Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out

I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off.
The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
1500

Hi Martin,
Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
If it is outside world the you may need to check on the NAT rules which is not correct.
If it is site to site then you may need to check few other things.
Please do rate for the helpful posts.
By
Karthik

Similar Messages

  • Cisco ASA 5505 - Can't Login from Public & Local IP Anymore!

    Hello,
    We've a Cisco ASA 5505 connected directly to Verizon FiOS Circuit (ONT) box using Ethernet cable. As per the existing documention that I have, the previous configured this as a dedicated router to establish a seperate VPN connection our software provider. They assigned both Public Static and Local Static IP address. When I try to ping the public IP address, it says request time out; so the public IP address is no longer working.
    When I ping the local IP address of 192.168.100.11, it responds. The SolarWind tool also shows Always UP signal. How can I login into this router either from remotely or locally to check the configuration, backup and do the fimrware upgrade?
    I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to Internet without any issues. However I don't know the IP address to use to login.
    Any advice would be greatly appreciated. Thank you.
    UPDATE: I'm able to find the way! I need to use https to login! I'm able to download ASDM tool and login! Thanks to these resources:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
    http://cyruslab.wordpress.com/2010/09/09/how-to-download-asdm-from-asa5505-and-install-it/

    Hi Srinath,
    If that ASA5505 has factory-default configuration on it , then it probably has 192.168.1.1 ip address on the LAN side and has got dhcp server turned on to provide you ip address dynamically the moment you hook up a machine to it directly or through a switch.
    If you've access to ASDM.
    You can go the Configuration Tab>>Device Management>>Device Access and turn on the SSH & Telnet from the LAN interface because by default only HTTPS/ASDM is enabled on LAN interface.
    You will still need to generate crypto keys and create a username in order to get ssh working
    For this you can click at the TOP at TOOLS>> Command Line Interface.
    And in the box below type this
    crypto key generate rsa modulus 1024
    add a username
    username <> password <> priv 15
    and enable aaa authentication for ssh like this
    aaa authentication ssh console LOCAL
    Let me know if this helps.
    Puneet

  • Cisco ASA 5505 can ping gateway but can't ping internet

    Good day to all!
    Sorry if I post this on the wrong group, I am having a bit of a problem on configuring an ASA 5505 firewall. And I scoured google but can't seem to find a specific link to my issues.
    It is on a routed mode, have successfully configured inside and outside vlans. Hosts inside vlan can ping each other. Hosts on outside vlan can also ping each other. Problem is, when I am pinging 8.8.8.8, I received ????? Please see config below.
    Any help greatly appreciated.
    TIA!
    : Saved
    ASA Version 8.4(3)
    hostname ciscoasan
    enable password bD3fGYMFeJJTATOJ encrypted
    passwd 2KF1w9ErdI.2KYOU encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     description INSIDE
     nameif inside
     security-level 100
     ip address 10.10.10.2 255.255.255.0
    interface Vlan2
     description OUTSIDE
     nameif outside
     security-level 0
     ip address 203.127.68.2 255.255.255.240
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network obj_any
     nat (inside,outside) dynamic interface
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 203.127.68.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    http authentication-certificate inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny  
      inspect sunrpc
      inspect xdmcp
      inspect sip  
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6b3e0ce99eda3d2563cf9f392f8001b7
    : end

    Hi badingdong,
    Remove these lines:
    no nat (inside,outside) after-auto source dynamic any interface
    no access-group outside_access_in in interface outside
    If you have more inside subnets need access to internet, please make sure that you have a static route in place as shown below.
    route inside 10.0.0.0 255.0.0.0 10.10.10.1
    Also make sure that you have a correct DNS server is assigned on your internal hosts.
    Thanks
    Rizwan Rafeek

  • Cisco ASA 5505 doesn't forware incoming connection to LAN

    Hello everybody.
    I just got a Cisco asa 5505 with the next OS and ASDM info
    ASA 5505 OS 8.4(3) ASDM 6.47
    I configured and enter all rules to allow incoming traffic to LAN but it's not working also, I have one host inside that is configured in a second IP and create the rule to allow traffic to it but it doesn't work too.
    Problem 1
    I have VNC running in port 5900 tcp and I want to connect from Internet using port 6001 and this has to forware the connection to the real VNC port. In the configuration I have a few host with the same configuration but I use different outside port to get it.
    Problem 2.
    I have a second IP with services: SMTP, HTTP, HTTPS and port 444 all TCP forwarding to a server in the LAN.
    Facts:
    SMTP.
    Every time that I do telnet to the second IP looking for the SMTP port, the firewall doesn't let the incoming connection goes through and the LOGGING screen doesn't how that connection.
    PORT 6001 (outside)
    this port is configured to work with the IP in the outside internface and it was to send the incoming connection to a host inside to the real port 5900.
    Can any one check my configuration if I'm missing anything? for sure I'm but I didn't find it. Bellow is the configuration, I masked the Public IPs just left the last number in the IP, also I left the LAN network to see better the configuration.
    I will appreciate any help.
    Thanks a lot..
    CONFIGURATION.
    : Saved
    ASA Version 8.4(3)
    hostname saturn1
    domain-name mydominio.com
    enable password SOMEPASS encrypted
    passwd SOMEPASS encrypted
    names
    name 192.168.250.11 CAPITOLA-LAN
    name 192.168.250.15 OBIi110-LAN
    name 192.168.250.21 DRP1260-LAN
    name 192.168.250.22 HPOJ8500-LAN
    name 192.168.250.30 AP-W77-NG-LAN
    name 192.168.250.97 AJ-DTOP-PC-LAN
    name 192.168.250.96 SWEETHEART-PC-LAN
    name 192.168.250.94 KIDS-PC-LAN
    name XX.YY.ZZ.250 EXTERNALIP
    name XX.YY.ZZ.251 EXTERNALIP2
    name XX.YY.ZZ.1 GTWAY
    dns-guard
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.250.2 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address EXTERNALIP 255.255.255.0
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name mydominio.com
    object network CAPITOLA-LAN
    host 192.168.250.11
    object network EXTERNALIP
    host XX.YY.ZZ.250
    description Created during name migration
    object network CAPITOLA-PUBLIC
    host XX.YY.ZZ.251
    object network capitola-int
    host 192.168.250.11
    object network capitola-int-vnc
    host 192.168.250.11
    object network aj-dtop-int-vnc
    host 192.168.250.97
    object network sweetheart-int-vnc
    host 192.168.250.96
    object network kids-int-vnc
    host 192.168.250.94
    object network VPNNetwork
    subnet 10.10.20.0 255.255.255.0
    object network InsideNetwork
    subnet 192.168.250.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network capitola-int-smtp
    host 192.168.250.11
    object-group service capitola-int-smtp-service tcp
    port-object eq smtp
    object-group service capitola-int-services tcp
    port-object eq smtp
    port-object eq https
    port-object eq www
    port-object eq 444
    object-group service capitola-int-vnc-service tcp
    port-object eq 6001
    object-group service aj-dtop-int-vnc-service tcp
    port-object eq 6002
    object-group service sweetheart-int-vnc-service tcp
    port-object eq 6003
    object-group service kids-int-vnc-service tcp
    port-object eq 6004
    access-list incoming extended permit icmp any any
    access-list incoming extended permit tcp any object capitola-int object-group capitola-int-services
    access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service
    access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service
    access-list incoming extended permit tcp any object sweetheart-int-vnc object-group sweetheart-int-vnc-service
    access-list incoming extended permit tcp any object kids-int-vnc object-group kids-int-vnc-service
    access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service
    access-list split-tunnel standard permit 192.168.250.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any object VPNNetwork
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 10.10.20.1-10.10.20.50 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static any any destination static VPNNetwork VPNNetwork no-proxy-arp
    object network capitola-int
    nat (any,any) static XX.YY.ZZ.251
    object network capitola-int-vnc
    nat (inside,outside) static interface service tcp 5900 6001
    object network aj-dtop-int-vnc
    nat (inside,outside) static interface service tcp 5900 6002
    object network sweetheart-int-vnc
    nat (inside,outside) static interface service tcp 5900 6003
    object network kids-int-vnc
    nat (inside,outside) static interface service tcp 5900 6004
    object network obj_any
    nat (inside,outside) dynamic interface
    object network capitola-int-smtp
    nat (any,outside) static interface service tcp smtp smtp
    access-group incoming in interface outside
    route outside 0.0.0.0 0.0.0.0 GTWAY 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http server idle-timeout 2
    http server session-timeout 1
    http 192.168.1.0 255.255.255.0 inside
    http CAPITOLA-LAN 255.255.255.255 inside
    http AJ-DTOP-PC-LAN 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh CAPITOLA-LAN 255.255.255.255 inside
    ssh AJ-DTOP-PC-LAN 255.255.255.255 inside
    ssh timeout 15
    console timeout 0
    vpn-addr-assign local reuse-delay 2
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password SOMEPASS encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect pptp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:036b82d3eb5cffc1c65a3b381246d043
    : end
    asdm image disk0:/asdm-647.bin
    no asdm history enable

    Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
    access list rule:
    access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
    nat rule:
    nat (inside,outside) source static server interface service voip-range voip-range
    - 'server' is a network object *
    - 'voip-range' is a service group range
    I'd assume you can do something similar here in combination with my earlier comment:
    access-list incoming extended permit tcp any any eq 5900
    Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
    When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
    After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
    They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
    Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
    3
    Nov 21 2012
    07:11:09
    713061
    Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5
    Nov 21 2012
    07:11:09
    713119
    Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
    I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
    If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
    Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
    I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
    Maybe you could try to change the Encryption Domain configurations a bit and test it then.
    You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

  • Cisco ASA 5505 Password Problem

    I recently ran into a telnet, console, and enable password issue that was unexpected and I am hoping someone can explain what happened. 
    I had two working Cisco ASA 5505's that were two end-points of a Site-to-Site VPN.  I had used the ASDM file management tools to copy disk0 startup-config.cfg to a file named old-startup-config.cfg on disk0, on both ASA systems, and I wanted those two files to function as good working startup-config backups that I could return to, right there on the firewall, if I had to.  I also used the ASDM file management tools to make configuration "zip" backups to my local computer.  I am aware that the actual startup-config file is some type of hidden file.
    I had made some changes to both Cisco ASA 5505s, but no password changes, and everything was working great and was reloading great.  Then, I suddenly found that I needed to revert back to the old working configurations that I had backed up previously.  I used the ASDM file management tools to copy old-startup-config.cfg back to startup-config.cfg on disk0 on both machines.  I think I may have also issued the CLI command copy old-startup-config.cfg startup-config.  I asked both systems to reload without writing the running-config's to memory.
    When the systems reloaded, the console, telnet, and enable passwords were no longer recognized on the CLI and Web interface.  The interfaces loaded normally, but the passwords didn't work and the cisco default passwords didn't work either.  I had to go to each unit's physical location and perform a power cycle and console password recovery.
    I am not sure why that happened.  Is the startup-config.cfg file on disk0 an altered version of the actual startup-config configuration with missing or encrypted password credentials?  I would have never guessed in a million years that my procedure would have knocked out the enable password.
    Instead of copy startup-config.cfg old-startup-config.cfg, should I have issued the command copy startup-config old-startup-config.cfg to make a local backup of a working configuration?
    I have one more semi-related question.  If one uses ASDM file management to create a zip backup of a startup-config or running-config and then proceeds to restore a running-config, when does the restored running-config take effect? 

    If password recovery is disabled then you are locked out hard. You have to sacrifice the config to "re-admin" the appliance. Sorry for the bad news but that's the way it is by design. If there was a "back door" it would hardly be a security appliance would it?

  • Cisco asa 5505 issues ( ROUTING AND PAT)

    I have some issues with my cisco asa 5505 config. Please see details below:
    NETWORK SETUP:
    gateway( 192.168.223.191)   - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 )  -
    ISSUES:
    1)
    no route from DMZ to outside
    example:
    ping from 172.16.3201 to the gateway
    6          Jan 27 2014          11:15:33                    172.16.3.201          39728                              Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
    2)
    not working access from external to DMZ AT ALL
    ASA DETAILS:
    cisco asa5505
    Device license          Base
    Maximum Physical Interfaces          8          perpetual
    VLANs          3      DMZ Restricted
    Inside Hosts          Unlimited          perpetual
    configuration:
    firewall200(config)# show run
    : Saved
    ASA Version 9.1(3)
    hostname firewall200
    domain-name test1.com
    enable password xxxxxxxxxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd XXXXXXXXXXX encrypted
    names
    interface Ethernet0/0
    switchport access vlan 100
    interface Ethernet0/1
    switchport access vlan 200
    interface Ethernet0/2
    switchport access vlan 200
    interface Ethernet0/3
    switchport access vlan 200
    interface Ethernet0/4
    switchport access vlan 300
    interface Ethernet0/5
    switchport access vlan 300
    interface Ethernet0/6
    switchport access vlan 300
    interface Ethernet0/7
    switchport access vlan 300
    interface Vlan100
    nameif outside
    security-level 0
    ip address 192.168.223.200 255.255.255.0
    interface Vlan200
    mac-address 001b.539c.597e
    nameif inside
    security-level 100
    ip address 172.16.2.253 255.255.255.0
    interface Vlan300
    no forward interface Vlan200
    nameif DMZ
    security-level 50
    ip address 172.16.3.253 255.255.255.0
    boot system disk0:/asa913-k8.bin
    boot config disk0:/startup-config.cfg
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name test1.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network office1-int
    host 172.16.2.1
    object network firewall-dmz-gateway
    host 172.16.3.253
    object network firewall-internal-gateway
    host 172.16.2.253
    object network com1
    host 192.168.223.227
    object network web2-ext
    host 192.168.223.201
    object network web2-int
    host 172.16.3.201
    object network gateway
    host 192.168.223.191
    object network office1-int
    host 172.16.2.1
    object-group network DMZ_SUBNET
    network-object 172.16.3.0 255.255.255.0
    object-group service www tcp
    port-object eq www
    port-object eq https
    access-list DMZ_access_in extended permit icmp any any
    access-list DMZ_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any object web2-ext eq www
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500 
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp DMZ 172.16.4.199 001b.539c.597e alias
    arp DMZ 172.16.3.199 001b.539c.597e alias
    arp timeout 14400
    no arp permit-nonconnected
    object network web2-int
    nat (DMZ,outside) static web2-ext service tcp www www
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
    route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.223.227 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.223.227 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 172.16.2.10-172.16.2.10 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 176.58.109.199 source outside prefer
    ntp server 81.150.197.169 source outside
    ntp server 82.113.154.206
    username xxxx password xxxxxxxxx encrypted
    class-map DMZ-class
    match any
    policy-map global_policy
    policy-map DMZ-policy
    class DMZ-class
      inspect icmp
    service-policy DMZ-policy interface DMZ
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
    : end

    Thank you one more time for everthing. It is workingin indeed
    Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
    show run
    : Saved
    ASA Version 9.1(3)
    hostname firewall200
    domain-name test1.com
    enable password xxxxxxxxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxxxxxxxxxx encrypted
    names
    interface Ethernet0/0
    switchport access vlan 100
    interface Ethernet0/1
    switchport access vlan 200
    interface Ethernet0/2
    switchport access vlan 200
    interface Ethernet0/3
    switchport access vlan 200
    interface Ethernet0/4
    switchport access vlan 300
    interface Ethernet0/5
    switchport access vlan 300
    interface Ethernet0/6
    switchport access vlan 300
    interface Ethernet0/7
    switchport access vlan 300
    interface Vlan100
    nameif outside
    security-level 0
    ip address 192.168.223.200 255.255.255.0
    interface Vlan200
    mac-address 001b.539c.597e
    nameif inside
    security-level 100
    ip address 172.16.2.253 255.255.255.0
    interface Vlan300
    no forward interface Vlan200
    nameif DMZ
    security-level 50
    ip address 172.16.3.253 255.255.255.0
    boot system disk0:/asa913-k8.bin
    boot config disk0:/startup-config.cfg
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup inside
    dns domain-lookup DMZ
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    domain-name test1.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network firewall-dmz-gateway
    host 172.16.3.253
    object network firewall-internal-gateway
    host 172.16.2.253
    object network com1
    host 192.168.223.227
    object network web2-ext
    host 192.168.223.201
    object network web2-int
    host 172.16.3.201
    object network gateway
    host 192.168.223.191
    object network office1-int
    host 172.16.2.1
    object-group network DMZ_SUBNET
    network-object 172.16.3.0 255.255.255.0
    object-group service www tcp
    port-object eq www
    port-object eq https
    access-list DMZ_access_in extended permit icmp any any
    access-list DMZ_access_in extended permit ip any any
    access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
    access-list outside_access_in extended permit tcp any object web2-int eq www
    access-list outside_access_in extended permit tcp any object web2-int eq ssh
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any DMZ
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp DMZ 172.16.4.199 001b.539c.597e alias
    arp DMZ 172.16.3.199 001b.539c.597e alias
    arp timeout 14400
    no arp permit-nonconnected
    object network web2-int
    nat (DMZ,outside) static web2-ext net-to-net
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.223.227 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.223.227 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 outside
    ssh 172.16.3.253 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 176.58.109.199 source outside prefer
    ntp server 81.150.197.169 source outside
    ntp server 82.113.154.206
    username xxxxx password xxxxxxxxx encrypted
    class-map DMZ-class
    match any
    policy-map global_policy
    policy-map DMZ-policy
    class DMZ-class
      inspect icmp
    service-policy DMZ-policy interface DMZ
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
    : end

  • I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

    I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
    I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
    I need to allow the following IP addresses to have RDP access to my server:
    66.237.238.193-66.237.238.222
    69.195.249.177-69.195.249.190
    69.65.80.240-69.65.80.249
    My external WAN server info is - 99.89.69.333
    The internal IP address of my server is - 192.168.6.2
    The other server shows up as 99.89.69.334 but is working fine.
    I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
    THE FOLLOWING IS MY CONFIGURATION FILE
    Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
    Also the bolded lines are the modifications I made but that arent working.
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password DowJbZ7jrm5Nkm5B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.89.69.233 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network EMRMC
    network-object 10.1.2.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.11.0 255.255.255.0
    network-object 172.16.0.0 255.255.0.0
    network-object 192.168.9.0 255.255.255.0
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service GMED tcp
    description GMED
    port-object eq 3390
    object-group service MarsAccess tcp
    description MarsAccess
    port-object range pcanywhere-data 5632
    object-group service MarsFTP tcp
    description MarsFTP
    port-object range ftp-data ftp
    object-group service MarsSupportAppls tcp
    description MarsSupportAppls
    port-object eq 1972
    object-group service MarsUpdatePort tcp
    description MarsUpdatePort
    port-object eq 7835
    object-group service NM1503 tcp
    description NM1503
    port-object eq 1503
    object-group service NM1720 tcp
    description NM1720
    port-object eq h323
    object-group service NM1731 tcp
    description NM1731
    port-object eq 1731
    object-group service NM389 tcp
    description NM389
    port-object eq ldap
    object-group service NM522 tcp
    description NM522
    port-object eq 522
    object-group service SSL tcp
    description SSL
    port-object eq https
    object-group service rdp tcp
    port-object eq 3389
    access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
    access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
    access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
    access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
    access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.6.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 68.156.148.5
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    tunnel-group 68.156.148.5 type ipsec-l2l
    tunnel-group 68.156.148.5 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
    : end
    ciscoasa(config-network)#

    Unclear what did not work.  In your original post you include said some commands were added but don't work:
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    and later you state you add another command that gets an error:
    static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
    You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
    The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
    Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

  • Cisco ASA 5505 and comodo SSL certificate

    Hey All,
    I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
    Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
    On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
    What am I missing here? I can post config if anyone needs it.
    (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

    It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
    ASA Version 9.0(2)
    hostname MyDomain-firewall-1
    domain-name MyDomain.com
    enable password omitted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd omitted
    names
    name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
    name 10.200.0.0 MyDomain_New_IP description MyDomain_New
    name 10.100.0.0 MyDomain-Old description Inside_Old
    name XXX.XXX.XX.XX Provider description Provider_Wireless
    name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
    name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
    ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
    ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address Cisco_ASA_5505 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Provider 255.255.255.252
    boot system disk0:/asa902-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.0.3.21
    domain-name MyDomain.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network MyDomain-Employee
    subnet 192.168.208.0 255.255.255.0
    description MyDomain-Employee
    object-group network Inside-all
    description All Networks
    network-object MyDomain-Old 255.255.254.0
    network-object MyDomain_New_IP 255.255.192.0
    network-object host MyDomain-Inside
    access-list inside_access_in extended permit ip any4 any4
    access-list split-tunnel standard permit host 10.0.13.1
    pager lines 24
    logging enable
    logging buffered errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
    route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
    route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
    route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record "Network Access Policy Allow VPN"
    description "Must have the Network Access Policy Enabled to get VPN access"
    aaa-server LDAP_Group protocol ldap
    aaa-server LDAP_Group (inside) host 10.0.3.21
    ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http MyDomain_New_IP 255.255.192.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    no validation-usage
    no accept-subordinates
    no id-cert-issuer
    crl configure
    crypto ca trustpoint VPN
    enrollment terminal
    fqdn vpn.mydomain.com
    subject-name CN=vpn.mydomain.com,OU=IT
    keypair vpn.mydomain.com
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpool policy
    crypto ca server
    shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
        omitted
      quit
    crypto ca certificate chain VPN
    certificate
        omitted
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca
        omitted
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint VPN
    telnet timeout 5
    ssh MyDomain_New_IP 255.255.192.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
    ssl trust-point VPN outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
    anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
    anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
    anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value MyDomain.com
    group-policy MyDomain-Employee internal
    group-policy MyDomain-Employee attributes
    wins-server none
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value MyDomain.com
    webvpn
      anyconnect profiles value MyDomain-employee type user
    username MyDomainadmin password omitted encrypted privilege 15
    tunnel-group MyDomain-Employee type remote-access
    tunnel-group MyDomain-Employee general-attributes
    address-pool MyDomain-Employee-Pool
    authentication-server-group LDAP_Group LOCAL
    default-group-policy MyDomain-Employee
    tunnel-group MyDomain-Employee webvpn-attributes
    group-alias MyDomain-Employee enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
    : end
    asdm image disk0:/asdm-712.bin
    asdm location MyDomain_New_IP 255.255.192.0 inside
    asdm location MyDomain-Inside 255.255.255.255 inside
    asdm location MyDomain-Old 255.255.254.0 inside
    no asdm history enable

  • Cisco ASA 5505 and PAT

    So I have a weird problem that I'm hoping someone has a point in the right direction I can follow... At home I have a Cisco ASA 5505 - not very complex network some BCP configs and it's providing a NAT (PAT). I have a static IP and using a few RFC 1918 segments - like I said nothing earth shattering. I have a linksys E1200 802.11N WPA2 PSK - again pretty standard. I connect laptops, iPads, iPhones, Kindles, Androids no problem. Until recently my 60" Vizio had no issues using the network (wired or wireless). Now network is failing on the TV. I see it get to the FW and I can ping trace etc... to the TV. The FW logs show resets (log is below).
    Now here is the real interesting part - if I turn the tether feature on my iPhone on and connect the TV to it - it works - what's even more interesting is if I then go back to the home network it all works again no problem until I reboot the TV... HELP!
    Apr 19 15:34:09 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60657 to outside:68.162.222.142/57003
    Apr 19 15:34:09 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61988 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60657 (68.162.222.142/57003)
    Apr 19 15:34:09 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61988 for outside:98.137.204.251/443 to inside:10.10.10.139/60657 duration 0:00:00 bytes 3689 TCP Reset-I
    Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60658 to outside:68.162.222.142/53332
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61989 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60658 (68.162.222.142/53332)
    Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/37006 to outside:68.162.222.142/40015
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61990 for outside:98.136.10.32/443 (98.136.10.32/443) to inside:10.10.10.139/37006 (68.162.222.142/40015)
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61989 for outside:98.137.204.251/443 to inside:10.10.10.139/60658 duration 0:00:00 bytes 3689 TCP Reset-I
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61990 for outside:98.136.10.32/443 to inside:10.10.10.139/37006 duration 0:00:00 bytes 3689 TCP FINs
    A

    Hello ras,
    As you mentioned the TV is sending a reset packet to the remote address. I will recommend you to create a capture of the traffic and review the traffic at the packet level to see a posible reason for the drop.
    Here is how. Then you can download it to pcap format and uploaded to the forum for further analysis.
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
    http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-6941209
    Hope this information is helpful.

  • Cisco asa 5505: No traffic lan to wan with IPv6

    Hello everybody,
    I have a Cisco ASA 5505, public ipv6 in outside interface, private ipv6 in LAN, from router I can ping any ipv6 in Internet and ping my LAN ipv6. Traffic doesn't go through router.
    This is my configuration.
    interface Vlan1
     nameif inside
     security-level 100
     ip address PRIV-Saturn1 255.255.255.0
     ipv6 address fc00::1/7
     ipv6 enable
    interface Vlan2
     nameif outside
     security-level 0
     ip address PUBLIC26 255.255.255.248
     ipv6 address xxxx:yyyy:67:36::2/64
     ipv6 enable
     ipv6 nd suppress-ra
    access-list Dynamic_Filter_ACL extended permit tcp any6 any6
    ipv6 route outside ::/0 xxx:yyyy:67:36::1
    Am I omitting anything?
    Thanks in advance for the help.
    Jos P

    Since you're using IPv6 private addressing (fc00::) on the inside, you need a dynamic NAT entry to translate your private IPv6 addresses to a public one.
    Alternatively, you could just use a subnet of your registered IPv6 block for the inside network and not worry about NAT.

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
    Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enable the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
    Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
    Regards
    Karthik

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
    I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
    Please help me to find where is the issue.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate.
    I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
    Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
    Because on Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.

  • Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

    Hello,
    I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    ip address outside xxx.xxx.xxx.94 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

    Hey Craig,
    Based on your commands I think you were using 6.3 version on PIX and now you must be  moving to ASA ver 8.2.x.
    On 8.4 for interface defining use below mentioned example :
    int eth0/0
    ip add x.x.x.x y.y.y.y
    nameif outside
    no shut
    int eth0/1
    ip add x.x.x.x y.y.y.y
    nameif inside
    no shut
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
    If you're still not able to reach.Paste your entire config and version that you are using on ASA.

  • Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505

    Problem : Unable to access user A to user B
    User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} )  --- User B
    After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.
    Ping is unsuccessful from user A to user B
    Ping is successful from user B to user A, data is accessable
    After done the packet tracer from user A to user B,
    Result :
    Flow-lookup
    Action : allow
    Info: Found no matching flow, creating a new flow
    Route-lookup
    Action : allow
    Info : 192.168.5.203 255.255.255.255 identity
    Access-list
    Action : drop
    Config Implicit Rule
    Result - The packet is dropped
    Input Interface : inside
    Output Interface : NP Identify Ifc
    Info: (acl-drop)flow is denied by configured rule
    Below is Cisco ASA 5505's show running-config
    ASA Version 8.2(1)
    hostname Asite
    domain-name ssms1.com
    enable password ZZZZ encrypted
    passwd WWWW encrypted
    names
    name 82 B-firewall description Singapore office firewall
    name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
    name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
    name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
    name 122 A-forti
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.5.203 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 93 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ssms1.com
    object-group network obj_any
    network-object 0.0.0.0 0.0.0.0
    access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
    access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 81 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http B-inside-subnet 255.255.255.0 inside
    http fw-inside-subnet 255.255.255.0 inside
    http 0.0.0.0 255.255.255.255 outside
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer A-forti
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set peer B-firewall
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption aes-192
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.5.10-192.168.5.20 inside
    dhcpd dns 165 165 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    username admin password XXX encrypted privilege 15
    tunnel-group 122 type ipsec-l2l
    tunnel-group 122 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    class-map outside-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      message-length maximum client auto
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    policy-map outside-policy
    description ok
    class outside-class
      inspect dns
      inspect esmtp
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect icmp
      inspect icmp error
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    service-policy global_policy global
    service-policy outside-policy interface outside
    prompt hostname context
    Cryptochecksum: XXX
    : end
    Kindly need your expertise&help to solve the problem

    any1 can help me ?

Maybe you are looking for

  • How do I move settings from one Airport unit to another?

    I am considering buying one of those new Airport Expresses, the one with dual band. I have a few questions about importing the settings (from my existing Extreme unit): - Is it true that it's better to start from scratch when setting up the new unit

  • Date separate year, month and day

    Hello everyone and thanks in advance, I'm new to this and the truth is not doing this. Well, I have a PDF with several pages which I designed and has been asking me in a complete date in the format dd / mm / yy and subsequent pages he asks me the sam

  • Installed Program (Themes) Not Display in Applicat...

    Dear ALL: Hi I am Amer. I have a problem. After successfully installation of theme when I want to un-install any of them I can't found in Application Manager list. What is the problem.

  • Translation of standard texts that appear in applications

    Hi Experts, I am building my webdynpro applications in a Language in which translations are not provided by SAP but it supports the language in Unicode. My issue is that when I am running the application, the standard texts like 'Please Wait'  while

  • Content has been indexed with Info only. Resubmit should only be performed

    Hi All, Im using the Oracle Content Server (OCS) , When im trying to checkin new document then i get the below mentioned error message can any one plz tell me that what is the problem. Error Message:_ Text conversion of the file failed. Content has b