Cisco VPN :: ASA5520 - Differentiate Between Machines Connecting Via AnyConnect
May 19, 2013
My users are using AnyConnect to make remote access VPN connections to the corporate office through an ASA5520. At this time, VPN users have very limited privileges because we allow users to connect using their home computers and RSA tokens.
I need to find a way to determine whether an AnyConnect client is connecting from a company-owned/maintained/patched laptop or some other device. I would like to give full network access to the company laptops while continuing to restrict access to the home machines. So far, the only idea I have is to use DHCP and associate the MAC addresses of the company laptops with addresses in a privileged subnet range.
May 15, 2012
I have a Cisco ASA5520 with Software Version 8.2(5) in place. Most of my users are Mac users and I am currently looking into Cisco AnyConnect in comparison to using VPN client.
I have a couple of questions:
1) Does Cisco AnyConnect make use of IPsec or is it solely SSL VPN based?
2) From the license information I have below in my ASA I understand that I can have max 750 VPN peers; however, am I right in saying that this does not apply to Cisco AnyConnect peers, and that with Cisco AnyConnect I can only have 2 peers? Also, what are the disabled AnyConnect options for?
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
[Code]....
3) When trying to set up Cisco AnyConnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images; however, when I did this by uploading the .dmg file for Mac machines I got the error message "not a valid SVC image". Is this because I am running 8.2?
Aug 19, 2012
We currently have a remote access ASA set up using AnyConnect with a self-signed certificate, and several users in the certificate database, as we are using RADIUS and certificate for authentication.
I want to purchase and obtain a trusted CA-signed certificate (such as Verisign) and replace the current self-signed cert.
My question is: will I have to reset the current CA server of the ASA and replace the certificate user database, i.e. start from scratch?
Sep 14, 2011
We are in the process of upgrading our win2003 radius server with a new win2008 radius server. We have an ASA5520 and FWSM in 6509, using anyconnect client. This has worked fine until we introduced the win2008 radius server. When in the asdm on the asa, you can click on the new server and click test and authenticate ok with your AD credentials. But when you try to use anyconnect on your laptop, it takes the credentials password and the accept certificate, but then fails with "anyconnect was not able to connect to specified gateway.." message, then "the secure gateway has rejected the connection attempt due to network connectivity issue...host or network is 0" message. We thought we set up the new radius the same way, obviously not. Is there an easy way to use debug on the firewalls to see what is wrong? Looked in event logs on radius server, have not found anything.
Aug 10, 2011
I am trying to connect 2 Windows 7 machines wirelessly but without much luck. Both machines are connected to the wireless router and have internet connection. I have created a workgroup and put files into the public folder, but still cannot get to the files even though the computers can see one another.
Apr 1, 2012
I connect to my corporate network using Cisco AnyConnect Secure Mobility Client. Once connected I can no longer print to my LAN attached printer and other local resources. I use the Cisco/Linksys E4200 router on my LAN and can re-connect to the storage on the local LAN by setting up Port Forwarding of port 21 and MS Windows FTP folder sharing. However, I can't seem to connect to a Terminal Services client by forwarding port 3389. Is there a way to connect to the local LAN after logging into the VPN connection? I can connect to regular HTTP/HTTPS sites and most other types of connections, just not my own local resources.
Mar 6, 2013
Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users). I've installed both activated licenses as per the Cisco guides; I didn't get any errors on the install. I did a reload on both, they are both back up and running as active/standby, but when I do a sh ver the license still shows "ASA 5520 VPN Plus License". Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver?
Feb 1, 2012
I have a Cisco 3750 switch connected to the ASA5520, which is connected to the internet.
LAN ----> Catalyst -----> ASA5520 ------> INTERNET
10.1.4.0 ---10.0.0.1 ----10.0.0.2 ------- 203.98.227.3
On my switch I have VLANs configured. From the 10.1.4.0 network, I'm able to ping the switch gateway. I can ping the inside of the ASA. See my ASA config below. I have allowed HTTP and DNS traffic outside but cannot browse the internet from the 10.1.4.0 network.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.98.227.254 255.255.255.0
!
interface GigabitEthernet0/1
[code]....
Jan 15, 2013
I have configured remote access VPN to Cisco ASA 5520. Cisco VPN client is connecting fine and both phases are coming up, but IPsec phase packets are not encapsulating, and I am not able to reach the remote subnets 192.168.10.0 and 192.168.180.0. [code]
Apr 3, 2012
I am facing a problem connecting via vpn to my asa5510 using anyconnect. My anyconnect client shows "network access: unavailable - no networks detected" before I attempt to establish my vpn. Upon establishing vpn, I was prompted for username and password which went through but I was given the error "anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again". I face this problem after replacing my pc. I was able to connect without problems on my previous pc. The vpn connection uses cert which I have already imported to my new pc and authentication is fine since no authentication error. No changes made on my firewall.
Sep 21, 2012
I'm running an ISE 1.1.1 and I need to authenticate guest users. The goal is to apply a different Authorization profile to the same guest user based on the device he uses to connect to the guest WLAN.
I.e.:
if guest user "user1" connects to the guest WLAN using a Windows laptop, then apply "Guest" authorization profile
if guest user "user1" connects to the guest WLAN using an Apple iPad, then apply "Mobile" authorization profile
I've tried to deploy the following 2 authorization policies:
1) if "Apple-Device" and "IdentityGroup:Name EQUALS Guest" then "Mobile"
2) if "Guest" then "Guest"
but the first rule never matches, and even if I use an iPad to access the guest network the "Guest" authorization Profile is matched.
I've verified that the iPad is correctly recognized as an Apple-Device by changing, for test purposes, the rule table to:
1) if "Apple-Device" then "Mobile"
2) if "Guest" then "Guest"
Jul 19, 2012
We have a NM-T3/E3-RF card that fits inside a 3800, but does not fit into a 3945.
The documentation says it works with 3900 ISR Routers.
Is there a cradle or adapter that is required?
Does the "RF" section of the part number differentiate this from a NM-T3/E3 card?
Aug 25, 2012
I'm working with an ACS 5.3 and ASA 8.2.5 and I've configured several access services for webvpn and ipsec remote access profiles, but I haven't found which radius attribute can differentiate among them in the service selection rules.
Feb 8, 2011
I have setup an AnyConnect Connection Profile on my ASA 5520.
We have some remote support software which the helpdesk use to connect to PCs remotely and troubleshoot.
I cannot connect to this software using the assigned IP address of the client even though it works fine with our old Nortel VPN.
If I hit the IP address the packet gets all the way to the ASA and seems to disappear.
I have set up an IPv4 access list on the connection profile which allows any/any access but still no joy.
Aug 5, 2012
I'm on a Mac connecting to a Cisco ASA 5510 with AnyConnect VPN client.
The connection is established and it works for 15-30 seconds, then the connection drops. AnyConnect will reconnect, and then it works fine.
I noticed in the logs that it reconnects with a smaller packet size.
Apr 18, 2011
I have ASA 5520 running ver 8.3.(2)8 and configured for AnyConnect VPN. While testing for iPads and iPhones we noticed that on connecting it disconnects a few times before finally connecting. These are the messages logged in the ASA. I don't see authentication as an issue. Results are better with wifi compared to 3G. [Code]
May 16, 2012
I am trying to get anyconnect 3.0.07059 to run start before logon on windows 7 connecting to an ASA5540 running firmware 8.2.
The anyconnect starts fine, but will not connect. If I log in to the laptop then run the anyconnect, same setup, it connects fine.
Dec 29, 2012
I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting. This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below. "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail. Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
May 31, 2011
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
Feb 22, 2011
Running Windows XP. I'm a bit dizzy as I can't seem to work out what's going wrong or what I'm doing wrong lol!!! 8 PCs on the network, all can view files etc. apart from one PC. Let's just call this "Bob1". It keeps asking for user name and password, now there's no user name or password on the given PC, file and sharing is open and all the right ports given. What I can't understand is that the remaining 7 PCs on the network have the same setup and file permissions, on the same subnet and can ping each other to my knowledge. So just to prove myself wrong I made a password for the PC that was asking for one on the network and this still did not work. So to cut the story short, 7 PCs can search each other fine but "Bob1" keeps asking for user name and password.
Nov 6, 2011
I have a single physical machine A (Windows XP). On A, I have 3 virtual machines (A1, A2, A3). If I want to communicate with port 4444 on virtual machine A1, can communicate to the same port 4444 on machine A2. All the VMs below exist on the same physical machine.
May 10, 2011
I am using a linksys router that is generating IP addresses to about 20 machines. The boss wants to block FACEBOOK on all the machines except for two machines? Is this possible? I was thinking even if we block all the machines and get a work around password (only given to the owners of 2 out of the 20 computers).
Jul 24, 2011
I have configured some machines into a workgroup. All machines are opening except two machines having Windows 7. They are showing a window for username and password as appears in a domain. How to correct it?
Jun 25, 2011
On my home network, I have several shares on my PC. But I don't seem to be able to even view the shares from other machines. If I put the IP address into an explorer window (\192.168.0.4) on another machine I get the message: "\192.168.0.4 is not accessible. You may not have permission to use this network resouces. contact your network administrator etc etc". So I cannot even bring up a directory list. There are no problems for me connecting to network shares on other machines from this machine that is refusing connections. That has all happened since I reinstalled Windows. I reformatted the system partition and since then I cannot get the shares working again (they used to work fine). The shares are in a data partition that was not reformatted. This is really winding me up, as there never used to be a problem, and I can't think of anything else to look into, short of delving into the registry, and I wouldn't know where to look.
Feb 14, 2011
One of our servers has lost the ability to access WAN side computers. For example, it can't ping google.com. It can, however, interact with LAN computers. One thing of note -- it is set up with a static IP and one-to-one NAT on the firewall (sonicwall). When we disable the one-to-one NAT on the firewall the server is able to ping out. We do need to keep the one-to-one NAT up though -- as it provides access to the site the server hosts.
Apr 29, 2012
I am using a Nokia Siemens router. Recently there was a hack on the network. So I changed the security by enabling WPA2-PSK and AES, with MAC filter enabled. After that two of my roommates' machines are not getting connected to WiFi. I can't even see the SSID being detected on their machines.
How to connect the machines? I have tried removing security also, but those two machines can't even detect the network being broadcast by us. But they are detecting other networks (neighbors' wifi).
May 9, 2012
Other machines on my network can't seem to be able to see my machine, but I can ping them all. It can't be anything to do with the authentication because I have just reformatted my machine and re-added my machine to the AD.
Oct 15, 2012
How can I set up a functional VPN between two windows 7 machines?
[code]....
Aug 28, 2012
I am having a weird issue with my Cisco 7200 router. From the router I am able to ping and reach out to the internet, but from the client I am able to reach out to the internet but unable to ping. I am not sure where the issue is, but when I traceroute to it my packets are dropped at my router's interface. All my pings from the client time out. I checked the access list to make sure ICMP is not blocked. Following is my running conf:
ip audit notify log
ip audit po max-events 100
ip ssh break-string ~
ipv6 unicast-routing
no ftp-server write-enable
[code]....
Apr 12, 2012
I need to create a network bubble. That is, let's say I have 4 machines having IP addresses 10.1.1.1, 10.1.1.2, 10.1.1.3 and 10.1.1.4 (these are not actual IPs, using them just for explaining). These machines are connected to a public network. At a given point in time, I need to isolate these machines from the public network in a way where:
- All these 4 machines can talk to each other using the assigned IPs.
- These 4 machines cannot talk to any other nodes in the public network. No other machines outside these 4 will be able to ping these machines.
Feb 21, 2012
We've recently upgraded our switches from 10/100 over to FOUR Dell 2848 (GB Managed switches) and using one as a director (fiber uplink). We are all on GB networks now and we've been running into issues tracking down what's hogging up most of our bandwidth (local area network) throughout our company. We need to track down which machines are copying data to servers and vice versa.