name of the tunnel-group
Hello
In the configuration below I put in place a tunnel-group name that is the same as the peer of the VPN tunnel. Is that what you have to do, or can you call the tunnel-group whatever you want?
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 pre-shared-key xxx
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 10.10.10.1
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
Robert,
The tunnel group should be the IP address of the remote end, because it is used as the ID. The only time you would ever need to use a specific name is if you are using certificate authentication.
HTH.
Tags: Cisco Security
Similar Questions
-
ASA per-tunnel-group authentication issue
Is it possible to do per-tunnel-group authentication on ASA 8.4.x?
Here are the scenarios:
(1) tunnel-group_A performs authentication using the digital certificate (PKI)
(2) tunnel-group_B performs the authentication using AAA (RSA SecurID token)
(3) tunnel-group_C performs authentication using LOCAL (AAA user defined locally)
Tunnel-group_A, B, and C are all using the same physical interface, the outside interface.
I tested it, but it doesn't work the way I expected. BTW, I have already disabled "ssl certificate-authentication interface outside port 443"
Here are the results of the tests:
If the tunnel group_A is configured with the certificate, then tunnel_group_B connection will fail, but connection tunnel-group_C works very well.
It seems that tunnel-group_B is trying to authenticate with a certificate too, even though it should not. BTW, it seems that authenticating with LOCAL will still work.
I understand that you can configure tunnel_group_A to "both" certificate and AAA, but that's not what I want.
Anyone seen this before? Is there a way to bypass?
Thank you
Joe,
Yes, I would then use group-url. And I would create an XML profile with the specific URL in the list of servers.
Let me know.
-
I still do not see where REMOVE them or even to add names to the created group folders.
I just downloaded thunderbird and import my address book. I want to remove some old files group and add a few names of other former group folders. all the options to remove are grayed out.
When you try to add a name to a group, I can add and click ok, but when I go back, it isn't here.
In addition, a new group that I set up is stored under the "personal address book", but will not be saved in a new group. The folder appears twice, in fact, under the "Mac OSX address book" with no address in one of them... AND I can't delete them or some old groups I no longer want. I am a beginner and not that computer savvy, so please, no irritatingly complicated instructions. I had rather you just shoot me.
If you are not satisfied with the jump between address books, you might look at tools | Import in Thunderbird address book and see if she invites you to import the mac address book in Thunderbird. So Thunderbird can show you the mac address book, but it's not quite accurate to describe this as having been 'imported '.
This leaves still worry about what's going on in your personal address book, you should be able to add and change entries, including mailing lists.
-
WCS 7.0.164.0, 'Name of the AP group' mandatory
Just upgraded 5.2.130.0 to 7.0.164.0 WCS.
I'm in one of my new AP set up and now I can not even change his name because I am asked that the AP group name attribute is mandatory, when I press save:
___________________________ ERRORS ____________________________
Name of the Group of the AP: this attribute is MANDATORY. Please specify.
Make the necessary corrections, and then try again
So my question is, what function has the attribute of name of AP group?
Can I create a single general group of AP and set all AP to use?
Or do I make groups based on location or something else?
We have about 70 AP (1010,1130 and 1140) spread over 9 locations.
So my question is, what function has the attribute of name of AP group?
The AP group allows you to assign SSID and interfaces for the SSIDS to specific groups of APs
Can I create a single general group of AP and set all AP to use?
Yes
Or do I make groups based on location or something else?
If you're happy with your current setup, why bother? We use AP groups specific to certain areas to limit department SSIDs.
I didn't realize it was now mandatory. Off the top of my head, I guess the intent is to stop all your SSIDs being broadcast without warning as soon as you plug in a new lightweight AP.
I hope this helps.
Chris
-
Hide the tunnel-group in client anyconnect
Hi all
How do I hide the profiles in the dropdown menu that I am not interested in?
I always see all the tunnel groups set up on the ASA.
in path of the cisco anyconnect client, I have preferences.xml.
Thanks in advance for your help
Regards
If the group aliases are configured on the ASA, any user who goes to the external interface to connect to the VPN will see the list.
The ASA administrator may alternatively publish a URL shortcut using the "group-url" attribute when configuring the SSL VPN. Here is a link to the section of the configuration guide to do so. That way you can browse (or point AnyConnect) directly to this URL and skip having to select from the drop-down list.
-
Select the Tunnel-Group based on OS devices
Hello
having an ASA5512x is possible to have anyconnect-dial-in-PC-users asking their IDs AND also a one-time-password
Whereas smartphone users only need to provide their username and a password without the need to manually select the profile?
I've set up two groups of tunnel:
(1) requires an LDAP server for authentication
(2) is in contact with a RADIUS server running the software One Time Password.
Is it possible to have the asa affect smartphone users (based on their OS) that it automatically uses the first profile (which has limited access to the resources of the intranet) and Anyconnect-PC-users pinned to the second category of tunnel? Dynamic access policies seem to be able to differentiate only ' in' a tunnel-group.
Thank you very much!
Kind regards
David
I never tried this way, but if it does not (as I suspect) there is a solution:
- Point your clients to the two different tunnel groups with the help of tunnel-group URLs.
- Then, in the DAP, enforce that the client does not use the wrong tunnel-group.
-
Need to display the name of the tab group, while the group is open
I have a lot of groups. When a group is opened, I would like to see the name of this group without clicking on the icons in groups
Hello, you could try an addon like this:
https://addons.Mozilla.org/firefox/addon/tab-groups-button/
-
name of the site 2 site tunnel (peer IP) must match on both sides?
Hello.
I'm trying to set up some private networks virtual site 2 site between 3 offices using 3 cisco ASA 5505.
In the manual for these ASAs, it says that when you set up the connection (I use ASDM and the easyVPN wizard) and use a PSK for authentication between the two sites, the name of the tunnel must be the IP address of the peer. Is that OK so far?
Because I always thought that the names of the tunnel must be identical on each side. So it means that the site one tunnel name will be site of 2 IP address while on site 2, the tunnel will be the IP address of the site from 1. Is this correct? As I said I always thought that the names of tunnel should match the other.
Also, can someone tell me if this configuration works.
I have 3 sites that I want to put in a mesh VPN site2site scenario.
So basically, I have 3 routers. And on each router, there will be 2 site2site tunnels configured (via easyVPN ASDM) for the other 2. Does this sound feasible? And if so, will the tunnel name for each connection on each router be the peer IP address?
Appreciate any idea.
Hi Matthew
The tunnel name need not be the same on the two sites. Only the peer IP address and the tunnel-group must be the same on site A.
Let's say that you create a VPN as follows
A - B - C
Interface of site A IP = x.x.x.x
Interface of site B IP = y.y.y.y
Interface of site C IP = z.z.z.z
Thus, on the ASA in site A:
tunnel-group y.y.y.y type ipsec-l2l
crypto map xmap 10 set peer y.y.y.y
ASA in site B:
tunnel-group x.x.x.x type ipsec-l2l
crypto map xmap 10 set peer x.x.x.x
tunnel-group z.z.z.z type ipsec-l2l
crypto map xmap 20 set peer z.z.z.z
ASA in site C:
tunnel-group y.y.y.y type ipsec-l2l
crypto map xmap 10 set peer y.y.y.y
Regards
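A small offline check for the rule stated in the answers above (with a pre-shared key, each LAN-to-LAN tunnel-group is named after the remote peer's IP address), written in Python as an added example that is not part of either thread. The sample configuration, its documentation-range addresses and the names `audit_l2l`, `is_ip` and `SiteC` are constructed, and sub-mode lines are assumed to be indented as in `show running-config` output.

```python
import ipaddress
import re

# Constructed sample (not from the threads): one tunnel-group is named "SiteC"
# instead of the peer address 203.0.113.30. Addresses are documentation ranges.
SAMPLE_CONFIG = """\
crypto map xmap 10 set peer 198.51.100.10
crypto map xmap 20 set peer 203.0.113.30
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key *
tunnel-group SiteC type ipsec-l2l
tunnel-group SiteC ipsec-attributes
 pre-shared-key *
"""

PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (.+)$")
TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def audit_l2l(config):
    """Return sorted (subject, problem) findings for PSK LAN-to-LAN tunnels."""
    peers, l2l, psk, section = set(), set(), set(), None
    for line in config.splitlines():
        if not line.startswith(" "):          # a top-level line ends any sub-mode
            section = None
        text = line.strip()
        if m := PEER_RE.match(text):
            peers.update(m.group(1).split())  # "set peer" accepts several addresses
        elif m := TYPE_RE.match(text):
            l2l.add(m.group(1))
        elif m := ATTR_RE.match(text):
            section = m.group(1)              # now inside that group's ipsec-attributes
        elif section and text.startswith("pre-shared-key "):
            psk.add(section)
    findings = []
    for peer in peers:
        if peer not in l2l:
            findings.append((peer, "no ipsec-l2l tunnel-group named after this peer"))
        elif peer not in psk:
            findings.append((peer, "tunnel-group has no pre-shared-key"))
    for name in l2l:
        if not is_ip(name):
            findings.append((name, "tunnel-group name is not an IP address"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_l2l(SAMPLE_CONFIG), sep="\n")
```

Renaming `SiteC` to `203.0.113.30` in the sample clears both findings.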
-
UDP connection via wifi in the name of 8320 tunnel met IOException:Invalid
I am new to Java, trying to open a UDP connection on wifi in my BB8320 (V4.2.2.180).
I have connected to my 8320 to a WiFi network and that you can access Web page in the browser (configuration: Wi - Fi browser).
I tried with: (DatagramConnection) Connector.open("datagram://192.168.1.101:5009") and (DatagramConnection) Connector.open("udp://192.168.1.101:5009"), but both got IOException:Invalid name of the tunnel.
Here's my Mobile Network Options in the camera: Data Services - on; Connection preference - Wi - Fi only.
The same code works fine in the emulator, tested in a wired network.
I googled this IOException, it seems that the TCP APN cannot be null, I tried with blackberry.net cmnet, wap.voicestream.com and even the name of the Wi - Fi connection, everyone met time-out problem.
I have some questions below:
1. is there any configuration that I missed?
2. Does the UDP connection via wifi check the APN? The APN configured in the emulator is null.
3. do UDP and TCP connection API need permission in the device?
Appreciate for any suggestions!
Sam
I did this in the past, and IIRC the trick was to add ";interface=wifi;deviceside=true" to your connection string. For example:
Connector.open("udp://192.168.1.101:5009;interface=wifi;deviceside=true")
-
want to 700: How do I change the name of the computer
I want to change the name of the local computer - the user account administrator. I can't find a way to do it without starting with the operating system. Is it possible to change the name?
Your system - an are:
You can change the name of the computer:
Control Panel > display icon > System > Advanced system settings >
the computer name tab >
Next to rename this computer or change its domain... name > click Edit
NOTE:
Generally, for home use, do not change the name of the Working Group.
===========================================================
You cannot change the name of the built-in account"Administrator".
To create an administrator account on the computer (in C:\Users\) home folder is named how you like - and still use your connection to Microsoft:
- Create a LOCAL account on the computer
- Once the account is created >
- Change the account and change the type of administrator >
- Log in to the new local account >
- Windows key > settings > account > sign in with a Microsoft account
When you see a post that will help you,
Who inspires you, gives a cool idea,
Or you learn something new.
Click the 'Thumbs Up' on this post.
My answer-click accept as Solution to help others find answers.
-
How to remove the Working Group?
How can I delete a group to work on Vista, I've created? I don't want to change the name of the working group. I want to remove it completely from my computer. Is this possible?
Help, please.
Hello, RajD1
Just make sure each other the correspondence of name of working group on both machines, there is no way to remove/uninstall. Is the corresponding name and makes things easier, or it doesn't.
The following link useful information on how to get your Windows Vista and Windows XP machines talk to each other: http://social.answers.microsoft.com/Forums/en-US/vistanetworking/thread/a9a03050-cc02-4a0c-a7d2-56800b8fbcab
If you just need the XP machine is displayed in the Vista network map, see: http://support.microsoft.com/kb/922120
Let us know if that helps.
David
Microsoft Answers Support Engineer
Visit our Microsoft answers feedback Forum and let us know what you think.
-
Site to Site VPN. pick up DfltGrpPolicy instead of Tunnel-Group
Hello
Our ASA was set by a consultant some time ago to allow connectivity SSLVPN RSA backend. I am now trying to get a Site to Site VPN working but seem to get into a lot of difficulties. I get a load of the l2l VPN-related debugging messages which I believe is set up correctly. Here's what I think is of interest
"January 24, 2009 12:13:01: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x".
The user specifies the IP address of the Cisco router remote that we try to get the VPN configuration.
I have to admit that I haven't done a lot with the side things SSLVPN so this part of the config is out of my depth, that's why I post here.
If anyone can help it would be really appreciated.
Here are the relevant details (I can post more if there isn't enough). My question is, how do I get the l2l using the tunnel-group and not the default group policy?
Thanks in advance for any help.
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
  svc ask none default svc
aaa-server VPNAUTH protocol radius
aaa-server VPNAUTH *.*.*
 retry-interval 5
 timeout 3
 key *
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
group-policy DfltGrpPolicy attributes
 dns-server value !.!.!.!
 vpn-idle-timeout none
 vpn-tunnel-protocol webvpn
 ip-comp enable
 ipsec-udp enable
 default-domain value mondomaine.fr
 address-pools value vpnpool
 webvpn
  http-proxy enable
  svc keep-installer none
  svc keepalive 60
  svc rekey method ssl
  svc ask none default svc
  activex-relay disable
  file-entry disable
  file-browsing disable
  url-entry disable
tunnel-group DefaultRAGroup webvpn-attributes
 radius-reject-message
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool
 authentication-server-group VPNAUTH
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 radius-reject-message
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
Wayne
Do "sh run all tunnel-group"; you should see the group policy associated with it.
For example:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2
Let me know if it helps.
See you soon,.
Gilbert
-
ACS 5.2 assign VLAN based on the ad group
I am trying to configure ACS 5.2 to assign the VLAN to a dynamic user based on the group to which the user belongs. I went to:
Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab
and selected the name of the pub group. If I understand correctly, I should now see this group under:
Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name
However, it is not. Am I missing something?
No.
"VLAN ID/Name" is, as the name clearly states, a VLAN ID or name. Not a "group name".
You don't assign it a group name in the VLAN.
The name of the group must go in the 'if' condition in your authorization profile. If "usergroup AD = x", then assign this VLAN.
Then, in the VLAN ID/Name, you manually type which VLAN corresponds to the user's AD group.
If you end up creating too many rules because you have a lot of AD groups, what you can do is create an AD attribute to store the VLAN number or name, and ACS will simply return that.
Nicolas
-
Why only a Yahoo Group displays the column group name?
I belong to several Yahoo groups and get individual emails from 3 of them. They all worked well until May 8, 2014, when the Freex news group began to display only "[email protected]" in the column. It's always like that. I can't be sure it's a Yahoo problem, like the other groups I am a member of display the senders display name and e-mail address.
The attachment is a snip of the CT showing how it was and how it has changed.
Please tell us how to get back to the display names and addresses.
Locate this address in your address book, and then delete it.
-
Before the change, the field would display the senders address or name (link) If no name was provided. After changing the group name / email (link) is displayed in the sender field.
The sender is now displayed at the bottom of the page as "posted by: xxxx xxxx [email protected].
Curiously the pop-up notification window appears the name of shippers. Whatever the change took place may 9, 2014. Webmail applications including Blackberry are not affected by this change.
Any suggestions?
Try the menu (ALt + T) tools > Options > advanced > reading and display and turn to the use of display names in the address book.
Does the display list and the match of notification?
If so, you can re - turn on the option and locate the e-mail address of groups in your address book and disable the display use for this entry name. Note that the next version of Thunderbird will be termination of the use of the address book as a whitelist for graphs, so you can be able to simply remove the address in the next release.