AAA VPN Concentrator 3005

Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning and after configuring it, I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session, nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working on the ACS Logs but I am getting invalid login on the VPN Concentrator. Is there anything I can do at this point?

Was using the wrong type cable to console into the Concentrator. Done a password reset from the console and that allowed me back in.
Cheers
Brian

Similar Messages

  • VPN Concentrator 3005 will not allocate IP Addresses

    Greetings,
    I have a very strange issue. I have configured a 3005 concentrator with an address pool that is in the same subnet as the private interface. When I try and connect a client...I get an error stating that NO AVAIL ADDR with a further explanation that an IP address could not be obtained for the remote peer because it exhausted all available addresses.
    Further study of the log files shows that the concentrator believes there is a network conflict...however I can assure everyone there isn't.
    Can anyone tell me why the concentrator would falsely think that an IP address had already been assigned when it isn't?
    It works fine if I use a different pool...however this is on a DMZ and we really don't want to use another subnet for a few VPN clients.
    The exact error it gives is:
    IP Address Conflict on the network: 192.168.123.101
    Marking address as unusable
    There is no 123.101 anywhere on the subnet.
    The worst part is...I have another concentrator setup the exact same way at a different location and this config works just fine.
    Any ideas?
    Thank you very much!

    thank you for your reply...but we are running 4.7.2.O
    any other ideas why this would happen?

  • VPN concentrator 3005

    One of my students changed the login info on our lab VPN concentrator 3005.
    how to reset the login name and password ?
    the version is 4.1.7.
    thanks

    Please see this document.
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_password_recovery09186a008009434f.shtml
    Regards

  • Replace 3005 VPN Concentrator

    We have two 3005 concentrators that need to be replaced.
    Is there anything equivalent that will allow for creation of groups, Cisco VPN client, web VPN and is reasonably priced?
    What do people generally do for a plug in replacement to the 3005 VPN concentrator?

    What is generally done about the cost?
    At the moment, the PIX firewalls are not EOL.
    If I replace the firewalls just because the 3005 is EOL, that will be a large expense, correct?
    Also, at the moment, the firewall is passing through the traffic to the concentrator in a DMZ.
    What is the alternative in the ASA appliance?
    And, does the ASA allow for the creation of groups for access like the concentrator does?

  • Setup Sunray 3G with Cisco 3005 VPN concentrator

    hi,
    I will first explain the setup situation:
    Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
    Do I need to set up a Sunray segment for not-directly connected networks or do I need to set up one for directly connected networks?
    Can the Sunray server give IP addresses to the Gobi8 through a VPN tunnel or do I need to let the Cisco handle the IP address management?
    Is there some info about what IKE proposal I need to select in the Cisco 3005?
    Any help would be appreciated
    Thx

    I have not used the Gobi 8 but this is how I configure my SR 2, SR 2FS, and SR 270 for VPN; I believe the Gobi can do similar things. You will need to set up your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE, though you will have to set up groups etc. Since my DTUs move around I use DHCP, so the initial IP address comes from the local network; as part of connecting to the remote network the concentrator will issue an IP address for the SR server network. This has worked for me on wired and WiFi LANs. I do not know if it will work with 3G wireless but I do not see why it should not. Hope this helps and good luck.

  • Cisco 3005 vpn concentrator console cable

    Hi,
    I have just purchased a Cisco 3005 VPN concentrator and I need to know where I can get a console cable for it. The cable is different from the ones I have for my PIX and routers, as the connection at the concentrator end is a DB9 and not RJ45.
    I've tried looking on eBay but with no luck.
    ps
    i live in england
    regards
    melvyn brown

    Melvyn,
    Use a Straight Through Cable to console into the VPN3000.
    I hope it helps.
    Regards,
    Arul

  • Concentrator 3005: Assigning IPs based on username...

