Сообщения без ответов | Активные темы Текущее время: 28 мар 2024, 21:23



Ответить на тему  [ Сообщений: 2 ] 
смена dc при подключении anyconnect 
Автор Сообщение

Зарегистрирован: 10 июл 2019, 18:21
Сообщения: 103
Всем доброго времени суток.

Сталкивался ли кто с проблемами на асе при смене контроллера домена с ldap для подключения через anyconnect? В данном случае, меняется исключительно адрес dc - домен остается тот же.

dns server-group DefaultDNS
name-server 192.168.189.57
domain-name domain.ru
aaa-server TI (inside) host 192.168.189.57
kerberos-realm DOMAIN.RU
aaa-server LDAP (inside) host 192.168.189.57
ldap-base-dn DC=domain,DC=ru
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password passNet123
ldap-login-dn domain\asa55
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map MAP123

Это часть текущего конфига. В новом меняем на новый адрес 10.191.10.57 и ничего не работает... Хотя аса с dc доступна - телнет и ssh на нее доступ есть.

%ASA-2-113022: AAA Marking LDAP server 10.191.10.57 in aaa-server group LDAP as FAILED
%ASA-2-113023: AAA Marking LDAP server 10.191.10.57 in aaa-server group LDAP as ACTIVE


15 июл 2019, 12:48
Профиль

Зарегистрирован: 10 июл 2019, 18:21
Сообщения: 103
Т.е. если показать часть конфига, то получается меняем 192.168.189.57 на 10.191.10.57 - и ничего. Хотя, оба находятся в inside.

ASA Version 9.1(6)
!
hostname asa
domain-name domain.ru
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

names
dns-guard
ip local pool POOL-VPN 192.168.20.200-192.168.20.254 mask 255.255.255.255
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.11.12.13 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.130.30 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.17.2 255.255.255.0
!
!
time-range TIME
periodic daily 0:00 to 23:59
!
boot system disk0:/asa916-k8.bin
ftp mode passive
clock timezone MSD 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.189.57
domain-name domain.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network NET_RA
network-object 192.168.20.0 255.255.255.0
network-object 192.168.130.16 255.255.255.248
access-list ACL_NO_NAT extended permit ip any4 object-group NET_RA
access-list ACL_NO_NAT extended permit ip object-group NET_RA any4
access-list ACL_NO_NAT extended permit ip 172.16.20.0 255.255.255.0 host 11.12.13.15
access-list ACL_NO_NAT extended permit ip host 11.12.13.15 172.16.20.0 255.255.255.0
access-list WAN_RA_DYN extended permit ip any4 object-group NET_RA
access-list WAN_RA_DYN extended permit ip object-group NET_RA any4
access-list tunnel standard permit 192.168.189.0 255.255.255.0
...
access-list tunnel standard permit 10.191.10.0 255.255.255.0
...
access-list tunnel standard permit 10.0.0.0 255.0.0.0
...
access-list ACL_WAN_IN extended permit icmp any4 any4
access-list ACL_WAN_IN extended permit ip any4 any4
access-list ACL_WAN_IN extended permit udp any4 any4
access-list ACL_WAN_IN extended permit gre any4 any4
access-list tunnel2 standard permit 192.168.0.0 255.255.0.0
...
access-list tunnel2 standard permit 192.168.76.0 255.255.255.0
...
access-list tunnel3 standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging buffer-size 16000
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm errors
logging mail errors
logging queue 2048
logging host inside 192.168.189.6
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group ACL_WAN_IN in interface outside
access-group ACL_WAN_IN out interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route inside 10.0.0.0 255.0.0.0 192.168.130.29 1
route inside 192.168.0.0 255.255.0.0 192.168.130.29 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map MAP123
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE GR2
map-value msNPAllowDialin TRUE GR1
map-name msNPCallingStationID IETF-Radius-Class
map-value msNPCallingStationID NoAnyConnect GR3
dynamic-access-policy-record DfltAccessPolicy
aaa-server TI protocol kerberos
aaa-server TI (inside) host 192.168.189.57
kerberos-realm DOMAIN.RU
aaa-server tacacs protocol tacacs+
aaa-server tacacs (outside) host 21.13.12.25
key ppp123
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.189.57
ldap-base-dn DC=domain,DC=ru
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password passNet123
ldap-login-dn domain\asa55
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map MAP123
user-identity default-domain LOCAL
aaa authentication ssh console tacacs LOCAL
aaa authentication telnet console LOCAL
aaa authorization command tacacs LOCAL
http server enable
...
sysopt connection tcpmss 1460
crypto ipsec ikev1 transform-set des esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map WAN_DYN_MAP 20 match address WAN_RA_DYN
crypto dynamic-map WAN_DYN_MAP 20 set ikev1 transform-set des
crypto dynamic-map WAN_DYN_MAP 20 set security-association lifetime seconds 28800
crypto dynamic-map WAN_DYN_MAP 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map WAN_DYN_MAP 20 set reverse-route
crypto map WAN_MAP 10 ipsec-isakmp dynamic WAN_DYN_MAP
crypto map WAN_MAP interface outside
crypto map domain 1 set security-association lifetime seconds 28800
crypto map domain 1 set security-association lifetime kilobytes 4608000
crypto ca trustpoint SSL-Trustpoint-PKCS12
...
crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 13.13.12.35
ntp server 192.168.189.6
ssl trust-point SSL-Trustpoint-PKCS12 outside
webvpn
enable outside
no anyconnect-essentials
csd image disk0:/csd_3.5.841-k9.pkg
anyconnect image disk0:/anyconnect-win-4.1.06013-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-4.1.06013-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy webvpn internal
group-policy webvpn attributes
dns-server value 192.168.189.57
vpn-simultaneous-logins 50
vpn-idle-timeout 5
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tunnel
default-domain value domain.ru
address-pools value POOL-VPN
webvpn
homepage none
anyconnect mtu 1200
anyconnect ask enable
file-entry enable
file-browsing enable
group-policy GR1 internal
group-policy GR1 attributes
vpn-simultaneous-logins 5
vpn-idle-timeout 15
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tunnel2
default-domain value domain.ru
address-pools value POOL-VPN
webvpn
anyconnect mtu 1200
group-policy GR2 internal
group-policy GR2 attributes
vpn-simultaneous-logins 5
vpn-idle-timeout 15
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tunnel3
default-domain value domain.ru
address-pools value POOL-VPN
group-policy GR3 internal
group-policy GR3 attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tunnel3
username ...
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group TI
default-group-policy webvpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 192.168.189.57 timeout 2 retry 2
tunnel-group LDAP type remote-access
tunnel-group LDAP general-attributes
authentication-server-group LDAP
default-group-policy webvpn
password-management
tunnel-group LDAP webvpn-attributes
group-alias LDAP enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global


15 июл 2019, 18:41
Профиль
Показать сообщения за:  Поле сортировки  
Ответить на тему   [ Сообщений: 2 ] 

Кто сейчас на конференции

Сейчас этот форум просматривают: нет зарегистрированных пользователей и гости: 54


Вы не можете начинать темы
Вы не можете отвечать на сообщения
Вы не можете редактировать свои сообщения
Вы не можете удалять свои сообщения
Вы не можете добавлять вложения

Найти:
Перейти:  
cron
Создано на основе phpBB® Forum Software © phpBB Group
Designed by ST Software for PTF.
Русская поддержка phpBB