Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth

Hello all,
I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
Their authentication process is two steps. It binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. In step 2, it binds to the directory with the DN it found when searching and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
We opened a TAC case with Cisco, and this is their response:
The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config, but that doesn't seem to make any difference to the ASA. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?

My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either.
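The search-then-bind sequence described in the first post can be reproduced outside the appliance to see which of the two steps the directory rejects, and with what result code. This is an added example, not code from the original post, Cisco or Sun: a pure-Python client that hand-encodes the LDAPv3 messages per RFC 4511, so it needs no LDAP library; host, port, base DN, service-account DN and credentials are placeholders the caller supplies, and LDAPS is assumed unless switched off.

```python
import socket
import ssl

def _ber_len(n):  # BER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content

def _int(n, tag=0x02):  # non-negative INTEGER, or ENUMERATED with tag=0x0A
    return _tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def _str(s):
    return _tlv(0x04, s.encode("utf-8"))

def _msg(msg_id, op):  # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    return _tlv(0x30, _int(msg_id) + op)

def bind_request(msg_id, dn, password):
    """Simple BindRequest [APPLICATION 0]: version 3, name, simple [0] password."""
    return _msg(msg_id, _tlv(0x60, _int(3) + _str(dn) + _tlv(0x80, password.encode("utf-8"))))

def search_request(msg_id, base_dn, attr, value):
    """SearchRequest [APPLICATION 3] for (attr=value): wholeSubtree (2), never deref (0),
    sizeLimit 1, timeLimit 10 s, typesOnly false, attribute list "1.1" = return the DN only.
    The user-typed value rides inside equalityMatch [3] as a raw OCTET STRING: no escaping."""
    flt = _tlv(0xA3, _str(attr) + _str(value))
    body = (_str(base_dn) + _int(2, 0x0A) + _int(0, 0x0A) + _int(1) + _int(10)
            + _tlv(0x01, b"\x00") + flt + _tlv(0x30, _str("1.1")))
    return _msg(msg_id, _tlv(0x63, body))

def _read_tlv(buf, pos=0):  # decode one TLV at pos -> (tag, content, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_message(buf):  # LDAPMessage -> (messageID, protocolOp tag, protocolOp content)
    _, seq, _ = _read_tlv(buf)
    _, mid, pos = _read_tlv(seq)
    op_tag, op, _ = _read_tlv(seq, pos)
    return int.from_bytes(mid, "big"), op_tag, op

def result_code(op):
    """LDAPResult: resultCode, matchedDN, diagnosticMessage (0 = success, 49 = invalidCredentials)."""
    _, code, pos = _read_tlv(op)
    _, _, pos = _read_tlv(op, pos)  # skip matchedDN
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def _recv_message(sock):  # read exactly one BER-framed LDAPMessage (long-form lengths too)
    def exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("directory closed the connection")
            data += chunk
        return data
    hdr = exact(2)
    ln, extra = hdr[1], b""
    if ln & 0x80:
        extra = exact(ln & 0x7F)
        ln = int.from_bytes(extra, "big")
    return hdr + extra + exact(ln)

def _connect(host, port, use_tls):  # LDAPS by default: otherwise both passwords cross in clear
    sock = socket.create_connection((host, port), timeout=10)
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host) if use_tls else sock

def search_then_bind(host, port, service_dn, service_pw, base_dn, naming_attr, username, password, use_tls=True):
    """Reproduce the appliance's two-step flow; returns (ok, detail) naming the failing step."""
    # RFC 4513 5.1.2: an empty password makes this an unauthenticated bind that many servers accept
    if not password:
        return False, "empty password refused (would be an unauthenticated bind)"
    with _connect(host, port, use_tls) as s:  # step 1: bind as the service account and search
        s.sendall(bind_request(1, service_dn, service_pw))
        code, diag = result_code(parse_message(_recv_message(s))[2])
        if code != 0:
            return False, "service bind failed: %d %s" % (code, diag)
        s.sendall(search_request(2, base_dn, naming_attr, username))
        user_dn = None
        while True:
            _, tag, op = parse_message(_recv_message(s))
            if tag == 0x64:    # SearchResultEntry: objectName is its first element
                user_dn = _read_tlv(op)[1].decode("utf-8")
            elif tag == 0x65:  # SearchResultDone (0x73 continuation references are skipped)
                break
        s.sendall(_msg(3, b"\x42\x00"))  # UnbindRequest [APPLICATION 2], like the appliance does
    if user_dn is None:
        return False, "no entry matches (%s=%s)" % (naming_attr, username)
    with _connect(host, port, use_tls) as s:  # step 2: bind as the user's own DN
        s.sendall(bind_request(1, user_dn, password))
        code, diag = result_code(parse_message(_recv_message(s))[2])
    return code == 0, "%s: result %d %s" % (user_dn, code, diag)
```

A non-zero result code and diagnostic message from the second bind identifies a directory-side cause (ACI, password policy, credentials), while a service-bind or search failure points at step 1.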

Similar Messages

  • Hi, We are a physiotherapy practice trying to use i-cal as a clinic diary system for 15 therapists. We need to block out availability of therapists but can't do this? How can you block someone's diary out for specific times on i-cal? Any help please..

    Hi, We are a physiotherapy practice trying to use i-cal as a clinic diary system for 15 therapists. We need to block out availability of therapists but can't do this? How can you block someone's diary out for specific times on i-cal? Any help please..

    iCal is designed for personal use, and isn't really meant to handle this sort of situation.
    The best suggestion I can offer, though it's a trifle untidy, is: create a calendar for each therapist, giving each a different colour. Enter the availability for each therapist - if it's on a weekly basis you can make them repeating events. Then add the individual appointments, which will show alongside in the daily view. In this example, the 'purple' therapist is available from 1030 to 1700 and has appointments at 1200 and 1500.
    If you have more than a few therapists available at any one time it's liable to look a bit messy, but it's the best I can think of at the moment.

  • High CPU due to dispatch unit in cisco ASA 5540

    Hi Any suggestion help
    High CPU due to dispatch unit in cisco ASA 5540
    ciscoasa# sh processes cpu-usage
    PC         Thread       5Sec     1Min     5Min   Process
    0805520c   ad5afdf8     0.0%     0.0%     0.0%   block_diag
    081a8d34   ad5afa08    82.6%    82.1%    82.3%   Dispatch Unit
    083b6c05   ad5af618     0.0%     0.0%     0.0%   CF OIR
    08a60aa0   ad5af420     0.0%     0.0%     0.0%   lina_int
    08069f06   ad5aee38     0.0%     0.0%     0.0%   Reload Control Thread
    08072196   ad5aec40     0.0%     0.0%     0.0%   aaa
    08c76f3d   ad5aea48     0.0%     0.0%     0.0%   UserFromCert Thread
    080a6f36   ad5ae658     0.0%     0.0%     0.0%   CMGR Server Process
    080a7445   ad5ae460     0.0%     0.0%     0.0%   CMGR Timer Process
    081a815c   ad5ada88     0.0%     0.0%     0.0%   dbgtrace
    0844d75c   ad5ad2a8     0.0%     0.0%     0.0%   557mcfix
    0844d57e   ad5ad0b0     0.0%     0.0%     0.0%   557statspoll
    08c76f3d   ad5abef8     0.0%     0.0%     0.0%   netfs_thread_init
    09319755   ad5ab520     0.0%     0.0%     0.0%   Chunk Manager
    088e3f0e   ad5ab328     0.0%     0.0%     0.0%   PIX Garbage Collector
    088d72d4   ad5ab130     0.0%     0.0%     0.0%   IP Address Assign
    08ab1cd6   ad5aaf38     0.0%     0.0%     0.0%   QoS Support Module
    08953cbf   ad5aad40     0.0%     0.0%     0.0%   Client Update Task
    093698fa   ad5aab48     0.0%     0.0%     0.0%   Checkheaps
    08ab6205   ad5aa560     0.0%     0.0%     0.0%   Quack process
    08b0dd52   ad5aa368     0.0%     0.0%     0.0%   Session Manager
    08c227d5   ad5a9f78     0.0%     0.0%     0.0%   uauth
    08bbf615   ad5a9d80     0.0%     0.0%     0.0%   Uauth_Proxy
    08bf5cbe   ad5a9798     0.0%     0.0%     0.0%   SSL
    08c20766   ad5a95a0     0.0%     0.0%     0.0%   SMTP
    081c0b4a   ad5a93a8     0.0%     0.0%     0.0%   Logger
    08c19908   ad5a91b0     0.0%     0.0%     0.0%    Syslog Retry Thread
    08c1346e   ad5a8fb8     0.0%     0.0%     0.0%   Thread Logger
    08e47c82   ad5a81f0     0.0%     0.0%     0.0%   vpnlb_thread
    08f0f055   ad5a7a10     0.0%     0.0%     0.0%   pci_nt_bridge
    0827a43d   ad5a7620     0.0%     0.0%     0.0%   TLS Proxy Inspector
    08b279f3   ad5a7428     0.0%     0.0%     0.0%   emweb/cifs_timer
    086a0217   ad5a7230     0.0%     0.0%     0.0%   netfs_mount_handler
    08535408   ad5a7038     0.0%     0.0%     0.0%   arp_timer
    0853d18c   ad5a6e40     0.0%     0.0%     0.0%   arp_forward_thread
    085ad295   ad5a6c48     0.0%     0.0%     0.0%   Lic TMR
    08c257b1   ad5a6a50     0.0%     0.0%     0.0%   tcp_fast
    08c28910   ad5a6858     0.0%     0.0%     0.0%   tcp_slow
    08c53f79   ad5a6660     0.0%     0.0%     0.0%   udp_timer
    080fe008   ad5a6468     0.0%     0.0%     0.0%   CTCP Timer process
    08df6853   ad5a6270     0.0%     0.0%     0.0%   L2TP data daemon
    08df7623   ad5a6078     0.0%     0.0%     0.0%   L2TP mgmt daemon
    08de39b8   ad5a5e80     0.0%     0.0%     0.0%   ppp_timer_thread
    08e48157   ad5a5c88     0.0%     0.0%     0.0%   vpnlb_timer_thread
    081153ff   ad5a5a90     0.0%     0.0%     0.0%   IPsec message handler
    081296cc   ad5a5898     0.0%     0.0%     0.0%   CTM message handler
    089b2bd9   ad5a56a0     0.0%     0.0%     0.0%   NAT security-level reconfiguration
    08ae1ba8   ad5a54a8     0.0%     0.0%     0.0%   ICMP event handler
    I want exact troubleshooting.
    (1) Steps to follow.
    (2) Required configuration
    (3) Any good suggestions
    (4) Any Tool to troubleshoot.
    Suggestions are welcome

    Hello,
    NMS is probably not the right community to t/s this. You probably want to move this to Security group (Security > Firewalling).
    In the meanwhile, I have some details to share for you to check, though I am not a security/ASA expert.
    The Dispatch Unit is a process that continually runs on single-core ASAs (models 5505, 5510, 5520, 5540, 5550). The Dispatch Unit takes packets off of the interface driver and passes them to the ASA SoftNP for further processing; it also performs the reverse process.
    To determine if the Dispatch Unit process is utilizing the majority of the CPU time, use the commands show cpu usage and show process cpu-usage sorted non-zero.
    show cpu usage (and show cpu usage detail) will show the usage of the ASA CPU cores:
    ASA# show cpu usage
    CPU utilization for 5 seconds = 0%; 1 minute: 1%; 5 minutes: 0%
    show process cpu-usage sorted non-zero will display a sorted list of the processes that are using the CPU.
    In the example below, the Dispatch Unit process has used 50 percent of the CPU for the last 5 seconds:
    ASA# show process cpu-usage sorted non-zero
    0x0827e731 0xc85c5bf4 50.5% 50.4% 50.3% Dispatch Unit
    0x0888d0dc 0xc85b76b4 2.3% 5.3% 5.5% esw_stats
    0x090b0155 0xc859ae40 1.5% 0.4% 0.1% ssh
    0x0878d2de 0xc85b22c8 0.1% 0.1% 0.1% ARP Thread
    0x088c8ad5 0xc85b1268 0.1% 0.1% 0.1% MFIB
    0x08cdd5cc 0xc85b4fd0 0.1% 0.1% 0.1% update_cpu_usage
    If Dispatch Unit is listed as a top consumer of CPU usage, then use this document to narrow down what might be causing the Dispatch Unit process to be so active.
    Most cases of high CPU utilization occur because the Dispatch Unit process is high. Common causes of high utilization include:
    Oversubscription
    Routing loops
    Host with a high number of connections
    Excessive system logs
    Unequal traffic distribution
    More t/s details can be shared by the ASA members from the community.
    HTH
    -Thanks
    Vinod

  • HT4113 My sister just handed me one of her old iPhones, but when I am trying to use it, it is showing "iPhone is disabled, please connect to iTunes", and when I am trying to use it in recovery mode it is asking for an update and when doing so it is showing an error.

    Well my sister lives in the US and she just handed me her old iPhone 3GS. The phone was locked to AT&T. While trying to access it an error message is popping up that the iPhone is disabled, please connect to iTunes. Well I downloaded a new version of iTunes and while connecting it in recovery mode and trying to update it, it is giving an error. I asked my sister to unlock the phone so I could use it on any network. She has applied for it and will get the code in one week. What should I do?? Please help.

    Restore the device as new with an AT&T SIM card or wait until it is unlocked and restore as new with another carrier's SIM.

  • HT204053 I tried to use a card and it will not work for my App Store

    I tried to put a different card on file but it won't let me

    By not letting you, you mean ... ?
    If you are trying to use a debit card then I don't think that they are still accepted as a valid payment method - they are not listed on this page and there have been a number of posts recently about them being declined
    If it's a credit card then is it registered to exactly the same name and address (including format and spacing etc) that you have on your iTunes account, it was issued by a bank in your country and you are currently in that country ? If it is and it's being declined then you could check with the card issuer to see if it's them that are declining it, and if not then try contacting iTunes support and see if they know why it's being declined : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page, then Account Management
    If it's something else then some info as to what happens and when would be useful.

  • Cisco ASA 5505 L2TP VPN cannot access internal network

    Hi,
    I'm trying to configure a Cisco L2TP VPN to my office. After a successful connection I cannot access the internal network.
    Can you help me find out the issue?
    I have Cisco ASA:
    inside network - 192.168.1.0
    VPN network - 192.168.168.0
    I have router 192.168.1.2 and I cannot ping or get access to this router.
    Here is my config:
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 198.X.X.A 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network net-all
    subnet 0.0.0.0 0.0.0.0
    object network vpn_local
    subnet 192.168.168.0 255.255.255.0
    object network inside_nw
    subnet 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool sales_addresses 192.168.168.1-192.168.168.254
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic net-all interface
    nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
    nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
    object network vpn_local
    nat (outside,outside) dynamic interface
    object network inside_nw
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.5-192.168.1.132 inside
    dhcpd dns 75.75.75.75 76.76.76.76 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy sales_policy internal
    group-policy sales_policy attributes
    dns-server value 75.75.75.75 76.76.76.76
    vpn-tunnel-protocol l2tp-ipsec
    username ----------
    username ----------
    tunnel-group DefaultRAGroup general-attributes
    address-pool sales_addresses
    default-group-policy sales_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
    : end
    Thanks for your help.

    You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
    policy-map global_policy
      class inspection_default
        inspect icmp
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Cisco ASA 5505 SSL VPN

    Hi Everyone,
    In my study home lab, I wanted to configure a Cisco ASA 5505 (Base license) to allow SSL VPN. I carefully followed the configuration procedure as instructed in a short video I downloaded from YouTube.
    I configured my outside e0/0 with a valid static IP address; unfortunately the VPN connection times out on a remote (different) internet connection. But if I connect to my own internet line using Wi-Fi, the VPN (AnyConnect SSL VPN client) connection is established.
    I need help to solve this mystery. Please find attached the ASA config: #show run
    I hope my explanation makes sense; if not, accept my apology, I am just new to Cisco technology.
    Best regards,
    BEN

    If you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
    I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA.

  • Cisco ASA 5505 - 1st VPN works, 2nd VPN can't get traffic across

    This is my first Cisco configuration ever so go easy on me.  A lot of the commands that I used here I don't really understand.  I got them from Googling configs.  I have the need for more than one VPN on this thing, and I've been fighting with this thing for hours today without any luck.
    The first VPN I set up, labeled vpn1 here, works perfectly. I connect via the public IP on the DSL and I can get traffic to my 192.168.1.0/24 network without any problems.
    I pretty much duplicated the configuration for the 2nd VPN, just replacing my 192.168.1.0/24 subnet w/ the network connected to a third interface on the ASA (10.4.0.0 255.255.240.0).  I successfully make connection to this VPN, but I cannot get traffic to traverse the VPN.  I'm using the address 10.4.0.1 to test pings.  The ASA itself can ping 10.4.0.1 as that interface of the ASA has 10.4.13.10 255.255.240.0, which is the same subnet (range is 10.4.0.0 - 10.4.15.255).
    Here is my config (edited for names and passwords)
    ciscoasa# show run
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password ********** encrypted
    passwd ********** encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ISP_DSL
    ip address pppoe setroute
    interface Vlan3
    no forward interface Vlan1
    nameif private
    security-level 100
    ip address 10.4.13.10 255.255.240.0
    ftp mode passive
    access-list 100 extended permit icmp any any
    access-list nonat remark ACL for Nat Bypass
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 10.4.0.0 255.255.240.0 192.168.3.0 255.255.255.0
    access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
    access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
    access-list vpn_SplitTunnel standard permit 10.4.0.0 255.255.240.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1492
    mtu private 1500
    ip local pool vpn1pool 192.168.2.100-192.168.2.110
    ip local pool vpn2pool 192.168.3.100-192.168.3.110
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (private) 0 access-list nonat
    access-group 100 in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 30 set transform-set strong-des
    crypto map vpn1 65535 ipsec-isakmp dynamic dynmap
    crypto map vpn1 interface outside
    crypto map vpn2 65535 ipsec-isakmp dynamic dynmap
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 11
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 10
    console timeout 0
    vpdn group ISP_DSL request dialout pppoe
    vpdn group ISP_DSL localname [email protected]
    vpdn group ISP_DSL ppp authentication chap
    vpdn username [email protected] password **********
    dhcp-client update dns
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.200 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpn2 internal
    group-policy vpn2 attributes
    vpn-idle-timeout 120
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_SplitTunnel
    group-policy vpn1 internal
    group-policy vpn1 attributes
    vpn-idle-timeout 120
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_SplitTunnel
    username cssadmin password ********** encrypted
    username vpn2user password ********** encrypted
    username vpn1user password ********** encrypted
    tunnel-group vpn1-VPN type remote-access
    tunnel-group vpn1-VPN general-attributes
    address-pool vpn1pool
    default-group-policy vpn1
    tunnel-group vpn1-VPN ipsec-attributes
    pre-shared-key **********
    tunnel-group vpn2-VPN type remote-access
    tunnel-group vpn2-VPN general-attributes
    address-pool vpn2pool
    default-group-policy vpn2
    tunnel-group vpn2-VPN ipsec-attributes
    pre-shared-key *****
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f5137c68c4b4a832c9dff8db808004ae
    : end
    Theories: after fighting with it for a while and having another guy in my office look at it, we decided that the problem is probably that even though the pings are probably reaching 10.4.0.1, they have no route back to my VPN subnet 192.168.3.0/24. I contacted the admins of the 10.4.0.0 network and asked if they could add a route to 192.168.3.0/24 via 10.4.13.10, but he said there is no router or default gateway on the network to even configure.
    So, what do I do?  Maybe NAT the VPN traffic?  If that is the correct answer, what lines would I put/change in the config to NAT that traffic.
    I'm assuming the reason the 1st VPN works is because the ASA is the default gateway for the inside 192.168.1.0/24 network.
    Thanks in advance for any insight you can provide.

    Hello Belnet,
    What do the logs show from the ASA.
    Can you post them ??
    Any other question..Sure..Just remember to rate all of the community answers.
    Julio

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum. I set up my home DC and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet). I was no longer able to ping some devices; then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
    Everything seems fine internally with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enabled the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have the problem with your no-nat configuration..... you need to exempt NAT for the traffic from 172.16.10.0 (AnyConnect VPN pool) to 192.168.1.0/24 (inside LAN) to make this work:
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
    Make sure that you are able to reach the GW/inside IP address of the firewall from a LAN machine.... all routing in place properly..... Thanks!!!
    Regards
    Karthik

  • Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

    Hello,
    We are currently having issues with an ASA 5505 IPsec VPN. It was configured about 7-8 months ago and has been running very well.. up until the last few weeks. For some reason, the VPN tends to randomly disconnect any connected user clients a lot. Furthermore, sometimes it actually connects; however, for some reason it does not put us on the local network and we are unable to browse the file server. We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss, but we are still unable to pinpoint the problem. Sometimes users close out of the VPN client completely, reopen it several times and then it works. However it's never really been consistent enough and hasn't been the last few weeks. No configuration changes have been made to the ASA at all. Furthermore, the Cisco IPsec VPN client version is: 5.0.70
    Directly below is our current running config (modded for public).  Any help or ideas would be greatly appreciated.  Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
    : Saved
    ASA Version 8.4(2)
    hostname domainasa
    domain-name adomain.local
    enable password cTfsR84pqF5Xohw. encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 205.101.1.240 255.255.255.248
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.2.60
    domain-name adomain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network SBS_2011
    host 192.168.2.60
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.192_27
    subnet 192.168.5.192 255.255.255.224
    object network Https_Access
    host 192.168.2.90
    description Spam Hero
    object-group network DM_INLINE_NETWORK_1
    network-object object SPAM1
    network-object object SPAM2
    network-object object SPAM3
    network-object object SPAM4
    network-object object SPAM5
    network-object object SPAM6
    network-object object SPAM7
    network-object object SPAM8
    object-group service RDP tcp
    description Microsoft RDP
    port-object eq 3389
    access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
    access-list outside_access_in extended permit tcp any object SBS_2011 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in remark External RDP Access
    access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
    access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
    ip local pool VPN_Users 192.168.5.194-192.168.5.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.5.192_27 NETWORK_OBJ_192.168.5.192_27 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SBS_2011
    nat (inside,outside) static interface service tcp smtp smtp
    object network Https_Access
    nat (inside,outside) static interface service tcp https https
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.160-192.168.2.199 inside
    dhcpd dns 192.168.2.60 24.29.99.36 interface inside
    dhcpd wins 192.168.2.60 24.29.99.36 interface inside
    dhcpd domain adomain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy domain internal
    group-policy domain attributes
    wins-server value 192.168.2.60
    dns-server value 192.168.2.60
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value adomain.local
    username ben password zWCAaitV3CB.GA87 encrypted privilege 0
    username ben attributes
    vpn-group-policy domain
    username sdomain password FATqd4I1ZoqyQ/MN encrypted
    username sdomain attributes
    vpn-group-policy domain
    username adomain password V5.hvhZU4S8NwGg/ encrypted
    username adomain attributes
    vpn-group-policy domain
    service-type admin
    username jdomain password uODal3Mlensb8d.t encrypted privilege 0
    username jdomain attributes
    vpn-group-policy domain
    service-type admin
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool VPN_Users
    default-group-policy domain
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2466a5b754eebcdb0ceff051bef91d9
    : end
    no asdm history enable
    Thanks again

    Hello Belnet,
    What do the logs show from the ASA?
    Can you post them?
    Any other question..Sure..Just remember to rate all of the community answers.
    Julio

  • Cisco ASA 5505 as VPN client

    Hello all thanks for looking,
    I need to know how to set up my Cisco ASA 5505 as a VPN client to services like HMA or privateinternet and other paid VPN services. If someone else has already written a guide to this then that would be great. What I want to do is route all my secure traffic through the ASA and have it go across the internet as encrypted VPN stuff and have my other stuff that does not need to be encrypted just go through to my other router.
    Thanks in advance,

    If the remote end of the services in question supports IPsec IKEv1 as the VPN type, then yes, the 5505 can be a client for that service. At that point it looks like a regular LAN-to-LAN VPN, which is documented in many Cisco and third-party how-to documents.
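    As an added illustration of what the answer above means by "a regular LAN-to-LAN VPN" (this is not the poster's configuration and not a Cisco document), the fragment below shows the pieces an ASA 8.4+ needs to act as an IKEv1 site-to-site peer. It reuses the names already present in the configuration posted earlier in this thread (the outside interface, the outside_map crypto map, the ESP-AES-256-SHA transform set and the 192.168.2.0/24 inside network); the remote network 10.10.10.0/24, the peer address 203.0.113.10 and the pre-shared key are placeholders that the VPN provider would supply.

```cisco
! Phase 1 (IKEv1) proposal. The posted config already has policy 10 (3DES/SHA/group 2);
! this adds a stronger one at a lower sequence number so it is tried first.
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 proposal; ESP-AES-256-SHA is already defined in the posted config
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
! Local LAN (the inside network from the posted config) and the provider-side
! network. 10.10.10.0/24 and the peer 203.0.113.10 are placeholders.
object network INSIDE_LAN
 subnet 192.168.2.0 255.255.255.0
object network PROVIDER_LAN
 subnet 10.10.10.0 255.255.255.0
!
! Interesting traffic: what the ASA encrypts into the tunnel
access-list outside_cryptomap extended permit ip object INSIDE_LAN object PROVIDER_LAN
!
! NAT exemption so tunnel traffic is not PAT'd by the existing
! "nat (inside,outside) dynamic interface" rule for obj_any
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static PROVIDER_LAN PROVIDER_LAN no-proxy-arp route-lookup
!
! Static crypto map entry; it sits ahead of the existing dynamic entry 65535
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 10 set pfs group2
crypto map outside_map interface outside
!
! The peer is identified by its address; the key is a placeholder
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PROVIDER_PSK
!
! Verification once traffic has been sent through the tunnel
show crypto ikev1 sa
show crypto ipsec sa
```

    For the "route everything" case in the question, the destination in the crypto ACL becomes any and the NAT exemption has to be widened to match it; the split between traffic that goes through the ASA and traffic that goes to the second router happens outside the ASA, as the question describes.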

  • CIsco ASA 5505 and VPN licenses

    Hi,
    Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
    How are those licenses counted? Will I need a license per IPsec SA?
    If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
    Thank you.
    Regards,
    Alex

    Alex,
    In an ASA 5505, it should say something like this...when you do sh ver.
    VPN Peers : 25
    It means that you can have that many peers connecting to the ASA. It's not per IPsec SA.
    It's a per-tunnel license.
    Rate this, if it helps!
    Gilbert

  • How to use ISE for VPN auth

    Hello
    looking for documentation on how to set up ISE to authenticate VPN users. Right now we are using ACS 4.2 to provide dACL and authentication but would like to migrate this feature to ISE. We are using Microsoft AD.
    Any good docs, white papers, field notes, how-to that can address this issue will be appreciated.
    Thanks

    We use the ISE for VPN (connection with OpenLDAP). On the authentication policy you have multiple options. We used the network access - device IP address option. On the Authorization tab we used again the IP address option in combination with an LDAP attribute where there was a definition of the status of the person (student, teacher, admin, ...). On the policy elements tab we made some authorization profiles in results - authorization - authorization profiles. When you make a new profile you can select under Common tasks the ASA VPN attribute. There you can, for example, insert admin.
    So if you have an admin user that wants to login:
    authentication: user found in ldap (or ad)
    authorization:
    -user is coming from asa ip address
    -user attribute is admin
    = user is authorized for the admin class on your asa vpn device.

  • Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

    I have enabled and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have a Cisco ASA 5520 firewall at work; is there something I need to set up on the device? We want to allow users from home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

    Hi,
    Make sure that the required ports are allowed through the device. The users can access through ports 25/443 etc., and these should be opened. Better, go for a test at www.testconnectivity.microsoft.com
    Regards from ExchangeOnline.in | Windows Administrator Area

  • I am trying to use AppleScript to make a quick compose app for iMessage.

    tell application "Messages"
        -- myMsg was not defined in the posted snippet; assumed to hold the message text
        set myMsg to "Hello from my quick compose app"
        -- this is the line that fails with "cannot get the service" while the service name is blank
        set theBuddy to buddy of service " "
        send myMsg to theBuddy
    end tell
    I was wondering, what are the possible services? Because every time I try to run the program it says it cannot get the service. And how can I generalize this service in case I choose to distribute this application, or use it for some other application?

    Easy:
