5505 - Network Authentication

Apr 16, 2012

We have three AD/DCs (2) in the datacenter and (1) locally

A couple of our users cannot:
Install a program that authenticates against AD
Create Mapped drives on their workstations

All of these users have full local Admin rights on their workstations.

I've restarted all the AD/DCs

I've checked and modified local security policy a couple of different ways.

I've checked Kerberos authentication logs for errors.

On the static machines I've individually tested each of the DNS servers with no issues.
Here's the weird part:

Take those same machines...and move them into our static IP range 10.10.1.2-254 and boom (things start working).

Example of our network

10.10.1.1 /24 256 addresses Static Win 2003 R2

10.10.2.1 /23 512 addresses DHCP via ASA 5505 at a remote site

10.10.4.4 /23 512 addresses DHCP Win 2003 R2 with some of the addresses excluded at the datacenter and the other addresses excluded from distribution locally: This is so that when we have an outage machines don't go nuts from the loss of contact to the DHCP at the datacenter.

10.10.8.1 /22 1024 addresses DHCP Win 2003 R2 Not in use currently.

View 19 Replies



Cisco VPN :: ASA 5505 - VPN Authentication Via LDAP?

Oct 16, 2011

I have a Cisco ASA 5505 with Security Plus. I configured remote VPN on the ASA for LDAP authentication, which works as I want. Now I have a requirement that some users need to get access via remote VPN, but they are not part of OUR SERVER Active Directory. Is it possible for users to have remote VPN access without creating an account in AD, and to perform local authentication via the firewall for them?

View 1 Replies View Related

Cisco :: ASA 5505 Two Factor Authentication With Certificates?

Jun 2, 2011

Has anyone tried to get two factor authentication working with the asa 5505. I have a CA setup and the enrollment emails are being sent out. But when I go to login to the enrollment site at [URL]. I get a page not found.

I would like to have one factor be a username and password and the second factor being a certificate on the device.

View 4 Replies View Related

Cisco VPN :: 5505 Authentication Using External MS AD Server

Dec 29, 2012

We have a business case where we have a group of ASA 5505s in 3 locations with AnyConnect user licensing on all 3 for redundancy. The problem we are facing is that when we need to authenticate our AnyConnect clients we use Active Directory servers located at site 1, and the other 2 sites need to contact these MS AD servers over an already connected VPN tunnel to site 1 (IPSec l2l) but cannot. So the layout is as follows:

Site 1 (houses AD servers) has l2l tunnels to site 2 and 3
Site 2 (any connect essentials enabled) has l2l tunnel to site 1 and 3
Site 3 (any connect essentials enabled) has l2l tunnel to site 2 and 3

AD servers are ip'd as 10.1.1.11 and 10.1.1.4. If I use AnyConnect to site 1 it authenticates fine - as expected. Site 2 and site 3 fail to contact the AD server. Any thoughts on how we can accomplish this (or is it even possible to do?) without exposing the AD server in a DMZ or via external IP?

View 1 Replies View Related

Cisco VPN :: ASA 5505 LDAP Authentication With Openldap And Groups

Oct 5, 2010

I'm trying to set up my Cisco ASA 5505 to authenticate against an OpenLDAP server. Authenticating with a user's LDAP username and password is working fine.
 
I've hit Google pretty hard but can't seem to find a simple answer.  It seems like RADIUS might be easier for this kind of thing, but I haven't gotten that set up yet and my familiarity with RADIUS is pretty minimal right now.

View 6 Replies View Related

Cisco VPN :: 5505 Certificate Only Authentication Method With AnyConnect

Jul 7, 2011

Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect VPN? I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone. I currently have the AnyConnect client connecting OK using username / password for authentication.
 
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.

View 1 Replies View Related

Cisco VPN :: Authentication Error 5505 8.3 Setup Client Vpn To Windows

Nov 6, 2011

I'm trying to set up a 5505 (running 8.3) so that I can use the client VPN through RADIUS authentication. I have set up a new local RADIUS Windows box and used the ASDM assistant and a few other guides to set up the 5505.

View 3 Replies View Related

Cisco VPN :: 5505 - LDAP Authentication And Local User Database

Mar 14, 2011

How can I use both LDAP authentication and the local user database to authenticate the remote VPN client on an ASA 5505?

When I try to do this, only one method works; both do not work at the same time.

View 3 Replies View Related

Cisco :: Enable Guest Network Authentication In Network With WLC 4404 Controllers And No WCS?

Feb 18, 2013

What's the least expensive way to enable Guest Network authentication in a network with WLC 4404 controllers and no WCS? Management would like guests to register with a valid email address and enter a 'password du jour' to keep unauthenticated users from chewing up bandwidth with automatic connections.

View 4 Replies View Related

Blu-ray Authentication Via Browser To Wireless Network

Aug 17, 2011

The wireless in our condo requires a user and password to be submitted via a browser to connect to the network. My bluray player does not give this option or have the ability. Is there a way to accomplish this? Is there a bridge or router that can make the authentication to the wireless in the building that I could then connect the blu ray to?

View 10 Replies View Related

Home Network :: Proxy Authentication Using Netsh?

Aug 21, 2011

I am behind a SQUID proxy. I need to set proxy settings for cmd. I'm using win7 so proxycfg cannot be used. I used netsh like this: netsh winhttp import proxy source=ie

Internet Explorer had my proxy settings already. Now the problem: my proxy requires username/password authentication. I do not know how to set the username and password in command prompt.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 - Network Group Authentication

Apr 25, 2011

I'm sure it can be done just haven't been able to find it.  I'm running ACS 4.2 and have 2 network groups, one is wireless where I have a WLC and the other is the default where vpn users authenticate with their tokens.  Is there a way to have the Wireless network group authenticate using AD and the other group use RSA?  I can't find the switch or switches I need. 

View 1 Replies View Related

Cisco Wireless :: WLC 4404 Authentication Of Devices To Wi-Fi Network

Aug 2, 2012

I'm facing a problem related to devices authenticating to our wireless network. Below is how it is set up: WLC 4404 passes authentication to ACS 5.3 (PEAP + MsChapV2), then to the AD server. The client can get stuck in this status and it keeps repeating from 1 to 20.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Network Device Authentication

Apr 19, 2011

I am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.

I am not sure if Cisco ACS 5.2 supports the RADIUS protocol to do device authentication. In the configuration of the Cisco ACS 5.2 I can only see TACACS authentication for device authentication, and I have configured it and it works. Does Cisco ACS 5.2 support RADIUS auth for device authentication?

View 1 Replies View Related

Access Domain Network Shares Without User / Password Authentication?

Sep 21, 2011

I'll get straight to the point. I have at work a domain of computers. On one of the computers (I have admin rights) I want to share a folder that can be accessed by other computers that are not in the domain. By default accessing that share requires a user/pass. My question is: can I configure something on the computer (running Windows 2008 Server) for the shared folder so that other computers that are not from the domain will gain access to it without a user/pass requirement (like a normal share)?

View 3 Replies View Related

Cisco Wireless :: WLC2504 - Can Internal Web Authentication Be Used For Guest Network

Mar 18, 2012

Can we change the internal web authentication for guest network to use http instead of https?

View 3 Replies View Related

Cisco VPN :: RFC1918 / Setup VPN Tunnel To Vendors Hosted Network For AD Authentication

Oct 25, 2011

I am in need to set up a VPN tunnel to a vendor's hosted network for AD authentication. To prevent RFC1918 address overlap we are trying to NAT into a VPN transit network. I was given 209.235.17.232/19 and need to NAT these addresses:

209.235.17.233 <> 172.20.0.42
209.235.17.234 <> 172.20.0.43
 
The vendor is using 209.235.17.224/29 and NAT'ing to some 10.122.xx.xx addresses.
 
The Phase 1 requirements are:
Pre-Shared DH-Group2-AES256-SHA1 86400 seconds
The Phase 2 requirements are:
NOPFS-AES256-SHA1 3600 seconds
 
I have many l2l VPN tunnels configured using esp-3des esp-sha-hmac. This is what I have configured on my ASA:
 
static (INSIDE,OUTSIDE) 209.235.17.233 172.20.0.42 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 209.235.17.234 172.20.0.43 netmask 255.255.255.255 
access-list VPN-TO-JIVE extended permit ip 209.235.17.232 255.255.255.248 209.235.17.224 255.255.255.248
access-list VPN-TO-JIVE extended permit ip 209.235.17.224 255.255.255.248 209.235.17.232 255.255.255.248

[code].....
 
Currently my side is trying to initiate the tunnel, but we are getting this message:
 
15  IKE Peer: 65.168.255.157
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
 
I am configuring the transit network for the tunnel properly or performing the NAT for my 2 devices. I am still trying to determine what device the vendor has on their end.

View 1 Replies View Related

Cabling / Cards :: Network Of Wifi Access Points With External Server Authentication

Apr 6, 2013

I'm planning to create a network of wifi access points, all in different locations. Those locations all have different wifi routers and networks. I'm looking for an easy solution that lets me easily set up those networks to ask for authentication credentials (in a browser page, once a user is inside the wifi and wants to access the internet) from an external server, possibly without overloading that server too much.

