How to match tunnel-group with auth ASA 8.2 and IPSec VPN Client using digital certificates with Microsoft CA
Hello
I set up a lab for RA VPN with a version of the ASA5510 8.2 and VPN Client 5 software using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco's Web site:
Now, the vpn works fine, but now I need to configure a tunnel-different groups so I can provide different services to different users. The problem I have now is that I don't know how to set it up for the certificate is the name of tunnel-group. If I do an ASA debug crypto isakmp I get this error message:
% ASA-713906 7: IP = 165.98.139.12, trying to find the group through OR...
% 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
% ASA-713906 7: IP = 165.98.139.12, trying to find the group via IKE ID...
% 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
% ASA-713906 7: IP = 165.98.139.12, trying to find the group via IP ADDR...
% ASA-713906 7: IP = 165.98.139.12, trying to find the group using default group...
% ASA-713906 7: IP = 165.98.139.12, connection landed on tunnel_group DefaultRAGroup
So, basically, when using certificates I connect always VPN RA only with the group default DefaultRAGroup. Do I have to use a model of different web registration for application for a certificate instead of the user model? How can I determine the OU on the user certificate so that match tunnel-group?
Please help me!
Kind regards
Fernando Aguirre
You can use the group certificate mapping feature to map to a specific group.
This is the configuration for your reference guide:
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/IKE.html#wp1053978
And here is the command for "map of crypto ca certificate": reference
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2186685
Hope that helps.
Tags: Cisco Security
Similar Questions
-
How do I allow IPSec VPN client-to-client
Can someone briefly describe the steps on an ASA to allow both IPSec VPN clients talking to each other. They are in the same pool of addresses. I already have two same-security-traffic permit for inter and intra interface statements. Thank you!
Sent by Cisco Support technique iPhone App
try to including this traffic in the States of sheep you have
Alos, you may need to make changes to the acl split rules
-
PIX and ASA static, dynamic and RA VPN does not
Hello
I am facing a very interesting problem between a PIX 515 and an ASA 5510.
The PIX is in HQ and has several dynamic VPN connections (around 130) and IPsec vpn remote works very well. I had to add a PIX to ASA L2L VPN static and it does not work as it is supposed to be. The ASA 5510, at the remote end, connects and rest for a small period of time, however, all other VPN connections stop working.
The most interesting thing is that ASA is associated with the dynamic map and not the static map that I created (check by sh crypto ipsec his counterpart x.x.x.x). However, if I make any changes in the ACL 'ACL-Remote' it affects the tunnel between the PIX and ASA.
Someone saw something like that?
Here is more detailed information:
HQ - IOS 8.0 (3) - PIX 515
ASA 5510 - IOS 7.2 (3) - remote provider
Several Huawei and Cisco routers dynamically connected via ADSL
Several users remote access IPsec
A VPN site-to site static between PIX and ASA - does not.
Here is the config on the PIX:
Crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
Dyn - VPN game 100 Dynamics-card crypto transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
Crypto dynamic-map Dyn - VPN 100 the value reverse-road
VPN - card 30 crypto card matches the ACL address / remote
card crypto VPN-card 30 peers set 20 x. XX. XX. XX
card crypto VPN-card 30 the transform-set ESP-3DES-ESP-SHA-HMAC-IPSec value
VPN crypto card - 100 - isakmp dynamic Dyn - VPN ipsec
interface card crypto VPN-card outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
access list ACL-remote ext ip 10.0.0.0 allow 255.255.255.0 192.168.1.0 255.255.255.0
Thank you.
Marcelo Pinheiro
The problem is that the ASA has a crypto acl defined between host and network, while the remote end has to the network.
Make sure that the acl is reversed.
-
How to allow access to a local area network behind the cisco vpn client
Hi, my question is about how to allow access to a local area network behind the cisco vpn client
With the help of:
- Cisco 5500 Series Adaptive Security Appliance (ASA) that is running version 8.2 software
- Cisco VPN Client version 5.0 software
Cisco VPN client allows to inject a local routes in the routing table Cisco ASA?
Thank you.
Hi Vladimir,.
Unfortunately this is not a supported feature if you connect through the VPN Client. With VPN Client, that the VPN Client can access the VPN Client LAN host/local machine, not host from the local network to business as customer VPN is not designed for access from the local company network, but to the local corporate network.
