Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?
Dear All,
Anyone do you know Cisco ASA 5510 or 5520 can protect DDos attack ans sync flood ?
I have problem on this, so how can i protect on this, some time i saw on my log like this
"sync flood " or "ddos to xxx.xxx.xxx.xxx" the ip address random .
Please help me to solve this issue?
Best Regards,
Rechard
Hi Rechard..Those are tcp connection values
ip inspect max-incomplete high value (default 500)---------------->embryonic connection upper threshold value
ip inspect max-incomplete low value (default 400)-------------------->embryonic connection lower threshold value
ip inspect one-minute high value (default 500)------------------------>total connection in 1 minute, upper threshold
ip inspect one-minute low value (default 400)--------------------------->total connection in 1 min, lower threshold
ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]
Therefore by implementing IOSFW in your router and tweaking these values you may protect your internal servers from being bombwarded by SYM flood or any DOS flood, keeping in mind if there is a trrue attack then your router will proctect your internal servers however router itself will take a toll on itself, ideally to mitigate an attack the thumb rule is to mitigate by going as close to the source of the attack as possible
you may also want to read:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd804e5098.html
Similar Messages
-
How to configure Cisco ASA 5500 to work with the iPhone
We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
We've setup our first iPhone properly. It connects fine to the network, shows VPN connection as active. Gets a private IP address. But does not let any traffic go to the internal network. We thought it might be DNS problem, but it cannot connect to Exchange server even when using IP address instead of DNS. No luck either.
After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
I noticed that many people are having these problems.
Please do not post to this topic if you have ANY OTHER Cisco device.
Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
Thank you!
Oleg RWe found the solution and a bug in Cisco firmware (seems to be a bug).
First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set iphone esp-3des esp-sha-hmac
crypto ipsec transform-set iphone mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
crypto map outside_map 10 match address vpn
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
group-policy iphone internal
group-policy iphone attributes
wins-server value <insert ip> <insert ip>
dns-server value <insert ip> <insert ip>
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value iphone_splitTunnelAcl
default-domain value <insert domain name>
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
address-pool VPN-Pool
authentication-server-group ActiveDirectory2
default-group-policy iphone
tunnel-group iphone ipsec-attributes
pre-shared-key <insert pre-shared key>
For iPhone you have to be using IPSec tab for configuration.
We tried to set up this config using the wizards, but it would not work.
Later it turned out that wizards by default set this setting:
"crypto isakmp nat-traversal 20"
equal to zero and there is no way to change it from the GUI.
Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
Please let me know how it works out for you.
Message was edited by: Rogik
Message was edited by: Rogik -
How we archieve configuration for Cisco ASA 5500 series appliances
Hi,
We need to archieve configuration for Cisco ASA 5500 series appliances.
We have Cisco works LMS 3.0.1.
Device package installed is 4.2
Any help would be appricated.
Thanks in advance.
SamirHi ,
Thanks for your answer.
Right now we are using TACAS to login in to the ASA. That means we need single username and password to login via
Cisoworks. Am I correct ?
Waiting for your reply.
thanks,
Samir -
Does Cisco ASA support android ?
Dear all,
Does Cisco ASA 5505 support android ? for smartnet phone and other systerm use anddroid.?
Best Regards,
RechardRechard,
Just adding my two cents:
ASA and Native L2TP-IPSec Android Client Configuration Example
Android and L2TP/IPsec Clients
AnyConnect Mobile License
HTH.
Message was edited by: Javier Portuguez -
Cannot ping inside IP behind sonicwall from Cisco ASA 5500
I have a sonicwall at site B and the cisco asa5500 at the main office. (site A)
The site to site VPN is working, but I can not ping the inside ip (10.1.5.2) of the sonic wall from Site A. I need this only to access the computers behind the sonicwall for remote desktop and dameware.
I have another office that also has a sonicwall (same config) and I can ping that inside IP from Site A.
I can not see why I can ping one site and not the other.
What needs to be configured on the ASA 5500 to be able to ping inside the sonicwall at site B?
I prefer the wizard over the CLI.
Thanks,Hi
AFAIK No you can not make vpn, transparent and routing in the same unit.
I would not want the DMZ and the outside interface to have overlapping ip address ranges.
logging and trying to keep track of it all would be way to confusing for me.
so what I would do is to split the external network into two network units (/25) and move all the units that can be moved to a dmz with rfc1918 addresses.
The units that can not be moved from the external network would have to stay put "for now" in another dmz with the 190 addresses /25
This would need the isp to change their routing table in the edge equipment, the lower (or upper) part of 190.X.X.X/25 would be the dmz and needs to be routed to the firewall ip address.
