it is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.
View 1 Repliesit is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.
View 1 Replies View RelatedWe are trying to manage our Cisco ASA 5520 (8.2.5) SSL clients through Active Directory(ldap).
Currently the SSL VPN tunnel is up and all users are able to connect being authenticated by AD. but Group-policy to AD groups are not working. all the domain users are able to go to all the group policies .
I need to give access only to their respective Group policy in ASA. Following are the available groups and GP.
Code...
I'm trying to get a couple clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. What ports I need to open up? My AD servers are Windows 2003.
View 1 Replies View RelatedI want to setup Wireless Clients MAC+Active Directory based acess on AP 1242 standalone Wireless series.Steps i have configured :
1) SSID manger under Open authentication : Selected with EAP.
2) under advacned Radius.MAC Address AuthenticationMAC Addresses Authenticated by: Authentication Server Only
3) Server Manger : Current server list added the radius ip address 10.1.200.x
We are using ASA5520 as our VPN concentrator and has configured IPSec authentication using digital certificates with Microsoft CA for the remote access VPN. The AAA server used for remote user authentication is Windows Active Directory. Screenshot of the AAA configuration is attached. The problem we face is that the "Login DN" account (marked in red box in the screenshot) is frequently getting locked out in the active directory. I have confirmed that the password is the same on both ends and the account is not used any where else.
The NTP server configured for the VPN concentrator is the Active Directory itself but no accounts are configured (not required) for updating the time service in the concentrator.
I have a 5515 ASA that has the webVPN configured on it and it is using active directory to authenticate. The client would like to set up groups in active directory and restrict access to those groups when they are connected to the webVPN. For example, they have a group in active directory that they only want to access their "web" interface. What is the best way to configure this on the asa?
View 2 Replies View RelatedI'm trying to install Active Directory Agent in Windows 2003 (not R2) to configure Identity Firewall with ASA 5505 8.4.(2). The installation runs ok but the agent doesn't start because the WatchDogService.exe fails. I don't find any information about AD_Agent.
View 5 Replies View RelatedI will set up a Dhcp server on the inside interface of my pix. I would like to have the DHCP Server authenticate to the Active Directory Server that is located on the DMZ.
Inside --pix--dmz
Inside interface
Win 2008 DHCP
DMZ interface
Active Directory Server
What would be the issues that I could run in to when I try to authenticate this server from the inside interface to the dmz? I see that Dhcprelay option is available on the PIX 6.3 I'm guessing this is the only command that I need to use: dhcprelay enable dmz
I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
IPS soft is 6.0(4) and ASA soft is 8.0(3)
I have checked cisco doc and it is confusing to me. it says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..
Is it at all possible to connect a client computer to an Active Directory via the Internet?
If so, would you change the client's DNS server to the remote IP, and then connect?
I have an ACS 5.1 and am trying to integrate with windows 2008 R1. The ACS has a valid AD account and indicates that its connected but when I try to list any directory groups my windows IE browser hangs?
View 2 Replies View RelatedAfter reading the post titled "ASA 5520 nat access-list query for internet access" I realized the object-group command could and should be used to make a more efficient and cleaner configuration. My current environment is very small and straight forward consisting of one FTP server in the DMZ. Though the guide: [URL] is straight forward, my inexperience hinders me from seeing how to use the commands effectively. A summary of the configuration is at the bottom of this post
Question: How can I clean up my current configuration? I have two references to the same server, dmz-rdp and dmz-ftp, created for port forwarding ports 3389 and ftp through the outside interface. I can combine them into one object statement, right? for each port I want to forward through the outside interface?
object network dmz-rdp
host 10.10.10.4
nat (DMZ,outside) static interface service tcp 3389 3389
[Code]....
I have an asa 5520 that works fine if you are using passive ftp and ftp inspection is on globally. It is not working for an active ftp session. I tried allowing all ports back to the external ip address of the internal client as a test and this did not work either.
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.2(3)
policy-map Global_Policy
[Code].....
I read another article saying that this command needs to be on the asa "fixup protocol ftp 21"
If this is enabled will it show on the firewall? How do I enable it?
I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved. Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses from some time. I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.
View 3 Replies View Relatedhow many active TCP sessions my ASA has but having a hard time finding this information. When I do "show conn count" from the CLI it shows what I'm guessing is a sum of both TCP and UDP. Is there any way to get just the TCP connections?
View 3 Replies View RelatedI have two ASA 5520 version 8.2 in active Standay Mode. What is a good practice to setup IPS AIM ssm-20 for this setup.
Is IPS should be in Fail-Open or Fail-Close mode ?
Is Mangement ip for both IPS module should be same or diffrent. ?
I have installed ACS 5.2 and configured it to join the Company's Domain as an External database with Active directory 2008. I'm facing a problem that the user once authenticated using it's active directory account it's cached in the ACS and take a while for the ACS to clear this username. For example, if user TEST authenticates and then we removed this user from the AD and then tried again; it authenticates although this users is removed from the AD !!! same thing happens when we change the user group on the AD, it takes a while for the ACS to clear the old user attributes and get the new ones from the AD.
it there an aging time for this caching mechanism, or can i clear the dynamic users manually just like in ACS 4.X ?
Having problems configuring an SR520 to support SSL VPN with Active Directory authentication. I set up the domain and a user in the SR520. and get the login prompt remotely but when attempting to login using the active directory account i get a login error. I can login fine using local authentication.
View 5 Replies View RelatedIs the preempt option available in active standby ASA firewall setup with single context...somewhere i have read that same is available in active-active setup or active/standby setup with multiple context.If i active the multiple context mode on product environnement with two ASA5520 in Active/Standby mode, what are the impacts on the the production?
View 1 Replies View RelatedI am getting ready to setup avtice/standby failover on our ASA 5520's and have run in to an issue.I currently only have one External IP address available. My Idea was to use a private/placeholder IP address for the standby external IP Address, will this cause any issues with the failover? I know I won't be able to access the secondary from the outside, but that is not an issue.
View 2 Replies View RelatedI have been asked to look at upgrading two 5520 ASA configured in a HA pair Active/Standby, from version 7.2(4) to version 8.3(1) to bring it in line with some other ASA firewalls in the organisation.
My question is can I simply upgrade straight from 7.2(4) to 8.3(1) or will I have to step the upgrade from 7.2(4) => 8.2(x) => 8.3(1)
Having read a few articles on the forums and the release notes I think I should be able to go from 7.2(4) => 8.3(1) .
The second part of my query is around the upgrade itself, having researched this a little there seems to be various views on how to go about upgrading a HA pair and I cannot find anything specific on the website.
The approach I am thinking of is simply as follows;
- upload images onto both firewalls in the HA pair
- On the standby from the CLI
clear configure boot
[Code].....
I have the following Setup, Two Cisco ASA 5520 needed to be configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?
View 1 Replies View RelatedI need to configure multiple context mode with active/standby failover solution.
Even after reading some Cisco documents I still can't understand if active/standby failover configuration has to be done within the admin context only or also within every single context (context-1, context-2 for example). In this case I have to allocate as failover interface a subinterface for each context (admin, context-1, context-2), right ?
Therefore a I have an other question: within the admin context, in a failover solution, do I have to allocate all interfaces I want to be moniotred, even though some will be used by context-1 only context and some others will be used by context-2 only context ?
An other question is: if active/standby failover configuration has to be done within each context, can I set regular failover within context-1 while stateful failover within context-2 ?
The last question is: can I use management interface within all 3 contexts ?
