VPN 3000 - no access console
I have a 3000 VPN that needs to be reconfigured, but I get no output from the console port. Is there a way to set default values without access to consoles?
Thank you
Hello
have you tried different combination of port settings?
You can use this link to restore the default settings in your hub.
Use the option to force the code to load the config file ignoring.
regds
Tags: Cisco Security
Similar Questions
-
Console Cable - Cisco VPN 3000 Concentrator
Where can I get a cable from the console to the Cisco VPN 3000 Concentrator? The place I bought the hub of not sent me one with it.
Thank you
JP
JP,
Console port for the concentrator vpn being complient rs-232, you can buy two female DB9 to RJ45 / adapters, one for the concetrator and one for the PC to use in the COM1 port, then use a regular straight through CAT5 cable, that's the way I do and it is convenient as suppose to use the straight through serial rs-232 cable.
http://www.sealevel.com/product_detail.asp?product_id=787
With regard to the regular cable this hub comes with you can use it.
http://www.stonewallcable.com/product.asp?Dept%5Fid=35&PF%5Fid=SC%2DS9%2DFF
Adidtional information for your initial hub seup -.
http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/3_6/getting/gs2inst.htm#1050260
Concerning
PLS rate useful posts
-
Hello
It is as sure to fix the public interface on a VPN 3000 Concentrator on the internet? Or should there be a firewall in front.
I understand that the public interface is "hardcoded" and only open ports you'd pass firewall anyway, but I just wanted to check with experts to ensure that :-)
Peter
Hi Peter,.
I don't think there are major problems involving the public interface of VPN 3030 Internet. It is means in reality for public access... it is a little hardened to allow only specific protocols... If you have an ID, you can monitor the traffic on this interface and shun unnecessary connections if necessary... you also have filters on the public interface, which allows you to restrict the traffic...
set the vpn behind a firewall increases the complexity of your network. You may as well have this behind, but it will be a little complicated.
I hope this helps... all the best
REDA
-
VPN between a PIX and a VPN 3000
I'm trying to set up a VPN between PIX and a VPN 3000. All configurations are complete, but the tunnel has not been established. On the PIX, to 'see the crypto engine' and ' show isakmp his ' orders, I do not see the tunnel. Of "show ipsec his ' command, I can see the mistakes"#send"continues to increase when I try to connect to the remote network. Here is the copy - paste command:
Tag crypto map: myvpnmap, local addr. 10.70.24.2
local ident (addr, mask, prot, port): (10.70.24.128/255.255.255.128/0/0)
Remote ident (addr, mask, prot, port): (10.96.0.0/255.224.0.0/0/0)
current_peer: 10.70.16.5:0
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts 0 digest
#pkts decaps: 0, #pkts decrypt: 0, #pkts check 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0, #pkts decompress failed:
#send 12, #recv errors 0
local crypto endpt. : 10.70.24.2, remote Start crypto. : 10.70.16.5
Path mtu 1500, fresh ipsec generals 0, media, mtu 1500
current outbound SPI: 0
SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
Obviously, the PIX identifies protected traffic but failed to establish the tunnel. I was wondering what could be the reason for these kind of mistakes? That means them growing '#send errors?
Thank you very much!
Sending error mean simply the PIX is grateful to encrypt this traffic, but there is no built tunnel and so it must drop the package.
you will need to look at why the tunnel is not under construction however, "sending error" are just a byproduct of some other configuration issue. On the PIX, it looks like you would have something like:
Crypto ip 10.70.24.128 access list allow 255.255.255.128 10.96.0.0 255.224.0.0
On the 3000 under the L2L section and the Local and remote network, you need the exact opposite of the latter, then it would be:
/ Local network mask = 10.96.0.0/0.31.255.255
/ Remote network mask = 10.70.24.128/0.0.0.127
If you have something else the tunnel will fail to come. Otherwise, we see that the Cryptography debugs the PIX and the trunk of the 3000 when the tunnel is built.
