How do I use the ASDM GUI to configure PIX VPN user password options?

Tags: cisco, PIX, 515E, Configure Remote Access VPN using ASDM
I'm trying to figure out how to give users who connect with their IPsec client the option to change their passwords. I've successfully configured my remote access VPN and users in the "local database" on the PIX via the ASDM GUI.
Question Stats
Zone: Security
Question Asked By: capanis
Solution Provided By: batry_boy
Participating Experts: 1
Solution Grade: A
Views: 79
05.03.2008 at 02:18PM PDT, ID: 21493725

Rank: Master

The code only supports letting users change their own passwords when using RADIUS or LDAP for authentication, not the local user database.  It is performed with the "password-management" command which was introduced in version 7.1(1), but with the limitation stated above.  See the following article for more information:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1725278
Accepted Solution
 
05.07.2008 at 08:31AM PDT, ID: 21517467
Wow! Thanks much for this feedback. Another issue is that I have enabled split tunneling as part of my tunnel attributes, but my remote users who connect cannot access the web once they're connected. Any ideas?
 
05.07.2008 at 08:34AM PDT, ID: 21517508

Rank: Master

It sounds like the split tunneling may be misconfigured...please post your sanitized configuration and I'll have a look...
 
 
05.07.2008 at 08:55AM PDT, ID: 21517714
Here is most of the show run:

ftp mode passive
access-list outbound-filter extended permit tcp any any eq 220
access-list outbound-filter extended permit tcp any any eq ldap
access-list outbound-filter extended permit tcp any any eq ftp
access-list outbound-filter extended permit tcp any any eq telnet
access-list outbound-filter extended permit tcp any any eq smtp log
access-list outbound-filter extended permit tcp any any eq domain
access-list outbound-filter extended permit ip any any
access-list splittunnel extended permit ip 192.168.0.0 255.255.0.0 192.168.254.0 255.255.255.0
access-list vpnacl extended permit ip 192.168.0.0 255.255.0.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.36.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip any 192.168.254.0 255.255.255.0
access-list nonat extended permit ip any 192.168.40.0 255.255.255.0
access-list outside_coming_in extended permit esp any any
access-list outside_coming_in extended permit gre any any
access-list outside_coming_in extended permit udp any eq isakmp any
access-list outside_coming_in extended permit udp any any eq isakmp
access-list outside_coming_in extended permit ah any any
access-list outside_coming_in extended permit tcp any any eq imap4
access-list outside_coming_in extended permit tcp any any eq www
access-list outside_coming_in extended permit icmp any any log
access-list outside_coming_in extended permit tcp any any eq domain
access-list NY_edward_splitTunnelAcl standard permit any
access-list development_splitTunnelAcl standard permit any
access-list gomobo_ny_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.254.1-192.168.254.254 mask 255.255.255.0
ip local pool dev_vpn 192.168.40.1-192.168.40.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.36.0 255.255.255.0
access-group outside_coming_in in interface outside
access-group outbound-filter in interface inside
route outside 0.0.0.0 0.0.0.0 xxxxxx
route inside 192.168.10.0 255.255.255.0 192.168.3.2 1
route inside 192.168.36.0 255.255.255.0 192.168.3.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 4
http server enable
http 192.168.4.224 255.255.255.248 inside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt nodnsalias inbound
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set myset ESP-3DES-SHA
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 100 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption des
 hash sha    
 group 1      
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5    
 group 2      
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5    
 group 1      
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha    
 group 2      
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.254.0 255.255.255.0 outside
telnet 192.168.3.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
group-policy development internal
group-policy development attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 intercept-dhcp 255.255.0.0 enable
group-policy DfltGrpPolicy attributes
 dns-server value xxxxx
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 intercept-dhcp 255.255.0.0 enable
 address-pools value vpnpool
group-policy Roadwarriors internal
group-policy Roadwarriors attributes
 banner none  
 dns-server value xxxxx
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 intercept-dhcp 255.255.0.0 enable
 vlan none    
 nac-settings none
 address-pools none
username edward password xxxxx encrypted privilege 0
username edward attributes
 vpn-group-policy Roadwarriors
username craig password xxxx encrypted
username capanis_support password xxxxx encrypted
username jimmy password xxxxx encrypted
username john password xxxx encrypted
username nick password xxxx encrypted
username lars password xxxx1k encrypted
username andrew password xxxx encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group development type remote-access
tunnel-group development general-attributes
 address-pool vpnpool
 default-group-policy development
 password-management
tunnel-group development ipsec-attributes
 pre-shared-key *
!
class-map class_sip_tcp2
 match port tcp eq 5678
class-map class_sip_tcp1
 match port tcp eq 5298
class-map class_sip_tcp
 match port tcp eq aol
class-map inspection_default
 match default-inspection-traffic
class-map class_pptp
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect tftp
 class class_pptp
  inspect pptp
 class class_sip_tcp
  inspect sip  
 class class_sip_tcp1
  inspect sip  
 class class_sip_tcp2
  inspect sip  
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end

