we wish to implement IPSec remote access vpn with the condition that employees should be able connect to this vpn only from company issued laptops and not from any other computers. I assume using client side certs is one of the ways to do it but I couldn't find any doc that was really useful. Cisco's documentation seems quite obscure. We are on 8.1 (5520)
View 2 RepliesIs there any documents that I can use to design an IPSEC remote access solution using 2 data centers . One data center is primary and other one is secondary. The VPN is terminated in ASA 5520. End users using cisco client.
View 6 Replies View RelatedI have a site-to-site VPN configured between a 5520 at our data center, and a 1700 at a client's site for site-to-site connectivity. What I've noticed is, is that the VPN can only initiate from my Data Center, never from the client router. I can telnet into the router and start a telnet session sourced from the "inside" interface and it fails, yet I can see the NAT translations get created in the state table that should match the crypto-map. However, if I ping a host on the inside of the remote LAN from my workstation (behind the 5520) to bring the tunnel up, and run the exact same command on the client router once the tunnel is up, it works. Right now I have a continuous ping running from my workstation to keep the tunnel up, but obviously that's not the best solution
I had to modify this config to NAT the LAN addresses at the client to a non-overlapping subnet, so anything coming from 128.1.0.0/16 should be NAT'd to 192.168.105.[50-200]/24. I've also got two static NATs for inbound access from the data center and those seem to work fine.
Current configuration : 2787 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
[code]...
We have dns server(only Internal IP) inside our network, right now we have configured Remote Access VPN using Public IP and we connect it using the same Public IP. I need to use FQDN instead using Public IP. What is the configuration for this.
-Device : ASA 5520
-Configuration Type : IPSec
I have a ASA 5520 upon which I need to build a WebVPN for the company urls - webmail, intranet portals etc. There will be 2 groups -
a. Confidential Access - For senior management.
b. Public Access - For employee access.
RSA Token & LDAP auth would be used for access to the WebVPN. However, I am unclear on certain aspect.How do I isolate the 2 groups? I mean only Senior management should be able to view & access the first set of links while employees see and access the other set of links only.Both the groups will be available to all users loggin on to the WebVPN. Since the authentication mechanism - LDAP - is the same, anyone would be able to access the groups and in turn, urls.
I have two ASA 5520 units, both running version 8.3(2) code. Among many other uses, they have an IPSec tunnel between them to link office 1 and office 3 together. Office 2 does exist, and is connected to a different port on the ASA in office 3; there is no IPSec involved with office 3.
View 6 Replies View RelatedHow can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.
View 3 Replies View RelatedI am working on IPSec Passthrough on an ASA 5520, with version 8.3, and ASDM 6.3. Currently I have a requirement for users in my internal network (10.10.249.128 / 25) to be able to connect to external IPSec VPN servers.
So I created a network object with 10.10.249.128 / 25, and used dynamic PAT to translate the source ip address to the external internet facing outside interface:
I then added the following rules on the inside-in ACL: However troubleshooting shows that isakmp is passing through the firewall, but esp and ah is not.
For isakmp:
For ESP:Seems like the nat rule is drawing my ESP traffic,
I'm trying to achieve a site-to-site ipsec tunnel to a Cisco ASA 5520. Most examples feature the ASA with a public interface that terminates the tuennel and a private network on another interface that the tunnel interacts with. Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network where I want the remaining hosts on that subnet to be able to route thrugh to the other end of the tunnel. My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic. If so, what configuration options should I consider?
View 5 Replies View RelatedNeed to check how many tunnels IPSEC are running over ASA 5520.Tried commands which we use on Routers no luck?
View 6 Replies View RelatedI am trying to implement IPSec Authenticated Firewall Bypass on windows vista clients within my microsoft domain to avoid implementing numerous windows firewall port exceptions for each client.
This is working internally on our network, between services servers (i.e AV server), and desktop clients. However i am having a problem when the clients are remotly accessing the domain via the VPN client.I have open traffic ports (IKE-UDP500, ESP - IP Prot 50, AH - IP Prot 51) bidirectionally between the remote vpn clients subnet and the services servers, however when the endpoints initiate traffic to the services server, the IKE traffic is unencrypted?
I cannot get this to work properly and I've even had a Cisco engineer from TAC set-this up... and it literally broke my inside network. I have a VPN range of addresses..x.x.x.x on the Outside that needs access to a server on the Inside at y.y.y.y. HTTPS/443 connectivity. I need to NAT my VPN subnet/pool in order to talk to the inside host, as that host will not accept traffic from my VPN subnet, but obviously, will accept traffic from Inside my private network.
The Cisco tech entered the following static NAT statement to "fix" the problem - nat (outside,inside) source static VPN Inside-Network destination static Host-y.y.y.y Host-y.y.y.y For whatever reason, whenever this is configured on my ASA 5550 v8.3(2)25 the Inside interface starts proxy arping and assigns all IP addresses on my private network with the MAC address of the Inside interface.
The y.y.y.y is on a remote, routed network within my private, corporate MPLS network. My Inside private network (Inside-network shown in the static NAT above) is x.x.x.x. Not sure why this happens, but it kills my entire network and I have to jump through hoops to quiesce the network and get everything back to normal.I've tried to Dynamic-PAT/hide the VPN range behind the Inside interface through ASDM and that seems to do nothing.The NAT statement above will break my network. How to NAT this connection without killing my Inside network? Or, on how to properly hide my VPN subnet/pool behind my Inside interface and back to the VPN subnet/pool.
We have ASA5500's deployed for remote access concentration.We use Cisco IPsec vpn client with a group policy the chacks for Network ICE BlackIce ersonal firewall.The powers-that-be wish to change to McAfee presonal Firewall ok..Now the Group Policy allows you to check for several pre- configured Firewalls, Cisco Integrated, Sygate, Zone Labs etc.So as McAfee are no listed then I am to assume we go for "Custom Firewall" and this is where I am struggling.To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID.McAfee haven't the faintest idea what we're talking about when we ask them for these details.Or is there a way to extract them from the registry of a machine with the McAfee product installed?
View 3 Replies View RelatedI am having an issue with establishing L2L VPN with remote site. My side is cisco asa 5520 and other side is check point UTM-- tunnel is not up.just wnated to confirm on my sidde if the configuration is OK.al the parameters using are correct for both side. any issue with below conf ? default route is pointing to my next GW address is there additiona default is required for VPN ? to reach the remote LAN somthing like pointing to remote peer address.to give a brief idea front end device is router as GW wher in internet is terminated and other wan connections ASA is behind ther GW rtr and outside int of asa and lan interface of GW rtr is having public ip. LAN switch is connected to ASA
access-list insideinterface_nat0_outbound extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
access-list outsideinterface_cryptomap_40 extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
nat (insideinterface) 0 access-list insideinterface_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
[code]....
I have a site to site VPN between SiteA to SiteB which is working fine. SiteA has an ASA5520 and SiteB Pix501. The ASA5520 is running version 804 with split tunneling. Users connect to SiteA using remote access VPN. Is it possible to setup SiteA ASA5520 so that when users connect to SiteA they can access servers located on SiteB through the tunnel? I know i can setup the Pix501 for remote access VPN but it is located in another country and i don't want to take a chance just incase i lose connectivity.
View 7 Replies View RelatedIs it possible to deny VPN access to specific AD accounts?
Currently setup with 5520, LDAP authentication for VPN users.
is it possible to restrict the Remote Access VPN to ASA based on the Source Public IP , if so how ?
here I am not talking about the VPN-Filter under group-policy . I Want to restrict the access from specified source IP ( Public IP)
i have cisco ASA5520 and i have a remote access vpn .I want to configure logging for this remote access vpn.
i want the time user connected .how log it is connected .If any error while connecting ?
I need a way to block MAC OS X users connecting remotely to our coporate users over VPN. I know there is an option to block connections based on VPN client Version, but cant find a way to block users based on operating system.
We use Cisco ASA 5510 firewals one with v8.2(1) and other with v7.2(3). I need to do on both firewalls. They are both at diffrent sites.
in our VPN configuration (ASA5520, Anyconnect VPN Client), we have different VPN User Groups. These Group Policies are retrieved from an LDAP Server.We'd like to restrict the acess like this:
A Group "Home User" might establish a VPN from anywhere on the Internet
A Group "restricted 3rd party" should only be allowed to establish a VPN from their specific public Source IP Address on the Internet (the public IP Address of this 3rd party Company). When these Users try to connect from any other IP Address on the Internet(Home, hotel, etc), VPN Access should not work!
On our old solution, we were able to limit the remote access network, per user group, to some source IP's.
The IP Filters related to group policies in here seem only to be filters concerning the VPN Address (after the VPN is established: where can this user group connect to). But I did not find filters/access lists, where yoiu can define/restrict public access networks for some groups.Or is it possible to do that by Dynamic Access Policies? How?
We have a pair of 5510s and a pair of 5520s, each in Active/Standby mode. I'd like to upgrade the ASDM and ASA software on these, but am finding no documentation that advises on how this can be done without physical access to the devices. It so happens I am on site, but we will be deploying these throughout our network and I'd like to be able to perform this type of maintenance without travelling to each site. We utilize CSM and ASDM to manage these for the most part, but are certainly capable of configuring via CLI.
The issue may be my lack understanding of the ASA fundamentals, but I don't really get how the software can be copied to the individual ASAs of the pair so they may be reloaded and upgraded without outage. With a remote SSH connection to the pair, I'm only copying the software to the Active ASA, correct? Or is there a way to get the software to each disk individually from the single SSH connection? I'm not quite sure how to manage the Standby ASA without consoling into it... If I can indeed remotely get the software to each ASA (copying to different disks?? i.e. disk0: and disk1:?), then I also run into an issue updating the boot statement for each of them individually, though to resolve that I suppose I could just remove the old software, but that seems like bad practice before confirming the new software is ok.If there is a simpler way of deploying new code via ASDM or CSM, I'm certainly open to that.
We have two ASA 5500 series Firewalls running 8.4(1). One in New York, another in Atlanta.They are configured identically for simple IPSecV1 remote access for clients. Authentication is performed by an Radius server local to each site.
There are multiple IPSec Site-to-Site tunnels on these ASA's as well but those are not affected by the issues we're having.First, let me start with the famous last words, NOTHING WAS CHANGED.
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel. They would get prompted for their ID/Password, then nothing until it times out.Sames users going to the NY ASA are fine.After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta Firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
If they are using the wireless adapter for their client machine, they will get stuck trying to login to Atlanta.These same clients will get into the New York ASA with no problems using wired or wireless connections.Windows 7 clients use the Shrewsoft VPN client and Mac clients use the Cisco VPN client. They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
Using myself as an example.
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues.
2. The same creditials USED to work for Atlanta as well but have now stopped working. I get stuck until it times out.
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
This makes absolutely no sense to me. Why would the far end of the cloud care if I have a wired or wireless network adapter? I should just be an IP address right? Again, this is beyond my scope of knowledge.We've rebuilt and moved the Radius server to another host in Atlanta in our attempts to troubleshoot to no avail. We've also rebooted the Atlanta Firewall and nothing changed.
We've tried all sorts of remote client combinations. Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior. Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta. The New York ASA is fine for wired and wireless connections. Same with some other remote office locations that we have.
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection. At first we thought the AAA/Radius server was rejecting us but is shows the same reject message for the working connection. Again, both MAC and Windows clients show the same sequence.Where the connection fails is the "IKE Phase 1" process.
-------------------------------------------------------------------------------------------------------------------------
WORKING CONNECTION
-------------------------------------------------------------------------------------------------------------------------
%ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device
NAT-Traversal auto-detected NAT.
%ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user
%ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
[code]...
Is it possible to restrict the Remote Access VPN to ASA based on the Source Public IP , if so how ? here I am not talking about the VPN-Filter under group-policy . I Want to restrict the access from specified source IP (Public IP)
View 1 Replies View RelatedI have a AD server that needs to access to servers at a company out on the web. it an asa the protocol is ldap
AD server 10.12.1.56 / 24
External servers 206.123.45.122, 174.87.96.143
ASA configuration
access-list outside permit tcp host 206.123.45.122 host 10.12.1.56 eq 389
access-list outside permit tcp host 174.87.96.143 host 10.12.1.56 eq 380
I would like to restrict Internet traffic (HTTP & HTTPS) for Inside Users with an ASA 5505. I would like to setup a proxy-like system where a User/Password must be entered before the User can actually browse the web.
I know that this can be done with an additional RADIUS/TACACS+ Server. Is this also possible without any external AAA Server, so with User/PW stored on the ASA locally only?