-
I have set up a cisco 861 as a vpn server. Could I help you if someone can tell what is the problem? Clients can connect, but cannot access local resources from lan for subnet 10.0.10.0
Building configuration...
Current configuration: 9770 bytes
!
version 12.4
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime msec localtimeShow time-zone
Log service timestamps datetime localtime show msec.time zone
encryption password service
sequence numbers service
!
hostname RT861W
!
boot-start-marker
start the flash c860-universalk9 - mz.124 - 24.T3.bin system
boot-end-marker
!
forest-meter operation of syslog messages
logging buffered 4096 warnings
recording console critical
enable secret 5 xxxxxxxx
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
!
AAA - the id of the joint session
iomem 10 memory size
clock timezone IS - 4
clock save interval 24
!
Crypto pki trustpoint TP-self-signed-3796206546
enrollment selfsigned
name of the object cn = IOS-Self-signed-certificate-3796206546
revocation checking no
rsakeypair TP-self-signed-3796206546
!
!
chain pki crypto TP-self-signed certificates.3796206546
certificate self-signed 01
30820259 308201 2 A0030201 02020101 300 D 06092A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 31312F302 536967 6E65642D 43657274
69666963 33373936 32303635 6174652D 3436301E170 3130 30363130 32323534
33395A 17 0D 323030 31303130 30303030 305A 303106035504 03132649 312F302D
65642 43 65727469 5369676E 656C662D 4F532D5366696361 74652 33 37393632
3630819F 30363534 300 D 0609 2A 864886 F70D010101050003 818 0030 81890281
81009C 68 0509FEBA BA0D4251 52AA3F1C DBB7CACB138D0D3D 8017AB75 04AABD97
16DE7A44 31B18A6C 5DE8F289 CF5D71EA AF9BA2F6EB32858B 4385DE6C 3ED11616
2B997D14 C6C86431 9A 956161 2D0581F4 767D60E182FF426A 911D503E 8995A69B
6F7A4D9A 9AEA14DE 8A62570E C9C3A913 25E5E464E6DA7E06 44F94B16 3EA57809
5B 710203 010001 HAS 3 8180307E 300F0603 551D 130101FF0405 FF302B06 30030101
11 04243022 82205254 38363157 2E636F6C 03551D6C696E73 2E316661 6D696C79
756E6974 65642E63 6F6D301F 0603551D 230418301680142C 21E7314B D28AFE1A
26115A1B F53AFB03 1 060355 1D0E0416 0ED1A83004142C 21 E7314BD2 8AFE1A26
115A1BF5 3AFB030E D1A8300D A 06092, 86 4886F70D01010405 00038181 008CC48F
6A1BFB52 0F268B05 B977AE8E CA450936 8272 D 889B46DE9FB 5680782C 59DA2354
04CE6AD2 F280FB20 32B3897B CF0919F9 C0719F22C7BED922 73C35C32 54696F37
89E424C2 561FFF54 99573AC6 713E58D8 E3B67064295 4331 845FCDEC F6CD8017 D
58006 58 F94A8771 78217788 FE63AA11 0E5DF6B11A8D0111 CDD87A1D CC
quit smoking
no ip source route
no ip free-arps
chip-Relay IP dhcp
ignore the IP dhcp bootp
DHCP excluded-address IP 10.0.1.1 10.0.1.10
DHCP excluded-address IP 10.0.10.1 10.0.10.10
!
dhcp VLAN_10 IP pool
Network 10.0.10.0 255.255.255.224
router by default - 10.0.10.1
Domain xxxxxx
10.0.10.1 DNS server
!
dhcp VLAN_1 IP pool
Network 10.0.1.0 255.255.255.224
default router 10.0.1.1
Domain xxxxxx
10.0.1.1 DNS server
!
!
