VPN IPSEC ASA with counterpart with dynamic IP and certificates

Hello!

Someone please give me config the work of the ASA for ASA Site to Site IPSEC VPN with counterpart with dynamic IP and authentication certificates.

He works with PSK authentication. But the connection landed at DefaultRAGroup instead of DefaultL2LGroup with certificate

authentication.

Should what special config I ask a DefaultRAGroup to activate the connection?

Thank you!

The ASA uses parts of the client cert DN to perform a tunnel-group  lookup to place the user in a group.  When "peer-id-validate req" is  defined the ASA also tries to compare the IKE ID (cert DN) with the  actual cert DN (also received in IKE negotiation), if the comparison  fails the connection fails. know you could set "peer-id-validate cert"  for the time being and the ASA will try to compare the values but allow  the connection if it cannot.

In general I would suggest using option "cert."

With nocheck, we are simply not strict on IKE ID matchin the certificate, which is normally not a problem of security :-)

Tags: Cisco Security

Similar Questions

  • VPN IPSec ASA with two ISP active

    Hi ALL!

    I have a question.

    So I have ASA with 9.2 (1) SW connected to ISP with active SLA.

    I need to configure redundant IPSec VPN via ISP2, while all other traffic must go through isps1. In case if one of the ISP goes down all including VPN traffic must be routed via ISP alive.

    I have configured SLA and it works.

    ciscoasa # display route performance
    Route 0.0.0.0 isps1 0.0.0.0 10.175.2.5 5 track 1
    Route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
    Route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 excerpt 2

    Here we can see if isps1 and ISP2 are RISING, all traffic passes through isps1, but traffic intended for the remote peer IPSec 172.22.10.5 passes by ISP2.

    This configuration works just at the moment when isps1 or isp2 is down or if a static route for 172.22.10.5 deleted. Where two Internet service providers are increasing to ASA does not send the next remote IPSec datagrams.

    ciscoasa # display running nat
    NAT (inside, isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp-search to itinerary
    NAT (inside isps1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp-search to itinerary

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec pmtu aging infinite - the security association
    card crypto cm_vpnc 10 correspondence address acl_vpn
    card crypto cm_vpnc 10 set pfs
    peer set card crypto cm_vpnc 10 172.22.10.5
    card crypto cm_vpnc 10 set transform-set ESP-AES-256-SHA ikev1
    86400 seconds, duration of life card crypto cm_vpnc 10 set - the security association
    card crypto cm_vpnc interface isps1
    cm_vpnc interface isp2 crypto card
    trustpool crypto ca policy
    isps1 enable ikev1 crypto
    isp2 enable ikev1 crypto
    IKEv1 crypto policy 1
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400

    ciscoasa # show ip
    System of IP addresses:
    Subnet mask IP address name interface method
    Vlan1 in 192.168.2.1 255.255.255.0 CONFIG
    Isps1 Vlan2 10.175.2.10 255.255.255.0 CONFIG
    Isp2 Vlan3 10.175.3.10 255.255.255.0 CONFIG

    The main question why?

    Thank you in advance,

    Anton

    Hi anton,.

    If you check the log message on your ASA R301-IS , he's trying to build the tunnel VPN with both IP and it receives packets of asymmetrically your distance ciscoasa.

    TO avoid this asymmetrical connection, point your IP from peers as primary & secondary on your R301-EAST

    set peer 10.175.3.10 10.175.2.10

    Delete the track on your routing entries

    Route isp2 172.22.10.5 255.255.255.255 10.175.3.5

    This should work for you.

    Similalry lower your ISP 2, you should see VPN tunnel is mounted with isps1 one.

    HTH

    Sandy

  • VPN IPSEC ASA with overlap proxy-ID

    All,

    Currently I have a VPN from a single network ASA spoke to a single hub of AAS, so I set up my access lists so that the source is specific to speak it (for example 192.168.1.0/24) and I use the word "any" key for destination.  I need to add a few more VPN connections, so can I just add lower inside specific networks to any instruction in the card encryption.  See below.

    outside_10_cryptomap list extended access allowed object-group home-networks-networks another ip

    outside_20_cryptomap list of allowed ip extended access object-group network inside everything

    card crypto outside_map 10 correspondence address outside_10_cryptomap

    card crypto outside_map 10 set peer 1.1.1.1

    outside_map card crypto 10 the transform-set ESP-3DES-MD5 value

    card crypto outside_map 20 match address outside_20_cryptomap

    card crypto outside_map 20 peers set 2.2.2.2

    outside_map card crypto 20 the transform-set ESP-3DES-MD5 value

    Gregory

    Now I come to think of it, I remember a problem with less specific entries in the ACL before more specific entries.

    So it should work, but you must make sure that the most specific comes before the less specific that you seem to have done with your config.

    Jon

  • L2l VPN between ASA with the IP address public and CISCO2911 behind the ISP router with port forwarding

    Hi all

    My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

    I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with CISCO2911 sitting behind the router of the ISP of an ASA. ISP has informed that I can't ignore their device and complete the circuit Internet on the Cisco for a reason, so I'm stuck with it. The Setup is:

    company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

    where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.

    I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...

    ! ^ ^ ^ ISAKMP (Phase 1) ^ ^ ^!
    crypto ISAKMP policy 5
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    lifetime 28800
    isakmp encryption key * address no.-xauth y.y.y.y

    ! ^ ^ ^ IPSEC (Phase 2) ^ ^ ^!
    crymap extended IP access list
    IP 10.1.15.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    Crypto ipsec transform-set ESP-3DES-SHA 3rd-esp esp-sha-hmac
    card crypto 1 TUNNEL VPN ipsec-isakmp
    defined peer y.y.y.y
    game of transformation-ESP-3DES-SHA
    match the address crymap

    Gi0/2 interface
    card crypto VPN TUNNEL

    Hello

    debug output, it seems he's going on IPSEC States at the tunnel of final bud QM_IDLE's.

    What I noticed in your configuration of ASA box, it's that you're usig PFS but not on 2911 router.

    So I suggest:

    no card crypto OUTSIDE_map 4 don't set pfs <-- this="" will="" disable="" pfs="" on="" asa="">

    Then try tunnel initiate.

    Kind regards

    Jan

  • ASA with A/A and three router ISP links

    Can someone help me, I have a problem I need to connect two ASAs with active and I have three routers to three Internet service providers, how do I optimize the gateway redundancy and load balancing.

    and I can use the router to ASA's private beach.

    Another Question is, do I really need host proxy server-based internet access.

    Please help me.

    Concerning

    One solution is to use the Protocol GLBP routers (OSPF in not available in A/A...).

    "GLBP offer deals on several routers (gateways) load balancing using a virtual IP address single and multiple virtual MAC. Each host is configured with the same virtual IP address, and all of the routers in the virtual routing group are involved in the transmission of packets. »

    GLBP group-load balancing [dependent on host: alternating | weighted]

    (see feature cisco IOS to IOS and hardware available browser.) .

    http://www.Cisco.com/en/us/products/ps6550/products_white_paper09186a00801541c8.shtml

    HTH.

    Roberto

  • Help with dynamic action and the selection list item

    G ' Day Apex gurus.

    I have problems trying to achieve to trigger the Help window from an element automatically select. A Help window is triggered when it is clicked on the label of an item, but my customer wants to be triguered automatically as soon as the user clicks to view the options in the select list.

    I think I should be able to do with dynamic actions but I can't function.

    I know when someone clicks on the label of the item selection list trigger this JavaScript

    JavaScript:popupFieldHelp('277938589795252851','1545903379570909')

    So I want to trigger the javascript also when the user click on the item selection list and pull down the options and for that I think that the dynamic action is the way to go, but I can't do things.

    That's what I have to do:

    I created a dynamic option as follows:

    Name: test
    Sequence: 30
    Even: click
    Selection type: product (s)
    Article (s): P1_RATING <-a selection list item
    Condtion: - no requirement.

    Real Actions
    Sequence: 10
    Action: Run the JavaScript Code
    Fires when the result of the event is: true
    Fire on loading the page: checked
    Code: javascript:popupFieldHelp('277938589795252851','1545903379570909')

    Thank you anyone who can tell me what I'm doing wrong here or bring a solution to my problem to trigger the Help window from an element automatically select.

    Kind regards
    Carlos

    Hi Carlos,

    I've set up a test case of exactly in the same way and it worked fine for me. I've created a page element called P1_DA_DEMO and added some values of the static selection list, then added a help text. I used the settings are lower, I suggest you try again, but also make sure that you have no other Javascript errors on the page. Use a tool like firebug to check.

    Name: Action Dynamics demo
    Sequence: 10
    Even: click
    Selection type: product (s)
    Product (s): P1_DA_DEMO<- a="" selection="" list="">
    Condtion: - no requirement.

    Real Actions
    Sequence: 10
    Action: Run the JavaScript Code
    Fires when the result of the event is: true
    Fire on loading the page: unchecked
    Code: javascript:popupFieldHelp('277938589795252851','1545903379570909')

    Scope of the event set a Bind s.

    Thank you

    Paul

  • VPN ASA ASA with dynamic IP of the branch

    Hello

    I would like to connect a private network Virtual Office HQ to a branch using two ASAs.

    I have a 5520 in the HQ and 5505 in the branch.

    My problem is in the office where I have a dynamic IP (ADSL).

    I couldn't find an example of this type of configuration.

    Can you help me?

