Cisco ASA 8.4 Command logging in ACS

Hello,
I have set up command authorisation on a ASA 8.4 firewall, and everything seems to work fine.
The only problem is that the commands executed on the device such as ssh or asdm access does not show up in the TACACS+ Administration log on de ACS 4.2 server.
While on switches and routers the commands executed does show up in the log.
I googled the web, but did not find any similar item for this issue.
Please help....

You need to look at the latency between the initial connection after the pause and the beginning of when data is returned to the client. I will virtually guarantee the application is timing the user out before restarting the session.
Sent from Cisco Technical Support iPad App

Similar Messages

  • Correlating Cisco ASA-SSM-IPS Events/Logs

    I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this decice is the ability to monitor, analyse, and correlate security events. Can anybody help with a documentation to simplify daily (or periodic) analysis, and correlation of the IPS Logs? As I am not yet to up to speed with this task yet, a "How-to" document would be just fine.  Thank you.

    Hi Chris,
    Good to have you get on the case. I am yet to setup and ips manager software. Presently, I use an ASDM 6 interface, with this interface, I am able to view events and alerts, and perform other adminsitrative cores... The IPS manager express does it comes bundle with our device purchase? Does it contain necesary templates/docs for correlating events/Logs?

  • Cisco ASA 5500x with FirePower logging & syslog Format/reference

    Hello everyone,
    Can anyone explain how Cisco ASA 5500x Firepower logging works?
    http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/white_paper_c11-532091.html
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-architecture/sbaSIEM_deployG.pdf
    I referred above links and found syslog for botnet filtering.
    ASA-4-338002: Dynamic filter permitted black listed TCP traffic from inside: 10.1.1.45/6798 (209.165.201.1/7890) to outside: 209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
    It is cisco asa 5500 log. is it same for Firepower? If yes, is Firepower generate syslog for all events like this?
    Please refer me syslog reference guide for Cisco ASA 5500x Firepower if exist.
    Thanks & Regards
    Revathi

    Firepower logging is to a Firesight management center (FMC) via https. It does not use SDEE.
    Just like the old IPS, syslog messages are only about the module status, not about actual IPS events.

  • Command to View LDAP Password on Cisco ASA 5520

    Hello
    I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5 to a Cisco ASA 5585. We have LDAP issues logging into to our vpn client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password- encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
    Thanks!
    Matt

    Thankyou Jennifer for the responds.
    Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
    i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
    [454095] sAMAccountName: value = testvendor
    [454095] sAMAccountType: value = 805306368
    [454095] userPrincipalName: value = [email protected]
    [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095] msNPAllowDialin: value = TRUE
    [454095] dSCorePropagationData: value = 20111026081253.0Z
    [454095] dSCorePropagationData: value = 20111026080938.0Z
    [454095] dSCorePropagationData: value = 16010101000417.0Z
    Is their any other settings that i need to do it on AD ?
    Kindly advice
    Regards
    Shiji

  • Can't save Cisco ASA configuration in GNS3 via write memory command

    Hi all,
    I’m having a problem to save Cisco ASA configuration in GNS3 via write memory command.
       ciscoasa(config)# wr mem
       Building configuration…
       Cryptochecksum: c066a7ab b5b9071e bb5ee1f6 2d93be53
       %Error copying system:/running-config (Not enough space on device)
       Error executing command
       [FAILED]
       ciscoasa(config)#
    Here are the details of the lab setup.
    PC DETAILS:
       Windows 7 Enterprise SP1 64bit
       GNS3 v0.8.6 all-in-one (installer for 32-bit and 64-bit which includes Dynamips, Qemu/Pemu, Putty, VPCS, WinPCAP and Wireshark)
    ASA DETAILS:
       13,279,888 asa802-k8.bin.unpacked.initrd
       1,095,856 asa802-k8.bin.unpacked.vmlinuz
    Please advise. Thanks in advance.
    http://firewallengineer.wordpress.com/2014/02/19/problem-cisco-asa-in-gns3-error-copying-systemrunning-config-not-enough-space-on-device/

    instead of this:
    To create a flash file
    cd "C:\Program Files\GNS3\qemu-2.1.0"
    qemu-img.exe create c:\FLASH 256M
    try this:
    To create a flash file
    cd "C:\Program Files\GNS3\qemu-2.1.0"
    qemu-img.exe create c:\User\usuario\GNS3\FLASH 256M
    Let me know if is helpfull.

  • Cisco ASA disable command line interface (CLI) vor VPN Remote Access users

    Hi,
    I have local database for a couple of VPN Remote Access users on our Cisco ASA 5510 firewall. When adding users i asigned them the privilege leve 0. Is it possible to completly disable CLI for theses users as they will only be using VPN Remote Access and do not need to access the appliance cli.
    Thanks in advance.
    Kind Regards,
    Marco

    Hi,
    We will need to use the vpn-filter or the ssh command to block ssh from the vpn pool.
    Regards,
    Vivek

  • Interactive Commands in NetConfig for Cisco ASA

    Hi,
    Maybe anyone knows, does CiscoWorks LMS supports this feature for Cisco ASA or I'm doing something wrong? I've sent interactive command "copy tftp: flash: <R>ip_address<R>asa841-k8.bin<R><R>"  to my ASA using netconfig tool and recived error "Command(s) failed on the device Insufficient no. of interactive responses(or timeout) for command: copy tftp: flash: ." For Cisco Catalyst it works fine. I have a last version of CiscoWorks 4.0.1.

    No, SWIM doesn't support ASDM upgrades, but what you're doing here is a system software upgrade.  What you might try doing is to increase the telnet timeout for this device.  Unfortunately, that feature is hidden in LMS 4.0, but see this document on how to do that:
    https://supportforums.cisco.com/docs/DOC-15162
    The document talks about inventory collection, but the interface to adjust the telnet timeout is in the same location as the SNMP timeout.  You'll want to time the transfer to know how long to make the timeout.

  • Cisco ASA Logging

    I have been experiencing some problems at a customer site with a Cisco ASA 5510 where a reboot clears the problem. I am setting up a syslog server to capture the events in  the hope that TAC can assist after the reboot using the captured logs.
    My issue right now is that setting the logging to debugging or informational generates a large file in a short time. Given the situation what is the best option when selecting a logging trap so that when TAC reviews the file it is useful to them.
    Thanks.

