SSL VPN from Cisco ASA and ACS 5.1 change password
Dear Sir.
I am tring configure ASA to change the local password on ACS 5.1. When the user access with ssl vpn if the ACS 5.1 password expiration date. ASA will display the dialog box or window popup to change the password. But it does not work. I'm tring to Setup with the functionality of password management on the SAA. When I enable password management it will not work and is unable to change the password. Could you tell me about this problem?
Thank you
Aphichat
Dear Sir,
I'm tring to setup ASA to change local password on ACS 5.1. When user access with ssl vpn if password on ACS 5.1 expire. ASA will show dialog box or pop-up to change password. But It don't work. I'm tring to setup with password management feature on ASA . When I enable password management it don't work and can't to change password. Could you advise me about this problem?
Thank you
Aphichat
Hi Aphichat,
Go to the password link below change promt via AEC in ASA: -.
https://supportforums.Cisco.com/docs/doc-1328;JSESSIONID=A51E68318579261787BD60DDA0707819. Node0
Hope to help!
Ganesh.H
Don't forget to note the useful message
Tags: Cisco Security
Similar Questions
-
IPSec vpn cisco asa and acs 5.1
We have configured authentication ipsec vpn cisco asa acs 5.1:
Here is the config in cisco vpn 5580:
standard access list acltest allow 10.10.30.0 255.255.255.0
RADIUS protocol AAA-server Gserver
AAA-server host 10.1.8.10 Gserver (inside)
Cisco key
AAA-server host 10.1.8.11 Gserver (inside)
Cisco key
internal group gpTest strategy
gpTest group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list acltest
type tunnel-group test remote access
tunnel-group test general attributes
address localpool pool
Group Policy - by default-gpTest
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
accounting-server-group Gserver
IPSec-attributes of tunnel-group test
pre-shared-key cisco123
GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.
When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get
error:
22040 wrong password or invalid shared secret
(pls see picture to attach it)
the system still works, but I don't know why, we get the error log.
Thanks for any help you can provide!
Duyen
Hello Duyen,
I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.
Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.
Please remove the authorization under the Tunnel of Group:
No authorization-server-group Gserver
Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.
Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.
I hope this helps.
Kind regards.
-
Hello
I'm trying to get my ipad to VPN to our Cisco ASA5520.
I think I have all the correct settings on both ends (I am able to vpn to the asa using a cisco 871 as the remote client).
I think that for some reason the client vpn on ipad is not even make the asa. My question is: How can I monitor the ASA logs to see if the same connection attempt and eventually find the failure?
Thank you
M
try: -.
Debug crypto ISAKMP
Debug crypto ipsec
Vpn-sessiondb SH remote control (to see if the client is connected)
I have configured ipad for remote vpn client, the user could connect to the 5520 but why that I had to use the ip addresses to access, but I couldn't use internal dns names. try to understand that at this moment.
It may be useful
Manish
-
IPSec VPN between Cisco ASA and Fortigate1000
Hello
I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...
the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...
The question is: How do I configure the interface on the SAA ACCORD?
Thanks in advance, Experts...
Kind regards...
ASA firewall does not support the interface/GRE GRE tunnel.
If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.
If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml
Hope that helps.
-
The traffic load between the power of Cisco ASA and FireSight Management Center fire
Hi all
I have a stupid question to ask.
Can I know what is the traffic load and the e/s flow between firepower Cisco ASA and FireSight Management Center?
Currently working on a project, client require such information to adapt to their network. Tried to find in the document from Cisco, but no luck.
Maybe you all have no idea to provide.
It varies depending on the number of events reported from the module to the CSP. No event = only health controls and policy changes are exchanged. 10,000 events per second = much more traffic.
Generally it is not a heavy load, however.
-
Configure to integrate Cisco ASA and JOINT
Hello
We have Cisco ASA and JOINT, need assistance on the integration of the same thing; Please email me so that I'll share the details of the architecture.
Thank you best regards &,.
REDA
Hi reda,.
If I correctly your diagram, you do not want to send any traffic from the external switch to the JOINT with a SPAN port and all traffic from your DMZ interfaces with another.
Is this correct?
If so, can you tell me why you want to inspect the traffic before it goes through the firewall? As I said in my original answer, we generally advise putting IP addresses after the firewall.
Not to mention that in your case, I guess that some traffic will be inspected twice so you will need to assign a different virtual sensors to each JOINT internal interfaces to ensure that the same instance does not see the traffic of several times.
