天亮了说晚安's Blog

本文转自：https://www.petenetlive.com/KB/Article/0000049 Problem You would like to enable remote access for your clients using the Cisco VPN Client software. Solution Before you start – you need to ask yourself “Do I already have any IPSECVPN’s configured on this firewall?” Because if its not already been done, you need to enable ISAKMP on the outside interface. To accertain whether yours is on, or off, issue a “show run crypto isakmp” command and check the results, if you do NOT see “crypto isakmp enable outside” then you need to issue that command. PetesASA# show run crypto isakmp crypto isakmp enable outside << Mines already enabled. crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 PetesASA# 1. Firstly we need to set up Kerberos AAA, if you wanted to use the ASDM to do this CLICK HERE however, to do the same via command line see the commands belo......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000688 Problem Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall. I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first. Solution Step 1 Configure the ASA for AAA RADIUS Authentication 1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAALocal Users > AAA Server Groups. 2. In the Server group section > Add. 3. Give the group a name and accept the defaults > OK. 4. Now (with the group selected) > In the bottom (Server) section > Add. 5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK. 6. Apply. Configure AAA RADIUS from command lin......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000071 Problem Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This is done via the ASDM console. Though if (Like me) you prefer using the Command Line Interface I’ve put the commands at the end. You will need a RADIUS server, WIndows Server (2000 and 2003) Has its own RADIUS bolt on called Windows IAS Step 1 Below is a walkthrough on how to set this up. It also uses the Cisco VPN client – the version used is v5 which is still in beta at the time of writing. Solution Note: This is an old post and covers setup on Server 2003, for a more modern version, (Server 2012/2016/2019) of this procedure, see the following article; Windows Server Setup RADIUS for Cisco ASA 5500 Authentication Step 1 Install RADIUS (Server 2003 Windows IAS) Note: for Server 2008 go here and for Server 2012 go here. 1. Assuming you don’t already ha......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000685 Problem Note: The procedure is the same for Server 2016 and 2019 This week I was configuring some 2008 R2 RADIUS authentication, so I thought I’d take a look at how Microsoft have changed the process for 2012. The whole thing was surprisingly painless. I will say that Kerberos Authentication is a LOT easier to configure, but I’ve yet to test that with 2012, (watch this space). Solution Step 1 Configure the ASA for AAA RADIUS Authentication 1. Connect to your ASDM, > Configuration. 2. Remote Access VPN. 3. AAA Local Users > AAA Server Groups. 4. In the Server group section > Add. 5. Give the group a name and accept the defaults > OK. 6. Now (with the group selected) > In the bottom (Server) section > Add. 7. Specify the IP address, and a shared secret that the AS......Read More

本文转自：https://www.petenetlive.com/KB/Article/0000943 Problem Also See Cisco ASA5500 AnyConnect SSL VPN This procedure was done on Cisco ASA version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect. Solution 1. The first job is to go get the AnyConnect client package, (download it from Cisco with a current support agreement). Then copy it into the firewall via TFTP. If you are unsure how to do that see the following article. Install and Use a TFTP Server Petes-ASA(config)# copy tftp flash Address or name of remote host [10.254.254.183]? 192.168.80.1 Source filename []?anyconnect-win-3.1.05152-k9 Destination filename [anyconnect-win-3.1.05152-k9]? {Enter} Accessing tftp://192.168.80.1/anyconnect-win-3.1.05152-k9...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!......Read More

本文转自：https://www.petenetlive.com/KB/Article/0001152 Problem When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I fear and loath change I swapped to using Kerberos VPN Authentication for a while. I had to put in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular Domain Security Group “VPN-Users”, so I thought I would use LDAP for a change. The process is to setup AAA for LDAP, then create an ‘Attribute map’ for the domain group, and then map that group to a particular ASA Tunnel Group/ASA Group Policy. Though to be honest if you have multiple groups and want to assign different levels of access (i.e. different ACLs etc.) then using a blend of LDAP and Cisco Dynamic Access Policies (DAP) is a lot simpler. I’ll post both options, and you can take your pick Solution Firstly you need to cre......Read More

本文转自：https://www.petenetlive.com/KB/Article/0001175 Problem I always forget the syntax for this, and I’ve been meaning to publish this for a while so here you go. If you have AAA setup and people can’t log in, then the ability to test authentication against a user’s username and password is a good troubleshooting step! Usually I’m on a Cisco ASA but I’ll tag on the syntax for IOS as well. Solution Cisco ASA Test AAA Authentication From Command Line You will need to know the server group and the server you are going to query, below the ASA is using LDAP, but the process is the same for RADIUS, Kerberos, TACACS+, etc. Petes-ASA# show run | begin aaa aaa-server TEST-LDAP-SERVER protocol ldap aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10 ldap-base-dn dc=TEST,dc=net ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password ***** ldap-login-dn cn=asa,OU=Users,OU=Test-Corp,dc=TEST,dc=net server-type auto-detect To te......Read More

本文转自： https://blog.51cto.com/yiding/1680043 结合自己在实际配置中遇到的问题，或不清楚的地方做了补充和说明。 很多公司通过ASA防火墙实现VPN用户远程访问公司内网，但默认情况下需要为每个用户分配一个VPN账号。而企业内部人员都有自己的域账号，如果能使用域账号访问VPN，这样会大大改善用户体验。以下我们通过LDAP实现ASA与AD域的集中认证。LDAP（Lightweight Directory Access Protocol），轻量级目录访问协议。它是目录访问协议一个标准，基于X.500 标准且可以根据需要定制。LDAP 目录中可以存储各种类型的数据：电子邮件地址、邮件路由信息、人力资源数据、公用密匙、联系人列表等等。在企业范围内实现LDAP 可以让几乎所有应用程序从LDAP 目录中获取信息。下面结合一个网络拓扑来看下是如何实现的公司内部域sr.com,192.168.1.0/24ASA5520集防火墙、VPN网关为一体，外部用户需要远程访问需求：远程用户可以使用域用户访问VPN 实现过程：Step1:在ASA上添加LDAP认证类型的aaa-serveraaa-server sr.com protocol ldap //指定防火墙与AD中使用的协议max-failed-attempts 2aaa-server sr.com (inside) host 192.168.1.80 //指定AAA服务器地址ldap-b......Read More

本文转自： https://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html Updated:December 8, 2017Document ID:113605 Contents IntroductionPrerequisitesRequirementsComponents UsedConventionsFeature OverviewRelated Information Introduction This document explains how to use an External Web Server with FlexConnect Local Switching for different Web Policies. Prerequisites Requirements Ensure that you meet these requirements before you attempt this configuration: Basic knowledge about FlexConnect Architecture and Access Points (APs)Knowledge on how to set up and configure an external web serverKnowledge on how to set up and configure DHCP and DNS servers Components Used The information in this document is based on these software and hardware versions: Cisco 7500 Wireless LAN Controller (WLC) that runs firmware release 7.2.110.0Cisco 3500 Series Lightweight Access Point (LAP)External web server t......Read More