IP cef
inspect the IP log drop-pkt
IP inspect high 1100 max-incomplete
IP inspect 1100 max-incomplete bass
IP inspect a high minute 1100
IP inspect a minute low 1100
inspect the IP udp idle time 60
inspect the IP dns-timeout 10
inspect the name firewall tcp timeout IP 3600
inspect the name firewall udp timeout 15 IP
inspect the name firewall ftp queue time 3600 IP
inspect the name firewall rcmd timeout IP 3600
IP inspect alert firewall smtp name on timeout 3600
inspect the name firewall sqlnet timeout IP 3600
inspect the IP name firewall tftp timeout 30
inspect the name firewall icmp time 15 IP
inspect the name firewall ssh timeout 15 IP
IP inspect name Connection Firewall audit trail on
inspect the name webster firewall IP
IP inspect skinny firewall name
inspect the router IP firewall name
inspect the IP firewall cifs name
inspect the name cuseeme firewall IP
IP inspect the dns name of the firewall
inspect the name realaudio firewall IP
inspect the name firewall rtsp IP
inspect the name streamworks firewall IP
inspect the name vdolive firewall IP
inspect the IP sip firewall name
inspect the name firewall pop3 alert on reset IP
inspect the name ftps firewall IP
inspect the name isakmp firewall IP
inspect the IP name of firewall ipsec-msft
inspect the name ntp FIREWALL IP
inspect the IP name firewall imap
inspect the name imaps firewall IP
inspect the name imap3 FIREWALL IP
inspect the name pop3s firewall IP
no ip bootp Server
IP domain name xxxxxxxxx
8.8.8.8 IP name-server
IP-server names 8.8.4.4
name-server IP 208.67.222.222
IP-server names 208.67.220.220
name of the IP-server 74.128.19.102
name of the IP-server 74.128.17.114
!
!
notify licensing agenthttp://10.0.10.11:9710 / clm/servlet/HttpListenServlet
dummy dummy 2.0
!
!
username privilege 15 secret 5 xxxx xxxxxx
username xxxxx xxxxx secret 5
!
!
crypto ISAKMP policy 3
BA aes 256
preshared authentication
Group 2
ISAKMP crypto nat keepalive 3600
!
ISAKMP crypto client configuration group xxxxx
key xxxxxx
DNS 10.0.10.5
domain xxxxxxxx
pool vpnpool
include-local-lan
netmask 255.255.255.224
!
!
Crypto ipsec transform-set esp esp - aes 256 RIGHT-model of hmac-SHA-lzs
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
list of card crypto clientmap client authenticationuserauthen
card crypto clientmap isakmp authorization listgroupauthor
client configuration address map clientmap cryptoinitiate
client configuration address map clientmap cryptoanswer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
Crypto ctcp port 6000
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
Bridge IRB
!
!
!
interface Loopback0
IP 10.100.100.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
Null0 interface
no ip unreachable
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
switchport mode trunk
!
interface FastEthernet4
WAN description $ FW_OUTSIDE$
address IP dhcp client id FastEthernet4
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
stream IP output
inspect the firewall on IP
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
wlan-ap0 interface
description of the Service interface module to manage theEmbedded AP
IP unnumbered Vlan1
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP virtual-reassembly
ARP timeout 0
!
interface GigabitEthernet0 Wlan
description of the Service interface module to manage theEmbedded AP
switchport mode trunk
!
interface Vlan1
VLAN_1 description $ FW_INSIDE$
IP 10.0.1.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface Vlan10
VLAN_10 description $ FW_INSIDE$
IP 10.0.10.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface BVI1
Description $FW_INSIDE$
in the form of address IP WAPB dhcp host name
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
no ip-cache cef route
no ip route cache
!
router RIP
version 1
10.0.0.0 network
!
IP local pool vpnpool 197.0.0.1 197.0.0.5
no ip forward-Protocol nd
IP route 0.0.0.0 0.0.0.0 dhcp
IP route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
IP http server
access-class 2 IP http
local IP http authentication
IP http secure server
!
