Problem Cisco ASA and downloadable ACLs

Hi all

Can someone shed some light on how configure ACS for acl user base download.

We used the TACCAS for remote access user authentication.

I need a config on ASA or should I just set up the strategy of /authorisation element profile and link the user profile?

Thanks in advance

Example of configuration.

Tags: Cisco Security

Similar Questions

  • The traffic load between the power of Cisco ASA and FireSight Management Center fire

    Hi all

    I have a stupid question to ask.

    Can I know what is the traffic load and the e/s flow between firepower Cisco ASA and FireSight Management Center?

    Currently working on a project, client require such information to adapt to their network. Tried to find in the document from Cisco, but no luck.

    Maybe you all have no idea to provide.

    It varies depending on the number of events reported from the module to the CSP. No event = only health controls and policy changes are exchanged. 10,000 events per second = much more traffic.

    Generally it is not a heavy load, however.

  • ACS and download ACL for multiple clients-AAA

    Hello!

    I need to know if it is possible to download ACL on the DACL device that is not a part of the conversation of RADIUS? In other words, I have a user who needs access to certain resources and attempts to connect to the network via PIX1. I need to authenicate it by ACS and download ACL PIX1 and (attention) PIX2 also (some firewalls upstream). Is it possible to do?

    I don't think that you can do. As you mentioned that the other PIX has no Radius configuration. And you can push only DACL of the Radius on the PIX server, she asks, not in any other PIX.

    And I'm not aware of any mechanism or feature, which allows you to transfer the downloaded ACL of one PIX to another.

    Kind regards

    Prem

  • Configure to integrate Cisco ASA and JOINT

    Hello

    We have Cisco ASA and JOINT, need assistance on the integration of the same thing; Please email me so that I'll share the details of the architecture.

    Thank you best regards &,.

    REDA

    Hi reda,.

    If I correctly your diagram, you do not want to send any traffic from the external switch to the JOINT with a SPAN port and all traffic from your DMZ interfaces with another.

    Is this correct?

    If so, can you tell me why you want to inspect the traffic before it goes through the firewall? As I said in my original answer, we generally advise putting IP addresses after the firewall.

    Not to mention that in your case, I guess that some traffic will be inspected twice so you will need to assign a different virtual sensors to each JOINT internal interfaces to ensure that the same instance does not see the traffic of several times.

    Kind regards

    Nicolas

  • ASA auth-proxy Radius and downloadable ACLs

    Hello

    I want to have ACLs that decide what traffic to allow after authorization auth-proxy.

    1. What are the options I have to ASA + ACS?

    2. can I use auth-proxy on SAA with the CSA and download RADIUS and ACLs?

    3. can I use auth-proxy on SAA with the ACS and Ray 01/09/00-cisco-av-pair (will be ASA understeand it?)

    4. can I use auth-proxy on ASA attrbuts auth-proxy ACS and Ganymede (with ACLs)?

    Thanx

    Hello

    Take a look at this guide to see if that helps answer your question. You can use the downloadable ACLs or the cisco av pair, I saw that the cisco-av-pair method works a little better because he has the user name who logged in as part of the acl which facilitates troubleshooting.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_fwaaa.html#wp1150820

    Thank you

    Tarik Admani

  • Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs

    Hello

    I have Setup Cisco NAC in my environment. These are all works well. The users themselves will get authenticated via Cisco NAC Manager. The Cisco NAC Manager meets with Cisco ACS for the part of the user database. These are all works well. I would like to activate downloadable ACLs. I tried to use the CISCO-AV-PAIR method and creating a downloadable ACL entry in the shared components, but nothing works. It's either I'm doing wrong or this configuration of the mine does not support downloadable ACLs? Please advice kindly.

    Kind regards

    RAM

    + 6 012-2918870

    Hello

    It is not possible.

    You cannot push the ACL in the NAC manager.

    If you make the Radius of NAC authentication manager, you can do is create roles the NAC Manager, and on the roles you define traffic strategies.

    Using the Radius attributes you can then map users to roles.

    Please, take a look at this:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.

    HTH,

    Tiago

    --

    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • IPSec vpn cisco asa and acs 5.1

    We have configured authentication ipsec vpn cisco asa acs 5.1:

    Here is the config in cisco vpn 5580:

    standard access list acltest allow 10.10.30.0 255.255.255.0

    RADIUS protocol AAA-server Gserver

    AAA-server host 10.1.8.10 Gserver (inside)

    Cisco key

    AAA-server host 10.1.8.11 Gserver (inside)

    Cisco key

    internal group gpTest strategy

    gpTest group policy attributes

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list acltest

    type tunnel-group test remote access

    tunnel-group test general attributes

    address localpool pool

    Group Policy - by default-gpTest

    authentication-server-group LOCAL Gserver

    authorization-server-group Gserver

    accounting-server-group Gserver

    IPSec-attributes of tunnel-group test

    pre-shared-key cisco123

    GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.

