VPN & endpoint assessment
Hi all
I have a question about DAP and endpoint assessment.
We are looking to replace our PIX with ASAs. One of the requirements will be remote VPN access. We have about 25 people with company-issued laptops who need the ability to VPN in. We also need to support vendors accessing the network through a VPN tunnel, and another 25 users who need remote access that can be covered by WebVPN.
My question is: how do I identify my computers? I don't want a key fob, token generator or anything like that, nor do I want to audit antivirus or anything like that. I just want to put a watermark on the computer so I know it's ours.
- If it is one of our computers, and they belong to the right AD groups, then they get access to certain subnets.
- If it is not one of ours, but they belong
I'm looking at the IPS version of the ASA and adding SSL VPN licenses.
Is the Advanced Endpoint Assessment license everything I need? Do I have to add Cisco Secure Desktop licenses? Are Secure Desktop licenses included in the Advanced Endpoint Assessment license?
Thank you
Ben
"How to identify my computers? I'm not a fob key - gen or something like that. Nor do I want to enter audit antivirus or something like that. I just want to put a water mark on the computer, so I know that it's ours. »
HD > You can do a file check, registry check, or process check through CSD hostscan. This does not require the "Advanced Endpoint Assessment" license, but it does require the full SSL client license (the AnyConnect Essentials SSL license does not support hostscan features). Keep in mind that the traditional IPsec RA client does not do hostscan at all.
"- If this is one of our computers and they belong to right ad groups, then they get access to certain subnets."
HD > You can do this with simple authentication such as RADIUS or LDAP. For example, you can configure an LDAP attribute map to say that when we receive a given AD attribute (such as memberOf), we give the user a specific group policy that exists on the ASA. Search for "asa ldap group policy" on cisco.com and the first document link should be the right one to give you further instructions on this.
"If this isn't one of us, but they belong"
HD > If a user does not match any LDAP attribute map entry as described above, the user automatically gets the default group policy of the connection profile. You can configure that group policy to be more restricted or to grant no access at all.
Your other option, if you don't want to map LDAP attributes, is to use DAP. Again, this does not require the "Advanced Endpoint Assessment" license, but if you need hostscan features (AV, FW, file check, registry check, etc.) it will require the full SSL client license (the AnyConnect Essentials SSL license does not support hostscan features). Also, once again, IPsec does not support any of the hostscan stuff (AV, FW, file check, registry check, etc.), so the 'endpoint ID' section you see in the ASDM DAP policy is out of bounds for IPsec, but the IPsec VPN can use the 'AAA' attribute part of the DAP policy to make a match. So you can still make it work with DAP if you wish.
If you have more questions about the config described, I'd open a TAC case.
-heather
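A worked ASA configuration for the LDAP attribute-map approach Heather describes, added here as an illustration and not taken from the original thread. The domain controller address, base DN, service account, AD group DNs, group-policy names, the 10.10.20.0/24 and 10.10.30.0/24 subnets and the client pool are all assumptions; replace them with your own. DAP rules and hostscan registry/file checks are built in ASDM and are not shown here.

```cisco
! --- Added example: addresses, DNs, names and subnets below are assumed, not from the original post ---

! Map the AD memberOf value to the name of a group-policy that exists on the ASA
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" GP-FINANCE
 map-value memberOf "CN=VPN-Engineering,OU=Groups,DC=example,DC=com" GP-ENGINEERING

! LDAP server pointing at the domain controller, with the attribute map attached
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! Per-group reachability: in a vpn-filter ACL the source is the VPN client, the destination the inside subnet
access-list VPN-FINANCE-ONLY extended permit ip any 10.10.20.0 255.255.255.0
access-list VPN-ENG-ONLY extended permit ip any 10.10.30.0 255.255.255.0

group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPN-FINANCE-ONLY

group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPN-ENG-ONLY

! Fallback for users who authenticate but match no mapped group:
! zero simultaneous logins means the session is never established
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

ip local pool RA-POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0

! Connection profile: authenticate against AD, default to the no-access policy
tunnel-group RA-STAFF type remote-access
tunnel-group RA-STAFF general-attributes
 address-pool RA-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group RA-STAFF webvpn-attributes
 group-alias staff enable
```

To check the mapping without a client, run `test aaa-server authentication AD-LDAP host 10.1.1.10 username <user> password <pw>` with `debug ldap 255` on; the debug output shows the memberOf values returned and the Group-Policy the map produced. Once users connect, the Group Policy column of `show vpn-sessiondb anyconnect` confirms which policy was applied. memberOf is multi-valued, so a user in two mapped groups matches two entries; keep such users in one VPN group, or use DAP, if the ordering matters.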
Tags: Cisco Security
Similar Questions
-
Just to confirm that the VPN endpoint must be on a physical interface on an ASA
I have a client who is changing their public IP address range. Currently the OLD IP is on the physical Internet interface, and the NEW one is on the ASA. For the ASA to be able to use the NEW IP as the VPN endpoint, it must be on a physical interface, so I'm thinking of running a trunk to the Internet router so that the NEW range can have a physical interface, and then the VPN can be moved over to the NEW IP.
Hi Richard,
Yes, it must be on a physical interface. Because you cannot configure a secondary IP on the ASA, the only approach I can think of is to set up a trunk as you suggest. Unless you use proxy ARP :).
HTH.
Kind regards
Terence
-
Same subnet on all the VPN endpoints?
Does anyone know if it is possible to have the same subnet on all the endpoints of a hub-and-spoke VPN tunnel topology? I need to create 18 ASA5505 tunnels back to an ASA5510. Instead of having 18 subnets out there, it sounds more efficient for my application to just have one. Sort of a CLOUD (there's that word) inquiry.
I was wondering.
Of course, read below:
http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html
-
Site-to-Site VPN, traffic endpoint on the loopback, and alternate ping packets dropped
Hi team,
This is my first discussion. Today I came across a new scenario where I was able to establish the site-to-site VPN tunnel between two sites. To my amazement, I am able to successfully ping from the router (Site A) to the server without drops, keeping the source as fa0/1 (172.25.170.1). However, alternate packets from the LAN segment (hosts) are dropped while reaching the server. Please find the picture below:
R2 is the ISP
We are required to use private WAN IP addresses, so we have no choice other than to keep the public IP address on the loopback. To create the site-to-site, I applied the crypto map on the outside interface fa0/0 with IP 1.1.1.1. Then I used the crypto map local-address loopback 1 command to bring the tunnel up using the loopback as the local VPN address. I then set a route on Site1 for the local LAN traffic to go out fa0/0 so that the interesting traffic enters the crypto map.
Now everything works well from the router to the server; however I get alternate ping drops (50% success). I am not able to solve this problem. The result above is the same on real hardware and in GNS3.
Please help
I think it's a bug in IOS. I disabled IP CEF and now it works, but it is only a workaround; to really make it work I need an IOS update.
-
Loopback interface as the VPN client endpoint at the site
My project consists of 871 SOHO routers connected to a 3845 head-end router over the MPLS network, unencrypted, for data communication. For the client PCs behind the 871 router at a remote site, they need to activate the Cisco VPN Client and connect to the 3845 head-end so that they can access resources behind the main 6506 switch.
To minimize the setup, I would like to prepare a single VPN profile for all remote sites. So I plan on using int lo0 as the VPN endpoint. However, I have found that when the VPN connection is established to int lo0, the remote client computer can ping lo0 only, but cannot ping any other IP address. However, when I set up the connection to the physical interface IP address of the 3845 router, the connection is OK.
I have attached my config for the VPN and the diagram. Can anyone help?
Hello
You need to change your split tunnel ACL:
ip access-list extended FEHD_VPN
 remark * outbound VPN client traffic *
 permit ip 10.0.0.0 0.255.255.255 10.65.215.0 0.0.0.255
Note: I don't know what the purpose of "permit ip host 0.0.0.0 host 0.0.0.0" is.
-
How many VPN sessions max does my ASA support?
This is my show version output on the ASA5512.
Does "Other VPN Peers: 250" mean that I can use 250 IPsec sessions? Can I still use max 250 Cisco AnyConnect Secure Mobility Client sessions?
Does "Total VPN Peers: 250" mean that I can use 2 AnyConnect Premium + 248 IPsec, or 250 IPsec sessions, at the same time? Does "AnyConnect for Mobile: Disabled" mean I can't use the AnyConnect Secure Mobility Client (smartphone apps) to connect to the ASA over AnyConnect SSL? Can I use the AnyConnect Secure Mobility Client (smartphone apps) to connect to the ASA over IPsec?
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
THX
Hello!
The ASA5512 can hold up to 250 concurrent VPN sessions of any type: IPsec site-to-site, IPsec remote access, AnyConnect SSL VPN, IPsec IKEv2, or even clientless VPN.
This means you can use 2 AnyConnect Premium + 248 IPsec site-to-site VPNs. Or, for example, 200 simultaneous IPsec site-to-site VPNs + 25 VPN Client (IPsec IKEv1) + 25 AnyConnect VPN (SSL or IPsec IKEv2). But not more than 250 in total at the same time.
"AnyConnect for Mobile" is now obsolete. The AnyConnect licensing scheme changed in early 2015. You can see the new scheme here:
http://www.Cisco.com/c/dam/en/us/products/security/AnyConnect-og.PDF
With the new scheme, if you need to connect mobile devices (iOS, Android and so on) using the AnyConnect client, you just need an AnyConnect Plus license for the required number of users/devices. The AnyConnect Plus license opens up the following lines in the show version output:
AnyConnect Premium Peers : 250 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
But, despite the output "AnyConnect Premium Peers : 250 perpetual", you are entitled to use no more than the amount ordered. If you need advanced features, for example Suite B cryptography or clientless VPN, you must order the AnyConnect Apex license for the required number of users/devices. For the ASA5512 you need to order AnyConnect Plus or Apex licenses, but for no more than 250 users, because the ASA5512 can't take more than 250 simultaneous connections. If you want to use the AnyConnect client on mobile devices and you use IPsec IKEv2 for the VPN, you will also need to order AnyConnect Plus or Apex licenses. I hope this helps.
-
Which VPN client for ASA 5550 AnyConnect Premium connections?
We have a couple of ASA 5550s running version 9. I want to set up a VPN client for use with remote administration access. We have the included AnyConnect VPN Premium license with 2 peers, so I guess we can just use the Cisco AnyConnect VPN client. I went to Cisco's website and it says that I am not entitled to the latest AnyConnect VPN Client 4.x, but I do have access to version 3.x.
Is the 3.x client compatible with the ASA and also with Windows 10?
If yes, what is the correct file to use? There are many files listed for download under AnyConnect 3.x.
In addition, what is the difference between the AnyConnect 3.x and 4.x client, and why is Cisco restricting 4.x?
Jim
AnyConnect 4.x has changed the licensing model. AnyConnect 4.x licenses are term-based vs. perpetual for 3.x. There are a number of other differences, mainly due to there being only two license types, Plus and Apex: no more Mobile, Advanced Endpoint Assessment, shared VPN, etc. Cisco offers a nominal- or no-cost license migration until the end of 2015 (depending on what you have: Essentials to Plus, or Premium to Apex).
AnyConnect 3.1 will work with Windows 10 and the latest version of the ASA software (since version 3.1.10010). Reference:
http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...
There are two ways it is distributed: as a standalone installation, or as a package for distribution from the ASA headend. Both come in Windows, Mac OS X and Linux distributions. For a Windows client, you must use either:
anyconnect-win-3.1.12020-pre-deploy-k9.iso
anyconnect-win-3.1.12020-k9.pkg
...for the current versions of these respective form factors.
-
AnyConnect VPN on Cisco ASA 5505 refuses connections
I'm trying to set up my Cisco 5505 for VPN access with the AnyConnect VPN client. Here is the relevant information from my config:
interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any any
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpn
policy-map global_policy
class inspection_default
inspect pptp
inspect http
inspect icmp
inspect ftp
!
When I try to connect, I get this error in the real-time log viewer:
TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
Here are the details of the license:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Can someone tell me what I am doing wrong, or which access list I'm missing?
I have two Cisco ASA 5510 firewalls with a similar configuration and the AnyConnect SSL VPN works great.
Hi Matt,
You are probably landing on the default tunnel-group; you will need to tell the client which group to connect to. This can be done in different ways. I see that you already have group aliases defined, but to be able to use them you must configure:
webvpn
 tunnel-group-list enable
Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ enable' to the tunnel-group webvpn-attributes.
HTH
Herbert
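The complete connection-profile piece Herbert refers to, written out as an added example (not from the original post) in the same 8.x `svc` syntax the poster's config uses. The pool name `palm`, the image path and the outside address `A.A.A.A` come from the posted config; the group-policy, tunnel-group and alias names, the URL path and the LOCAL user are assumptions.

```cisco
! --- Added example: GP-ANYCONNECT, RA-ANYCONNECT, the alias/URL path and the user are assumed;
! --- 'palm', the image path and A.A.A.A are taken from the posted config ---
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 ! without this line the client is never offered the alias and lands on the default tunnel-group
 tunnel-group-list enable

! Dedicated group-policy for AnyConnect instead of putting everything in DfltGrpPolicy
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol svc
 address-pools value palm
 webvpn
  svc ask none default svc

tunnel-group RA-ANYCONNECT type remote-access
tunnel-group RA-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
 authentication-server-group LOCAL
tunnel-group RA-ANYCONNECT webvpn-attributes
 ! option 1: a selectable alias (needs tunnel-group-list enable above)
 group-alias remote enable
 ! option 2: a dedicated URL; pointing the client at it selects this profile directly
 group-url https://A.A.A.A/remote enable

username vpnuser password <password>
username vpnuser attributes
 service-type remote-access
```

With option 2 the client is given `https://A.A.A.A/remote` as the server; with option 1 it is given `A.A.A.A` and picks `remote` from the group drop-down. `show webvpn svc` confirms the image is loaded and `show vpn-sessiondb svc` lists established sessions together with the group-policy and tunnel-group they landed on.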
-
Hi all
Well, I haven't done a Linksys VPN configuration in a while and have forgotten most of it, so I was wondering if somebody could please share any knowledge and help with my questions.
What I want to do is create VPN tunnels between 2 remote sites for VoIP traffic. At both ends of my tunnel I have a Linksys router. The main site that the two remote sites are connecting to has an RV042.
So here's what I need to know:
1. If I have an existing VPN that runs through the router (the router is currently not my VPN endpoint, a server is), when I place a VPN endpoint on the RV042, will my existing VPN still be functional?
2. Once the branch establishes a tunnel with the RV042, how will traffic that is intended for the internet flow? I want only certain traffic to flow through the tunnel, more specifically the VoIP traffic.
3. Once the branch establishes a tunnel with the RV042, how will the RV042 forward it? Also, I want just the VoIP traffic through the tunnel; anything that is intended for the internet should not go through the tunnel... In other words, split tunneling on both ends of the tunnel.
The RV042 router is the VPN headend, or head office if you want...
RV-042 Firmware: 1.3.12.6-tm
Ideas or things I should look out for? Is this possible to do?
Re 1. Perhaps. If you connect to the same endpoint both from the router and from a server within the local network, then you will most likely run into difficulties.
Re 2/3. Both sides define the traffic that is tunneled based on IP addresses. You define a local and a remote security group that essentially define the IP addresses in the source and destination part of each IP packet. If those match, the traffic is tunneled. If they do not match, the traffic is sent outside the tunnel. The tunnel configuration does not specify particular protocols or ports; you can only do this based on IP address. If you use softphones on the computers, you will not get it to work as you want, because you can't separate the VoIP traffic from the computer's other traffic. If you use hardphones, you could put all the phones in a specific subnet or address range and then configure that only those IP addresses go through the tunnel.
-
When I connect to the VPN from my laptop at home (using a wireless connection), I can't access the Internet.
Any help?
Hello
Depending on the system and its configuration, it is not always possible to solve this problem.
However, try this.
Make sure that the default route has NOT been changed to the VPN server.
Open the properties of your VPN connection.
Go to 'Networking'. Double-click the TCP/IP protocol. Use the "Advanced" button. Disable the default gateway option.
The best solution, if you are using a cable/DSL router which is also the home VPN endpoint, is to take the VPN off the computer.
Example, http://reviews.cnet.com/routers/instant-broadband-etherfast-cable/4505-3319_7-20292080.html
Jack-MVP Windows Networking. WWW.EZLAN.NET
-
Cisco VPN Client Authentication - PIX 515E-UR
Hi all
I need your expert help on the following issues I have:
1. I would like to create more than one VPN client group on my PIX 515E. This is so that I can give different parts of the internal network access to different types of VPN connection. For example, I want one group to have no XAUTH, while the other group must use RADIUS XAUTH. Is it possible for me to do this? I see the PIX automatically enables RADIUS on both VPN client groups.
2. The RADIUS server is a Microsoft ISA server with IAS, and it is located on the PIX inside interface. The VPN endpoint is the external interface of the PIX. Is there a problem with this setup? Do I need to have the RADIUS server located on the external interface?
3. What command can I use to debug RADIUS authentication?
Thanks in advance for your help.
Hi Vincent,
(1) You can use the vpngroup * authentication-server ipaddress command to specify the IP address of the RADIUS server for a particular group... If you do not specify this, user authentication is done locally... Also check the vpngroup * user-authentication command.
(2) There should be no problem with your setup... it should work fine... If the RADIUS server is on the outside, it is exposed to many attacks... so keep it inside...
(3) Use "debug radius session" or "debug aaa authentication..."
I hope this helps... all the best... Please rate responses if you found them useful.
REDA
-
Hello guys.
Working on a project with 14 sites. The design would be hub and spoke, and we'll use VPN to connect the sites to each other.
Now I need to know about the design:
1. router ---> firewall ---> internet
or
2. firewall ---> router ---> internet, with CME.
The ASA will be the VPN endpoint. And I know that a firewall does not support GRE and DMVPN. So how do I make the hub and spoke work?
Kind regards!
Ansar Jules
If you already have the ASA, then put it on the outside. You will have to build a lot of site-to-site VPNs, because there is no hub and spoke like on routers with DMVPN support.
-
VPN tunnel on ASA 5520 (DMZ + INSIDE) destined for OUTSIDE
I can't find any reference to this anywhere else.
We have an ASA 5520 at our HQ site (inside network) with several regional subnets on the DMZ interface.
We need site-to-site VPN connectivity between the INSIDE and a remote site on the OUTSIDE, as well as between the DMZ subnets and the same outside site. The OUTSIDE interface of the ASA must be the local VPN endpoint for all tunnels.
I created an S2S VPN between the INSIDE and the OUTSIDE site and it works great.
When I create an S2S VPN tunnel between a DMZ site and the same outside site (using the same local and remote settings, but with a different crypto map because the local subnet (DMZ) is different from the inside subnet), the traffic gets mapped (show crypto isakmp sa) to the same crypto map that was created for the INSIDE-to-OUTSIDE tunnel instead of the new crypto map, so the remote endpoint drops it, and the traffic also causes invalid SPI errors at the remote endpoint, which makes the original INSIDE-to-OUTSIDE VPN tunnel drop from time to time.
Is this a bug?
I also did a test configuring a local S2S VPN tunnel with the local networks being everything on the INSIDE and the DMZ. Using the S2S VPN wizard, the ASA only creates a NAT exempt rule for the subnet on the INSIDE interface. Can I manually create another NAT exempt rule for the DMZ side and use a single S2S tunnel to connect both the inside and DMZ sites to the remote OUTSIDE site in one connection profile?
I'm building a Rube Goldberg?
Thank you
George
Hi George,
It seems you have an overlapping situation there. Are you sure that the inside subnets don't overlap with the DMZ networks? A packet-tracer could clarify what the ASA is actually sending.
In addition, you can merge the two interfaces into the same crypto map if you wish; just make sure that the NAT is configured correctly. For example: nat (any,outside) source static...
Hope it helps
-Randy-
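A worked configuration for the single-crypto-map approach Randy suggests, added here as an illustration and not taken from the original thread, in ASA 8.3+ object NAT syntax. The 10.1.0.0/16 inside and 10.2.0.0/16 DMZ subnets, the 192.168.50.0/24 remote subnet, the peer 203.0.113.10, the interface name `dmz` and all object and map names are assumptions.

```cisco
! --- Added example: subnets, peer address, interface and object names are assumed ---
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object network DMZ-NET
 subnet 10.2.0.0 255.255.0.0
object network REMOTE-NET
 subnet 192.168.50.0 255.255.255.0
object-group network LOCAL-NETS
 network-object object INSIDE-NET
 network-object object DMZ-NET

! One crypto ACL covering both local interfaces; the remote side's ACL must be the exact mirror
access-list VPN-TO-REMOTE extended permit ip object-group LOCAL-NETS object REMOTE-NET

! Identity (exempt) NAT for each local interface pair; the wizard only creates the inside one
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
nat (dmz,outside) source static DMZ-NET DMZ-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! A single crypto map entry for this peer. Entries are evaluated in sequence order and the
! first ACL match wins, so two entries for the same peer whose ACLs overlap would send
! DMZ traffic down the inside entry; that is why overlapping subnets matter here.
crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <key>
```

`packet-tracer input dmz tcp 10.2.0.10 12345 192.168.50.10 443` walks a DMZ packet through the NAT and VPN phases and shows whether it hits the exempt rule and the crypto map. The ASA expands the object-group into separate proxy identities, so `show crypto ipsec sa peer 203.0.113.10` lists one SA pair for 10.1.0.0/16 and one for 10.2.0.0/16; the remote side must accept both, either with two entries or with its own group object.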
-
Using VPN Client coming out behind a PIX
As I understand it, a PIX can operate as a VPN endpoint for IPsec tunnels, or allow IPsec traffic to pass through to other endpoints behind it. My PIX is an endpoint, but there are a few users who wish to use the VPN Client to connect to outside endpoints beyond the firewall.
Is it possible to configure a PIX to both pass through IPsec traffic AND be an endpoint?
On a related note, can two software VPN client hosts connect to each other?
Thank you
Marc
My company's PIX does exactly what you described: there is a LAN-to-LAN VPN, and we also establish VPNs to other companies via a software VPN client.
Regarding the pass-through you described, it should not need additional ACLs or configuration, assuming there is no ACL on the PIX. One thing to note is that the other end (i.e. the remote VPN client endpoint) needs NAT traversal, since the local PIX usually performs NAT/PAT.
However, a VPN directly between two clients is not feasible, as the name suggests (they are both clients).
-
Hello, hope you can help me:
I need to configure an IPsec VPN on an ASA5505 with a .PFX certificate to authenticate with the VPN endpoint. I can install the certificate as a certificate authority, but when I use the Site-to-Site VPN wizard, I enter the peer IP address and then try to select the certificate that was imported; when I click on the certificate name, there is no certificate.
How can I solve this problem?
Thanks to all in advance
Hello
Do you see the imported certificate as an ID cert? If so, you can follow this guide:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
HTH
Averroès.