Cisco VPN :: IPSEC VPN Group Authorization ASA 5520

Feb 15, 2011

Options a user may reside in Austin, TX and I want the user to utilize the local proxy (i.e. texasproxy:8080). We currently only require the user to enter the RSA passcode and username to authentication (RSA/AD username are identical). Is there a way to have the user authenticate via RSA and have the user's AD group membership (TX) assign the user the specific IE proxy settings? We are utilizing an ASA 5520 on 8.2, but we are willing to upgrade to newer IOS or even consider anyconnect to resolve this issue.

View 2 Replies


ADVERTISEMENT

Cisco VPN :: To Match Tunnel Group With ASA 8.2 And VPN Client IPSec Authorization

Apr 15, 2010

I have configured a lab for RA VPNs with a ASA5510 software version 8.2 and VPN Client 5 using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco website: URL
 
Now the vpn works just fine, but now I need to configure different tunnel-groups so I can provide different services to different users. The problem I have now is that I don't know how to configure it so the certificate matches the tunnel-group name. If i do a debug crypto isakmp on ASA I get this error messages:
 
%ASA-7-713906: IP = 165.98.139.12, Trying to find group via OU...%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload:   Unknown%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IKE ID...%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload:   Unknown%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IP ADDR...%ASA-7-713906: IP = 165.98.139.12, Trying to find group via default group...%ASA-7-713906: IP = 165.98.139.12, Connection landed on tunnel_group DefaultRAGroup

So basically when using certificates I always connect the RA VPN only with the default group DefaultRAGroup. Do I need to use a different web enrollment template for certificate request instead of the user template??? How can I define the OU on the User certificate so it matches the tunnel-group???

View 3 Replies View Related

Cisco AAA/Identity/Nac :: VPN Group Authorization With ACS 5.2

Apr 26, 2011

I'm trying to set a VPN connection to a router using group authorization with the ACS 5.2 but cannot make it work. I configured everything based on the procedure used for ACS 4.2. I created a user that corresponds to the group name, used the password cisco and used all the requiered Cisco AV pairs in an authorization profile. (Based on document: [URL]
 
While testing with ACS 4.2 this works fine, I can see that the ACS returns the group attibutes correctly (here is a debug output)
 
Apr  9 16:16:59.256: RADIUS: Received from id 1645/22 192.168.1.212:1645, Access-Accept, len 203Apr  9 16:16:59.256: RADIUS:  authenticator 02 07 F5 E6 46 78 73 CA - 46 6D 47 90 FE 92 38 9AApr  9 16:16:59.256: RADIUS:  Vendor, Cisco       [26]  30  Apr  9

[Code].....

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ISE V1.1 ISE Authorization Rules Do Not Use Endpoint Identity Group

Dec 5, 2011

I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned  dynamically or statically to an endpoint identity group. Cisco ISE authorization  rules do not use this endpoint identity group.

View 2 Replies View Related

AAA/Identity/Nac :: Configuring Authorization ASA 5520 - Level 15

Sep 10, 2012

I have an ASA 5520 8.2(5) with ACS 5.1, I made the configutation of Authentication and is working well, now how I can configure the authorization and get  into the privileged level 15 mode directly.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5520 Failover Exec Authorization Failed

Mar 14, 2013

I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1, however command authorization is failing when I try to execute a command on the standby from the active unit...
 
failover exec standby dir disk0:/
 
Fallback authorization. Username 'adminuser' not in LOCAL database Command authorization failed
 
I don't even see the authentication attempt going into ACS.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.2 Change Of Authorization With Avaya Switches (5520)?

Jan 27, 2013

I am configuring ise to do the posture assessment. I am having avaya as my LAN and Core switches. The idea is once the user is authenticated using 802.1x then it will be moved to qurantine vlan and after it is compliant with the company's policy then it will be moved to the actual vlan. I have configured the avaya switch to accept the radius assigned vlan and also configured the 802.1x dynamic-authorization. Currently, radius assigned qurantine vlan is working but once the nac agent scan and mark the PC status as Compliant then the CoA is not happening and User is not moved to the actual vlan.
 
I tested the same ise authorization policy of dynamically assigning VLANs on cisco switches and it worked perfectly, but the same is not happening on avaya switch.

View 1 Replies View Related

Cisco VPN :: ASA 5510 - Group Policy In IPSEC Remote?

Nov 20, 2012

I have configured ASA 5510 With IPsec Remote VPN.With local database users(Users are created in ASA).
 
Internal network has 4 VLANS. Need solution for below.
 
There are 25 Users created in ASA. where only 5 tp 6 users wants to grant access to Particualr IP and Subnets and rest of the users can access entire lan.
 
Is it possible to configure Group policy in ASA for IPsec Remote VPN.

View 1 Replies View Related

Cisco VPN :: ASA 5520 Authentication Using Windows NT AD Group?

Feb 3, 2011

I am configuring windows nt authentication on asa 5520 firewall for clientless web vpn. is there a way i can specify to only authentication from the specific AD group only using windows nt or other way?

View 1 Replies View Related

Cisco VPN :: ASA5500 Remote Access Group Policies IPsec Client Firewall

Mar 6, 2011

We have ASA5500's deployed for remote access concentration.We use Cisco IPsec vpn client with a group policy the chacks for Network ICE BlackIce ersonal firewall.The powers-that-be wish to change to McAfee presonal Firewall ok..Now the Group Policy allows you to check for several pre- configured Firewalls, Cisco Integrated, Sygate, Zone Labs etc.So as McAfee are no listed then I am to assume we go for "Custom Firewall" and this is where I am struggling.To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID.McAfee haven't the faintest idea what we're talking about when we ask them for these details.Or is there a way to extract them from the registry of a machine with the McAfee product installed?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ASA-5510 / IPSec Client Authentication Based On AD Group Membership?

Aug 26, 2009

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510.  Currently using NT Domain authentication.  It's been working fine for quite a while but is too broad a brush.  It authenticates anyone who is in the domain.  We need to only authenticate folks who are in a specific AD remote access security group.  I'm testing LDAP but am getting the same results.  I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership. 
 
We've updated to ASA 8.2(1) and ASDM 6.2(1).  It seems to have more LDAP functionality but I'm not an LDAP expert.  I've posted an image of the LDAP server dialog from the ASDM.  I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing.  I also tried adding the group info in the "LDAP parameters for group search" field at the bottom.  But it doesn't seem to be looking there.  Note that the current value is the Group Base DN only.  I also tried putting "memberOf=" in front of that.  Still no luck.  The values shown in the image work for simple domain membership.

View 3 Replies View Related

Cisco VPN :: ASA 5520 / Restricting End User To One Specific Group With AnyConnect?

Feb 6, 2013

I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication.  I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account.  How do I restrict this so that the user can only use one profile?  Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks.  Is there a sample configuration guide to handle multiple profiles with different levels of access?

View 3 Replies View Related

Cisco Firewall :: ASA 5520 CSC Module Per Subnet / IP Group Inspection Profile

Sep 7, 2011

verify if the ASA 5520 CSC module way of applying security policy (http, smtp, pop3, etc.) is per network/subnet or group of users? Based on my understanding through reading, web and email protection profile/config is global. It will be the same to every network user that is redirected via service-policy config on the ASA.
 
Scenario: I have two VLAN, guest and employee. Of course guest and employee have different web filter profile. Can i configure it such that guest web-filter profile is not just strict while employee's access is limited only to productive internet sites.

View 5 Replies View Related

Cisco VPN :: 5520 Should SSL VPN Performance Be On Par With IPSEC

May 22, 2010

Currently running a pair of 5520 as VPN routers. running 8.0.3, been using only Anyconnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.However, recently we tried testing some IPSEC clients and are realizing that the Anyconnect SSL VPN clients is about 10x slower than the IPSEC client.From my house, downloading either CIFS or FTP, I can pull pretty close to 1.0mbps, while using Anyconnect, I pull 0.1mbps. What could be causing this slowdown? Should SSL VPN performance be on par with IPSEC? Clients all are windows 7, 64 bit. and the testing is being conducted on the same device.

View 8 Replies View Related

Cisco :: Routing And IPSec On ASA 5520

Nov 19, 2011

The network design is a hub and spoke using a carrier provided MPLS network with a ASA 5520 at the hub that has a IPSec tunnel to another part of the company.This configuration has worked for sometime now (long before I came to the company a couple of months ago).The thing that does not make sense to me is that the those networks out on the spokes did not have a route to the inside interface network of the ASA. With the way this MPLS works, if a network is not in the MPLS network routing tables it will not pass that network. The network was not in the MPLS network, nor was it in any of our edge routers connecting to the MPLS.
 
These hub networks did have routes both in the MPLS and edge devices for the networks on the other side of the IPSec tunnel and have been reaching them for some time.So what I am trying to understand is how it is possible for these hosts that have no route to the ASA inside interface network, but do have routes to the remote networks, how are they able to successfully pass that traffic? There are no NAT devices between these WAN hosts and the ASA.

View 1 Replies View Related

Cisco VPN :: ASA 5520 IPsec VPN Performance?

Feb 17, 2011

I have a client that uses the ASA 5520 as both a firewall and VPN termination device.  Day to day VPN usage is 30-50 users and the memory (512 MB) is typically at 50% while the CPU is mostly under 30%.  I've suggested the RAM be upgrade to 1GB.The client would like to add a large block of VPN users which could see 250-300 concurrent users.  What kind of a system resource hit should the expect with this level of load?

View 1 Replies View Related

Cisco VPN :: Force IPsec VPN Client To Use ASA 5520

Jun 24, 2012

I have made the following change to my ASA 5520 using ASDM to try and force VPN clients to use a self assigned certificate from the ASA. I made the following changes Remove Access VPN > Certificate Management > Identity Certificates > Add Certificate.Then I made the following change.. Remote Access VPN > Network (Client) Access > IPSec(IKEv1) Connection Profiles > Connection Profile > Edit > IKE Peer Authentication > Pre Shared key and pointed the identity certificate to the one I created in the step above.Having made this change I am still able to VPN without a certificate configured in authentication settings.I was expecting that the VPN would attempt to issue the self assigned cert to client machine?

View 1 Replies View Related

Cisco VPN :: ASA 5520 / Domain Based IPSEC VPN

May 28, 2012

Currently we are having a 2 ISP for Internet. Need to achieve redundancy for IPSEC VPN using the domain.

Requirement :Will configure a domain and assign two public IP address from 2 service providers. Will set the priority for the public ip address and do the manual change during the ISP failure.We will provide the domain name to the clients to setup the IPSEC VPN.So incase of failure by one ISP, we will change the priority in the domain to point to the availble address.So that we can reduce the downtime and no need of configuring new IPSEC VPN tunnels.

Question :Whether we can achieve this in Cisco ASA 5520.Or do we have an alternate solution to overceome this solution.

View 1 Replies View Related

Cisco VPN :: Anyconnect And IPSEC Vpn Coexist On ASA 5520?

Sep 8, 2011

When I try to add CAS to CAM a cannot choose a OOB Virtual Gateway or OOB Real-IP Gateway, because these operation modes are absent  in Type list.What can be reason it?

View 5 Replies View Related

Cisco WAN :: 871 / 5520 - L2L IPSec Tunnel Between Two Routers

Apr 4, 2011

Here is the situation: A CISCO871 router is configured to establish an IP SEC tunnel with a CISCO ASA5520. The configuration is OK about that. I wish to configure the same CISCO871 in order to establish a LAN-to-LAN IP sec Tunnel with another CISCO871 at the same time in order to reach private network. So, I have followed the Cisco procedure Document ID: 71462 "LAN-to-LAN IP sec Tunnel Between Two Routers Configuration Example"; it works, I can reach the peer private network BUT ONLY when the IP SEC tunnel with ASA is not established.
 
It seems to be a routing problem...I don't find how to configure to make both tunnels up and functional at the same time.

View 1 Replies View Related

Cisco Firewall :: Asa 5520 No Ipsec Involved With Office 3

Mar 2, 2013

I have two ASA 5520 units, both running version 8.3(2) code.  Among many other uses, they have an IPSec tunnel between them to link office 1 and office 3 together.  Office 2 does exist, and is connected to a different port on the ASA in office 3; there is no IPSec involved with office 3.

View 6 Replies View Related

Cisco VPN :: ASA 5520 IPSec DNS And Internet Access Not Working?

Jun 26, 2011

I have set up a remote access ipsec vpn on an asa 5520.  I can connect, and ping internal ip addresses, however I cannot ping back out to the internet, and dns resolution does not work. 

View 3 Replies View Related

Cisco VPN :: ASA 5520 8.4.1 IPSec VPN No Matching Connection For ICMP

Jun 23, 2011

I am trying to set up remote access vpn on an asa 5520 running 8.4.1.  I have the ipsec group, policies, and ip pool set up.  When I try and connect with the cisco vpn client I see the following in the logs.  Deny icmp src outside:214.67.39.42 dst outside:24.252.51.73 (type 3, code 3) by access-group "acl_inbound".  Do I need to put in some firewall rules to allow this traffice so that the VPN can connect?

View 9 Replies View Related

Cisco VPN :: 5520 ASAs - IPSec VPN Clients Not Being Able To Connect

Aug 25, 2011

I am currently having some problems on our 5520 ASAs. The problem is the IPSec VPN clients not being able to connect. We have had an issue twice this week where this happened. Earlier in the week we had folks not able to sign in, but some folks who were connected already stayed connected. The ASAs had been up for 200+ days and no changes have been made to it recently. At that point I had to reload the ASAs so users could start signing back in to it. Today we had a similar issue, but I didn’t have to reload the ASAs. The issue‘resolved’ itself. The VPN clients are getting Error code: 433 and the ASAs are getting Reason: Peer Address Changed when this occurs.
 
ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz version 8.3.2.

View 5 Replies View Related

Cisco VPN :: ASA 5520 IPSec Overlap - How To Route Traffic

Nov 13, 2011

We have multiple vpn tunnels coming to our cisco asa 5520 , the problem is that when we create another tunnel with the same network as another network on the firewall , it does not know how to route the traffic to which interface or sub interface.

View 2 Replies View Related

Cisco VPN :: 5520 Are RA IPSec And SSL VPN Ports Allowed By Default

Mar 27, 2013

We have set of PC's who will be connecting either RA IPsec or SSL VPN to another location. On our site, our perimeter device is an ASA 5520 8.2(3). The interfaces on this ASA doesn't have Access Lists applied, so from what I understand, there is a default policy applied globally (class-default). Now my question is: If we set up vpn clients on our pc, are the ports used by the clients to the VPN server allowed by default or do we need to tweak the class-default?

View 6 Replies View Related

Cisco VPN :: 5520 - How Much Traffic Pass Through Into IPSec In ASA Firewall

Mar 20, 2013

How can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.

View 3 Replies View Related

Cisco VPN :: ASA 5520 - L2TP / IPSEC Not Working In Windows XP / 7

Mar 25, 2011

i have configure l2tp/ipsec vpn on cisco ASA 5520 and also configure windows 7 client but its getting error 
 
Error in ASA debug log
debug crypto isakmp 7 
Mar 26 07:44:28 [IKEv1]: IP = 59.161.130.13, IKE_DECODE RECEIVED Message

[Code]......

View 2 Replies View Related

Cisco VPN :: 5520 BUN K9 Supports Data Compression On VPN IPsec

Sep 10, 2012

I would like to know if the ASA 5520 BUN K9 supports the data compression on VPN IPsec.

View 2 Replies View Related

Cisco VPN :: ASA 5520 - IPSec Remote Access VPN Design

Mar 7, 2011

Is there any documents that I can use to design an IPSEC remote access solution using 2 data centers . One data center is primary and other one is secondary. The VPN is terminated in ASA 5520. End users using cisco client.

View 6 Replies View Related

Cisco Firewall :: Setup Of IPSec Passthrough On ASA 5520

Mar 28, 2012

I am working on IPSec Passthrough on an ASA 5520, with version 8.3, and ASDM 6.3. Currently I have a requirement for users in my internal network (10.10.249.128 / 25) to be able to connect to external IPSec VPN servers.
 
So I created a network object with 10.10.249.128 / 25, and used dynamic PAT to translate the source ip address to the external internet facing outside interface:

I then added the following rules on the inside-in ACL: However troubleshooting shows that isakmp is passing through the firewall, but esp and ah is not.
 
For isakmp:
 
For ESP:Seems like the nat rule is drawing my ESP traffic,

View 1 Replies View Related

Cisco VPN :: 5520 / IPSec VPN Won't Initiate From Remote Site

Sep 8, 2012

I have a site-to-site VPN configured between a 5520 at our data center, and a 1700 at a client's site for site-to-site connectivity.  What I've noticed is, is that the VPN can only initiate from my Data Center, never from the client router.  I can telnet into the router and start a telnet session sourced from the "inside" interface and it fails, yet I can see the NAT translations get created in the state table that should match the crypto-map.  However, if I ping a host on the inside of the remote LAN from my workstation (behind the 5520) to bring the tunnel up, and run the exact same command on the client router once the tunnel is up, it works.  Right now I have a continuous ping running from my workstation to keep the tunnel up, but obviously that's not the best solution
 
I had to modify this config to NAT the LAN addresses at the client to a non-overlapping subnet, so anything coming from 128.1.0.0/16 should be NAT'd to 192.168.105.[50-200]/24.  I've also got two static NATs for inbound access from the data center and those seem to work fine.
 
Current configuration : 2787 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

[code]...

View 2 Replies View Related

Cisco VPN :: ASA 5520 - ASDM Shows Lot Of IPsec VPN Sessions In GUI

Jan 20, 2013

I have upgraded my ASA 5520 til version 9.1 with ASDM version 7.1. After the upgrade ASDM shows a lot of IPSEC VPN-sessions in the GUI that i cannot see from the ASA. Right now the GUI says that I have 28 IPSEC-sessions while the output from "show vpn-sessiondb l2l" shows the expected 4 tunnels and the output from "show vpn-sessiopndb remote" shows 0 as expected. (I do not use IPSEC from remote users).

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved