ASA 5510 not seeing AAA server

Status
Not open for further replies.

ctct2323 (MIS), Jun 8, 2003, US
I have a new ASA 5510 that I have set up with what I thought were the same settings as my Cisco 3002 appliance. However, once I get everything set up for AAA authentication, the VPN sessions time out and are not able to see the internal servers. I get error 113014 in the real-time log viewer. I am able to authenticate sessions to the 5510 by not using AAA authentication on an internal server and using just the local authentication. Why won't my 5510 see my internal DCs? I can add more info as needed, but I think I am missing something basic.
 
Result of the command: "show running-config"

: Saved
:
ASA Version 7.1(2)
!
hostname asa5510repwest
domain-name rxxxxx
enable password M2bQ/GrgeC/F2s.G encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 50
ip address 205.2xx.xx.xx 255.255.255.0
!
interface Ethernet0/1
description insideinterface
speed 100
duplex full
nameif inside
security-level 100
ip address 190.1.1.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name rxxxxx
access-list inside_nat0_outbound extended permit ip any 190.1.1.128 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 190.1.1.224 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool corp 190.1.1.150-190.1.1.160 mask 255.255.255.0
ip local pool remote 190.1.1.239-190.1.1.240 mask 255.255.255.0
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 205.241.11.1 1
route inside 190.1.1.8 255.255.255.255 190.1.1.10 1
route inside 190.1.1.7 255.255.255.255 190.1.1.10 1
route inside 0.0.0.0 0.0.0.0 190.1.1.10 tunneled
route inside 190.0.0.0 255.0.0.0 190.1.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server DomainServers protocol nt
aaa-server DomainServers host 190.1.1.33
timeout 5
nt-auth-domain-controller RWIC
aaa-server Domain protocol radius
accounting-mode simultaneous
aaa-server Domain host 190.1.1.33
key rxxxxxg
radius-common-pw rxxxxxg
acl-netmask-convert auto-detect
aaa-server test protocol radius
accounting-mode simultaneous
aaa-server test host 190.1.1.7
key rxxxxxg
aaa-server remote protocol radius
accounting-mode simultaneous
aaa-server remote host 190.1.1.7
timeout 5
key rxxxxxg
radius-common-pw rxxxxxg
aaa-server remote host 190.1.1.8
key rxxxxxg
radius-common-pw rxxxxxg
group-policy DfltGrpPolicy attributes
banner value Welcome to Rxxxxx
wins-server value 190.1.1.8 190.1.1.7
dns-server value 190.1.1.8 190.1.1.7
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 120
vpn-session-timeout 720
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp enable
re-xauth enable
group-lock none
pfs enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value RWIC
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy Remote internal
group-policy Remote attributes
wins-server value 190.1.1.8 190.1.1.7
dns-server value 190.1.1.8 190.1.1.7
default-domain value RWIC
group-policy remote internal
group-policy remote attributes
wins-server value 190.1.1.8 190.1.1.7
dns-server value 190.1.1.8 190.1.1.7
default-domain value RWIC
group-policy corp internal
group-policy corp attributes
wins-server value 190.1.1.8
dns-server value 190.1.1.8 190.1.1.7
default-domain value RWIC
username test password S1UkYPw63gpAiP6N encrypted
username remote password Rhp7E2Qx4Uj4kyVK encrypted privilege 0
username remote attributes
vpn-group-policy Remote
http server enable
http 190.1.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
address-pool corp
authentication-server-group Domain
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group Corp type ipsec-ra
tunnel-group Corp general-attributes
address-pool corp
authentication-server-group Domain
authentication-server-group (inside) Domain
authorization-server-group Domain
dhcp-server 190.1.1.7
password-management
authorization-dn-attributes use-entire-name
tunnel-group Corp ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive threshold 15 retry 10
tunnel-group corp type ipsec-ra
tunnel-group corp general-attributes
address-pool corp
authentication-server-group Domain
default-group-policy corp
authorization-dn-attributes use-entire-name
tunnel-group corp ipsec-attributes
pre-shared-key *
tunnel-group Remote type ipsec-ra
tunnel-group Remote general-attributes
address-pool remote
default-group-policy Remote
tunnel-group Remote ipsec-attributes
pre-shared-key *
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
address-pool remote
authentication-server-group remote
authorization-server-group remote
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *
telnet timeout 120
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
svc enable
Cryptochecksum:726d3e6666f81207afdc520a1ce41bb5
: end


I know there is some leftover config there; I am mainly worried about the 'remote' group.

Thanks in advance.
 
Are you able to build a VPN tunnel? Is this point-to-point or client VPN? Also, there are no access lists applied to any interface (implicit deny); you would have to add something like
access-group inside_nat0_outbound (in/out) interface inside

 
I am able to build a tunnel, yes. This is for client VPN. Are you saying that I need to create an access list to see anything beyond the ASA 5510? I did add routes for the authentication servers that I am trying to hit; I would have thought this would be enough. Does the 3002 appliance have ACLs? I will do some testing of authenticating locally on the 5510, which I am able to do, and see what resources I can access beyond the 5510. If the ACL is the issue, I should have the same problem. I will post shortly.
 
OK, I wiped most of my groups and made a local authentication group. I was able to build a tunnel and authenticate using a user ID I set up on the device. At that point, I was able to remote into the resources on the internal network. I can get to what I need to, mostly just Term Serv and email. So my issue is directly with the authentication to the RADIUS servers on the inside. I can't see those things from the 5510. Any ideas? I added static routes to the authentication servers in hopes of resolving it, but that does not seem to work.
So in summary, I am able to build a tunnel and get resources. However, I am not able to get that group to authenticate to the DCs.

I think I might need to add an ACL, but the 3002 I am used to is very different from this 5510.
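A small audit of the posted config, added here as an example and not taken from the thread: it parses the aaa-server groups and the route lines, and reports for each RADIUS host whether a key and timeout are set and which next hop the ASA would use to reach it (the /32 static routes to 190.1.1.7 and 190.1.1.8 are more specific than the directly connected inside /24, so they win). The CONFIG string is a constructed subset of the running-config above with the same values.

```python
import ipaddress

# Constructed subset of the running-config posted above (indentation lost, as on the page).
CONFIG = """ip address 190.1.1.11 255.255.255.0
route inside 190.1.1.8 255.255.255.255 190.1.1.10 1
route inside 190.1.1.7 255.255.255.255 190.1.1.10 1
aaa-server Domain protocol radius
aaa-server Domain host 190.1.1.33
key rxxxxxg
aaa-server remote protocol radius
aaa-server remote host 190.1.1.7
timeout 5
key rxxxxxg
aaa-server remote host 190.1.1.8
key rxxxxxg"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Sub-commands (key, timeout) attach to the most recent aaa-server host line."""
    routes, servers, host = [], {}, {}
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["ip", "address"]:        # directly connected subnet
            routes.append((net(w[2], w[3]), "connected"))
        elif w[0] == "route":                 # static route: prefix -> next hop
            routes.append((net(w[2], w[3]), w[4]))
        elif w[0] == "aaa-server" and w[2] == "protocol":
            servers[w[1]] = {"proto": w[3], "hosts": []}
        elif w[0] == "aaa-server" and w[2] == "host":
            host = {"ip": w[3], "key": False, "timeout": None}
            servers[w[1]]["hosts"].append(host)
        elif w[0] == "key" and host:
            host["key"] = True
        elif w[0] == "timeout" and host:
            host["timeout"] = int(w[1])
    return routes, servers

def next_hop(ip, routes):
    """Longest-prefix match, as the ASA does; a /32 static beats the connected /24."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, gw) for n, gw in routes if addr in n]
    return max(hits)[1] if hits else None

def audit(cfg):
    """Per aaa-server group: (host, protocol, key set?, timeout, next hop) for each host."""
    routes, servers = parse(cfg)
    return {g: [(h["ip"], s["proto"], h["key"], h["timeout"], next_hop(h["ip"], routes))
                for h in s["hosts"]] for g, s in servers.items()}
```

Run `audit(CONFIG)` and compare the next hop shown for each RADIUS host with where the server actually sits; a host reached via 190.1.1.10 rather than the connected inside subnet is the first thing to verify against the real topology.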
 
Here is what I created for TACACS; take a look and put RADIUS where I have TACACS. Also search Google for AAA configs:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting network default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
 