VPN Concentrator to ASA conversion question

I sent our VPN3k config to the Cisco TAC and had it converted to ASA format.  A major problem that I see is that the concentrator has a group name (equivalent to a tunnel-group on the ASA) with spaces in it, and this does not work on the ASA.  Our primary RA VPN group is 'All staff'; in the converted config it's "All_Staff", and I don't think that is going to work for users with the existing VPN client configuration file.

We have hundreds of users; a new config file, or trying to explain how to fix this manually, is out of the question.  Are there any other workarounds?

Thank you.

Try renaming the group to "All staff" (including the quotation marks!)

so

tunnel-group "All staff" type remote-access

HTH

Herbert

Tags: Cisco Security

Similar Questions

  • VPN Concentrator GUI access?

    We have a VPN Concentrator 3030 with software version 4.7.2.J. We used to manage it through the graphical interface over HTTPS. The problem now is that we are not able to use HTTPS (on the private interface) to manage the concentrator through the GUI. However, the device accepts telnet to port 443 and is also accessible by telnet. We have also restarted the unit twice.

    Is this some sort of BUG or something misconfigured?

    Here is some information for you on this issue.  I think you have to re-generate the certificate on the concentrator.  HTH

    https://supportforums.Cisco.com/docs/doc-1455

    http://www.Cisco.com/en/us/customer/products/HW/vpndevc/ps2284/products_administration_guide_chapter09186a008015ce36.html#1882932

  • VPN Concentrator 3020 - waiting for users to disconnect before shutdown

    Dear Forum community!

    We have a Cisco VPN Concentrator 3020 load-balancing cluster configured, with the device at the main site having the highest priority. We would like to shut down the master device for a short maintenance.

    I wonder if there is an option in the VPN concentrator GUI to wait for all active sessions to end voluntarily before the shutdown/restart. Does anyone have experience with this feature?

    There are still about 80-100 remote access VPN users online and we don't want to break these users' connections with a simple power-off.

    Thank you and BR

    Belabacsi

    Budapest, Hungary

    I just wanted to clarify two things.

    I always save my configuration file before restarting.  That's why I restart without saving the changes. I think my wording could mislead.

    If you require your clients to re-authenticate the VPN session after a period of time, for example 10 hours, the VPN session will be moved to another member of the cluster when the session is authenticated again.  Each client must re-establish the VPN session on another concentrator in the cluster.   If you do not use this feature, you will need to wait until each of them ends its VPN session.

  • VPN Concentrator access from the internal network

    We have a 3000 Concentrator configured with remote access VPN on it. Once a user is connected to the VPN, the whole inside network is allowed. It sits behind firewalls. I can access it from an external IP.

    But I can't log in to the VPN from the inside network. I can ping the public interface, but when I try to log in from the client, the server log shows no records for my IP.

    Why can't I connect from the inside?

    Thank you

    Internal network = VPN Concentrator = FW = outside

    Why are you trying to VPN from the inside? The purpose of the VPN is to encrypt the traffic between your PC, over the Internet, and the VPN concentrator; once the traffic arrives at your VPN concentrator it is decrypted and goes in the clear to your internal network.

    So what is the purpose of attempting to connect from the internal network?

    The reason it does not work is routing. You are on the internal network, so the traffic goes out to the firewall and comes back through the same firewall to connect to the public interface of the VPN concentrator, which is why it does not work. And if the goal is access to the internal network, you are already inside the network, which complicates things, as your IP pool would then have to be routed to the inside.

    Hope that makes sense.

  • VPN Concentrator config to ASA

    Hello;

    Is there a document (or documents) that describes the steps to migrate a VPN Concentrator configuration to the ASA?

    Thank you

    I think there may be another link, but I'm not sure; I don't remember seeing any other.

    http://www.Cisco.com/en/us/docs/security/ASA/asa70/vpn3000_upgrade/upgrade/guide/migr_vpn.html

  • Urgent question about loading a boot image file on a VPN 3030 Concentrator

    Hi Netpros,

    I really hope someone can help me with this URGENT matter. I have an upgrade in 12 hours. Reading the Cisco documentation, I also need to upgrade the boot image file. Here's my question... the Cisco image file name is vpn30xxboot-4.0.Rel.hex, but the VPN concentrator only accepts 8.3 file names, i.e. the BOOT.TXT format... so the question is, is it OK to just keep the same .hex extension without damaging the file... that is, name the file BOOT-4.hex... your comments are very much appreciated...

    Fernando,

    Take the '-' out and just name it BOOT40.hex

    What type of concentrator? If it's a 3005, you wouldn't need a boot code upgrade.

    A boot code upgrade is needed if memory is upgraded from 256 to 512 MB - just FYI.

    Good luck in your upgrade.

    Cheers

    Gilbert

  • Cisco VPN 3060 - Cisco ASA conversion

    We are about to embark on moving all L2L and network extension (Cisco ASA 5505s) tunnels from the Cisco VPN 3060 concentrator to a Cisco ASA 5520.

    We would like to see if there is a simple method to do this, such as a converter?  Also, are there any lessons learned?  We run 8.4.3, so we know that the NAT configuration has changed.  Can the 3060 configuration be changed in any way to help in configuring the ASA?

    Thank you

    Dwane

    Thank you for your understanding Dwane.

    Please mark this message as answered.

    Good day.

  • Question about the connection of an ASA VPN client

    Hi guys,

    I have a question about VPN tunneling. I have an ASA 5505 with a static PPPoE external address and local network 192.168.202.0/24, operating as an EasyVPN server. On the other side is another ASA 5505 with a dynamic PPPoE outside interface, acting as an EasyVPN client in client mode. Its internal network is 192.168.1.0/24.

    It works very well! But now I created another user who uses the EasyVPN client software to connect to the EasyVPN server. This works as well.

    But how can I reach the client network 192.168.1.0/24 from the other connections on the ASA?

    Please give me a hint.

    "But how can I reach the client network 192.168.1.0/24 from the other connections on the ASA?"

    Yes, if you set the split tunnel ACL correctly you should be able to connect to the remote client ASA.

    Please follow the split tunnel configuration method from the Cisco doc, at the bottom of the link.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

    Please rate helpful posts.

    Thank you

    Rizwan James

  • Moving 3000 VPN Concentrator L2L tunnels to ASA

    Hello

    We are migrating 450 LAN-to-LAN VPNs from a VPN concentrator to an ASA5500. Is there a reasonable way to do it? If I remember correctly, the configuration file for the VPN concentrator is XML, and it is not trivial even to read the config for each VPN. If it took, say, 15 minutes per VPN, that's estimated at about three man-weeks of work!

    Patrick,

    I hope the post below helps.

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=security&TopicId=.ee6b2b8&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1b2c5/6#selected_message

    Kind regards

    Arul

    * Please rate all useful posts *

  • ASA VPN access and Cisco ISE admin access

    Hello

    Currently I'm deploying an AnyConnect VPN solution for my client on ASA 9.2(3). We use ISE 1.3 to authenticate remote users.

    In the policy set conditions, I put the condition as below.

    Policy name: Anyconnect

    Condition: DEVICE:Device Type EQUALS Device Type#All Device Types#Dial-in access AND
    RADIUS:NAS-Port-Type EQUALS Virtual

    I'm authenticating users against the AD.

    I am also restricting users based on group membership in the authorization policies, using the OU attribute.

    This works as expected for remote users.

    We also use ISE to authenticate administrators connecting to the firewall. Now what happens is that the Cisco ASA administrator logins are also validated against the policy named Anyconnect by default.

    Now the question is how to set up different policy requirements for network admin access and VPN user access on the same firewall.

    Any suggestions on this would be a great help.

    Cheers,

    Sri

    You can get some ideas from this article of mine:

    http://ltlnetworker.WordPress.com/2014/08/31/using-Cisco-ISE-as-a-generic-RADIUS-server/

  • Which product is right for SSL VPN: ASA 5505 or Cisco 1841?

    Hello

    I want to set up an external management link so that we can SSH to our Cisco devices and use Microsoft RDP to our servers. This is my configuration (based on what I know):

    Internet > DSL modem > ASA 5505 > management CONSOLE SWITCH > CISCO SWITCH or Windows Server

    or

    Internet > 1841 with DSL HWIC > management CONSOLE SWITCH > CISCO SWITCH or Windows Server

    My questions are:

    Should I go for ASA or 1841 router?

    Which option is better? And will the ASA do the job?

    Is there any pre-sales technical support for these products in Australia? I need technical advice on choosing the right products, not just someone selling me products.

    Hello

    It's strongly suggested to go with the ASA 5505 in the first place; it is intended for the main functionality of an SSL VPN server, compared to the 1841, which has being a VPN server as one feature among others.

    ASDM also gives you the freedom to configure the box on your own according to your requirements.

    Regards

  • ASA VPN injecting a bad route into OSPF when using remote access

    Has anyone ever seen the ASA inserting a bad route for a connection that has been set up with it?  I'll explain more below:

    I'm using Reverse Route Injection. When a remote access IPsec client connects to the ASA, the ASA creates a static route for the remote access client so that the router closest to the ASA can reach this remote access client. This route is redistributed into OSPF. OK, that may be a normal situation. But the problem is, when I ask another participant in this OSPF area for the route to this remote access client, the answer is the router closest to the ASA and not the ASA itself. Does anyone have a solution for this? I tried to create a route-map, but that did not work.

    If I understand your question, my question to you is whether the OSPF route to the remote VPN client is sourced by the ASA or by another device?

    Is the IP address in the place where I wrote ASA_ROUTER_ID the ASA's router ID, or is it the router ID of another device?  What I've listed below is an example of the output of "show ip route".  The value shown as ASA_ROUTER_ID must be the ASA router ID if the route to the VPN client is sourced by the ASA.  Other OSPF routers will then forward packets destined to the VPN client to the ASA.

    #sh ip route 1.1.1.0
    Routing entry for 1.1.1.0/24
      Known via "ospf 1", distance 110, metric 310, type intra area
      Last update from 1.2.2.2 on GigabitEthernet0, 2w ago
      Routing Descriptor Blocks:
      * 1.2.2.2, from ASA_ROUTER_ID, 2w ago, via GigabitEthernet0
          Route metric is 310, traffic share count is 1

  • Site2Site VPN ASA 5505 - allow established traffic

    Hello

    I have an ikev1/Ipsec tunnel between two ASA.

    Network with local 10.31.0.0/16

    The other network with local 172.21.0.0/24

    But I would like that only traffic initiated from 10.31.0.0/16 is allowed to 172.21.0.0/24, and not from 172.21.0.0/24 to 10.31.0.0/16. Is that possible?

    (return traffic to 10.31.0.0/16 from the remote network 172.21.0.0/24 should still be allowed)

    Best regards, Steffen.

    Hello

    If I didn't misunderstand the question above, then I think you might be able to do the following on the ASA with the local network 10.31.0.0/16.

    The ASA has the following global configuration, which is the default if you have not changed it

    sysopt connection permit-vpn

    This does not show up in the CLI configuration, as the above is the default setting.

    You can check this with the command

    show running-config all sysopt

    This will list even the default setting

    What this configuration essentially means is that ALL traffic arriving through a VPN connection is allowed through the ASA interface ACL. So in your case, at the site where the ASA with the network 10.31.0.0/16 is, the ASA would allow connections coming through the VPN from the other site's network 172.21.0.0/24 (as long as they were allowed on the other site's ASA LAN interface ACL)

    What you could do is to insert the following configuration

    no sysopt connection permit-vpn

    What this would do is require you to ALLOW ALL traffic coming through the VPN connection on the 'outside' interface of the ASA (which I suppose is the name of your current interface that handles VPN connections). In other words, the VPN traffic would not get a "free pass" through the 'outside' interface ACL; instead you must allow it like all other traffic from the Internet.

    If you decide to do this, then you MUST CONSIDER the following. If you have other VPN connections, such as other L2L VPN or VPN Client connections, THEN you must first allow their traffic in your 'outside' interface ACL towards the ASA's LAN. If you don't, and you insert the configuration above, you will notice that their traffic starts to get blocked by the 'outside' interface ACL (or, if you don't have an ACL configured, the ASA's 'security level' will naturally block the traffic in the same way an ACL would)

    So if we assume that the L2L VPN is the only VPN connection you have configured on the ASA with 10.31.0.0/16, then the following would happen.

    • Hosts in the network 10.31.0.0/16 would be able to open connections to the remote network 172.21.0.0/24, provided the LAN interface ACL allows this traffic
    • Return traffic for these connections would of course be allowed by the ASA, like for all other traffic.
    • IF there are incoming connection attempts to the 10.31.0.0/16 network from the 172.21.0.0/24 network, they would be blocked unless you ALLOW them in the 'outside' interface ACL

    Hope this made sense and helped

    Consider marking the reply as the answer if it answered your question.

    Naturally ask more if necessary

    -Jouni
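    The configuration Jouni describes, written out as an added example (this is not from the original post): the default sysopt setting beside the changed one, plus an 'outside' ACL that lets the remote site in only where explicitly listed. The ACL name OUTSIDE_IN and the VPN client pool 192.0.2.0/24 are assumptions for illustration; the two site networks are the ones from the question.

```cisco
! --- Default behaviour. It is not printed by "show running-config"; check it with
! "show running-config all sysopt". Decrypted VPN traffic bypasses the interface
! ACL, so 172.21.0.0/24 can open connections into 10.31.0.0/16.
sysopt connection permit-vpn

! --- Change: decrypted VPN traffic now has to pass the 'outside' interface ACL.
no sysopt connection permit-vpn

! 'outside' ACL (name OUTSIDE_IN is assumed). Connections opened from
! 10.31.0.0/16 towards 172.21.0.0/24 enter on the LAN interface, and their
! replies are matched by the ASA's stateful connection table, so they never
! need an entry here. Connections initiated from 172.21.0.0/24 hit this ACL
! and are denied (and logged) because nothing permits them.
access-list OUTSIDE_IN extended deny ip 172.21.0.0 255.255.255.0 10.31.0.0 255.255.0.0 log

! Any other VPN peer that must still initiate into the LAN has to be listed
! explicitly once sysopt is off; here an assumed VPN client pool 192.0.2.0/24.
access-list OUTSIDE_IN extended permit ip 192.0.2.0 255.255.255.0 10.31.0.0 255.255.0.0

access-group OUTSIDE_IN in interface outside
```

    Add the permit entries for the other VPN peers before entering "no sysopt connection permit-vpn", so their traffic is never blocked in between. If an 'outside' ACL already exists for Internet traffic, these lines are simply appended to it and the ACL is already applied with access-group.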

  • ASA 5520 VPN tunnels (DMZ + INSIDE) to OUTSIDE

    I can't find any reference to this anywhere else.

    We have an ASA 5520 at our HQ site (inside network) with several regional subnets on the DMZ interface.

    We need site-to-site VPN connectivity between the INSIDE and a remote site on the OUTSIDE, as well as between the DMZ subnets and that same outside site. The OUTSIDE interface of the ASA must be the local VPN endpoint for all tunnels.

    I created an S2S VPN between the INSIDE and the OUTSIDE site and it works great.

    When I create an S2S VPN tunnel between a DMZ site and the same outside site (using the same local and remote settings, but with a different crypto map entry because the local subnet (DMZ) is different from the inside subnet), the traffic gets matched (show crypto isakmp sa) to the same crypto map entry that was created for the INSIDE-to-OUTSIDE tunnel instead of the new one, so the remote endpoint drops it, and the traffic also causes invalid SPI errors at the remote endpoint, which makes the original INSIDE-to-OUTSIDE VPN tunnel drop from time to time.

    Is this a bug?

    I also tested a local S2S VPN tunnel configuration with the networks as both INSIDE and DMZ. Using the S2S VPN wizard, the ASA only creates a NAT exemption rule for the subnet on the INSIDE interface. Can I manually create another NAT exemption rule on the DMZ side and use this single S2S tunnel to connect both the inside and DMZ sites to the remote OFF-SITE in one connection profile?

    Am I building a Rube Goldberg machine?

    Thank you

    George

    Hi George,

    It seems you have an overlapping situation there; are you sure that the inside subnets do not overlap with the networks in the DMZ?  A packet tracer could clarify what the ASA is actually sending.

    In addition, you can merge the two interfaces in the same crypto map if you wish, just make sure that NAT is configured correctly.   For example: Source NAT (any,outside) static...

    Hope it helps

    -Randy-

  • Slow when connected via AnyConnect VPN, ASA OS 9.0

    Hi guys

    My users are complaining that they experience slowness when connected via AnyConnect VPN to ASA OS 9.x; a 5 MB file takes roughly 15 minutes for them, even though these users also have a broadband connection at their place

    Any insight, guys?

    Thank you

    Hi Ibrahim.

    My first suggestion to you is to follow the Cisco recommendations related to latency problems.

    ! <group-policy-name> is a placeholder for the group policy your AnyConnect users land in
    hostname(config)# group-policy <group-policy-name> attributes
    hostname(config-group-policy)# webvpn
    hostname(config-group-webvpn)# svc dtls enable
    hostname(config-group-webvpn)# svc df-bit-ignore enable
    hostname(config-group-webvpn)# svc routing-filtering-ignore enable
    hostname(config-group-webvpn)# svc mtu 1200
    hostname(config-group-webvpn)# svc compression none

    (on newer versions, you can use the command "anyconnect" instead of "svc")

    If after this the problem persists, please let me know when is a good time to reproduce the problem and collect the logs, debugs and captures. I also need the current configuration of the ASA ("show tech" in a txt file)

    Kind regards

    Aditya

    Please rate useful posts.
