Page 1 of 1
[ 2 posts ]
Changing the DC for AnyConnect connections

Author | Message

Praporwik
Registered: 10 Jul 2019, 18:21  Posts: 103
Good day, everyone.
Has anyone run into problems on the ASA when changing the domain controller used with LDAP for AnyConnect connections? In this case only the DC address changes; the domain stays the same.

dns server-group DefaultDNS
 name-server 192.168.189.57
 domain-name domain.ru
aaa-server TI (inside) host 192.168.189.57
 kerberos-realm DOMAIN.RU
aaa-server LDAP (inside) host 192.168.189.57
 ldap-base-dn DC=domain,DC=ru
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password passNet123
 ldap-login-dn domain\asa55
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map MAP123

This is part of the current config. In the new one we change it to the new address 10.191.10.57, and nothing works... Even though the DC is reachable from the ASA: telnet and SSH access to it works.

%ASA-2-113022: AAA Marking LDAP server 10.191.10.57 in aaa-server group LDAP as FAILED
%ASA-2-113023: AAA Marking LDAP server 10.191.10.57 in aaa-server group LDAP as ACTIVE
15 Jul 2019, 12:48

Praporwik
Registered: 10 Jul 2019, 18:21  Posts: 103
So, showing part of the config: we change 192.168.189.57 to 10.191.10.57, and nothing. Even though both are on inside.
ASA Version 9.1(6)
!
hostname asa
domain-name domain.ru
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
ip local pool POOL-VPN 192.168.20.200-192.168.20.254 mask 255.255.255.255
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.11.12.13 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.130.30 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.17.2 255.255.255.0
!
!
time-range TIME
 periodic daily 0:00 to 23:59
!
boot system disk0:/asa916-k8.bin
ftp mode passive
clock timezone MSD 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.189.57
 domain-name domain.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network NET_RA
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.130.16 255.255.255.248
access-list ACL_NO_NAT extended permit ip any4 object-group NET_RA
access-list ACL_NO_NAT extended permit ip object-group NET_RA any4
access-list ACL_NO_NAT extended permit ip 172.16.20.0 255.255.255.0 host 11.12.13.15
access-list ACL_NO_NAT extended permit ip host 11.12.13.15 172.16.20.0 255.255.255.0
access-list WAN_RA_DYN extended permit ip any4 object-group NET_RA
access-list WAN_RA_DYN extended permit ip object-group NET_RA any4
access-list tunnel standard permit 192.168.189.0 255.255.255.0
...
access-list tunnel standard permit 10.191.10.0 255.255.255.0
...
access-list tunnel standard permit 10.0.0.0 255.0.0.0
...
access-list ACL_WAN_IN extended permit icmp any4 any4
access-list ACL_WAN_IN extended permit ip any4 any4
access-list ACL_WAN_IN extended permit udp any4 any4
access-list ACL_WAN_IN extended permit gre any4 any4
access-list tunnel2 standard permit 192.168.0.0 255.255.0.0
...
access-list tunnel2 standard permit 192.168.76.0 255.255.255.0
...
access-list tunnel3 standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging buffer-size 16000
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm errors
logging mail errors
logging queue 2048
logging host inside 192.168.189.6
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group ACL_WAN_IN in interface outside
access-group ACL_WAN_IN out interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route inside 10.0.0.0 255.0.0.0 192.168.130.29 1
route inside 192.168.0.0 255.255.0.0 192.168.130.29 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map MAP123
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE GR2
 map-value msNPAllowDialin TRUE GR1
 map-name msNPCallingStationID IETF-Radius-Class
 map-value msNPCallingStationID NoAnyConnect GR3
dynamic-access-policy-record DfltAccessPolicy
aaa-server TI protocol kerberos
aaa-server TI (inside) host 192.168.189.57
 kerberos-realm DOMAIN.RU
aaa-server tacacs protocol tacacs+
aaa-server tacacs (outside) host 21.13.12.25
 key ppp123
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.189.57
 ldap-base-dn DC=domain,DC=ru
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password passNet123
 ldap-login-dn domain\asa55
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map MAP123
user-identity default-domain LOCAL
aaa authentication ssh console tacacs LOCAL
aaa authentication telnet console LOCAL
aaa authorization command tacacs LOCAL
http server enable
...
sysopt connection tcpmss 1460
crypto ipsec ikev1 transform-set des esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map WAN_DYN_MAP 20 match address WAN_RA_DYN
crypto dynamic-map WAN_DYN_MAP 20 set ikev1 transform-set des
crypto dynamic-map WAN_DYN_MAP 20 set security-association lifetime seconds 28800
crypto dynamic-map WAN_DYN_MAP 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map WAN_DYN_MAP 20 set reverse-route
crypto map WAN_MAP 10 ipsec-isakmp dynamic WAN_DYN_MAP
crypto map WAN_MAP interface outside
crypto map domain 1 set security-association lifetime seconds 28800
crypto map domain 1 set security-association lifetime kilobytes 4608000
crypto ca trustpoint SSL-Trustpoint-PKCS12
...
crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 13.13.12.35
ntp server 192.168.189.6
ssl trust-point SSL-Trustpoint-PKCS12 outside
webvpn
 enable outside
 no anyconnect-essentials
 csd image disk0:/csd_3.5.841-k9.pkg
 anyconnect image disk0:/anyconnect-win-4.1.06013-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-4.1.06013-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy webvpn internal
group-policy webvpn attributes
 dns-server value 192.168.189.57
 vpn-simultaneous-logins 50
 vpn-idle-timeout 5
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel
 default-domain value domain.ru
 address-pools value POOL-VPN
 webvpn
  homepage none
  anyconnect mtu 1200
  anyconnect ask enable
  file-entry enable
  file-browsing enable
group-policy GR1 internal
group-policy GR1 attributes
 vpn-simultaneous-logins 5
 vpn-idle-timeout 15
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel2
 default-domain value domain.ru
 address-pools value POOL-VPN
 webvpn
  anyconnect mtu 1200
group-policy GR2 internal
group-policy GR2 attributes
 vpn-simultaneous-logins 5
 vpn-idle-timeout 15
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel3
 default-domain value domain.ru
 address-pools value POOL-VPN
group-policy GR3 internal
group-policy GR3 attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel3
username ...
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group TI
 default-group-policy webvpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.189.57 timeout 2 retry 2
tunnel-group LDAP type remote-access
tunnel-group LDAP general-attributes
 authentication-server-group LDAP
 default-group-policy webvpn
 password-management
tunnel-group LDAP webvpn-attributes
 group-alias LDAP enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
15 Jul 2019, 18:41
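Two things stand out in the posted config when only the `aaa-server LDAP` host is changed: every other reference to the old DC (`name-server` in `dns server-group DefaultDNS`, the Kerberos host in `aaa-server TI`, `dns-server value` in the `webvpn` group-policy, `nbns-server` in `DefaultWEBVPNGroup`) still points at 192.168.189.57, and `ldap-over-ssl enable` means the ASA needs an LDAPS listener on TCP/636 of the new DC, which a working telnet or SSH session to the DC does not prove. The script below is an added example, not code from the thread or from Cisco; it audits a config text for leftover references, builds the CLI to re-create the `aaa-server` host entry (the host address is part of the entry's key on the ASA, so it is re-created rather than edited in place), and attempts a TLS handshake on TCP/636 against the new DC. `SAMPLE_CONFIG` is a constructed excerpt modelled on the posted config, and the function names are the example's own.

```python
"""Audit helpers for moving an ASA's LDAP domain controller (added example).

Not taken from the forum post or from Cisco. Addresses are the thread's;
SAMPLE_CONFIG is a constructed excerpt modelled on the posted config.
"""
from __future__ import annotations

import re
import socket
import ssl

# Constructed excerpt: the shape of the posted config before the change.
SAMPLE_CONFIG = """\
dns server-group DefaultDNS
 name-server 192.168.189.57
 domain-name domain.ru
aaa-server TI protocol kerberos
aaa-server TI (inside) host 192.168.189.57
 kerberos-realm DOMAIN.RU
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.189.57
 ldap-base-dn DC=domain,DC=ru
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn domain\\asa55
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map MAP123
group-policy webvpn attributes
 dns-server value 192.168.189.57
 address-pools value POOL-VPN
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.189.57 timeout 2 retry 2
logging host inside 192.168.189.6
"""


def find_references(config: str, address: str) -> list[tuple[str, str]]:
    """Return (parent_command, line) for every line that names `address`.

    ASA sub-commands are indented by one space under their parent, so the
    parent is the most recent unindented line; a top-level hit is its own parent.
    The look-arounds stop 192.168.189.5 from matching inside 192.168.189.57.
    """
    pattern = re.compile(r"(?<![\d.])" + re.escape(address) + r"(?![\d.])")
    parent, hits = "", []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            parent = line
        if pattern.search(line):
            hits.append((parent, line.strip()))
    return hits


def aaa_host_move_cli(config: str, group: str, old: str, new: str) -> list[str]:
    """Build the CLI that re-points one `aaa-server <group> (<if>) host` entry.

    The new host entry is created with the old entry's sub-commands copied
    verbatim, then the old entry is removed. If your `show running-config`
    masks ldap-login-password, re-enter it by hand. Returns [] when no entry
    for `old` exists in `group`.
    """
    head = re.compile(rf"^aaa-server {re.escape(group)} \((\w+)\) host {re.escape(old)}\s*$")
    lines = config.splitlines()
    for i, line in enumerate(lines):
        m = head.match(line)
        if not m:
            continue
        subs = []
        for sub in lines[i + 1:]:
            if not sub.startswith(" "):
                break
            subs.append(sub.rstrip())
        iface = m.group(1)
        return ([f"aaa-server {group} ({iface}) host {new}"] + subs
                + [f"no aaa-server {group} ({iface}) host {old}"])
    return []


def ldaps_handshake(host: str, port: int = 636, timeout: float = 3.0) -> dict:
    """Open TCP/636 and complete a TLS handshake, as ldap-over-ssl requires.

    Certificate validation is deliberately off: the question here is whether an
    LDAPS listener answers at all and what it negotiates, not whether the ASA
    would trust it. Network call; only runs when invoked explicitly.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0], "cert_bytes": len(der)}
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    import sys
    OLD, NEW = "192.168.189.57", "10.191.10.57"
    for parent, line in find_references(SAMPLE_CONFIG, OLD):
        print(f"{parent:50s} -> {line}")
    print("\n".join(aaa_host_move_cli(SAMPLE_CONFIG, "LDAP", OLD, NEW)))
    if len(sys.argv) > 1:  # e.g. python audit.py 10.191.10.57
        print(ldaps_handshake(sys.argv[1]))
```

Feed the script the real `show running-config` output instead of `SAMPLE_CONFIG` and it lists every parent command that still carries the old address. On the ASA itself, `test aaa-server authentication LDAP host 10.191.10.57 username <user> password <pass>` together with `debug ldap 255` shows whether the bind to the new DC fails at the TCP/TLS stage or at the LDAP bind, which is the distinction the 113022/113023 messages alone do not make.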