Currently running a pair of 5520 as VPN routers. running 8.0.3, been using only Anyconnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.However, recently we tried testing some IPSEC clients and are realizing that the Anyconnect SSL VPN clients is about 10x slower than the IPSEC client.From my house, downloading either CIFS or FTP, I can pull pretty close to 1.0mbps, while using Anyconnect, I pull 0.1mbps. What could be causing this slowdown? Should SSL VPN performance be on par with IPSEC? Clients all are windows 7, 64 bit. and the testing is being conducted on the same device.
View 8 Replies View RelatedThe network design is a hub and spoke using a carrier provided MPLS network with a ASA 5520 at the hub that has a IPSec tunnel to another part of the company.This configuration has worked for sometime now (long before I came to the company a couple of months ago).The thing that does not make sense to me is that the those networks out on the spokes did not have a route to the inside interface network of the ASA. With the way this MPLS works, if a network is not in the MPLS network routing tables it will not pass that network. The network was not in the MPLS network, nor was it in any of our edge routers connecting to the MPLS.
These hub networks did have routes both in the MPLS and edge devices for the networks on the other side of the IPSec tunnel and have been reaching them for some time.So what I am trying to understand is how it is possible for these hosts that have no route to the ASA inside interface network, but do have routes to the remote networks, how are they able to successfully pass that traffic? There are no NAT devices between these WAN hosts and the ASA.
I have a client that uses the ASA 5520 as both a firewall and VPN termination device. Day to day VPN usage is 30-50 users and the memory (512 MB) is typically at 50% while the CPU is mostly under 30%. I've suggested the RAM be upgrade to 1GB.The client would like to add a large block of VPN users which could see 250-300 concurrent users. What kind of a system resource hit should the expect with this level of load?
View 1 Replies View Relatedi want to create Remote IP Sec VPN on Cisco ASA5510.Problem is this 5510ASA is behind another 5520ASA and it dont have any public IP address on any of 5510 interface.if i do static NAT of ASA 5510 Private IP on internet facing 5520 IP Public POOL, then will VPN work on 5510 ASA? and what ports need to forward on 5520 for 5510 to become IPSEC VPN head end
View 1 Replies View RelatedI have a customer, who has the SVI's configured on the Core (4500x) and this is connected to a ASA 5525x, there is a requirement of restricting traffic between different vlans. How can i use the ASA to accomplish this task. ACLs on the Switch are not stateful and hence not considering this option, Also we are not planning to configure the GW's on the ASA since there is lot of traffic between the vlan's and this will become a bottleneck
View 4 Replies View RelatedI have made the following change to my ASA 5520 using ASDM to try and force VPN clients to use a self assigned certificate from the ASA. I made the following changes Remove Access VPN > Certificate Management > Identity Certificates > Add Certificate.Then I made the following change.. Remote Access VPN > Network (Client) Access > IPSec(IKEv1) Connection Profiles > Connection Profile > Edit > IKE Peer Authentication > Pre Shared key and pointed the identity certificate to the one I created in the step above.Having made this change I am still able to VPN without a certificate configured in authentication settings.I was expecting that the VPN would attempt to issue the self assigned cert to client machine?
View 1 Replies View RelatedOptions a user may reside in Austin, TX and I want the user to utilize the local proxy (i.e. texasproxy:8080). We currently only require the user to enter the RSA passcode and username to authentication (RSA/AD username are identical). Is there a way to have the user authenticate via RSA and have the user's AD group membership (TX) assign the user the specific IE proxy settings? We are utilizing an ASA 5520 on 8.2, but we are willing to upgrade to newer IOS or even consider anyconnect to resolve this issue.
View 2 Replies View RelatedCurrently we are having a 2 ISP for Internet. Need to achieve redundancy for IPSEC VPN using the domain.
Requirement :Will configure a domain and assign two public IP address from 2 service providers. Will set the priority for the public ip address and do the manual change during the ISP failure.We will provide the domain name to the clients to setup the IPSEC VPN.So incase of failure by one ISP, we will change the priority in the domain to point to the availble address.So that we can reduce the downtime and no need of configuring new IPSEC VPN tunnels.
Question :Whether we can achieve this in Cisco ASA 5520.Or do we have an alternate solution to overceome this solution.