I am trying to set up a small domain for my business. I just purchased a Windows 2008 server and would like to use it as my domain controller.Also, I just had a new ATT DSL line put in. It came with a 2Wire modem/4-port router/wireless router device, therefore the modem can handle DHCP. The line has a static IP address as well so that I can eventually use my own exchange server and web server.I have tried 2 different configurations and couldn't get either to work) I tried to put the router into Bridged Mode and use DHCP server on my server using a PPPoe connection to connect to the Internet. I was confused as to what my static IP address and default gateway of my server should be.2) Then I tried to turn DHCP server off on the server and routing back on the modem/router. This didn't work either.What method would you recommend and why? Also I have some additional questions on each method.
Method 1)
* What is the static IP address of the server. Is it in the 192.168.1.x address or the static IP assigned to my account?
* Do I need a second Nic Card And Router to connect to the rest of my network or can I use the router provide
* What would the Static IP addresses of the additional PC be. Do I need more than 1 static IP from AT&T Method 2)
* Will this allow me to use all internal IP addresses on my machines and use port forwarding if I want a specific box to be a web server or exchange server.
I know that when you create a user account in active directory, the user's computer is also added to active directory. However, in what circumstance would you add a computer to active directory in which there are no user accounts created, or used ?For instance, my Linksys wrt54g router, on the main configuration tab has a space to name the router, which is appropriate called, "Linksys", and it has space to enter it's domain name, which if I named it, I guess it would be. LinksysRouter.**.local.Why add a router to an active directory domain ?Why add any other computer to an active directory domain with no users associated with it ?
View 11 Replies View RelatedI have 1 server where i enabled dhcp server and active directory on it . I still have to install something like ISA server on it as isa doesnt support 2008 r2. point me out on the networking , like how should i connect the clients to the server. And how the wireless router and switch should be connected to the server?
View 1 Replies View RelatedI've got a fully working active directory with mandatory profiles. I'm looking into adding MS Office 2007. I have the disk and everything, but I'm wondering how to go about installing it. Must I go around each workstation installing it?
View 1 Replies View RelatedI've got this problem with our Operations Manager's laptop not letting him log in once he is offsite(at home). We use an Active Directory server here for all out workstations to log on to the domain but once he is offsite he cannot log in because the laptop obviously cannot find the sever to authorize the user. For now I just have him logging in locally to his laptop and not to the domain when he is offsite but this creates a problem; it makes two users/desktops for him, one user.domain and user.local. Is there a way to tell the machine locally that his username is authorized to let him log onto the domain account though it cannot connect to the domain server?
View 3 Replies View RelatedI am not sure why but when I try to connect with my IPSEC VPN client, authentications are failing. The ldap test passes on the ASA but when I try to login, the VPN client gives me authentication failure even though debugs show authentication was successful.User 'test1' should be able to authenticate based on group membership.User 'test2' shouldn't be able to.I already removed the attribute-map to see if that was the problem but I am still failing authentication.
View 9 Replies View RelatedI am receiving a RADIUS authentication failure stating user must change password; however, password has been changed in AD and is not requiring change password any longer on the AD side.
Is there a cache on the ACS that needs to be cleared? AD connection from ACS to domain is fine. All other accounts authenticate.
It appears that if a user lets their account expire is when this happens. Account has been reenabled in AD and password has been changed. Still will not authenticate via ACS.
I'm attempting to integrate an acs 5v into the domain through the gui. The connection will establish, and the status will read 'connected', just as it lists the domain I've submitted. However, I can't seem to find anything listed under the directory groups, and when I run a connection test, I simply get 'Global Catalogue port status error.' Eventually, I'd like to configure this as a radius server.
View 1 Replies View Relatedquestion 1. in the typical active directory environment and doing wireless/wired 802.1x authentication on endpoints, should ACS join as a domain computer?
question 2. for the endpoint (domain computer) join the domain, in this case is the endpoint will trust the ACS ( also domain computer) ?
question 3. what if there's a GPO policy to install the rootCA certificate toward the endpoints. In this case, ACS should issue the CSR and let the domain CA to signed as the identity certificate? Am i correct?