ACS to VPN 3005 communication

I configured the group in the VPN to use ACS for user authentication. When I try to connect to the VPN the group passes authentication, but when I am asked for the user username/password it does not work. Can someone help?

It seems that group auth passes but not the user auth.
Do you see any hits on ACS failed attempts? Do you have password expiry enabled? Is it happening with all users?

Similar Messages

  • VPN 3005 and Microsoft AD authentication

    I would like to use Microsoft Active Directory (AD) to authenticate remote access users connecting to the VPN3005 concentrator. Everything is working fine but I want the VPN3k to use microsoft-ds (tcp port 445) instead of netbios (tcp port 139) when it communicates with the AD server. In the vpn 3005 I specified port 445 as the communication port between vpn3k and the AD server, but in my tcpdump I see this:
    [Expert@cp]# tcpdump -i eth1 -n host 192.168.1.4
    tcpdump: listening on eth1
    14:41:54.664335 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: S 1464837366:1464837366(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 732419 0>
    14:41:54.666758 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 2621223901 win 8192 <nop,nop,timestamp 732419 0>
    14:41:54.669135 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 0:72(72) ack 1 win 8192 <nop,nop,timestamp 732419 0>NBT Packet
    14:41:54.671835 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 72:240(168) ack 5 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
    14:41:54.700474 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 240:371(131) ack 110 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
    14:41:54.704467 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 371:414(43) ack 223 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
    14:41:54.706526 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: F 414:414(0) ack 262 win 8192 <nop,nop,timestamp 732419 579729>
    14:41:54.715653 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 263 win 8192 <nop,nop,timestamp 732419 579729>
    Obviously, it is using port 139 instead of port 445. How can I fix this on the vpn3k? Thanks.
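    As an added example (not part of the original thread), the check below parses tcpdump summary lines like the ones quoted above and reports which destination service each flow actually used, so a mismatch between the configured port (445, microsoft-ds) and the observed one (139, netbios-ssn) is visible without reading every line. The sample lines are constructed to mirror the post; the service-name table and the function names are this example's own assumptions.

```python
import re
from collections import Counter

# Added example, not from the original thread. Parses tcpdump one-line
# summaries and tallies packets per (dst_ip, dst_port) so a configured
# vs. observed port mismatch can be checked mechanically.

# tcpdump with -n still prints well-known port *names* (from /etc/services);
# this small table maps the ones relevant here back to numbers. Assumption:
# extend it for other services you expect to see.
SERVICE_PORTS = {"netbios-ssn": 139, "microsoft-ds": 445, "ldap": 389, "ldaps": 636}

# Matches e.g.: 14:41:54.664335 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: S ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+):\s+(?P<flags>\S+)"
)


def port_number(token):
    """Map a tcpdump port token (numeric or /etc/services name) to an int, or None."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)


def parse_line(line):
    """Return a dict for one packet summary line, or None for non-packet output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = port_number(pkt["sport"])
    pkt["dport"] = port_number(pkt["dport"])
    return pkt


def flows_by_dst_port(lines):
    """Count packets per (dst_ip, dst_port); lines that are not packets are skipped."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            counts[(pkt["dst"], pkt["dport"])] += 1
    return counts


def check_expected_port(lines, server_ip, expected_port):
    """Return (ok, observed_ports): ok is True only if every packet to server_ip used expected_port."""
    counts = flows_by_dst_port(lines)
    observed = sorted({port for (ip, port) in counts if ip == server_ip})
    return (observed == [expected_port], observed)


# Constructed sample capture, modelled on the lines quoted in the post.
SAMPLE = """\
tcpdump: listening on eth1
14:41:54.664335 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: S 1464837366:1464837366(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 732419 0>
14:41:54.666758 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 2621223901 win 8192 <nop,nop,timestamp 732419 0>
14:41:54.669135 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 0:72(72) ack 1 win 8192 <nop,nop,timestamp 732419 0>NBT Packet
14:41:54.706526 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: F 414:414(0) ack 262 win 8192 <nop,nop,timestamp 732419 579729>
""".splitlines()

if __name__ == "__main__":
    ok, ports = check_expected_port(SAMPLE, "10.250.97.29", 445)
    print("expected port in use" if ok else f"mismatch: observed ports {ports}")
```

    Running the capture with `tcpdump -nn` instead of `-n` prints numeric ports, which removes the need for the service-name table; the check then works on numbers directly.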

    Hi Kevin, I've looked at this message to see any replies for a while and I don't know if you have already resolved this issue. I use a vpn3005 as well but with a different method of authentication, which is RADIUS from our Windows AD. I tend to believe this may be more of a PPTP client netbios setup and not the VPN; where? I don't know, but clearly in the tcpdump the client is initiating a netbios session and even though the vpn is set up for port 445 it still forwards the netbios port... well, just a thought.
    Rgds
    Jorge

  • Errors while applying Thawte SSL cert to VPN 3005?

    I have recently requested a 128-bit SSL cert from Thawte for my VPN 3005, yet I continue to get "Parse Error" notifications when I try to install the cert. Has anyone been able to successfully apply a Thawte SSL cert to their VPN 3005? The unit is running the very latest version of the Cisco 3000 VPN software.

    Hi,
    If the patch was applied successfully and listed in ad_bugs then you can ignore these warnings and proceed to apply the patch you listed above.
    Getting warning messages when starting adadmin - generate JAR Files [ID 312594.1]
    Regards

  • Group matching from Ace SecureID-server to VPN 3005?

    Hi
    Is it possible to do group-matching between a Ace Server SecureID and VPN 3005 concentrator?
    That is, I want different users to match different group settings in the VPN 3005, based on which group they are in in the Ace Server.
    If Yes: how? :-)
    Regards
    Jimmy

    Hello!
    Well yes it would work. BUT...you have to change your config a bit. First you need to apply your accesslist to both interfaces, or the ACE will reject it, because it is acting as a firewall by default. And second you have to apply the policymap to both interfaces as well or you put the policymap globally on the ACE.

  • Vpn 3005 version to upgrade?

    I'm running this version on vpn 3005:
    vpn3005-4.0.4.A-k9.bin
    What is the upgrade that I need to perform:
    vpn3005-4.1.7.O-k9.bin OR
    vpn3005-4.7.2.I-k9.bin
    Please advise,
    yanic

    Go for vpn3005-4.7.2.I-k9.bin
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_release_note09186a00804ceedf.html#wp599031
    HTH
    AK

  • VPN 3005 sessions

    hi
    I have a 3005 with 64MB RAM running ver 3.6.7B. The maximum sessions it is displaying is 100.
    - Can I increase the number of max sessions in any way?
    - What will happen if the 101st user connects to the VPN 3005? However, I can see the total cumulative sessions is 118. Does this mean this supports more than 100 sessions also?
    Can someone help me here?
    Thanks,
    Shiva

    This model can support up to 200 simultaneous IPsec sessions.
    See data sheet models
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/product_data_sheet09186a00801d3b56.html

  • Issue with Verizon Aircards passing traffic past VPN 3005

    We have a Cisco VPN 3005 as our endpoint. Clients connect using the Cisco 4.7 client. Currently here is the basic config on the device:
    Pub Interface 65.xxx.xxx.xxx
    Private Interface 172.22.0.3/16
    VPN Addy Pool 172.31.1.0/28
    Static routing is used to route traffic as necessary.
    Clients can connect via wireless broadband or broadband and ping past the VPN Private interface and open up Outlook using an online Exchange profile. But clients connecting over an EVDO or 3G cellular modem cannot open Outlook. They can ping by IP but not DNS.
    I have tried using different transports, i.e. IPSEC/UDP, IPSEC/TCP, and straight IPSEC. No joy. All the clients have "allow local LAN access" checked and the VPN Group is set to tunnel traffic in that network only. Any clues??

    Issue has been resolved. Clearing DNS with ipconfig /flushdns and ipconfig /registerdns while on aircards on VPN resolved it.

  • VPN 3005 - Reroute Internet traffic out local connection

    We have a VPN 3005 concentrator that connects to our backbone switch. We have about 6 sites who have the following subnet:
    site A: 172.16.x.x
    site B: 172.17.x.x (etc)
    When a user is at home, hotel, or directly connected to the Internet and they connect with the VPN client to our network we want all Internet traffic (cnn, google, etc) to route through their local connection and not through our network through our internal Internet connection. How can I setup the VPN Concentrator to allow all internal traffic and reroute all other traffic out their local Internet connection?

    Split tunneling needs to be configured on the concentrator.
    First, create a network list:
    go to Configuration > Policy Management > Traffic Management > Network Lists, then put the private LAN IP behind the concentrator on the list.
    Then go to Configuration > User Management > Groups > Client Config.
    You will see "split tunneling policy" and "split tunneling network list".
    For the option "split tunneling policy", choose "only tunnel networks on the list". For the option "split tunneling network list", choose the network list you just created.

  • VPN 3005 Peak Concurrent Sessions

    Hi
    I have an old VPN 3005 concentrator that needs replacement. At the web interface under Monitoring -> Sessions I can see that my Peak Concurrent Sessions is 19. The question is whether it's 19 sessions peak since the last reboot or over a specific time period?
    I've 200 VPN sessions available in the 3005; I'm planning to replace it with an ASA 5505 with max 25 VPN sessions.
    Best Regards, Steffen.

    The peak concurrent sessions count is from the last reboot or reset on.
    If you go for the ASA 5505, you need the Security Plus version; only that supports 25 users.

  • ACS with VPN Concentrator : IP address attribution

    Hello,
    I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator, and if yes: how can I do it, what is the procedure? With the attribute Framed-IP-Address? Does it work?
    Thanks !
    Patrice

    Yes, it can be done and works very well. Under the RADIUS attributes, use:
    [014] Login-IP-Host
    NAS Specifies
    User Specifies
    Other
    Check "Other" and then add the IP address that you want assigned.

  • VPN 3005 with 3002 Hardware Client

    I have a VPN3002 Hardware Client (172.16.1.x) that is accessing a VPN3005 Concentrator (192.168.x.x) in Network Extension Mode. On the VPN3005, I have a LAN-to-LAN connection to another VPN device. I can access addresses in all scenarios except for from devices behind the Hardware Client through the LAN-to-LAN tunnel. In other words, addresses behind the Hardware Client (172.16.1.x) cannot access addresses through the LAN-to-LAN.
    Devices on the network behind the Concentrator (192.168.x.x) CAN access addresses through the LAN-to-LAN and there is bi-directional communication between the network behind the 3005 and behind the 3002 client.
    Can anyone help? Thank you.

    The 3000 is only going to send traffic over the L2L tunnel that is sourced from the Local Network and going to the Remote Network. Traffic from behind the 3002 is NOT going to match this based on the fact you're NAT'ing all the local traffic to some other address.
    I presume you have done this NAT'ing on some device before the 3000, in which case there's no way to get the 3002 traffic to also be NAT'd since it is going to come in and go straight back out the Public interface of the 3000.
    You will have to add another line to your Local Network list that defines the traffic behind the 3002. Similarly, the remote end is going to have to add this same network to their Remote Network list. Unless you do that, or find some way to NAT the 3002 traffic to the same address, the 3005 is NOT going to send it over the tunnel because you haven't told it to.

  • Multiple logins to VPN 3005 required

    Hi Everyone,
    We have been using our Cisco 3005 VPN Concentrator now for a few years with no trouble. When connecting to it through the WebVPN you normally only have to log in once... now it requires two logins, both of which are identical.
    Is there a good document that explains the logins, or a method to trace which page you are accessing through the WebVPN product to know why it is requesting the secondary login?
    Thanks,
    Ken

    Is this happening for all users?
    What version are you running?
    Regards
    Farrukh

  • Are attributes needed for cisco vpn 3005

    Hey all,
    I am trying to set up RADIUS authentication for my Cisco 3005. I am using BM 3.8sp3 RADIUS. I have it set up (or at least I can use NTRadPing and authenticate to it).
    I go to the 3005 and add the RADIUS server as an authentication server. When I try to test it, I get the following message on the concentrator:
    Authentication Rejected: Access hours restrictions in effect
    Looking at the debug screen of the RADIUS server, all has succeeded. Is there a profile that I need to set up and any attributes to assign to get this to work?
    Thanks
    Matt

    I found the answer to my last question, you do need xauth for radius
    > I think I found it. To test authentication I think it uses the base
    > group.
    > I did have a time restriction on there.
    >
    > Now for another question: I am testing certificate based authentication
    > and it is working (Using a Novell CA). To get radius authentication to
    > work in conjunction with that. Do I need to use an SA that uses
    > Certificates and XAuth?
    >
    > Thanks
    > Matt
    >
    > > [email protected] schreef:
    > > > I don't have any time restrictions in place. But just in case I set some
    > > > up and applied those and I still get the same message.
    > > >
    > > > I applied the access time to both a group and the individual user.
    > > > My question I have is where would those be applied seeing that the user
    > > > is being authenticated via an external reference.
    > > >
    > > > Thanks
    > > > Matt
    > > >
    > >
    > > Matt,
    > >
    > > Try to test with a user not a group, make sure you don't have any time
    > > restrictions on the NDS user and also no Policy Management on your
    > > concentrator.
    > >
    > > > I applied the access time to both a group and the individual user.
    > > In the vpn concentrator?
    > >
    > > > My question I have is where would those be applied seeing that the
    > > > user is being authenticated via an external reference.
    > >
    > > Radius authentication uses the NDS (well you can configure this also
    > > otherwise as a radius proxy..).
    > > When you configure the NDS user with logon restrictions, I'm pretty sure
    > > that you won't be able to access your network through the concentrator.
    > >
    > > If you want to restrict the access to your vpn concentrator then you have
    > > to use the policy based management of your vpn concentrator.
    > >
    > > You can set access hours to the groups created on the vpn concentrator,
    > > and through radius you can send attributes that will be used to identify
    > > which group the user will be put in when the user is authenticating to the
    > > vpn concentrator.
    > >
    > > Hope this makes sense....
    > >
    > > gl,
    > >
    > > Louis Göhl
    >

  • VPN 3005 Logging

    I would like to keep a simple log of who VPNs into my 3005.
    Does anyone have a solution to do this?

    The syslog is pretty good. Here's an example:
    2007-01-30 14:45:19 Local7.Notice 172.16.255.254 63161228 01/30/2007 14:45:33.000 SEV=4 AUTH/22 RPT=41714 70.226.xx.xx User [DOMAIN\my_id] Group [vpn-group] connected, Session Type: IPSec
    You can filter on "connected" in Kiwi. Note that you will also get disconnect notices with that filter. If you really just want connections, filter on something longer like "[vpn-group] connected".
    HTH and please rate.
    Here's a disconnect for reference:
    2007-01-30 14:45:24 Local7.Notice 172.16.255.254 63161427 01/30/2007 14:45:38.460 SEV=4 AUTH/28 RPT=40305 70.226.xx.xx User [DOMAIN\my_id] Group [vpn-group] disconnected: Session Type: IPSec/NAT-T Duration: 0:00:05 Bytes xmt: 56 Bytes rcv: 0 Reason: User Requested
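    As an added example (not part of the original thread), the parser below turns the AUTH/22 (connected) and AUTH/28 (disconnected) syslog lines quoted above into structured records, so "who connected" can be filtered on the parsed action rather than on a substring that also matches "disconnected", and so disconnect durations and reasons can be summarised per user. The two lines from the post are reused as sample input together with a constructed pair for a second user and one constructed noise line; the function names and the noise line are this example's own assumptions, not anything from the VPN 3005 or Kiwi.

```python
import re
from collections import defaultdict

# Added example, not from the original thread. Parses VPN 3000 series
# AUTH connect/disconnect syslog lines into dicts and filters on the
# parsed action instead of a substring match.

# Core of the message: SEV=4 AUTH/22 RPT=41714 <peer> User [<user>] Group [<group>] connected ...
EVENT_RE = re.compile(
    r"SEV=(?P<sev>\d+)\s+(?P<event>AUTH/\d+)\s+RPT=\d+\s+(?P<peer>\S+)\s+"
    r"User \[(?P<user>[^\]]+)\] Group \[(?P<group>[^\]]+)\] "
    r"(?P<action>connected|disconnected)"
)
SESSION_RE = re.compile(r"Session Type: (?P<stype>\S+)")
DURATION_RE = re.compile(r"Duration: (?P<h>\d+):(?P<m>\d+):(?P<s>\d+)")
REASON_RE = re.compile(r"Reason: (?P<reason>.+)$")


def parse_event(line):
    """Return a dict for an AUTH connect/disconnect line, or None for anything else."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["timestamp"] = line[:19]  # receiver-side "YYYY-MM-DD HH:MM:SS" prefix
    st = SESSION_RE.search(line)
    rec["session_type"] = st.group("stype") if st else None
    d = DURATION_RE.search(line)  # only present on disconnect lines
    rec["duration_s"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]) if d else None
    r = REASON_RE.search(line)
    rec["reason"] = r.group("reason").strip() if r else None
    return rec


def substring_matches(lines, needle):
    """The naive filter from the post: every line containing the needle."""
    return [line for line in lines if needle in line]


def connections(lines, group=None):
    """Connect events only (optionally restricted to one group), using the parsed action."""
    out = []
    for line in lines:
        rec = parse_event(line)
        if rec and rec["action"] == "connected" and (group is None or rec["group"] == group):
            out.append(rec)
    return out


def session_summary(lines):
    """Per-user totals: number of connects and summed session seconds from disconnect lines."""
    summary = defaultdict(lambda: {"connects": 0, "seconds": 0})
    for line in lines:
        rec = parse_event(line)
        if not rec:
            continue
        if rec["action"] == "connected":
            summary[rec["user"]]["connects"] += 1
        elif rec["duration_s"] is not None:
            summary[rec["user"]]["seconds"] += rec["duration_s"]
    return dict(summary)


# Sample input: the two lines quoted in the post, then a constructed pair for a
# second user (203.0.113.7 is a documentation address) and a constructed noise line.
SAMPLE = [
    r"2007-01-30 14:45:19 Local7.Notice 172.16.255.254 63161228 01/30/2007 14:45:33.000 SEV=4 AUTH/22 RPT=41714 70.226.xx.xx User [DOMAIN\my_id] Group [vpn-group] connected, Session Type: IPSec",
    r"2007-01-30 14:45:24 Local7.Notice 172.16.255.254 63161427 01/30/2007 14:45:38.460 SEV=4 AUTH/28 RPT=40305 70.226.xx.xx User [DOMAIN\my_id] Group [vpn-group] disconnected: Session Type: IPSec/NAT-T Duration: 0:00:05 Bytes xmt: 56 Bytes rcv: 0 Reason: User Requested",
    r"2007-01-30 14:50:01 Local7.Notice 172.16.255.254 63161500 01/30/2007 14:50:15.000 SEV=4 AUTH/22 RPT=41720 203.0.113.7 User [alice] Group [vpn-group] connected, Session Type: IPSec/NAT-T",
    r"2007-01-30 15:20:01 Local7.Notice 172.16.255.254 63161900 01/30/2007 15:20:15.000 SEV=4 AUTH/28 RPT=40310 203.0.113.7 User [alice] Group [vpn-group] disconnected: Session Type: IPSec/NAT-T Duration: 0:30:00 Bytes xmt: 1024 Bytes rcv: 2048 Reason: Idle Timeout",
    r"2007-01-30 14:46:00 Local7.Notice 172.16.255.254 63161300 constructed noise line that happens to say connected",
]

if __name__ == "__main__":
    print("substring 'connected' matches:", len(substring_matches(SAMPLE, "connected")))
    for rec in connections(SAMPLE, group="vpn-group"):
        print(rec["timestamp"], rec["user"], "from", rec["peer"], rec["session_type"])
    print(session_summary(SAMPLE))
```

    The substring filter matches both the connect and the disconnect lines plus the unrelated noise line, while `connections()` keeps only the AUTH events whose parsed action is "connected", which is the same distinction the post makes with the longer "[vpn-group] connected" filter.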

  • VPN 3005 loses certificates

    Hello,
    I have a new VPN3005 (IOS4.0.3).
    After I reload or power down the device, all certificates are gone.
    When I try to reinstall them, the CA certificate is installed OK, but when I try to generate a PKCS10 request for the VPN3005 itself I get the message:
    "Error generating request: Unable to write certificate request to file."
    Any idea?

    Hi,
    I guess I got the same problem as you, but I'm not sure if it's allowed to post the solution in here.
    Your file system could be corrupted. You could format it via CLI; this way I was able to save certs on our 3005.
    Try opening a TAC case yourself and refer to E787062.
    Hope this helps :)
