Cisco Security :: Disabling XAuth For Remote VPN Users On ASA 5510 Version 7.2(1)?
Jul 1, 2006
How do I disable XAuth for remote VPN users on the ASA 5510 running 7.2(1)?
HPMFIRE(config)# tunnel-group vpn3000 general-attributes
HPMFIRE(config-tunnel-general)# authen
HPMFIRE(config-tunnel-general)# authentication-server-group none
ERROR: The authentication-server-group none command has been deprecated.
The isakmp command in the ipsec-attributes should be used instead.
--[code]....
I couldn't find anything under isakmp to disable it.
Feb 12, 2013
I need a way to block Mac OS X users connecting remotely to our corporate users over VPN. I know there is an option to block connections based on VPN client version, but I can't find a way to block users based on operating system.
We use Cisco ASA 5510 firewalls, one with v8.2(1) and the other with v7.2(3). I need to do this on both firewalls. They are both at different sites.
Apr 5, 2011
Can I have 2 pools, each with a different subnet? [code] I want to put a restriction on remote VPN users that get an address from pool-2 and just give them access to 172.16.10.0/24. Is it possible on the ASA 5510?
Apr 5, 2011
How do I designate an access-list for the remote access VPN users in order to let them access a specific subnet or host? An ASA 5510 and ACS are in the picture.
Jun 9, 2013
I have a weird problem which I have already submitted a TAC ticket about. When users authenticate through AnyConnect into our HQ ASA 5510 they grab an address from 172.16.254.x. What we have been noticing intermittently is that when logged into our network through the client they are unable to access their resources at one of our remote offices which is connected over l2l to the HQ ASA. This problem just started randomly a week ago and we have been working with Cisco trying to create a solution.
My quick fix is logging into a device at the remote office which is trying to be accessed and pinging the gateway of the virtual subnet for AnyConnect users. When I ping 172.16.254.1 it goes through after a few dropped ICMP packets and then the issue is resolved for about 8 hours or so.
Jun 24, 2012
I have an ASA 5510 running ASDM 6.4(9) and Cisco Adaptive Security Appliance Software Version 8.4(4)1. I am trying to configure it for the first time and I am accessing the ASA via its Management interface. I am successfully able to connect to the device and get to the Cisco ASDM 6.4(9) page. When I try to run the startup wizard, a couple of prompts display up to the point where the Java applet runs and asks me to enter my IP, username and password. As it is a new system, the password and username are blank, so I enter and I get a message saying "loading software from cache" which later changes to "software Update completed" and then nothing happens. I am running Mac OS X 10.7 Lion, Java version 1.6.0_33. I did try and run this on a Windows system and I was able to load the interface.
Jan 17, 2011
We have configured a site-to-site VPN tunnel from offshore to the client location using an ASA5510 and are accessing RDP from the client location. We also configured remote VPN access at the offshore location. But using the remote VPN client we are able to get RDP from the offshore location but not able to access RDP from the client location. Is there any additional change required?
Jul 15, 2012
We have two ASA 5510s, one on 8.4(4) and one on 8.2(5), in a site-to-site VPN setup. All internal traffic is working smoothly.
Site/Subnet A: 192.160.0.0 - local (8.4(4))
Site/Subnet B: 192.260.0.0 - remote (8.2(5))
VPN Users: 192.160.40.0 - assigned by ASA
When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B, however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc. are not reachable by ping or otherwise. There are also some weird NAT rules that I am not happy with that were created after I upgraded the Site A ASA to 8.4.
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, email, Internet and the site-to-site. What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
[code]....
Jan 16, 2012
Can we use the ACS 4.1 version recovery disc on the 4.2 version to recover the forgotten password?
Sep 17, 2012
I have an RV082. I need to disable the firewall, since firewalling is done better elsewhere. However, when disabling the firewall, remote management on the WAN IP is forcefully enabled. I don't need remote management; keeping it enabled is a security risk for my setup. I don't understand the rationale behind the choice to forcefully enable remote management if the firewall is disabled. Is there a way to disable both the firewall and remote management? Or at least a workaround?
I'm on firmware 2.0.0.19-tm on probably v2 hardware (cannot find this info in the web configuration). This is not the newest even for v2 hardware, but I cannot afford to break it trying to upgrade the firmware. Moreover, no release notes for firmware releases refer to a correction of the firewall/remote management behavior. Is this behavior also in newer firmware releases?
May 10, 2011
I am using a Cisco ASA 5510 with ASA Version 8.0(4) and 256MB of memory. I need to upgrade it to 8.3.
Jul 10, 2012
My wife just bought a Dell XPS L502x. I cannot get it to connect to our wireless network without disabling the router security completely. Even then it is slow.
Dell XPS L502x
Windows 7 Home Premium 64 bit
6 GB RAM
Intel Centrino Wireless-N1030
Our router is a Linksys Wireless-G 2.4 GHZ WRT54GL
I am aware of the PSP issue and have turned off the option to allow the computer to turn off the adapter, and have set the power settings to the highest settings for both battery and plugged in. I have messed with the router's security and the computer will not connect unless I turn off the security entirely. Then it connects but is slow. Anything else and it will not connect at all. Regardless, it can always detect the network without a problem and shows a signal strength of Excellent (full bars) even when it is running slow. It works great on a cable or with a wireless USB adapter. I am positive that I am entering the password correctly as I have done this many times now. All other wireless devices in the house connect without a problem, including her old Dell laptop. I have updated all the drivers (including the adapter) and keep current on all the Windows updates. When I run ipconfig /all it lists all my wireless adapters and the Bluetooth as "media disconnected". Not sure if that is referring to not being connected to the network or something else.
Nov 17, 2012
I am using ASA Version 8.2(1). I want to limit the VPN users to use less bandwidth of my Interlink to access something on the inside network.
Example: source: VPN pool
Destination: inside network
How can I achieve this with a QoS config?
May 7, 2013
I have a Cisco WLC 2504 that is providing authentication services to guest users through a customized and configured web portal. I need to install my VeriSign certificate (certificate.cer) on the Cisco WLC because my users don't like the untrusted page (the WLC is showing me "There is a problem with this website's security certificate") when they try to access the guest SSID.
Feb 20, 2012
Is it possible to enable Xauth on a PIX? I have read multiple threads about using the following commands:
username test123 password testing privilege 2
aaa-server LOCAL protocol local
crypto map mycrypto client authentication LOCAL
However, the f/w won't let me add the crypto map command; it just comes back with the following:
PIX(config)# c.rypto map mycryptomap client authenication LOCAL
Usage: [ show ] crypto { ca | dynamic-map | ipsec | isakmp | map | sa } ...
show crypto engine [verify]
[ show | clear ] crypto interface [counters]
I also tried the following, but they don't work and I am not sure if they are meant for Xauth, since I was under the impression that it had to be enabled globally.
PIX(config)# vpngroup test authentication-server LOCAL
Protocol "local" is not supported for authentication of remote users of a h/w client
PIX(config)# vpngroup test user-authentication
[code]....
Nov 17, 2008
I have a problem auto-connecting an Easy VPN client to an Easy VPN server using a saved Xauth username/password. The EzVPN client is a Cisco 2691 using IOS 12.4.15T7. The config is as follows:
crypto ipsec client ezvpn EZ
connect auto
[code]....
The router keeps prompting me to manually enter the username/password. Connectivity will be established after I manually enter the username/password, but this is not what I desired. I need it to connect automatically.
The EzVPN server is a 7200 running 12.4.22T. Config as follows:
aaa new-model
aaa authentication login USERAUTHEN local
aaa authorization network GROUPAUTHOR local
[code].....
Dec 1, 2011
I've had a WRT160N v3 for a couple of years, and I've noticed that the wireless security setting is often set to disabled when I go into the configuration, even though I've set it to enabled previously. It goes like this:
I've set up the router to have WPA2 Personal security enabled, with a passphrase. I have several devices that use wireless and connect to it every day. I recently received a new device, so I went into the Linksys configuration to get my passphrase, and the security is set to disabled. So, I enable it again, configure the device, and have no problems.
This has happened many times. I just happen to be in the router configuration and check the wireless security tab, and it is set to disabled.
My first thought was that maybe there had been a power loss (although I can't remember the last power outage we had in my area). However, every other setting was retained, so I can't see why this would be the only one that changes (and it's a rather important setting). Additionally, I was configuring a Blu-ray player last night, trying to see if it was better with a wired setting from another access point, and the setting was disabled, so I enabled it again. I made changes to the Blu-ray player, then changed it back to a wireless connection. I checked the security setting on the Linksys, and AGAIN it was disabled.
Aug 14, 2011
I have set this up on pre-8.3 code and 8.3 code as well. I have the following configured on the ASA, but it is not working and I am not seeing the ASA trying to NAT the VPN pool IP address that the client gets assigned.
object network VPNPool
subnet 192.168.70.0 255.255.255.0
nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
Apr 25, 2012
I have roughly 50 users that are remote and use VPN to access the resources in my network such as file servers, application servers, etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan of Microsoft VPN.
I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely. Is this possible?
Dec 30, 2011
One of our accounting administrators will be working in our server this weekend from his home remotely. He wanted to know if there was a way I could temporarily lock users from remoting in for a few days to prevent them from messing up his work. The only way I could think of was disabling the accounts in Active Directory and then re-enabling them once he was done. The server is running Windows Server 2003 with the users remoting in via RDP. They all have accounts in Active Directory.
Aug 8, 2006
ASA 5510 Security Plus edition: will it support active/active failover? Does it support contexts with the Security Plus edition? And how many default contexts do we get with the ASA 5510 Security Plus edition?
Oct 19, 2011
I have set up an SA520W and configured SSL-VPN for our small business. Everything seemed to go smoothly and I tested SSL VPN by logging in and playing around a bit, which seemed to be fine. However, shortly after deployment I started getting complaints about it being much slower than our old VPN through the consumer-grade router I just replaced. I investigated and tested with IE8 and Chrome on Windows XP 32-bit with several different machines, and in all instances it did seem very slow indeed. While looking around I noticed that the Task Manager under the Networking tab shows the SSL VPN connection as VirtualPassage at 64 Kbps. Going into Network Connections shows VirtualPassage under the Dial-up heading with device name Virtual Passage SSLDrv Adapter. Additional properties describe it as an ISDN channel. I have attached an image of the Task Manager pane. The router is running the latest firmware, 2.1.51. It is connected via a static IP that does not require a login to our dedicated 5 Mbit / 5 Mbit Ethernet-over-copper link to our ISP. We get great speeds and low latency through everything but SSL VPN connections. I haven't done anything fancy, so the router certificate is the factory default. Currently we are using the existing 2 SSL VPN licenses that come with the router until we need more access, at which point I want to upgrade to the 25-user bundle. However, I don't feel comfortable upgrading until I get this resolved, because 64 kbps simply cannot work for us as a VPN solution. How do I configure the SSL VPN to not limit at 64 kbps? My engineers are making fun of me for bringing us back to dial-up, and I have to agree with them!
Apr 12, 2011
We have a high availability pair of ASA 5510s in a data centre where we have configured remote access to allow users to log in via SSL VPN. Now we want to add further security to our environment and are adding endpoint assessment licenses. The question I have is: would I need two sets of the license ASA-ADV-END-SEC?
I learned the hard way before with ASA SSL VPN licenses breaking another failover pair, as it needed identical licenses on both units! Will I need 2 separate license sets to keep my firewalls in an HA pair?
May 22, 2013
I have two firewalls, one at the MAIN site and another at the BR site. I have configured RA VPN for both and I am able to access the internal networks of the respective firewalls. But the requirement is that I want to connect to the MAIN site through RA VPN and access the BR site internal networks through that connection.
Oct 29, 2012
I have a problem on a Cisco ASA5520 version 8.2(5). A customer has set up a syslog to keep track of TCP sessions made by VPN users. On the syslog we filter %ASA-6-302013 and %ASA-6-302014 log messages, respectively: Built inbound TCP connection and Teardown TCP connection. When the connection is made by a VPN user, at the end of the log line you see the VPN username, which should be the same in both messages for the same connection. I have verified that when a user, let's say UserA, disconnects from the VPN, their TCP sessions are not properly closed; if another user, let's say UserB, establishes a VPN immediately after and gets the same IP address previously assigned to UserA, the log sessions are recorded with UserA in the %ASA-6-302013 message and UserB in the %ASA-6-302014 message. I presume this is due to the fact that the TCP sessions are not torn down when the first user disconnects, and it looks like a bug to me, but I didn't find it referenced anywhere. Is there a way to have all TCP sessions torn down when a user disconnects the VPN connection?
Sep 14, 2011
I configured IPsec remote VPN on a Catalyst 6500.
192.168.14.0/24-- my servers are assigned this subnet
vpn user:10.10.10.0/24
192.168.10.229 ---- webserver ip address
[code]...
Mar 7, 2011
I am using my ASA 5505 for remote VPN. I use both Windows and Macs. I use the Cisco VPN client software on the Windows machine; on the Mac I have used both the Cisco VPN software and the built-in OS X VPN client.
I am able to VPN with all machines, but randomly the VPN will disconnect all users. I know there is a setting that may fix this, which I think I tested in the past and it did not work, but I have now forgotten it.
Mar 16, 2011
I was trying to access some computers in the network via Remote Desktop. All those computers were being used by other staff. What I noticed is that for some computers I can access via Remote Desktop by forcing them (the people who were using the computers) to log off. But for some computers, I got a message similar to "user is currently logged onto the computer, you are not allowed to connect". I want to force them off too and access these computers. How can I do it?
Oct 29, 2012
I have a problem relating to remote access VPN configuration on a Cisco ASA 5550 version 8.2(1). I used Cisco VPN client 5.0.03.0560 with a simple topology: laptop (client) ----- (Internet) ------- (public IP) ASA. Now, I can ping from the laptop to the OUTSIDE interface on the ASA from the Internet. When I connect from the Cisco VPN client to the ASA, I get the log on the Cisco VPN client as below: [code]
Oct 23, 2012
I have five (5) sites all connected via static VPN tunnels. They are all using Cisco ASA 5510s running 8.4(4)1. Any internal IP on each site can ping any IP on a remote site, because of the static VPN tunnels. I have the external IP (routeable) addresses connecting to each other.
Site A: 10.1.0.0 /24
Site B: 10.2.0.0 /24
Site C: 10.3.0.0 /24
Site D: 10.5.0.0 /24
Site E: 10.10.0.0 /20
I have remote users who connect using Cisco AnyConnect 3.1 to Site E. They get a static IP within the 10.10.100.0 /24 subnet (vpnpool00) and can access anything in the 10.10.0.0 /20 subnet. So far, so good. Now management wants users to access devices within the other sites, specifically Site A, using the same AnyConnect connection. In other words, they get an IP address of, say, 10.10.100.5 and now need to access a server on Site A's subnet, e.g. 10.1.0.5. I have checked my NAT statements and they appear to allow this, but so far when I do a ping I get the following:
Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0
What am I missing? Is there a NAT statement that is wrong, or an access-list statement, or possibly a static route?
Apr 9, 2012
Currently we have a Cisco 3020 VPN Concentrator to terminate LAN-to-LAN tunnels and have our mobile workers connect via the Cisco VPN client (300 users: employees and contractors). Since this device is coming to EOL this year we purchased a Cisco 5520 (below are the current licenses on it).
The licensing seems rather complicated, therefore this is my question:
- What VPN solution do you recommend for our users and contractors? It is my understanding that the Cisco VPN client does not work with ASA 5500 series devices.
- Is there a license needed to deploy VPN solutions for our remote users (employees/contractors)?
Jul 1, 2012
How do I find out the Red Hat OS version on the ACS 1121 appliance?
Jul 23, 2012
I configured a dynamic VPN (Easy VPN) on a Cisco ISR. But the VPN clients cannot access any of the LAN devices. The VPN pool is 10.0.0.1-10.0.0.20 and the internal network address is 172.17.x.x. I tried to disable the zone-based firewall but got no result. [CODE]