Re: ASA VPN problem

part of configuration:

!
hostname ASA
domain-name default.domain.invalid
enable password LnGnWLhfZ8O2Q/GB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu outside 1500
mtu VPN 1492
mtu Serveri 1500
mtu LAN 1500
mtu Procesni 1500
mtu management 1500
ip local pool POOL1 172.17.1.1-172.17.1.31 mask 255.255.255.224
ip local pool POOL2 172.17.1.33-172.17.1.62 mask 255.255.255.224
ip local pool POOL3 172.17.1.65-172.17.1.94 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set T1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set T2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set T3 esp-aes esp-sha-hmac
crypto ipsec transform-set T4 esp-3des esp-sha-hmac
crypto ipsec transform-set T5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DM1 10 set transform-set T1 T2 T3 T4 T5
crypto dynamic-map DM1 10 set security-association lifetime seconds 28800
crypto dynamic-map DM1 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map DM1 10 set reverse-route
crypto map MAP 10 ipsec-isakmp dynamic DM1
crypto map MAP interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 5
management-access management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy POLICY3 internal
group-policy POLICY3 attributes
 vpn-idle-timeout 60
 vpn-filter value
 vpn-tunnel-protocol IPSec
 address-pools value POOL3
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy POLICY1 internal
group-policy POLICY1 attributes
 vpn-idle-timeout 180
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NONAT
 user-authentication enable
 address-pools value POOL1
group-policy POLICY2 internal
group-policy POLICY2 attributes
 vpn-simultaneous-logins 7
 vpn-idle-timeout 60
 vpn-filter value FILTER2
 vpn-tunnel-protocol IPSec
 password-storage enable
 address-pools value POOL2
username USER3 password g9O3SBOu.Lds9mV4 encrypted
username USER3 attributes
 vpn-group-policy POLICY3
username USER1 password cNH.ND6XX2p2UgNJ encrypted privilege 15
username USER1 attributes
 vpn-group-policy POLICY1
username USER2 password jcSAXHlsFLpnIf2H encrypted
username USER2 attributes
 vpn-group-policy POLICY2
tunnel-group GROUP type remote-access
tunnel-group GROUP general-attributes
 authorization-server-group LOCAL
 default-group-policy POLICY1
tunnel-group GROUP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b5616d07c0d269f2f5d1621435eecfa9
: end

AAA output shows that my USER2, which should retrieve POLICY2, gets
default policy POLICY1:

%ASA-6-113012: AAA user authentication Successful : local database :
user = USER2
%ASA-6-113004: AAA user authorization Successful : server = LOCAL :
user = USER2
%ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2
%ASA-6-113008: AAA transaction status ACCEPT : user = USER2

Regards

On Fri, Jan 15, 2010 at 11:53 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Ivan,
>
> I would take a step back and see if you can get it working with the most basic settings and then maybe you can narrow down what's blocking you.
>
> I replicated basic settings on a 5510 running 7.2(4)33, so I'm missing the service-type setting under the username attributes. I have this configured in other environments on 8.2(1)11 with fallback local authorization. Here are my results:
>
> s ver | i 7.2
> Cisco Adaptive Security Appliance Software Version 7.2(4)33
>
> show run | i group-policy|tunnel-group|ip local pool|access-list test[12]
> access-list test1 extended deny ip any host 192.168.98.3
> access-list test1 extended permit ip any any
> access-list test2 extended permit ip any any
> ip local pool vpnpool 192.168.100.1-192.168.100.20
> group-policy test2 internal
> group-policy test2 attributes
> group-policy test1 internal
> group-policy test1 attributes
> tunnel-group testing type ipsec-ra
> tunnel-group testing general-attributes
> default-group-policy test1
> tunnel-group testing ipsec-attributes
>
> You'll want to watch for the AAA output when you connect:
>
> Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
> Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
> Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
> Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
> Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2
>
> show vpn-sessiondb remote | i Username|Group
> Username : test2
> Group Policy : test2
> Tunnel Group : testing
>
> HTH,
>
> -ryan
>
>> -----Original Message-----
>> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>> Sent: Friday, January 15, 2010 1:51 PM
>> To: Ryan West
>> Cc: Cisco certification
>> Subject: Re: ASA VPN problem
>>
>> Nothing. Same thing.
>>
>> On Fri, Jan 15, 2010 at 5:13 PM, Ryan West <rwest_at_zyedge.com> wrote:
>> > Ivan,
>> >
>> >> -----Original Message-----
>> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>> >> Sent: Thursday, January 14, 2010 5:37 PM
>> >> To: Ryan West
>> >>
>> >> ASA# sh run tunnel-group
>> >> tunnel-group GROUP1 type remote-access
>> >> tunnel-group GROUP1 general-attributes
>> >> default-group-policy POLICY3
>> >> tunnel-group GROUP1 ipsec-attributes
>> >> pre-shared-key *
>> >
>> > Try adding this to your tunnel-group GROUP1 general-attributes:
>> > authorization-server-group LOCAL
>> >
>> > -ryan

Blogs and organic groups at http://www.ccie.net
Received on Sat Jan 16 2010 - 15:41:09 ART