Then as time passes by the DMZ will be depopulated when equipment is moved out and replaced and in the end you will have the isp to merge the two 190.x.x.x/25 address ranges to one /24 and you will be back to todays setup but with all the servers in a rfc1918 network.
Do not use NAT, use PAT instead when it comes to the ip addresses translated from the internet side. it makes for a much more secure network and you do not need as much ip addresses (in a normal case)
With NAT you are translating the whole ip address but with PAT you translate the port so you can have ip X port 25 go to ip Y and port 25 and then you can have ip X port 80 go to ip Z port 80 or maybe 8080 or what ever port you want.
good luck
HTH -
How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?
Hello there!
I´ve been desinging a solution to protect de Server Farm and I intend to use the ASA 5500 series with AIP-SSM module. There´s any tool to determine the real throughput that I need? I mean, how to determine the performance (Firewall + IPS throughput), what main points I should consinder?If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
Do not average your traffic over too great a time peroid, you will miss busy hour peaks. At most, use 5 min averages.
- Bob -
Cisco ASA 5505 - Can't Login from Public & Local IP Anymore!
Hello,
We've a Cisco ASA 5505 connected directly to Verizon FiOS Circuit (ONT) box using Ethernet cable. As per the existing documention that I have, the previous configured this as a dedicated router to establish a seperate VPN connection our software provider. They assigned both Public Static and Local Static IP address. When I try to ping the public IP address, it says request time out; so the public IP address is no longer working.
When I ping the local IP address of 192.168.100.11, it responds. The SolarWind tool also shows Always UP signal. How can I login into this router either from remotely or locally to check the configuration, backup and do the fimrware upgrade?
I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to Internet without any issues. However I don't know the IP address to use to login.
Any advice would be greatly appreciated. Thank you.
UPDATE: I'm able to find the way! I need to use https to login! I'm able to download ASDM tool and login! Thanks to these resources:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
http://cyruslab.wordpress.com/2010/09/09/how-to-download-asdm-from-asa5505-and-install-it/Hi Srinath,
If that ASA5505 has factory-default configuration on it , then it probably has 192.168.1.1 ip address on the LAN side and has got dhcp server turned on to provide you ip address dynamically the moment you hook up a machine to it directly or through a switch.
If you've access to ASDM.
You can go the Configuration Tab>>Device Management>>Device Access and turn on the SSH & Telnet from the LAN interface because by default only HTTPS/ASDM is enabled on LAN interface.
You will still need to generate crypto keys and create a username in order to get ssh working
For this you can click at the TOP at TOOLS>> Command Line Interface.
And in the box below type this
crypto key generate rsa modulus 1024
add a username
username <> password <> priv 15
and enable aaa authentication for ssh like this
aaa authentication ssh console LOCAL
Let me know if this helps.
Puneet -
Does Cisco ASA understand every Sun RPC applicactions?
We have a customized program using Sun RPC. The server is located on lower security interface, client on higher security interface (sorry, have to do this)
If we give IP any any rules on lower security interface, by examine all relative packets by wireshark, this program seems do all normal Sun RPC activities: client use a ephemeral port call server's 111 port, get portmap, end TCP session. Then client start a new TCP session and talk to server using this negotiated ports.
However, if we remove the ip any any rules on lower security interface (server side), we can only observe the port negotiation TCP session. The firewall seems forgot the negotiated ports and blocks all server to client (low to high) packets.
When we test this for NFS which is also using Sun RPC protocol, with the same interfaces and settings (client interface(security level 100) - ip any any, server interface (security level 0) - deny all), everything works fine. All packets pass the firewall and connection is stateful. All works good.
I don't really understand why this is happening, since all connection initialized by client side (higher security level) using only TCP, every thing should pass through and stateful.
The ONLY ABNOMORMAL thing about our customized program is: it using random port from 600-1000 as source negotiate port to talk to server ephemeral ports (32000-61000) for transfering data. And, the connection is through VPN. (there is no special rules or inspections used for VPN connection, without deny all on server side (low security interface), every thing works fine)
Is Cisco ASA 5510 doesn't support our Sun RPC application or is there anything I did is wrong?
Thanks for any help!Just find out: It is because of VPN. VPN will not automatical allow TCP packets coming back. Is there any solution for that? Or any options I can tune wiht VPN settings?
-
Doese Cisco ASA 5500 has module increase performance VPN?
Dear All,
Doese Cisco ASA 5510 and 5505 has module for increase performance VPN ?
Best Regards,
RechardRechard,
There is one built into every ASA. If you need better performance because you're limited by engine performance... you need to most likely move up to a bigged model.
Here is the datasheet for reference:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
M. -
Fairly new to cisco ASA 5505 - Can someone look through my config?
Hi.
Can some one tell me if I did the NAT part right? Both dynamic and static.
