Problem of AAA in ASA

Hi all

I had configured Ganymede on ASA, but the problem is when I m try to Telnet it authenticates me with my username & password on ACS, but I can't pass the privilege level 15 such that configured on ACS. Its asking me to activate password n not taking password is the GBA. I used the authorization of Shell for privilege 15. Done on ASA configuration is:

name 172.30.xx.xx DCC-1

name 172.30.yy.yy DCC-2

Ganymede + Protocol Ganymede + AAA-server

AAA-server Ganymede + host DCC-1

Cisco key

AAA-server Ganymede + host DCC-2

Cisco key

AAA authentication telnet console Ganymede + LOCAL

AAA authentication telnet console Ganymede + Ganymede +.

the AAA authentication console ssh Ganymede + LOCAL

AAA authentication enable console LOCAL + Ganymede

activate the encrypted password of V3VzjwYzTRfTLwOb

piyush vkCzRtKCaNG.HI6s encrypted privilege 15 password username

ideanoc encrypted S0qrUlXOHFcX7LCw privilege 15 password username

Even added my user name & password in the local data base on ASA as on ACS. Still no progress...

Can all give his suggestion on the same.

Kind regards

Piyush

I ask not for the level of private shell 15 but enable privileges. Which must be set to 15 GBA---> user configured---> options enable---> Max privilege for any customer AAA--> 15

Tags: Cisco Security

Similar Questions

Problem of pptp Windows ASA 8.4 (4) 1

Hi all

I hope someone can help I have an ASA 5505 that replaces a legacy firewall. Everything works apart from the Dáil in pptp sessions. These are sent to the windows 2003 server.

See below for my config, I'm really stuck now. See below for my config

ASA 4,0000 Version 1

!

hostname ITEFW01

domain ite.local

activate the encrypted password of X/3Ef.pSbYW/QCVY

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

Speed 100

full duplex

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

the IP 10.0.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 83.218.142.244 255.255.255.248

!

passive FTP mode

DNS server-group DefaultDNS

domain ite.local

network obj_any object

subnet 0.0.0.0 0.0.0.0

network of the External01 object

Home 83.218.142.242

external description

the object Exchange service

tcp destination eq smtp service

network of the External02 object

Home 83.218.142.243

VPN description

service of the PPTP01 object

tcp destination eq pptp service

service of the PPTP02 object

tcp destination eq whois service

network of the External03 object

Home 83.218.142.243

Description address VPN

service object HTTPS

tcp destination eq https service

network of the ITEServer object

host 10.0.0.2

ITE server description

network of the ITEServer02 object

host 10.0.0.3

object-group service Blackberry01 tcp - udp

Description Blackberry01

port-object eq 3101

object-group service Blackberry02 tcp - udp

Description of the Ports of Blackberry

port-object eq 4101

object-group Protocol TCPUDP

object-protocol udp

object-tcp protocol

the BrianBass object-group network

Email Filtering Proxy description

object-network 217.64.175.0 255.255.255.0

host of the object-Network 62.133.28.58

object-network 83.246.65.0 255.255.255.0

host of the object-Network 87.224.100.82

host of the object-Network 87.224.86.194

network-object 94.100.128.0 255.255.255.240

inside_access_in list extended access permit icmp any one

inside_access_in of access allowed any ip an extended list

inside_access_in list extended access will permit a full

global_access list extended access allow icmp a whole

outside_access list extended access allow accord any object ITEServer

outside_access list extended access permit tcp any object ITEServer eq 1701

outside_access list extended access permit tcp any object ITEServer eq pptp

outside_access list extended access allow HTTPS object any object ITEServer

outside_access list extended access allow object Exchange object-group Brian

s object ITEServer

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

!

network of the ITEServer object

NAT External01 static (inside, outside)

!

NAT source auto after (indoor, outdoor) dynamic one interface

inside_access_in access to the interface inside group

Access-group outside_access in interface outside

Access-Group global global_access

Route outside 0.0.0.0 0.0.0.0 83.218.142.241 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:0

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

AAA authentication LOCAL telnet console

Enable http server

http 192.168.1.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmst cold start

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

Crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130

010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a

30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504

0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269

65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b

30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65

74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332

68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329

302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f

63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d

010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597

a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc

7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd

18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201

082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868

7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101

ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff

45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777

2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a

1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973

69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403

02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1

6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b

c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603

445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04

1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d

2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101

4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018

481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

6c2527b9 deb78458 c61f381e a4c4cb66

quit smoking

Telnet 10.0.0.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

SSH group dh-Group1-sha1 key exchange

Console timeout 0

dhcpd outside auto_config

!

dhcpd address 10.0.0.10 - 10.0.0.132 inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

username

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

inspect the pptp

World-Policy policy-map

class class by default

inspect the pptp

!

service-policy-international policy global

context of prompt hostname

anonymous reporting remote call

Cryptochecksum:59ea3f04159c32cce049d9654c6ade4d

: end

ITEFW01 #.

I have to admit that I don't know if PPTP requires nothing else was open.

But the most common problem is usually lack the "inspect pptp" you have.

I suggest you simply followed the ASA through the ASDM while trying the VPN connection to eliminate situations where the firewall might block connections

There isn't a lot of NAT rules on the firewall itself that I can't prevent connections

You can use the command "packet - trace" to ensure that the firewall (or would rather) to certain connection tent

entry Packet-trace out tcp 1.2.3.4 1234

-Jouni

Problem with the Cisco ASA 5525 X SFR and Firesight high school

Hi team,

We have two ASA 5525 X installed on them and Firesight in a Linux VM whose two SFRs are registered with SFR failover mode. We use the SAA secondary off the hook if the primary fails to turn on the secondary manually switch the wan cable. I turn on the ASA secondary every weekend to take the configuration of the primary for the ASA and the SFR and close by button walk / stop.

Last week I turn on high school ASA and the Firesight couldn't see the secondary SFR and show the message below:

Module device heartbeat: device > don't send heartbeats.

(I should mention I can Pinger the IP ADDRESS)

I tried to study the problem without success.

I also deleted the sensor just Firesight devices management in case something is stuck, and I'm trying to re added without success.

I'm new in firepower so... any ideas?

Thank you

Finally, this problem has been resolved by the redefinition of firepower:

see detailed here procedure to perform this redefinition;

http://www.Cisco.com/c/en/us/support/docs/security/ASA-firepower-service...

Before that, it appeared that firepower was not very healthy:

After a success "" configure Manager add xxxxx"command.

the command of managers show show nothing;

He should have shown this result:

> Display managers
Host: 193.193.2.75
Registration key: AZERTY
Inscription: pending
State of the PRC:

on the other hand, in expert mode, the following command shows several processes (and not in the normal state):

sudo pmtool status | grep-i down

Last point,

After the recreation and reconfigure all this fire power, installed in the ASA secondary standby, was considered to be OK under Firesight health Monitor,.

but after 10mins, it appeared in critical condition with the following message:

"Interface"DataPlaneInterface0"receives not all packages.

This is normal and due to the fact that Eve ASA receives no flow and the same goes for firepower inside this ASA;

by performing a failover from the primary to the secondary ASA, this critical message disappeared for firepower inside the ASA Sec and appeared for firepower inside the ASA elementary school

Configuration guide benefits of Cisco context directory Agent (CDA) and AAA (on ASA)

Hello

I would like to set up and test AAA on a Cisco ASA (5505 or 5510).
1 are there any other tools or server required to use this feature? And you have good configuration guides?

I already tested a CDA of Cisco. He was able to show users active directory and their IP equivalent.
2. do you have a brief explanation what kind of opportunities I have with this server/tool? It is perhaps usable for the AAA mentioned on the SAA?

Thanks in advance

Best regards

1. Yes, you need a Radius like Windows Server NPS or RADIUS server such as Cisco ACS/ISE server.

2. He's just a man in the middle of the ADC, you will always need an AAA server: radius or Ganymede (see # 1).

Problem setting out by ASA 5505 VPN

While inside a network secured by an ASA 5505, I can't establish a PPTP VPN on. The ASA will connect the following:

09-2009 20:50:09 creating 305006 24.13.209.125 regular translation failed for the internal protocol 47 src: 192.168.132.108 dst outside:xxx.xxx.xxx.125

I looked at the msg of error in line, but for some reason, I'm just not understand what he says. How can I fix it? Let me know if you have any questions... Thank you guys!

