3G VPN established but no traffic using ASA 5505
Hi All,
Hoping that someone can help me here. We are able to establish a VPN connection but we cannot pass traffic out.
Here are the details.
ISP has a range of 25.16.0.0/15 and they are doing Natting.
We are using Raven X and ASA5505 is connected. Session is established but can't pass traffic or ping.
router output:
ASA Version 8.2(2)
hostname DR-5505-50
domain-name dont know
enable password xxxxxx encrypted
passwd kOuREZbrVpcZibgH encrypted
names
name 192.168.0.0 Corp
name 10.10.0.0 device
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.254.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name network.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network never
network-object Jobsites 255.255.0.0
network-object Corp 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.10.254.0 255.255.255.0 object-group network
access-list inside_nat0_outbound extended permit ip 10.10.254.0 255.255.255.0 object-group networkn
access-list inside_access_in extended permit ip 10.10.254.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.152.28 community edsnmp version 2c
no snmp-server location
no snmp-server contact
snmp-server community edsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 204.101.74.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.10.254.70-10.10.254.169 inside
dhcpd dns 192.168.152.21 192.168.160.21 interface inside
dhcpd lease 432000 interface inside
dhcpd domain name.com interface inside
dhcpd option 3 ip 10.10.254.254 interface inside
dhcpd enable inside
!
vpnclient management clear
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group-list enable
username admin password Xhasdfuasdhsdfh encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key dynamicvpn
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http whatever.com
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
Log file:
6|May 06 2013|07:00:01|302016|192.168.160.21|53|10.10.254.70|57967|Teardown UDP connection 245 for outside:192.168.160.21/53 to inside:10.10.254.70/57967 duration 0:02:07 bytes 148
6|May 06 2013|07:00:01|302016|192.168.152.21|53|10.10.254.70|57967|Teardown UDP connection 243 for outside:192.168.152.21/53 to inside:10.10.254.70/57967 duration 0:02:08 bytes 111
6|May 06 2013|06:59:58|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:57|302015|192.168.160.21|53|10.10.254.70|52108|Built outbound UDP connection 349 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/52108 (10.10.254.70/52108)
6|May 06 2013|06:59:56|302015|192.168.160.21|53|10.10.254.70|50503|Built outbound UDP connection 348 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/50503 (10.10.254.70/50503)
6|May 06 2013|06:59:56|302016|192.168.160.21|53|10.10.254.70|54304|Teardown UDP connection 241 for outside:192.168.160.21/53 to inside:10.10.254.70/54304 duration 0:02:07 bytes 236
6|May 06 2013|06:59:56|302016|192.168.152.21|53|10.10.254.70|54304|Teardown UDP connection 240 for outside:192.168.152.21/53 to inside:10.10.254.70/54304 duration 0:02:08 bytes 177
6|May 06 2013|06:59:56|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:56|302015|192.168.152.21|53|10.10.254.70|52108|Built outbound UDP connection 346 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/52108 (10.10.254.70/52108)
6|May 06 2013|06:59:55|302015|192.168.152.21|53|10.10.254.70|50503|Built outbound UDP connection 345 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/50503 (10.10.254.70/50503)
6|May 06 2013|06:59:55|302016|192.168.160.21|53|10.10.254.70|65422|Teardown UDP connection 238 for outside:192.168.160.21/53 to inside:10.10.254.70/65422 duration 0:02:07 bytes 136
6|May 06 2013|06:59:55|302016|192.168.152.21|53|10.10.254.70|65422|Teardown UDP connection 237 for outside:192.168.152.21/53 to inside:10.10.254.70/65422 duration 0:02:08 bytes 102
6|May 06 2013|06:59:54|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:54|302015|192.168.160.21|53|10.10.254.70|51008|Built outbound UDP connection 344 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/51008 (10.10.254.70/51008)
6|May 06 2013|06:59:53|302015|192.168.152.21|53|10.10.254.70|51008|Built outbound UDP connection 343 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/51008 (10.10.254.70/51008)
6|May 06 2013|06:59:53|302016|192.168.160.21|53|10.10.254.70|50300|Teardown UDP connection 236 for outside:192.168.160.21/53 to inside:10.10.254.70/50300 duration 0:02:07 bytes 152
6|May 06 2013|06:59:53|302016|192.168.152.21|53|10.10.254.70|50300|Teardown UDP connection 234 for outside:192.168.152.21/53 to inside:10.10.254.70/50300 duration 0:02:08 bytes 114
6|May 06 2013|06:59:53|302016|192.168.160.21|53|10.10.254.70|49286|Teardown UDP connection 235 for outside:192.168.160.21/53 to inside:10.10.254.70/49286 duration 0:02:07 bytes 152
6|May 06 2013|06:59:53|302016|192.168.152.21|53|10.10.254.70|49286|Teardown UDP connection 233 for outside:192.168.152.21/53 to inside:10.10.254.70/49286 duration 0:02:08 bytes 114
6|May 06 2013|06:59:52|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:50|302016|192.168.160.21|53|10.10.254.70|57306|Teardown UDP connection 231 for outside:192.168.160.21/53 to inside:10.10.254.70/57306 duration 0:02:07 bytes 152
6|May 06 2013|06:59:50|302016|192.168.152.21|53|10.10.254.70|57306|Teardown UDP connection 229 for outside:192.168.152.21/53 to inside:10.10.254.70/57306 duration 0:02:08 bytes 114
6|May 06 2013|06:59:50|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:49|302014|129.22.177.79|31663|10.10.254.70|34470|Teardown TCP connection 322 for outside:129.22.177.79/31663 to inside:10.10.254.70/34470 duration 0:00:30 bytes 0 SYN Timeout
6|May 06 2013|06:59:49|302016|192.168.160.21|53|10.10.254.70|54646|Teardown UDP connection 230 for outside:192.168.160.21/53 to inside:10.10.254.70/54646 duration 0:02:07 bytes 160
6|May 06 2013|06:59:49|302016|192.168.152.21|53|10.10.254.70|54646|Teardown UDP connection 227 for outside:192.168.152.21/53 to inside:10.10.254.70/54646 duration 0:02:08 bytes 120
6|May 06 2013|06:59:49|302016|192.168.160.21|53|10.10.254.70|64481|Teardown UDP connection 228 for outside:192.168.160.21/53 to inside:10.10.254.70/64481 duration 0:02:07 bytes 152
6|May 06 2013|06:59:49|302016|192.168.152.21|53|10.10.254.70|64481|Teardown UDP connection 226 for outside:192.168.152.21/53 to inside:10.10.254.70/64481 duration 0:02:08 bytes 114
6|May 06 2013|06:59:48|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:47|305012|10.10.254.70|34468|192.168.13.100|55721|Teardown dynamic TCP translation from inside:10.10.254.70/34468 to outside:192.168.13.100/55721 duration 0:01:30
6|May 06 2013|06:59:46|305012|10.10.254.70|34467|192.168.13.100|48446|Teardown dynamic TCP translation from inside:10.10.254.70/34467 to outside:192.168.13.100/48446 duration 0:01:30
6|May 06 2013|06:59:46|302016|192.168.152.21|53|10.10.254.70|63417|Teardown UDP connection 224 for outside:192.168.152.21/53 to inside:10.10.254.70/63417 duration 0:02:07 bytes 111
6|May 06 2013|06:59:46|302016|192.168.160.21|53|10.10.254.70|63417|Teardown UDP connection 223 for outside:192.168.160.21/53 to inside:10.10.254.70/63417 duration 0:02:08 bytes 148
6|May 06 2013|06:59:46|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:44|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:42|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:40|302015|192.168.152.21|53|10.10.254.70|62424|Built outbound UDP connection 339 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/62424 (10.10.254.70/62424)
6|May 06 2013|06:59:40|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:39|302015|192.168.160.21|53|10.10.254.70|62424|Built outbound UDP connection 337 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/62424 (10.10.254.70/62424)
6|May 06 2013|06:59:38|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:37|302016|192.168.152.21|53|10.10.254.70|59943|Teardown UDP connection 219 for outside:192.168.152.21/53 to inside:10.10.254.70/59943 duration 0:02:07 bytes 108
6|May 06 2013|06:59:37|302016|192.168.160.21|53|10.10.254.70|59943|Teardown UDP connection 218 for outside:192.168.160.21/53 to inside:10.10.254.70/59943 duration 0:02:08 bytes 144
6|May 06 2013|06:59:37|302015|192.168.152.21|53|10.10.254.70|58710|Built outbound UDP connection 336 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/58710 (10.10.254.70/58710)
6|May 06 2013|06:59:36|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:36|302015|192.168.160.21|53|10.10.254.70|58710|Built outbound UDP connection 334 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/58710 (10.10.254.70/58710)
6|May 06 2013|06:59:36|302016|192.168.152.21|53|10.10.254.70|51377|Teardown UDP connection 217 for outside:192.168.152.21/53 to inside:10.10.254.70/51377 duration 0:02:07 bytes 114
6|May 06 2013|06:59:36|302016|192.168.160.21|53|10.10.254.70|51377|Teardown UDP connection 215 for outside:192.168.160.21/53 to inside:10.10.254.70/51377 duration 0:02:08 bytes 152
6|May 06 2013|06:59:34|302016|192.168.152.21|53|10.10.254.70|56751|Teardown UDP connection 214 for outside:192.168.152.21/53 to inside:10.10.254.70/56751 duration 0:02:07 bytes 111
6|May 06 2013|06:59:34|302016|192.168.160.21|53|10.10.254.70|56751|Teardown UDP connection 213 for outside:192.168.160.21/53 to inside:10.10.254.70/56751 duration 0:02:08 bytes 148
6|May 06 2013|06:59:34|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:32|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:32|302016|192.168.152.21|53|10.10.254.70|63965|Teardown UDP connection 212 for outside:192.168.152.21/53 to inside:10.10.254.70/63965 duration 0:02:07 bytes 114
6|May 06 2013|06:59:32|302016|192.168.160.21|53|10.10.254.70|63965|Teardown UDP connection 210 for outside:192.168.160.21/53 to inside:10.10.254.70/63965 duration 0:02:08 bytes 152
6|May 06 2013|06:59:30|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:28|302016|192.168.152.21|137|10.10.254.70|137|Teardown UDP connection 211 for outside:192.168.152.21/137 to inside:10.10.254.70/137 duration 0:02:04 bytes 150
6|May 06 2013|06:59:28|302015|192.168.152.21|53|10.10.254.70|57795|Built outbound UDP connection 332 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/57795 (10.10.254.70/57795)
6|May 06 2013|06:59:28|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:28|302016|192.168.152.21|53|10.10.254.70|60822|Teardown UDP connection 206 for outside:192.168.152.21/53 to inside:10.10.254.70/60822 duration 0:02:07 bytes 114
6|May 06 2013|06:59:28|302016|192.168.160.21|53|10.10.254.70|60822|Teardown UDP connection 205 for outside:192.168.160.21/53 to inside:10.10.254.70/60822 duration 0:02:08 bytes 152
6|May 06 2013|06:59:27|302015|192.168.160.21|53|10.10.254.70|57795|Built outbound UDP connection 330 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/57795 (10.10.254.70/57795)
6|May 06 2013|06:59:26|302015|192.168.152.21|53|10.10.254.70|54989|Built outbound UDP connection 329 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/54989 (10.10.254.70/54989)
6|May 06 2013|06:59:26|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:25|302015|192.168.160.21|53|10.10.254.70|54989|Built outbound UDP connection 328 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/54989 (10.10.254.70/54989)
6|May 06 2013|06:59:25|302015|192.168.152.21|53|10.10.254.70|58248|Built outbound UDP connection 327 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/58248 (10.10.254.70/58248)
6|May 06 2013|06:59:24|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:24|302015|192.168.160.21|53|10.10.254.70|58248|Built outbound UDP connection 325 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/58248 (10.10.254.70/58248)
6|May 06 2013|06:59:22|302016|192.168.152.21|53|10.10.254.70|52148|Teardown UDP connection 204 for outside:192.168.152.21/53 to inside:10.10.254.70/52148 duration 0:02:07 bytes 111
6|May 06 2013|06:59:22|302016|192.168.160.21|53|10.10.254.70|52148|Teardown UDP connection 201 for outside:192.168.160.21/53 to inside:10.10.254.70/52148 duration 0:02:08 bytes 148
6|May 06 2013|06:59:22|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:20|302013|129.22.177.79|31663|10.10.254.70|34471|Built outbound TCP connection 324 for outside:129.22.177.79/31663 (129.22.177.79/31663) to inside:10.10.254.70/34471 (192.168.13.100/60918)
6|May 06 2013|06:59:20|305011|10.10.254.70|34471|192.168.13.100|60918|Built dynamic TCP translation from inside:10.10.254.70/34471 to outside:192.168.13.100/60918
6|May 06 2013|06:59:20|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:20|302016|192.168.152.21|53|10.10.254.70|50470|Teardown UDP connection 200 for outside:192.168.152.21/53 to inside:10.10.254.70/50470 duration 0:02:07 bytes 135
6|May 06 2013|06:59:20|302016|192.168.160.21|53|10.10.254.70|50470|Teardown UDP connection 199 for outside:192.168.160.21/53 to inside:10.10.254.70/50470 duration 0:02:08 bytes 180
6|May 06 2013|06:59:20|302014|71.207.1.189|1761|10.10.254.70|34468|Teardown TCP connection 275 for outside:71.207.1.189/1761 to inside:10.10.254.70/34468 duration 0:01:02 bytes 376 TCP FINs
6|May 06 2013|06:59:19|302013|129.22.177.79|31663|10.10.254.70|34470|Built outbound TCP connection 322 for outside:129.22.177.79/31663 (129.22.177.79/31663) to inside:10.10.254.70/34470 (192.168.13.100/64832)
6|May 06 2013|06:59:19|305011|10.10.254.70|34470|192.168.13.100|64832|Built dynamic TCP translation from inside:10.10.254.70/34470 to outside:192.168.13.100/64832
6|May 06 2013|06:59:18|302014|67.86.118.52|17365|10.10.254.70|34467|Teardown TCP connection 274 for outside:67.86.118.52/17365 to inside:10.10.254.70/34467 duration 0:01:02 bytes 453 TCP FINs
6|May 06 2013|06:59:18|302013|173.164.60.149|12864|10.10.254.70|34469|Built outbound TCP connection 321 for outside:173.164.60.149/12864 (173.164.60.149/12864) to inside:10.10.254.70/34469 (192.168.13.100/39628)
6|May 06 2013|06:59:18|305011|10.10.254.70|34469|192.168.13.100|39628|Built dynamic TCP translation from inside:10.10.254.70/34469 to outside:192.168.13.100/39628
6|May 06 2013|06:59:18|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:17|302016|192.168.152.21|53|10.10.254.70|54536|Teardown UDP connection 198 for outside:192.168.152.21/53 to inside:10.10.254.70/54536 duration 0:02:07 bytes 114
6|May 06 2013|06:59:17|302016|192.168.160.21|53|10.10.254.70|54536|Teardown UDP connection 197 for outside:192.168.160.21/53 to inside:10.10.254.70/54536 duration 0:02:08 bytes 152
6|May 06 2013|06:59:16|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:14|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:13|302016|192.168.152.21|53|10.10.254.70|57635|Teardown UDP connection 196 for outside:192.168.152.21/53 to inside:10.10.254.70/57635 duration 0:02:07 bytes 102
6|May 06 2013|06:59:13|302016|192.168.160.21|53|10.10.254.70|57635|Teardown UDP connection 195 for outside:192.168.160.21/53 to inside:10.10.254.70/57635 duration 0:02:08 bytes 136
6|May 06 2013|06:59:12|302015|192.168.152.21|53|10.10.254.70|60510|Built outbound UDP connection 319 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/60510 (10.10.254.70/60510)
6|May 06 2013|06:59:12|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:12|302015|192.168.152.21|53|10.10.254.70|50779|Built outbound UDP connection 317 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/50779 (10.10.254.70/50779)
6|May 06 2013|06:59:11|302015|192.168.160.21|53|10.10.254.70|60510|Built outbound UDP connection 316 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/60510 (10.10.254.70/60510)
6|May 06 2013|06:59:11|302016|192.168.152.21|53|10.10.254.70|49716|Teardown UDP connection 194 for outside:192.168.152.21/53 to inside:10.10.254.70/49716 duration 0:02:07 bytes 111
6|May 06 2013|06:59:11|302016|192.168.152.21|53|10.10.254.70|57570|Teardown UDP connection 193 for outside:192.168.152.21/53 to inside:10.10.254.70/57570 duration 0:02:07 bytes 156
6|May 06 2013|06:59:11|302016|192.168.160.21|53|10.10.254.70|49716|Teardown UDP connection 192 for outside:192.168.160.21/53 to inside:10.10.254.70/49716 duration 0:02:08 bytes 148
6|May 06 2013|06:59:11|302016|192.168.160.21|53|10.10.254.70|57570|Teardown UDP connection 191 for outside:192.168.160.21/53 to inside:10.10.254.70/57570 duration 0:02:08 bytes 208
6|May 06 2013|06:59:11|302015|192.168.160.21|53|10.10.254.70|50779|Built outbound UDP connection 315 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/50779 (10.10.254.70/50779)
6|May 06 2013|06:59:10|302015|192.168.152.21|53|10.10.254.70|64783|Built outbound UDP connection 314 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/64783 (10.10.254.70/64783)
6|May 06 2013|06:59:10|302016|192.168.152.21|53|10.10.254.70|63136|Teardown UDP connection 190 for outside:192.168.152.21/53 to inside:10.10.254.70/63136 duration 0:02:07 bytes 111
6|May 06 2013|06:59:10|302016|192.168.160.21|53|10.10.254.70|63136|Teardown UDP connection 189 for outside:192.168.160.21/53 to inside:10.10.254.70/63136 duration 0:02:08 bytes 148
6|May 06 2013|06:59:10|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:09|302015|192.168.160.21|53|10.10.254.70|64783|Built outbound UDP connection 313 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/64783 (10.10.254.70/64783)
6|May 06 2013|06:59:08|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:06|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:04|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:03|305012|10.10.254.70|34458|192.168.13.100|26157|Teardown dynamic TCP translation from inside:10.10.254.70/34458 to outside:192.168.13.100/26157 duration 0:01:00
6|May 06 2013|06:59:02|302016|192.168.160.21|53|10.10.254.70|54985|Teardown UDP connection 186 for outside:192.168.160.21/53 to inside:10.10.254.70/54985 duration 0:02:07 bytes 152
6|May 06 2013|06:59:02|302016|192.168.152.21|53|10.10.254.70|54985|Teardown UDP connection 184 for outside:192.168.152.21/53 to inside:10.10.254.70/54985 duration 0:02:08 bytes 114
6|May 06 2013|06:59:02|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:59:00|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:58|305012|10.10.254.70|34457|192.168.13.100|43659|Teardown dynamic TCP translation from inside:10.10.254.70/34457 to outside:192.168.13.100/43659 duration 0:01:00
6|May 06 2013|06:58:58|305012|10.10.254.70|34456|192.168.13.100|47534|Teardown dynamic TCP translation from inside:10.10.254.70/34456 to outside:192.168.13.100/47534 duration 0:01:00
6|May 06 2013|06:58:58|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:57|305012|10.10.254.70|34455|192.168.13.100|4536|Teardown dynamic TCP translation from inside:10.10.254.70/34455 to outside:192.168.13.100/4536 duration 0:01:00
6|May 06 2013|06:58:57|302016|192.168.160.21|53|10.10.254.70|57758|Teardown UDP connection 182 for outside:192.168.160.21/53 to inside:10.10.254.70/57758 duration 0:02:07 bytes 152
6|May 06 2013|06:58:57|302016|192.168.160.21|53|10.10.254.70|56258|Teardown UDP connection 181 for outside:192.168.160.21/53 to inside:10.10.254.70/56258 duration 0:02:07 bytes 148
6|May 06 2013|06:58:57|302016|192.168.152.21|53|10.10.254.70|57758|Teardown UDP connection 180 for outside:192.168.152.21/53 to inside:10.10.254.70/57758 duration 0:02:08 bytes 114
6|May 06 2013|06:58:57|302016|192.168.152.21|53|10.10.254.70|56258|Teardown UDP connection 179 for outside:192.168.152.21/53 to inside:10.10.254.70/56258 duration 0:02:08 bytes 111
6|May 06 2013|06:58:57|305012|10.10.254.70|34454|192.168.13.100|39886|Teardown dynamic TCP translation from inside:10.10.254.70/34454 to outside:192.168.13.100/39886 duration 0:01:00
6|May 06 2013|06:58:56|302015|192.168.152.21|53|10.10.254.70|65123|Built outbound UDP connection 309 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/65123 (10.10.254.70/65123)
6|May 06 2013|06:58:56|305012|10.10.254.70|34453|192.168.13.100|34856|Teardown dynamic TCP translation from inside:10.10.254.70/34453 to outside:192.168.13.100/34856 duration 0:01:00
6|May 06 2013|06:58:56|305012|10.10.254.70|34452|192.168.13.100|33908|Teardown dynamic TCP translation from inside:10.10.254.70/34452 to outside:192.168.13.100/33908 duration 0:01:00
6|May 06 2013|06:58:56|302016|67.84.253.214|56426|10.10.254.70|64582|Teardown UDP connection 185 for outside:67.84.253.214/56426 to inside:10.10.254.70/64582 duration 0:02:01 bytes 44
6|May 06 2013|06:58:56|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:56|302015|192.168.152.21|53|10.10.254.70|65511|Built outbound UDP connection 307 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/65511 (10.10.254.70/65511)
6|May 06 2013|06:58:56|302016|192.168.160.21|53|10.10.254.70|54190|Teardown UDP connection 178 for outside:192.168.160.21/53 to inside:10.10.254.70/54190 duration 0:02:07 bytes 148
6|May 06 2013|06:58:56|302016|192.168.152.21|53|10.10.254.70|54190|Teardown UDP connection 177 for outside:192.168.152.21/53 to inside:10.10.254.70/54190 duration 0:02:08 bytes 111
6|May 06 2013|06:58:55|302015|192.168.160.21|53|10.10.254.70|65123|Built outbound UDP connection 306 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/65123 (10.10.254.70/65123)
6|May 06 2013|06:58:55|302015|192.168.160.21|53|10.10.254.70|65511|Built outbound UDP connection 305 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/65511 (10.10.254.70/65511)
6|May 06 2013|06:58:54|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:53|302016|192.168.160.21|53|10.10.254.70|57069|Teardown UDP connection 175 for outside:192.168.160.21/53 to inside:10.10.254.70/57069 duration 0:02:07 bytes 236
6|May 06 2013|06:58:53|302016|192.168.152.21|53|10.10.254.70|57069|Teardown UDP connection 173 for outside:192.168.152.21/53 to inside:10.10.254.70/57069 duration 0:02:08 bytes 177
6|May 06 2013|06:58:52|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:51|302015|192.168.152.21|53|10.10.254.70|51914|Built outbound UDP connection 303 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/51914 (10.10.254.70/51914)
6|May 06 2013|06:58:51|302016|192.168.160.21|53|10.10.254.70|53582|Teardown UDP connection 169 for outside:192.168.160.21/53 to inside:10.10.254.70/53582 duration 0:02:07 bytes 120
6|May 06 2013|06:58:51|302016|192.168.152.21|53|10.10.254.70|53582|Teardown UDP connection 166 for outside:192.168.152.21/53 to inside:10.10.254.70/53582 duration 0:02:08 bytes 90
6|May 06 2013|06:58:50|302016|178.46.108.7|36497|10.10.254.70|64582|Teardown UDP connection 96 for outside:178.46.108.7/36497 to inside:10.10.254.70/64582 duration 0:02:34 bytes 108
6|May 06 2013|06:58:50|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:50|302015|192.168.160.21|53|10.10.254.70|51914|Built outbound UDP connection 302 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/51914 (10.10.254.70/51914)
6|May 06 2013|06:58:48|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:48|302015|192.168.152.21|53|10.10.254.70|65020|Built outbound UDP connection 300 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/65020 (10.10.254.70/65020)
6|May 06 2013|06:58:47|302014|50.72.9.170|12248|10.10.254.70|34454|Teardown TCP connection 252 for outside:50.72.9.170/12248 to inside:10.10.254.70/34454 duration 0:00:50 bytes 389 TCP FINs
6|May 06 2013|06:58:47|302014|174.91.241.232|53766|10.10.254.70|34458|Teardown TCP connection 260 for outside:174.91.241.232/53766 to inside:10.10.254.70/34458 duration 0:00:44 bytes 384 TCP FINs
6|May 06 2013|06:58:47|302014|24.202.182.58|43715|10.10.254.70|34452|Teardown TCP connection 249 for outside:24.202.182.58/43715 to inside:10.10.254.70/34452 duration 0:00:51 bytes 440 TCP FINs
6|May 06 2013|06:58:47|302015|192.168.160.21|53|10.10.254.70|65020|Built outbound UDP connection 299 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/65020 (10.10.254.70/65020)
6|May 06 2013|06:58:46|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:45|305012|10.10.254.70|34448|192.168.13.100|53786|Teardown dynamic TCP translation from inside:10.10.254.70/34448 to outside:192.168.13.100/53786 duration 0:01:30
6|May 06 2013|06:58:44|305012|10.10.254.70|34447|192.168.13.100|43394|Teardown dynamic TCP translation from inside:10.10.254.70/34447 to outside:192.168.13.100/43394 duration 0:01:30
6|May 06 2013|06:58:44|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:44|302016|192.168.152.21|53|10.10.254.70|62190|Teardown UDP connection 162 for outside:192.168.152.21/53 to inside:10.10.254.70/62190 duration 0:02:07 bytes 111
6|May 06 2013|06:58:44|302016|192.168.160.21|53|10.10.254.70|62190|Teardown UDP connection 158 for outside:192.168.160.21/53 to inside:10.10.254.70/62190 duration 0:02:08 bytes 148
6|May 06 2013|06:58:42|302015|192.168.152.21|53|10.10.254.70|57574|Built outbound UDP connection 297 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/57574 (10.10.254.70/57574)
6|May 06 2013|06:58:42|302016|192.168.152.21|53|10.10.254.70|52009|Teardown UDP connection 157 for outside:192.168.152.21/53 to inside:10.10.254.70/52009 duration 0:02:07 bytes 111
6|May 06 2013|06:58:42|302016|192.168.152.21|53|10.10.254.70|56201|Teardown UDP connection 156 for outside:192.168.152.21/53 to inside:10.10.254.70/56201 duration 0:02:07 bytes 114