    Kind regards

    Sergio Santos

    Hi Sergio,

    Well, you have two options:

    • Dynamic to static L2L tunnel:

    On the 5520, you must configure a dynamic encryption card because you don't know the IP address the 5505 will have and even if you IP address may vary. So:

    Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

    Crypto-map dynamic dynmap 1 transform-set RIGHT
    Crypto-map dynamic dynmap 1 the value reverse-road
    map mymap 10-isakmp IPSec crypto dynamic mymap
    mymap outside crypto map interface

    If you already have other tunnels already configured them just change the name of the crypto map that I used above with one you already have, in the example I used a sequence of 10 number because I have more tunnels in place but you need without ensuring that the card encryption where you attach the dynamic crypto map has the highest value! ID recommend using a value of 65535, which is the highest, you can use, this will allow you to configure static tunnels in the future without having need to reconfigure one you linked to the dynamics.

    Besides that you must configure the tunnel-group... but as you know for tunnels L2L with PSK in MainMode tunnel-group name MUST be the IP address peer, and in this case, we do not know, do not worry, we can configure the PSK under the DefaultL2LGroup

    IPSec-attributes tunnel-group DefaultL2LGroup
    pre-shared-key *.

    That's all you need on the 5520, in addition to the basic configuration PH1 for the construction of a tunnel.

    On 5505 all you need to do is to set up a regular tunnel because from the point of view 5505, we know the IP address of the 5520 and it will not change:

    map MYMAP 1 IPSec-isakmp crypto
    defined peer X.X.X.X
    Set transform-set RIGHT
    match address MYCRYPTOACL

    Group of tunnel X.X.X.X IPSec-attributes
    pre-shared-key *.

    • The other option will be to configure EzVPN you use a 5505

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/ezvpn505.html

    HTH!

  • IPSec VPN between ASAs with same subnet for disaster recovery

    Hello

    I need some clarification from you guys.

    To do disaster EasyVPN tunnels for the Cisco ASA 5505 firewall recovery site. Now, there is only one main site and 3 remote sites.

    Dr., must use the same subnet that it is on the main site because virtual machines Vmware will be replicated to DR.

    For the DR we use Double-Take software.

    What is the best solution for this? I think we could use NAT of Destination on ASAs. Other sites (HQ and remote control) will be directed to only address NAT of the

    DR and not real which is the same as on the main site.

    So guys, will this work? We are using IPSec VPN? In packet - trace on ASA, I see that the package is the first using a NAT, and then encrypted, so it should work, Yes?

    I hope someone can confirm this.

    I can confirm that this will work certainly,

    for prior type natting see 8.3:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml#diag

    for 8.3 and later it is also achievable.

  • LT2P configuration vpn cisco asa with the internet machine windows/mac issue

    Dear all,

    I have properly configured configuration vpn L2TP on asa 5510 with 8.0 (4) version of IOS.

    My internet does not work when I connect using the vpn. Even if I give power of attorney or dns or I remove the proxy

    It does not work. only the resources behind the firewall, I can access. I use the extended access list

    I tried also with the standard access list.

    Please please suggest what error might be.

    Thank you

    JV

    Split for L2TP over IPSec tunnel tunnel is not configured on the head end (ASA), it must be configured on the client itself, in accordance with the following Microsoft article:

    http://TechNet.Microsoft.com/en-us/library/bb878117.aspx

  • VPN between PIX with dynamic IP

    Can I make a VPN over the Internet with PIX or IOS VPN in each IP address dynamic and extreme (DHCP client) in the two extremes?

    Thank you

    If siempre sepas than las direcciones los extremos back there sets in el momento iniciar el tunel in peripheral los.

    Distinto are TR UN extremo tiene IP fija y el otro dinamica (vpn easy for example you can help ahi)

    --

    Alexis Fidalgo

    Systems engineer

    AT & T Argentina

  • VPN to ASA with ISE and Posture

    Hello

    I'll put up a new facility of ISE. I want to install AnyConnect 4.1 and use ISE for authentication & posture validation. I'm ok with the side of the authentication of things.

    http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-app...

    This configuration applies to time AnyConnect 3.1 & 4.x?

    Any help would be appreciated.

    Thank you

    Hi Stuart,

    Yes - this configuration applies as well to the AC3 and AC4.

    The new feature of AC4 is available directly from ISE ability:

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...

    But the posture itself works in a similar way.

    Thank you

    Michal

  • VPN L2L ASA with NAT

    Hello, I was hoping someone might have an example of a site to site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration like this, but instead of "not nat", the ASA is NATting. So instead of the remote site, connect to the local network 10.10.10.0/24, ASA would be NAT at 172.16.17.0/24 for example.

    http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

    Thank you.

    Mike

    It's not very complicated, just keep in mind that NAT is done before the encryption.

