Re: ASA VPN problem

From: Ivan Hrvatska <ivanzghr_at_gmail.com>
Date: Sat, 16 Jan 2010 22:39:49 +0100

ASA# show vpn-sessiondb remote

Session Type: IPsec

Username : sapadmin Index : 84
Assigned IP : 172.17.1.8 Public IP : X.X.X.X
Protocol : IKE IPsec
License : IPsec
Encryption : AES256 Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 0
Group Policy : Tunnel Group : GROUP
Login Time : 13:01:03 UTC Sat Jan 16 2010
Duration : 0h:00m:27s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Group Policy is empty.

On Sat, Jan 16, 2010 at 3:41 PM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
> part of configuration:
>
> !
> hostname ASA
> domain-name default.domain.invalid
> enable password LnGnWLhfZ8O2Q/GB encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> names
> dns-guard
> pager lines 24
> logging enable
> logging buffered errors
> logging asdm informational
> mtu outside 1500
> mtu VPN 1492
> mtu Serveri 1500
> mtu LAN 1500
> mtu Procesni 1500
> mtu management 1500
> ip local pool POOL1 172.17.1.1-172.17.1.31 mask 255.255.255.224
> ip local pool POOL2 172.17.1.33-172.17.1.62 mask 255.255.255.224
> ip local pool POOL3 172.17.1.65-172.17.1.94 mask 255.255.255.224
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-613.bin
> no asdm history enable
> arp timeout 14400
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> timeout tcp-proxy-reassembly 0:01:00
> dynamic-access-policy-record DfltAccessPolicy
> aaa authentication ssh console LOCAL
> aaa authentication http console LOCAL
> aaa authentication telnet console LOCAL
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set T1 esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set T2 esp-aes-192 esp-md5-hmac
> crypto ipsec transform-set T3 esp-aes esp-sha-hmac
> crypto ipsec transform-set T4 esp-3des esp-sha-hmac
> crypto ipsec transform-set T5 esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> crypto dynamic-map DM1 10 set transform-set T1 T2 T3 T4 T5
> crypto dynamic-map DM1 10 set security-association lifetime seconds 28800
> crypto dynamic-map DM1 10 set security-association lifetime kilobytes 4608000
> crypto dynamic-map DM1 10 set reverse-route
> crypto map MAP 10 ipsec-isakmp dynamic DM1
> crypto map MAP interface outside
> crypto isakmp identity hostname
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption aes-256
> hash sha
> group 2
> lifetime 43200
> no crypto isakmp nat-traversal
> no vpn-addr-assign dhcp
> telnet timeout 5
> ssh timeout 5
> ssh version 2
> console timeout 5
> management-access management
> !
> threat-detection basic-threat
> threat-detection statistics access-list
> no threat-detection statistics tcp-intercept
> group-policy POLICY3 internal
> group-policy POLICY3 attributes
> vpn-idle-timeout 60
> vpn-filter value
> vpn-tunnel-protocol IPSec
> address-pools value POOL3
> group-policy DfltGrpPolicy attributes
> vpn-tunnel-protocol IPSec webvpn
> group-policy POLICY1 internal
> group-policy POLICY1 attributes
> vpn-idle-timeout 180
> vpn-session-timeout none
> vpn-tunnel-protocol IPSec
> password-storage enable
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value NONAT
> user-authentication enable
> address-pools value POOL1
> group-policy POLICY2 internal
> group-policy POLICY2 attributes
> vpn-simultaneous-logins 7
> vpn-idle-timeout 60
> vpn-filter value FILTER2
> vpn-tunnel-protocol IPSec
> password-storage enable
> address-pools value POOL2
> username USER3 password g9O3SBOu.Lds9mV4 encrypted
> username USER3 attributes
> vpn-group-policy POLICY3
> username USER1 password cNH.ND6XX2p2UgNJ encrypted privilege 15
> username USER1 attributes
> vpn-group-policy POLICY1
> username USER2 password jcSAXHlsFLpnIf2H encrypted
> username USER2 attributes
> vpn-group-policy POLICY2
> tunnel-group GROUP type remote-access
> tunnel-group GROUP general-attributes
> authorization-server-group LOCAL
> default-group-policy POLICY1
> tunnel-group GROUP ipsec-attributes
> pre-shared-key *
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns migrated_dns_map_1
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns migrated_dns_map_1
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> !
> service-policy global_policy global
> prompt hostname context
> Cryptochecksum:b5616d07c0d269f2f5d1621435eecfa9
> : end
>
>
> AAA output shows that my USER2, which should retrieve POLICY2, gets
> default policy POLICY1:
>
> %ASA-6-113012: AAA user authentication Successful : local database :
> user = USER2
> %ASA-6-113004: AAA user authorization Successful : server = LOCAL :
> user = USER2
> %ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2
> %ASA-6-113008: AAA transaction status ACCEPT : user = USER2
>
> Regards
>
>
>
>
> On Fri, Jan 15, 2010 at 11:53 PM, Ryan West <rwest_at_zyedge.com> wrote:
>> Ivan,
>>
>> I would take a step back and see if you can get it working with the most basic settings and then maybe you can narrow down what's blocking you.
>>
>> I replicated basic settings on a 5510 running 7.2(4)33, so I'm missing the service-type setting under the username attributes. I have this configured in other environments on 8.2(1)11 with fallback local authorization. Here are my results:
>>
>> s ver | i 7.2
>> Cisco Adaptive Security Appliance Software Version 7.2(4)33
>>
>> show run | i group-policy|tunnel-group|ip local pool|access-list test[12]
>> access-list test1 extended deny ip any host 192.168.98.3
>> access-list test1 extended permit ip any any
>> access-list test2 extended permit ip any any
>> ip local pool vpnpool 192.168.100.1-192.168.100.20
>> group-policy test2 internal
>> group-policy test2 attributes
>> group-policy test1 internal
>> group-policy test1 attributes
>> tunnel-group testing type ipsec-ra
>> tunnel-group testing general-attributes
>> default-group-policy test1
>> tunnel-group testing ipsec-attributes
>>
>> You'll want to watch for the AAA output when you connect:
>>
>> Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
>> Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
>> Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
>> Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
>> Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2
>>
>> show vpn-sessiondb remote | i Username|Group
>> Username : test2
>> Group Policy : test2
>> Tunnel Group : testing
>>
>> HTH,
>>
>> -ryan
>>
>>> -----Original Message-----
>>> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>>> Sent: Friday, January 15, 2010 1:51 PM
>>> To: Ryan West
>>> Cc: Cisco certification
>>> Subject: Re: ASA VPN problem
>>>
>>> Nothing. Same thing.
>>>
>>> On Fri, Jan 15, 2010 at 5:13 PM, Ryan West <rwest_at_zyedge.com> wrote:
>>> > Ivan,
>>> >
>>> >> -----Original Message-----
>>> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>>> >> Sent: Thursday, January 14, 2010 5:37 PM
>>> >> To: Ryan West
>>> >>
>>> >> ASA# sh run tunnel-group
>>> >> tunnel-group GROUP1 type remote-access
>>> >> tunnel-group GROUP1 general-attributes
>>> >> default-group-policy POLICY3
>>> >> tunnel-group GROUP1 ipsec-attributes
>>> >> pre-shared-key *
>>> >
>>> > Try adding this to your tunnel-group GROUP1 general-attributes:
>>> > authorization-server-group LOCAL
>>> >
>>> > -ryan

Received on Sat Jan 16 2010 - 22:39:49 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART
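The two log excerpts in this thread show the tell-tale difference: in Ryan's working case the ASA logs a %ASA-6-113011 "retrieved user specific group policy" message before the 113009 default-policy message, while in Ivan's failing case only 113009 appears and the user lands in the tunnel-group default. That matters beyond convenience, because POLICY1 carries no vpn-filter and allows split tunnelling while POLICY2 is pinned to FILTER2, so a user silently falling through to the default gets a more permissive session than intended. The script below is an added example written for this page, not code from the thread or from Cisco: it parses the AAA syslog lines and a config extract (the relevant group-policy, username and tunnel-group lines quoted above, with the e-mail `>` quoting left in), works out which group policy the ASA actually applied per user, and reports any user whose effective policy differs from the one bound with `vpn-group-policy`, including the vpn-filter that was lost. The per-user session bookkeeping and the context-reset rule for the indentation-less config are assumptions about this extract; the thread itself does not resolve why the user-specific lookup fails on Ivan's box, and the script only makes the mismatch visible.

```python
"""
Added example (not from the thread): correlate Cisco ASA AAA syslog messages
(113008/113009/113011 as quoted in the thread) with the running config to find
remote-access VPN users that fall through to the tunnel-group default
group-policy instead of the per-user policy bound with `vpn-group-policy`.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_RE_USER_GP = re.compile(r"%ASA-6-113011: AAA retrieved user specific group policy \((\S+)\) for user = (\S+)")
_RE_DEFAULT_GP = re.compile(r"%ASA-6-113009: AAA retrieved default group policy \((\S+)\) for user = (\S+)")
_RE_ACCEPT = re.compile(r"%ASA-6-113008: AAA transaction status ACCEPT : user = (\S+)")


@dataclass
class Session:
    user: str
    user_policy: Optional[str] = None     # 113011: only logged when a per-user policy was found
    default_policy: Optional[str] = None  # 113009: logged in both the working and the failing case
    accepted: bool = False

    @property
    def effective_policy(self) -> Optional[str]:
        # A retrieved user-specific policy wins; otherwise the tunnel-group default applies.
        return self.user_policy or self.default_policy


def parse_logs(lines: List[str]) -> Dict[str, Session]:
    """Group the AAA messages per user (assumption: one login per user in the sample)."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        if m := _RE_USER_GP.search(line):
            sessions.setdefault(m[2], Session(m[2])).user_policy = m[1]
        elif m := _RE_DEFAULT_GP.search(line):
            sessions.setdefault(m[2], Session(m[2])).default_policy = m[1]
        elif m := _RE_ACCEPT.search(line):
            sessions.setdefault(m[1], Session(m[1])).accepted = True
    return sessions


def parse_config(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Extract username -> vpn-group-policy, tunnel-group -> default-group-policy and
    group-policy -> vpn-filter from an ASA config extract.  Tolerates e-mail '>' quoting;
    because the quoted extract lost its indentation, any new top-level username /
    tunnel-group / group-policy / '!' line is taken to end the current attributes block."""
    users, tg_defaults, filters = {}, {}, {}
    ctx = None  # ("user" | "tg" | "gp", name) while inside an attributes block
    for raw in config.splitlines():
        line = raw.lstrip("> ").strip()
        if m := re.match(r"username (\S+) attributes$", line):
            ctx = ("user", m[1])
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            ctx = ("tg", m[1])
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            ctx = ("gp", m[1])
            filters.setdefault(m[1], None)  # no vpn-filter unless one is named below
        elif re.match(r"(username|tunnel-group|group-policy|!)", line):
            ctx = None
        elif ctx and ctx[0] == "user" and (m := re.match(r"vpn-group-policy (\S+)", line)):
            users[ctx[1]] = m[1]
        elif ctx and ctx[0] == "tg" and (m := re.match(r"default-group-policy (\S+)", line)):
            tg_defaults[ctx[1]] = m[1]
        elif ctx and ctx[0] == "gp" and (m := re.match(r"vpn-filter value (\S+)", line)):
            filters[ctx[1]] = m[1]
    return {"users": users, "tunnel_defaults": tg_defaults, "filters": filters}


def audit(log_lines: List[str], config: str) -> List[dict]:
    """One finding per accepted user whose applied policy differs from the configured one."""
    cfg = parse_config(config)
    findings = []
    for s in parse_logs(log_lines).values():
        expected = cfg["users"].get(s.user)
        if s.accepted and expected and s.effective_policy != expected:
            findings.append({
                "user": s.user,
                "expected": expected,
                "effective": s.effective_policy,
                "expected_filter": cfg["filters"].get(expected),
                "effective_filter": cfg["filters"].get(s.effective_policy),
            })
    return findings


# Sample input: the log lines quoted in the thread (Ivan's wrapped lines re-joined).
FAILING_LOGS = [
    "%ASA-6-113012: AAA user authentication Successful : local database : user = USER2",
    "%ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = USER2",
    "%ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2",
    "%ASA-6-113008: AAA transaction status ACCEPT : user = USER2",
]
WORKING_LOGS = [  # Ryan's working case, which carries the 113011 line missing above
    "Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2",
]
# Trimmed extract of the config quoted in the thread, '>' quoting kept on purpose.
CONFIG = """\
> group-policy POLICY1 internal
> group-policy POLICY1 attributes
> vpn-tunnel-protocol IPSec
> split-tunnel-policy tunnelspecified
> address-pools value POOL1
> group-policy POLICY2 internal
> group-policy POLICY2 attributes
> vpn-filter value FILTER2
> vpn-tunnel-protocol IPSec
> address-pools value POOL2
> username USER1 attributes
> vpn-group-policy POLICY1
> username USER2 attributes
> vpn-group-policy POLICY2
> tunnel-group GROUP type remote-access
> tunnel-group GROUP general-attributes
> authorization-server-group LOCAL
> default-group-policy POLICY1
"""

if __name__ == "__main__":
    for f in audit(FAILING_LOGS, CONFIG):
        print(f"{f['user']}: expected {f['expected']} (vpn-filter {f['expected_filter']}), "
              f"got {f['effective']} (vpn-filter {f['effective_filter']})")
```

Run against the failing excerpt it reports USER2 landing in POLICY1 with no vpn-filter instead of POLICY2 with FILTER2; against Ryan's excerpt it reports nothing, because the 113011 message makes test2 the effective policy. Feeding it a real `show logging` capture and `show running-config` would need only the one-login-per-user assumption relaxed (key sessions by user plus timestamp).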