Question of authentication of domain AD Cross via VPN IPSEC RA on SAA
Hello
I installation of remote access for users that connect to an ASA 5540, the IPSEC policy uses the RADUIS via AD authentication as well as certificates. Users authenticate correctly and can access everything on the field without any problem. Lets say that the domain is (X). We recently merged with another company that manages the domain (Y), on the AD servers, the two domains are configured as areas of trust.
The problem we seem to be running, it of when users connect to the VPN network and authenticate in the domain X, then try to access resources in domain, it fails generally. They cannot systematically map readers by FQDN or IP and vice versa also (when authentication on domain Y and attempting to access the resources on the domain X). It seems to work sometimes for some users, but more often it doesn't. Real IP connectivity is fine, the problem is that the authentication will fail.
Someone at - he noted problems with the passage of the Kerberos authentication via an IPSEC tunnel? When you try to access these resources when you are locally connected to the network, there is no problem, so it seems to be only with remote access.
Any suggestion would be appreciated.
Thank you
Sam
Saami
Good fishing!
The VPN host search server TCP capable kerberos to authenticate to it.
The server must be joined to domain you.
If your kerberos/AD can talk TCP, it's just a matter of adding these records to your local DNS server. (Note that this is not a SRV record has in A)
That being said I think that this should not be the default option and is very often used as backup in case of failure of UDP communication, but it can depend on the client config - I'm not intimately Fall with this implementation on Microsoft systems.
Marcin
Tags: Cisco Security
Similar Questions
-
Question about authentication SDI on AnyConnct and ASA
Hi all
I would like to know about the flow of communication for the AnyConnect client authentication and ASA 5520 SDI.
My client wants to use RSA SecurID On-Demand authenticator (token RSA SecurID On-Demand) between ASA 5520 for SSL VPN and AnyConnect client.
I understand that ASA provides two modes to allow authentication SDI.
Native SDI - ASA communicates directly with the SDI server to manage authentication SDI
RADIUS SDI - ASA communicates to a RADUIS SDI (such as Cisco ACS) proxy and the proxy RADIUS SDI communicates with the SDI server, this means that the ASA does not communicate directly on the SDI server.I think that, in general (not consider ASA), the client (remote user) needs access to the web page on the server of the SDI for an SDI authentication token when it starts / SSL VPN connection configuration. However, I understand clearly that how SDI authentication works if I use ASA as secure gateway and configure ASA to allow authentication SDI.
So my question is how authentication SDI work on ASA when I use ASA as secure gateway and configure ASA to allow authentication SDI (in both modes).
The customer does not want the AnyConnect client to communicate with the server of SDI directly, but to communicate to ASA only because of their security problem. I don't know why the customer say...
I found the following information of CEC.
==========
When a remote user using authentication RADIUS SDI connects to the ASA with AnyConnect and attempts to authenticate using RSA SecurID token, the ASA communicates with the RADIUS server, which in turn, communicates with the SDI server for validation.
==========This means that the AnyConnect client does not communicate with the SDI server directly for authentication of SDI when it starts / SSL VPN connection configuration and the AnyConnect client must communicate with the SAA, because ASA communicates to the SDI server (instead of the AnyConnect client) as proxy?
Your information would be appreciated.
Best regards
Shinichi
Shinichi,
I had a quick glance at the data sheet
http://www.RSA.com/node.aspx?ID=3481
I couldn't find the authentication of SMS as code ' on demand ', IE. RSA will communicate somehow with network cellular provider to deliver SMS with part user token. (Phone number should uniquely identify a user)
Please note that it is a little suspicious if the device that you authenticate provide you authentication credentials :-)
Unless you mean a scenario where users connect through ASA to request a token (be it via NAT or perhaps via SSL Portal?) anyway, ASA is usually unconscious because the user has their authentication from the two parties.
Let me know if you meant different on the the request token. I'm curious to see what RSA has in store for us.
Marcin
-
How to set authentication with domain name in PL/SQL WebService
Dear Sir
I could see the content of the Web service in a browser with the user name and password then I'v tested with soupUI and I had to enter the user name and password and domain but I couldn't
No information in pl/sql. I think my problem is how to define area.
Browser authentication: OK
username = "TST\saeed".
password = 'test '.
soupUI of authentication: OK
username = "Salam".
password = 'test '.
domain = "TST".
PL/SQL: failure
declare
Utl_http.req req;
resp utl_http.resp;
RW varchar2 (32767).
Start
Utl_http.set_Proxy ('http://127.0.0.0:80');
Req: = utl_http.begin_request ('http://test/sendDATA.ASMX');
UTL_HTTP. SET_AUTHENTICATION (req, 'TST\saeed', 'test', 'Basic', TRUE);
resp: = utl_http.get_response (req);
loop
Start
RW: = null;
Utl_http.read_line (RESP, rw, TRUE);
SYS. DBMS_OUTPUT. Put_line (RW);
exception when others then
"exit";
end;
end loop;
Utl_http.end_response (resp);
end;
Result:
< ! DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict / / IN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" > ""
" < html xmlns =" http://www.w3.org/1999/xhtml ">
< head >
< meta http-equiv = "Content-Type" content = text/html"; charset = iso-8859-1 "/ >"
< title > 401 - Unauthorized: access is denied due to credentials not valid. < /title >
< / head >
< body >
< div id = "header" > < error Server h1 > < / h1 > < / div >
< div id = "content" >
< div class = "content-container" > < fieldset >
< h2 > 401 - Unauthorized: access is denied due to credentials not valid. < / h2 >
< h3 > you are not allowed to view this directory or page using the credentials you supplied. < / h3 >
< / fieldset > < / div >
< / div >
< / body >
< / html >
Kind regards
Saeed.
Dear all,
I found with the software "Fiddler Web Debugger" authentication type is notBasic"is"NTLM authentication"so it solved my problem.
Unfortunately, the Oracle UTL_HTTP package does not support NTLM authentication (it only supports basic via the SET_AUTHENTICATION procedure).
Reference: http://ora-00001.blogspot.co.uk/2011/08/ntlm-for-plsql.html by Morten Bråten
Kind regards
Saeed.
-
Questioning the authenticity of a self declared agent Tech Optimizer call me on my land line.
I got a call from Eric Wilson saying that he intended to call me by Windows because I had downloaded a file from an unauthorized source that would have corrupted my hard dirve. It was very convincing gave me a phone number, 210-767-3298 and his ID # as 10068 me getting a 'Run' command I don't know how to check the validity of such a request, but he was now ready to accept a phone call unsolicited to my line that is listed in the telephone directory under my name. I took his information and decided to enter the Windows Web site Query Optimizer Tech and this is where it takes me. I'd like some food to go back to that.
You were right to question the authenticity of the phone call. These scam calls are usually of a person representing Windows rather than Microsoft, but in any case, the call was nothing else than a phishing attempt! Do not give any information. Their intentions are simply to separate you from your money.
Because they use the internet lines and/or phone to complete their fraud, there may be federal agencies in your country who are interested in discovering their calls. Their report directly to the appropriate agency if you feel you can contribute to their arrest and the charges.
Microsoft do NOT pick up the phone and start dialing customers and never phones/e-mails asking for personal information or asking them to visit a web site! Please do not take into account these calls and hang up immediately.
Avoid scams that use the Microsoft name fraudulently
On another note, if you have problems with your computer, please do not hesitate to post a description of the situation and the error messages you received in those forums. We would be happy to help you. (information staff unnecessary or requested !)
-
Unable to access company LAN via VPN
Hello
I have an ASA 5505 that I used to test run them the IPSec VPN connection after having studied the different configs and crossing the ASDM I get the same question that I can not receive any traffic.
The company LAN is on a 10.8.0.0 255.255.0.0 network, I placed the VPN clients in 192.168.10.0 255.255.255.0 network, 192 clients may not speak on the 10.8 network.
On the Cisco VPN client, I see a lot of packets sent but no receipt.
I think it could be to do with NAT, but the examples I've seen I think it should work.
I have attached the complete running-config, I might well have missed something.
Thanks a lot for all the help on this...
FWBKH (config) # show running-config
: Saved
:
ASA Version 8.2 (2)
!
hostname FWBKH
test.local domain name
activate the encrypted password of XXXXXXXXXXXXXXX
passwd encrypted XXXXXXXXXXXXXXXX
names of
name 9.9.9.9 zscaler-uk-network
name 10.8.50.0 Interior-network-it
Interior-nameservers 10.8.112.0
name 17.7.9.10 fwbkh-output
name 10.8.127.200 fwbkh - in
name 192.168.10.0 bkh-vpn-pool
!
interface Vlan1
nameif inside
security-level 100
IP fwbkh 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
IP fwbkh-out 255.255.255.248
!
interface Vlan3
nameif vpn
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
banner intruder connection will be shot, survivors will be prosecuted!
Banner motd intruder will be Shot, survivors will be prosecuted!
banner intruder asdm will be Shot, survivors will be prosecuted!
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
test.local domain name
DM_INLINE_TCP_2 tcp service object-group
port-object eq www
EQ object of the https port
DM_INLINE_UDP_1 udp service object-group
port-object eq 4500
port-object eq isakmp
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-protocol udp
inside_access_in list extended access permitted tcp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_TCP_2 journal of inactive warnings
inside_access_in list allowed extended access computer-network-inside ip 255.255.255.0 any idle state
inside_access_in list extended access permitted tcp 10.8.0.0 255.255.0.0 host zscaler-uk-network eq www
inside_access_in list extended access allowed inside-servers ip 255.255.255.0 log warnings
list of access USER-ACL extended permitted tcp 10.8.0.0 255.255.0.0 any eq www
list of access USER-ACL extended permitted tcp 10.8.0.0 255.255.0.0 any https eq
outside_nat0_outbound list allowed extended access bkh-vpn-pool ip 255.255.255.0 10.8.0.0 255.255.0.0
outside_access_in list extended access permit udp any host fwbkh-out object-group DM_INLINE_UDP_1 errors in the inactive log
inside_nat0_outbound list extended access allowed object-group DM_INLINE_PROTOCOL_1 10.8.0.0 255.255.0.0 any
inside_nat0_outbound_1 to access extended list ip 10.8.0.0 allow 255.255.0.0 255.255.255.0 bkh-vpn-pool
UK-VPN-USERS_splitTunnel of the access list extended ip 10.8.0.0 allow 255.255.0.0 255.255.255.0 bkh-vpn-pool
UK-VPN-USERS_splitTunnel to the list of allowed extensive access inside-servers 255.255.255.0 bkh-vpn-pool ip 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 VPN
mask UK-VPN-POOL 192.168.10.10 - 192.168.10.60 255.255.255.0 IP local pool
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 631.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global (inside) 1 interface
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound_1
NAT (inside) 1 10.8.0.0 255.255.0.0 dns
NAT (0 outside_nat0_outbound list of outdoor outdoor access)
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 17.7.9.10 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
Enable http server
http 10.8.0.0 255.255.0.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint BKHFW
registration auto
name of the object CN = FWBKH
Configure CRL
encryption BKHFW ca certificate chain
certificate fc968750
308201dd a0030201 30820146 020204fc 96875030 0d06092a 864886f7 0d 010105
310e300c b 05003033 06035504 03130546 57424, 48 3121301f 06092 has 86 4886f70d
ccc6f3cb 977029d 5 df42515f d35c0d96 798350bf 7472725c fb8cd64d 514dc9cb
7f05ffb9 b3336388 d55576cc a3d308e1 88e14c1e 8bcb13e5 c58225ff 67144c 53 f2
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 10.8.0.0 255.255.0.0 inside
SSH timeout 30
SSH version 2
Console timeout 0
dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
strategy of UK-VPN-USERS group internal
UK-VPN-USERS group policy attributes
value of 10.8.112.1 DNS server 10.8.112.2
Protocol-tunnel-VPN IPSec svc
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value UK-VPN-USERS_splitTunnel
test.local value by default-field
the address value UK-VPN-POOL pools
attributes of Group Policy DfltGrpPolicy
VPN-tunnel-Protocol webvpn
username admin encrypted XXXXXXXXXXXXXXXXX privilege 15 password
karl encrypted XXXXXXXXXXXXXXX privilege 15 password username
type tunnel-group UK-VPN-USERS remote access
attributes global-tunnel-group UK-VPN-USERS
Address UK-VPN-POOL-pool
Group Policy - by default-UK-VPN-USERS
tunnel-group USERS of the UK VPN-ipsec-attributes
pre-shared key *.
type tunnel-group IT - VPN remote access
General attributes of IT - VPN Tunnel-group
Address UK-VPN-POOL-pool
Group Policy - by default-UK-VPN-USERS
tunnel-group IT - VPN ipsec-attributes
pre-shared key *.
!
ALLOW-USER-CLASS of the class-map
corresponds to the USER-ACL access list
type of class-card inspect all http ALLOW-URL-CLASS match
match without the regex ZSGATEWAY ALLOW request headers
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
type of policy-card inspect http ALLOW-URL-POLICY
parameters
ALLOW-URL-class
drop connection
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Review the ip options
Policy-map ALLOW-USER-URL-POLICY
ALLOW-USER-class
inspect the http
!
global service-policy global_policy
USER-URL-POLICY-ALLOW service-policy inside interface
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:00725d3158adc23e6a2664addb24fce1
: end
Hi Karl,
Please, make the following changes:
local IP VPN_POOL_UK_USERS 192.168.254.1 pool - 192.168.254.254
access extensive list 10.8.0.0 ip inside_nat0_outbound_1 255.255.0.0 allow 192.168.254.0 255.255.255.0
!
no nat (0 outside_nat0_outbound list of outdoor outdoor access)
!
UK-VPN-USERS_SPLIT of the allowed access list 10.8.0.0 255.255.0.0
!
UK-VPN-USERS group policy attributes
Split-tunnel-network-list value UK-VPN-USERS_SPLIT
!
No UK-VPN-USERS_splitTunnel scope 10.8.0.0 ip access list do not allow 255.255.0.0 255.255.255.0 bkh-vpn-pool
No list of UK-VPN-USERS_splitTunnel extended access not allowed inside-servers 255.255.255.0 bkh-vpn-pool ip 255.255.255.0
!
inside_access_in to access extended list ip 10.8.0.0 allow 255.255.255.0 192.168.254.0 255.255.255.0
!
management-access inside
******'
As you can see, I have create a new pool, since you already have an interface in the 192.168.10.0/24 network, which affects VPN clients.
Once you have finished, connect the client and try:
Ping 10.8.127.200
It work?
Try to ping so another internal IP.
Let me know how it goes.
Portu.
Please note all useful posts
Post edited by: Javier Portuguez
-
Customer remote cannot access the server LAN via VPN
Hi friends,
I'm a new palyer in ASA.
My business is small. We need to the LAN via VPN remote client access server.
I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel with success. But I can not access the server.
Client VPN is 5.0.07.0290 version. Encrypted packages have increased but the decrypted packet is 0 in the VPN client statistics, after I connected successfully.
Next to the ASA, I show crypto ipsec sa, just deciphering the packets increase.
Who can help me?
Thank you very much.
The following configuration:
ASA Version 7.0(7)
!
hostname VPNhost
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 10
ip address 221.122.96.51 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.42.199 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns domain-lookup inside
access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
access-list allow_PING extended permit icmp any any inactive
access-list Internet extended permit ip host 221.122.96.51 any inactive
access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.43.10-192.168.43.20arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 access-list PAT_acl
route outside 0.0.0.0 0.0.0.0 221.122.96.49 10
username testuser password 123
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3no sysopt connection permit-ipsec
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal 3600
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key *
telnet timeout 5ssh timeout 10
console timeout 0: end
Topology as follows:
Hello
Configure the split for the VPN tunneling.
Create the access list that defines the network behind the ASA.
ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA. ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0
Mode of configuration of group policy for the policy you want to change.
ciscoasa(config)#group-policy hillvalleyvpn attributes ciscoasa(config-group-policy)#
Specify the policy to split tunnel. In this case, the policy is tunnelspecified.
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
Specify the access tunnel split list. In this case, the list is Split_Tunnel_List.
ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List
Type this command:
ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes
Associate the group with the tunnel group policy
ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn
Leave the two configuration modes.
ciscoasa(config-group-policy)#exit ciscoasa(config)#exit ciscoasa#
Save configuration to non-volatile RAM (NVRAM) and press enter when you are prompted to specify the name of the source file.
Kind regards
Abhishek Purohit
CCIE-S-35269 -
Traffic of Client VPN routing via VPN Site to Site
Hello
We have the following scenario:
- Office (192.168.2.x)
- Data Center (212.64.x.x)
- Home workers (192.168.2.x) (scope DHCP is in the office subnet)
Connections:
- Desktop to Data Center traffic is routed through a Site at IPSec VPN, which works very well.
- Welcome to the office is routed through a Site IPSec VPN Client.
The question we have right now, is the Client VPN works, and we have implemented a split tunnel which includes only the subnet of the Office for a list of network.
What I have to do, is to route all traffic to home' to 'Data Center' by site to Site VPN is configured.
I tried to add the ranges of IP data center to the list of Client VPN Split tunnel, but when I do that and try to connect at home, I just get a "connection timed out" or denied, as if she was protected by a firewall?
Could you please let me know what I missed?
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name skiddle.internal
enable password xxx encrypted
passwd xxx encrypted
names
name 188.39.51.101 dev.skiddle.com description Dev External
name 192.168.2.201 dev.skiddle.internal description Internal Dev server
name 164.177.128.202 www-1.skiddle.com description Skiddle web server
name 192.168.2.200 Newserver
name 217.150.106.82 Holly
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.3.250 255.255.255.0
!
!
time-range Workingtime
periodic weekdays 9:00 to 18:00
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server Newserver
domain-name skiddle.internal
same-security-traffic permit inter-interface
object-group service Mysql tcp
port-object eq 3306
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network rackspace-public-ips
description Rackspace Public IPs
network-object 164.177.132.16 255.255.255.252
network-object 164.177.132.72 255.255.255.252
network-object 212.64.147.184 255.255.255.248
network-object 164.177.128.200 255.255.255.252
object-group network Cuervo
description Test access for cuervo
network-object host Holly
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit ip any any
access-list outside_access_in remark ENABLES Watermark Wifi ACCESS TO DEV SERVER!
access-list outside_access_in extended permit tcp 188.39.51.0 255.255.255.0 interface outside object-group DM_INLINE_TCP_4 time-range Workingtime
access-list outside_access_in remark ENABLES OUTSDIE ACCESS TO DEV SERVER!
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_3
access-list outside_access_in remark Public Skiddle Network > Dev server
access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 interface outside eq www
access-list outside_access_in extended permit tcp object-group rackspace-public-ips interface outside eq ssh
access-list outside_access_in remark OUTSIDE ACCESS TO DEV SERVER
access-list outside_access_in extended permit tcp object-group Cuervo interface outside object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 host dev.skiddle.internal object-group DM_INLINE_TCP_2 inactive
access-list inside_access_in_1 remark HTTP OUT
access-list inside_access_in_1 extended permit tcp any any eq www
access-list inside_access_in_1 remark HTTPS OUT
access-list inside_access_in_1 extended permit tcp any any eq https
access-list inside_access_in_1 remark SSH OUT
access-list inside_access_in_1 extended permit tcp any any eq ssh
access-list inside_access_in_1 remark MYSQL OUT
access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 object-group Mysql
access-list inside_access_in_1 remark SPHINX OUT
access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 eq 3312
access-list inside_access_in_1 remark DNS OUT
access-list inside_access_in_1 extended permit object-group TCPUDP host Newserver any eq domain
access-list inside_access_in_1 remark PING OUT
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 remark Draytek Admin
access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 4433
access-list inside_access_in_1 remark Phone System
access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 35300 log disable
access-list inside_access_in_1 remark IPSEC VPN OUT
access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq 4500
access-list inside_access_in_1 remark IPSEC VPN OUT
access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq isakmp
access-list inside_access_in_1 remark Office to Rackspace OUT
access-list inside_access_in_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_access_in_1 remark IMAP OUT
access-list inside_access_in_1 extended permit tcp any any eq imap4
access-list inside_access_in_1 remark FTP OUT
access-list inside_access_in_1 extended permit tcp any any eq ftp
access-list inside_access_in_1 remark FTP DATA out
access-list inside_access_in_1 extended permit tcp any any eq ftp-data
access-list inside_access_in_1 remark SMTP Out
access-list inside_access_in_1 extended permit tcp any any eq smtp
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_nat0_outbound extended permit ip any 192.168.2.128 255.255.255.224
access-list inside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list outside_1_cryptomap_1 extended permit tcp 192.168.2.0 255.255.255.0 object-group rackspace-public-ips eq ssh
access-list RACKSPACE-cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list RACKSPACE-TEST extended permit ip host 94.236.41.227 any
access-list RACKSPACE-TEST extended permit ip any host 94.236.41.227
access-list InternalForClientVPNSplitTunnel remark Inside for VPN
access-list InternalForClientVPNSplitTunnel standard permit 192.168.2.0 255.255.255.0
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.128.200 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.16 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.72 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 212.64.147.184 255.255.255.248
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm warnings
logging from-address [email protected]/* */
logging recipient-address [email protected]/* */ level errors
mtu inside 1500
mtu outside 1500
ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ipv6 access-list inside_access_ipv6_in permit tcp any any eq www
ipv6 access-list inside_access_ipv6_in permit tcp any any eq https
ipv6 access-list inside_access_ipv6_in permit tcp any any eq ssh
ipv6 access-list inside_access_ipv6_in permit icmp6 any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www dev.skiddle.internal www netmask 255.255.255.255
static (inside,outside) tcp interface ssh dev.skiddle.internal ssh netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.254 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable 4433
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto map outside_map 1 match address RACKSPACE-cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 94.236.41.227
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxx
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcprelay server 192.68.2.200 inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source outside prefer
webvpn
port 444
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1 regex "Intel Mac OS X"
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy skiddlevpn internal
group-policy skiddlevpn attributes
dns-server value 192.168.2.200
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value InternalForClientVPNSplitTunnel
default-domain value skiddle.internal
username bensebborn password *** encrypted privilege 0
username bensebborn attributes
vpn-group-policy skiddlevpn
username benseb password gXdOhaMts7w/KavS encrypted privilege 15
tunnel-group 94.236.41.227 type ipsec-l2l
tunnel-group 94.236.41.227 ipsec-attributes
pre-shared-key *****
tunnel-group skiddlevpn type remote-access
tunnel-group skiddlevpn general-attributes
address-pool CiscoVPNDHCPPool
default-group-policy skiddlevpn
tunnel-group skiddlevpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class inspection_default
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
inspect ftp
!
service-policy global_policy global
smtp-server 164.177.128.203
prompt hostname context
call-home reporting anonymous
Cryptochecksum:6c2eb43fa1150f9a5bb178c716d8fe2b
: end
You must even-Security-enabled traffic intra-interface to allow communication between vpn VPN.
With respect,
Safwan
Remember messages useful rate.
-
Cannot access remote network via VPN
Hello
I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
There is also a public oriented Web server in the office which must be accessible.I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.
I'm quite puzzled as to why it does not work. Please could someone help.
The results of tests and the router configuration are listed below. Please let me know if you need additional information.
Thank you and best regards,
Simon1. routing on the router table
Router #sh ip route
Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
C XXX.yyy.zzz.192 is directly connected, Vlan10
GGG.hhh.125.0/32 is divided into subnets, subnets 1
C GGG.HHH.125.34 is directly connected, Dialer0
172.16.0.0/32 is divided into subnets, subnets 1
S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
S * 0.0.0.0/0 [1/0] via ggg.hhh.125.342. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
> ping 172.16.100.1
Ping 172.16.100.1 with 32 bytes of data:
Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 2553. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
> ping 172.16.100.10
Ping 172.16.100.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.4. ping the router to the successful local server
router #ping 172.16.100.10
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms5 see the version
Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
the availability of router is 1 hour, 9 minutes
System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
10 FastEthernet interfaces
1 ISDN basic rate interface
Configuration register is 0 x 21026. router Config
AAA authentication login default local
connection of local AAA VPN authentication.
AAA authorization exec default local
local authorization AAA VPN network
!
!
AAA - the id of the joint session
!
!
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
Configuration group customer isakmp crypto ASI_Group
key mykey
DNS aaa.bbb.cccc.ddd
domain mydomain.com
pool VPN_Pool
ACL VPN_ACL
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
!
crypto dynamic-map 10 DYNMAP
game of transformation-TS1
market arriere-route
!
!
list of authentication of VPN client VPN crypto card
card crypto VPN VPN isakmp authorization list
crypto map VPN client configuration address respond
card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
!
!
!
IP cef
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
username admin privilege 15 password mypassword
Archives
The config log
hidekeys
!
!
!
!
!
interface FastEthernet0
WAN description
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
automatic duplex
automatic speed
PPPoE enable global group
PPPoE-client dial-pool-number 1
!
interface FastEthernet2
Description Public_LAN_Interface
switchport access vlan 10
full duplex
Speed 100
!
FastEthernet6 interface
Description Private_LAN_Interface
switchport access vlan 100
full duplex
Speed 100
!
interface Vlan1
no ip address
!
interface Vlan10
Public description
IP address xxx.yyy.zzz.193 255.255.255.248
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
!
interface Vlan100
172.16.100.1 IP address 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
!
interface Dialer0
IP unnumbered Vlan10
no ip unreachable
IP mtu 1452
IP virtual-reassembly
encapsulation ppp
no ip mroute-cache
Dialer pool 1
Dialer-Group 1
Authentication callin PPP chap Protocol
PPP chap hostname myhostname
PPP chap password mychappassword
PPP ipcp dns request accept
failure to track PPP ipcp
PPP ipcp address accept
VPN crypto card
!
IP pool local VPN_Pool 172.16.100.50 172.16.100.60
!
!
no ip address of the http server
no ip http secure server
!
VPN_ACL extended IP access list
IP 172.16.100.0 allow 0.0.0.255 any
!
Dialer-list 1 ip protocol allow
not run cdp
!
!Simon,
Basically when you connect through a VPN Client PC routing table is updated automatically as soon as the connection is established. If you do not need to manually add routes. You can check this by doing a "route print" once you are connected.
Ideally, you need to put your pool of VPN on subnet that does not exist on your physical network, the router would be to route traffic between the IP pool and internal subnet.
Now, you said that you have a web server with a public IP address that you need to access through the VPN, that host also as a private IP addresses on the 172.16.100.0? If it isn't then the ACL that I proposed should work. If she only has a public IP then your ACL VPN address must have something like
IP 172.16.100.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
219.xxx.yyy.192 ip 0.0.0.7 permit 192.168.100.0 0.0.0.255
Who says the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.
I hope this helps.
Luis Raga
-
ASA5505 management via VPN/Anyconnect without group
I have 2 questions about the configuration of the SAA.
The first is related to the SSL VPN configuration. Just one group of users to which you connect to our main office via remote access. Is there a way to configure SSL VPN to not display a group selection?
I have the omission of the list of the groups-tunnel-enable command and configuration group on user accounts locking, but neither work.
Secondly, I am at a loss on how to configure ssh to allow users connected via VPN connections. I guess:
SSH 172.16.1.0 255.255.255.0 inside
with 172.16.1.0 24 is the ip pool assigned to remote access vpn users would do so, however, it's a no go. How can users of remote access (which are for the most part, all technicians) granted the possibility to connect to the device?
Thanks for your help.
To be able to manage the ASA via SSH via a VPN tunnel, you will need to enter the configuration command "in man".
-
Situation: we have a few portable computers test Ubuntu running DHCP servers. We need get the updates and other changes in corporate network sometimes. Today, we turn off the DHCP server, set up to get an IP via DHCP (besides) and make our updates.
Problem: we do not want someone accidentally connect the laptop to the corporate network, while its DHCP server is running.
Question: so, if we go via wifi using a Cisco VPN client, the DHCP server IP addresses above the tunnel?
Thanks for reading.
N ° DHCP uses layer 2 broadcasts to disseminate IP addresses. Because your clients are connected via VPN, there is no contiguity of layer 2. The only way he would accidentally do it is if you have configured an address to support IP dhcp as one of your VPN clients on the network, which I imagine you wouldn't.
-
Cannot ping inner network via VPN site-2-site
I have the following Setup of the site 2 site VPN.
The pain I feel is host 172.168.88.3 in site A is not able to ping 172.168.200.3 in site B and vice versa. Think I've added static routes and lists ACLs correctly on 3560 switches (acting as an access point) and the two PIX to access internal networks. 172.168.9.3 host can ping 172.168.200.3 very well. All advice is appreciated.
Thank you very much.
My configs are as follows:
PIX HAS
8.0 (3) version PIX
!
PIX - A host name
activate u18hqwudty78klk9s encrypted password
names of
!
interface Ethernet0
Speed 100
full duplex
nameif outside
security-level 0
IP address x.x.x.250 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
IP 172.168.9.1 255.255.255.0
!
uh78mklh78yMs encrypted passwd
connection of the banner it is a private network. Unauthorized access is prohibited!
Banner motd this is a private network. Unauthorized access is prohibited!
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BST recurring 1 Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS server-group Ext_DNS
Server name 82.72.6.57
Server name 63.73.82.242
the LOCAL_LAN object-group network
object-network 172.168.9.0 255.255.255.0
object-network 172.168.88.0 255.255.255.0
Internet_Services tcp service object-group
port-object eq www
area of port-object eq
EQ object of the https port
port-object eq ftp
EQ object of port 8080
EQ port ssh object
port-object eq telnet
the WAN_Network object-group network
object-network 172.168.200.0 255.255.255.0
ACLOUT list extended access allowed object-group LOCAL_LAN udp any eq log field
ACLOUT list extended access allow icmp object-group LOCAL_LAN no matter what paper
ACLOUT list extended access permitted tcp object-group LOCAL_LAN connect to any object-group Internet_Services
Access extensive list ip 172.168.88.0 ACLOUT allow 255.255.255.0 172.168.200.0 255.255.255.0 connect
access-list extended ACLIN all permit icmp any what newspaper echo-reply
access-list extended ACLIN all permit icmp any how inaccessible journal
access-list extended ACLIN allowed icmp no matter what newspaper has exceeded the time
IP 172.168.200.0 allow Access - list extended ACLIN 255.255.255.0 172.168.9.0 255.255.255.0 connect
standard access list split_tunnel_list allow 172.168.9.0 255.255.255.0
Access log list split_tunnel_list note LOCAL_LAN
access-list extended SHEEP allowed ip object-group LOCAL_LAN 172.168.100.0 255.255.255.0 connect
access extensive list ip 172.168.9.0 inside_nat0_outbound allow 255.255.255.0 172.168.200.0 255.255.255.0 connect
access extensive list ip 172.168.9.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0 connect
pager lines 24
Enable logging
logging buffered information
logging trap information
host of logging inside the 172.168.88.3
Outside 1500 MTU
Within 1500 MTU
IP local pool testvpn 172.168.100.1 - 192.168.100.99
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image Flash: / pdm
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group ACLIN in interface outside
ACLOUT access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 x.x.x.45 1
Route inside 172.168.88.0 255.255.255.0 172.168.88.254 1
Route inside 172.168.199.0 255.255.255.0 172.168.199.254 1
Route outside 172.168.200.0 255.255.255.0 172.168.9.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 172.168.9.1 255.255.255.255 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac Set_1
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto dynamic-map outside_dyn_map 1 set of transformation-Set_1
Crypto dynamic-map outside_dyn_map 1 the value reverse-road
outside_map 1 card crypto ipsec-isakmp dynamic outside_dyn_map
card crypto outside_map 20 match address outside_cryptomap_20
card crypto outside_map 20 peers set x.x.x.253
outside_map crypto 20 card value transform-set ESP-AES-256-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
No encryption isakmp nat-traversal
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
NTP server 130.88.203.12 prefer external source
internal testvpn group policy
attributes of the strategy of group testvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list split_tunnel_list
Viv ZdlkjGlOTGf7dqdb encrypted user name password
type tunnel-group testvpn remote access
tunnel-group testvpn General-attributes
address testvpn pool
Group Policy - by default-testvpn
testvpn group of tunnel ipsec-attributes
pre-shared-key *.
tunnel-group x.x.x.253 type ipsec-l2l
x.x.x.253 group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:bb6ead3350227b3745c14b9ba340b84a
: end
B PIX
8.0 (3) version PIX
!
hostname PIX - B
enable password ul; encrypted jk89A89hNC0Ms
names of
!
interface Ethernet0
Speed 100
full duplex
nameif outside
security-level 0
IP address x.x.x.253 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
IP 172.168.200.1 255.255.255.0
!
interface Ethernet2
Shutdown
No nameif
no level of security
no ip address
!
2ljio897hFB.88fU encrypted passwd
Banner motd this is a private network. Unauthorized access is prohibited!
passive FTP mode
DNS domain-lookup outside
DNS server-group Ext_DNS
Server name x.x.x.57
Server name x.x.x.242
the LOCAL_LAN object-group network
object-network 172.168.200.0 255.255.255.0
Internet_Services tcp service object-group
port-object eq www
area of port-object eq
EQ object of the https port
port-object eq ftp
EQ object of port 8080
the WAN_Network object-group network
networks WAN Description
object-network 172.168.88.0 255.255.255.0
ACLOUT list extended access allowed object-group LOCAL_LAN udp any eq field
ACLOUT list extended access allow icmp object-group LOCAL_LAN all
ACLOUT list extended access permitted tcp object-group LOCAL_LAN any Internet_Services object-group
access-list extended ACLIN allow all unreachable icmp
access-list extended ACLIN permit icmp any one time exceed
access-list extended ACLIN permit icmp any any echo response
IP 172.168.88.0 allow Access - list extended ACLIN 255.255.255.0 172.168.200.0 255.255.255.0
IP 172.168.9.0 allow Access - list extended ACLIN 255.255.255.0 172.168.200.0 255.255.255.0
IP 172.168.199.0 allow Access - list extended ACLIN 255.255.255.0 172.168.200.0 255.255.255.0
access extensive list ip 172.168.200.0 inside_nat0_outbound allow 255.255.255.0 172.168.9.0 255.255.255.0
access extensive list ip 172.168.200.0 outside_cryptomap_20 allow 255.255.255.0 172.168.9.0 255.255.255.0
pager lines 24
Enable logging
monitor debug logging
debug logging in buffered memory
logging trap information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group ACLIN in interface outside
ACLOUT access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 x.x.x.253 1
Route outside 172.168.88.0 255.255.255.0 172.168.200.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
card crypto outside_map 20 match address outside_cryptomap_20
card crypto outside_map 20 peers set x.x.x.250
outside_map crypto 20 card value transform-set ESP-AES-256-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
No encryption isakmp nat-traversal
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
a basic threat threat detection
Statistics-list of access threat detection
tunnel-group x.x.x.250 type ipsec-l2l
x.x.x.250 Group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:ccb8392ce529a21c071b85d9afcfdb30
: end
3560 G/W
version 12.2
no service button
horodateurs service debug uptime
Log service timestamps uptime
no password encryption service
!
hostname 3560_GW
!
enable secret 5 $1$ cOB4$ Uklj8978/jgWv? TSSP
!
No aaa new-model
mtu 1500 routing system
IP subnet zero
IP routing
!
!
!
!
No file verify auto
pvst spanning-tree mode
spanning tree extend id-system
!
internal allocation policy of VLAN ascendant
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
uplink Description to Cisco_ASA
switchport access vlan 9
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
switchport access vlan 88
switchport mode access
spanning tree portfast
!
interface GigabitEthernet0/24
switchport access vlan 9
switchport mode access
spanning tree portfast
!
interface GigabitEthernet0/25
trunk of the description and the port of A_2950_88 1
switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
trunk of the description and the port of A_2950_112 1
switchport trunk encapsulation dot1q
Shutdown
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
Shutdown
!
interface Vlan9
IP 172.168.9.2 255.255.255.0
!
interface Vlan88
IP 172.168.88.254 255.255.255.0
!
interface Vlan199
IP 172.168.199.254 255.255.255.0
!
