7E 00138
State:
Generated keys... Yes (general purpose, not exportable)
Authenticated issuing certification authority... Yes
Request certificate (s)... Yes

Cisco-ca #sh crypto pubkey-door-key rsa
Code: M - configured manually, C - excerpt from certificate

Name of code use IP-address/VRF Keyring
C Signature name of X.500 DN default:
CN = firm-cu
DC = company
DC = local

C signature by default cisco-vpn1

IMPORTANT: I don't have a Cisco IOS Software: 12.4 (5), 12.3 (11) T08, 12.4 (4.7) PI03c,.
12.4 (4.7) T - there is error in the cryptographic module.

Hey guys, it's weird that the router is not find cert after IKE is the cert and validates, it is certainly not reason, but I would go ahead and set up the mapping of certificate on this router to force the client to associate with Group of IKE, for that matter, that you need to change your config a bit for use iskamp profiles :

http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t8/feature/guide/gt_isakp.html

Order of operations NAT on Site to Site VPN Cisco ASA

Hello

I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:

Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.

But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.

inside_map crypto 50 card value transform-set ESP-3DES-SHA

tunnel-group 100.1.1.1 type ipsec-l2l

tunnel-group 100.1.1.1 General-attributes

Group Policy - by default-PHX_HK

IPSec-attributes tunnel-group 100.1.1.1

pre-shared key *.

internal PHX_HK group policy

PHX_HK group policy attributes

VPN-filter no

Protocol-tunnel-VPN IPSec svc webvpn

card crypto inside_map 50 match address outside_cryptomap_50

peer set card crypto inside_map 50 100.1.1.1

inside_map crypto 50 card value transform-set ESP-3DES-SHA

inside_map crypto 50 card value reverse-road

the PHX_Local object-group network

host of the object-Network 31.10.11.10

host of the object-Network 31.10.11.11

host of the object-Network 31.10.10.10

host of the object-Network 31.10.10.11

host of the object-Network 31.10.10.12

host of the object-Network 31.10.10.13

host of the object-Network 10.17.128.20

host of the object-Network 10.17.128.21

host of the object-Network 10.17.128.22

host of the object-Network 10.17.128.23

the HK_Remote object-group network

host of the object-Network 102.1.1.10

inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local

outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255

public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255

public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255

public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255

He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:

the PHX_Local1 object-group network

host of the object-Network 31.10.10.10

host of the object-Network 31.10.10.11

host of the object-Network 31.10.10.12

host of the object-Network 31.10.10.13

No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote

inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote

Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.

Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.

Thank you

Kind regards

Thomas

Hello

I think you could have said the original question in a way that could be missleading. In other words, if I understand now.

From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.

Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.

If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.

Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.

You have these guests who were not able to use the VPN L2L

31.10.10.10 10.17.128.20

31.10.10.11 10.17.128.21

31.10.10.12 10.17.128.22

31.10.10.13 10.17.128.23

IF you want them to go to the VPN L2L with their original IP address then you must configure

object-group, LAN

host of the object-Network 10.17.128.20

host of the object-Network 10.17.128.21

host of the object-Network 10.17.128.22

host of the object-Network 10.17.128.23

object-group, REMOTE network

host of the object-Network 102.1.1.10

inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote

outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

IF you want to use the L2L VPN with the public IP address, then you must configure

object-group, LAN

host of the object-Network 31.10.10.10

host of the object-Network 31.10.10.11

host of the object-Network 31.10.10.12

host of the object-Network 31.10.10.13

object-group, REMOTE network

host of the object-Network 102.1.1.10

outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.

Or you can of course use the same "object-group" as currently but change the content in an appropriate manner

Be sure to mark it as answered if it was answered.

Ask more if necessary

-Jouni

PPTP VPN or IPSEC for Android and iPAD

Being new on the RV180 (and routers VPN besides) I had trouble getting a VPN's, supporting my iPad and Android devices. However, I understand that an IPSEC connection would be a safer sollution. Unfortunately I can't find a clear statement anywhere to do it.

I found descriptions/parameters in the different RV180 of the setting of the (few) in mobile platforms. So far not managed to get the installation program.

Little help to start would be great!

Thank you very much.

Ronald

Hello Robert.

My name is Chris and I work at the Cisco Small Business Support Center.

The PPTP option will be much easier to install, and most devices have a built-in capability of PPTP.

