Cisco Firewall :: Enabling Microsoft LDAP With ASA 5520

Oct 27, 2012

I am trying to implement Microsoft LDAP server with our ASA 5520. The client is using Cisco VPN client and when I am trying to connect I am receiving the following error message:
 
"Secure VPN connection terminated locally by the client. Reason 413:User authentication failed"
 
I triggered the debug on the ASA 5520 and everything looks fine .The LDAP server is sending the right information without any error message.
  
Googled this error message and I found that I need to enable the simultaneous logins to enable. I enabled it but I got the same error message. This configuration is under remote access vpn>group-policies>General>more options.

View 64 Replies


ADVERTISEMENT

Cisco Firewall :: ASA Version 8.2 (2) / Authenticate With Microsoft LDAP?

Jul 25, 2012

I am running ASA ver. 8.2(2)  and all users are configured in the ASA. This ASA is uses as a VPN ASA and we are using it for remote access for external users. When a user is logged in, he gets all parameters that are need to continue working from outside, such as, IP, assigned to special group with special permissions and so on. All the parameters that are needed are configured under  user attribute. See example below: 
  
username username1 password xxxxxx == nt-encrypted
username username1 attributes
vpn-group-policy Basic
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 30

[code]....            

Is it possible to live the user attributes as is and to force the users to authenticate via LDAP servers only?

View 4 Replies View Related

Cisco Firewall :: Enabling Outbound Traffic Through ASA 5520 8.4(4)1

Apr 4, 2013

We've got a proyect that requires a few thin clients to connect to a remote PCoIP server.
 
Looking to the documentation, the only port required to be open through Firewalls is TCP/UDP 4172, however, we've seen (making interface captures) that it somehow also uses ESP (IP protocol 50).
 
We've got a static NAT translation translating those thin clients to a public IP address, we've created ACLs to allow inbound (shouldn't be necessary as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP and I cannot make it work.
 
I've also enabled IPSec pass-through Inspection to no avail.
 
how should we configure our ASA to enable this kind of traffic?

View 4 Replies View Related

Cisco Firewall :: ASA 5520 SSL VPN LDAP Authentication Configuration Required

Oct 16, 2012

I've gotten to the point where I can test against active directory and get in, also I can get AD groups from my server on the ASA. My problem, I can't connect in via my AnyConnect client on my Android. I immediately get a "log in failed" and I know I'm using the right username/pass. Doing a little troubleshooting, I have attached my AnyConnect debug log and the results of the "debug ldap 255" command on the ASA. Also, I've used ldp.exe to determine I can connect in with the username/password combo I'm using.Combing through the AnyConnect logs I see a few instances of "global error unexpected" but no Google searches have brought up anything useful.

View 7 Replies View Related

Cisco Firewall :: 5520 - Enabling And Disabling Graphs In ADSM Dashboard?

Jun 10, 2012

I have just logged into the ASDM for my 5520 and can see under the "Firewall Dashboard" tab that I can enable these graphs/stats, why would they be disabled?  So I was wondering if I enable these and they use alot of memory how can I disable them again?

View 3 Replies View Related

Cisco Firewall :: 5520 Enabling And Disabling Graphs In ADSM Dashboard?

Oct 5, 2011

I have just logged into the ASDM for my 5520 and can see under the "Firewall Dashboard" tab that I can enable these graphs/stats, why would they be disabled?  So I was wondering if I enable these and they use alot of memory how can I disable them again?

View 1 Replies View Related

Cisco VPN :: Spaces In LDAP OU Field ASA 5520

Jun 21, 2012

I'm running VPN SSL on an asa 5520 (V8.2.5) with LDAP authentication and everything works fine but now the AD people changed name in the groups and they added a " " "blank" in one of the fields so when I configured the group I get an error.

for example:

map-value memberOf CN=VPN_SSL_ABC,OU=External,OU=XXX,DC=ext,DC=local ABCPolicy
 
but this does not:
 
map-value memberOf CN=VPN_SSL_ABC,OU=External Group,OU=XXX,DC=ext,DC=local ABCPolicy
 
Is there any way to insert a space in the OU field?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5520 - VPN Access Control Using LDAP

Mar 13, 2011

I am configuring an ASA 5520 for VPN access.  Authorization & Authentication use an LDAP server.  I have the tunneling configured successfully, and I can access internal resources.  What I want to do now is to restrict access to a specific AD Group membership.  In the absence of that group membership, a user should not be allowed access to the VPN.
 
My test VPN client software is Cisco Systems VPN Client Version 5.0.05.0290.  The group authentication is configured into a Connection Entry that identifies the Tunnel Group. I think I worded that correctly.
 
The Software Version on the ASA is 8.3(1).
 
My current challenge is getting the VPN to stop letting every access request through regardless of group membership. 
 
[URL]
 
The configuration (AAA LDAP, group policy, and tunnel group) is below.
 
aaa-server LDAP protocol ldapaaa-server LDAP (inside) host x.x.y.12      server-port 636      ldap-base-dn dc=domain,dc=com      ldap-scope subtree      ldap-naming-attribute sAMAccountName      ldap-login-password ********      ldap-login-dn

[Code].....