    Can someone point me to a paper that will describe how (if possible) a client logging into a Cisco VPN Concentrator can be given a specific static IP, based on information in a RADIUS profile? (RADIUS is running on an RSA SecurID server, so people authenticating via RADIUS are 2X-factor authenticated.)
    Requirement: I need a specific IP address to go to a specific user each time they log in. This way, I can authorize them to certain resources by passing them thru a Firewall on the Private side of the concentrator. For now, I have 70 users, but may balloon to 2,000.
    I can't rely on the "group password" feature, because if users share group passwords, then they can assign themselves an IP from a pool where they don't belong.
    Summary: I need two-factor authentication of an IP address - You must provide 2X-factor authentication to get a certain IP address...

    Hi Charles,
    Thanks for that, an interesting read; however, I don't believe it is applicable to my situation since I don't use a Cisco RADIUS solution for AAA.
    What I have is 3005s at the perimeter acting as the VPN end-point. These end-points authenticate connections locally and do XAUTH via an RSA RADIUS server. There are a couple of ASAs between the 3005s and the RADIUS servers; however, they don't do any AAA as such.
    The document you've provided me with seems to indicate authorisation needs to be done on a Cisco device that can store the ACLs, and provides examples for using ASAs. I would prefer to do it on the 3005s, if possible, and leave the ASAs untouched (assume the rules on the ASA allow all traffic through, and access will be more tightly defined at the 3005).
    If you have any suggestions/further documentation to support my desired setup I'm all ears.
    Thanks in advance
    Cheers
    Scott

  • Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access

    Hello folks,
    I need your help.
    We have a Cisco PIX 501 in one location and this PIX is configured for PPPoE dial out. The PIX connects itself to the internet via the PPPoE client. Ping to an official IP is running well.
    So what I want to do is to establish a VPN tunnel between this PIX and a Cisco 3005 concentrator.
    But I was not successful in establishing it.
    Here is the PIX config. The ACLs are only for testing and will be replaced if it works.
    PIX Version 6.3(4)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx
    passwd xxx
    hostname PIX-AU
    domain-name araukraine.ua
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside permit ip any any
    access-list inside_access_in permit ip any any
    pager lines 24
    logging on
    logging monitor warnings
    logging buffered warnings
    mtu outside 1456
    mtu inside 1456
    ip address outside pppoe setroute
    ip address inside 192.168.x.x 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.x.x 255.255.255.224 inside
    pdm logging warnings 500
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.x.x 255.255.x.x inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.x.x 255.255.x.x inside
    telnet timeout 5
    ssh 194.39.97.0 255.255.255.0 outside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname [email protected]
    vpdn group pppoe_group ppp authentication pap
    vpdn username [email protected] password *********
    encrypted privilege 15
    vpnclient server 212.xx.xx.xx
    vpnclient mode network-extension-mode
    vpnclient vpngroup vpntest password ********
    vpnclient username pixtest password ********
    terminal width 80
    On the concentrator I created a user pixtest, a group vpntest and I've created rules for the network, e.g. to which server the users behind the PIX will be able to access.
    And that's all.
    I could not send you the output either of the pix or concentrator because I did not get an error or a message that the tunnel will be established.
    What can be wrong ?
    Thanks for the replies

    This sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml

  • VPN concentrator and webVPN

    Hi,
    Trying to set up VPNc 3005 for WebVPN. The VPNc is configured with an NTP server so the clock is fine. I installed the SSL VPN client and SecureDesktop software onto the VPNc. Created a local account and group. When I perform https://vpnc/admin.html, I can manage the VPNc from the external interface so the certificate is good.
    When I do http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both the SSL VPN client and Secure Desktop onto my winXP (I have admin privilege on the XP machine), then it tells me that the VPN concentrator has a server certificate error. I've attached the screen shot. Anyone know what it is? Thanks.

    If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684

  • PIX, ASA or VPN concentrator & dynamic VPN

    Hi all,
    I need help what to use and how to do next.
    What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
    How to do that dynamically? Is it possible to do that with one certificate?
    Other question is what to use? ..PIX, ASA, VPN concentrator ?
    BR
    jl

    The PIX and VPNC are both end of sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preferred platform for Remote Access VPNs.
    You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
    "every user is member of more than one group "
    Some links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
    With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
    Pls. rate if helpful.
    Regards
    Farrukh

  • VPN Concentrator authentication with multiple domains

    I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access but site A and site B have their own domains that are independent of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A domain using site A's domain controller and authenticate users that belong to site B domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
    Thanks in advance for any help.

    To authenticate users that belong to site A domain using site A's domain controller you should authenticate users that belong to site A domain using site A's domain controller.

  • IP Address Assignment on VPN Concentrator through AD

    Is it possible to assign an IP address on a per-user basis using Active Directory as your authentication method for a group within the 3000 series VPN Concentrator?
    I know this can be done with ACS/RADIUS, but I do not see any documentation on how this can be accomplished using Active Directory as your external authentication server.

    Sorry for the thread title it should be : "reserver" not reverse.
    I have been advised to read the "admin guide"
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml
    under the heading below
    Assign a Specific IP Address to a User
    In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > identity.
    My question: I am using a production box (and want to avoid screwing up the whole system). Does it affect anything if I want to create a specific group and assign a specific IP address to a user?
    On my PIX (the VPN is running parallel to the PIX, i.e. it is neither behind nor in front of the PIX) I have got these lines of configuration which are related to the VPN concentrator:
    nat (inside) 1 10.2.2.0 255.255.255.0 0 0,,,,,,,,ip for VPN pool as seen in figure
    nat (inside) 1 172.168.1.0 255.255.255.0 0 0,,,,,,,,,not related to VPN
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0,,,,,,,,,not related to VPN
    global (outside) 1 10.1.1.150-10.1.1.155
    global (outside) 1 10.1.1.156
    route inside 10.2.2.0 255.255.255.0 192.168.55.254 1,,,,,,,,,,,,,192.168.55.254, is the VPN Ethernet 1 ip address.
    http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg
    What I am thinking to do, are below (please any comment) :
    1- I want to modify the current group (see my VPN figure ) to be from range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
    2- Create another group called : " mobile_users "
    3- Create a user called : " commuter "
    4- Assign the user " commuter " to the group " mobile_user "
    5- Assign IP address 10.2.2.2 to the user " commuter "
    6- On the Cisco site that I have posted, it says: tick the option for " User address from Authentication Server ". I do not think this will apply to me?
    Again, since I am using a production box, I have to be sure that the modification above does not screw up the whole system.

  • Cisco Works LMS 3.0.1 cannot archive configuration for Cisco 3000 series VPN concentrator

    Hi All,
    Our problem is, we have Cisco Works LMS 3.0.1. It cannot archive the configuration for a Cisco 3000 series VPN concentrator.
    Any help would be greatly appreciated.
    Thanks in advance.
    Samir

    Make sure you have filled out all of the HTTP/HTTPS credential data in DCR for these devices.  RME will only use HTTPS to fetch VPN concentrator configurations.

  • ACS with VPN Concentrator : IP address attribution

    Hello,
    I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator,and if yes : how can I do, what is the procedure ? With the attribute Framed IP Address ? Does it work ?
    Thanks !
    Patrice

    Yes, it can be done and works very well. Under the RADIUS attributes, use the:
    [014] Login-IP-Host
    NAS Specifies
    User Specifies
    Other
    Check Other and then add the IP address that you want to assign.

  • LDAP ON VPN CONCENTRATOR

    I have a VPN 3015. I want my VPN users to be authenticated and authorized to the VPN 3015 through my Active Directory (LDAP).
    For the Authentication server, I use Kerberos/Active Directory Server and it works when I test it.
    But for the Authorization Server, I use an LDAP server (the same server as the authentication server), with all the parameters like Login DN, Base DN, naming attributes, but when I test it, it doesn't work. Why?
    Thanks

    The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html
