Cisco VPN :: ASA5520 / Cannot Access (RDP) VPN User
Nov 22, 2012
I need to access remote users system for troubleshouting and I cannot ping or access anything on their laptop when they are connected to VPN. For example, a user would get an IP of 172.16.4.132 when logged into vpn but I cannot ping him from the CLI, or can I access his laptop via RDP. S 172.16.4.132 255.255.255.255 [1/0] via 207.x.x.x, dmz What could be the issue and how can I fix this? Im on 10.8.24.0/24 network S 10.8.0.0 255.248.0.0 [1/0] via 172.16.0.7, Internal which has a route to 172.16.0.0/16 C 172.16.0.0 255.255.0.0 is directly connected, Internal The ASA is 172.16.0.3 which i can ping from my desktop on 10.8.24.0. Device info: This platform has an ASA 5520 VPN Plus license. Cisco Adaptive Security Appliance Software Version 7.2(5) Device Manager Version 5.2(5) Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz Internal ATA Compact Flash, 256MB BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Our customer has an ASA5520 Security appliance, I have already config the remote vpn in asa , user can logon via internet by vpn client and can access internal network,customer hope us can make some configuration if the remote user logon asa by vpn and notify them someone login their vpn by email .
I am having an issue with the user VPNs. For users connected via the AnyConnect VPN client, all of their Internet traffic goes out their local Internet connection, since I am using split tunneling. However, I need a specific public IP address to go through the VPN tunnel and out the DIA at the main office, rather than the user's local internet connection. I managed to have this IP address go through the tunnel to the ASA at the main office, but it appears that it gets blocked somewhere there, or maybe the return traffic gets blocked. I am using an ASA 5520 at the main office, with software version 8.3.
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
I have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.
I am creating access rule on a ASA5520 running ASA 8.2 (1) and ASDM 6.2(1) and found that the GUI has less option then when creating access rule on a ASA5505 running ASA 7.2 (3) and ASDM 5.2(3) (see attachment). Is there an option that enables me to get the same configuration options on the ASA5520 running ASA 8.2 (1) and ASDM 6.2(1) as I have on the ASA5505 running ASA 7.2 (3) and ASDM 5.2(3).
best way to migrate to a new pool for remote access DHCP address assignment. We are currently using a /24 pool, allowing us 253 IP Addresses... during the recent hurricane we hit 250 IP Addresses used, and had to start asking users to connect to our backup ASA VPN device in another country, not an ideal solution. I'd like to expand our current VPN subnet to a /23, however I do not have a free /24 subnet above (or below) our current /24 subnet.
I can certainly allocate a new /23 subnet, but I am looking for the best migration plan with minimal downtime (no downtime would be preferred). Can I just add the new pool range to the tunnel-group RAVPN general-attributes section alongside the current pool, or should I just remove the old pool, log off all existing remote access VPN users and have them log on again to start using the new pool?We are running ASA Version 8.2(1).
in our VPN configuration (ASA5520, Anyconnect VPN Client), we have different VPN User Groups. These Group Policies are retrieved from an LDAP Server.We'd like to restrict the acess like this:
A Group "Home User" might establish a VPN from anywhere on the Internet
A Group "restricted 3rd party" should only be allowed to establish a VPN from their specific public Source IP Address on the Internet (the public IP Address of this 3rd party Company). When these Users try to connect from any other IP Address on the Internet(Home, hotel, etc), VPN Access should not work!
On our old solution, we were able to limit the remote access network, per user group, to some source IP's.
The IP Filters related to group policies in here seem only to be filters concerning the VPN Address (after the VPN is established: where can this user group connect to). But I did not find filters/access lists, where yoiu can define/restrict public access networks for some groups.Or is it possible to do that by Dynamic Access Policies? How?
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
I recently had a vendor configure our 2 firewalls (ASA5520). We are replacing a active-failover PIX525 firewall in 2 locations. After the vendor configured the new ASA5520's, I was unable to access the ASDM. The configurations are a basically modified versions of the config on the PIX525. I did find that they did not set the ASDM image path. [code]
I have tried from my browser as well as downloading and installing th ASDM on my computer.
I have an ASA 5520 new. I am trying to migrate from a PIX 515E. I can connect via the CLI and ASDM on the management port (IP 192.168.1.1 the default) What I am having an issue with though is when I change the management port to 10.0.1.1 via the CLI or ASDM I can no longer use ASDM. I issue the show IP command in the CLI and I see that the IP has indeed changed but I still can not get into it. I must be missing something really simple, but this is driving me insane. I want to change the IP because I need the a different interface to be 192.168.1.1.
We have a small office and already have a firewall in place that uses content filtering. I am looking for a low cost wireless access point that I can place behind my firewall that will allow me to control access by a username and password list, not just the passkey.
Does this exist without having to go to an Aruba or Ruckus type enterprise WIFI product?
I have ACS 5.1.I have created the Identity Group 'Admin' and added 2 users in that, say User1 and User2.How do I permit only User1 to get authenticated when he logins in to the device?There is option to select 'UserName' while creating Service Access Policy , but I have observed that though I have mentioned only User1 in the rule, User2 is also getting permitted
I want to limit a local user's access to some specific groups of devices. In Role Management Setup I can define which service they can access, but I want to restrict it to a specific device as well.
