ACS with VPN Concentrator : IP address attribution

Hello,
I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator,and if yes : how can I do, what is the procedure ? With the attribute Framed IP Address ? Does it work ?
Thanks !
Patrice

yes it can be done at works very well under the radius attributes uses the:
[014] Login-IP-Host
NAS Specifies
User Specifies
Other
Check other and then add the ip address that you want to assigned

Similar Messages

  • IP Address Assignment on VPN Concentrator through AD

    Is it possible to assign an IP address on a per-user basis using Active Directory as your authentication method for a group within the 3000 series VPN Concentrator?
    I know this can be done with ACS/RADIUS, but I do not see any documentation on how this can be accomplished using Active Directory as your external authentication server.

    Sorry for the thread title it should be : "reserver" not reverse.
    I have been advised to read the "admin guide"
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml
    under the heading below
    Assign a Specific IP Address to a User
    In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > identity.
    My question i am using production box (to avoid screw up whole system), does it affect if i want to create a specific group and assign specific ip address to a user
    On my PIX (VPN running paralled to the PIX, i.e it is not behind nor inforn of the PIX) what I have got these lines of configurations which are related to the VPN concentrator
    nat (inside) 1 10.2.2.0 255.255.255.0 0 0,,,,,,,,ip for VPN pool as seen in figure
    nat (inside) 1 172.168.1.0 255.255.255.0 0 0,,,,,,,,,not related to VPN
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0,,,,,,,,,not related to VPN
    global (outside) 1 10.1.1.150-10.1.1.155
    global (outside) 1 10.1.1.156
    route inside 10.2.2.0 255.255.255.0 192.168.55.254 1,,,,,,,,,,,,,192.168.55.254, is the VPN Ethernet 1 ip address.
    http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg
    What I am thinking to do, are below (please any comment) :
    1- I want to modify the current group (see my VPN figure ) to be from range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
    2- Create another group called : " mobile_users "
    3- Create a user called : " commuter "
    4- Assign the user " commuter " to the group " mobile_user "
    5- Assign ip address 10..2.2.2 to the user " commuter "
    6- In the cisco site that I have posted , it syas: tick option for " User address from Authentication Server ",,,,I do not think this will apply to me ?
    again since I am using production box, I have to assure that the modification above does not screw up the whole system

  • Setup Sunray 3G with Cisco 3005 VPN concentrator

    hi,
    I first explain the setup situation:
    Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
    Do i need to setup a sunray segment for not-directly connected networks or do i need to setup one for directly connected networks?
    can the Sunray server gives IP-addresses to the Gobi8 trough a VPN-tunnel or do i need to let the Cisco handle the IP-address management?
    Is there some info about what IKE proposal i need to select in the Cisco 3005?
    Any help would be appreciated
    Thx

    I have not used the Gobi 8 but this is how I configure my SR 2, SR 2FS, and SR 270 for VPN, I believe the Gobi can do similiar things. You will need to setup your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE though you will have to setup groups etc. Since my DTUs move around I use DHCP so the initial IP address comes from the local network, as part of connecting to the remote network the concentrator will issue an IP address for SR server network. This has worked for me on wired and WiFi LANs, I do not know if it will work with 3G wireless but I do not see why it should not. Hope this helps and good luck.

  • Vpn-framed-ip-address not working with anyconnect

    Hi Folks, please help me to verify if this case is a bug or a "not valid scenario".
    Scenario:
    ASA 5520, OS 9.1, SSL VPN with Anyconnect v3.x, static ip address for the client, and RSA token authentication (all the users/pin/passwords are in the RSA server, not in the ASA, but i need to create some users in the ASA in order to apply the vpn-framed-ip-address attribute for specific users).
    In fact the anyconnect ssl vpn with RSA auth works fine, the ssl connection works, the user is authenticated, the anyconnect works, traffic passing,  BUT.. the anyconnect its getting an ip address from the ip local pool INSTEAD of the static ip defined with the  vpn-framed-ip-address command.
    I'm trying to assign a static ip address for a user (defined locally on the ASA) that performs auth via RSA (aaa-server), by using the  vpn-framed-ip-address  command as an attribute for this local user. But it seems the command is not working.
    Already I´ve tried to resolve (with no success) by entering the
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    vpn-addr-assign local
    Also i´ve tried by removing the pool from tunnel-group in order to force all the connection session to use the static ip address, but in this case, the anyconnect sends a message "No Address Available for SVC Connection".  Meaning the ASA simply is ignoring the  vpn-framed-ip-address command.
    Its supposed the ASA implement the policies in this order, DAP > User policy > UserGrp policy > ConnProfile > DefGrpPolicy, and according to this, the vpn-framed-ip-address command should take effect first since its specified as User policy, overriding everything else. But its not working.
    At this point i think the issue is... since the user is locally defined but its password its being authenticated via RSA (not local), the user attributes (static ip) are being ignored by the ASA because its not expecting to receive an ip address from the aaa server (RSA), so jumps to the next policies falling to the pool. Anyway the user policies attributes SHOULD work according to cisco.
    Please your advise, or tell if its a bug? or a not valid scenario for this command to work with the ASA.
    This is the current config:
    ip local pool PoolSSL 192.168.229.10-192.168.229.19 mask 255.255.255.0
    aaa-server RSA protocol sdi
    aaa-server RSA (inside) host 192.168.12.1
     retry-interval 5
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    group-policy GroupPolicyABC internal
    group-policy GroupPolicyABC attributes
     wins-server none
     dns-server value 192.168.61.1 192.168.61.2
     vpn-tunnel-protocol ssl-client
     group-lock value TunnelGroupABC
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ServersDB
     default-domain value my.domain.com
     split-tunnel-all-dns disable
     webvpn
      anyconnect ask none default anyconnect
    username USER1 password xHhacRZ56Uadqoq encrypted
    username USER1 attributes
     vpn-framed-ip-address 192.168.229.7 255.255.255.0
     group-lock value TunnelGroupABC
    tunnel-group TunnelGroupABC type remote-access
    tunnel-group TunnelGroupABC general-attributes
     address-pool PoolSSL
     authentication-server-group RSA
     default-group-policy GroupPolicyABC
    tunnel-group TunnelGroupABC webvpn-attributes
     group-alias AccessToDB enable
    I´ll wait for your answers, regards!

    https://tools.cisco.com/bugsearch/bug/CSCtf71671/
    you need AAA assignment, or at least you needed to have it a couple of years back. 

  • RA VPN into ASA5505 behind C871 Router with one public IP address

    Hello,
    I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
    PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
    The  public IP address is assigned to the outside interface of the C871. The  C871 forwards incoming traffic UDP 500, 4500, and esp to the outside  interface of the ASA that has a private IP address. The PC1 can  establish a secure tunnel to the ASA. However, it is not able to ping or  access PC2. PC2 is also not able to ping PC1. The PC1 encrypts packets  to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand  removing C871 and just use ASA makes VPN much simpler and easier, but I  like to understand why it is not working with the current setup and  learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!C871:
    version 15.0
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    enable password 7 xxxx
    aaa new-model
    aaa session-id common
    clock timezone UTC -8
    clock summer-time PDT recurring
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.2.1
    ip dhcp excluded-address 192.168.2.2
    ip dhcp pool dhcp-vlan2
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
    ip cef
    ip domain name xxxx.local
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    username xxxx password 7 xxxx
    ip ssh version 2
    interface FastEthernet0
    switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN Interface
    ip address 1.1.1.2 255.255.255.252
    ip access-group wna-in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    no ip address
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan10
    description router-asa
    ip address 10.10.10.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list nat-pat interface FastEthernet4 overload
    ip nat inside source static 10.10.10.1 interface FastEthernet4
    ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
    ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
    ip nat inside source static esp 10.10.10.2 interface FastEthernet4
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 10.10.10.0 255.255.255.252 10.10.10.2
    ip route 192.168.2.0 255.255.255.0 10.10.10.2
    ip access-list standard ssh
    permit 0.0.0.0 255.255.255.0 log
    permit any log
    ip access-list extended nat-pat
    deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
    ip access-list extended wan-in
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.255.0.0 0.0.255.255 any
    deny   ip 255.0.0.0 0.255.255.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip host 0.0.0.0 any
    deny   icmp any any fragments log
    permit tcp any any established
    permit icmp any any net-unreachable
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit icmp any any host-unreachable
    permit icmp any any port-unreachable
    permit icmp any any packet-too-big
    permit icmp any any administratively-prohibited
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    deny   ip any any log
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class ssh in
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    scheduler max-task-time 5000
    end
    ASA:
    ASA Version 9.1(2)
    hostname asa
    domain-name xxxx.local
    enable password xxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxx encrypted
    names
    ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
    interface Ethernet0/0
    switchport trunk allowed vlan 2,10
    switchport mode trunk
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Vlan10
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.252
    ftp mode passive
    clock timezone UTC -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name xxxx.local
    object network vlan2-mapped
    subnet 192.168.2.0 255.255.255.0
    object network vlan2-real
    subnet 192.168.2.0 255.255.255.0
    object network vpn-192.168.100.0
    subnet 192.168.100.0 255.255.255.224
    object network lan-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
    object network vlan2-real
    nat (inside,outside) static vlan2-mapped
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.10.10.1 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 10.10.10.1 255.255.255.255 outside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy vpn internal
    group-policy vpn attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn-split
    default-domain value xxxx.local
    username xxxx password xxxx encrypted privilege 15
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
    address-pool vpn-pool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    ikev1 pre-shared-key xxxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
    : end