Kind regards
Nicolas
-
SSL VPN on Cisco ISR G2 license 2921?
Hi, quick question. We have a CISCO 2921/K9, who has all of the features securityk9 (reflects Permanent under show version)
I thought including SSL VPN, but make a "show license all" it does not reflect that:
J:: feature 4: SSL_VPN Version: 1.0
License type: EvalRightToUse
The license status: Active, in use
The total period of assessment: 8 weeks 4 days
Assessment period left: 8 weeks 2 days
Used period: 1 day 5 hours
Transition date: 11 January 2013 23:05:41
Number of licenses: 100/0 (in-use/Violation)
License priority: bass
Can someone please provide some clarification?
Thank you!
-rya
securityK9 does not include the SSL VPN license. This just activate the security features on the ISRG2, and you would need this license to run VPN SSL, and the SSL VPN itself license.
Here is the URL for your reference:
http://www.Cisco.com/en/us/docs/routers/access/sw_activation/SA_on_ISR.html#wp1151975
To run SSL VPN, you must securityK9 and SSL VPN license.
-
What VPN work as a PPTP vpn firewall CISCO-ASA-5520.
Hi all
Can you please tell me which replace the VPN I can configure PPTP on ASA 5520 firewall. What VPN work as a PPTP vpn firewall CISCO-ASA-5520.
You can use the wizard VPN of RA with ASDM and confiugre L2TP IPSEC VPN that does not need a VPN Client must be installed.
Michael
Please note all useful posts
-
Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a VPN site-to site between our data center and office. The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170. I managed to configure the two so that the vpn connects. Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop. Can anyone help?
The config below has had IPs/passwords has changed.
External Datacenter: 1.1.1.4
External office: 1.1.1.1
Internal data center: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2 (1)
!
hostname datacenterfirewall
mydomain.tld domain name
activate thepassword encrypted
passwdencrypted
names of
name 10.10.0.0 OfficeNetwork
10.5.0.0 DatacenterNetwork name
!
interface Vlan1
nameif inside
security-level 100
10.5.0.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
1.1.1.4 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
buydomains.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
inside_access_in list extended access permit icmp any one
inside_access_in list extended access permitted tcp a whole
inside_access_in list extended access udp allowed a whole
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq isakmp
IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP verify reverse path to the outside interface
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 623.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 10.5.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
Crypto dynamic-map ciscopix 1 transform-set walthamoffice
Crypto dynamic-map ciscopix 1 the value reverse-road
map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
dynmaptosw interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 13
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.5.0.0 255.255.255.0 inside
Telnet timeout 5
SSH 10.5.0.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd address 10.5.0.2 - 10.5.0.254 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 66.250.45.2 source outdoors
NTP server 72.18.205.157 source outdoors
NTP server 208.53.158.34 source outdoors
WebVPN
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
username admin passwordencrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
!
context of prompt hostname
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: endMattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.
Add the statement of rule sheep in asa and try again.
NAT (inside) 0-list of access pixtosw
Concerning
-
Cisco ASA and dynamic VPN L2L Fortigate configuration
I met a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50 (3.0 MR7). The ASA is the hub and Fortigates are rays with a dynamic public IP.
I followed this document on the site Web of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and the parameters passed to my counterparts to set up their Fortigates.
However, the ASA journal reveals that attemtps Fortigate connection always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally died. Experience with putting in place a dynamic VPN between Cisco and Fortigate someone? Which could not fail at each end? Here's a typical piece of error log ASA. The ASA is currently having a static VPN tunnel and a site-2-client VPN in two groups by default.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:41 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had decrypt packets, probably due to problems not match pre-shared key. Abandonment
5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had decrypt packets, probably due to problems not match pre-shared key. User switching to the tunnel-group: DefaultL2LGroup
5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, error: cannot delete PeerTblEntry
3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer to peer table has no, no match!
6. January 10, 2011 20:58:33 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:25 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:21 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, encrypted packet received with any HIS correspondent, dropYes, sounds about right. He will try to match with the DefaultRAGroup first, and when you know that it's a dynamic IPSec in LAN-to-LAN, it will be
then back to the DefaultL2LGroup, because he doesn't know if the VPN Client or L2L again when he is contacted fist as they are connecting from dynamic IP peer.
You must ensure that your L2L tunnel-group by default has been configured with the corresponding pre-shared key.
Assuming that you have configured the dynamic map and assign to the card encryption.
Here is an example of configuration where ASA has a static and peripheral ip address pair has dynamic IP:
Hope that helps.
-
AnyConnect VPN for Cisco ASA 5505 refused connections
I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access. Here is the relevant information of my config:
interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any anyaccess-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outsidewebvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enablegroup-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpnpolicy-map global_policy
class inspection_default
inspect pptp
inspect http
inspect icmp
inspect ftp
!When I try to connect, I get this error in the real-time log viewer:
TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
Here are the details of the license:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : DisabledThis platform has a Base license.
Can someone tell me what I am doing wrong or what access list I'm missing?
I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.
Hi Matt,
You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:
WebVPN
tunnel-group-list activate
Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.
HTH
Herbert
-
Order SSL VPN with Cisco Cloud Web Security
We have implemented Cisco Cloud Web Security with the connector of the ASA and transfer all traffic port 80 and 443 to the Tower of the CCW. We have enabled HTTPS inspection, and I was wondering if there was anything, we can add in the configuration that would allow us to control (allow/block) SSL VPN?
#Clientless SSL VPN is not supported with Cloud Security Web; don't forget to exempt all SSL VPN traffic without client service ASA for Cloud Web Security Strategy.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/gu...
-
IKE Dead Peer Detection between Cisco ASA and Cisco PIX
I have a network environment in Star with about 30 offices of satellite remote using VPN Site to Site connectivity. The majority of remote satellite offices have the features of Cisco PIX 501 running PIX Version 6.3. The hub office runs a version 8.2 (1) Cisco ASA.
I configured Dead Peer Detection on the Cisco ASA device at the office hub with the default settings of the following-
Confidence interval - 10 seconds
Retry interval - 2 seconds
I think I'm right assuming that raises are limited to 3 before the tunnel is completely demolished. Basically, the problem that I am facing is with several remote satellite offices. What seems to be the case, the tunnel between the remote offices and the hub is demolished (probably because of the length of IKE, always 86400 seconds) and the tunnel then fails to renegotiate unless traffic is physically forced from the hub office. The tunnel NOT to renegotiate after satellite office, ONLY the end of the hub; so that means sending traffic to the satellite when the VPN tunnel is out of service, not to renegotiate the tunnel. The Hub office is a colo and therefore traffic rarely comes to that end, the tunnel remains so down until manual intervention occurs and the ICMP traffic is forced into the tunnel.
Should the KeepAlive and retry interval settings corresponds to both ends, for example if the two devices be configured for DPD?
What are the potential pitfalls to the extension of the life of IKE, and this will help or even hinder the problem?
Thank you in advance for helping out with this.
Hi Nicolas,.
I think that the two DPD settings must match on both ends, if these do not match then problems like yours might arise which seems to happen here, is that one end shows a tunnel down, but the other end may not detect it down, we could have to watch debugs, or record two ends to see if this is the case , setting in the meantime ike DPD for same timers could hetlp on.
In regard to the increase in the life expectancy of IKE, well you just need to be aware that this could allow keys to be discovered since these are not renegotiated unless the tunnel is down on the level of IKE. Other than that I don't see why this would affect you.
-
NAT before going on a VPN Tunnel Cisco ASA or SA520
I have a friend who asked me to try to help. We are established VPN site to site with a customer. Our camp is a Cisco sa520 and side there is a control point. The tunnel is up, we checked the phase 1 and 2 are good. The question is through the tunnel to traffic, our LAN ip address are private addresses 10.10.1.0/24 but the client says must have a public IP address for our local network in order to access that server on local network there. So, in all forums, I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses and the comcast router, on the side of the firewall SA520 WAN. So we were wondering was there a way we can use the WAN on the SA520 interface or use another available 6 who were assigned to the NAT traffic and passes through the tunnel. That sounds confusing to you? Sorry, but it's rarely have I a customer say that I must have a public IP address on my side of the LAN. Now, I say this is a SA520 firewall, but if it is not possible to do with who he is a way were able with an ASA5505?
Help or direction would be very useful.
Hello
I guess I could quickly write a basic configuration. Can't be sure I remember all correctly. But should be the biggest part of it.
Some of the course settings may be different depending on the type of VPN L2L connection settings, you have chosen.
Naturally, there are also a lot of the basic configuration which is not mentioned below.
For example
- Configurations management and AAA
- DHCP for LAN
- Logging
- Interface "nonstop."
- etc.
Information for parameters below
- x.x.x.x = ASA 'outside' of the public IP interface
- y.y.y.y = ASA "outside" network mask
- z.z.z.z = ASA "outside" IP address of the default gateway
- a.a.a.a = the address of the remote site VPN L2L network
- b.b.b.b = mask of network to the remote site VPN L2L
- c.c.c.c = IP address of the public peer device VPN VPN L2L remote site
- PSK = The Pre Shared Key to connect VPN L2L
Interfaces - Default - Access-list Route
interface Vlan2
WAN description
nameif outside
security-level 0
Add IP x.x.x.x y.y.y.y
Route outside 0.0.0.0 0.0.0.0 z.z.z.z
interface Ethernet0
Description WAN access
switchport access vlan 2
- All interfaces are on default Vlan1 so their ' switchport access vlan x "will not need to be configured
interface Vlan1
LAN description
nameif inside
security-level 100
10.10.1.0 add IP 255.255.255.0
Note to access the INSIDE-IN list allow all local network traffic
access to the INTERIOR-IN ip 10.10.1.0 list allow 255.255.255.0 any
group-access INTERIOR-IN in the interface inside
Configuring NAT and VPN L2L - ASA 8.2 software and versions prior
Global 1 interface (outside)
NAT (inside) 1 10.10.1.0 255.255.255.0
Crypto ipsec transform-set AES-256 aes-256-esp esp-sha-hmac
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host
card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address
card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c
card crypto WAN-CRYPTOMAP 10 the value transform-set AES-256
card crypto WAN-CRYPTOMAP 10 set security-association second life 3600
CRYPTOMAP WAN interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
pre-shared key, PSK
NAT and VPN L2L - ASA 8.3 software configuration and after
NAT source auto after (indoor, outdoor) dynamic one interface
Crypto ipsec transform-set ikev1 AES-256 aes-256-esp esp-sha-hmac
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host
card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address
card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c
card crypto WAN-CRYPTOMAP 10 set transform-set AES-256 ikev1
card crypto WAN-CRYPTOMAP 10 set security-association second life 3600
CRYPTOMAP WAN interface card crypto outside
crypto isakmp identity address
Crypto ikev1 allow outside
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
IKEv1 pre-shared key, PSK
I hope that the above information was useful please note if you found it useful
If it boils down to the configuration of the connection with the ASA5505 and does not cut the above configuration, feel free to ask for more
-Jouni
-
Cisco VPN 3060 - Cisco ASA conversion
We are about to embark on the passage of all extensions L2L and network (Cisco ASA 5505 s) of the Cisco VPN 3060 concentrator to a Cisco ASA 5520.
We bsemblable woul to see if there is a simple method to do this as a converter? Also, there are lessons learned? We run 8.4.3 so that we know that the NAT configuration has differed. The 3060 configuration can be changed in anyway for help in configuring the ASA?
Thank you
Dwane
Thank you for your understanding Dwane.
Please mark this message as answered.
Good day.
Maybe you are looking for
-
How to restore a security entrancecode that was not installed by updating to ios10?
Work with the 5s iphone I recently could update to ios10. I did it during the evening. In the morning, I was told the update required an entrycode that was not installed. I use an entrycode before this and the same works after that. No longer is my a
-
I was forced to reinstall windows... After this, Thunderbird was gone and I was forced to reinstall as well. Now, I've lost my email, the message accounts and contacts. How can I get that?
-
Satellite A60 - USB 2.0 TVBox does not work
I connect a model USB TVbox PV-TV414U made by Prolink Pixelview for my Satellite A60, I install all the drivers and all the updates for this computer and when I run the program to watch TV from the computer with a BugCode_Usb_Error message blue scree
-
How to select a specific portion of the worksheet?
Hello I have 8 sensor of color and form that I'm getting the information as shown below. /S0 = 0 s1 = s2 2 = 4 /////////////////////Sensor 6////////////////////// ////////////// Sensor_6_rot? 74.08/ Sensor_6_blau? 18.13/ Sensor_6_gruen? 0.00/S0 = 1 s
-
Computer does not display the Sansa Clip
For about a week, my computer no longer displays my Sansa Clip when I plug upward with the USB cable. I can still hear the computer, the connection of detection, but it does not show in Windows Explorer, as before. I checked the setting on the clip a