To be able to reach one vlan from another I created a Nat between them, is this the right way to do it?
I can still limit the access between the vlans based on the access list.
I also getting slow throughput over the VPN tunnel. Is there something wrong with my config. I used the wizard to set it up. There is also a cisco asa5505 on the other end.
If there is some thing else that seems wrong, please let me know.
Any help would be greatfully appreciated!
Config:
: Saved
ASA Version 7.2(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
names
name 192.168.1.250 DomeneServer
name 192.168.1.10 NotesServer
name 192.168.1.90 OvServer
name 192.168.1.97 TerminalServer
name 192.168.1.98 w8-eyeshare
name 192.168.50.10 w8-print
name 192.168.1.94 w8-app
name 192.168.1.89 FonnaFlyMedia
interface Vlan1
nameif Vlan1
security-level 100
ip address 192.168.200.100 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address 79.x.x.226 255.255.255.224
ospf cost 10
interface Vlan400
nameif vlan400
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
interface Vlan450
nameif Vlan450
security-level 100
ip address 192.168.210.1 255.255.255.0
ospf cost 10
interface Vlan460
nameif Vlan460-SuldalHotell
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
interface Vlan461
nameif Vlan461-SuldalHotellGjest
security-level 100
ip address 192.168.3.1 255.255.255.0
ospf cost 10
interface Vlan462
nameif Vlan462-Suldalsposten
security-level 100
ip address 192.168.4.1 255.255.255.0
ospf cost 10
interface Vlan470
nameif vlan470-Kyrkjekontoret
security-level 100
ip address 192.168.202.1 255.255.255.0
ospf cost 10
interface Vlan480
nameif vlan480-Telefoni
security-level 100
ip address 192.168.20.1 255.255.255.0
ospf cost 10
interface Vlan490
nameif Vlan490-QNapBackup
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
interface Vlan500
nameif Vlan500-HellandBadlands
security-level 100
ip address 192.168.30.1 255.255.255.0
ospf cost 10
interface Vlan510
nameif Vlan510-IsTak
security-level 100
ip address 192.168.40.1 255.255.255.0
ospf cost 10
interface Vlan600
nameif Vlan600-SafeQ
security-level 100
ip address 192.168.50.1 255.255.255.0
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 500
switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
switchport mode trunk
interface Ethernet0/3
switchport access vlan 490
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd x encrypted
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Lotus_Notes_Utgaaande tcp
description Frim Notes og ut til alle
port-object eq domain
port-object eq ftp
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq pop3
port-object eq pptp
port-object eq smtp
object-group service Lotus_Notes_inn tcp
description From alle og inn til Notes
port-object eq www
port-object eq lotusnotes
port-object eq pop3
port-object eq smtp
object-group service Reisebyraa tcp-udp
port-object range 3702 3702
port-object range 5500 5500
port-object range 9876 9876
object-group service Remote_Desktop tcp-udp
description Tilgang til Remote Desktop
port-object range 3389 3389
object-group service Sand_Servicenter_50000 tcp-udp
description Program tilgang til Sand Servicenter AS
port-object range 50000 50000
object-group service VNC_Remote_Admin tcp
description Frå oss til alle
port-object range 5900 5900
object-group service Printer_Accept tcp-udp
port-object range 9100 9100
port-object eq echo
object-group icmp-type Echo_Ping
icmp-object echo
icmp-object echo-reply
object-group service Print tcp
port-object range 9100 9100
object-group service FTP_NADA tcp
description Suldalsposten NADA tilgang
port-object eq ftp
port-object eq ftp-data
object-group service Telefonsentral tcp
description Hoftun
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq telnet
object-group service Printer_inn_800 tcp
description Fra 800 nettet og inn til 400 port 7777
port-object range 7777 7777
object-group service Suldalsposten tcp
description Sending av mail vha Mac Mail programmet - åpner smtp
port-object eq pop3
port-object eq smtp
object-group service http2 tcp
port-object range 81 81
object-group service DMZ_FTP_PASSIVE tcp-udp
port-object range 55536 56559
object-group service DMZ_FTP tcp-udp
port-object range 20 21
object-group service DMZ_HTTPS tcp-udp
port-object range 443 443
object-group service DMZ_HTTP tcp-udp
port-object range 8080 8080
object-group service DNS_Query tcp
port-object range domain domain
object-group service DUETT_SQL_PORT tcp-udp
description For kobling mellom andre nett og duett server
port-object range 54659 54659
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list vlan400_access_in extended deny ip any host 149.20.56.34
access-list vlan400_access_in extended deny ip any host 149.20.56.32
access-list vlan400_access_in extended permit ip any any
access-list Vlan450_access_in extended deny ip any host 149.20.56.34
access-list Vlan450_access_in extended deny ip any host 149.20.56.32
access-list Vlan450_access_in extended permit ip any any
access-list Vlan460_access_in extended deny ip any host 149.20.56.34
access-list Vlan460_access_in extended deny ip any host 149.20.56.32
access-list Vlan460_access_in extended permit ip any any
access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host OvServer object-group http2
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600
access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT
access-list Vlan500_access_in extended deny ip any host 149.20.56.34
access-list Vlan500_access_in extended deny ip any host 149.20.56.32
access-list Vlan500_access_in extended permit ip any any
access-list vlan470_access_in extended deny ip any host 149.20.56.34
access-list vlan470_access_in extended deny ip any host 149.20.56.32
access-list vlan470_access_in extended permit ip any any
access-list Vlan490_access_in extended deny ip any host 149.20.56.34
access-list Vlan490_access_in extended deny ip any host 149.20.56.32
access-list Vlan490_access_in extended permit ip any any
access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan1_access_out extended permit ip any any
access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan1_access_out extended deny ip any any
access-list Vlan1_access_out extended permit icmp any any echo-reply
access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP
access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop
access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan480_access_out extended permit ip any any
access-list Vlan510_access_in extended permit ip any any
access-list Vlan600_access_in extended permit ip any any
access-list Vlan600_access_out extended permit icmp any any
access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_in_1 extended permit ip any any
access-list Vlan461_access_in extended permit ip any any
access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list Vlan462-Suldalsposten_access_in extended permit ip any any
access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Vlan1 1500
mtu outside 1500
mtu vlan400 1500
mtu Vlan450 1500
mtu Vlan460-SuldalHotell 1500
mtu Vlan461-SuldalHotellGjest 1500
mtu vlan470-Kyrkjekontoret 1500
mtu vlan480-Telefoni 1500
mtu Vlan490-QNapBackup 1500
mtu Vlan500-HellandBadlands 1500
mtu Vlan510-IsTak 1500
mtu Vlan600-SafeQ 1500
mtu Vlan462-Suldalsposten 1500
no failover
monitor-interface Vlan1
monitor-interface outside
monitor-interface vlan400
monitor-interface Vlan450
monitor-interface Vlan460-SuldalHotell
monitor-interface Vlan461-SuldalHotellGjest
monitor-interface vlan470-Kyrkjekontoret
monitor-interface vlan480-Telefoni
monitor-interface Vlan490-QNapBackup
monitor-interface Vlan500-HellandBadlands
monitor-interface Vlan510-IsTak
monitor-interface Vlan600-SafeQ
monitor-interface Vlan462-Suldalsposten
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan400) 0 access-list vlan400_nat0_outbound
nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255
static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns
static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255
static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255
static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255
static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
access-group Vlan1_access_out out interface Vlan1
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan400_access_in in interface vlan400
access-group vlan400_access_out out interface vlan400
access-group Vlan450_access_in in interface Vlan450
access-group Vlan450_access_out out interface Vlan450
access-group Vlan460_access_in in interface Vlan460-SuldalHotell
access-group Vlan460_access_out out interface Vlan460-SuldalHotell
access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest
access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest
access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
access-group vlan470_access_out out interface vlan470-Kyrkjekontoret
access-group vlan480_access_out out interface vlan480-Telefoni
access-group Vlan490_access_in in interface Vlan490-QNapBackup
access-group Vlan490_access_out out interface Vlan490-QNapBackup
access-group Vlan500_access_in in interface Vlan500-HellandBadlands
access-group Vlan500_access_out out interface Vlan500-HellandBadlands
access-group Vlan510_access_in in interface Vlan510-IsTak
access-group Vlan510_access_out out interface Vlan510-IsTak
access-group Vlan600_access_in_1 in interface Vlan600-SafeQ
access-group Vlan600_access_out out interface Vlan600-SafeQ
access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten
access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten
route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username x password x encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 Vlan450
http 192.168.200.0 255.255.255.0 Vlan1
http 192.168.1.0 255.255.255.0 vlan400
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 62.92.159.137
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable vlan400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 62.92.159.137 type ipsec-l2l
tunnel-group 62.92.159.137 ipsec-attributes
pre-shared-key *
telnet 192.168.200.0 255.255.255.0 Vlan1
telnet 192.168.1.0 255.255.255.0 vlan400
telnet timeout 5
ssh 171.68.225.216 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd update dns both
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside
dhcpd address 192.168.1.100-192.168.1.225 vlan400
dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400
dhcpd option 3 ip 192.168.1.1 interface vlan400
dhcpd enable vlan400
dhcpd address 192.168.210.100-192.168.210.200 Vlan450
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
dhcpd option 3 ip 192.168.210.1 interface Vlan450
dhcpd enable Vlan450
dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell
dhcpd enable Vlan460-SuldalHotell
dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest
dhcpd enable Vlan461-SuldalHotellGjest
dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
dhcpd enable vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup
dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands
dhcpd enable Vlan500-HellandBadlands
dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak
dhcpd enable Vlan510-IsTak
dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
dhcpd enable Vlan600-SafeQ
dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten
dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten
dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten
dhcpd enable Vlan462-Suldalsposten
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
prompt hostname context
Cryptochecksum:x
: endI was just wondering if this is the way to do the "connection" between vlans.. or should it be routed?