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 5520 VPN Users Are Authenticated Against MS-AD Through LDAP

Sep 1, 2011

I have 2 ASA 5520 (v. 8.21) in a active/standby fail over configuration.
 
VPN users are autenticated against the MS-AD through LDAP. For the most part this works well. Occasionally I'm having problems with new users in the AD. If I run a test I keep getting "User was not found". This can happen days after the account was created still. In some cases it never seems to work. The accounts I create exists on the same OU level as all the other accounts that are working.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 / Enabling Firewall To Send Logging Information?

Jun 22, 2011

I have a ASA 5510 firewall with CSC module and Security Plus license for CSC module.Will you tell me how to configure my firewall to send emails to particular mail ID when someone login into the firewall or any virus attacks from outside.

View 6 Replies View Related

Cisco Firewall :: ASA 5510 Cannot Connect To Microsoft IAS

Apr 24, 2012

I am transitioning from a Microsoft ISA server to a Cisco ASA 5510. So far so good, until it comes to getting AAA functioning properly. I have a Microsoft IAS server that is functioning properly, however when I try to test it through the ASA's ASDM it errors out. When I run a packet trace it shows it's being blocked by the dreaded implicit ACL. The funny thing is that I can ping and traceroute to the IAS server from the ASA. I found numerous config examples for AAA using IAS, but still not working.
 
Could it possibly be behaving this way because my ASA and my IAS server are on two different internal netowrks? (172.31.1.x-ASA, 10.1.1.x-IAS)

View 1 Replies View Related

Cisco VPN :: Microsoft VPN Client To ASA 5510 Firewall?

Aug 5, 2012

We just set up the AnyConnect SSL vpn on our ASA.  I am able to establish a connection fine using the Cisco AnyConnect client.  I would like to use the native Windows VPN client though if possible. What configuration changes on either the firewall or the client I would need to make for this to happen?

View 1 Replies View Related

Cisco WAN :: Microsoft Outlook Though ASA5505 Firewall

Nov 16, 2011

I have some users from another company who are visiting my company. The use outlook to access their mail. I think it is via RPC over https (ssl). When there are on my network they are unable to send messages but when the connect to an ISP directly they are able to send. I have a cisco 2821 as my internet router and an ASA5505 (8.0.5...i downgraded it from 8.2.3) as my firewall. I have not blocked anything from going out. Of note is that when other users use window live configured for gmail....which uses tls they are unable to send emails with atachements. Regular emails go though no problem. Hotmail can send atachments without a problem (there is no encrytion there). I have narrowed the issue down to how the firewall treats esmtp or tls traffic passing though it. I have already diabled inspect esmtp on the firewall.

View 2 Replies View Related

Cisco Firewall :: Microsoft Exchange With NLB And PAT On Asa 5510

Nov 7, 2012

i have exchange with NLB cluster.
 
i want to PAT the cluster ip to access email from outside. i know i can add the static arp entry for multicast cluster ip.
 
my question is i can add static nat command to that same cluster ip for port 25 and 443 like normal way like we do for normal PAT?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Enabling SYS Log ID

May 28, 2013

I'm having a problem with an ASA 5510 and software from Manage Engine (Firewall Analyzer).  They are saying that sys log 113019 is not getting data over to the server where the firewall analyzer is installed.  I'm checking the config and I see it enabled.  Why this particular sys log info isn't making it to the reporting software when other data is.

View 4 Replies View Related

Cisco Firewall :: 5505 Rule For Allowing Computer Access Microsoft

Apr 24, 2012

I have a computer behind the ASA 5505 firewall. The computer needs to access Microsoft Activation Server. Reading some website information, I need to allow a huge list of servers that basically points to www and https traffic. Therefore, looking at this heavy requirements, I prefer to allow this computer to navigate to any https or http (www) server outside of the firewall.I have included my current asa 5505 configuration. [code]

View 3 Replies View Related

Cisco Firewall :: ASA5505 - Microsoft SQL Server And Anyconnect Remote Client VPN

Oct 29, 2012

I ve configures an asa 5505 for remote vpn with anyconnect. it works just fíne - from remote i can ping the Clients and Server inside, i can do RDP or Connect via SSH to any machine, map some volumes local and so on but: I can not connect microsoft sql server. It uses port 1433 for the first connect and establishes then a dynamic connection. So i am a Newbie  - what rules or configs do i miss?   

View 3 Replies View Related

Cisco Firewall :: 5510 Enabling Ping For Dmz

Mar 4, 2011

I currently have an ASA 5510 unit. I have a dmz setup which house some web servers and an inside interface. The web servers contain multiple public ip addresses which I have natted and access is fine.What is the most simple way to enable ping for my dmz from the outside. Meaning if someone outside the network pings one of the servers by its public ip address I would like it to respond to ping.

View 1 Replies View Related

Cisco Firewall :: Enabling IPS On 2911 Router?

Sep 20, 2012

I enable the IPS  on the 2911 router .  I am using the Basic IPS signatures that are inbulid on the routers . But sill it showing , that no signature is active .
 
ip ips signature-category
  category all
      retired true 
ip ips signature-category
   category ios_ips basic
      retired false

[code]....

View 1 Replies View Related

Cisco Firewall :: Pix 535 Enabling RIP On The Firewall

Aug 8, 2012

I am getting this error on my PIX 535 with 8.0.4 code. The error is b Error : OSPF/RIP cannot be enabled on failover interface, I am getting this error while trying to enable RIP on the firewall. The context is single mode and failover is enabled. When I am disabling the failover the Firewall is accepting the RIP configurations.

View 1 Replies View Related

Cisco Firewall :: Telnet Not Work After Enabling AAA On FWSM 3.2

Oct 7, 2011

After enabling AAA FWSM lost opportunity telnet session. FWSM version 3.2(5). In the logs show that resets itself FWSM telnet session.

Conf.,aaa-server TACACS+ (management) host 192.2.151.111
key aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
[Code] .....

View 3 Replies View Related

Cisco Firewall :: ASDM V6.4 / Enabling History Metrics

Mar 5, 2013

I am currently using ASDM v6.4 and would like to enable the historic metrics feature to view/produce graphs/tables for interface using the Last 5 days, every 2 hours option. how this will impact performance and storage space on the device?

View 1 Replies View Related

Cisco Firewall :: 65535 Make Video Conference Call Through Microsoft Office Communicator

Oct 19, 2010

my client wants to make videoconference call thorugh Microsoft Office Communicator, this should be operating between host from one site to another one, but we already configured some rules in the firewalls, and making some test I see that the videoconference use dynamic ports (1024 to 65535) and if we let to operate the videoconference we should remove all the rules in the firewall and that's not the point.

View 6 Replies View Related

Cisco Firewall :: 5060 Microsoft Office Communicator 2007 TCP UDP Ports Remote Users

Mar 11, 2012

We have a Cisco secure VPN site to site tunnel between the 2 locations.Which ports are need to open on tunnel so that users can successfully use OCS over the site to site VPN tunnel.All the users are havning the main brach AD account.Using Wireshark captured the packets, found only port TCP 5060, after allowing this port over tunnel I can see the authentication window.The user authentication fails. Already port 3389, 80, 443 are allowed.The main requirement is to only have the Chat, Group Chat and file transfer. Not require AV traffic.OCS is using TCP. no TLS is configured.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Authenticate Users Of Specific LDAP Group

Apr 19, 2010

I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510

View 12 Replies View Related

Cisco Firewall :: Enabling Traffic On E0/2 And E0/3 Ethernet Ports - ASA 5510

Aug 10, 2011

enabling traffic between interfaces on the ASA 5510. Of course I have an outside interface E0/0 and an inside interface (E0/1) for normal operation. The idea was to enable one of the remaining interfaces on the 5510 to attach an internal network resource to for management in case we lost our switch. I am using E0/0 as the outside interface and the inside interface is E0/1. I am wanting to attached a management device on the same inside network IP address range for simplicity. I have E0/2 configured for the same security level (100) as the other inside interface and I also have enabled same-security-traffic permit inter-interface as well but I still cannot access the device on that port. Is there something else I am missing? I guess the best way to explain this is that I want ports E0/2 and E0/3 to act like a "switch" so to say...... The ASA 5505 lets you do this pretty easy but having trouble on the 5510. 

View 4 Replies View Related

Cisco Firewall :: ASA 5510 / Can LDAP-authenticated Remote User Be Assigned A Connection

Jun 30, 2011

ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not.  I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...".  I created a new Group Policy with split-tunnel enabled.  I created a new Connection Profile and assigned to it the new Group Policy.  When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want.  Each of them works, enabling or disabling split-tunnel.  But I want to assign a connection profile to the particular user, not give the user a choice.  The problem is I'm using LDAP authentication.  The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing.  I really don't want to give up LDAP and force people back to another local password.  But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile.  At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page.  Otherwise, DefaultWebVPNGroup will be the connection profile".  If I clear that switch every user will be assigned the same default profile, which does not work.

View 2 Replies View Related

Cisco Firewall :: Enabling RIP On PIX 535 / Error / OSPF / RIP Cannot Be Enabled On Failover Interface

Jun 29, 2012

I am getting this error on my PIX 535 with 8.0.4 code. The error is Error : OSPF/RIP cannot be enabled on failover interface, I am getting this error while trying to enable RIP on the firewall. The context is single mode and failover is enabled. When I am disabling the failover the Firewall is accepting the RIP configurations.

View 2 Replies View Related

Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using ASA-5520-K9 with  ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.

View 1 Replies View Related

Cisco Firewall :: Upgrade From 5505 To 5520 On Network - ASA Firewall Throughput

Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
 
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
 
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?

View 1 Replies View Related

Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citric Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
 
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
 
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
 
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.

View 17 Replies View Related

Cisco Firewall :: Launch LAND Attack Against Firewall ASA 5520

Apr 15, 2013

I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved