PROJECT VPN - CISCO ASA

Hi all

We have a large ongoing project in which we implement a Firewall / VPN service to the customers to provide VPN connections back to a single VPN server. We have about 1,000 users but only run about 200-250 concurrent sessions at any time and the IP Sec and SSL will be fine. As part of our evaluation and the construction phase we need to firstly consider hardware and Cisco is an obviuos because we have the expertise in house. However, I consider that for this client, it would be preferable to provide a solution that will scale that their subscribers grow and therefore my opinion is the ASA 5510 would be a good starting point and we can improve if their subscriber base grows. There are also run active failover / standby. However, the licenceing issues are a little confussing to say the least and so would like a second opinion from someone on this forum which has some recent experience of a similar build and install. Hardware and software specifications for this build are important, so any suggestions in this regard would be also welcome. We considered all connect premium, but this can be expensive looking at 250 concurrent sessions. These are fundamental questions.

1. what would be the best material to offer to this customer to get them started?

2. with Anyconnect is the example from the sessions simultaneous or registered user accounts or in other words we would have 1,000 accounts of users with 250 concurrent connections?

3. is there a better way to configure the VPN simultaneous 250 with about 1000 users?

Any help would be as always greatly appreciated.

Kind regards

>> 1. What would be the best material to offer to this customer to get them started?

The 5510 is a legacy that should not be bought and more like the first firewall. And the concurrent users are also too low. You should look into the 5525-X. This model supports VPN connections simultaneous 750. The next smallest model, the 5515-X only supports 250 simultaneous sessions.

>> 2. With Anyconnect is the example from the sessions simultaneous or registered user accounts, or in other words we would have 1,000 accounts of users with 250 concurrent connections?

Yes, concurrent sessions are what count.

>> 3. Is there a better way to configure the VPN simultaneous 250 with about 1000 users?

You must decide if you really need VPN without client. If your users could all use a complete tunnel (AnyConnect) client, then just buy the AnyConnect Essentials license which is pretty cheap.

Sent by Cisco Support technique iPad App

Tags: Cisco Security

Similar Questions

  • IPSec vpn cisco asa and acs 5.1

    We have configured authentication ipsec vpn cisco asa acs 5.1:

    Here is the config in cisco vpn 5580:

    standard access list acltest allow 10.10.30.0 255.255.255.0

    RADIUS protocol AAA-server Gserver

    AAA-server host 10.1.8.10 Gserver (inside)

    Cisco key

    AAA-server host 10.1.8.11 Gserver (inside)

    Cisco key

    internal group gpTest strategy

    gpTest group policy attributes

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list acltest

    type tunnel-group test remote access

    tunnel-group test general attributes

    address localpool pool

    Group Policy - by default-gpTest

    authentication-server-group LOCAL Gserver

    authorization-server-group Gserver

    accounting-server-group Gserver

    IPSec-attributes of tunnel-group test

    pre-shared-key cisco123

    GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.

    When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get

    error:

    22040 wrong password or invalid shared secret

    (pls see picture to attach it)

    the system still works, but I don't know why, we get the error log.

    Thanks for any help you can provide!

    Duyen

    Hello Duyen,

    I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.

    Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:

    authentication-server-group LOCAL Gserver

    authorization-server-group Gserver

    As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.

    Please remove the authorization under the Tunnel of Group:

    No authorization-server-group Gserver

    Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.

    Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.

    I hope this helps.

    Kind regards.

  • Order of operations NAT on Site to Site VPN Cisco ASA

    Hello

    I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:

    Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.

    But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.

    inside_map crypto 50 card value transform-set ESP-3DES-SHA

    tunnel-group 100.1.1.1 type ipsec-l2l

    tunnel-group 100.1.1.1 General-attributes

    Group Policy - by default-PHX_HK

    IPSec-attributes tunnel-group 100.1.1.1

    pre-shared key *.

    internal PHX_HK group policy

    PHX_HK group policy attributes

    VPN-filter no

    Protocol-tunnel-VPN IPSec svc webvpn

    card crypto inside_map 50 match address outside_cryptomap_50

    peer set card crypto inside_map 50 100.1.1.1

    inside_map crypto 50 card value transform-set ESP-3DES-SHA

    inside_map crypto 50 card value reverse-road

    the PHX_Local object-group network

    host of the object-Network 31.10.11.10

    host of the object-Network 31.10.11.11

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    host of the object-Network 10.17.128.20

    host of the object-Network 10.17.128.21

    host of the object-Network 10.17.128.22

    host of the object-Network 10.17.128.23

    the HK_Remote object-group network

    host of the object-Network 102.1.1.10

    inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local

    outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

    public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255

    public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255

    public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255

    public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255

    He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:

    the PHX_Local1 object-group network

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote

    inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote

    Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.

    Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.

    Thank you

    Kind regards

    Thomas

    Hello

    I think you could have said the original question in a way that could be missleading. In other words, if I understand now.

    From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.

    Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.

    If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.

    Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.

    You have these guests who were not able to use the VPN L2L

    31.10.10.10 10.17.128.20

    31.10.10.11 10.17.128.21

    31.10.10.12 10.17.128.22

    31.10.10.13 10.17.128.23

    IF you want them to go to the VPN L2L with their original IP address then you must configure

    object-group, LAN

    host of the object-Network 10.17.128.20

    host of the object-Network 10.17.128.21

    host of the object-Network 10.17.128.22

    host of the object-Network 10.17.128.23

    object-group, REMOTE network

    host of the object-Network 102.1.1.10

    inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote

    outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

    IF you want to use the L2L VPN with the public IP address, then you must configure

    object-group, LAN

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    object-group, REMOTE network

    host of the object-Network 102.1.1.10

    outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

    EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.

    Or you can of course use the same "object-group" as currently but change the content in an appropriate manner

    Be sure to mark it as answered if it was answered.

    Ask more if necessary

    -Jouni

  • RV082 VPN Cisco ASA

    I have seen discussions on people who make reliable VPN connections to a RV082 at a remote site to a Cisco ASA 5500 security series device in a Home Office.  Can we get a FAQ/document displays the settings on both sides so that it works?  Even if mark you it as "This is a configuration not supported, use at your own discretion", it would be better than nothing.  Each Cisco, Linksys device or otherwise, must be able to communicate with other devices, especially on a standard IPSec protocols.

    Please see attached tech note on the definition of the tunnel VPN RVxx Linksys with Cisco

  • enabling remote vpn Cisco asa

    Dear team,

    I have a Cisco asa firewall, I would enable remote vpn (ssl vpn or customer).

    Please check the joint view version and suggest which are missing or need to enable them.

    Therefore, I will obtain concrete results and enable VPN.

    concerning

    SecIT

    With the license and the software version you have, you can only run the existing IPsec VPN client.

    To run AnyConnect SSL VPN client-based, you must acquire a license AnyConnect Essentials. For your platform that would be L-ASA-AC-E -5550=. (Clientless SSL VPN would be a different reference number.)

    I also suggest upgrading your system beyond 8.2 software (2) the current recommended release would be 9.0 (3). (9.1 (5) is the last on the 5550.)

  • Clientless vpn cisco asa

    All,

    I use the cisco ASA 5500 vpn device, and I need a specific configuration where clients vpn (vpn without customer) would authenticate in an external radius server.

    My problem is that I need to do different bookmarks for different users, so how can I do if my clients are not in the local database? (I do not even have accounts configured on the cisco device), DAP would be the solution?

    TKS in advance

    You are absolutely right. You can configure DAP to make specific bookmarks according to which the user connects via the WebVPN (Clientless SSL VPN).

  • Customization of SSL VPN Cisco ASA version 8

    Is there a way to customize the appearance of the SSL VPN? To change the features of the ASA custmization? To change the total look of the portal page the way we like it and not the Cisco default settings? For example, the RDP plugin has always display the help text on the right side, and we would like to show different text in this area. We were able to change it but could not import to the area of the asa.

    Import of SSL vpn customization ASA is not possible. Impossible also to change the appearance of the portal page.

  • Remote access VPN Cisco ASA

    Hello!

    I have 9.1 (3) version of Cisco ASA with remote access VPN set UP on the outside interface. When the user connects to the Internet on the outside interface, it works well. My goal is to allow the connection of all other interfaces (inside the dmz and etc.) to the outside interface. Cisco ASA allows to do? Order to packet - trace output is less to:

    MSK-hq-fw1 # packet - trace entry inside tcp 10.10.10.1 14214 1.1.1.2 443

    Phase: 1

    Type:-ROUTE SEARCH

    Subtype: entry

    Result: ALLOW

    Config:

    Additional information:

    developed 1.1.1.2 255.255.255.255 identity

    Phase: 2

    Type:-ROUTE SEARCH

    Subtype: entry

    Result: ALLOW

    Config:

    Additional information:

    developed 1.1.1.2 255.255.255.255 identity

    Result:

    input interface: inside

    entry status: to the top

    entry-line-status: to the top

    the output interface: NP identity Ifc

    the status of the output: to the top

    output-line-status: to the top

    Action: drop

    Drop-reason: (headwall) No. road to host

    Hello

    Well, you can of course turn VPN on other interfaces, but to be honest, I never even tried to set up the VPN it otherwise than of multiple multiple external interfaces in the case of the ISP and in this case only for testing purposes.

    Some things related to the ASA are well known but not well documented.

    The official document that I can remember: this is the following (which only refers to this limitation regarding the ICMP)

    Note 
    

    For  security purposes the security appliance does not support far-end  interface ping, that is pinging the IP address of the outside interface  from the inside network.

    Source (old configuration guide):

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa71/configuration/guide/conf_gd/trouble.html#wp1059645

    -Jouni

  • Is supported PPTP vpn cisco ASA 5520 firewall?

    Hi all

    I'm Md.kamruzzaman. My compnay buy a firewall of cisco asa 5520 and I want to configure PPTP vpn on asa 5520 firewall. Is it possible to configure the PPTP vpn to asa firewall. If possible can you please tell me what is the procedure to configure the PPTP vpn.

    Best regards

    MD.kamruzzaman

    Sorry, but the Cisco ASA firewall does not support PPTP VPN termination.

    You may terminate IPSec and SSL VPN but not of type PPTP.

    If you are new to the ASA, how best to configure the supported VPN types is via the VPN Wizard integrated into the application of management of ASSISTANT Deputy Ministers.

  • NAT/VPN Cisco ASA

    Hello

    I have a question on a Cisco ASA.

    We strive to set up a VPN connection with a provider of our using the 172.16.1.0/24 subnet now that they already have another customer using 172.16.1.0/24, then NAT traffic on a different subnet before connecting to the provider. Is this possible? If yes how can I configure something like this?

    172.16.1.0/24 is also used to access the internet.

    That's what I have right now:

    !

    internet_cryptomap_2 to access ip 192.168.0.0 scope list allow 255.255.252.0 (subnet provider)

    !

    card crypto internet_map1 3 match address internet_cryptomap_2

    internet_map1 crypto map peer set 3 (IP address of provider)

    internet_map1 crypto map 3 the value transform-set tubis-transformset

    internet_map1 crypto map 3 the value reverse-road

    !

    This VPN works, but only for the subnet listed in the cryptomap_2 unfortunately, I can't use 172.16.1.0/24 for this.

    Anyone has any ideas how to solve this problem?

    Kind regards

    Tom

    Yes, you can...

    Assuming you want to 172.16.1.0/24 NAT to 10.16.1.0/24 when accessing the provider subnet 192.168.0.0

    access list static-nat-to-vendor permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.252.0

    public static 10.16.1.0 (inside, outside) access static-nat-to-provider list

    access extensive list ip 10.16.1.0 internet_cryptomap_2 allow 255.255.255.0 192.168.0.0 255.255.252.0

    Assuming you have ASA 8.2 or lower.

    Otherwise, ASA 8.3 or higher:

    network object obj - 172.16.1.0

    subnet 172.16.1.0 255.255.255.0

    network object obj - 10.16.1.0

    10.16.1.0 subnet 255.255.255.0

    network object obj - 192.168.0.0

    Subnet 192.168.0.0 255.255.252.0

    NAT (inside, outside) source static obj - 172.16.1.0 obj - 10.16.1.0 destination static obj - 192.168.0.0 obj - 192.168.0.0

  • False claims RADIUS of customer VPN Cisco ASA 5510

    Hello world

    I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) and AD.

    Each time, when the client connects, ASA 2 RADIUS requests questions, correct first - which is successfully authenticated by FAC and immediately - second that always fails. I couldn't find information related to this strange behaivor. Function "Double Authentication" (more sympathetic to his name) is only accessible to Anyconnect customers who we do not. When I'm authenicated by using password group, there is only one query RADIUS.

    What is the source of such behavior?

