VPN concentrator and webVPN
Hi,
Trying to setup VPNc 3005 for WebVPN.
The VPNc is configured with NTP server so
the clock is fine. I installed SSL vpn
client and SecureDesktop software onto the VPNc. Create a local account and
group. When I perform https://vpnc/admin.html, I can manage the
VPNc from the external interface so the
certificate is good.
When I do http://vpnc from the same XP Service Pack 2 workstation, it attemped
to install both ssl vpn client and secure desktop onto my winXP, I have admin privilege on the XP machine, then
it tells me that the vpn concentrator
has a server certificate error. I've
attached the screen shot. Anyone know
what it is? Thanks.
If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684
Similar Messages
-
VPN Concentrator authentication with multiple domains
I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access but site A and site B have their own domains that are independant of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A domain using site A's domain controller and authenticate users the belong to site B domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication seperate.
Thanks in advance for any help.To authenticate users that belong to site A domain using site A's domain controller you should authenticate users the belong to site A domain using site A's domain controller
-
ACS with VPN Concentrator : IP address attribution
Hello,
I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator,and if yes : how can I do, what is the procedure ? With the attribute Framed IP Address ? Does it work ?
Thanks !
Patriceyes it can be done at works very well under the radius attributes uses the:
[014] Login-IP-Host
NAS Specifies
User Specifies
Other
Check other and then add the ip address that you want to assigned -
Cisco 3005 vpn concentrator console cable
hi
i have just purchased a cisco 3005 vpn concentrator and i need to know where i can get a console cable for it the cable is different from the ones i have for my pix and routers as the connection at the concentrator end is a db9 and not rj45
ive tried looking on ebay but with no luck
ps
i live in england
regards
melvyn brownMelvyn,
Use a Straight Through Cable to console into the VPN3000.
I hope it helps.
Regards,
Arul -
SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"
Hi,
Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
some relevant config
webvpn
enable wan
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy vpnpolicy1 internal
group-policy vpnpolicy1 attributes
vpn-tunnel-protocol svc
tunnel-group admins type remote-access
tunnel-group admins general-attributes
address-pool sslpool2
default-group-policy vpnpolicy1
username myuser password 1234567890 encrypted privilege 15
username myuser attributes
vpn-group-policy vpnpolicy1
Debug:
asa01# debug webvpn 255
INFO: debug webvpn enabled at level 255.
asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2321]
WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
webvpn_add_auth_handle: auth_handle = 17
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5138]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1485]
WebVPN: user: (myuser) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2938]
webvpn_session.c:http_webvpn_create_session[184]
WebVPN: error creating WebVPN session!
webvpn_remove_auth_handle: auth_handle = 17
webvpn_free_auth_struct: net_handle = CD5734D0
webvpn_allocate_auth_struct: net_handle = CD5734D0
webvpn_free_auth_struct: net_handle = CD5734D0AnyConnect says:
"The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the secure gateway: Host or network is 0"
Other resources indicate that it's either the tunnel group, or the address pool.. The address pool is:
ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
asa01# debug webvpn 255
INFO: debug webvpn enabled at level 255.
asa01# debug http 255
debug http enabled at level 255.
asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2321]
WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
webvpn_add_auth_handle: auth_handle = 22
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5138]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1485]
WebVPN: user: (myuser) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2938]
HTTP: net_handle->standalone_client [0]
webvpn_session.c:http_webvpn_create_session[184]
webvpn_session.c:http_webvpn_find_session[159]
WebVPN session created!
webvpn_session.c:http_webvpn_find_session[159]
webvpn_remove_auth_handle: auth_handle = 22
webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_allocate_auth_struct: net_handle = CE9C3208
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE863DE8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_allocate_auth_struct: net_handle = CE863DE8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE863DE8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_allocate_auth_struct: net_handle = CE863DE8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_allocate_auth_struct: net_handle = CC894AA8
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
Close 1043041832
webvpn_free_auth_struct: net_handle = CC894AA8 -
ASA 8.0 VPN cluster with WEBVPN and Certificates
I'm looking for advice from anyone who has implemented or tested ASA 8.0 in a VPN cluster using WebVPN and the AnyConnect client. I have a stand alone ASA configured with a public certificate for SSL as vpn.xxxx.org, which works fine.
According to the config docs for 8.0, you can use a FQDN redirect for the cluster so that certificates match when a user is sent to another ASA.
Has anyone done this? It looks like each box will need 2 certificates, the first being vpn.xxxx.org and the second being vpn1.xxxx.org or vpn2.xxxx.org depending on whether this is ASA1 or ASA2. I also need DNS forward and reverse entries, which is no problem.
I'm assuming the client gets presented the appropriate certificate based on the http GET.
Has anyone experienced any issues with this? Things to look out for migrating to a cluster? Any issues with replicating the configuration and certificate to a second ASA?
Example: Assuming ASA1 is the current virtual cluster master and is also vpn1.xxxx.org. ASA 2 is vpn2.xxxx.org. A user browses to vpn.xxxx.org and terminates to ASA1, the current virtual master. ASA1 should present the vpn.xxxx.org certificate. ASA1 determines that it has the lowest load and redirects the user to vpn1.xxxx.org to terminate the WebVPN session. The user should now be presented a certificate that matches vpn1.xxxx.org. ASA2 should also have the certificate for vpn.xxxx.org in case it becomes the cluster master during a failure scenario.
Thanks,
MarkThere is a bug associated with this issue: CSCsj38269. Apparently it is fixed in the iterim release 8.0.2.11, but when I upgraded to 8.0.3 this morning the bug is still there.
Here are the details:
Symptom:
========
ASA 8.0 load balancing cluster with WEBVPN.
When connecting using a web browser to the load balancing ip address or FQDN,
the certifcate send to the browser is NOT the certificate from the trustpoint
assigned for the load balancing using the
"ssl trust-point vpnlb-ip" command.
Instead its using the ssl trust-point certificate assigned to the interface.
This will generate a certificate warning on the browser as the URL entered
on the browser does not match the CN (common name) in the certificate.
Other than the warning, there is no functional impact if the end user
continues by accepting to proceed to the warning message.
Condition:
=========
webvpn with load balancing is used
Workaround:
===========
1) downgrade to latest 7.2.2 interim (7.2.2.8 or later)
Warning: configs are not backward compatible.
2) upgrade to 8.0.2 interim (8.0.2.11 or later) -
Ciscoworks and VPN concentrator or PIX
With plain old Ciscoworks LMS is there anything useful that can be done with a PIX or a VPN concentrator as there is no write community string. Can you do anything aside from viewing the box?
Not via SNMP since VPN and PIX boxes by design not allow a SNMP RW string to be configured on them
-
Hello,
We have a Cisco ASA 5520 with the VPN PLus License and 8.04 IOS installed, we want to set up vpn access to our users. We can use the cisco VPN client which works on WIndows Platform, but we also have MAC OS 10.7 which works only with Cisco Anyconnect.
I am a little bit lost with all the client and the license, actually we can't setup more than 2 vpn session with an Anyconnect client installed on MAC or Windows. The authentication is by Certificate, the first two connect fine, but the third one don't connect and prompt for a username / password.
I joined a SH VER of my ASA, if anyome can tell me what is wrong on the license or perhaps it's a configuration problem?
Thanks a lot for the answer.
Mathieu.
fw-eps-02# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.4(1)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
fw-eps-02 up 1 hour 36 mins
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is c84c.75da.9a58, irq 9
1: Ext: GigabitEthernet0/1 : address is c84c.75da.9a59, irq 9
2: Ext: GigabitEthernet0/2 : address is c84c.75da.9a5a, irq 9
3: Ext: GigabitEthernet0/3 : address is c84c.75da.9a5b, irq 9
4: Ext: Management0/0 : address is c84c.75da.9a5c, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1433L0Y3
Running Activation Key: 0x3a17c153 0x8c141630 0xe0f3b5d4 0x86044ccc 0x47193392
Configuration register is 0x40 (will be 0x1 at next reload)
Configuration last modified by mgeffroy at 15:33:11.409 CEST Mon Jan 23 2012
fw-eps-02#why don't you use built-in client in mac osx? it supports certificate authentication also.
another solution would be to buy additional ssl vpn licences: there is a limit of two ssl vpn sessions by default.
Sent from Cisco Technical Support iPad App -
PIX, ASA or VPN concentrator & dynamic VPN
Hi all,
I need help what to use and how to do next.
What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
How to do that dynamically? Is it possible to do that with one certificate?
Other question is what to use? ..PIX, ASA, VPN concentrator ?
BR
jlThe PIX and VPNC are both end of sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preffered platform for Remote Access VPNs.
You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
"every user is member of more than one group "
Some links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
Pls. rate if helpful.
Regards
Farrukh -
IP Address Assignment on VPN Concentrator through AD
Is it possible to assign an IP address on a per-user basis using Active Directory as your authentication method for a group within the 3000 series VPN Concentrator?
I know this can be done with ACS/RADIUS, but I do not see any documentation on how this can be accomplished using Active Directory as your external authentication server.Sorry for the thread title it should be : "reserver" not reverse.
I have been advised to read the "admin guide"
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml
under the heading below
Assign a Specific IP Address to a User
In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > identity.
My question i am using production box (to avoid screw up whole system), does it affect if i want to create a specific group and assign specific ip address to a user
On my PIX (VPN running paralled to the PIX, i.e it is not behind nor inforn of the PIX) what I have got these lines of configurations which are related to the VPN concentrator
nat (inside) 1 10.2.2.0 255.255.255.0 0 0,,,,,,,,ip for VPN pool as seen in figure
nat (inside) 1 172.168.1.0 255.255.255.0 0 0,,,,,,,,,not related to VPN
nat (inside) 1 192.168.0.0 255.255.0.0 0 0,,,,,,,,,not related to VPN
global (outside) 1 10.1.1.150-10.1.1.155
global (outside) 1 10.1.1.156
route inside 10.2.2.0 255.255.255.0 192.168.55.254 1,,,,,,,,,,,,,192.168.55.254, is the VPN Ethernet 1 ip address.
http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg
What I am thinking to do, are below (please any comment) :
1- I want to modify the current group (see my VPN figure ) to be from range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
2- Create another group called : " mobile_users "
3- Create a user called : " commuter "
4- Assign the user " commuter " to the group " mobile_user "
5- Assign ip address 10..2.2.2 to the user " commuter "
6- In the cisco site that I have posted , it syas: tick option for " User address from Authentication Server ",,,,I do not think this will apply to me ?
again since I am using production box, I have to assure that the modification above does not screw up the whole system -
I have a vpn 3015, I want my vpn users to be authenticated and authorized to the vpn 3015 throught my Active directory (LDAP).
For Authentication server, I use Kerberos/Active Ritectory Server and it works when I test it.
but for the Authorization Server, I use LDAP server (the same server as the authentication server), with all the parameters like Login DN, Base DN, naming attributes, but when i test it it doesnt work?????why??
ThanksThe VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html -
We have two 3005 concentrators that need to be replaced.
Is there anything equivilant that will allow for creation of groups, Cisco VPN client, web VPN and is reasonably priced?
What do people generally do for a plug in replacement to the 3005 VPN concentrator?What is generally done about the cost?
At the moment, the PIX firewalls are not EOL.
If I replace the firewalls, just because the 3005 is EOL, will be a large expense correct?
Also, at the moment, the firewall is passing through the traffic to the concentrator in a DMZ.
What is the alternative in the ASA appliance?
And, does the ASA allow for the creation of groups for access like the concnetrator does? -
What's replaced the vpn concentrator?
Greenhorn here, I didn't sit any of this up. We have three remote sites, sister institutions, that we share an app with. We house the app. One site has a vpn concentrator setup, the other two are using a point to point leased line. They have each have a router that connects to a single router. They want to replace the leased lines with a vpn concentrator. Doing the digging I see the concentrators are EOL.
So what's used to replace the concentrator today? What's a solution today to move away from the leased lines? These are all cash poor non-profits. My guess is they'll say look on Ebay for a concentrator if the solution is too pricey.
Thanks JimSorry it took so long but here's the output from sh version.
Location 1
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(16a), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 18-Apr-03 19:25 by xxxxx
Image text-base: 0x8000808C, data-base: 0x80A0EE84
ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
xxxxxxxxx uptime is 41 weeks, 3 days, 20 hours, 54 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.122-16a.bin"
cisco 2621 (MPC860) processor (revision 0x00) with 27648K/5120K bytes of memory.
Processor board ID JAD07070EVT (2982455740)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Location 2
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 14-Feb-03 14:34 by ccai
Image text-base: 0x80008124, data-base: 0x80A94064
ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
xxxxxxxxxxx uptime is 14 weeks, 14 hours, 22 minutes
System returned to ROM by power-on
System image file is "flash:c1700-sy-mz.122-11.T6.bin"
cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
Processor board ID FOC0708028N (496857573), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Location 3
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 14-Feb-03 14:34 by ccai
Image text-base: 0x80008124, data-base: 0x80A94064
ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
Xxxxxxxxx uptime is 13 weeks, 6 days, 5 minutes
System returned to ROM by reload
System image file is "flash:c1700-sy-mz.122-11.T6.bin"
cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
Processor board ID FOC0707142M (1927840357), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Location 4
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 02:36 by alnguyen
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
xxxxxxxxxx uptime is 40 weeks, 5 days, 6 hours, 22 minutes
System returned to ROM by reload at 13:34:01 UTC Thu Dec 27 2012
System image file is "flash:c2800nm-advsecurityk9-mz.124-3g.bin"
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to [email protected].
Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1051A01V
2 FastEthernet interfaces
2 Serial interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102 -
Routing loop when tracing to remote ip address on vpn concentrator
When I try and ping a remote address on my vpn 3000 concentrator I get ttl exceded. When I try and tracert from my workstation to the remote address on my vpn 3000 I see a loop.
Tracing route to x.3.17.145
over a maximum of 30 hops:
1 29 ms 31 ms 28 ms 172.4.0.20
2 32 ms 30 ms 29 ms 172.4.0.25
3 38 ms 29 ms 31 ms 172.3.0.21
4 33 ms 30 ms 32 ms 172.4.0.25
5 32 ms 49 ms 27 ms 172.3.0.21
6 35 ms 30 ms 38 ms 172.4.0.25
7 31 ms 28 ms 28 ms 172.3.0.21
8 28 ms 28 ms 42 ms 172.4.0.25
9 38 ms 27 ms 32 ms 172.3.0.21
10 35 ms 28 ms 36 ms 172.4.0.25
11 35 ms 27 ms 28 ms 172.3.0.21
12 30 ms 28 ms 28 ms 172.4.0.25
13 39 ms 30 ms 43 ms 172.3.0.21
14 48 ms 28 ms 29 ms 172.4.0.25
15 36 ms 28 ms 34 ms 172.3.0.21
16 39 ms 39 ms 56 ms 172.4.0.25
17 42 ms 38 ms 47 ms 172.3.0.21
18 35 ms 39 ms 41 ms 172.4.0.25
19 49 ms 32 ms 29 ms 172.3.0.21
20 32 ms 28 ms 29 ms 172.4.0.25
21 28 ms 43 ms 30 ms 172.3.0.21
22 37 ms 32 ms 34 ms 172.4.0.25
23 29 ms 31 ms 32 ms 172.3.0.21
24 29 ms 33 ms 31 ms 172.4.0.25
25 32 ms 41 ms 43 ms 172.3.0.21
26 43 ms 29 ms 39 ms 172.4.0.25
27 47 ms 33 ms 31 ms 172.3.0.21
28 37 ms 29 ms 35 ms 172.4.0.25
29 44 ms 30 ms 91 ms 172.3.0.21
30 31 ms 41 ms 50 ms 172.4.0.25
172.3.0.21 is my private interface on the vpn 3000.
172.4.0.20 is my public interface on the vpn 3000.
172.4.0.25 is the default gateway / router interface on my router.
interface GigabitEthernet1/1/0.1
description connected to LAN
encapsulation dot1Q 1 native
ip address 10.3.0.25 255.255.255.0
interface GigabitEthernet0/0.4
description vpn 3000 concentratorconnection
encapsulation dot1Q 4
ip address 10.4.0.25 255.255.255.0
172.3.0.21 has a no default gateway on the vpn conentrator.
172.3.0.21 has a default gateway 172.4.0.25 on the vpn concentrator.Hi John
could you clarify where you are pinging from and where you are pinging to please?
From the LAN to a destination across a VPN tunnel?
Or from a source across the VPN tunnel to a host on the concentrator's LAN?
Or from a source across the VPN tunnel to a host on the Internet?
I suppose your last line has a typo, it should be
172.4.0.21 has a default gateway 172.4.0.25 on the vpn concentrator.
right?
Apart from the default gateway are there any other static routes configured on the vpn3k and the router? No dynamic routing protocol?
tnx
Herbert -
3000 series concentrator and L2TP over IPSec
All,
Anyone have any wisdom they are willing to share regarding the establishment of a L2TP over IPSec tunnel between Mac OS X and a 3000 series concentrator? I believe that the concentrator is accepted the IKE SA proposal, but I can't get any further and I'm not able to get any useful information out of the logs on either side of the tunnel. The client side simply reports that "L2TP cannot connect to the server", the concentrator reports "Connection terminated for peer". It has clearly exchanged some valid information because the concentrator has assigned the traffic to the correct group (a non-default group I've set up specially to test this connection).
Looking at the packet dump I can see the two devices exchange some information, then the client starts sending ISAKMP packets (quick mode) that the concentrator seems to ignore.
Thoughts, suggestions, anecdotes etc. are all welcome.Try to adjust SA lifetime and the max connect time in VPN concentrator.
Refer these links:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094eca.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_qanda_item09186a0080094cf4.shtml
Maybe you are looking for
-
How to Track the changes made to the custom table field value
I want to track the changes made to the custom table field value in table maintenance generator.please help me it is very urgent Thanks & Regards, Kranti
-
Error occurred while converting the file "". You do not have the privilege
I have recently bought a new MacBook Pro and it's my first mac ever. I have imported all my songs into itunes from an external hard drive where i would keep all my music and video's. I went ahead and added it to my mac and everything plays and works
-
Why does text not format correctly when pasting into outlook?
I am attaching a Screenshot of an email to better help you understand. Basically, I receive an email from customer. I draft an email to respond and send to my boss to get approval. Once my boss approves, I go back to my original sent email and copy
-
Colour Profiles on exported images causing major problems
I've been exporting keynote slides as png's to use in video presentations. The problem is that the png's are saved with colour profiles, which means if I export the images from diferent macs, or even the same mac but with a different monitor attached
-
CAN'T DRAG MUSIC FROM THE PC TO THE PHONE N958GB
WHAT DO I HAVE TO DO? Solved! Go to Solution.