Colombia-British

Hello

Enable pptp inspection

pixfirewall (config) #policy - map global_policy

pixfirewall(config-pmap) #class inspection_default

pixfirewall (config-pmap-c) #inspect pptp

Go to this link for the use of pptp/gre info background detail under various codes.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Concerning

Problem starting of an ASA (9.0) config file to disk1

The State of Cisco web site:

By default, the ASA boots a boot configuration which is a hidden file. You can also set any configuration to the startup configuration by entering the following command:

HostName (config) # boot config {disk0: / | disk1: /} [path/]filename

When I put this command, wr mem and reload the ASA, it does not come to the top with the correct configuration.

It comes up with the old configuration, and it also to zero the curve on the corresponding on my disk1.

config reg is set to 0x1.

What Miss me?

Hi Jimmyc_2,

First copy the running configuration file in disk0/1/or no matter what path you want, and then start the command config like below.

copy, run disk0:/.private/startup-config
boot config disk0:/.private/startup-config
WR mem

I think that changes to configuration boot path commands where ASA can extract the default startup configuration file, it will load hidden file, but if change you it during boot, it will take care of the place where you explicitly set.

HTH

Murali.

Problem with the Cisco ASA vpn redundancy?

Hi all

I have a series ASA 5500 firewall and need to set a different peer ip for the connection of site2sitevpn. In fact, my goal is, ASA tent first pair ip of the site2site tunnel, when ASA may not reach this ip, try to reach another ip I set before. I can configure this scenerio on Cisco router with this command;
```
    crypto map tohub 1 ipsec-isakmp 
```
```
 set peer 10.1.1.1 default 
```
```
 set peer 10.2.2.2

    
```
but I wonder what can I do about ASA?

Thank you.

Best regards.

Shane,

You can configure multiple IP addresses, under the same entry of homologous set on ASA, but it works the same on IOS with preferred peer, it passes between defined peer.

Marcin

Problem connecting l2l on ASA 5510

I have setup VPN connections 2. a concentrator 3000 seller and the second to a branch.

The branch connects with a L2L type, however the connection of my suppliers is a type of 'user '. I have to rebuild the connection and the same thing happens.

piece of the screen the crypto isa HS

1 peer IKE: 68.xxx.xxx.xxx

Type: L2L role: answering machine

Generate a new key: no State: MM_ACTIVE

2 IKE peers: 12.xxx.xxx.xxx

Type: user role: initiator

Generate a new key: no State: MM_WAIT_MSG2

the only difference in the config, it's that the seller uses a set of transformation of

Crypto ipsec transform-set aes - esp esp-md5-hmac seller

and using the branch is

Crypto ipsec transform-set esp-3des esp-sha-hmac branch

any help?

Set transformation acceptable combinations include:

(1) ah-md5-hmac

ESP - 2)

(3) esp-3des and hmac-md5-esp

(4) ah-sha-hmac and esp - an and hmac-sha-esp

(5) comp-lzs and hmac-sha-esp and esp - aes (as a general rule, all comp-lzs transformation can be included in any legal combination that does not already include the transformation of the model-lzs.)

(6) esp-seal and esp-md5-hmac

Try to use 'esp-3des esp-sha-hmac' or 'aes - esp and esp-md5-hmac' at the ends of the seller and branch.

See the following url for more information:

http://www.Cisco.com/en/us/docs/iOS/12_3t/secur/command/reference/sec_c2gt.html#wp1199028

ACS 5.4 ASA 8.2.5 disable AAA for the particular user

Hello!

I want to disable journaling Ganymede + for the particular user. This user is used only for automated (python script) pooling of vpn tunnel ASA (limited command set - permission on ACS) group to verify the number of users authenticated via VPN. The problem is that this user generate a bunch of logs according to authentication authorization and accounting on ACS. Is there a solution, disable Ganymede + newspapers on ACS for this particular user? Maybe it is possible to modify the AAA on ASA to not connect this particular user?

Thanks in advance.

Hi Pawel,

You can create filters collection for that specific user. When you configure monitoring filters & Report Viewer does not record these events in the database.

