Assign Static IP to VPN clients authenticated on AAA server

Hi NetPros
My objective is to assign static IP address for VPN clients.
The tunnel group authentication is on a AAA LDAP server.
AAA LDAP queries has been configured and tested to work.
I followed the guide below, but could not get static IP assignment to work.
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html#wp41996
The tunnel group is configured to use the DHCP pool and the Group policy on ASA.
- If i do not specify dhcp pool, the error message is: "no assigned address"
- If i configure dhcp pool, the assigned address will be from the pool
Here are my queries on assigning a static IP for aaa-users:
1. Do you need to configure a external policy server for static IP assignment to work?
-I prefer to use the group policy on ASA
2. Under the tunnel profile, do you need to specify what DHCP pool to use? If yes, what do i specify?
3. Does DHCP service needs to be running on ldap server?
4. As per printscreen below, is Remote Access Policy required?
5. What am I missing out to make static IP assignment work?
Big thanks

Hi all
Thanks to friends working in Cisco, they have helped to identify the root cause.
The root cause was due to a misprint on the Cisco document.
The correct LDAP attribute is: msRASSavedFramedIPAddress. Note on the additional 'd' after the word, 'Frame'
In fact this LDAP attribute was also lacking of a 'd' on the ASDM scroll down selection. Would appreciate if someone relay the mistake to cisco personnel. Thanks all.

Similar Messages

AAA static IP address for RA VPN Client

Hi,
my vpn group and VPN POOL is locally created in Cisco VPN router but users are authenticated through ACS, AAA server via TACACS. Now I want to assign the static ip address to VPN Client. Everything is fine but due to the application problem I want to give them the static Ip address from the VPN Pool. I have greated one pool in AAA server and also configure the client in AAA to get the static ip address but unable to do this. Please help me out how to do this.
My router is configured for TACACS+. I have checked the user configuration in AAA server to get the static ip address but it is not working. Please help me out how to do this. I cant change Router to Radius but this is my main router which is configured for 160 sites through ISDN and these sites also configured for TACACS+.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group Aviation-VPN
key egntosc
pool aviation-pool
acl avi-tunnel
save-password
netmask 255.255.255.0
crypto isakmp profile vpnclient
   match identity group Aviation-VPN
   client authentication list default
   isakmp authorization list Aviation-authorization
   client configuration address respond
crypto ipsec transform-set aviset esp-3des esp-sha-hmac
crypto dynamic-map avi 10
set transform-set aviset
set isakmp-profile vpnclient
reverse-route

Since you're using ACS, I believe the way to do this is to
go into ACS, and select the username of the user that you want
to get the static IP. Under that user's setup, there is an option to
always assign the same IP. Just select that and enter the IP you
want them to get. - chris

Assigning 2 DNS servers to VPN clients

It seems like I can only assign 2 DNS servers to VPN clients using the "dns-server" command in config-group-policy? How do I go about assigning more than 2?
what exactly does dns server-group do? Can I use that command to assign dns servers to vpn clients since I can add more than 2 dns servers?

ciscoasa# sh run
: Saved
ASA Version 8.0(4)
hostname ciscoasa
enable password c.LHJMlCqC0Qvrsf encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address extip 255.255.255.240
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.17.193.100 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot config disk0:/exit
ftp mode passive
clock timezone mst -7
clock summer-time mdt recurring
dns domain-lookup inside
dns server-group TA-UAT
name-server 44.44.44.102
domain-name ta.corp.adds
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inbound_on_outside extended permit icmp any any
access-list inbound_on_outside extended permit tcp any host extip eq 5555
access-list inbound_on_outside extended permit tcp any host extip eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnuserspool 192.168.20.101-192.168.20.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 44.44.44.0 255.255.255.0
nat (inside) 1 172.17.193.0 255.255.255.0
static (inside,outside) tcp extip 5555 172.17.193.96 5555 netmask 255.255.255.255
static (inside,outside) tcp extip www 172.17.193.1 www netmask 255.255.255.255
access-group inbound_on_outside in interface outside
route outside 0.0.0.0 0.0.0.0 extip 1
route inside 44.44.44.0 255.255.255.0 172.17.193.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http 172.17.193.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp nat-traversal 3600

How to enable traffic between VPN clients in Windows Server 2012 R2?

