ASA5510 - VPN AnyConnect - Two Part Authentication
Currently, we have the AnyConnect client authenticating our users to our AD environment. All is working as desired. Now our Controll Agency is requiring a two step authentication for VPN access. Is it possible (and if so how do you do it) to also configure the AnyConnect client login to send a PIN to the AD usres registered Cell Phone and then require that PIN to be input to make complete the VPN login process?
This is basically the sequence that I forsee:
1. The AnyConnect client requests and then validates the User's AD credentials
2. The ASA 5510 generates and sends a one-time 4 to 6 digit PIN to the AD user's cell phone.
3. The AnyConnect client presents a dialog box awaiting the PIN to be entered.
4. The user enters the PIN and completes the login once the ASA validates the PIN.
Hi,
You can use secondary authentication:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s1.html#wp1452151
Do you have any external server/vendor for that PIN (one time password) authentication ?
How user in step 3 should know which PIN to type (if it's one-time generated) ?
With RSA one time password you could configure it as radius and use secondary authentication feature.
You could also use ACS as a proxy between ASA and RSA.
Michal
Similar Messages
-
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
hello,
i am setting up a site to site vpn between two asa 5505's. the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point. i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated. i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI the asa's are different versions, one is 9.2 the other is 8.2
Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Hi Keegan,
Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
I would suggest to do a 'clear xlate'? Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts" -
Communication problem from the vpn-anyconnect to easy-vpn-remote
Hi Team,
I have a communication problem from the vpn-anyconnect to easy-vpn-remote, I´ll explain better bellow and see the attached
topology:
1) VPN Tunnel between HQ to Branch Office - That´s OK
2) VPN Tunnel between Client AnyConnect to HQ - That´s OK
The idea is that the Client Anyconnect is to reach the LAN at Branch Office, but did not reach.
The communication is stablished just when I start a session (icmp and/or rdp) from Branch Office to the Client AnyConnect,
in this way, the communication is OK, but just during a few minutes.
Could you help me?
Bellow the IOS version and configurations
ASA5505 Version 8.4(7)23 (headquarters)
ASA5505 Version 8.4(7)23 (Branch)
**************** Configuration Easy VPN Server (HQ) ****************
crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-link-2_map 1 ipsec-isakmp dynamic DYNAMIC-MAP
crypto map outside-link-2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-link-2_map interface outside-link-2
access-list ACL_EZVPN standard permit 10.0.0.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.1.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.50.0 255.255.255.0
access-list ACL_EZVPN standard permit 10.10.0.0 255.255.255.0
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_EZVPN
nem enable
tunnel-group EZVPN_TG type remote-access
tunnel-group EZVPN_TG general-attributes
default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
ikev1 pre-shared-key *****
object-group network Obj_VPN_anyconnect-local
network-object 192.168.1.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
network-object 192.168.1.0 255.255.255.0
network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
network-object 10.0.0.0 255.255.255.0
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-
anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination
NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static
NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
**************** Configuration VPN AnyConnect (HQ) ****************
webvpn
enable outside-link-2
default-idle-timeout 60
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles Remote_Connection_for_TS_Users disk0:/remote_connection_for_ts_users.xml
anyconnect enable
tunnel-group-list enable
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.15.0 255.255.255.0
access-list split-tunnel standard permit 10.0.0.0 255.255.255.0
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server none
dns-server value 192.168.1.41
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value ipconnection.com.br
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect profiles value Remote_Connection_for_TS_Users type user
anyconnect ask none default anyconnect
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
authentication-server-group DC03
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias IPConnection-vpn-anyconnect enable
object-group network Obj_VPN_anyconnect-local
network-object 192.168.1.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
network-object 192.168.1.0 255.255.255.0
network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
network-object 10.0.0.0 255.255.255.0
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-
anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination
NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static
NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookupHi,
the communication works when you send traffic from easyvpn branch side because it froms the IPSEC SA for local subnet and anyconnect HQ pool. The SA will only form when branch initiates the connection as this is dynamic peer connection to HQ ASA.
when there no SA between branch and HQ for this traffic, HQ ASA has no clue about where to send the traffic from anyconnect to branch network.
I hope it explains the cause.
Regards,
Abaji. -
Network Policy Server Two-factor authentication OTP
Hello,
I don't have much knowledge about the Network Policy Server so before digging into this; I would like to know if it offers two-factor authentication. If so, what are the possibilites? I'm looking for a validation based on a one-time password OTP (hardware/software
token or sms) and the Active Directory user/pwd.
Is there anything builtin in the Network Policy Server offering this?
Thank you!Hi,
NPS supports smart card.
Two-factor authentication provides improved security because it requires the user to meet two authentication criteria: a user name/password combination and a token or certificate.
A typical example of two-factor authentication with a certificate is the use of a smart card.
To use smart cards for remote access authentication, we may do the following:
Configure remote access on the remote access server.
Install a computer certificate on the remote access server computer.
Configure the Smart card or other certificate (TLS) EAP type in remote access policies.
Enable smart card authentication on the dial-up or VPN connection on the remote access client.
For detailed information, please refer to the link below,
Using smart cards for remote access
http://technet.microsoft.com/en-us/library/cc783310(v=WS.10).aspx
Best Regards.
Steven Lee
TechNet Community Support -
Two factor authentication for iCloud?
Hello,
I have two factor authentication (aka two step verification) setup for my AppleID - when I login to appleid.apple.com it sends a code to my phone. So that part works great. However, when I login to www.icloud.com it doesn't send a code to my phone. Securing iCloud.com with two factor is very important as iCloud contains a lot of your data (email, contacts, etc.).
I'm wondering if it's not working for me because two factor for iCloud.com hasn't been fully rolled out yet - or maybe it is still in beta?
This article indicates that Apple was testing two factor for iCloud.com as recently as June, 2014:
http://appleinsider.com/articles/14/06/30/apple-testing-two-step-verification-fo r-icloudcom
So my question is, does anyone know when two-factor authentication will be fully rolled out and working for iCloud.com?
Thanks!After reading a few articles on this subject, Apple is still working on enabling two-factor authentication for iCloud. At best, they are currently "rolling it out", a process that can take several months due to the millions of users, I guess. At worst, it's still in beta and they are still testing and working on it... which means it could be next year before it's fully deployed. I haven't found any articles or news with a firm date. I'm just glad they are working on it as it's very important. In the meantime, they have implemented email notifications when you login to your iCloud account. I tested this and only received one notification (for multiple logins over several days from several different computers) so I'm not sure how well the notifications are really working - but I think the notifications are just a workaround until they get two-factor fully deployed for iCloud.
Does anyone else have more info on this? -
Vmware horizon radius integration with two factor authentication
-1 down vote favorite
I have deployed vmware horizon view connection server (Evaluation/Trial version), i want to integrate it with two factor authentication server. But after configuring RADIUS parameters in admin portal of connection server, it’s not allowing me to save the settings. Please suggest.
I have attached the snap for your reference.The SMTP server supports what is referred to as third party authentication. To take advantage of this you would need to provide all of the authentication code, however -- there's no way to do part of the authentication and then pass control back to the messaging server for the rest. So you'd need to do both password checks, one of which is presumably done via LDAP auth, yourself.
As far as LDAP proxy and RADIUS, we use a standard LDAP simple bind. The ODSEE LDAP proxy is often used in OCMS deployments, so that is a known good solution. We don't directly support RADIUS; the aforementioned third party authentication could be used to tie into such a system.
- Jeff -
Does iMessage imperil two-step authentication?
It seems that the new iMessage service is a complete lack of security for anyone relying on their iPhone as part of a two-step authentication process.
I was just re-logging into some secure sites, such as Google, that require two-step authentication, and the authentication number pops up on the screen of the iMac or iPad I'm using, apparently destroying any value in having the information supplied separately to my iPhone.
I have had to turn off the whole iMessage service now so that my access to secure sites is not so easily breached. Apparently anyone with access to my computer or iPad easily bypasses the security process.
I don't understand how this update doesn't leave everyone who relies on two-step authentication with an iPhone using SMS messages with validation codes from being completely compromised.You'd need to address this with Apple as these forums are user to user only; you could call or send them feedback:
http://www.apple.com/contact/feedback.html -
Two-factor authentication by using Digital Cert
Dear Friends,
I am trying to implement two-factor authentication on any connect vpn. While uploading identity certificate on the windows 2008 server ,getting below mentioned error
Please help on this.
Regards,
Shinu MathewHi Lars,
If you are using SMS PASSCODE, go to http://www.smspasscode.com/support and ask them to send you the setup guide or walk you through the configuration.
Kind Regards
Lars (@smspasscode). -
Write a progarm to test two parts at the same time
Hi:
I need to write a program in LabView that is capable of testing two parts at the same time.
Explanation:
I star the test on a unit, once all the electrical test is done move that unit to the pressure test without loosing the current test information and continue the test of the unit thewn generate a serial number only if it passes all the test. Then while the previous unit is going thru the pressure test star testing another unit for the elecrical test and so on.
I am using LabView 2012From what you have described, I agree with what has been answered above. TestStand is specifically designed for. If you would like to provide more information about your application we could give you a more detailed response. For more information about TestStand follow this link
www.ni.com/teststand
Ryan
Ryan
Applications Engineer
National Instruments -
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
Thank you.
Kind regards,
AlexHi Alex,
It is working as it should.
You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
thanks
John -
Please help, I am trying to split a HD mp4 video into two parts using Quicktime 10.2
Please help, I am trying to split a HD mp4 video into two parts using Quicktime 10.2, running Mountain Lion. I use trim then export but it doesn't give the movie option as a format. What would you suggest i do?
I'm not sure why you're using a FAT32 drive, but using ExFAT instead of FAT32 would be a better overall choice as it doesn't have the 4 Gig limit.
http://www.tech-recipes.com/rx/2801/exfat_versus_fat32_versus_ntfs/ -
Apple ID - Two Factor Authentication (and why I stopped using it)
The Apple devices I use every day consist of the following:
2009 MacBook Pro 17" (home)
iPhone 6 (home)
2012 MacBook Pro Retina (work)
My home devices are all logged in using my Apple ID as usual, and my work laptop uses a Apple ID specific to work, but with my personal Apple ID logged in for iMessage and FaceTime (pretty standard, I presume, for people with full-time work laptops they can bring home, etc.). Now, since I have multiple devices which are constantly syncing everything back and forth, whether it be something as simple as my contacts or as delicate and near and dear to my heart as my photo collection, I felt that maybe I should use two factor authentication for my home Apple ID, just to be on the safe side. I recognize that the two factor authentication only protects iMessage and FaceTime currently, but I implemented it with hopes that someday they will incorporate everything about iCloud and other services synced between Apple devices that you would assume should be covered by a two factor authentication update/overhaul.
I liked this idea very much, as I use two factor for almost everything I can, but things started to fall apart one day when I had to switch to a temporary work laptop and decided to log in to iMessage with a new app specific password, as you would need to on a new device (unless you wrote down the original iMessage password, which is a terrible thing to do). When I went to create my new iMessage password for work laptop B, I decided to revoke work laptop A's iMessage password while it went in for repairs. This wasn't so bad until something seemed funny about my phone, as it was asking for me to log into iMessage again. Now, I had created a separate password for work laptop A's iMessage when I first logged in a while back, as well as a separate password for the temporary work laptop B so it didn't interfere with my other generated passwords. Apparently this didn't matter.
I continued and created a new app password for my phone, but when I got home, wouldn't you know it, I had to log into iMessage on my home laptop again as well. I had to create a new password for that, which seemed to work for a while, but then I was prompted to enter my iMessage password on my phone again once I revoked my home laptop's iMessage password. Not following? No, me either. It seemed to me that creating separate app specific passwords for me to use across my devices didn't stay as separate as I thought they should, but instead they somehow seemed to be dependent on one another. Since I had a frustrating time trying to activate iMessage again on my iPhone and laptops on multiple occasions while this was happening, I decided to disable two factor authentication altogether.
I suppose I should ask a question here, so here goes: has anyone else encountered this horrific two factor authentication/app specific password management issue for their own account? Have you been able to resolve it, and if so, any helpful suggestions? Thanks!I had also thought that initially, but after turning it on, I went to sign into iMessage with my Apple ID and regular Apple ID password, but it prompted me to create an app specific password to sign in since I had two factor authentication on, as it wouldn't let me use my regular Apple ID password to log in (which I could use to log in for everything else but iMessage and FaceTime). It was nice since I was prompted to provide a code sent to an Apple device of my choosing when signing into the Apple ID management site or iCloud.com, but forcing me to create app specific passwords for iMessage and FaceTime is kind of ridiculous and frustrating. Maybe there's a way to have two factor authentication without the need for app specific passwords? Or if not, then perhaps that would be a great option to present users when turning that feature on.
-
How to split a text in two parts?
Hello everyone,
I'm trying to make a text appearance, with a smilar effect as the one in this video (1 mn 43) :
After Effects Template : 65 Title Animations - YouTube
My problem is, I'd like to split my text in two parts, at the middle of a letter, so I can separate the text in two parts then gather it up at the end of the animation.
I've tried to take a look at the text's animation tool, where you can make it spin, or rotate and this kind of stuff, but I can't find out how to make a letter really split at its middle.
Thank you in advance and sorry for my english.Duplicate your text layer and mask.
-
Two Factor Authentication on Windows Server 2008 R2
We have a small 2008 R2 Active Directory environment with 2 domain controllers and 13 member servers. We have no additional features such as an RDP gateway or Federation Services - just a plain AD setup. We now have a requirement from our client to have
a two factor authentication solution for each time we logon to any server, either using RDP or locally. We only have 4 admins that ever logon to these servers - we do not have any "regular" users.
Is there anything out there that would work in this environment without having to modify our AD (at least nothing major)?
ThanksHi,
You may consider smart card:
Smart Card Overview
http://technet.microsoft.com/en-us/library/hh831433.aspx
Understanding Requirements for Connecting to a Remote Desktop Gateway Server
http://technet.microsoft.com/en-us/library/cc770519.aspx
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Visual Studio 2013 Community Azure Login Not Working with Two-factor Authentication
Has anybody had any problems logging in to Azure to publish when using Visual Studio 2013 Community and with two-factor authentication turned on?
I couldn't log on until I turned off two-factor authentication.
RegardsHello John,
Thanks for posting here!
You can try and set a credential helper like
git-credential-winstore in order to cache your credentials. See if that helps.
Couple of questions here:
1) Are you using a MSA account by any chance?
2) When you turn on two-factor authentication, do you get any error message?
3) Did you try with different browsers?
Looking forward to your response!
Regards,
Sadiqh
Maybe you are looking for
-
How to display current day(13-nov-06) in selection screen-its very urgent
hi all, iam sending code to change the date from mm/dd/yyyy to dd-mon-yy(10-nov-06).my requirement is i have to keep a parameter and when iam executing thid report say p_text1 is a parameter when iam executing this report in selection screen it has t
-
Some contacts are numbers instead of names in messages on Mac
On my Macbook, I have a few contacts that aren't coming up in my messages. When they send a message, their phone number shows up instead of their name. I have current software on both and I have disabled and inabled my messages on both my phone and M
-
Changes in custom.css are not displayed on iPad
Dear all, I'm using a custom.css file in my Analysis Application. Changes in this CSS-file are immediately shown in my design in Design Studio and when executed on the BI Platform. However, these changes are not displayed when I run the application i
-
Deployment as command for Enable Remote Server Administration Tools keeps failing
trying to deploy cmd /c EnableFeatures.cmd with following commands in file dism /online /enable-feature /featurename:RemoteServerAdministrationTools dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles dism /online /enable-
-
My monitor will go to blank screen for no reason....and I cant get it back without rebooting sometimes 3x. I tried various monitors...same problem New video card?