Re: ASA VPN problem

From: Farrukh Haroon <farrukhharoon_at_gmail.com>
Date: Sun, 17 Jan 2010 08:50:29 +0300

Can you try removing the default group policy from the tunnel group and then
try? (it will default to the default group-policy)

Also what version of code are you running?

Regards

Farrukh

On Sun, Jan 17, 2010 at 12:39 AM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:

> ASA# show vpn-sessiondb remote
>
> Session Type: IPsec
>
> Username : sapadmin Index : 84
> Assigned IP : 172.17.1.8 Public IP : X.X.X.X
> Protocol : IKE IPsec
> License : IPsec
> Encryption : AES256 Hashing : SHA1
> Bytes Tx : 0 Bytes Rx : 0
> Group Policy : Tunnel Group : GROUP
> Login Time : 13:01:03 UTC Sat Jan 16 2010
> Duration : 0h:00m:27s
> NAC Result : Unknown
> VLAN Mapping : N/A VLAN : none
>
> Group Policy is empty.
>
> On Sat, Jan 16, 2010 at 3:41 PM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
> > part of configuration:
> >
> > !
> > hostname ASA
> > domain-name default.domain.invalid
> > enable password LnGnWLhfZ8O2Q/GB encrypted
> > passwd 2KFQnbNIdI.2KYOU encrypted
> > names
> > dns-guard
> > pager lines 24
> > logging enable
> > logging buffered errors
> > logging asdm informational
> > mtu outside 1500
> > mtu VPN 1492
> > mtu Serveri 1500
> > mtu LAN 1500
> > mtu Procesni 1500
> > mtu management 1500
> > ip local pool POOL1 172.17.1.1-172.17.1.31 mask 255.255.255.224
> > ip local pool POOL2 172.17.1.33-172.17.1.62 mask 255.255.255.224
> > ip local pool POOL3 172.17.1.65-172.17.1.94 mask 255.255.255.224
> > no failover
> > icmp unreachable rate-limit 1 burst-size 1
> > asdm image disk0:/asdm-613.bin
> > no asdm history enable
> > arp timeout 14400
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> > timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> > timeout tcp-proxy-reassembly 0:01:00
> > dynamic-access-policy-record DfltAccessPolicy
> > aaa authentication ssh console LOCAL
> > aaa authentication http console LOCAL
> > aaa authentication telnet console LOCAL
> > no snmp-server location
> > no snmp-server contact
> > snmp-server enable traps snmp authentication linkup linkdown coldstart
> > crypto ipsec transform-set T1 esp-aes-256 esp-sha-hmac
> > crypto ipsec transform-set T2 esp-aes-192 esp-md5-hmac
> > crypto ipsec transform-set T3 esp-aes esp-sha-hmac
> > crypto ipsec transform-set T4 esp-3des esp-sha-hmac
> > crypto ipsec transform-set T5 esp-3des esp-md5-hmac
> > crypto ipsec security-association lifetime seconds 28800
> > crypto ipsec security-association lifetime kilobytes 4608000
> > crypto dynamic-map DM1 10 set transform-set T1 T2 T3 T4 T5
> > crypto dynamic-map DM1 10 set security-association lifetime seconds 28800
> > crypto dynamic-map DM1 10 set security-association lifetime kilobytes 4608000
> > crypto dynamic-map DM1 10 set reverse-route
> > crypto map MAP 10 ipsec-isakmp dynamic DM1
> > crypto map MAP interface outside
> > crypto isakmp identity hostname
> > crypto isakmp enable outside
> > crypto isakmp policy 10
> > authentication pre-share
> > encryption aes-256
> > hash sha
> > group 2
> > lifetime 43200
> > no crypto isakmp nat-traversal
> > no vpn-addr-assign dhcp
> > telnet timeout 5
> > ssh timeout 5
> > ssh version 2
> > console timeout 5
> > management-access management
> > !
> > threat-detection basic-threat
> > threat-detection statistics access-list
> > no threat-detection statistics tcp-intercept
> > group-policy POLICY3 internal
> > group-policy POLICY3 attributes
> > vpn-idle-timeout 60
> > vpn-filter value
> > vpn-tunnel-protocol IPSec
> > address-pools value POOL3
> > group-policy DfltGrpPolicy attributes
> > vpn-tunnel-protocol IPSec webvpn
> > group-policy POLICY1 internal
> > group-policy POLICY1 attributes
> > vpn-idle-timeout 180
> > vpn-session-timeout none
> > vpn-tunnel-protocol IPSec
> > password-storage enable
> > split-tunnel-policy tunnelspecified
> > split-tunnel-network-list value NONAT
> > user-authentication enable
> > address-pools value POOL1
> > group-policy POLICY2 internal
> > group-policy POLICY2 attributes
> > vpn-simultaneous-logins 7
> > vpn-idle-timeout 60
> > vpn-filter value FILTER2
> > vpn-tunnel-protocol IPSec
> > password-storage enable
> > address-pools value POOL2
> > username USER3 password g9O3SBOu.Lds9mV4 encrypted
> > username USER3 attributes
> > vpn-group-policy POLICY3
> > username USER1 password cNH.ND6XX2p2UgNJ encrypted privilege 15
> > username USER1 attributes
> > vpn-group-policy POLICY1
> > username USER2 password jcSAXHlsFLpnIf2H encrypted
> > username USER2 attributes
> > vpn-group-policy POLICY2
> > tunnel-group GROUP type remote-access
> > tunnel-group GROUP general-attributes
> > authorization-server-group LOCAL
> > default-group-policy POLICY1
> > tunnel-group GROUP ipsec-attributes
> > pre-shared-key *
> > !
> > class-map inspection_default
> > match default-inspection-traffic
> > !
> > !
> > policy-map type inspect dns migrated_dns_map_1
> > parameters
> > message-length maximum 512
> > policy-map global_policy
> > class inspection_default
> > inspect dns migrated_dns_map_1
> > inspect ftp
> > inspect h323 h225
> > inspect h323 ras
> > inspect rsh
> > inspect rtsp
> > inspect esmtp
> > inspect sqlnet
> > inspect skinny
> > inspect sunrpc
> > inspect xdmcp
> > inspect sip
> > inspect netbios
> > inspect tftp
> > !
> > service-policy global_policy global
> > prompt hostname context
> > Cryptochecksum:b5616d07c0d269f2f5d1621435eecfa9
> > : end
> >
> >
> > AAA output shows that my USER2, which should retrieve POLICY2, gets
> > default policy POLICY1:
> >
> > %ASA-6-113012: AAA user authentication Successful : local database : user = USER2
> > %ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = USER2
> > %ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2
> > %ASA-6-113008: AAA transaction status ACCEPT : user = USER2
> >
> > Regards
> >
> > On Fri, Jan 15, 2010 at 11:53 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >> Ivan,
> >>
> >> I would take a step back and see if you can get it working with the most basic settings and then maybe you can narrow down what's blocking you.
> >>
> >> I replicated basic settings on a 5510 running 7.2(4)33, so I'm missing the service-type setting under the username attributes. I have this configured in other environments on 8.2(1)11 with fallback local authorization. Here are my results:
> >>
> >> s ver | i 7.2
> >> Cisco Adaptive Security Appliance Software Version 7.2(4)33
> >>
> >> show run | i group-policy|tunnel-group|ip local pool|access-list test[12]
> >> access-list test1 extended deny ip any host 192.168.98.3
> >> access-list test1 extended permit ip any any
> >> access-list test2 extended permit ip any any
> >> ip local pool vpnpool 192.168.100.1-192.168.100.20
> >> group-policy test2 internal
> >> group-policy test2 attributes
> >> group-policy test1 internal
> >> group-policy test1 attributes
> >> tunnel-group testing type ipsec-ra
> >> tunnel-group testing general-attributes
> >> default-group-policy test1
> >> tunnel-group testing ipsec-attributes
> >>
> >> You'll want to watch for the AAA output when you connect:
> >>
> >> Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
> >> Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
> >> Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
> >> Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
> >> Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2
> >>
> >> show vpn-sessiondb remote | i Username|Group
> >> Username : test2
> >> Group Policy : test2
> >> Tunnel Group : testing
> >>
> >> HTH,
> >>
> >> -ryan
> >>
> >>> -----Original Message-----
> >>> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> >>> Sent: Friday, January 15, 2010 1:51 PM
> >>> To: Ryan West
> >>> Cc: Cisco certification
> >>> Subject: Re: ASA VPN problem
> >>>
> >>> Nothing. Same thing.
> >>>
> >>> On Fri, Jan 15, 2010 at 5:13 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >>> > Ivan,
> >>> >
> >>> >> -----Original Message-----
> >>> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> >>> >> Sent: Thursday, January 14, 2010 5:37 PM
> >>> >> To: Ryan West
> >>> >>
> >>> >> ASA# sh run tunnel-group
> >>> >> tunnel-group GROUP1 type remote-access
> >>> >> tunnel-group GROUP1 general-attributes
> >>> >> default-group-policy POLICY3
> >>> >> tunnel-group GROUP1 ipsec-attributes
> >>> >> pre-shared-key *
> >>> >
> >>> > Try adding this to your tunnel-group GROUP1 general-attributes:
> >>> > authorization-server-group LOCAL
> >>> >
> >>> > -ryan
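The thread turns on reading the ASA AAA syslog sequence: Ryan's working box logs 113003/113011 (user-specific group policy retrieved) before 113009 (tunnel-group default), while Ivan's box logs only 113009, so USER2 falls back to POLICY1. The parser below, an added example that is not from any of the posters, walks those message IDs per user and reports whose effective group policy differs from what the admin intended. The sample log lines are the ones quoted in the thread (re-typed here as constructed test input); the precedence rule "user-specific policy if retrieved, otherwise the tunnel-group default" is assumed from the two sequences shown, and the `EXPECTED` mapping is a constructed stand-in for the admin's intent.

```python
"""Diagnose which group policy ASA VPN users actually received, from AAA syslog.

Added example for the mailing-list thread; not code from any participant.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# ASA AAA syslog message IDs as they appear in the thread (all severity 6).
AUTH_OK = "113012"         # AAA user authentication Successful
AUTHZ_OK = "113004"        # AAA user authorization Successful
POLICY_SET = "113003"      # AAA group policy for user X is being set to Y
USER_POLICY = "113011"     # AAA retrieved user specific group policy (Y)
DEFAULT_POLICY = "113009"  # AAA retrieved default group policy (Y)
ACCEPT = "113008"          # AAA transaction status ACCEPT

MSG_RE = re.compile(r"%ASA-\d-(\d{6}):\s*(.*)$")
USER_EQ_RE = re.compile(r"user\s*=\s*(\S+)")
SET_RE = re.compile(r"for user (\S+) is being set to (\S+)")
PAREN_RE = re.compile(r"\(([^)]+)\)")


@dataclass
class AaaResult:
    authenticated: bool = False
    authorized: bool = False
    user_policy: Optional[str] = None     # from 113003 / 113011
    default_policy: Optional[str] = None  # from 113009
    accepted: bool = False

    @property
    def effective_policy(self) -> Optional[str]:
        # Assumed precedence, matching the two log sequences in the thread:
        # a user-specific policy wins; otherwise the tunnel-group default applies.
        return self.user_policy or self.default_policy


def parse_aaa_log(lines: Iterable[str]) -> Dict[str, AaaResult]:
    """Fold AAA messages into one AaaResult per username."""
    results: Dict[str, AaaResult] = {}
    for raw in lines:
        m = MSG_RE.search(raw)
        if not m:
            continue  # not an ASA syslog line
        msg_id, body = m.groups()
        policy = None
        if msg_id == POLICY_SET:
            sm = SET_RE.search(body)
            if not sm:
                continue
            user, policy = sm.groups()
        else:
            um = USER_EQ_RE.search(body)
            if not um:
                continue
            user = um.group(1)
            pm = PAREN_RE.search(body)  # policy name in parentheses, if any
            if pm:
                policy = pm.group(1)
        r = results.setdefault(user, AaaResult())
        if msg_id == AUTH_OK:
            r.authenticated = True
        elif msg_id == AUTHZ_OK:
            r.authorized = True
        elif msg_id in (POLICY_SET, USER_POLICY):
            r.user_policy = policy
        elif msg_id == DEFAULT_POLICY:
            r.default_policy = policy
        elif msg_id == ACCEPT:
            r.accepted = True
    return results


def find_policy_mismatches(results: Dict[str, AaaResult],
                           expected: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Users whose effective policy is not the one the admin intended: {user: (got, wanted)}."""
    return {u: (r.effective_policy, expected[u])
            for u, r in results.items()
            if u in expected and r.effective_policy != expected[u]}


# Constructed sample input: the two AAA sequences quoted in the thread.
SAMPLE_LOG = [
    "%ASA-6-113012: AAA user authentication Successful : local database : user = USER2",
    "%ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = USER2",
    "%ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2",
    "%ASA-6-113008: AAA transaction status ACCEPT : user = USER2",
    "Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2",
]
# Constructed intent: what each user's vpn-group-policy should have produced.
EXPECTED = {"USER2": "POLICY2", "test2": "test2"}

if __name__ == "__main__":
    parsed = parse_aaa_log(SAMPLE_LOG)
    for user, res in parsed.items():
        print(f"{user}: effective={res.effective_policy} user={res.user_policy} "
              f"default={res.default_policy} accepted={res.accepted}")
    print("mismatches:", find_policy_mismatches(parsed, EXPECTED))
```

Feeding the thread's two sequences through it reports USER2 as a mismatch (got POLICY1, wanted POLICY2) with no user-specific policy message at all, while test2 is clean; on a live box the same check can be run over `show logging` output to confirm a fix without re-reading every line by hand.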

Blogs and organic groups at http://www.ccie.net
Received on Sun Jan 17 2010 - 08:50:29 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART