AAA VPN Concentrator 3005
Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning and after configuring it, I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session; nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working in the ACS logs but I am getting invalid login on the VPN Concentrator. Is there anything I can do at this point?
I was using the wrong type of cable to console into the Concentrator. I did a password reset from the console and that allowed me back in.
Cheers
Brian
Similar Messages
-
VPN Concentrator 3005 will not allocate IP Addresses
Greetings,
I have a very strange issue. I have configured a 3005 concentrator with an address pool that is in the same subnet as the private interface. When I try and connect a client...I get an error stating that NO AVAIL ADDR with a further explanation that an IP address could not be obtained for the remote peer because it exhausted all available addresses.
Further study of the log files shows that the concentrator believes there is a network conflict...however I can assure everyone there isn't.
Can anyone tell me why the concentrator would falsely think that an IP address had already been assigned when it isn't?
It works fine if I use a different pool...however this is on a DMZ and we really don't want to use another subnet for a few VPN clients.
The exact error it gives is:
IP Address Conflict on the network: 192.168.123.101
Marking address as unusable
There is no 123.101 anywhere on the subnet.
The worst part is...I have another concentrator setup the exact same way at a different location and this config works just fine.
Any ideas?
Thank you very much!
Thank you for your reply...but we are running 4.7.2.O
Any other ideas why this would happen? -
One of my students changed the login info on our lab VPN concentrator 3005.
How do I reset the login name and password?
The version is 4.1.7.
Thanks
Please see this document.
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_password_recovery09186a008009434f.shtml
Regards -
We have two 3005 concentrators that need to be replaced.
Is there anything equivalent that will allow for creation of groups, Cisco VPN client, web VPN and is reasonably priced?
What do people generally do for a plug-in replacement to the 3005 VPN concentrator? What is generally done about the cost?
At the moment, the PIX firewalls are not EOL.
If I replace the firewalls just because the 3005 is EOL, it will be a large expense, correct?
Also, at the moment, the firewall is passing through the traffic to the concentrator in a DMZ.
What is the alternative in the ASA appliance?
And, does the ASA allow for the creation of groups for access like the concentrator does? -
Setup Sunray 3G with Cisco 3005 VPN concentrator
Hi,
I will first explain the setup situation:
Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
Do I need to set up a Sunray segment for not-directly connected networks or do I need to set up one for directly connected networks?
Can the Sunray server give IP addresses to the Gobi8 through a VPN tunnel or do I need to let the Cisco handle the IP address management?
Is there some info about what IKE proposal I need to select in the Cisco 3005?
Any help would be appreciated
Thx
I have not used the Gobi 8 but this is how I configure my SR 2, SR 2FS, and SR 270 for VPN; I believe the Gobi can do similar things. You will need to set up your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE, though you will have to set up groups etc. Since my DTUs move around I use DHCP so the initial IP address comes from the local network; as part of connecting to the remote network the concentrator will issue an IP address for the SR server network. This has worked for me on wired and WiFi LANs. I do not know if it will work with 3G wireless but I do not see why it should not. Hope this helps and good luck.
-
Cisco 3005 vpn concentrator console cable
Hi
I have just purchased a Cisco 3005 VPN concentrator and I need to know where I can get a console cable for it. The cable is different from the ones I have for my PIX and routers, as the connection at the concentrator end is a DB9 and not RJ45.
I've tried looking on eBay but with no luck.
PS
I live in England
Regards
Melvyn Brown
Melvyn,
Use a straight-through cable to console into the VPN3000.
I hope it helps.
Regards,
Arul -
Concentrator 3005: Assigning IPs based on username...
Can someone point me to a paper that will describe how (if possible) a client logging into a Cisco VPN Concentrator can be given a specific static IP, based on information in a RADIUS profile? (RADIUS is running on an RSA SecurID server, so people authenticating via RADIUS are 2X-factor authenticated.)
Requirement: I need a specific IP address to go to a specific user each time they log in. This way, I can authorize them to certain resources by passing them thru a Firewall on the Private side of the concentrator. For now, I have 70 users, but may balloon to 2,000.
I can't rely on the "group password" feature, because if users share group passwords, then they can assign themselves an IP from a pool where they don't belong.
Summary: I need two-factor authentication of an IP address - You must provide 2X-factor authentication to get a certain IP address...
Hi Charles,
Thanks for that, an interesting read; however I don't believe it is applicable to my situation since I don't use a Cisco RADIUS solution for AAA.
What I have is 3005s at the perimeter acting as the VPN end-point. These end-points authenticate connections locally and do XAUTH via an RSA RADIUS server. There are a couple of ASAs between the 3005s and the RADIUS servers; however they don't do any AAA as such.
The document you've provided me with seems to indicate authorisation needs to be done on a Cisco device that can store the ACLs, and provides an example for using ASAs. I would prefer to do it on the 3005s, if possible, and leave the ASAs untouched (assume the rules on the ASA allow all traffic through, and access will be more tightly defined at the 3005).
If you have any suggestions/further documentation to support my desired setup I'm all ears.
Thanks in advance
Cheers
Scott -
Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access
Hello folks,
I need your help.
We have a Cisco PIX 501 in one location and this PIX is configured for PPPoE dial-out. The PIX connects itself to the internet via the PPPoE client. Ping to an official IP is working well.
So what I want to do is establish a VPN tunnel between this PIX and a Cisco 3005 concentrator.
But I was not successful in establishing it.
Here is the PIX config. The ACLs are only for testing and will be replaced if it works.
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname PIX-AU
domain-name araukraine.ua
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
mtu outside 1456
mtu inside 1456
ip address outside pppoe setroute
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.x.x 255.255.255.224 inside
pdm logging warnings 500
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.x.x 255.255.x.x inside
telnet timeout 5
ssh 194.39.97.0 255.255.255.0 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *********
encrypted privilege 15
vpnclient server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpnclient vpngroup vpntest password ********
vpnclient username pixtest password ********
terminal width 80
On the concentrator I created a user pixtest, a group vpntest and I've created rules for the network, e.g. which server the users behind the PIX will be able to access.
And that's all.
I could not send you the output of either the PIX or the concentrator because I did not get an error or a message that the tunnel would be established.
What can be wrong?
Thanks for the replies
This sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml -
Hi,
Trying to set up VPNc 3005 for WebVPN.
The VPNc is configured with an NTP server so the clock is fine. I installed the SSL VPN client and Secure Desktop software onto the VPNc, and created a local account and group. When I go to https://vpnc/admin.html, I can manage the VPNc from the external interface, so the certificate is good.
When I go to http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both the SSL VPN client and Secure Desktop onto my WinXP (I have admin privilege on the XP machine), then it tells me that the VPN concentrator has a server certificate error. I've attached the screen shot. Anyone know what it is? Thanks.
If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684 -
PIX, ASA or VPN concentrator & dynamic VPN
Hi all,
I need help deciding what to use and how to proceed.
What we need is to create remote VPN for many users so that every user is a member of more than one group and every group is linked to a predefined set of rules, for instance you can access these IPs, ports and so on.
How to do that dynamically? Is it possible to do that with one certificate?
Other question is what to use? ..PIX, ASA, VPN concentrator ?
BR
jl
The PIX and VPNC are both end-of-sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preferred platform for Remote Access VPNs.
You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
"every user is member of more than one group "
Some links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
Pls. rate if helpful.
Regards
Farrukh -
VPN Concentrator authentication with multiple domains
I have a hub-and-spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access, but site A and site B have their own domains that are independent of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A's domain using site A's domain controller and authenticate users that belong to site B's domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
Thanks in advance for any help.
To authenticate users that belong to site A domain using site A's domain controller you should authenticate users that belong to site A domain using site A's domain controller
-
IP Address Assignment on VPN Concentrator through AD
Is it possible to assign an IP address on a per-user basis using Active Directory as your authentication method for a group within the 3000 series VPN Concentrator?
I know this can be done with ACS/RADIUS, but I do not see any documentation on how this can be accomplished using Active Directory as your external authentication server.
Sorry for the thread title, it should be: "reserver" not reverse.
I have been advised to read the "admin guide"
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml
under the heading below
Assign a Specific IP Address to a User
In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > identity.
My question: I am using a production box (to avoid screwing up the whole system), so does it have any effect if I want to create a specific group and assign a specific IP address to a user?
On my PIX (the VPN is running parallel to the PIX, i.e. it is not behind nor in front of the PIX) I have these lines of configuration which are related to the VPN concentrator:
nat (inside) 1 10.2.2.0 255.255.255.0 0 0   (IP range for the VPN pool as seen in the figure)
nat (inside) 1 172.168.1.0 255.255.255.0 0 0   (not related to VPN)
nat (inside) 1 192.168.0.0 255.255.0.0 0 0   (not related to VPN)
global (outside) 1 10.1.1.150-10.1.1.155
global (outside) 1 10.1.1.156
route inside 10.2.2.0 255.255.255.0 192.168.55.254 1   (192.168.55.254 is the VPN Ethernet 1 IP address)
http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg
What I am thinking of doing is below (please comment):
1- I want to modify the current group (see my VPN figure) to be from range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
2- Create another group called: " mobile_users "
3- Create a user called: " commuter "
4- Assign the user " commuter " to the group " mobile_user "
5- Assign IP address 10..2.2.2 to the user " commuter "
6- In the Cisco page that I have posted, it says: tick the option for " User address from Authentication Server ". I do not think this will apply to me?
Again, since I am using a production box, I have to be sure that the modifications above do not screw up the whole system -
Hi All,
Our problem is, we have CiscoWorks LMS 3.0.1 and it cannot archive the configuration for the Cisco 3000 series VPN concentrator.
Any help would be greatly appreciated.
Thanks in advance.
Samir
Make sure you have filled out all of the HTTP/HTTPS credential data in DCR for these devices. RME will only use HTTPS to fetch VPN concentrator configurations.
-
ACS with VPN Concentrator : IP address attribution
Hello,
I need to know if it is possible for ACS to assign an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator, and if yes: how can I do it, what is the procedure? With the attribute Framed-IP-Address? Does it work?
Thanks!
Patrice
Yes, it can be done and works very well. Under the RADIUS attributes use:
[014] Login-IP-Host
NAS Specifies
User Specifies
Other
Check Other and then add the IP address that you want assigned -
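The threads above (this one, and the earlier ones on giving a user a fixed address from a RADIUS profile) rely on the AAA server returning the address inside the RADIUS Access-Accept. The following is an added example, not code from the forum or from Cisco: it builds such an Access-Accept carrying Framed-IP-Address (8) and Login-IP-Host (14) per RFC 2865, and shows the check the receiving side should perform before trusting the address, namely validating the Response Authenticator against the shared secret and the original Request Authenticator. The secret, request authenticator and the address 10.2.2.2 are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865 packet codes and the two address-carrying attributes named in the threads
ACCESS_ACCEPT = 2
ATTR_NAMES = {8: "Framed-IP-Address", 14: "Login-IP-Host"}

# Constructed sample values (not from the thread): a 16-byte Request Authenticator
# as sent in the Access-Request, and the NAS/server shared secret.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"


def encode_attr(attr_type, value):
    """Encode one Type-Length-Value attribute; IPv4 attributes carry 4 raw bytes."""
    data = ipaddress.IPv4Address(value).packed if attr_type in ATTR_NAMES else bytes(value)
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, attributes):
    """What the AAA server sends back; `attributes` is a list of (type, value)."""
    attrs = b"".join(encode_attr(t, v) for t, v in attributes)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_access_accept(packet, request_auth, secret):
    """Verify the reply is genuine (right secret, matches our request) and return
    the address attributes it carries as {attribute name: dotted quad}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    found, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        if atype in ATTR_NAMES:
            found[ATTR_NAMES[atype]] = str(ipaddress.IPv4Address(attrs[pos + 2:pos + alen]))
        pos += alen
    return found
```

A reply built with the right secret decodes to the assigned address; one built with a different secret, or altered in transit, fails the authenticator check and the address must not be used.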
I have a VPN 3015, and I want my VPN users to be authenticated and authorized to the VPN 3015 through my Active Directory (LDAP).
For the Authentication server, I use Kerberos/Active Directory Server and it works when I test it.
But for the Authorization Server, I use an LDAP server (the same server as the authentication server), with all the parameters like Login DN, Base DN, naming attributes, but when I test it, it doesn't work. Why?
Thanks
The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html