Prevent SSL VPN users from accessing the ASA CLI

Hello

I set up multiple users on my ASA in its local database.

These users are used for the SSL VPN connection, but the problem I have is that the users also have SSH access. Is it possible to avoid this?

Thank you

Hello Raf,

If you do something like this:

    username xxx attributes
     service-type remote-access

the user should no longer get CLI access.

Kind regards

Bastien
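Worked configuration for the answer above, added here as an example; it is not part of Bastien's reply or a Cisco document. It assumes SSH and ASDM authenticate against the local database, and the user names are placeholders. The caveat a practitioner wants: a local user's service-type defaults to admin, and the attribute is only acted on once management authorization (aaa authorization exec) is enabled, so the single attribute line on its own is not enough.

```cisco
! Added example (not from the original thread). Assumes SSH/ASDM use the
! LOCAL database; "vpnuser1" and "netadmin" are placeholder user names.

! --- Weak: local VPN user, CLI left open --------------------------------
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username vpnuser1 password <password>
! Nothing else is set: service-type defaults to admin, so vpnuser1 can
! log in over SSH and ASDM as well as through the SSL VPN portal.

! --- Corrected: restrict the account and enforce it -----------------------
! Management authorization makes the ASA consult service-type at login.
! "authentication-server" means the server that authenticated the user,
! which here is the local database.
aaa authorization exec authentication-server
username vpnuser1 attributes
 service-type remote-access
! Administrative accounts keep the default; stating it avoids surprises.
username netadmin attributes
 service-type admin

! --- Check --------------------------------------------------------------
! show running-config username vpnuser1
!   -> must list "service-type remote-access"
! show running-config aaa
!   -> must list "aaa authorization exec authentication-server"
! ssh vpnuser1@<asa-mgmt-ip>
!   -> login is refused; vpnuser1 can still connect to the SSL VPN
```

Test the SSH refusal from a host that is not already logged in as an admin, and keep a second admin session open while enabling management authorization, since a typo in the admin account's service-type locks you out of the CLI the same way.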

Tags: Cisco Security

Similar Questions

  • Control the access of the user for the SSL VPN profile.

    I have two SSL VPN profiles. Can I restrict users to a single SSL VPN profile when they reach the SSL VPN service page? Each profile provides a different type of access, and each will hand out different client IP addresses.

    Hello

    Yes, in several ways; one of them is group-lock, which is a simple check that the tunnel group (or connection profile, as you called it) the user signed in with matches the one defined under the group policy. If the Tunnel-Group-Lock value matches (condition true), the remote-access VPN session is allowed to be established; otherwise the session is not allowed.

    The tunnel-group-lock feature can be defined as follows:

    • via the group-policy setting locally on ASA
    • via the LDAP attribute
    • via the Radius attribute

    http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/vpngrp.html#wp1134870

    Step 4

    Kind regards
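Worked configuration for the group-lock answer above, added as an example; it is not the poster's configuration. It shows the local (group-policy) variant of the three listed. All names, pools and user names are placeholders, and the syntax follows the ASA 8.2 guide the answer links to.

```cisco
! Added example (not from the original thread). Two connection profiles,
! each with its own pool; group-lock ties a user's group policy to one of
! them. All names and addresses are placeholders.

webvpn
 enable outside
 tunnel-group-list enable          ! shows the profile drop-down on the portal

ip local pool POOL_STAFF  10.10.10.1-10.10.10.100 mask 255.255.255.0
ip local pool POOL_VENDOR 10.10.20.1-10.10.20.100 mask 255.255.255.0

group-policy GP_STAFF internal
group-policy GP_STAFF attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 group-lock value TG_STAFF        ! session only allowed via TG_STAFF

group-policy GP_VENDOR internal
group-policy GP_VENDOR attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 group-lock value TG_VENDOR       ! session only allowed via TG_VENDOR

tunnel-group TG_STAFF type remote-access
tunnel-group TG_STAFF general-attributes
 address-pool POOL_STAFF
 default-group-policy GP_STAFF
tunnel-group TG_STAFF webvpn-attributes
 group-alias Staff enable

tunnel-group TG_VENDOR type remote-access
tunnel-group TG_VENDOR general-attributes
 address-pool POOL_VENDOR
 default-group-policy GP_VENDOR
tunnel-group TG_VENDOR webvpn-attributes
 group-alias Vendor enable

! Bind each local user to a policy. User attributes override the tunnel
! group's default policy, so the lock follows the user, not the alias
! the user picks from the drop-down.
username alice attributes
 vpn-group-policy GP_STAFF
username bob attributes
 vpn-group-policy GP_VENDOR

! Check: alice logging in under the "Vendor" alias ends up with GP_STAFF,
! whose lock names TG_STAFF, not TG_VENDOR, so the login is rejected.
! show vpn-sessiondb anyconnect   -> accepted sessions show the matching
!                                    Tunnel Group and Group Policy
```

Without the username binding the check is void: a user who picks the Vendor alias would simply inherit GP_VENDOR, whose lock names TG_VENDOR. The same applies when the policy comes from LDAP or RADIUS; the lock only restricts anything if the policy assignment itself is not under the user's control.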

  • AnyConnect VPN users cannot access remote subnets?

    I have googled this until blue in the face without result. I don't understand why Cisco makes this so difficult. When clients connect to the AnyConnect VPN, they can access the local subnet but cannot access the resources in remote offices. What should I do to allow my AnyConnect VPN clients to access my remote sites?

    Cisco 5510 8.4

    Hello

    What are the remote sites using as their Internet gateway? Does their default route lead to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connection, then they should already have a default route that sends traffic for the VPN pool to the ASA, even without a specific route for the VPN pool itself. If they use their own local Internet gateway and the default route does not point to this ASA, then you would naturally need a route at the remote site (and on everything in between) telling the remote site how to reach the 10.10.224.0/24 VPN pool network.

    In addition to routing, you must have NAT0 configured for each remote site and the VPN pool.

    A simple example of a NAT0 configuration for 4 networks behind the ASA and a single VPN pool might look like this:

    object-group network REMOTE-SITES
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 10.10.30.0 255.255.255.0
     network-object 10.10.40.0 255.255.255.0

    object network VPN-POOL
     subnet 10.10.224.0 255.255.255.0

    nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL

    The above of course assumes that the remote sites are located behind the 'inside' interface (although for some networks it is MPLS), and naturally the remote-site networks are made up for the sake of the example.

    Since you are using a full-tunnel VPN, there should be no problem with the VPN user's traffic being forwarded to this ASA.

    The first things I would check are the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (as regards reaching the VPN pool, not the ASA's own network IP address).

    Are you sure the configuration above is related to this? My understanding is that AnyConnect uses only IKEv2 and the above is strictly defined for IKEv1?

    -Jouni

  • THE SSL VPN CLIENT ERROR!

    VPN Concentrator running 4.7. I connect to the WebVPN session. The SSL VPN Client installs. A message says "the SSL VPN connection is pending", and later another message appears that says "HTTP response received from the SSL VPN gateway is not valid".

    What is strange is that the VPN Concentrator lists me as connected, with an IP address assigned by the ACS, but I can't access anything at all. BTW, no WebVPN ACLs or IP filters are configured for this group that would deny me access to the network. In addition, with the same credentials and the same group, I have no problem accessing the network when the SSL VPN Client is not configured to be used, i.e. WebVPN as before 4.7.

    Any ideas?

    The "HTTP response received from the SSL VPN gateway is invalid" message may appear if the client configuration on the concentrator contains more than 26 split-tunneling entries.

  • How will I know which reports each user has access to

    Hi gurus,

    We use Hyperion Financial Reporting 9.3.1 and we have 80 reports and 750 users. How will I know which reports all the users have access to? Where can I find this information? I checked the SSP, but it only shows the provisioning details, not the name of the report. I also checked Essbase.sec, but to no avail. Where can I get the info? Kindly help me.


    Kind regards
    Kris...

    There is no Hyperion tool to easily display groups and security filters.

    But it really depends on how you set up your security model.

    Normally, you add users into groups and assign these groups to Essbase cubes and reports (via the BEEP groups), so you can check that the reports grant access to the correct group and that the users are in the right group.

    There is a security export tool available here, hosted by Applied OLAP, which works on the underlying Essbase (OLAP) security:
    http://www.appliedolap.com/free-tools/Advanced-Security-Manager

    Best regards, Iain

  • ASA 5500 - accessing SSL VPN users from headquarters

    I have a user who accesses our main office LAN using an SSL VPN. Of course, they can access all of our internal resources.

    Is it possible that, from the main office, I can access their machine?

    If so, what configuration changes should I make?

    Willemin

    You should be able to access their machine if they are connected.

    Just make sure you know the IP address that is assigned to their SSL VPN session, and also, if they have a personal firewall installed on their computer, that it allows the access (or is turned off).

  • Which product is right for SSL VPN: ASA 5505 or Cisco 1841?

    Hello

    I want to install an external link for management purposes so that we can SSH to our Cisco devices and use Microsoft RDP to our servers. This is my configuration (based on what I know):

    Internet > DSL modem > ASA 5505 > management CONSOLE SWITCH > CISCO SWITCH or Windows Server

    or

    Internet > 1841 with DSL HWIC > management CONSOLE SWITCH > CISCO SWITCH or Windows Server

    My questions are:

    Should I go for the ASA or the 1841 router?

    Which option is better, and will the ASA do the job?

    Is there any technical support prior to purchasing products in Australia? I need technical advice on the choice of the right products, not just someone selling me products.

    Hello

    It is strongly suggested to go with the ASA 5505 in the first place; it is intended for the main functionality of an SSL VPN server, more so than the 1841, which has this feature of being a VPN server.

    ASDM also gives you the freedom to configure the box on your own based on your situation.

    regds

  • How are SSL VPN license packages handled for two clustered ASAs?

    Hi all!

    If I have two Cisco ASA 5550s (ASA5550-BUN-K9) installed in failover mode, which I know support only 2 concurrent SSL VPN sessions, and I want to upgrade my boxes to support 15 AnyConnect SSL VPN sessions, how many license packages do I need to buy?

    One ASA5500-SSL-25 for both boxes, or two ASA5500-SSL-25, one per box?

    Depends on what version of ASA you are running.

    If you are running version 8.3 and above, then you just buy 1 ASA5500-SSL-25 for the failover pair and it will work. If you buy 2 ASA5500-SSL-25, one license per box in the failover pair, then the licenses get aggregated into a 50 SSL user license.

    Here is the license information for ASA version 8.3 for failover pair:

    http://www.Cisco.com/en/us/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1315746

    For ASAs running version 8.2 and below, you are required to buy 2 ASA5500-SSL-25 (one for each ASA in the failover pair), as the license had to be exactly the same on both units for failover to work in the earlier ASA versions.

    Hope that makes sense.

  • ACL rule does not work after the SSL VPN connection

    Hello

    I have the following configuration:

    -VLAN LAN (192.168.5.0/24)

    -VLAN WLAN (192.168.20.0/24)

    -SSL VPN VLAN (192.168.200.0/24)

    The default policy denies access to the local network. I set an ACL rule to allow traffic between WLAN and LAN. This works very well.

    Now I connect with AnyConnect and access resources on the LAN VLAN. Works.

    After the VPN has been disconnected I can't access the LAN VLAN from the WLAN VLAN any more. If I disable the ACL rule and turn it back on, it works again until someone connects with SSL VPN.

    I use firmware 1.2.15. Any idea when this bug will be fixed?

    Kind regards

    Simon

    Hi Simon,

    This bug will be fixed in 1.2.16.

    I don't know the exact date for the release.

    But it should be out soon. If you need the fix sooner,

    please open a support case.

    Kind regards

    Wei

  • Remote VPN users cannot access the site-to-site tunnel

    Cisco ASA5505.

    I have a tunnel of site-to-site set up from our office to our Amazon AWS VPC.  I'm not a network engineer and have spent way too much time just to get to this point.

    It works very well from within the office, but remote VPN users cannot access the site-to-site tunnel. All other remote access looks fine.

    The current configuration is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626

    Any help or advice would be greatly appreciated. It is probably super simple for someone who knows what they're doing to see the problem.

    Hi Paul,

    Looking at your configuration:

    Remote access:

    group-policy RA_GROUP internal
    group-policy RA_GROUP attributes
     dns-server value 8.8.8.8 8.8.4.4
     vpn-tunnel-protocol ipsec
     split-tunnel-network-list value Split_Tunnel_List

    same-security-traffic permit intra-interface

    tunnel-group RA_GROUP type remote-access
    tunnel-group RA_GROUP general-attributes
     address-pool RA_VPN_POOL
     default-group-policy RA_GROUP
    tunnel-group RA_GROUP ipsec-attributes
     pre-shared-key *

    ip local pool RA_VPN_POOL 10.0.0.10-10.0.0.50 mask 255.255.255.0

    Site to site:

      

    crypto map outside_map 1 match address acl-amzn
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer AWS_TUNNEL_1_IP AWS_TUNNEL_2_IP
    crypto map outside_map 1 set transform-set transform-amzn
     
     
    I recommend you use a local IP address pool with a different address range from the one the inside interface uses; also, you are currently missing a NAT exemption from the local IP pool to the site-to-site destination:

    access-list NAT_EXEMPT extended permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0

    nat (outside) 0 access-list NAT_EXEMPT

    Now there is a NAT exemption allowing the traffic to go out without being translated.

    Let me know how it works!

    Please don't forget to rate and mark the helpful post as correct!
     
    Kind regards
     
    David Castro,
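The complete set of pieces a remote-access user needs to ride an existing site-to-site tunnel, added here as an example; it is not the poster's configuration and not part of David's reply. It keeps the thread's pre-8.3 nat syntax and its names (RA_GROUP, acl-amzn, Split_Tunnel_List, NAT_EXEMPT), and assumes an office LAN of 10.0.0.0/24, an AWS VPC of 172.17.0.0/16 and a new, non-overlapping pool of 10.200.0.0/24. The NAT exemption from the answer is one of four requirements; the others are the hairpin permit, the crypto ACL (on both ends) and the split-tunnel list.

```cisco
! Added example (not from the original thread). Assumes ASA 8.2-style NAT,
! LAN 10.0.0.0/24, AWS VPC 172.17.0.0/16, and a placeholder RA pool of
! 10.200.0.0/24 chosen so it does not overlap the inside network.

! 1. A pool that is not part of the inside subnet.
ip local pool RA_VPN_POOL 10.200.0.10-10.200.0.50 mask 255.255.255.0

! 2. RA traffic is decrypted on "outside" and must leave on "outside"
!    again for the S2S tunnel: allow the U-turn.
same-security-traffic permit intra-interface

! 3. No translation for LAN->VPC (entering on inside) or pool->VPC
!    (entering on outside). One exemption list per ingress interface.
access-list NAT_EXEMPT_INSIDE extended permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0
nat (inside) 0 access-list NAT_EXEMPT_INSIDE
access-list NAT_EXEMPT extended permit ip 10.200.0.0 255.255.255.0 172.17.0.0 255.255.0.0
nat (outside) 0 access-list NAT_EXEMPT

! 4. The crypto ACL selects what the S2S tunnel carries. Without the pool
!    here the ASA has no SA for pool->VPC and silently drops the traffic.
!    The AWS side (VGW static route / customer gateway) must mirror this
!    by routing 10.200.0.0/24 into the tunnel.
access-list acl-amzn extended permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list acl-amzn extended permit ip 10.200.0.0 255.255.255.0 172.17.0.0 255.255.0.0
crypto map outside_map 1 match address acl-amzn

! 5. Split tunneling: the client only sends the VPC range into the VPN
!    if the list says so.
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.0.0 255.255.0.0
group-policy RA_GROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List

! Check (placeholder addresses): trace a pool host to a VPC host and
! expect NAT exempt followed by VPN encrypt, not a DROP.
! packet-tracer input outside icmp 10.200.0.10 8 0 172.17.1.10
! show crypto ipsec sa peer AWS_TUNNEL_1_IP
!   -> an SA whose local ident is 10.200.0.0/255.255.255.0
```

Run the packet-tracer before and after each step; the phase at which it stops (NAT, VPN, or route) tells you which of the four pieces is still missing. Step 4 is the one most often overlooked because the LAN-to-VPC tunnel already works and nothing in the RA configuration points at the crypto map.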
     
     
  • Moving SSL VPN licenses to another ASA

    Hello

    Be gentle, it's my first post. We currently have an ASA 5520 with 25 remote SSL VPN licenses. We also have some unused 5510s. Does anyone know if the SSL licenses are transferable from the unused 5510s to the 5520 to increase the amount that the 5520 has?

    Thank you

    Alistair

    Unfortunately the licenses are not transferable from one ASA to another.

    Here is the URL for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/license/license82.html#wp194956

    (second bullet under the 'Additional Guidelines and Limitations' section)

    Hope that answers your question.

  • Cannot change the SSL VPN customization

    Hello

    I have an ASA 5520 with SSL VPN enabled.

    I want to customize my portal page, removing "Cisco SSL VPN" and putting my company name and logo.

    I created a new customization, but when I click on Edit to change it, a web page appears but never finishes loading.

    Can someone help me?

    Regards

    If you want to change the Cisco logo to your company logo, please follow these configuration examples for portal customization:

    Change the logo:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808bd92b.shtml

    Change the title:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808bd861.shtml

    Hope that helps.

  • SSL VPN html-content-filter for images

    Hello

    I'm trying to do content filtering via clientless SSL VPN on an ASA 5505.

    The command below is supposed to block anything with the HTML img tag, but it does not seem to.

    # sh run group-policy

    group-policy clientless-grp-policy internal
    group-policy clientless-grp-policy attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol webvpn
     split-tunnel-policy tunnelall
     webvpn
      url-list value bookmark
      html-content-filter java images cookies
      svc ask enable default webvpn

    # sh run tunnel-group

    tunnel-group clientless-tunnel type remote-access
    tunnel-group clientless-tunnel general-attributes
     default-group-policy clientless-grp-policy
    tunnel-group clientless-tunnel webvpn-attributes
     group-alias clientless-alias enable

    What am I missing here? Or have I just misunderstood how it works?

    Thank you!

    Hello

    How does it work for you?

    HTML-content-filter

    Thank you.

    Portu.

  • Track user activity while accessing an ADF application

    Hello

    We have a requirement to track all the activities of the user while accessing our ADF application, such as which pages users navigate from login to logout, which actions the user performs on a particular page such as button clicks, etc., and which queries are invoked for that page.

    Please suggest the best approach to implement this.

    Do we need to write code to capture all that information, or do we have predefined tools / frameworks for this specific feature?

    Thank you

    KT

    Well, you must first know exactly what info to track. This isn't a simple task, because you'll find yourself with a lot of info, most of which is never used. Here, you have to work with the customer to know what needs to be tracked and when. The second task is to think about how to store the info in the database, so that you can see later which action belongs to which user in the right timeline. The third part is to find a way to store the info at runtime in a way that the application still responds to user events. Here you need to take into account that you cannot use the same transaction to store the info, but must still guarantee the right timeline in the tracking DB. I suggest using a JMS queue that your application writes the actions to track into, and another process that reads the queue and stores them in the database.

    Timo

  • AME Transaction Type in User Management (additional access authorization)

    We are looking to use the "Request additional access" self-service feature in User Management to allow existing users to request additional responsibilities (we're on EBS 12.1.3; all user access is entirely within EBS, without SSO integration).

    I was able to set it up so that it works very well if no approval is required for the new responsibility, but we would also like some responsibilities to require approval by the line manager/supervisor before the responsibility is granted. The User Management documentation tells us that we can add an AME Transaction Type in the "Approval Transaction Type" field when creating a new registration process, but nothing more than that. I wonder if someone could point me to any more detailed documentation that would help us work out whether we can use an existing AME transaction type, or how to create a new one for this particular task?

    Thank you.

    Andrew

    In case anyone else has this problem in the future, I logged an SR and Support pointed me to a really useful note on My Oracle Support on how to do it:

    How to create an AME Transaction Type for approval in AME.B or higher? (Doc ID 420387.1)
