ASA 5505 configured for WebVPN connecting to Citrix Web Interface

ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
i have a ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface .  The user authenticates into WebVPN OK and gets the option to click on the Citrix Link (which is i add bookmark  citrix server http:// 172.30.40.5.) i enter the citrix and then for example  i want to open to outlook it can not open. (when i want to open some application no application is open)).there is no alarm at asa. how i solve this issue?
thanks.

Teymur,
Can you confim that after disabling the ssl/tls on the Citrix server (secure connectivity) that you are getting exactly the same error.  It is possible that it is generating a different error.
The bug where we have see the existing error was CSCtf06303 but that has been fixed in 8.4.1.  Can you confirm the exact version of code you are running on the ASA.
If you have confirmed the above two notes it may be adventageous to open a TAC case as we may need to do some live additional troubleshooting.
Thanks
-Jay

Similar Messages

  • How many connections supports a web interface with each camera and how many Adobe Encoder clients does AMS support? AMS Standart

    How many connections supports a web interface with each camera and how many Adobe Encoder clients does AMS support? AMS Standart. We need connect by  Adobe Encoder many people. what is differences between Adobe Media Server 5 Professional, Adobe Media Server 5 Standard and Adobe Media Server 5 Extended?

    For the detailed list of differences across editions refer this link
    http://www.adobe.com/in/products/adobe-media-server-family/buying-guide-comparison.html

  • Cisco ASA 5505 configuration

    Hi,
    I have configured cisco ASA 5505 but I can't get access to internet using my laptop connected to the ASA. I did not use the console but the graphical interface for the configuration. I changed the inside adress of the ASA and it is 192.168.2.1. From the inside I can't ping the material in outside and from outside I can't ping the laptop connected to the ASA.
    Here is my configuration:
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.2(5)
    hostname xxxxxxxxxxxxxxxxx
    domain-name xxxxxxxxxxxxxxxxxxx
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxxxxxx encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.1.48 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name processia.com
    access-list outside_access_in extended permit ip any any
    access-list icmp_out_in extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ipv6 access-list outside_access_ipv6_in permit ip any any
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group icmp_out_in in interface outside
    access-group outside_access_ipv6_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.2.2-192.168.2.129 inside
    dhcpd dns 80.10.246.2 80.10.246.129 interface inside
    dhcpd ping_timeout 5000 interface inside
    dhcpd domain xxxxxxxxxxxxxxxxx interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    policy-map global_policy
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7e6f35db321b722ca60009b0c0dc706e
    : end
    Thank you for your help

    Hi Sylla,
    The static route you have configured for Internet access needs to be corrected:
    route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
    The next hop address should be your ISP's gateway IP address and not the ASA's outside interface IP. Currently, both are configured for 192.168.1.48.
    -Mike

  • Cisco ASA 5505 - Keeps dropping internet connection

    Hi,
    We are having some issues with our Cisco ASA 5505 unit, it intermittently drops the outside interface connection. Internally the network appears to be working correctly with no issues. Even though the outside interface indicates it is 'up' access to the internet is lost from our LAN. This seems to be ocourring more and more often! This is happening for all users on the network too. Reloading the ASA seems to correct the problem temporally but this isn't really an option during peak periods in the day as this would obviously hinder work being carried out by employees.
    Any ideas?
    Any help would be greatly appreciated!!
    Thanks,
    John
    Running Config Below:
    ASA Version 8.2(1)
    hostname ******************
    domain-name *************************
    enable password ************************* encrypted
    passwd **************************** encrypted
    names
    dns-guard
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.3.0.254 255.255.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address ***************** 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server *****************
    domain-name **********************
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit tcp any any eq smtp
    access-list outside_access_in extended permit tcp any any eq 3389
    access-list outside_access_in extended permit tcp any any eq https
    access-list outside_access_in extended permit tcp any any
    access-list outside_access_in extended permit tcp any any eq 3839
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    failover timeout -1
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp 10.3.0.2 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https 10.3.0.2 https netmask 255.255.255.255
    static (inside,outside) tcp interface 3839 10.3.0.1 3839 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 10.3.0.1 3389 netmask 255.255.255.255
    static (inside,inside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 norandomseq nailed
    static (inside,inside) 172.16.63.0 172.16.63.0 netmask 255.255.255.240 norandomseq nailed
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 *************** 1
    route inside 172.16.63.0 255.255.255.240 10.3.0.253 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.3.0.0 255.255.0.0 inside
    http 10.3.0.0 255.255.255.0 inside
    http 10.10.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ************ password *********************** encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global

