LDAP ON VPN CONCENTRATOR

I have a VPN 3015. I want my VPN users to be authenticated and authorized to the VPN 3015 through my Active Directory (LDAP).
For the Authentication server, I use Kerberos/Active Directory Server and it works when I test it.
But for the Authorization Server, I use an LDAP server (the same server as the authentication server), with all the parameters like Login DN, Base DN, naming attributes, but when I test it, it doesn't work. Why?
Thanks

The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html
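An added example, not from the thread or from Cisco: an offline sanity check of the three LDAP authorization parameters the question names (Login DN, Base DN, naming attribute). It validates DN syntax, escapes the user name for the search filter, flags the common mismatches, and prints the equivalent ldapsearch query so the lookup can be reproduced by hand against the domain controller. The DN values and host name are constructed placeholders.

```python
import re
import shlex

# Constructed placeholder values standing in for the concentrator's LDAP
# authorization server settings (assumptions, not values from the thread).
LOGIN_DN = "CN=vpnbind,OU=Service Accounts,DC=example,DC=local"
BASE_DN = "OU=VPN Users,DC=example,DC=local"
NAMING_ATTR = "sAMAccountName"


def parse_dn(dn):
    """Split an RFC 4514 DN into (attribute, value) pairs.

    Commas escaped with a backslash stay inside the value. Raises ValueError
    on an empty DN, a component without '=', or an empty attribute/value.
    """
    if not dn.strip():
        raise ValueError("DN is empty")
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"component {rdn!r} is not attr=value")
        attr, value = (part.strip() for part in rdn.split("=", 1))
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr) or not value:
            raise ValueError(f"bad RDN {rdn!r}")
        pairs.append((attr, value))
    return pairs


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_user_filter(naming_attr, username):
    """The search filter that looks up one user by the naming attribute."""
    return f"({naming_attr}={escape_filter_value(username)})"


def check_params(login_dn, base_dn, naming_attr):
    """Return a list of findings; an empty list means the parameters look consistent."""
    findings = []
    parsed = {}
    for label, dn in (("Login DN", login_dn), ("Base DN", base_dn)):
        try:
            parsed[label] = parse_dn(dn)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
    if len(parsed) == 2:
        # Both DNs should sit in the same domain (same DC= components).
        dcs = {k: [v.lower() for a, v in p if a.lower() == "dc"] for k, p in parsed.items()}
        if dcs["Login DN"] != dcs["Base DN"]:
            findings.append("Login DN and Base DN name different domain components")
    if naming_attr.lower() == "uid":
        findings.append("uid is not populated for AD users by default; "
                        "sAMAccountName is the AD logon name attribute")
    return findings


def ldapsearch_command(host, login_dn, base_dn, naming_attr, username):
    """Equivalent OpenLDAP ldapsearch query to reproduce the lookup by hand
    (-W prompts for the Login DN password instead of placing it on the command line)."""
    return " ".join(["ldapsearch", "-x", "-H", shlex.quote(f"ldap://{host}"),
                     "-D", shlex.quote(login_dn), "-W", "-b", shlex.quote(base_dn),
                     shlex.quote(build_user_filter(naming_attr, username))])


if __name__ == "__main__":
    for finding in check_params(LOGIN_DN, BASE_DN, NAMING_ATTR):
        print("finding:", finding)
    print(ldapsearch_command("dc01.example.local", LOGIN_DN, BASE_DN, NAMING_ATTR, "jdoe"))
```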

Similar Messages

  • VPN concentrator and webVPN

    Hi,
    Trying to set up a VPNc 3005 for WebVPN. The VPNc is configured with an NTP server so the clock is fine. I installed the SSL VPN client and SecureDesktop software onto the VPNc and created a local account and group. When I browse to https://vpnc/admin.html, I can manage the VPNc from the external interface, so the certificate is good.
    When I browse to http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both the SSL VPN client and Secure Desktop onto my WinXP (I have admin privilege on the XP machine), then it tells me that the VPN concentrator has a server certificate error. I've attached the screen shot. Anyone know what it is? Thanks.

    If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684

  • PIX, ASA or VPN concentrator & dynamic VPN

    Hi all,
    I need help what to use and how to do next.
    What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
    How to do that dynamically? Is it possible to do that with one certificate?
    Other question is what to use? ..PIX, ASA, VPN concentrator ?
    BR
    jl

    The PIX and VPNC are both end of sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preferred platform for Remote Access VPNs.
    You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
    "every user is member of more than one group "
    Some links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
    With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
    Pls. rate if helpful.
    Regards
    Farrukh

  • VPN Concentrator authentication with multiple domains

    I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access, but site A and site B have their own domains that are independent of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A's domain using site A's domain controller and authenticate users that belong to site B's domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
    Thanks in advance for any help.

    To authenticate users that belong to site A's domain using site A's domain controller, you should authenticate users that belong to site A's domain using site A's domain controller.

  • IP Address Assignment on VPN Concentrator through AD

    Is it possible to assign an IP address on a per-user basis using Active Directory as your authentication method for a group within the 3000 series VPN Concentrator?
    I know this can be done with ACS/RADIUS, but I do not see any documentation on how this can be accomplished using Active Directory as your external authentication server.

    Sorry for the thread title, it should be "reserve" not "reverse".
    I have been advised to read the "admin guide"
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml
    under the heading below:
    Assign a Specific IP Address to a User
    In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > identity.
    My question: I am using a production box (to avoid screwing up the whole system), does it affect anything if I want to create a specific group and assign a specific IP address to a user?
    On my PIX (the VPN is running parallel to the PIX, i.e. it is neither behind nor in front of the PIX) I have got these lines of configuration which are related to the VPN concentrator:
    nat (inside) 1 10.2.2.0 255.255.255.0 0 0 (IP for the VPN pool as seen in the figure)
    nat (inside) 1 172.168.1.0 255.255.255.0 0 0 (not related to VPN)
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0 (not related to VPN)
    global (outside) 1 10.1.1.150-10.1.1.155
    global (outside) 1 10.1.1.156
    route inside 10.2.2.0 255.255.255.0 192.168.55.254 1 (192.168.55.254 is the VPN Ethernet 1 IP address)
    http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg
    What I am thinking of doing is below (please comment):
    1- I want to modify the current group (see my VPN figure) to be from the range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
    2- Create another group called "mobile_users"
    3- Create a user called "commuter"
    4- Assign the user "commuter" to the group "mobile_user"
    5- Assign IP address 10.2.2.2 to the user "commuter"
    6- In the Cisco page that I have posted, it says: tick the option for "User address from Authentication Server". I do not think this will apply to me?
    Again, since I am using a production box, I have to make sure that the modifications above do not screw up the whole system.

  • CiscoWorks LMS 3.0.1 cannot archive configuration for Cisco 3000 series VPN concentrator

    Hi All,
    Our problem is, we have CiscoWorks LMS 3.0.1 and it cannot archive the configuration for a Cisco 3000 series VPN concentrator.
    Any help would be greatly appreciated.
    Thanks in advance.
    Samir

    Make sure you have filled out all of the HTTP/HTTPS credential data in DCR for these devices. RME will only use HTTPS to fetch VPN concentrator configurations.

  • ACS with VPN Concentrator : IP address attribution

    Hello,
    I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator,and if yes : how can I do, what is the procedure ? With the attribute Framed IP Address ? Does it work ?
    Thanks !
    Patrice

    Yes, it can be done and works very well. Under the RADIUS attributes, use:
    [014] Login-IP-Host
    NAS Specifies
    User Specifies
    Other
    Check "Other" and then add the IP address that you want to assign.

  • Replace 3005 VPN Concentrator

    We have two 3005 concentrators that need to be replaced.
    Is there anything equivalent that will allow for creation of groups, Cisco VPN client, web VPN and is reasonably priced?
    What do people generally do for a plug in replacement to the 3005 VPN concentrator?

    What is generally done about the cost?
    At the moment, the PIX firewalls are not EOL.
    If I replace the firewalls, just because the 3005 is EOL, will be a large expense correct?
    Also, at the moment, the firewall is passing through the traffic to the concentrator in a DMZ.
    What is the alternative in the ASA appliance?
    And, does the ASA allow for the creation of groups for access like the concentrator does?

  • What's replaced the vpn concentrator?

    Greenhorn here, I didn't set any of this up. We have three remote sites, sister institutions, that we share an app with. We house the app. One site has a VPN concentrator setup, the other two are using a point to point leased line. They each have a router that connects to a single router. They want to replace the leased lines with a VPN concentrator. Doing the digging I see the concentrators are EOL.
    So what's used to replace the concentrator today?  What's a solution today to move away from the leased lines? These are all cash poor non-profits. My guess is they'll say look on Ebay for a concentrator if the solution is too pricey.
    Thanks Jim

    Sorry it took so long but here's the output from sh version.
    Location 1
    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-I-M), Version 12.2(16a), RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Fri 18-Apr-03 19:25 by xxxxx
    Image text-base: 0x8000808C, data-base: 0x80A0EE84
    ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
    xxxxxxxxx uptime is 41 weeks, 3 days, 20 hours, 54 minutes
    System returned to ROM by power-on
    System image file is "flash:c2600-i-mz.122-16a.bin"
    cisco 2621 (MPC860) processor (revision 0x00) with 27648K/5120K bytes of memory.
    Processor board ID JAD07070EVT (2982455740)
    M860 processor: part number 5, mask 2
    Bridging software.
    X.25 software, Version 3.0.0.
    2 FastEthernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    32K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Location 2
    Cisco Internetwork Operating System Software
    IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Fri 14-Feb-03 14:34 by ccai
    Image text-base: 0x80008124, data-base: 0x80A94064
    ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
    xxxxxxxxxxx uptime is 14 weeks, 14 hours, 22 minutes
    System returned to ROM by power-on
    System image file is "flash:c1700-sy-mz.122-11.T6.bin"
    cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
    Processor board ID FOC0708028N (496857573), with hardware revision 0000
    MPC860P processor: part number 5, mask 2
    Bridging software.
    X.25 software, Version 3.0.0.
    1 FastEthernet/IEEE 802.3 interface(s)
    1 Serial network interface(s)
    WIC T1-DSU
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Location 3
    Cisco Internetwork Operating System Software
    IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Fri 14-Feb-03 14:34 by ccai
    Image text-base: 0x80008124, data-base: 0x80A94064
    ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
    Xxxxxxxxx uptime is 13 weeks, 6 days, 5 minutes
    System returned to ROM by reload
    System image file is "flash:c1700-sy-mz.122-11.T6.bin"
    cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
    Processor board ID FOC0707142M (1927840357), with hardware revision 0000
    MPC860P processor: part number 5, mask 2
    Bridging software.
    X.25 software, Version 3.0.0.
    1 FastEthernet/IEEE 802.3 interface(s)
    1 Serial network interface(s)
    WIC T1-DSU
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Location 4
    Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Mon 06-Nov-06 02:36 by alnguyen
    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
    xxxxxxxxxx uptime is 40 weeks, 5 days, 6 hours, 22 minutes
    System returned to ROM by reload at 13:34:01 UTC Thu Dec 27 2012
    System image file is "flash:c2800nm-advsecurityk9-mz.124-3g.bin"
    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to [email protected].
    Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
    Processor board ID FTX1051A01V
    2 FastEthernet interfaces
    2 Serial interfaces
    1 Virtual Private Network (VPN) Module
    DRAM configuration is 64 bits wide with parity enabled.
    239K bytes of non-volatile configuration memory.
    62720K bytes of ATA CompactFlash (Read/Write)
    Configuration register is 0x2102

  • Routing loop when tracing to remote ip address on vpn concentrator

    When I try and ping a remote address on my VPN 3000 concentrator I get TTL exceeded. When I try and tracert from my workstation to the remote address on my VPN 3000 I see a loop.
    Tracing route to x.3.17.145
    over a maximum of 30 hops:
     1    29 ms    31 ms    28 ms  172.4.0.20
     2    32 ms    30 ms    29 ms  172.4.0.25
     3    38 ms    29 ms    31 ms  172.3.0.21
     4    33 ms    30 ms    32 ms  172.4.0.25
     5    32 ms    49 ms    27 ms  172.3.0.21
     6    35 ms    30 ms    38 ms  172.4.0.25
     7    31 ms    28 ms    28 ms  172.3.0.21
     8    28 ms    28 ms    42 ms  172.4.0.25
     9    38 ms    27 ms    32 ms  172.3.0.21
    10    35 ms    28 ms    36 ms  172.4.0.25
    11    35 ms    27 ms    28 ms  172.3.0.21
    12    30 ms    28 ms    28 ms  172.4.0.25
    13    39 ms    30 ms    43 ms  172.3.0.21
    14    48 ms    28 ms    29 ms  172.4.0.25
    15    36 ms    28 ms    34 ms  172.3.0.21
    16    39 ms    39 ms    56 ms  172.4.0.25
    17    42 ms    38 ms    47 ms  172.3.0.21
    18    35 ms    39 ms    41 ms  172.4.0.25
    19    49 ms    32 ms    29 ms  172.3.0.21
    20    32 ms    28 ms    29 ms  172.4.0.25
    21    28 ms    43 ms    30 ms  172.3.0.21
    22    37 ms    32 ms    34 ms  172.4.0.25
    23    29 ms    31 ms    32 ms  172.3.0.21
    24    29 ms    33 ms    31 ms  172.4.0.25
    25    32 ms    41 ms    43 ms  172.3.0.21
    26    43 ms    29 ms    39 ms  172.4.0.25
    27    47 ms    33 ms    31 ms  172.3.0.21
    28    37 ms    29 ms    35 ms  172.4.0.25
    29    44 ms    30 ms    91 ms  172.3.0.21
    30    31 ms    41 ms    50 ms  172.4.0.25
    172.3.0.21 is my private interface on the vpn 3000.
    172.4.0.20 is my public interface on the vpn 3000.
    172.4.0.25 is the default gateway / router interface on my router.
    interface GigabitEthernet1/1/0.1
    description connected to LAN
    encapsulation dot1Q 1 native
    ip address 10.3.0.25 255.255.255.0
    interface GigabitEthernet0/0.4
    description vpn 3000 concentratorconnection
    encapsulation dot1Q 4
    ip address 10.4.0.25 255.255.255.0
    172.3.0.21 has no default gateway on the VPN concentrator.
    172.3.0.21 has a default gateway 172.4.0.25  on the vpn concentrator.

    Hi John
    could you clarify where you are pinging from and where you are pinging to please?
    From the LAN to a destination across a VPN tunnel?
    Or from a source across the VPN tunnel to a host on the concentrator's LAN?
    Or from a source across the VPN tunnel to a host on the Internet?
    I suppose your last line has a typo, it should be
    172.4.0.21 has a default gateway 172.4.0.25  on the vpn concentrator.
    right?
    Apart from the default gateway are there any other static routes configured on the vpn3k and the router? No dynamic routing protocol?
    tnx
    Herbert

  • Setup Sunray 3G with Cisco 3005 VPN concentrator

    hi,
    I first explain the setup situation:
    Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
    Do I need to set up a Sunray segment for not-directly connected networks, or do I need to set up one for directly connected networks?
    Can the Sunray server give IP addresses to the Gobi8 through a VPN tunnel, or do I need to let the Cisco handle the IP address management?
    Is there some info about what IKE proposal I need to select in the Cisco 3005?
    Any help would be appreciated.
    Thx

    I have not used the Gobi 8 but this is how I configure my SR 2, SR 2FS, and SR 270 for VPN; I believe the Gobi can do similar things. You will need to set up your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE, though you will have to set up groups etc. Since my DTUs move around I use DHCP, so the initial IP address comes from the local network; as part of connecting to the remote network the concentrator will issue an IP address for the SR server network. This has worked for me on wired and WiFi LANs. I do not know if it will work with 3G wireless but I do not see why it should not. Hope this helps and good luck.

  • AAA VPN Concentrator 3005

    Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning and after configuring it, I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session; nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working in the ACS logs but I am getting invalid login on the VPN Concentrator. Is there anything I can do at this point?

    Was using the wrong type cable to console into the Concentrator. Done a password reset from the console and that allowed me back in.
    Cheers
    Brian

  • Cisco 3005 vpn concentrator console cable

    Hi,
    I have just purchased a Cisco 3005 VPN concentrator and I need to know where I can get a console cable for it. The cable is different from the ones I have for my PIX and routers, as the connection at the concentrator end is a DB9 and not RJ45.
    I've tried looking on eBay but with no luck.
    PS: I live in England.
    Regards,
    Melvyn Brown

    Melvyn,
    Use a Straight Through Cable to console into the VPN3000.
    I hope it helps.
    Regards,
    Arul

  • VPN Concentrator High CPU

    Hello,
    I know I'm using an end of life product but was hoping for a little help. We are running a Cisco VPN Concentrator 3000, code version 4.7.2. We only have about 40-45 Site to Site Tunnels max. Total connections is 60.
    Every time we add a new site to site tunnel it is causing issues with our existing tunnels, with latency for users. We notice that the latency and CPU on the concentrator is very high, spiking at 100% for a good amount of time. Off hours this goes down. This has happened with a number of different new tunnels we have brought up over the last few months. We have new SEP cards installed. We cannot get any TAC support, so was hoping someone might have had the same issue and can assist.
    Thanks,

    Thanks Andrew. We'll look into adding the SEP-E module. Wouldn't that cause consistent high CPU utilization? We've only seen the CPU spike twice to 100% and stick. Normally it's around 2% so there's not much load on the concentrator. We thought there may be a known bug in the IOS.

  • Ciscoworks and VPN concentrator or PIX

    With plain old CiscoWorks LMS, is there anything useful that can be done with a PIX or a VPN concentrator, as there is no write community string? Can you do anything aside from viewing the box?

    Not via SNMP, since VPN and PIX boxes by design do not allow an SNMP RW string to be configured on them.