    When logging is set to informational or debug the ASA certainly does generate a lot of log messages. Perhaps an option to consider would be to set console logging to informational or debug and then to connect a PC to the console running some terminal emulator that allows you to specify a fairly large buffer for its screen display. (I like SecureCRT because it allows me to do this and probably there are other emulators that allow this also).
    Let the logging to the console run until the problem happens. When the problem happens, go to the PC and do a copy paste of the content of the screen buffer to a file and send the file to TAC. I have done this before and it worked pretty well for me.
    HTH
    Rick

  • CISCO ASA Commands - No Object Resolution

    How can I dump the configuration on a Cisco ASA where it does not resolve defined objects in the configuration?
    For example: show route produces an output with object name instead of network address

    Hi,
    If I understood you correctly then your problem is that instead of IP addresses you are seein names/text in the configurations?
    If this is true then I think your problem is probably because of the "name" configurations
    You can use the following command to view the current configurations
    show run names
    If you want to disable the name/IP pairing from showing on the configuration you can use the following command
    no names
    It should not remove any of the "name" configurations but rather disables them from being used/viewed in the configuration. You can re-enable it with  the command "names"
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • Cisco ASA sla and track commands

    Cisco ASA 5520's running 8.2.5 and using sla and track commands
    Am I right in thinking that sla and track can be used for any pair of routes using diverse routes between 2 locations, these commands are NOT just restricted to being sued for a default route?
    Example: I have 2 MPLS carriers between the 2 sites, the networks advertised by the MPLS carriers would be idnetical
    e.g.Site A has
    route outside 172.16.0.0 255.255.0.0 2.2.2.2 1 track 1
    route outside 172.16.0.0 255.255.0.0 3.3.3.3 128
    There would of course be the track 1 rtr...command and some corresponding sla commands

    Matthew
    Am I right in thinking that sla and track can be used for any pair of routes
    As far as I know, yes, they don't need to be default routes, it's just that they usually are.
    I would have thought if both routes are pointing via the outside interface though the next hop IPs would be in the same subnet ?
    Jon

  • Internet Connection Became Slow after Introduction of Cisco ASA 5505 to the Network

    I configured a Cisco ASA 5505 (Version Cisco Adaptive Security Appliance Software Version 7.2(3)
    Device Manager Version 5.2(3)
    in transparent firewall mode and inserted after Cisco 1700 router. However, the internet connection became very slow and users are compaining that they cannot load any pages.
    My setup looks like:
    Internet --> Cisco 1700 --> Cisco ASA 5505 --> LAN
    The license information is:
    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs                       : 3, DMZ Restricted
    Inside Hosts                : Unlimited
    Failover                    : Disabled
    VPN-DES                     : Enabled
    VPN-3DES-AES                : Enabled
    VPN Peers                   : 10
    WebVPN Peers                : 2
    Dual ISPs                   : Disabled
    VLAN Trunk Ports            : 0
    This platform has a Base license.
    The flash activation key is the SAME as the running key.
    My running-config looks like:
    ASA Version 7.2(3)
    firewall transparent
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    no shut
    interface Vlan2
    nameif outside
    security-level 0
    no shut
    interface Ethernet0/0
    switchport access vlan 2
    no shut
    interface Ethernet0/1
    no shut
    interface Ethernet0/2
    no shut
    interface Ethernet0/3
    no shut
    interface Ethernet0/4
    no shut
    interface Ethernet0/5
    no shut
    interface Ethernet0/6
    no shut
    interface Ethernet0/7
    no shut
    passwd 2KFQnbNIdI.2KYOU encrypted
    regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
    regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
    regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
    regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
    regex domainlist1 "\.facebook\.com"
    regex domainlist2 "\.diretube\.com"
    regex domainlist3 "\.youtube\.com"
    regex domainlist4 "\.vimeo\.com"
    regex applicationheader "application/.*"
    regex contenttype "Content-Type"
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_in extended permit ip any any
    access-list inside_mpc extended permit tcp any any eq www
    access-list inside_mpc extended permit tcp any any eq 8080
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address 192.168.1.254 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map type regex match-any DomainBlockList
    match regex domainlist1
    match regex domainlist2
    match regex domainlist3
    match regex domainlist4
    class-map type inspect http match-all BlockDomainsClass
    match request header host regex class DomainBlockList
    class-map type regex match-any URLBlockList
    match regex urllist1
    match regex urllist2
    match regex urllist3
    match regex urllist4
    class-map inspection_default
    match default-inspection-traffic
    class-map type inspect http match-all AppHeaderClass
    match response header regex contenttype regex applicationheader
    class-map httptraffic
    match access-list inside_mpc
    class-map type inspect http match-all BlockURLsClass
    match request uri regex class URLBlockList
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map type inspect http http_inspection_policy
    parameters
      protocol-violation action drop-connection
    class AppHeaderClass
      drop-connection log
    match request method connect
      drop-connection log
    class BlockDomainsClass
      reset log
    class BlockURLsClass
      reset log
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    policy-map inside-policy
    class httptraffic
      inspect http http_inspection_policy
    service-policy global_policy global
    service-policy inside-policy interface inside
    prompt hostname context
    Cryptochecksum:8ab1a53df6ae3c202aee236d6080edfd
    : end
    Could the slow internet connection be due to license limitations? Or is there something wrong with my configuration?
    Please see the configuration and help.
    Thanks

    I have re-configured the ASA 5505 yesterday and so far it's working fine. I am not sure if the problem will re-appear later on. Anyways here is my sh tech-support
    ciscoasa# sh tech-support
    Cisco Adaptive Security Appliance Software Version 7.2(3)
    Device Manager Version 5.2(3)
    Compiled on Wed 15-Aug-07 16:08 by builders
    System image file is "disk0:/asa723-k8.bin"
    Config file at boot was "startup-config"
    ciscoasa up 14 hours 16 mins
    Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                                 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    0: Int: Internal-Data0/0    : address is 001f.9ee8.ffa2, irq 11
    1: Ext: Ethernet0/0         : address is 001f.9ee8.ff9a, irq 255
    2: Ext: Ethernet0/1         : address is 001f.9ee8.ff9b, irq 255
    3: Ext: Ethernet0/2         : address is 001f.9ee8.ff9c, irq 255
    4: Ext: Ethernet0/3         : address is 001f.9ee8.ff9d, irq 255
    5: Ext: Ethernet0/4         : address is 001f.9ee8.ff9e, irq 255
    6: Ext: Ethernet0/5         : address is 001f.9ee8.ff9f, irq 255
    <--- More --->
    7: Ext: Ethernet0/6         : address is 001f.9ee8.ffa0, irq 255
    8: Ext: Ethernet0/7         : address is 001f.9ee8.ffa1, irq 255
    9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces : 8        
    VLANs                       : 3, DMZ Restricted
    Inside Hosts                : Unlimited
    Failover                    : Disabled
    VPN-DES                     : Enabled  
    VPN-3DES-AES                : Enabled  
    VPN Peers                   : 10       
    WebVPN Peers                : 2        
    Dual ISPs                   : Disabled 
    VLAN Trunk Ports            : 0        
    This platform has a Base license.
    Serial Number: JMX1211Z2N4
    Running Activation Key: 0xaf0ed046 0xbcf18ebf 0x80b38508 0xba785cc0 0x05250493
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    <--- More --->
    ------------------ show clock ------------------
    18:32:58.254 UTC Tue Nov 26 2013
    ------------------ show memory ------------------
    Free memory:       199837144 bytes (74%)
    Used memory:        68598312 bytes (26%)
    Total memory:      268435456 bytes (100%)
    ------------------ show conn count ------------------
    1041 in use, 2469 most used
    ------------------ show xlate count ------------------
    0 in use, 0 most used
    ------------------ show blocks ------------------
      SIZE    MAX    LOW    CNT
         0    100     68    100
    <--- More --->
         4    300    299    299
        80    100     92    100
       256    100     94    100
      1550   6174   6166   6174
      2048   1124    551    612
    ------------------ show blocks queue history detail ------------------
    History buffer memory usage: 2136 bytes (default)
    ------------------ show interface ------------------
    Interface Internal-Data0/0 "", is up, line protocol is up
      Hardware is y88acs06, BW 1000 Mbps
    (Full-duplex), (1000 Mbps)
    MAC address 001f.9ee8.ffa2, MTU not set
    IP address unassigned
    18491855 packets input, 11769262614 bytes, 0 no buffer
    Received 213772 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops, 0 demux drops
    18185861 packets output, 11626494317 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
    <--- More --->
    0 input reset drops, 0 output reset drops
    input queue (curr/max packets): hardware (0/0) software (0/0)
    output queue (curr/max packets): hardware (0/55) software (0/0)
      Control Point Interface States:
    Interface number is unassigned
    Interface Internal-Data0/1 "", is administratively down, line protocol is up
      Hardware is 88E6095, BW 1000 Mbps
    (Full-duplex), (1000 Mbps)
    MAC address 0000.0003.0002, MTU not set
    IP address unassigned
    18184216 packets input, 11625360131 bytes, 0 no buffer
    Received 206655 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 switch ingress policy drops
    18490057 packets output, 11768078777 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Loopback0 "_internal_loopback", is up, line protocol is up
      Hardware is VirtualMAC address 0000.0000.0000, MTU 1500
    IP address 127.1.0.1, subnet mask 255.255.0.0
    <--- More --->
      Traffic Statistics for "_internal_loopback":
    1 packets input, 28 bytes
    1 packets output, 28 bytes
    1 packets dropped
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
      Control Point Interface States:
    Interface number is 28
    Interface config status is active
    Interface state is active
    Interface Vlan1 "inside", is up, line protocol is up
      Hardware is EtherSVI
    MAC address 001f.9ee8.ffa2, MTU 1500
    IP address 192.168.1.254, subnet mask 255.255.255.0
      Traffic Statistics for "inside":
    7742275 packets input, 903584114 bytes
    10645034 packets output, 10347291114 bytes
    184883 packets dropped
          1 minute input rate 320 pkts/sec,  35404 bytes/sec
          1 minute output rate 325 pkts/sec,  313317 bytes/sec
    <--- More --->
          1 minute drop rate, 17 pkts/sec
          5 minute input rate 399 pkts/sec,  59676 bytes/sec
          5 minute output rate 483 pkts/sec,  503200 bytes/sec
          5 minute drop rate, 9 pkts/sec
      Control Point Interface States:
    Interface number is 1
    Interface config status is active
    Interface state is active
    Interface Vlan2 "outside", is up, line protocol is up
      Hardware is EtherSVI
    MAC address 001f.9ee8.ffa3, MTU 1500
    IP address 192.168.1.254, subnet mask 255.255.255.0
      Traffic Statistics for "outside":
    10750090 packets input, 10432619059 bytes
    7541331 packets output, 870613684 bytes
    109911 packets dropped
          1 minute input rate 328 pkts/sec,  313770 bytes/sec
          1 minute output rate 301 pkts/sec,  32459 bytes/sec
          1 minute drop rate, 2 pkts/sec
          5 minute input rate 485 pkts/sec,  503789 bytes/sec
          5 minute output rate 387 pkts/sec,  57681 bytes/sec
          5 minute drop rate, 2 pkts/sec
      Control Point Interface States:
    Interface number is 2
    <--- More --->
    Interface config status is active
    Interface state is active
    Interface Ethernet0/0 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9a, MTU not set
    IP address unassigned
    10749794 packets input, 10630700889 bytes, 0 no buffer
    Received 2506 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    3 switch ingress policy drops
    7541070 packets output, 1028190148 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/1 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    <--- More --->
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9b, MTU not set
    IP address unassigned
    7741977 packets input, 1064586806 bytes, 0 no buffer
    Received 211282 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    10644663 packets output, 10543362751 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/2 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9c, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    <--- More --->
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/3 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9d, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    <--- More --->
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/4 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9e, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    <--- More --->
    Interface number is unassigned
    Interface Ethernet0/5 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9f, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/6 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    <--- More --->
    MAC address 001f.9ee8.ffa0, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/7 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ffa1, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    <--- More --->
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    ------------------ show cpu usage ------------------
    CPU utilization for 5 seconds = 12%; 1 minute: 11%; 5 minutes: 11%
    ------------------ show cpu hogging process ------------------
    Process:      Dispatch Unit, NUMHOG: 1, MAXHOG: 133, LASTHOG: 140
    LASTHOG At:   04:45:59 UTC Nov 26 2013
    PC:           8be0f7
    Traceback:    8bed19  8bf553  302b87  3030a5  2fad69  7674bf  75ca16
                  c6251d  c62a4c  c62f6c  75c653  767820  797f64  769c85
    <--- More --->
    ------------------ show process ------------------
        PC       SP       STATE       Runtime    SBASE     Stack Process
    Mwe 00c9bb24 01bb8700 013e3250          0 01733fc8 15616/16384 emweb/cifs
    Lwe 001072ac 0176f9c4 013e32d0          0 0176d9f0 8132/8192 block_diag