    Hello,
    What happens when you assign eth0 as internal interface and eth1 as outside if?
    Also configure logging (/debugging) to see if there are hardware issues or something else.
    And it seems you have a range of public addresses. What happens when you connect a device, e.g. a laptop directly on the internet access device and send continue ping to an internet host.
    When you loose internet connectivity, is the laptop still pinging to that host?
    Hopefully this helps you,
    Kind regards,
    Ralph Willemsen
    Arnhem, Netherlands

  • Cisco ASA 5505 Configurations. Help... Beyond Frustrated

    Hello All,
    I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
    I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
    hostname AMDASA
    domain-name asa.(mydomain).com
    enable password (encrypted)
    passwd (encrypted)
    interface Ethernet0/0
    description TWCoutside
    switchport access vlan 2
    no shutdown
    write mem
    exit
    interface Ethernet0/1
    description Port1inside
    switchport access vlan 1
    no shutdown
    write mem
    exit
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.250 255.255.255.0
    write mem
    exit
    interface Vlan2
    nameif outside
    security-level 0
    ip address 24.39.245.36 255.255.255.240
    write mem
    exit
    object-group icmp-type DefaultICMP
    description Default ICMP Types permitted
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    write mem
    exit
    ftp mode passive
    write mem
    clock timezone EST -5
    clock summer-time EDT recurring
    write mem
    exit
    dns server-group DefaultDNS
    domain-name asa.adcmotors.com
    write mem
    exit
    access-list acl_outside extended permit icmp any any object-group DefaultICMP
    access-group acl_outside in interface outside
    access-list acl_inside extended permit icmp any any object-group DefaultICMP
    access-group acl_inside in interface inside
    write mem
    exit
    write mem
    That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!

    Hi our desperate friend .
    First I would suggest to use the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler and for the SSL VPN you would need to install the client on the ASA and purchase additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you dont have it or dont have access to download it from cisco.com go to the person from which you purchased your ASA and ask him how to get it.
    That said, I also think that your ASA lacks of some basic configuration as of now.  If you are planning to use this in replacement for your current PIX. You would need to configure a default route and some basic NAT:
    route outside 0.0.0.0 0.0.0.0 24.39.245.33
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0  255.255.255.0
    Now regarding the VPN Client configuration you would need to something like this:
    Create an isakmp policy:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha    
    group 2
    lifetime 86400
    Create a couple of ACLs that we will use later:
    access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list split_tun standard permit 192.168.0.0 255.255.255.0
    Create a Pool for the VPN Clients to use:
    ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    Create a Group Policy:
    group-policy TEST internal
    group-policy TEST attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tun
    Create a group:
    tunnel-group TEST type ipsec-ra
    tunnel-group TEST general-attributes
    address-pool TestPool
    authentication-server-group ABTVPN
    default-group-policy TEST
    tunnel-group TEST ipsec-attributes
    pre-shared-key cisco123
    Create crypto map and do a NAT 0:
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface outside
    nat (inside) 0 access-l nonat
    Finally create a user that you will use to connect:
    username test password test123
    Then you would need to configure your VPN Client to connect with the ASA.
    Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
    I hope this helps. Feel free to ask if you have any questions. Also it would very usefull if you could upload the current config (show run) of the ASA in case you need to ask something else.
    Have fun.
    Raga

  • ASA 5505 speed reduction when connected to a Planet fiber converter

    Hi!
    We have many customers running ASA 5505, and a number of them are running 100 Mbit connections. This normally works fine. But recently, our ISP has started setting up all new fiber connections using a Planet fiber to RJ converter (Before they used Cisco switches), and with those, the locations only get around 50-60 Mbit. We have done all the testing - force port speed and duplex settings, test with a PC directly connected to the converter etc. And the connection allways runs 100 Mbit. And the ASA's themselves also run 100 Mbit when connected to anything else than the Planet converter. We have for now circumvented the problem by placing a simple L2 switch between the converter and the ASA's, but this is not an ideal solution as it adds another single point of failure element etc.
    Any ideas?

