Cisco VPN :: ASA 5520 / Remote Access VPN - Allow Based On Ports
Jan 25, 2013
I have Cisco ASA 5520 / ASA Ver: 8.0(4) / ASDM Ver: 6.1(3). I have configured Remote Access VPN and everything seems to be fine. Like i have created Extended ACL and allowed for singe host with particlar port to be allowed.
After login with the Anyconnect client, i am restricted to access the single host configured, but not based on ports. i.e. i do not want user to RDP the server allowed, but only access the application based on the port that is allowed. But somehow it is not working.
how can i allow user to access a server with defined port only and not any other service/port access for the server.
View 4 Replies
ADVERTISEMENT
Oct 20, 2012
Is it possible to restrict the Remote Access VPN to ASA based on the Source Public IP , if so how ? here I am not talking about the VPN-Filter under group-policy . I Want to restrict the access from specified source IP (Public IP)
View 1 Replies
View Related
Nov 22, 2011
How would I go about configuring RADIUS based AAA for remote access VPN users? I have an OSX RADIUS server and an ASA 5510
(I want to keep console and SSH using LOCAL, so I keep this: "aaa authentication ssh console LOCAL", right?)What does the rest of the config look like to get RADIUS based AAA for remote access VPN users?
View 4 Replies
View Related
Nov 10, 2011
We have a Main ASA 5520 and two remote site ASA 5505's that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have are local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external sharepoint, but we have access to it internally The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.What i'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would i have to make a separate vpn tunnel purely for that DMZ traffic?
View 6 Replies
View Related
Jan 22, 2013
I am trying to configure Remote Access VPN in our Cicco ASA 5520 firewall through SSL VPN wizard. I tried to configure Anyconnect VPN client option, but after entering user/pass it gives error "An error was received from the secure gateway in response to the VPN negotiation request. Please contact your network administrator. The following message was received from the remote VPN device: No assigned address"
As looking online there is no easy step-by-step option for same. I want to provide Remote Access VPN to some of our user abroad who should have access to few server applications and no internet access.
View 8 Replies
View Related
Mar 14, 2011
I am trying to build a remote vpn in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using anyconnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IP is ping ing even). Meanwhile, I could ping and rdp to this laptop(which is connectd by anyconnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.
View 8 Replies
View Related
Aug 6, 2012
I Have asa 5520 terminate the remote access VPN Connection,when successfully connect to my corporate Network and try to copy a file(30MB) from the share to my PC ,it takes around 2 Hours or it disconnect.what is the speed of the vpn client once y connected to the corporate over the Internet ?at my home i have 512 ADSL while at my corporate we have 155Mbps Internet speed.
View 1 Replies
View Related
Mar 19, 2013
We have 2 5520 ASA's working in an active/standby function at our central site. The remote agencies have control of their ASA's or other devices able to create VPN tunnels back to the central site. When a new remote agency wants to connect to our central site we assign them a network range that is routable on the central sites network.We ask that the remote agency NAT into the addresses we provided them.This way we are able to route back to them. We assign the interesting traffic and then they we start communicating by way of the tunnel.
Since the central site can't control the traffic coming in on the site to site tunnel other than just defining the interesting traffic AND we aren't able to control the NAT on the remote end how can I put an access list on the central site ASA to allow only certain ports and IP's by way of access list? Ultimately, I'm trying to limit traffic on the central site coming inbound to only allow traffic I want. I tried applying a group policy to the lan2lan site to site tunnel, but it failed for some reason. It actually prevented all traffic. Can I apply a group policy to a site-to-site tunnel?
I'm struggling here a bit as I don't have control of the remote end. They can NAT whatever they want to an address in the range we assigned them. The tunnels interesting traffic is set to full ip to the central site's destination. The interesting traffic on the central site is set the same. However, on the central side...I want to limit that traffic to only certain ports by way of an acl. If it is possible to assign a site-to-site tunnel a group policy and filtering is done in that method, can
View 3 Replies
View Related
Mar 7, 2011
Is there any documents that I can use to design an IPSEC remote access solution using 2 data centers . One data center is primary and other one is secondary. The VPN is terminated in ASA 5520. End users using cisco client.
View 6 Replies
View Related
Oct 17, 2011
I have a site to site VPN between SiteA to SiteB which is working fine. SiteA has an ASA5520 and SiteB Pix501. The ASA5520 is running version 804 with split tunneling. Users connect to SiteA using remote access VPN. Is it possible to setup SiteA ASA5520 so that when users connect to SiteA they can access servers located on SiteB through the tunnel? I know i can setup the Pix501 for remote access VPN but it is located in another country and i don't want to take a chance just incase i lose connectivity.
View 7 Replies
View Related
Oct 24, 2012
I have an ASA 5520 8.2(3) and allowing my remote client-to-site-vpn clients to access resources directly connected to my ASA on separate lower security interfaces (not the outside) besides just clients on my internal networks. Someone mentioned to me configuring 'VPN on a stick' however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that). Is this possible on other lower security interfaces as well, and if so what would a mock config that accomplishes that look like (acl's, nat, etc)? Also, if I want internal users to be able to connect to these remote clients once they are active, are there any nat statements necessary (such as nonatting them) or are the vpn clients just seen as internal clients from the rest of the internal network's standpoint by default?
View 5 Replies
View Related
Apr 29, 2013
We have dns server(only Internal IP) inside our network, right now we have configured Remote Access VPN using Public IP and we connect it using the same Public IP. I need to use FQDN instead using Public IP. What is the configuration for this.
-Device : ASA 5520
-Configuration Type : IPSec
View 1 Replies
View Related
Apr 14, 2012
I am using asa 5520 and asa 5540 for remote access vpn connections. Is it possible to do active monitoring of my vpn connections so that there would be alerts for vpn tunnels that fail to establish due to other reasons other than user authentication?
View 5 Replies
View Related
Mar 21, 2012
I have configured vpn filtering on all my l2l vpns. I have restricted access from remote to local resources only to specified ports. It works perfectly.But I want to have also full access from local to remote networks (but still preserve restricted access from remote to local). As I now VPN Filter works bi-directional with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic? ASA 5520 8.4(3)
View 4 Replies
View Related
Apr 16, 2012
i have cisco ASA5520 and i have a remote access vpn .I want to configure logging for this remote access vpn.
i want the time user connected .how log it is connected .If any error while connecting ?
View 4 Replies
View Related
Jul 16, 2012
We have two sites, Site-A with a ASA 5520 (Remote Access IPSEC VPN server) at one end and a new ASA 5515-X at Site-B. Users at Site-B are unable to establish a VPN connection to Site-A via Cisco VPN client from behind the new ASA 5515-X. They see the following error:
"Secure VPN Connection terminated locally by the client.
Reason 412: The remote peer is no longer responding.
They are able to access the same from home or elsewhere so I believe there is nothing wrong with Site-A ASA vpn config which we have been using for a while now. The new 5515-X (version 8.6) has a very basic config with all outbound traffic allowed. I'm pasting the config below. Do I need to enable/allow anything for it to work?
CISCOASA# sh run: Saved:ASA Version 8.4(3)!hostname CISCOASAenable password xxxxxxxxxxxx encryptedpasswd xxxxxxxxxxxxxx encryptednames!interface Ethernet0/0 nameif outside security-level 0 ip address x.x.x.x 255.255.255.248!interface Ethernet0/1 nameif backup security-level 0 ip address
[Code]....
View 15 Replies
View Related
Jun 16, 2011
I have a customer I've built a webvpn tunnel for.Users on this tunnel need to have http access to a server at 10.1.1.12 and nothing else.That's fine, but in order for name resolution to work properly they need to be able to send DNS requests to 10.1.1.9.I'm working with two different access lists, my non access list (nat 0) and my split tunnel access list. I can't specify ports in the nat 0 access list, but I did try writing my split tunnel access list as follows:
-access-list split permit ip host 10.1.1.12 172.16.4.0 255.255.255.0
-access-list split permit udp host 10.1.1.9 eq 53 172.16.4.0 255.255.255.0
When I do that users can access the 10.1.1.9 dns server, but they can hit it on anything (ping, 3389, etc.).I'm trying to figure out how I can limit them so they will only be able to pull dns but nothing else.They have the Any connect Essentials license, so unfortunately a clientless VPN is not an option. Is there some other access list I can interpose that will limit things the way I want?
View 2 Replies
View Related
Sep 19, 2011
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
View 1 Replies
View Related
May 28, 2012
Currently we are having a 2 ISP for Internet. Need to achieve redundancy for IPSEC VPN using the domain.
Requirement :Will configure a domain and assign two public IP address from 2 service providers. Will set the priority for the public ip address and do the manual change during the ISP failure.We will provide the domain name to the clients to setup the IPSEC VPN.So incase of failure by one ISP, we will change the priority in the domain to point to the availble address.So that we can reduce the downtime and no need of configuring new IPSEC VPN tunnels.
Question :Whether we can achieve this in Cisco ASA 5520.Or do we have an alternate solution to overceome this solution.
View 1 Replies
View Related
Jan 6, 2011
My customer requires the hostport on an access switch to be allocated to a specific Vlan based upon the AD Group that the user is a memeber of ? I am planning to setup NAC in a Real Gateway OOB deployment, using an ACS 5.2. I was initially thinking that the initial authentication server would be the ACS and then the AD, which using group mappings within the AD, I could then assign the user to a specific ACS group and then pass a Radius attribute back to the NAC manager for processing?
View 2 Replies
View Related
Oct 2, 2011
What kind of cable is used for failover in asa 5520 ?
View 11 Replies
View Related
Jul 25, 2011
A customer has an ASA5520 and 2 ISP routers with one WAN link each, and wants to split the load over both routers based on source IP ("natted" IP on ASA). I found this excellent doc on the topic: {URL}. Using PBR to achieve this is an option I was looking at, but I have come across a possible loop doing this with 2 routers. Setup:
-----------CE-1---------ISP-1
| |
| |
ASA55020---- HSRP |
| |
| |
-----------CE-2---------ISP-2
Both Routers receive default routes via BGP, and customer networks are propagated via BGP as well (i.e. the customer can specify the return path for the traffic). The ASA5520 forwards traffic to a HSRP virtual IP for redundancy purposes. If one router or ISP fails, all the traffic should use the other router/ISP. The customer wants to specify which traffic is sent over which link, by defining nat rules on the ASA. e.g. traffic sourced from the network 10.10.1.0/24 will always use ISP 1, and traffic sourced from the network 10.10.2.0/24 will always use ISP 2.
My problem: if I use route-maps on both routers (CE-1 and CE-2), sending part of the traffic to the other, and one ISP link fails, in my opinion I have a loop, since part of the traffic will get sent back to the router it came from. Is there any other was to achieve my goal without using PBR? I have looked at CEF and GLBP, but I cannot seem to find a way to load share via source IP.
View 8 Replies
View Related
Mar 26, 2012
We have an ASA that has 3 IPSEC VPN tunnels and standard interenet trafic coming in on Int E0/0 that I need to have go out Int E0/1. E0/1 is directly connected to a Steelhead Riverbed 2020. The Traffic will need to come back out of the Steelhead Riverbed 2020 and into the ASA to Int E0/2. From here it needs to go out either Int E0/3 which is connected to a Catalyst 3560 Switch or back out Int E0/0 though one of the VPN tunnels. I attached a PDF with a diagram if that works.
The reason we are doing this is we have Riverbed's at all our locations and they need to talk to each other to optimize traffic. Is this routing possible any other way than PBR (Policy Based Routing)? I am of the understanding that PBR is not supported on the ASA or PIX.
View 0 Replies
View Related
Apr 9, 2013
I work from home and log into my work using a token I get into my work server but it keeps freezing and boots me out. If this makes sense. I have to use my mums laptop windows 7.
View 2 Replies
View Related
Mar 5, 2012
I have a customer who wants his new ASA-5520 to load balance out-going traffic between 2 ISPs, fairly normal request. Now here's the twist. He wants to separate traffic based upon the protocol used, http to one ISP, https to the other.
View 3 Replies
View Related
May 14, 2013
Is there a way to associate spare firewall ports with another port that is being used..For example...int gi 0/2 is being used currently for my web dmz. Its ip is 192.168.10.1..Is there a way for me to associate gi 0/3 with the same layer 2 as gi 0/2 ?
In my webdmz I use 2 ACE 4710 proxys in FT mode. I used a layer 2 switch to connect firewall and proxys together.
I would like to eliminate this switch if possible..and connect both 4710's (layer 2) direct to firewall.If I could make gi0/2 - 4 part of the same vlan, then I would be good to go.
View 2 Replies
View Related
Feb 2, 2012
One of techs accidentally connected two access ports from different switches together. Since then, LMS is alerting them as being Link ports down. I tried to default the config and set them to access ports without any success. what I should do in LMS to recognize them as access ports?
View 2 Replies
View Related
Apr 13, 2011
is it possible to convert the any two ports of asa5520 as L2 ports . If so kindly let me know how that should be done. We are planning to connect our hsrp switches to these switch ports instead of using a separate switch thats why.
View 1 Replies
View Related
Jul 10, 2012
what are default ports are open on asa 5520 from outside interface (Zero level Security ) to inside interface (Security level 100)
View 3 Replies
View Related
Mar 27, 2013
We have set of PC's who will be connecting either RA IPsec or SSL VPN to another location. On our site, our perimeter device is an ASA 5520 8.2(3). The interfaces on this ASA doesn't have Access Lists applied, so from what I understand, there is a default policy applied globally (class-default). Now my question is: If we set up vpn clients on our pc, are the ports used by the clients to the VPN server allowed by default or do we need to tweak the class-default?
View 6 Replies
View Related
Jul 26, 2012
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
View 17 Replies
View Related
May 25, 2012
I have an ASA 5520 with multiple site-to-site VPN's. A remote customer has changed their Public IP address and now the VPN has gone down. How can I easily change the peer IP of the remote site to the new one without have to put the pre-shared key in again as we don't know what it is and they don't manage their firewall.
View 7 Replies
View Related
Jan 27, 2013
I have a dmz interface on a ASA 5520 that is used for wireless internet and i would like the users to be able to vpn in however they can not because they are coming back through the same outside interface. Do i have to nat the VPN ip pool or just use some form of hairpin routing or nat. I am using 8.2.
View 4 Replies
View Related