The traffic between the vlan is working as intended. There are not much traffice only some RDP connection and some printing jobs.
But i'm getting some of these errors: (not alle like this, but portmap translation creation failed)
305006 192.168.10.200 portmap translation creation failed for udp src Vlan460-SuldalHotell:192.168.2.112/59133 dst Vlan490-QNapBackup:192.168.10.200/161
I did the sh interface commends:
Result of the command: "sh interface"
Interface Vlan1 "Vlan1", is down, line protocol is down
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.200.100, subnet mask 255.255.255.0
Traffic Statistics for "Vlan1":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 79.x.x.226, subnet mask 255.255.255.224
Traffic Statistics for "outside":
1780706730 packets input, 1221625431570 bytes
1878320718 packets output, 1743030863134 bytes
5742216 packets dropped
1 minute input rate 558 pkts/sec, 217568 bytes/sec
1 minute output rate 803 pkts/sec, 879715 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 621 pkts/sec, 482284 bytes/sec
5 minute output rate 599 pkts/sec, 428957 bytes/sec
5 minute drop rate, 1 pkts/sec
Interface Vlan400 "vlan400", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
Traffic Statistics for "vlan400":
1093422654 packets input, 1191121436317 bytes
784209789 packets output, 374041914789 bytes
11465163 packets dropped
1 minute input rate 751 pkts/sec, 870445 bytes/sec
1 minute output rate 462 pkts/sec, 116541 bytes/sec
1 minute drop rate, 11 pkts/sec
5 minute input rate 474 pkts/sec, 415304 bytes/sec
5 minute output rate 379 pkts/sec, 197861 bytes/sec
5 minute drop rate, 7 pkts/sec
Interface Vlan450 "Vlan450", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.210.1, subnet mask 255.255.255.0
Traffic Statistics for "Vlan450":
139711812 packets input, 27519985266 bytes
202793062 packets output, 233679075458 bytes
12523100 packets dropped
1 minute input rate 68 pkts/sec, 9050 bytes/sec
1 minute output rate 83 pkts/sec, 88025 bytes/sec
1 minute drop rate, 6 pkts/sec
5 minute input rate 145 pkts/sec, 15068 bytes/sec
5 minute output rate 241 pkts/sec, 287093 bytes/sec
5 minute drop rate, 6 pkts/sec
Interface Vlan460 "Vlan460-SuldalHotell", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.2.1, subnet mask 255.255.255.0
Traffic Statistics for "Vlan460-SuldalHotell":
177971988 packets input, 161663208458 bytes
193137004 packets output, 137418896469 bytes
4003957 packets dropped
1 minute input rate 13 pkts/sec, 2295 bytes/sec
1 minute output rate 14 pkts/sec, 15317 bytes/sec
1 minute drop rate, 2 pkts/sec
5 minute input rate 4 pkts/sec, 794 bytes/sec
5 minute output rate 1 pkts/sec, 477 bytes/sec
5 minute drop rate, 2 pkts/sec
Interface Vlan461 "Vlan461-SuldalHotellGjest", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.3.1, subnet mask 255.255.255.0
Traffic Statistics for "Vlan461-SuldalHotellGjest":
332909692 packets input, 351853184942 bytes
312038518 packets output, 156669956740 bytes
583171 packets dropped
1 minute input rate 0 pkts/sec, 6 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 6 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan462 "Vlan462-Suldalsposten", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.4.1, subnet mask 255.255.255.0
Traffic Statistics for "Vlan462-Suldalsposten":
33905 packets input, 14303320 bytes
28285 packets output, 27536357 bytes
10199 packets dropped
1 minute input rate 0 pkts/sec, 6 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 6 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan470 "vlan470-Kyrkjekontoret", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.202.1, subnet mask 255.255.255.0
Traffic Statistics for "vlan470-Kyrkjekontoret":
12176257 packets input, 4305665570 bytes
10618750 packets output, 5982598969 bytes
974796 packets dropped
1 minute input rate 2 pkts/sec, 770 bytes/sec
1 minute output rate 1 pkts/sec, 861 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2 pkts/sec, 708 bytes/sec
5 minute output rate 1 pkts/sec, 980 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan480 "vlan480-Telefoni", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.20.1, subnet mask 255.255.255.0
Traffic Statistics for "vlan480-Telefoni":
246638 packets input, 43543149 bytes
10 packets output, 536 bytes
226674 packets dropped
1 minute input rate 0 pkts/sec, 126 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 56 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan490 "Vlan490-QNapBackup", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.10.1, subnet mask 255.255.255.0
Traffic Statistics for "Vlan490-QNapBackup":
137317833 packets input, 6066713912 bytes
223933623 packets output, 263191563744 bytes
531738 packets dropped
1 minute input rate 0 pkts/sec, 135 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 68 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan500 "Vlan500-HellandBadlands", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.30.1, subnet mask 255.255.255.0
Traffic Statistics for "Vlan500-HellandBadlands":
30816778 packets input, 4887486069 bytes
42403099 packets output, 47831750415 bytes
948717 packets dropped
1 minute input rate 3 pkts/sec, 707 bytes/sec
1 minute output rate 3 pkts/sec, 3459 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 23 bytes/sec
5 minute output rate 0 pkts/sec, 31 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan510 "Vlan510-IsTak", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.40.1, subnet mask 255.255.255.0
Traffic Statistics for "Vlan510-IsTak":
1253148 packets input, 245364736 bytes
1225385 packets output, 525528101 bytes
161567 packets dropped
1 minute input rate 0 pkts/sec, 6 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 6 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan600 "Vlan600-SafeQ", is up, line protocol is up
Hardware is EtherSVI
MAC address 001d.453a.ea0e, MTU 1500
IP address 192.168.50.1, subnet mask 255.255.255.0
Traffic Statistics for "Vlan600-SafeQ":
1875377 packets input, 1267279709 bytes
1056139 packets output, 290728055 bytes
521943 packets dropped
1 minute input rate 0 pkts/sec, 165 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 178 bytes/sec
5 minute output rate 0 pkts/sec, 9 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001d.453a.ea06, MTU not set
IP address unassigned
1782670655 packets input, 1256666911856 bytes, 0 no buffer
Received 95709 broadcasts, 0 runts, 0 giants
1978 input errors, 1978 CRC, 0 frame, 0 overrun, 1978 ignored, 0 abort
0 L2 decode drops
17179928790 switch ingress policy drops
1878320261 packets output, 1778955488577 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/2 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001d.453a.ea08, MTU not set
IP address unassigned
1790819459 packets input, 1783854920873 bytes, 0 no buffer
Received 27571913 broadcasts, 0 runts, 0 giants
614 input errors, 614 CRC, 0 frame, 0 overrun, 614 ignored, 0 abort
0 L2 decode drops
19768 switch ingress policy drops
1547507675 packets output, 991527977853 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/3 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001d.453a.ea09, MTU not set
IP address unassigned
137318166 packets input, 9176625008 bytes, 0 no buffer
Received 290030 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
335 switch ingress policy drops
223933623 packets output, 267222625073 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops -
Cisco ASA 5505 can ping gateway but can't ping internet
Good day to all!
Sorry if I post this on the wrong group, I am having a bit of a problem on configuring an ASA 5505 firewall. And I scoured google but can't seem to find a specific link to my issues.
It is on a routed mode, have successfully configured inside and outside vlans. Hosts inside vlan can ping each other. Hosts on outside vlan can also ping each other. Problem is, when I am pinging 8.8.8.8, I received ????? Please see config below.
Any help greatly appreciated.
TIA!
: Saved
ASA Version 8.4(3)
hostname ciscoasan
enable password bD3fGYMFeJJTATOJ encrypted
passwd 2KF1w9ErdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description INSIDE
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
interface Vlan2
description OUTSIDE
nameif outside
security-level 0
ip address 203.127.68.2 255.255.255.240
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.127.68.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6b3e0ce99eda3d2563cf9f392f8001b7
: endHi badingdong,
Remove these lines:
no nat (inside,outside) after-auto source dynamic any interface
no access-group outside_access_in in interface outside
If you have more inside subnets need access to internet, please make sure that you have a static route in place as shown below.
route inside 10.0.0.0 255.0.0.0 10.10.10.1
Also make sure that you have a correct DNS server is assigned on your internal hosts.
Thanks
Rizwan Rafeek -
Help with Cisco ASA 5500 and NAS drives
Hello:
I have 2 My Book World Edition II NAS drives. They both are configured to use a static IP address and both are on the same workgroup.
One of them is supposed to be replaced with a newer one that I just installed yesterday.
What I am trying to do is to transfer all the information from NAS1 to NAS2.
Both are connected to a Cisco VPN router.
I created a batch file that was basically several xcopy commands to copy all the information from NAS1 to NAS2.
As this process was going to take like 8 hours I ran the batch file yesterday at 4:00PM when everyone was logged off the NAS drives.
To my surprise this morning I found out that only a portion of the files were copied from the NAS1 to the NAS2.
After reading the system logs of the NAS1 drive I found a lot of errors.For example:
getpeername failed. Error was Transport endpoint is not connected
Error writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
Error writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
Error writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
Error writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
getpeername failed. Error was Transport endpoint is not connected
Someone suggested that the problem has to do with the network configuration.
The suggestion was to change from "auto-negotiate" to Full Duplex 100 on the Cisco VPN router configuration.
What do you think? Could this be the problem?
Thanks and help is greatly appreciated.Hello:
I have 2 My Book World Edition II NAS drives. They both are configured to use a static IP address and both are on the same workgroup.
One of them is supposed to be replaced with a newer one that I just installed yesterday.
What I am trying to do is to transfer all the information from NAS1 to NAS2.
Both are connected to a Cisco VPN router.
I created a batch file that was basically several xcopy commands to copy all the information from NAS1 to NAS2.
As this process was going to take like 8 hours I ran the batch file yesterday at 4:00PM when everyone was logged off the NAS drives.
To my surprise this morning I found out that only a portion of the files were copied from the NAS1 to the NAS2.
After reading the system logs of the NAS1 drive I found a lot of errors.For example:
getpeername failed. Error was Transport endpoint is not connected
Error writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
Error writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
Error writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
Error writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
writing 4 bytes to client. -1. (Connection reset by peer)
write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
getpeername failed. Error was Transport endpoint is not connected
Someone suggested that the problem has to do with the network configuration.
The suggestion was to change from "auto-negotiate" to Full Duplex 100 on the Cisco VPN router configuration.
What do you think? Could this be the problem?
Thanks and help is greatly appreciated. -
Setting up site to site vpn with cisco asa 5505
I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
IP of remote office router is 71.37.178.142
IP of the main office firewall is 209.117.141.82
Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password TMACBloMlcBsq1kp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username [email protected] password ********* store-local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
: end
ciscoasa#
Thanks!Hi Mandy,
By using following access list define Peer IP as source and destination
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
you are not defining the interesting traffic / subnets from both ends.
Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
!.1..source subnet(called local encryption domain) at your end 192.168.200.0
!..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
!..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
!...at your end 192.168.200.0
!..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
!...at other end 192.168.100.0
Please use Baisc Steps as follows:
A. Configuration in your MAIN office having IP = 209.117.141.82 (follow step 1 to 6)
Step 1.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
Step 2.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 3.
Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 71.37.178.142
or , but not both
crypto isakmp key 6 CISCO123 address71.37.178.142
step 4.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 5.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 6.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Configure the same but just change ACL on other end in step one by reversing source and destination
and also set the peer IP of this router in other end.
So other side config should look as follows:
B. Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
Step 7.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
Step 8.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 9.
Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 209.117.141.82
or , but not both
crypto isakmp key 6 CISCO123 address 209.117.141.82
step 10.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 11.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set, only one is permissible
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 12.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Now initite a ping
Here is for your summary:
IPSec: Site to Site - Routers
Configuration Steps
Phase 1
Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
Step 2: Configure ISAKMP Policy
Step 3: Configure ISAKMP Key
Phase 2
Step 4: Configure Transform Set
Step 5: Configure Crypto Map
Step 6: Apply Crypto Map to an Interface
To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
Router#debug crpyto isakmp
Router#debug crpyto ipsec
Router(config)# logging buffer 7
Router(config)# logging buffer 99999
Router(config)# logging console 6
Router# clear logging
Configuration
In R1:
(config)# access-list 101 permit ipo host 10.1.1.1 host 10.1.2.1
(config)# crypto isakmp policy 10
(config-policy)# encryption 3des
(config-policy)# authentication pre-share
(config-policy)# group 2
(config-policy)# hash sha1
(config)# crypto isakmp key 0 cisco address 2.2.2.1
(config)# crypto ipsec transform-set TSET esp-3des sha-aes-hmac
(config)# crypto map CMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 2.2.2.1
(config-crypto-map)# match address 101
(config-crypto-map)# set transform-set TSET
(config)# int f0/0
(config-if)# crypto map CMAP
Similarly in R2
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Change to Transport Mode, add the following command in Step 4:
(config-tranform-set)# mode transport
Even after doing this change, the ipsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to ACL.
Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
(config)# crypto isakmp peer address 2.2.2.1
(config-peer)# set aggressive-mode password cisco
(config-peer)# set aggressive-mode clien-endpoint ipv4-address 2.2.2.1
Similarly on R2.
The below process is for the negotiation using RSA-SIG (PKI) as authentication type
Debug Process:
After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase1) negotiation. Important messages are marked in BOLD and explanation in RED
R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Mar 2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in Security Association Database (SADB)
Mar 2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar 2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar 2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar 2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar 2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE
Mar 2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar 2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar 2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar 2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:18:42.947: ISAKMP: encryption 3DES-CBC
Mar 2 16:18:42.947: ISAKMP: hash SHA
Mar 2 16:18:42.947: ISAKMP: default group 2
Mar 2 16:18:42.947: ISAKMP: auth RSA sig
Mar 2 16:18:42.947: ISAKMP: life type in seconds
Mar 2 16:18:42.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar 2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar 2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar 2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:43.007: Choosing trustpoint CA_Server as issuer
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar 2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar 2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.011: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : R2
protocol : 17
port : 500
length : 10
Mar 2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar 2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar 2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar 2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar 2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : ASA1
protocol : 0
port : 0
length : 12
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar 2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar 2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar 2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar 2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar 2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar 2 16:18:43.067: ISAKMP:received payload type 17
Mar 2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar 2 16:18:43.067: ISAKMP:(1008):SA authentication status:
authenticated
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/, and inserted successfully 46519678. // SA inserted into SADB
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar 2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar 2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar 2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar 2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar 2 16:18:43.079: ISAKMP: attributes in transform:
Mar 2 16:18:43.079: ISAKMP: SA life type in seconds
Mar 2 16:18:43.079: ISAKMP: SA life duration (basic) of 3600
Mar 2 16:18:43.079: ISAKMP: SA life type in kilobytes
Mar 2 16:18:43.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 2 16:18:43.079: ISAKMP: encaps is 1 (Tunnel)
Mar 2 16:18:43.079: ISAKMP: authenticator is HMAC-SHA
Mar 2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar 2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Kindly rate if you find the explanation useful !!
Best Regards
Sachin Garg -
Cisco ASA 5500x with FirePower logging & syslog Format/reference
Hello everyone,
Can anyone explain how Cisco ASA 5500x Firepower logging works?
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/white_paper_c11-532091.html
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-architecture/sbaSIEM_deployG.pdf
I referred above links and found syslog for botnet filtering.
ASA-4-338002: Dynamic filter permitted black listed TCP traffic from inside: 10.1.1.45/6798 (209.165.201.1/7890) to outside: 209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
It is cisco asa 5500 log. is it same for Firepower? If yes, is Firepower generate syslog for all events like this?
Please refer me syslog reference guide for Cisco ASA 5500x Firepower if exist.
Thanks & Regards
RevathiFirepower logging is to a Firesight management center (FMC) via https. It does not use SDEE.
Just like the old IPS, syslog messages are only about the module status, not about actual IPS events. -
Guys,
Can you help me,
I am confuse about why Cisco ASA Transparant can't support QoS, Do transparant ASA don't traverse traffic with QoS tagging or they (transparant ASA) traverset traffic with QoS but don't support QoS modification/implementation in Cisco like traffic shapping, Queque management ?
Best Regards,
Rizal FerdiyanHi Rizal,
Packets take a different code path internally when the ASA is in transparent mode versus routed mode and this path does not include QoS support. Your best bet would be to implement this on the switch connected to the ASA, or another device upstream.
I would also suggest contacting your Cisco account team and asking that a product enhancement request be filed if this is a requirement for you.
-Mike
Maybe you are looking for
-
Checking rows in One Table versus another Table.
I have 2 Tables. Table1 contains 100 rows Table2 contains 85 rows I need to check if a row from Table2 doesnt not exist as a row in Table1 The composite primary key is for both tables are: id_entity,id_object How can I use the NOT exists operator to
-
BW 3.5 Web Service set up error
Hello, I am trying to set up SAP BI Webservice for XML Query Result Set on BW 3.5. When I try to maintain the external aliases (SICF) for my default host, I get the following error: Target service not available - repair table Message no. SR053 Does a
-
Sending to multiple addresses and using BCC
I'm using Mail and Address book to send a basic email (no images or anything like that) to my mailing list. I beleive my server (Sympatico) has a restriction on the number of recipients - 99. But I'm sending to less than that. When I put the addresse
-
Double in Scientific Notation after Marshal
Hi, I have an element defined as an xsd:double. If I try and place a value say 100 into the element and then I marshal it I get an output of <Quantity>100.0</Quantity>... That is fine.... However, if I put a value in of say 1000000000, I get an outpu
-
while playing scrabble on my iphone, a message appears that i have to log in to orgins again, that my time expired. When I try to log in, it reads..auto log in...then it never finishes logging in....what can i do to login to orgins and stay logged i