View 1 Replies View Related

Linksys Wireless Router :: EA4500 Guest Network Re-authentication Doesn't Work

Sep 15, 2012

I have successfully set up a guest network on my EA4500. Guest laptop associates with guest SSID just fine. Then via IE, it gets prompted for the guest password, which is entered and accepted just fine. At this point guest laptop is on the network.
 
BUT... at some point the guest laptop will need to reauthenticate (I don't know what the timeout is, but maybe one or two days?). Anyway, it's at this point that IE presents the guest network login page. But now after typing in the password, "enter" or clicking on the button does nothing. It looks like the guest web page doesn't get loaded properly or completely, so the reauthentication can't complete, therefore can't get to the internet. So, while in this state, I've also tried Firefox and Chrome, and same thing, no action when trying to submit the guest password. Tried rebooting guest laptop, and still same problem. Only thing I've found so far that works is to reboot the router. So I'm guessing there's a problem with the guest/web server on the router?? It's a real pain to have to reboot the router every day or two, when I've had other Linksys routers run for months without having to touch them.
 
I was running CCC 2.1.38 when I first noticed the problem. Since then I've downgraded to Classic 2.0.37, but it seems I still have the same problem. Again, I can connect & authenticate just fine initially, but when reprompted after some period of time, it doesn't work.
 
I've tried contacting Cisco support, but it looks like I'm at 91 days since purchase and thus outside of my 90-day complimentary support, so they happily provided me with the premium support options just to have the honor of talking with them. Guess I shouldn't have spent so much time trying to figure this out myself.

View 9 Replies View Related

Cisco :: ASA 5505 DMZ Do Not Talk To Inside Network

Jul 29, 2011

I have a 5505 with the Security Plus license. I have a web server in the DMZ that needs to talk with a server on the inside network but it doesn't seem to be able to. I'm guessing there is something I need to do to enable the DMZ to talk to the inside network.

Here is the config.

[code]...

View 1 Replies View Related

Cisco Firewall :: Use ASA 5505 Between Two Network Segments?

Nov 29, 2012

I am using a Cisco ASA 5505 between my two networks.

1) I want 192.168.1.0/24 LAN users to be able to access the 172.16.1.0/24 network, but 172.16.1.0/24 can't access the 192.168.1.0/24 network

2) What should the interface nameif or security level be?

3) What access list should be configured?

4) What IP route should be used?

View 3 Replies View Related

Cisco VPN :: ASA 5505 8.2(5) / IP LAN Can't Access Remote Network

Sep 27, 2012

I want my ASA 5505 8.2(5) to access my proxy server on the remote LAN through VPN. My VPN is OK; all PCs on the local network can access the remote network, but the ASA on the local network can't access the remote network. I think it's a NAT problem but ....

local network 192.168.157.0/24 local IP ASA 192.168.157.1
remote network 10.28.0.0 /16
remote proxy 10.28.1.26
My conf:

[code]....

View 1 Replies View Related

Cisco VPN :: ASA 5505 - VPN Cannot Ping Internal Network

Nov 11, 2012

I have the connection working with my ASA 5505 but cannot ping the internal network. (Note external interface is getting the IP via DHCP)

View 4 Replies View Related

Cisco VPN :: ASA 5505 Access Network Behind PIX 506E

Jul 7, 2011

I have 2 firewalls in my network: ASA 5505 and PIX 506E. Both firewalls' internal networks are in the 192.168.0.0/24 subnet but their external addresses are different of course. The inside IP for the ASA 5505 is 192.168.0.254/24 whereas the PIX is 192.168.0.1/24. I've successfully configured VPN on the ASA 5505. I'm able to VPN to the ASA and can ping / access hosts that have 192.168.0.254 as their gateway. However, I'm unable to ping/access hosts behind the PIX. What do I need to do in order to allow access to the network behind the PIX after I VPN to the ASA? Also, I'm unable to ping 192.168.0.254 after I VPN to the ASA.

View 5 Replies View Related

Cisco Firewall :: ASA 5505 / How To Direct A 2 Sub Network To 2 Different ISP

Jul 26, 2011

With an ASA 5505, I would like to guide one sub network to one ISP and another sub network to the other ISP. I have 2 different ISPs. My major problem is the metric. I tried with the access-list command to force the way out, but it seems that "metric" is stronger than "access-list". I don't know how to manage such a lab. Is that possible with an ASA 5505 appliance?

