Cisco :: Way To Grant SSL VPN Users Different Levels Of Access?

Mar 18, 2011

I have a customer with an ASA5510. We have an SSL VPN (tunnel-based, or "SVC") that we use for remote access. That works great. They want to be able to use this same functionality, but add users who will not have the full access that the current SSL VPN users have. So in other words we currently have a small group of users who get full access to the LAN. Then they want to have a second group of users who will only have access to certain nodes. I'm wondering if there's some way to do this using LDAP between the firewall and the RADIUS server? The user gets put in a different tunnel group depending on what the FW learns from the server? We only have the AnyConnect Essentials license, so unfortunately we can't do a clientless SSL VPN, which otherwise might work well here.


Cisco :: 5508 How To Grant Wire Access To A Wireless Ssid

Jul 25, 2011

I have a wireless LAN controller (5508) broadcasting 2 SSIDs: one is a secure VLAN grabbing an IP address from a local DHCP server and getting access to the internal network, and the other SSID is for a guest VLAN where the DHCP server is in a remote site and internet access is off a circuit in our data center which is accessed over a WAN. The secure SSID's VLAN is defined on the local switch, but the guest VLAN is not defined on the local switch. The APs in the respective sites are trunked to the core switch and the switchport config is: [code] It's trunked b/c we have both VLANs going across this physical connection. I would like to get the guest VLAN a wired connection, i.e. off a switchhub, but not sure how to do that as this guest VLAN is not defined on our local network.


Sharing :: How To Grant Permissions For Domain User To Directory

Jun 29, 2012

I started getting into IT (as a job) a little less than a year ago, though I've been working with computers for close to 20. So networking was never something I was into while working on computers at home. I've been handed a significant position at work and I am learning a lot as I go. I want to know how to grant permissions for a domain user to a directory without adding the user to all of the sub-directories and directories. The only way I've figured out thus far is to grant permissions to said folder, then inside remove the "inherit permissions..." but then I have to manually remove the permissions to every other sub-folder. I want to add a single path to a folder by adding single permissions to each folder until the directory in question is reached.


Cisco Routers :: RV042 Setup To Grant HTTP Traffic Minimum Bandwidth?

Jul 24, 2011

I am trying to set up my router to grant http traffic a minimum bandwidth of - for example - 5,000 kBit (if there is any http traffic).
 
So I set http min. rate to 5,000 while I set nntp min. rate to 1. However, when I run nntp downloads on several connections (e.g. 10) my single http download never goes above 1,000 kBit. Without any other connections I reach 8,000 kBit.

I am using a single 12 MBit line.


Wireless Connection Briefly Drops Then Will Not Grant Default Gateway Or DNS Server

Aug 28, 2011

I can connect to the internet via wireless just fine, and everything will be hunky-dory for a while. After a while, however (this varies anywhere from a day to a week), there will be a small hiccup on the connection, and then something fails in the Acquiring Network Address stage. My computers will get an IP, but they will not get the default gateway or DNS server. I have tried a plethora of fixes, from simple computer reboots to fiddling with all sorts of settings, and nothing works to reestablish the connection. My father has also tried fixing it, to no avail. I have to go and reset my router, which also interrupts TV service, because it is through AT&T U-Verse. Needless to say, this does not make other people in the household very happy, and I really shouldn't have to be resetting my router every couple of days like that. My PC uses a Netgear WG111v3 adapter and is Windows XP. My laptop has on-board Wifi and is Windows XP Professional.


Cisco :: Users From Remote Access VPN Can't Access Other Subnet

Nov 1, 2011

Based on my diagram, my computer A (192.168.100.11) can ping and access my computer B (192.168.10.14). When I'm home and I use remote access VPN (192.168.200.x) on the Cisco ASA 5520, connecting to my computer A is okay. But when I try to ping my computer B, it is not okay. I already did the exemption for 192.168.100.x and 192.168.10.x in the NAT rules for the inside interface (192.168.100.2) ...

Should I put routing from outside 1.1.1.2 to 192.168.10.x by using 192.168.100.1 as a gateway?


Cisco :: ASA Interface Security Levels?