If you want to access from your local business to your LAN network, you need to configure LAN-to-LAN tunnel.
-
AAA ipsec vpn clients how to see the history of connection on asdm or asa5510
Hello all, I would like to know how see history of connection ipsec vpn client users, they authenticate to the local aaa, not in active directory. I am able to see the current logon session. go to monitoring\vpn\vpn statistics\sessions, this shows me sessions underway, but I would like to see for example the connections client vpn for the last month. I did some research and saw the info on aaa Server? I checked that article and does not see what I was looking for.
It's actually a called (NPS) network policy server microsoft radius server.
The one I used (ACS 5 and ACS 5) who was just an example.
You can review the below listed doc
http://fixingitpro.com/2009/09/08/using-Windows-Server-2008-as-a-RADIUS-server-for-a-Cisco-ASA/
Jatin kone
-Does the rate of useful messages-
-
Need urgent help in the configuration of the Client VPN IPSec Site with crossed on Cisco ASA5510 - 8.2 (1).
Here is the presentation:
There are two leased lines for Internet access - a route 1.1.1.1 and 2.2.2.2, the latter being the default Standard, old East for backup.
I was able to configure the Client VPN IPSec Site
(1) with access to the outside so that the internal network (172.16.0.0/24) behind the asa
(2) with Split tunnel with simultaneous assess internal LAN and Internet on the outside.
But I was not able to make the tradiotional model Hairpinng to work in this scenario.
I followed every possible suggestions made on this subject in many topics of Discussion but still no luck. Can someone help me here please?
Here is the race-Conf with Normal Client to Site IPSec VPN configured with no access boarding:
LIMITATION: Cannot boot into any other image ios for unavoidable reasons, must use 8.2 (1)
race-conf - Site VPN Customer normal work without internet access/split tunnel
:
ASA Version 8.2 (1)
!
ciscoasa hostname
domain cisco.campus.com
enable the encrypted password xxxxxxxxxxxxxx
XXXXXXXXXXXXXX encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside internet1
security-level 0
IP 1.1.1.1 255.255.255.240
!
interface GigabitEthernet0/1
nameif outside internet2
security-level 0
IP address 2.2.2.2 255.255.255.224
!
interface GigabitEthernet0/2
nameif dmz interface
security-level 0
IP 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
IP 172.16.0.1 255.255.0.0
!
interface Management0/0
nameif CSC-MGMT
security-level 100
the IP 10.0.0.4 address 255.255.255.0
!
boot system Disk0: / asa821 - k8.bin
boot system Disk0: / asa843 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
domain cisco.campus.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group network cmps-lan
the object-group CSC - ip network
object-group network www-Interior
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
port udp-object-group service
object-group service ftp
object-group service ftp - data
object-group network csc1-ip
object-group service all-tcp-udp
access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3
access-list extended SCC-OUT permit ip host 10.0.0.5 everything
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp
list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3
access CAMPUS-wide LAN ip allowed list a whole
access-list CSC - acl note scan web and mail traffic
access-list CSC - acl extended permit tcp any any eq smtp
access-list CSC - acl extended permit tcp any any eq pop3
access-list CSC - acl note scan web and mail traffic
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq www
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq https
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq smtp
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq pop3
access-list extended INTERNET2-IN permit ip any host 1.1.1.2
access-list sheep extended ip 172.16.0.0 allow 255.255.0.0 172.16.0.0 255.255.0.0
access list DNS-inspect extended permit tcp any any eq field
access list DNS-inspect extended permit udp any any eq field
access-list extended capin permit ip host 172.16.1.234 all
access-list extended capin permit ip host 172.16.1.52 all
access-list extended capin permit ip any host 172.16.1.52
Capin list extended access permit ip host 172.16.0.82 172.16.0.61
Capin list extended access permit ip host 172.16.0.61 172.16.0.82
access-list extended capout permit ip host 2.2.2.2 everything
access-list extended capout permit ip any host 2.2.2.2
Access campus-lan_nat0_outbound extended ip 172.16.0.0 list allow 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
Enable logging
debug logging in buffered memory
asdm of logging of information
Internet1-outside of MTU 1500
Internet2-outside of MTU 1500
interface-dmz MTU 1500
Campus-lan of MTU 1500
MTU 1500 CSC-MGMT
IP local pool 192.168.150.2 - 192.168.150.250 mask 255.255.255.0 vpnpool1
IP check path reverse interface internet2-outside
IP check path reverse interface interface-dmz
IP check path opposite campus-lan interface
IP check path reverse interface CSC-MGMT
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
interface of global (internet1-outside) 1
interface of global (internet2-outside) 1
NAT (campus-lan) 0-campus-lan_nat0_outbound access list
NAT (campus-lan) 1 0.0.0.0 0.0.0.0
NAT (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT, internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
Access-group INTERNET2-IN interface internet1-outside
group-access INTERNET1-IN interface internet2-outside
group-access CAMPUS-LAN in campus-lan interface
CSC-OUT access-group in SCC-MGMT interface
Internet2-outside route 0.0.0.0 0.0.0.0 2.2.2.5 1
Route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
Enable http server
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
HTTP 1.2.2.2 255.255.255.255 internet2-outside
HTTP 1.2.2.2 255.255.255.255 internet1-outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs set group5
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Crypto map internet2-outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
crypto internet2-outside_map outside internet2 network interface card
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit smoking
ISAKMP crypto enable internet2-outside
crypto ISAKMP policy 10
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
Telnet 10.0.0.2 255.255.255.255 CSC-MGMT
Telnet 10.0.0.8 255.255.255.255 CSC-MGMT
Telnet timeout 5
SSH 1.2.3.3 255.255.255.240 internet1-outside
SSH 1.2.2.2 255.255.255.255 internet1-outside
SSH 1.2.2.2 255.255.255.255 internet2-outside
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal VPN_TG_1 group policy
VPN_TG_1 group policy attributes
Protocol-tunnel-VPN IPSec
username ssochelpdesk encrypted password privilege 15 xxxxxxxxxxxxxx
privilege of encrypted password username administrator 15 xxxxxxxxxxxxxx
username vpnuser1 encrypted password privilege 0 xxxxxxxxxxxxxx
username vpnuser1 attributes
VPN-group-policy VPN_TG_1
type tunnel-group VPN_TG_1 remote access
attributes global-tunnel-group VPN_TG_1
address vpnpool1 pool
Group Policy - by default-VPN_TG_1
IPSec-attributes tunnel-group VPN_TG_1
pre-shared-key *.
!
class-map cmap-DNS
matches the access list DNS-inspect
CCS-class class-map
corresponds to the CSC - acl access list
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
CCS category
CSC help
cmap-DNS class
inspect the preset_dns_map dns
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Adding dynamic NAT for 192.168.150.0/24 on the external interface works, or works the sysopt connection permit VPN
Please tell what to do here, to pin all of the traffic Internet from VPN Clients.
That is, that I need clients connected via VPN tunnel, when connected to the internet, should have their addresses IP NAT'ted against the address of outside internet2 network 2.2.2.2 interface, as it happens for the customers of Campus (172.16.0.0/16)
I am well aware of all involved in here, so please be elaborative in your answers. Please let me know if you need more information about this configuration to respond to my request.
Thank you & best regards
MAXS
Hello
If possible, I'd like to see that a TCP connection attempt (e.g. http://www.google.com) in the ASDM logging of the VPN Client when you set up the dynamic NAT for the VPN Pool also.
I'll try also the command "packet - trace" on the SAA, while the VPN Client is connected to the ASA.
The command format is
packet-tracer intput tcp
That should tell what the SAA for this kind of package entering its "input" interface
Still can not see something wrong with the configuration (other than the statement of "nat" missing Dynamics PAT)
-Jouni
-
Have problems with the IPSec VPN Client and several target networks
I use an ASA 5520 8.2 (4) running.
My goal is to get a VPN client to access more than one network within the network, for example, I need VPN client IPSec and power establish tcp connections on servers to 192.168.210.x and 10.21.9.x and 10.21.3.x
I think I'm close to having this resolved, but seems to have a routing problem. Which I think is relevant include:
Net1: 192.168.210.0/32
NET2: 10.21.0.0/16
NET2 has several subnets defined VIRTUAL local network:
DeviceManagement (vlan91): 10.21.9.0/32
Servers (vlan31): 10.21.3.0/32
# See the road
Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP
i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone
* - candidate by default, U - static route by user, o - ODR
P periodical downloaded static route
Gateway of last resort is x.x.x.x network 0.0.0.0
C 192.168.210.0 255.255.255.0 is directly connected to the inside
C 216.185.85.92 255.255.255.252 is directly connected to the outside of the
C 10.21.9.0 255.255.255.0 is directly connected, DeviceManagement
C 10.21.3.0 255.255.255.0 is directly connected, servers
S * 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outdoor
I can communicate freely between all networks from the inside.
interface GigabitEthernet0/0
Description * INTERNAL NETWORK *.
Speed 1000
full duplex
nameif inside
security-level 100
IP 192.168.210.1 255.255.255.0
OSPF hello-interval 2
OSPF dead-interval 7
!
interface Redundant1.31
VLAN 31
nameif servers
security-level 100
IP 10.21.3.1 255.255.255.0
!
interface Redundant1.91
VLAN 91
nameif DeviceManagement
security-level 100
IP 10.21.9.1 255.255.255.0
permit same-security-traffic inter-interface
NO_NAT list of allowed ip extended access all 172.31.255.0 255.255.255.0
IP local pool vpnpool 172.31.255.1 - 172.31.255.254 mask 255.255.255.0
Overall 101 (external) interface
NAT (inside) 0-list of access NO_NAT
NAT (inside) 101 192.168.210.0 255.255.255.0
NAT (servers) 101 10.21.3.0 255.255.255.0
NAT (DeviceManagement) 101 10.21.9.0 255.255.255.0
static (inside, DeviceManagement) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (inside, servers) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (servers, upside down) 10.21.3.0 10.21.3.0 netmask 255.255.255.0
static (DeviceManagement, upside down) 10.21.9.0 10.21.9.0 netmask 255.255.255.0
access list IN LAN extended permitted tcp 192.168.210.0 255.255.255.0 any
access list IN LAN extended permit udp 192.168.210.0 255.255.255.0 any
LAN-IN scope ip 192.168.210.0 access list allow 255.255.255.0 any
LAN-IN extended access list allow icmp 192.168.210.0 255.255.255.0 any
access list IN LAN extended permitted tcp 10.21.0.0 255.255.0.0 any
access list IN LAN extended permitted udp 10.21.0.0 255.255.0.0 any
LAN-IN scope 10.21.0.0 ip access list allow 255.255.0.0 any
LAN-IN extended access list allow icmp 10.21.0.0 255.255.0.0 any
standard access list permits 192.168.210.0 SPLIT-TUNNEL 255.255.255.0
standard access list permits 10.21.0.0 SPLIT-TUNNEL 255.255.0.0
group-access LAN-IN in the interface inside
internal VPNUSERS group policy
attributes of the VPNUSERS group policy
value of server DNS 216.185.64.6
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value of SPLIT TUNNEL
field default value internal - Network.com
type VPNUSERS tunnel-group remote access
tunnel-group VPNUSERS General attributes
address vpnpool pool
strategy-group-by default VPNUSERS
tunnel-group VPNUSERS ipsec-attributes
pre-shared key *.
When a user establishes a VPN connection, their local routing tables have routes through the tunnel to the 10.21.0.0/16 and the 192.168.210.0/32.
They are only able to communicate with the network 192.168.210.0/32, however.
I tried to add the following, but it does not help:
router ospf 1000
router ID - 192.168.210.1
Network 10.21.0.0 255.255.0.0 area 1
network 192.168.210.0 255.255.255.252 area 0
area 1
Can anyone help me please with this problem? There could be a bunch of superfluous things here, and if you could show me, too, I'd be very happy. If you need more information on the config, I'll be happy to provide.
Hello Kenneth,
Based on the appliance's routing table, I can see the following
C 10.21.9.0 255.255.255.0 is directly connected, DeviceManagement
C 10.21.3.0 255.255.255.0 is directly connected, servers
C 192.168.210.0 255.255.255.0 is directly connected to the inside
And you try to connect to the 3 of them.
Politics of Split tunnel is very good, the VPN configuration is fine
The problem is here
NO_NAT list of allowed ip extended access all 172.31.255.0 255.255.255.0
NAT (inside) 0-list of access NO_NAT
Dude, you point to just inside interface and 2 other subnets are on the device management interface and the interface of servers... That is the question
Now how to solve
NO_NAT ip 192.168.210.0 access list allow 255.255.255.0 172.31.255.0 255.255.255.0
no access list NO_NAT extended permits all ip 172.31.255.0 255.255.255.0
NO_NAT_SERVERS ip 10.21.3.0 access list allow 255.255.255.0 172.31.255.0 255.255.255.0
NAT (SERVERS) 0 ACCESS-LIST NO_NAT_SERVERS
Permit access-list no.-NAT_DEVICEMANAGMENT ip 10.21.9.0 255.255.255.0 172.31.255.0 255.255.255.0
NAT (deviceManagment) 0-no.-NAT_DEVICEMANAGMENT access list
Any other questions... Sure... Be sure to note all my answers.
Julio
-
ASA static IP Addressing for IPSec VPN Client
Hello guys.
I use a Cisco ASA 5540 with version 8.4.I need to assign a static IP address to a VPN client. I saw in the documentation Cisco that this can be done to validate the user against the local ASA and in the user account database, you assign a dedicated IP address, or using the vpn-framed-ip-address CLI command.The problem is that the customer never gets this address and it always gets one of the pool in the political group. If I delete this pool, the client can't get any address.No idea on how to fix this or how can I give this static IP address to a specific VPN client?Thank you.Your welcome please check the response as correct and mark.
See you soon
-
Remote IPSec VPN - client Windows 7 and ASA 5505
Hello
I'm having trouble with configuring IPSec VPN with Cisco ASA 5505 and Windows 7 client native VPN remotely. My client PC Gets the VPN IP pool address and can access a remote network behind ASA, but then I lose my internet connection. I read that this should be a problem with the split tunneling, but I did as it says here and no luck.
Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have an internet connection (given that the customer is using a local gateway), but then I can't ping remote network.
In the log, I see the warnings of this type:
TCP connection of disassembly 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0: 00:00 0 stream bytes is a loopback (cisco)
I have attached my configuration file (without configuring split tunneling, I tried). If you need additional newspapers, I'll send them right away.
Thank you for your help.
Petar Koraca
That's what you would have needed on versions 8.3 and earlier versions:
permit same-security-traffic intra-interface
Global 1 interface (outside)
NAT (outside) 1 192.168.150.0 255.255.255.0
However I see that you are running 8.4 so I think that all you need is this (I never did on 8.4 so it may not be accurate)
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.150.0_24 object
dynamic NAT interface (outdoors, outdoor)
Give it a shot and let me know how it goes.
-
ASA allows 1 only RAS VPN Client IPSEC
Hi all
I have a strange problem where an ASA 5510 configured for IPSEC - over - udp VPN RAS allows only one 1 customer vpn traffic through.
Other clients can connect successfully (obtain IP/DNS etc., auth using LDAP) but only the all connected client is first able to browse internal resources. Others show 0 decrypted packets when I check the statistics. I have confirmed that it is not a problem with the license that the ipsec default license allows customers up to 250 I believe. Does anyone had this problem in the past?
TKS,
Donavan
It is usually a problem with the translations, which intervened on the NAT/PAT device in front of these multiple machines:
http://www.ciscotaccc.com/Kaidara-Advisor/security/showcase?case=K71102938
Check the translations look correct initially on this device. There should be a translation for each VPN.
There were also a few bugs on multiple clients behind the same PAT, such as CSCse03299, but these had to do with IPSec over TCP connections.
-heather
-
All necessary licenses on ASA 5510 for old Cisco VPN Client
We're trying to migrate our firewall Watchguard to a Cisco ASA 5510, who bought some time ago. For some reason, all of our users have already installed the old Cisco VPN client. I think it will work. Are there licensing issues on the 5510 I had to be concerned with? No matter what special config that needs to be done on the 5510?
Fix. You don't require licensing of AnyConnect of any type of configuration and the use of IKEv1 IPsec remote access VPN (which use the old Cisco VPN client).
You will be limited to 250 active IPsec peers (remote access more no matter what VPN site-to-site) by the platform (hardware) device capabilities that are enforced by the software.
-
Create the Ipsec tunnel using digital certificates
Hello
I try to open the IPSEC tunnel between 2 3800 of Cisco routers using additional 3800 router as a CA server.
Before that I added the CA server all go smoothly.
Attached is my configuration, attached debug commands from the configuration of server and router CA
It seems that the routers does not receive the certificate of the CA (R3) router because I see the certificate is awaiting status:
#
R3 #.
R3 #show cryptographic pki certificate cisco talkative
CA
Status: available
Version: 3
Certificate serial number (hex): 01
Use of certificates: Signature
Issuer:
CN = cisco1. Cisco.com L\ = RTP it\ = US
Object:
CN = cisco1. Cisco.com L\ = RTP it\ = US
Validity date:
start date: 10:12:13 UTC Sep 8 2013
end date: 10:12:13 UTC Sep 7 2016
Subject key information:
Public key algorithm: rsaEncryption
RSA Public Key: (512 bits)
Signature algorithm: MD5 with RSA encryption
Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
X509v3 extensions:
X509v3 Key use: 86000000
Digital signature
Key Cert sign
Signature of the CRL
X509v3 subject Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
Access to information the authority:
Related Trustpoints: cisco
Storage: nvram:cisco1ciscoc #4CA.cerR3 #.
Appreciate your support and I will send additional if necessary evidence
TX
Roee
I didn't look at your configuration, but accroding to your description, it seems that you have not approved the certificate requests pending on your router CA. Here are the commands that you need:
To view the pending requests:
information cryptographic pki server router 'CA '.
To grant requests pending:
Info Server 'CA' router cryptographic pki grant all
-
How to write a group with 2 parents in xml file?
Hi all
In my xml file, I use the following queries.
Q1:
Select q xxx;
Q2:
Select w to yyy;
Q3:
Select: q-: double w;
Q3 is to get values of Q1 and Q2 and calculate some values.
While writing a group is possible to write a group such as both parents?
If so, what is the syntax for that?have you tried that?
-
NAT, ASA, 2 neworks and a VPN tunnel
Hello. I have a following question. I am trying to establish a VPN tunnel to a remote network used to be connected to our via a VPN tunnel. The problem is that the previous tunnel their share has been created for the x.x.x.x our coast network which will serve no more time a month, but is currently still active and used. As I'm trying to get this VPN tunnel as soon as possible without going through all the paperwork on the other side (political, don't ask) is it possible to make NAT of the new network in the network x.x.x.x for traffic through the VPN tunnel.
Something like this:
new network-> policy NAT in old x.x.x.x fork on ASA-> VPN tunnel to the remote network using x.x.x.x addresses
It is possible to add the new policy, but sometimes it can conflict with the former.
-
Every time to enter an e-mail address, when have an attachmente I have intention to open but bring a dialog box telling me: 'Microsoft Open XML Converter. Click here to open bring another dialog box telling me: "Save." In the final, a small dialog box tell me: not recorded in any file. What should I do?
Hi MarioVidal
1. what email program are you using? What is windows live mail, Hotmail, Gmail, etc.?
2. meet the issue only with some specific files types with come as attachments or with each of them?
3. during how long have you had this problem?
4. the problem occurs for all e-mail programs?
Let us know the answers to help you best.
Maybe you are looking for
-
IPod classic 5th generation has no audio headphones.
IPod classic 5th generation has no audio headphones, but it can play songs via computer, when connected to the computer. IPod recognizes when earphones are plugged and hold when deployed switch. Is the likely problem the headphone jack or a material
-
Windows 7 - error Code: 0 X (failed installation update) 8007002
Running Windows 7 Ultimate 64 bit. Never had a problem installing Microsoft programs before. Tried to install Microsoft "Windows Xp Mode". I get error information "update installation failed' 0 x 80070002 when trying to install the validation tool. O
-
How can I make yahoo.com my default mail client... If I may respond to craigslist
-
Problem with eHome Infrared Receiver Driver
I have an IR receiver USB that I got from Dell which came with my old computer (XPS 210, I had to have my computer replaced if... the motherboard was fried on this subject). When I plug in the usual Windows searches for a driver and install. The driv
-
Manual for Dell place 8 Pro 750-LT. Stylus?
So I just got the 'new' pen and it works fine. It seems that all the bugs people are complaining were crushed. However, it might work even better if it had some actual instructions. I searched and returned empty. Any ideas?