Navigate to: Configuration of the analysis > System Configuration > filters Collection > add a filter

What follows is the attributes that can be used. You must use the user.

-Access service

-User

-Mac-add

-Nas - IP

Example: We get several hits of ASA by 'user' and we want ACS to ignore it. Create a filter by using the user. ACS must now ignore any attempt from the IP Address of the NAS.

Jatin kone
-Does the rate of useful messages-

VPN Tunnel access to several subnets ASA 5505

Greetings,

We spent a little time trying to configure our ASA 5505 in order to TUNNEL into several different subnets. Subnets include 192.168.1.0 / 192.168.2.0 / 192.168.10.0

Someone is about to review this setup running and indicate where we have gone wrong. When I connect via the VPN Client, I can access the 192.168.1.0 network, no problem. But fail to reach the other two. Thank you very much.

Output from the command: 'show running-config '.

: Saved

:

ASA Version 8.2 (5)

!

hostname BakerLofts

activate kn7RHw13Elw2W2eU encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 12

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 74.204.54.4 255.255.255.248

!

interface Vlan12

nameif Inside2

security-level 100

IP address 192.168.10.254 255.255.255.0

!

passive FTP mode

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

vpn_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

outside_access_in of access allowed any ip an extended list

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.3.0 255.255.255.0

Inside2_access_in of access allowed any ip an extended list

permit Inside2_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

MTU 1500 Inside2

IP local pool vpn 192.168.3.1 - 192.168.3.254 mask 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (outside) 0 192.168.3.0 255.255.255.0 outside

NAT (Inside2) 0-list of access Inside2_nat0_outbound

NAT (Inside2) 1 0.0.0.0 0.0.0.0

Access-group outside_access_in in interface outside

Access-group Inside2_access_in in the interface Inside2

Route outside 0.0.0.0 0.0.0.0 74.204.54.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication enable LOCAL console

AAA authentication LOCAL telnet console

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

Crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130

010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a

30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504

0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269

65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b

30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65

74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332

68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329

302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f

63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d

010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597

a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc

7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd

18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201

082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868

7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101

ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff

45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777

2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a

1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973

69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403

02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1

6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b

c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603

445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04

1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d

2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101

4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018

481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

6c2527b9 deb78458 c61f381e a4c4cb66

quit smoking

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet 192.168.1.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd outside auto_config

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal vpn group policy

attributes of vpn group policy

value of server DNS 8.8.8.8

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list vpn_splitTunnelAcl

username, password samn aXJbUl92B77AGcc. encrypted privilege 0

samn attributes username

Strategy-Group-VPN vpn

username password encrypted QUe2MihLFbj2.Iw0 privilege 0 jmulwa

username jmulwa attributes

Strategy-Group-VPN vpn

jangus Uixpk4uuyEDOu9eu username encrypted password

username jangus attributes

Strategy-Group-VPN vpn

vpn tunnel-group type remote access

VPN tunnel-group general attributes

vpn address pool

Group Policy - by default-vpn

Tunnel vpn ipsec-attributes group

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

anonymous reporting remote call

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

I see two problems:

1. your ASA has not an interior road to the Incas inside networks. You must add:

Route inside 192.168.2.0 255.255.255.0

Route inside 192.168.10.0 255.255.255.0

.. .specifying your gateway address of these networks.

2. the statement "access-list standard vpn_splitTunnelAcl permit 192.168.1.0 255.255.255.0" sends only a route for 192.168.1.0/24 to your customer. You need to add entries for the other two networks.

4.2 of the ACS and EAP - TLS with AD and prefix problem

Hello

We have the following situation:

-2 X ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain

-2 x ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain b.

First of all, there is a problem to have an ACS SE and a CBS work together for an area, I do not? When we haven't had that one area and the two SE ACS were responsible for domain A, it worked.

Now after the changes, authentication of machine with EAP - TLS is no longer in effect. In the newspapers, it always says that "external user DB is unknown" for a username (machine) as host/abc.domain.ch

This is the normal output of the Remote Agent, he finds the host but then nothing happens:

CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 customer who connects from x.x.x.x:2443
CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
CSWinAgent 2009-11-30 16:32:14 0646 NTLIB 3512 0x0: none of the trusted domains found
CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
CSWinAgent 2009-11-30 16:32:14 0584 0 x 3512 0 RPC: NT_DSAuthoriseUser response sent

So I did a test of the ASA to see if the host is a problem (until changes have been made it was not a problem):

AAA authentication RADIUS host 10.3.1.9 username host/abc.domain.ch to test (the ASA becomes the host / entry for the correct Windows scheme with the $):

CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 customer who connects from x.x.x.x:1509
CSWinAgent 2009-11-30 15:39:23 0390 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
CSWinAgent 2009-11-30 15:39:23 0646 NTLIB 3728 0x0: none of the trusted domains found
CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
CSWinAgent 2009-11-30 15:39:23 0456 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser response sent

It is clear that the test failed because of the bad 'past to a computer' but it's a different output as before. I saw that in ACS 4.1, you can change the prefix of send_break_action for nothing, but in 4.2 it is no longer possible.

This could be the problem, or if someone sees no other problem?

Best regards

Dominic

Hello

I encounter the same problem with my acs. I have all of the attempts failed for the default group. For the default group made configuration is not available. Is - this thereason behind all this?

Ike ASA VPN question

Hello all, I have problem with an IPSec tunnel and always looking what is exatly the problem. Have 2 ASA AAA. AA. AAA. A and BBB. BB. BBB. B where BBB. BB. BBB. B has 2 interfaces LAN is another DSL modem. When there is no problem with LAN tunnel is ACTIVE, but when I ALS rocking a few errors on the tunnel:

IP = AAA. AA. AAA. One, received an INVALID_COOKIE unencrypted notify message, drop

IP = AAA. AA. AAA. A, package in double Phase 1 detected. Retransmit the last packet.

SH isakmp sa is:

ITS enabled: 1

Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

Total SA IKE: 1

1 peer IKE: AAA. AA. AAA. A

Type: user role: initiator

Generate a new key: no State: MM_WAIT_MSG4

If the router is waiting for ack but not expected and there is no package.

At both ends, I deleted:

cry clear isa

cry clear ipsec

I checked the peer addresses are correct, what is bodering me, it's the missing package. I think that this packet is sent to the other interface which is down and so the other ASA cannot get the negotiation.

I will be grateful if anyone can help, I'll debug and sniff for that.

Here are the configs and small on isakmp debug information

Router AAA. AA. AAA. A config:

outside_cryptomap_60 list of allowed ip extended access object-US-VPN VPN - US group object

Route outside 0.0.0.0 0.0.0.0 XXX. XX. XX.1 1

Crypto ipsec transform-set ESP-AES-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 60 match address outside_cryptomap_60

game card crypto outside_map 60 peers BBB. BBB. BB. B CC. CCC. C.CCC

card crypto outside_map 60 value transform-set ESP-AES-SHA

life safety association set card crypto outside_map 60 28800 seconds

card crypto outside_map 60 set security-association life kilobytes 4608000

outside_map interface card crypto outside

ISAKMP allows outside

part of pre authentication ISAKMP policy 10

ISAKMP policy 10 3des encryption

ISAKMP policy 10 sha hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

tunnel-group BBB. BBB. BB. B type ipsec-l2l

tunnel-group BBB. BBB. BB. B ipsec-attributes

pre-shared-key *.

ASA BBB. BB. BBB. B:

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 1 match address outside_cryptomap_1

card crypto outside_map 1 set of AAA peers. AA. AAA. A

card crypto outside_map 1 the value transform-set ESP-SHA-3DES ESP-AES-SHA

outside_map interface card crypto outside

card crypto outside_map interface outsideadsl

crypto ISAKMP allow inside

crypto ISAKMP allow outside

ISAKMP crypto enable outsideadsl

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

ISAKMP crypto am - disable

debugging isakmp 127

28 Dec 11:58:01 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. A, IKE initiator: New Phase 1, Intf inside, IKE Peer AAA. AA. AAA. A local Proxy 192.168.0.0, address remote Proxy 192.167.0.0, Card Crypto (outside_map)

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Building ITS ISAKMP payload

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Payload has, worm 02 NAT-Traversal vid construction

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Payload has, worm 03 NAT-Traversal vid construction

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, building Fragmentation VID + load useful functionality

28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. A, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 148

28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. ITS payload processing

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Oakley proposal is acceptable

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. VID payload processing

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, received Fragmentation VID

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, IKE Peer included IKE fragmentation capability flags: Main Mode: Mode aggressive True: True

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Construction ke payload

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Construction nonce payload

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Building Cisco Unity VID payload

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Xauth V6 VID payload construction

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, Send IOS VID

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A payload the IOS Vendor ID theft construction ASA (version: 1.0.0 capabilities: 20000001)

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Construction VIDEO payload

28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. One, send Altiga/Cisco VPN3000/Cisco ASA GW VID

28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. A, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4) + (10) NUNCIO seller (13) + the seller (13) + the seller (13) + the seller (13) + (0) NONE total length: 256

28 Dec 11:58:07 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

28 Dec 11:58:07 [IKEv1]: IP = AAA. AA. AAA. A Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

28 Dec 11:58:09 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. ITS payload processing

28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Oakley proposal is acceptable

28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. VID payload processing

28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, received Fragmentation VID

28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, IKE Peer included IKE fragmentation capability flags: Main Mode: Mode aggressive True: True

28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Treatment IKE payload

28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 2

28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Building ITS ISAKMP payload

28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, building Fragmentation VID + load useful functionality

28 Dec 11:58:09 [IKEv1]: IP = AAA. AA. AAA. A, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

28 Dec 11:58:09 [IKEv1]: IP = AAA. AA. AAA. A Message from FORWARDING IKE_DECODE (msgid = 0) with payloads: HDR + KE (4) + NUNCIO (10) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) + (0) NONE total length: 256

28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68

28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68

28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. One, received an INVALID_COOKIE unencrypted notify message, drop

28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. A, exchanging information processing failed

No degDec 28 11:58:12 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0

28 Dec 11:58:12 [IKEv1]: IP = AAA. AA. AAA. A Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

Don't know if that's the only issue, but to start you need a 'tunnel-group C.C.C.C' ASA A.

If there is still a problem, download him debugs on both sides at the same time please.

Also, what version of the software the ASA work, and how you simulate the failure on the main interface of B? Is it possible that in your test one can always happen to B through its main interface?

HTH

Herbert

I can't boot on my Cisco ASA 5505

Hello;

I am facing a problem with my cisco ASA 5505 firewall. When I connect my cable to console the firewall to start setting firewall load and stop until the copyright. ICN can't access to the firewall to view the configuration. I start also with Rommon but I am facing the same problem. Does anyone have an idea of this problem and can help me?

Please, it's so urgencly!

Hello

What version of software is on the asa and the amount of memory is on the device?

Thank you

John

ASA: S2S Tunnel stops with higher traffic

Hello

I have no idea where I have to start solving our problem:

Site A: ASA 5520/9.2 (4) 5 ~ 20 IPsec tunnels

Site b: ASA 5505/9.2 (4) 5

When I do a SSH (or HTTP or any other TCP) session from Site A to any Linux on Site B server, I can connect, but when I do something as a "dmesg" or long "ls - al", the session hooked after 10 to 20 lines. Also HTTP sessions (as a site to set up a printer), smaller Web sites are okay (but slow), more big sites stops with a browser timeout.

This only happens on one site, all other sites work very well (which have the same config, same OS ASA).

Just to test, I opened the ssh port to the external IP address on the external interface and it works very well, as well as with the traffic through the tunnel going something wrong.

Any idea, where do I start debugging?

Gruss ivo

PS: How is stupid cloudflare, they check this text and do not allow to write the ls command linux less al, but ls space space space less al works!

You can twist on the SAA mss using this doc and empty the outside df bit as well. Follow the steps described in the section "VPN encryption error."

Crypto ipsec df - bit clear-df outdoors

Let us know how it rates.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

ASA and TLS 1.3

Hello

I have a problem with a 5550 ASA with IOS version 9.1 (7). and I want to upgrade the version LTS 1.0 to 1.1 or 1.3

How can I do?

Thank you

You can not. You need ASA version 9.3 + for what is only available for the newer model x.

Problem of AAA in ASA

Similar Questions

Maybe you are looking for