Hello,
I installed Remote Access role with VPN.
IPv4 Router is enabled: http://snag.gy/UAMY2.jpg
VPN clients should use static ip pool: http://snag.gy/REjkB.jpg
One VPN user is configured to have static ip: http://snag.gy/TWwq0.jpg
VPN server uses Windows Authentication and Windows Accounting.
With this setup, VPN clients can connect to server, get ip addresses and can see server via server's vpn ip. Server can connect to VPN clients too (Using client's vpn ips). But VPN clients can't communicate with each other.
For example, VPN server has ip 192.168.99.5
VPN Client 1 - 192.168.99.6
VPN Client 2 - 192.168.99.7
I am able to ping 192.168.99.5 from both clients, and able to ping 192.168.99.6 and 192.168.99.7 from server via remote desktop. But I am not able to ping 192.168.99.7 from client 1 and 192.168.99.6 from client 2.
If I trace route from 192.168.99.6 to 192.168.99.7 - I can see that packets goes to server (192.168.99.5) and next hop - request timeout.
What else should I configure to allow network traffic between VPN clients?

Hi,
To better analyze this issue, would you please post the routing tables on the two VPN clients? You can run "route print" at the command prompt to get the routing table.
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

Hii frnds,
here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
Below is the out put from the router
r1#sh run
Building configuration...
Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ra-vpn
key xxxxxx
domain r1.com
pool vpn-pool
acl 150
save-password
include-local-lan
max-users 10
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
crypto dynamic-map RA 1
set transform-set my-vpn
reverse-route
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
interface Loopback0
ip address 10.2.2.2 255.255.255.255
interface FastEthernet0/0
bandwidth 8000000
ip address 117.239.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ra-vpn
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.252 255.255.255.0 secondary
ip address 10.10.10.1 255.255.252.0 secondary
ip address 172.16.0.1 255.255.252.0 secondary
ip address 10.10.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpn-pool 172.18.1.1   172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
control-plane
line con 0
login authentication local-console
line aux 0
line vty 0 4
login authentication local-console
transport input telnet ssh
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C        10.2.2.2/32 is directly connected, Loopback0
C        10.10.7.0/24 is directly connected, FastEthernet0/1
L        10.10.7.1/32 is directly connected, FastEthernet0/1
C        10.10.8.0/22 is directly connected, FastEthernet0/1
L        10.10.10.1/32 is directly connected, FastEthernet0/1
      117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/22 is directly connected, FastEthernet0/1
L        172.16.0.1/32 is directly connected, FastEthernet0/1
      172.18.0.0/32 is subnetted, 1 subnets
S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, FastEthernet0/1
L        192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
IPv6 Crypto ISAKMP SA
r1 #sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: giet-vpn, local addr 117.239.xx.xx
   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
   current_peer 49.206.59.86 port 50083
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x550E70F9(1427009785)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x5668C75(90606709)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550169/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x550E70F9(1427009785)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550170/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

hi Maximilian Schojohann..
First i would like to Thank you for showing interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF " Router cpu processer goes to 99% and hangs...
In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
so plz give me an alternate solution ....thanks in advance....

VPN client and radius or CAR

Hello:
I am trying to setup remote access vpn on IOS router with cisco Radius or CAR.
the vpn client user needs to be authenticated by group id and password, and user id and password.
How should I setup CAR, could someone provides me an example?
I saw this sample, but there is no relationship between user and group.
Any suggestions?
thx
[ //localhost/RADIUS/UserLists/Default/joe-coke ]
Name = joe-coke
Description =
Password = <encrypted>
AllowNullPassword = FALSE
Enabled = TRUE
Group~ =
BaseProfile~ =
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =
[ //localhost/RADIUS/UserLists/Default/group1 ]
Name = group1
Description =
Password = <encrypted> (would be "cisco")
AllowNullPassword = FALSE
Enabled = TRUE
Group~ =
BaseProfile~ = group1profile
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =
Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco
AV-pairs:
[ //localhost/RADIUS/Profiles/group1profile/Attributes ]
cisco-avpair = ipsec:key-exchange=ike
cisco-avpair = ipsec:tunnel-password=cisco123
cisco-avpair = ipsec:addr-pool=pool1
Service-Type = Outbound

you can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within AAA server to allow access to the network once the tunnel has been established.
The link below should show how to setup the group config in IOS and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

IOS VPN will not respond to Cisco VPN Client connections.

Hi all,
I am about to set my routers on fire here.
I have two 2921 ISRs both with Security licenses on separate leased lines. I have configured one to accept VPN connections from our Cisco VPN Client remote workers.
I have followed the set up process I used on another site with an 1841/Sec router and the same clients and I have also checked against the config given in the latest IOS15 EasyVPN guide.
With all debugs active, all I see is
038062: Dec 8 14:03:04.519: ISAKMP (0): received packet from x.y.z.z dport 500 sport 60225 Global (N) NEW SA
038063: Dec 8 14:03:04.519: ISAKMP: Created a peer struct for x.y.z.z, peer port 60225
038064: Dec 8 14:03:04.519: ISAKMP: New peer created peer = 0x3972090C peer_handle = 0x8001D881
038065: Dec 8 14:03:04.523: ISAKMP: Locking peer struct 0x3972090C, refcount 1 for crypto_isakmp_process_block
038066: Dec 8 14:03:04.523: ISAKMP:(0):Setting client config settings 3E156D70
038067: Dec 8 14:03:10.027: ISAKMP (0): received packet from x.y.z.z dport 500 sport 60225 Global (R) MM_NO_STATE
Below is the abridged config.
System image file is "flash0:c2900-universalk9-mz.SPA.154-1.T1.bin"
aaa new-model
aaa authentication login default local
aaa authentication login VPNAUTH local
aaa authorization exec default local
aaa authorization network VPN local
aaa session-id common
crypto isakmp policy 10
encr aes
authentication pre-share
group 14
crypto isakmp client configuration group VPN
key ****-****-****-****
dns 192.168.177.207 192.168.177.3
domain xxx.local
pool VPNADDRESSES
acl REVERSEROUTE
crypto ipsec transform-set HASH esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile IPSECPROFILE
set transform-set HASH
crypto dynamic-map VPN 1
set transform-set HASH
reverse-route
crypto map VPN client authentication list VPNAUTH
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 65535 ipsec-isakmp dynamic VPN
ip local pool VPNADDRESSES 172.16.198.16 172.16.198.31
ip access-list extended REVERSEROUTE
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended FIREWALL
2 permit udp any host a.b.c.d eq non500-isakmp
3 permit udp any host a.b.c.d eq isakmp
4 permit ahp any host a.b.c.d
5 permit esp any host a.b.c.d
If anyone can see anything wrong, I would be so pleased and it would save the destruction of an ostensibly innocent router.
Thanks,
Paul

> I actually love you. Thank you so much.
Sorry, I'm married ... ;-)
> Im not using a virtual template. Can I get away without the Crypto Map if I use one...? All my tunnels are VTIs
oh yes, I could have seen that ...
crypto isakmp profile VPN-RA
match identity group VPN
client authentication list VPNAUTH
isakmp authorization list VPN
client configuration address respond
virtual-template 1
interface Virtual-Template1 type tunnel
description Tunnel fuer Cisco VPN-Client
ip unnumbered GigabitEthernet0/0
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROFILE
Your isakmp-config and ipsec profile stays the same.

Bordermanager VPN-client 3.8.x + netware6.0 + Vista

I'm currently using bordermanager 3.8.16 installed on my Windows Vista and connecting to my office by the Bordermanager VPN-client to a netware6-server (they refuse to upgrade to 6.5) and it's working! (but!).
.. but every hour when my ISP renews it's lease for the IP-adress it won't succeed and the VPN-client and my internet-connection stops working.
Then I have to disconnect/logout the VPN and then reconnect to my ISP and then reconnect/login to the VPN
I also found out that the VPN doesn't work when I'm behind a NAT (but that works on my other computer (with Windows XP).
I know Vista isn't supported on 3.8.x, but I'm wondering if it will get supported in some patch? Or can I perhaps install Bordermanager 3.9SP1 and use it on Netware6 allthough it says in the requirements that it has to be netware6.5?

But when I'm on this page Novell: Downloads
... it says PLATFORMS: Netware 6.5 when doing a mouseover on the link "BorderManager 3.9 Support Pack1".
and when following the link "BorderManager 3.9 Support Pack1" it once again says Platforms: Netware 6.5. And when reading a bit further down on that page under System Requirements:
"1.0 System Requirements
Make sure that NetWare 6.5 SP6 or SP7 with Novell
BorderManager 3.9 is installed in your system, before
you install Novell BorderManager 3.9 SP1."
but if you tell me it works with netware6 I trust you Gonzalo (you've helped me once before). Thanks again, I'll try it.
//reenhilm aka gummi
Originally Posted by mysterious
bm39sp1 contains a specific vpn client for vista. You do not have to
upgrade the server to use it
Gonzalo

A strainge problem..client authentication

HI,
I am able to work out an application which beside server cert authentication also has client authentication. For server i have created a cert using keytool or jdk1.4 and having its public key in client's trusted store.for client crt i have installed a 60 day Personal certificate on IE. i have exported this cert from IE and hence included its public key in trust store of server and keep its keystore for client authentication.. everything works fine...
say this was a tomcat server on my machine on which i originally installed personal sertificate..say it machine A....now on some other machine on same network for another tomcat i have created another cert using keystore and accessing it..i am having its public key also in the client truststore...i have also kept client's public key of personal cert in the trust store of server of machine B...but for this server it works only without client authentication...
for both machine/servers i have done perfectly same thing..both server has client's public key and client has both servers public key in their respective trust store...i have checked it using the IBM key Man...
the only difference is that A is the machine on which i originally installed the personal certificate..
Any guess or idea...why it might be happening...its killing me...
Akhil

Hi,
i could not find anything suspicious happening in log files...however today i tried to find out access the same server on machine B using my browser IE on my machine A. This is the browser i installed my Personal Certificate. Now its public key is present in trust store of tomcat on machine B.
Hoeever when i accessed it . browser prompts with a list of empty list of client certificates...but when i try to access the my local machine (A) server it prompts me with one certificate..
why is this..what i understand is that "if i am having a personal certificate from some CA installed in my browser,then whatever secure website which needs client authentication i access,my browser should prompt me with the list of certificates installed.." "whether that website has my public key in their trust store or not".....am i correct??....now why my brorwser shows empty list when i access server B and a list with one certificate when i access server A..
any thoughts...
Akhil Nagpal

Subnet mask 255.255.255.255 assigned to VPN client - can't ping LAN

Hi,
I configured PIX 501 with PPTP VPN to connect to the small office (PIX FW, Win 2000 Server, several Win clients, LAN IP 10.0.0.X/24):
ip local pool mypool 10.0.0.101-10.0.0.105
vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup client configuration dns 10.0.0.15
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username xxxx password *********
vpdn enable outside
I can connect to the office using Win VPN client, but I can't ping any hosts in the office network. I suspect that the reason for that is subnet mask assigned to the VPN client: 255.255.255.255. ipconfig of the VPN client:
PPP adapter Office:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
Default GW is missing too, but I think this is not the main problem.
Any way, what is wrong with my config? How to fix subnet mask assigned to clients? Or may be my assumption is wrong and this mask is ok? What is wrong then?
Any input will be greatly appreciated!
George

Thanks for the prompt reply.
Here it does:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname OSTBERG-PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq pptp
access-list inbound permit gre any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.189.xxx.xxx 255.255.252.0
ip address inside 10.0.0.23 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 10.0.0.101-10.0.0.105
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.15 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 66.189.yyy.yyy 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 10.0.0.23 255.255.255.255 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup client configuration dns 10.0.0.15
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username ********* password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
There are remnants of old config, I just recently took over this network, some lines look odd to me, but I did not touch what works. VPN config is all mine.
PIX internal 10.0.0.23 - is a gateway for the network. DNS server in LAN - 10.0.0.15.
I've been reading about the problem and came across several posts that this subnet mask is normal, but it puzzles me - how can this host communicate with anyone else if there is no room for other hosts in this network (according to the mask)?!
Thanks again!
George