    When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get

    error:

    22040 wrong password or invalid shared secret

    (pls see picture to attach it)

    the system still works, but I don't know why, we get the error log.

    Thanks for any help you can provide!

    Duyen

    Hello Duyen,

    I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.

    Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:

    authentication-server-group LOCAL Gserver

    authorization-server-group Gserver

    As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.

    Please remove the authorization under the Tunnel of Group:

    No authorization-server-group Gserver

    Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.

    Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.

    I hope this helps.

    Kind regards.

  • IKE Dead Peer Detection between Cisco ASA and Cisco PIX

    I have a network environment in Star with about 30 offices of satellite remote using VPN Site to Site connectivity.  The majority of remote satellite offices have the features of Cisco PIX 501 running PIX Version 6.3.  The hub office runs a version 8.2 (1) Cisco ASA.

    I configured Dead Peer Detection on the Cisco ASA device at the office hub with the default settings of the following-

    Confidence interval - 10 seconds

    Retry interval - 2 seconds

    I think I'm right assuming that raises are limited to 3 before the tunnel is completely demolished.  Basically, the problem that I am facing is with several remote satellite offices.  What seems to be the case, the tunnel between the remote offices and the hub is demolished (probably because of the length of IKE, always 86400 seconds) and the tunnel then fails to renegotiate unless traffic is physically forced from the hub office.  The tunnel NOT to renegotiate after satellite office, ONLY the end of the hub; so that means sending traffic to the satellite when the VPN tunnel is out of service, not to renegotiate the tunnel.  The Hub office is a colo and therefore traffic rarely comes to that end, the tunnel remains so down until manual intervention occurs and the ICMP traffic is forced into the tunnel.

    Should the KeepAlive and retry interval settings corresponds to both ends, for example if the two devices be configured for DPD?

    What are the potential pitfalls to the extension of the life of IKE, and this will help or even hinder the problem?

    Thank you in advance for helping out with this.

    Hi Nicolas,.

    I think that the two DPD settings must match on both ends, if these do not match then problems like yours might arise which seems to happen here, is that one end shows a tunnel down, but the other end may not detect it down, we could have to watch debugs, or record two ends to see if this is the case , setting in the meantime ike DPD for same timers could hetlp on.

    In regard to the increase in the life expectancy of IKE, well you just need to be aware that this could allow keys to be discovered since these are not renegotiated unless the tunnel is down on the level of IKE. Other than that I don't see why this would affect you.

  • Cisco ASA and dynamic VPN L2L Fortigate configuration

    I met a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50 (3.0 MR7). The ASA is the hub and Fortigates are rays with a dynamic public IP.

    I followed this document on the site Web of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and the parameters passed to my counterparts to set up their Fortigates.

    However, the ASA journal reveals that attemtps Fortigate connection always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally died. Experience with putting in place a dynamic VPN between Cisco and Fortigate someone? Which could not fail at each end? Here's a typical piece of error log ASA. The ASA is currently having a static VPN tunnel and a site-2-client VPN in two groups by default.

    6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:41 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had decrypt packets, probably due to problems not match pre-shared key.  Abandonment
    5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
    6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had decrypt packets, probably due to problems not match pre-shared key.  User switching to the tunnel-group: DefaultL2LGroup
    5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
    4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, error: cannot delete PeerTblEntry
    3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer to peer table has no, no match!
    6. January 10, 2011 20:58:33 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:25 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:21 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, encrypted packet received with any HIS correspondent, drop

    Yes, sounds about right. He will try to match with the DefaultRAGroup first, and when you know that it's a dynamic IPSec in LAN-to-LAN, it will be

    then back to the DefaultL2LGroup, because he doesn't know if the VPN Client or L2L again when he is contacted fist as they are connecting from dynamic IP peer.

    You must ensure that your L2L tunnel-group by default has been configured with the corresponding pre-shared key.

    Assuming that you have configured the dynamic map and assign to the card encryption.

    Here is an example of configuration where ASA has a static and peripheral ip address pair has dynamic IP:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

    Hope that helps.

  • Problem Cisco ASA VPN/ACL

    All,

    The situation is that I'm trying to initiates a connection outside a Firewall ASA, to a destination IP address that is on the remote end of a VPN tunnel looked SAA even on the external interface. So logically slow traffic is outside to outside.

    The SAA is to deny the traffic that the conversation shows the source as the destination and the outside outside.

    Is there something smart, that I can do on the SAA to solve this problem?

    Thank you

    D

    Hello

    Use the following command on the ASA:

    permit same-security-traffic intra-interface

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • Problem IOS 15 and VTY ACL

    Dear community!

    We have recently installed a router C2951 running the version IOS 15.0 (1). However, we have a VTY ACL configuration problem. When trying to connect to the router via SSH, the ACL VTY has some matches on the SSH client's IP address, but the router refuses the SSH connection when the standard of the "VTY_ACL" called ACL is set on line vty (marked by red color). If no ACL VTY has assinged to the vty router line, the SSH connection is OK.

    The current configuration seems to be OK, see below:

    ...

    [(Il y a certaine configuration AAA, y compris TACACS + et enfin l'auth local à la fin de la liste de séquence).]

    ...

    line vty 0 4

    access-class VTY_ACL in

    response login timeout 10
    preferred no transport
    entry ssh transport
    output transport ssh
    !

    IP access-list standard VTY_ACL
    [host IP] allow
    allow [subnet range] 0.0.0.255
    !

    Could someone help with this problem? Does anyone have an experience about it?

    Thanks in advance!

    Best regards

    Belabacsi

    Hello

    What you see, is the correct behavior. It's a problem in earlier versions of IOS (allowing ssh even without the "vrf-also" option) that we had corrected in 15.0 (1 M) and later versions, please visit:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv86113

    Thank you

    Wen

  • IPsec VPN site to site between router problem Cisco ASA. Help, please

    Hello community,

    I'm stuck in configuring VPN site to site between ASA (OS 9.1) and router Cisco IOS (IOS 15, 2 - 4.M4)

    Attachment is router configuration and ASA. I also include the router debug output.

    It seems that the two parties must isakmp missmatch configuration, but I have already disabled the KeepAlive parameters. I also turn off PFS setting on both sides. But it does not work. I have no idea on this problem.

    Please help me. Any help appreciated.

    Thank you

     
     

    I didn't look any further, but this may be a reason:

     crypto map mymap 1 ipsec-isakmp dynamic dyn1

    The dynamic CM must always be the last sequence in a card encryption:

     no crypto map mymap 1 ipsec-isakmp dynamic dyn1 crypto map mymap 65000 ipsec-isakmp dynamic dyn1

    Try this first, then we can look further.

  • SSL VPN from Cisco ASA and ACS 5.1 change password

    Dear Sir.

    I am tring configure ASA to change the local password on ACS 5.1. When the user access with ssl vpn if the ACS 5.1 password expiration date. ASA will display the dialog box or window popup to change the password. But it does not work. I'm tring to Setup with the functionality of password management on the SAA. When I enable password management it will not work and is unable to change the password. Could you tell me about this problem?

    Thank you

    Aphichat

    

    Dear Sir,
    

    I'm tring to setup ASA to change local password on ACS 5.1. When user access with ssl vpn if password on ACS 5.1 expire. ASA will show dialog box or pop-up to change password. But It don't work. I'm tring to setup with password management feature on ASA . When I enable password management it don't work and can't to change password. Could you advise me about this problem?
    

    Thank you
    

    Aphichat

    Hi Aphichat,

    Go to the password link below change promt via AEC in ASA: -.

    https://supportforums.Cisco.com/docs/doc-1328;JSESSIONID=A51E68318579261787BD60DDA0707819. Node0

    Hope to help!

    Ganesh.H

    Don't forget to note the useful message

  • IPSec VPN between Cisco ASA and Fortigate1000

    Hello

    I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...

    the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...

    The question is: How do I configure the interface on the SAA ACCORD?

    Thanks in advance, Experts...

    Kind regards...

    ASA firewall does not support the interface/GRE GRE tunnel.

    If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.

    If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml

    Hope that helps.

  • I have problems with viewing and downloading videos

    Hi I'm trying to watch videos in youtube and windows media player, but I can't do it. I use Windows XP Professional when I start watching a video, it starts to download and then I get the circle to peas autour going around and around but it does not play when she plays it stops and how can I solve this problem?

    Thank you
    E-mail address is removed from the privacy *.

    Hi upthearts,

    One of the possible reasons could be the speed of the internet thanks to which time can take to the buffer. It has one or more of the following could cause this;

    ·         The Internet connection speed

    ·         Amount of RAM (Random Access Memory) used on the computer

    ·         Amount of memory available on the computer

    Method 1: You can pause the video and let the video buffer for a few minutes before selecting the 'Play' button again. Giving the download a few minutes to catch up while the video is paused can help solve the problem.

    When the bar of State indicates the video transfer or the download is complete, resume playback of the video using the controls.

    Method 2: You can also contact your ISP (Internet Service Provider) to check connection problems.

Maybe you are looking for