    Hi,
    I think, that you want control all outbound traffic from the LAN to the outside by ASA.
    I suggest some modifications as shown below.
    C871:
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.2 255.255.255.0
    no ip nat inside
    no ip proxy-arp
    ip virtual-reassembly
    ip access-list extended nat-pat
    no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    no permit ip 192.168.2.0 0.0.0.255 any
    deny ip 192.168.2.0 0.0.0.255 any
    permit ip 10.10.10.0 0.0.0.255 any
    ASA 5505:
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    Try them out and response.
    Best regards,
    MB

  • Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range).

    Hello Everyone,
    Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range). If yes, how?
    Thanks,
    Rishi

    Rishi,
    Are you looking to leverage certain group in AD to be assigned to a specific subnet? If yes, then this can be done through dynamic vlan assignment.
    Thanks,
    Tarik Admani

  • Idle timeout with VPN remote users coming into a COncentrator 3030

    I have a VPN Concentrator 3030, which my remote users connect to from home. The idle timeout is set to 30 minutes, however, I do not see anyone disconnected due to lack of activity, even if they are connected for over 24 hours. I assume that they are keeping MS Outlook open and that emails will pop up in their Inbox while connected. I'm sure that Exchange & Outlook are communicating back and forth, and this this is probably the traffic that is keeping the connection "active".
    How do I enforce the "Inactive" policy. Can I exclude certain types of traffic?

    Microsoft Internet Explorer (MSIE) users add the VPN Concentrator 3000 to the list of trusted sites. Doing so enables the ActiveX control to install with minimal interaction from the user. This is particularly important for users of Windows XP SP2 with enhanced security. Refer to the following sections for instructions.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_release_note09186a0080405b6c.html

  • Routing loop when tracing to remote ip address on vpn concentrator

    When I try and ping a remote address on my vpn 3000 concentrator I get ttl exceded. When I try and tracert from my workstation to the remote address on my vpn 3000 I see a loop.
    Tracing route to x.3.17.145
    over a maximum of 30 hops:
    1    29 ms    31 ms    28 ms  172.4.0.20
      2    32 ms    30 ms    29 ms  172.4.0.25
      3    38 ms    29 ms    31 ms  172.3.0.21
      4    33 ms    30 ms    32 ms  172.4.0.25
      5    32 ms    49 ms    27 ms  172.3.0.21
      6    35 ms    30 ms    38 ms  172.4.0.25
      7    31 ms    28 ms    28 ms  172.3.0.21
       8    28 ms    28 ms    42 ms  172.4.0.25
      9    38 ms    27 ms    32 ms  172.3.0.21
    10    35 ms    28 ms    36 ms  172.4.0.25
    11    35 ms    27 ms    28 ms  172.3.0.21
    12    30 ms    28 ms    28 ms  172.4.0.25
    13    39 ms    30 ms    43 ms  172.3.0.21
    14    48 ms    28 ms    29 ms  172.4.0.25
    15    36 ms    28 ms    34 ms  172.3.0.21
    16    39 ms    39 ms    56 ms  172.4.0.25
    17    42 ms    38 ms    47 ms  172.3.0.21
    18    35 ms    39 ms    41 ms  172.4.0.25
    19    49 ms    32 ms    29 ms  172.3.0.21
    20    32 ms    28 ms    29 ms  172.4.0.25
    21    28 ms    43 ms    30 ms  172.3.0.21
    22    37 ms    32 ms    34 ms  172.4.0.25
    23    29 ms    31 ms    32 ms  172.3.0.21
    24    29 ms    33 ms    31 ms  172.4.0.25
    25    32 ms    41 ms    43 ms  172.3.0.21
    26    43 ms    29 ms    39 ms  172.4.0.25
    27    47 ms    33 ms    31 ms  172.3.0.21
    28    37 ms    29 ms    35 ms  172.4.0.25
    29    44 ms    30 ms    91 ms  172.3.0.21
    30    31 ms    41 ms    50 ms  172.4.0.25
    172.3.0.21 is my private interface on the vpn 3000.
    172.4.0.20 is my public interface on the vpn 3000.
    172.4.0.25 is the default gateway / router interface on my router.
    interface GigabitEthernet1/1/0.1
    description connected to LAN
    encapsulation dot1Q 1 native
    ip address 10.3.0.25 255.255.255.0
    interface GigabitEthernet0/0.4
    description vpn 3000 concentratorconnection
    encapsulation dot1Q 4
    ip address 10.4.0.25 255.255.255.0
    172.3.0.21 has a no default gateway on the vpn conentrator.
    172.3.0.21 has a default gateway 172.4.0.25  on the vpn concentrator.

    Hi John
    could you clarify where you are pinging from and where you are pinging to please?
    From the LAN to a destination across a VPN tunnel?
    Or from a source across the VPN tunnel to a host on the concentrator's LAN?
    Or from a source across the VPN tunnel to a host on the Internet?
    I suppose your last line has a typo, it should be
    172.4.0.21 has a default gateway 172.4.0.25  on the vpn concentrator.
    right?
    Apart from the default gateway are there any other static routes configured on the vpn3k and the router? No dynamic routing protocol?
    tnx
    Herbert

  • VPN Concentrator authentication with multiple domains

    I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access but site A and site B have their own domains that are independant of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A domain using site A's domain controller and authenticate users the belong to site B domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication seperate.
    Thanks in advance for any help.

    To authenticate users that belong to site A domain using site A's domain controller you should authenticate users the belong to site A domain using site A's domain controller

  • PIX, ASA or VPN concentrator & dynamic VPN

    Hi all,
    I need help what to use and how to do next.
    What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
    How to do that dynamically? Is it possible to do that with one certificate?
    Other question is what to use? ..PIX, ASA, VPN concentrator ?
    BR
    jl

    The PIX and VPNC are both end of sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preffered platform for Remote Access VPNs.
    You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
    "every user is member of more than one group "
    Some links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
    With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
    Pls. rate if helpful.
    Regards
    Farrukh

  • What am I missing with VPN enforcement?

    I'm making sense of how to implement the VPN Enforcement feature and would like to hear from others who have set it up.
    The way I understand it to work is this...
    User connects to the internet (eg with a laptop using a 3G card). Once it detects the internet connection, it switches to the Location specified in the "Switch To" setting on the VPN Enforcement page.
    And I have it prompting to connect to the VPN client at this point.
    What is puzzling me is... what's the point?
    It doesn't seem to make a difference whether the user connects to the VPN or not. The Location in the Switch To setting can have certain restrictions but once connected to the VPN, the Location doesn't change. So, before or after connection to the VPN the same restrictions are in place.
    Perhaps I'm missing something in the way this is meant to work.
    How has anyone else set this up?
    Ideally what I want to happen is....
    User connects to the internet - so has enough restrictions (or un-restrictions) to allow this. This would include connecting at an airport or hotel where you connect via a web page. Usually this would be with a 3G modem
    then the user is forced to connect to their VPN (in our case we have a dongle and log in. So, I can cause the login screen to appear on VPN switching)
    Only allow internet access as long as the VPN is connected. And block access if it is not.
    Any thoughts are happily received, thanks
    Alison

