Double authentication pain: ASA WebVPN access and Browse Networks
I have an ASA configured for web access: SSL VPN service. I can have a user authenticate their web session with their domain credentials against Active Directory (username and password). Once their web session has begun, moving to the 'Browse Networks' function to view a share requires them to authenticate once again: "authentication required." I would like to set up the device so that authentication for Windows file sharing is attempted using the credentials previously entered.
How could I do this, if it is possible?
It is an ASA 5510 with 8.4(3) software.
Thank you
John
John,
Start here:
Auto signon or single signon is the usual term.
M.
Tags: Cisco Security
Similar Questions
-
Original title: unidentified network, missing default gateway
Hello
So one day out of the blue I lost connection with my router. I was able to reconnect, but this time around I had only limited access and my network showed as unidentified. I tried to connect to a different wireless network; same thing. When I run ipconfig, I'm missing a value for the default gateway.
I tried to:
-Reinstall the drivers for the adapter
-Update the drivers
-Reset my router
-Manually enter the IPv4 gateway
-Kill the LAN drivers via Device Manager
-Scream at the computer
I have a dual boot setup with Linux Mint alongside Windows 7. When I boot into Linux it connects to any network without problem.
Some help would be appreciated.
Specs
Windows 7 Ultimate
I7-4700MQ @2.4
GTX 765M 2 GB
8 GB RAM
1 TB + 240SSD
Realtek RTL8188CE wireless
Hello Alex,
Thank you for your response.
I appreciate your time.
I suggest you uninstall the wireless network driver and reinstall it in compatibility mode.
To uninstall the driver, follow these steps:
a. Press the Windows + R keys together, type devmgmt.msc in the Run window and press ENTER.
b. Click to expand Network adapters, right-click on the adapter and click Uninstall.
c. Restart the computer.
Now you can download the wireless driver from this link.
Reference:
http://downloads.Eurocom.com/support/drivers/zip/238/238_RealtekWLAN_W764.zip
For reference:
http://www.Eurocom.com/EC/drivers (238)
To reinstall the driver in compatibility mode, follow these steps:
a. Right-click the driver file, and then click Properties.
b. Click on the Compatibility tab.
c. Check "Run this program in compatibility mode for" and select Windows XP (Service Pack 3).
d. Click Apply and OK.
Now, install the driver.
Please keep us updated.
Thank you
-
Double authentication using LDAP and RSA
I would like to use LDAP and RSA (double authentication) for my SSL VPN clients. I can only authenticate users if my logon page requires users to enter a second username. If I have the configuration so that they only have to enter their username once, no authentication attempt is passed on to the authentication servers. I ran debugs on LDAP and RADIUS (for RSA), which is how I know that authentication never happens if they only have to enter their user name once on the login page.
If I don't specify "use-primary-username" at the end of the 'secondary-authentication-server-group' command, users must enter their username twice and the authentication is successful.
Does anyone know how to configure the ASA so that they only have to enter their username once while using LDAP (primary) and RSA (RADIUS) (secondary)?
Thanks in advance.
Matt
Hi Matt,
I just tried on 8.3(2) and it works as expected. I suspect that you are running into this bug:
CSCte66568 Double authentication broken in 8.2.2 when use-primary-username is configured.
If you are running 8.2, upgrade to 8.2(3) and you should be fine.
HTH
Herbert
-
Question about SDI authentication on AnyConnect and ASA
Hi all,
I would like to know about the communication flow for AnyConnect client authentication with an ASA 5520 and SDI.
My client wants to use the RSA SecurID On-Demand Authenticator (RSA SecurID On-Demand token) between an ASA 5520 for SSL VPN and the AnyConnect client.
I understand that the ASA provides two modes to allow SDI authentication:
Native SDI - the ASA communicates directly with the SDI server to manage SDI authentication
RADIUS SDI - the ASA communicates with a RADIUS SDI proxy (such as Cisco ACS) and the RADIUS SDI proxy communicates with the SDI server; this means that the ASA does not communicate directly with the SDI server.
I think that, in general (not considering the ASA), the client (remote user) needs to access the web page on the SDI server for an SDI authentication token when it starts / sets up the SSL VPN connection. However, I don't clearly understand how SDI authentication works if I use the ASA as the secure gateway and configure the ASA to allow SDI authentication.
So my question is how SDI authentication works on the ASA when I use the ASA as the secure gateway and configure the ASA to allow SDI authentication (in both modes).
The customer does not want the AnyConnect client to communicate with the SDI server directly, but to communicate with the ASA only, because of their security concerns. I don't know why the customer says so...
I found the following information on CEC.
==========
When a remote user using RADIUS SDI authentication connects to the ASA with AnyConnect and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn communicates with the SDI server for validation.
==========
Does this mean that the AnyConnect client does not communicate with the SDI server directly for SDI authentication when it starts / sets up the SSL VPN connection, and the AnyConnect client only has to communicate with the ASA, because the ASA communicates with the SDI server (instead of the AnyConnect client) as a proxy?
Your information would be appreciated.
Best regards
Shinichi
Shinichi,
I had a quick glance at the data sheet:
http://www.RSA.com/node.aspx?ID=3481
I couldn't find much about the 'on demand' authentication beyond it being an SMS code, i.e. RSA will somehow communicate with the cellular network provider to deliver an SMS with the user's part of the token. (The phone number should uniquely identify a user.)
Please note that it is a little suspicious if the device you authenticate to provides you with your authentication credentials :-)
Unless you mean a scenario where users connect through the ASA to request a token (be it via NAT or perhaps via the SSL portal?); anyway, the ASA is usually unaware, because the user gets their authentication from the two parties.
Let me know if you meant something different about the token request. I'm curious to see what RSA has in store for us.
Marcin
-
My Wallet is currently configured to allow access when locked. I used to be able to double-click the home button and my card would appear, and I would enter my passcode. I have updated to iOS 10 and I am no longer able to do this. All the settings are there. I have an iPhone 6.
Are you double-clicking while the iPhone screen is off (standby)? This is what seems to work for me.
I hope this can help.
-
Remote VPN and site-to-site VPN: remote VPN users unable to access the local network
As per the config below, remote VPN users are unable to access the local network; please suggest the required config.
The local host 192.168.215.4 is not able to ping the server IP. Remote VPN connectivity works fine, but VPN users are not able to ping the local network.
ASA Version 8.2(2)
!
hostname
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group dataone
 ip address pppoe
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-LAN
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set RIGHT
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set RIGHT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password ***** store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
 enable outside
 tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
 vpn-simultaneous-logins 8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
 vpn-group-policy kun
 vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool VPN_Users
 default-group-policy kun
tunnel-group vpngroup webvpn-attributes
 group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *****
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#
Hello
Looking at the configuration, there is an access list for NAT exemption:
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
But it is not applied in the NAT statements.
Enter the following command to apply the NAT exemption:
nat (inside) 0 access-list sheep
Kind regards,
Dinesh Moudgil
P.S. Please mark this message as 'Answered' if you find this information useful, so that it benefits other users of the community.
-
Cisco ASA 5505 L2TP VPN cannot access the internal network
Hello
I'm trying to configure a Cisco L2TP VPN to my office. After a successful login, I can't access the internal network.
Can you help me find the problem?
I have a Cisco ASA:
inside network - 192.168.1.0
VPN network - 192.168.168.0
I have a router at 192.168.1.2 and I cannot ping or access this router.
Here is my config:
ASA Version 8.4(3)
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.X.X.A 255.255.255.248
!
ftp mode passive
same-security-traffic permit intra-interface
object network net-all
 subnet 0.0.0.0 0.0.0.0
object network vpn_local
 subnet 192.168.168.0 255.255.255.0
object network inside_nw
 subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sales_addresses 192.168.168.1-192.168.168.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic net-all interface
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
!
object network vpn_local
 nat (outside,outside) dynamic interface
object network inside_nw
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd dns 75.75.75.75 76.76.76.76 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sales_policy internal
group-policy sales_policy attributes
 dns-server value 75.75.75.75 76.76.76.76
 vpn-tunnel-protocol l2tp-ipsec
username -
username -
tunnel-group DefaultRAGroup general-attributes
 address-pool sales_addresses
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
: end
Thanks for your help.
You must test with 'real' traffic to 192.168.1.2, and if you use ping, you must add ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
-
AnyConnect to ASA 5505 ver 8.4 unable to ping/access the inside network
My AnyConnect VPN connects to the ASA, but I cannot access my home network hosts (tried split tunnel and it didn't work either). I intend to use a split tunnel configuration, but I thought I would get this working before I set that up. My inside hosts are on the 10.0.1.0/24 network and the 10.1.0.0/16 networks. My AnyConnect hosts use 192.168.60.0/24 addresses.
I saw posts from others that seem similar, but none of those solutions have worked for me. I also tried several NAT configurations and ACLs to allow my internal network to reach the AnyConnect hosts and the return traffic, but apparently I did it incorrectly. I understand that ver 8.4 is supposed to make NAT and the like easier to achieve, but I find it much simpler on the IOS router.
My setup is included below.
Thanks in advance for your help.
Jerry
*************************************************************
ASA Version 8.4(4)
!
hostname mxfw
domain-name moxiefl.com
enable password (deleted) encrypted
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 switchport trunk allowed vlan 20,22
 switchport mode trunk
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan20
 nameif dmz
 security-level 50
 ip address 172.26.20.1 255.255.255.0
!
interface Vlan22
 nameif dmz2
 security-level 50
 ip address 172.26.22.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
 subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
 subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
 subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
 subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
 subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
 subnet 172.26.22.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Generic_All_Network interface
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn anyconnect.moxiefl.com
 subject-name CN=AnyConnect.moxiefl.com
 keypair AnyConnect
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 439a4452
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
!
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
!
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
!
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value moxiefl.com
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$ encrypted privilege 15
username user2 password $$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN_POOL
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
: end
Hello
You may have problems with the NAT configuration.
Look at these 2 configurations at the top of the page:
nat (inside,outside) source dynamic Generic_All_Network interface
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
The solution is either to reconfigure the dynamic PAT with the lowest priority (which tears down the current normal outbound connections) OR to reposition the NAT exempt / NAT0 configuration.
The dynamic PAT change could be done with:
no nat (inside,outside) source dynamic Generic_All_Network interface
nat (inside,outside) after-auto source dynamic Generic_All_Network interface
The NAT0 configuration change could be done with:
no nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) 1 source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
Changing the order of the NAT0 configuration as described above is probably the simplest solution and does not cause a teardown of connections for users. Of course, changing the dynamic PAT configuration would avoid future problems it can generate; for example, it could override a static PAT (port forward) configured with Auto NAT configurations.
Try the option that suits you best and let us know if it solved the problem.
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary.
-Jouni
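To make the ordering argument in this answer (and Dinesh's "nat (inside) 0 access-list" advice in the earlier thread) concrete, here is a small added Python model of the ASA's first-match NAT lookup; it is written for this page, not Cisco code and not the posters' configs. It uses the addresses from the two posted configs and also checks the 10.0.1.0/24 hosts that Jerry's INSIDE_Hosts object (10.1.0.0/16) does not cover, which the two fix options treat differently.

```python
"""Toy model of Cisco ASA NAT rule evaluation (added example, not Cisco code).

The ASA applies the FIRST matching NAT rule.  In 8.3+ ("twice NAT") the order is
section 1 (manual), section 2 (object/auto NAT), section 3 (manual after-auto),
and within a section the configured line order.  In 8.2 with nat-control the
'nat (inside) 0 access-list' exemption is checked before numbered NAT/PAT rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    section: int   # 1 = manual (before auto), 2 = object NAT, 3 = manual after-auto
    ingress: str   # interface the original packet enters
    src: str       # original source network, CIDR ("0.0.0.0/0" = any)
    dst: str       # original destination network, CIDR
    action: str    # "identity" (no translation) or "pat" (translate to outside IP)
    name: str = ""


def _match(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(net)


def lookup_84(rules, ingress, src, dst):
    """Return (action, rule name) of the first rule matching in 8.3+ order."""
    ordered = sorted(enumerate(rules), key=lambda t: (t[1].section, t[0]))
    for _, r in ordered:
        if r.ingress == ingress and _match(r.src, src) and _match(r.dst, dst):
            return r.action, r.name
    return "identity", "no-nat-rule"      # 8.3+: no match means untranslated


def lookup_82(exempt_acl, dynamic_nets, src, dst):
    """ASA 8.2 with nat-control: exemption ACL first, then dynamic NAT/PAT."""
    for s, d in exempt_acl:
        if _match(s, src) and _match(d, dst):
            return "identity"
    for n in dynamic_nets:
        if _match(n, src):
            return "pat"
    return "drop"                          # nat-control: no rule, packet dropped


# --- Jerry's 8.4(4) config as posted: dynamic PAT is line 1 of section 1 ---
PAT = Rule(1, "inside", "0.0.0.0/0", "0.0.0.0/0", "pat", "dynamic PAT to interface")
EXEMPT = Rule(1, "inside", "10.1.0.0/16", "192.168.60.0/24", "identity",
              "INSIDE_Hosts<->AnyConnect_Hosts")
WIZARD = Rule(1, "inside", "0.0.0.0/0", "192.168.60.0/26", "identity",
              "any<->NETWORK_OBJ_192.168.60.0_26")
AS_POSTED = [PAT, EXEMPT, WIZARD]

# Fix option 1 (Jouni): move the PAT to section 3 with 'after-auto'
PAT_AFTER_AUTO = Rule(3, "inside", "0.0.0.0/0", "0.0.0.0/0", "pat", "dynamic PAT (after-auto)")
FIX_AFTER_AUTO = [EXEMPT, WIZARD, PAT_AFTER_AUTO]

# Fix option 2 (Jouni): re-add only the INSIDE_Hosts exemption at position 1
FIX_REORDERED = [EXEMPT, PAT, WIZARD]

# --- Kunchevrolet 8.2(2) config (Dinesh's answer): ACL 'sheep' exists but is not applied ---
SHEEP = ("192.168.215.0/24", "192.168.2.0/24")
DYNAMIC_82 = ["0.0.0.0/0"]             # nat (inside) 1 0.0.0.0 0.0.0.0


def main():
    flows = [("10.1.0.10", "192.168.60.25", "10.1.0.0/16 host -> AnyConnect client"),
             ("10.0.1.5", "192.168.60.25", "10.0.1.0/24 host -> AnyConnect client"),
             ("10.1.0.10", "8.8.8.8", "inside host -> Internet")]
    for label, rules in (("as posted", AS_POSTED), ("PAT after-auto", FIX_AFTER_AUTO),
                         ("exempt first", FIX_REORDERED)):
        for src, dst, desc in flows:
            action, name = lookup_84(rules, "inside", src, dst)
            print(f"8.4 {label:15} {desc:38} -> {action:8} ({name})")
    for exempt, label in (([], "exemption not applied"), ([SHEEP], "nat 0 access-list sheep")):
        res = lookup_82(exempt, DYNAMIC_82, "192.168.215.4", "192.168.2.5")
        print(f"8.2 {label:24} 192.168.215.4 -> 192.168.2.5: {res}")


if __name__ == "__main__":
    main()
```

Note that with option 2 the 10.0.1.0/24 hosts are still PAT'd, because the ASDM wizard's "any any" exemption stays below the PAT; option 1 fixes both.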
-
ASA 5505 IPsec VPN connected but cannot access the local network
ASA: 8.2.5
ASDM: 6.4.5
LAN: 10.1.0.0/22
Pool VPN: 172.16.10.0/24
Hi, we purchased a new ASA 5505 and tried to configure IPsec VPN via ASDM; I simply ran the wizards, set up the vpnpool, split tunnelling, etc.
I can connect to the ASA using the Cisco VPN client and the internet works fine on the local PC, but it cannot access the local network (cannot ping, cannot remote desktop). I tried the same thing on our production ASA (which has both remote VPN and site-to-site VPN working), and the new profile I created worked very well.
Here is my setup; did I set up anything wrong?
ASA Version 8.2(5)
!
hostname asatest
domain-name XXX.com
enable password 8Fw1QFqthX2n4uD3 encrypted
passwd g9NiG6oUPjkYrHNt encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.253 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.240
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name vff.com
access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside 10.1.1.230
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (inside) host 10.1.1.108
 nt-auth-domain-controller 10.1.1.108
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.1.0.0 255.255.252.0 inside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntest internal
group-policy vpntest attributes
 wins-server value 10.1.1.108
 dns-server value 10.1.1.108
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpntest_splitTunnelAcl
 default-domain value XXX.com
 split-tunnel-all-dns disable
 backup-servers keep-client-config
 address-pools value vpnpool
username admin password WeiepwREwT66BhE9 encrypted privilege 15
username user5 password yIWniWfceAUz1sUb encrypted privilege 5
username util_3 password umNHhJnO7McrLxNQ encrypted privilege 3
tunnel-group vpntest type remote-access
tunnel-group vpntest general-attributes
 address-pool vpnpool
 authentication-server-group AD
 authentication-server-group (inside) AD
 default-group-policy vpntest
 strip-realm
tunnel-group vpntest ipsec-attributes
 pre-shared-key BEKey123456
 peer-id-validate nocheck
!
!
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
: end
From the captures we can see packets going from the pool to the internal LAN, but we do not see reply packets coming back.
The routing must be such that packets for 172.16.10.0/24 reach the inside interface of the ASA.
On the client machines or your internal LAN switch, you need to add a route for 172.16.10.0/24 pointing to the inside interface of the ASA.
-
ASA 5505 - remote access VPN to access various internal networks
Hi all
A customer has an ASA 5505 with a remote access VPN. They are moving their internal network to a new addressing scheme and would like users who come in over the VPN to access both the existing and the new networks. Currently they can only access the existing one. When users connect to the remote access VPN, the ASA gives them an address of 192.168.199.x. The current internal network is 200.190.1.x and they would like to reach their new network of 10.120.110.x.
Here is the config:
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 200.190.1.15 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxx 255.255.255.0
!
banner exec UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
banner login UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
banner asdm UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
ftp mode passive
access-list inside_access_in extended permit ip 200.190.1.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit ip 192.168.199.0 255.255.255.192 host 10.120.110.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Remote_IPSEC_VPN_Pool 192.168.199.10-192.168.199.50 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 200.190.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.213.43.1 1
route inside 10.120.110.0 255.255.255.0 200.190.1.50 1
route inside 192.168.50.0 255.255.255.0 200.190.1.56 1
route inside 192.168.60.0 255.255.255.0 200.190.1.56 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 10443
http server idle-timeout 5
http server session-timeout 30
http 200.190.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  (omitted)
 quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 200.190.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy MD_SSL_Gp_Pol internal
group-policy MD_SSL_Gp_Pol attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list none
  port-forward disable
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
group-policy MD_IPSEC_Tun_Gp internal
group-policy MD_IPSEC_Tun_Gp attributes
 banner value Welcome to Remote VPN
 vpn-simultaneous-logins 1
 vpn-idle-timeout 5
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MD_IPSEC_Tun_Gp_splitTunnelAcl
 address-pools value Remote_IPSEC_VPN_Pool
 webvpn
  url-list value RDP
username (omitted) attributes
 vpn-group-policy MD_IPSEC_Tun_Gp
 service-type remote-access
tunnel-group MD_SSL_Profile type remote-access
tunnel-group MD_SSL_Profile general-attributes
 default-group-policy MD_SSL_Gp_Pol
tunnel-group MD_IPSEC_Tun_Gp type remote-access
tunnel-group MD_IPSEC_Tun_Gp general-attributes
 address-pool Remote_IPSEC_VPN_Pool
 default-group-policy MD_IPSEC_Tun_Gp
tunnel-group MD_IPSEC_Tun_Gp ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
: end
The following split tunnel ACL and NAT exemption ACL entries are incorrect:
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
They should have been:
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 10.120.110.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.120.110.0 255.255.255.0 192.168.199.0 255.255.255.192
Then 'clear xlate' and reconnect with the VPN Client.
Hope that helps.
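As an added illustration of the mistake corrected in the reply above (this is my own example, not code from the thread or from Cisco), the following Python script parses ASA 8.2-style access-list lines and flags two things: a split-tunnel 'host' entry whose address is really a network address, and a split-tunnel network that has no matching NAT-exemption (nat 0) entry toward the VPN pool, which is what leaves VPN traffic NATted and unroutable. The ACL lines embedded in it are a constructed reproduction of the posted and corrected entries; the pool subnet 192.168.199.0/26 is the destination used by the NAT-exemption ACL, and the function names are my own.

```python
"""Lint an ASA 8.2 remote-access VPN config: split-tunnel ACL vs NAT-exemption ACL.

Added example (not from the thread or from Cisco). It checks:
  1. a 'host' entry in the split-tunnel ACL whose address is really a network
     address (a /32 where a subnet mask was intended), and
  2. that every split-tunnel network has a 'permit ip <net> <pool>' line in the
     NAT-0 exemption ACL, so VPN traffic is not NATted away.
Only 'access-list' lines in the netmask form used by ASA 8.2 are parsed.
"""
import ipaddress

# Constructed sample: the four ACL lines as posted in the thread.
POSTED = """\
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
"""

# The same lines with the correction suggested in the reply.
CORRECTED = """\
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 10.120.110.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.120.110.0 255.255.255.0 192.168.199.0 255.255.255.192
"""


def parse_prefix(tokens, i):
    """Read one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'.
    Returns (IPv4Network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Return {acl_name: [(action, src_net, dst_net_or_None), ...]} for standard and 'extended ... ip' ACEs."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, kind, action = t[1], t[2], t[3]
        if kind == "standard":
            src, _ = parse_prefix(t, 4)
            acls.setdefault(name, []).append((action, src, None))
        elif kind == "extended" and t[4] == "ip":
            src, i = parse_prefix(t, 5)
            dst, _ = parse_prefix(t, i)
            acls.setdefault(name, []).append((action, src, dst))
    return acls


def covers(outer, inner):
    """True when every address of `inner` lies inside `outer` (equal networks count)."""
    return (outer.network_address <= inner.network_address
            and outer.broadcast_address >= inner.broadcast_address)


def lint_split_tunnel(config_text, split_acl, nat0_acl, pool_subnet):
    """Return a list of findings; an empty list means the two ACLs are consistent."""
    acls = parse_acls(config_text)
    pool = ipaddress.ip_network(pool_subnet)
    exemptions = [(s, d) for a, s, d in acls.get(nat0_acl, []) if a == "permit" and d is not None]
    findings = []
    for action, net, _ in acls.get(split_acl, []):
        if action != "permit":
            continue
        # A /32 whose last octet is zero almost always means a subnet mask was left out.
        if net.prefixlen == 32 and int(net.network_address) % 256 == 0:
            findings.append(f"{split_acl}: 'host {net.network_address}' looks like a network address, not a host")
        # The NAT-0 ACL must exempt traffic from this network to the whole pool.
        if not any(covers(s, net) and covers(d, pool) for s, d in exemptions):
            findings.append(f"{nat0_acl}: no NAT exemption for {net} -> {pool}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        result = lint_split_tunnel(cfg, "MD_IPSEC_Tun_Gp_splitTunnelAcl",
                                   "inside_nat0_outbound", "192.168.199.0/26")
        print(label, result or "OK")
```

Run against the posted lines the script reports the 'host 10.120.110.0' entry; against the corrected lines it reports nothing. The same routine can be pointed at any 8.2 config by pasting its access-list lines in, which is a quick pre-check before a 'clear xlate'.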
-
ASA VPN client and OWA Exchange/2013
Hi all... quick ASA question...
Does anyone know the status of support for OWA Exchange 2013 with ASA webvpn client access?
I know that the ASA has a template for 2010... Does it work with 2013? Is there a 2013 template in the pipeline for the ASA?
Thank you!
Hi Paul,
There is an enhancement (CSCul27869) open for Exchange 2013 to be supported with the ASA.
CSCul27869
It is an enhancement request to add support for OWA 2013 with webvpn.
https://Tools.Cisco.com/bugsearch/bug/CSCul27869/?reffering_site=dumpcr
Kind regards
Dinesh Moudgil
PS Please rate helpful messages.
-
ClearQuest through WebVPN access
Hi guys,
When accessing the ClearQuest web application through the Cisco WebVPN, the javascript is rewritten to allow access to it through the WebVPN. The rewritten javascript no longer works, but no errors are recorded by the javascript debugger. It is possible that the javascript is not 100% standards-compliant, for example a semicolon missing at the end of a single statement between a pair of braces. The code cannot be fixed as it is produced by a third party. Is there a workaround that will stop the javascript being rewritten, and what security impact could it have?
Thank you
Hello
This usually points to the Java mangling problem on the ASA.
To prevent that from happening, just smart-tunnel your bookmark to the ClearQuest application, as shown in the following image:
It will prevent the ASA from rewriting your application, and it should work as if you were connected to your local network.
Kind regards
Nicolas
-
Cisco ASA webvpn - recording of the ACL
Hello
I am trying to configure my Cisco ASA 5520 so that clientless webvpn connections get logged. My ACEs are getting hit, but no log entry is created:
access-list SSLVPN_Personal; 2 elements
access-list SSLVPN_Personal line 1 webtype permit url https://*.XYZ.ABC.de log alerts interval 1 (hitcnt=41)
How can I check what the webvpn users do?
Look at syslogs 716003 and 716004: http://www.cisco.com/en/US/partner/docs/security/asa/asa83/system/message/logmsgs.html#wp4776945
716003
Error Message %ASA-6-716003: Group group User user IP ip WebVPN access GRANTED: url
Explanation: The WebVPN user in this group at the specified IP address has been granted access to that URL. User access to various locations can be controlled using WebVPN-specific ACLs.
Recommended Action: None required.
716004
Error Message %ASA-6-716004: Group group User user WebVPN access DENIED to specified location: url
Explanation: The WebVPN user in this group has been denied access to this URL. User access to various WebVPN locations can be controlled using WebVPN-specific ACLs. In this case, a particular entry is denying access to this URL.
Recommended Action: None required.
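To make those two messages actionable, here is an added Python example (my own, not from the thread or from Cisco's documentation) that parses 716003/716004 lines into group, user, client IP, decision and URL, and summarises grants and denials per user, which is the view a reviewer of clientless webvpn activity wants. The sample log lines are constructed in the documented format above; the user names, group name and URLs are invented. The regex accepts the field values with or without the angle brackets the ASA prints around them, and tolerates the IP field being absent, as the 716004 format above shows.

```python
"""Parse ASA WebVPN URL-access syslogs (%ASA-6-716003 / %ASA-6-716004).

Added example, not from the thread. Sample lines below are constructed.
"""
import re

# Constructed sample: two users, one denied URL. Group and user names are invented.
SAMPLE_SYSLOG = """\
%ASA-6-716003: Group <SSLVPN_Personal> User <jdoe> IP <203.0.113.5> WebVPN access GRANTED: https://portal.xyz.abc.de/
%ASA-6-716004: Group <SSLVPN_Personal> User <jdoe> WebVPN access DENIED to specified location: https://intranet.example.test/admin
%ASA-6-716003: Group <SSLVPN_Personal> User <asmith> IP <198.51.100.7> WebVPN access GRANTED: https://portal.xyz.abc.de/reports
%ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)
"""

# Field values may be wrapped in <...>; the IP field is optional (716004 omits it).
LINE_RE = re.compile(
    r"%ASA-\d-(?P<id>71600[34]): Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>?"
    r"(?: IP <?(?P<ip>[^>\s]+)>?)? WebVPN access (?P<decision>GRANTED|DENIED)"
    r"(?: to specified location)?: (?P<url>\S+)"
)


def parse_line(line):
    """Return a dict with id, group, user, ip (None if absent), decision and url, or None for other messages."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize(text):
    """Per user: number of granted and denied URL accesses, plus the list of denied URLs."""
    per_user = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a 716003/716004 message
        u = per_user.setdefault(rec["user"], {"granted": 0, "denied": 0, "denied_urls": []})
        if rec["decision"] == "GRANTED":
            u["granted"] += 1
        else:
            u["denied"] += 1
            u["denied_urls"].append(rec["url"])
    return per_user


if __name__ == "__main__":
    for user, stats in summarize(SAMPLE_SYSLOG).items():
        print(user, stats)
```

Both messages are severity 6 (informational), so a logging destination configured at a lower verbosity, such as the `logging trap warnings` in the first config on this page, will never receive them; the syslog host must be set to informational or debugging for this parser to have anything to read.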
-
Hi all
We have an 1841 router with webvpn enabled and split tunneling. This router is also connected to a second office using a VTI. We would like the remote webvpn clients (using AnyConnect) to access the remote network through the VTI.
Office 1 network: 192.168.10.0
Office 2 (remote) network: 192.168.11.0
I think the webvpn with split tunneling setup is installed properly; however, I do not know how to get packets from 192.168.60.0 (the webvpn client DHCP pool) to the 192.168.11.0 network.
Does someone have an idea?
Kind regards
Olivier
Router config:
interface Tunnel0
 description VTI to office 2
 ip address 192.168.50.1 255.255.255.0
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 217.x.x.133
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vti
!
interface FastEthernet0/0
 description LAN interface
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer1
 description ADSL
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname x
 ppp chap password 7 x
!
ip local pool PoolVpnAdsl 192.168.60.1 192.168.60.10
ip forward-protocol nd
!
ip nat inside source route-map IspADSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.11.0 255.255.255.0 192.168.50.2
!
logging esm config
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
route-map IspADSL permit 1
 match ip address 10
 match interface Dialer1
!
webvpn gateway GateSslAdsl
 ip address 193.x.x.113 port 443
 http-redirect port 80
 ssl trustpoint xxx
 inservice
!
webvpn context VpnSslAdsl
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "PoolVpnAdsl"
   svc keep-client-installed
   svc split dns "domain.dom"
   svc split include 192.168.10.0 255.255.255.0
   svc split include 192.168.11.0 255.255.255.0
   svc dns-server primary 192.168.10.X
 default-group-policy policy_1
 aaa authentication list XauthRadius
 gateway GateSslAdsl
 inservice
Hi Olivier,
You must change your ACL '10' to an extended ACL.
"access-list 10 permit 192.168.10.0 0.0.0.255"
Please create an ACL 101 as shown below.
access-list 101 deny ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
Delete this line: route-map IspADSL permit 1
Delete this line: match ip address 10
route-map IspADSL permit 1
 match ip address 101
In addition, please make sure that you have a static route in place at the other end of the VTI for "192.168.60.0 0.0.0.255".
Let me know if it helps.
Thank you
Post edited by: Mohamed Rizwan
-
Can you activate port 8080 for browser access on Prime Infrastructure 2.0?
According to the official document, port 8080 is predefined for browser access, but it is disabled by default.
I have found a way to activate the port, but I can't find any guide on the Cisco site.
Does anyone know how to activate port 8080?
Thanks in advance.
Louis
Hi Hoi,
According to the document from Cisco: http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/2.0/administrator/guide/config_server_settings.html#wp1082023
Configuring Server Settings
The Server Settings page allows you to enable or disable the TFTP, FTP, HTTP, HTTPS, or Compliance services. To enable or disable the server settings:
Step 1 Choose Administration > System Settings.
Step 2 From the left sidebar menu, choose Server Settings.
Step 3 If you want to change the FTP and TFTP directories or the HTTP and HTTPS ports that were established during installation, enter the port number (or port number and root, where required) that you want to change, and then click Enable or Disable.
The changes take effect after a restart.
I am not sure, but try changing the port number to 8080 in the HTTP forward option and save it, then restart.
I think it will work.
Regards
Remember to rate useful posts