Cisco :: ACLs To Limit Ports With Client - Based VPN Tunnel
Jun 16, 2011
I have a customer I've built a webvpn tunnel for.Users on this tunnel need to have http access to a server at 10.1.1.12 and nothing else.That's fine, but in order for name resolution to work properly they need to be able to send DNS requests to 10.1.1.9.I'm working with two different access lists, my non access list (nat 0) and my split tunnel access list. I can't specify ports in the nat 0 access list, but I did try writing my split tunnel access list as follows:
-access-list split permit ip host 10.1.1.12 172.16.4.0 255.255.255.0
-access-list split permit udp host 10.1.1.9 eq 53 172.16.4.0 255.255.255.0
When I do that users can access the 10.1.1.9 dns server, but they can hit it on anything (ping, 3389, etc.).I'm trying to figure out how I can limit them so they will only be able to pull dns but nothing else.They have the Any connect Essentials license, so unfortunately a clientless VPN is not an option. Is there some other access list I can interpose that will limit things the way I want?
View 2 Replies
ADVERTISEMENT
May 19, 2013
I want to buy an AIR-SAP1602I-E-K9 and I don't know if I can configure a MAC-BASED ACL with this AP, because I must permit the access of the wireless netwok only to determined wireless devices.
View 4 Replies
View Related
Nov 23, 2011
I have ip phones at the remote location that connect into the phone switch(it's a nortel cs1000 system) over the tunnel. Internal calls work just fine, however when somebody calls from the outside, or calls are made to the outside the connection is never finalized. Like if I call from my cell it rings the phones, but when I answer there is nothing but dead air.In the group policy for the tunnel, I gave the remote site FULL access to the phones vlan and vice versa...which obviously works since internal calls work fine. If I remove my group policy and give it the Default group policy which essentially gives that tunnel full access to everything since the tunnel is set to bypass interface ACLS, external calls work fine. So it's definitely related to the group policy.
The group policy is basicallyAllow remote site to X network/host on these ports no denies since it blocks whatever isn't specifically allowed. However since it can get the phone switch and it can get to the internet I'm not seeing why the calls aren't working.The only thing I can think of to try doing as well is remove the allow inbound traffic to bypass interface rules and treat it just like another vlan interface on the ASA. Create the rules on each interface for the remote site network etc and see if it works that way.
View 5 Replies
View Related
May 18, 2011
I have 1812j with ISDN line.Recently Accidentaly the ISDN Router was dialing every 1 minute because of the config was not right.It was too late to find out.And I got the expensive bill from the telephone company.
The idea is I want to stop dialing if the dialing cost is over than appropriate amount.For example, if dialing cost reach to $200, then stop dialing and alert to the system administator by E-mail or something.There is the way to limit the timed-out but this won't work for that.
View 3 Replies
View Related
Mar 1, 2011
I have Site(s) Ani....i=1,..10 sites which communicate with site B to access a website/application. That's simple enough. However, the traffic is http well we primarily don't need https on ipsec tunnel right?. But since attacks related to eavesdropping of traffic come a real reality once it gets terminated by the ipsec device on both side.I have two options either to purchase a third-party ssl certificate to encrypt the traffic between two nodes or use a custom made one.I don't want to use a custom made one because this make the browser prompt an ugly untrusted certificate message; its ugly not from security perspective but for clients inconvenience and assuring users confidence in our systems is a critical issue for us. ?
a) How its possible to remove ugly certifcate message from user screen? Does the company need to register its certificate to some kind of CA body? or what ...
b) Due to some tcp acceleration issues, ssl traffic slows down the traffic between the nodes so we only require the encryption to stand just during the initial handshake when the username and password are being validated ; after that we want to revert back to http?
View 1 Replies
View Related
Oct 11, 2012
I'm getting the following error in the log of a 2901:
%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.
I'm a bit confused by this since there is only 1 active SA at the time.Here is some more info:
2901#sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 768 active, 2800 max, 0 failed
View 3 Replies
View Related
Jan 25, 2013
I have Cisco ASA 5520 / ASA Ver: 8.0(4) / ASDM Ver: 6.1(3). I have configured Remote Access VPN and everything seems to be fine. Like i have created Extended ACL and allowed for singe host with particlar port to be allowed.
After login with the Anyconnect client, i am restricted to access the single host configured, but not based on ports. i.e. i do not want user to RDP the server allowed, but only access the application based on the port that is allowed. But somehow it is not working.
how can i allow user to access a server with defined port only and not any other service/port access for the server.
View 4 Replies
View Related
Feb 28, 2011
Is it possible to log when a user connects/disconnects their VPN session? They are connecting to an asa 5510.
View 5 Replies
View Related
Jan 24, 2013
Recently our company purchased 3 Lynksys SGE2010p, At the moment they work as a stack but as we are implementing UCCX we need to mirror 15 ports but during the provisioning i've noticed that the limit is 8 ports per stack. I'm wondering whether this is a known issue or just a known limitation . I believe that most probably i'll need to move back to stand alone mode so i could configure 8 mirrored ports per switch.
View 2 Replies
View Related
Apr 18, 2012
Im making a design for a customer that will have around 200 wireless users.
We were thinking in the WLC 2500, because the number of APs will be around 30.
But the problem is that from time to time, the client organizes events, and in these events the number of wireless clients will be around 600.
In the WLC2500 specs te maximun numbers of users is 500, but i want to know if this is just a recomendation, of if the WLC will drop the connection attemp # 501.
View 3 Replies
View Related
Nov 22, 2011
How would I go about configuring RADIUS based AAA for remote access VPN users? I have an OSX RADIUS server and an ASA 5510
(I want to keep console and SSH using LOCAL, so I keep this: "aaa authentication ssh console LOCAL", right?)What does the rest of the config look like to get RADIUS based AAA for remote access VPN users?
View 4 Replies
View Related
Jan 6, 2011
My customer requires the hostport on an access switch to be allocated to a specific Vlan based upon the AD Group that the user is a memeber of ? I am planning to setup NAC in a Real Gateway OOB deployment, using an ACS 5.2. I was initially thinking that the initial authentication server would be the ACS and then the AD, which using group mappings within the AD, I could then assign the user to a specific ACS group and then pass a Radius attribute back to the NAC manager for processing?
View 2 Replies
View Related
Mar 11, 2013
I've setup a cisco router 2821 with VPN (client) and it is working fine. All the configuration i've done via CLI
BUt i want that a user vpn client to have:
Maximum connection time 30 min
Maximum idle time 15 min.
View 4 Replies
View Related
Mar 3, 2010
I have an ASA running 8.2.x code with AnyConnect 2.4.x.I have both Radius and LDAP (AD) AAA available.If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining is they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.
If at all possible, I do not users to have to pick a conenction profile or use different URL's.
View 1 Replies
View Related
Jun 16, 2012
how many remote user connect using Cisco VPN client on Cisco Firewall ASA5520-BUN-K9? Already i read VPN Client FAQ But their have no information about user limitation.
View 1 Replies
View Related
Sep 12, 2012
I would like to be able to allow a specific client to only associate at 6mbit/s -is this possible using the wlc controller 5508? Another option would be to limit a whole w lan ssid to 6mbit/s but i can't find a way to do that either.
Other w lan ssid's on the same access points/controller need full data rates, so i guess i can't use the RF-profiling for this.
View 2 Replies
View Related
Aug 26, 2009
Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.
We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership.
View 3 Replies
View Related
Apr 3, 2013
Region : India
Model : TL-WR940N
Hardware Version : Not Clear
Firmware Version : 3.13.27 Build 121101 Rel.38183n
I have bought TP-Link TL-WR841N 300 mbps router. I have 20-25 wireless clients but only 15 wireless clients are able to connect to the router. Is there the limitation on numbers of wireless clients can connect to the router?
View 1 Replies
View Related
Sep 12, 2012
I have implemented a Clientless SSL VPN solution with Smart-Tunnel feature on Cisco ASA 5520, software 8.4(4)1.I have been successful in making Bookmarks which employ Smart-Tunnel feature to avoid content rewritting (if any). And in reality it works fine with some links. However there are some links to an Oracle portal, it doesn't work.I was able to log into the Oracle portal with its username/password. However when i click into a button of the drop-down menu, nothing happens while normally there should be a box appearing. The Oracle portal runs with some Java stuffs which i don't really know as i am not a programming engineer anyway.
View 1 Replies
View Related
Oct 2, 2012
I have remote branches that connect to the corporate office as a site-to-site VPN. Now the clients at the branch are getting an application that is using an unsecured port (tcp/23). I would like to use a set of ASA 5520's that I have at the corporate office, with the AnyConnect license on them. I want the client machines to establish a tunnel from the client to one of these ASA's. The ASA' then would have a connection to the VLAN that the receiving server is housed on. The trick is to just establish the tunnel from the client to the ASA that will allow the IP of the client to not be translated. So I would use the ASA as a security 'pass-through' for the clients that use this new application.
View 1 Replies
View Related
Feb 6, 2012
I would like to know whether I will be able to setup a VPN tunnel between a wireless router and wireless client on the same network. What I plan to do is to first setup up my router to use DD-Wrt as its OS. I have read some tutorials on the Internet, about how one can configure a VPN server when using this router OS.Now if I assume that I have a client on the same WLAN network who is already connected and so on; - can the client connect to the router's VPN server and then connect to the Internet using the VPN tunnel that has been established? The purpose of this configuration is to see whether if this setup (if it can actually be configured that way) would protect against wireless man in the middle attacks that use trivial tools such as Cain and Abel.
View 4 Replies
View Related
Nov 25, 2012
I've been labbing on my asa5505 at home, setting up different VPN solutions for testing purposes. However, I can't get my anyconnect client to establish a DTLS tunnel when connecting (anyconnect only shows tls, and does not display any errors about not connecting with dtls)I have set dtls port to 444 and this port is open on the other side.
View 2 Replies
View Related
Jun 5, 2011
we use the Cisco VPN-Client to connect to our CISCO1921 Router and want to go out again on the same interface to the internet. We configured the connection with the IOS scurity package, have no split tunneling - so the client is forced with it's default gateway to our router - we also have pushed our local dns-server to the client and he gets dns results. Now I think we have to got out with some kind of NAT, because our client has a private IP from the IPSec Client pool. At the moment we have no NAT inside/outside, bacause we only use official IP addres in- and ouside (data-room usage).
- Is it possible to get the NAT function going in and out on the same interface with crypto_map IPSec user comming in and going out to the internet ?
- Is it more secure to configure this with vrf ?
- Has some a link to example configurations for this ?
View 4 Replies
View Related
Aug 11, 2010
i`ve setup smart tunnel with different applications. (mstsc.exe, putty.exe). This works fine. I`ve now tried to add the vSphere client appliaction (VpxClient.exe). But i don`t get it working.
View 3 Replies
View Related
Mar 27, 2011
I can connect to the router over VPN just fine, problem is that once I connect I can not access the 192.168.1.0 network... can't ping a workstation on the network 192.168.1.25, I can however Ping the Router which is 192.168.1.254.
FastEthernet 4 is my WAN
used this for setup: [URL]
Here is the config:
! Last configuration change at 13:50:29 UTC Tue Mar 16 1993 by cjcatucci!version 15.0no service padservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname c861w!boot-start-markerboot-end-marker!no logging monitorenable secret
[Code].....
View 5 Replies
View Related
Apr 3, 2012
I am using a RV110W as a VPN client to establish a VPN conection since some months. So far everything works fine. But all traffic is routet thru the VPN tunnel. Now I try only to route specific adresses thru the tunnel but not the internet acess.
RV110W is in Gateway mode
WAN interface is connected with internet
I am using PPTP with PAP and MPPE for VPN
so far no static routes (I could not set e.g. a route to 0.0.0.0 because web-interface says its not a valid adress)
Goal is to route only traffic for the target network thru tunnel and the rest direct via WAN interface.
