Cisco VPN :: ASA 5520 - Persistent IP Address For Some Vpn Users

Sep 13, 2012

We are using the AnyConnect VPN client (v2.5.3055) to an ASA 5520 (v8.4) in a development environment. We use our corporate RADIUS server to authenticate users. We have certain users which need to have the same IP address every time they log in. As it is configured now, the IP addresses are assigned sequentially from the pool. Is there a way to allow certain users to get the same IP address each time they log on?


Cisco VPN :: 1941ISR Users Won't Have To Specify IP Address In URL Address Box

Mar 2, 2011

I recently configured and installed a 1941ISR for a customer. The customer purchased a 25-User SSLVPN license with the router, and I configured it for remote SSLVPN access. This is working nicely except for one issue: when users initiate an SSLVPN connection request by browsing to the assigned webvpn gateway IP, they get the "There is a problem with this website's security certificate" browser message. They are in the process of working with their DNS hosting provider to get a DNS entry assigned to the IP address so the users won't have to specify an IP address in the URL address box, but they will continue to get the certificate error until/unless I can figure out how to resolve the issue.

I've tried the following "How to make IE8 trust a self-signed certificate in 20 irritating steps" that I found via another forum link, but with no luck:
 
1. Browse to the site whose certificate you want to trust.
2. When told "There is a problem with this website's security certificate.", choose "Continue to this website (not recommended)."
3. Select Tools->Internet Options.
4. Select Security->Trusted sites->Sites.
5. Confirm the URL matches, and click "Add" then "Close".
6. Close the "Internet Options" dialog box with either "OK" or "Cancel".
7. Refresh the current page.
8. When told "There is a problem with this website's security certificate.", choose "Continue to this website (not recommended)."
9. Click on "Certificate Error" at the right of the address bar and select "View certificates".
10. Click on "Install Certificate...", then in the wizard, click "Next".
11. On the next page select "Place all certificates in the following store".
12. Click "Browse", select "Trusted Root Certification Authorities", and click "OK".
13. Back in the wizard, click "Next", then "Finish".
14. If you get a "Security Warning" message box, click "Yes".
15. Dismiss the message box with "OK".
16. Select Tools->Internet Options.
17. Select Security->Trusted sites->Sites.
18. Select the URL you just added, click "Remove", then "Close".
19. Now shut down all running instances of IE, and start up IE again.
20. The site's certificate should now be trusted.

I followed all 20 irritating steps to the letter, but am still getting the security certificate error. Now when I "Continue to this website (not recommended)" and click on "Certificate Error" at the right of the address bar, the certificate error window says "Mismatched Address". Is there a way that I can get this fixed without resorting to a 3rd party CA?


Cisco VPN :: Log Off Idle Users / ASA 5520

May 6, 2010

I'm using a Cisco ASA 5520 with IOS 8.2.2. We have many remote users using the Cisco VPN client, but I have been asked whether we can log out idle users, as we do hit our license limit and some users stay connected for days.


Cisco Firewall :: ASA 5520 - Users Can't Access Through By Name

Mar 13, 2011

I just configured an ASA 5520; here is the config (the IP address of the outside network is going to be changed to a private address for security reasons).

The problem that I have is that the users can access the web site through the public IP address, but they cannot access it by name. We reviewed all the config on the DNS server, and with the NSLOOKUP command we can see that it works fine. The client thinks that the ASA is blocking the connection.
 
[code]....


Cisco VPN :: 5520 - Restrict Certain AD Users From Access?

Dec 13, 2012

Is it possible to deny VPN access to specific AD accounts?

Currently set up with a 5520, LDAP authentication for VPN users.


Cisco Firewall :: ASA 5520 - CSC Blocking Using IP / Users

Jan 17, 2012

I am new to the ASA 5520 and the CSC module (version 6.3). I would like to know what configurations are possible for my network users if I use the CSC Trend Micro blocking by IP address or AD users. I know that I could select users/groups from the Windows AD or select the IP addresses that I want to use for blocking or permitting HTTP traffic (URL, etc).

My question is on the client side: how does the CSC know which AD user is the one requesting certain HTTP pages? Or if I use a proxy server, do I lose the IP/users options on the CSC? Or could I use authentication options on the proxy, for example?

I have been looking for information about this, but the manuals only explain the configuration options that I could configure on the CSC Trend Micro page; they don't say which network environment I could use or need.


Cisco AAA/Identity/Nac :: 5520 VPN Users Are Authenticated Against MS-AD Through LDAP

Sep 1, 2011

I have 2 ASA 5520s (v. 8.21) in an active/standby failover configuration.

VPN users are authenticated against the MS-AD through LDAP. For the most part this works well. Occasionally I'm having problems with new users in the AD. If I run a test I keep getting "User was not found". This can still happen days after the account was created. In some cases it never seems to work. The accounts I create exist on the same OU level as all the other accounts that are working.


Cisco VPN :: ASA 5510 - TP IOS IPSec Persistent Connection

Apr 10, 2011

I have created an IPSec VPN between our ASA (5510) and a Cisco router running IOS. The only problem I have is that the VPN goes down if there's no interesting traffic from the router, and I can't find anything to initiate the VPN tunnel from the ASA (so we need to wait 'till someone connects on the other side).

Is there any way to make this connection persistent, just like an ASA-to-ASA tunnel?


Cisco Firewall :: 5520 - URL Blocking To Be Applied To Specific Users

Feb 10, 2010

I have an ASA 5520 firewall. I want to block Yahoo Mail and Gmail using regex for particular users only.


Cisco VPN :: 5520 - Incorrect TCP Session Logs For Remote VPN Users On ASA

Oct 29, 2012

I have a problem on a Cisco ASA5520 version 8.2(5). A customer has set up a syslog to keep track of TCP sessions made by VPN users. On the syslog we filter %ASA-6-302013 and %ASA-6-302014 log messages, respectively: Built inbound TCP connection and Teardown TCP connection. When the connection is made by a VPN user, at the end of the log line you see the VPN username, which should be the same in both messages for the same connection. I have verified that when a user, let's say UserA, disconnects from the VPN, their TCP sessions are not properly closed; if another user, let's say UserB, establishes a VPN immediately after and gets the same IP address previously assigned to UserA, the log sessions are recorded with UserA in the %ASA-6-302013 message and UserB in the %ASA-6-302014 message. I presume this is due to the fact that the TCP sessions are not torn down when the first user disconnects, and it looks like a bug to me, but I didn't find it referenced anywhere. Is there a way to have all TCP sessions torn down when a user disconnects the VPN connection?


Cisco Firewall :: Traffic Shaping Per Users / Ip / Application Using ASA 5520

Apr 5, 2011

I have a Cisco ASA 5520 with an AIP-SSM module. I would like to have the below features with the ASA installed in Transparent mode.

1. Traffic shaping per user
2. Traffic shaping per IP subnet
3. Traffic shaping per application

Is it possible with the ASA installed in Transparent mode?


Cisco VPN :: 5520 - Setup Environment That Allows Users To Use Dameware To Connect

Feb 23, 2012

I have been tasked with attempting to set up an environment that allows users to VPN from home and use Dameware to connect, from home, to another machine in another user's home that is VPN'd into the same network. Is this possible?

We are using two 5520 ASAs and Cisco AnyConnect.


Cisco Firewall :: ASA 5510 / 5520 - Number Of Users That Can Be Created

Jul 5, 2012

How many user accounts can I create on a Cisco ASA box? Say, for example, a Cisco ASA 5510 or Cisco ASA 5520?


Cisco Firewall :: ASA 5520 VPN Users With WCCP Redirection To IronPort

Apr 11, 2012

I have a 5520 ASA using WCCP redirection to our IronPorts on the inside, and everything works great for inside users. What I'm trying to do is get VPN users off split tunneling and filter their traffic through the IronPorts as well, but I can't figure out how. When they connect they seem to bypass the IronPort completely.


Persistent Internet Loss Through Netgear DG834N

Feb 5, 2011

I have a recurring problem that only started happening in the last 3 weeks or so. I keep losing my internet. In Event Viewer it shows up as: "none of the default DNS Servers responded". I am using a Netgear DG834N Modem/Router ADSL, LAN to the first computer, and a Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller on my ASUS P6X58D-E motherboard. I have been using this setup since June 2010 with no problems. I am using Windows 7 Home Premium 64 bit. I have 2 other computers and a Sony PS3 connected wirelessly to this Netgear router, but one of the computers is hardly used now. I Googled this problem and it came up with a registry fix which seemed to solve some of the problem, but it seems to have come back just as bad today, so I changed the registry value back to what it was before.


Persistent Wireless Disconnection From New Computer Only At Home?

Oct 19, 2011

I've just got a BRAND NEW HP dv7-6197ca

Specs: Windows 7 64 bit
Processor: Intel i7-2360QM 2.0 Ghz with Turbo boost technology
RAM: 8GB DDR3
Graphics: Radeon HD 6770m 1GB
Storage: 2 x 500 GB 7200rpm
Network Interface: Integrated 10/100/1000 Gigabit Ethernet LAN
Wireless: Wireless LAN 802.11 b/g/n. Bluetooth wireless networking with WiDi

So the problem is persistent disconnection from my landlord's wireless hotspot. The usual exclamation mark at the wireless bar indicates that I'm connected to the network but I don't get internet access... I had the computer checked by STAPLES where I bought it and everything was in perfect shape, network card fully functional... I mean it is brand new. They even reformatted the computer and installed clean Windows 7 with no crap software in it... I brought the computer to school and the internet works FLAWLESSLY. Disgustingly fast. The problem is only when I'm at home, where my internet would work fine for say 5 mins and then the exclamation mark will pop up at the wireless bar and I would lose internet access for half an hour or more. I would get the access back and then it would disconnect again.

I called my ISP and they suggested changing my wireless channel to a unique number, say channel 11 from 1-11. Turns out the wireless channel already is on 11... I then got it changed to 1 by my landlord. Still the same situation. We then tried to change the wireless security encryption (e.g. WPA-personal to WPA2). My computer can't connect in that case... On a side note I do have an older laptop (~7 years old), the one I had before purchasing this new computer. This old laptop can connect to the wireless and work PERFECTLY.

So the problem happens only with this new computer, and only at home. I'm completely clueless as to what the problem might be. It looks like some kind of interference but I've tried changing wireless channel (from 11 to 1) which didn't get rid of the persistent disconnection. Could it be interference with another computer that's using the same wireless hotspot in the house?


Cisco Firewall :: ASA 5520 To Block Https Traffic But Users Are Able To Open Website

Jul 1, 2011

We have an ASA 5520 with CSC-SSM 20 and we want to block HTTPS traffic, but when we block HTTPS traffic, HTTP traffic gets blocked too and users are still able to open the website.


Cisco Switching/Routing :: Stack Mac Persistent Timer Lacp Port Channels C3750

Sep 27, 2012

I am having an issue on a Cisco 3750 stack where, when the stack master is rebooted, all my LACP port-channels drop and then come back up again. After doing some investigation it seems that it is happening because LACP uses the stack master MAC address as part of the system-id, so when the stack master reboots, the stack MAC changes. I see that there is the command: stack-mac persistent timer 0

There is this warning about using this command:

When you configure this feature, a warning message displays the consequences of your configuration. You should use this feature cautiously. Using the old master MAC address elsewhere in the domain could result in lost traffic.

My questions are:

1. Are there any other consequences to using this command (apart from moving the switch/MAC to another location in the network)?
2. It mentions 'If the entire switch stack reloads, it acquires the MAC address of the master as the stack MAC address'. Is this still the case if you have the stack-mac persistent timer set to 0?
3. Does using channel-group mode on for the port-channels still use the same mechanism of having a system-id? (Will the channels flap using 'mode on' when rebooting the stack master?)


Cisco VPN :: 5510 Remote Vpn Users Having Address From Pool 2

Apr 5, 2011

Can I have 2 pools, each with a different subnet? [code] I want to put a restriction on remote VPN users having an address from pool-2, and just give them access to 172.16.10.0/24. Is it possible on the ASA 5510?


Cisco WAN :: 5500 - Way To See Expired Guest Users / Assigned IP Address?

Mar 21, 2013

We recently implemented a WLC 5500 Series. I found out that once a guest user's period has expired, the user no longer appears on the lobby admin page where you can see the list of users.

Is there any way to see expired guest users and also the IP address which was assigned to the guest user?


Cisco Wireless :: 1140 - One SSID In AP Don't Give IP Address To Users

May 8, 2013

I have an AP Aironet 1140 that has two (2) SSIDs: (ZDE) and (GUEST). Guest is working fine but ZDE is not giving IP addresses to users attached to this AP. I attached the sh tech of the AP. From the Cisco configuration guide of the Aironet 1140 I understand that by default, access points are configured to receive IP settings from a DHCP server on your network. But I don't know if I have to configure the DHCP server IP address in the AP, similar to the ip helper address in switches.

Configuring the Access Point to Provide DHCP Service. These sections describe how to configure the wireless device to act as a DHCP server:

• Setting up the DHCP Server, page 5-22
• Monitoring and Maintaining the DHCP Server Access Point, page 5-24
• Setting up the DHCP Server

By default, access points are configured to receive IP settings from a DHCP server on your network. You can also configure an access point to act as a DHCP server to assign IP settings to devices on both your wired and wireless LANs.

The 1100 series access point becomes a mini-DHCP server by default when it is configured with factory default settings and it cannot receive IP settings from a DHCP server. As a mini-DHCP server, the 1100 series access point provides up to 20 IP addresses between 10.0.0.11 and 10.0.0.30 to a PC connected to its Ethernet port and to wireless client devices configured to use no SSID, and with all security settings disabled. The mini-DHCP server feature is disabled automatically when you assign a static IP address to the 1100 series access point. Because it has a console port to simplify initial setup, the 1200 series access point does not become a DHCP server automatically.


Cisco Wireless :: 5508 - Flex Connect And Users Can Not Get IP Address By WAN

Sep 29, 2012

I have a wireless 5508 with a base license for 50 APs; I use a FlexConnect deployment. I have already registered all my access points. I use web authentication to authenticate guest users, and the DHCP service is at the central site.

My issue is that the users in each remote site cannot get an IP address by DHCP from the central site. They can authenticate on the guest SSID, but none of the users can get an IP. The request is passing over the WAN in this way:

Central Site DHCP - Router WAN - Remote Site - Users with notebooks. I use FlexConnect central deployment (all the traffic goes to the WLC).

Perhaps I should use local deployment? The wireless is at the central site.


Cisco Switching/Routing :: Nexus 7010 New Users Were Not Getting Ip Address From Dhcp Server

Jun 8, 2013

We have 2 Nexus 7010 switches configured with HSRP in the network. For all the VLANs core1 is master and core2 is standby. In the current setup we have an external DHCP server, and DHCP relay is configured for all the VLANs on the master and standby switch. The setup is running IOS 5.2.

Activity done: During the maintenance activity, we isolated the core1 switch in the network by disabling the vPC/keepalive and all the uplinks from the access switch. The core2 switch was master for all the VLANs.

Issue observed: It was observed that new users were not getting an IP address from the DHCP server. The Ethereal capture showed that the DHCP server was not getting the DHCP requests from the core2 switch. We disabled the DHCP feature in core2 and enabled it again, with DHCP relay again configured on the VLAN interfaces. Even after doing this no change was observed in behaviour. Finally we got core1 back in the network by enabling all the links.

Observation: The moment the vPC link came up between the core switches, users started getting IPs from DHCP. Then we started enabling all the uplinks on core1. Core1 again became master for all the VLANs and users continued getting IPs. Network running fine.

Further testing:

1. For one of the VLANs, the core2 switch was made primary, and for new users we checked the DHCP functionality and it was working fine. The aim was to identify if anything was wrong on core2 related to DHCP relay.

2. Again we changed the priority for this VLAN and made core1 master for the same. This time we disabled this VLAN on core1 and tried a new user with core2 as master, and DHCP functionality worked fine for the new user. Actually, in this case we simulated the same behaviour as when we observed the issue, with the only difference that vPC was not available during the issue time, as core1 was isolated from the network.

Inputs needed:

Is there any known behaviour for DHCP functionality when vPC is unavailable? If we look at test scenario 2 (wherein core1 was master for the VLAN, we disabled this VLAN on core1, and core2 was able to relay DHCP requests for new users in this VLAN), it was actually the same as the scenario we observed during the issue time.


Cisco VPN :: ASA 5520 / Routing Site-to-Site VPN To Remote Users?

Oct 29, 2011

We have a site-to-site and a remote VPN configured on the same interface in an ASA 5520 (software version 8.3). When remote VPN users try to connect to computers located on the distant end of the site-to-site VPN, their requests fail. I tried a NAT exemption between the remote VPN private IPs and the remote site private IPs, and also stated the same in split tunneling. I can't even get a tracert; ping also times out.


Cisco VPN :: Get IP Address From ASA 5520

Apr 24, 2011

I have an iPad. It connects to my ASA5520 via IPsec. When it connects it gets an IP address from the ASA, but it does not get any of the other stuff, specifically the DNS suffix. How do I correct this?


Cisco Firewall :: MAC Address Filtering In ASA 5520?

Jul 25, 2008

Can we filter MAC addresses in the LAN using an ASA 5520? What's the method?


Cisco Firewall :: ASA 5520 No Address Available For SVC Connection

Oct 7, 2012

We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510; I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4. I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface, Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android, it used to come up with "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile, I cannot get that far; I just get a "login failed", even after I create a user with level 15 privilege and assign it to my VPN group policy. I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.


Cisco VPN :: 5520 - Unable To Ping To NAT Address Over VPN

Dec 14, 2011

I have a site-to-site VPN established; the VPN works fine (while it is up). I have a Cisco ASA 5520, and the other end of the VPN is a Juniper device that for technical reasons needs to send a continuous ping, and when it does not receive a response back it brings down the VPN tunnel and re-establishes it again. While the VPN is up traffic flows perfectly, but because I'm unable to respond to the ping, the VPN is brought down and re-established by the Juniper device. The Juniper device pings the encryption domain, which is an IP that is NATted to the real IP in the inside network. This is my configuration of the VPN:

AAA.AAA.AAA.AAA is the ASA public IP on the outside
BBB.BBB.BBB.BBB is the Juniper device IP (part of the object group IP_LIST)
CCC.CCC.CCC.CCC is the NAT IP on the ASA
10.21.0.164 is the real address on the inside (code)


Cisco VPN :: 5520 - How To Translate One Inside Address To Another

Oct 23, 2011

I guess I'll start with the easy stuff: Cisco ASA 5520 ver 8.2, ASDM ver 6.2, IPsec L2L tunnel with overlapping private IPs.

I have about a dozen L2L connections on our 5520 but never had to do one with overlapping IPs. I have two that I have to build: one definitely overlaps our inside locals, and the other is requesting that we NAT our inside locals to a 10.x.x.x.

I've searched the board and found several good posts, including document 112049, but I just don't seem to be able to get my head around how to translate one inside address to another. It would seem like it would be as easy as doing an (inside,inside) static NAT, but most everything has the solution as a policy NAT, or doing an (inside,outside) but in the less secure address space placing the name of an ACL. I have ordered that brick of a book on ASAs from Cisco Press, but need to get something going and I'm not having much luck getting this thing up and running.

Perhaps my basic understanding of NAT rules is wrong. I thought that when using NAT the command speaks to the interfaces and the direction of travel, (inside,outside). I also thought that the IP addresses used must be valid on the interface referenced, so any reference to "inside" would have to be an address on the "inside" interface of the FW, and likewise for the "outside" interface. Finally, to be sure I'm not calling a duck a goose, my understanding is that the following are correct: "inside local" = my private, "inside global" = my peer, "outside local" = their private, "outside global" = their peer.

So if I'm translating say a 192.x.x.x on my inside local and wanted to present them a 10.x.x.x, wouldn't I need an (inside,outside)? And even though I'm translating my private IP into a different private IP, the translated IP must be on the "outside" interface because that is the interface that I want to present the new private IP on?

So for the scenario I suggested at the top, where I need to translate my private 192.x.x.x into a 10.x.x.x and present that 10.x.x.x to the other side, I need something like NAT Static (inside,outside) 10.x.x.x 192.x.x.x?


Cisco VPN :: 5520 NAT Internal Address Before Passing To VPN

Jul 25, 2012

I've been tasked with retiring a VPN Concentrator 3000 and replacing it with an ASA 5520. I'm trying to get a handle on how to set up the NATs and ACLs, since most of my experience is remote access VPNs, not site-to-site. Plus I've not configured a VPN 3000 in about 6 years, so I'm having to re-learn a lot of the interface.

The VPN 3000 has a feature called LAN-to-LAN NAT rules that basically allows you to NAT an address on your internal network to an address on the "local" network for the LAN-to-LAN connection, so it can then go through the tunnel to the remote side. The config looks something like this in the VPN 3000: [code]

Which looks to me like a "Static Policy NAT" in ASDM. So I set one of those up, which should be translating 172.16.3.151 on the inside interface to 192.168.200.151 on the inside interface (yes, the same interface), which should then (logically) be picked up as "interesting traffic" by the crypto map and sent across the VPN tunnel. However, that doesn't seem to be the case: both the "packet trace" in the ASDM and traceroute from the source workstation show the packets getting to the inside interface, and then passed right out the outside interface to the internet router (which then drops the packets as they're a private IP).

What else do I need to do to make the crypto map pick up the NATted traffic?


Cisco Firewall :: 5520 Static NAT And Same IP Address For Two Interfaces

May 28, 2012

We have a Cisco ASA 5520 and, in order to conserve public IP addresses and (possibly) configuration, can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address:

static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
static (production,Outside) 10.10.10.10 access-list production_nat_static_1


Cisco VPN :: ASA 5520 - Connecting To AnyConnect Clients By IP Address

Feb 8, 2011

I have set up an AnyConnect Connection Profile on my ASA 5520.

We have some remote support software which the helpdesk uses to connect to PCs remotely and troubleshoot.

I cannot connect to this software using the assigned IP address of the client, even though it works fine with our old Nortel VPN.

If I hit the IP address, the packet gets all the way to the ASA and seems to disappear.

I have set up an IPv4 access list on the connection profile which allows any/any access, but still no joy.


Cisco Infrastructure :: Configure MAC Address On ASA 5520 Interface?

Aug 31, 2006

I want to configure a MAC address on my ASA 5520 interface. Is there a private MAC address range?
