help with asdm with asa 5500 series firewall

Destonomos

[H]ard|Gawd
Joined
Jul 13, 2004
Messages
1,027
I have an ASA 5520 I'm trying to set up VPN on. I have the IPsec VPN set up and it works with login and pass. I confirmed that you can't ping the firewall's inside address, and then after connecting via VPN you can ping devices behind the firewall and the inside interface, so I know it is working.

Problem is, to log into the VPN you have to use the group that I made and its username and password. What I want is to create 3 accounts for 3 different people to log in with. I created a local user under the AAA groups and servers, but it won't work when I try to use it to log in. What option am I missing to get accounts to be able to log in?
 
Do you have a domain? If so, RADIUS is the best way to manage this.
 
Update: I've got it working now.

You log in with the Cisco VPN client with the group user name and password, and then it prompts for the individual user name and password, which works for me :)


What I'm looking for now, if anyone knows of such a program, is something to simulate traffic over a port. Specifically 5060, if the port isn't selectable in the program.
 
That's called XAUTH, or extended authentication. To generate traffic over a specific port, open a command prompt and run "telnet x.x.x.x 5060".
 
If this continues to grow I would +1 this for management simplicity.

Yeah, we just deployed a RADIUS server with a new product we are delivering, but this is VPN for management of our internal team, which will only be 3 users. Thanks for the heads up though.
 
OK.

So now I have a new problem...

The VPN works and all my ACLs work, as well as the NAT rules I have set up. Once I am connected to the firewall on the outside interface through VPN, I can ping all public IP addresses that are connected to the firewall. I cannot connect to anything on the non-routable 192.168.1.0 255.255.255.0 network.

I have an idea as to how to make it work. IF ANYONE knows, PLEASE chime in, I really need the help. I'm thinking we need to create another inside interface and make it 192.168.1.50 (just picking a random # at the end) so the other network can connect to it. The problem I run into then is that I have a blade server, HP C-series I believe, behind the ASA and it only has one Ethernet cable coming out of it.

In short, I'm wondering now that I've written this, if it can even do it... Does a router need to be on the inside interface so we can accomplish this?

[edit] I thought what I wrote was a little wordy.

What I want to do is be able to VPN in through IPsec to the firewall that has a blade server behind it and have access to the devices that have public and private IP addresses. IF ANYONE CAN HELP ME, I would GREATLY appreciate it.

:)
 
Can you draw us a picture? Maybe it's just late, but I could not comprehend what you're saying there.
 
[attached image: 40512619.jpg]


Sorry. Don't have Visio loaded yet :p.
 
You need to provide a lot more info... a sanitized configuration would help. Specifically:

1) What is the mode config pool for VPN clients?
2) Post your interesting traffic ACLs.
3) What is the inside IP of the ASA?
4) What network is the blade server on? Does it reside on the same network as the inside interface of the ASA?
 
1) Pool is 192.168.1.1 - .10
2) Not important because it's for servers to contact things without VPN (nothing set up for VPN)
3) Public IP
4) Blade has VMs that are on public addresses, and the VM servers are on private IPs
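One thing a practitioner would check first from those answers: the client pool (192.168.1.1 - .10) is carved out of the very network the poster cannot reach (192.168.1.0/24), and a VPN pool that overlaps an inside subnet breaks routing between the tunnel and that subnet. The script below is an added example, not from this thread or from Cisco; it flags any overlap between a client pool and the inside networks and proposes an unused private block (the 10.255.0.0/16 search range is an assumption).

```python
import ipaddress

# Constructed from the values posted in this thread: VPN client pool
# 192.168.1.1 - 192.168.1.10 and the internal LAN 192.168.1.0/24.
VPN_POOL = ("192.168.1.1", "192.168.1.10")
INSIDE_NETWORKS = ["192.168.1.0/24"]


def pool_to_networks(first, last):
    """Expand a first-last address range into the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def find_overlaps(pool, inside_networks):
    """Return (pool_block, inside_network) pairs that overlap.

    Any hit means VPN clients are handed addresses from the LAN's own subnet,
    so the firewall cannot route cleanly between the tunnel and that LAN.
    """
    hits = []
    for block in pool_to_networks(*pool):
        for cidr in inside_networks:
            net = ipaddress.ip_network(cidr, strict=False)
            if block.overlaps(net):
                hits.append((str(block), str(net)))
    return hits


def suggest_pool(inside_networks, prefixlen=28):
    """Pick the first /prefixlen block in an assumed private search range
    (10.255.0.0/16) that overlaps none of the inside networks; None if full."""
    taken = [ipaddress.ip_network(c, strict=False) for c in inside_networks]
    search = ipaddress.ip_network("10.255.0.0/16")
    for candidate in search.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


if __name__ == "__main__":
    for block, net in find_overlaps(VPN_POOL, INSIDE_NETWORKS):
        print(f"pool block {block} overlaps inside network {net}")
    print("candidate non-overlapping pool:", suggest_pool(INSIDE_NETWORKS))
```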
 