VPN Termination IP address
Hi,
I am pretty sure that you can't do this in previous versions and don't think it has changed in version 9.X but though I would check in with the community before righting the idea off completely.
We are an ISP that does Managed Services, I am looking at a way too ultimately conserve IP addressing so for our managed firewall customers we want to have a private p2p subnet between the ISP PE router and the ASA firewall and then we can configure /32 static routes on the PE as and when the customers need public IP addresses. As I'm sure most of you know this will work fine for outbound dynamic and inbound static NAT's.
Can anyone confirm that in version 9.X whether there is anything we can do when it comes to l2l vpns (webvpn/Anyconnect as well but mainly IPsec l2l), can we use one of these routed public IP addresses to terminate a IPsec VPN?
I hafve lab'd it up in GNS3 on 8.4 and can't see a way of doing it, I have also seen a couple of posts online that say you can't do it either although nothing about 9.X.
Thanks in advance
Hello,
Not seen anything about it in release notes and you'd think it would get a mention if you could do it. Wish they would find a way to do it though, have the same problem and have to NAT the VPN through to a router behind the ASA, bit messy but it works.
Similar Messages
-
Unable to access vpn box internal address after vpn
Hi all. My office network is protected by asa5510 firewall with vpn configured. When i vpn into my office network i could not access the firewall via the firewall's internal address using telnet etc even though i have already enable telnet. The firewall is my office network gateway. Below is my config. Pls advise. Thks in advance. Access to my office network is fine using vpn.
hostname firewall
domain-name default.domain.invalid
enable password xxx
names
dns-guard
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1x.x 255.255.255.0
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.2x.x 255.255.255.0
interface Ethernet0/2
nameif outside
security-level 0
ip address 8x.x.x.x 255.255.255.240
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn internal
group-policy vpn attributes
dns-server value 192.168.1x.x 192.168.1x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
username ciscoadm password xxx encrypted privilege 15
username ciscoadm attributes
vpn-group-policy vpn
webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool addpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
telnet 192.168.1x.x 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0Hi all. Below is my configuration. After i enable "management-access inside" i could access my firewall internal ip via ping after establishing vpn connection but not others like telnet even though "telnet 0.0.0.0 0.0.0.0 inside" is enabled. Pls advise.
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1x.254 255.255.255.0
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.2x.254 255.255.255.0
interface Ethernet0/2
nameif outside
security-level 0
ip address 8x.xx.xx.xx 255.255.255.240
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list inside_access_in extended permit esp any any
access-list inside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
access-list prod standard permit host 192.168.1x.x
access-list prod standard deny any
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool pool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnuser internal
group-policy vpnuser attributes
dns-server value 192.168.1x.x 192.168.1x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value prod
default-domain value mm.com
webvpn
username user password xxx encrypted privilege 15
username user attributes
vpn-group-policy vpnuser
webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpnuser type ipsec-ra
tunnel-group vpnuser general-attributes
address-pool pool
default-group-policy vpnuser
tunnel-group vpnuser ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 8x.x.1x.x 8x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management -
Vpn-framed-ip-address not working with anyconnect
Hi Folks, please help me to verify if this case is a bug or a "not valid scenario".
Scenario:
ASA 5520, OS 9.1, SSL VPN with Anyconnect v3.x, static ip address for the client, and RSA token authentication (all the users/pin/passwords are in the RSA server, not in the ASA, but i need to create some users in the ASA in order to apply the vpn-framed-ip-address attribute for specific users).
In fact the anyconnect ssl vpn with RSA auth works fine, the ssl connection works, the user is authenticated, the anyconnect works, traffic passing, BUT.. the anyconnect its getting an ip address from the ip local pool INSTEAD of the static ip defined with the vpn-framed-ip-address command.
I'm trying to assign a static ip address for a user (defined locally on the ASA) that performs auth via RSA (aaa-server), by using the vpn-framed-ip-address command as an attribute for this local user. But it seems the command is not working.
Already I´ve tried to resolve (with no success) by entering the
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local
Also i´ve tried by removing the pool from tunnel-group in order to force all the connection session to use the static ip address, but in this case, the anyconnect sends a message "No Address Available for SVC Connection". Meaning the ASA simply is ignoring the vpn-framed-ip-address command.
Its supposed the ASA implement the policies in this order, DAP > User policy > UserGrp policy > ConnProfile > DefGrpPolicy, and according to this, the vpn-framed-ip-address command should take effect first since its specified as User policy, overriding everything else. But its not working.
At this point i think the issue is... since the user is locally defined but its password its being authenticated via RSA (not local), the user attributes (static ip) are being ignored by the ASA because its not expecting to receive an ip address from the aaa server (RSA), so jumps to the next policies falling to the pool. Anyway the user policies attributes SHOULD work according to cisco.
Please your advise, or tell if its a bug? or a not valid scenario for this command to work with the ASA.
This is the current config:
ip local pool PoolSSL 192.168.229.10-192.168.229.19 mask 255.255.255.0
aaa-server RSA protocol sdi
aaa-server RSA (inside) host 192.168.12.1
retry-interval 5
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
group-policy GroupPolicyABC internal
group-policy GroupPolicyABC attributes
wins-server none
dns-server value 192.168.61.1 192.168.61.2
vpn-tunnel-protocol ssl-client
group-lock value TunnelGroupABC
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ServersDB
default-domain value my.domain.com
split-tunnel-all-dns disable
webvpn
anyconnect ask none default anyconnect
username USER1 password xHhacRZ56Uadqoq encrypted
username USER1 attributes
vpn-framed-ip-address 192.168.229.7 255.255.255.0
group-lock value TunnelGroupABC
tunnel-group TunnelGroupABC type remote-access
tunnel-group TunnelGroupABC general-attributes
address-pool PoolSSL
authentication-server-group RSA
default-group-policy GroupPolicyABC
tunnel-group TunnelGroupABC webvpn-attributes
group-alias AccessToDB enable
I´ll wait for your answers, regards!https://tools.cisco.com/bugsearch/bug/CSCtf71671/
you need AAA assignment, or at least you needed to have it a couple of years back. -
Hi Guys,
I'm using a cisco 5510 ASA at the headoffice to provide the VPN (remote access vpn) connectivity to the branch offices.
My local network is - 192.168.30.0 /24 and I've used a part of same segment for the vpn_pool as well ( i.e 192.168.30.152 -192.168.30.199). Further I'm using the vpn-framed-ip-address feature to allocate an unique ip address for each branch office when it connects.
My problem is, though this setup worked fine at the begining, now sometimes when the vpn connections are established from remote branches, they take different ip addresses from the allocated vpn pool, rather than the specific ip address which is mentioned under the vpn-framed-ip-address command.
Can anyone assist me with this issue?
Regards,
SuthakarHi Javier,
I think I have found out a solution for this problem.
I've removed the ip vpn pool and its reference under tunnel group general-attributes
ip local pool vpn_pool x.x.x.x - x.x.x.x
tunnel-group x.x.x.x general-attributes
address-pool vpn_pool
since there is no ip-pool, now the remote client's are getting the exact individual ip addresses allocated for them with the vpn-framed-ip-address command.
Thank you for your support.
Regards,
Suthakar -
Cisco ASA 5505 VPN Anyconnect no address assignment
I have a problem with ip assigment via anyconnect. I always get the message no assigned address via anyconnect. I assigned to my profile for vpn a address pool, but it's still not working. Here is my config:
hostname firewall
domain-name ITTRIPP.local
enable password 8K8UeTZ9KV5Lvofo encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool 192.168.178.0 192.168.178.151-192.168.178.171 mask 255.255.255.255
ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description Private Interface
nameif inside
security-level 100
ip address 192.168.178.10 255.255.255.0
ospf cost 10
interface Vlan2
description Public Interface
nameif outside
security-level 0
ip address 192.168.177.2 255.255.255.0
ospf cost 10
interface Vlan3
description DMZ-Interface
nameif dmz
security-level 0
ip address 10.10.10.2 255.255.255.0
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.178.3
name-server 192.168.177.1
domain-name ITTRIPP.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.178.x
subnet 192.168.178.0 255.255.255.0
object network NETWORK_OBJ_192.168.178.0_26
subnet 192.168.178.0 255.255.255.192
object service teamviewer
service tcp source eq 5938
object service smtp_tls
service tcp source eq 587
object service all_tcp
service tcp source range 1 65535
object service udp_all
service udp source range 1 65535
object network NETWORK_OBJ_192.168.178.128_26
subnet 192.168.178.128 255.255.255.192
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
object-group user DM_INLINE_USER_1
user LOCAL\admin
user LOCAL\lukas
user LOCAL\sarah
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service 192.168.178.network tcp
port-object eq 5000
port-object eq 5001
object-group service DM_INLINE_SERVICE_1
service-object object smtp_tls
service-object tcp destination eq imap4
service-object object teamviewer
object-group service DM_INLINE_SERVICE_2
service-object object all_tcp
service-object object udp_all
object-group service DM_INLINE_SERVICE_3
service-object object all_tcp
service-object object smtp_tls
service-object object teamviewer
service-object object udp_all
service-object tcp destination eq imap4
object-group service vpn udp
port-object eq 1701
port-object eq 4500
port-object eq isakmp
object-group service openvpn udp
port-object eq 1194
access-list NAT-ACLs extended permit ip 192.168.178.0 255.255.255.0 any
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside in terface]=-
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any object -group Internet-udp
access-list inside-in extended permit tcp 192.168.178.0 255.255.255.0 any object -group Internet-tcp
access-list inside-in extended permit icmp 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any eq sip
access-list inside-in extended permit object-group DM_INLINE_SERVICE_1 192.168.1 78.0 255.255.255.0 any
access-list inside-in extended permit object-group DM_INLINE_SERVICE_2 192.168.1 78.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE in terface]=-
access-list outside-in extended permit icmp any 192.168.178.0 255.255.255.0 echo -reply
access-list outside-in extended permit tcp object-group-user DM_INLINE_USER_1 an y host 192.168.178.95 object-group DM_INLINE_TCP_1
access-list outside-in extended permit tcp any host 192.168.178.95 object-group 192.168.178.network
access-list outside-in extended permit tcp any 192.168.178.0 255.255.255.0 eq si p
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0. 251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Nam e Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0. 252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbi os-ns
access-list dmz_access_in remark -=[Access Lists For Outgoing Packets from DMZ i nterface]=-
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10 .10.0 255.255.255.0 any
access-list dmz_access_in extended permit icmp 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 any objec t-group Internet-tcp
access-list dmz_access_in extended permit udp 10.10.10.0 255.255.255.0 any objec t-group Internet-udp
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.16 8.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source static any any destination static NETWORK_OBJ_192.168.1 78.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.16 8.178.128_26 NETWORK_OBJ_192.168.178.128_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0 .0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
object network 192.168.178.x
nat (inside,outside) dynamic interface
nat (dmz,outside) after-auto source dynamic 192.168.178.x interface
access-group inside-in in interface inside
access-group outside-in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.177.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ITTRIPP protocol ldap
aaa-server ITTRIPP (inside) host 192.168.178.3
ldap-base-dn CN=Users,DC=ITTRIPP,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,DC=ITTRIPP,DC=local
server-type microsoft
user-identity default-domain LOCAL
eou allow none
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.178.0 255.255.255.0 inside
http redirect outside 80
http redirect inside 80
http redirect dmz 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-A ES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-A ES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES2 56 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=firewall
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn l1u.dyndns.org
email [email protected]
subject-name CN=l1u.dyndns.org,OU=VPN Services,O=ITTRIPP,C=DE,St=NRW,L=PLBG,EA= [email protected]
serial-number
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 6a871953
308201cf 30820138 a0030201 0202046a 87195330 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130866 69726577 616c6c31 17301506 092a8648
86f70d01 09021608 66697265 77616c6c 301e170d 31343033 30373039 31303034
5a170d32 34303330 34303931 3030345a 302c3111 300f0603 55040313 08666972
6577616c 6c311730 1506092a 864886f7 0d010902 16086669 72657761 6c6c3081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c0 8f17fa6c
2f227dd9 9d2856e1 b1f8193b 13c61cfe 2d6cbf94 62373535 71db9ac7 5f4ad79f
7594cfef 1360d88d ad3c69c1 6e617071 c6629bfa 3c77c2d2 a59b1ce1 39ae7a44
3f8c852d f51d03c1 d9924f7c 24747bbb bf79af9a 68365ed8 7f56e58c a37c7036
4db983e0 414d1b5e a8a2226f 7c76f50d d14ca714 252f7fbb d4a23d02 03010001
300d0609 2a864886 f70d0101 05050003 81810019 0d0bbce4 31d9342c 3965eb56
4dde42e0 5ea57cbb a79b3542 4897521a 8a6859c6 daf5e356 9526346d f13fb344
260f3fc8 fca6143e 25b08f3d d6780448 3e0fdf6a c1fe5379 1b9227b1 cee01a20
aa252698 6b29954e ea8bb250 4310ff96 f6c6f0dc 6c7c6021 3c72c756 f7b2e6a1
1416d222 0e11ca4a 0f0b840a 49489303 b76632
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 580c1e53
308202ff 30820268 a0030201 02020458 0c1e5330 0d06092a 864886f7 0d010105
05003081 c3312230 2006092a 864886f7 0d010901 16136d61 696c406c 31752e64
796e646e 732e6f72 67310d30 0b060355 04071304 504c4247 310c300a 06035504
0813034e 5257310b 30090603 55040613 02444531 10300e06 0355040a 13074954
54524950 50311530 13060355 040b130c 56504e20 53657276 69636573 31173015
06035504 03130e6c 31752e64 796e646e 732e6f72 67313130 12060355 0405130b
4a4d5831 3533345a 30575430 1b06092a 864886f7 0d010902 160e6c31 752e6479
6e646e73 2e6f7267 301e170d 31343033 31353036 35303535 5a170d32 34303331
32303635 3035355a 3081c331 22302006 092a8648 86f70d01 09011613 6d61696c
406c3175 2e64796e 646e732e 6f726731 0d300b06 03550407 1304504c 4247310c
300a0603 55040813 034e5257 310b3009 06035504 06130244 45311030 0e060355
040a1307 49545452 49505031 15301306 0355040b 130c5650 4e205365 72766963
65733117 30150603 55040313 0e6c3175 2e64796e 646e732e 6f726731 31301206
03550405 130b4a4d 58313533 345a3057 54301b06 092a8648 86f70d01 0902160e
6c31752e 64796e64 6e732e6f 72673081 9f300d06 092a8648 86f70d01 01010500
03818d00 30818902 818100c0 8f17fa6c 2f227dd9 9d2856e1 b1f8193b 13c61cfe
2d6cbf94 62373535 71db9ac7 5f4ad79f 7594cfef 1360d88d ad3c69c1 6e617071
c6629bfa 3c77c2d2 a59b1ce1 39ae7a44 3f8c852d f51d03c1 d9924f7c 24747bbb
bf79af9a 68365ed8 7f56e58c a37c7036 4db983e0 414d1b5e a8a2226f 7c76f50d
d14ca714 252f7fbb d4a23d02 03010001 300d0609 2a864886 f70d0101 05050003
81810087 8aca9c2b 40c9a326 4951c666 44c311b6 5f3914d5 69fcbe0a 13985b51
336e3c1b ae29c922 c6c1c29d 161fd855 984b6148 c6cbd50f ff3dde66 a71473c4
ea949f87 b4aca243 8151acd8 a4a426d1 7a434fbd 1a14bd90 0abe5736 4cd0f21b
d194b3d6 9ae45fab 2436ccbf d59d6ba9 509580a0 ad8f4131 39e6ccf1 1b7a125d
d50e4e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.178.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.178.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
dhcp-client update dns server both
dhcpd update dns both
dhcpd address 192.168.178.100-192.168.178.150 inside
dhcpd dns 192.168.178.3 192.168.177.1 interface inside
dhcpd wins 192.168.178.3 interface inside
dhcpd domain ITTRIPP.local interface inside
dhcpd update dns both interface inside
dhcpd option 3 ip 192.168.178.10 interface inside
dhcpd option 4 ip 192.168.178.3 interface inside
dhcpd option 6 ip 192.168.178.3 192.168.177.1 interface inside
dhcpd option 66 ip 192.168.178.95 interface inside
dhcpd enable inside
dhcpd address 192.168.177.100-192.168.177.150 outside
dhcpd dns 192.168.178.3 192.168.177.1 interface outside
dhcpd wins 192.168.178.3 interface outside
dhcpd domain ITTRIPP.local interface outside
dhcpd update dns both interface outside
dhcpd option 3 ip 192.168.177.2 interface outside
dhcpd option 4 ip 192.168.178.3 interface outside
dhcpd option 6 ip 192.168.178.3 interface outside
dhcpd enable outside
dhcpd address 10.10.10.100-10.10.10.150 dmz
dhcpd dns 192.168.178.3 192.168.177.1 interface dmz
dhcpd wins 192.168.178.3 interface dmz
dhcpd domain ITTRIPP.local interface dmz
dhcpd update dns both interface dmz
dhcpd option 3 ip 10.10.10.2 interface dmz
dhcpd option 4 ip 192.168.178.3 interface dmz
dhcpd option 6 ip 192.168.178.3 interface dmz
dhcpd enable dmz
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag e-rate 200
tftp-server inside 192.168.178.105 /volume1/data/tftp
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 dmz
ssl trust-point ASDM_TrustPoint0 dmz vpnlb-ip
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
enable dmz
file-encoding 192.168.178.105 big5
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 3
anyconnect profiles SSL-Profile_client_profile disk0:/SSL-Profile_client_profil e.xml
anyconnect enable
tunnel-group-list enable
mus password *****
group-policy DfltGrpPolicy attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
dhcp-network-scope 192.168.178.0
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value ITTRIPP.local
split-dns value ITTRIPP.local
webvpn
anyconnect firewall-rule client-interface public value outside-in
anyconnect firewall-rule client-interface private value inside-in
group-policy GroupPolicy_SSL-Profile internal
group-policy GroupPolicy_SSL-Profile attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value ITTRIPP.local
webvpn
anyconnect profiles value SSL-Profile_client_profile type user
username sarah password PRgJuqNTubRwqXtd encrypted
username admin password QkbxX5Qv0P59Hhrx encrypted privilege 15
username lukas password KGLLoTxH9mCvWzVI encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL-POOL
secondary-authentication-server-group LOCAL
authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 trust-point ASDM_TrustPoint0
ikev1 radius-sdi-xauth
tunnel-group SSL-Profile type remote-access
tunnel-group SSL-Profile general-attributes
address-pool SSL-POOL
default-group-policy GroupPolicy_SSL-Profile
tunnel-group SSL-Profile webvpn-attributes
group-alias SSL-Profile enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
service-policy global_policy global
mount FTP type ftp
server 192.168.178.105
path /volume1/data/install/microsoft/Cisco
username lukas
password ********
mode passive
status enable
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:998674b777e5fd1d3a131d93704ea0e1
Any idea why it's not working?You've got a lot going on there but I'd focus on the line "no vpn-addr-assign local". Per the command reference that tells the ASA NOT to use the local pool.
By the way, DHCP on the outside interface looks very counter-intutive, as does enabling VPN on all interfaces over every protocol. -
AnyConnect VPN Clients IP Address access rules
I setup ASA5540 for SSL-VPN (clientless) works fine.
But I try to use Client (AnyConnect) to access internal resources, it is failed. It is stiil initiate sessions from remote client IP.
I need to initiate session from client IP assigned by ASA5540 box (same with Cisco VPN client connect to Cat65 SVC module).
How I setup it?I use Cisco VPN client (remote access VPN)to connect ASA.
There is a configuration setup for group authentication/w password on Cisco VPN client.I do not know to setup on ASA to match this?
Second, remote client connect ASA, I should get the client IP address which I setup on ASA.
It should use this IP to connect ASA internal net,but I failed.( Both Cisco VPN and AnyConnect)
How I setup this ( SSL VPN on this ASA works). -
ACS with VPN Concentrator : IP address attribution
Hello,
I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator,and if yes : how can I do, what is the procedure ? With the attribute Framed IP Address ? Does it work ?
Thanks !
Patriceyes it can be done at works very well under the radius attributes uses the:
[014] Login-IP-Host
NAS Specifies
User Specifies
Other
Check other and then add the ip address that you want to assigned -
Correlating VPN assigned IP address with particular users - CSACS and ASA
We have an ASA running 7.0(6)8 and use CSACS v4.1
For remote access, we have VPN groups set-up on the ASA. Our remote users connect to our network, are authenticated via the CSACS server, then are assigned an IP address from the relevant address pool on the ASA.
At the moment, I can use "show uauth" on the ASA to determine which user has been assigned a particular IP address, as long as they are currently connected.
But, what I'd like to be able to do is determine which user had an IP address at a particular time in the past.
E.g. if our device logs show activity from a particular IP address, I'd like to be able to trace back to find out which user had been assigned that IP address at the time.
Can anyone suggest how I might achieve this? I'm guessing that I need to set-up some sort of accounting between the ASA and the CSACS server but I'm not really sure what exactly is required.
Any help/advice would be appreciated. Thanks.hi, thanks for the advice, that sounds good.
Do you know the exact commands required to achieve this on the ASA? It doesn't seem to have the same set of aaa commands as found on e.g. an IOS router so I'm not entirely sure what to configure.
E.g. on my ASA, the aaa accounting options are:
aaa accounting ?
configure mode commands/options:
command Specify this keyword to allow command accounting to be configured
for all administrators on all consoles
enable Enable
exclude Exclude the service, local and foreign network which needs to be
authenticated, authorized, and accounted
include Include the service, local and foreign network which needs to be
authenticated, authorized, and accounted
match Specify this keyword to configure an ACL to match
serial Serial
ssh SSH
telnet Telnet -
I am trying to write a program that sends a <CiscoIPPhoneExecute> request to a Cisco Phone, the problem is that I am having trouble obtaining the IP for the terminal which I need to construct the HTTP Header.
I am aware of the sendData() attribute that can do similar to this but I really need the IP address of the Terminal recieving the call.
Please can anyone help?
ThanksBDAqua,
My report:
1. Moved preferences.plist from /Library/Preferences/SystemConfiguration/preferences.plist into trash.
2. rebooted.
3. Computer now shows [localhost] in terminal as a host name-success. However, now Internet does not work.
4. Went to System preferences>Network>Built-in-Ethernet. There was a blank page (all settings gone).
5. No matter. Inputed comcast.net in Search domains field (Comcast is my provider). Clicked on Apply now. All settings came back, internet works.
6. Now Terminal again shows my IP as a host name, but at least I know that this change came from Comcast.
Unexpected benefit: Apparently this procedure got rid of annoying "Your settings are being modified by another application" bug-Good to know, thanks.
Conclusion: For some reason Comcast sees fit to modify Terminal settings.
Big thanks for making the problem clearer. -
Terminal-IP address instead of computer name is showing
Hi, my computer is behaving strangely lately and I noticed that in terminal the host name is displayed like this:
c-XX-XXX-XX-XX-XXX:~ myusername%
with XX numbers corresponding to my actual IP address
When I looked in my 1 month old backup, it is displayed correctly there with an actual drive name.
In addition, the current shell is tsch, despite the fact that I am running OSX10.4.11 where it is supposed to be bash as far as I understand.
Is displaying IP address in terminal instead of computer name normal? If not, how to reset this?
Any help would be much appreciated.BDAqua,
My report:
1. Moved preferences.plist from /Library/Preferences/SystemConfiguration/preferences.plist into trash.
2. rebooted.
3. Computer now shows [localhost] in terminal as a host name-success. However, now Internet does not work.
4. Went to System preferences>Network>Built-in-Ethernet. There was a blank page (all settings gone).
5. No matter. Inputed comcast.net in Search domains field (Comcast is my provider). Clicked on Apply now. All settings came back, internet works.
6. Now Terminal again shows my IP as a host name, but at least I know that this change came from Comcast.
Unexpected benefit: Apparently this procedure got rid of annoying "Your settings are being modified by another application" bug-Good to know, thanks.
Conclusion: For some reason Comcast sees fit to modify Terminal settings.
Big thanks for making the problem clearer. -
VPN - reserving Pool addresses
Hello there.
I have created a PPTP VPN on a cisco 3745 router, and a pool of addresses for the VPN clients. Now i want to find a way to reserve the addresses in the pool for specific machines, for example, if machine A connects to the VPN it should always be given the IP address a.a.a.a and that address should never be assigned to any other machine even if machine A is not connected to the VPN. Please help.
Thanks.you can reserve the ip address for a particular user in the ACS. and you will have to authenticate for vpn via ACS. i have done this and it works perfectly.
-
VPN with overlapping addresses
Hi
An ISP need to make VPN tunnels to four Costumers, so they can get data from a common server placed at the ISP.
Costumer A, B & C is working well, but the new Costumer D are using same private Network as the ISP, an will not accept to change their Network, neither they will accept to put some NAT in their Router.
They already NAT their private Network range to an official Network.
ISP are using a Cisco 1841 Router for the project, but are ready to change to a PIX firewall or a VPN 3005 Concentrator if thats whats needed.
Could any kind person please help me with this scenario.
I have published the scenario in graphics here: http://www.z28.dk/vpn.htm
The configuration Im using for now can be found at: http://www.z28.dk/conf.htm
Best regards
R.B.P.I can help with the 3005 setup if you decide to go that route.
You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
You will need to configure a local and remote address. The local will be one of the public ip's for the site.(Provided by your ISP)The remote will be the device you are connecting to on the other end.
You will also need to add a Nat Lan to Lan rule under Configuration>Policy Management>Traffic Management>Nat>Lan to Lan.
Use a static Nat type. The rest will look similar to my example.
Source(Local address)Translated(Public Ip Address used in the network local list)Remote(Ip address of the device on the other end)
Now just create an Ipsec lan to lan tunnel. You will need to agree with the ISP on des type and auth type. Use you local and remote networks you created earlier. -
ASA5510 RA VPN, ACS assigned address different subnet than inside interface
Currently we have our RA tunnels set up with IP Address pools that are in the same subnet as the ASA inside interface and that works to give the clients connectivity.
I have seen that this is not the best way to go with this and also have seen some config snippets.
But I have not seen exactly how this should be done, and I don't really see anything in the config examples.
For example, If my ASA is 10.10.10.1 and I want to assign each person a specific IP Address in an address pool and I want each group to be in a different subnet:
Eng = 192.168.100.0
Bob = 192.168.100.1
Bill = 192.168.100.2
Sales = 192.168.200.0
Sue = 192.168.200.1
Sam = 192.168.200.2
I have two core switches with the SVIs configured for these subnets.
But, I don't see how the routing is accomplised in the ASA.
Also, I can configure the ACS to give each person an IP Address, but not sure what is needed in the ASA.
Do the pools still need to be configured in the ASA and the ACS hands the client an address that I specify in that pool?Better to reset an IP pool and reclaim all its IP addresses:
Use this User Guide for Cisco Secure Access Control Server 4.1 System Configuration: Advanced
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html -
My setup is ISP-2811-PIX 515E-LAN. Right now, I am doing a PAT for IPSEC tunnels to terminate on the PIX. Do you recommend I use the 2811 instead of PIX for VPN or keep things the way it is? Trying to determine the best box to use. Thanks!
i can't think of any cons of keeping it on the PIX as PIX is designed to terminate VPN and firewall capabilities.
But yes, you are right, if you need QoS capability for the traffic within the vpn tunnel then yes, move it to the 2811 router. -
SSL VPN and dedicated IP address
Hello
I have an ASA 5505 8.3 and i setup it with ADSL 6.3
I am trying to dedicate IP addresses to clientless SSL VPN user: is it possible ?
If not is it possible with Anyconnect client ?
If yes i can't perform it !
I have a user test and i want dedicated him an IP address . After authentification user can connect to a web application but when i see the netstat, it is the IP adress of the ASA which is connected ...
Could you help me ?
Regards
L.MalandainTwo ways -
Frist create pool with one IP address and assign that to group policy.
Second- modify the user atributes-
username test password xxxxx
username test attributes
vpn-framed-ip-address
Thanks
Ajay
Maybe you are looking for
-
Mixing RAM Speeds In iMac G4 1GHz 17" Flat-Panel?
I'm just checking here. I have an iMac G4 1GHz 17" Flat-Panel, Model M8935LL/A (USB 1.1 version) that currently has the standard 256MB PC2100 (266 MHz) RAM module installed in the factory slot, and a 512MB PC2700 (333 MHz) RAM module installed in the
-
Hi I currently have three devices sharing one Apple ID. Ipad (Work) Iphone (Wife) & Ipod Touch (Son) I have purchased an iPhone for Christmas and want to migrate the ipod to a new Apple ID. I haven't created the an ID for the phone yet but just wonde
-
Word merge with MS_WORD_OLE_FORMLETTER
We want to do a word-merge with MS_WORD_OLE_FORMLETTER, having two datasets (in internal tables) and making two documents in one run (to make sure all selections are the same). When trying this the word-template-document (or how do you call that) has
-
XI message to Attachments desc : my scenario is file-XI-SOAP I want to convert the input payload into an attachment. And this attachment should be sent to Webservice though SOAP rceceiver adapter by selecting "Keep Attachment". Please let me know how
-
SMARTFORMS printing is shifted to the right
We are having a problem with a SMARTFORMS for 1099 called IDWTCERT_US_1099MISC. We noticed that the print preview after testing the 1099 and the print preview from the SPOOL (trx SP01) shows the 1099 form OK, but printing it out cuts off the right si