Question on console TACACS+
Hello
I just put TACACS+ on some IOS devices; I'm only using a default group that is configured to provide level 15 privileges. As I use the same default group on the vty and console I would expect access by the 2 methods to be the same, but when I telnet in I get privilege 15 directly at the # prompt, whereas when I console in I always get prompted for the enable secret.
Any ideas?
Regards
Chris Ayres
Chris
You have found a behavior that Cisco has had for a long time (and probably for good reason). TACACS+ authentication/authorization placing someone directly into privileged mode by default works on the vty and does not work on the console.
The reasoning is that if you make a mistake in the configuration of the authentication/authorization (very easy to do - especially if your understanding of what you are doing is a little weak), it would be easy to lock yourself out of the device. By default it works on the vty and does not work on the console (providing a way to recover from problems). There is a hidden command that allows you to also have it working on the console (be very careful that your config works correctly before you activate it on the console).
If you want it, try this:
aaa authorization console
HTH
Rick
Tags: Cisco Security
Similar Questions
-
Question on console EAS 9.3.3
I have a question about the EAS 9.3.3 console Sessions page. Sometimes we'll have sessions present with a blank application and DB, and a connection time that is at 00:00:00. Are these users who might have been disconnected due to inactivity, or something? Are they harmful in any way, and is there something we can schedule to clean these up if so? Thank you!
Yes, these are users who are not currently doing any activity in Essbase. After a few minutes, they will be unlisted. No need to worry at all.
-
Question on the VMware 'console' in Firefox
Hello
I have a little problem running VMware Server 2.0.2.
When using Mozilla Firefox 3.6.2 I get the following error message every time I try to connect to the console of the guest operating system:
" ...
Unable to access the virtual machine console. The request has timed out.
The attempt to acquire a valid session ticket for 'Virtual Machine' took longer than expected. If the problem persists, contact your system administrator.
... "
However, when I try the same with Internet Explorer 8, everything works fine.
Does someone have a clue on how to troubleshoot this or what might be happening?
Thank you
John Smith.
Hello
Yes. It seems that the VMware remote console plugin is not compatible with Firefox 3.6. So maybe the only solution is to downgrade Firefox to version 3.5.
Best wishes / Regards.
Pablo
Please consider rating useful answers. Thank you!!
-
Why is the ACS blocking my connection to the console?
I have AAA on my switches and routers, but when my server goes down I can't get access on the console port.
My config is attached, along with debug aaa authorization.
These are the debugs for each access: Telnet with a TACACS user, console with a TACACS user, and testing with the local user.
Telnet access
Oct 15 01:03:09: AAA: parse name=tty2 idb type=-1 tty=-1
Oct 15 01:03:09: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Oct 15 01:03:09: AAA/MEMORY: create_user (0x2778E84) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='10.10.10.23' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 15 01:03:10: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/37 (102), with tst1-s2 GigabitEthernet0/1 (1).
Oct 15 01:03:11: AAA/MEMORY: free_user (0x28E1BFC) user='ACS-USER' ruser='NULL' port='tty2' rem_addr='10.10.10.23' authen_type=ASCII service=ENABLE priv=15
Oct 15 01:03:13: AAA/MEMORY: free_user (0x2778E84) user='ACS-USER' ruser='NULL' port='tty2' rem_addr='10.10.10.23' authen_type=ASCII service=LOGIN priv=1
Console access (works with the ACS user)
Oct 15 01:08:57: AAA: parse name=tty0 idb type=-1 tty=-1
Oct 15 01:08:57: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Oct 15 01:08:57: AAA/MEMORY: create_user (0x28AA8E4) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 15 01:09:11: AAA/MEMORY: free_user (0x27C0DC4) user='ACS-USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
Oct 15 01:09:18: AAA/MEMORY: free_user (0x28AA8E4) user='ACS-USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
Console access (not working with the local user)
Oct 15 01:05:24: AAA: parse name=tty0 idb type=-1 tty=-1
Oct 15 01:05:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Oct 15 01:05:24: AAA/MEMORY: create_user (0x27C1310) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 15 01:05:36: AAA/MEMORY: free_user_quiet (0x27C1310) user='LOCAL_USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
Oct 15 01:05:36: AAA: parse name=tty0 idb type=-1 tty=-1
Oct 15 01:05:36: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Oct 15 01:05:36: AAA/MEMORY: create_user (0x28D201C) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 15 01:06:09: AAA/MEMORY: free_user_quiet (0x28D201C) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
Oct 15 01:06:09: AAA: parse name=tty0 idb type=-1 tty=-1
Oct 15 01:06:09: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Oct 15 01:06:09: AAA/MEMORY: create_user (0x2773004) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 15 01:06:41: AAA/MEMORY: free_user (0x2773004) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
Thanks for your help.
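When reading `debug aaa` output like the above, the useful unit is the session: a `create_user` and its matching `free_user`/`free_user_quiet` share the same pointer in parentheses, and the later line carries the resolved username, service (LOGIN or ENABLE) and privilege level. The following script, added here as an illustration and not part of the original post, correlates those lines by pointer and flags sessions that end in `free_user_quiet` with no later ENABLE entry, which is how the local-user attempts on the console differ from the ACS-user session in the debugs. The sample lines are constructed to match the cleaned-up format of the quoted debugs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (cleaned-up form of the debug output quoted above):
# one console LOGIN by the ACS user, the separate ENABLE session that reaches
# priv 15, and one console attempt by the local user torn down with free_user_quiet.
SAMPLE_DEBUG = """\
Oct 15 01:05:24: AAA/MEMORY: create_user (0x27C1310) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 15 01:05:36: AAA/MEMORY: free_user_quiet (0x27C1310) user='LOCAL_USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
Oct 15 01:08:57: AAA/MEMORY: create_user (0x28AA8E4) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 15 01:09:11: AAA/MEMORY: free_user (0x27C0DC4) user='ACS-USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
Oct 15 01:09:18: AAA/MEMORY: free_user (0x28AA8E4) user='ACS-USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d): AAA/MEMORY: "
    r"(?P<event>create_user|free_user_quiet|free_user) "
    r"\((?P<ptr>0x[0-9A-Fa-f]+)\) (?P<rest>.*)$"
)
# key=value pairs; values are single-quoted strings or bare tokens
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^\s,)]+))")


@dataclass
class Session:
    ptr: str                    # AAA user-struct address; links create_user to free_user
    port: str = "?"
    rem_addr: str = "?"
    user: str = "NULL"
    service: str = "?"
    priv: str = "?"
    created: Optional[str] = None
    freed: Optional[str] = None
    quiet: bool = False         # True when the session ended with free_user_quiet


def _fields(rest: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(rest)}


def parse_aaa_debug(text: str) -> List[Session]:
    """Group AAA/MEMORY lines into sessions keyed by the pointer in parentheses."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # other debug/syslog noise, e.g. CDP messages
        ptr, event = m.group("ptr"), m.group("event")
        f = _fields(m.group("rest"))
        s = sessions.setdefault(ptr, Session(ptr=ptr))
        if event == "create_user":
            s.created = m.group("ts")
        else:
            s.freed = m.group("ts")
            s.quiet = event == "free_user_quiet"
        # later lines carry the resolved username and service, so let them overwrite
        s.port = f.get("port", s.port)
        s.rem_addr = f.get("rem_addr", s.rem_addr)
        s.service = f.get("service", s.service)
        s.priv = f.get("priv", s.priv)
        if f.get("user", "NULL") != "NULL":
            s.user = f["user"]
    return list(sessions.values())


def failed_logins(sessions: List[Session]) -> List[Session]:
    """Sessions torn down quietly, i.e. without reaching a normal free_user."""
    return [s for s in sessions if s.quiet]


def summarize(sessions: List[Session]) -> List[str]:
    out = []
    for s in sessions:
        state = "TORN DOWN (free_user_quiet)" if s.quiet else "ok"
        start = s.created or "no create_user seen"
        out.append(f"{s.ptr} {s.port} {s.rem_addr} user={s.user} service={s.service} "
                   f"priv={s.priv} start={start} end={s.freed} {state}")
    return out


if __name__ == "__main__":
    for row in summarize(parse_aaa_debug(SAMPLE_DEBUG)):
        print(row)
```

Run against a full `debug aaa authentication` capture, the summary makes the pattern in the post visible at a glance: the ACS user's LOGIN session is followed by an ENABLE entry at priv 15, while the local user's console attempts never get past a quiet teardown.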
Change your commands
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+
TO
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
Kind regards
Prem
Please rate if it helps!
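The difference between the two method lists above is whether the router has any method it can satisfy on its own once the TACACS+ server stops answering, and, for the login list, whether that method consults the local username database at all (`enable` only prompts for the enable password). The checker below is an added illustration, not part of the reply, that parses IOS `aaa authentication`/`aaa authorization` method lists and reports lists with no offline fallback, login lists whose fallback is not `local`, and authorization lists that `aaa authorization console` (the hidden command from the first thread) would enforce on the console without a fallback. The three config fragments are constructed samples.

```python
import re
from typing import List, Tuple

# Constructed samples: the "before" and "after" from the reply above, plus a
# variant that turns on console authorization with a server-only exec list.
BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+
"""
AFTER = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""
CONSOLE_AUTHZ = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+
"""

# Methods the router can satisfy without an AAA server answering.
OFFLINE_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}

LIST_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authentication enable|"
    r"authorization exec|authorization commands \d+)\s+(?P<name>\S+)\s+(?P<methods>.+)$"
)

Finding = Tuple[str, str, str, str]   # (kind, list name, code, explanation)


def parse_methods(spec: str) -> List[str]:
    """'group tacacs+ local' -> ['group tacacs+', 'local'] (a server group stays one token)."""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append(f"group {toks[i + 1]}")
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def check_ios_aaa(config: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = [ln.strip() for ln in config.splitlines()]
    console_authz = "aaa authorization console" in lines
    for line in lines:
        m = LIST_RE.match(line)
        if not m:
            continue
        kind, name = m.group("kind"), m.group("name")
        methods = parse_methods(m.group("methods"))
        uses_server = any(x.startswith("group ") for x in methods)
        fallback = [x for x in methods if x in OFFLINE_METHODS]
        if uses_server and not fallback:
            findings.append((kind, name, "NO_FALLBACK",
                             f"only {methods}: no way in while the server is unreachable"))
            if kind.startswith("authorization") and console_authz:
                findings.append((kind, name, "CONSOLE_AUTHZ_NO_FALLBACK",
                                 "aaa authorization console enforces this list on the console too"))
        if kind == "authentication login" and fallback and not {"local", "local-case"} & set(fallback):
            findings.append((kind, name, "FALLBACK_NOT_LOCAL",
                             f"fallback is {fallback}, not local: local usernames are not "
                             "consulted when the server is down"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("console authz", CONSOLE_AUTHZ)):
        print(label, check_ios_aaa(cfg) or "clean")
```

On the "before" fragment the checker reports exactly the two problems the reply fixes: the login list falls back to `enable` rather than `local`, and the enable list has no fallback at all; the "after" fragment is clean.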
-
Cisco ASA TACACS+ enable mode does not work
Hello
I'm setting up an ASA 8.4 with TACACS+ using the CLI configuration below. I can only successfully connect to the USER mode of the ASA via TACACS+, but am unable to get into enable mode of the ASA via TACACS+. Also the ASA does not accept the local enable password any more.
Also, I can successfully run "test aaa-server authentication TACACS+ username abc password password1":
INFO: Authentication successful
Similarly, TACACS+ on the ACS works for user mode and enable mode on routers/switches.
ASA running CLI
~~~~~~~~~~~~~
username [ENTER USER NAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
Hey Rizwan,
What version of ACS are you running?
Make sure that you set the user name with a static privilege level of 15, otherwise it will not be able to pass enable authentication.
If ACS 5.x or higher, go to Policy Elements > Shell Profile and make sure that you have assigned a static maximum privilege of 15, and, more important, its access policy rule.
Looking for Networking Assistance?
Contact me directly at [email protected] / * / I will fix your problem as soon as POSSIBLE.
See you soon,
Julio Segura Carvajal
http://laguiadelnetworking.com -
LabManager 4.0.2.1269 Web Console error in IE 6 or 7
After installing a new LM 4.0.2.1269 server I am unable to see the console of a configuration or deployed model with IE 6 or 7 without IE crashing.
The error message I get is:
VMware Workstation Fatal error: (app)
SSLLoadSharedLibrary: Could not load library ssleay32.dll:126
I have tested on several systems and concluded that if the vSphere Client version 4.0 is NOT installed there are no errors, but as soon as you install vSphere Client 4.0 it causes the error. I also tried vSphere Client 4.1 and the error disappeared, but then I get a black console screen unless I'm in full screen mode.
If I use Firefox 3.5.10 (enterprise approved version) there are no errors and it works perfectly, so I have a workaround, but I'd like to see if anyone has a solution.
A few points:
My 4.0.1.1233 LM servers do not have this problem.
If I uninstall the vSphere Client the error disappears.
I have tested it on XP 32-bit SP3.
Try going through the following article. You may need to manually uninstall the current plugin first as well.
Uninstall manually:
4.0.2 console question:
-
Using EAP-FAST with ACS 5.2
Hello everyone,
I use Active Directory as the external identity store for ACS. In the ACS 5.2 web interface, navigating to Access Policies > Access Services and going to the Allowed Protocols tab, the only protocol that works is PAP/ASCII. In the ACS documentation it is described as the least secure authentication for ACS.
I would like to use EAP-FAST. What command should I enter on the AAA client to make it work? The router's IOS version is 12.4.
Here is its aaa configuration:
aaa new-model
!
!
aaa group server tacacs+ ACSTEST1
 server 1.1.1.1
 server 2.2.2.2
!
aaa authentication banner ^CCCCCC* TACACS+ server is not available, use local def^C
aaa authentication fail-message ^C
aaa authentication login default group tacacs+
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa session-id common
I have found no help in the Cisco IOS Security Command Reference or on the Internet.
Thank you for your help.
Best regards, Andy
Hello
TACACS+ authentication is only supported with PAP; it is not possible to use EAP-FAST.
Please keep in mind that the EAP methods work with RADIUS, not with TACACS+.
HTH,
Tiago--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
I have a PIX with the following configuration:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.1 77777 timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.1 77777 timeout 10
aaa-server LOCAL protocol local
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authorization command TACACS+
aaa accounting match aaa_acl inside RADIUS
Everything works fine when the RADIUS server is available. When it is not available, I can log in with the username "pix" and "password". The problem is, once I'm connected, I can't get authorization to execute commands. Does anyone know of a command similar to "if-authenticated" on routers that I can use?
There is no backup method for authorization on the PIX. As you know, if the RADIUS server is down, you can connect with "pix" and the enable password, but that doesn't help with authorization. The only thing you can do is wait for the TACACS+ server to come back up. I'm sorry.
-
Unable to switch to privilege level using the enable password set in ACS
Hi all
I am not able to get to the privilege level with the enable password set in ACS 1121 (5.4.0.46).
Please find the details of the ASA:
ASA5580-20
Software version 9.1
LAB-FW# sh run | i aaa
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.x.x
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa accounting telnet console TACACS+
aaa accounting ssh console TACACS+
aaa accounting enable console TACACS+
no vpn-addr-assign aaa
I created the shell profile and gave it privilege 15; please find snap 1 in the attached Word doc.
However, when I try to create the service profile I get an error message; please find snap 2 in the attached Word doc.
Kindly share your expertise.
Hello Dominic,
For authorization privileges to take effect, you must add the following command to your configuration on the ASA:
aaa authorization exec authentication-server
After adding it, the ASA will take into account the privilege level sent by the ACS.
Regarding the error you are getting on the ACS GUI, please make sure that you are using a browser supported for ACS version 5.4 according to the release notes:
http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...
Note: Please mark it as answered as appropriate.
-
Hi all
I am trying to integrate some ASAs (8.6) with ACS (5.7); here is the AAA configuration of the ASA.
sh run | in aaa
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.243.14.24
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting telnet console TACACS+
aaa authorization exec authentication-server
aaa authorization command TACACS+ LOCAL
The problem is that I can connect to the ASA, but I can't type any commands in the CLI; I get the error message "command authorization failed".
I have the same command sets and shell profiles created for switches and it works perfectly.
This is the behaviour in the ACS logs:
1. Once I have authenticated, I can see the logs in ACS with my username.
2. But when I type any command, my authorization is denied and I see in the ACS authorization logs that the username is "enable_15". Can someone help me identify what the problem is?
Thank you
Reverchon
This happens when we have command authorization enabled on the ASA and try to run any level 15 command on the ASA. To correct this problem you must enable authentication of the enable password against ACS/TACACS+.
aaa authentication enable console TACACS+ LOCAL
After adding the above command, the ASA will start to check the enable password against ACS/TACACS+, and you use the TACACS+ enable password that we can set per user.
~ Jousset
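The two ASA threads above each hinge on one missing `aaa` line: without `aaa authorization exec authentication-server` the privilege level the ACS sends is ignored, and without `aaa authentication enable console` against the server, the post-`enable` identity becomes the generic `enable_15`, which command authorization then fails for. The PIX threads add a third point, a server-only method with no LOCAL fallback. The checker below is an added example (not code from any of the posters) that reads an ASA `aaa` configuration and reports those three conditions; the config fragments are constructed, modelled on the ones quoted in the threads.

```python
import re
from typing import List, Optional, Tuple

# Constructed samples. POSTED mirrors the "sh run | in aaa" output in the post
# (no enable authentication against the server); FIXED adds the line from the reply.
POSTED = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.243.14.24
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authorization exec authentication-server
aaa authorization command TACACS+ LOCAL
"""
FIXED = POSTED + "aaa authentication enable console TACACS+ LOCAL\n"
# A PIX-style fragment with no LOCAL fallback anywhere, as in the PIX threads.
NO_FALLBACK = """\
aaa-server TACACS+ protocol tacacs+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authorization command TACACS+
"""

AUTH_RE = re.compile(r"^aaa authentication (?P<proto>http|ssh|telnet|serial|enable) console (?P<methods>.+)$")
CMD_AUTHZ_RE = re.compile(r"^aaa authorization command (?P<methods>.+)$")
EXEC_AUTHZ = "aaa authorization exec authentication-server"

Finding = Tuple[str, str]   # (code, explanation)


def check_asa_aaa(config: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    login_via_server = False       # some login path authenticates against a server group
    enable_via_aaa = False         # enable password is checked against a server group
    cmd_authz: Optional[List[str]] = None
    for ln in lines:
        m = AUTH_RE.match(ln)
        if m:
            methods = m.group("methods").split()
            if methods[0].upper() != "LOCAL":
                if m.group("proto") == "enable":
                    enable_via_aaa = True
                else:
                    login_via_server = True
                if "LOCAL" not in methods:
                    findings.append(("NO_LOCAL_FALLBACK",
                                     f"{m.group('proto')} console uses {methods} with no LOCAL "
                                     "fallback: lockout while the server is unreachable"))
            continue
        m = CMD_AUTHZ_RE.match(ln)
        if m:
            cmd_authz = m.group("methods").split()
            if "LOCAL" not in cmd_authz:
                findings.append(("NO_LOCAL_FALLBACK",
                                 f"command authorization {cmd_authz} has no LOCAL fallback: "
                                 "no command is authorized while the server is unreachable"))
    if login_via_server and EXEC_AUTHZ not in lines:
        findings.append(("NO_EXEC_AUTHZ",
                         "privilege level sent by the server is ignored without "
                         f"'{EXEC_AUTHZ}'"))
    if cmd_authz and not enable_via_aaa:
        findings.append(("NO_ENABLE_AUTH",
                         "enable is checked locally, so commands are authorized for the "
                         "generic user enable_15, which the server does not know"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED), ("no fallback", NO_FALLBACK)):
        print(label, check_asa_aaa(cfg) or "clean")
```

The `posted` fragment yields exactly the `NO_ENABLE_AUTH` finding that matches the `enable_15` entries in the ACS logs, and adding the reply's line clears it; the PIX-style fragment shows the no-fallback condition on every server-only line.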
-
Hi all
I had configured TACACS+ on the ASA, but the problem is that when I try to telnet in it authenticates me with my username & password on ACS, but I can't get privilege level 15 as configured on ACS. It asks me for the enable password and does not take the password from ACS. I used shell authorization for privilege 15. The configuration done on the ASA is:
name 172.30.xx.xx DCC-1
name 172.30.yy.yy DCC-2
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host DCC-1
 key cisco
aaa-server TACACS+ host DCC-2
 key cisco
aaa authentication telnet console TACACS+ LOCAL
aaa authentication telnet console TACACS+ TACACS+
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
enable password V3VzjwYzTRfTLwOb encrypted
enable password V3VzjwYzTRfTLwOb encrypted
username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15
I even added my user name & password to the local database on the ASA as on ACS. Still no progress...
Can anyone give a suggestion on this?
Kind regards
Piyush
Don't ask for shell privilege level 15 but for enable privileges. These must be set to 15: ACS ---> User Setup ---> Enable Options ---> Max Privilege for any AAA Client --> 15
-
SSH connection issues on a PIX
Hello
I have a PIX 506 running OS 6.2(2) which is located in a DMZ, known as the outside PIX. It's behind another PIX 506 (the inside PIX). Both PIXes have TACACS+ configured for login authentication.
Last week the outside PIX physically crashed and I replaced it with a spare PIX and completely reconfigured it.
Now I can't connect to this outside PIX using SSH, despite the access list on the inside PIX being correct and permitting SSH and TACACS+. However, I can telnet to it.
I use PuTTY to connect, and when I start the SSH session to the PIX, the login window appears and disappears immediately without giving me time to do anything.
Any help would be greatly appreciated. Thanks in advance.
A.G.
##################################################
Inside PIX config:
access-list inside permit tcp Company-Inside-Net 255.255.255.0 host outsidepix-inside-interface eq ssh
access-list inside permit tcp Company-Inside-Net 255.255.255.0 host outsidepix-inside-interface eq telnet
access-list inside permit icmp DMZNet 255.255.255.192 Company-Inside-Net 255.255.255.0 echo
access-list inside permit icmp Company-Inside-Net 255.255.255.0 DMZNet 255.255.255.192 echo-reply
access-list dmzacl permit icmp host outsidepix-inside-interface Company-Inside-Net 255.255.255.0 echo
access-list dmzacl permit icmp host outsidepix-inside-interface Company-Inside-Net 255.255.255.0 echo-reply
access-list dmzacl permit tcp host outsidepix-inside-interface host tacacs-server1 eq tacacs
access-list dmzacl permit tcp host outsidepix-inside-interface host tacacs-server2 eq tacacs
The outside PIX config:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host tacacs-server1 1234 timeout 10
aaa-server TACACS+ (inside) host tacacs-server2 1234 timeout 10
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
telnet Company-Inside-Net 255.255.255.0 inside
telnet timeout 5
ssh Company-Inside-Net 255.255.255.0 inside
ssh DMZNet 255.255.255.192 inside
ssh timeout 5
Did you follow the steps to configure SSH? Are the domain name and host name defined on it? Did you run ca generate rsa key to create the encryption keys?
-
Example configuration for TACACS+ on ASA 8.2.2
I'm looking for an example configuration for TACACS+ on ACS 5.2 with an ASA 8.2.2.
Any help would be appreciated.
I think the following should about do it - but it is MUCH easier to do this in the GUI
aaa-server TACACS protocol tacacs+
aaa-server TACACS (management) host x.x.x.x key *
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting serial console TACACS
aaa accounting enable console TACACS
aaa accounting command TACACS
Remember that you must create the network device in ACS with the same shared key.
Paul
-
I have a PIX 520 in the lab running 6.3.3 and PDM 3.0. I am testing AAA authentication and authorization against our ACS server and running into problems.
I have two groups set up on our ACS server. One group has unrestricted access; the other group is set up with a shell command authorization set that limits commands so that they can look at the running-config and a few other things. Users of both groups can connect to the PDM or SSH/telnet/serial into the unit and are authenticated and authorized correctly.
The configuration below works fine, until I pull the ACS server off the network. Because there is no backup authentication or command authorization method, I am dead in the water. When this happens, I can still connect via the serial console using the 'pix' username and the enable password; I just cannot run the 'enable' command to reach privileged mode, or any other command besides. (I get an error "Command authorization failed").
Here's a current configuration:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 1.2.3.4 123456 timeout 5
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
aaa authorization command TACACS+
Is it possible to set up a backup method for authentication and command authorization? If not, is there any other way around the problem I'm running into?
Let me know if you need more info. Thank you!
Hello
Sorry, I missed this earlier. There is a bug filed on the PIX for this, and we have an open enhancement request to add multiple authorization methods to the PIX - CSCea04538. At this point, your best bet is to bug your account team to get this feature added to upcoming PIX code. Sorry for the inconvenience.
Scott
-
Cannot access remote network over site-to-site VPN on ASA
Hello everyone
First of all I must say that I have configured site-to-site VPNs a million times before. Stuck with this one. First, I can't ping the outside interface of my remote ASA. Second, the VPN is up, but there is no connectivity between the local networks.
Local ASA:
hostname gyd-asa
domain-name bct.az
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif vpnswc
 security-level 0
 ip address 10.254.17.41 255.255.255.248
!
interface GigabitEthernet0/1
 description Vpn-turan-Baku
 nameif outside-Baku
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
 description Vpn-ganja
 nameif outside-Ganja
 security-level 0
 ip address 10.254.17.17 255.255.255.248
!
interface GigabitEthernet0/2.30
 description remote access
 vlan 30
 nameif remote access
 security-level 0
 ip address 85.*.*.* 255.255.255.0
!
interface GigabitEthernet0/3
 description BCT_Inside
 nameif inside-Bct
 security-level 100
 ip address 10.40.50.65 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0
 management-only
!
boot system Disk0: / asa823 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
name-server 192.168.1.3
domain bct.az
permit same-security-traffic intra-interface
object-group network obj - 192.168.121.0
object-group network obj - 10.40.60.0
object-group network obj - 10.40.50.0
object-group network obj - 192.168.0.0
object-group network obj - 172.26.0.0
object-group network obj - 10.254.17.0
object-group network obj - 192.168.122.0
object-group service obj-tcp-eq-22
object-group network obj - 10.254.17.18
object-group network obj - 10.254.17.10
object-group network obj - 10.254.17.26
access-list 110 scope ip allow a whole
NAT list extended access permit tcp any host 10.254.17.10 eq ssh
NAT list extended access permit tcp any host 10.254.17.26 eq ssh
access-list extended ip allowed any one sheep
icmp_inside list extended access permit icmp any one
icmp_inside of access allowed any ip an extended list
access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
RDP list extended access permit tcp any host 192.168.45.3 eq 3389
rdp extended permitted any one ip access list
sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
pager lines 24
Enable logging
emblem of logging
recording of debug console
recording of debug trap
asdm of logging of information
Interior-Bct 192.168.1.27 host connection
flow-export destination inside-Bct 192.168.1.27 9996
vpnswc MTU 1500
outside Baku MTU 1500
outside-Ganja MTU 1500
MTU 1500 remote access
Interior-Bct MTU 1500
management of MTU 1500
IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any outside Baku
ICMP allow access remotely
ICMP allow any interior-Bct
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) interface 2
3 overall (RAS) interface
azans access-list NAT 3 (outside-Ganja)
NAT (remote access) 0 access-list sheep-vpn-city
NAT 3 list nat-vpn-internet access (remote access)
NAT (inside-Bct) 0-list of access inside_nat0_outbound
NAT (inside-Bct) 2-nat-ganja access list
NAT (inside-Bct) 1 access list nat
Access-group rdp on interface outside-Ganja
!
Router eigrp 2008
No Auto-resume
neighbor 10.254.17.10 interface outside Baku
neighbor 10.40.50.66 Interior-Bct interface
Network 10.40.50.64 255.255.255.252
Network 10.250.25.0 255.255.255.0
Network 10.254.17.8 255.255.255.248
Network 10.254.17.16 255.255.255.248
redistribute static
!
Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside-Bct) host 192.168.1.8
 key *
aaa-server TACACS (inside-Bct) host 192.168.22.46
 key *
aaa-server TACACS1 protocol radius
aaa-server TACACS1 (inside-Bct) host 192.168.1.8
 key *
aaa-server TACACS1 (inside-Bct) host 192.168.22.46
 key *
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Interior-Bct
http 192.168.139.0 255.255.255.0 Interior-Bct
http 192.168.0.0 255.255.255.0 Interior-Bct
Survey community SNMP-server host inside-Bct 192.168.1.27
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec security-association lifetime seconds 2147483646
crypto ipsec security-association lifetime kilobytes 2147483646
crypto dynamic-map dyn1 1 set transform-set raccess vpnclienttrans
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set RIGHT
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.254.17.11
crypto map mymap 20 set transform-set myset2
crypto map mymap interface outside-Baku
crypto map ganja 10 match address 110
crypto map ganja 10 set peer 10.254.17.18
crypto map ganja 10 set transform-set RIGHT
crypto map ganja interface outside-Ganja
crypto map vpntest 20 match address 110
crypto map vpntest 20 set peer 10.250.25.1
crypto map vpntest 20 set transform-set newset
crypto map vpntest interface vpnswc
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote access
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = gyd - asa .az .bct
sslvpnkeypair key pair
Configure CRL
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp identity address
crypto isakmp enable vpnswc
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote access
crypto isakmp enable inside-Bct
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
No vpn-addr-assign aaa
Telnet timeout 5
SSH 192.168.0.0 255.255.255.0 Interior-Bct
SSH timeout 35
Console timeout 0
priority queue outside Baku
queue-limit 2046
TX-ring-limit 254
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Server NTP 192.168.1.3
SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
SSL-trust ASDM_TrustPoint0 remote access point
WebVPN
turn on remote access
SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
enable SVC
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal group ssl policy
attributes of group ssl policy
banner welcome to SW value
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
group-lock value SSL
WebVPN
value of the SPS URL-list
internal vpn group policy
attributes of vpn group policy
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec
disable the PFS
BCT.AZ value by default-field
ssl VPN-group-strategy
WebVPN
value of the SPS URL-list
IPSec-attributes tunnel-group DefaultL2LGroup
ISAKMP retry threshold 20 keepalive 5
attributes global-tunnel-group DefaultRAGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
IPSec-attributes tunnel-group DefaultWEBVPNGroup
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.10 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.10
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type SSL tunnel-group remote access
attributes global-group-tunnel SSL
ssl address pool
Authentication (remote access) LOCAL servers group
Group Policy - by default-ssl
certificate-use-set-name username
Group-tunnel SSL webvpn-attributes
enable SSL group-alias
Group-url https://85. *. *. * / activate
tunnel-group 10.254.17.18 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.18
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.11 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.11
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type tunnel-group DefaultSWITGroup remote access
attributes global-tunnel-group DefaultSWITGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultSWITGroup
pre-shared key *.
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect the netbios
Review the ip options
class flow_export_cl
flow-export-type of event all the destination 192.168.1.27
class class by default
flow-export-type of event all the destination 192.168.1.27
Policy-map Voicepolicy
class voice
priority
The class data
police release 80000000
!
global service-policy global_policy
service-policy interface outside Baku Voicepolicy
context of prompt hostnameCryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
: end
GYD-asa#
Remote ASA:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password XeY1QWHKPK75Y48j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.80.14 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.11 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa823-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list sheep extended permit ip 192.168.80.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list sheep
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.80.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 2147483646
crypto ipsec security-association lifetime kilobytes 2147483646
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset2
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 10.254.17.9 type ipsec-l2l
tunnel-group 10.254.17.9 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
: end
ciscoasa#
Still, I can't ping the remote ASA's outside interface from the local ASA's outside interface, and there is no connectivity between the remote 192.168.80.0 network and the local 192.168.1.0 network. I have run out of ideas.
Would appreciate any help. Thank you in advance...
If the tunnel is up (phase 1) but no traffic is passing, the best test is the following:
Add the command management-access inside, and then try to ping the inside IP of the peer ASA.
ping inside x.x.x.x --> x.x.x.x is the inside IP of the peer ASA
The test above shows whether traffic passes through the tunnel (check the encrypted/decrypted packet counters in sh cry ips sa).
Test in both directions.
Please post the results.
Federico.
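As an added example (not part of the thread or either poster's configuration), a small Python checker that parses the site-to-site crypto map lines from the two configs above and reports map entries shadowed by an earlier sequence number, plus transform-set mismatches between the two ends. It assumes 10.254.17.9 is the local ASA's outside-Baku address (it is the remote's set peer), and that the local transform-set definitions, which sit above the posted excerpt, mirror the remote ones.

```python
from collections import defaultdict
# Constructed excerpts of the two ASA configs posted above (mymap site-to-site lines only).
# The local transform-set definitions lie above the posted excerpt; ASSUMED to mirror the remote's.
LOCAL_CFG = """
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
access-list 110 extended permit ip any any
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set RIGHT
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.254.17.11
crypto map mymap 20 set transform-set myset2
"""
REMOTE_CFG = """
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
access-list 110 extended permit ip any any
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset2
"""
KEYS = {"match address": "acl", "set peer": "peer", "set transform-set": "ts"}

def parse(cfg):
    """Crypto map entries keyed by (map, seq): peer, crypto ACL lines, transform-set proposals."""
    tsets, acls, entries = {}, defaultdict(list), defaultdict(dict)
    for t in (line.split() for line in cfg.splitlines()):
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = frozenset(t[4:])
        elif t[:1] == ["access-list"] and "permit" in t:
            acls[t[1]].append(" ".join(t[t.index("permit") + 1:]))
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[3].isdigit() and " ".join(t[4:6]) in KEYS:
            entries[(t[2], int(t[3]))][KEYS[" ".join(t[4:6])]] = t[6]
    for e in entries.values():  # resolve transform-set and ACL names to their definitions
        e["ts"], e["acl_lines"] = tsets.get(e.get("ts"), frozenset()), acls.get(e.get("acl"), [])
    return dict(entries)

def check_tunnel(local_cfg, remote_cfg, local_ip, remote_ip):
    """Findings: entries shadowed by an earlier seq (the ASA takes the first match) and transform-set mismatches."""
    findings, sides = [], {"local": parse(local_cfg), "remote": parse(remote_cfg)}
    for side, maps in sides.items():
        for (name, seq), e in sorted(maps.items()):
            for (n, s), p in sorted(maps.items()):
                if n == name and s < seq and e["acl_lines"] and set(e["acl_lines"]) <= set(p["acl_lines"]):
                    findings.append(f"{side} {name} {seq} (peer {e.get('peer')}) shadowed by seq {s} (acl {p.get('acl')})")
                    break
    l = next((e for e in sides["local"].values() if e.get("peer") == remote_ip), None)
    r = next((e for e in sides["remote"].values() if e.get("peer") == local_ip), None)
    if l and r and l["ts"] != r["ts"]:
        findings.append(f"transform-set mismatch: {sorted(l['ts'])} vs {sorted(r['ts'])}")
    return findings
```

Run `check_tunnel(LOCAL_CFG, REMOTE_CFG, "10.254.17.9", "10.254.17.11")`; with the posted configs the only finding is that local mymap 20 (the 10.254.17.11 peer) is shadowed by mymap 10, because both use ACL 110 (permit ip any any).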