    So if you your network 10.10.10.0/24 nat internal to 172.16.17.0/24:

    public static 172.16.17.0 (Interior, exterior) 10.10.10.0 netmask 255.255.255.0

    You can use the address translated into your crypto-ACL:

    REMOTE VPN ip 172.16.17.0 access list allow REMOTE-NET 255.255.255.0 255.255.255.0

    I suppose that you run ASA v8.3 + that you referred to an older document. If you have a more recent software, the logic is the same but the NAT commands differ.

    Sent by Cisco Support technique iPad App

  • IOS - help with VPN IPsec L2L with NAT

    Hello guys

    I tried to get VPN to work for a specific scenario where I do NAT for VPN traffic to avoid the duplication of subnet.

    I found several guides on cisco.com, but all the ones I found does not (or how) overload NAT (for internet traffic), I need for my setup.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml

    http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

    Basically, I need to know how the configuration looks like when make you static NAT in a VPN tunnel as well as provide internet connectivity using NAT in the same router?

    I have attached a drawing that needs to better explain my needs.

    Someone knows a guide that shows how to do this?

    Best regards

    Jesper

    You can use a static policy NAT NAT the traffic:

    access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

    access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

    access-list 102 permit ip 10.0.0.0 0.0.0.255 any

    policy-NAT allowed 10 route map

    corresponds to the IP 101

    internet-NAT allowed 10 route map

    corresponds to the IP 102

    IP nat inside source static network 10.0.0.0 road policy-NAT 10.30.10.0/24-feuille

    IP nat inside source map route internet-NAT interface overloading

    Hope that helps.


  • activation / deactivation of field with dynamic action and apply the attribute 'required value.

    Hello

    Wanted to know how to force the 'required' attribute for the element off after that is "activated" by a dynamic action.

    For example, consider employee form.  I would like to disable the column of employment and salary.  As soon as the user enters the name of the employee, I will 'activate' JOB and SAL columns using "dynamic action".

    IMG-1.png

    IMG-2.png

    And above works fine.  Please note that both JOBS & SAL of columns 'NULL' according to the DB table.  My question is, how to comply with the condition of 'value' Yes, after allowing them.

    Another example would be, when the user selects 'Check' or 'Project', the 'no project' column will be activated.  Otherwise, "Project No." column is disabled (that is, the value is not required).  However, when turned on, I want to apply "value required" in this column.   How to get there?   (I use APEX 4.2.6)

    Thank you

    -Anand

    Why you do not create a function that returns a Boolean, validation of the page?

    You can do something like

    BEGIN

    IF: P5_ENAME IS NOT NULL THEN

    IF: P5_JOB IS NULL THEN

    Returns false;

    ON THE OTHER

    Returns true;

    END IF;

    END IF;

    END;

    You can change it to any desired column.

  • Works with dynamic sql and list of numbers as return value

    Hello.

    Problems:

    1. How can I insert the USERNAME variable in the string so it will be replaced over time.
    2. I intend to return a list of IDS as 1,4,6,7,2 I want to use later in an IN clause.

    How to complete the return function with the dynamic sql output variable?
    I have no preference to dynamic sql but it was just something that came into my mind
    When I thought that the implementation of the obligation to choose a list of offices for specific user groups.
    (select statements from the sample are cut short, they're actually really big and I want to reuse this function in my)
    BI Publisher data model for multiple modells).


    CREATE or REPLACE FUNCTION F_OFFICES (-input parameters)
    USERNAME IN VARCHAR2
    USERGROUP IN VARCHAR2,
    )
    -Output parameter
    RETURN VARCHAR2 AS
    dynSQL VARCHAR2 (1000);
    BEGIN

    IF USERGROUP = "local" THEN

    dynSQL: = 'xxx SELECT FROM CO_B WHERE Userid = username';

    ELSIF USERGROUP = "regional" THEN

    dynSQL: = "SELECT...". » ;

    ELSIF USERGROUP 'federal' = THEN
    dynSQL: = "SELECT...". » ;

    END IF;

    EXECUTE IMMEDIATE dynSQL;

    -RETURN?;

    END F_OFFICES;


    Thanks for any help.

    As you have presented essentially pseudo-code we can only give you a Pseudo-solution :)

    But the principle is:

    ...
--Output parameter
RETURN VARCHAR2 AS
    dynSQL VARCHAR2(1000);
    return_value varchar2(30):
BEGIN

  IF USERGROUP = 'local' THEN
    dynSQL:= 'SELECT xxx FROM CO_B WHERE userid = :1'; -- placeholder for parameter

   ...
  END IF;

  EXECUTE IMMEDIATE dynSQL
     using USERNAME -- pass parameters in placeholder order
     into return_value;   -- obviously this must match the projection of the dynamic query 

  RETURN return_value; 

END F_OFFICES ;

    This approach is not good if you want to vary the dynamic query projection. In this case, you can use a REF CURSOR or maybe DBMS_SQL.

    Cheers, APC

Maybe you are looking for