View 3 Replies
View Related
Mar 16, 2013
Is it possible with ASAVPNSERVER 5520 and an EasyVPN 5505 Client to have the client do split tunnel to a single public IP address? Both devices are on 8.2(5) 33. Could you possible provide sample config for split tunnel?
View 1 Replies
View Related
Sep 29, 2011
how to setup a both ends of an IPSEC VPN tunnel using a software client such as shrewsoft vpn and an 800 series router?
I've tried following the instructions on cisco's site, but I don't really understand which interface I should use? Dialer, VLAN1 or UnNumbered to a Loopback?
I'm OK with most basic features of the router, but never had any luck with VPNs?
View 3 Replies
View Related
Sep 4, 2011
I recently purchased a Cisco 2911 to replace my Cisco 1711 router. I copied the configuration from the Cisco 1711 router to the Cisco 2911 router. Everything seemed to work correctly except when I VPN tunnel into the Cisco 2911 router using Cisco's VPN client version 5.0. I can ping the router LAN interface from my PC that is VPNed into the router but I can no longer ping or access the devices on the LAN side of the router as I did on the Cisco 1711 router. I don’t see errors in the log or hits blocking anything in the acls. It’s using the same configuration that I had on the Cisco 1711 router, and this did work on the Cisco 1711. The Cisco 2911 router is running IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1).
Here is the VPN clinet portion of the configuration: The LAN is addressed as 192.168.0.0/24. The router LAN interface is 192.168.0.1, which I can ping and access. I can't ping or access anything on the LAN (192.168.0.0/24) beside the router.
aaa authentication login vpnclientauth local
aaa authorization network vpngroupauth local
!
crypto isakmp client configuration group remote-clients
key 6 xxxx
pool clients
[Code]....
View 11 Replies
View Related
May 28, 2011
inside network----ASA5505========internet===========Remote VPN client.
The ASA has one public IP on its outside interface and using PAT to the internet. It only has two interfaces, inside and outside using vlan. I created a IPSec VPN through CLI. My goal is for the remote client to browse the Internet throught tunnel.
Q1: Is it possible?
Q2: The remote side gets connected and has IP from the pool, with is part of inside network. But it cannot ping anything, including the gateway, which is the inside interface. I debug it, it shows the ASA receives the ping packages, but it doesnt send anything back to the client.
View 5 Replies
View Related
Apr 15, 2010
I have configured a lab for RA VPNs with a ASA5510 software version 8.2 and VPN Client 5 using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco website: URL
Now the vpn works just fine, but now I need to configure different tunnel-groups so I can provide different services to different users. The problem I have now is that I don't know how to configure it so the certificate matches the tunnel-group name. If i do a debug crypto isakmp on ASA I get this error messages:
%ASA-7-713906: IP = 165.98.139.12, Trying to find group via OU...%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload: Unknown%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IKE ID...%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload: Unknown%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IP ADDR...%ASA-7-713906: IP = 165.98.139.12, Trying to find group via default group...%ASA-7-713906: IP = 165.98.139.12, Connection landed on tunnel_group DefaultRAGroup
So basically when using certificates I always connect the RA VPN only with the default group DefaultRAGroup. Do I need to use a different web enrollment template for certificate request instead of the user template??? How can I define the OU on the User certificate so it matches the tunnel-group???
View 3 Replies
View Related
Mar 23, 2012
I need opening up some ports for a sftp client at work. software version 8.0 (3) device manager version 6.1 (1)
View 4 Replies
View Related
Feb 26, 2012
If client gateway = 192.168.64.9 then next-hop = 192.168.64.8 else use default-route 0.0.0.0
I know it's possible to do a route-map match ip-address ACL list. But is it possible to match on gateway?
Some info about hardware and config:
6509-E in VSS (IOS 12.2(17r)SX5) withVS-S720-10G supervisor.
All routes are static, IP for 192.168.64.9 is on SVI vlan.
View 3 Replies
View Related