    Here is a brief description of what needs to be done in order for VPN Enforcement to work.
    1) The "Unknown" location should have a "stateful" firewall assigned. This allows the endpoint to see all APs and also authenticate to them.
    2) The VPN Location should have an "all closed" firewall. This location will be used to switch to once the endpoint gains internet connection (the ZSC checks this automatically). You have to setup a single ACL rule
    that points to the IP address of your VPN concentrator (so now the only accessible service/device is the VPN)
    3) In the "VPN Enforcement" settings, enter the IP address of the VPN concentrator, the trigger location (at a minimum this is the Unknown), and "Switch to" locations (this is the location you set up in step 2)
    5) Again, in "VPN Enforcement" configure the settings needed to make your VPN client to connect "automagically" to the VPN concentrator (client path, and optionally any arguments).
    Please note that internet connectivity triggers the enforcement. If someone connects to an AP or wired network that requires authentication (such as you see at a coffee house or hotel), then the Internet connectivity fails.
    Hope this clarifies,
    Daniel
    >>>
    From: AWhitwood<[email protected]>
    To:novell.support.zenworks.endpoint-security-management
    Date: 7/8/2009 10:06 PM
    Subject: Re: What am I missing with VPN enforcement?
    Excellent - thanks Indy
    That is pretty much the same as what I'm setting up. Would you mind
    expanding on how you've set this up....I've put your original comments
    in blue
    1) Users log in and change their location to 'Wired/Wireless/3G'.
    I know our users won't manually switch Locations themselves.
    I've got this set up to detect the Unknown location which is anything
    that is away from the office wired network.
    2) Once they have connected to a secure wifi hotspot or their vodafone
    3g dongle is connected the location automatically switches to 'Secure
    VPN'.
    Once they are on the internet, ourLcoation does switch from
    "Unknown" to "Away from the Office" (or "VPN" in your system). Can I
    ask you what your Firewall settings are on your VPN location? Are there
    any restrictions? eg I had it All Blocked but of course it stopped it
    connecting the VPN client so I've now got it set to All Stateful.
    3) After a few seconds the Cisco VPN Client automatically loads and the
    user has to connect via that to get internet connectivity otherwise they
    get nothing.
    I have this too - the client VPN launches and the user is prompted
    to login. But what if they don't? what stops the internet working for
    them if they didn't log in? When you say "otherwise they get nothing" -
    what is it that prevents them getting to the internet if they have not
    connected to the VPN. This is exactly what I'm trying to set up so I'm
    very happy to hear that you've done it. What is puzzling me is how to
    have it blocking internet access unless it is through the VPN.
    I think its purpose is to make sure all internet traffic goes through
    your VPN and firewalls, settings, etc etc...
    Exactly what I want ! Thanks - I've just got to figure out how to
    do it.
    Hope that helps,
    That helped a lot.
    Alison
    AWhitwood
    AWhitwood's Profile: http://forums.novell.com/member.php?userid=4390
    View this thread: http://forums.novell.com/showthread.php?t=379389

  • AAA VPN Concentrator 3005

    Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning and after configuring it ,I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session, nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working on the ACS Logs but I am getting invalid login on the VPN Concentrator. Is there anything I can do at this point?

    Was using the wrong type cable to console into the Concentrator. Done a password reset from the console and that allowed me back in.
    Cheers
    Brian

  • VPN concentrator and webVPN

    Hi,
    Trying to setup VPNc 3005 for WebVPN.
    The VPNc is configured with NTP server so
    the clock is fine. I installed SSL vpn
    client and SecureDesktop software onto the VPNc. Create a local account and
    group. When I perform https://vpnc/admin.html, I can manage the
    VPNc from the external interface so the
    certificate is good.
    When I do http://vpnc from the same XP Service Pack 2 workstation, it attemped
    to install both ssl vpn client and secure desktop onto my winXP, I have admin privilege on the XP machine, then
    it tells me that the vpn concentrator
    has a server certificate error. I've
    attached the screen shot. Anyone know
    what it is? Thanks.

    If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684

  • Unable to access vpn box internal address after vpn

    Hi all. My office network is protected by asa5510 firewall with vpn configured. When i vpn into my office network i could not access the firewall via the firewall's internal address using telnet etc even though i have already enable telnet. The firewall is my office network gateway. Below is my config. Pls advise. Thks in advance. Access to my office network is fine using vpn.
    hostname firewall
    domain-name default.domain.invalid
    enable password xxx
    names
    dns-guard
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.1x.x 255.255.255.0
    interface Ethernet0/1
    nameif DMZ
    security-level 50
    ip address 192.168.2x.x 255.255.255.0
    interface Ethernet0/2
    nameif outside
    security-level 0
    ip address 8x.x.x.x 255.255.255.240
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    passwd xxx
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended deny ip any any
    access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
    access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
    access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm-buffer-size 500
    logging asdm informational
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    mtu management 1500
    ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
    no failover
    monitor-interface inside
    monitor-interface DMZ
    monitor-interface outside
    monitor-interface management
    asdm image disk0:/asdm-507.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 100 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 100 192.168.1x.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 8x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy vpn internal
    group-policy vpn attributes
    dns-server value 192.168.1x.x 192.168.1x.x
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    webvpn
    username ciscoadm password xxx encrypted privilege 15
    username ciscoadm attributes
    vpn-group-policy vpn
    webvpn
    http server enable
    http 192.168.1x.x 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection tcpmss 13800
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool addpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    telnet 192.168.1x.x 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    Hi all. Below is my configuration. After i enable "management-access inside" i could access my firewall internal ip via ping after establishing vpn connection but not others like telnet even though "telnet 0.0.0.0 0.0.0.0 inside" is enabled. Pls advise.
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.1x.254 255.255.255.0
    interface Ethernet0/1
    nameif DMZ
    security-level 50
    ip address 192.168.2x.254 255.255.255.0
    interface Ethernet0/2
    nameif outside
    security-level 0
    ip address 8x.xx.xx.xx 255.255.255.240
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    passwd xxx
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
    access-list inside_access_in extended permit esp any any
    access-list inside_access_in extended permit gre any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended deny ip any any
    access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
    access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0
    access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
    access-list prod standard permit host 192.168.1x.x
    access-list prod standard deny any
    pager lines 24
    logging enable
    logging asdm-buffer-size 500
    logging asdm informational
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    mtu management 1500
    ip local pool pool 172.16.0.1-172.16.0.20 mask 255.255.0.0
    no failover
    monitor-interface inside
    monitor-interface DMZ
    monitor-interface outside
    monitor-interface management
    asdm image disk0:/asdm-507.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 100 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 100 192.168.1x.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 8x.xx.xx.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy vpnuser internal
    group-policy vpnuser attributes
    dns-server value 192.168.1x.x 192.168.1x.x
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value prod
    default-domain value mm.com
    webvpn
    username user password xxx encrypted privilege 15
    username user attributes
    vpn-group-policy vpnuser
    webvpn
    http server enable
    http 192.168.1x.x 255.255.255.255 inside
    http 0.0.0.0 0.0.0.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection tcpmss 13800
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group vpnuser type ipsec-ra
    tunnel-group vpnuser general-attributes
    address-pool pool
    default-group-policy vpnuser
    tunnel-group vpnuser ipsec-attributes
    pre-shared-key *
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd dns 8x.x.1x.x 8x.x.x.x
    dhcpd lease 3600
    dhcpd ping_timeout 50
    dhcpd enable management

  • Vpn-framed-ip-address issue

    Hi Guys,
    I'm using a cisco 5510 ASA at the headoffice to provide the VPN (remote access vpn) connectivity to the branch offices.
    My local network is - 192.168.30.0 /24 and I've used a part of same segment for the vpn_pool as well ( i.e 192.168.30.152 -192.168.30.199). Further I'm using the vpn-framed-ip-address feature to allocate an unique ip address for each branch office when it connects.
    My problem is, though this setup worked fine at the begining, now sometimes when the vpn connections are established from remote branches, they take different ip addresses from the allocated vpn pool, rather than the specific ip address which is mentioned under the vpn-framed-ip-address command.
    Can anyone assist me with this issue?
    Regards,
    Suthakar

    Hi Javier,
    I think I have found out a solution for this problem.
    I've removed the ip vpn pool and its reference under tunnel group general-attributes
    ip local pool vpn_pool x.x.x.x - x.x.x.x
    tunnel-group x.x.x.x general-attributes
    address-pool vpn_pool
    since there is no ip-pool, now the remote client's are getting the exact individual ip addresses allocated for them with the vpn-framed-ip-address command.
    Thank you for your support.
    Regards,
    Suthakar

Maybe you are looking for

  • Fire Wire PC Card

    I have a PowerBook G4 with a Fantom Drive external hard drive. I have several FireWire peripherals, so I purchased an iogear GPF113 PC Card. I was running Panther and it was working with no problems. I just installed Tiger and now it won't even recgn

  • C3-00 strange icon on display

    Hallo everyone, I need Your help about a strange problem on my C3-00. Near the silent's mode icon I can see another icon. It seems a ring with a little triangle on the right side. What is that? I can't find nothing on my manual. Thanks a lot.

  • Problems downloading iTunes 10.6.3.  The System keeps telling me that download is corrupted.

    I have just bought a MBP Retina Display and have successfully mapped all my old apps and files across to this machine from the old MBP.  In doing a Software Update for the system I had the problem above when trying to upgrade iTunes.  Any similar pro

  • Desktop for BB 8700

    hi i have downloaded the software for 8700 v4.7 i have downloaded it and when i open it says it says 470_b059_multilanguage.exe is not a valid win32 application pls help

  • PEAP ACS certificate Replacement

    Hopfully an easy one. My customer has an ACS appliance with a 1 year certificate installed from a microsoft CA. They have 3months left on it so will replace it next week. The client certificates have 5 years left on them. As far as I know they should