The RV180 supports the IPSEC tunnels, but only for links from site to site or a remote user with the client software. Some of the other features of our support SSL VPN connections, which would allow you to use the Cisco Anyconnect client available for android, but SSL VPN is not a characteristic of the RV180.

On my Android (Droid X running Android 2.3.4) phone he built in VPN, IPSEC and PPTP client. Yours is probably as well, but if not there should be a few apps available.

If you decide to go with PPTP you can configure it like this on the RV180:

1. go to the router admin page and click on VPN > IPsec > VPN users.

2. check the box to enable the PPTP server.

3. complete the range of internal addresses for your customers to use PPTP (192.168.1.200 - 192.168.1.210 for example)

4. click on save.

5. Once you click on save, you should be able to edit the table of parameters of VPN client.

6. click on add, check enabled, enter a user name and password for the PPTP user to use and for the protocol type, select PPTP.

7. click Save to add the user.

Once this is done, you should be able to go into the settings on your Android device and add a VPN for PPTP connection. Fill in the same information you setup of the RV180 and you should be able to connect.

The server address will be the WAN IP of your RV180.

As far as IPSEC goes, the process is similar but a little more complicated.

1. on the router admin page go to VPN > IPsec > Basic VPN configuration.

2. choose the VPN client for peer type.

3. name connection (it is used on the router)

4. choose a pre-shared key to be used with this connection.

5. for remote WAN IP address, you can leave the default remote.com

6. for the Local gateway Type, you'll want to choose IP

7. to Local WAN IP select IP and enter the IP address of the RV180 (WAN IP)

8. for LAN Local, enter the local network for the RV180 ID (default is 192.168.1.0)

9. to the Local LAN subnet mask enter 255.255.255.0

10. click on save.

The steps above create a VPN IPSec tunnel using the default values of the router, which you can view by clicking on default settings under VPN > IPSEC.

Now you just set your phone. On my phone, I have an option for Advanced IPSEC VPN, but yours may be different, or you may need to use an application like a customer, if your phone does not have built-in IPSEC VPN.

On my Droid X, I want to go wireless and networks, VPN settings, Advanced IPSEC VPN, add a new virtual private network.

My phone uses models of connection, so be sure to choose one that fits your tunnel on the RV180 parameters.

Enter the RV180 WAN IP address as the VPN server, as well as the pre-shared key, install you on the RV180.

Make sure that all connection settings that you have configured on the RV180.

You will also be asked for an internal subnet IP address, and for this, you must enter the Local LAN and subnet mask, that you configured on the RV180 in steps 8 and 9 above.

I wish I could be more specific, but it seems that there are several different menus and options depending on what Android phone using your.

I hope that this helps, but if not feel free to respond and I'll try to explain.

enabling remote vpn Cisco asa

Dear team,

I have a Cisco asa firewall, I would enable remote vpn (ssl vpn or customer).

Please check the joint view version and suggest which are missing or need to enable them.

Therefore, I will obtain concrete results and enable VPN.

concerning

SecIT

With the license and the software version you have, you can only run the existing IPsec VPN client.

To run AnyConnect SSL VPN client-based, you must acquire a license AnyConnect Essentials. For your platform that would be L-ASA-AC-E -5550=. (Clientless SSL VPN would be a different reference number.)

I also suggest upgrading your system beyond 8.2 software (2) the current recommended release would be 9.0 (3). (9.1 (5) is the last on the 5550.)

Clientless vpn cisco asa

All,

I use the cisco ASA 5500 vpn device, and I need a specific configuration where clients vpn (vpn without customer) would authenticate in an external radius server.

My problem is that I need to do different bookmarks for different users, so how can I do if my clients are not in the local database? (I do not even have accounts configured on the cisco device), DAP would be the solution?

TKS in advance

You are absolutely right. You can configure DAP to make specific bookmarks according to which the user connects via the WebVPN (Clientless SSL VPN).

Client VPN CISCO 857

Hello

I would like to know if CISCO 857 allows customers of Cisco VPN remote apart from site to site VPN software. I have heard that all cable cisco VPN devices allow connections to cisco VPN client software, is it true?

Thanks a lot for your help

Juan Manuel

Juan,

Let me explain a little further in order to clarify some of the terminology used, which could lead to confusion.

Router Cisco VPN may terminate the following types of tunnels.

Lan to Lan tunnels has.

b. dynamic tunnels of Lan to Lan

c. connections from VPN clients

d. ends for easy VPN clients

a & b are very similar

c & d are very similar

except - option c uses VPN (software) clients installed on the PC or MAC systems

Option d, material uses to connect to the IOS routers. You can use a router or a PIX firewall or a 3002 or ASA to connect to the Cisco router that would act as an IOS Easy VPN server. But the device to connect to the easy VPN server is called an easy VPN client.

Hope that explains the terminology a little more in detail.

To answer your question, safety feature Easy VPN client and server support.

And what you're trying to accomplish is option c. Thus, security feature option should work well for you.

Hope that explains your queries.

The rate of this post, if that helps!

Thank you

Gilbert

Client VPN to ASA

Hello

We have a firewall Cisco 5505 and installation work VPN through the firewall, which Cisco vpn client, should download us for our users to have the right customer on their computer desktop/latops.

Thank you

While the Cisco's VPN IPsec client is compatible with the ASA 5505, this product is end-of-sales and eventually be completely abandoned (end of support). (reference)

New remote VPN (IPsec or SSL) access should use the AnyConnect Secure Mobility client. (data sheet) You should have the essential AnyConnect bought and activated to support customers of license (at least). (reference) The part number (if you do not already) is L-ASA-AC-E-5505 = (cost less USD $100).

If you want to use clientless SSL VPN, you must purchase the AnyConnect Premium license. That option is authorized by user levels (25, 50, etc.)

'show version' on your device will display your current level of license, among other things.

False claims RADIUS of customer VPN Cisco ASA 5510

Hello world

I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) and AD.

Each time, when the client connects, ASA 2 RADIUS requests questions, correct first - which is successfully authenticated by FAC and immediately - second that always fails. I couldn't find information related to this strange behaivor. Function "Double Authentication" (more sympathetic to his name) is only accessible to Anyconnect customers who we do not. When I'm authenicated by using password group, there is only one query RADIUS.

What is the source of such behavior?

The negative impact is that my logs are filled with the failed authentication attempts fallacious and users are incrementig attempts failed in the AD meter.

Debugging of ASA:

-First application-

RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

-The second request-

RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

GBA debug:

-First application-

AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

-The second request-
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

The ASA config:

Crypto ikev1 allow outside
Crypto ikev1 allow inside
IKEv1 crypto ipsec-over-tcp port 10000
life 86400
IKEv1 crypto policy 65535
authentication rsa - sig
3des encryption
md5 hash
Group 2
life 86400

!

internal Cert_auth group strategy
attributes of Group Policy Cert_auth
client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list aclVPN2
the address value vpnpool pools
rule of access-client-none

!

attributes global-tunnel-group DefaultRAGroup
address (inside) vpnpool pool
address vpnpool pool
authentication-server-group RADIUS01
authorization-server-group RADIUS01
authorization-server-group (inside) RADIUS01
Group Policy - by default-Cert_auth

!

RADIUS protocol AAA-server RADIUS01
AAA-server host 10.2.9.224 RADIUS01 (inside)
key *.
RADIUS-common-pw *.
AAA-server host 10.4.2.223 RADIUS01 (inside)
key *.

Hello

It is a 'classic' error and has nothing to do with dual authentication, but rather with the fact that you do both radius and authorization of RADIUS authentication.

If you remove this line:

authorization-server-group RADIUS01

you will see that it starts to work properly

In short: when ASA no authorization of RADIUS, it sends a request to access radius with the username as a password, that's why you see the second application fails all the time.

This is because the RADIUS authorization is intended to be used when authentication happens using certificates (only) so there is no password.

Also note that within the RADIUS protocol, authentication and authorization are not separate things, both occur in a single step. So if the ASA makes the radius authentication, he already gets the user attributes in the authentication step and it makes no sense to also make a separate authorization stage (except in a few very rare scenario where you have 2 radius servers, one for authentication and another for permission).

HTH

Herbert

Customization of SSL VPN Cisco ASA version 8

Is there a way to customize the appearance of the SSL VPN? To change the features of the ASA custmization? To change the total look of the portal page the way we like it and not the Cisco default settings? For example, the RDP plugin has always display the help text on the right side, and we would like to show different text in this area. We were able to change it but could not import to the area of the asa.

Import of SSL vpn customization ASA is not possible. Impossible also to change the appearance of the portal page.

Remote access VPN Cisco ASA

Hello!

I have 9.1 (3) version of Cisco ASA with remote access VPN set UP on the outside interface. When the user connects to the Internet on the outside interface, it works well. My goal is to allow the connection of all other interfaces (inside the dmz and etc.) to the outside interface. Cisco ASA allows to do? Order to packet - trace output is less to:

MSK-hq-fw1 # packet - trace entry inside tcp 10.10.10.1 14214 1.1.1.2 443

Phase: 1

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

developed 1.1.1.2 255.255.255.255 identity

Phase: 2

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

developed 1.1.1.2 255.255.255.255 identity

Result:

input interface: inside

entry status: to the top

entry-line-status: to the top

the output interface: NP identity Ifc

the status of the output: to the top

output-line-status: to the top

Action: drop

Drop-reason: (headwall) No. road to host

Hello

Well, you can of course turn VPN on other interfaces, but to be honest, I never even tried to set up the VPN it otherwise than of multiple multiple external interfaces in the case of the ISP and in this case only for testing purposes.

Some things related to the ASA are well known but not well documented.

The official document that I can remember: this is the following (which only refers to this limitation regarding the ICMP)
```
Note 
For  security purposes the security appliance does not support far-end  interface ping, that is pinging the IP address of the outside interface  from the inside network.
```
Source (old configuration guide):

http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa71/configuration/guide/conf_gd/trouble.html#wp1059645

-Jouni

NAT/VPN Cisco ASA

Hello

I have a question on a Cisco ASA.

We strive to set up a VPN connection with a provider of our using the 172.16.1.0/24 subnet now that they already have another customer using 172.16.1.0/24, then NAT traffic on a different subnet before connecting to the provider. Is this possible? If yes how can I configure something like this?

172.16.1.0/24 is also used to access the internet.

That's what I have right now:

!

internet_cryptomap_2 to access ip 192.168.0.0 scope list allow 255.255.252.0 (subnet provider)

!

card crypto internet_map1 3 match address internet_cryptomap_2

internet_map1 crypto map peer set 3 (IP address of provider)

internet_map1 crypto map 3 the value transform-set tubis-transformset

internet_map1 crypto map 3 the value reverse-road

!

This VPN works, but only for the subnet listed in the cryptomap_2 unfortunately, I can't use 172.16.1.0/24 for this.

Anyone has any ideas how to solve this problem?

Kind regards

Tom

Yes, you can...

Assuming you want to 172.16.1.0/24 NAT to 10.16.1.0/24 when accessing the provider subnet 192.168.0.0

access list static-nat-to-vendor permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.252.0

public static 10.16.1.0 (inside, outside) access static-nat-to-provider list

access extensive list ip 10.16.1.0 internet_cryptomap_2 allow 255.255.255.0 192.168.0.0 255.255.252.0

Assuming you have ASA 8.2 or lower.

Otherwise, ASA 8.3 or higher:

network object obj - 172.16.1.0

subnet 172.16.1.0 255.255.255.0

network object obj - 10.16.1.0

10.16.1.0 subnet 255.255.255.0

network object obj - 192.168.0.0

Subnet 192.168.0.0 255.255.252.0

NAT (inside, outside) source static obj - 172.16.1.0 obj - 10.16.1.0 destination static obj - 192.168.0.0 obj - 192.168.0.0

How to export a client certificate on Firefox for Android?

In the process of registration on www.startssl.com a client certificate was added to my Firefox for Android.
Now I want to save this client certificate, but I don't know how I could export it to the mobile version.

I would also like to use this certificate on my Firefox Desktop, is it possible?

Thanks for any help!

HI SumoAlex,
Thank you for your question. I apologize for being a little late in coming in responses. If we are unable to find an answer, please post your question again once.

I understand that you would like to know how to export the client certificate to the Android and also use it on the desktop.

IT may not work on the desktop, but I don't know that you can turn on remote debugging in Firefox. The cert.db on the desktop stores all certificates. (is it the same on the Android device?)

Try the Cert Manager add on for Firefox for Android. Ref stackoverflow.com

I hope this helps.

Client VPN CISCO ASA for Android

Similar Questions

Maybe you are looking for