Cisco VPN :: Using RSA With Local AAA On Asa 5520?
Aug 23, 2012
Is it possible to use an RSA token on the ASA without setting up any other server, just using the ASA? Our clients use the Cisco VPN client version 5.0.07.0290 and IOS 8.3(1). How would this be done?
Mar 5, 2012
We have a Cisco ASA 5520, and we're creating an IPSec VPN to another Cisco ASA. We have multiple VPNs on this firewall.
The issue with the latest one is they require a Public IP as the Local Encryption Network. I've seen this question a couple times while searching but never really a definitive answer.
Would using the "Outside-Network" as the local encryption network, then natting the appropriate IPs be sufficient? Or would this not work at all?
Our Public block is X1.X1.X1.64 - X1.X1.X1.79, our Peer IP X1.X1.X1.66. Would using X1.X1.X1.64/28 as the local encryption network make the connection? Then NAT the needed IPs from our DMZ X2.X2.X2.71 as X1.X1.X1.71 to the client?
Would this work or am I way off the mark (I'm by no means an ASA expert, and an ASDM explanation would work over command line).
Edit: Or would I have to create a new Global Pool made up of Public IPs on a different subnet mask than our actual Public IP address pool. And make that our Local Encrypted Network? I think this might be it, but could it cause IP overlapping? Our webserver is part of this and I'm worried about causing connection issues.
Mar 21, 2012
I have configured VPN filtering on all my L2L VPNs. I have restricted access from remote to local resources only to specified ports. It works perfectly. But I want to have also full access from local to remote networks (but still preserve restricted access from remote to local). As I know, VPN Filter works bi-directionally with a single ACL. So is there some way to open all traffic from local to remote and still restrict remote to local traffic? ASA 5520 8.4(3)
Jul 19, 2011
We have an ASA 5520 used for VPN and would like to make use of the ASA's local CA to manage certificates. Do you know if there's any limitation on the number of certificates that the local CA supports?
Oct 10, 2011
I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.
Apr 22, 2012
I'm trying to set up a local DNS server to manage small office local-only domain names for our servers. I have the DNS working properly (resolving local machines and using the ISP DNS if it can't). So I put the DNS server IP into the "Static DNS 1" field of the router settings. The other 2 static DNS fields are empty. The problem is that the router is still using the ISP DNS server as the primary and my local DNS server as the secondary. I verify this in two places. First, if I go to the "status" tab, DNS 1 shows the ISP server while DNS 2 shows my local DNS server. Secondly, if I connect to the wireless device with a Linux-based machine, the /etc/resolv.conf file shows the nameserver IPs in the same incorrect order.
Nov 2, 2012
We were using an ASA-5520-K9 with an ASA-SSM-AIP-20-K9 but recently found a hardware problem in our running ASA. Now Cisco wants to replace it with an ASA-5520-K8.
Sep 4, 2010
I have configured a Cisco 861 as a VPN server. Clients can connect, but cannot access local LAN resources for subnet 10.0.10.0. [code]
Mar 3, 2011
I'm trying to sync time in an ACS 5.1, but after configuring with the ntp server command, the show ntp command displays that time is synchronised to local net at stratum 11. The NTP source is a Windows 2003 server, and the show ntp command shows that it has an external refid at stratum 2, but still the ACS won't synchronize with this source, only local.
Oct 5, 2010
I have a Cisco 881 and I want to use Easy VPN.
-VLAN 1: 192.168.4.0
-WAN: 10.0.0.0
-VPN: 192.168.8.0
VPN connects and I get an IP of 192.168.8.100 from my pool. I can ping my Cisco at VLAN1 (192.168.4.1), but I cannot access my local resources. I guess I am missing a NAT configuration.
Jan 31, 2011
In my company we use a Cisco VPN 3020. Users connect using the Cisco VPN Client, and all traffic is routed into the VPN so that users get a remote IP address of the remote public LAN. The problem is that when using the VPN, users cannot access their local LAN at home anymore. How can I allow users local LAN access? All traffic is sent into the VPN, including traffic for the local LAN.
Aug 17, 2011
I have ACS 5.1 configured to authenticate users based on Active Directory. I have configured wired 802.1x too, with machine authentication enabled on ACS. When I log in with credentials that exist in AD, it works fine. Then I configured Windows Authentication to ask for credentials (popup window). But I experience network disconnection when I log in with a local account even though I entered correct AD credentials. I want to do the following: for an account that exists on the machine being authenticated (non-AD account), ACS should check its local database and reply with authentication success if it finds it, so the user is granted network connectivity. I heard about Identity Sequence in ACS. But I still don't see the right configuration,
Jun 23, 2011
I plan to install LMS 4.0.1 on a Windows platform. I would like to know if LMS 4.0.1 supports only the US Windows version (2003 or 2008) or if it also supports a localized (French) Windows version.
Apr 23, 2011
I have configured remote access VPN on my 2801 router's gio0/0 int IP x.x.x.1. I connected my laptop through the VPN client from the internet. I connected successfully and my VPN router gives me the assigned IP block y.y.y.1. From my laptop I can ping the other int gio/1 IP z.z.z.1, but I can't ping the IP z.z.z.2 of my core switch which is connected on the router's int gi0/1.
Jan 5, 2012
We are testing the upgrade from version 8.2 to 8.4 on an ASA 5505 and ran into a problem. For VPN connections we had pools created. A few of the pools were limited to a single IP address. After the upgrade the ASA rejects the pools that only had one IP address instead of a range. In the command line, if you enter a question mark after typing "ip local pool (pool keyword)" in config mode, it says "Specify an IP address or a range of IP addresses:start[-end]". With the word "or" it sounds like it should accept a single IP address, but it doesn't. The error is "Please enter a valid IP address range."
Oct 10, 2011
We are trying to set up a Cisco SSL VPN. When outside of the network and after logging in on the web page, you have the option to Remote Control your PC at the office. When clicking that, it takes you to the login screen with MACHINEuser... Is there any way to make DOMAINuser the default, or even just automatically log in since you've just logged in to the VPN anyway?
May 21, 2011
I just installed a new ASA 5505 for an office with three internal subnets. The three networks can each get online fine and ping each other, but cannot browse to shares on the two internal networks other than their own. How do I configure the ASA to allow all traffic between these three inside networks?
192.168.152.0
192.168.152.0
192.168.154.0
[code]....
Apr 7, 2013
I have a site-to-site VPN connection between an ASA 5510 and a PIX 515 which is working fine. There is no problem for hosts on either side of the tunnel to access across it. However, the local IP (192.168.20.1) on the client interface of my PIX is not allowed to access hosts on the other side of the tunnel. [code]
Jul 30, 2012
I am setting up a site-to-site IPsec connection with a company, something which I have done many times before without trouble. I use ASDM to configure this as it is quick and painless, usually.
We have a number of other site-to-site connections currently configured and working fine on this ASA. These are configured with the 'Protected network - Local network' set to the private IPs of the hosts within our network we want to make available through the separate tunnels. This includes the configuration setting on our ASA for each connection to 'Exempt ASA side hosts from NAT'.
With this new connection, however, the company has asked us to use a public IP for the host we want them to reach through the tunnel. I am not sure why, but they demand it. So I added a NAT rule for the inside host, and configured the connection with the public IP under 'Local Network'. When testing to try to reach a host on their side, the tunnel does not even attempt to initiate.
I can't see where I am going wrong. I am guessing the 'Exempt ASA side host from NAT' does not need to be set for this, as how else would the ASA know which internal host the public IP relates to.
Sep 8, 2011
I am transitioning from RADIUS auth to local auth and I don't want to hassle everyone to change in one hit. If I can get auth requests to look in the WLC local net DB first and, if not found, try RADIUS, then this is what I am after! You can easily do it with web auth but it doesn't seem so easy via the WPA2 method.
Mar 7, 2012
I am testing an Aironet1040 in AP setting. During the trial run of the GUI on this 1040, I saw a local RADIUS setting, and it can set something like FAST-EAP.
Is it the case that after using this setting (plus other steps), I can set this Aironet1040 as an AP with the capability of a simple RADIUS server for authentication purposes?
If not by the way I mentioned above, can the Aironet1040 be set as a simple RADIUS server? This is because if it can be set as a simple RADIUS server and does not need to work with an external RADIUS server, that would be great and save the trouble of finding another server.
Sep 16, 2012
We currently have an ASA with site-to-site VPN and AnyConnect VPN being utilized. We received a third-party Cisco router which will be used to initiate their own site-to-site VPN from inside our local LAN to their LAN through our ASA.
1. Would NAT Traversal be required on our ASA? 5540(config)#crypto isakmp nat-traversal
2. Would the ports listed below interfere with the ports for site-to-site VPN and AnyConnect VPN?
SSH
- allow access from xxxxx on TCP Port 22
ICMP
- allow access from xxxxx - protocol 1
ISAKMP
- allow access to xxxxx on UDP Port 500, also add UDP 4500 for NAT-T
[code]....
Nov 7, 2011
Been tinkering around in our ACS 5.2 appliances today to set up PEAP. I generated a self-signed certificate under local certificates which I want to remove now. But when I try to delete it I get the following message:
This System Failure occurred: Certificate is associated with a protocol. Hence it cannot be deleted.. Your changes have not been save. Click OK to return to the list page.
I assume this is because it is associated with the EAP protocol, but I cannot uncheck the box when I edit the local certificate. How can I get rid of this test certificate?
Nov 21, 2011
I've got a VPN set up on an ASA 5510. It connects fine, and my users and I are able to remote desktop and ping. However, when accessing the servers by hostname I get nothing. When I want to access a fileshare I have to do it by IP. I've got my internal DNS added in the config.
Aug 1, 2012
We normally interconnect an Ethernet VLAN via a bridge-group to an ATM PVC like:
interface ATM1/0.162055
bridge 10
pvc 16/2055
encap aal5snap
!
interface port-channel1.10
[code]...
This works fine on our 7206VXRs (IOS 12.4(24)), but the limit on bridge-groups is 256, which is not scalable enough. Earlier I was reading on [URL] wp1170945 about L2 switching an ATM PVC to an Ethernet VLAN, which interested me because of the simplicity of it. According to the manual, the corresponding config would be:
interface ATM1/0
pvc 16/2055 l2transport
encapsulation aal5snap
!
!
connect atm-eth-vlan-con atm1/0 16/2055 GigabitEthernet0/1.100 interworking ethernet
I've got the following questions:
- Can I terminate the ATM PVC to a port-channel, or is it implicit when I configure gi0/1.100?
- Are there any limitations on the number of connects on the 7200VXR with the IOS I'm using?
- Are there any other caveats I didn't think about?
Feb 19, 2013
I'm trying to configure remote access VPN on an ASA5505. I configured it as a local CA server, installed a digital certificate on the remote station, and everything looks fine as far as I can see. I'm using Cisco VPN client 5.0 on the remote station. When I initiate a VPN session it fails while trying to connect. Looks like I'm missing some configuration, but I cannot figure out what it is. Currently I have the firewall configured to use group authentication and everything works fine. I want to switch it to use certificate authentication and, if possible, configure the firewall to use main mode instead of aggressive mode for better security.
Feb 10, 2013
I have a very problematic situation here. I have configured the vty line on a Cisco 2960 in the wrong manner and now I am stuck. To configure those vty lines to enable SSH I typed:
line vty 0 4
login local
password xxxx
line vty 5 15
login local
password xxxx
exit
Problem: I work remotely (I was on telnet while doing this). I have no username configured, as I thought that the root user would work. Now when I SSH to my switch, I always fail authentication. How could I recover access to my switch without being physically there? I wrote the config to memory, otherwise it would have been too easy.
Apr 3, 2013
I'm using 3 1140 APs with local authentication using local RADIUS (FlexConnect mode). The RADIUS server I'm using is MS 2008 R2. Authentication is working great on all devices, PCs and mobile. The authentication method is PEAP WPA2 AES Enterprise. After 3 or 4 hours devices lose connectivity to the web. The device seems to be still connected to the AP, but there is no ping to the host from the local LAN or any ARP learned on the local router. Only a manual disconnect on the device and reconnecting brings connectivity up again. In one case only resetting the APs worked.
Nov 12, 2012
I want to have a local user in ACS that is permitted to log in to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x. I created a user in the internal identity store. I tried configuring a policy to allow this user's TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide, as the documentation is sorely lacking.
Jan 6, 2012
I am facing an authentication issue with ACS 5.2. Below is the AAA flow (EAP-TLS):
- Wireless Users >> Cisco WLC >> ADs <-- everything OK
- Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
Last time I tested with ACS, it worked, but we didn't do the migration as there would be changes from the ADs. Now my customer wants the ACS migration by creating a new group in AD, and I also updated the ACS config. For a user from the old group, authentication is OK. For a user from the new group, authentication fails with a "subject not found" error, showing the user is from the old group.
Seems like ACS is querying from old records (own cache or database). Already restarted the ACS but still the same error.
Note: My customer can only access their local ADs (trusted by the Global ADs). Local ADs and ACS are in the same network; ACS should go to the local AD first. How can we check or make sure of it?
Nov 14, 2012
I want to limit a local user's access to some specific groups of devices. In Role Management Setup I can define which service they can access, but I want to restrict it to a specific device as well.
Oct 11, 2011
I have a weird issue I have never seen before and am trying to get some answers. I set up a laptop for one of our employees who works out in the field. We typically log in to the machine while on the network with a domain account. This is so the password gets cached and they can log in to the machine once they receive it. I sent a laptop to this one guy (who is rather tech savvy, so I know it is not user error) and he could not log in to the laptop using his network credentials. I was able to get him on his home network using his router, and I RDP'ed into the machine. When I was remotely connected, I was able to log in to the PC with no problem. However, after I disconnected, he tried to log in also and it kept telling him that the domain was not available? It wasn't even an "invalid password or login" error. I ended up creating another local account on the machine so he could work, but I am stumped as to why he could not log in locally, but I could using RDP.
Jul 27, 2011
I've recently been having issues getting a wireless connection with my laptop (specifically a dv6700) running Vista. I had previously run it for 2 years without issue, but after returning from Sweden (where there was again no issue connecting wirelessly) I have often only been able to get local access. This isn't on all networks: my University library network works fine, for example, but my flat's personal network, as well as my parents' network and a local cafe which I had previously connected to fine, only get local access.