VPN filter per remote access user (via ACS)?

Hello everyone,
I'm deploying IPSec Remote Access VPN for my company. I have Cisco ASA 5540 (8.0.4) and Cisco Secure ACS. I have successfully configured the system with authentication by ACS.
The question is, I want to apply filter policy for per user. I know that there's a method called vpn-filter. If I use local authentication, I can apply ACL to user attribute.
eg.
access−list 103 extended permit tcp 10.1.49.2 255.255.255.0 host 10.1.1.10 eq 3389
username testvpn attributes
vpn−filter value 103
But users are configured on ACS, so how can I apply vpn-filter policy to the user? I dont really want to apply vpn-filter to group-policy.
Please help me to find a method. Thank you very much.
Regards,
Hiep Nguyen.

Hi,
I think this is what you are looking for
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml
You will need to setup the IETF like this
filter-id=acl_name
There is a good example right there (better than mine) let me know how it goes.
Mike

Similar Messages

Cisco ASA disable command line interface (CLI) vor VPN Remote Access users

Hi,
I have local database for a couple of VPN Remote Access users on our Cisco ASA 5510 firewall. When adding users i asigned them the privilege leve 0. Is it possible to completly disable CLI for theses users as they will only be using VPN Remote Access and do not need to access the appliance cli.
Thanks in advance.
Kind Regards,
Marco

Hi,
We will need to use the vpn-filter or the ssh command to block ssh from the vpn pool.
Regards,
Vivek

Authenticate windows users via ACS

Hi,
Expert insight required for Cisco ACS, Is it possible to authentication windows user via ACS & apply ACL policies over network devices.
I would appreciate valued inputs.
Regards,

Yes, it's possible to authenticate windows users via ACS and push DACL via radius.
Seems you are looking for DACL. Here is a document that can help you to understand the same
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
Let me know if you need any further help.
Jatin Katyal
- Do rate helpful posts -

VPN client unable to access Internert via split tunneling.

I have split tunneling configured on a PIX 515. The remote VPN client connects to the PIX fine and can ping hosts on the internal LAN, but cannot access the Internet. Am I missing something? My config as per below.
Also, I don't see any secured routes on the VPN client via Statistics (screen shot below)
Any advice is much appreciated.
Rob
PIX Version 8.0(3)
hostname PIX-A-250
enable password xxxxx encrypted
names
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.250 255.255.255.240
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
passwd xxxxx encrypted
ftp mode passive
dns domain-lookup outside
dns server-group Ext_DNS
name-server 194.72.6.57
name-server 194.73.82.242
object-group network LOCAL_LAN
network-object 192.168.9.0 255.255.255.0
network-object 192.168.88.0 255.255.255.0
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
port-object eq telnet
object-group network WAN_Network
network-object 192.168.200.0 255.255.255.0
access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log
access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log
access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log
access-list ACLIN extended permit icmp any any echo-reply log
access-list ACLIN extended permit icmp any any unreachable log
access-list ACLIN extended permit icmp any any time-exceeded log
access-list split_tunnel_list remark Local LAN
access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0
access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
ip local pool testvpn 192.168.100.1-192.168.100.99
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACLIN in interface outside
access-group ACLOUT in interface inside
route outside 0.0.0.0 0.0.0.0 195.171.252.45 1
route inside 192.168.88.0 255.255.255.0 192.168.88.254 1
route inside 192.168.199.0 255.255.255.0 192.168.199.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set Set_1
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy testvpn internal
group-policy testvpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
username testuser password xxxxxx encrypted
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
address-pool testvpn
default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e
: end
PIX-A-250#

Hello Jennifer,
I can ping the 192.168.88.0/24 (host 88.3) from my PIX fine. The 88 subnet hangs off a 2950 switch. This is my diagram.
My configs are as follows. Please note I have left out the suggested lines of config from above as they had no effect.
Very much appreciate your time and effort with my issue.
Many thanks,
Rob
PIX A
PIX Version 8.0(3)
hostname PIX-A-250
enable password NBhgOL6eDYkO4RHk encrypted
names
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.250 255.255.255.240
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
passwd k85be8tPM1XyMs encrypted
ftp mode passive
dns domain-lookup outside
dns server-group Ext_DNS
name-server 194.72.6.57
name-server 194.73.82.242
object-group network LOCAL_LAN
network-object 192.168.9.0 255.255.255.0
network-object 192.168.88.0 255.255.255.0
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
port-object eq telnet
object-group network WAN_Network
network-object 192.168.200.0 255.255.255.0
access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log
access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log
access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log
access-list ACLIN extended permit icmp any any echo-reply log
access-list ACLIN extended permit icmp any any unreachable log
access-list ACLIN extended permit icmp any any time-exceeded log
access-list split_tunnel_list remark Local LAN
access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.200.0 255.255.255.0
access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
ip local pool testvpn 192.168.100.1-192.168.100.99
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACLIN in interface outside
access-group ACLOUT in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.252.45 1
route inside 192.168.88.0 255.255.255.0 192.168.88.254 1
route inside 192.168.199.0 255.255.255.0 192.168.199.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set Set_1
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy testvpn internal
group-policy testvpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
username robbie password mbztSskhuas90P encrypted
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
address-pool testvpn
default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e
: end
3560_GW Gateway
test_gw01#sh run
Building configuration...
Current configuration : 2221 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname test_gw01
enable secret 5 $1$cOB4$UDjkhs&$FjQBe8/rc30
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface GigabitEthernet0/1
interface GigabitEthernet0/2
description uplink to Cisco_PIX
switchport access vlan 9
interface GigabitEthernet0/3
interface GigabitEthernet0/4
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface GigabitEthernet0/8
interface GigabitEthernet0/9
interface GigabitEthernet0/10
interface GigabitEthernet0/11
interface GigabitEthernet0/12
interface GigabitEthernet0/13
interface GigabitEthernet0/14
interface GigabitEthernet0/15
interface GigabitEthernet0/16
interface GigabitEthernet0/17
interface GigabitEthernet0/18
interface GigabitEthernet0/19
interface GigabitEthernet0/20
interface GigabitEthernet0/21
interface GigabitEthernet0/22
interface GigabitEthernet0/23
switchport access vlan 88
switchport mode access
spanning-tree portfast
interface GigabitEthernet0/24
switchport access vlan 9
switchport mode access
spanning-tree portfast
interface GigabitEthernet0/25
description trunk to 2950_SW_A port 1
switchport trunk encapsulation dot1q
interface GigabitEthernet0/26
interface GigabitEthernet0/27
description trunk to A_2950_112 port 1
switchport trunk encapsulation dot1q
shutdown
interface GigabitEthernet0/28
interface Vlan1
no ip address
shutdown
interface Vlan9
ip address 192.168.9.2 255.255.255.0
interface Vlan88
ip address 192.168.88.254 255.255.255.0
interface Vlan199
ip address 192.168.199.254 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.9.1
ip route 192.168.88.0 255.255.255.0 192.168.9.1
ip route 192.168.100.0 255.255.255.0 192.168.9.1
ip route 192.168.200.0 255.255.255.0 192.168.9.1
ip http server
control-plane
banner motd ^C This is a private network.^C
line con 0
line vty 0 4
login
line vty 5 15
login
end

Vpn site to site and remote access , access lists

Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

NAT for remote access VPN clients

Hello,
I have a simple remote access VPN setup on a 2811 router. The remote subnet of the clients connecting have access to the local LAN subnet, but I am wondering if it is possible to somehow NAT those remote access users, so that they can go beyond the local LAN, and through the VPN routers outside connection, giving them access to other resources.
The remote subnet would need to be added to the NAT overload pool that the local LAN is on somehow, but since no interface is created, I am unsure where I would need to put "ip nat inside" if it even needs to be done, or if I am just missing something.
I guess really what I want to do is tunnel all traffic, and have that remote client IP translate to the NAT pool on the router for internet access.
Thanks.

Have a look here for solution
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
Regards

Remote access vpn clients, access to Internet resources

Hello, we currently have a remote access vpn set up terminating on an ASA 5520. Remote access users connect into this ASA and are able to access resources inside of the firewall- the public IP of the ASA is 1.1.1.135. We need these users to be able to access resources natted behind another ASA firewall on the same public IP segment, at IP address 1.1.1.165.
I have gotten to the point where I believe I have all of my Nat/global statements in place, along with my ACLs on both firewalls, but I am not able to make the connection to the server behind the second ASA.
running packet tracer on the second ASA (hosting the 1.1.1.165 server) shows that the packet will be allowed. RUnning packet tracer on the Remote access VPN ASA is showing that the packet is dropped due to :
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
To me, this should be a simple setup, very similar to a company that tunnels all traffic (including Internet traffic) for remote access VPN users. It just doesn't seem like my traffic is getting to the second ASA wioth the remote host.
Anyone have any ideas?

I figured out the answer- I had to add a nat statement form my VPN user subnet to be natted to the outside global IP:
nat (outside) 1 10.2.2.0 255.255.255.0 (this is my vpn subnet)
global (outside) 1 interface

Remote Access....im confused !

Hi All,
im trying to set up remote acces (i.e i wou like to be able to connect via my home ADSL, to a remote site that we have a 851 router.
I have checked many scenarios and seen many configurations but they were not very helpful..so i would like to start fresh from teh beginning.
What technologies should i be reading about.
i have come accross VPDN, cisco easy VPN etc.
Can someone point me to the correct direction, and some sample configurations if possible ,
Thank you,
George

Hi Stephen,
thanks for the reply.
I managed to configure the router using cli (Easy vpn) but i still need to spend some time to make sure i understand all the commands fully.
One question that i want to ask (i asked this in another topic and not got an answer) is the difference in implementation of a remote access user . i mean i have seen it being configured using VPDN and cisco easy vpn !!! which one is the prefered way to go.
on more thing.
i managed to configure the router and i can connect to it using cisco VPN client but windows VPN connection will not connect. any ideas on this?
Also, please can someone tell me the commands (and give brief explanation) that i need to configure so that i can use some usernames-passwords for remote access-VPN (i want these names to be able to connect to Easy VPN but not login on router.)
i include my current configuration.
Thanks,
George

One username for two tunnel in IPSec remote access vpn + ACS for authentication

Hi all,
I want to set up a username which can be used for two different IPSec tunnel (i.e. username USER1 can be used in tunnel TUN1 and TUN2). Can anyone help me how to do this? My current configuration is that I tied the username to tunnel group using group-lock (RADIUS property) so a username can only be used for a particular remote access vpn tunnel (USER1 can only be used for TUN1). I have already tried to enable multiple entry for group lock in ACS (by manipulating the dictionaru setting in ACS), but it seems that authentication still takes the first group and can not take the second group.

You'd have to create a new AAA server group pointing to servers in the new domain for authentication.
Then make a new connection profile that uses that AAA server group.
Your users would have to choose the connection profile (absent some more advanced tricks like issuing them user certificates that can be checked for attributes which map to one profile or another).
This could also be done with ISE 1.3 which can act as the RADIUS server and join to multiple AD domains on the backend as identity stores. (or even with ISE 1.2 if you use one of the AD directories as an LDAP store vs. native AD).

Help For Remote Access Via VPN

Need Help
what cisco product or router specification or model can we use for VPN connection in our remote site via Internet Connection
thanks Godbless

There are several options here, but more information is probably needed to give a good recommendation.
1. What type of VPN? A site to site VPN that stays up, or remote VPN that is more on demand?
2. What type of Internet access to have at your remote site?
3. Are you going to also use this as a gateway to the Internet or will this device sit to the side or behind your gateway?
My first inclination is that if you just need occasional remote access to your remote site for support issues check out the ASA 5505. Depending on where you will place it and what amount of user traffic will flow through it, you may be able to get by with just a base license and use IPSec remote VPN.
If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

Help with Remote access VPN on Cisco router 3925 via Dialer Interface

Hi Everybody,
I need help for my work now, I appreciate if someone can fix my problem.I have a Cisco router 3925 and access Internet via PPPoE link. I want config VPN Remote Access and using software Cisco VPN client. But it doesn't work.. Here my config router :
HUNRE#show running-config
Building configuration...
Current configuration : 5515 bytes
! No configuration change since last restart
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname HUNRE
boot-start-marker
boot-end-marker
enable secret 5 $1$vEFw$rLfvLglzUgddCVwXDx03K.
enable password cisco
aaa new-model
aaa session-id common
crypto pki trustpoint TP-self-signed-1050416327
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1050416327
revocation-check none
rsakeypair TP-self-signed-1050416327
crypto pki certificate chain TP-self-signed-1050416327
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303530 34313633 3237301E 170D3134 30393235 31313534
31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30353034
31363332 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CC79 74FCFABE 81183B70 5A9F4A53 EB609754 7D5F8587 9150B76E 3207A86E
5B65F9E9 6CDAC21A 6D69221D 1FF61632 14763308 43B2A1CC 8EE5ABAC EF07530E
3F0D35FE F08C955B 60B52B92 F8F54D53 DD6DD623 01F83493 02F9C49A F0C3483D
3B48A008 8D96700E 88924BFE DE00201B DE5965DE 32898CAD 9012AB55 76B6F39B
2D470203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14C3418C BC35F3D9 B26B2475 2BB5F826 060525AB B3301D06
03551D0E 04160414 C3418CBC 35F3D9B2 6B24752B B5F82606 0525ABB3 300D0609
2A864886 F70D0101 05050003 81810070 AC7C26C6 4606A551 1A3FD6C5 2A5AEAE8
35DAC86E F8885E26 51F6EEAE 7565D3AA D532C8F3 55F6656F D103F38C 8FBDE7F1
83E77143 76469040 7FEA41E8 14963DB3 F7F28EA0 C5F2F42C B186B75C AAB04900
15F9CB38 A16964F5 4E7B4378 35041AA8 AE8EC181 D58D6A62 676E286A 7B9D80E6
35A0B9FB FB76E976 3D2A19D7 006078
        quit
ip name-server 210.245.1.253
ip name-server 210.245.1.254
ip cef
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
vpdn-group 2
license udi pid C3900-SPE100/K9 sn FOC1823839B
license boot module c3900 technology-package securityk9
username cisco privilege 15 secret 5 $1$aAjB$D3iLyPFTE7O1bHPnKSJcH0
username kdhong privilege 15 secret 5 $1$nfyX$FO1BPTabCUaE6uKQwpLT.1
redundancy
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group VPN-HUNRE
key hunre
dns 8.8.8.8
domain hunre
pool IP-VPN
acl 199
max-users 100
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map DYNMAP 1
set transform-set encrypt-method-1
crypto map VPN client configuration address respond
crypto map VPN 65535 ipsec-isakmp dynamic DYNMAP
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip mtu 1492
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
interface GigabitEthernet0/1
description FPT
no ip address
ip tcp adjust-mss 1412
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface GigabitEthernet0/2
description Connect to CMC
no ip address
ip mtu 1442
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
no cdp enable
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [USERNAME]
ppp chap password 0 [PASSWORD]
ppp pap sent-username [USERNAME] password 0 [PASSWORD]
ppp ipcp dns request
crypto map VPN
interface Dialer2
description Logical ADSL Interface 2
ip address negotiated
ip mtu 1442
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1344
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname [USERNAME]
ppp chap password 0 [PASSWORD]
ppp pap sent-username [USERNAME] password 0 [PASSWORD]
ppp ipcp address accept
no cdp enable
ip local pool IP-VPN 10.252.252.2 10.252.252.245
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source list 11 interface Dialer2 overload
ip nat inside source static 10.159.217.10 interface Dialer1
ip nat inside source list 199 interface Dialer1 overload
ip nat inside source static tcp 10.159.217.10 80 210.245.54.49 80 extendable
ip nat inside source static tcp 10.159.217.10 3389 210.245.54.49 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.159.217.0 255.255.255.0 192.168.1.8
ip sla auto discovery
ip sla responder
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
access-list 10 permit any
access-list 11 permit any
access-list 101 permit icmp any any
access-list 199 permit ip any any
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password cisco
transport input all
line vty 5 15
password cisco
transport input all
scheduler allocate 20000 1000
ntp master
end
However, I cannot ping interfac Dialer 1. I using Cisco vpn client software ver 5.0.07.0290.
Hopeful for your answers !
Thanks

Hi David Castro,
Thanks for your answer,
I configed following your guide, but it have not worked yet. I saw that I cannot ping IP gateway Internet . I using ADSL Internet and config PPPoE and my router receive IP from ISP. Here show ip int brief :
GigabitEthernet0/0         192.168.1.1     YES NVRAM up                    up
GigabitEthernet0/1         unassigned      YES NVRAM up                    up
GigabitEthernet0/2         unassigned      YES NVRAM up                    up
Dialer1                    210.245.54.49   YES IPCP   up                    up
Dialer2                    101.99.7.73     YES IPCP   up                    up
NVI0                       192.168.1.1     YES unset up                    up
Virtual-Access1            unassigned      YES unset up                    up
Virtual-Access2            unassigned      YES unset up                    up
Virtual-Access3            unassigned      YES unset up                    up
But I cannot ping Interface Dialer 1, so may be VPN is does not worked. Do you have some ideal ?
Thanks very much !

ACS 5.0 and remote access VPN

I have problem for authenticar a remote access VPN with ACS 5.0, not work.
When I try with ACS 4.1, the authentication work fine.
I hope someone can help me.
Regards.

I have the same problem. I'm using ASA v8.21 and ACS v5.0.0.21, which I'm using as tacacs and radius server. I have no problem with accessing devices via tacacs (except that changing pass with first login doesn't work). The problem is with VPN authentication. I tested radius with Radlogin and PAP is working fine, CHAP goes in timeout, but as I know ACS 5.0 doesn't suport CHAP.
Here are some logs from ASA:
the end of debug crypto isakmp:
Sep 04 15:01:35 [IKEv1]: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 15:01:35 [IKEv1 DEBUG]: Deleting active auth handle during SA deletion: handle = 1844
debug radius:
Sep 04 2010 15:08:53: %ASA-7-713906: IP = X.X.X.X, Connection landed on tunnel_group radiusACS
Sep 04 2010 15:08:53: %ASA-6-713172: Group = radiusACS, IP = X.X.X.X, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, process_attr(): Enter!
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, Processing MODE_CFG Reply attributes.
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, Authentication Failure: Unsupported server type!
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE TM V6 FSM error history (struct &0xa7b636a8) , : TM_DONE, EV_ERROR-->TM_AUTH, EV_DO_AUTH-->TM_WAIT_REPLY, EV_CHK_MSCHAPV2-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE AM Responder FSM error history (struct &0xac417310) , : AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE SA AM:f7beee8e terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, sending delete/delete with reason message
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing IKE delete payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=e0cd7809) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Sep 04 2010 15:08:53: %ASA-3-713902: Group = radiusACS, Username = user1, IP = X.X.X.X, Removing peer from peer table failed, no match!
Sep 04 2010 15:08:53: %ASA-4-713903: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 2010 15:08:53: %ASA-7-715040: Deleting active auth handle during SA deletion: handle = 1861
Sep 04 2010 15:08:53: %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Regards

Remote Access VPN users unable to communicate with each other

Hi,
We have configured Remote Access VPN on Cisco IOS router. Users are able to access the inside resources but cant communicate to each other. Any suggestions on the issue?
Regards
Saif

Have you excluded the VPN traffic from being NATed when traffic is going between clients?
Please post a full sanitised configuration of the router so we can check it for configuration issues.
Please remember to select a correct answer and rate helpful posts

Remote Access VPN Users with CX Active Authentication.

I have ASA 5515 with CX for webfiltering , also have enabled remote access vpn . All my inside users are able to get active and passive authentication correctly . But for remote access VPN users , they are redirected to ASA external ip and CX authentication port 9000 but a blank page comes in and there is no prompt for authentication. I wasnt doing split tunneling , but now i have excluded ASA WAN ip from the tunnel and still have the same issue.
The CX version we have is 9.3.1.1

Have you excluded the VPN traffic from being NATed when traffic is going between clients?
Please post a full sanitised configuration of the router so we can check it for configuration issues.
Please remember to select a correct answer and rate helpful posts

Remote access VPN Users not able to see local lan or internet

We are setting up a ASA5510. Right now our users can login to the vpn but can't access the internal Lan or internet.
Below is the config. Any help or insight would be greatly appreciated. Thanks
Cryptochecksum: dd11079f e4fe7597 4a8657ba 1e7b287f
: Saved
: Written by enable_15 at 11:04:57.005 UTC Wed Apr 22 2015
ASA Version 9.0(3)
hostname CP-ASA-TOR1
enable password m.EmhnDT1BILmiAY encrypted
names
ip local pool CPRAVPN 10.10.60.1-10.10.60.40 mask 255.255.255.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 63.250.109.211 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.10.10.254 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
object network net-local
subnet 10.10.10.0 255.255.255.0
object network net-remote
subnet 10.10.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.60.0_26
subnet 10.10.60.0 255.255.255.192
access-list Outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object net-remote
access-list CPRemoteVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static net-local net-local destination static net-remote net-remote
nat (Inside,Outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_10.10.60.0_26 NETWORK_OBJ_10.10.60.0_26 no-proxy-arp route-lookup
nat (Inside,Outside) after-auto source dynamic any interface
route Outside 0.0.0.0 0.0.0.0 63.250.109.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 209.171.34.91
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy CPRemoteVPN internal
group-policy CPRemoteVPN attributes
dns-server value 10.10.10.12
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-network-list value CPRemoteVPN_splitTunnelAcl
default-domain value carepath.local
split-dns value carepath.ca
split-tunnel-all-dns enable
msie-proxy method no-proxy
address-pools value CPRAVPN
username roys password jjiV7E.dmZNdBlFQ encrypted privilege 0
username roys attributes
vpn-group-policy CPRemoteVPN
tunnel-group 209.171.34.91 type ipsec-l2l
tunnel-group 209.171.34.91 ipsec-attributes
ikev1 pre-shared-key *****************
tunnel-group CPRemoteVPN type remote-access
tunnel-group CPRemoteVPN general-attributes
address-pool CPRAVPN
default-group-policy CPRemoteVPN
tunnel-group CPRemoteVPN ipsec-attributes
ikev1 pre-shared-key **********
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dd11079fe4fe75974a8657ba1e7b287f
: end

Sorry for the delay but I was able to put that command in this morning. But still no Joy.
Here is the updated config. Perhaps I didn't put it in right.
domain-name carepath.ca
enable password m.EmhnDT1BILmiAY encrypted
names
ip local pool CPRAVPN 10.10.60.1-10.10.60.40 mask 255.255.255.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 63.250.109.211 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.10.10.254 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name carepath.ca
object network net-local
subnet 10.10.10.0 255.255.255.0
object network net-remote
subnet 10.10.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.60.0_26
subnet 10.10.60.0 255.255.255.192
access-list Outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object net-remote
access-list CPRemoteVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static net-local net-local destination static net-remote net-remote
nat (Inside,Outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_10.10.60.0_26 NETWORK_OBJ_10.10.60.0_26 no-proxy-arp route-lookup
nat (Inside,Outside) after-auto source dynamic any interface
route Outside 0.0.0.0 0.0.0.0 63.250.109.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 209.171.34.91
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.255 Inside
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy CPRemoteVPN internal
group-policy CPRemoteVPN attributes
dns-server value 10.10.10.12
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CPRemoteVPN_splitTunnelAcl
default-domain value carepath.local
split-dns value carepath.ca
split-tunnel-all-dns enable
msie-proxy method no-proxy
address-pools value CPRAVPN
username sroy password RiaBzZ+N4R7r5Fp/8RT+wg== nt-encrypted privilege 15
username roys password jjiV7E.dmZNdBlFQ encrypted privilege 0
username roys attributes
vpn-group-policy CPRemoteVPN
tunnel-group 209.171.34.91 type ipsec-l2l
tunnel-group 209.171.34.91 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group CPRemoteVPN type remote-access
tunnel-group CPRemoteVPN general-attributes
address-pool CPRAVPN
default-group-policy CPRemoteVPN
tunnel-group CPRemoteVPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bbc0f005f1a075a4f9cba737eaffb6f2

VPN filter per remote access user (via ACS)?

Similar Messages

Maybe you are looking for