    Mrd 00223a67 01783d5c 013e33b0     314854 0177be18 25752/32768 Dispatch Unit
    Msi 00f82847 01b07b84 013e3250        229 01b05bc0 7984/8192 y88acs06 OneSec Thread
    Mwe 0011b1a5 01b09cfc 013e3250          0 01b07d88 7864/8192 Reload Control Thread
    Mwe 00120606 01b1260c 013e5258          0 01b10988 7256/8192 aaa
    Mwe 001486aa 01b19404 013e5ae8          0 01b15450 16020/16384 CMGR Server Process
    Mwe 0014c3c5 01b1b4d4 013e3250          0 01b19570 7968/8192 CMGR Timer Process
    Lwe 002227a1 01b239b4 013ee360          0 01b219f0 7524/8192 dbgtrace
    Mwe 004e1ba5 01b29c34 013e3250        157 01b27d50 6436/8192 eswilp_svi_init
    Mwe 01064b1d 01b4a7f4 013e3250          0 01b48890 7848/8192 Chunk Manager
    Msi 008b61b6 01b52d54 013e3250        230 01b50da0 7856/8192 PIX Garbage Collector
    Lsi 00ecb6ac 01b54e94 013e3250         12 01b52ec0 7552/8192 route_process
    Mwe 008a5ddc 01b5dc04 0133b430          0 01b5bc40 8116/8192 IP Address Assign
    Mwe 00acb779 01b60604 01346e10          0 01b5e640 8116/8192 QoS Support Module
    Mwe 0091eba9 01b6275c 0133c530          0 01b60798 8116/8192 Client Update Task
    Lwe 01083c8e 01b656d4 013e3250     123088 01b63770 7840/8192 Checkheaps
    Mwe 00acfd7d 01b6b824 013e3250        623 01b69ad0 3476/8192 Quack process
    Mwe 00b2a260 01b6dad4 013e3250         22 01b6bbf0 7364/8192 Session Manager
    Mwe 00c55efd 01b78564 031d0478          4 01b74a50 14768/16384 uauth
    <--- More --->
    Mwe 00be3c9e 01b7aaec 0135c010          0 01b78b28 7524/8192 Uauth_Proxy
    Mwe 00c52759 01b80e0c 01361770          0 01b7ee88 7712/8192 SMTP
    Mwe 00c3f7b9 01b82eec 01361710          0 01b80fa8 7412/8192 Logger
    Mwe 00c3fd26 01b8502c 013e3250          0 01b830c8 7492/8192 Thread Logger
    Mwe 00f62272 01b9596c 013ac520          0 01b939c8 7188/8192 vpnlb_thread
    Msi 00b4097c 01c598c4 013e3250        190 01c578f0 8000/8192 emweb/cifs_timer
    Msi 005bd338 017a909c 013e3250      25855 017a7108 7412/8192 arp_timer
    Mwe 005c76bc 01b486e4 013fba50      20643 01b46770 7348/8192 arp_forward_thread
    Mwe 00c5a919 023fa5fc 013619e0          0 023f8648 7968/8192 tcp_fast
    Mwe 00c5a6e5 023fc624 013619e0          0 023fa670 7968/8192 tcp_slow
    Mwe 00c754d1 0240d42c 013628a0          0 0240b478 8100/8192 udp_timer
    Mwe 0019cb17 01b404a4 013e3250          0 01b3e530 7984/8192 CTCP Timer process
    Mwe 00efe8b3 0308c15c 013e3250          0 0308a208 7952/8192 L2TP data daemon
    Mwe 00efef23 0308e194 013e3250          0 0308c230 7968/8192 L2TP mgmt daemon
    Mwe 00eea02b 030c62ac 013a5c10         43 030c2338 16244/16384 ppp_timer_thread
    Msi 00f62d57 030c82f4 013e3250        264 030c6360 7924/8192 vpnlb_timer_thread
    Mwe 001b96e6 01b7cbbc 01b1e9c8          1 01b7ac48 7728/8192 IPsec message handler
    Msi 001c9bac 01b8d4dc 013e3250       2917 01b8b548 7648/8192 CTM message handler
    Mwe 00af93b8 031465b4 013e3250          0 03144640 7984/8192 ICMP event handler
    Mwe 00831003 0314a724 013e3250        387 031467b0 16100/16384 IP Background
    Mwe 0021b267 031a83c4 013123c0         31 03188450 123488/131072 tmatch compile thread
    Mwe 009f2405 03290044 013e3250          0 0328c0c0 16072/16384 Crypto PKI RECV
    Mwe 009f305a 03294144 013e3250          0 032901e0 16040/16384 Crypto CA
    Mwe 0064d4fd 01b3e24c 013e3250          8 01b3c2f8 7508/8192 ESW_MRVL switch interrupt service
    <--- More --->
    Msi 00646f5c 032c134c 013e3250    3059378 032bf448 7184/8192 esw_stats
    Lsi 008cbb80 032dc704 013e3250          3 032da730 7908/8192 uauth_urlb clean
    Lwe 008afee7 034a0914 013e3250        197 0349e9b0 6636/8192 pm_timer_thread
    Mwe 0052f0bf 034a35ac 013e3250          0 034a1648 7968/8192 IKE Timekeeper
    Mwe 00520f6b 034a8adc 0132e2b0          0 034a4e38 15448/16384 IKE Daemon
    Mwe 00bf5c78 034ac7ac 01360680          0 034aa7f8 8100/8192 RADIUS Proxy Event Daemon
    Mwe 00bc32de 034ae79c 034dcbe0          0 034ac918 7208/8192 RADIUS Proxy Listener
    Mwe 00bf5e0f 034b099c 013e3250          0 034aea38 7968/8192 RADIUS Proxy Time Keeper
    Mwe 005aac4c 034b3154 013fb980          0 034b1250 7492/8192 Integrity FW Task
    M*  008550a5 0009fefc 013e33b0       3183 034e3b20 24896/32768 ci/console
    Msi 008eb694 034ed9d4 013e3250       2370 034ebc40 6176/8192 update_cpu_usage
    Msi 008e6415 034f7dac 013e3250       1096 034f5eb8 6124/8192 NIC status poll
    Mwe 005b63e6 03517d1c 013fbd10       1963 03515d78 7636/8192 IP Thread
    Mwe 005becbe 03519e4c 013fbcb0          3 03517e98 7384/8192 ARP Thread
    Mwe 004c2b36 0351befc 013fbae0          0 03519fe8 7864/8192 icmp_thread
    Mwe 00c7722e 0351e06c 013e3250          0 0351c108 7848/8192 udp_thread
    Mwe 00c5d126 0352008c 013fbd00          0 0351e228 7688/8192 tcp_thread
    Mwe 00bc32de 03a6982c 03a5ee18          0 03a679b8 7512/8192 EAPoUDP-sock
    Mwe 00266c15 03a6b614 013e3250          0 03a699e0 7032/8192 EAPoUDP
    Mwe 005a6728 01b27b94 013e3250          0 01b25c30 7968/8192 Integrity Fw Timer Thread
    -     -        -         -      47686621    -         -     scheduler
    -     -        -         -      51253819    -         -     total elapsed
    ------------------ show failover ------------------
    <--- More --->
    ERROR: Command requires failover license
    ------------------ show traffic ------------------
    inside:
    received (in 51429.740 secs):
    7749585 packets905087345 bytes
    67 pkts/sec17013 bytes/sec
    transmitted (in 51429.740 secs):
    10653162 packets10355908020 bytes
    40 pkts/sec201026 bytes/sec
          1 minute input rate 412 pkts/sec,  51803 bytes/sec
          1 minute output rate 475 pkts/sec,  522952 bytes/sec
          1 minute drop rate, 24 pkts/sec
          5 minute input rate 399 pkts/sec,  59676 bytes/sec
          5 minute output rate 483 pkts/sec,  503200 bytes/sec
          5 minute drop rate, 9 pkts/sec
    outside:
    received (in 51430.240 secs):
    10758403 packets10441440193 bytes
    42 pkts/sec203021 bytes/sec
    transmitted (in 51430.240 secs):
    7548339 packets872053854 bytes
    <--- More --->
    63 pkts/sec16037 bytes/sec
          1 minute input rate 479 pkts/sec,  523680 bytes/sec
          1 minute output rate 387 pkts/sec,  46796 bytes/sec
          1 minute drop rate, 3 pkts/sec
          5 minute input rate 485 pkts/sec,  503789 bytes/sec
          5 minute output rate 387 pkts/sec,  57681 bytes/sec
          5 minute drop rate, 2 pkts/sec
    _internal_loopback:
    received (in 51430.740 secs):
    1 packets28 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51430.740 secs):
    1 packets28 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Aggregated Traffic on Physical Interface
    <--- More --->
    Ethernet0/0:
    received (in 51431.740 secs):
    10758462 packets10640075825 bytes
    42 pkts/sec206042 bytes/sec
    transmitted (in 51431.740 secs):
    7548383 packets1029818127 bytes
    63 pkts/sec20023 bytes/sec
          1 minute input rate 485 pkts/sec,  537048 bytes/sec
          1 minute output rate 395 pkts/sec,  54546 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 485 pkts/sec,  511723 bytes/sec
          5 minute output rate 387 pkts/sec,  65495 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/1:
    received (in 51433.570 secs):
    7749780 packets1066328930 bytes
    67 pkts/sec20064 bytes/sec
    transmitted (in 51433.570 secs):
    10653359 packets10552787020 bytes
    40 pkts/sec205006 bytes/sec
          1 minute input rate 419 pkts/sec,  59621 bytes/sec
          1 minute output rate 480 pkts/sec,  533950 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 399 pkts/sec,  67618 bytes/sec
    <--- More --->
          5 minute output rate 482 pkts/sec,  511073 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/2:
    received (in 51434.730 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51434.730 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/3:
    received (in 51434.730 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51434.730 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
    <--- More --->
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/4:
    received (in 51434.870 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51434.870 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/5:
    received (in 51434.870 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51434.870 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    <--- More --->
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/6:
    received (in 51435.010 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51435.010 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/7:
    received (in 51435.010 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51435.010 secs):
    <--- More --->
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Internal-Data0/0:
    received (in 51435.510 secs):
    18513901 packets11784250044 bytes
    25 pkts/sec229023 bytes/sec
    transmitted (in 51435.510 secs):
    18207269 packets11641332179 bytes
    19 pkts/sec226078 bytes/sec
          1 minute input rate 891 pkts/sec,  595715 bytes/sec
          1 minute output rate 863 pkts/sec,  588935 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 885 pkts/sec,  584035 bytes/sec
          5 minute output rate 870 pkts/sec,  580393 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Internal-Data0/1:
    received (in 51436.010 secs):
    18207323 packets11641364184 bytes
    <--- More --->
    19 pkts/sec226076 bytes/sec
    transmitted (in 51436.010 secs):
    18513954 packets11784281987 bytes
    25 pkts/sec229022 bytes/sec
          1 minute input rate 855 pkts/sec,  575808 bytes/sec
          1 minute output rate 884 pkts/sec,  582339 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 869 pkts/sec,  578350 bytes/sec
          5 minute output rate 883 pkts/sec,  581924 bytes/sec
          5 minute drop rate, 0 pkts/sec
    ------------------ show perfmon ------------------
    PERFMON STATS:    Current      Average
    Xlates               0/s          0/s
    Connections         17/s          6/s
    TCP Conns            8/s          2/s
    UDP Conns            7/s          2/s
    URL Access           0/s          0/s
    URL Server Req       0/s          0/s
    TCP Fixup            0/s          0/s
    TCP Intercept        0/s          0/s
    HTTP Fixup           0/s          0/s
    <--- More --->
    FTP Fixup            0/s          0/s
    AAA Authen           0/s          0/s
    AAA Author           0/s          0/s
    AAA Account          0/s          0/s
    ------------------ show counters ------------------
    Protocol     Counter                     Value   Context
    IP           IN_PKTS                  168960   Summary
    IP           OUT_PKTS                 169304   Summary
    IP           TO_ARP                       61   Summary
    ------------------ show history ------------------
    ------------------ show firewall ------------------
    Firewall mode: Transparent
    ------------------ show running-config ------------------
    <--- More --->
    : Saved
    ASA Version 7.2(3)
    firewall transparent
    hostname ciscoasa
    enable password
    names
    interface Vlan1
    nameif inside
    security-level 100
    interface Vlan2
    nameif outside
    security-level 0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    <--- More --->
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    passwd
    regex domain1 ".facebook\.com"
    regex domain2 ".fb\.com"
    regex domain3 ".youtube\.com"
    ftp mode passive
    access-list ACL_IN extended permit ip any any
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip address 192.168.1.254 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    <--- More --->
    arp timeout 14400
    access-group ACL_IN in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map type regex match-any DomainBlockList
    match regex domain1
    match regex domain2
    match regex domain3
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    <--- More --->
      message-length maximum 512
    match domain-name regex class DomainBlockList
      drop-connection log
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:bb5115ea1d14ee42e7961ef0c9aaed86
    : end
    <--- More --->
    ------------------ show startup-config errors ------------------
    INFO: No configuration errors
    ------------------ console logs ------------------
    Message #1 : Message #2 : Message #3 : Message #4 : Message #5 : Message #6 : Message #7 : Message #8 : Message #9 : Message #10 : Message #11 : Message #12 : Message #13 : Message #14 :
    Total SSMs found: 0
    Message #15 :
    Total NICs found: 10
    Message #16 : 88E6095 rev 2 Gigabit Ethernet @ index 09Message #17 :  MAC: 0000.0003.0002
    Message #18 : 88E6095 rev 2 Ethernet @ index 08Message #19 :  MAC: 001f.9ee8.ffa1
    Message #20 : 88E6095 rev 2 Ethernet @ index 07Message #21 :  MAC: 001f.9ee8.ffa0
    Message #22 : 88E6095 rev 2 Ethernet @ index 06Message #23 :  MAC: 001f.9ee8.ff9f
    Message #24 : 88E6095 rev 2 Ethernet @ index 05Message #25 :  MAC: 001f.9ee8.ff9e
    Message #26 : 88E6095 rev 2 Ethernet @ index 04Message #27 :  MAC: 001f.9ee8.ff9d
    Message #28 : 88E6095 rev 2 Ethernet @ index 03Message #29 :  MAC: 001f.9ee8.ff9c
    Message #30 : 88E6095 rev 2 Ethernet @ index 02Message #31 :  MAC: 001f.9ee8.ff9b
    Message #32 : 88E6095 rev 2 Ethernet @ index 01Message #33 :  MAC: 001f.9ee8.ff9a
    Message #34 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 001f.9ee8.ffa2
    Message #35 :
    Licensed features for this platform:
    Message #36 : Maximum Physical Interfaces : 8        
    <--- More --->
    Message #37 : VLANs                       : 3, DMZ Restricted
    Message #38 : Inside Hosts                : Unlimited
    Message #39 : Failover                    : Disabled
    Message #40 : VPN-DES                     : Enabled  
    Message #41 : VPN-3DES-AES                : Enabled  
    Message #42 : VPN Peers                   : 10       
    Message #43 : WebVPN Peers                : 2        
    Message #44 : Dual ISPs                   : Disabled 
    Message #45 : VLAN Trunk Ports            : 0        
    Message #46 :
    This platform has a Base license.
    Message #47 :
    Message #48 : Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
    Message #49 :                              Boot microcode   : CNlite-MC-Boot-Cisco-1.2
    Message #50 :                              SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
    Message #51 :                              IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    Message #52 :   --------------------------------------------------------------------------
    Message #53 :                                  .            .                            
    Message #54 :                                  |            |                            
    Message #55 :                                 |||          |||                           
    Message #56 :                               .|| ||.      .|| ||.                         
    Message #57 :                            .:||| | |||:..:||| | |||:.                      
    Message #58 :                             C i s c o  S y s t e m s                       
    Message #59 :   --------------------------------------------------------------------------
    <--- More --->
    Message #60 :
    Cisco Adaptive Security Appliance Software Version 7.2(3)
    Message #61 :
    Message #62 :   ****************************** Warning *******************************
    Message #63 :   This product contains cryptographic features and is
    Message #64 :   subject to United States and local country laws
    Message #65 :   governing, import, export, transfer, and use.
    Message #66 :   Delivery of Cisco cryptographic products does not
    Message #67 :   imply third-party authority to import, export,
    Message #68 :   distribute, or use encryption. Importers, exporters,
    Message #69 :   distributors and users are responsible for compliance
    Message #70 :   with U.S. and local country laws. By using this
    Message #71 :   product you agree to comply with applicable laws and
    Message #72 :   regulations. If you are unable to comply with U.S.
    Message #73 :   and local laws, return the enclosed items immediately.
    Message #74 :
    Message #75 :   A summary of U.S. laws governing Cisco cryptographic
    Message #76 :   products may be found at:
    Message #77 :   http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    Message #78 :
    Message #79 :   If you require further assistance please contact us by
    Message #80 :   sending email to [email protected].
    Message #81 :   ******************************* Warning *******************************
    Message #82 :
    <--- More --->
    Message #83 : Copyright (c) 1996-2007 by Cisco Systems, Inc.
    Message #84 :                 Restricted Rights Legend
    Message #85 : Use, duplication, or disclosure by the Government is
    Message #86 : subject to restrictions as set forth in subparagraph
    Message #87 : (c) of the Commercial Computer Software - Restricted
    Message #88 : Rights clause at FAR sec. 52.227-19 and subparagraph
    Message #89 : (c) (1) (ii) of the Rights in Technical Data and Computer
    Message #90 : Software clause at DFARS sec. 252.227-7013.
    Message #91 :                 Cisco Systems, Inc.
    Message #92 :                 170 West Tasman Drive
    Message #93 :                 San Jose, California 95134-1706
    ciscoasa#   

  • Setting up site to site vpn with cisco asa 5505

    I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!

    Hi Mandy,
    By using following access list define Peer IP as source and destination
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    you are not defining the interesting traffic / subnets from both ends.
    Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
    !.1..source subnet(called local encryption domain) at your end  192.168.200.0
    !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
    !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
    !...at your end  192.168.200.0
    !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
    !...at other end 192.168.100.0
    Please use Baisc Steps as follows:
    A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
    Step 1.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 3.
    Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or , but not both
    crypto isakmp key 6 CISCO123 address71.37.178.142
    step 4.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 6.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Configure the same but just change ACL on other end in step one  by reversing source and destination
    and also set the peer IP of this router in other end.
    So other side config should look as follows:
    B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
    Step 7.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 9.
    Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or , but not both
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    step 10.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map    ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set, only one is permissible
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Now initite a ping
    Here is for your summary:
    IPSec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
    Router#debug crpyto isakmp
    Router#debug crpyto ipsec
    Router(config)# logging buffer 7
    Router(config)# logging buffer 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha1
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Change to Transport Mode, add the following command in Step 4:
    (config-tranform-set)# mode transport
    Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
    Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
    Similarly on R2.
    The below process is for the negotiation using RSA-SIG (PKI) as authentication type
    Debug Process:
    After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg

  • Cisco ASA 5505 not able to access flash

    Hi All:
    I have searched and searched all over the net for an answer to this question and have decided to just post it. I have a 5505 that was given to me by my job to use for working on my CCNA Sec. cert and did the following:
    I plugged it in and booted it up just fine. Made config changes as I followed along with the examples in my CCNA Security book. Got to the point in chapter 14 where the initial setup happens to configure it for working with ASDM. I never did a write mem on it and decided to take it back to square one by unplugging it to allow it to lose the changes that I made. This is where things got ugly.
    When it booted back up it got stuck in a bootup loop and couldn't find an IOS. After following all kinds of steps to boot to rommon and tftp another IOS and such (several times) I decided to follow another posting that said that the flash could be corrupted and to just delete it and start anew. Did that and through rommon as it would not boot up normally any more. After trying this over and over for the last couple hours I realized that it would boot from tftp so I did that in hopes of fixing the flash issue.
    I've tried deleting it, and re-initializing it and formating it. But the thing is that it no longer SEES the disk0: mount point. I've used two different flash cards...the one that came with it and the one that I already had. With the cover off I can see that there is no activity light next to the flash drive when I issue a delete or initialize or format command.
    Here is a copy of some of the output file. Any help or suggestions are greatly appreciated.
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.                              
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Use ? for help.
    rommon #0> format disk0:
    Invalid or incorrect command.  Use 'help' for help.
    rommon #0> ADDRESS=10.10.10.110
    rommon #1> GATEWAY=10.10.10.1
    rommon #2> SERVER=10.10.10.98
    rommon #3> IMAGE=asa914-k8.bin
    rommon #4> tftp
    ROMMON Variable Settings:
      ADDRESS=10.10.10.110
      SERVER=10.10.10.98
      GATEWAY=10.10.10.1
      PORT=Ethernet0/0
      VLAN=untagged
      IMAGE=asa914-k8.bin
      CONFIG=
      LINKTIMEOUT=20
      PKTTIMEOUT=4
      RETRY=20
    tftp [email protected] via 10.10.10.1
    Received 27076608 bytes
    Launching TFTP Image...
    Cisco Security Appliance admin loader (3.0) #0: Thu Dec  5 19:38:43 PST 2013
    Platform ASA5505
    Loading...
    IO memory blocks requested from bigphys 32bit: 9956
    Àdosfsck 2.11, 12 Mar 2005, FAT32, LFN
    Currently, only 1 or 2 FATs are supported, not 42.
    dosfsck(/dev/hda1) returned 1
    mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
    mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
    Processor memory 343932928, Reserved memory: 62914560
    Total SSMs found: 0
    Total NICs found: 10
    88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
    88E6095 rev 2 Ethernet @ index 08 MAC: 0023.339e.2a90
    88E6095 rev 2 Ethernet @ index 07 MAC: 0023.339e.2a8f
    88E6095 rev 2 Ethernet @ index 06 MAC: 0023.339e.2a8e
    88E6095 rev 2 Ethernet @ index 05 MAC: 0023.339e.2a8d
    88E6095 rev 2 Ethernet @ index 04 MAC: 0023.339e.2a8c
    88E6095 rev 2 Ethernet @ index 03 MAC: 0023.339e.2a8b
    88E6095 rev 2 Ethernet @ index 02 MAC: 0023.339e.2a8a
    88E6095 rev 2 Ethernet @ index 01 MAC: 0023.339e.2a89
    y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0023.339e.2a91
    INFO: Unable to read firewall mode from flash
           Writing default firewall mode (single) to flash
    INFO: Unable to read cluster interface-mode from flash
           Writing default mode "None" to flash
    Verify the activation-key, it might take a while...
    Failed to retrieve permanent activation key.
    Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
    The Running Activation Key is not valid, using default settings:
    Licensed features for this platform:
    Maximum Physical Interfaces       : 8              perpetual
    VLANs                             : 3              DMZ Restricted
    Dual ISPs                         : Disabled       perpetual
    VLAN Trunk Ports                  : 0              perpetual
    Inside Hosts                      : 10             perpetual
    Failover                          : Disabled       perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10             perpetual
    Total VPN Peers                   : 12             perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    This platform has a Base license.
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode        : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                                 IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
    Cisco Adaptive Security Appliance Software Version 9.1(4)
      ****************************** Warning *******************************
      This product contains cryptographic features and is
      subject to United States and local country laws
      governing, import, export, transfer, and use.
      Delivery of Cisco cryptographic products does not
      imply third-party authority to import, export,
      distribute, or use encryption. Importers, exporters,
      distributors and users are responsible for compliance
      with U.S. and local country laws. By using this
      product you agree to comply with applicable laws and
      regulations. If you are unable to comply with U.S.
      and local laws, return the enclosed items immediately.
      A summary of U.S. laws governing Cisco cryptographic
      products may be found at:
      http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
      If you require further assistance please contact us by
      sending email to [email protected].
      ******************************* Warning *******************************
    This product includes software developed by the OpenSSL Project
    for use in the OpenSSL Toolkit (http://www.openssl.org/)
    Copyright (C) 1995-1998 Eric Young ([email protected])
    All rights reserved.
    Copyright (c) 1998-2011 The OpenSSL Project.
    All rights reserved.
    This product includes software developed at the University of
    California, Irvine for use in the DAV Explorer project
    (http://www.ics.uci.edu/~webdav/)
    Copyright (c) 1999-2005 Regents of the University of California.
    All rights reserved.
    Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
    Busybox comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    59 Temple Place, Suite 330, Boston, MA 02111-1307
    675 Mass Ave, Cambridge, MA 02139
    DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    59 Temple Place, Suite 330, Boston, MA 02111-1307
    grub comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
    libgcc comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenseSee User Manual (''Licensing'') for details.
    libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
    libstdc++ comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
    Foundation, Inc.
    51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
    Linux kernel comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
    Foundation, Inc.
    59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
    module-init-tools comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    numactl, version 2.0.3, Copyright (C) 2008 SGI.
    Author: Andi Kleen, SUSE Labs
    Version 2.0.0 by Cliff Wickman, Chritopher Lameter and Lee Schermerhorn
    numactl comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
    pciutils comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    59 Temple Place, Suite 330, Boston, MA 02111 USA
    readline comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
    udev comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    Cisco Adapative Security Appliance Software, version 9.1,
    Copyright (c) 1996-2013 by Cisco Systems, Inc.
    Certain components of Cisco ASA Software, Version 9.1 are licensed under the GNU
    Lesser Public License (LGPL) Version 2.1.  The software code licensed under LGPL
    Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY.  You can
    redistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
    (http://www.gnu.org/licenses/lgpl-2.1.html).  See User Manual for licensing
    details.
                    Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
                    Cisco Systems, Inc.
                    170 West Tasman Drive
                    San Jose, California 95134-1706
    Insufficient flash space available for this request:
      Size info: request:32 free:0  delta:32
    Could not initialize system files in flash.
    config_fetcher: channel open failed
    ERROR: MIGRATION - Could not get the startup configuration.
    INFO: Power-On Self-Test in process.
    INFO: Power-On Self-Test complete.
    INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_200804300128.log'
    Pre-configure Firewall now through interactive prompts [yes]? n
    Type help or '?' for a list of available commands.
    ciscoasa> en
    Password:
    ciscoasa# format disk0:
    Format operation may take a while. Continue? [confirm]
    Format operation will destroy all data in "disk0:".  Continue? [confirm]
    Initializing partition - done!
    Creating FAT16 filesystem
    mkdosfs 2.11 (12 Mar 2005)
    System tables written to disk
    Format of disk0 complete
    ciscoasa# format disk:
                     ^
    ERROR: % Invalid input detected at '^' marker.
    ciscoasa# format flash:
    Format operation may take a while. Continue? [confirm]
    Format operation will destroy all data in "flash:".  Continue? [confirm]
    Initializing partition - done!

