Guys,
I am trying to work through the practice VPN lab "4.8 Easy VPN with External Group Authorization and XAUTH." In regards to performing external authentication, where can I find a list/documentation for the RADIUS attributes to add to the [009\001] cisco-av-pair box under Group authentication? For example, as part of this solution I am supposed to input the following values in the [009\001] cisco-av-pair box under Group authentication:

Ipsec:tunnel-type=ESP
Ipsec:key-exchange=ike
Ipsec:inacl=170
Ipsec:save-password=1
Ipsec:addr-pool=EZPOOL2

Where can a list of these attributes be found for reference?

Ipsec:tunnel-type=
Ipsec:key-exchange=
Ipsec:inacl=
Ipsec:save-password=
Ipsec:addr-pool=

Thanks,

Matt Manire
CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
Information Systems Security Manager
[email protected]
t: 817.525.1863  f: 817.525.1903  m: 817.271.9165
First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com <http://www.firstrate.com/>

From: [email protected] [mailto: [email protected]] On Behalf Of Fawad Khan
Sent: Wednesday, May 02, 2012 9:05 AM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] AnyConnect per group ACLs

No, still on AnyConnect VPN-filter.

On Wednesday, May 2, 2012, Kingsley Charles wrote:

Are you talking about GETVPN?

With regards
Kings

On Wed, May 2, 2012 at 6:18 PM, Fawad Khan <[email protected]> wrote:

There are two ways to handle that situation which you mentioned.

1. An outbound ACL on the inside/DMZ interface, so that inside hosts cannot initiate the traffic because of the unnecessary hole created by the ACL.

2. This one is not very restrictive but still better than something, i.e. instead of having the ACL like you mentioned:

Permit tcp vpn ip host 10.20.30.40 23

use this ACL:

Permit tcp VPN ip gt 1023 host 10.20.30.40 23

FNK

On Wednesday, May 2, 2012, Kingsley Charles wrote:

ASA VPN filter is tricky, but one thing to remember is that it is directional.

permit tcp any host 10.20.30.40 eq 23

Now this ACL will permit an outside user to connect to 10.20.30.40@23 (inbound/post-decrypt) and at the same time allow 10.20.30.40@23 (outbound/pre-encrypt) to anyone outside.

Have you tried the "match acl" in the GETVPN crypto map? Seems it also bears a similar property. We can add an ACL with only "deny" entries that precedes the downloaded ACL from the KS, and that traffic is bypassed. This bypass is for outbound. What about inbound? The mirror traffic should also be bypassed, right? Whether the same ACE is going to do the job? It has not been the case for me.

With regards
Kings

On Wed, May 2, 2012 at 1:54 PM, Fawad Khan <[email protected]> wrote:

Not the outside network specifically; by remote I mean an IP address from the VPN pool (which from one perspective is outside of the network, but from another perspective it's "now" part of the network after connecting to the VPN).

On Wednesday, May 2, 2012, Kingsley Charles wrote:

Is 10.X.X.0/24 the outside network? The format for the VPN filter is always

access-list name permit <outside IP> <outside port> <inside IP> <inside port>

irrespective of whatever is the direction of traffic (inbound/outbound). Is this what you said?

With regards
Kings

On Wed, May 2, 2012 at 7:21 AM, Fawad Khan <[email protected]> wrote:

Matt,

As others have said, VPN-Filter will do the job. However, as Eugene pointed out, the ACL is tricky. Remember that SOURCE in the ACL is always REMOTE (no matter who is initiating the connection). Check this old email I wrote a couple of months back; it will give you a link as well.

===================================

Antonio,

I think you have guessed it right, i.e. VPN-Filter under group-policy. I usually put something like the following in the vpn-filter ACL:

access-list permit vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 gt 1023 192.168.x.x 255.255.0.0 eq XYZ

where 10.x.x.x is the SSL VPN subnet, 192.168.x.x is on the core network/DMZ/LAN and XYZ is any service.

The key about the vpn-filter ACL is that remote addresses (i.e. SSL VPN addresses in your case) would always act as the source, even though there would be a chance that an inside/core user would access a service on the remote address. For example, if you want to enable remote desktop functionality from your core to the SSL users, then the vpn-filter ACL would look like the following, in addition to the regular OUTBOUND ACL on the inside interface:

access-list permit vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 eq --

FNK
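The thread's point that a vpn-filter ACE is always written remote-side first and is matched in both directions is easy to misjudge by eye. The following Python model is an added example written for this thread; it is not Cisco code and not anything the list members posted. It models the rule the thread states (orient every new connection as remote/inside, then match), parses the ASA-style ACE lines quoted above, and runs Kingsley's loose ACE and Fawad's "gt 1023" variant, plus Fawad's option 1 (an ACL on the inside interface), against three constructed connections. Assumptions: the VPN pool is 10.20.0.0/24, the client is 10.20.0.5, the inside host is 10.20.30.40 from the thread, and only the connection-opening packet is evaluated (reply packets of an established connection are left to the stateful engine, which this model does not implement).

```python
"""Toy model of Cisco ASA vpn-filter matching. Constructed example for the
thread above; not Cisco code. Models the stated rule that an ACE reads
    permit <proto> <REMOTE addr> [port] <INSIDE addr> [port]
and is checked against new connections in both directions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    net: IPv4Network
    port_op: Optional[str] = None   # "eq" / "gt" / "lt", or None for any port
    port: Optional[int] = None

    def matches(self, addr: str, port: int) -> bool:
        if ip_address(addr) not in self.net:
            return False
        if self.port_op is None:
            return True
        return {"eq": port == self.port, "gt": port > self.port,
                "lt": port < self.port}[self.port_op]


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp" or "ip"
    first: Endpoint    # remote side of a vpn-filter; source of an interface ACL
    second: Endpoint   # inside side of a vpn-filter; destination of an interface ACL


@dataclass(frozen=True)
class Packet:
    """Opening packet of a connection. direction is 'inbound' (from the VPN
    client, post-decrypt) or 'outbound' (from an inside host, pre-encrypt)."""
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_endpoint(tok: List[str], i: int) -> Tuple[Endpoint, int]:
    if tok[i] == "any":
        net, i = IPv4Network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = IPv4Network(tok[i + 1] + "/32"), i + 2
    else:                                  # ASA syntax: <network> <netmask>
        net, i = IPv4Network(f"{tok[i]}/{tok[i + 1]}"), i + 2
    op = port = None
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        op, port, i = tok[i], int(tok[i + 1]), i + 2
    return Endpoint(net, op, port), i


def parse_ace(line: str) -> Ace:
    """Accepts 'access-list NAME permit tcp ...' or a bare 'permit tcp ...'."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    first, i = _parse_endpoint(tok, 2)
    second, _ = _parse_endpoint(tok, i)
    return Ace(tok[0], tok[1], first, second)


def _first_match(acl, proto, a_addr, a_port, b_addr, b_port) -> bool:
    for ace in acl:
        if ace.proto in (proto, "ip") and ace.first.matches(a_addr, a_port) \
                and ace.second.matches(b_addr, b_port):
            return ace.action == "permit"
    return False                           # implicit deny at the end of every ACL


def vpn_filter_allows(acl: List[Ace], p: Packet) -> bool:
    """Orient the packet as (remote, inside) first: the VPN client address is
    the ACE source no matter which side opened the connection."""
    if p.direction == "inbound":
        return _first_match(acl, p.proto, p.src, p.sport, p.dst, p.dport)
    return _first_match(acl, p.proto, p.dst, p.dport, p.src, p.sport)


def inside_acl_allows(acl: List[Ace], p: Packet) -> bool:
    """ACL on the inside interface: ordinary src -> dst match, seen only by
    traffic that inside hosts send toward the VPN clients."""
    if p.direction != "outbound":
        return True
    return _first_match(acl, p.proto, p.src, p.sport, p.dst, p.dport)


def evaluate(vpn_filter: List[Ace], p: Packet, inside_acl=None) -> bool:
    ok = vpn_filter_allows(vpn_filter, p)
    return ok and (inside_acl is None or inside_acl_allows(inside_acl, p))


# The two ACEs from the thread (constructed pool 10.20.0.0/24 standing in for "VPN ip").
LOOSE = [parse_ace("permit tcp any host 10.20.30.40 eq 23")]
TIGHT = [parse_ace("permit tcp 10.20.0.0 255.255.255.0 gt 1023 host 10.20.30.40 eq 23")]
# Constructed inside-interface ACL for Fawad's option 1: inside may not open toward the pool.
INSIDE_ACL = [parse_ace("deny ip any 10.20.0.0 255.255.255.0"), parse_ace("permit ip any any")]

CLIENT_TELNET = Packet("inbound", "tcp", "10.20.0.5", 50000, "10.20.30.40", 23)  # intended use
SERVER_TO_SSH = Packet("outbound", "tcp", "10.20.30.40", 23, "10.20.0.5", 22)    # the hole
SERVER_TO_HIGH = Packet("outbound", "tcp", "10.20.30.40", 23, "10.20.0.5", 50000)  # residual hole

if __name__ == "__main__":
    for name, p in [("client telnet", CLIENT_TELNET), ("server:23 -> client:22", SERVER_TO_SSH),
                    ("server:23 -> client:50000", SERVER_TO_HIGH)]:
        print(f"{name:26} loose={evaluate(LOOSE, p)!s:5} tight={evaluate(TIGHT, p)!s:5} "
              f"tight+inside_acl={evaluate(TIGHT, p, INSIDE_ACL)}")
```

Running it shows what the thread argues: both ACEs admit the client's telnet, the loose ACE also lets 10.20.30.40 open connections from port 23 to any port on the client, the "gt 1023" ACE closes the low-port half of that hole but still admits a source-port-23 connection to a high port, and only the inside-interface ACL removes the remainder, which is why option 1 is the more restrictive choice.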
