Cisco VPN :: ASA5520 / Remote Vpn User Access Notification By Email?
Apr 5, 2011
Our customer has an ASA5520 Security appliance, I have already config the remote vpn in asa , user can logon via internet by vpn client and can access internal network,customer hope us can make some configuration if the remote user logon asa by vpn and notify them someone login their vpn by email .
Is it possible to have email notification when a rule is hit on the ACS(5.1)?
Ive had a look around and cannot see any options, the server team seem to think its not possible to have this triggered from AD either on a side note, where are the SMTP settings on the ACS?
I need to access remote users system for troubleshouting and I cannot ping or access anything on their laptop when they are connected to VPN. For example, a user would get an IP of 172.16.4.132 when logged into vpn but I cannot ping him from the CLI, or can I access his laptop via RDP. S 172.16.4.132 255.255.255.255 [1/0] via 207.x.x.x, dmz What could be the issue and how can I fix this? Im on 10.8.24.0/24 network S 10.8.0.0 255.248.0.0 [1/0] via 172.16.0.7, Internal which has a route to 172.16.0.0/16 C 172.16.0.0 255.255.0.0 is directly connected, Internal The ASA is 172.16.0.3 which i can ping from my desktop on 10.8.24.0. Device info: This platform has an ASA 5520 VPN Plus license. Cisco Adaptive Security Appliance Software Version 7.2(5) Device Manager Version 5.2(5) Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz Internal ATA Compact Flash, 256MB BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Has any one got a working setup for SSL VPN users in regards to notification about password is going to expire and then providing the VPN user the opportunity to change password during the VPN login process, involving ASA5520 - ACS Radius server - Active Directory Our VPN users are connecting with Cisco Any Connect VPN Client V.2.5.3046 to a ASA5520 running 8.4(1), all user validation is handled via Radius though a Cisco ACS 5.2 server, which in turn validates the users up against MS Active Directory.
For the relevant connection profile on the ASA, the options Advanced / General/ Password Management / Enable password management has been selected together with the Notify user 14 days prior to password expiration, as mentioned its connecting to a Cisco ACS Radius server with MSCHAPv2 enabled on both the ASA and ACS.
On the ACS server under users and Identity Stores > External Identity Stores > Active Directory we have a successful bind to the AD, the values End User Authentication Settings > Enable password change has been selected.
Just to make sure the password notification function is working in the first place I change the ASA5520 AAA Server group to use LDAP instead of Radius and configured a direct path towards one of our domain controllers, sure enough when the user logged in he got a notification about the password would expire in xx days and then provided with a option to change the password right away or just connect with the current password.
The thing is I don’t want to just use LDAP for VPN authentication, I have quite a expensive setup on the ACS servers with unique ACL's for various group of employees and especially for external consultants, I also use the ACS for customization for webpage and resources when Web VPN is used.
Can it really be so that password expiration notification only works using LDAP, and if this is really the case, is there any way to configure Dual Authentication, so I could first validate the user against LDAP and next against the ACS??
(Side note: I tried to configure the ASA to use LDAP as normal Authentication and then the ACS as Authorization, but it failed, first off because the ASA started to use PAP/ASCII against the ACS and even if I allowed that, it seemed like the ASA wasn’t parsing the users password onwards, with the result that ACS failed and the user account ended up getting locked out in the AD).
Is there a way to configure an email notification for a specific authentication failure? Specifically, I'd like to see if I can have an email notifcation sent to me when failure reason is "13017 Received TACACS+ packet from unknown Network Device or AAA Client".
I have 5508 controller in my lab. I am working on a project to set up a public internet but with some condition.
- User should able to connect to the SSID without any authentication.
- Once user will connec to the SSID it should redirect to an external URL which indicates terms and condition and email address field.
- User should enter his/her email address in email addrss filed and click I accept button.
- Once that is done then he/she is allowed to access internet.
We are not sure how can we achive this as I do not know what should be the return value for WLC to allow that user to go through or what should be the settings on the WLC to redirect to the page.
I have seen a settings on web authentication for external URL but I guess it is only for username passwor or Radius authentication. While in this case I do not want to use any authentication just an accept buttor or Decline button and all good to go.
Motion detection is setup - and I can see in the log and on the Live Video "Motion Trigger Indicator" that this part is working. I can also send test-emails, so the smtp is set up correct. In the Event Setup I have a valid server and a motion triggered event with the status ON. But no emails are sent . In the log there is also no indication of the server trying. Am I missing something - or is this not working for anybody?
And - there is no firmware beyond 1.0 for this model as far as I can see.
P.S. I am using a Gmail account for smtp, port 587 and using startTLS to send with,
best way to migrate to a new pool for remote access DHCP address assignment. We are currently using a /24 pool, allowing us 253 IP Addresses... during the recent hurricane we hit 250 IP Addresses used, and had to start asking users to connect to our backup ASA VPN device in another country, not an ideal solution. I'd like to expand our current VPN subnet to a /23, however I do not have a free /24 subnet above (or below) our current /24 subnet.
I can certainly allocate a new /23 subnet, but I am looking for the best migration plan with minimal downtime (no downtime would be preferred). Can I just add the new pool range to the tunnel-group RAVPN general-attributes section alongside the current pool, or should I just remove the old pool, log off all existing remote access VPN users and have them log on again to start using the new pool?We are running ASA Version 8.2(1).
in our VPN configuration (ASA5520, Anyconnect VPN Client), we have different VPN User Groups. These Group Policies are retrieved from an LDAP Server.We'd like to restrict the acess like this:
A Group "Home User" might establish a VPN from anywhere on the Internet
A Group "restricted 3rd party" should only be allowed to establish a VPN from their specific public Source IP Address on the Internet (the public IP Address of this 3rd party Company). When these Users try to connect from any other IP Address on the Internet(Home, hotel, etc), VPN Access should not work!
On our old solution, we were able to limit the remote access network, per user group, to some source IP's.
The IP Filters related to group policies in here seem only to be filters concerning the VPN Address (after the VPN is established: where can this user group connect to). But I did not find filters/access lists, where yoiu can define/restrict public access networks for some groups.Or is it possible to do that by Dynamic Access Policies? How?
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
ip local pool VPNPOOL 192.168.200.1-192.168.200.100.
i can access servers with remote vpn which they located at dmz zone at asa(write nonat access-lsit) but i can not 192.168.193.0 subnet at asa.i configurated proxy server. my proxy server inside interface get ip address my dmz zone(172.16.10.254) and outside is ip adddress asa outside interface (10.0.0.254).the users (192.168.193.0/24) go internet from proxy server.
At first I use ACS 4.2 to create static ip address user for remote access VPN,It's easy,just configuration it at user set>Client IP Address Assignment>Assign static IP address,but when I use ACS 5.2 I can't find it.I try to add IPv4 address attribute to user by read "ACS 5.2 user guide" ,it says this: [code] I do this,but it's not work.When I use EasyVPN client to connect ASA 5520,user could through authentication but will not get that static IP address which I configuration on Internal Users.so,what should I do,if anyboby knows how to use ACS 5.2 to create a static ip address user for remote access VPN.
I have a 3845 router (12.4(13r)T10) with ZBF. On my LAN there is a user who need to access a remote IPSEC VPN server. He is able to get the tunnel but afterwards he cannot connect to any service in the remote LAN. As I'm using zbf I think that I should inspect traffic from my LAN zone to EXT zone, There is a document that describe a solution to this? What IP adressess should I use?
I have a 3845 router (12.4(13r)T10) with ZBF. On my LAN there is a user who need to access a remote IPSEC VPN server. He is able to get the tunnel but afterwards he cannot connect to any service in the remote LAN. As I'm using zbf I think that I should inspect traffic from my LAN zone to EXT zone
I would like to create a additional user vpn on a 55010 where the user authenticates with the firewall and not the radius server.This user should NOT be able to log on to the firewall, but only be able to authenticates with the vpn client.I'm correct that the command "username abc123 password abc234 privilege 0" ?Also for this remote vpn how to I make sure the user only authencates with this password?
At first I use ACS 4.2 to create static ip address user for remote access VPN,It's easy,just configuration it at user set>Client IP Address Assignment>Assign static IP address,but when I use ACS 5.2 I dont't know how to do it.
I try to add IPv4 address attribute to user by read "ACS 5.2 user guide" ,it says this:
Step 1Add a static IP attribute to internal user attribute dictionary: Step 2Select System Administration > Configuration > Dictionaries > Identity > Internal Users. Step 3Click Create. Step 4Add static IP attribute. Step 5Select Users and Identity Stores > Internal Identity Stores > Users. Step 6Click Create. Step 7Edit the static IP attribute of the user.
I just do it,but it's not work.When I use EasyVPN client to connect ASA 5520,user could success to authentication but will not get the static IP address which I configure on Internal Users,so the tunnel set up failed.I try to Configure a IP pool on ASA for ACS users get IP address,and use EasyVPN client to connect ASA , everything is OK,user authenticate successed.but when I kill IP pool coufigurations and use the "add a static IP address to user "configurations,EzVPN are failed. how to use ACS 5.2 to create a static ip address user for remote access VPN?
I created some User Defined Groups in LMS 4.1, now I want to apply certain fault notification groups to Event Sets.
Unfortunately the Groups I configured are not in the Group Selector of the Fault Notification Group: Admin > Network > Notification and Action Settings > Fault Notification Group
We have just bought 4 WAP4410N. These units will be handling wireless network at the edge of our network, only allowing for Internet access.We will be creating two SSID's, one for employees and another for guests, with different wireless password rotation policies, intended to be changed automatically by an application using SSH.Is it possible in any way to create another SSH user just for this purpose? I do feel unconfortable using the management user for this (call it paranoia!). The same with having SSH accessible from the wireless end. Any way I can tweak sshd and having it persist between reboots? Also, another issue is that we have the AP's configured for e-mailing the log however we don't receive it. Connectivity and sending has been tested with snmpc on console and everything seems to be OK.
I am having an issue with the user VPNs. For users connected via the AnyConnect VPN client, all of their Internet traffic goes out their local Internet connection, since I am using split tunneling. However, I need a specific public IP address to go through the VPN tunnel and out the DIA at the main office, rather than the user's local internet connection. I managed to have this IP address go through the tunnel to the ASA at the main office, but it appears that it gets blocked somewhere there, or maybe the return traffic gets blocked. I am using an ASA 5520 at the main office, with software version 8.3.
i configured a remote VPN on cisco ASA 5520 and everythings seems to be working fine...DHCP IP were been lease to users that connect to the VPN. but the issue now is that our customer want a static IP to be given to a particular user when he connect via VPN.
I have roughly 50 users that are remote, and use VPN to access the resources in my network such as file servers, application servers etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan on Microsoft VPN.
I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely?Is this possible?
are there any free services where you can remote upload a file (zip file 25MB) and have it sent to me via email as an attachment. not a link where i have to download the file.
We are trying to add an additional LAN-to-LAN IPsec VPN to our network. We currently have one remote office connected, when we configure the second VPN matching the first the tunnel never begins to establish. There is an ACL that is dening the static IP for our remote office.
The layout is as follows:
Main office = ASA 5520 Remote Office A = ASA (Unknown Model) Remote Office B = Adtran Router
All devices have static IP addresses.
We used the ASDM VPN wizard to create both VPN's.
We have created a rule allowing all traffic from our remote office IP, and that had no effect on the VPN aside from eliminating the following message from our logging:
We have verified that both sides are configured the same however the VPN never is initiated so as of right now the ASA is simply blocking all attempts from our remote office to connect.
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
I have a client that wants to segment their wireless network behind their ASA. We currently have a normal setup, 5510, 2 interfaces, outside, inside. On the inside network there are Cisco Wireless APs that allow for internal access to the network. We want to move the APs to a new interface on the ASA and only allow traffic bettwen this new "Wireless" network and the internal network by using remote user VPN. So my question is, can you use remote user VPN from the new Wireless network to the inside network??
How do I setup remote login that would allow 3 or 4 people to login to the same computer.Each person would have their own Windows User Account name, with different privileges.I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router.
Each person would have their own Windows User Account name, with differentprivileges.I don't know what software could do this.The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router.This is a very small business and keeping costs under control is important
Someone hacked into my computer through my Netgear router. They took over as Administrator and setup a Atheros (sp) driver. They pretty much have total control over my computer. How can I rid myself of this hack and protect nyself in the future?
I want to share the My Documents folder from an XP machine with ONLY one user (the administrator) on a networked Win 7 machine. I have turned off simple sharing on the XP machine. I hate XP!! So complicated to do anything. Anyway, under security, I have tried share this folder, and not to share folder. I have gone into Advanced and messed around with permissions, taking out Everyone, using Admin only, using Network. At one point I ended up not being able to access My Documents on the local computer and had to jump through many hoops to change ownership and disable read only so that the user could use her own files!The problem is, under Advanced in the permissions area, I cannot see the users on the remote pc to choose which one should be allowed access. how to actually find a particular user on the Win 7 pc and give ONLY that user permission to read (not to change) the files in My Documents on the XP pc.
How do I setup remote login that would allow 3 or 4 people to login to the same computer. Each person would have their own Windows User Account name, with different privileges.I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router.his is a very small business and keeping costs under control is important.