SSL VPN using base group instead of configured group
I have a 3000 configured for IPsec using ACS to authenticate users. I tried to add SSL VPN. I can authenticate and install the SSL client, but I can't access anything whatsoever. I am connected via the base group, according to the log on the 3000. How can I get SSL to work via the group which I configured and not the base group?
You should be able to achieve this with your RADIUS server. You must set the Class attribute (25) as an OU equal to the name of the particular group you want to connect to on the concentrator.
For example, suppose you want a user SVC_User to connect to a group called SSL_VPN. In the configuration of the RADIUS user, you would enter (under attribute 25):
OU=SSL_VPN;
(... Do not omit the semicolon.)
Tags: Cisco Security
Similar Questions
-
SSL VPN using ASA 5520 in cluster mode - several problems
I configured 2 ASA 5520s in load-balancing cluster mode. I connect using AnyConnect and I download the client the first time and everything works well except Outlook. I don't know why Outlook does not work.
The second problem is that after the AnyConnect client is installed on your machine, it remembers the ASA (say ASA2) it first connected to, and the GUI shows the IP address of ASA2 instead of the virtual IP address of the cluster. I want users to always connect using the virtual IP address.
The third problem I have is that there is a default SSL VPN group and I want all users to use this group. On the initial web page, there is a drop-down menu which shows this group, but I still want to disable this drop-down menu.
Any suggestions?
To disable the drop-down menu, you can turn it off with the commands
webvpn
no tunnel-group-list enable
This will take care of your last issue.
***************************
You can create an AnyConnect client profile with the name of the server you want to connect to and apply it on the ASA; that will solve your virtual IP problem.
**************************
Regarding Outlook, do you use specific ports that the ASA inspects? Take a look at the inspection list on the ASA and perhaps try disabling inspection to see if it works.
*****************************
-
Using a 2901 router for SSL VPN
Hello everyone!
I was wondering if someone could give me a hand with this. I'm trying to use a Cisco 2901 to allow remote workers to access resources on the local network using the AnyConnect Secure Mobility Client. I just read this doc:
http://www.Cisco.com/c/en/us/support/docs/routers/3800-series-integrated...
But it seems it does not support the 2901 platform. I quote:
WebVPN or SSL VPN technology is supported on these IOS router platforms:
870, 1811, 1841, 2801, 2811, 2821, 2851
3725, 3745, 3825, 3845, 7200 and 7301
Is that just because this document is old?
Before spending money on the wrong license, I decided to give it a go (following the article above). So, when I went to
"Configure > Security > VPN > SSL VPN > SSL VPN Manager", CCP says I need a license (securityk9). I then followed the "activate license" link and clicked on the "evaluation licenses" tab. But there are two that seem good:
- securityk9 (the one CCP says it needs)
- SSL_VPN (the one that seems reasonable, as AnyConnect uses SSL VPN, right?)
Which is the right license? Can anyone enlighten us, please?
Also, is there any resource that better explains all the options and how to configure AnyConnect on an ISR2 router using the CLI?
Thanks in advance
Alvaro
Hello Alvaro,
What IOS version are you using?
Beginning in Cisco IOS version 15.0(1)M, the SSL VPN gateway is a seat-counted licensing feature on Cisco 880, Cisco 890, Cisco 1900, Cisco 2900 and Cisco 3900 platforms. A seat count refers to the maximum number of sessions allowed at a time.
For more information, go through:
http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_sslvpn/CONFIGU...
Please rate useful posts.
-
I am working on an AnyConnect SSL VPN deployment and am looking to secure the connection with a certificate that is NOT provided by the internal CA of the ASA or by a 3rd party. What I would like to do is have our domain CA (MS) approve the certificate - this way, all laptop users that connect to the VPN will accept the certificate without being asked for confirmation.
Is there any type of document from Cisco that describes this case? I looked at the Cisco configuration documents that show:
- manually installing 3rd party vendor certs for SSL VPN (i.e. VeriSign)
- obtaining digital certificates from a MS CA for the ASA (it issues only IPsec certificates for users - the ASA throws an error on the EKU not specifying the server authentication role)
- renewing/installing the SSL certificate with ASDM (applies only to self-signed certificates)
- reviewed the AnyConnect Administrator's guide
I found two similar posts in the community, but there is no answer from anyone as to whether or not this is possible.
https://supportforums.Cisco.com/message/259286#259286
https://supportforums.Cisco.com/message/1324901#1324901
I would be grateful for any feedback. I may end up copying the ASA's self-signed certificate to all the VPN users' laptops :S
Greg
You treat the SSL VPN as a web server... Create a signing request as for a 3rd party, load it onto your MS CA and select the Web Server profile... You will need the CA cert as well as the identity cert. You load the CA cert first, then the identity cert.
You then attach the cert to an interface.
I did it on my internal interface so that the customization pages would stop sending me errors in my browser... I went with a public 3rd party cert for the external interface, given that I expect non-domain machines to connect and telling users how to install certificates is a pain.
-
AnyConnect SSL VPN using digital certificates
People,
I have an ASA 5540 (8.4) used to terminate SSL VPN connections.
The device is used as a local certification authority and issues certificates to remote users, and these are then used as part of the authentication process.
I now have a requirement to replace the self-signed certificate and buy a third-party certificate, for example VeriSign etc.
Can someone point me to a guide for doing this?
Can I still use the ASA to generate certificates for clients to use as part of the authentication process?
Thanks to anyone taking the time to answer or even read this,
greatly appreciated
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808b3cff.shtml
is the guide to installing a 3rd party cert.
The local CA process is independent of the certificate used to authenticate the ASA; in fact, if you look at the certs given to users, they are issued by the ASA's CA and not signed by the cert used for authentication.
Take care not to remove too many RSA keys ;-)
-
SSL VPN authentication using an AD group
Hi all
I tried to restrict which users can authenticate to the SSL VPN using an AD server. I have set up the AAA server with the IP address of the AD server and assigned it to the connection profile as well; however, I see that any user who is a member of a group in AD is able to authenticate.
I want only users who belong to the group "VPN users" to get authenticated, while at present everyone who has AD credentials, even those who are not part of the "VPN users" group, is getting authenticated.
Can someone advise how I can make the ASA authenticate users based on AD groups? I use ASDM to configure my RA VPN.
Thanks in advance!
Kind regards
Riou
Hey riri,
Try to use DAP to restrict access to users who belong to a specific AD group:
https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-poli...
Use the AAA attribute "ldap.memberOf" to allow access to the users belonging to a specific group and deny access to other users.
Regards
Eric
-
Cannot access internal network over AnyConnect SSL VPN, ASA 9.1(6)
Hello Cisco community support,
I have a lab which consists of two virtual environments connected to a 3750-G switch, which is connected to a 2901 router, which is connected to an ASA 5512-X, which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside, but once connected, I can't access internal network resources or the internet. My network information and ASA configuration are listed below. Thank you for any assistance you can offer.
ISP gateway network: 10.1.10.0/24
ASA-to-router network: 10.1.40.0/30
VPN DHCP pool: 10.1.30.0/24
Range network: 10.1.20.0/24
Development network: 10.1.10.0/24
: Saved
:
: Serial number: FCH18477CPT
: Material: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA 6,0000 Version 1
!
hostname ctcndasa01
activate bcn1WtX5vuf3YzS3 encrypted password
names of
cnd-vpn-dhcp-pool 10.1.30.1 mask - 255.255.255.0 IP local pool 10.1.30.200
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 10.1.40.1 255.255.255.252
!
interface GigabitEthernet0/1
nameif outside
security-level 0
address IP X.X.X.237 255.255.255.248
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
boot system Disk0: / asa916-1-smp - k8.bin
boot system Disk0: / asa912-smp - k8.bin
passive FTP mode
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_10.1.30.0_24 object
10.1.30.0 subnet 255.255.255.0
network obj_any object
network obj_10.1.40.0 object
10.1.40.0 subnet 255.255.255.0
network obj_10.1.30.0 object
10.1.30.0 subnet 255.255.255.0
outside_access_in list extended access permitted ip object NETWORK_OBJ_10.1.30.0_24 all
FREE access-list extended ip 10.1.40.0 NAT allow 255.255.255.0 10.1.30.0 255.255.255.0
access-list 101 extended allow any4 any4-answer icmp echo
access-list standard split allow 10.1.40.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 743.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source obj_10.1.40.0 destination obj_10.1.40.0 static static obj_10.1.30.0 obj_10.1.30.0 non-proxy-arp-search to itinerary
NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 non-proxy-arp-search to itinerary
Access-group outside_access_in in interface outside
!
Router eigrp 1
Network 10.1.10.0 255.255.255.0
Network 10.1.20.0 255.255.255.0
Network 10.1.30.0 255.255.255.0
Network 10.1.40.0 255.255.255.252
!
Route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
without activating the user identity
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http X.X.X.238 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = 10.1.30.254, CN = ctcndasa01
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate c902a155
quit smoking
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPN-addr-assign local reuse / 360 time
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Trust ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip SSL-point
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
AnyConnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
AnyConnect enable
tunnel-group-list activate
internal GroupPolicy_cnd-vpn group policy
GroupPolicy_cnd-vpn group policy attributes
WINS server no
value of server DNS 8.8.8.8
client ssl-VPN-tunnel-Protocol
by default no
xxxx GCOh1bma8K1tKZHa username encrypted password
type tunnel-group cnd - vpn remote access
tunnel-group global cnd-vpn-attributes
address-cnd-vpn-dhcp-pool
strategy-group-by default GroupPolicy_cnd-vpn
tunnel-group cnd - vpn webvpn-attributes
activation of the alias group cnd - vpn
!
ICMP-class class-map
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map icmp_policy
icmp category
inspect the icmp
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
service-policy icmp_policy outside interface
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
: end
Can you confirm that this is correct? Your diagram shows the public IP address on your ASA as /30, while you have assigned /29 on the 'outside' interface.
-
Unable to connect to the internal network over SSL VPN
Setting up an ASA 5512 for the first time, and I did a lot of research to solve my problem but no luck. I would really appreciate it if I could get help.
After successfully connecting to the ASA via SSL VPN, I am only able to ping the outside interface (10.2.11.4).
Please check my config; I would like to know what the problem is. Thank you
: Saved
:
ASA 9.1 Version 2
!
hostname asa-01
domain corporate.local
activate t8tpEme73dn9e0.9 encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
t8tpEme73dn9e0.9 encrypted passwd
names of
sslvpn-ip-pool 10.255.255.1 mask - 255.255.255.0 IP local pool 10.255.255.100
!
interface GigabitEthernet0/0
nameif outside
security-level 50
IP 10.2.11.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 10.2.255.18 255.255.255.248
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 0
IP 192.168.1.1 255.255.255.0
!
boot system Disk0: / asa912-smp - k8.bin
passive FTP mode
clock timezone STD - 7
clock to summer time recurring MDT
DNS domain-lookup outside
DNS lookup field inside
DNS server-group DefaultDNS
Server name 10.2.9.23
10.2.1.1 server name
Server name 10.2.9.24
domain corporate.local
network of Trusted subject
10.2.0.0 subnet 255.255.0.0
the object to the outside network
10.2.11.0 subnet 255.255.255.0
network ss object
10.2.11.0 subnet 255.255.255.0
network of the VPNlocalIP object
10.255.255.0 subnet 255.255.255.0
the object of the LAN network
10.2.9.0 subnet 255.255.255.0
network of the VPN-INSIDE object
subnet 10.2.255.16 255.255.255.248
tcp4433 tcp service object-group
port-object eq 4433
standard access list permits 10.2.255.16 SPLIT-TUNNEL 255.255.255.248
standard access list permits 10.2.11.0 SPLIT-TUNNEL 255.255.255.0
host of access TUNNEL of SPLIT standard allowed 10.2.9.0 list
global_access list extended access allowed object VPNlocalIP object LAN ip
global_access list extended access permitted ip LAN VPNlocalIP object
pager lines 24
Enable logging
asdm of logging of information
host of logging inside the 10.2.8.8
Debugging trace record
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 713.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
Static NAT to destination for LAN LAN static VPNlocalIP VPNlocalIP source (indoor, outdoor)
Access-Group global global_access
Route outside 0.0.0.0 0.0.0.0 10.2.11.1 1
Route inside 10.2.0.0 255.255.0.0 10.2.255.17 1
Route inside 10.255.255.0 255.255.255.0 10.2.255.17 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
CA-Kerberos kerberos protocol AAA-server
CA-Kerberos (inside) host 10.2.9.24 AAA-server
Corp.PRI Kerberos realm
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
http server enable 4431
http 192.168.1.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 outside
redirect http inside 80
redirect http outside 80
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ciscoasa
Keypairs 4151
Proxy-loc-transmitter
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint1
Terminal registration
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint2
Terminal registration
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint3
Terminal registration
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint4
Terminal registration
name of the object CN = vpn.corp.com
ASA_PKC_One key pair
Configure CRL
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Telnet timeout 15
SSH 10.2.0.0 255.255.0.0 inside
SSH timeout 15
SSH group dh-Group1-sha1 key exchange
Console timeout 0
outside access management
management of 192.168.1.2 - dhcpd addresses 192.168.1.10
enable dhcpd management
!
a basic threat threat detection
host of statistical threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 10.2.9.23 source outdoors
SSL cipher aes128-sha1-3des-sha1
management of SSL trust-point ASDM_TrustPoint4
SSL-trust outside ASDM_TrustPoint4 point
SSL-trust ASDM_TrustPoint4 inside point
WebVPN
allow outside
No anyconnect essentials
AnyConnect image disk0:/anyconnect-win-3.1.04063-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
list of chip-tunnel TerminalServer mstsc.exe Terminal windows platform
attributes of Group Policy DfltGrpPolicy
value of server DNS 10.2.9.23
L2TP ipsec VPN-tunnel-Protocol ikev1
field default value corp.com
WebVPN
value of customization DfltCustomization
internal group CA-SSLVPN-TEST strategy
attributes of CA-SSLVPN-TEST-group policy
WINS server no
value of server DNS 10.2.9.23
client ssl-VPN-tunnel-Protocol
field default value corp.com
internal group CA-CLIENTLESS-TEST strategy
attributes of group CA-CLIENTLESS-TEST policy
clientless ssl VPN tunnel-Protocol
WebVPN
value of URL-list of the contractors list
chip-tunnel enable TerminalServer
ssluser nS2GfPhvrmh.I/qL encrypted password username
username ssluser attributes
Group-VPN-CA-SSLVPN-TEST strategy
client ssl-VPN-tunnel-Protocol
group-lock AnySSLVPN-TEST value
type of remote access service
username admin privilege 15 encrypted password f4JufzEgsqDt05cH
cluser 3mAXWbcK2ZdaFXHb encrypted password username
cluser attributes username
Group-VPN-CA-CLIENTLESS-TEST strategy
clientless ssl VPN tunnel-Protocol
value of locking group OLY-Clientless
type of remote access service
attributes global-tunnel-group DefaultRAGroup
Group-CA LOCAL Kerberos authentication server
tunnel-group DefaultRAGroup webvpn-attributes
CA-ClientLess-portal customization
attributes global-tunnel-group DefaultWEBVPNGroup
sslvpn-pool ip address pool
Group-CA LOCAL Kerberos authentication server
tunnel-group DefaultWEBVPNGroup webvpn-attributes
CA-ClientLess-portal customization
remote access to tunnel-group AnySSLVPN-TEST type
tunnel-group AnySSLVPN-TEST general attributes
sslvpn-pool ip address pool
CA-group-Kerberos authentication server
CA-SSLVPN-TEST of the policy by default-group
tunnel-group AnySSLVPN-TEST webvpn-attributes
OLY-portal customization
Disable Group-alias AnySSLVPN-TEST
Disable AnySSLVPN-TEST-group-alias aliases
OLY-SSLVPN disable group-alias
enable SSLVPN group-alias
type tunnel-group OLY-Clientless Remote access
OLY-Clientless General attributes tunnel-group
CA-group-Kerberos authentication server
Group Policy - by default-CA-CLIENTLESS-TEST
OLY-Clientless webvpn-attributes tunnel-group
CA-ClientLess-portal customization
try to master timeout NBNS-server 10.2.9.23 2 2
Group-alias Clientless enable
Group-aka cl disable
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
class class by default
Statistical accounting of user
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected]
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group 3 monthly periodic inventory
Subscribe to alert-group configuration periodic monthly 3
daily periodic subscribe to alert-group telemetry
Cryptochecksum:ceea6b06a18781a23e6b5dde6b591704
: end
Hello
I'm glad to hear it works.
Please do not forget to mark a reply as the correct answer and to rate helpful answers.
-Jouni
-
RVL200 firmware 1.1.12.1 - Windows 7 still does not work for SSL VPN
Trying to connect to the RVL200 SSL VPN using Windows 7, IE 8.
After updating to firmware 1.1.12.1, I am able to install the webcachecleaner, but when I click on the padlock on the screen, I get
"Error: Virtual Passage not installed. Please install as Administrator".
I'm already the only administrator on the computer, and I installed the C++ 2005 Redistributable Package (x64) according to the accompanying note. The XTunnel IE add-on shows a date of 3 March 2010. The certificate is up to date (expires 2011).
Any ideas how to get around this problem?
Thank you. Christina
On Windows 7 or Vista, Internet Explorer does not always run with administrator privileges. You must select the "Run As Administrator" option when you start IE 8.
-
SSL VPN and RSA on demand tokens
Hello
I tried scouring the web and can't find anything on how to get this working. We have our SSL VPN using RSA at the moment but would also like to be able to use the on-demand version as well.
I was not able to find any documentation on how to enable this.
Any help in pointing me in the right direction would be much appreciated.
Kris,
Any username/password authentication is (nearly) transparent to the ASA.
The ASA, or any authenticating device, sends a request containing the credentials to the back-end server, which responds with an accept, a reject or, in some cases, a challenge.
A notable exception on the RSA side is Adaptive Authentication (sometimes called tokenless), which requires further customization on the ASA.
The people on the RSA side are a smart bunch; they can usually answer how their solution integrates with different vendors/solutions. If I am reading this correctly (from what I could find with a quick query), there are no additional considerations on the ASA side other than setting up the right server and pointing to it as the authentication method (and any NAT/ACL needed to allow users access to the server where they can request the token to be sent - usually in a DMZ).
I am based on:
http://www.RSA.com/products/SecurID/datasheets/9240_SIDODA_DS_0310.PDF
and
http://www.RSA.com/experience/SID/OnDemand.swf
M.
-
Separating contractor and employee access to an internal web site using clientless SSL VPN
We have a clientless web SSL VPN setup which allows employees and contractors to connect and view an internal web page. I wonder if it is possible to separate employee and contractor access to internal pages. The internal web page has no user authentication. They would like to see if it is possible for employee traffic to be proxied behind the ASA INSIDE interface IP and contractor traffic to be proxied behind a different IP address. Thus, the internal web page can check for the contractor IP and only give them access to view certain web pages, but not all pages.
Hello
Creating a group policy for each user group will be a good option; you can also use DAP to assign a web ACL to the user who logs on to the clientless portal. You can use RADIUS, LDAP or Cisco attributes to associate the DAP with the user. For example, if you are using LDAP, you can create 2 separate groups for employees and contractors and, based on the LDAP user group membership, they will be assigned a specific web ACL configured according to their access restrictions.
You can follow this link to set up a web ACL:
http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...
Once the ACL is ready, you can follow this guide to configure DAP; check figure 10 for the web ACLs:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you, please rate!
-
Greetings. I currently have an ASA5520 in place running 8.0(2) IOS. We have configured a clientless SSL VPN portal that we currently use as a 'test'. We are trying to resolve an issue with the use of groups on the SSL VPN login page. Currently, the ASA is set to authenticate usernames/passwords against a Microsoft Windows 2003 server using IAS (RADIUS). It works very well.
What we want to do is "lock" the user account to a group alias on the ASA SSL VPN login page. For example, our SSL VPN login page displays two options for 'Group': 'sales' and 'tech'. In its current form, a sales user can select either of the displayed groups and still be authenticated. Is there any way to deny the login if a user does not select the appropriate group in the drop-down menu? It would certainly help to ensure that users choose the right group in the drop-down menu.
Any information would be greatly appreciated.
Joe
In order to put the user in the appropriate group, set RADIUS attribute 25 to OU=ASAGroupPolicyName. Then try the group-lock command to lock the users.
http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/gh_72.html
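A check for the Class (25) convention that this answer and the first answer on this page describe, as an added example that is not part of the original posts: it parses a RADIUS Access-Accept and reports the group named by `OU=<group>;`, or why none is named. The sample packets are constructed, the function names are hypothetical, and rejecting any other spelling of the value is an assumption of this example.

```python
import re
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
ATTR_CLASS = 25     # RADIUS Class attribute (RFC 2865)
ATTR_REPLY_MSG = 18  # RADIUS Reply-Message attribute (RFC 2865)

# Strict form taken from the answers on this page: OU=<group name>;
# Treating every other spelling as a miss is an assumption of this example.
CLASS_GROUP = re.compile(r"OU=([^;=]+);")


def build_packet(code, ident, attrs):
    """Build a RADIUS packet for the constructed samples (authenticator zeroed)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def audit_access_accept(packet):
    """Report which group the Class attribute names, or why it names none."""
    code, attrs = parse_attributes(packet)
    result = {"group": None, "problems": []}
    if code != ACCESS_ACCEPT:
        result["problems"].append(f"packet code {code} is not Access-Accept")
        return result
    classes = [v.decode("ascii", "replace") for t, v in attrs if t == ATTR_CLASS]
    if not classes:
        result["problems"].append("no Class (25) attribute returned")
    for text in classes:
        match = CLASS_GROUP.fullmatch(text)
        if match:
            if result["group"] is None:
                result["group"] = match.group(1)  # first well-formed value wins
        elif text.upper().startswith("OU=") and not text.endswith(";"):
            result["problems"].append(f"Class {text!r} is missing the trailing semicolon")
        else:
            result["problems"].append(f"Class {text!r} is not of the form OU=<group>;")
    return result


# Constructed sample packets (not captured traffic).
GOOD = build_packet(ACCESS_ACCEPT, 1, [(ATTR_CLASS, b"OU=SSL_VPN;")])
NO_SEMICOLON = build_packet(ACCESS_ACCEPT, 2, [(ATTR_CLASS, b"OU=SSL_VPN")])
NO_CLASS = build_packet(ACCESS_ACCEPT, 3, [(ATTR_REPLY_MSG, b"Welcome")])

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("no semicolon", NO_SEMICOLON), ("no class", NO_CLASS)]:
        print(name, audit_access_accept(pkt))
```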
-
SSL VPN authentication using different Identity Source Sequences
Morning,
At the moment we have an SSL VPN configuration passing authentication to GBA. This is accomplished using strong authentication. In GBA the Identity Source Sequence is WBS then AD.
We want to implement on the same firewall a few select users authenticated by AD only; they will have a different tunnel group name for connecting, etc.
In GBA I'm not sure how I would set up two Identity Source Sequences while using the same Service Selection rule. At the moment I have: if RAY and IP is XXX then use policy XXX.
We are currently installing ISE, so in the not too distant future, if ACS cannot do this, can ISE?
If it's confusing I can expand where necessary.
Thank you
Hello
I don't know how it looks in GBA, but in ISE it's flexible.
The rule is simple:
If the RADIUS request comes from device type ASA, then check the tunnel-group-name attribute (146) and, based on its string value, choose the LOCAL or AD store.
Hope this helps
Regards
-
ASA 5520: SSL VPN using a different IP address than the ASA public IP address
Hi guys,
I'm trying to configure an SSL VPN on a Cisco ASA5520.
Unfortunately port 443 on the OUTSIDE interface of the ASA is already used by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place allows me to use the public IP address of the ASA as the IP for the Cisco VPN web page.
I don't want to use a different port, so as to keep life easy for users.
I have a few available public IPs that I can use, so I wanted to use one of them instead of the OUTSIDE interface of the ASA. Any idea how I could do that?
Thank you
Dario
Unfortunately you cannot use any other public IP address than the ASA outside interface IP to terminate the SSL VPN.
The only options that you have are to change Outlook to use another port or the SSL VPN to use a different port.
-
How to limit maximum SSL VPN sessions by group policy on ASA5510?
How to limit maximum SSL VPN sessions by group policy on ASA5510?
Any ideas?
There are 2 group policies: the first with a maximum of 10 connections, the second with 15 (25 SSL VPN connection licenses in total).
Hi Anton,
It is an interesting question.
Please check the following options, depending on your scenario:
vpn-simultaneous-logins
To configure the number of simultaneous logins allowed for a user, use the vpn-simultaneous-logins command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.
vpn-simultaneous-logins {integer}
no vpn-simultaneous-logins
http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/uz.html#wp1664777
There is a global command that, although it may not be useful, I wanted to share with you:
vpn-sessiondb max-session-limit
--> To specify the maximum VPN session limit.
Best option:
What you can do is create one IP pool with 10 IP addresses and another with 15; this way you allow only 10 and 15 connections respectively.
ip local pool only_10 192.168.1.1-192.168.1.10
ip local pool only_15 192.168.2.1-192.168.2.15
Then,
group-policy only_10 attributes
address-pools value only_10
!
group-policy only_15 attributes
address-pools value only_15