The dns server IP
IP nat inside source list 1 interface FastEthernet4Overload
IP nat inside source list 2 interface FastEthernet4Overload
IP nat inside source static tcp 10.0.10.3 3389interface FastEthernet4 3389
IP nat inside source static tcp 10.0.10.3 1723interface FastEthernet4 1723
IP nat inside source static tcp 10.0.10.3 80interface FastEthernet4 80
!
record 10.0.10.1
access-list 1 permit 10.0.1.0 0.0.0.31
access-list 2 permit 10.0.10.0 0.0.0.31
access-list 199 permit any one
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp a whole Workbench
access-list 199 permit udp any any eq 3389
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
access-list 199 tcp refuse a whole
access-list 199 tcp 10.0.0.0 refuse 0.255.255.255 everything
access-list 199 tcp 172.16.0.0 refuse 0.15.255.255any
access-list 199 tcp 192.168.0.0 refuse 0.0.0.255 any
access-list 199 refuse udp 10.0.0.0 0.255.255.255 everything
access-list 199 refuse udp 172.16.0.0 0.15.255.255any
access-list 199 refuse udp 192.168.0.0 0.0.0.255 any
access-list 199 refuse icmp no echo
access-list 199 deny udp any how any eq 135
access-list 199 deny udp any any eq netbios-ns
access-list 199 deny udp any any eq netbios-ss
access-list 199 deny udp any any eq isakmp
access-list 199 tcp refuse any any eq telnet
access-list 199 tcp refuse any any eq smtp
access-list 199 tcp refuse any any eq nntp
access-list 199 tcp refuse any any eq 135
access-list 199 tcp refuse any any eq 137
access-list 199 tcp refuse any any eq 139
access-list 199 tcp refuse any any eq www
access-list 199 tcp refuse any any eq 443
access-list 199 tcp refuse any any eq 445
access-list 199 refuse an entire ip
not run cdp!
control plan
!
Bridge Protocol ieee 1
1 channel ip bridge
bridge 10 Protocol ieee
IP route 10 bridge
connection of the banner ^ CAuthorized access only!
Unplug IMMEDIATELY if you are not authorizeduser! ^ C
!
Line con 0
no activation of the modem
telnet output transport
line to 0
telnet output transport
line 2
no activation-character
No exec
preferred no transport
transport of entry all
transportation out all
line vty 0 4
access-class 104 in
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
Server NTP 192.43.244.18
endHello
The problem is due to NAT configurations. Please, try the following:
no nat ip within the source list 1 interface FastEthernet4 overload
no nat ip inside the source list 2 interface FastEthernet4 overload
access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7
access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.0.255.31 all
Internet route map
corresponds to the IP 101
output
IP nat inside source overload map route Internet interface FastEthernet4
This will ensure that the VPN clients can access all internal
resources. However, they will not be able to access to the 10.0.10.3 Server
using its private IP address that you can not use the roadmap, when you use the
keyword "interface." If you have a static IP address assigned to your FastEthernet4
You can then use the interface by the ISP, the configuration below:
access-list 102 refuse host ip 10.0.10.3 197.0.0.0 0.0.0.7
access-list 102 refuse 10.0.10.3 ip host 10.0.0.0 0.0.255.255
access-list 102 permit ip 10.0.10.3 host everything
route server map
corresponds to the IP 101
output
no nat ip inside source static tcp 10.0.10.3 interface FastEthernet4 3389
3389
no nat ip inside the source static tcp 10.0.10.3 1723 interface FastEthernet4
1723
no nat ip inside the 80 tcp static 10.0.10.3 source FastEthernet4 80 interface
IP nat inside source static tcp 10.0.10.3 3389 "FastEthernet4 IP" 3389
route server map
IP nat inside source static tcp 10.0.10.3 1723 "FastEthernet4 ip" 1723
route server map
IP nat inside source static tcp 10.0.10.3 80 'FastEthernet4 ip' 80-route map
Server
I hope this helps.
Kind regards
NT
-
LAN-to-LAN tunnel between VPN 3000 and Cisco 1721
Hello
I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).
When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.
However, I would like to Turn off encryption for some time getting the speed improvements, so I changed
Encryption = null esp (in 1721) and to "null" in VPN-3000.
Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721
% C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0
Has anyone seen this behavior?
All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?
Thanx------Naman
Naman,
Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.
Kurtis Durrett
-
Hi guys,.
I'm working on the creation of a vpn between a vpn 3000 and a
point of control, the problem I have on the vpn3000 is that if I do not have
Select "reverse road injection" it won't establish the vpn.
I thought she might have because the roads of local lan did not exist
on the vpn 3000, so I added static to match the list of the network, but it
still wouldn't go out, as soon as I activate the reverse road injection it
works very well.
any ideas?
Thank you
Adam Baxter.
Adam,
Take out the static routes and also injection Road opposite say-able.
Activate the logs on the hub of gravity 1-13 for IPSEC & IPSECDBG, IKE, AUTH, IKEDBG, AUTHDBG.
Try to send a ping to the interesting traffic. Capture logs and send them to this post, let me take a look and see if there is a question that jumps.
See you soon
Gilbert
-
Cisco ACS 5.4 and VPN 3000
Hello
I'm trying to use CIsco ACS 5.4 for RADIUS authentication for VPN by using VPN concentrator 3000 users.
I added the VPN 3000 on ACS and added GBA on VPN group with a shared secret authentication server. When I do a test on the authentication server using the local account that I created on ACS it happens as no response was received from the server so that I can see the RAIDUS AAuth in green.
Any help would be much appreciated.
Concerning
AR
Hey,.
What is the report on GBA?
"RAIDUS AAuth in green"
If so, a pcap help between the two.
Concerning
Ed
-
The VPN Clients cannot access any internal address
Without a doubt need help from an expert on this one...
Attempting to define a client access on an ASA 5520 VPN that was used only as a
Firewall so far. The ASA has been recently updated to Version 7.2 (4).
Problem: Once connected, VPN client cannot access anything whatsoever. Client VPN cannot
ping any address on internal networks, or even the inside interface of the ASA.
(I hope) Relevant details:
(1) the tunnel seems to be upward. Customers are the authenticated by the SAA and
are able to connect.
(2) by many other related posts, I ran a ' sh crypto ipsec her "to see the output: it
appears that the packets are décapsulés and decrypted, but NOT encapsulated or
encrypted (see the output of "sh crypto ipsec his ' home).
(3) by the other related posts, we've added commands associated with inversion of NAT (crypto
ISAKMP nat-traversal 20
crypto ISAKMP ipsec-over-port tcp 10000). These were in fact absent from our
Configuration.
(4) we tried encapsulation TCP and UDP encapsulation with experimental client
profiles: same result in both cases.
(5) if I (attempt) ping to an internal IP address of the connected customer, the
real-time log entries ASA show the installation and dismantling of the ICMP requests to the
the inner target customer.
(6) the capture of packets to the internal address (one that we try to do a ping of the)
VPN client) shows that the ICMP request has been received and answered. (See attachment
shooting).
(7) our goal is to create about 10 VPN client of different profiles, each with
different combinations of access to the internal VLAN or DMZ VLAN. We do not have
preferences for the type of encryption or method, as long as it is safe and it works: that
said, do not hesitate to recommend a different approach altogether.
We have tried everything we can think of, so any help or advice would be greatly
Sanitized the ASA configuration is also attached.
appreciated!
Thank you!
It should be the last step :)
on 6509
IP route 172.16.100.0 255.255.255.0 172.16.20.2
and ASA
no road inside 172.16.40.0 255.255.255.0 172.16.20.2
-
L2l IPSec VPN 3000 and PIX 501
Hello
I have a remote site that has a broadband internet connection and uses a PIX 501. We wanted to connect them with our main office using our VPN 3000 via VPN site-to-site.
I followed the following documentation:
However the L2L session does not appear on the hub when I check the active sessions.
The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec-L2L tunnel is attached.
Any help or advice are appreciated.
I just noticed that the PIX firewall, the phase 1 paramateres are not configured. You must configure the same PASE 1 and phase 2 settings on both ends of the tunnel.