View 9 Replies View Related

ASA 5505 Content Filtering For Inside Network

Feb 26, 2012

I'm looking for a content filtering/antivirus/antispyware appliance for my company. Right now we have an ASA 5505 at the edge. We have several outside employees connecting via Cisco VPN clients to the ASA. I need an appliance that can do content filtering for my inside network, guest network, and VPN users. That's two local VLANs and a VPN pool which are all terminated at the ASA.

I've had good luck with Cymphonix in the past, but their boxes are a bit steep for the amount of throughput I need. We'll probably be moving from a 15/15 fiber connection to 80/10 cable soon since our provider can't seem to keep us online; even with an alleged "100%" SLA. They just don't have a network capable of anything close to 100% uptime, plain and simple.

I'd like to keep the ASA running as our firewall and VPN server, so the device needs to be able to do content filtering/av/as in a transparent mode.

View 9 Replies View Related

Cisco Firewall :: ASA 5505 - Cannot Access Anything On Pix Network

Nov 29, 2012

Cisco ASA 5505
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
 
I have a VPN tunnel between a PIX network (192.168.200.0/24) and an ASA network (192.168.100.0/24); it's been running fine for a while now, but this morning I've come in and I cannot access anything on the PIX network (mail, file & web servers). Each attempt to access results in a SYN timeout.
 
6 Nov 30 2012 14:24:01 302014 192.168.200.9 192.168.100.115  Teardown TCP connection 6014 for outside:192.168.200.9/135 to inside:192.168.100.115/51240 duration 0:00:30 bytes 0 SYN Timeout

View 10 Replies View Related

Cisco Firewall :: ASA 5505 How To Map SSH From Outside Network Range To Internal

Feb 21, 2013

I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought. What commands should I enter to accomplish mapping SSH from an outside network range to an internal host ?

View 5 Replies View Related

Cisco Firewall :: ASA 5505 Configuration Cannot Get To Internal Network

Jan 25, 2012

I now need to configure an ASA 5505 for a small server farm. It's fairly straightforward: isp -> asa5505 -> internal servers. I'm using static addresses -- no DHCP involved. VPN works; I can get into the internal network. Pinging from the ASA to an external address works. However, I cannot get from a laptop connected to an internal port out to the internet, either using ping or typing an address in the browser.

View 7 Replies View Related

Cisco VPN :: ASA 5505 Does Each EasyVPN Client On Network Take Up 1 Of 10 Licenses

Mar 8, 2012

I have a Cisco ASA 5505 which is set up as an EasyVPN client to a remote VPN concentrator. The Cisco ASA has the 50 internal user license with 10 VPN peers. We just upgraded the license from the base 10 internal user to the 50 user license but it has not resolved the problem and only 10 internal users still work; the 11th fails. Does each EasyVPN client on the inside network take up 1 of the 10 VPN peer licenses? This seems to be the issue from what I can see, just need confirmation.

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Configuration For Home Network

Sep 4, 2012

I've been trying to configure a cisco ASA 5505 for my home network but I'm not having much joy with it. I've looked at countless guides, tutorials and followed the ASA setup wizard in ASDM. The Cisco 1841 is running sub-interfaces for my VLAN's.

View 4 Replies View Related

Cisco VPN :: Asa 5505 Remote Can't Access With Local Network

Oct 18, 2011

I have a problem with my ASA 5505 remote VPN connection with local network access. The VPN is working fine and connected, but the problem is I can't reach my inside network of 192.168.30.x. Here is my configuration:
  
ASA Version 8.2(1)

!
interface Vlan1

[Code].....

View 13 Replies View Related

Cisco Firewall :: Setting Up New ASA 5505 Into Existing Network?

Mar 21, 2013

I am having a problem trying to figure out how to add a new ASA 5505 to an existing network. My current network is: Cable Modem > Linksys > 48 port switch, with multiple hosts residing on the 192.168.0.x network. Now I know that the ASA comes default with 192.168.1.1 on the inside interface and I want to change that to 192.168.0.1. I have tried to do this through ASDM using the wizard and manually. Once I hit OK for it to write the config, it gives me an error that it didn't take. I then lose connection to the ASA and have to hard boot it to get it back.

I am trying to do this without my external connection connected and I have a laptop connected to the ASA on port 0/2 with an IP address of 192.168.1.75. Do I need to connect my internet connection to it first and then run the wizard? I was hoping to get it configured for my existing network before I plugged in the internet connection to limit my downtime.

This ASA came with 6.4.1 ASDM and 8.2 OS installed. I was able to upgrade the ASDM to 7.X but when I go to update the OS to 9.1, I get an error that I am not registered to use cryptographic software. Don't know where I need to register to get it?

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved