Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About rdianat
Stats
Member since
11-25-2002
95
Posts
0
Helpful
0
Solutions
Created by
rdianat
in VPN and AnyConnect
in VPN and AnyConnect
08-03-2012
08:07 AM
08-03-2012
08:07 AM
Hello experts, I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time). My Question to Experts: 1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client? 2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling) Thanks for your help, Razi
... View more
- Tags:
- anyconnect
- anyconnect_vpn
- asa_5500
- ikev2
- ipsec
- ipsec_ikev2
- split_tunneling
- vm
- vmware
- vpn_client
- vpn_concentrator
Labels:
03-07-2012
08:00 AM
Hello experts, When using cisco VPN client and ipsec IKEV1, there was always and option to choose IPSEC over TCP which also made it possible to use NAT-T over TCP port 4500. However in new AnyConnect client there is no way to force the IPSEC over NAT-T to run over TCP. at least I do not know how to do it. Does anyone know how to configure ASA with IPSEC IKEV2 to run NAT-T over TCP. As you know many Firewalls block UDP/4500 and this creates problem if I cannot configure NAT-T over TCP port 4500. Thank you Razi
... View more
Labels:
Created by
rdianat
in VPN and AnyConnect
in VPN and AnyConnect
03-06-2012
01:27 PM
03-06-2012
01:27 PM
Hello experts, When running 8.2 on ASA, with Cisco VPN Client, I could see the name of remote computers in ASA logs. this is something like: Mar 6 15:32:09 Test_ASA_Serv : %ASA-7-715053: Group = ABCD, Username = John, IP = 1.1.1.1, MODE_CFG: Received request for DHCP hostname for DDNS is: Computer123-John! Now on the same ASA box I have upgraded to 8.4, and still see the same logs with Cisco VPN Client, but when running AnyConnect client, I do not see any loggs with message ID 715053. i.e. I am not getting the information about remote computer name. My question is what message ID in AnyConnect I have to use to get the name of the remote machine in the ASA logs. Very soon I am going to completely remove the Cisco VPN client and only use AnyConnect, so I need to make sure that I will be getting the same level of logging. Please note: I am going to use Anyconnect only for IPSEC. I am not planning for SSL VPN yet. Thank You, Razi
... View more
Labels:
03-02-2012
12:21 PM
Joey, I CAN see 746012, but only if I have enabled debug logging " logging buffered debugging" I did the commands you have mentioned: logging message 746012 informational logging message 734003 informational by doing this I can not see these messages, but if I do "logging buffered debugging" then I can see these messages. if a message is generated in debug level, we can not change it to informational level by "informational" keyword. This is what I thought and that is what I see after configuration. Any other thought? Thanks, Razi
... View more
03-01-2012
12:59 PM
Yes, I see the debug level logs but nothing for 722022. tst-vpn(config)# sh logg mess 722022 syslog 722022: default-level informational, current-level debugging (enabled) Now I found the message ID 746012 and 734003 could be an acceptable solution, but the problem is for these two messages to be logged I have to enable logging buffered debugging". When I enable buffered debug logging, the buffer gets full immediately and I get lots of undesired logs. Is there any other message ID which can work in informational (level 6) and give me the same information as in 746012 or 722022? Thanks, Razi
... View more
03-01-2012
10:19 AM
Hello experts, I have upgraded my ASA5540 form 8.2(2) to 8.4(2) and I have run into this logging issue. previously I was logging the message ID: 713906 and could get this information: group name, public address, assigned local address, username which identifies all the elements of a tunnel establishment. As I upgraded to 8.4(2) I have lost this logging capability. I have tried to use different logging message ID alternatives like 722022, 722051 without any luck. I configured the message IDs and just they are not being logged. here is my config: logging enable logging facility 22 logging queue 1024 logging device-id hostname logging buffered 10000000 logging message 722051 level debugging logging message 713906 level debugging logging message 713050 level debugging logging message 715053 level debugging logging message 715019 level debugging logging message 713906 level debugging logging message 713184 level debugging logging message 113019 level debugging logging message 113004 level debugging logging message 113005 level debugging logging message 713052 level debugging logging message 106015 level debugging logging message 302013 level debugging logging message 302016 level debugging logging message 302014 level debugging logging message 750006 level debugging logging message 722022 level debugging logging message 737026 level debugging I see lots of lines being logged for connection etablishment, but not the above logs which I am interested in. I am interested to have at least 'username, local ip address, at the time the session is established all together in one line. I can see many lines for 302013, 302014, 302016 for different connections, but I am more intereseted in the start of the session. And please note I am using pure ipsec both IKEV1 and IKEV2 with cisco vpn client as well as cisco anyconnect. I am NOT using ssl vpn. Any help would be appreciated. Thank you, Razi
... View more
Labels:
02-18-2012
09:54 AM
Hello experts: A customer of mine has a requirement to do url redirection via PIX. This requirement is very strict as the customer does not want to spend an additional penny on this. Here is the example of what he wants to do: Any http or https request to www.mydomain.com which was originally hosted by mydomain.com to be modified on the PIX firewall and be redirected to an ISP hosting service at http://www.ISP.com/a/mydomain I know there are other simpler/better options like purchasing a URL redirection service from some DNS providers, but as I said at this stage, my customer wants only to do it on his own PIX Firewall. Has anyone done this? do you know how to do it. Please note: this is different from port forwarding in the PIX which is an straight forward task to do. Thanks, Razi
... View more
Labels:
01-21-2012
10:23 AM
Hi Marcin, Thank you very much for the useful clarification. I have configured an ASA with IPSEC IKEV2 remote access VPN where only server authentication through "Identity certificate" is required. The steps I have done. - created a CSR on the ASA - sent it to public CA and received the cert and installed it on the ASA - Installed the CA's cert chain on the client computer. So if I understand correctly, this allows only for server authentication which works perfectly. You mention that mutual authentication of server and client is an "RFC mandate". (If I understand it correctly) so is it that Cisco's implementation is not compliant with RFC mandate? And although the above configuration is using certificates, it is still weaker security compared to PSK because it is only one way authentication (only server authentication). Is this right? do you understand this the same way I understand? Now if I plan to implement two-way or mutual authentication of both server and client, I have either to use the ASA as Certificat Authority to authenticate clients or use another PKI infrastructure (like windows servers) to do the client authentication. This way I believe would be the most secure and of course costs more in terms of setting a PKI infrastructure. Any comment or any other way of doing it? Thank you, Razi
... View more
01-20-2012
11:17 AM
Hello Experts, I have two scenarios which I would like to hear your comments about: This is in regards to configuration of IKEV1 and IKEV2 in two different profiles and comparing their security level. When configuring IKEV1, I use shared secret keys. A client must know this secret key to be able to VPN to a server. When configuring IKEV2, I use identity certificates in the ASA for the users to authenticate the server identity, but I do not configure SCEP for server to authenticate the clients. In this scenario there is no secret key configured (IKEV2 does not allow for secret keys but ONLY certificates) so any client can VPN to the server if accepts the server certificate. Please note: Both of the above configs are only for IPSEC. I am not talking about any SSL VPN. I know that implementing SCEP would be ideal and better security, but my question is only to compare the above two scenarios. Thank you, Razi
... View more
Labels:
Created by
rdianat
in VPN and AnyConnect
in VPN and AnyConnect
01-20-2012
10:56 AM
01-20-2012
10:56 AM
Hello Experts, I have noticed and tested that Cisco IPSEC VPN IKEV1 works well through an IPSEC tunnel. However cisco IPSEC IKEV2 with AnyConnect fails to establish when passing through an IPSEC tunnel. What are the differences in protocols and port numbers which makes them different. In Cisco release notes I have read that we have to set the MTU to 1200 for IKEV2. I have done this and still no luck. To clarify I explain a little bit about the scenario: (Please see the attached diagram) Users in location A, need to VPN to the ASA VPN concentrator in location B. Connection from location A to location B is through internet and there is already an IPSEC tunnel established via edge routers between location A and location B. users have two VPN clients. One is the cisco VPN client configured for IKEV1 and the other is Cisco AnyConnect client which is configured for IPSEC IKEV2. At this time all the tests are about IPSEC. SSL VPN is NOT the goal at this stage. Here is what is happening: a. Users trying with cisco vpn client and IPsec IKEV1 are successfully connecting. b. Users trying with Cisco AnyConnect client and IPsec IKEV2 fail to even receive the prompt for credentials. The connection fails in IKE_SA_INIT stage. c. If the same user with Cisco AnyConnect client, tries from home to connect to ASA VPN concentrator at location B, all is good and successful. (probably because there is no extra IPSEC tunnel in the inetenet for the AnyConnect to pass through, but why cisco VPN client can establish an ipsec tunnel through an ipsec tunnel, but Anyconnect fails to establish an ipsec tunnel through an ipsec tunnel. The only difference I know is that the cisco VPN client is using IKEV1 and Cisco AnyConnect is using IKEV2, but does this make any difference in terms of ports and protocols across network?) Please see attached diagram. Thank you, Razi
... View more
Labels:
Created by
rdianat
in VPN and AnyConnect
in VPN and AnyConnect
10-15-2011
07:10 AM
10-15-2011
07:10 AM
Hi Rohan, Thank you for the solution and the link you have posted. The way you have described it may be possible to restrict access based on username, but for this special scenario, it is administratively prohibitive to use username to restrict access. One of the requirements is that user A from location A may have limited access but from location B full access and to manage this through LDAP groups is very difficult specially when users are mobile and there are many of them. The simplicity of the restriction by source IP address is that it is static and it would be only one-time configuration.
... View more
Created by
rdianat
in VPN and AnyConnect
in VPN and AnyConnect
10-14-2011
06:30 PM
10-14-2011
06:30 PM
Hi there, I need to set up a Cisco ASA with 8.4(2), for a simple remote access IPSEC VPN. Looks straight forward. However I have a requirement which I need your help. The requirement is that I have to restrict each group-policy or profile to certain source IP addresses. Please note that this restriction needs to be applied before tunnel establishmen and applied to the source IP addresses which are public IP addressVPN-filter does not work in this scenario, as vpn-filter is only applies to post-decrypted traffic and not during tunnel establishemnet. I see many discussions in different forums basically providing two solutions: 1. VPN-filter which as I mentioned does not work in my case. 2. disabling default behavior of sysopt and defining ACLs. This also will not work for me. suppose a user at location A with source ip 1.1.1.1 tries to VPN using profile A. he should be able to do so. but if the same user moves to location B and gets assigned ip address 2.2.2.2, he should not be able to connect using profile A. however he still should be able to VPN using profile B which is allowed by source IP of 2.2.2.2 but NOT 1.1.1.1 Thank you, Razi
... View more
Labels:
11-04-2009
07:32 PM
Hi Petenugent, I know for fact that I want WWAN. I am not looking for another solution. My question was if someone has used it before? and if someone knows a provider which can recommend. Of course I want WWAN because other solutions can not do it. The only alternative is the wired network which I do not want to do. Now what is the attraction with WWAN: If your local loop fails for whatever reason, there is high likelihood that your other wired network can be impacted. If you have seen these USB air cards, you would know how convenient they are. The problem is that the USB air card is only for one laptop and I need it for an office with 40 users. There are already many providers in USA which sell this service and my question was if someone knew which one is better. Please look at the following links for more information on what I am looking for. http://en.wikipedia.org/wiki/Wireless_Wide_Area_Network http://www.wireless.att.com/businesscenter/business-programs/mid-large/wireless-network/wireless-wan.jsp
... View more
11-04-2009
02:54 PM
Hi leolaohoo, this is Wireless WAN scenario. It is not Wirless LAN where you can use HREAP. In WWAN scenario, suppose you have a T1 connection to Internet and your T1 goes down. How do you want to connect to internet without a T1 or any connection to other offices of your company? The common method so far has been having another T1 or an ISDN circuit or PSTN lines or...? I now want to use a WWAN solution for backup. Thanks, rdianat
... View more
11-02-2009
06:58 PM
Hi there, I am trying to use Wireless WAN as a backup alternative for my T1 connection for accessing internet when my T1 goes down. Has anyone used this technology? Any feedback on how is the speed? any idea which provider is a good option? I am in VA, USA. Thanks, rdianat
... View more
Created by
rdianat
in VPN and AnyConnect
08-03-2012
08-03-2012
Hello experts,I have customers who require to use VM in their laptop.
These users also require to VP...
03-07-2012
Hello experts,When using cisco VPN client and ipsec IKEV1, there was
always and option to choose IPS...
03-06-2012
Hello experts,When running 8.2 on ASA, with Cisco VPN Client, I could
see the name of remote compute...
03-02-2012
Joey,I CAN see 746012, but only if I have enabled debug logging "
logging buffered debugging"I did t...
03-01-2012
Yes, I see the debug level logs but nothing for 722022.tst-vpn(config)#
sh logg mess 722022syslog 72...
03-01-2012
Hello experts,I have upgraded my ASA5540 form 8.2(2) to 8.4(2) and I
have run into this logging issu...
02-18-2012
Hello experts:A customer of mine has a requirement to do url redirection
via PIX. This requirement i...
01-21-2012
Hi Marcin,Thank you very much for the useful clarification. I have
configured an ASA with IPSEC IKEV...
01-20-2012
Hello Experts,I have two scenarios which I would like to hear your
comments about:This is in regards...
Created by
rdianat
in VPN and AnyConnect
01-20-2012
01-20-2012
Hello Experts, I have noticed and tested that Cisco IPSEC VPN IKEV1
works well through an IPSEC tunn...
10-15-2011
Hi Rohan,Thank you for the solution and the link you have posted. The
way you have described it may ...
10-14-2011
Hi there,I need to set up a Cisco ASA with 8.4(2), for a simple remote
access IPSEC VPN. Looks strai...
Created by
rdianat
in Unified Communications Infrastructure
04-06-2010
04-06-2010
Hello Experts,I have a scenario and a problem to solve which can use
your brain and experience.Callm...
11-04-2009
Hi Petenugent,I know for fact that I want WWAN. I am not looking for
another solution. My question w...
Public Statistics
| Date Registered | 11-25-2002 08:30 PM |
| Date Last Visited | 08-18-2017 03:53 AM |
| Total Messages Posted | 95 |
.jpg "Hall of Fame Master"){kind=icon}