We're planning to ope a coffee house for teens at my church. We want the internet to be accessible to them but want to restrict what sites they can access so homework, games, etc. can be accessed but not the stuff rated for violent, rrisky behaviors.
How can I NAT the same set of four hosts and give them access to two different networks across an IPSEC site-to-site VPN tunnel? I'm using an ASA5520 running 8.04.
We currently have one Cisco ASA 5510 firewall at our mailn office. Our firewall does not let users access the internet. We currently have a web proxy that lets users access this. I need to let users access one website through the firewall without going through the firewall. I believe this is possible if I use dynamic NAT.
I am trying to create a user restriction to allow one user to access only two networks (10.192.3.0 and 10.192.5.0) I have range of networks but I want to permit only two networks for limited user and full access for the admins. I know this was possible with ACS 3.3 but I am not too sure if this is also applicable with ACS 5.2.
I have created 7 QuickVPN users on router and on QuickVPN client. They all work except two. Have deleted and reinstalled on router and in QuickVPN to no avail. Changing the user name by one letter works (eg user NameVPN doesn't work, but NameVP does). Somehow router (I think) is not releasing user credentials/policies (which seems to agree with log). I have rebooted router.
ip local pool VPNPOOL 192.168.200.1-192.168.200.100.
i can access servers with remote vpn which they located at dmz zone at asa(write nonat access-lsit) but i can not 192.168.193.0 subnet at asa.i configurated proxy server. my proxy server inside interface get ip address my dmz zone(172.16.10.254) and outside is ip adddress asa outside interface (10.0.0.254).the users (192.168.193.0/24) go internet from proxy server.
We've just replaced our Fortinet Firewalls with 5525's but are struggling to get a feature working that worked great on the Fortinet firewall.All our users use a proxy for internet access that's configured in IE but from time to time some users need to remove this proxy and go directly out to the internet, with the Fortinet devices we created a rule right at the bottom of the inside access out rule that had it authenticate users via TACACS which worked a treat and could be used from PC or laptop. We want to do a similar thing on the 5525 and I thought the Authenticated user would give me this access but I don't seem to be able to get it to work. I've got the AD side of it working fine the ASA can pull user and groups from AD but I'm struggling to get this working for a user.
Is there anyway to monitor client who is downloading , using the most bandwidth in Cisco wireless environment ? i have 1240 ap and 4400 controller environment.
I have 2 desktops and a laptop accessing a wireless Motorola modem using roadrunner broadband. My desktop/Vista and laptop/Windows 7 are working fine. My older desktop with XP has a wireless card and shows that the wireless is connected with great signal strength but won't access Internet Explorer. I keep getting an error message. I have tried re-setting up the wireless and shutting down the machine ,etc. I have seen a few older posts that suggest downloading some software, etc
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
We are having Cisco router 1002 ASR and 2841 switch. Some times perticular VLAN user will not be able to access the network but from the same switch others VLAN users can able to access. We were getting ARP entries in router but we cannot ping the IP's. Even we clear the ARP entries. Once we restart the switch users can access the network. We have changed vlan ports, uplink too. but problem not solved. and we observed CPU utilization will be going 70-80% some times and at same time switch hangs.
I tried the solution posted at [URL] however it did not work on my ASA5505 8.4(2). I thought that it may be because I only have a single public address so the web server is responding to port forwarding through the one public IP already. looking in ASDM it appears to indicate that a configured access list is blocking the server from responding to the internal hosts.
Can I fix an access list (or something) to make this work or am I wishing for too much with only one public IP? This worked by default on my Netgear firewall.
need an access point configured in the user minimum because I was looking and some had up to 49 LAP connections at the same time. I have a WLC 4402 VERSION 7.0.98
At first I use ACS 4.2 to create static ip address user for remote access VPN,It's easy,just configuration it at user set>Client IP Address Assignment>Assign static IP address,but when I use ACS 5.2 I can't find it.I try to add IPv4 address attribute to user by read "ACS 5.2 user guide" ,it says this: [code] I do this,but it's not work.When I use EasyVPN client to connect ASA 5520,user could through authentication but will not get that static IP address which I configuration on Internal Users.so,what should I do,if anyboby knows how to use ACS 5.2 to create a static ip address user for remote access VPN.
After upgrade to ACS 5.2 appliance , we are trying to configure AAA between Ciscoworks and ACS. Authentication is working but authorization fails , logged user cannot access to admin parameters. I've configured attributes manually but it doesn't work.Does ACS 5.2 support integration with CiscoWorks?
In my Wireless network, I have two appliances WLC 5508 running version 7.0.116.0.I have a WCS running version 7.0.172.0, deployed on a windows 2003 server.I've imported the two WLCs in my WCS in order to centralize the monitoring and the configuration tasks.Now I'm facing an issue when I want to create a guest user from the WCS, rather than creating this user access on each WLC. The creation of the user account is working good, the replication is done on the both WLCs, but on one of my WLC the guest user account is deleted after one hour(around).On the second WLC, the same user account remains during all its life time.In attachment a screen shot of the advanced parameter of the guest user.You can see that the user was created on the both WLC but is only active on one ... and unfortunately the wrong because the AP is associated with the other WLC.