For example, on CVPN 3000, you have configured settings Phase 1 as 3DES, pre-shared key etc... We have the same configuration on the PIX firewall too.
Here is an example of sample config
I hope this helps!
-
Remote VPN users cannot access tunnel from site to site
Cisco ASA5505.
I have a tunnel of site-to-site set up from our office to our Amazon AWS VPC. I'm not a network engineer and have spent way too much time just to get to this point.
It works very well since within the office, but users remote VPN can not access the tunnel from site to site. All other remote access looks very good.
The current configuration is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626
Any help or advice would be greatly appreciated. It is probably super simple for someone who knows what they're doing to see the question.
Hi Paul.
Looking at your configuration:
Remote access:
internal RA_GROUP group policy
RA_GROUP group policy attributes
value of server DNS 8.8.8.8 8.8.4.4
Protocol-tunnel-VPN IPSec
value of Split-tunnel-network-list Split_Tunnel_Listpermit same-security-traffic intra-interface
type tunnel-group RA_GROUP remote access
attributes global-tunnel-group RA_GROUP
address RA_VPN_POOL pool
Group Policy - by default-RA_GROUP
IPSec-attributes tunnel-group RA_GROUP
pre-shared key *.
local pool RA_VPN_POOL 10.0.0.10 - 255.255.255.0 IP 10.0.0.50 maskSite to site:
card crypto outside_map 1 match address acl-amzncard crypto outside_map 1 set pfspeer set card crypto outside_map 1 AWS_TUNNEL_1_IP AWS_TUNNEL_2_IPcard crypto outside_map 1 set of transformation transformation-amznI recommend you to use a local IP address pool with a different IP address that deals with the inside interface uses, now you are missing NAT are removed from the IP local pool to the destination of the site to site:NAT_EXEMPT list of ip 10.0.0.0 access allow 255.255.255.0 172.17.0.0 255.255.0.0NAT (outside) 0-list of access NAT_EXEMPTNow, there's a dynamically a NAT exempt allowing traffic to go out and are not translated.I would like to know how it works!Please don't forget to rate and score as correct the helpful post!Kind regardsDavid Castro, -
I keep to err msge "mask/area bad ip address/subnet mask/generic id" when you attempt to add a class C network to the list a VPN 3000 Concentrator using the CLI. Here's my entry 192.168.51.0/0.0.0.255. The number and the wildcard mask seem ok. Isn't the right syntax?
Vincent, you're very welcome and thank you for the update... happy all worked... Please rate as solved post.
Rgds BST
Jorge
-
ASA 5520 - VPN using LDAP access control
I'm setting up an ASA 5520 for VPN access. Authorization & authentication using an LDAP server. I have successfully configured tunnel, and I can access internal resources. What I want to do now is to limit access to a specific ad group membership. In the absence of this belonging to a group, a user cannot access the VPN.
My VPN client software testing is Cisco Systems VPN Client 5.0.05.0290 Version. The Group authentication is configured in a connection entry that identifies the Group of Tunnel. I think I wrote that correctly.
The Version of the software on the SAA is 8.3 (1).
My current challenge is getting the VPN to stop letting each request for access through little matter belonging to a group. I found the thread below to be significantly useful, but there is obviously something which is not entirely mesh with my situation.
https://supportforums.Cisco.com/message/3232649#3232649
Thanking all in advance for everything offered thoughts and advice.
Configuration (AAA LDAP, group policy and group of tunnel) is below.
