VPN and Certificates fun

I've been trying to get the iPhone VPN to work with a self-signed cert to no avail. I generated the cert using Windows 2008r2 certificate services, exported the server and root and put into the ICU and my Cisco vpn (using ipsec of course).
In the ICU VPN section, under Identifity Certificate, it doesn't seem to recognize that I have the certs loaded. Please see http://imgur.com/KypuN. The server name and certs match where they should, and I know I'm missing something obvious here, but just can't find the problem.
Any help would be appreciated.

I was able to find the issue. I have tested the Scenario with a Surface RT 8.1. I enrolled the device to SCCM/Intune and get a certficate with NDES. Then I have added a VPN Connection and try to connect. Windows ask for SmartCard. But
the certficate isn't Smartcard. So I added second VPN Connection to a Microsoft VPN and try to connect with same certificate. No question about Smartcard and the connection is established fine. Than I could remind the Options of certficate profiles (TPM or
Software Key Storage). I' ve selected TPM in my initial configuration. I changed it to Software Key Storage and reenroll to Intune to force certficate deployment. After receiving the new certificate I tried again on my Surface and the Juniper VPN Connection
were established. I reenrolled my Windows Phone to Intune and after I received the new certificate I were able to connect my Windows Phone to Juniper VPN too.
So I think the Problem is that the Juniper 3rd Party api is not allowed to access TPM or it is done the wrong way.
I hope this helps.
Kind regards
Denis  
 

Similar Messages

  • AAA and Certificate Based VPN

    We have a pair of 5520 firewalls with a traditional setup of AAA vpn authenication on the backend. We are looking to do some proof of concepts with a certificate based VPN and the Anyconnect client on startup.
    To set this up, I have my existing VPN profile that has AAA authenciation and created a new VPN profile for cerificate based authenication. I also have the ASA setup so the user is allowed to choose which profile they want to connect to.
    However, once I create my cerificate based VPN profile any client that doesn't have a certificate fails to connect because they don't have a valid cerficate without having the option to choose the AAA only profile. If a machine does have a certificate, they then get the option to choose AAA or Cerficate based profile.
    Is there any way to setup the ASA to accept clients without a cerificate to use the AAA authenication while still having the cerficate based profile enabled for doing a proof of concept?
    Thanks

    Hi CrankyMonkey, 
    9.4 image includes new features for SSLTLS that might be impacting your certificate authentication. 
    "Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated"
    As workaround you can try to use the following cipher configuration and check if works.
    ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA" 
    Reference link
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
    Rate if helps.
    -Randy

  • ASA 8.0 VPN cluster with WEBVPN and Certificates

    I'm looking for advice from anyone who has implemented or tested ASA 8.0 in a VPN cluster using WebVPN and the AnyConnect client. I have a stand alone ASA configured with a public certificate for SSL as vpn.xxxx.org, which works fine.
    According to the config docs for 8.0, you can use a FQDN redirect for the cluster so that certificates match when a user is sent to another ASA.
    Has anyone done this? It looks like each box will need 2 certificates, the first being vpn.xxxx.org and the second being vpn1.xxxx.org or vpn2.xxxx.org depending on whether this is ASA1 or ASA2. I also need DNS forward and reverse entries, which is no problem.
    I'm assuming the client gets presented the appropriate certificate based on the http GET.
    Has anyone experienced any issues with this? Things to look out for migrating to a cluster? Any issues with replicating the configuration and certificate to a second ASA?
    Example: Assuming ASA1 is the current virtual cluster master and is also vpn1.xxxx.org. ASA 2 is vpn2.xxxx.org. A user browses to vpn.xxxx.org and terminates to ASA1, the current virtual master. ASA1 should present the vpn.xxxx.org certificate. ASA1 determines that it has the lowest load and redirects the user to vpn1.xxxx.org to terminate the WebVPN session. The user should now be presented a certificate that matches vpn1.xxxx.org. ASA2 should also have the certificate for vpn.xxxx.org in case it becomes the cluster master during a failure scenario.
    Thanks,
    Mark

    There is a bug associated with this issue: CSCsj38269. Apparently it is fixed in the iterim release 8.0.2.11, but when I upgraded to 8.0.3 this morning the bug is still there.
    Here are the details:
    Symptom:
    ========
    ASA 8.0 load balancing cluster with WEBVPN.
    When connecting using a web browser to the load balancing ip address or FQDN,
    the certifcate send to the browser is NOT the certificate from the trustpoint
    assigned for the load balancing using the
    "ssl trust-point vpnlb-ip" command.
    Instead its using the ssl trust-point certificate assigned to the interface.
    This will generate a certificate warning on the browser as the URL entered
    on the browser does not match the CN (common name) in the certificate.
    Other than the warning, there is no functional impact if the end user
    continues by accepting to proceed to the warning message.
    Condition:
    =========
    webvpn with load balancing is used
    Workaround:
    ===========
    1) downgrade to latest 7.2.2 interim (7.2.2.8 or later)
    Warning: configs are not backward compatible.
    2) upgrade to 8.0.2 interim (8.0.2.11 or later)

  • Cisco 1841 SSL VPN and Anyconnect Help

    I am pretty new to Cisco programming and am trying to get an SSL VPN set up  for remote access using a web browser and using Anyconnect version 3.1.04509. If I try to  connect via a web browser I get an error telling me the security  certificate is not secure. If I try to connect via Anyconnect I get an  error saying "Untrusted VPN Server Blocked." If I change the Anyconnect  settings to allow connections to untrusted servers, I get two errors  that say"Certificate does not match the server name" and "Certificate is  malformed." Below is the running config in the router at this time.  There is another Site-to-Site VPN tunnel that is up and working properly  on this device. Any help would be greatly appreciated. Thanks
    Current configuration : 7741 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname buchanan1841
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no logging buffered
    enable secret 5 XXXXXXX
    enable password XXXX
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    crypto pki trustpoint buchanan_Certificate
    enrollment selfsigned
    revocation-check crl
    rsakeypair buchanan_rsakey_pairname
    crypto pki certificate chain buchanan_Certificate
    certificate self-signed 01
      30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
      170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
      311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
      0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
      AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
      79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
      0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
      68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
      97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
      DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
      4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
      3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
            quit
    dot11 syslog
    ip source-route
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username buchanan privilege 15 password 0 XXXXX
    username cybera password 0 cybera
    username skapple privilege 15 secret 5 XXXXXXXXXX
    username buckys secret 5 XXXXXXXXXXX
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key p2uprEswaspus address XXXXXX
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set cybera esp-3des esp-md5-hmac
    crypto ipsec profile cybera
    set transform-set cybera
    archive
    log config
      hidekeys
    ip ssh version 1
    interface Tunnel0
    description Cybera WAN - IPSEC Tunnel
    ip address x.x.x.x 255.255.255.252
    ip virtual-reassembly
    tunnel source x.x.x.x
    tunnel destination x.x.x.x
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile cybera
    interface FastEthernet0/0
    description LAN Connection
    ip address 192.168.1.254 255.255.255.0
    ip helper-address 192.168.1.2
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1
    description WAN Connection
    ip address x.x.x.x 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface ATM0/0/0
    no ip address
    shutdown
    atm restart timer 300
    no atm ilmi-keepalive
    interface Virtual-Template2
    ip unnumbered FastEthernet0/0
    ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
    ip local pool LAN_POOL 192.168.1.50 192.168.1.99
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    ip route 4.71.21.0 255.255.255.224 x.x.x.x
    ip route 10.4.0.0 255.255.0.0 x.x.x.x
    ip route 10.5.0.0 255.255.0.0 x.x.x.x
    ip route x.x.x.x 255.255.240.0 x.x.x.x
    ip route x.x.x.x 255.255.255.255 x.x.x.x
    ip route x.x.x.x 255.255.255.255 x.x.x.x
    ip http server
    no ip http secure-server
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
    ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
    access-list 1 permit 192.168.1.0 0.0.0.255
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    password xxxxx
    transport input telnet ssh
    scheduler allocate 20000 1000
    webvpn gateway gateway_1
    ip address x.x.x.x port 443
    http-redirect port 80
    ssl trustpoint buchanan_Certificate
    inservice
    webvpn install svc flash:/webvpn/anyconnect-w
    in-3.1.04059-k9.pkg sequence 1
    webvpn context employees
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "LAN_POOL"
       svc default-domain "buchanan.local"
       svc keep-client-installed
       svc dns-server primary 192.168.1.2
       svc wins-server primary 192.168.1.2
    virtual-template 2
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_2
    gateway gateway_1
    max-users 10
    inservice
    endbuchanan1841#

    Perhaps you have changed the host-/domainname after the certificate was created?
    I'd generate a new one ...
    Michael
    Please rate all helpful posts

  • VPN and Remote Desktop Connection

    I have a standalone windows 2012 server that runs a domain with a few workstations. I have successfully configured a PPTP VPN and can connect using a Windows 7 computer at home. Once connected to the VPN, I can Remote Desktop to the server - but not any
    other computers. The computer I'm trying to connect to runs Windows 7 and has remote desktop connections enabled.
    Under the Access Details in the Remote Access Management the VPN connection is shown correctly first to the router (x.x.x.1) then the server (x.x.x.2) under Protocol 17 and Port 53. Then the server is shown again under Protocol 17 and Port 3389, which must
    be the Remote Desktop connection. And then the workstation on the domain (x.x.x.20) also shows a connection with Protocol 17 and Port 3389. However, the remote desktop connection fails everytime. I'm not sure where the issue exists since it appears the server
    is seeing and acknowledging the remote desktop connection. On my router I have PPTP passthrough enabled and port forward 3389 to the server.
    I have attempted to use the workstations internal IP address as well as the computer name (workstation and workstation.domain.local) when connecting.
    Thanks for your help.
    I just noticed these three event errors on the destination remote machine. Not sure why it's trying to use L2TP?
    Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls
    will be accepted to this port.
    A certificate could not be found. Connections that use the L2TP protocol over IPsec  require the installation of a machine certificate, also known as a computer  certificate. No L2TP calls will be accepted.
    The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to
    retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.

    Morning Trent,
    I don't know if this is still an issue for you, did you get it solved?
    If not, check on the server whether the user credentials that you're using to RDP to the workstation are actually authorised server-side. If that checks out, on the VPN connection you can specify a protocol to use. Specify the protocol that your VPN is configured
    to use on the server.

  • Untrusted VPN Server Certificate

    We just upgraded our AnyConnect to Ver 3.1.01065 and we are using a self signed cert with it. We haven't had any issues with the before but now when ever a customer logs on to the VPN using AnyConnect we get " Security warning: Untrusted VPN Server Certificate!" and it says that AnyConnect cannot verify the VPN server.
    Then i can connect anyways or cancel.
    Because this is my server and i trust the cert i am fine just clicking Connect anyways. My customers freak out a bit when they see this, I know this has to be a simple fix but i can't figure out how to get my local boxes to trust the cert. Has anyone run in to this with Ver 3.1.01065 and how did you fix it?
    Thanks,
    Jeremy

    Cisco is really trying to make people stop using self-signed certificates with AC 3.1. You have to either use a trusted root CA (either private or public) or turn off the certificate checking altogether.

  • Security warning for any connect VPN " Untrusted VPN server Certificate"

    Is there any way to disable this security warning  ( " Untrusted VPN server Certificate") with self sign certificate on the ASA 

    Hi Anton,
    Please have a look at the link below:
    http://docs.acl.com/ex/300/index.jsp?topic=%2Fcom.acl.ax.exception.installguide%2Fexception%2Finstallation%2Ft_installing_the_self-signed_certificate.html
    This is for IE. You should get steps for FF and CHROME out there easily as well.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Problem SSO between VPN and NAC

    Hello
    Description of our problem : SSO doesn't work
    -on the first connexion from vpn client we insert two time the login and password :one time for the client vpn and the seconde time for CAA (clean Access agent).
    -although for the other connexion that succeed, we insert only one time the login and password (for vpn only) and for CAA the connexion is done automatiquely and a some hours later we reinsert two times login and password for vpn and CAA.
    The following steps are done to configure Cisco NAC Appliance to work with a VPN concentrator:
    Step 1 Add Default Login Page =ok
    Step 2 Configure User Roles and Clean Access Requirements for your VPN users =ok
    Step 3 Enable L3 Support on the CAS = ok
    Step 4 Verify Discovery Host =ok (CAS IP ADDRESS 192.168.2.11)
    Step 5 Add VPN Concentrator to Clean Access Server =ok (ASA IP ADDRESS 192.168.2.1)
    Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator =ok
    Step 7 Add Accounting Servers to the CAS (accounting server is CAM IP ADDRESS 192.168.20.10)
    Step 8 Map VPN Concentrator(s) to Accounting Server(s)=ok
    Step 9 Add VPN Concentrator as a Floating Device =ok
    Step 10 Configure Single Sign-On (SSO) on the CAS/CAM =ok
    the database for vpn authentication is cisco secure acs(192.168.1.30).
    Tanks to any anybody to give us a possible solution.
    FILALI Saad
    Ares Maroc

    Hi
    I have just gone the the same issues with SSO VPN with my CAS in real-ip mode.
    First thing to consider, when your testing, every time you test a user, make sure you go into the CAS or CAM and remove them as a certified device or active user before you perform your next test. I found that while I was testing that it would sometimes cache the user and I was getting successful auth attempts but due to their device being already accepted on a previous connection because the CAS was not made aware that the user had logged out correctly.
    1. Make sure you have a fully functional DNS system on the inside network, I didnt realize how important it was to have forward and reverse look ups for your CAS and CAM. Make sure that all CAS and cams are listed in dns with correct domain names.
    This in very important if your running your own CA certificates on cas and cam. Make sure that the CAM and CAS can resolve each other via dns. Make sure the CAM and CAS can perform reverse lookups of each other. Also make sure that when the user VPN's into your ASA that they can also perform DNS lookups and reverse lookups. If they cant perform dns look ups, you may need to temporarily allow the untrusted network full access while you resolve the DNS lookup problem on the client computer. One of the issues I had was that the VPN clients couldnt resolve internal DNS names and so the CCA agent would never auto pop-up and start the auto login process because it was trying to resolve the CAM name and also check that the CA certificate I had on the CAS was legitimate as I had used names in my certs and not IP addresses.
    2. Make sure your VPN group settings on the IPSEC policy of the ASA has DNS pointing to your internal DNS server.
    3. I know you already said you have done this but check to make sure that the VPN group setup on your ASA for your remote access users, has been setup with the radius accounting being directed the INSIDE interface IP address of your CAS, (if you are running your CAS in real-ip, I found that the inside interface was the only interface listening on 1813, do a 'netstat -an' on the cas to check) if your running in VGW mode then you only have 1 ip address to direct it to anyway.
    Follow from step 15 in following link
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    3. Troubleshoot and make sure that the ASA actually sends a radius accounting message to the CAS. I did this by ssh into the CAS and doing a 'tcpdump -i any src and not tcp 22'. I then logged into the VPN client and made sure that once I entered my vpn user and pass, that the ASA authenticates the vpn user and then passes a radius accounting message to the CAS informing the CAS it has allowed a new user. If you dont see this radius accounting message hit the CAS interface go back to my step 3 and resolve.
    4. Finally check that you have not mistyped a shared secret somwhere, ie between CAM and ACS, Between ASA and ACS, Between ASA and CAS. I had all my users authenticate though radius on my ACS server, a number of times I got caught out by a simple typo in a shared secret.
    Try these things first.
    Also someone else here on the forums linked this guide to me that also helped me setup my CAS correctly.
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
    You may find it useful too.
    Dale

  • WebVPN and certificates**nevermind!**

    Does anyone have any experience with certs? I bought and installed a cert for the WebVPN product and I am still getting the ...do you really trust this? you don't know who is sending you this cert message...any links/comments would surely help me out. Thanks
    I had to many certs configured on my vpn box, I deleted any self generated certs and left the one I bought and this solved the problem!

    The ASA/PIX is not able to validate WebVPN/SSL VPN Client certificates using OCSP as the certificate revocation list (CRL) method. This is a new feature.

  • IpSec VPN and NAT don't work togheter on HP MSR 20 20

    Hi People,
    I'm getting several issues, let me explain:
    I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and i can reache the network thru the VPN Ipsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
    I'm missing something but i don't know what it is !!!!, See below the configuration.
    Can anyone help me qith that, I need to send te traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
    Note: I just have only One public Ip address.
    version 5.20, Release 2207P41, Standard
    sysname HP
    nat address-group 1 186.177.159.93 186.177.159.93
    domain default enable system
    dns proxy enable
    telnet server enable
    dar p2p signature-file cfa0:/p2p_default.mtd
    port-security enable
    acl number 2001
    rule 0 permit source 192.168.100.0 0.0.0.255
    rule 5 deny
    acl number 3000
    rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
    vlan 1
    domain system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    ike proposal 1
    encryption-algorithm 3des-cbc
    dh group2
    ike proposal 10
    encryption-algorithm 3des-cbc
    dh group2
    ike peer vpn-test
    proposal 1
    pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
    remote-address <Public Ip from VPN Peer>
    local-address 186.177.159.93
    nat traversal
    ipsec proposal vpn-test
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des
    ipsec policy vpntest 30 isakmp
    connection-name vpntest.30
    security acl 3000
    pfs dh-group2
    ike-peer vpn-test
    proposal vpn-test
    dhcp server ip-pool vlan1 extended
    network mask 255.255.255.0
    user-group system
    group-attribute allow-guest
    local-user admin
    password cipher .]@USE=B,53Q=^Q`MAF4<1!!
    authorization-attribute level 3
    service-type telnet
    service-type web
    cwmp
    undo cwmp enable
    interface Aux0
    async mode flow
    link-protocol ppp
    interface Cellular0/0
    async mode protocol
    link-protocol ppp
    interface Ethernet0/0
    port link-mode route
    nat outbound 2001 address-group 1
    nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
    ip address dhcp-alloc
    ipsec policy vpntest
    interface Ethernet0/1
    port link-mode route
    ip address 192.168.100.1 255.255.255.0
    interface NULL0
    interface Vlan-interface1
    undo dhcp select server global-pool
    dhcp server apply ip-pool vlan1

    ewaller wrote:
    What is under the switches tab?
    Oh -- By the way, that picture is over the size limit defined in the forum rules in tems of pixels, but the file size is okay.  I'll let it slide.  Watch the bumping as well.
    If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original)  back here, and you are golden.
    I had a bear of a time getting the microphone working on my HP DV4, but it does work.  I'll look at the set up when I get home tonight [USA-PDT].
    Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
    So here is what it is under the switches tab

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • Works windows mobile with SSL VPN and anyconnect

    Hello,
    do anyone know if the following OS works with ASA 8.x SSL VPN client ,SSL clientless VPN and anyconnect client and Secure Desktop :
    windows mobile 5.0 Premium phone edition
    windows mobile 6.0
    windows embedded CE,Net
    windows mobile 2003
    Thank you for your help
    Michael

    [url=http://fztodds.24fast.info/washington225.html] washington [/url]
    [url=http://fztodds.24fast.info/washington16e.html] washington [/url]
    [url=http://fztodds.24fast.info/washingtond66.html] washington [/url]
    [url=http://fztodds.24fast.info/washington4e0.html] washington [/url]
    [url=http://fztodds.24fast.info/washington00b.html] washington [/url]
    [url=http://fztodds.24fast.info/washington1e7.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington0a8.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington9de.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washingtone4a.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington4ec.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington184.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washingtonb73.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington853.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington1a5.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washingtonde7.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington2b8.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington902.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washingtonc99.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washingtoncc7.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington598.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtonbe2.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtone9b.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washington4e0.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washington327.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtonada.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtond2b.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washington317.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington7cb.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washingtoneaf.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington259.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington8e0.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washingtonc03.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington092.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington79c.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington766.html] washington [/url]
    [url=http://aeaukol.rack111.com/washingtona2e.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington4c4.html] washington [/url]
    [url=http://aeaukol.rack111.com/washingtonb9f.html] washington [/url]
    [url=http://aeaukol.rack111.com/washingtond3a.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington54a.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington777.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington300.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington239.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington7b4.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washingtonad5.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washingtone03.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington399.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington9e9.html] washington [/url]
    [url=http://ggaubio.hostevo.com/washington878.html] washington [/url]
    [url=http://ggaubio.hostevo.com/washington525.html] washington [/url]

  • Clientless SSL VPN and ActiveX question

    Hey All,
    First post for me here, so be gentle.  I'll try to be as detailed as possible.
    With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
    First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
    Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
    I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
      match ip inside any outside any
        NAT exempt
        translate_hits = 8915, untranslate_hits = 6574
    access-list nonat extended permit ip any any log notifications
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list outside_in extended permit icmp any any log notifications
    access-list outside_in extended permit tcp any any log notifications
    pager lines 24
    logging enable
    logging asdm informational
    logging ftp-server 192.168.16.34 / syslog *****
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.16.32 255.255.255.224
    nat (inside) 1 192.168.17.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    192.168.2.0 is my corp network range
    192.168.2.171 is my internal IP for corp ASA5510
    97.x.x.x is the external interface for my corp ASA5510
    192.168.16.34 is the internal interface for the remote ASA5505
    64.x.x.x is the external interface for the remote ASA5505
    192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
    As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out   Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
    I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
    Thanks much for any and all ideas!

    Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

  • Access to VPN and Skype from behind work's firewall

    I'm running a Powerbook G4 with OS 10.4.11. At work I have a very fast ethernet connection perfect for internet and Work (Exchange) email, however I can't seem to access my Uni email account, VPN or several other services, notably Skype or iChat (as I work away from my kids during the week this is vitally important). I can ping the server for the VPN and both sets of IT boffins assure me that all appropriate ports are open. I can access the VPN through PCs and I am at the moment broadcasting the internet through my Airport to a PC based laptop which is running Skype quite happily. I can go to a local pub/coffee shop and access all of the services through a WiFi/Airport Network, and I have access to all these services when I'm at home (again through WiFi). What am I doing wrong? Any help would be greatly appreciated
    D

    Hi,
    yes, the spilt into three subnets did help. I now can see the routers also from the LAN which solves Problem A)
    Regarding the access from WAN1 to WAN2 the background is a long story about different flatrates from Provider A and B. To keep it short: DSL is stable but very slow during some hours of the day and attached to WAN2, LTE (4G) is fast but not stable (at least 2-3 hickups per day). Therefore I need the RV042 to keep the LAN clients always online as I need it for my job. The telephone is another issue. The fritzboxes do allow VOIP over their own Internet connection but also using another Fritzbox is possible. I have my telephones connected to the DSL Box (WAN2 = 192.168.179 now) and I have a flatrate for calls to cell phones with my 4G provider (WAN1 = 192.168.178 now). As the 4G keeps failing from time to time it is very annoying when it happens during a telco (and we all know Murphys law). So the ideas is to have the telphones attached to the stable (WAN2) DSL Box and reroute it for calls to cell phones via WAN1 ( which is a feature of the boxes and worked perfectly). If the 4G fails the DSL Box uses its own Internet connection to make the call (but then I have to pay for it).
    So I need access from WAN2 (192.168.179) to WAN1 (192.168.178). I tried a static route in the WAN2 Box but it didn't work (I've used the RV042 WAN interface IP: 192.168.179.100 as Gateway).
    Kind regards
    Klaus

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am student of MSc Network Security and as for my project which is " Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing " I have heard a lot of buzz about VPLS as becoming NGN, I wanted to exppore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3, with respect to the MPLS L3 VPN lab setup that is not a problem but I am stuck at the VPLS part how to setup that ? I have searched but unable to find any cost effective mean, even it is not possible in the university lab as we dont have 7600 series
    I would appreciate any support, guidence, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address to different needs, L3 VPN as opposed as L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE impose 2 labels (at least)
    Core Ps swap top most MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo

Maybe you are looking for

  • Looking for Answers:  Bootcamp, WinXP, SATA drive speed

    Hey - I'm wondering if someone can pass along some info. I've yet to upgrade to 10.5 I'm running a 2.66 4-core MacPro under 10.4.11. I am still running the Bootcamp Beta and my original sp2 install of WinXpPro. And my SATA drives are dog-dead-slow! I

  • How to update bookmarks when merging two PDF files?

    We have a company catalog that gets generated once a night.  It's three step process:      Step 1)  A raw XML file gets generated from our main ERP software (Microsoft Dynamics).      Step 2)  Then that raw XML file is ran against a stylesheet with X

  • Can't import my mp3 file on my computer at work

    can't import my mp3 file on my computer at work but the same format will successfully import on my computer at home.  Only difference is that work runs win 7 32 bit and home win7 64 bit. can anyone help on this regards, Aron

  • Invoking ALBPM (Oracle BPM) using Webservice calls

    Hi, I am trying to invoke Oracle BPM processes using webservice dynamically using events. I am presently not able to find any samples in this regard. Could somebody help me figure out a way to invoke Oracle BPM process dynamically using events ? I wo

  • Jcontrol process dies with exit code 66

    Hi After rebooting the Server the JControl process is not getting up. I am getting the following error in the developer trace. Could anybody help me out with this. Worker nodes -> [00] ID3535900            : D:\usr\sap\NGP\JC00\j2ee\cluster\instance.