Can we assign IPv4 IP address pool to IPv6 VPN Client

We are planning to enable IPv6 SSL VPN clients, Let me explain the current setup
We have Cisco ASA firewall used for SSL VPN and Cisco ACS for user authentication and RSA for two factor authentication.
LAN Server are in IPv4 only..
Requirement :
Client (IPv6) --- Cloud (IPv6) ---- Outsite(IPv6) -Cisco ASA - Inside(IPv4) ----- ACS (IPv4) & RSA (IPv4)
Client with IPv6 internet connectivity connect to SSL VPN with IPv6, Cisco ASA outside interface with IPv6 address will receive the request.
Qus:
1. Will Cisco ASA check two factor authentication with ACS and RSA both are in IPv4 address for an IPv6 client ?
2. Once if authenticated, Cisco ASA can assign IPv4/IPv6 address pool to the client, if i prefer only IPv4 address pool and client will get IPv4 address as tunnel interface IP address. Will it work? Means IPv4 over IPv6 SSL VPN tunnel.
Thanks
Sankar

AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses, with IPsec IKEv2 we only support IPv4 addressing.
Query to AAA servers are separate process, from user<-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.

ASA , Cisco VPN client with RADIUS authentication

Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
Thank you.
Kind regards,
Alex

Hi Alex,
It is working as it should.
You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
thanks
John

VPN Client and Clientless users not authenticating with AD

Web clients are receiving login failed messages and VPN clients are getting disconnected by host messages. I am able to ping the server from the ASA5510. Users authenticate in AD. I am not sure if the problem is on the server or the ASA.
CP

Hi,
Are you using LDAP for user authentication, is this a new setup or was this working at one point?
If using LDAP please use "debug ldap 255" and reproduce, If you are using radius what are you using?
Thanks,
Sent from Cisco Technical Support iPad App

Certificate authentication for Cisco VPN client

I am trying to configure the cisco VPN client for certificate authentication on my ASA 5512-X. I have it setup currently for group authentication with shared pass. This works fine. But in order for you to pass pci compliance you cannot allow aggresive mode for ikev1. the only way to disable aggresive mode (and use main mode) is to use certificate authentication for the vpn client. I know that some one out there must being doing this already. I am goign round and round with this. I am missing some thing.
I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall. IE failed to genterate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
Can some one provide the instructions on seting this up (asdm or cli). Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.

Dear Doug ,
          What is asa code your are running on ASA hardware , for cisco anyconnect you need have Code 8.0 on your hardware with cisco anyconnect essential license enabled .Paste your me show version i will help you whether you need to procure license for your hardware . By default your hardware will be shipped with any connect essential license when you have order your hardware with asa code above 8.0 .
With Any connect essential you are allowed to use upto total VPN peers allowed based on your hardware
1) What is the AnyConnect Essentials License?
The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers" platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device. With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Enabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
Any connect VPN Configuration .
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

VPN Client - Assigned wrong netmask?

I am having problems with a VPN setup that has previously been working. The VPN Client connects OK (V4.6.04.0043) however, if I check the IP address & mask assigned by the router I see :-
IP Address : 172.22.80.126
Subnet Mask : 255.255.0.0
Gateway : 172.22.80.126
DNS Servers : 172.22.1.240
If I try and ping anything on the LAN I get no response. I can ping my own IP.
Using the same client I can connect sucessfully to several other VPN gateways - all of these give me what I would expect to be the correct mask of 255.255.255.0
Can anyone shed any light on this?
IOS on the non-working setup is - 12.2(11)T6
Andy.

it's normal. when the router assigns ip address from the pre-configured pool, it determines the mask according to the class of ip. with your case the mask will be 255.255.0.0 as the ip is 172.x.x.x. if the pool is 10.x.x.x then the mask will be 255.0.0.0.
it will work except the pc itself has another route to 172. to verify, do a route print on the pc.
a way to verify the issue is to connect the vpn via a dialup connection. in that case you will be able to identify whether the issue is with the pc, vpn software, or the router config

Assign Static IP to VPN clients authenticated on AAA server

Similar Messages

Maybe you are looking for