Cisco asa 5505 issues ( ROUTING AND PAT)

Similar Messages

• CISCO ASA 5505 bandwidth Controll and split

  Dear All,
  Below am giving the infrastructure which i like to do please help me.
  I Am Using Cisco ASA 5505 VPN Firewall and 6Mbps 1:1 dedicated internet connection.
  in Lan Side we have 3 networks one for Internet Users one For VPN Users One for CCTV
  i would like to split the 6Mbps bandwidth for these network 3 networks 3x2 each
  each network use 2Mbps bandwidth. The VPN and CCTV Users use up to 6:00 pm after that the bandwidth will be free
  after the 6:00 pm we need to use the the VPN and CCTV line bandwidth to the internet Users.
  Cisco Adaptive Security Appliance Software Version 7.2(4)
  Device Manager Version 5.2(4)
  Compiled on Sun 06-Apr-08 13:39 by builders
  System image file is "disk0:/asa724-k8.bin"
  so please help me with suitable configuration for my purpose./please tell me which device will support for this/what is have to do for this.  
  Thanks 
  Lalu R.S

  There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
  You can do some crude controls with QoS - the configuration guide chapter on doing that is here.

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• Cisco asa 5505 with Router 881w Configuration Help

  Hello all,
  I'm having trouble setting up a second vlan to route to the internet. I have a Cisco ASA 5505 connected to my ISP(OUTSIDE) and a Cisco 881w (INSIDE) router in the back of my firewall. My vlan 10 with the network 192.168.5.1 255.255.255.0 works with pat, however vlan 15 that is on my 881w router does not route to the internet at all. I can only ping from 192.168.15.15 network to 192.168.5.1 I would like some advice on how can I make this set up work. Attached with this discussion is a picture of my topology.
  Thanks in advance.
  here are the show runs:
  Cisco ASA 5505 show run:
  ASA Version 8.3(1)
  names
  interface Vlan1
   no nameif
   no security-level
   no ip address
  interface Vlan5
   mac-address xxxx.xxxx.xxxx
   nameif OUTSIDE
   security-level 0
   ip address dhcp setroute
  interface Vlan10
   nameif INSIDE
   security-level 100
   ip address 192.168.5.1 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 5
  interface Ethernet0/1
   switchport access vlan 10
  interface Ethernet0/2
  interface Ethernet0/3
   shutdown
  interface Ethernet0/4
   shutdown
  interface Ethernet0/5
   shutdown
  interface Ethernet0/6
   shutdown
  interface Ethernet0/7
   shutdown
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  object network INTERNAL_LAN
   subnet 192.168.5.0 255.255.255.0
  object network PRIVATE_LAN_192
   subnet 192.168.15.0 255.255.255.224
   description PRIVATE_LAN_192
  access-list INSIDE_access_in extended permit ip any any
  access-list INSIDE_access_in extended deny ip any any
  access-list OUTSIDE_access_in extended permit ip any any
  access-list OUTSIDE_access_in extended deny ip any any
  pager lines 24
  logging enable
  mtu OUTSIDE 1500
  mtu INSIDE 1500
  ip verify reverse-path interface OUTSIDE
  ip verify reverse-path interface INSIDE
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  object network INTERNAL_LAN
   nat (INSIDE,OUTSIDE) dynamic interface
  object network PRIVATE_LAN_192
   nat (INSIDE,OUTSIDE) dynamic interface
  access-group OUTSIDE_access_in in interface OUTSIDE
  access-group INSIDE_access_in in interface INSIDE
  route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  dhcpd dns 8.8.8.8 75.75.76.76
  dhcpd address 192.168.5.10-192.168.5.100 INSIDE
  dhcpd enable INSIDE
  Router 881w show run:
  Current configuration : 4912 bytes
  version 12.4
  no ip source-route
  ip dhcp excluded-address 192.168.15.1 192.168.15.10
  ip dhcp pool PRIVATE_LAN
     network 192.168.15.0 255.255.255.224
  interface FastEthernet0
   switchport trunk allowed vlan 1,15,1002-1005
   switchport mode trunk
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
   ip address 192.168.5.2 255.255.255.0
   duplex auto
   speed auto
  interface wlan-ap0
   description Service module interface to manage the embedded AP
   no ip address
   arp timeout 0
  interface Wlan-GigabitEthernet0
   description Internal switch interface connecting to the embedded AP
  interface Vlan1
   no ip address
  interface Vlan15
   ip address 192.168.15.1 255.255.255.224
  no ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 FastEthernet4
  no ip http server
  ip http authentication local
  ip http secure-server

  The cable modem does not have any configuration. I cant add any to it. Its a cisco dpc3008. From vlan 10 i have no problem to get to the internet with the above  configuration. My problem is just vlan 15.

• Cisco ASA 5505 VPN Routing/Networking Question

  I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs.  I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses.  I would like to install a second Cisco ASA 5505 in a remote branch office as its peer. 
  Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center?  I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible.  It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices as the Data Center, allowing it to decide where the traffic should go.
  What am I missing?  Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?

  You can do it in several different ways.
  One way is to tell the server that if it has traffic to network x then it needs to go to the ASA all other traffic is to head for the default gateway.
  In windows this is done via the route command
  do not forget to make it "persistent" otherwise the route will disapear when your reboot the server.
  in unix/linux
  It is also the route command
  Or you can tell your "default gateway" to route that network to the ASA
  Good luck
  HTH

• Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

  Hello,
  We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks.  For some reason, the VPN tends to randomly disconnect any user clients connected a lot.  Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server.  We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem.  Sometimes users close out of VPN client completely, reopen several times and then it works.  However it's never really consistent enough and hasn't been the last few weeks.  No configuration changes have been made to ASA at all.  Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
  Directly below is our current running config (modded for public).  Any help or ideas would be greatly appreciated.  Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
  : Saved
  ASA Version 8.4(2)
  hostname domainasa
  domain-name adomain.local
  enable password cTfsR84pqF5Xohw. encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 205.101.1.240 255.255.255.248
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 192.168.2.60
  domain-name adomain.local
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network SBS_2011
  host 192.168.2.60
  object network NETWORK_OBJ_192.168.2.0_24
  subnet 192.168.2.0 255.255.255.0
  object network NETWORK_OBJ_192.168.5.192_
  27
  subnet 192.168.5.192 255.255.255.224
  object network Https_Access
  host 192.168.2.90
  description Spam Hero
  object-group network DM_INLINE_NETWORK_1
  network-object object SPAM1
  network-object object SPAM2
  network-object object SPAM3
  network-object object SPAM4
  network-object object SPAM5
  network-object object SPAM6
  network-object object SPAM7
  network-object object SPAM8
  object-group service RDP tcp
  description Microsoft RDP
  port-object eq 3389
  access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
  access-list outside_access_in extended permit tcp any object SBS_2011 eq https
  access-list outside_access_in extended permit icmp any interface outside
  access-list outside_access_in remark External RDP Access
  access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
  access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
  ip local pool VPN_Users 192.168.5.194-192.168.5.22
  0 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
  NETWORK_OBJ_192.168.2.0_24
  destination static NETWORK_OBJ_192.168.5.192_
  27 NETWORK_OBJ_192.168.5.192_
  27 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  object network SBS_2011
  nat (inside,outside) static interface service tcp smtp smtp
  object network Https_Access
  nat (inside,outside) static interface service tcp https https
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-reco
  rd DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.2.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.160-192.168.2.19
  9 inside
  dhcpd dns 192.168.2.60 24.29.99.36 interface inside
  dhcpd wins 192.168.2.60 24.29.99.36 interface inside
  dhcpd domain adomain interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy domain internal
  group-policy domain attributes
  wins-server value 192.168.2.60
  dns-server value 192.168.2.60
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value domain_splitTunnelAcl
  default-domain value adomain.local
  username ben password zWCAaitV3CB.GA87 encrypted privilege 0
  username ben attributes
  vpn-group-policy domain
  username sdomain password FATqd4I1ZoqyQ/MN encrypted
  username sdomain attributes
  vpn-group-policy domain
  username adomain password V5.hvhZU4S8NwGg/ encrypted
  username adomain attributes
  vpn-group-policy domain
  service-type admin
  username jdomain password uODal3Mlensb8d.t encrypted privilege 0
  username jdomain attributes
  vpn-group-policy domain
  service-type admin
  tunnel-group domain type remote-access
  tunnel-group domain general-attributes
  address-pool VPN_Users
  default-group-policy domain
  tunnel-group domain ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:e2466a5b754
  eebcdb0cef
  f051bef91d
  9
  : end
  no asdm history enable
  Thanks again

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio

• ASA 5505:Static Routing and Deny TCP connection because of bad flag

  Hi Everybody,
  I have a problem. I made a VPN site-2-site with 2 ASA 5505. The VPN works great. And I create a redondant link if the VPN failed.
  In fact, I use Dual ISP with route tracking. If the VPN fails, the default route change to an ISDN router, situated on the inside interface.
  When I simulated a VPN fail, the ASAs routes switch automatically on backup ISDN routers. If I ping elements, it works great. But when i try TCP connection like telnet, the ASAs deny connections:
  %PIX|ASA-6-106015: Deny TCP (no connection) from 172.16.10.57/35066 to 172.16.18.1/23 flags tcp_flags on interface interface_name.
  the security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
  thanks!
  EDIT: On the schema, The interface of the main asa is 172.16.18.148...

  Check if the xlate timer is set greater than or equal to what the conn timer, so as not to have connections waiting on xlates that no longer exist. To minimize the number of attempts, enable "service resetinbound" . The PIX will reset the connection and make it go away. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection.

• Cisco ASA 5505 and PAT

  So I have a weird problem that I'm hoping someone has a point in the right direction I can follow... At home I have a Cisco ASA 5505 - not very complex network some BCP configs and it's providing a NAT (PAT). I have a static IP and using a few RFC 1918 segments - like I said nothing earth shattering. I have a linksys E1200 802.11N WPA2 PSK - again pretty standard. I connect laptops, iPads, iPhones, Kindles, Androids no problem. Until recently my 60" Vizio had no issues using the network (wired or wireless). Now network is failing on the TV. I see it get to the FW and I can ping trace etc... to the TV. The FW logs show resets (log is below).
  Now here is the real interesting part - if I turn the tether feature on my iPhone on and connect the TV to it - it works - what's even more interesting is if I then go back to the home network it all works again no problem until I reboot the TV... HELP!
  Apr 19 15:34:09 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60657 to outside:68.162.222.142/57003
  Apr 19 15:34:09 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61988 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60657 (68.162.222.142/57003)
  Apr 19 15:34:09 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61988 for outside:98.137.204.251/443 to inside:10.10.10.139/60657 duration 0:00:00 bytes 3689 TCP Reset-I
  Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60658 to outside:68.162.222.142/53332
  Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61989 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60658 (68.162.222.142/53332)
  Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/37006 to outside:68.162.222.142/40015
  Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61990 for outside:98.136.10.32/443 (98.136.10.32/443) to inside:10.10.10.139/37006 (68.162.222.142/40015)
  Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61989 for outside:98.137.204.251/443 to inside:10.10.10.139/60658 duration 0:00:00 bytes 3689 TCP Reset-I
  Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61990 for outside:98.136.10.32/443 to inside:10.10.10.139/37006 duration 0:00:00 bytes 3689 TCP FINs
  A

  Hello ras,
  As you mentioned the TV is sending a reset packet to the remote address. I will recommend you to create a capture of the traffic and review the traffic at the packet level to see a posible reason for the drop.
  Here is how. Then you can download it to pcap format and uploaded to the forum for further analysis.
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
  http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-6941209
  Hope this information is helpful.

• VPN Between Cisco ASA 5505 and Cisco Router 881

  Hi All,
  I want to interconnect two office to each other but i have trouble: Please see below my configuration: What is missing to finalize the configuration properly?
  Cisco ASA 5505.
  Version 8.4(3)
  HQ-ASA5505(config)# crypto ikev1 policy 888
  HQ-ASA5505(config-ikev1-policy)# authentication pre-share
  HQ-ASA5505(config-ikev1-policy)# encryption 3des
  HQ-ASA5505(config-ikev1-policy)# hash md5
  HQ-ASA5505(config-ikev1-policy)# lifetime 86400
  HQ-ASA5505(config-ikev1-policy)# group 2
  HQ-ASA5505(config)# tunnel-group 1.1.1.1 type ipsec-l2l
  HQ-ASA5505(config)# tunnel-group 1.1.1.1 ipsec-attributes
  HQ-ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key test
  HQ-ASA5505(config)#object network HQ-Users
  HQ-ASA5505(config-network-object)#subnet 10.48.0.0 255.255.255.0
  HQ-ASA5505(config)# object-group network HQ.grp
  HQ-ASA5505(config-network-object-group)# network-object object HQ-Users
  HQ-ASA5505(config)#object network FSP_DATA
  HQ-ASA5505(config-network-object)#subnet 10.48.12.0 255.255.255.0
  HQ-ASA5505(config)#object-group network FSP.grp
  HQ-ASA5505(config-network-object-group)#network-object object FSP_DATA
  HQ-ASA5505(config)#access-list VPN_to_FSP extended permit ip object-group HQ.grp object-group FSP.grp
  HQ-ASA5505(config)# crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
  HQ-ASA5505(config)# crypto map ouside_map 888 set ikev1 transform-set TS
  HQ-ASA5505(config)# crypto map ouside_map 888 match address VPN_to_FSP
  HQ-ASA5505(config)# crypto map ouside_map 888 set peer 1.1.1.1
  HQ-ASA5505(config)# crypto map ouside_map 888 set pfs group2
  HQ-ASA5505(config)# crypto ikev1 enable outside
  HQ-ASA5505(config)# crypto map ouside_map interface outside
  Router 881
  Version 12.4
  License Information for 'c880-data'
      License Level: advipservices   Type: Permanent
      Next reboot license Level: advipservices
  LAB_ROuter(config)#object-group network HQ
  LAB_ROuter(config-network-group)#10.48.0.0 255.255.255.0
  LAB_ROuter(config)#object-group network FSP
  LAB_ROuter(config-network-group)#10.48.12.0 255.255.255.0
  ip access-list extended FSP_VPN
   permit ip object-group FSP object-group HQ
  LAB_ROuter(config)#crypto isakmp policy 888
  LAB_ROuter(config-isakmp)#encryption 3des
  LAB_ROuter(config-isakmp)#authentication pre-share
  LAB_ROuter(config-isakmp)#hash md5
  LAB_ROuter(config-isakmp)#group 2
  LAB_ROuter(config-isakmp)#lifetime 86400
  LAB_ROuter(config)#crypto isakmp key test address 2.2.2.2
  LAB_ROuter(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
  crypto map outside_map 888 ipsec-isakmp
   set peer 2.2.2.2
   set transform-set TS
   match address FSP_VPN
  interface fast4 --> Outside Interface (where public IP address is assigned) 
  crypto map outside_map
  Thank you in advance for your prompt advice!

  If you do a show crypto map in the router you will see the VPN traffic to be "any to any".
  This is due a known bug on Cisco routers. The router does not support object-groups network for the VPN traffic. Use a regular ACL instead.

• Cisco ASA 5505 and comodo SSL certificate

  Hey All,
  I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
  Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
  On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
  What am I missing here? I can post config if anyone needs it.
  (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

  It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
  ASA Version 9.0(2)
  hostname MyDomain-firewall-1
  domain-name MyDomain.com
  enable password omitted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd omitted
  names
  name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
  name 10.200.0.0 MyDomain_New_IP description MyDomain_New
  name 10.100.0.0 MyDomain-Old description Inside_Old
  name XXX.XXX.XX.XX Provider description Provider_Wireless
  name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
  name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
  ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
  ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address Cisco_ASA_5505 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address Provider 255.255.255.252
  boot system disk0:/asa902-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.0.3.21
  domain-name MyDomain.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network MyDomain-Employee
  subnet 192.168.208.0 255.255.255.0
  description MyDomain-Employee
  object-group network Inside-all
  description All Networks
  network-object MyDomain-Old 255.255.254.0
  network-object MyDomain_New_IP 255.255.192.0
  network-object host MyDomain-Inside
  access-list inside_access_in extended permit ip any4 any4
  access-list split-tunnel standard permit host 10.0.13.1
  pager lines 24
  logging enable
  logging buffered errors
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-712.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
  route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
  route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
  route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  action terminate
  dynamic-access-policy-record "Network Access Policy Allow VPN"
  description "Must have the Network Access Policy Enabled to get VPN access"
  aaa-server LDAP_Group protocol ldap
  aaa-server LDAP_Group (inside) host 10.0.3.21
  ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
  ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
  server-type microsoft
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http MyDomain_New_IP 255.255.192.0 inside
  http redirect outside 80
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint LOCAL-CA-SERVER
  keypair LOCAL-CA-SERVER
  no validation-usage
  no accept-subordinates
  no id-cert-issuer
  crl configure
  crypto ca trustpoint VPN
  enrollment terminal
  fqdn vpn.mydomain.com
  subject-name CN=vpn.mydomain.com,OU=IT
  keypair vpn.mydomain.com
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpool policy
  crypto ca server
  shutdown
  crypto ca certificate chain LOCAL-CA-SERVER
  certificate ca 01
      omitted
    quit
  crypto ca certificate chain VPN
  certificate
      omitted
    quit
  crypto ca certificate chain ASDM_TrustPoint1
  certificate ca
      omitted
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint VPN
  telnet timeout 5
  ssh MyDomain_New_IP 255.255.192.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  dynamic-filter updater-client enable
  dynamic-filter use-database
  dynamic-filter enable
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
  ssl trust-point VPN outside
  webvpn
  enable outside
  anyconnect-essentials
  anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
  anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
  anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
  anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  dns-server value 10.0.3.21
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
  default-domain value MyDomain.com
  group-policy MyDomain-Employee internal
  group-policy MyDomain-Employee attributes
  wins-server none
  dns-server value 10.0.3.21
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value MyDomain.com
  webvpn
    anyconnect profiles value MyDomain-employee type user
  username MyDomainadmin password omitted encrypted privilege 15
  tunnel-group MyDomain-Employee type remote-access
  tunnel-group MyDomain-Employee general-attributes
  address-pool MyDomain-Employee-Pool
  authentication-server-group LDAP_Group LOCAL
  default-group-policy MyDomain-Employee
  tunnel-group MyDomain-Employee webvpn-attributes
  group-alias MyDomain-Employee enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
  : end
  asdm image disk0:/asdm-712.bin
  asdm location MyDomain_New_IP 255.255.192.0 inside
  asdm location MyDomain-Inside 255.255.255.255 inside
  asdm location MyDomain-Old 255.255.254.0 inside
  no asdm history enable

• Cisco ASA 5505 Failover issue..

  Hi,
   I am having two firewalls (cisco ASA 5505) which is configured as active/standby Mode.It was running smoothly for more than an year,but last week the secondary firewall got failed and It made my whole network down.then I just removed the connectivity of the secondary firewall and run only the primary one.when I login  by console i found out that the failover has been disabled .So again I connected  to the Network and enabled the firewall.After a couple of days same issue happen.This time I take down the Secondary firewall erased the Flash.Reloaded the IOS image.Configured the failover and connected to the primary for the replication of configs.It found out the Active Mate.Replicated the configs and got synced...But after sync the same thing happened,The whole network gone down .I juz done the same thing removed the secondary firewall.Network came up.I feel there is some thing with failover thing ,but couldnt fin out :( .And the firewalls are in Router Mode.

  Please find the logs...
  Secondary Firewall While Sync..
  cisco-asa(config)# sh failover 
  Failover On 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 06:01:10 GMT Apr 29 2015
  This host: Secondary - Sync Config 
  Active time: 55 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.246): No Link (Waiting)
   Interface inside (10.11.0.20): No Link (Waiting)
   Interface mgmt (10.11.200.21): No Link (Waiting)
  slot 1: empty
  Other host: Primary - Active 
  Active time: 177303 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.247): Unknown (Waiting)
   Interface inside (10.11.0.21): Unknown (Waiting)
   Interface mgmt (10.11.200.22): Unknown (Waiting)
  slot 1: empty
  =======================================================================================
  Secondary Firewall Just after Sync ,Active (primary Firewall got rebootted)
  cisco-asa# sh failover 
  Failover On 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate Unknown
  Last Failover at: 06:06:12 GMT Apr 29 2015
  This host: Secondary - Active 
  Active time: 44 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.246): Normal (Waiting)
   Interface inside (10.11.0.20): No Link (Waiting)
   Interface mgmt (10.11.200.21): No Link (Waiting)
  slot 1: empty
  Other host: Primary - Not Detected 
  Active time: 0 (sec)
  slot 0: empty
   Interface outside (27.251.167.247): Unknown (Waiting)
   Interface inside (10.11.0.21): Unknown (Waiting)
   Interface mgmt (10.11.200.22): Unknown (Waiting)
  slot 1: empty
  ==========================================================================================
  After Active firewall got rebootted failover off,whole network gone down.
  cisco-asa# sh failover 
  Failover Off 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  ===========================================================================================
  Primary Firewall after rebootting
  cisco-asa# sh failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate Unknown
  Last Failover at: 06:17:29 GMT Apr 29 2015
          This host: Primary - Active
                  Active time: 24707 (sec)
                  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
                    Interface outside (27.251.167.246): Normal (Waiting)
                    Interface inside (10.11.0.20): Normal (Waiting)
                    Interface mgmt (10.11.200.21): Normal (Waiting)
                  slot 1: empty
          Other host: Secondary - Failed
                  Active time: 0 (sec)
                  slot 0: empty
                    Interface outside (27.251.167.247): Unknown (Waiting)
                    Interface inside (10.11.0.21): Unknown (Waiting)
                    Interface mgmt (10.11.200.22): Unknown (Waiting)
                  slot 1: empty
  cisco-asa# sh failover history
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:43 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:29 GMT Apr 29 2015
  Negotiation                Just Active                No Active unit found
  06:17:29 GMT Apr 29 2015
  Just Active                Active Drain               No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Drain               Active Applying Config     No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Applying Config     Active Config Applied      No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Config Applied      Active                     No Active unit found
  ==========================================================================
  cisco-asa#
  cisco-asa# sh failover state
                 State          Last Failure Reason      Date/Time
  This host  -   Primary
                 Active         None
  Other host -   Secondary
                 Failed         Comm Failure             06:17:43 GMT Apr 29 2015
  ====Configuration State===
  ====Communication State===
  ==================================================================================
  Secondary Firewall
  cisc-asa# sh failover h
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:32 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:05 GMT Apr 29 2015
  Negotiation                Disabled                   Set by the config command
  ==========================================================================
  cisco-asa# sh failover
  Failover Off
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (down)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  ecs-pune-fw-01# sh failover h
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:32 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:05 GMT Apr 29 2015
  Negotiation                Disabled                   Set by the config command
  ==========================================================================
  cisco-asa# sh failover state
                 State          Last Failure Reason      Date/Time
  This host  -   Secondary
                 Disabled       None
  Other host -   Primary
                 Not Detected   None
  ====Configuration State===
  ====Communication State===
  Thanks...

• Cisco asa 5505 vpn issue

  I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through  a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.) 

  Post the config of your ASA and someone will be able to assist.

• Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues

  Hey all,
  I am really new to Cisco and am trying to get this Cisco ASA 5505 configured that I bought recently configured properly.
  Things I have successfully been able to do:
  1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
  2. Create static routes to point to all of my vlans that are currently being being routed through my layer 3 SG-300
  3. Install and run ASDM 7.3(2)
  4. Went through the start-up  wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses. So I congured my device with NAT and put in the range the first usable IP address outside of the one I configured for the direct connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
  The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy. 
  http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
  Attached is a copy of my running-config and version. Any help with this would be greatly appreciated. 

  Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
  So your Exchange server in the 10.10.12.0/24 subnet  will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
  I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well.

• Cisco ASA 5505 and Airport Extreme

  We have an office that uses an Airport Extreme as part of the network. The Airport Extreme uses a Cisco ASA 5505 as its gateway. The Cisco provides site to site VPN capabilities with other remote offices. We just got this configuration partially working and it works great for outbound connections.
  But I have been unable to get an inbound connection to machines that are behind the Airport Extreme.
  The goal is to access machines behind the Airport Extreme by way of RDP and also for use as drive and printer shares.
  What do I need to do on the Airport to achieve this goal?
  Thank you,
  Lebby

  Lebby,
  I suspect it's not the AX that's the problem but the Cisco router, no doubt you have NAT enabled on that so that any inbound connection not initiated from inside just get's blocked.
  You'll need to configure NAT on the Cisco first.
  Regards,
  Shawn

• Cisco ASA 5505 - 2 questions - VPN Licensing; Routing

  Hi,
  I have a client that has a Cisco ASA 5505 security appliance.  Currently it is setup as a "proof of concept" for clientless browser-based SSL VPN.  The device came with 2 licenses for this service, and we need to increase that somewhere between 10-25 users.  25 users is the max on this device I believe.
  I have searched Cisco.com and tried Googling the ASA 5505 for licensing but I can't find the correct license that I need for this.
  The second question I have is routing capability.  We have a WAN connection to another branch of the computer from this location where the ASA 5505 is located.  A Cisco 2851 is used for this connection.  We are wanting to bring in a high speed Internet connection for the VPN access and Internet access.  What I need to know is can we put the WAN and Internet connections behind the ASA 5505 and have that route appropriately to the branch WAN for that traffic and all other traffic to the Internet?
  Thanks!
  --Kent

  Hi Kent,
  Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main (http://forums.cisco.com/eforum/servlet/NetProf?page=main) This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
  Regards,
  David Dunlap
  SBSC Engineer