AAA-Server LDAP protocol ldap
AAA-Server LDAP (inside) host x.x.y.12
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_MAP
AAA-Server LDAP (inside) host x.x.y.10
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
LDAP-attribute-map LDAP_MAP
AAA-Server LDAP (inside) host x.x.y.11
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_MAPAAA-Server LDAP (inside) host x.x.y.10
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
LDAP-attribute-map LDAP_MAP
AAA-Server LDAP (inside) host x.x.y.11
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_MAP
!
internal group NOACCESS strategy
NOACCESS group policy attributes
VPN - concurrent connections 0
Protocol-tunnel-VPN IPSec webvpn
address pools no
attributes of Group Policy DfltGrpPolicy
VPN - 10 concurrent connections
Protocol-tunnel-VPN IPSec webvpn
enable IPSec-udp
vpn group policy - pro internal
vpn - pro group policy attributes
value x.x.y.17 x.x.y.27 WINS server
Server DNS value x.x.y.19 x.x.y.29
VPN - 50 simultaneous connections
Protocol-tunnel-VPN IPSec svc
group-lock value vpn - pro
field default value domain.com
value of address ip-vpn-pro pools
WebVPN
client of dpd-interval SVC no
dpd-interval SVC 1800 bridge
!attributes global-tunnel-group DefaultRAGroup
LDAP authentication group-server
LDAP authorization-server-group
Group Policy - by default-vpn-pro
authorization required
type group tunnel vpn - pro remote access
attributes global-tunnel-group-vpn - pro
LDAP authentication group-server
Group-server-authentication (LDAP outside)
LDAP authorization-server-group
Group Policy - by default-vpn-pro
band-Kingdom
password-management
band-band
authorization required
type tunnel-group NOACCESSGROUP remote access
attributes global-tunnel-group NOACCESSGROUP
LDAP authentication group-server
NOACCESS by default-group-policyHello
The configuration of what you are looking for is a feature called DAP (Dynamic Access Policy)
The following link will explain how to set up the same.
http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.
-
VPN; list of access on the external interface allowing encrypted traffic
Hi, I have a question about the access list on the external interface of a router 836. We have several routers on our clients site, some are lan2lan, some are client2router vpn.
My question is; Why should I explicitly put the ip addresses of the client vpn or tunnel lan to the access list. Because the encrypted traffic to already allowing ESPs & isakmp.
The access list is set to the outgoing interface with: ip access-group 102 to
Note access-list 102 incoming Internet via ATM0.1
Note access-list 102 permit IP VPN range
access-list 102 permit ip 192.123.32.0 0.0.0.255 192.123.33.0 0.0.0.255
access-list 102 permit ip 14.1.1.0 0.0.0.255 any
access-list 102 permit esp a whole
Note access-list 102 Open VPN Ports and other
access-list 102 permit udp any host x.x.x.x eq isakmp newspaper
I have to explicitly allow 192.123.32.0 (range of lan on the other side) & 14.1.1.0 (range of vpn client) because if I'm not I won't be able to reach the network.
The vpn connection is not the problem, all traffic going through it.
As far as I know, allowing ESPs & isakmp should be sufficient.
Can anyone clarify this for me please?
TNX
Sebastian
This has been previously answered on this forum. See http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.ee9f970/0#selected_message for more details.
-
I get a "parse error" when you try to manually create an SSL certificate in the web interface of a VPN 3000; has anyone ever seen anything like that?
Hi Chaplin,
This is usually caused by the corruption of software certificate, you may need to call the TAC for specific steps to solve this problem.
Kind regards
Aamir Waheed,
Cisco Systems, Inc.
CCIE #8933
-=-=-
Maybe you are looking for
-
Missing the month last s TimeMachine backup
last night, I noticed something TimeMachine called "cleaning of older backups. About half an hour later, I noticed the TimeMachine PrefPane and Finder now show also significantly more available space on the destination volume, which also confirms tha
-
Hello When I sync a PDF in iBooks, I can't mark a text or a Word. If there is no marker in iBook, please add it. Because it is necessary. (I use the latest version of iOS and iBook) Thank you very much
-
Help me with football at night on an Eos T3i
I need help for the best shots of my Cannon Eos T3i night football games. Any suggestions?
-
All the fonts/writing are gibberish and I can't not as what is written, so I can't change anything on my vista, how to see the writing again if I can read? Thank you
-
Hello! Is it possible to detect a call is an emergency call? I noticed the phone call has no useful methods. I could ignore calls to a 3 digit number, but is not a reliable way... BR, Isabelle