netcmh asked:
CiscoVPN authentication on ASA 5510 using IAS AND restricting it to one server inside

Dear all,

How does one go about doing this?

I've read a couple of pages on EE and some on techrepublic. But, it's left me confused.

Does anyone have a step by step to help me?

Thanks
ASKER CERTIFIED SOLUTION
Pete Long

This solution is only available to members of Experts Exchange.
netcmh (ASKER):
Thank you for those instructions. I'm going to try them out today.

Are these instructions going to be compatible with pre-existing site-to-site VPN configs already in place? I wouldn't want those configs to change.
netcmh (ASKER):

After following the instructions, my client laptop with the same settings just keeps getting "contacting the security gateway at xxx.xxx.xxx.xxx", and then gets "terminated by peer", reason 433: reason not specified by peer.

Any ideas?
netcmh (ASKER):

Btw, I've tried the isakmp nat-traversal fix; it did not work.
netcmh (ASKER):

I have also set the VPN idle timeout to none.
netcmh (ASKER):

I'm sorry, but can I throw in one more complexity: there's an ISA in between the ASA and the IAS.

Anyone?
netcmh (ASKER):

Past the previous issue. Client gets connected, AD authentication happening, all good.

But I can't do anything once connected. Any ideas?
netcmh (ASKER):

How would I modify your config to say:

User dummy1 can only access one IP address, e.g. 192.168.9.5, for RDP, i.e. port 3389.

I created the extended list and added it to the group-policy. What else am I to do?

Thanks
netcmh (ASKER):
Please help.

What's wrong with this config? Permitting VPN users only to 192.168.9.5.

access-list nonat extended permit ip host 192.168.9.5 172.16.200.0 255.255.255.0

access-list RestrictedVPN_splitTunnelAcl standard permit host 192.168.9.5

ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.50 mask 255.255.255.0

nat-control

nat (inside) 0 access-list nonat

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.2.3
 timeout 60
 key cisco

crypto isakmp enable outside

group-policy RestrictedVPN internal
group-policy RestrictedVPN attributes
 dns-server value 192.168.2.1 192.168.2.2
 vpn-filter value RestrictedVPN_splitTunnelAcl
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RestrictedVPN_splitTunnelAcl
 default-domain value company.prv

tunnel-group RestrictedVPN type remote-access
tunnel-group RestrictedVPN general-attributes
 address-pool Restricted_VPN_IP_Pool
 authentication-server-group RADIUS
 default-group-policy RestrictedVPN
tunnel-group RestrictedVPN ipsec-attributes
 pre-shared-key *

Thank you
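The posted config reuses the standard ACL RestrictedVPN_splitTunnelAcl as the vpn-filter. A standard ACL carries only a destination host, no protocol or port, so it cannot express "192.168.9.5 on TCP 3389 only", and the ASA's vpn-filter expects an extended ACL whose entries are written with the VPN client address as source and the inside host as destination. The following added example (not from this thread or from Pete Long's answer) shows the posted setting beside a corrected one for the RDP-only requirement asked about earlier; the pool, host and policy names are the ones in the posted config, and the per-user mapping at the end assumes IAS can return the Cisco-documented RADIUS Class attribute.

```cisco
! Added example: restrict remote-access VPN users to RDP on one inside host.
! Names and addresses are taken from the posted config; nothing else about
! the asker's ASA is assumed.

! --- As posted: standard ACL reused as the vpn-filter ---
! Matches the destination host only; no protocol or port, so it cannot
! limit users to TCP 3389, and vpn-filter requires an extended ACL anyway.
access-list RestrictedVPN_splitTunnelAcl standard permit host 192.168.9.5
group-policy RestrictedVPN attributes
 vpn-filter value RestrictedVPN_splitTunnelAcl

! --- Corrected: dedicated extended ACL for the filter ---
! vpn-filter entries are evaluated on decrypted traffic from the client:
! source = VPN client (the address pool), destination = inside host, port on
! the destination. Replies for permitted connections are allowed automatically.
access-list RestrictedVPN_filter extended permit tcp 172.16.200.0 255.255.255.0 host 192.168.9.5 eq 3389
! Explicit deny with logging so blocked attempts show up in syslog.
access-list RestrictedVPN_filter extended deny ip any any log

group-policy RestrictedVPN attributes
 vpn-filter value RestrictedVPN_filter
 split-tunnel-policy tunnelspecified
! The standard ACL stays in use for split tunnelling, which is what it is for.
 split-tunnel-network-list value RestrictedVPN_splitTunnelAcl

! With this default enabled, interface ACLs are bypassed for VPN traffic,
! which is why the restriction has to live in the vpn-filter.
sysopt connection permit-vpn

! Pinning a single user (dummy1) to this group-policy when authentication
! comes from IAS: have the IAS remote access policy return the RADIUS Class
! attribute with the value "OU=RestrictedVPN;" for that user. If the user is
! also defined locally on the ASA, the same can be done with:
username dummy1 attributes
 vpn-group-policy RestrictedVPN

! The RADIUS key and the tunnel pre-shared key should be long random
! secrets rather than a dictionary word.
```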
netcmh (ASKER):
Anyone?
netcmh (ASKER):

Lack of communication.