VPN Concentrator at the migration of ASA - auth problem.

Similar Questions

• problem of traffic flow with tunnel created the network with a tunnel to a VPN concentrator

  Hi, I worked with Cisco and the seller for 2 weeks on this.II am hoping that what we are witnessing will ring a Bell with someone.

  Some basic information:

  I work at a seller who needs from one site to the other tunnel.  There are currently 1 site to another with the seller using a Juniper SSG, which works without incident in my system.  I'm transitioning to routers Cisco 2811 and put in place a new tunnel with the seller for the 2800 uses a different public ip address in my address range.  So my network has 2 tunnels with the provider that uses a Cisco VPN concentrator.  The hosts behind the tunnel use 20x.x.x.x public IP addresses.

  My Cisco router will create a tunnel, but I can't not to hosts on the network of the provider through the Cisco 2811, but I can't get through the tunnel of Juniper.  The seller sees my packages and provider host meets them and sends them to the tunnel.  They never reach the external interface on my Cisco router.

  I'm from the external interface so that my endpoint and the peers are the same IP address.  (note, I tried to do a static NAT and have an address of tunnel and my different host to the same result.)  Cisco has confirmed that I do have 2 addresses different and this configuration was a success with the creation of another successful tunnels toa different network.)

  I tested this configuration on a network of transit area before moving the router to the production network and my Cisco 2811 has managed to create the tunnel and ping the inside host.  Once we moved the router at camp, we can no longer ping on the host behind the seller tunnel.   The seller assured me that the tunnel setting is exactly the same, and he sees his host to send traffic to the tunnel.  The seller seems well versed with the VPN concentrator and manages connections for many customers successfully.

  The seller has a second VPN concentrator on a separate network and I can connect to this VPN concentrator with success of the Cisco 2811 who is having problems with the hub, which has also a tunnel with Gin.

  Here is what we have done so far:

  (1) confirm the config with the help of Cisco 2811.  The tunnel is up.  SH cyrpto ipa wristwatch tunnel upward.
  (2) turn on Nat - T side of the tunnel VPN landscapers
  (3) confirm that the traffic flows properly a tunnel on another network (which would indicate that the Cisco config is ok)
  (4) successfully, tunnel and reach a different configuration hosting
  (5) to confirm all the settings of tunnel with the seller
  (6) the seller confirmed that his side host has no way and that it points to the default gateway
  (7) to rebuild the tunnel from scratch
  8) confirm with our ISP that no way divert traffic elsewhere.  My gateway lSP sees my directly connected external address.
  (9) confirm that the ACL matches with the seller
  (10) I can't get the Juniper because he is in production and in constant use

  Is there a known issue with the help of a VPN concentrator to connect to 2 tunnels on the same 28 network range?

  Options or ideas are welcome.  I had countless sessions with Cisco webex, but do not have access to the hub of the seller.  I can forward suggestions.

  Here's a code

  crypto ISAKMP policy 1
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 2
  BA 3des
  preshared authentication
  Group 2

  Crypto ipsec transform-set mytrans aes - esp esp-sha-hmac

  Crypto-map dynamic dynmap 30
  Set transform-set RIGHT

  ISAKMP crypto key address No.-xauth

  interface FastEthernet0/0
  Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE $ 0/0
  IP 255.255.255.240
  IP access-group 107 to
  IP access-group out 106
  NAT outside IP
  IP virtual-reassembly
  route IP cache flow
  automatic duplex
  automatic speed
  crypto mymap map

  logging of access lists (applied outside to get an idea of what will happen.  No esp traffic happens, he has never hits)

  allowed access list 106 esp host host newspaper
  106 ip access list allow a whole
  allowed access list 107 esp host host Journal
  access-list 107 permit ip host host Journal

  access-list 107 permit ip host host Journal
  107 ip access list allow a whole

  Crypto isa HS her
  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
    QM_IDLE ASSETS 0 1010

  "Mymap" ipsec-isakmp crypto map 1
  Peer =.
  Extend the 116 IP access list
  access - list 116 permit ip host host (which is a public IP address))
  Current counterpart:
  Life safety association: 4608000 kilobytes / 2800 seconds
  PFS (Y/N): N
  Transform sets = {}
  myTrans,
  }

  OK - so I have messed around the lab for 20 minutes and came up with the below (ip are IP test:-)

  (4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix length 30 <> it comes to the new address of NAT

  !
  (1) ip nat inside source list 102 interface FastEthernet0/0 overload <> it comes to the interface by default NAT

  !
  IP nat inside source map route overload of crypto-nat of crypto-nat pool <> it is the policy of the NAT function

  !

  (6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the IP source and destination traffic

  !

  (2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication

  (3) access-list 102 deny ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> does not re - NAT NAT

  (1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the IP Address of the interface for NAT

  !

  (5) crypto-nat route-map permit 5 <> condition for the specific required NAT
  corresponds to the IP 101 <> game of traffic source and destination IP must be NAT'td

  (7) access list 103 permit ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> crypto acl

  Then, how the works above, when a package with the what IP 172.16.1.0/24 source wants to leave the router to connect to google, say the source will change to IP interface (1).  When 172.16.1.0/24 wants to talk to172.16.2.0/24, it does not get translated (2).  When the remote end traffic equaled the following clause of NAT - the already NAT'td IP will not be affected again (3) when a host 172.16.1.0/24 wants to communicate with 172.16.2.20/24 we need a NAT NAT specific pool is required (4).  We must define a method of specific traffic to apply the NAT with a roadmap (5) which applies only when the specific traffic (6), then simply define the interesting traffic to the VPN to initiate and enable comms (7) corresponding

• VPN concentrator + PIX on LAN-&gt; customers can not reach local servers

  Hello

  I have a problem wrt. remote access clients coming via a VPN3000 concentrator and trying to access local servers.

  For the topology:

  The internal network is 10.0.1.0/24. It connects with the outside world, as well as via a PIX DMZ; the PIX has 10.0.1.1 in the internal network.

  On the same LAN (internal), I have the VPN concentrator for the inside address 10.0.1.5. It assigns addresses in the 10.0.100.0/24 range to the

  VPN client-PCs.

  I can sucessfully connect using the VPN client SW to the hub, i.e. remote access clients out addresses

  the 10.0.100.0/24 range.

  The problem: access from VPN clients to internal network is * not * possible; for example, a customer with 10.0.100.1 cannot connect to

  internal to the 10.0.1.28 server.

  To my knowledge, this is a routing problem because the server (10.0.1.28) has no idea on how to reach customers in

  10.0.100.0/24. The only thing that the server is a default static route pointing to the PIX, i.e. 10.0.1.1.

  So I set up a static route on the PIX for 10.0.100.0 pointing to the hub-VPN, that is

  Mylan route 10.0.100.0 255.255.255.0 10.0.1.5 1

  This does not solve my problem though.

  In the PIX logs, I see the entries as follows:

  % 3 PIX-106011: deny entering (no xlate) tcp src trainee: 10.0.1.28 (atlas) / 445 intern dst: 10.0.100.1 (pending) 1064

  The PIX seems to abandon return packages, i.e. traffic from the server back to the client

  To my knowledge, the problem seems to be:

  Short traffic VPN - client-> Concentrator VPN-> Server-> PIX - where it gets moved.

  My reasoning: the PIX only sees the package back, i.e. the package back from the server to the client - and therefore decreasing the

  package because he has not seen the package from the client to the server.

  So here are my questions:

  (o) how do I configure the PIX that I be connectivity between my remote VPN clients (10.0.100.0/24) and

  computers servers on the local network (10.0.1.0/24)?

  (o) someone else you have something like this going?

  PS: Please note that the first obvious idea, installation of static routes on all machines on the local network is not an option here.

  Thank you very much in advance for your help,.

  -ewald

  Hello, PIX the because can not route traffic on the same interface (prior to version 7.0 anyway), I suggest you two places your hub to the outside with the inside of the legs on a zone demilitarized or (if you can not do a makeover of the network) you remove your pool with 10.0.100.0 - addresses and create a pool with 10.0.1.0 - addresses which is a part of the address space. No, NOT all. A little book that it is not used inside.

  Best regards

  Robert Maras

• Multiple VPN groups on the ASA firewall

  I have a remote VPN configured in my ASA firewall with a group of users configured on the external ACS VPN. The group called VPNASA to authenticate via the ACS server and the server ip pool is on the firewall of the SAA. Now, my boss asked me to set up a second VPN group called VPNSALES on the ACS server for the same remote VPN on the ASA firewall. How to configure the firewall for the ASA to accept both the Group and authenticate on the same ACS server? I've never done this before so I need help.

  Thank you very much!

  Hello

  all you need to do is create another group strategy and attach it to a group of tunnel: -.

  internal vpnsales group policy

  attributes of the strategy of group vpnsales

  banner - VPN access for the sales team

  value x.x.x.x DNS server

  split tunnel political tunnelspecified

  Split-tunnel-network-list split-sales value

  address-pools sales-pool

  value by default-domain mydomain.com

  type tunnel-group vpnsales remote access

  tunnel-group vpnsales General-attributes

  authentication-server-group vpnsales

  Group Policy - by default-vpnsales

  vpnsales ipsec tunnel - group capital

  pre-share-key @.

  you will also create a map of the attribute named vpnsales for acs auth.

  Thank you

  Manish

• aid required for the image backup vpn concentrator

  Hi, I am unable to download the vpn concentrator ios image to the tftp server. is someone can pls tell me what is the procedure for that. I can't find good documentation on it. pls help someone.

  concerning

  Assane

  Assane,

  You try to save the image of the hub to the VPN concentrator. Like the 4.7.2.D or the version E or F of the code. If this is the case, it is not possible to copy the image file from the hub to the tftp server.

  You must download the CEC file.

  He had an answer to your question earlier, but it pointed you on how to make a backup of your CONFIGURATION file.

  If this answers your question, feel free to write it down.

• Configuration file for the VPN concentrator

  Hello

  I have a text-based VPN concentrator configuration file, and I want to know if there is a configuration guide of Concentrator VPN that I can use to refer to this file. The configuration on cisco.com guide is currently for the GUI based configuration.

  Furthermore, if there is a tool/utility that will read the configuration file in the format GUI without physical access to the device, which will also help.

  Thanks in advance for any assistance.

  There is a "XML export screen" in the management section of the files on the VPN concentrator. You can export the current configuration of the concentrator in a XML format, which provides the labels and values for the fields in the configuration file.

  http://www.Cisco.com/en/us/docs/security/vpn3000/vpn3000_47/Administration/Guide/Fileman.html#wpxref53361

• Select the timeout on ASA Cisco Anyconnect VPN

  Hello world

  I use the Cisco Anyconnect VPN client with the ASA 5540 firewall. I need allow a time-out on the VPN clients, so they log off after x hours of inactivity.

  Thank you to

  Best respect

  Hello

  To my understanding of the default timeout value is 30 minutes

  You should be able to change this setting in the "username" configurations (if you use LOCAL AAA on the SAA) or under the configurations of the 'group policy' .

  The command is

  VPN-idle-timeout

  Here is the link of the commands reference

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/ASA-command-reference/...

  -Jouni

• How Anyconnect VPN users will connect with cisco ASA, which uses the server (domain controller) Radius for authentication

  Hi team

  Hope you do well. !!!

  currently I am doing a project which consists in CISCO ASA-5545-X, RADIUS (domain controller) server for authentication. Here, I need to configure Anyconnect VPN and host checker in cisco asa.

  1 users will connect: user advanced browser on SSL VPN pop past username and password.

  2. (cisco ASA) authentication: VPN sends credentials to the RADIUS server.

  3 RADIUS server: authentication: receipt and SSL VPN (ASA) group.

  4 connectivity creation: If employee: PC so NAW verified compliance, no PC check Assign user to the appropriate role and give IP.

  This is my requirement, so someone please guide me how to set up step by step.

  1. how to set up the Radius Server?

  2. how to configure CISCO ASA?

  Thanks in advance.

  Hey Chick,

  Please consult the following page of installation as well as ASA Radius server. The ASA end there is frankly nothing much difference by doing this.

  http://www.4salesbyself.com/1configuring-RADIUS-authentication-for-webvp...

  Hope this helps

  Knockaert

• Download the firmware from the 3030 VPN concentrator?

  Hello

  I would like to download a newer firmware our vpn concentrator but wish to download a copy of the old firmware. Is this possible and how can I do? It seems that the only option is to download, as well as a fall on a document that indicate how to go back but still doesn't explain not how can I get a copy of the old firmware. Thank you

  I think that Cisco pulls some of the older minor revisions out of the web for major versions when the image becomes a bit old. 3.5 (3), you should be fine with 3.6 (which is available for download). You cannot copy the picture from the hub as far as I know.

• What has replaced the vpn concentrator?

  Greenhorn here, I was not to sit in this place.  We have three remote sites, sister of institutions, we share an app with.  Host us the app.  A site has a configuration of vpn concentrator, the other two use a leased from point to point line. They each have a router that connects to a single router.  They want to replace the lines leased by using a vpn.  Do the digging, I see that the hubs are EOL.

  So, what is used to replace the hub today?  What is a solution today from leased lines? They are all poor profit. My guess is that they will say look on Ebay for a hub if the solution is too expensive.

  Thanks Jim

  Jim

  The package of security (CISCO2901-SEC/K9 or CISCO2921-SEC/K9) is the convenient way to get the combination of the router, the software and licenses you will need. I don't think that you need something more elaborate than one of these security packages.

  I think one of these would be a good choice for you. It's been a while since I looked at the details of these routers. My recollection is that the 2921 offers more power, more interfaces and a few other benefits and would be attractive to many of us. But I think I understand your needs, I believe that the 2901 router cheaper and quite adequate for you.

  HTH

  Rick

• VPN failover between the ASA

  I do a search in the search of the best solution for switching between two ASA and hoped that someone wants to point me in the right direction.

  The situation is this, we got:

  -Head Office 2:

  Each is equipped with an ASA 5505

  -10 branches

  Each is equipped with a 887 integrated services router.

  Each is BranchOffice must have a redundant VPN connection at the headquarters of these two, and they all need to use the first person as main and the other in high school. In case of failure, all branches need to use the second connection VPN going the second seat.

  In my research, I'm looking for the best possible solution, with faster failover, but have no idea where to start my research.

  I hope someone has a good answer for this one.

  Thank you very much in advance,

  Kind regards

  Dwayne

  I do not understand why people continue to use ASA devices for VPN endpoint.  the ASA is NOT designed for complex VPN scenarios.  It is designed for simple scenarios.  In terms of VPN by using comparison, ASA is a person with a basic education while Cisco IOS is like a person with a college degree.

  For the scenario, you will be much better using Cisco IOS routers everywhere, where you can implement the GRE/IPSec or DMVPN.  Both cases will be sastify to your needs.

• Recovery of password on the vpn concentrator 3000 4.0 running above

  Hi all

  I looked in the collection of information about a vpn concentrator 3000 for one our clients who have recently begun to support. We have no documentation on the user name or password for the hub:

  The link on cisco http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_password_recovery09186a008009434f.shtml
  tells you how to reset the administrative password. But can someone confirm after doing so, the hub will retain the old configuration, I am very reluctant to do so because we have no documentation anywhere configuration and saw that you can lose it in some of the old pix/switches/routers.

  Thank you very much.

  For what it's worth, I followed this procedure to properly reset the administrator password on a VPN 3000 Concentrator without loss of the active configuration.

• VPN tunnel between the concentrator 3005 and router Cisco 827

  I am trying to establish a VPN tunnel between the Central Office with VPN 3005 and controller branch Cisco 827 router.

  There is a router of perimeter with access set up in front of the 3005 list.

  I quote the ACLs on the Central perimeter router instructionsuivante to allow traffic to permit ip 3005 - acl 101 all 193.188.X.X (address of the hub)

  I get the following message appears when I try to ping a local host in the Central site.

  Can Anyoune give me the correct steps to 827 and 3005.

  Thank you

  CCNP Ansar.

  ------------------------------------------------------------------------------------------------------

  Debug crypto ISAKMP

  encryption of debugging engine

  Debug crypto his

  debug output

  ------------------

  1d20h: IPSEC (sa_request):,.

  (Eng. msg key.) Local OUTGOING = 172.22.113.41, distance = 193.188.108.165.

  local_proxy = 202.71.244.160/255.255.255.240/0/0 (type = 4),

  remote_proxy = 128.128.1.78/255.255.255.255/0/0 (type = 1),

  Protocol = ESP, transform = esp - esp-md5-hmac.

  lifedur = 3600 s and KB 4608000,

  SPI = 0x83B8AC1B (2209917979), id_conn = 0, keysize = 0, flags = 0x400D

  1d20h: ISAKMP: ke received message (1/1)

  1d20h: ISAKMP: 500 local port, remote port 500

  1d20h: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

  Former State = new State IKE_READY = IKE_I_MM1

  1d20h: ISAKMP (0:1): early changes of Main Mode

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: IPSEC (key_engine): request timer shot: count = 1,.

  You must also allow the esp Protocol in your ACL.

  access-list 101 permit esp any host x.x.x.x (address of the hub)

  Hope this helps,

  -Nairi

• Config VPN concentrator

  We have an existing VPN 3000 Concentrator series. We are the migration of a hosted solution that uses an ASA 5510. The people who will manage the ASA asking all our old hub configurations. From what I see the hub uses a Menu system in function that will take me hours to compile all the information on. Is there an easier way to show the config? Perhaps something like a "show execution" on a router?

  Thomas

  Indeed, there are several options that are easier and better:

  -in the section of the administration, under the direction of file option is a choice for TFTP transfer. You can use this to TFTP configuration file from the hub to a TFTP server.

  - or in the administration section, the file management option contains an option where you can view the config file. and from there you could copy and paste it in a file on your PC. (this is essentially the show run the option)

  HTH

  Rick

• VPN Client AnyConnect 5 migration

  Dear community

  We are migrating the old Cisco VPN Client 5-Cisco AnyConnect.

  I have a couple of ASA-5510 9.1 (1) running the code with a license Base and in the current configuration, all remote users is in the VPN using standard methods of IKE/IPSec with their laptops (no split tunneling, nothing fancy). The VPN Client currently has a profile that is imported into each user's computer and has a pre-shared key that is stored, the solution works very well.

  Management has decided to go for the more AnyConnect version, rather than Apex which I believe meets all our requirements (preview here: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/feature/guide/anyconnect40features.html).

  I have three questions about the migration of Client AnyConnect VPN:

  (1) currently my ASA shows that AnyConnect is disabled (see attached screenshot to see the version). Can I upgrade the license on my ASA? If what comes with AnyConnect or do I need to order it separately?

  (2) is it possible to use the AnyConnect VPN Client VPN profile or should I create a new one?

  (3) can someone direct me to a guide for remote access VPN configuration using the rather than the old VPN Client AnyConnect client? Are there any caveats / pitfalls, I should be aware of?

  Thank you very much!

  Best regards
  Martin

  1 order the AnyConnect license you will get a PAK that you can redeem on the auto-serivce portal to get an activation key for your ASA. (You will need the serial number ASA as well.) This will allow you to "Essentials" AnyConnect (former name for more have together (which now includes Mobile), more or less) and allow you to run the command "anyconnect essentials".

  2. the old style IPsec profiles channel not again SSL VPN ones.

  3. There are many many of them out there. If you are new to it, you can find Pete Long message on the blog useful How - to's:

  http://www.petenetlive.com/kb/article/0000069.htm