Problem Packet Flow through Cisco ASA Firewall

I have a Cisco ASA 5540 8.2(1), with permit ip any any rules
packet-tracer input inside tcp 10.56.149.129 871 10.40.170.10 3003
show
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1374599592, using existing flow
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
if you change the source or destination port, the packet is successfully
clear conn did not help
please tell me how to solve the problem?

Hi,
I would suggest sharing the firewall configuration (except for any sensitive information they might have) so troubleshooting this would be easier.
It would seem to me that during your "packet-tracer" test there is already an existing traffic flow through the ASA with the same information that you entered in the command.
I don't know however why the connection would be blocked according to the "packet-tracer". In my own test this seemed to work. Output was otherwise the same but the "connection" wasnt dropped.
- Jouni

Similar Messages

  • Hi, I am getting the following error while booting up cisco asa firewall .

    Hi,
    I'm getting the following error form console when booting up Cisco ASA firewall...
    How do we determine the issue if its hardware or software related?
    ERROR: Type:2; Severity:80; Class:1; Subclass:3; Operation: 3

    Dear Ravi,
    You are getting the message of time out because you must be loading huge volume of data and BW runs for a specific peroid of time and then it gives a dump with message as processing is overdue.what you can do is first you should drop the indexes of the cube and then you should manually load the data-packets.I think you can again load the failed data package.select the failed data package in the monitor screen.then go to edit(on upper left next to monitor).In Edit select Init update then select "settings for further update" now select that process should be run in the background.Now right click on the failed datapacket and select Manual update.
    Hope this works for you.
    With Regards,
    Prafulla

  • Configure our own Public IP pool on Cisco ASA firewall

    Hey everyone,
    I need some assistance on the below requirement...Today we have only one internet circuit connected with our external firewall where we are using /26 public IP address for all external traffic. Now we managed to obtain our own subnet (/24) from ARIN and would like to configure on the firewall/internet router for all external services. Is my approach right in order to configure our own subnet on the firewall?
    1. Create a dedicated interface on the Cisco ASA firewall for new public pool...if there is no free interface; then virtual interface also should be fine.
    2. Make sure an appropriate route towards Internet router ( or create default route towards OUTSIDE interface)
    3. Speak to Internet service provider and explain that you are planning to use this specific public IP address on your n/w and ask them to publish in their BGP world with proper prefix#
    4.Implement one external static NAT and make sure everything works as expected.
    Thanks in advance Network Experts!!!
    Regards
    VGS

    You have the basics. but I do have a couple comments / questions
    1. What ASA are you running? If you do not have a free interface and plan to create subinterfaces, you will need to remove the configuration of one of the interfaces, then create subinterfaces and then re-apply the configuration you removed to one of the subinterfaces there...So, why not just overwrite the existing external interface?  Also, keep in mind that the ASA does not support two default routes.  (though I have heard some rumours that this might be added to the 9.3 release, but I have not had this confirmed)
    4. You don't really say what you are going to use this new setup for, but if you are using it for internet then adding just a static NAT will not be enough, you will also need a dynamic NAT.
    Please remember to select a correct answer and rate helpful posts

  • I Want Buy Cisco ASA Firewall Supporting SIP

    Hello Guys I want to buy cisco ASA Firewall , that support SIP and Session Border Controller  (SBC) So please can any one tell me the most power full that support this protocols ,, Than you guys

    Hi Vijay,
    If can be done but you need any network management software. I personally dont think you can ask your ask to send mails. ASA can trigger alert to a SNMP configured server which will intern send mail to you 
    HTH,

  • How to display date for each packet in a Cisco ASA packet capture

    Hello,
    Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?
    When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet?  I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export. 
    Sample capture below.  Time is displayed but not the date of the packet capture.  Issuing command "sh cap test detail" doesn't show the date either.  I checked on an ASA running v9 and it also doesn't show the date in the packet capture.
    ASA5505# sh cap test
       1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x:  udp 404
       2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53:  udp 37
       3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082:  udp 53
       4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500:  udp 404
       5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
       6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
    Thanks for any help.
    Joe

    Hi,
    I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information
    For example
    copy /pcap capture:test tftp://x.x.x.x/test.pcap
    This should copy the current data in the capture to the mentioned location with the mentioned filename.
    I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that can not be formed. Its a lot easier to go through bigger captures by copying them from the ASA and viewing them with an actual software meant for that purpose.
    Hope this helps :)
    - Jouni

  • SFTP through Cisco ASA

    Hi,
    We are trying to get SFTP working from a server (x.x.128.13) within our network to another companies server (x.x.114.132) which we connect to via the Internet.  From our server the connection hits our ASA Firewall where we have rules in place to allow the connection on a customised port of 29052. The firewall then NAT's the Source IP of our server to a Public IP (x.x.36.60), thus making it routable on the Internet.
    We have done some packet captures on our ingress (inside) interface and egress (internet) interface and we can see that the 3 way TCP handshake is successful between the two servers but then all further communication fails.
    We see no further packets on our ingress interface but we do see further packets on the egress side.  What we see is a "RST+ACK" from the destination server but this is never passed on to the server within our network.  We also see our ack packet from the 3 way handshake being sent back to the destination server but again this only appears for the egress capture, and is not being sent by the server.  Both of these packets repeat about 6 times and then we see nothing further.
    I have attached the packet capture.
    At the far end the 3rd party don't see any of our repeated ACK's and when the connection works normally through a different infrastructure/firewall we see the 4th packet as a normal packet.  The initial payload of this RST+ACK is the same payload we see in the 4th packet when the connection works.
    Any help with this would be appreciated.
    Regards
    Stuart

    Hello Soliver,
    So basically you are using a customized program that will allow you to run SFTP over port 29052? Right?
    Either way it's just a single channel so it should not be any problem regarding the firewall not being able to identify the data channel ( as there is only one for both the control/data communication)
    Is there a way you could share those captures on wireshark.....
    Also do the following capture
    cap asp type asp-drop all circular-buffer
    Then try to connect and share
    show cap asp | include x.x.114.132
    This will show us if the firewall is dropping some traffic based on it's code ( Acellerated Security Path algorithm)
    Regards,
    Julio Carvajal

  • Oracle 8i through CISCO PIX Firewall

    HI all,
    I Need some help here with CISCO PIX Firewall 506e series. The ORACLE Server 8i on Windows NT.4, placed at the inside interface of PIX Firewall.
    The Firewall has been configured to allow all the port to come from outside interface (this is where the Oracle client reside). When the client from outside try the oracle client application (where the login promt for username and password) when pressed enter the error msg
    =============================
    oracle error con 440
    unable to make connection oracle - 12514 tns.couldn't resolve service name
    the menu was not connectable with oracle. a menu is ended
    ==============================
    Many thanks for PIX and Oracle config.
    HATO

    Varun,
    Thank you for your help.
    I have one quick question, this pix is not in failover, it is standalone but it has Unrestricted license. It only has 64Mb of Ram. Will I have any problems based on your link recommendation?
    Memory Requirements:
    If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(2). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses
    What is the difference between the restricted Licenses and the Unrestricted Licenses?
    Thanks!

  • Difficulty of moving from Meraki MX to Cisco ASA firewall / IDS

    Maybe a region thing. I have had excellent support from my Fortigate re-seller here in the UK. I used Cisco TAC once and have vowed to never use them again. It took them a month to sort out a single CME issue that when I showed it to a colleague took 10 mins to figure out the solution and pretty much showed the TAC solution was just about the worst way to go!
    Fortigate also come out ahead of Cisco in the Gartner analysis, so they can't be all bad.
    Horses for courses I guess...

    I'm running a Meraki MX60 and find it underwhelming. It's expensive for what it is, performance isn't great, and I want an SSL VPN.
    Would like to move to Cisco ASA, maybe something like a 5512-X. 
    How difficult is this going to be? I'm technical and know more than nothing about networking, but I'm not a Cisco person. Not afraid to read/learn and use a CLI though.
    This topic first appeared in the Spiceworks Community

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
    When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
    After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
    They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
    Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
    3
    Nov 21 2012
    07:11:09
    713061
    Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5
    Nov 21 2012
    07:11:09
    713119
    Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
    I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
    If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
    Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
    I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
    Maybe you could try to change the Encryption Domain configurations a bit and test it then.
    You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

  • Cisco ASA 5505 Site to Site VPN Problem

    Hi All,
    We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
    We can establish the vpn tunnel and all users in the remote office are working great. However at a random point during the day or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
    When I dial into the modem which is connected to the firewall I see the following messages in the logs:
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
    Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
    Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
    Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
    Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
    I have checked both firewalls for any mis-matched parameters and do not see any.
    Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
    Thanks!

    Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
    hostname
    domain-name
    enable passwordpasswd names
    interface Vlan701
    nameif inside
    security-level 100
    ip address 10.65.0.69 255.255.255.252
    interface Vlan999
    nameif outside
    security-level 0
    ip address ******  255.255.255.248
    interface Ethernet0/0
    description Link to Internet
    switchport access vlan 999
    interface Ethernet0/1
    description
    switchport access vlan 701
    interface range Ethernet0/2 - 0/7
    switchport access vlan 2
    shutdown
    ftp mode passive
    dns server-group DefaultDNS
    domain-name******
    access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffered warnings
    logging trap warnings
    logging asdm informational
    logging host outside *****
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list nonat
    route inside ******
    route outside 0.0.0.0 0.0.0.0 ********
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    snmp-server location **:
    snmp-server contact **
    snmp-server community shortkey
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
    crypto map CASGMAP 50 match address 101
    crypto map CASGMAP 50 set pfs group1
    crypto map CASGMAP 50 set peer ********
    crypto map CASGMAP 50 set transform-set 3desmd5
    crypto map CASGMAP 50 set security-association lifetime seconds 3600
    crypto map CASGMAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet **** inside
    telnet timeout 5
    ssh **** inside
    ssh **** outside
    ssh timeout 5
    console timeout 30
    management-access inside
    dhcpd ping_timeout 750
    priority-queue outside
    ntp server **
    username ***
    tunnel-group ******** type ipsec-l2l
    tunnel-group ******** ipsec-attributes
    pre-shared-key ***
    class-map VoIP
    match dscp ef
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map General-purpose
    class VoIP
    priority
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect http
    service-policy General-purpose interface outside
    prompt hostname context

  • IPSec Pass Through on ASA

    I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPSec tunnel to another firewall. The IPSec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA but it is not being allowed to pass through to the inside interface.I have enabled NAT-T on the thrid party firewall but it still does not get the reply traffic becuase it gets stopped at the Cisco ASA.
    Any thoughts?

    Is your third party FW attached directly to your ASA? If not, do you have a route to that device on your ASA?
    Please perform a packet-tracer to see why the return traffic is not reaching the third party FW..
    packet-tracer input outside udp 500 500 detail
    If the packet-tracer shows traffic going through successfully, perhaps it is your third party FW that is blocking the traffic?
    Please reply with packet-tracer results.
    Kind Regards,
    Kevin
    **Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

  • Tacacs+ access issue with ASA firewall after integrating with RSA SecureID

    Hi,
    In my earlier post,  I raised the same question but let me rephrased it again. I have configured TACACS+ in cisco ASA firewall and able to access . But when I integrated it with RSA secure ID , I am not able to enter in enable mode. It is not accepting enable password nor RSA passcode. I have created enable_15 in ASA , ACS and RSA server but no luck.
    Did any one face similar issue with ASA access ?
    Rgds
    Siddhesh

    Hi Siddesh,
    In order to help you here, I need to know few things:
    1.] Show run | in aaa
    2.] When you enter enable password on ASA CLI, what error do you see on ACS > Monitoring and reports > AAA protocols > tacacs authentication > "look for the error message"
    3.] Turn on the debugs on ASA "debug tacacs" and "debug aaa authentication" before you duplicate the problem.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco ASA - Web Server Publishing

    My requirement is I need to publish 2 Web Servers to internet behind Cisco ASA.
    The users will be using secure https acccess to the Web Server.
    I have only 1 Public IP Address assigned to access both the Web Servers.
    Wanted to know what are the things required in the Cisco ASA firewall.
    1. What type of licenses ?
    2. What type of certificates ?
    3. How can i use a single Public IP to access to both the Web servers. Does the Cisco ASA supports this.
    I dont want any client software on the end users PC.....

    ThanksI do have 2 Public IP address for my 2 servers.That is clear.
    I thought you said you just have 1 Public IP in your first post. Anyways, if you do have 2 Public IPs for each server, then use Static NAT instead of PAT. Use the same commands but without the port information.
    Prior 8.3:
    static (inside,outside) public_ip1 web_server1 
    static (inside,outside) public_ip2 web_server2
    8.3 or later:
    object network web_server1_real
    host web_server1
    nat (inside,outside) static public_ip1
    object network web_server2_real
    host web_server2
    nat (inside,outside) static public_ip2
    Because Application1 will be published to the web server and the web server will be published to internet, the web server is the one to be published through ASA. I am not sure how you use Application1 and how you will publish it to the web server internally so this is out of the scope of my help.
    About Application2's security, the question is, how do you want to achieve security for App2? We have several types of security. Having the ASA infront of Application2, using NAT and using ACLs, this will achieve Access Control. However, if you want to achieve data encryption between internet clients and App2, then you have to consider PKI (or certificates) to achieve this. You also can consider IPsec remote access vpn for the App2 server. It all depends on what security flavor do you like.
    Regards,
    AM

  • Can Cisco ASA work with spaces in LDAP DN string to authenticate and assign group policies?

    I am having the hardest time getting a definitive answer to this;  basically, I have a Cisco ASA firewall that is using AD via LDAP to authenticate  users and assign them a group policy based on certain AD group memberships.
    The problem I think I have is that due to how our AD forest is structured, I have spaces in the DN string, as shown below...  I have tried enclosing the entire string in quotes, etc.  - nothing seems to work.  Basically, the string is not matched, and the users are assigned a non-matching default policy.  Cisco TAC thinks it is due to the spaces (highlighted) but I am not sure sure.
    Can some one please advise?
    CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL

    We can troubleshoot this issue. Please provide me the following outputs:
    show run aaa-server
    show run ldap
    Turn on "debug ldap 255" and reproduce the issue. Paste the output here.
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • LDAP Authentcation on Cisco ASA 8.2(1)

    Dear Security Experts,
    i am facing an issue while trying to configure LDAP integration on Cisco ASA firewall. The requirement is allow the remote access VPN to specific group defined on AD. When i checked the debug logs " debug ldap 255" , it shows that the authenication is sucessfull with the LDAP server , but the ldap attribute is not getting mapped and because of this reason , the tunnel-group default group policy of "NOACCESS" is getting applied ( vpn simultanous set to zero) that results zero connection.
    I confirmed this by changing the value of NOACCESS from zero to one and found that the VPN is getting connected
    The name of user account is testvendor that belongs to the group of Test-vendor.
    Could you kindly advice me what i am missing in this configuration.Highy appreciated the help on this .
    The configuration and debug output is shown below.
    SHOW RUN
    ldap attribute-map ABC-VENDOR
      map-name  memberOf Group-Policy
      map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    aaa-server ldapvend protocol ldap
    aaa-server ldapvend (INSIDE) host 10.1.141.7
    ldap-base-dn DC=abc,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *
    ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local
    server-type microsoft
    ldap attribute-map ABC-VENDOR
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    group-policy Allow-Vendor internal
    group-policy Allow-Vendor attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol IPSec
    dns-server value 10.1.141.7
    default-domain value abc.org
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_acl
    tunnel-group ABC-AD-VENDOR type remote-access
    tunnel-group ABC-AD-VENDOR general-attributes
    address-pool vendor_pool
    authentication-server-group ldapvend
    default-group-policy NOACCESS
    tunnel-group ABC-AD-VENDOR ipsec-attributes
    pre-shared-key *
    Note : I tried the below map-value under the ldap attribute ABC-VENDOR as part of troubleshooting
    map-value memberOf CN=Test-vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    map-value memberOf CN=Test-vendors,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    map-value memberOf CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    DEBUG LDAP 255
    [454095] Session Start
    [454095] New request Session, context 0xb1f296b0, reqType = Authentication
    [454095] Fiber started
    [454095] Creating LDAP context with uri=ldap://10.1.141.7:389
    [454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful
    [454095] supportedLDAPVersion: value = 3
    [454095] supportedLDAPVersion: value = 2
    [454095] Binding as ldapvpn
    [454095] Performing Simple authentication for ldapvpn to 10.1.141.7
    [454095] LDAP Search:
            Base DN = [DC=abc,DC=local]
            Filter  = [sAMAccountName=testvendor]
            Scope   = [SUBTREE]
    [454095] User DN = [CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local]
    [454095] Talking to Active Directory server 10.1.141.7
    [454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
    [454095] Read bad password count 0
    [454095] Binding as testvendor
    [454095] Performing Simple authentication for testvendor to 10.1.141.7
    [454095] Processing LDAP response for user testvendor
    [454095] Message (testvendor):
    [454095] Checking password policy
    [454095] Authentication successful for testvendor to 10.1.141.7
    [454095] Retrieved User Attributes:
    [454095]        objectClass: value = top
    [454095]        objectClass: value = person
    [454095]        objectClass: value = organizationalPerson
    [454095]        objectClass: value = user
    [454095]        cn: value = testvendor
    [454095]        givenName: value = testvendor
    [454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
    [454095]        instanceType: value = 4
    [454095]        whenCreated: value = 20111019133739.0Z
    [454095]        whenChanged: value = 20111030135415.0Z
    [454095]        displayName: value = testvendor
    [454095]        uSNCreated: value = 20258545
    [454095]        uSNChanged: value = 20899179
    [454095]        name: value = testvendor
    [454095]        objectGUID: value = ).u>.v.H.6>..u.Z
    [454095]        userAccountControl: value = 66048
    [454095]        badPwdCount: value = 0
    [454095]        codePage: value = 0
    [454095]        countryCode: value = 0
    [454095]        badPasswordTime: value = 129644550477428806
    [454095]        lastLogoff: value = 0
    [454095]        lastLogon: value = 129644551251183846
    [454095]        pwdLastSet: value = 129635050595360564
    [454095]        primaryGroupID: value = 513
    [454095]        userParameters: value = m:                    d.                       
    [454095]        objectSid: value = ...............n."J.h.0.....
    [454095]        accountExpires: value = 9223372036854775807
    [454095]        logonCount: value = 0
    [454095]        sAMAccountName: value = testvendor
    [454095]        sAMAccountType: value = 805306368
    [454095]        userPrincipalName: value = [email protected]
    [454095]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095]        msNPAllowDialin: value = TRUE
    [454095]        dSCorePropagationData: value = 20111026081253.0Z
    [454095]        dSCorePropagationData: value = 20111026080938.0Z
    [454095]        dSCorePropagationData: value = 16010101000417.0Z
    [454095]        lastLogonTimestamp: value = 129638228546025674
    [454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
    [454095] Session End

    Thankyou Jennifer for the responds.
    Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
    i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
    [454095] sAMAccountName: value = testvendor
    [454095] sAMAccountType: value = 805306368
    [454095] userPrincipalName: value = [email protected]
    [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095] msNPAllowDialin: value = TRUE
    [454095] dSCorePropagationData: value = 20111026081253.0Z
    [454095] dSCorePropagationData: value = 20111026080938.0Z
    [454095] dSCorePropagationData: value = 16010101000417.0Z
    Is their any other settings that i need to do it on AD ?
    Kindly advice
    Regards
    Shiji

Maybe you are looking for