DHCP relay for SSL VPN users (ASA)

I have an ASA 5520 VPN endpoint. In front of the ASA there are firewalls which translate the public IP address to a private one and pass the SSL traffic to the ASA. I have configured DHCP relay so that the users get their IP address from the DHCP server on Windows Server:

dhcprelay server 10.100.2.101 inside

dhcprelay enable vpn

dhcprelay setroute vpn

and it does not work. With the local pool it works fine. Should I do something else? When I turn on debugging there is no activity at all.

Are you trying to assign the IP address to the SSL VPN client using the DHCP server?

If so, you don't need the commands contained in your message.

Basically, you need to set dhcp-server in the tunnel-group and dhcp-network-scope in the group policy.

Here is an example for the IPsec client. The setup must be the same.

http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
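As an added illustration (not part of the original thread), here is what the answer describes in ASA configuration form. The DHCP server 10.100.2.101 is the one from the question; the names SSLVPN-GP and SSLVPN-TG and the scope address 10.100.50.0 are assumed.

```cisco
! Added example, not from the thread. The dhcprelay lines from the question are
! not needed: for VPN peers the ASA itself requests the lease from the DHCP server.
!
! DHCP as an address-assignment method (on by default, shown for clarity)
vpn-addr-assign dhcp
!
! Group policy: dhcp-network-scope is sent to the DHCP server as the scope
! selector, so it must be an address inside the scope that 10.100.2.101
! serves for VPN clients. 10.100.50.0 is an assumed value.
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol ssl-client
 dhcp-network-scope 10.100.50.0
!
! Tunnel group: dhcp-server points at the Windows DHCP server from the question.
! The request leaves the ASA on the interface facing that server, so the server
! needs a route back to the ASA inside address for its reply.
tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
 dhcp-server 10.100.2.101
 default-group-policy SSLVPN-GP
!
! Remove the relay configuration from the question; it plays no part here.
no dhcprelay setroute vpn
no dhcprelay enable vpn
no dhcprelay server 10.100.2.101 inside
!
! Verification: the assigned address of a connected client appears here,
! and the lease should show up on the Windows DHCP server in the chosen scope.
show vpn-sessiondb
```

If no lease arrives, the first things to check are that the scope matching dhcp-network-scope exists on the server and that nothing between the ASA inside interface and the server drops UDP/67.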

Tags: Cisco Security

Similar Questions

  • Same license for different ASA SSL VPN

    Hello

I have an ASA5510 running SSL VPN with a license installed. I want to replace it with a new ASA5510 without an SSL VPN license. Is it possible to copy the license from my old ASA? Can I order a different license for my new box?

    THX

    Iwan

    A new license is required.

The license key is created based on the serial number of the device.

    Gilbert

    -Rate, if it helps-

  • Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password

    Hello

Now, my ACS and ASA are linked by RADIUS (MSCHAPv2). I've set up password lifetime on ACS and password management on the ASA. But the Cisco ASA did not prompt for a change or notify anything when the user tries to log on with Clientless SSL VPN. Could you advise me on what to change so that it changes or notifies about the expired password?

    PS.

I checked "change password on first login" on ACS, and this brings up the ASA's change password dialog box. But I want it to change or warn when the password has expired.

    Thank you

By default the password is marked as disabled after expiry.

    I think that there is an improvement for this in the 5.2.0.26.2 patch and above, which includes the following:

CSCtk32168: Add an option to change the password when the password expires (T+ and RADIUS)

After you install this patch, you get an option in the user authentication settings:

    -Disable the user account

    -Expire the password

when the expiration period is exceeded.

If the password is expired, the user will be asked to change the password at the next authentication.

Note the latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative.

  • ASA SSL VPN with RSA authentication

Has anyone implemented SSL VPN on an ASA device using remote SecurID tokens? The data sheets indicate native RSA can be used for authentication, but does this work with SSL VPN?

    Thank you

    Try this link

    http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html

  • ASA SSL VPN

Is SSL VPN a reliable, efficient and safe option for traffic from internet users on e-commerce sites where there may be 2000 user sessions per second from all over the world?

    Thank you.

In my opinion, SSL is reliable, efficient and safe; if not, banks around the world would not use it for online banking.

HTH

  • ASA5505: Configure the ASA for IPSec and SSL VPN?

    Hello-

I currently have my 5505 set up for SSL AnyConnect VPN connections. Is it possible to also set up the 5505 for IPSec VPN connections?

    So, basically my ASA will be able to perform SSL and IPSec VPN tunnels, at the same time.

    Thank you!

    Kim,

Yes, you can configure your ASA to support AnyConnect and IPSec VPN connections at the same time. In short, for the IPSec configuration you should configure at least an ISAKMP policy, an IPsec transform set, a crypto map, a tunnel group and the associated group policy.

    Matt

  • Cisco ASA (SSL VPN)-based user portal?

    Hi all

I am looking for a solution where different portals (WebVPN) can be assigned to different users.

    For example:

- user 'test1' connects and sees "portal-1".

- users "test2" and "test3" connect and see "portal-2".

I know it can be done with an alias for each portal entry, but I want a solution that is transparent for the user (such as the Juniper SA2000).
In addition, it should be possible to authenticate via RADIUS (no local authentication on the ASA).

Has anyone done such a setup?

    Thank you

    Norbert

    Hello

Use RADIUS attribute 25 (it's called 'Class') and set its value to OU=MyVPNGroupPolicy, where MyVPNGroupPolicy is the name of your group policy on the ASA.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • Multi frame ASA SSL VPN Question

    Hello

We have a pair of firewalls on which we run multiple contexts for clients. We have recently upgraded them and have been using the new AnyConnect client support. This all works fine, but I feel I'm missing something. If the customer does not have the AnyConnect client already, how do they get it? Normally you go to the web page and it will download the client, but all I get is "Clientless VPN is not supported in multiple context mode.", which is fine, but how is the customer supposed to get the client in the first place?

    Any information would be helpful.

    Chris L.

    Hi Chris,

The AnyConnect WebLaunch feature is not supported on an ASA running in multi-context mode.

There is an enhancement request that has been opened to allow this, as well as other features, while the ASA is in multi-context mode. Here is the link you can refer to:

    https://Tools.Cisco.com/bugsearch/bug/CSCuw19758/?reffering_site=dumpcr

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • ASA SSL VPN problem with 8.2 (2)

    Hello everyone,

I have a couple of ASA 5520s with image 8.2(1) running in active/standby failover mode.

A few months ago, I downloaded 8.2(2) from the Cisco website and loaded it onto the ASAs.
After loading the new image, I was called about problems with
the functioning of an application through WebVPN.

The web app seems to work, but in a read-only mode, because you could not

change the content of the files.

I couldn't find a way to make it work, so I decided to downgrade to 8.2(1),
and as soon as I loaded the old image, the problem disappeared.

Now I see that image 8.2(3) is available.
To avoid the risk of hard work I tested it on a spare 5510, and to my disappointment, I found
the problem was the same.

Is anyone facing such a problem, or can anyone suggest how to solve it?

    Thanks in advance.

    Marco.

Can you please provide more details about which application does not work through the clientless WebVPN interface? Have you tried enabling Smart Tunnel for this application?

  • local access over ssl vpn

    Hello

    Here is the configuration:

(Location A) users - Internet - ASA (SSL VPN) - Location B

Location A users use SSL VPN over the Internet to connect to resources in location B. This works.

However, location A users need access to their own internal network resources in A while they are still connected to the SSL VPN.

So if a location A user is connected to the SSL VPN, they can ping IP addresses in location B, but their own internal network IPs no longer respond to pings.

ASA firmware is 8.0(4).

Please help: how can it be done, and is a different setup needed for this? Do we need to use split tunneling?

    Thanks in advance.

Correct, so instead of tunneling ALL traffic, you only tunnel 154.65.0.0/22:

access-list sslvpnsplittunnel standard permit 154.65.0.0 255.255.252.0

Apply the ACL to the SSL VPN group policy.
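As an added illustration (not from the original reply), this is the group-policy side of the answer above: the ACL name and the 154.65.0.0/22 network are from the reply, the group-policy name SSLVPN-GP is assumed.

```cisco
! Added example, not from the thread. Split tunneling: only the location B
! network goes through the VPN; everything else, including the user's own
! internal network at location A, stays on the local interface.
access-list sslvpnsplittunnel standard permit 154.65.0.0 255.255.252.0
!
group-policy SSLVPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sslvpnsplittunnel
!
! Keep the list to exactly the networks the clients need: every entry added
! here is reachable from a client that also has a foot in its local LAN.
!
! Verification on the ASA: the policy should show the list applied.
show running-config group-policy SSLVPN-GP
```

On the client side, the route table after connecting should show only 154.65.0.0/22 pointing at the VPN adapter, with the default route unchanged.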

  • Firmware 1.4.0.88 for SG300-52 seems to break DHCP relay

My VLANs terminate on my switches, so I use DHCP relay with Option 82 to distribute addresses for the VLAN subnets. After upgrading from 1.3.7.18 to 1.4.0.88, DHCP is no longer being delivered on my VLANs. Does anyone else have this problem?

I'm just setting up DHCP relay for the first time with my SG300-28 on 1.4.0.88 firmware and noticed that the DHCPDISCOVER forwarded by the relay had the same source and destination port (67), while the original DHCPDISCOVER used 68 and 67. In addition, the 1.3.7.18 firmware does not swap these around:

    Excerpts from Wireshark:

1.4.0.88

Original DHCPDISCOVER from the client:

    User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)

    Relayed SG300 DHCPDISCOVER:

    User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)

This seems a bit suspect to me.

    1.3.7.18

Original DHCPDISCOVER from the client:

    User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)

    Relayed SG300 DHCPDISCOVER:

    User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)

I am not sure that this is your problem (it does not solve my problem), but I wanted to point it out.

  • ASA 5520 - SSL VPN (Anyconnect) licenses

    Hello

Can someone clarify for me the SSL VPN/AnyConnect license for the ASA 5520? Specifically, the differences between AnyConnect Essentials and AnyConnect Premium. Our current license looks like this:

    The devices allowed for this platform:
    The maximum physical Interfaces: unlimited
    VLAN maximum: 150
    Internal hosts: unlimited
    Failover: Active/active
    VPN - A: enabled
    VPN-3DES-AES: enabled
    Security contexts: 2
    GTP/GPRS: disabled
    SSL VPN peers: 2
    Total of the VPN peers: 750
    Sharing license: disabled
    AnyConnect for Mobile: disabled
    AnyConnect Cisco VPN phone: disabled
    AnyConnect Essentials: disabled
    Assessment of Advanced endpoint: disabled
    Proxy sessions for the UC phone: 2
    Total number of Sessions of Proxy UC: 2
    Botnet traffic filter: disabled

    This platform includes an ASA 5520 VPN Plus license.

    I guess that means that we have just the 2 'free trial' SSL VPN licenses and nothing else.

I would like to add 25 or maybe 50 SSL VPN licenses and be able to use a combination of clientless, thin client and AnyConnect full client groups. Would the 'ASA5500-SSL-25' (or 50) be the correct license I need to buy?

    Thank you

    Rob

    Hello

    The essentials license is per device and does not allow full-tunnel.

If you need other features like Secure Desktop, clientless SSL and other optional features such as shared licenses, you must go to the Premium license.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

    Federico.

  • Requirements of LDAP for SSL - VPN on ASR 1002

    Hi all

I intend to implement SSL VPN (AnyConnect) on an ASR 1002 router running IOS-XE Software Version 15.1(3)S2.

I need to use LDAP for user authentication and need to understand what the requirements are for using LDAP with RADIUS/TACACS+.

Do I have to use Cisco ACS, or can I use something like Microsoft IAS or FreeRADIUS?

Any help will be greatly appreciated.

    Thank you

    Dmitry.

Yes, you can use either the LDAP, RADIUS or TACACS+ protocols to authenticate SSL VPN users.

You can use any authentication server (it doesn't have to be Cisco ACS), as long as it supports one of the 3 authentication protocols (LDAP, RADIUS or TACACS+).

    Hope that answers your question.

  • Groups without SSL VPN client

Greetings. I currently have an ASA5520 in place running 8.0(2). We have configured a clientless SSL VPN portal that we currently use as a 'test'. The question we are trying to solve deals with the use of groups on the SSL VPN login page. Currently, the ASA is set to authenticate usernames/passwords against a Microsoft Windows 2003 server using IAS (RADIUS). It works very well.

What we want to do is to "lock" the user account to a group alias on the ASA SSL VPN login page. For example, our SSL VPN login page displays two options for 'Group', 'sales' and 'tech'. In its current form, a sales user can select either of the displayed groups and always be authenticated. Is there any way to deny the login if a user does not select the appropriate GROUP in the drop-down menu? It would certainly help to ensure that users choose the right GROUP in the drop-down menu.

    Any information would be greatly appreciated.

    Joe

In order to put the user in the appropriate group, set RADIUS attribute 25 to OU=ASAGroupPolicyName, then try the group-lock control to lock the users to their group.

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/gh_72.html
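As an added illustration (not from either thread), this ties together the two RADIUS answers above: the Class attribute selecting the group policy (the portal question) and group-lock rejecting a user who picks the wrong alias (this question). The names SALES-GP, SALES-TG, TECH-GP, TECH-TG, RADIUS-IAS, the server 10.100.2.50 and the customization names are assumed.

```cisco
! Added example, not from the threads. The RADIUS server (IAS here) must return
! attribute 25 (Class) as "OU=SALES-GP;" for sales users and "OU=TECH-GP;" for
! tech users; that string is Cisco's documented form, including the ';'.
aaa-server RADIUS-IAS protocol radius
aaa-server RADIUS-IAS (inside) host 10.100.2.50
 key <shared-secret-placeholder>
!
! Group policies. The customization gives each population its own portal
! without any alias choice; group-lock ties the policy to one tunnel group,
! so a sales user who selects the "tech" alias is refused.
group-policy SALES-GP internal
group-policy SALES-GP attributes
 vpn-tunnel-protocol webvpn
 group-lock value SALES-TG
 webvpn
  customization value sales-portal
group-policy TECH-GP internal
group-policy TECH-GP attributes
 vpn-tunnel-protocol webvpn
 group-lock value TECH-TG
 webvpn
  customization value tech-portal
!
! Tunnel groups behind the two aliases on the login page.
tunnel-group SALES-TG type remote-access
tunnel-group SALES-TG general-attributes
 authentication-server-group RADIUS-IAS
 default-group-policy SALES-GP
tunnel-group SALES-TG webvpn-attributes
 group-alias sales enable
tunnel-group TECH-TG type remote-access
tunnel-group TECH-TG general-attributes
 authentication-server-group RADIUS-IAS
 default-group-policy TECH-GP
tunnel-group TECH-TG webvpn-attributes
 group-alias tech enable
!
webvpn
 enable outside
 tunnel-group-list enable
```

The returned Class attribute overrides the tunnel group's default-group-policy, so a user whose RADIUS record lacks the attribute falls back to the default of whichever alias they chose; the group-lock check only applies once a policy is assigned.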

  • Disable SSL VPN license

    Hello

I have 2 ASA 5510s and I'm in a pinch, needing to implement a failover ASA. I have a test ASA that I want to put in as the standby firewall in an active/standby scenario, and this ASA has a 10-user SSL VPN license applied. My primary ASA, which I'll pair it with, has only the 2 standard users, and the HA config wizard fails when I run through it. The message I get is "Test of compatibility of the license for many clientless SSL VPN peers has failed." How can I deactivate the 10-user license on my test unit so I can bring it into failover?

Both ASAs have a Security Plus license.

    Thanks for any help,

    Brett

Keep your current activation key; you can reapply it after your tests. Then request a new activation key from [email protected] without the SSL VPN license to test your failover.