May 25, 2011

* By default, the interface with higher security level can access "interfaces" with lower security level
* By default, lower security level interface has no access to higher security level interface (access list needed to permit access


Different Levels Of Security In Networks

Jul 7, 2011

different levels of security in networks


Cisco Firewall :: ACL With Security Levels In ASA 5520

May 6, 2013

I have a DMZ (50) from where I need to allow some protocols to inside zone (level 0). I am doing that with ACL, but after having done that the implicit security level rule to lower level (outside level 0) is not working anymore, I guess because of the implicit deny after the ACL. I'd need to allow traffic to the outside zone from DMZ, as well as the inspect traffic from the inside one. Is there any way to have both ACL and security levels?
 
If not, what do I need to do to just allow some protocols going to higher level and leave the higher-to-lower traffic inspected allowed, same schema as we have with security levels.


Cisco :: 4404 TX Power Levels Are Low After WLC Upgrade To 7.0.98.0

Oct 7, 2010

I recently upgraded our WLC 4404 to release 7.0.98.0. The process was very smooth with no issues. The controller manages access points in two buildings. Prior to the upgrade the access points were maintaining high TX power levels, typically between 1 and 3. After the upgrade the power levels all dropped to 6 and 8. I have confirmed that the correct external antennas have been set for each access point. I have not done a site survey to see if the lower power levels are acceptable. But the environment has been very consistent for the past year with regards to TX power levels. For the time being I have manually set a power level of 2 to prevent any service outages. Is there any explanation as to why the power levels have changed so drastically?


Cisco AAA/Identity/Nac :: 881 SSH Login Using Only Public / Private Key Levels

Mar 10, 2013

I'm trying to make a setup on my Cisco 881 router, but I'm having some trouble. I've managed to configure logging in with a Public-Private key pair over SSH, but it's also still possible to log in over SSH with just a username and password. I'd like to prevent this, if possible. I imagine I might have manually configured this to be allowed at some point, but I can't quite figure out how I did this, as no matter what I've tried to remove, it keeps allowing this option. I still need to be able to log in with a username, because I want users to have different privileges.
 
Once I've logged in using the Public-Private key, I don't automatically go into privilege mode, even though the user is configured with a privilege level. I'd like to configure that users that I've configured to use a certain privilege mode, automatically go into privilege mode without a password prompt. I know it did this before I started using the Public-Private key (or before I used AAA, which was configured around the same time), so I wondered if it's possible to do this still.


Light Levels LX SX Info About Fiber Experience

Jun 7, 2012

I've got tons of fibre in my network. However, tbh, my knowledge about correct light levels isn't great. I generally wait until my router complains about a light level before I do anything. I would like to set up SNMP monitoring for light levels, but I need some kind of baseline. Anyone with extensive fibre experience? What light levels should I be looking at for both multimode and singlemode fibre?


Network Setup With Different Security Levels For Groups

May 29, 2011

How can I set up a network with different security levels to different groups?


D-Link DIR-655 :: Blocks Epson Artisan Ink Levels?

Aug 12, 2011

I purchased an Epson Artisan 835, which I am running wireless. When I try to check the ink levels from my laptop they are all greyed out. Epson tech said the DIR-655 was the problem and that I needed to get the router to give permission for the ink levels to go through.


Cisco Firewall :: ASA 8.x Logging To Multiple Hosts At Different Severity Levels?

Jun 19, 2011

Is it possible to configure the ASA to:
 
log syslog informational to one host
and
log syslog critical to a different host
 
It seems that the ASA allows you to only specify 1 logging severity level for all syslog hosts..


Cisco AAA/Identity/Nac :: AIR-AP1121G-A-K9 / HTTP Login Privilege Levels

Oct 4, 2011

In CLI we have users log in at priv 1 and use "enable" to increase privilege and do configurations. This allows "accounting" of command history. On the AIR-AP1121G-A-K9 (12.3(8)JED1) I cannot duplicate this for http login.
 
I can log in as a user at priv 1. When I try to go to a privileged link like "Security" I get prompted for a second login/pw. Nothing works here unless I have a second user defined at priv 15 and enter that login/pw. The problem is - that login/pw can be used to log in via http in the first place which bypasses accounting of the actual user. It also allows login to the CLI at priv 15 which I cannot permit.
 
username test1 secret 5 abcdxxx
username test2 privilege 15 secret 5 efghxxx
enable secret 5 ijklxxx


Cisco Firewall :: 6513 - Local User And Privilege Levels

Jul 14, 2011

I have FWSM's in Cat 6513's. I have a need to be able to session from the switch to the FWSM by using default account (not local user), at privilege level 15 I further have a need to allow a user read only access by ssh'n into the FWSM...
 
I believe I need to setup a local user, at, say privilege level 5, assign the show command only to privilege level 5, then set the authorization command for that user. So, i think my command sets are as follows to accomplish this:

username <username> password <pw> priv 5
priv command level 5 mode exec command show
aaa auth ssh console LOCAL
aaa auth enable console LOCAL
aaa authorization command LOCAL
 
I think, that this will allow the user at privilege 5 to run only the show command and only by SSH to the FWSM while allow the priv 15 level default login to continue to function properly.


Cisco Switching/Routing :: Not Logging All Levels Of Syslog Messages From Core Switch 4503

Apr 23, 2012

We had a core switch (4503) in our environment and recently we tried to enable syslog in the switch. But the syslog server doesn't receive all the configured level messages from the switch. Following is the only message getting in syslog server after the configuration change in switch.
 
%SYS-5-CONFIG_I: Configured from console by CWLMS onvty1
 
(No Traffic related messages like acl deny traffic, spanning tree events etc are getting to syslog server as well as log buffer of the switch)
 
Following are the logging configuration for the core switch
 
logging monitor informational
logging facility syslog
logging source-interface Vlan44

[Code]....

1) Are there any more configurations required for getting all traffic related messages (I mean all possible messages, up to level 7, debugging)?


Cisco VPN :: 5505 Allow VPN Users To Access A Different VLAN

Jan 17, 2012

I have an ASA 5505. I have configured Remote Access VPN so that users can connect to VPN and access my main VLAN (Inside). I would like to secure it so that when a user VPN's in, they are only allowed access to the HVAC VLAN (Vlan 2) as seen in my configuration. Please note there is also a LAN-2-LAN VPN which has been configured as well.


Cisco :: 5510 - VPN Users Needs Access To All L2L Segments

May 17, 2013

Client has a Cisco ASA 5510 with 4 L2L VPN's all using 5505's
 
The L2L connect to the "outside" interface as do the VPN Users (I'm leery of this
 
The VPN Users need access to the "inside" networks and all L2L subnets.
 
The VPN User has its own subnet (192.168.168.0/24) separate from the Local LANs (172.16.0.0/16)
 
When the Users VPN in they can get to all the subnets connected to the inside interface but none of the L2L subnets
 
I have verified that the UserVPN Subnet is in the crypto acls and in the route statements of all L2L 5505s


Cisco Firewall :: ASA 5520 - Users Can't Access Through By Name

Mar 13, 2011

I just configured an ASA 5520; here is the config (the IP address of the outside network is changed to a private address for security reasons).
 
The problem that I have is that the users can access the web site through the public IP address but they cannot access it by name. We reviewed all the config on the DNS server and with the command NSLOOKUP we can see that it works fine. The client thinks that the ASA is blocking the connection.
 
[code]....


Cisco VPN :: 5520 - Restrict Certain AD Users From Access?

Dec 13, 2012

Is it possible to deny VPN access to specific AD accounts?
 
Currently setup with 5520, LDAP authentication for VPN users.


Iomega STORCENTER IX2-200 Can't Access Users

Oct 19, 2011

I have a STORCENTER IX2-200 CLOUD EDITION in my office with 3 machines hooked up via the router. I can't seem to access users when I enable the security. If I disable security I can get in. This is happening on Windows XP and 7. I've tried Iomega support and it all has to be done via email which is annoying. If I enable security I get the following Windows error: \iomegakate is not accessible. You might not have permission to use this network resource. Access is denied. All the machines are logged on as administrator. I did fix this problem although only for a few hours after speaking to Iomega. They advised to use the Net Use command and delete all connections. I've forgotten what it was now as they remote accessed in.


Restrict Internet Access To Particular Users?

May 28, 2011

Got myself the Netgear internal PCI wifi adapter today & it works just fine on my Windows XP SP3 desktop.

The only problem I have is the question of restricting access to kids @ home. If it was an external USB adapter, I could have just taken it away but the concern is the device being an internal & always available one. The user configuration on the PC is such that there is 1 main administrator (The actual windows "administrator" account) that no one uses. Apart from that,

- 1 user with admin privileges (me)

- 1 limited account for the kid

- 1 admin privilege account for the kid again (for purposes like installation of games which require an admin account as mandatory)

I would like for the wifi PCI card to work only when I login to my account. There must be some way by which I could disable the device or make the internet inaccessible in the other accounts (but pls bear in mind that 1 of the accounts that the kid uses also has admin privilege).

