ASA 8.0 VPN cluster with WEBVPN and Certificates
I'm looking for advice from anyone who has implemented or tested ASA 8.0 in a VPN cluster using WebVPN and the AnyConnect client. I have a stand-alone ASA configured with a public certificate for SSL as vpn.xxxx.org, which works fine.
According to the config docs for 8.0, you can use a FQDN redirect for the cluster so that certificates match when a user is sent to another ASA.
Has anyone done this? It looks like each box will need 2 certificates, the first being vpn.xxxx.org and the second being vpn1.xxxx.org or vpn2.xxxx.org depending on whether this is ASA1 or ASA2. I also need DNS forward and reverse entries, which is no problem.
I'm assuming the client gets presented the appropriate certificate based on the HTTP GET.
Has anyone experienced any issues with this? Things to look out for migrating to a cluster? Any issues with replicating the configuration and certificate to a second ASA?
Example: Assuming ASA1 is the current virtual cluster master and is also vpn1.xxxx.org. ASA 2 is vpn2.xxxx.org. A user browses to vpn.xxxx.org and terminates to ASA1, the current virtual master. ASA1 should present the vpn.xxxx.org certificate. ASA1 determines that it has the lowest load and redirects the user to vpn1.xxxx.org to terminate the WebVPN session. The user should now be presented a certificate that matches vpn1.xxxx.org. ASA2 should also have the certificate for vpn.xxxx.org in case it becomes the cluster master during a failure scenario.
Thanks,
Mark
There is a bug associated with this issue: CSCsj38269. Apparently it is fixed in the interim release 8.0.2.11, but when I upgraded to 8.0.3 this morning the bug is still there.
Here are the details:
Symptom:
========
ASA 8.0 load balancing cluster with WEBVPN.
When connecting using a web browser to the load-balancing IP address or FQDN,
the certificate sent to the browser is NOT the certificate from the trustpoint
assigned for load balancing using the
"ssl trust-point vpnlb-ip" command.
Instead it uses the ssl trust-point certificate assigned to the interface.
This will generate a certificate warning in the browser, as the URL entered
in the browser does not match the CN (common name) in the certificate.
Other than the warning, there is no functional impact if the end user
accepts the warning and proceeds.
Condition:
=========
webvpn with load balancing is used
Workaround:
===========
1) downgrade to latest 7.2.2 interim (7.2.2.8 or later)
Warning: configs are not backward compatible.
2) upgrade to 8.0.2 interim (8.0.2.11 or later)
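As an added example (not part of the thread and not Cisco's code), here is the check a practitioner would run against a cluster before and after the upgrade: connect to the cluster FQDN and to each member's FQDN, and compare the names in the presented certificate with the name used to connect. The certificate is chosen during the TLS handshake, before the browser sends any HTTP request; on the ASA it is selected per interface address, or per load-balancing address once a trustpoint is bound with `ssl trust-point ... vpnlb-ip`, so this check is exactly what exposes the symptom in the bug above (the VIP answering with the interface certificate). The hostnames below are placeholders (example.org) standing in for the poster's vpn.xxxx.org, and SAMPLE_CERTS is constructed to model the symptom; the live fetcher only needs the real names.

```python
"""Added example: which certificate does each name in an ASA VPN load-balancing
cluster actually present? Hostnames are placeholders, not the poster's."""
import socket
import ssl


def cert_dns_names(cert):
    """Names a certificate is valid for, from a dict in ssl.getpeercert() format:
    subjectAltName dNSName entries, falling back to the subject CN only when the
    certificate has no SAN (the rule browsers apply)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard standing for the whole left-most label only:
    '*.example.org' matches vpn1.example.org but not a.b.example.org or example.org."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def fetch_cert(hostname, port=443, timeout=5.0):
    """Return the leaf certificate the server presents for `hostname` (SNI is sent).
    Hostname checking is off so a mismatched certificate is returned rather than
    raising; chain validation stays on, because getpeercert() returns an empty
    dict for a certificate that was not validated, so an untrusted chain raises."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def audit_cluster(vip_fqdn, member_fqdns, fetch=fetch_cert):
    """One row per name a client can land on: (fqdn, name matches, names in cert).
    With the bug described in the thread, the VIP row is the one that fails."""
    rows = []
    for fqdn in [vip_fqdn, *member_fqdns]:
        try:
            cert = fetch(fqdn)
        except (OSError, ssl.SSLError) as exc:
            rows.append((fqdn, False, f"no validated certificate: {exc}"))
            continue
        presented = ", ".join(cert_dns_names(cert)) or "<no DNS names>"
        rows.append((fqdn, cert_matches_host(cert, fqdn), presented))
    return rows


# Constructed certificates in ssl.getpeercert() format (assumption, not captured
# from a device): the VIP answers with the first member's interface certificate.
def _cert(cn, *sans):
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans)}


SAMPLE_CERTS = {
    "vpn.example.org": _cert("vpn1.example.org", "vpn1.example.org"),  # wrong cert on the VIP
    "vpn1.example.org": _cert("vpn1.example.org", "vpn1.example.org"),
    "vpn2.example.org": _cert("vpn2.example.org", "vpn2.example.org"),
}


def demo():
    """Run the audit against the constructed certificates instead of the network."""
    return audit_cluster("vpn.example.org", ["vpn1.example.org", "vpn2.example.org"],
                         fetch=lambda fqdn: SAMPLE_CERTS[fqdn])


if __name__ == "__main__":
    for fqdn, ok, detail in demo():
        print(f"{'OK  ' if ok else 'FAIL'} {fqdn:<20} presented: {detail}")
```

Against a live cluster, call audit_cluster with the real VIP and member names and the default fetcher; a FAIL on the VIP row with a member name in the "presented" column is the symptom from the bug report, and a FAIL on a member row means that box's interface trustpoint is wrong. Because chain validation is left on, a self-signed interface certificate shows up as "no validated certificate" rather than as a name mismatch, which is itself worth knowing before users see it.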
Similar Messages
-
I've been having trouble getting iMessage to send messages. I decided to connect to my VPN (along with wifi) and it worked. Why won't it work via my wifi connection alone?
Using FaceTime http://support.apple.com/kb/ht4319
Troubleshooting FaceTime http://support.apple.com/kb/TS3367
The Complete Guide to FaceTime + iMessage: Setup, Use, and Troubleshooting
http://tinyurl.com/a7odey8
Troubleshooting FaceTime and iMessage activation
http://support.apple.com/kb/TS4268
iOS: FaceTime is 'Unable to verify email because it is in use'
http://support.apple.com/kb/TS3510
Using FaceTime and iMessage behind a firewall
http://support.apple.com/kb/HT4245
iOS: About Messages
http://support.apple.com/kb/HT3529
Set up iMessage
http://www.apple.com/ca/ios/messages/
iOS 6 and OS X Mountain Lion: Link your phone number and Apple ID for use with FaceTime and iMessage
http://support.apple.com/kb/HT5538
How to Set Up & Use iMessage on iPhone, iPad, & iPod touch with iOS
http://osxdaily.com/2011/10/18/set-up-imessage-on-iphone-ipad-ipod-touch-with-ios-5/
Troubleshooting Messages
http://support.apple.com/kb/TS2755
Troubleshooting iMessage Issues: Some Useful Tips You Should Try
http://www.igeeksblog.com/troubleshooting-imessage-issues/
Setting Up Multiple iOS Devices for iMessage and Facetime
http://macmost.com/setting-up-multiple-ios-devices-for-messages-and-facetime.html
FaceTime and iMessage not accepting Apple ID password
http://www.ilounge.com/index.php/articles/comments/facetime-and-imessage-not-accepting-apple-id-password/
FaceTime, Game Center, Messages: Troubleshooting sign in issues
http://support.apple.com/kb/TS3970
Unable to use FaceTime and iMessage with my apple ID
https://discussions.apple.com/thread/4649373?tstart=90
How to Block Someone on FaceTime
http://www.ehow.com/how_10033185_block-someone-facetime.html
My Facetime Doesn't Ring
https://discussions.apple.com/message/19087457
Send an iMessage as a Text Message Instead with a Quick Tap & Hold
http://osxdaily.com/2012/11/18/send-imessage-as-text-message/
To send messages to non-Apple devices, check out the TextFree app https://itunes.apple.com/us/app/text-free-textfree-sms-real/id399355755?mt=8
How to Send SMS from iPad
http://www.iskysoft.com/apple-ipad/send-sms-from-ipad.html
You can check the status of the FaceTime/iMessage servers at this link.
http://www.apple.com/support/systemstatus/
Cheers, Tom -
Oracle Cluster, Oracle Cluster with RAC and Oracle 10g
Is there a difference between Oracle Cluster and Oracle Cluster with RAC? Please explain. Do existing database codes run unmodified in Cluster or Cluster with RAC environment? What needs to be modified to make existing SQL codes RAC-aware. How to achieve 'all automatic' in case of failure and resubmission of Queries from failed instance to a running instance?
In 10g environment, do we need to consider licensing of RAC as a separate product? What are additional features one derives in 10g that is not in Cluster +RAC?
Your comments and pointers to a comparison study and pictorial clarification will be very helpful.
An Oracle cluster like Failsafe before it, or Veritas Cluster or another vendor's cluster, is meant for HA (high availability) purposes: 2 or more nodes can see a shared disk, with 1 active node. Whenever this active node fails, the other machine will know through the heartbeat and will take the database over from there.
Oracle RAC is more for HA and load balance. In Oracle RAC 2 or more nodes are accessing the database at the same time so it spread load across all these nodes.
I believe Oracle 10g RAC still needs a separate license. But you need to call Oracle or check the production document to verify it.
Oracle 10g, besides improvements in RAC, has its main improvement in the built-in management of the database itself. It can monitor and self-tune itself to a much further level than before and give the DBA much more information to determine the cause of a problem as well. Plus improvements in lots of utilities as well, like RMAN, Data Pump etc. I don't want to get into too much detail on this; you can check their 10g new features for a more detailed view.
Hope this helps. :) -
How to create an intensity waveform graph cluster with t_0 and dt ?
Hi all,
I would like to know whether it is possible to create an intensity waveform like you can do with a 1-d waveform (with "build waveform") so that you get a cluster with the waveform array, the t_0, the dt and the attributes.
If not, I would like to know the following: I use references to cluster typedefs to update my controls and indicators on the front panel. Now if I use a property node for the intensity graph to set the offset and multiplier on the x-scale, the x-scale on the graphs in the sub-VI works perfectly, however not on the real front panel, probably since these get updated through a reference. Does anyone have a clue how to fix this?
Regards, Pieter
You are only writing the "value" of the type definition via the property node. This does not include properties such as offset and multiplier.
On a sidenote, you are using way too much code for most operations.
For example, the to-I32 can be placed on the cluster, so only one instance is needed.
Also property nodes are resizeable, so only one instance is needed.
There are also Rube Goldberg constructs, such as ">0 *AND* TRUE", which is the same as a simple ">0"
Overall, you are really fragmenting memory by constantly building and then resizing arrays to keep them at a max size of 2880. This can cause performance problems due to the constant need of reallocations. It might be better to use fixed size arrays and do things "in place".
Message Edited by altenbach on 03-19-2009 09:57 AM
LabVIEW Champion . Do more with less code and in less time .
Attachments:
OneIsEnough.png 8 KB
CombineProperties.png 3 KB -
Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP
Hi Rizwan,
Thanks for your response. I updated the configuration per your response below... It still doesn't work. Please see my new config files below. Please help. Thanks in advance for your help....
Hi Pinesh,
Please make the following changes on host officeasa:
remove the line highlighted below.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
Please make the following changes on host homeasa:
It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1
route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx (default gateway on homeasa).
Hope that helps, if not please open a new thread.
Thanks
Rizwan Rafeek
New config files..
Site-A: (Office):
Hostname: asaoffice
Inside: 10.10.5.0/254
Outside e0/0: Static IP 96.xxx.xxx.118/30
Site-B: (Home):
Hostname: asahome
Inside: 10.10.6.0/254
Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
Site-A:
officeasa(config)# sh config
: Saved
: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname officeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address 96.xxx.xxx.118 255.255.255.252
interface Vlan3
nameif inside
security-level 100
ip address 10.10.5.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
access-list ormtST standard permit 10.10.5.0 255.255.255.0
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.5.101-10.10.5.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy ormtGP internal
group-policy ormtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ormtST
address-pools value ormtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type remote-access
tunnel-group ormtProfile type remote-access
tunnel-group ormtProfile general-attributes
default-group-policy ormtGP
tunnel-group ormtProfile webvpn-attributes
group-alias OFFICE enable
tunnel-group defaultL2LGroup type ipsec-l2l
tunnel-group defaultL2LGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
officeasa(config)#
Site-B:
Home ASA Configuration:
homeasa# sh config
: Saved
: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname homeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif inside
security-level 100
ip address 10.10.6.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list hrmtST standard permit 10.10.6.0 255.255.255.0
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1 (IP address of the Dynamic IP from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.6.101-10.10.6.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy hrmtGP internal
group-policy hrmtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hrmtST
address-pools value hrmtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type admin
tunnel-group hrmtProfile type remote-access
tunnel-group hrmtProfile general-attributes
default-group-policy hrmtGP
tunnel-group hrmtProfile webvpn-attributes
group-alias hrmtCGA enable
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
tunnel-group 96.xxx.xxx.118 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
homeasa#
Thanks Rizwan,
Still no luck. I can't even ping the other side (office). I am not sure if I'm running the debug the right way. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office Cisco ASA5505 IP on the local side. I also tried pinging the server on the other side (office) which is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)# -
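An added example (my code, not Rizwan's or Cisco's) of the static check I would run on both configs before touching debugs again: "There are no isakmp sas" with nothing in `debug crypto isakmp` means no crypto map ever triggered IKE, and that is usually a naming problem. ASA object names are case-sensitive, and in the two configs above the map applied to the interface and the map holding the entries differ only in case (out_L2lMap vs out_L2LMap on officeasa, L2Lmap vs L2LMap on homeasa); officeasa also keeps its pre-shared key on a group named defaultL2LGroup, which is not the built-in DefaultL2LGroup that a dynamic peer falls back to. The checker below flags exactly those conditions plus a missing `match address` / `set peer` / `set transform-set` and PFS group1. The sample configs are constructed excerpts of the ones posted above, with the redacted peer address kept as posted; the "fixed" sample only shows what the checker accepts, it is not a claim that it brings the tunnel up.

```python
"""Added example: consistency checks for ASA 8.x crypto-map / tunnel-group config.
Name comparisons are case-sensitive, as they are on the ASA."""
import re
from collections import defaultdict

DEFAULT_L2L_GROUP = "DefaultL2LGroup"  # ASA's built-in group for L2L peers with no group of their own
MAP_RE = re.compile(r"^crypto (map|dynamic-map) (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse_crypto(config):
    """Collect map entries (name -> seq -> attrs), dynamic-map entries, interface
    bindings (map name -> interface) and the names of ipsec-l2l tunnel-groups."""
    maps = defaultdict(lambda: defaultdict(dict))
    dynamic = defaultdict(lambda: defaultdict(dict))
    bound, groups = {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := BIND_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := MAP_RE.match(line):
            kind, name, seq, rest = m.groups()
            entry = (maps if kind == "map" else dynamic)[name][int(seq)]
            w = rest.split()
            if w[:2] == ["match", "address"]:
                entry["acl"] = w[2]
            elif w[:2] == ["set", "peer"]:
                entry["peers"] = w[2:]
            elif w[:2] == ["set", "transform-set"]:
                entry["transform"] = w[2:]
            elif w[:2] == ["set", "pfs"]:
                entry["pfs"] = w[2] if len(w) > 2 else "group2"  # bare 'set pfs' defaults to group2
            elif w[:2] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = w[2]
        elif m := TG_RE.match(line):
            groups.add(m.group(1))
    return maps, dynamic, bound, groups


def check_crypto(config):
    """Return human-readable findings; an empty list means every check passed."""
    maps, dynamic, bound, groups = parse_crypto(config)
    findings = []
    for name, iface in bound.items():
        if name not in maps:
            lookalikes = [n for n in maps if n.lower() == name.lower()]
            hint = f" (case-variant entries exist: {', '.join(lookalikes)})" if lookalikes else ""
            findings.append(f"crypto map '{name}' is applied to {iface} but has no entries{hint}")
    for name in maps:
        if name not in bound:
            findings.append(f"crypto map '{name}' has entries but is never applied to an interface")
        for seq, entry in sorted(maps[name].items()):
            if "dynamic" in entry:
                if entry["dynamic"] not in dynamic:
                    findings.append(f"crypto map '{name}' {seq} references missing dynamic-map '{entry['dynamic']}'")
                continue
            for key, label in (("acl", "match address"), ("peers", "set peer"), ("transform", "set transform-set")):
                if key not in entry:
                    findings.append(f"crypto map '{name}' {seq} is missing '{label}'")
            for peer in entry.get("peers", []):
                if peer not in groups:
                    findings.append(f"crypto map '{name}' {seq} peer {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
    for name, entries in list(maps.items()) + list(dynamic.items()):
        for seq, entry in entries.items():
            if entry.get("pfs") == "group1":
                findings.append(f"'{name}' {seq} uses PFS group1 (768-bit DH); use group2 or stronger")
    for group in groups:
        if group != DEFAULT_L2L_GROUP and group.lower() == DEFAULT_L2L_GROUP.lower():
            findings.append(f"tunnel-group '{group}' is not the built-in '{DEFAULT_L2L_GROUP}'; "
                            "a peer with no tunnel-group of its own falls back to the built-in one")
    return findings


# Constructed excerpts of the two configs posted in the thread (assumption: these
# are the only crypto-relevant lines that matter for the checks above).
OFFICE_CFG = """
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
tunnel-group defaultL2LGroup type ipsec-l2l
"""
HOME_CFG = """
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
"""
# Same home entries under one consistently-cased name: what the checker accepts.
FIXED_HOME_CFG = HOME_CFG.replace("L2Lmap", "L2LMap")

if __name__ == "__main__":
    for label, cfg in (("officeasa", OFFICE_CFG), ("homeasa", HOME_CFG), ("homeasa-fixed", FIXED_HOME_CFG)):
        print(label, check_crypto(cfg) or ["ok"])
```

Run it on the output of `show running-config` from each box; every finding maps to one line to fix or add. The case check is deliberately strict because the ASA's is: `show crypto map` lists the map with entries and the interface binding separately, and only the exact name applied with `crypto map NAME interface outside` takes effect.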
Write/Read cluster with ftp and datasocket
I try to save a cluster to a file on my RT-target from my host machine via ftp and datasocket. I can use the DS examples between host and target but when I connect a cluster to either DS Write or DS Read the VI stops with error 42 (Generic error). The help for DataSocket does not mention any restriction concerning the data type. Is this a bug or a feature?
I found a workaround by saving the cluster to a local file and transferring this to the RT-target with FTP-VI's but the DataSocket solution would be much simpler.
LabVIEW 8.6.1
Attachments:
clusterDS.jpg 24 KB
Error42.jpg 12 KB
Hi,
I found the reason for the generic error: the file to write or read has to have an extension "dsd" (or "wav"), otherwise you'll get the error. With a .dsd extension I was able to save the cluster. I have not yet managed to read it back but at least DS Read does not abort with the generic error. Interesting thing is, if you use another extension than dsd when writing, an empty file is actually created on the target system.
Attachments:
DSWriteCluster.vi 7 KB
DSReadCluster.vi 10 KB -
Weblogic Cluster with i686 and Itanium
Hello,
I want to configure a Bea Weblogic 8.1 Cluster including an itanium and a i686
server.
I have successfully configured a weblogic cluster with 2 Sun servers.
Now I want to use for my weblogic cluster an itanium server together with an Intel
i686 server both running on linux with jrockit as jvm.
Is it possible to do this with two different hardware platforms to use a Weblogic
Cluster?
Michael -
WebVPN and certificates**nevermind!**
Does anyone have any experience with certs? I bought and installed a cert for the WebVPN product and I am still getting the "...do you really trust this? you don't know who is sending you this cert" message... any links/comments would surely help me out. Thanks
I had too many certs configured on my vpn box. I deleted any self-generated certs and left the one I bought, and this solved the problem!
The ASA/PIX is not able to validate WebVPN/SSL VPN Client certificates using OCSP as the certificate revocation list (CRL) method. This is a new feature.
-
ASA site-site VPN error using Microsoft Digital Certificates.
Hi,
I configured site-site between ASAs with authentication type RSA-SIG for Phase 1. I got manual certificates from a Microsoft CA server but am not able to form the tunnel. Need someone's help badly on this issue.
ASA1 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group 200.160.126.30 type ipsec-l2l
tunnel-group 200.160.126.30 ipsec-attributes
peer-id-validate cert
trust-point CA1
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 200.160.126.30
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa1.cisco.com
keypair my.ca.key
crl configure
ASA-2 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 59.160.128.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
tunnel-group 59.160.128.50 type ipsec-l2l
tunnel-group 59.160.128.50 ipsec-attributes
peer-id-validate cert
trust-point CA1
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa2.cisco.com
keypair my.ca.key
crl configure
Debug Output:
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 59.160.128.50, IKE Initiator: New Phase 1, Intf inside, IKE Peer 59.160.128.50 local Proxy Address 172.16.1.0, remote Proxy Address 192.168.1.0, Crypto map (outside_map)
%ASA-7-715046: IP = 59.160.128.50, constructing ISAKMP SA payload
%ASA-7-715046: IP = 59.160.128.50, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-609001: Built local-host NP Identity Ifc:200.160.126.30
%ASA-7-609001: Built local-host outside:59.160.128.50
%ASA-6-302015: Built outbound UDP connection 122 for outside:59.160.128.50/500 (59.160.128.50/500) to NP Identity Ifc:200.160.126.30/500 (200.160.126.30/500)
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-715047: IP = 59.160.128.50, processing SA payload
%ASA-7-713906: IP = 59.160.128.50, Oakley proposal is acceptable
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Fragmentation VID
%ASA-7-715064: IP = 59.160.128.50, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
%ASA-7-715046: IP = 59.160.128.50, constructing ke payload
%ASA-7-715046: IP = 59.160.128.50, constructing nonce payload
%ASA-7-715046: IP = 59.160.128.50, constructing certreq payload
%ASA-7-715046: IP = 59.160.128.50, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 59.160.128.50, constructing xauth V6 VID payload
%ASA-7-715048: IP = 59.160.128.50, Send IOS VID
%ASA-7-715038: IP = 59.160.128.50, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 59.160.128.50, constructing VID payload
%ASA-7-715048: IP = 59.160.128.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-715047: IP = 59.160.128.50, processing ke payload
%ASA-7-715047: IP = 59.160.128.50, processing ISA_KE payload
%ASA-7-715047: IP = 59.160.128.50, processing nonce payload
%ASA-7-715047: IP = 59.160.128.50, processing cert request payload
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Cisco Unity client VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received xauth V6 VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715038: IP = 59.160.128.50, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 59.160.128.50, Generating keys for Initiator...
%ASA-7-715046: IP = 59.160.128.50, constructing ID payload
%ASA-7-715046: IP = 59.160.128.50, constructing cert payload
%ASA-7-715001: IP = 59.160.128.50, constructing RSA signature
%ASA-7-715076: IP = 59.160.128.50, Computing hash for ISAKMP
%ASA-7-713906: Constructed Signature Len: 128
%ASA-7-713906: Constructed Signature:
0000: 4FB66432 FCA9DA52 5420E6C1 DF8293AC O.d2...RT ......
0010: DE3533F1 7036E5C8 40B11A9D 5C68C884 .53.p6..@...\h..
0020: D4BCA531 BAE87710 09D1AD06 7994CD1B ...1..w.....y...
0030: DCEDB9CE E971F21B 0104C06A 1901FACE .....q.....j....
0040: D1E8AED1 7684DFDA 40E98BC2 E195F3C8 ....v...@.......
0050: 3625E936 E35F47A3 F44BC326 62E99135 6%.6._G..K.&b..5
0060: 88EB90FF 10938CC3 0FFAA576 A9DBD9AD ...........v....
0070: 65592C71 5A13C4C5 8EBA60F6
%ASA-7-715034: IP = 59.160.128.50, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: IP = 59.160.128.50, constructing dpd vid payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
%ASA-7-713906: IP = 59.160.128.50, IKE SA MM:f2cbbafa terminating: flags 0x0100c022, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 59.160.128.50, sending delete/delete with reason message
%ASA-7-715046: IP = 59.160.128.50, constructing blank hash payload
%ASA-7-715046: IP = 59.160.128.50, constructing IKE delete payload
%ASA-7-715046: IP = 59.160.128.50, constructing qm hash payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=372e03ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-3-713902: IP = 59.160.128.50, Removing peer from peer table failed, no match!
%ASA-4-713903: IP = 59.160.128.50, Error: Unable to remove PeerTblEntry
Kindly suggest further steps.
Regards,
Mon
Hi Mate,
your ASA is sending the ASA certificate:
but after that we are receiving an ISAKMP notify message which tears down the connection?
Somehow the remote peer didn't like the ASA certificate.
Do you have access to that peer? Is it a Cisco ASA?
Is the time synchronized with that side?
Is the CA certificate installed on that peer?
HTH
Mohammad. -
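The reply above reads the debug by hand; as an added example (not from the thread, and not Cisco tooling), here is a Python triage script that parses ASA IKE debug lines like the ones pasted, counts the unencrypted INVALID_COOKIE drops (message 713904) and walks the Main Mode FSM error history (715065) to show where the negotiation stalled. The sample lines are a constructed excerpt of the output quoted above, and the state-meaning table is my own summary of IKEv1 Main Mode, not ASA text.

```python
import re
from collections import Counter

# Constructed sample: a short excerpt of the ASA IKE debug output quoted in the thread above.
SAMPLE_LOG = """\
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
%ASA-7-713906: IP = 59.160.128.50, IKE SA MM:f2cbbafa terminating: flags 0x0100c022, refcnt 0, tuncnt 0
"""

LINE_RE = re.compile(r"^%ASA-(\d)-(\d{6}): (?:IP = (\S+), )?(.*)$")
FSM_RE = re.compile(r"FSM error history .*?<state>, <event>: (.*)$")

# Main Mode initiator states in which a negotiation commonly stalls, and what the initiator
# had already sent when it got stuck there (my own summary of IKEv1 Main Mode, not ASA text).
MM_STATE_MEANING = {
    "MM_WAIT_MSG2": "MM1 (our proposals) sent, no MM2 from the peer",
    "MM_WAIT_MSG4": "MM3 (our key exchange) sent, no MM4 from the peer",
    "MM_WAIT_MSG6": "MM5 (our identity and certificate/signature) sent, no MM6: "
                    "the peer did not accept our authentication",
}

def parse_lines(log_text):
    """Yield (severity, msg_id, peer_ip, text) for every well-formed %ASA syslog line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sev, msg_id, peer, text = m.groups()
            yield int(sev), msg_id, peer, text

def parse_fsm_history(text):
    """Turn 'MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->...' into (state, event) pairs, newest first."""
    m = FSM_RE.search(text)
    if not m:
        return []
    pairs = []
    for entry in m.group(1).split("-->"):
        state, _, event = entry.partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs

def triage(log_text):
    """Summarise a failed IKEv1 Main Mode negotiation from ASA debug output for one peer."""
    msg_ids, peers, fsm = Counter(), Counter(), []
    for _sev, msg_id, peer, text in parse_lines(log_text):
        msg_ids[msg_id] += 1
        if peer:
            peers[peer] += 1
        if msg_id == "715065":            # the FSM error history is the most useful single line
            fsm = parse_fsm_history(text)
    # 713904: the peer answered with an unencrypted INVALID_COOKIE notify, i.e. it no longer
    # holds an ISAKMP SA for our cookies and has already given up on this negotiation.
    auth_fail_states = [state for state, event in fsm if event == "EV_PROB_AUTH_FAIL"]
    stuck = auth_fail_states[0] if auth_fail_states else None
    return {
        "peer": peers.most_common(1)[0][0] if peers else None,
        "invalid_cookie_drops": msg_ids["713904"],
        "auth_failure": bool(auth_fail_states),
        "stuck_state": stuck,
        "meaning": MM_STATE_MEANING.get(stuck, "no Main Mode authentication failure recorded"),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the pasted output the verdict is MM_WAIT_MSG6 with EV_PROB_AUTH_FAIL: the ASA sent its identity and certificate in MM5 and the peer never answered with MM6, which is the same conclusion the reply reaches by reading the lines.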
How to set up Windows with Reader and certificate for all users
Good afternoon (GMT),
we're dealing with a Win XP (SP3) system that is set up by an Administrator. One task is to set up the system in a way that all users (w/o admin rights) become able to read a certificate-protected PDF. Currently we know a way to install the "public key" for this certificate only for one known user. But how to proceed when not all users are known? The users shall later on never be asked to confirm the certificate installation/registration.
If it helps, here is the software version:
Acrobat 8.12 to encrypt the PDF via certification. In near future I will switch to Acrobat 9.x
Reader 7.x and/or 8.x on customer PCs.
Thank you for ideas and hints.
BTW: Next time we want to provide a solution for Win7 systems, too.
Carsten
Check Time Zone Specification from http://docs.oracle.com/cd/E12844_01/doc/bip.1013/e12187/T421739T481157.htm#4535403
just in case https://blogs.oracle.com/xmlpublisher/entry/how_to_keep_your_dates_from_go -
Tax posting with retention and certificate
Hi,
Can you please help me? I need to have a tax code which should make the following postings. When I enter transaction FB01 with costs (debit) 100 and vendor (credit) 100, I select the tax code and the system should create the following posting.
I can create the posting so that the expense account is reduced, but I need a solution where the vendor line item (posting key 31) is reduced. The posting should go as follows:
Costs D 100 Entered manually
Vendor C 97 Entered manually
Input tax D 22 System post automatically via tax code
Certification tax C 22 System post automatically via tax code
Retention C 7 System post automatically via tax code
*Reducing vendor line item?
Thanks,
Markku
Hi,
Thanks. Do you have any documentation on how to configure this WHT tax? Can I assign WHT tax to the tax code?
rgs.markku -
ASA 5505 Remote VPN can't access my local network
Hello guys, I have a problem with my ASA 5505 remote VPN connection and local network access. The VPN is working fine and connected, but the problem is I can't reach my inside network of 192.168.30.x. Here is my configuration, please can you help me?
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 155.155.155.10 255.255.255.0
interface Vlan5
no nameif
no security-level
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mull internal
group-policy mull attributes
vpn-tunnel-protocol IPSec
username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
vpn-group-policy Mull
tunnel-group mull type remote-access
tunnel-group mull general-attributes
address-pool vpn-Pool
default-group-policy mull
tunnel-group mull ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Hey Jennifer, I did everything you mentioned, but still I can't reach my inside network (local network). I am using Shrew Soft VPN Access Manager for my VPN connection.
Here is my cry ipsec sa:
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
current_peer:155.155.155.1, username: Thomas
dynamic allocated peer ip: 192.168.100.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 73FFAB96
inbound esp sas:
spi: 0x1B5FFBF1 (459275249)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2894
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x73FFAB96 (1946135446)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2873
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001 -
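As an added example (not from the thread, and not Cisco's own tooling), the Python script below reads a constructed excerpt of the posted config and of the show crypto ipsec sa counters and answers the questions a reviewer would ask here: does the NAT exemption ACL cover the whole vpn-Pool range, does every group-policy reference resolve to a defined policy (the paste shows both mull and Mull), and is any client traffic being decrypted at all (the counters show #pkts decaps: 0). The excerpt omits the password line and assumes `username xxx attributes` as the parent of the vpn-group-policy line.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 config posted above (password line omitted; 'username xxx attributes' assumed).
CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy mull internal
username xxx attributes
 vpn-group-policy Mull
tunnel-group mull general-attributes
 address-pool vpn-Pool
 default-group-policy mull
"""

# Constructed excerpt of the 'show crypto ipsec sa' counters from the follow-up post.
SA_OUTPUT = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def _take_addr(tokens):
    """Consume one ACL address spec (any | host A | A MASK) from the front of tokens."""
    t = tokens.pop(0)
    if t in ("any", "host"):
        return ipaddress.ip_network("0.0.0.0/0" if t == "any" else tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def pool_addresses(config):
    """Name and every address of the 'ip local pool' handed out to VPN clients."""
    name, lo, hi = re.search(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M).groups()
    lo, hi = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    return name, [ipaddress.ip_address(i) for i in range(lo, hi + 1)]

def nat0_destinations(config):
    """Destination networks of the ACL bound by 'nat (<if>) 0 access-list <name>' (NAT exemption)."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    nets = []
    for line in config.splitlines():
        tokens = line.split()
        if m and tokens[:5] == ["access-list", m.group(1), "extended", "permit", "ip"]:
            rest = tokens[5:]
            _take_addr(rest)               # source: the inside networks
            nets.append(_take_addr(rest))  # destination: must cover the client pool
    return nets

def audit(config):
    """Misconfigurations that commonly stop remote-access clients from reaching the inside network."""
    findings = []
    name, pool = pool_addresses(config)
    nets = nat0_destinations(config)
    missed = [str(a) for a in pool if not any(a in n for n in nets)]
    if missed:
        findings.append(f"NAT exemption does not cover pool addresses {missed}: replies would be PATed")
    defined = set(re.findall(r"^group-policy (\S+) (?:internal|external)", config, re.M))
    for ref in re.findall(r"^\s*(?:default-group-policy|vpn-group-policy) (\S+)$", config, re.M):
        if ref not in defined:
            findings.append(f"group-policy '{ref}' is referenced but not defined (names must match exactly)")
    if not re.search(rf"^\s*address-pool {re.escape(name)}$", config, re.M):
        findings.append(f"pool '{name}' is not assigned to any tunnel-group")
    return findings

def sa_verdict(sa_text):
    """Read the encaps/decaps counters: zero decaps means no client traffic is entering the tunnel."""
    enc = int(re.search(r"#pkts encaps: (\d+)", sa_text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", sa_text).group(1))
    if dec == 0:
        return "no packets decrypted from the client: look at the client side (routes, NAT-T) first"
    if enc == 0:
        return "client traffic arrives but nothing goes back: check NAT exemption and inside routing"
    return "traffic flows both ways"

if __name__ == "__main__":
    print(audit(CONFIG) or ["no config findings"], sa_verdict(SA_OUTPUT))
```

On this paste the NAT exemption already covers the pool, so the only config finding is the mull/Mull reference, and the zero decaps counter says the ASA has not received a single encrypted packet from the client, which points at the client side rather than at the NAT or ACL configuration.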
VPN Cluster and Wildcard Certificate
Hi,
I am setting up a VPN cluster with three ASA boxes and I am wondering if anyone has any experience using a wildcard certificate with this kind of setup.
I am done with the setup and everything works fine, but as my initial setup (and the doc I have been reading) shows, the client first connects to:
cluster.domain.com
Then the master returns the address or fqdn (i am using fqdn) of the least busy asa in the cluster:
vpn01.domain.com
or
vpn02.domain.com
or
vpn03.domain.com
Thus I would need 4 certificates to meet my needs. The cluster.domain.com certificate also must be present on all 3 boxes, because the cluster IP is configured on all boxes, and the master role is shifted if one of the boxes fails.
Because of this I thought it would be a good idea to use 1 wildcard certificate (*.domain.com) on all boxes and avoid the hassle.
Any experience or recommendations?
BR,
/K
Hello Kenneth,
It was working for versions before 9.
On ASA 9 you cannot even install a wildcard certificate to manage the ASA via ASDM, so I guess VPN load balancing with a wildcard certificate will not work either (but I have not tested that).
And it's not a bug, it's a feature: it's a security device, and wildcard certificates are strongly discouraged.
Michal -
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working: I get connected and authenticated. However, even though I use a user name and password from Active Directory when connecting with the Cisco VPN client, I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
Thank you.
Kind regards,
Alex
Hi Alex,
It is working as it should.
You can enable the VPN client to start the VPN before logon. That way you log in to the VPN and then log on to the domain. However, you are still entering credentials twice (VPN and domain), but you have access to domain resources and profiles.
thanks
John -
OS X 10.4/5 Server with PC and Mac Clients - Advice Appreciated
I have inherited an OS X 10.4 server and a user base of about 15 fulltime PC users, 10 fulltime Mac users, and 10 printers.
This thread will likely contain a LOT of questions as time goes on.
1. Should I set the PCs to Workgroup or Domain? As I have so many users I would prefer a domain setup but am not sure how that works with the OSX server.
2. Is it worth it to upgrade to 10.5? As the processor is a G5 I cannot go to Snow Leopard.
Thanks!
1: Domain definitely. Run Open Directory. Keep in mind you WILL NOT be able to support and run Group Policy extensions for the Windows machines. I highly suggest you run Parallels or VMware (if this is on a Mac Pro or Xserve Intel machine) and run Windows Server 2008 or Small Business Server 2008 to manage the Windows machines.
If you do not have a Mac Pro or Xserve, or cannot afford to upgrade to a Mac Pro, then I would build a server class PC to run Windows Server or Small Business Server 2008. You can then lock down your Windows machines, run Exchange for collaboration (including push e-mail to iPhones, Windows Mobile and Blackberry devices), provide group policy and run WSUS to update your Windows machines automatically.
Trying to patch the Windows machines will be a royal pain in the butt without using Windows Software Update Services (part of Windows Server). You will also want an enterprise grade security solution that runs off of Windows Server, such as Trend Micro's Worry Free Business Security 6.1, to content filter, provide anti-virus and anti-malware security and spam filtering. You can use a web based console to check on virus scans, provide security lockdowns etc. There is NO enterprise grade security system that runs the web console off of Mac OS X Server at this time. There are plenty of clients (Trend Micro, Internet Security Barrier, Sophos etc), but no way to control the anti-virus clients on the Windows machines from the Mac server.
You can use your current mail, or if you go with Small Business Server you can run Exchange, which is way more capable than the very limited mail capability in OSX Server 10.4.11. I ran 10.4 server until two months ago at my work, where we upgraded to 10.6.
Group Policy, which is similar to Workgroup Manager Server Preferences, will allow you to lock down and secure your windows machines. You can lock the screen, send software updates, provide firewall preferences etc. This requires Windows Server.
10.5 is totally worth the upgrade. It adds RADIUS support (you can secure and lock down your VPN connections with XAUTH and your wifi access points to require a username and password, rather than just a password), it provides MUCH improved Software Update Services (10.4 Software Update Server is severely limited; it also cannot upgrade 10.5 or 10.6 clients. 10.5 SUS can update 10.4, 10.5 and 10.6 clients).
If you upgrade to OSX Server 10.5 you want to do a full bootable backup of the boot drive to an external Firewire drive. You can use CarbonCopyCloner or SuperDuper! to accomplish this. You can then attempt an upgrade, and if it screws up you can then restore the machine and plan to do a clean install and migrate your settings from the 10.4 install.