    The Express units can extend wireless on the TC or each other.. but they cannot extend wireless on the Asus anyway..
    So the setup is Asus--TC (that has to be ethernet) The TC in bridge mode.
    Then TC -- express can be done by ethernet in roaming mode as bob listed above or extend wireless.
    I am guessing.. what model are the express units.. they are older Gen1 N model ??
    IMHO the TC is simply no longer viable.. replace it with one express as the AP and extend it with the other Express.. see if that works better.
    But I would be trying to use the wireless just from the AC66U.
    I would also force the Asus back to 20mhz on the 2.4ghz band.. so you can provide adequate channel separation.. 40mhz wireless on 2.4ghz works poorly anyway because you have too much wifi .. there is very limited number of non-overlapping channels.. ie 3. 11, 6 and 1.

  • Ftp - ftpd and firewall configuration for passive connections

    I set up ftpd on my imac. Connecting and logging on work ok, but when I try to get a directory listing or xfer or send multiple commands it always locks up, i get a message "421 Service not available, remote server timed out. Connection closed" and I see that the ftpd process for that connection has terminated.
    Turning the firewall completely off allows ftpd to work correctly, but I was under the impression that if I check the "FTP Access" box under services, the firewall should CORRECTLY self-configure to allow connections to ftpd. Opening ports 1024-65535 guarantees that ftpd will work with a client's passive connection, but is there a better way?
    I tried opening 20 for the data connection and 21 for control, but unless I tell everyone to use an active connection, there is still a long wait before most ftp clients notice that passive isn't working and switch to an active connection, so I would like to avoid that also.

    Hi, we use FTPd (with Pure FTPd Manager) on our internal server here. While I'm not a complete expert, I do know that we were able to get passive FTP working only after we got this setup properly.
    The main reason we got this was for it's ability to set a default port range for passive FTP to work on. In Pure FTPd Manager, you go to Preferences/Settings and you will see the area to input your passive port range (we use 51000-51100).
    Then you just need to forward those ports (on a router) to your FTP server, and/or open those ports on your server firewall.
    It sounds like you already have ports 20-21 setup.
    Hope this helps!
    G5 Dual 2Ghz   Mac OS X (10.4)   1.5GB RAM

  • P30: Can not find configuration for Infrared connection

    I have a Cannon BJC-50 that I have had for a number of years and I want to connect it to my new Toshiba P30-144 Satellite notebook,m which does not have a parallel port.
    I want to connect with infrared but I cannot find the infrared icon under control panel.
    I checked the bios and there is no configuration for enabling infrared in the setup.
    please help

    Hi
    It seems you notebook doesnt support the IrDA.
    If you can not see it in the control panel and in the device manager the unit hasnt IrDA port. :(
    Bye

  • ASA 5505 LCP terminated: loosing connection every so often

    hi,
    i'm a little lost with interpreting the following debug messages of an ASA 5505 running "asa724-k8.bin".
    I'm loosing the connection every so often after 20-45 Minutes:
    %ASA-3-403503:PPPoE:PPP link down:
    %ASA-3-403503:PPPoE:PPP link down:Peer Terminated
    %ASA-3-403503:PPPoE:PPP link down:
    %ASA-3-403503:PPPoE:PPP link down:LCP down
    Debugs are attached.
    thanks
    colin

    Hi Colin,
    To me the PPPoE debug is a bit of a distraction.
    It would be wonderful just to see the PPP debug and not a PPPOE PADI etc.. but that's just my preference :-)
    If the Service provider is sending PPP LCP echo request, these act almost like a keepalive to verify the PPP link from the PPPoE access concentrator to the client is up and running. If the ASA doesn't respond, the Service providers access concentrator 'thinks' ah this link is down.
    The PPPoE access comncentrator send another LCP echo request and the client should send a echo reply.
    Usually in a PPP scenario, both ends send LCP echo requests and expect to see LCP echo replies. As both ends of a PPP link want to know if they are sending packets to a real end point, and that this end point is still up and running.
    Or if the Service provider doesn't see the LCP echo reply it will be patient and resent a LCP echo request. But if it still doesn't get a response to a echo request, maybe as a result of congestion over the PPPoE interface and Echo replies getting dumped, the service provider will send a PPP LCP terminate request.
    It does this as it has to assume that the link is down between the Access concentrator and the ASA PPPoE client, but it send the LCP terminate request so if the remote end of the link is really up, it will have an option to restart ppp negotiation again and bring up the PPPoE link. This i believe what you are seeing.
    The ASA should then start to initaite a PPPoE session again. You will keep on seeing;
    %ASA-3-403503:PPPoE:PPP link down:
    %ASA-3-403503:PPPoE:PPP link down:Peer Terminated
    %ASA-3-403503:PPPoE:PPP link down:
    %ASA-3-403503:PPPoE:PPP link down:LCP down
    As the Service provider is not seeing an appropriate response to it sending LCP echo requests.
    The ASA should be responding to LCP echo requests with LCP echo reply, worthwhile checking this in a debug. (LCP echo requests and replied are very different to ICMP echo requests and echo replied)
    The problem could be caused by LCP echo-replies being lost due to congestion.
    Again, would be wonderful to see how often you are receiving LCP echo-requests from the service provider and the responses.
    Interesting to see a wireshark or ethereal capture of only PPP LCP negotiation and LCP packets. To really see where the problem is.
    Sorry not much help without seeing a packet capture..
    regards Dave

  • ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address

    Using an ASA 5505 for firewall and VPN.  We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.
    The devices complete the connection and authenticate fine, but then are unable to hit any internal resources.  Split tunneling seems to be working, as they can still hit outside resources.  Packet tracer shows tcp flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24).  Even the NAT translation looks good in packet tracer.
    I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect.)  This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses.  Details:
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
    local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
    remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
    current_peer: [VPN CLIENT ADDRESS], username: vpnuser
    dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
    dynamic allocated peer ip(ipv6): 0.0.0.0
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
    #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
    #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
    #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
    #pkts invalid prot (rcv): 0, #pkts verify failed: 0
    #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
    #pkts invalid pad (rcv): 0,
    #pkts invalid ip version (rcv): 0,
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
    #pkts replay failed (rcv): 0
    #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (rcv): 0
    local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
    path mtu 1500, ipsec overhead 82(52), media mtu 1500
    PMTU time remaining (sec): 0, DF policy: copy-df
    ICMP error validation: disabled, TFC packets: disabled
    current outbound spi: 05BFAE20
    current inbound spi : CF85B895
    inbound esp sas:
    spi: 0xCF85B895 (3481647253)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
    slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (kB/sec): (4373998/3591)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x000FFFFD
    outbound esp sas:
    spi: 0x05BFAE20 (96448032)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
    slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (kB/sec): (4373999/3591)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    Any ideas?  The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.

     I have what I believe to be a similar issue. Site to site vpn is working well. That is site b can ping and send traffic to site A but Site A can not. Site B is a 3rd party vpn router. Site A is a Cisco 5505.
    It appears that when the crypto map inserts the route into the routing table it shows the route via the outside IP of the outside interface and not the IP of Site B. in the crypto map I can see the proper ip address for the peer. I can't figure out why when it inserts the route that it uses the wrong ip address

  • ASA 5505 Unable to assign ip to DMZ vlan interface

    hi all,
    I have ASA  5505 with base license.
    I created 3rd  vlan on it.it was created.
    but i am unable to assign IP to it.
    i assign ip address it takes it.
    But when i do sh int ip brief it does not show any ip.
    ciscoasa# sh int ip brief
    Interface                  IP-Address      OK? Method Status                Prot
    ocol
    Ethernet0/0                unassigned      YES unset  up                    up
    Ethernet0/1                unassigned      YES unset  up                    up
    Ethernet0/2                unassigned      YES unset  up                    up
    Ethernet0/3                unassigned      YES unset  administratively down down
    Ethernet0/4                unassigned      YES unset  administratively down down
    Ethernet0/5                unassigned      YES unset  administratively down down
    Ethernet0/6                unassigned      YES unset  administratively down down
    Ethernet0/7                unassigned      YES unset  administratively down down
    Internal-Data0/0           unassigned      YES unset  up                    up
    Internal-Data0/1           unassigned      YES unset  up                    up
    Vlan1                      192.168.1.1     YES CONFIG up                    up
    Vlan2                      192.168.11.2    YES CONFIG up                    up
    Vlan3                      unassigned      YES manual up                    up*************************************************************
    Virtual0                   127.0.0.1       YES unset  up                    up
    ciscoasa# config t
    ciscoasa(config)# int vlan 3
    ciscoasa(config-if)# ip ad
    ciscoasa(config-if)# ip address 192.168.12.2 255.255.255.0
    ciscoasa(config-if)# end
    ciscoasa# wr mem
    Building configuration...
    Cryptochecksum: 808baaba ced2a226 07cfb41f 9f6ec4f8
    4608 bytes copied in 1.630 secs (4608 bytes/sec)
    [OK]
    ciscoasa# sh int ip brief
    Interface                  IP-Address      OK? Method Status                Prot
    ocol
    Ethernet0/0                unassigned      YES unset  up                    up
    Ethernet0/1                unassigned      YES unset  up                    up
    Ethernet0/2                unassigned      YES unset  up                    up
    Ethernet0/3                unassigned      YES unset  administratively down down
    Ethernet0/4                unassigned      YES unset  administratively down down
    Ethernet0/5                unassigned      YES unset  administratively down down
    Ethernet0/6                unassigned      YES unset  administratively down down
    Ethernet0/7                unassigned      YES unset  administratively down down
    Internal-Data0/0           unassigned      YES unset  up                    up
    Internal-Data0/1           unassigned      YES unset  up                    up
    Vlan1                      192.168.1.1     YES CONFIG up                    up
    Vlan2                      192.168.11.2    YES CONFIG up                    up
    Vlan3                      unassigned      YES manual up                    up
    Virtual0                   127.0.0.1       YES unset  up                    up
    ciscoasa# sh ver
    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(9)
    Compiled on Fri 20-May-11 16:00 by builders
    System image file is "disk0:/asa825-k8.bin"
    Config file at boot was "startup-config"
    ciscoasa up 3 days 17 hours
    Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
    0: Int: Internal-Data0/0    : address is 001d.a24d.ed0e, irq 11
    1: Ext: Ethernet0/0         : address is 001d.a24d.ed06, irq 255
    2: Ext: Ethernet0/1         : address is 001d.a24d.ed07, irq 255
    3: Ext: Ethernet0/2         : address is 001d.a24d.ed08, irq 255
    4: Ext: Ethernet0/3         : address is 001d.a24d.ed09, irq 255
    5: Ext: Ethernet0/4         : address is 001d.a24d.ed0a, irq 255
    6: Ext: Ethernet0/5         : address is 001d.a24d.ed0b, irq 255
    7: Ext: Ethernet0/6         : address is 001d.a24d.ed0c, irq 255
    8: Ext: Ethernet0/7         : address is 001d.a24d.ed0d, irq 255
    9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces    : 8
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : Unlimited
    Failover                       : Disabled
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 10
    Dual ISPs                      : Disabled
    VLAN Trunk Ports               : 0
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    <--- More --->
    Need to know does this License support IP  to 3rd vlan ?
    Thanks
    Mahesh

    Hi Julio,
    I tried to config namef if but here is result
    ciscoasa# sh run int vlan 3
    interface Vlan3
    description DMZ  to 3550 New Switch
    no nameif
    security-level 50
    ip address 192.168.12.2 255.255.255.0
    ciscoasa# config t
    ciscoasa(config)# int vlan 3
    ciscoasa(config-if)# name
    ciscoasa(config-if)# namei
    ciscoasa(config-if)# nameif DMZ
    ERROR: This license does not allow configuring more than 2 interfaces with
    nameif and without a "no forward" command on this interface or on 1 interface(s)
    with nameif already configured.

  • ASA 5505 VPN Can not connect clients

    Hi,
    I tried to search for an answer to this question but I couldn't find the answer.
    I configured the VPN on the ASA, I can not  get a client to connect to the ASA  I've tried and search for an answer and I really need som help!
    Any help is greatly appreciated.
    : Saved
    ASA Version 7.2(2)
    hostname
    domain-name
    enable password
    names
    ddns update method
    ddns both
    interface Vlan1
    nameif inside
    security-level 100
    ddns update hostname
    ddns update
    dhcp client update dns
    ip address 192.168.1.1 255.255.255.0
    ospf cost 10
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.0
    ospf cost 10
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server
    name-server
    domain-name
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list EasyVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list OUTSIDE_IN_ACL extended permit ip any any
    access-list OUTSIDE_IN_ACL extended permit icmp any interface outside
    access-list Remote-VPN_splitTunnelAcl standard permit any
    access-list DefaultRAGroup_splitTunnelAcl standard permit any
    access-list Bild_splitTunnelAcl standard permit any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool TKK 192.168.1.200-192.168.1.220 mask 255.255.255.224
    ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
    no failover
    monitor-interface inside
    monitor-interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0_outbound
    static (inside,inside) tcp interface 3389 access-list inside_nat_static
    static (inside,inside) tcp interface ftp access-list inside_nat_static_2
    static (outside,inside) x.x.x.x 192.168.1.0 netmask 255.255.255.255 dns
    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server value 192.168.1.253
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission
    to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy EasyVPN internal
    group-policy EasyVPN attributes
    dns-server value 192.168.1.253
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value EasyVPN_splitTunnelAcl
    default-domain value xxx.se
    group-policy Remote-VPN internal
    group-policy Remote-VPN attributes
    dns-server value 192.168.1.253
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Remote-VPN_splitTunnelAcl
    default-domain value xxx.se
    group-policy CiscoASA internal
    group-policy CiscoASA attributes
    dns-server value 192.168.1.253 x.x.x.x
    vpn-tunnel-protocol IPSec webvpn
    group-policy Bild internal
    group-policy Bild attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Bild_splitTunnelAcl
    username User attributes
    vpn-group-policy DfltGrpPolicy
    username Bild password encrypted privilege 0
    username Bild attributes
    vpn-group-policy Bild
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 140 set pfs
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 160 set pfs
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 180 set pfs
    crypto dynamic-map outside_dyn_map 180 set transform-set TRANS_ESP_DES_SHA
    crypto dynamic-map outside_dyn_map 200 set pfs
    crypto dynamic-map outside_dyn_map 200 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 220 set pfs
    crypto dynamic-map outside_dyn_map 220 set transform-set ESP-DES-SHA
    crypto dynamic-map inside_dyn_map 20 set pfs
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    crypto isakmp ipsec-over-tcp port 10000
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group Bild type ipsec-ra
    tunnel-group Bild general-attributes
    address-pool TKK
    default-group-policy Bild
    tunnel-group Bild ipsec-attributes
    pre-shared-key *
    tunnel-group CiscoASA type ipsec-ra
    tunnel-group CiscoASA general-attributes
    address-pool vpn
    default-group-policy CiscoASA
    tunnel-group CiscoASA ipsec-attributes
    pre-shared-key *
    tunnel-group EasyVPN type ipsec-ra
    tunnel-group EasyVPN general-attributes
    address-pool vpn
    default-group-policy EasyVPN
    tunnel-group EasyVPN ipsec-attributes
    pre-shared-key *
    tunnel-group Remote-VPN type ipsec-ra
    tunnel-group Remote-VPN general-attributes
    address-pool VPN-Pool
    default-group-policy Remote-VPN
    tunnel-group Remote-VPN ipsec-attributes
    pre-shared-key *
    class-map global-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global-policy
    class global-class
      inspect ftp
      inspect icmp
      inspect pptp
    service-policy global-policy global
    prompt hostname context
    Cryptochecksum:8cdda33b1993ba7bb33db88d996e939c
    : end

    Hi Fredrik,
    I see your acl "outside_nat0_outbound" set on inside interface for no nat, but I do not see, the acl is being defined anywhere on your config.
    I also strongly recommand create your vpn-pool to be different subnet rather being as same as your inside ip of your ASA.
    so, let assume your vpn pool is 192.168.255.1-254/24
    so, your no-nat for inside will look like this below.
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.255.0 255.255.255.0
    Let me know, if this helps.
    thanks

  • How to add in ODBC connection and configuration for data connection

    Hello expert,
    on my computor, there is a oracle client for oracle 10g. now there is new oracle 11g installed , I want to create a ODBC connection to this new database. but when I create ODBC , I can't find server type for oracle 11g , there only has driver for oracle 10g. will you please tell me how to create ODBC for this new DB? will you please tell me where is the configuration file for data source on my computor?
    Many Thanks,

    918440 wrote:
    Hello expert,
    on my computor, there is a oracle client for oracle 10g. now there is new oracle 11g installed , I want to create a ODBC connection to this new database. but when I create ODBC , I can't find server type for oracle 11g , there only has driver for oracle 10g. will you please tell me how to create ODBC for this new DB? will you please tell me where is the configuration file for data source on my computor?
    Many Thanks,So, on this machine you have
    - Oracle 10g client (only), and in a seperate ORACLE_HOME
    - Oracle 11g rdbms
    First, the 10g client will connect quite well to the 11g database
    Second, the 11g database includes the basic client admin software, but the odbc drivers are not installed by default. You have to run OUI and choose 'custom' installation, then select 'windows components' from the list of available components.
    I've never wanted to install the odbc driver as part of the database installation. Only on remote client installations.
    What are you really trying to achieve?

  • Static IP configuration for WLAN connectivity on N...

    My WLAN connectivity requires static IP configuration, any tips on how to configure the same on Nokia N97

    Menu > Settings > Connectivity > Destinations
    Enter the "destination" containing the access point that is your WLAN. Edit that access point.
    Options > Advanced settings > IPv4 settings
    Enter the phone's IP address and you will then be prompted to enter other key pieces of information such as the subnet mask, default gateway and nameserver addresses.
    Was this post helpful? If so, please click on the white "Kudos!" star below. Thank you!

  • ASA 5500 configuration for VC

    Hi All ,
    i have to open ports for vedio conferencing in my Firewall configuration , can some advise me the steps to do it successfully .
    regards ,

    Hi Bro
    The TCP and UDP ports that needs to be permitted in your FW rules varies according to the VC product manufacturer. For example, if you were using Tandberg (recently acquired by Cisco) the TCP and UDP ports needed to be permitted are as defined in http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/conferencing_products_conferenceme_ports_used_kb_3.shtml
    Generally, the TCP and UDP ports for VC are as listed below;
    TCP/389
    TCP/1002
    TCP/1503
    TCP/1720
    TCP/1024-65535 & UDP/1024-65535
    UDP/1718 - 1719
    Note: You could include in your ACL "deny ip any any log" on the last line, to unearth more TCP and UDP ports, assuming they are not listed above.
    Sometimes, you may need to disable the default inspects too (but do this as a last resort), assuming you do see packet drops when issuing the command "show service-policy global".
    policy-map global_policy
    class inspection_default
    no inspect h323 h225
    no inspect h323 ras
    no inspect skinny
    no inspect sip
    P/S: If you think this comment is useful, please do rate them nicely :-) and select the option "THIS QUESTION IS ANSWERED"

Maybe you are looking for

  • HP Printer Driver not currently available from Software Update server

    I have an iMac (early 2009) and an HP OfficeJet 6100 Series printer.  I just upgraded my Apple Extreme Base Station and when I try to add the printer again thru the new Base Station the iMac says the software is available from the Apple Server but af

  • External TFT - LCD TV to MacBook

    Hi , Which cables do I need to connect a 17 inch TFT-LCD TV to my macbook. Or has anyone any advice on a monitor/television at a reasonable price that I could buy mainly to watch movies stored on the MacBook. Thank you in advance, any advice is most

  • ORA-00313: open failed for members during restore from COLD backup

    Hi all, I took a cold backup of an 11.1 database using RMAN (database in mount state). I used the following command to restore it: restored the controlfile and then RESTORE DATABASE FROM TAG 'TAGxxxxxxxxxx'; Now I'm restoring it and it's taking too m

  • IPhoto exif data

    Does iphoto strip some of the exif data from photos? I'm currently using iPhoto as my photo management tool and I also use photoshop elements to do some editing. When I view the photo info in iPhoto, it seems like the data is pretty skimpy. Specifica

  • Keypad lights but no activity

    Heard a "pop" last night, checked everything around the iMac and the only thing not working correctly was the bluetooth keypad extension on the keyboard.  Get a yellow light when I push reset, green when turned on and off.  But no key action. Is it p