Logging VPN access
I have an ASA5510 configured for remote access VPN (standard and clientless). It uses LDAP to authenticate against domain controllers in my environment.
Is there a way to configure syslog to log user access to the VPN (date & time, etc.), without turning on "logging trap informational" and filling up my syslog server with loads of other information (conduits opening, teardowns, etc.)?
I am syslogging to SolarWinds using UDP.
Hi Colin,
For this, you need to first know what message IDs you want syslog to receive. Say you want to receive the below message id 713059 (tunnel reject -user group-lock check failed) to syslog server...
logging list TEST message 713059
logging list TEST message 713070-713080 --> For range of messages
Configure syslog server on ASA and issue the command 'logging trap TEST'.
Check the below link for more info...
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml
hth
MS
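The effect of the reply's `logging list` / `logging trap TEST` commands, compared with `logging trap informational`, can be modelled offline. The following is an added example, not part of the original thread or of Cisco's documentation: the function names are hypothetical, it handles only the `message` form of `logging list` shown above, and the syslog lines (timestamps, severities and message text) are constructed samples.

```python
import re

# "%ASA-<severity>-<message id>:" tag carried by every ASA syslog message.
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):")
# "logging list <name> message <id>" or "logging list <name> message <lo>-<hi>".
LIST_CMD = re.compile(
    r"^logging list (?P<name>\S+) message (?P<lo>\d+)(?:-(?P<hi>\d+))?$")
TRAP_CMD = re.compile(r"^logging trap (?P<target>\S+)$")

# ASA severity keywords and their numeric levels (0 = most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}


def parse_logging_lists(config_text):
    """Return {list name: [(lo, hi), ...]} for every message-ID list entry."""
    lists = {}
    for raw in config_text.splitlines():
        m = LIST_CMD.match(raw.strip())
        if not m:
            continue  # not a "logging list ... message" line
        lo = int(m["lo"])
        hi = int(m["hi"] or lo)  # a single ID is a range of one
        if hi < lo:
            raise ValueError(f"reversed range in: {raw.strip()}")
        lists.setdefault(m["name"], []).append((lo, hi))
    return lists


def parse_trap(config_text):
    """Return the argument of the last 'logging trap' line, or None."""
    target = None
    for raw in config_text.splitlines():
        m = TRAP_CMD.match(raw.strip())
        if m:
            target = m["target"]
    return target


def would_forward(config_text, syslog_lines):
    """Message IDs, in order, that this config would send to the syslog server."""
    lists = parse_logging_lists(config_text)
    trap = parse_trap(config_text)
    forwarded = []
    for line in syslog_lines:
        m = ASA_TAG.search(line)
        if not m:
            continue  # not an ASA-tagged message
        sev, msgid = int(m["sev"]), int(m["msgid"])
        if trap in lists:          # trap names a message list: match by ID
            keep = any(lo <= msgid <= hi for lo, hi in lists[trap])
        elif trap in SEVERITY:     # trap names a level: match by severity
            keep = sev <= SEVERITY[trap]
        else:                      # no trap configured, or unknown target
            keep = False
        if keep:
            forwarded.append(msgid)
    return forwarded


# The two list commands from the reply, plus the trap command it recommends.
LIST_CONFIG = """\
logging enable
logging timestamp
logging list TEST message 713059
logging list TEST message 713070-713080
logging trap TEST
"""
# Same config with the setting the original poster wanted to avoid.
FLOOD_CONFIG = LIST_CONFIG.replace("logging trap TEST",
                                   "logging trap informational")

# Constructed sample lines; text and severities are placeholders.
SAMPLE_SYSLOG = [
    "Jan 01 2024 10:00:01: %ASA-6-302013: Built connection (constructed)",
    "Jan 01 2024 10:00:02: %ASA-6-302014: Teardown connection (constructed)",
    "Jan 01 2024 10:00:03: %ASA-3-713059: group-lock check failed (constructed)",
    "Jan 01 2024 10:00:04: %ASA-5-713075: message inside the range (constructed)",
    "Jan 01 2024 10:00:05: %ASA-7-713081: message outside the range (constructed)",
]

if __name__ == "__main__":
    print("logging trap TEST          ->", would_forward(LIST_CONFIG, SAMPLE_SYSLOG))
    print("logging trap informational ->", would_forward(FLOOD_CONFIG, SAMPLE_SYSLOG))
```

With the list in place only the listed IDs reach the server, whatever their severity; the connection build and teardown messages are dropped.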
Similar Messages
-
ASA 5505: VPN Access to Different Subnets
Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below is the configurations on our ASA,
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Hi Jouni-
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per your recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
.... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable, either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks! -
Questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN Access
Hi there,
I want to ask a series of questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN access and was hoping whether you could help me. Below are my questions to ask you.
Outlook Web App - What do I need to configure in order to get my Exchange account to work with the OWA app on my iPhone? Is Office 360 required on the server that hosts Outlook Web App in our organisation? When I configure the settings and
connect I get the following message "couldn't connect - We couldn't connect to the server. Check your information and make sure it's correct." I can connect with other devices using Outlook Web App.
Remote Desktop - What do I need to configure in order to connect to my computer at work using Remote Desktop on my Windows Phone? When I configure the settings and connect I get the following message "Connection error - We couldn't connect
to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Inquiring minds may find this error code helpful: 0x204" I can connect with other devices using Remote Desktop. There are currently no
RD Server settings in the Remote Desktop app on the Windows Phone and the only way I'm to connect to my PC at work is via Remote Desktop and not to be confused with the one by Microsoft, however the app is on a trial basis and times out every 5 minutes and
can only be used once every hour unless I purchased the app for £2.99 off the App Store but would ideally like to use the Microsoft Remote Desktop app though.
Remote Web Access - What do I need to configure in order to get Remote Web Access on my Windows Phone using a URL? When I log in using a URL I get the following message "There is a problem with this Web page. Please contact the person who manages
the server" I can connect with other devices using Remote Web Access. Also how do you enable the background option for Remote Web Access? I know how to do this in Remote Desktop but not in Remote Web Access. Remote Web Access works on PCs regardless
being onsite and offsite and on my iPhone, the same issue also occurs with my Nokia 5230s regardless of whether I'm using Opera Mobile or Mini or the latest Nokia Browser.
VPN access - How do you configure VPN access on a Windows Phone using VPN? I cannot find the protocols PPTP, L2TP, SSTP and IPsec in order to configure VPN access on the Windows Phone apart from IKEv2.
Many thanks,
RocknRollTim
Any help would be much appreciated.
Kind regards,
RocknRollTim -
VPN Access via LDAP authentication
Hello everyone,
I have setup an OS X server to serve as our department's VPN server. I am attempting to configure it to use an existing linux LDAP server for authentication, so that we don't need to have local accounts on the server. In the Directory Utility I have entered the information to point to our LDAP, and have it configured as RFC 2307 (Unix) for LDAP mappings. Everything in the Directory Utility appears that it considers the LDAP connection to be valid. In fact, from a terminal I can successfully finger users in LDAP.
In the Server Admin, I have selected the users that I wish to have VPN access (the LDAP users also show up in this list). However, when I try to connect to it, it fails almost immediately. Here is a snippet of the server's VPN log file (I have changed the IP addresses and hostname in the logfile to "*"):
2010-05-11 20:37:13 EDT Incoming call... Address given to client = **.***.***.**
Tue May 11 20:37:14 2010 : Directory Services Authentication plugin initialized
Tue May 11 20:37:14 2010 : Directory Services Authorization plugin initialized
Tue May 11 20:37:14 2010 : PPTP incoming call in progress from '**.***.***.**'...
Tue May 11 20:37:14 2010 : PPTP connection established.
Tue May 11 20:37:14 2010 : using link 0
Tue May 11 20:37:14 2010 : Using interface ppp0
Tue May 11 20:37:14 2010 : Connect: ppp0 <--> socket[34:17]
Tue May 11 20:37:14 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:14 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : lcp_reqci: returning CONFACK.
Tue May 11 20:37:17 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : sent [LCP EchoReq id=0x0 magic=0xaef8a1b5]
Tue May 11 20:37:17 2010 : sent [CHAP Challenge id=0xc6 <7636b1bad668b175a847d43875397f99>, name = "***.*****.edu"]
Tue May 11 20:37:17 2010 : rcvd [LCP EchoReq id=0x0 magic=0x1b8adf3d]
Tue May 11 20:37:17 2010 : sent [LCP EchoRep id=0x0 magic=0xaef8a1b5]
Tue May 11 20:37:17 2010 : rcvd [LCP EchoRep id=0x0 magic=0x1b8adf3d]
Tue May 11 20:37:17 2010 : rcvd [CHAP Response id=0xc6 <4a2f0f54d4ce55fe6d1308a8206c4b02000000000000000046f6233c5bb9ea82f6ef2164eb55ed a3355a931a6762101300>, name = "mouck"]
Tue May 11 20:37:17 2010 : sent [CHAP Failure id=0xc6 "\37777777677:\r\002"]
Tue May 11 20:37:17 2010 : CHAP peer authentication failed for mouck
Tue May 11 20:37:17 2010 : sent [LCP TermReq id=0x2 "Authentication failed"]
Tue May 11 20:37:17 2010 : rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Tue May 11 20:37:17 2010 : sent [LCP TermAck id=0x2]
Tue May 11 20:37:17 2010 : Connection terminated.
Tue May 11 20:37:17 2010 : PPTP disconnecting...
Tue May 11 20:37:17 2010 : PPTP disconnected
I am unsure why the authentication is not working. In the past, I have tried to configure the Open Directory service to be "Connected to a Directory System" but could never get the service to start. To be honest, I'm not even positive I need to have the Open Directory service running, since the authentication should hopefully be passed to our existing LDAP.
Any thoughts or suggestions would be greatly appreciated. Thanks very much!
Hi oleg,
It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site to site VPN with the device. For example if you try to connect the VPN client to the ASA and your public IP is 1.1.1.1 and on the same ASA if you have a Site to Site VPN already connected with an IP address 1.1.1.1 you will see the following error in the debug:
"cannot match peerless map when peer found in previous map entry."
Please check for the same; if that's the case, you are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc75090
You need a Cisco CCO ID to check the link.
Thanks
Jeet Kumar -
Tiger Server firewall issues - forwarding protocol 47 (GRE) for VPN access
Hi everybody,
I'm trying to allow VPN access to my Mac Pro running 10.4.10 Server. I've allowed the TCP and UDP ports, but the sticking point is this: the client tries to connect but I get a bunch of these in the firewall log:
Deny P:47 xxx.xxx.xxx.xxx(address initiating VPN) 10.0.100.222(MacPro local address) in via en0
After doing some research I figured I needed to allow protocol 47 (GRE) and so tried to add a rule via the "Advanced" tab for firewalls in server manager. I click the + button, select allow, leave the other field, select GRE, and then select from:any and to:any and the in dropdown. When I try to save and activate the rule, however, it complains that there is an error and that all subsequent rules are skipped. I've tried all the possible variations (within my parameters, of course) but it won't work.
Manually inspecting the /etc/ipfw file shows the rule added but without a specification for the GRE or protocol 47 part. i.e.:
add 1050 allow from any to any in
(This looks a little like a server manager bug to me, but I digress)
So I tried manually editing the file in /etc/ipfilter but no joy.
Being somewhat new to OSX I am getting flustered. Am I completely misunderstanding something here? While a search on "VPN GRE firewall" turns up about million hits, none seem applicable to my situation. Thanks in advance.
Try using the "Services" tab, selecting "any" (for example) and configuring the rule there.
The "Advanced" section will allow you to add rules that don't already exist, but there is already a rule for GRE so that might, possibly have something to do with the error you're getting. -
ASA 5510 and VPN access to remote site over Ext WAN
ASA 5510
int client IP 172.0.1.XXX /24
VPN Client IP 172.0.1.248 /29
Static routes in the ASA
1) 0.0.0.0 --- points to router1
2) 172.29.1.1 --- Points to router2
3) 172.29.1.2 --- Points to router2
Router1 Internet connection // VPN access in path
Router2 Dedicated line to offsite hosting // Dedicated routes in ASA
................../---- ROUTER 1
..Inside -- ASA --- outside (switch 2 rtrs)
..................\---- ROUTER 2
If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2
At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface, then I tried same-security-traffic permit intra-interface.
Both commands failed. Looking at the diagram I think it's something with the fact I VPN into this ASA. Now router2 sees our ASA as its external. So it sees our 208.12.*.* as the outgoing address and dest is 172.29.1.1 or .2
I did a capture on the outside interface and I see the following. Now these caps are from the inside PC's accessing the website.
3000 packets captured
1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360
4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456
5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482
Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?
Hi,
Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0
Something like this:-
access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0
nat (Inside) 0 access-list NONAT -
Port forwarding for clientless SSL VPN access
Hello,
I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
Why? It's not trying to access the same TCP port on a server when it's already in use. Is there anyway I can get around this?
If this doesn't make sense, please let me know and I'll do my best to explain it better.
Hi Caleb,
If you mean clientless webvpn port-forwarding lists, then you should be able to get your requirements. Even the same port of the same server can be mapped to different ports bound to the loopback IP.
CLI:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
then you apply the port-forwarder list under a group-policy
Hope this helps
Mashal
Mashal Alshboul -
Hello Experts,
I am deploying edq on weblogic.
After deployment, when launching the edq url I am getting the below error on firefox.
**Creating default directory in failed: \logging.properties (Access is denied)**
by default, it took the path as:
C:\oraclesw\oracle\middleware\user_projects\domains\oedq_dev_domain\servers\edqdev_server1\tmp\_WL_user\dndirector\1i3bzo\war\WEB-INF\config
I have unzipped the config.zip into above mentioned config folder.
When we restart the application server up and start the managed server, the deployment is in the failed status with the following message:
We have the Memory settings on the managed server set as : -Xmx5024M -XX:MaxPermSize=256M
<Jul 11, 2013 4:45:13 PM EDT> <Warning> <Deployer> <BEA-149004> <Failures were detected while initiating start task for application 'dndirector'.>
<Jul 11, 2013 4:45:13 PM EDT> <Warning> <Deployer> <BEA-149078> <Stack trace for message 149004
weblogic.application.ModuleException:
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1520)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
Truncated. see log file for complete stacktrace
Caused By: java.lang.ClassNotFoundException: com.datanomic.utils.transport.TransportSignature
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
Truncated. see log file for complete stacktrace
>
<Jul 11, 2013 4:49:42 PM EDT> <Warning> <netuix> <BEA-423420> <Redirect is executed in begin or refresh action. Redirect url is /console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationOverviewPage&WebAppApplicationOverviewPortlethandle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3Ddndirector%2CType%3DAppDeployment%22%29.> -
Server.log and access file previous record are overwrite
Hi,
I am having a problem that my server.log and access file in all instances have been overwritten by the latest record. Supposedly all the system.out.print will append to the server.log. However, my problem is the log which has been written to server.log at an earlier time (maybe morning till afternoon) is replaced. From the server.log, I am only able to view the log which starts from 11 pm. The same case happens to the access file as well. This incident does not happen every day but sometimes.
I am wondering what is happening and how I can solve the problem.
Any help/guidance is highly appreciated.
Thanks.
Hi,
Did anyone know the solution for this issue?
Thanks. -
Log file (access.log) of the internal ITS
Hello,
Does anybody know how to access the logfiles of the internal ITS? In particular I'm looking for the log file access.log which you had for the external ITS, accessible over the ITS admin page http://<servername>/scripts/wgate/admin/!
The log file logged all users and the transactions they accessed over time in the format
2006/10/21 18:39:16.093, 0 #197349: IP ???.???.???.???, -its_ping
Thanks in advance,
Kai Mattern
hi
good
go through these links, i hope these ll help you to solve your problem.
http://www.hp.com/hpbooks/prentice/chapters/0130280844.pdf
http://help.sap.com/saphelp_46c/helpdata/en/5d/ca5237943a1e64e10000009b38f8cf/content.htm
thanks
mrutyun^ -
VPN access to a Watchguard firewall using Radius credentials
Good morning, I have an Ipod Touch 4G that I would like to use to connect to our Watchguard firewall using the built in VPN client and pptp
I am the person onsite that manages the Watchguard firewall(s) (x553 with 10.2.12 firmware) , which are setup for pptp vpn access using Windows Radius servers. The users use their Active Directory credentials to make the VPN connections.
I have several macs at home, including an iMac and Mac mini and both of them can easily make VPN connections to the Watchguard firewall using pptp VPN access with Radius credentials.
The setup I have been trying on the ipod Touch 4g is using the dns name for the firewall (published in Network Solutions DNS). I have also tried the outside address of each firewall. For the account, since we are using a Radius connection into Active Directory, I put my login in the format of domain\username . RSA SecurID is On, the Encryption level is set to Auto and Send all traffic is off.
In my testing so far, the Ipod Touch starts the connection, starts authenticating to Radius and fails. If I turned off RSA SecurID, no authentication is attempted, so it looks like this needs to stay turned on. It doesn't seem to matter if Send all traffic is off or on. Having it off is preferable as I don't want to send all Internet traffic through the firewall when connected via VPN.
So, I basically duped the setup of the VPN on the Ipod Touch based on my setup that's working on the Mac Mini and Imacs at home. But VPN on the iPod Touch 4g with the latest version of IOS is not working.
Does anyone have this kind of configuration working on the iPod Touch 4g or know if this is a shortcoming of this version of the Ipod or IoS?
Thanks,
Leo
I fixed my vpn connection on the iPod Touch. This is what works for Radius login to a Watchguard firewall:
Server (DNS name or ip address).
Account domainname\username
RSA SecurID off
Encryption level Auto
Send All Traffic off.
Leo -
Ios VPN access form handled devices
hi
someone here had configured on a router the vpn access form handled devices?
Really I don't know where to start!
You must select one of the following modes of operation when you enable the PIX Firewall as an Easy VPN Remote device:
Client mode: In this mode, VPN connections are initiated by traffic, so resources are only used on demand. In client mode, the PIX Firewall applies Network Address Translation (NAT) to all IP addresses of clients connected to the inside (higher security) interface of the PIX Firewall. To use this mode, you must also enable the DHCP server on the inside interface, as described in "Using the PIX Firewall DHCP Server."
Network extension mode: In this mode, VPN connections are kept open even when not required for transmitting traffic. This option does not apply NAT to any IP addresses of clients on the inside (higher security) interface of the PIX Firewall.
In network extension mode, the IP addresses of clients on the inside interface are received without change at the Easy VPN Server. If these addresses are registered with the Network Information Center (NIC), they may be forwarded to the public Internet without further processing. Otherwise, they may be translated by the Easy VPN Server or forwarded to a private network without translation.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72d.html -
Morning all,
Yesterday I completed the installation of my SRP527W to my existing LAN.
I'm now trying to configure for VPN access and I'm not having much luck.
I'm running Windows Server 2003 and I just did the following:
Manage Your Server - Remote Access/VPN Server - Manage this remote access/VPN Server - IP Routing - Static Routes and here I added our new static IP address.
Having done that, no one here can access the server yet, so I'm wondering if I need to set up the router to allow VPN traffic.
Do I need to add individual profiles for people trying to gain access?
Can someone give me some advice on what I need to do, because it appears that we can't seem to get past the router.
Many Thanks
*ADDITIONAL*
I have now solved this - I needed to input the port forwarding settings to the router which now enables the pass-through.
ISSUE RESOLVED
OpenVPN will do the job for you - it's relatively easy to set up and it's cross-platform.
-
OSX Server + Billion 5200G RC VPN Access
Hello,
We are a small design studio looking at setting up a VPN to access local files whilst on the road. I believe I have all the configuration set up correctly in Mac OSX server but I am a little out of my element when it comes to knowing which ports to forward on the router and whether it is even set up to accept VPN connections.
If anyone has experience setting up VPN access with the Billion 5200G RC Router I would be indebted to you.
Thanks
Michael
(designer @ false behaving animals)
I ran through those processes, and for the last one got file not found
/System/Library/LaunchDaemons/com.apple.pfctl: file does not exist or is not readable or is not a regular file
Is there a way to verify that the adaptive firewall is running?
thanks -
10.9.3 update stops VPN access to Server on Mac Mini
Having finally had the L2TP VPN issues solved after joining the 10.9.1 beta program for Mavericks and getting VPN access to our Mac Mini Server running again, the 10.9.3 update has broken it once more. It's been working since 10.9.1 and through both 10.9.2 and the 10.9.3 beta program, but after installing the final 10.9.3 update (without changing any settings on the Server App) last night it broke (immediately after using the VPN to cheekily watch iPlayer abroad, so it was certainly working!) - now comes up with 'Authentication Failed'.
This happens on iOS devices as well, and all have authentication details stored (though naturally I have since tried recreating VPN configurations from scratch) so doesn't appear to be client end.
Same here, although the issue is slightly different.
Updated Mac Mini with Server.app to 10.9.3; L2TP VPN still works from my Mac running 10.9.3, which connects as normal.
However, other clients (Windows and Android) would encounter an error when trying to establish a connection to the server.
Windows client would fail with Error 789; previous to the update it was working.
May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 started (Initiated by peer).
May 18 18:58:13 mms.private racoon[413]: invalid DH group 20.
May 18 18:58:13 mms.private racoon[413]: invalid DH group 19.
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 1).
May 18 18:58:13 mms.private racoon[413]: >>>>> phase change status = Phase 1 started by us
May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 3).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
May 18 18:58:13 mms.private racoon[413]: IKEv1 Phase 1 AUTH: success. (Responder, Main-Mode Message 5).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 5).
May 18 18:58:13 mms.private racoon[413]: IKEv1 Phase 1 Responder: success. (Responder, Main-Mode).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 6).
May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 established (Initiated by peer).
May 18 18:58:14 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:14 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:16 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:16 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:18 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:18 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:21 mms.private racoon[413]: IKE Packet: transmit success. (Information message).
May 18 18:58:21 mms.private racoon[413]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
May 18 18:58:23 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:23 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:31 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:31 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:47 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:47 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:59:04 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:59:04 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:59:18 mms.private racoon[413]: IKE Packet: receive success. (Information message).
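A triage sketch for the racoon log in the post above, added here as an example (not code from the thread or from Apple): it reduces the lines to the DH groups racoon logged as invalid, whether Phase 1 established, and how many Phase 2 attempts were dropped. The sample lines are constructed in the log's format; the hostname `vpn.example` and the function names are assumptions.

```python
import re

# Constructed sample lines, in the format of the racoon log posted above.
SAMPLE_LOG = """\
May 18 18:58:13 vpn.example racoon[413]: IPSec Phase 1 started (Initiated by peer).
May 18 18:58:13 vpn.example racoon[413]: invalid DH group 20.
May 18 18:58:13 vpn.example racoon[413]: invalid DH group 19.
May 18 18:58:13 vpn.example racoon[413]: IPSec Phase 1 established (Initiated by peer).
May 18 18:58:14 vpn.example racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:14 vpn.example racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:16 vpn.example racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:21 vpn.example racoon[413]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
this line is not syslog and must be skipped
"""

LINE_RE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ racoon\[\d+\]: (?P<msg>.*)$")
DH_RE = re.compile(r"^invalid DH group (\d+)\.$")


def summarize(log_text):
    """Reduce racoon syslog lines to the facts needed to triage a failed tunnel."""
    out = {"rejected_dh_groups": [], "phase1_established": False,
           "phase2_dropped": 0, "isakmp_sa_deleted": False, "unparsed": 0}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            out["unparsed"] += bool(raw.strip())  # count non-empty junk lines
            continue
        dh = DH_RE.match(m["msg"])
        if dh:
            out["rejected_dh_groups"].append(int(dh.group(1)))
        elif m["msg"].startswith("IPSec Phase 1 established"):
            out["phase1_established"] = True
        elif m["msg"].startswith("IKEv1 Phase 2 Initiator: dropped"):
            out["phase2_dropped"] += 1
        elif "Delete ISAKMP-SA" in m["msg"]:
            out["isakmp_sa_deleted"] = True
    return out


def phase2_blocked(summary):
    """True for the pattern in the post: Phase 1 completes, Phase 2 is dropped."""
    return summary["phase1_established"] and summary["phase2_dropped"] > 0


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s, "phase2_blocked =", phase2_blocked(s))
```

Run against a saved copy of the server's racoon log, a true `phase2_blocked` with a non-empty `rejected_dh_groups` list gives the two facts worth comparing between a working and a failing client.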