 
 
05.07.2008 at 09:13AM PDT, ID: 21517879
You've specified a /16 network in your split tunneling ACL...I would reconfigure that ACL to be more granular and only include the networks that you have on the inside of your ASA.  For instance, if you have subnets 192.168.0.0/24 and 192.168.3.0/24 on your inside, then construct the ACL like this:

access-list splittunnel extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list splittunnel extended permit ip 192.168.3.0 255.255.255.0 192.168.254.0 255.255.255.0

Don't forget to remove the existing ACL statement as well:

no access-list splittunnel extended permit ip 192.168.0.0 255.255.0.0 192.168.254.0 255.255.255.0
 
 
05.07.2008 at 10:16AM PDT, ID: 21518445
Below is the ACL config after your instructed changes, but it still does not work even after I disconnected and reconnected to the VPN.

show run | i access-list
access-list outbound-filter extended permit tcp any any eq 220
access-list outbound-filter extended permit tcp any any eq ldap
access-list outbound-filter extended permit tcp any any eq ftp
access-list outbound-filter extended permit tcp any any eq telnet
access-list outbound-filter extended permit tcp any any eq smtp log
access-list outbound-filter extended permit tcp any any eq domain
access-list outbound-filter extended permit ip any any
access-list splittunnel extended permit ip 192.168.3.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list splittunnel extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list splittunnel extended permit ip 192.168.36.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list splittunnel extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list vpnacl extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.36.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip any 192.168.254.0 255.255.255.0
access-list nonat extended permit ip any 192.168.40.0 255.255.255.0
access-list outside_coming_in extended permit esp any any
access-list outside_coming_in extended permit gre any any
access-list outside_coming_in extended permit udp any eq isakmp any
access-list outside_coming_in extended permit udp any any eq isakmp
access-list outside_coming_in extended permit ah any any
access-list outside_coming_in extended permit tcp any any eq imap4
access-list outside_coming_in extended permit tcp any any eq www
access-list outside_coming_in extended permit icmp any any log
access-list outside_coming_in extended permit tcp any any eq domain
access-list NY_edward_splitTunnelAcl standard permit any
access-list development_splitTunnelAcl standard permit any
access-list gomobo_ny_splitTunnelAcl standard permit any
nat (inside) 0 access-list nonat
 
 
05.07.2008 at 10:18AM PDT, ID: 21518459
You have 2 VPN DHCP pools defined:

ip local pool vpnpool 192.168.254.1-192.168.254.254 mask 255.255.255.0
ip local pool dev_vpn 192.168.40.1-192.168.40.254 mask 255.255.255.0

Are you receiving a 192.168.254.x address or 192.168.40.x address when you are connecting to the VPN?
 
 
05.07.2008 at 10:57AM PDT, ID: 21518811
I got a 192.168.254.4 address. Perhaps I should remove the 40.x pool since it's not in use.

 
 
05.08.2008 at 06:06AM PDT, ID: 21524241
Any other suggestions?
 
 