    Yeah...I think I found that one out the hard way already. I'll cross that bridge when I get to it. I want to get this issue fixed before I start thinking about the license issue.
    ciscoasa#
    ciscoasa#
    ciscoasa#
    ciscoasa# sh flash
    --#--  --length--  -----date/time------  path
    2403  0           Apr 30 2008 02:00:56  test
    2285  196         Apr 30 2008 01:28:20  upgrade_startup_errors_200804300128.log
    2283  0           Apr 30 2008 01:28:20  coredumpinfo
    2284  59          Apr 30 2008 01:28:20  coredumpinfo/coredump.cfg
    2280  0           Apr 30 2008 01:27:56  crypto_archive
    2267  0           Apr 30 2008 01:27:38  log
    0 bytes total (0 bytes free)
    ciscoasa#
    ciscoasa#
    ciscoasa#
    ciscoasa# sh disk0
    --#--  --length--  -----date/time------  path
    2403  0           Apr 30 2008 02:00:56  test
    2285  196         Apr 30 2008 01:28:20  upgrade_startup_errors_200804300128.log
    2283  0           Apr 30 2008 01:28:20  coredumpinfo
    2284  59          Apr 30 2008 01:28:20  coredumpinfo/coredump.cfg
    2280  0           Apr 30 2008 01:27:56  crypto_archive
    2267  0           Apr 30 2008 01:27:38  log
    0 bytes total (0 bytes free)
    ciscoasa#

  • I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

    I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
    I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
    I need to allow the following IP addresses to have RDP access to my server:
    66.237.238.193-66.237.238.222
    69.195.249.177-69.195.249.190
    69.65.80.240-69.65.80.249
    My external WAN server info is - 99.89.69.333
    The internal IP address of my server is - 192.168.6.2
    The other server shows up as 99.89.69.334 but is working fine.
    I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
    THE FOLLOWING IS MY CONFIGURATION FILE
    Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
    Also the bolded lines are the modifications I made but that arent working.
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password DowJbZ7jrm5Nkm5B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.89.69.233 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network EMRMC
    network-object 10.1.2.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.11.0 255.255.255.0
    network-object 172.16.0.0 255.255.0.0
    network-object 192.168.9.0 255.255.255.0
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service GMED tcp
    description GMED
    port-object eq 3390
    object-group service MarsAccess tcp
    description MarsAccess
    port-object range pcanywhere-data 5632
    object-group service MarsFTP tcp
    description MarsFTP
    port-object range ftp-data ftp
    object-group service MarsSupportAppls tcp
    description MarsSupportAppls
    port-object eq 1972
    object-group service MarsUpdatePort tcp
    description MarsUpdatePort
    port-object eq 7835
    object-group service NM1503 tcp
    description NM1503
    port-object eq 1503
    object-group service NM1720 tcp
    description NM1720
    port-object eq h323
    object-group service NM1731 tcp
    description NM1731
    port-object eq 1731
    object-group service NM389 tcp
    description NM389
    port-object eq ldap
    object-group service NM522 tcp
    description NM522
    port-object eq 522
    object-group service SSL tcp
    description SSL
    port-object eq https
    object-group service rdp tcp
    port-object eq 3389
    access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
    access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
    access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
    access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
    access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.6.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 68.156.148.5
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    tunnel-group 68.156.148.5 type ipsec-l2l
    tunnel-group 68.156.148.5 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
    : end
    ciscoasa(config-network)#

    Unclear what did not work.  In your original post you include said some commands were added but don't work:
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    and later you state you add another command that gets an error:
    static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
    You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
    The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
    Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
    When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
    After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
    They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
    Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
    3
    Nov 21 2012
    07:11:09
    713061
    Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5
    Nov 21 2012
    07:11:09
    713119
    Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
    I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
    If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
    Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
    I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
    Maybe you could try to change the Encryption Domain configurations a bit and test it then.
    You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

Maybe you are looking for

  • First use of store confusion

    I am at a complete loss. I'm trying to purchase some music for the first time. I opened my account and added a gift card. The 20 balace appeared. When I tried to purchase some music by hitting "buy" a screen appeared to download 7.2. Nothing worked h

  • HD Video server...

    Hi I am the marketing production specialist for a University and I produce photo, video and motion graphic files (mainly 2D). Presantly, my workflow consists of 2 Mac Pro work stations and multiple (like 15) LaCie firewire 800 drives. The project dem

  • How to turn off mobile service and leave wifi on - iPhone 5

    how do I turn off the cellular mobile phone service but leave wifi on when I am travelling (I have a second phone for travel use). Is it really as easy as hitting OFF on cellular in iOS6?

  • Best settings for exporting to play in Windows Media Player on Powerpoint

    I'm trying to export from FCP X by sending clips to Compressor 4.04 however the online lessons on lynda.com - my go-to source - and in Compressor manuals don't appear up-to-date with the actual latest revisions and I'm confused about whether to use Q

  • New Subscription Troubles

    I just bought a monthly subscription and I go to make call and I cannot.. It comes up that I need to buy credit or a subscription...... help