Truly dynamic VPN, is this possible?

Consider a situation where you have a 'central' ASA hosting several L2L IPsec tunnels.

In addition, users use AnyConnect to connect to the ASA and are granted the routing profile they choose.

Is there any way to use only one AnyConnect group that would dynamically create the needed VPN access list based on, for example, LDAP group info?

Small example:

L2L tunnel A has a specific tunnel and uses AnyConnect Group A; only users in LDAP group XYA are allowed.

L2L tunnel B has a specific tunnel and uses AnyConnect Group B; only users in LDAP group XYB are allowed.

If the end user has the right to connect to groups A and B (belongs to groups XYA and XYB), can it be managed dynamically?

The real-world case holds hundreds of split tunnels; this is a simple example and question: is this possible or not?

JRA-

Hi Jari

I'm not quite sure I understand what you want to achieve, but I think you should be able to do it using a single group and a set of DAP rules.

That is, a rule that says 'if the user is a member of XYA then apply ACL A', another rule 'if the user is a member of XYB then apply ACL B', etc.

See

HTH

Herbert
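To make the DAP approach from the reply concrete, here is an added example (not code from the thread or from Cisco) that models how DAP records keyed on LDAP memberOf values combine per-user network ACLs: a user in both XYA and XYB gets both ACLs aggregated, a user in neither falls through to a deny-all default. The group DNs, record names and subnets are constructed.

```python
"""Added example, not code from the thread or from Cisco: a small model of how
ASA Dynamic Access Policy (DAP) records keyed on LDAP memberOf values combine
per-user network ACLs. Group DNs, record names and subnets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    dst: str     # destination prefix, e.g. the network behind one L2L tunnel


@dataclass(frozen=True)
class DapRecord:
    name: str
    required_group: str  # LDAP memberOf DN the session must carry
    network_acl: tuple   # ACEs applied when this record matches
    priority: int        # higher-priority ACLs are aggregated first


# Constructed rules: one record per LDAP group, each granting the network
# behind the matching L2L tunnel (tunnel A <-> XYA, tunnel B <-> XYB).
DAP_RECORDS = (
    DapRecord("DAP_XYA", "CN=XYA,OU=VPN,DC=example,DC=com",
              (Ace("permit", "10.1.0.0/16"),), priority=10),
    DapRecord("DAP_XYB", "CN=XYB,OU=VPN,DC=example,DC=com",
              (Ace("permit", "10.2.0.0/16"),), priority=20),
)


def evaluate_dap(member_of, records=DAP_RECORDS):
    """Return (matched record names, aggregated ACL) for a user's memberOf list.
    Every matching record contributes its ACL; with no match the user is left
    with only the trailing deny, i.e. a deny-all default policy."""
    matched = sorted((r for r in records if r.required_group in member_of),
                     key=lambda r: r.priority, reverse=True)
    acl = [ace for r in matched for ace in r.network_acl]
    acl.append(Ace("deny", "0.0.0.0/0"))  # implicit deny at the end of the ACL
    return [r.name for r in matched], acl


def is_permitted(member_of, dst_ip):
    """First-match evaluation of the user's aggregated ACL for one destination."""
    _, acl = evaluate_dap(member_of)
    addr = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if addr in ipaddress.ip_network(ace.dst):
            return ace.action == "permit"
    return False
```

On a real ASA the membership criteria live in the DAP record's AAA attributes (ldap.memberOf) and the ACL in its network-acl, so a new tunnel only needs one more record, not a new AnyConnect group.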

Tags: Cisco Security

Similar Questions

  • Is it possible in RoboHelp 11 to dynamically number topics in Word/PDF printed documents?

    Hello

    Is it possible in RoboHelp 11 to dynamically number topics in Word/PDF printed documents?

    For example, in my project there are

    -> 3 topics (TopicA, TopicB, TopicC)

    -> 2 printed document profiles (Sales => TopicA, TopicC) and (Developers => TopicB, TopicC)

    I want them to be numbered dynamically as

    Sales

    1 TopicA

    2 TopicC

    Developers

    1 TopicB

    2 TopicC

    Is this possible?

    Best regards

    It might be possible if you have mapped to a Word template in which the headings have been set up with numbering. I don't know and am not able to test this right now, but I think it should work.

    Otherwise, it must be done somehow in Word, post-build, and then generate your PDF file.

    Please post back how you get on.

    See www.grainge.org for RoboHelp and authoring tips

    @petergrainge

  • IOS: Dynamic VPN with l2tp/CVPN Client

    Is it possible to configure a router (12.3.9a) to accept dynamic VPN from both the MS L2TP client (XP SP1) and the Cisco VPN client (4.0.5 for XP) at the same time?

    Without the line 'crypto map vpn-client client authentication list userauthen', both VPN clients work, but the Cisco VPN client does not request a username and password.

    With this line, the MS L2TP client fails.

    Here is my config:

    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    vpdn enable
    !
    vpdn-group pino
     ! Default L2TP VPDN group
     accept-dialin
      protocol l2tp
      virtual-template 1
     force-local-chap
     no l2tp tunnel authentication
    !
    crypto isakmp policy 100
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 5000
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key * address 0.0.0.0 0.0.0.0
    !
    crypto isakmp client configuration group pino
     key *
     domain test.test
     pool pool_cvpn
    !
    crypto ipsec transform-set set_3des esp-3des esp-sha-hmac
    crypto ipsec transform-set set_l2tp esp-3des esp-md5-hmac
     mode transport
    !
    crypto dynamic-map CVPN 20
     set transform-set set_l2tp
     match address l2tp_acl
    !
    crypto dynamic-map CVPNN 10
     set transform-set set_3des
    !
    crypto map vpn-client client authentication list userauthen
    crypto map vpn-client isakmp authorization list groupauthor
    crypto map vpn-client client configuration address respond
    crypto map vpn-client 10 ipsec-isakmp dynamic CVPN
    crypto map vpn-client 20 ipsec-isakmp dynamic CVPNN

    Thank you

    Davide

    Hi David

    Although it is L2TP/dynamic IPsec, you must have authentication configured for dynamic clients.

    Hope this link can clear things up...

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00801dddbb.shtml

    regds

    Prem

  • Cisco ASA and dynamic VPN L2L Fortigate configuration

    I recently ran into a problem with an ASA 5510 (7.0) and a bunch of Fortigate 50s (3.0 MR7). The ASA is the hub and the Fortigates are spokes with dynamic public IPs.

    I followed this document on Cisco's web site (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and passed the parameters to my counterparts to set up their Fortigates.

    However, the ASA log shows that the Fortigate connection attempts are always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally dying. Does anyone have experience setting up a dynamic VPN between Cisco and Fortigate? What could be failing at each end? Here's a typical piece of the ASA error log. The ASA currently has a static VPN tunnel and a site-to-client VPN in the two default groups.

    6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:41 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had decrypt packets, probably due to problems not match pre-shared key.  Abandonment
    5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
    6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had decrypt packets, probably due to problems not match pre-shared key.  User switching to the tunnel-group: DefaultL2LGroup
    5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
    4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, error: cannot delete PeerTblEntry
    3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer to peer table has no, no match!
    6. January 10, 2011 20:58:33 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:25 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    6. January 10, 2011 20:58:21 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
    5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package.  Retransmit the last packet.
    5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, encrypted packet received with any HIS correspondent, drop

    Yes, that sounds about right. It will try to match with the DefaultRAGroup first, and when it knows that it's a dynamic LAN-to-LAN IPsec, it will then fall back to the DefaultL2LGroup, because it doesn't know whether it is a VPN client or L2L when it is first contacted, as they are connecting from a dynamic IP peer.

    You must ensure that your default L2L tunnel-group has been configured with the corresponding pre-shared key.

    This assumes that you have configured the dynamic map and assigned it to the crypto map.

    Here is an example configuration where the ASA has a static IP address and the peer device has a dynamic IP:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

    Hope that helps.

  • I want to use custom object records with Hypersite field merges. Is this possible?

    I want to use custom object records with Hypersite field merges. Is this possible?

    Hey,

    At this time, custom object record data cannot be used with the following:

    • Hypersite field merges;
    • with the research data on the data in the field, only the number of overall;
    • Dynamic Content in emails keyed off it

    Thank you

  • I want to create an interactive page or file in Muse for anyone to connect and enter information, close and someone else can do the same thing, etc.  Is this possible?

    I want to create an interactive page or file in Muse for anyone to log in and enter information, close it, and then someone else can do the same thing, etc.  Is this possible?  I want to have spaces for at least 10 names to register.  These people need to log on to this page or file to use it or to see it.

    Help with Adobe Muse CC

    It is impossible to build such a thing with just the HTML and CSS that Muse creates. You need a dynamic system like WordPress, Joomla, the paid Business Catalyst plans, Typo3, etc...

    Mylenium

  • Is this possible? Calling subforms based on a drop-down list linked to a database

    I'm hoping to make a dynamic form and I wonder if it's possible.

    I have a database with about 300 entries, pieces of agricultural property, and a few little bits of info on each of these properties. I want to create a form where users can choose the piece of property from a drop-down list. Based on the property they select, another drop-down menu fills with the crops associated with this property. Then, based on the selection made in that drop-down list, a specific form will be brought up.

    For example, a person selects property #102 in the drop-down list. In the database, property #102 is associated with wheat, barley and corn, so the next drop-down would be filled with these three crops. The user selects wheat in the drop-down list and the wheat form would be called.

    I hope I explained that well enough.

    Is this possible? And if it's possible, how complicated is it to do? Assuming that I already have the database and subforms, would it be a long process of weeks of scripting, or would it be simple enough?

    Yes, this could be done; here is an example that should help: Dependent dropdown (sample attached)

    Based on the selection (change event of the second drop-down menu), you can show or hide a subform.

    -Wasil

  • is this possible?

    Here's the situation... My GF installed spyware on my phone. I would like to see if I can allow GPS tracking but not allow the monitoring... Is this possible?

    If your phone is not jailbroken, it's impossible. If it's jailbroken, it is not tenable and therefore safer.

  • I have a Mac Book Pro with a CD/DVD drive.  I want to copy a home made DVD.  Is this possible with iMovie or another application?

    I have a Mac Book Pro with a CD/DVD drive.  I want to copy a home made DVD.  Is this possible with iMovie or another application?

    Look for HandBrake.

    It is a free application which can convert your DVD to QuickTime formats.

  • I live in the United States and would like to buy a song from Germany. Is this possible?

    I live in the United States and would like to buy a song from Germany. Is this possible?

    Hello

    You can buy songs that are available on iTunes Store for your country.

  • I would like to see all the emails from my 3 different email addresses in one place, as in Outlook. Is this possible?

    I get emails from multiple email addresses and would like to see them all in one place instead of having to click 5 different folders to see what's new in each of them. Is this possible? Any help is appreciated!

    Question from 2014

    How can I read my incoming e-mails in a single folder, as I do in Live Mail and Outlook Express?
    https://support.Mozilla.org/en-us/questions/1009047

    Looks like what you need.

    TB - 38, 3 Win10-PC

  • 'iPhone has been severely infected by viruses -' is this possible?

    While surfing the internet (Safari), a window pops up that says the iPhone has been severely infected by viruses (7 of them) and that I have to follow the instructions to repair the phone. Is this possible or is it a fake?

    No, there is no virus in the wild for iOS. This popup is just a scam to try to get you to reveal personal information. Quit Safari and go to safari settings and delete cookies and clear history and cache.

  • I need to sync bookmarks between Firefox Sync and Seamonkey. Is this possible and if so how?

    I use Firefox and Seamonkey as well, on the same computer and also on other computers. I would like to use Firefox Sync to synchronize bookmarks between Firefox and Seamonkey on all my computers, but I do not understand how to do this, because the browsers seem to use their own separate servers.

    Is this possible, and if so can you tell me how to set it up?

    Thank you.

    I understand the confusion!

    I'm not a Mozilla support person, but in my experience, synchronization must be called Sync in Mozilla, Firefox Sync or Seamonkey Sync...

    If you create an account in Firefox, this account is accessible to Seamonkey.

    According to Mozilla's instructions, in Firefox you open 'Options, Sync, Add a device' and in Seamonkey 'Sync Setup, I already have an account'. The text here is a little confusing because you have to read it as 'I already have a Mozilla Sync account', otherwise you tend to think that it refers to a Seamonkey Sync account...

    Then click 'Connect', and Seamonkey provides three fields of characters that you enter in the appropriate fields of Firefox's 'Add a device' dialog.

    I think it's confusing that in Firefox the server is called 'Firefox Sync Server' and Seamonkey likewise offers a 'Seamonkey Sync Server', which suggests that they are two completely separate, unconnected entities.

    I hope this helps!

  • Closure of a SELECTION of tabs at once. Is this possible?

    Hi, I'm an average user of tabs. Let's say I opened 25 tabs in a window/session. I want to select 5 tabs to close at one time, but without using tab groups/Panorama, as I am too clumsy to use this feature.  :-) I mean it takes more time to create your groups and then close the group. I would prefer to select my tabs and then close them directly from my window. Is this possible?

    See:

  • I am looking to buy a 'new' iPod classic. iPod Superstore claims to get new Apple iPods because Apple is still making them for 5 years, but only selling them to a few suppliers for resale. Is this possible?

    I am looking to buy a 'new' iPod classic. iPod Superstore claims to get new Apple iPods because Apple is still making them for 5 years, but only selling them to a few suppliers for resale. Is this possible?

    Probably not still making them, but Apple's policy is to service products for at least five years after they are no longer manufactured and sold.

    "Owners of iPhone, iPad, iPod or Mac products can obtain service and parts from Apple or Apple service providers for 5 years after the product is no longer manufactured," which is

    Vintage and obsolete products - Apple Support

    With the iPod, 'service' often means giving you a replacement for the out-of-warranty fee, which is $299 for the last iPod classic model, according to this document

    Service Pricing - Apple iPod Support

    So Apple probably has enough stock to last up to five years after 2014 (when the last iPod classic model was discontinued).  This provider is unlikely to be an authorized dealer, so the iPod may not be covered by the standard one-year warranty.  That's why it comes in a plain white box, not a retail box.  It's supposed to be a service replacement for owners of the iPod classic (latest model).  It may be 'new', but it is still old.  Parts like the LCD, HDD and battery age by sitting in a warehouse.
