editing the name of a vpn connection profile and its policy, i have created the profile throught ipsec VPN wizard, the profile got automatically the name: DefaultRAGroup and also its grouppolicy got the name: DefaultRAGroup, in the edit window i cant change the Name?how can i rename them?
View 1 RepliesI have two Nexus 5520 running 5.0(3)N1(1c).
I have both boxes heading off to ACS for TACACS lo gin authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User lo gins are authenticated by ACS and users have the correct command set applied to them.
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520's to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
The NEXUS console reports this error. (amongst many others)
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
A show system reset-reason shows:
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
Reason: Reset triggered due to HA policy of Reset
Service: Tacacs Daemon hap reset
Version: 5.0(3)N1(1c)
Could this be a bug with Nexus/ACS?
I have an ASA 5510 being fed by ACS for authentication and groups.I have several VPN groups, and I'm trying to determine how the local routes on the VPN client are created. I know it's based on the vpn group becuase clients with different policies get different routes when they login. I know I should know this as I've setup groups before but for some reason this section of my brain wasnt backed up.
View 4 Replies View RelatedHow can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
View 1 Replies View RelatedHow can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
Did I need to call my ISP?
i have got the below long on the acs 5.2,one the vpn client user connect to asa 5510
Description
Selected Shell Profile is DenyAccess
Resolution Steps
Check whether the Device Administration Authorization Policy rules are correct
I have a problem with one of our IPSec site-to-site vpns.
-we use ASA5540 and the remote site uses a software based FW (steelgate borderware). -there are some old ACLs on our FW that have the remote site's IP address as an incoming node having TCP.... access to some servers on our LAN (why they didn't use static/dynamic NAT for clients of both end to have TCP connection???)
-when I try to set up the vpn the name entry of the remote site (which is optional) changes with IP address of the peer in vpn profile and it confuses the vpn, so the IKE phase1 won't establish. the name entry is because of those ACLs that have been entered in the past.
Q- How to stop ASA creating names via ASDM when adding ACLs?
Imagine the other site's network people are the most inflexible IT guys to do any changes in terms of using static or dynamic nat for their clients to have access to ours, so I can replace their FW IP address in ACL with other NAT addresses.
how we can clear the username in the Anyconnect Connection Profile on a users laptop? Currently it defaults to the last username used but our security group would like that cleared so that the field comes up blank every time. This feature was available in the old Cisco 3030's but I can't find it in the ASA.
View 3 Replies View RelatedWe assign in our IPSec VPN the tunnel-address from our centralized dhcp server pools.In the profile we have two server's ip configured.In test (whireshark) we noticed that the discover always go to the first configured ip.
I do not understand and could not finf hints how the function is.
- backup server with a timeout when no answer comes from primary ?
- should ASA do simultaneous discover to all configured ip's ?
=>Problem is, that although the first server not answered in a timely manner, we noticed no discover to the second.
Here the partial CLI - Config:
++
tunnel-group AZInt07 type remote-access
tunnel-group AZInt07 general-attributes
authentication-server-group ActivPack
default-group-policy AZInt
dhcp-server 10.x.x.y
dhcp-server 10.x.y.y
[code].....
i've configured 4 connection profiles (IT,HR,Admon,VIP) on the asa everything works well, but our boss wants to know if it's possible to assign the right connection profile without using group drop-down list, what he wants is to use a unique connection profile (non-default) and via radius attributes using ACS 5.X to assing the right profile.
View 6 Replies View RelatedI have a pair of ASA 5550s running Anyconnect Essentials, with multiple connection profiles configured. I would like the login page to the portal to default to our main corporate profile (so the users get NAM and all the policy goodness), but presently it is defaulting to the last profile I created. Is there any way to modify the default connection profile in the drop down list so it always defaults to my preferred profile? It seems like I saw this sometime in the past.
View 2 Replies View RelatedI have a big problem with my Cisco 1841 and the WIC-1AM-V2 in Slot 0.I got the task, to test if it is possible, to build up a connection (Dial on Demand Routing) to a remote modem, which is connected to a console port of another Cisco 1841, with the integrated modem card over POTS from the CLI of the router. My router will only dial out to the remote modems and only if its needed.I am connected to the router with the integrated modem card over a console cable on the console port. The remote modem is also connected to the console port of the remote Cisco 1841.
I found out, with my Dialer Profile configuration, it is possible to build up a connection. I configured a dialer list, that specifies that all ip traffic is permitted an interesting for my dialer interface. So a telnet or ping brings up my dialer, which brings up my Async interface. With the "show line" command, I can see that the TTY line, connected with the Async0/0/0 Interface is in use for 5 minutes, because of the "exec-timeout 5 0", which is configured on the remote router. Now the problem is, in this 5 minutes, I can not use a remote telnet on this line with my loopback interface, because the line is already in use and I get a "connection refused". The first telnet I use runs in a timeout, because the remote host is not responding. When I dial out directly from the modem card and not from the CLI with the AT-commands, I get also the connection and with a return i get the login prompt. I will post my actual config, so that you can see maybe a mistake I did or which command I must use, to get a working connection. [code]
I needed to change the mask, not the ip address, of the outside interface of an 5510 running 8.2(3).
Immediately afterwards I could establish ASDM but could not re-establish SSH.
I tried the following:
Zeroize the rsa key and generate a new one Create a new SecureCRT session to accept the new key
That didn't work. All I have is ASDM access.
I have successfully setup radius using win2003 IAS and cisco asa 5510 running asa version 8.2. My vpn client is 5.0.07
For the user account on my win2003 IAS, i enable the option "user must change password" but when i try connecting i was not prompted to change password but the window kept popping up again for me to key in username and password. If i disable the option "user must change password" i can login successfully. I would like to have the option to change password.
i have following problem. I configured on a Cisco ASA5510 VPN authentication with LDAP. It works fine but one thing doesnt works.If i configure on my Active Directory the user for "User must change Password at next login" the message for password change is coming (look screenshot AnyConnect1), but if the user want to change his password, the password will not accepted by the system(look screenshot AnyConnect2).In the Group Policies on my Active Directory i disabled all features(look screenshot Pic1)I tried all combination for the password, but nothing will accepted.i configured LDAP over SSL and in the Tunnel Group i enabled the password management with "NOtify User 2 days prior to password expiration".
View 3 Replies View RelatedRouter: ASA 5510
We have changed the ISP, so therefore new wan ip-addresses.
Internet works, and site-to-site vpn works, but I'm failing to localice why the remote access vpn won't work.
i configurated ipsec vpn at cisco asa 5510. all them are working very well. now i want to change ipsec remote vpn to L2tp over ipsec.i have router, asa and 3750 switch. all nat translation are done at router , ipsec vpn configurate at asa.
this is my ipsec configuration. this is working config. as you see i do static nat asa outside ip for vpn at router. now i want l2tp over ipsec. before i do it i have some question
1. must i do static nat port udp 1701 for l2tp over ipsec vpn? can i write access list at asa to open port 1701?
2. can i remove this static nat or i can not be change anything.is this nat is true for l2tp over ipsec vpn?
3.as you see user authentication from radius server at ipsec vpn. i also want this is same as l2tp over ipsec vpn..
4. i think that i must be add this addtional config. is this true? tunnel-group DefaultRAGroup ppp-attributesno authentication chapauthentication ms-chap-v2
is this config enougth for l2tp over ipsec vpn?? what is addtional config i need?
I have an ipsec tunnel IP is changing from mythical 200.200.200.182 to 200.200.200.254. Is it possible to change the .182 ip in below config via the CLI to .254 and have the site-to-site vpn continue to work? [code]
View 1 Replies View RelatedI have a Cisco 5510 which has remote access VPN configured.Now I have new block of IP address, is there a way I can just change the outside interface IP so that people can remote in without doing anythng else?Or if I coulds be taught to create a new one.Or best way to approcah this issue?For example: it was 67.64.x.x now I need to change to 64.44.x.x.
View 1 Replies View RelatedWe will be moving to a new data center in the very near future and with them our WAN IP addresses will be changing. Any best course of action for changing the IP addresses throughout the firewall configuration? Would it be possible/suggested to export the running-config, make the neccessary changes, then import the config? I am familiar with the ASA 5510 only so far as changes are required. It is not something I work with on a regular basis.
View 5 Replies View RelatedWe've recently shut down an interface on one of our ASA 5510s as we no longer use that service provider. The dashboard, however, still insists on showing traffic usage on this interface. How do I change the dashboard to display a more meaningful interface?
View 7 Replies View RelatedI'm setting up a Site-to-Site Cisco VPN between ASAs. I'm being told by the remote site engineer to set the maximum MTU at 1362. Is it possible to set the MTU for one specific site-to-site VPN on my ASA 5510 Security Plus to MTU 1362? I see my interfeces are all set at 1500. If not, would you recommend I setup a subinterface on my inside network router and a subinterface on the ASA with an MTU of 1362 to get around this issue? Then use this subinterface for traffic from my inside network to transverse through prior to hitting the VPN.
View 1 Replies View RelatedI am using laptop with wireless connection. would like to change my ip address
View 2 Replies View RelatedI have been having considerably slow internet compared to the other guys I live with and decided to investigate. I have run the speedtest.net on a good chunk of their computer and they all get around 40 mb/s while I am getting 2 mb/s. I have figured out that when I go in and change my MAC Address, I am able to get the same speed that they do for a short amount of time, but after a while(I haven't figured out a time interval) my speeds go back to the 2 mb/s. I can then go back in and change the address again and the same thing happens. I thought I might have a virus, but the different scan that I have tried running show nothing and when I do netstat from the command prompt, nothing abnormal shows up.
View 3 Replies View RelatedI am trying to set up a internet connection to my campus network. i followed there instructions to the T. The network requires me to change my proxy settings. But every time i change my proxy to connect to the to the network, it say that i am connected but i can seem to load any pages. it worked before but i just redid my computer an it doesn't work now. one of the steps in the list of instructions given to me by the university was to select "dial whenever a network connection is not available" but selecting this is restricted for sum reason what do i do ?
View 1 Replies View RelatedI have a Cisco ASA5520 that we are going to use to allow users to connect to our network via the Anyconnect client, I have authentication set up to validate against AD via LDAP, but was wondering if there were any way to set up the profile to check the PC before they log in....we do not want users using their home PCs to attach to our corporate network, only PCs that were issued to them by the company. Nothing is jumping out at me in the config, we are running some fairly old sofware on the boxes (ASA - v8.2(2), Anyconnect - v2.5.3046) I plan on upgrading the Anyconnect to v3.1 but will probably need to keep running the 8.2(2) version on the ASA due to support issues.
View 2 Replies View RelatedI have enabled the following attribute...Show Pre-connect Message—Displays a message to the user before the user makes the first connection attempt.Where do you actually enter the text for the message?
View 1 Replies View Relatedwhat's the ACS 5.3 common configuration for authorization profile for RAS authorization ?
I have an authorization error and the customer needs PPP, LCP, ip pool (configured on the ras).
I am running some tests with Cisco Anyconnect 3.0 and trying to configure profiles with profile editor. my understanding is that when we configure a profile under the AnyConnect profile editor, it will be used automatically when client connects to the SSID.
I have downloaded both the profile editor and AnyConnect secure mobility client, when i create a new profile and save it under "Network Access Manager newConfigFiles" folder, it seems the profile does not take any effect when i try to connect to the SSID, I am still propmted for user credentials when I try to connect to the SSID. I read from somewhere that a profile should be created using profile editor when using EAP-FAST, otherwise connection would fail, I did find failures when using EAP-FAST however this does not happen if I use local auth (on wlc or AP).
so the question is how do I suppose to configure profile editor to work properly with AnyConnect? if I have multiple profiles configured under profile editor, then how does AnyConnect know which profile config file to take when i switch between SSIDs?
i am use wifi connection for this which program i have to run?
View 1 Replies View RelatedI need to change my password for the wireless connection to the internet
View 1 Replies View Relatedwe are charter High speed customers and just recently upgraded are connection speedHowever today my sisters netbook wireless connection stopped working. My DS wifi connection is also dead now In the past the the wireless network name was wifi-****** but now its called wireless and the wep key no longer works
View 5 Replies View Related