Problem with Clean Access in OOB L3

Hello

We are testing Clean Access in OOB L3 mode. Users are at a remote site behind a 3845 router. This remote site connects to the central site over a WAN\VPN link.

The CAS is hosted at the central site. We have set up VRF\PBR correctly, and communication works between the unauthenticated remote hosts (in the Auth VLAN) and the CAS. They can also ping the CAS.

The problem is with DNS (or any traffic that is supposed to be passed by the CAS on behalf of remote users).

The setup is similar to the one below:

PC--> Rt2 (Remote) Rt1--> CAS<--WAN-->--> Trusted Network(DNS Servers etc)

I sniffed packets on the untrusted and trusted interfaces when the remote client issues a DNS query, with the results below:

1. Packet on the untrusted interface:

Source MAC--> tn1 Interface MAC (Interface to CAS)

DST MAC--> untrusted CAS Interface

2. Packet 'leaving' the trusted interface (i.e. DNS packets passed on by the CAS):

Source MAC--> tn1 Interface MAC (Interface to CAS)

DST MAC--> untrusted CAS Interface

WITHOUT any change of Source\Dst MAC!

So it seems that the CAS passes the packet without even changing the Source\Dst MAC. I know that it is not supposed to change the Source\Dst IP address, but since it does not even change the Dst MAC, so any device on the Trusted Site picks up the packet.

What is going on?

Just as a side note, the communication between the PC and the CAS itself (on the untrusted interface) works very well, and the PC can even get to the redirect\auth page on the CAS (of course I have to type the IP address in the URL because DNS does not work).

Thank you

Naman

Hi Naman-

I think that you must update the user page with the new provider that you configured. This should affect both clientless users and users of the CCA.

CAM--> Administration--> user--> Edit Pages

Check the provider label (which you already did) and check disable your supplier available, which should include the RADIUS server you want to use.

If you just want to use the RADIUS, then simply change the default provider.

Let us know if this helps,

Peter

Tags: Cisco Security

Similar Questions

  • Problem with write access to TrueCrypt drives on Windows 7. The mounted drive does not have write privileges. Read-only. Cannot change the security permissions.

    Hi amcop4591,

    1. How do you mount the drive on the computer?

    2. Did you use any third-party tool to mount the drive?

    I suggest that you remove the external drive using the disk management and check back later if you can change the permissions on the drive.

    If you change the permissions, make changes to the permissions on the drive and then mount the drive.

    Mount or dismount a drive

    http://Windows.Microsoft.com/en-us/Windows7/mount-or-dismount-a-drive

    I hope this helps!

    Halima S - Microsoft technical support.

    Visit our Microsoft answers feedback Forum and let us know what you think.

  • Problem with the Access toolbar buttons

    Hi, I have a problem with the Access toolbar buttons. Instead of icons, it shows just 2 boxes, like the boxes we get for an unknown font. Help, please.

    Hello

    Those are not traditional icons; they are symbols that belong to the Segoe UI font.

    See the following Web site for an excellent tutorial to solve this problem.

    [SOLVED] Unknown character or vertical Rectangles are appearing in place of metro icons in the Windows 8 start screen and login screen - tweaking with Vishal:

    http://www.askvg.com/fix-unknown-characters-or-vertical-rectangles-are-showing-in-place-of-Metro-icons-in-Windows-8-start-screen-and-login-screen/

    Let us know if it works for you.

    Regards

  • Problem with guest user access rights after the installation of El Capitan (10.11.6)

    After I installed OS X El Capitan (10.11.6), I can't change the way the guest user can access applications.

    When I change the usage rights of the guest user in Control Panel (user admin), everything's fine. Safari is the only application that I leave available. But then, nothing has really changed and guest user can use all applications. When I make the change, the guest user is disconnected (otherwise changes cannot be made).

    Could someone help me in this problem.

    There are problems with Parental Controls not sticking in El Capitan.

    There is a long thread about this; some people have found workaround solutions, but they do not always seem to work.

    OS X El Capitan: Parental Controls NOT working

  • Problems with HTTPS access site after upgrading to FireFox 30.0

    I have problems accessing our corporate HTTPS sites after upgrading to Firefox 30.0 on Mac Mavericks; I either receive a "user not authorized" error message or the page does not load. I was able to access the above-mentioned websites when using FF 29.0. I have read and tried all the items on support: clearing the cache and cookies, removing and reinstalling the software, trying to change the SSL level, and removing the cert8.db and cookie files in the profile.

    Just to validate internally that it was not a problem with our website, I tried and was able to access these sites via Safari on Mac Mavericks. I'm looking for any help possible.

    Thank you
    Jim

    Many issues of the site can be caused by corrupted cookies or cache.

    • Clear the Cache

    Press <Alt> or <F10> to display the toolbar.
    Then follow:

    Windows: Tools > Options
    Linux: Edit > Preferences
    Mac: name of the application > Preferences

    Then Advanced > Network > Cached Web Content: Clear Now

    and

    • Delete Cookies

    Press <Alt> or <F10> to display the toolbar.
    Then follow:

    Windows: Tools > Options
    Linux: Edit > Preferences
    Mac: name of the application > Preferences

    Then Privacy.
    Under History, select Firefox will: Use custom settings for history.
    There is a button on the right side called Show Cookies.

    If there is still a problem,
    Start Firefox in Safe Mode {web link}
    While you are in safe mode;
    Press <Alt> or <F10> to display the toolbar.
    Then follow:

    Windows: Tools > Options
    Linux: Edit > Preferences
    Mac: name of the application > Preferences

    Then Advanced > General.
    Find and turn off the use of hardware acceleration.

    Poke around safe web sites and see if there is still a problem. Then restart.

  • TECRA A10 - 11 M - problem with TOSHIBA accessibility

    Hello to the forum.
    I have a TECRA A10 - 11 M (a Greek market system) and after I faced many problems with Windows VISTA
    I installed Windows XP Professional, the legendary Microsoft OS, with the recovery CD.
    Here I have faced a problem with my accessibility buttons. My function keys do not work!
    The message is: "this system cannot be used TOSHIBA accessibility".
    I uninstalled and installed the feature again, but nothing happened.
    Is there a known program that affects my system and prevents accessibility from working properly?
    Can anyone help with this?

    Thank you in advance,
    Vassilis

    _@dvass66_
    The FN keys need the installation of the Common Modules and the Hotkey Utility for Display Devices.
    The Common Modules must be installed first!
    I also recommend updating the BIOS.

    _@korenisko_
    > I think that problem on this laptop is Wifi Atheros card
    I don't know why you think this, but I don't agree.
    I have an Atheros WLan card, and since I use the latest BIOS and WLan driver everything works perfectly.
    Vista runs stable too, but indeed it needs MS patches, and I update my Vista more than once a week...

  • Problem with secure access TOSHIBA HDD 500 GB

    Hello
    I have a problem with access to my secure hard drive. The problem is that when the HDD is plugged into the USB port, the Nomad2 software says that the disk is not formatted. Does anyone have an idea what type of partition the nomadic desktop software is mounting?

    What I want to know is: when you connect your hard drive, is it recognized properly and listed in Windows Explorer?
    Can you list all the commands and data using Windows Explorer?

    Do you have the same problem with the hard drive on different laptops and desktop computers?

  • Problem with remote access in a HomeGroup

    Having a problem with remote desktop sharing within a HomeGroup.  I don't have a problem accessing the desktop from the laptop, but for some reason I can't access the laptop from the desktop.  I tried everything I could think of.  Remote access is enabled on both PCs.  Help, please.  Thank you very much!

    Hello

     

    1. Which operating system is installed on the desktop and laptop computers?

    2. What happens when you try to access the laptop from the desktop? Do you receive an error message?

    3. What troubleshooting have you performed?

    I suggest you follow these methods and check.

    As a first troubleshooting step, I suggest running the HomeGroup troubleshooter on the source and the destination computer.

    Step 1: Open the HomeGroup troubleshooter

    If your computer has problems viewing computers or files shared in your homegroup, try using the HomeGroup troubleshooter to fix the problem.

    http://Windows.Microsoft.com/en-us/Windows7/open-the-HomeGroup-Troubleshooter

    Step 2: Share files and folders with the HomeGroup on the laptop using the method proposed below. Try to access them from the desktop and check.

    a. Right-click the item you want to share, and then click Share with.

    b. Select Homegroup (Read/Write).

    c. This option shares the item with your entire HomeGroup and allows them to open, edit, or delete it.

    Share files with someone: http://Windows.Microsoft.com/en-us/Windows7/share-files-with-someone

    See also:

    Home Group: frequently asked questions
    http://Windows.Microsoft.com/en-us/Windows7/HomeGroup-frequently-asked-questions

     

    I hope this helps!

  • Problems with internet access, troubleshooting, Windows 7 does not work.

    Hello, I have recently started booting into Windows 7 on a partition alongside Windows 10, because a game wasn't working properly on the Windows 10 system (I was advised to downgrade after a one-hour troubleshooting session).

    I don't know if the game is causing these issues or anything else, but my internet connection goes away, even if the internet bar shows that it has internet.

    Right now, I'm typing this, it says I have a problem.

    Also, I have run the troubleshooter many times, and the answer is:

    This happens at random, or whenever I join a game for Minecraft.

    Does anyone know the solution to this problem?

    Other images:

    Hello

    You can see the answer given by Arya S Asok, which addresses the problem with the wireless adapter or access point.

    Let us know how it goes.

    Kind regards

  • Problem with internet access point

    Hello, I saw that this question was asked before, but I have never seen a solution to my problem, so I will explain:

    I have had this problem for about 5 months. I have a TP-LINK 300Mbps Wireless N Router, model No. TL-WR841ND. The fact is that when I plug my router into the modem, my wireless network seems to work fine, but when I try to connect my computer or any other device to the network (mobile phones, PlayStation 3, tablets, etc.), I am unable to do so. On my laptop, I get the message: 'Problem with wireless adapter or access point', but the most confusing thing is that sometimes I can connect to the Internet via my wireless network without any problem.

    This time I decided to post my problem, because I'm tired of it. Sometimes it happens, sometimes it doesn't. Right now, I have been two days without an Internet connection (via the router), while my modem works properly.

    PS: I have another router (Linksys) and I can connect to this network, but I want to solve my problem with the TP-Link because the signal is stronger. Help!

    See links.

    How to install a TP-LINK wireless routers (Recommended)?

    http://www.TP-link.com/LK/article/?faqid=92

    Why can I not access the Internet after connecting the TP-LINK router to my modem.

    http://www.TP-link.com/LK/article/?faqid=138

    TP-Link FAQ.

    http://www.TP-link.com/LK/support/FAQ/?keywords=TL-WR841ND

  • Problems with "security access control list".

    Hello

    My system is configured as follows:
    - UCM 11gR1 material - 11.1.1.4.0 (Build: 7.3.0.180)
    - Database 11gR2
    - OracleTextSearch engine is used
    - RoleEntityACL component is enabled
    - Parts of my config.cfg:
    SearchIndexerEngineName=OracleTextSearch
    IndexerDatabaseProviderName=SystemDatabase
    UseEntitySecurity=true
    I want to create access control lists for users, groups, and roles. I followed the page at http://download.oracle.com/docs/cd/E17904_01/ documentatoindoc.1111/e10792/c03_security.htm#CDDBCIDA
    Everything seems to work fine at first, because I'm able to add users, groups, and roles to the ACL of the document. The problem is that adding a user, group or role to the ACL of a document does not affect the user's rights to the document.

    Example:
    - UserA has 'read' access to the "public" SecurityGroup
    - UserB checks in a "document1" to the SecurityGroup 'public' and adds UserA to the ACL of "document1", giving UserA 'read' and 'write' access to "document1".
    - The result is that UserA doesn't have 'write' access to "document1", although he is in the ACL (same problem with groups and roles)

    In this scenario, shouldn't UserA have 'write' access to "document1", or do I have a wrong understanding of access control lists?

    Thanks in advance
    Brahim

    You heard wrong...

    Permissions through ACL are subject to the same rules of intersection between the permissions granted by the intermediary of roles or accounts.

    If you want write access to a document, you must have at least write access to the security group of the document, account and have RW permissions in the ACL.

    In other words, ACLs work on top of the existing accounts/groups and roles; they do not replace the existing UCM permissions. You can restrict the permissions by an ACL but not grant permissions that the user has not already been given for the account or the security group.

    And by the way, ACLs are generally ugly, impassable and unmanageable, so if you have to use them at all, be very careful!

    Hope that helps
    Tim
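The intersection rule Tim describes, modelled on Brahim's scenario as an added example (this is not Oracle's code and not part of the original thread). The `Right` flags, function names and sample roles are constructed for illustration, and taking the union of rights across a user's roles is an assumption of this model.

```python
from enum import Flag
from functools import reduce
from operator import or_


class Right(Flag):
    NONE = 0
    R = 1  # read
    W = 2  # write
    D = 4  # delete
    A = 8  # admin


def group_rights(role_grants, security_group):
    """Union of what each of the user's roles grants on one security group."""
    grants = (g.get(security_group, Right.NONE) for g in role_grants)
    return reduce(or_, grants, Right.NONE)


def effective_rights(role_grants, security_group, account=None, acl=None):
    """Intersect the security-group rights with the account and ACL layers.

    account / acl are None when that layer does not apply to the document.
    A layer can only remove rights; it never adds any.
    """
    rights = group_rights(role_grants, security_group)
    for layer in (account, acl):
        if layer is not None:
            rights &= layer
    return rights


# Constructed data: UserA's only role gives read on "Public";
# UserB put UserA into document1's ACL with read + write.
USER_A_ROLES = [{"Public": Right.R}]
DOC1_ACL_FOR_USER_A = Right.R | Right.W


def scenario():
    """Return (as posted, after granting RW on the group, ACL used to restrict)."""
    as_posted = effective_rights(USER_A_ROLES, "Public", acl=DOC1_ACL_FOR_USER_A)
    extra_role = {"Public": Right.R | Right.W}
    fixed = effective_rights(USER_A_ROLES + [extra_role], "Public",
                             acl=DOC1_ACL_FOR_USER_A)
    wide_role = [{"Public": Right.R | Right.W | Right.D}]
    restricted = effective_rights(wide_role, "Public", acl=Right.R)
    return as_posted, fixed, restricted


if __name__ == "__main__":
    for label, rights in zip(("as posted", "role fixed", "ACL restricts"), scenario()):
        print(f"{label:14} -> {rights}")
```

The first result shows why UserA cannot write: the ACL entry is intersected with a security-group grant that only contains read.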

  • problem with secure access

    Recently, I bought a SanDisk 4 GB USB key.  It came with SecureAccess software.  I failed and eventually removed the software.  Then I downloaded the SecureAccess software onto my USB key.  I got the vault in place.  Then I closed it down.  Now, whenever I try to run SecureAccess, it takes several minutes before I get the logon screen.  What's wrong?  What do I need to do?  I am running Windows 7 64 bit.

    OK, good analysis fb65.

    I have no experience with SecureAccess download but the blade I bought recently has SecureAccess on this and I have to suspect that they are similar if not identical.  Mine also shows a version of 1.1.19269.0.

    When I first started SecureAccess, it asked if I wanted to sign up for 2 GB of online storage, which I declined.  I suspect that you accepted the offer, and that's why it tries to connect to the 'net when you start SecureAccess.  I don't know how to disable this option, but I know not how to bypass links chiken.

    Go to your Windows\System32\drivers\etc.  You will find a file named simply hosts.  No extension.   Open the file with Notepad and add this line at the bottom:

    127.0.0.1 yuuwaa.com support.dmailer.com # SecureAccess

    Instead, you can try

    127.0.0.1 yuuwaa.com # SecureAccess

    One or the other should reduce to nil the impact of its attempts to connect online.

    HTH

  • problem with remote access to NMH405

    Hello

    I have the NMH405 connected to my PC (Windows 7 and Windows XP with IE and Firefox). I was able to connect to the media hub locally and also via remote access through ciscomediahub.com. However, remote access suddenly no longer works. There is an error message saying that the device is in offline mode.

    I tried unplugging and turning off the media hub, which did not work. I have also resorted to resetting the media hub, which did not help either. Even now when I access it locally, I can't even connect via the browser to configure the media hub.

    I would be grateful if someone could give advice on how to solve this problem.

    Thank you!

    Just to close the loop on this: I called Cisco, and their technical support identified it as a hardware problem. Since then, I exchanged it for a new device. It works fine now.

    Thank you very much!

  • Problem with users accessing the CIFS; sent anonymous user name.

    I am running on a Cisco ASA 5500 WebVPN.

    The ASA version: 8.0 (4) 8

    ASDM Version: 6.1 (5)

    I have a CIFS share set up. I'm a domain administrator on our AD 2003 domain, and when I connect to the VPN, I click on the CIFS share and am prompted for my user name and password. When I enter the username as DOMAIN\account and the password, I am able to browse the CIFS share.

    However, when I have a user that is not a domain administrator perform the same task, they get an "Authentication failure" error and cannot access the same CIFS share.

    I checked the event viewer on the server and I see that when a domain user tries to access the CIFS share, it logs an event ID 529, and the passed username is anonymous and not their domain\account name.

    I checked my account as well as the other user accounts, and our primary group is Domain Users.

    Does anyone have any suggestions?

    This looks like it might well be related to CSCsk91498. After instrumenting the code, I saw the username being parsed incorrectly and set as the host when there are special characters in the password (I have tested with '#'). If you have the # character (or possibly other special characters) in your password, this is the same problem. Even so, the two might still not be related.
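A generic illustration of the parsing failure described in the reply above, as an added example (not Cisco's code and not part of the original thread). It assumes, hypothetically, that the credentials are placed into a URL-style string before being parsed; the page does not say how the ASA builds its request. All names and sample values are constructed.

```python
from urllib.parse import quote, unquote, urlsplit


def build_url(user, password, host, share, encode):
    """Build scheme://user:password@host/share.

    With encode=False the credentials are pasted in verbatim, which is the
    mistake being demonstrated; with encode=True they are percent-encoded.
    """
    if encode:
        user, password = quote(user, safe=""), quote(password, safe="")
    return f"cifs://{user}:{password}@{host}/{share}"


def parse_target(url):
    """Return (username, password, hostname) as a generic URL parser sees them."""
    parts = urlsplit(url)
    user = unquote(parts.username) if parts.username is not None else None
    pw = unquote(parts.password) if parts.password is not None else None
    return user, pw, parts.hostname


def round_trips(user, password, host, encode):
    """True when the parser recovers exactly the credentials and host we put in."""
    return parse_target(build_url(user, password, host, "public", encode)) == (
        user, password, host)


def breaking_characters(candidates, user="CORP\\alice", host="fileserver"):
    """Characters that corrupt the parse when used unencoded in the password."""
    return [c for c in candidates
            if not round_trips(user, f"pa{c}ss", host, encode=False)]


if __name__ == "__main__":
    raw = build_url("CORP\\alice", "Spring#2009", "fileserver", "public", False)
    # '#' starts the fragment, so the authority ends early: no username is
    # left and the DOMAIN\account text is reported as the host.
    print(raw, "->", parse_target(raw))
    safe = build_url("CORP\\alice", "Spring#2009", "fileserver", "public", True)
    print(safe, "->", parse_target(safe))
    print("breaks unencoded:", breaking_characters("#/?@:"))
```

A round-trip check like `round_trips` is cheap to keep as a regression test for any component that embeds credentials in a URL.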

  • Problems with remote access IPSec VPN

    Dear Experts,

    Kindly help me with this remote access VPN problem.

    I have configured remote access IPSec VPN using the wizard. The remote client connects to the head office fine, gets the defined IP address, and sends packets and bytes, BUT does not receive any bytes or decrypt any packets. Instead, the discarded counter keeps rising.

    What could possibly be responsible, or what other configuration needs to be done on the ASA for the connection to be fully functional?

    It can help to say that Anyconnect VPN is configured on the same external Interface on the ASA, and it is still functional. What is the reason?

    AnyConnect VPN is used by staff for remote access.

    Kindly help.

    Thank you.

    Hello

    So if I understand correctly, you have such an interface for LAN and WAN and, naturally, the destination networks you want to reach via the VPN Client connection are all located behind the LAN interface.

    In this case the NAT0 configuration with your more recent software could look like this:

    object-group network LAN-NETWORKS-VPN
     network-object
     network-object
     network-object

    object network VPN-POOL
     subnet

    nat (LAN,WAN) 1 source static LAN-NETWORKS-VPN LAN-NETWORKS-VPN destination static VPN-POOL VPN-POOL

    Naturally, the naming of interfaces and objects might be different. In this case it's just meant to illustrate the purpose of the object or interface.

    Naturally I'm not sure if the NAT0 configuration is the problem; I can't really say anything for sure as I can't see the configuration.

    As for the other question,

    I have not implemented an ASA using 2 WAN interfaces like this in production environments, as there are usually separate platforms for both, or we may be hosting / providing the service for them.

    I imagine that there are ways to do it, but the main problem is the routing. Essentially, we know that the VPN Client connections can come from virtually any public source IP address, and in this case we would need the default route pointing to the VPN interface, since it's not really convenient to set up separate routes for the IP addresses where the VPN Client connections would come from.

    So if we consider that there should be a default route on the WEBSITE link of the ASA, we run into the problem that we cannot have 2 default routes active on the same device at the same time.

    Naturally, with the level of your software, you would be able to use the NAT to get the result you wanted.

    In short, the requirements would be the following

    • VPN interface has a default route, INTERNET interface has a lower value default route
    • NAT0 configuration between the LAN and VPN interfaces to make sure that this traffic is passed between these interfaces without NAT
    • Special NAT configuration between the LAN and INTERNET interfaces which would essentially transfer all traffic to the INTERNET interface (except for the VPN traffic that we have handled in the previous step)

    The above things would essentially allow the VPN interface have the default route that would mean that no matter what the VPN Client source IP address it should be able to communicate with the ASA.

    The NAT0 configuration application would be to force ASA to pass this traffic between the LAN and VPN (pools) for VPN traffic.

    The special configuration of NAT then match the traffic from LAN to ANY destination address and send to the INTERNET interface. Once this decision is made the traffic would follow the lower value default route on this interface.

    I would say that this isn't really the ideal situation or configuration to use in a production environment. It potentially creates a complex NAT configuration in which you use NAT to manipulate the traffic instead of letting the routing table make the choice in the first place.

    Of course, there could be other options, but I have to test this configuration before I can say anything more for sure.

    -Jouni
