ACS with VPN Concentrator : IP address attribution
Hello,
I need to know whether it is possible for ACS to assign an IP address to the VPN clients connected to a VPN Concentrator (with XAUTH), instead of the VPN Concentrator doing it, and if yes, how: what is the procedure? With the attribute Framed-IP-Address? Does it work?
Thanks !
Patrice
Yes, it can be done and it works very well. Under the RADIUS attributes, use:
[014] Login-IP-Host
NAS Specifies
User Specifies
Other
Check "Other" and then add the IP address that you want assigned.
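To make the RADIUS side of this concrete, here is an added example (not from the thread, and not Cisco's code) that builds an Access-Accept carrying the two address attributes mentioned above, Framed-IP-Address (type 8) and Login-IP-Host (type 14), with the Response Authenticator defined in RFC 2865, and then verifies and decodes such a packet the way a client would. The shared secret, packet identifier and request authenticator are constructed sample values; which of the two attributes a given NAS honours is left to its documentation.

```python
# Added example: RFC 2865 Access-Accept with Framed-IP-Address (8) and
# Login-IP-Host (14). Constructed sample values; not the thread's own config.
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8
LOGIN_IP_HOST = 14


def encode_ipv4_attr(attr_type: int, address: str) -> bytes:
    """Encode a 4-octet address attribute as type(1) length(1) value(4)."""
    packed = ipaddress.IPv4Address(address).packed
    return struct.pack("!BB", attr_type, 2 + len(packed)) + packed


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """Server side: Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    response_auth = hashlib.md5(
        header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes,
                    secret: bytes) -> bool:
    """Client side: reject a reply whose authenticator does not match the
    request it claims to answer (protects against a spoofed Access-Accept)."""
    if len(packet) < 20:
        return False
    header, received_auth, attributes = packet[:4], packet[4:20], packet[20:]
    _code, _ident, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return False
    expected = hashlib.md5(
        header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(received_auth, expected)


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list and decode the two address attributes."""
    out = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type in (FRAMED_IP_ADDRESS, LOGIN_IP_HOST) and len(value) == 4:
            out[attr_type] = str(ipaddress.IPv4Address(value))
        pos += attr_len
    return out


if __name__ == "__main__":
    secret = b"constructed-secret"          # constructed, not a real secret
    req_auth = bytes(range(16))             # constructed request authenticator
    attrs = (encode_ipv4_attr(FRAMED_IP_ADDRESS, "10.2.2.2")
             + encode_ipv4_attr(LOGIN_IP_HOST, "10.2.2.2"))
    pkt = build_access_accept(7, req_auth, secret, attrs)
    print("valid:", verify_response(pkt, req_auth, secret))
    print("attributes:", parse_attributes(pkt))
```

The verification step matters in practice: a NAS that accepts any Access-Accept without checking the Response Authenticator against its own request can be handed an arbitrary address by anyone able to spoof the RADIUS server's replies.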
Similar Messages
-
IP Address Assignment on VPN Concentrator through AD
Is it possible to assign an IP address on a per-user basis using Active Directory as your authentication method for a group within the 3000 series VPN Concentrator?
I know this can be done with ACS/RADIUS, but I do not see any documentation on how this can be accomplished using Active Directory as your external authentication server.
Sorry for the thread title, it should be "reserver" not reverse.
I have been advised to read the "admin guide"
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml
under the heading below
Assign a Specific IP Address to a User
In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > identity.
My question: I am using a production box (so I want to avoid screwing up the whole system). Does it affect anything if I want to create a specific group and assign a specific IP address to a user?
On my PIX (the VPN concentrator runs in parallel to the PIX, i.e. it is neither behind nor in front of the PIX) I have these lines of configuration which are related to the VPN concentrator:
nat (inside) 1 10.2.2.0 255.255.255.0 0 0        (IP range for the VPN pool, as seen in the figure)
nat (inside) 1 172.168.1.0 255.255.255.0 0 0     (not related to VPN)
nat (inside) 1 192.168.0.0 255.255.0.0 0 0       (not related to VPN)
global (outside) 1 10.1.1.150-10.1.1.155
global (outside) 1 10.1.1.156
route inside 10.2.2.0 255.255.255.0 192.168.55.254 1   (192.168.55.254 is the VPN concentrator's Ethernet 1 IP address)
http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg
What I am thinking of doing is below (any comments welcome):
1- Modify the current group (see my VPN figure) to use the range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
2- Create another group called "mobile_users"
3- Create a user called "commuter"
4- Assign the user "commuter" to the group "mobile_user"
5- Assign IP address 10.2.2.2 to the user "commuter"
6- The Cisco page I posted says to tick the option "User address from Authentication Server". I do not think this applies to me?
Again, since I am using a production box, I have to make sure the modification above does not screw up the whole system. -
Setup Sunray 3G with Cisco 3005 VPN concentrator
hi,
I first explain the setup situation:
Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
Do i need to setup a sunray segment for not-directly connected networks or do i need to setup one for directly connected networks?
can the Sunray server gives IP-addresses to the Gobi8 trough a VPN-tunnel or do i need to let the Cisco handle the IP-address management?
Is there some info about what IKE proposal i need to select in the Cisco 3005?
Any help would be appreciated
Thx
I have not used the Gobi 8, but this is how I configure my SR 2, SR 2FS and SR 270 for VPN; I believe the Gobi can do similar things. You will need to set up your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE, though you will have to set up groups etc. Since my DTUs move around I use DHCP, so the initial IP address comes from the local network; as part of connecting to the remote network the concentrator will issue an IP address for the SR server network. This has worked for me on wired and WiFi LANs. I do not know if it will work with 3G wireless, but I do not see why it should not. Hope this helps and good luck.
-
Vpn-framed-ip-address not working with anyconnect
Hi Folks, please help me to verify if this case is a bug or a "not valid scenario".
Scenario:
ASA 5520, OS 9.1, SSL VPN with AnyConnect v3.x, static IP address for the client, and RSA token authentication (all the users/PINs/passwords are in the RSA server, not in the ASA, but I need to create some users in the ASA in order to apply the vpn-framed-ip-address attribute for specific users).
In fact the AnyConnect SSL VPN with RSA auth works fine: the SSL connection works, the user is authenticated, AnyConnect works, traffic passes, BUT AnyConnect is getting an IP address from the local IP pool INSTEAD of the static IP defined with the vpn-framed-ip-address command.
I'm trying to assign a static IP address to a user (defined locally on the ASA) that authenticates via RSA (aaa-server) by using the vpn-framed-ip-address command as an attribute of this local user. But it seems the command is not working.
I've already tried to resolve it (with no success) by entering:
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local
I've also tried removing the pool from the tunnel-group in order to force all connection sessions to use the static IP address, but in this case AnyConnect shows the message "No Address Available for SVC Connection", meaning the ASA is simply ignoring the vpn-framed-ip-address command.
The ASA is supposed to apply the policies in this order: DAP > User policy > User group policy > Connection profile > Default group policy. According to this, the vpn-framed-ip-address command should take effect first, since it is specified as user policy, overriding everything else. But it is not working.
At this point I think the issue is this: since the user is locally defined but its password is being authenticated via RSA (not locally), the user attributes (static IP) are being ignored by the ASA because it is not expecting to receive an IP address from the AAA server (RSA), so it jumps to the next policies and falls through to the pool. Anyway, the user policy attributes SHOULD work according to Cisco.
Please advise, or tell me whether this is a bug or not a valid scenario for this command to work on the ASA.
This is the current config:
ip local pool PoolSSL 192.168.229.10-192.168.229.19 mask 255.255.255.0
aaa-server RSA protocol sdi
aaa-server RSA (inside) host 192.168.12.1
retry-interval 5
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
group-policy GroupPolicyABC internal
group-policy GroupPolicyABC attributes
wins-server none
dns-server value 192.168.61.1 192.168.61.2
vpn-tunnel-protocol ssl-client
group-lock value TunnelGroupABC
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ServersDB
default-domain value my.domain.com
split-tunnel-all-dns disable
webvpn
anyconnect ask none default anyconnect
username USER1 password xHhacRZ56Uadqoq encrypted
username USER1 attributes
vpn-framed-ip-address 192.168.229.7 255.255.255.0
group-lock value TunnelGroupABC
tunnel-group TunnelGroupABC type remote-access
tunnel-group TunnelGroupABC general-attributes
address-pool PoolSSL
authentication-server-group RSA
default-group-policy GroupPolicyABC
tunnel-group TunnelGroupABC webvpn-attributes
group-alias AccessToDB enable
I'll wait for your answers, regards!
https://tools.cisco.com/bugsearch/bug/CSCtf71671/
You need AAA assignment, or at least you needed to have it a couple of years back. -
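The exchange above turns on two things: the precedence order the poster quotes (user policy before the connection profile's pool) and the reply's point that the per-user address is only delivered when the AAA assignment method is enabled. The following added example (my own code, not Cisco's and not from the thread) parses a condensed copy of the posted configuration and resolves where a session's address would come from under those two rules. The gate "a vpn-framed-ip-address in local user attributes is honoured only while vpn-addr-assign aaa is enabled" is an assumption modelled on the reply, not a verified statement of ASA internals.

```python
# Added example: resolve the source of a remote-access session's address from
# an ASA config under the precedence the post describes. The sample config is
# condensed from the one posted above; the AAA gate is an assumption from the reply.
import re

SAMPLE_CONFIG = """\
ip local pool PoolSSL 192.168.229.10-192.168.229.19 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
username USER1 password xHhacRZ56Uadqoq encrypted
username USER1 attributes
 vpn-framed-ip-address 192.168.229.7 255.255.255.0
 group-lock value TunnelGroupABC
tunnel-group TunnelGroupABC type remote-access
tunnel-group TunnelGroupABC general-attributes
 address-pool PoolSSL
 authentication-server-group RSA
 default-group-policy GroupPolicyABC
"""


def parse_asa_config(text: str) -> dict:
    """Collect pools, per-user framed addresses, tunnel-group pools and the
    state of the three vpn-addr-assign methods (all enabled by default)."""
    cfg = {"pools": {}, "users": {}, "tunnel_groups": {},
           "methods": {"aaa": True, "dhcp": True, "local": True}}
    context = None  # ("user", name) or ("tunnel-group", name) while in a sub-mode
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" "):  # indented line: sub-command of current mode
            cmd = line.strip()
            if context and context[0] == "user":
                m = re.match(r"vpn-framed-ip-address (\S+) (\S+)", cmd)
                if m:
                    cfg["users"][context[1]]["framed_ip"] = m.group(1)
            elif context and context[0] == "tunnel-group":
                m = re.match(r"address-pool (\S+)", cmd)
                if m:
                    cfg["tunnel_groups"][context[1]]["pool"] = m.group(1)
            continue
        context = None
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line)
        if m:
            cfg["pools"][m.group(1)] = (m.group(2), m.group(3))
            continue
        m = re.match(r"(no )?vpn-addr-assign (aaa|dhcp|local)", line)
        if m:
            cfg["methods"][m.group(2)] = m.group(1) is None
            continue
        m = re.match(r"username (\S+) attributes", line)
        if m:
            cfg["users"].setdefault(m.group(1), {})
            context = ("user", m.group(1))
            continue
        m = re.match(r"tunnel-group (\S+) general-attributes", line)
        if m:
            cfg["tunnel_groups"].setdefault(m.group(1), {})
            context = ("tunnel-group", m.group(1))
    return cfg


def resolve_address(cfg: dict, user: str, tunnel_group: str) -> tuple:
    """Walk the precedence from the post: user attributes first, then the
    connection profile's pool. ASSUMPTION (from the reply): the per-user
    framed address is only honoured while the aaa method is enabled."""
    user_cfg = cfg["users"].get(user, {})
    if "framed_ip" in user_cfg and cfg["methods"]["aaa"]:
        return ("user-attribute", user_cfg["framed_ip"])
    pool = cfg["tunnel_groups"].get(tunnel_group, {}).get("pool")
    if pool and cfg["methods"]["local"] and pool in cfg["pools"]:
        return ("local-pool", pool)
    return ("none", None)  # the "No Address Available" outcome


if __name__ == "__main__":
    cfg = parse_asa_config(SAMPLE_CONFIG)
    print(resolve_address(cfg, "USER1", "TunnelGroupABC"))
```

Run as posted (aaa disabled), the resolver lands on the pool, which matches the symptom; flip the `no vpn-addr-assign aaa` line to `vpn-addr-assign aaa` and the user attribute wins; remove the `address-pool` line without re-enabling aaa and no address source remains.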
RA VPN into ASA5505 behind C871 Router with one public IP address
Hello,
I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and esp to the outside interface of the ASA that has a private IP address. The PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. The PC1 encrypts packets to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand removing C871 and just use ASA makes VPN much simpler and easier, but I like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
C871:
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname router
boot-start-marker
boot-end-marker
enable password 7 xxxx
aaa new-model
aaa session-id common
clock timezone UTC -8
clock summer-time PDT recurring
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp pool dhcp-vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
ip cef
ip domain name xxxx.local
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
username xxxx password 7 xxxx
ip ssh version 2
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description WAN Interface
ip address 1.1.1.2 255.255.255.252
ip access-group wna-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
interface Vlan1
no ip address
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan10
description router-asa
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip access-list standard ssh
permit 0.0.0.0 255.255.255.0 log
permit any log
ip access-list extended nat-pat
deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.255.0.0 0.0.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any fragments log
permit tcp any any established
permit icmp any any net-unreachable
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny ip any any log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class ssh in
exec-timeout 5 0
logging synchronous
transport input ssh
scheduler max-task-time 5000
end
ASA:
ASA Version 9.1(2)
hostname asa
domain-name xxxx.local
enable password xxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxx encrypted
names
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
interface Ethernet0/0
switchport trunk allowed vlan 2,10
switchport mode trunk
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
ftp mode passive
clock timezone UTC -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxx.local
object network vlan2-mapped
subnet 192.168.2.0 255.255.255.0
object network vlan2-real
subnet 192.168.2.0 255.255.255.0
object network vpn-192.168.100.0
subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
object network vlan2-real
nat (inside,outside) static vlan2-mapped
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 10.10.10.1 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpn internal
group-policy vpn attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
default-domain value xxxx.local
username xxxx password xxxx encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpn-pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
ikev1 pre-shared-key xxxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
: end
Hi,
I think, that you want control all outbound traffic from the LAN to the outside by ASA.
I suggest some modifications as shown below.
C871:
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.2 255.255.255.0
no ip nat inside
no ip proxy-arp
ip virtual-reassembly
ip access-list extended nat-pat
no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
no permit ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
ASA 5505:
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
Try them out and response.
Best regards,
MB -
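One check worth running on any ASA remote-access config like the one posted above is whether the NAT-exemption (identity twice-NAT) rule actually covers the whole address pool handed to VPN clients; a pool range wider than the exempt object leaves some client addresses subject to ordinary NAT on the way back. The following is an added example (my own code, not Cisco's and not from the thread) that parses the relevant lines, condensed from the posted config, and lists pool addresses that no identity-NAT destination object covers. It reports a mismatch for this config; whether that mismatch is the poster's actual fault is not something the thread settles.

```python
# Added example: list VPN-pool addresses not covered by an ASA identity
# twice-NAT (NAT-exemption) rule. Sample config condensed from the post above.
import ipaddress
import re

SAMPLE_CONFIG = """\
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
object network vpn-192.168.100.0
 subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
"""

NAT_RE = re.compile(
    r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_config(text: str) -> tuple:
    """Return (pools, objects, exempt_dests): pool ranges, network objects,
    and the destination objects of identity twice-NAT rules."""
    pools, objects, exempt_dests = {}, {}, []
    current = None  # name of the object whose sub-commands follow
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and current:
            cmd = line.strip()
            m = re.match(r"subnet (\S+) (\S+)", cmd)
            if m:
                objects[current] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            m = re.match(r"host (\S+)", cmd)
            if m:
                objects[current] = ipaddress.ip_network(m.group(1) + "/32")
            continue
        current = None
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = NAT_RE.match(line)
        # identity rule: real and mapped objects are the same on both sides
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            exempt_dests.append(m.group(3))
    return pools, objects, exempt_dests


def uncovered_pool_addresses(text: str, pool_name: str) -> list:
    """Pool addresses that fall outside every exempted destination object."""
    pools, objects, exempt_dests = parse_config(text)
    first, last = pools[pool_name]
    covered = [objects[name] for name in exempt_dests if name in objects]
    missing = []
    addr = first
    while addr <= last:
        if not any(addr in net for net in covered):
            missing.append(str(addr))
        addr += 1
    return missing


if __name__ == "__main__":
    print(uncovered_pool_addresses(SAMPLE_CONFIG, "vpn-pool"))
```

With the posted values the pool runs to .35 while the object is a /27 (.0 to .31), so the four addresses .32 through .35 are reported.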
Hello Everyone,
Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range). If yes, how?
Thanks,
Rishi
Rishi,
Are you looking to leverage certain group in AD to be assigned to a specific subnet? If yes, then this can be done through dynamic vlan assignment.
Thanks,
Tarik Admani -
Idle timeout with VPN remote users coming into a COncentrator 3030
I have a VPN Concentrator 3030, which my remote users connect to from home. The idle timeout is set to 30 minutes; however, I do not see anyone disconnected due to lack of activity, even if they are connected for over 24 hours. I assume that they are keeping MS Outlook open and that emails pop up in their Inbox while connected. I'm sure that Exchange and Outlook are communicating back and forth, and this is probably the traffic that is keeping the connection "active".
How do I enforce the "Inactive" policy? Can I exclude certain types of traffic?
Microsoft Internet Explorer (MSIE) users add the VPN Concentrator 3000 to the list of trusted sites. Doing so enables the ActiveX control to install with minimal interaction from the user. This is particularly important for users of Windows XP SP2 with enhanced security. Refer to the following sections for instructions.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_release_note09186a0080405b6c.html -
Routing loop when tracing to remote ip address on vpn concentrator
When I try to ping a remote address on my VPN 3000 concentrator I get TTL exceeded. When I try to tracert from my workstation to the remote address on my VPN 3000 I see a loop.
Tracing route to x.3.17.145
over a maximum of 30 hops:
1 29 ms 31 ms 28 ms 172.4.0.20
2 32 ms 30 ms 29 ms 172.4.0.25
3 38 ms 29 ms 31 ms 172.3.0.21
4 33 ms 30 ms 32 ms 172.4.0.25
5 32 ms 49 ms 27 ms 172.3.0.21
6 35 ms 30 ms 38 ms 172.4.0.25
7 31 ms 28 ms 28 ms 172.3.0.21
8 28 ms 28 ms 42 ms 172.4.0.25
9 38 ms 27 ms 32 ms 172.3.0.21
10 35 ms 28 ms 36 ms 172.4.0.25
11 35 ms 27 ms 28 ms 172.3.0.21
12 30 ms 28 ms 28 ms 172.4.0.25
13 39 ms 30 ms 43 ms 172.3.0.21
14 48 ms 28 ms 29 ms 172.4.0.25
15 36 ms 28 ms 34 ms 172.3.0.21
16 39 ms 39 ms 56 ms 172.4.0.25
17 42 ms 38 ms 47 ms 172.3.0.21
18 35 ms 39 ms 41 ms 172.4.0.25
19 49 ms 32 ms 29 ms 172.3.0.21
20 32 ms 28 ms 29 ms 172.4.0.25
21 28 ms 43 ms 30 ms 172.3.0.21
22 37 ms 32 ms 34 ms 172.4.0.25
23 29 ms 31 ms 32 ms 172.3.0.21
24 29 ms 33 ms 31 ms 172.4.0.25
25 32 ms 41 ms 43 ms 172.3.0.21
26 43 ms 29 ms 39 ms 172.4.0.25
27 47 ms 33 ms 31 ms 172.3.0.21
28 37 ms 29 ms 35 ms 172.4.0.25
29 44 ms 30 ms 91 ms 172.3.0.21
30 31 ms 41 ms 50 ms 172.4.0.25
172.3.0.21 is my private interface on the vpn 3000.
172.4.0.20 is my public interface on the vpn 3000.
172.4.0.25 is the default gateway / router interface on my router.
interface GigabitEthernet1/1/0.1
description connected to LAN
encapsulation dot1Q 1 native
ip address 10.3.0.25 255.255.255.0
interface GigabitEthernet0/0.4
description vpn 3000 concentrator connection
encapsulation dot1Q 4
ip address 10.4.0.25 255.255.255.0
172.3.0.21 has no default gateway on the vpn concentrator.
172.3.0.21 has a default gateway 172.4.0.25 on the vpn concentrator.
Hi John
could you clarify where you are pinging from and where you are pinging to please?
From the LAN to a destination across a VPN tunnel?
Or from a source across the VPN tunnel to a host on the concentrator's LAN?
Or from a source across the VPN tunnel to a host on the Internet?
I suppose your last line has a typo, it should be
172.4.0.21 has a default gateway 172.4.0.25 on the vpn concentrator.
right?
Apart from the default gateway are there any other static routes configured on the vpn3k and the router? No dynamic routing protocol?
tnx
Herbert -
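The trace above shows the classic signature of two routers pointing their routes at each other: the same pair of addresses alternating until the hop limit. Spotting that by eye is easy on 30 lines; on a pile of traces it is not. Here is an added example (my own code, not from the thread) that parses Windows tracert output and reports the first hop at which an address repeats and the set of addresses forming the cycle. The sample trace is constructed from the posted output, shortened and with one timed-out hop added to show that `*` lines are tolerated.

```python
# Added example: detect a routing loop in Windows tracert output.
# SAMPLE_TRACE is constructed from the post above (shortened, plus a timeout).
import re

SAMPLE_TRACE = """\
Tracing route to x.3.17.145
over a maximum of 30 hops:
  1    29 ms    31 ms    28 ms  172.4.0.20
  2    32 ms    30 ms    29 ms  172.4.0.25
  3    38 ms    29 ms    31 ms  172.3.0.21
  4    33 ms    30 ms    32 ms  172.4.0.25
  5     *        *        *     Request timed out.
  6    35 ms    30 ms    38 ms  172.4.0.25
  7    31 ms    28 ms    28 ms  172.3.0.21
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\S+)\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hops(text: str) -> list:
    """Return [(hop_number, address_or_None), ...]; a timed-out hop yields None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines such as "Tracing route to ..."
        hop, last_token = int(m.group(1)), m.group(3)
        hops.append((hop, last_token if IPV4_RE.match(last_token) else None))
    return hops


def find_loop(hops: list):
    """Return {'first_repeat_hop': n, 'cycle': [...]} at the first hop whose
    address was already seen, or None when no address repeats."""
    seen_at = {}  # address -> index in hops of its first appearance
    for idx, (hop, addr) in enumerate(hops):
        if addr is None:
            continue
        if addr in seen_at:
            cycle = [a for _, a in hops[seen_at[addr]:idx] if a is not None]
            return {"first_repeat_hop": hop, "cycle": cycle}
        seen_at[addr] = idx
    return None


def describe(text: str) -> str:
    loop = find_loop(parse_hops(text))
    if loop is None:
        return "no loop detected"
    return (f"loop from hop {loop['first_repeat_hop']}: "
            + " -> ".join(loop["cycle"] + [loop["cycle"][0]]))


if __name__ == "__main__":
    print(describe(SAMPLE_TRACE))
```

On the posted trace the cycle is 172.4.0.25 to 172.3.0.21 and back, i.e. the router's LAN-side gateway and the concentrator's private interface, which is exactly the pair Herbert asks about when he queries the default gateway and static routes on both boxes.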
VPN Concentrator authentication with multiple domains
I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access, but site A and site B have their own domains that are independent of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A's domain using site A's domain controller and authenticate users that belong to site B's domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
Thanks in advance for any help.
To authenticate users that belong to site A domain using site A's domain controller you should authenticate users that belong to site A domain using site A's domain controller
-
PIX, ASA or VPN concentrator & dynamic VPN
Hi all,
I need help what to use and how to do next.
What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
How to do that dynamically? Is it possible to do that with one certificate?
Other question is what to use? ..PIX, ASA, VPN concentrator ?
BR
jl
The PIX and VPNC are both end-of-sale products now and unless you already have them your only choice is IOS or ASA. Of those two, the ASA is the Cisco preferred platform for remote access VPNs.
You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
"every user is member of more than one group "
Some links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
Pls. rate if helpful.
Regards
Farrukh -
What am I missing with VPN enforcement?
I'm making sense of how to implement the VPN Enforcement feature and would like to hear from others who have set it up.
The way I understand it to work is this...
User connects to the internet (eg with a laptop using a 3G card). Once it detects the internet connection, it switches to the Location specified in the "Switch To" setting on the VPN Enforcement page.
And I have it prompting to connect to the VPN client at this point.
What is puzzling me is... what's the point?
It doesn't seem to make a difference whether the user connects to the VPN or not. The Location in the Switch To setting can have certain restrictions but once connected to the VPN, the Location doesn't change. So, before or after connection to the VPN the same restrictions are in place.
Perhaps I'm missing something in the way this is meant to work.
How has anyone else set this up?
Ideally what I want to happen is....
User connects to the internet - so has enough restrictions (or un-restrictions) to allow this. This would include connecting at an airport or hotel where you connect via a web page. Usually this would be with a 3G modem
then the user is forced to connect to their VPN (in our case we have a dongle and log in. So, I can cause the login screen to appear on VPN switching)
Only allow internet access as long as the VPN is connected. And block access if it is not.
Any thoughts are happily received, thanks
Alison
Here is a brief description of what needs to be done in order for VPN Enforcement to work.
1) The "Unknown" location should have a "stateful" firewall assigned. This allows the endpoint to see all APs and also authenticate to them.
2) The VPN Location should have an "all closed" firewall. This location will be used to switch to once the endpoint gains internet connection (the ZSC checks this automatically). You have to setup a single ACL rule
that points to the IP address of your VPN concentrator (so now the only accessible service/device is the VPN)
3) In the "VPN Enforcement" settings, enter the IP address of the VPN concentrator, the trigger location (at a minimum this is the Unknown), and "Switch to" locations (this is the location you set up in step 2)
5) Again, in "VPN Enforcement" configure the settings needed to make your VPN client to connect "automagically" to the VPN concentrator (client path, and optionally any arguments).
Please note that internet connectivity triggers the enforcement. If someone connects to an AP or wired network that requires authentication (such as you see at a coffee house or hotel), then the Internet connectivity fails.
Hope this clarifies,
Daniel
>>>
From: AWhitwood<[email protected]>
To:novell.support.zenworks.endpoint-security-management
Date: 7/8/2009 10:06 PM
Subject: Re: What am I missing with VPN enforcement?
Excellent - thanks Indy
That is pretty much the same as what I'm setting up. Would you mind
expanding on how you've set this up....I've put your original comments
in blue
1) Users log in and change their location to 'Wired/Wireless/3G'.
I know our users won't manually switch Locations themselves.
I've got this set up to detect the Unknown location which is anything
that is away from the office wired network.
2) Once they have connected to a secure wifi hotspot or their vodafone
3g dongle is connected the location automatically switches to 'Secure
VPN'.
Once they are on the internet, our Location does switch from
"Unknown" to "Away from the Office" (or "VPN" in your system). Can I
ask you what your Firewall settings are on your VPN location? Are there
any restrictions? eg I had it All Blocked but of course it stopped it
connecting the VPN client so I've now got it set to All Stateful.
3) After a few seconds the Cisco VPN Client automatically loads and the
user has to connect via that to get internet connectivity otherwise they
get nothing.
I have this too - the client VPN launches and the user is prompted
to login. But what if they don't? what stops the internet working for
them if they didn't log in? When you say "otherwise they get nothing" -
what is it that prevents them getting to the internet if they have not
connected to the VPN. This is exactly what I'm trying to set up so I'm
very happy to hear that you've done it. What is puzzling me is how to
have it blocking internet access unless it is through the VPN.
I think its purpose is to make sure all internet traffic goes through
your VPN and firewalls, settings, etc etc...
Exactly what I want ! Thanks - I've just got to figure out how to
do it.
Hope that helps,
That helped a lot.
Alison
AWhitwood
AWhitwood's Profile: http://forums.novell.com/member.php?userid=4390
View this thread: http://forums.novell.com/showthread.php?t=379389 -
Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning and after configuring it, I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session; nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working in the ACS logs, but I am getting an invalid login on the VPN Concentrator. Is there anything I can do at this point?
Was using the wrong type cable to console into the Concentrator. Done a password reset from the console and that allowed me back in.
Cheers
Brian -
Hi,
Trying to set up a VPNc 3005 for WebVPN.
The VPNc is configured with an NTP server, so the clock is fine. I installed the SSL VPN client and Secure Desktop software onto the VPNc, and created a local account and group. When I go to https://vpnc/admin.html I can manage the VPNc from the external interface, so the certificate is good.
When I go to http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both the SSL VPN client and Secure Desktop onto my WinXP (I have admin privileges on the XP machine), then it tells me that the VPN concentrator has a server certificate error. I've attached the screenshot. Anyone know what it is? Thanks.
If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684 -
Unable to access vpn box internal address after vpn
Hi all. My office network is protected by an ASA 5510 firewall with VPN configured. When I VPN into my office network I could not access the firewall via the firewall's internal address using telnet etc., even though I have already enabled telnet. The firewall is my office network gateway. Below is my config. Please advise. Thanks in advance. Access to my office network is fine using VPN.
hostname firewall
domain-name default.domain.invalid
enable password xxx
names
dns-guard
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1x.x 255.255.255.0
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.2x.x 255.255.255.0
interface Ethernet0/2
nameif outside
security-level 0
ip address 8x.x.x.x 255.255.255.240
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn internal
group-policy vpn attributes
dns-server value 192.168.1x.x 192.168.1x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
username ciscoadm password xxx encrypted privilege 15
username ciscoadm attributes
vpn-group-policy vpn
webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool addpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
telnet 192.168.1x.x 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
Hi all. Below is my configuration. After I enable "management-access inside" I can access my firewall's internal IP via ping after establishing a VPN connection, but not with others like telnet, even though "telnet 0.0.0.0 0.0.0.0 inside" is enabled. Please advise.
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1x.254 255.255.255.0
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.2x.254 255.255.255.0
interface Ethernet0/2
nameif outside
security-level 0
ip address 8x.xx.xx.xx 255.255.255.240
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list inside_access_in extended permit esp any any
access-list inside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
access-list prod standard permit host 192.168.1x.x
access-list prod standard deny any
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool pool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnuser internal
group-policy vpnuser attributes
dns-server value 192.168.1x.x 192.168.1x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value prod
default-domain value mm.com
webvpn
username user password xxx encrypted privilege 15
username user attributes
vpn-group-policy vpnuser
webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpnuser type ipsec-ra
tunnel-group vpnuser general-attributes
address-pool pool
default-group-policy vpnuser
tunnel-group vpnuser ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 8x.x.1x.x 8x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
-
Hi Guys,
I'm using a cisco 5510 ASA at the headoffice to provide the VPN (remote access vpn) connectivity to the branch offices.
My local network is 192.168.30.0/24 and I've used a part of the same segment for the vpn_pool as well (i.e. 192.168.30.152-192.168.30.199). Further, I'm using the vpn-framed-ip-address feature to allocate a unique IP address to each branch office when it connects.
My problem is, though this setup worked fine at the beginning, now sometimes when the VPN connections are established from remote branches, they take different IP addresses from the allocated VPN pool, rather than the specific IP address which is mentioned under the vpn-framed-ip-address command.
Can anyone assist me with this issue?
Regards,
Suthakar
Hi Javier,
I think I have found out a solution for this problem.
I've removed the ip vpn pool and its reference under tunnel group general-attributes
ip local pool vpn_pool x.x.x.x - x.x.x.x
tunnel-group x.x.x.x general-attributes
address-pool vpn_pool
Since there is no IP pool, the remote clients are now getting the exact individual IP addresses allocated to them with the vpn-framed-ip-address command.
Thank you for your support.
Regards,
Suthakar
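The two threads above share a root cause class: the ASA's per-interface telnet/ssh source list and its address pools are edited separately, so the VPN pool can end up outside the permitted management sources, or a user's static vpn-framed-ip-address can collide with a dynamic pool. This audit script is an added example (not from any poster); it reads a constructed sample config and reports both conditions.

```python
import ipaddress

# Constructed sample, not taken from the posts above.
SAMPLE_CFG = """\
ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
ip local pool vpn_pool 192.168.30.152-192.168.30.199 mask 255.255.255.0
username branch1 password xxx encrypted privilege 15
username branch1 attributes
 vpn-framed-ip-address 192.168.30.160 255.255.255.0
http 192.168.10.5 255.255.255.255 inside
telnet 192.168.10.0 255.255.255.0 inside
ssh 172.16.0.0 255.255.0.0 inside
management-access inside
"""

def parse_asa(cfg):
    """Extract pools, the management-access interface, telnet/ssh/http
    source rules and per-user vpn-framed-ip-address lines."""
    d = {"pools": {}, "mgmt": None, "rules": [], "framed": []}
    user = None
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:      # ip local pool NAME LO-HI mask M
            lo, hi = t[4].split("-")
            d["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["management-access"]:       # management-access IFACE
            d["mgmt"] = t[1]
        elif t[:1] == ["username"] and t[-1] == "attributes":
            user = t[1]                            # following indented lines belong to user
        elif t[:1] == ["vpn-framed-ip-address"]:
            d["framed"].append((user, ipaddress.ip_address(t[1])))
        elif t[:1] in (["telnet"], ["ssh"], ["http"]) and len(t) == 4:
            net = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            d["rules"].append((t[0], net, t[3]))   # (proto, permitted source, iface)
    return d

def uncovered_pools(d, protos=("telnet", "ssh")):
    """Pools not fully permitted as a PROTO source on the management-access
    interface: VPN clients from that pool will be refused for that protocol."""
    if d["mgmt"] is None:
        return [("management-access", None, "not configured")]
    return [(p, name, d["mgmt"]) for name, (lo, hi) in d["pools"].items()
            for p in protos
            if not any(r[0] == p and r[2] == d["mgmt"] and lo in r[1] and hi in r[1]
                       for r in d["rules"])]

def framed_overlaps(d):
    """Static vpn-framed-ip-address values that also sit inside a dynamic pool."""
    return [(u, str(ip), name) for u, ip in d["framed"]
            for name, (lo, hi) in d["pools"].items() if lo <= ip <= hi]
```

Run it against the output of `show running-config`; a pool range that spans more than one source rule would need the containment check extended, which this version does not do.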