I tried disabling the device from control panel but in vain (tried something like the sys admins do in corporates: disabling the USB ports on the PCs in my office).


How To Allow Certain Users / IP Addresses Access To Website

Dec 21, 2012

I want to create a website but only allow a certain user or group of users access to that website. Assuming that user or users will be from the same location, and likely the same static IP, can I throw a firewall between my internet connection and web server and only allow that specific IP address access to my web server by a rule? If there is a better way to handle that,


Can Users Of Second Router Access Information Of First One

Apr 1, 2012

I currently set up two LAN networks. But one of them (Router 2) will be open (no password). Will this create a security compromise? Can the Router 2 Users access information of users of Router 1?

Modem WAN > Router 1 WAN
Router 1 LAN > Router 2 WAN

Router 1 and 2 are broadcasting different networks and SSIDs. Is there any setting that I need to change, or is this configuration perfectly safe? Both of them have DHCP enabled.


Restricting Internet Access To Particular Users On XP?

May 28, 2011

Got myself the Netgear internal PCI wifi adapter today & it works just fine on my Windows XP SP3 desktop.

The only problem I have is the question of restricting complete internet access to kids @ home. If it was an external USB adapter, I could have just taken it away but the concern is the device being an internal & always available one.

The user configuration on the PC is such that there is 1 main administrator (The actual windows "administrator" account) that no one uses. Apart from that,

- 1 user with admin privileges (me)

- 1 limited account for the kid

- 1 admin privilege account for the kid again (for purposes like installation of games which require an admin account as mandatory)

I would like for the wifi PCI card to work only when I login to my user account. There must be some way by which I could disable the device or make the internet inaccessible in the other accounts (but pls bear in mind that 1 of the accounts that the kid uses also has admin privilege).

I tried disabling the device from control panel but in vain (tried something like the sys admins do in corporates: disabling the USB ports on the PCs in my office).


Cisco VPN :: ASA5505 Users Connect But Can't Access LAN Servers

Feb 16, 2012

I have a ASA5505 and setup SSL VPN. My users can connect to the VPN but can't get access to any of the internal servers.


Cisco VPN :: ASA 5510 / How To Provide Only RDP Access To A VPN Users To Internal PC

Sep 27, 2011

We have an ASA 5510 firewall and I have created a remote VPN user who connects to the internal network via VPN AnyConnect. After connecting, I want him to only access his internal PC via RDP and not access other internal websites or shared folders without connecting to the RDP; however, now he can access the internal website without connecting to RDP?


Cisco VPN :: 5510 Restrict Remote VPN Access For MAC OS X Users

Feb 12, 2013

I need a way to block MAC OS X users connecting remotely to our corporate users over VPN. I know there is an option to block connections based on VPN client version, but can't find a way to block users based on operating system.
 
We use Cisco ASA 5510 firewalls, one with v8.2(1) and the other with v7.2(3). I need to do this on both firewalls. They are both at different sites.


Cisco VPN :: VPN Users Unable To Access Internal Network - ASA 8.3.1

Nov 19, 2012

I have a base config of AnyConnect VPN below, however the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN Pool from accessing the internal LAN?
 
The Core LAN router is 1.2.3.1.
 
!
ASA Version 8.3(1)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 1.2.3.2 255.255.255.0


Cisco WAN :: 2801 Router Can Access Internet But Not LAN Users

Feb 9, 2012

The goal is to add a 2801 router between a DSL modem and a switch and obviously still access the internet. I connected and configured as explained below and the results are:
 
- I am able to ping internet addresses from the 2801 router
- I am not able to ping internet addresses from userlaptop but I am able to ping LAN gateway (192.168.254.254)
  
I cannot understand why the internet requests from the user laptop are not routed to the internet but the router itself can access the internet.
 
INTERNET====DSLmodem=====CISCO2801=====unmanagedSwitch=====userlaptop 
 
DSLmodem:
non-bridged mode and does the PPPOe authentication.
WAN interface: Dynamic IP address assigned by ISP

[Code].....


Cisco Firewall :: Since Upgrading To 8.4(4)1 From 8.3 VPN Users Cannot Access Resources

Nov 7, 2012

Since we upgraded our ASA from 8.3 to 8.4(4), VPN users cannot access resources. This worked fine until the appliances were upgraded. We get the message:
 
[code]....








Copyrights 2005-15 www.BigResource.com, All rights reserved