How to configure AnyConnect/ASA/Certificate/MS CA together
Hello
We are looking to apply mobile device management utilizing some third-party cloud solution. Mostly iPad users will connect to our internal network using AnyConnect through the ASA. A third-party MDM will be used to control and provision the iPads, and I need to provide a solution for the AnyConnect VPN.
Looking for some guidance, docs, examples, or a white paper that will provide info on how to configure the following:
Users will connect to the ASA VPN using AnyConnect; a certificate issued by the internal Microsoft CA and unique to each user will be used to authenticate the user. ACS will communicate with Microsoft AD to check if the user is a valid AD user. Once authentication is done, the user will have access to the internal network.
I am struggling to get all those pieces of the puzzle together so I can work on a solution.
I would appreciate it if someone could give me some ideas about how this whole scenario will work.
Thank you.
Anyone from the experts out there? I am sure someone has done this before.
Similar Messages
-
How to Configure Cisco ASA 5512 for multiple public IP interfaces
Hi
I have a new ASA 5512 that I would like to configure for multiple public IP support. My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
Here is my concept. We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access. We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections. I have installed an add on license that allows multiple outside interfaces along with a number of other features.
Outside Networks (I've changed the IPs for security purposes)
Outside1 E 0/0 : 74.55.55.210 255.255.255.240 gateway 74.55.55.222
Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
Inside1 : E 0/1 192.168.255.1 255.255.248.0
Inside2 : E 0/3 172.16.255.1 255.255.248.0
My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2. The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.
I can post my config up as needed. I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app. My ASA 5512 is at 9.1.
Thanks in advance for the suggestions/help
I have been away for a while and am just getting caught up on some posts, so my apologies for a delayed response.
I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes, using one process for each of the public address ranges, and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
To the original poster:
It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
HTH
Rick -
How to configure AnyConnect ACL's?
I am a little new to Cisco ASAs, but we bought two new 5540's to use as a new VPN solution for our company. We want to implement Cisco AnyConnect full client and clientless based solutions for our end users. I am having problems with setting up access lists based on groups. I simply want to create access-lists to certain IPs based on groups. I ultimately want to get to the point where we have Dynamic Access Policies that are based on Active Directory groups, allowing access to back end servers based solely on their group membership in AD. But first I need to figure out how to just apply an ACL to a group. Can anyone please help me with this? Any help would be much appreciated.
Thanks for your reply....
I would like to block all, then allow access to certain back end servers. For example: a user signs in and authenticates against AD. I would like to keep it simple at first and just apply an access list to that group. I was told by a few people that the ASA starts a connection with it open to everything and then you have to tell it what to block. I would like to apply an ACL to a group where it just allows access to one application. So I would be a Coplink user, for instance, and I am allowed to connect back to our AnyConnect VPN. The user signs on and, because he is in the Coplink group, an access list is applied to him to only allow him to 10.105.x.x. Or if someone is in a group called SSL_VPN they would only have access to the 10.101.x.x and 10.105.x.x networks. -
How to configure an ASA with 2 Public IP address.
Hi, I have to configure an ASA 5505 router with 2 public IPs; our ISP gives us 3 public IPs, and currently our configuration is like this:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.x.x 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 200.91.x.x 255.255.255.248
The problem is: If I create a new Vlan, the interface overlaps.
How can I solve that problem?
Thanks for your answers!!!
Answered in duplicate post:
https://supportforums.cisco.com/discussion/12150111/how-configure-asa-2-public-ip-address -
How to configure Cisco ASA 5500 to work with the iPhone
We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
We've setup our first iPhone properly. It connects fine to the network, shows VPN connection as active. Gets a private IP address. But does not let any traffic go to the internal network. We thought it might be DNS problem, but it cannot connect to Exchange server even when using IP address instead of DNS. No luck either.
After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
I noticed that many people are having these problems.
Please do not post to this topic if you have ANY OTHER Cisco device.
Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
Thank you!
Oleg R
We found the solution and a bug in Cisco firmware (it seems to be a bug).
First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set iphone esp-3des esp-sha-hmac
crypto ipsec transform-set iphone mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
crypto map outside_map 10 match address vpn
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
group-policy iphone internal
group-policy iphone attributes
wins-server value <insert ip> <insert ip>
dns-server value <insert ip> <insert ip>
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value iphone_splitTunnelAcl
default-domain value <insert domain name>
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
address-pool VPN-Pool
authentication-server-group ActiveDirectory2
default-group-policy iphone
tunnel-group iphone ipsec-attributes
pre-shared-key <insert pre-shared key>
For iPhone you have to be using IPSec tab for configuration.
We tried to set up this config using the wizards, but it would not work.
Later it turned out that wizards by default set this setting:
"crypto isakmp nat-traversal 20"
equal to zero and there is no way to change it from the GUI.
Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
Please let me know how it works out for you.
Message was edited by: Rogik -
How to configure CISCO ASA 5510 for internal remote desktop ?
Hello, I have a client that wants to install a new ASA (5510) in their network.
I then did some experiments to implement it. The topology is like this:
--------configuration---------
2800 router :
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.11.3 255.255.255.0
duplex auto
speed auto
ip route 192.168.12.0 255.255.255.0 172.16.1.2
1841 router :
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ASA 5510 :
: Saved
: Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
ASA Version 8.2(1)
hostname ciscoasa
enable password **** encrypted
passwd ***** encrypted
names
name 192.168.12.0 Branch
dns-guard
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
tcp-map mssmap
synack-data allow
invalid-ack allow
seq-past-window allow
urgent-flag allow
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm location Branch 255.255.255.0 inside
no asdm history enable
arp timeout 14400
static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
route inside Branch 255.255.255.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ***** password ***** encrypted
class-map mymap
match access-list inside_access_in
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map myPolicy
class mymap
set connection advanced-options mssmap
service-policy global_policy global
service-policy myPolicy interface inside
prompt hostname context
Cryptochecksum:a605d94f29924e5267644dd0f4476145
: end
I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those hosts.
Then I used Wireshark to capture packets on my computer and it says TCP ACKed Lost Segment:
"1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
"1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
I can guarantee that both computers are remote desktop enabled and all firewalls have been disabled.
Please help, any suggestion would be great.
Thanks.
Sincerely yours,
-IAN WIJAYA-
Dear Ian_benderaz,
Thank God I am not alone on this,
I too am having the exact same problem; I can ping the host, but no remote desktop.
Somebody please help me on this: how to enable remote desktop on the ASA 5505?
Thanks -
[SOLVED] How to configure prosody and jitsi to work together?
Hi,
I want to use prosody to connect several jitsi accounts on different computers on a LAN. I have followed the Prosody page in our wiki to set up Prosody and some user accounts. The service starts and ss -tul indicates that it is listening on the expected ports. I have created the missing key and certificate files expected by the default setup and placed them in /etc/prosody/certs.
I have created the account foo@localhost using prosodyctl adduser foo@localhost.
In jitsi I have created an XMPP account (foo@localhost) on the same host as prosody. The account appears but it fails to connect to the server. Jitsi displays error messages on the console which indicates that the server does not support TLS connections even though these are enabled in the prosody configuration file (and lua51-sec is installed).
I have tried numerous variations of disabling encryption in both prosody and jitsi but I either get the same error message or jitsi simply hangs while trying to connect to the server.
So far the only thing that I've been able to find that deals specifically with prosody and jitsi is an episode of the Linux Action Show from last year that skimps on the details of the setup. The various online documentation that I've found seems to be for an older version or Prosody (e.g. Host entries in the configuration file).
Does anyone have a similar setup working with the latest versions of Prosody and Jitsi? If so, please share your configurations.
edit
I went through the Prosody wiki page again today and managed to get it working. I think my problem was in misconfigured paths for the SSL server certificates in the VirtualHost section.
Last edited by Xyne (2014-08-13 00:35:51)
So, I tried both ways but it still didn't work.
anrxc: I didn't know I could still prevent DNS leaks without Privoxy. Privoxy always blocked Flash animations and videos (like YouTube) here. I'll try to set this up better tomorrow when I have more time.
By the way, after following your guide, i got this when executing /usr/bin/tor:
Jan 10 19:29:16.993 [notice] Tor v0.2.1.21. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
Jan 10 19:29:16.994 [warn] Skipping obsolete configuration option 'Group'
Jan 10 19:29:16.995 [notice] Initialized libevent version 1.4.12-stable using method epoll. Good.
Jan 10 19:29:16.995 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 10 19:29:16.995 [notice] Opening Socks listener on 192.168.0.1:9050
Jan 10 19:29:16.995 [warn] Could not bind to 192.168.0.1:9050: Cannot assign requested address
Jan 10 19:29:16.995 [notice] Closing partially-constructed listener Socks listener on 127.0.0.1:9050
Jan 10 19:29:16.995 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
Jan 10 19:29:16.995 [err] Reading config failed--see warnings above.
Last edited by ILoveJapaneseGirls (2010-01-10 22:00:12) -
I have an ASA 5505 running 8.4. How do I configure the switch between the backup channel and the primary with a delay (for example 5 min.) using the SLA monitor?
Or is there some other way to implement it?
My configuration for SLA monitor:
sla monitor 123
type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
num-packets 3
timeout 3000
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Hey cadet alain,
thank you for your answer :-)
I have deleted all such attempts that were not working, so a packet-trace will not be very useful content...
Here is the log line when I try to browse port 80 from outside (80.xxx.xxx.180:80) without a VPN connection:
3 | Nov 21 2011 | 18:29:56 | 77.xxx.xxx.99 | 59068 | 80.xxx.xxx.180 | 80 | TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
The attached file is only the show running-config
Now I can with my AnyConnect clients, too, but after the connection is up, my VPN clients can't surf the web any longer because AnyConnect serves as the default route on 0.0.0.0 ... that's bad, too.
Actually the AnyConnect and NAT/ACL problems are my last two open problems until I set up the second ASA on the right ;-)
Regards.
Chris -
Move CA from Win2K3 to Win2012R2 - how to configure ASA
Hi Guys,
I've a little problem with an ASA in combination with a Microsoft CA.
First, I will describe the environment we have, which works:
CERTSRV => A Windows Server 2003 server, with a CA in standalone mode, the NDES / SCEP service activated, and a RADIUS / IAS service to let the ASA authenticate VPN users against the local Windows users. The CA root cert has a key length of 512 bit.
Our goal is to move the CA and the RADIUS to a Windows 2012 R2 server. Due to the restriction of the Windows 2012 CA to reject CA certs with less than 1024 bit, we cannot simply import the current CA cert pair into the new CA.
Also we won't upgrade the CA key pair on our current Win2k3 CA, because we cannot estimate the side effects and the ASA VPNs must work.
So we came to the fabulous idea to clone the Win2k3 CERTSRV into a VM. There we generated a new key pair with 1024 bit length. Then we exported this key, exported the database from the live system and imported both successfully into the new 2012 R2 CA. SCEP and NAP services are installed and tested successfully. We are able to create a new client cert with SCEP.
Our actual problem is that we don't know how to handle the new, upgraded CA in the ASA configuration.
I added the new CA in the CA Certificates menu.
Here is the relevant part of the ASA log (debug level):
7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE SENDING Message (msgid=6b028bd2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing qm hash payload
7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing IKE delete payload
7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing blank hash payload
7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], sending delete/delete with reason message
7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE SA MM:49765104 terminating: flags 0x0105c002, refcnt 0, tuncnt 0
7|Feb 27 2014|11:56:58|715065|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE MM Responder FSM error history (struct &0xadcda9c0) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_CERT_FAIL-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ACTIVATE_NEW_SA-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT
5|Feb 27 2014|11:56:58|713904|||||Group = DefaultRAGroup, IP = [CLIENT_IP], Certificate Validation Failed
3|Feb 27 2014|11:56:58|717027|||||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|11:56:58|717029|||||Identified client certificate within certificate chain. serial number: 1F00000951EB42CE6BD7157E2E000400000951, subject name: [CERT ATTRIBUTES].
7|Feb 27 2014|11:56:58|717025|||||Validating certificate chain containing 1 certificate(s).
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Connection landed on tunnel_group DefaultRAGroup
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via default group...
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IP ADDR...
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IKE ID...
3|Feb 27 2014|11:56:58|713020|||||IP = [CLIENT_IP], No Group found by matching OU(s) from ID payload:
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via OU...
4|Feb 27 2014|11:56:58|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
7|Feb 27 2014|11:56:58|717036|||||Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via cert rules...
6|Feb 27 2014|11:56:58|713172|||||IP = [CLIENT_IP], Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing notify payload
7|Feb 27 2014|11:56:58|713906|||||Dump of received Signature, len 256:
7|Feb 27 2014|11:56:58|715076|||||IP = [CLIENT_IP], Computing hash for ISAKMP
7|Feb 27 2014|11:56:58|715001|||||IP = [CLIENT_IP], processing RSA signature
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert request payload
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert payload
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], DER_ASN1_DN ID received, len 145
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing ID payload
7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 3111
7|Feb 27 2014|11:56:58|715063|||||IP = [CLIENT_IP], Successfully assembled an encrypted pkt from rcv'd fragments!
Do you know which is the best practice for us?
best regards from Germany
Edit: I see I missed some more information. Old VPN clients, with certs created on the old Win2k3 CertSrv, are working:
6|Feb 27 2014|13:27:52|717028|||||Certificate chain was successfully validated with revocation status check.
6|Feb 27 2014|13:27:52|717022|||||Certificate was successfully validated. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTRB] .
7|Feb 27 2014|13:27:52|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|13:27:52|717029|||||Identified client certificate within certificate chain. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTR].
7|Feb 27 2014|13:27:52|717025|||||Validating certificate chain containing 1 certificate(s).
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Connection landed on tunnel_group DefaultRAGroup
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via default group...
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IP ADDR...
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IKE ID...
Here is the configuration of the trustpoints:
crypto ca trustpoint ASDM_TrustPoint0
revocation-check crl
enrollment url http://U.X.Y.Z:80/certsrv/mscep/mscep.dll
fqdn xxxxx
subject-name [CERT_ATTRB]
keypair asa01.key
crl configure
no protocol ldap
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
revocation-check crl none
enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
no client-types
crl configure
no protocol ldap
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASDM_TrustPoint4
revocation-check crl none
enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
no client-types
crl configure
no protocol ldap
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2a5a90e900010000083c
quit
certificate ca 1e185567c7bc7e91473edd472e033d78
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 10acffbf9fb6429947e0cdea136cf8eb
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 10acffbf9fb6429947e0cdea136cf8eb
quit
crypto ca certificate chain ASDM_TrustPoint4
certificate ca 10acffbf9fb6429947e0cdea136cf8eb
quit
crypto ca certificate chain ASDM_TrustPoint5
certificate ca 3ae8ce8cf1619498418f9982315e6ad9
quit
This seems to be a very useful answer, but can you provide me with some code or some link where I can find some help? Actually I am new to SSIS.
Here are some good examples for filling variables with an Execute SQL Task:
http://dataqueen.unlimitedviz.com/2012/08/how-to-set-and-use-variables-in-ssis-execute-sql-task/
http://dwbi1.wordpress.com/2011/06/06/ssis-updating-a-variable-based-on-database/
And here is how you set the value of a property of the foreach loop with an expression:
Please mark the post as answered if it answers your question | My SSIS Blog:
http://microsoft-ssis.blogspot.com |
Twitter -
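The ASA debug log quoted in the CA migration post above spreads the certificate-validation events for one peer among IKE chatter, and ASDM pastes them newest-first. The script below is an added example, not code from any of the posts: it parses the pipe-separated ASDM layout assumed from that post (severity|date|time|message-id|four empty fields|text), groups the certificate messages by peer-certificate serial number, and reports which trustpoints were tried, whether the chain validated, and whether a certificate map matched. The sample lines are constructed from the post's own entries, with its [CERT_ATTR...] placeholders kept as written.

```python
"""Summarise ASA certificate-authentication attempts from ASDM-style log lines.

Added example, not code from the post. Assumed layout (taken from the post's
lines): severity|date|time|message-id|<4 empty fields>|text, pasted newest-first.
"""
import re

# Constructed sample modelled on the post's entries; the serial numbers are the
# ones the poster quoted and the [CERT_ATTR...] placeholders are left as-is.
SAMPLE_LOG = """\
6|Feb 27 2014|13:27:52|717028|||||Certificate chain was successfully validated with revocation status check.
6|Feb 27 2014|13:27:52|717022|||||Certificate was successfully validated. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTRB] .
7|Feb 27 2014|13:27:52|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|13:27:52|717029|||||Identified client certificate within certificate chain. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTR].
7|Feb 27 2014|13:27:52|717025|||||Validating certificate chain containing 1 certificate(s).
5|Feb 27 2014|11:56:58|713904|||||Group = DefaultRAGroup, IP = [CLIENT_IP], Certificate Validation Failed
3|Feb 27 2014|11:56:58|717027|||||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|11:56:58|717029|||||Identified client certificate within certificate chain. serial number: 1F00000951EB42CE6BD7157E2E000400000951, subject name: [CERT ATTRIBUTES].
7|Feb 27 2014|11:56:58|717025|||||Validating certificate chain containing 1 certificate(s).
4|Feb 27 2014|11:56:58|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
7|Feb 27 2014|11:56:58|717036|||||Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
"""

LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]*)\|(?P<time>[^|]*)\|(?P<msgid>\d{6})\|"
    r"(?:[^|]*\|){4}(?P<text>.*)$"
)
SERIAL_RE = re.compile(r"serial number: ([0-9A-Fa-f]+)")
TRUSTPOINT_RE = re.compile(r"suitable trustpoint (\S+) to validate")


def parse_line(line):
    """Return one ASDM log entry as a dict, or None if the line is not in that layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"severity": int(m["sev"]), "when": f"{m['date']} {m['time']}",
            "msgid": m["msgid"], "text": m["text"]}


def new_attempt(serial, when):
    return {"serial": serial, "when": when, "trustpoints": [], "result": "unknown",
            "revocation_checked": False, "cert_map_matched": None}


def summarize_cert_auth(log_text, newest_first=True):
    """Group certificate-related messages by peer-certificate serial number.

    Returns {serial: attempt}: trustpoints tried (717030), validated (717022) or
    failed (717027/713904), revocation checked (717028), cert-map miss (717037).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    if newest_first:
        events.reverse()  # work in chronological order
    attempts, current = {}, None
    for ev in events:
        mid, text = ev["msgid"], ev["text"]
        if mid == "717025":  # "Validating certificate chain": a new validation starts
            current = None
        m = SERIAL_RE.search(text)
        if m:  # any message that names a serial selects (or creates) that attempt
            serial = m.group(1).upper()
            current = attempts.setdefault(serial, new_attempt(serial, ev["when"]))
        if current is None:
            continue  # trustpoint/result lines before the peer cert is identified
        if mid == "717030":
            tp = TRUSTPOINT_RE.search(text)
            if tp:
                current["trustpoints"].append(tp.group(1))
        elif mid == "717022":
            current["result"] = "validated"
        elif mid == "717028":
            current["revocation_checked"] = True
        elif mid in ("717027", "713904"):
            current["result"] = "failed"
        elif mid == "717037":
            current["cert_map_matched"] = False
    return attempts


def report(attempts):
    """One line per peer certificate, failed validations first."""
    lines = []
    for a in sorted(attempts.values(), key=lambda a: a["result"] != "failed"):
        tps = ", ".join(a["trustpoints"]) or "none"
        rev = "yes" if a["revocation_checked"] else "no"
        note = "; no certificate-map match" if a["cert_map_matched"] is False else ""
        lines.append(f"{a['serial']}: {a['result']} (trustpoints tried: {tps}; "
                     f"revocation check: {rev}){note}")
    return lines


if __name__ == "__main__":
    for line in report(summarize_cert_auth(SAMPLE_LOG)):
        print(line)
```

Run against a real paste, the two summary lines make the difference between the old-CA and new-CA certificates visible at a glance: which trustpoint each was checked against, and whether the failure happened at chain validation or already at the certificate-map lookup.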
Hi guys,
I've configured my ASA 5510 version 9.1(5) to send flows to Netflow Analyser. I think I've done it correctly, but what happens is that I can see the ASA in Netflow, and Netflow packets are being received and increasing every time I refresh the page, but there is no traffic, as you can see in the attached file. Also, how can I figure out which ifindex is which interface, so I can rename it?
BTW, my Netflow version is 8.0 and below is the Netflow config:
access-list NETFLOWMONITOREDTRAFFIC extended permit ip any any
flow-export destination INSIDE A.B.C.D 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
flow-export active refresh-interval 2
class-map NETFLOW
match access-list NETFLOWMONITOREDTRAFFIC
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
class NETFLOW
flow-export event-type all destination A.B.C.D
class class-default
flow-export event-type all destination A.B.C.D
Hope someone can help me here.
Cheers,
Joe
I did find a workaround by keeping a connection open for communication between the client and server. However, I wish I did not have to do this. Ideally, I would like to be able to establish connections to the server only when needed and have the client JRE remember which certificate the user selected.
Browsers have this feature based on a user session. (i.e. once a user offers up a certificate to a server, the browser will not ask the user which certificate to send for the duration of the session to a given server). -
What is Certificate and how to configure it in cacerts file...
Hi,
I got an error while authenticating against the LDAP server, saying "unable to find valid certification path to requested target". I came to know that I need to configure the LDAP server's certificates in the jre/lib/security/cacerts file, but I don't know how to do it.
Could someone explain what that certificate is? How do I get that information from the LDAP admins? How do I configure the certificate on my machine and how do I use it in our logic?
Thanks,
Sumant K
I got the certificate and now I want to add it to my cacerts file. How do I do that? Please reply.
-
How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones
Hi Team,
We were able to push the EAP-TLS configuration profiles and certificates to Windows devices via group policy. However, we're now looking to see how we can accomplish this for MacBooks and iPhones. Is there an open source application or something we can leverage to do this?
Thanks
I think ammahend was looking for a rough count, which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal, since you will have to manually generate CSRs, get them signed and then install them on the machines.
Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications.
Hope this helps!
Thank you for rating helpful posts! -
How to configure an external certificate for MEP
Hi,
I want to configure an external certificate for my MEP gateway tier; can anyone tell me the procedure for how to configure the certificate?
I am configuring behind the firewall and I cannot run the default port no. 8181 for https, so where can I change the https port no. for MEP after installation? And I need to import external certificates into the keystore.
Hi Jayanth,
Both issues you raise are GlassFish issues rather than MEP issues per se.
To change the port, after doing 'asadmin stop-domain mep' you just edit the
domain.xml file in the .../domains/mep/config directory manually. Search for
8181 and change it to whatever you want, then restart GlassFish (asadmin start-domain mep).
In the MEP Installation Guide, there is a section on establishing trust between
tier1 and tier2 in a two-tier configuration. See http://docs.sun.com/app/docs/doc/820-7203/ggxmb?a=view
Hopefully, you can generalize that procedure to your situation. -
Don't know which technology to utilize or how to configure ASA5505
I have an ASA5505. Currently, it is using static NAT on several ports to forward traffic to several devices inside my network. It is a pain not only to configure but from the end user side.
The issue I am having is the applications I am using to access the devices become a mess with dual configurations, one for when I am connected to the internal network and one for when I am away from the office and accessing from the internet. For example, I have 2 Cisco VC240 IP Cameras behind the ASA5505. One is set to use port 9091 and the other 9092. When I am inside the office, I access them via http://10.1.2.215:9091 and http://10.1.2.216:9092. But when I am away from the office, I have to have another configuration in an Android app to use them, http://external_ASA_IP:9091 and 9092 and then NAT 9091 to the object for Camera1 and 9092 for Camera2. This is only one scenario. I also have a UC320W that I would like to put an IP phone at home and it sounds like AnyConnect is the only way to do this.
It sounds like to me that if I use some type of VPN, I can access the same devices using the same IP whether internal or external with the external connection using the VPN to tunnel the IP to the local network. There seems to be quite a few ways to do this with an ASA 5505.
AnyConnect seems like the way to go but after reading Cisco documentation, it requires your Android device to be rooted if it is not a particular Samsung model. If I understand correctly, rooting your phone voids the warranty. I know it is common practice but would think Cisco would have a better solution as I am sure Cisco would not want another manufacturer telling their customers to void the warranty on their Cisco equipment in order to get it to work.
I believe I can just use IPSEC and use the native VPN of the Android OS and also tunnel L2TP as the Android supports IPSEC-PSK/L2TP or IPSEC-CRT/L2TP. But will either of these support the IP phone to the UC320W?
A friend also told me to use NginX to proxy URLs so the URL http://www.fqdn.com/camera1 gets proxied to the internal IP of Camera1 and http://www.fqdn.com/camera2 gets proxied to Camera2. He says I should be able to store a cookie on the phone and let the phone authenticate to the camera and if the phone cannot, the proxy can authenticate internally to the IP camera over SSL.
I don't know anymore, I am so confused and just want to simplify my life as I am just a small business with me and a couple other employees but I have a full-time job and it is not IT/Network Technician, it is only CTO/CEO/CIO/CFO. I don't have hours upon hours to set this up and test and I don't have hours upon hours to manage it. I just need to simplify this and have it so that it is a set-it-and-forget-it for 6 months to 1 year and re-evaluate or update. So, if someone suggests IPSEC, I would not know how to configure anyway and you should expect another post. The same for AnyConnect or any of the other suggestions.
Thanks in advance for any advice.
Hi!
1. Set Calculation Mode property of ITEM_5 to Formula.
Formula property:
nvl(:Block_Name.ITEM_1, 0) + nvl(:Block_Name.ITEM_2, 0) + nvl(:Block_Name.ITEM_3, 0) + nvl(:Block_Name.ITEM_4, 0)
OR
Function_Name(Param_1,... Param_N);
Keep in mind that the ITEM_5 data will not be saved in the database.
2. The When-Validate-Item trigger is useful when it is necessary to store calculated item data in the database.
Rename your Post-Query trigger to When-Validate-Item.
Modify trigger: Store calculation result in the variable.
(Don't forget to round variable value!)
Then compare it with ITEM_5. If they are different - :ITEM_5 := var_name.
I prefer the first method. -
Hi people
I have configured Anyconnect access with split tunneling and I can connect with the username and password but the problem is: I can't connect to the two hosts I have given in my split tunneling. When I connect to anyconnect I get the IP address which I specified in the Pool but still can't connect to the hosts. Another question is how to tell ASA that only this IP address 10.54.112.90 should access via Anyconnect?
I am new to the ASA world so please bear with my questions if you think they're stupid.
Since you are able to connect but not able to access resources mentioned in split tunneling after connecting with VPN, it should be either a NAT or ACL issue, or maybe inspection if it's only ping that is not working.
If you can post your configuration then I can check it for you else you can follow the link mentioned below to verify your configuration as a sample for Anyconnect with split tunneling:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
Regarding the second question, it is not quite clear; however, if you are asking how to assign a specific address to a VPN user every time, then you can configure that in the username attributes, or you can assign it via a third-party authentication server like RADIUS/TACACS if you have one.
Hope that helps.
Regards,
Anuj
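The "NAT or ACL issue" diagnosis above comes down to two checks that can be done on paper before touching the ASA: is the host actually listed in the split-tunnel ACL (otherwise the client sends it straight to the internet, not the tunnel), and is the pool-to-host traffic covered by an identity (exempt) NAT rule on the ASA (otherwise it is translated on the way out and the return traffic never reaches the tunnel). The block below is an added example, not from the thread or from Cisco; the pool, split-tunnel entries and NAT rules are constructed sample values, and the two helper names are assumptions for illustration.

```python
"""Pre-check for AnyConnect split tunneling: is each split destination in the
ACL, and is pool-to-destination traffic covered by an identity NAT rule?

Added example, not from the thread above or from Cisco.  It models the
"NAT or ACL issue" diagnosis.  All values below are constructed samples.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: AnyConnect address pool, split-tunnel ACL entries, and
# identity-NAT rules as (source network, destination network) pairs, the way
# a "nat (inside,outside) source static ... destination static ..." rule
# on an ASA pairs them up.
VPN_POOL = "10.54.200.0/24"
SPLIT_TUNNEL_ACL = ["192.168.10.0/24", "10.54.112.90/32", "10.54.113.0/24"]
NAT_EXEMPT_RULES = [
    ("10.54.200.0/24", "192.168.10.0/24"),
    ("10.54.200.0/24", "10.54.112.0/24"),
]


def in_split_tunnel(host, split_acl):
    """True if the client will send traffic for `host` into the tunnel at all."""
    addr = ip_address(host)
    return any(addr in ip_network(entry) for entry in split_acl)


def covered_by_exempt_nat(pool, destination, rules):
    """True if some rule's source contains the whole pool and its
    destination contains the whole split-tunnel entry."""
    pool_net = ip_network(pool)
    dst_net = ip_network(destination)
    for src, dst in rules:
        src_net, rule_dst = ip_network(src), ip_network(dst)
        if pool_net.subnet_of(src_net) and dst_net.subnet_of(rule_dst):
            return True
    return False


def uncovered_split_destinations(pool, split_acl, rules):
    """Return the split-tunnel entries that no identity-NAT rule covers;
    these are the ones whose return traffic will not come back to the VPN."""
    return [d for d in split_acl if not covered_by_exempt_nat(pool, d, rules)]


if __name__ == "__main__":
    print("10.54.112.90 in split ACL:", in_split_tunnel("10.54.112.90", SPLIT_TUNNEL_ACL))
    print("10.54.120.5 in split ACL:", in_split_tunnel("10.54.120.5", SPLIT_TUNNEL_ACL))
    print("split entries without NAT exemption:",
          uncovered_split_destinations(VPN_POOL, SPLIT_TUNNEL_ACL, NAT_EXEMPT_RULES))
```

In the sample, 10.54.113.0/24 is in the split-tunnel ACL but no exempt rule covers it, which is exactly the symptom in the question: the client gets a pool address and builds the tunnel, yet that network stays unreachable. If every entry comes back covered and the hosts are still unreachable, the answer's remaining candidates (an interface ACL, or inspection when only ping fails) are where to look next.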