    The negative impact is that my logs are filled with the failed authentication attempts fallacious and users are incrementig attempts failed in the AD meter.

    Debugging of ASA:

    -First application-

    RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

    RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

    RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

    RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

    RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

    RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

    -The second request-

    RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

    RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

    RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

    RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

    GBA debug:

    -First application-

    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

    -The second request-
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

    The ASA config:

    Crypto ikev1 allow outside
    Crypto ikev1 allow inside
    IKEv1 crypto ipsec-over-tcp port 10000
    life 86400
    IKEv1 crypto policy 65535
    authentication rsa - sig
    3des encryption
    md5 hash
    Group 2
    life 86400

    !

    internal Cert_auth group strategy
    attributes of Group Policy Cert_auth
    client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list aclVPN2
    the address value vpnpool pools
    rule of access-client-none

    !

    attributes global-tunnel-group DefaultRAGroup
    address (inside) vpnpool pool
    address vpnpool pool
    authentication-server-group RADIUS01
    authorization-server-group RADIUS01
    authorization-server-group (inside) RADIUS01
    Group Policy - by default-Cert_auth

    !

    RADIUS protocol AAA-server RADIUS01
    AAA-server host 10.2.9.224 RADIUS01 (inside)
    key *.
    RADIUS-common-pw *.
    AAA-server host 10.4.2.223 RADIUS01 (inside)
    key *.

    Hello

    It is a 'classic' error and has nothing to do with dual authentication, but rather with the fact that you do both radius and authorization of RADIUS authentication.

    If you remove this line:

    authorization-server-group RADIUS01

    you will see that it starts to work properly

    In short: when ASA no authorization of RADIUS, it sends a request to access radius with the username as a password, that's why you see the second application fails all the time.

    This is because the RADIUS authorization is intended to be used when authentication happens using certificates (only) so there is no password.

    Also note that within the RADIUS protocol, authentication and authorization are not separate things, both occur in a single step. So if the ASA makes the radius authentication, he already gets the user attributes in the authentication step and it makes no sense to also make a separate authorization stage (except in a few very rare scenario where you have 2 radius servers, one for authentication and another for permission).

    HTH

    Herbert

  • Client VPN Cisco ASA 5505 Cisco 1841 router

    Hello. I'm doing a connection during a cisco vpn client and a vpn on one server asa 5505 behind a 1841 router (internet adsl2 + and NAT router).

    My topology is almost as follows

    customer - tunnel - 1841 - ASA - PC

    ASA is the endpoint vpn (outside interface) device. I forward udp port 500 and 4500 on my router to the ASA and the tunnel rises. I exempt nat'ting on the asa and the router to the IP in dhcp vpn pool. I can connect to my tunnel but I can't "see" anything in the internal network. I allowed all traffic from the outside inwards buy from the ip vpn pool and I still send packets through the tunnel and I get nothing. I take a look at the statistics on the vpn client and I 2597 bytes (ping traffic) and there are no bytes. Any idea?

    Where you you logged in when you took the "crypto ipsec to show his"? If this isn't the case then try again, also this option allows IPSEC over UDP 4500 and it is disabled, enable it.

    ISAKMP nat-traversal crypto

    Just enter the command as it is, then try to connect again after activation of this option and get the same result to see the.

  • VPN Cisco ASA Cisco ASA firewall via DHCP.

    Hi all!

    Small question.  I have an ASA5520 (8.2) acting as a VPN server with the correct configuration to request a DHCP on behalf of the VPN Client address.  However, this ASAVPN is connected to a vpn - dmz on my other ASA5520 (8.0) is our main firewall.  I can see future demand across the demilitarized zone and the ASAFIREWALL interface inside and outside.  The DHCP server responds and refers to the x.x.x.0.   I had not initially installing dhcp on the ASAFIREWALL relay as I had open 67 upd, thinking it would allow just back through with number.  No idea how to get this working correctly?

    Thank you

    Raun

    Hello Raun,

    Please see the link among Cisco engineers.

    It will help you on this

    https://supportforums.Cisco.com/community/NetPro/security/firewall/blog/2011/01/07/ASA-PIX-DHCP-relay-through-VPN-tunnel

    Any other questions... Sure... Be sure to note all my answers.

    Julio

  • VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

    Hello

    I'm a little confused as to which is the problem. This is the premise for the problem I have face.

    One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.

    Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)

    So essentially the encryption field is configured as follows:

    access-list line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
    access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
    access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173)

    Free NAT has been configured as follows (names modified interfaces):

    NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP

    the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202

    NAT (interface2) 0-list of access VPN-SHEEP

    VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

    After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.

    There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)

    The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.

    Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).

    This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit rule
    Additional information:
    MAC access list

    Phase: 2
    Type: FLOW-SEARCH
    Subtype:
    Result: ALLOW
    Config:
    Additional information:
    Not found no corresponding stream, creating a new stream

    Phase: 3
    Type:-ROUTE SEARCH
    Subtype: entry
    Result: ALLOW
    Config:
    Additional information:
    in 10.82.0.200 255.255.255.252 outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: Journal
    Result: ALLOW
    Config:
    Access-group interface interface1
    access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    Additional information:

    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional information:

    Phase: 6
    Type: INSPECT
    Subtype: np - inspect
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    Policy-map global_policy
    class inspection_default
    inspect the http
    global service-policy global_policy
    Additional information:

    Phase: 7
    Type: FOVER
    Subtype: Eve-updated
    Result: ALLOW
    Config:
    Additional information:

    Phase: 8
    Type: NAT-FREE
    Subtype:
    Result: ALLOW
    Config:
    NAT-control
    is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
    Exempt from NAT
    translate_hits = 32, untranslate_hits = 35251
    Additional information:

    -Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.

    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
    NAT-control
    is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
    static translation at 10.231.0.0
    translate_hits = 153954, untranslate_hits = 88
    Additional information:

    -Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet

    Phase: 10
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    NAT (interface1) 5 10.231.191.0 255.255.255.0
    NAT-control
    is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
    dynamic translation of hen 5 (y.y.y.y)
    translate_hits = 3048900, untranslate_hits = 77195
    Additional information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional information:

    Phase: 12
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional information:

    Phase: 14
    Type: CREATING STREAMS
    Subtype:
    Result: ALLOW
    Config:
    Additional information:
    New workflow created with the 1047981896 id, package sent to the next module

    Result:
    input interface: interface1
    entry status: to the top
    entry-line-status: to the top
    output interface: outside
    the status of the output: to the top
    output-line-status: to the top
    Action: allow

    So, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?

    And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.

    access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
    current_peer: y.y.y.y

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.

    Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)

    If there is any essential information that I can give, please ask.

    -Jouni

    Jouni,

    8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

    If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)

    Marcin

  • Client VPN CISCO ASA for Android

    Hi guys

    I just received a request from a client who said he expects the procedure to establish a VPN from an Android device, as far as I know there is a soft ANYCONNECT but in my case, the client uses a CISCO VPN CLIENT, in this case it is possible to configure a VPN connection on the device, or I should use ANYCONNECT?

    Kind regards.

    Connection via the android client will be like the legacy cisco VPN client connection. You need only anyconnect mobile licenses if you connect with the android anyconnect client.  Using the android client built in will consume licenses peer IPSEC. If no additional license not required.

Maybe you are looking for

  • TruLink and iOS 10?

    Anyone using the Starkey Trulink app on iOS 10? I have not updated yet because the site does not always say it is compatible.

  • Dungeon of Flash, Adobe is "failed to initialize".

    I did all the things recommended on the blog. I tried to remove any Flash from Adobe which was in the machine (I wonder!). The processes are very complex, so I wonder. My system is XP 3. I chose to run FireFox. I went through my Juno without result,

  • linear adjustment with a graphics buffer

    I want to be able to graph data and linear adjustment data stored in the buffer of real-time graphics.  I can't understand how split the x and y tables of the output of the graphics buffer.  Any help would be appreciated.  I have attached a sample pr

  • Pavilion dv9550eo: Upgrade CPU T7300 in dv9550eo since 2007

    I'm still in love with my old HP Pavilion dv9550eo since 2007. It is being upgraded with Windows 7 x 64, SSD and a new GPU-fan. Still going for my use I see in the owner's manual that adapted T7700 2.4 GHz my computer. But it's not a difference of sp

  • How to make a copy of windows 7 for my laptop

    I have a HP Pavilion Entertainment PC with windows 7. If I need to reload the OS on the pc, where can I get windows 7 to go because I don't have a cd/dvd with the operating system, when I bought the machine. I can make a cd... If Yes, where can I get