IP classless
IP route 0.0.0.0 0.0.0.0 172.168.9.1
IP route 172.168.88.0 255.255.255.0 172.168.9.1
IP route 172.168.100.0 255.255.255.0 172.168.9.1
IP route 172.168.200.0 255.255.255.0 172.168.9.1
IP http server
!
!
control plan
!
Banner motd ^ C is a private network. ^ C
!
Line con 0
line vty 0 4
opening of session
line vty 5 15
opening of session
!
end
Hi Robert,.
I went through the configuration on both the PIX firewall and see that trafficking is not defined for 172.168.88.0/24-->172.168.200.0/24.
If you check the card crypto a PIX configuration, it says:
address for correspondence outside_map 20 card crypto outside_cryptomap_20<--This acl="" defines="" interesting="">--This>
and the outside_cryptomap_20 of the acl says:
access extensive list ip 172.168.9.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0 connect
Is the same on the PIX B:
address for correspondence outside_map 20 card crypto outside_cryptomap_20
access extensive list ip 172.168.200.0 outside_cryptomap_20 allow 255.255.255.0 172.168.9.0 255.255.255.0
To allow users to talk to each other, apply to these commands:
On the PIX:
access extensive list ip 172.168.88.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0
access extensive list ip 172.168.88.0 inside_nat0_outbound allow 255.255.255.0 172.168.200.0 255.255.255.0
and PIX B:
IP 172.168.200.0 allow access-list extended outside_cryptomap_20 255.255.255.0 172.168.88.0 255.255.255.0
access extensive list ip 172.168.200.0 inside_nat0_outbound allow 255.255.255.0 172.168.88.0 255.255.255.0
Let me know if it helps.
Thank you
Vishnu Sharma
-
Cisco ASA Site to Site VPN IPSEC and NAT question
Hi people,
I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses
Just an example:
N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)
The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)
It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)
Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.
Grateful if someone can shed some light on this subject.
Hello
OK so went with the old format of NAT configuration
It seems to me that you could do the following:
- Configure the ASA1 with static NAT strategy
- access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
- Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
- If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
- ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
- Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
- the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
- NAT (inside) 0-list of access to the INTERIOR-SHEEP
- You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
- ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration to work tomorrow but I would like to know if it works.
Please rate if this was helpful
-Jouni
- Configure the ASA1 with static NAT strategy
-
How to implement a local SOA/BPM project using remote resources via VPN
Hello world
Sorry for the dummy question, but I am a beginner and I'm in trouble with this problem.
This is the scenario: I have to carry a BPM project using JDev 11.1.1.7 on my local environment and then deploy them on remote servers via VPN where a development environment is configured.
All services are on remote servers.
My question is: what I put up in my local environment?
1 DB connection (distance connettion)
2 configuration of MDS to share components?
3 WebLogic server?
3. what else?
Any link o idea to share?
Thank you.
Fairlie
Hello
If you need to deploy and test in your front room to deploy remotely, then you will need to set up all the people in your premises + SOA Suite... If you need to do is put on your local, but can check remotely, you only JDev and connections...
See you soon,.
Vlad
-
Cannot connect remotely via VPN since installing the new modem/router
Can anyone help please. Since the acquisition of a new router / modem I can no longer connect via VPN to my work PC remotely. It comes in I receive the error message. Can someone tell me if I need to change the settings for the new modem / router to access?
Hello Joanna,
Here are the steps you need to do first:
- Off static IP for my server and let the router assign IP address and changed the IP address of the port forward.
- Check the IP address because obviously, that changed when you plugged into the router again.
- Updated to the latest firmware for the router and NIC.
For more detailed troubleshooting you can refer to this link: troubleshooting common VPN related errors.
Let us know how it goes.
-
Programmatic access to remote files via VPN on Playbook
Hello
It is technically possible to download remote files via VPN programmatically?
I can't find any documentation on this topic.
Thank you
Oh, not... I don't think it's possible.
Maybe you are looking for
-
I have a dv7t with a 1680 x 1050 infinity and continuous dust screen from getting caught between the screen and the display of the infinite. This is the second time his happnened. (the first time I had the screen replaced) and dirt has gotten there y
-
Crash of Webkit in Safari since 9.1 update
I get a lot of crash since the last round of updates (e.g. Safari 9.1) 'content Web Safari close unexpectedly' and 'a problem several times occurred with www.website.com Any ideas? Crash Log: Process: com.apple.WebKit.WebContent [1235] Path: /System/
-
VISTA (32-bit) Monte is no longer a FAT disk format
My bridge 151 X notebook with VISTA 32 bit Monte is no longer a FAT to the disc format. It allows you to mount any flash drive and my iPod. No change of material fact, only VISTA updates. Already tried reinstalling the drivers, same result. VISTA
-
I tried all the possible suggestions on the forum. I opened all the ports suggested by HP support on my Belkin of N600 router. DMZ has changed IP address on the printer. We even directly wired ethernet for printer, still cannot connect to Web Service
-
In BLackberry AES256 encryption,
How can I do in Blackberry AES256 encryption, I use this method but the result does not come to the standard... private static ubyte [] encrypt (byte [] keyData, byte [] data) throws IOException, CryptoException{Create the AES key to use for data enc