6|May 06 2013|06:58:42|302016|192.168.160.21|53|10.10.254.70|56201|Teardown UDP connection 154 for outside:192.168.160.21/53 to inside:10.10.254.70/56201 duration 0:02:08 bytes 152
6|May 06 2013|06:58:42|302016|192.168.160.21|53|10.10.254.70|52009|Teardown UDP connection 153 for outside:192.168.160.21/53 to inside:10.10.254.70/52009 duration 0:02:08 bytes 148
6|May 06 2013|06:58:42|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:41|302015|192.168.152.21|53|10.10.254.70|54805|Built outbound UDP connection 296 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/54805 (10.10.254.70/54805)
6|May 06 2013|06:58:41|302015|192.168.160.21|53|10.10.254.70|57574|Built outbound UDP connection 295 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/57574 (10.10.254.70/57574)
6|May 06 2013|06:58:40|302015|192.168.160.21|53|10.10.254.70|54805|Built outbound UDP connection 294 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/54805 (10.10.254.70/54805)
6|May 06 2013|06:58:40|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:39|302016|192.168.152.21|53|10.10.254.70|49838|Teardown UDP connection 149 for outside:192.168.152.21/53 to inside:10.10.254.70/49838 duration 0:02:07 bytes 165
6|May 06 2013|06:58:39|302016|192.168.160.21|53|10.10.254.70|49838|Teardown UDP connection 142 for outside:192.168.160.21/53 to inside:10.10.254.70/49838 duration 0:02:08 bytes 220
6|May 06 2013|06:58:38|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:37|302016|192.168.152.21|53|10.10.254.70|65386|Teardown UDP connection 138 for outside:192.168.152.21/53 to inside:10.10.254.70/65386 duration 0:02:07 bytes 105
6|May 06 2013|06:58:37|302016|192.168.160.21|53|10.10.254.70|65386|Teardown UDP connection 136 for outside:192.168.160.21/53 to inside:10.10.254.70/65386 duration 0:02:08 bytes 140
6|May 06 2013|06:58:36|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:35|302016|76.119.99.25|62111|10.10.254.70|64582|Teardown UDP connection 140 for outside:76.119.99.25/62111 to inside:10.10.254.70/64582 duration 0:02:04 bytes 220
6|May 06 2013|06:58:34|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:33|302016|192.168.1.134|34097|10.10.254.70|64582|Teardown UDP connection 143 for outside:192.168.1.134/34097 to inside:10.10.254.70/64582 duration 0:02:02 bytes 56
6|May 06 2013|06:58:33|302015|192.168.152.21|53|10.10.254.70|64940|Built outbound UDP connection 291 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/64940 (10.10.254.70/64940)
6|May 06 2013|06:58:32|302016|213.199.179.150|443|10.10.254.70|64582|Teardown UDP connection 141 for outside:213.199.179.150/443 to inside:10.10.254.70/64582 duration 0:02:01 bytes 44
6|May 06 2013|06:58:32|302015|192.168.160.21|53|10.10.254.70|64940|Built outbound UDP connection 290 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/64940 (10.10.254.70/64940)
6|May 06 2013|06:58:32|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:32|302016|192.168.160.21|53|10.10.254.70|62327|Teardown UDP connection 133 for outside:192.168.160.21/53 to inside:10.10.254.70/62327 duration 0:02:07 bytes 148
6|May 06 2013|06:58:32|302016|192.168.152.21|53|10.10.254.70|62327|Teardown UDP connection 131 for outside:192.168.152.21/53 to inside:10.10.254.70/62327 duration 0:02:08 bytes 111
6|May 06 2013|06:58:31|302016|111.221.77.161|443|10.10.254.70|64582|Teardown UDP connection 101 for outside:111.221.77.161/443 to inside:10.10.254.70/64582 duration 0:02:14 bytes 88
6|May 06 2013|06:58:31|302016|192.168.160.21|53|10.10.254.70|50601|Teardown UDP connection 132 for outside:192.168.160.21/53 to inside:10.10.254.70/50601 duration 0:02:07 bytes 136
6|May 06 2013|06:58:31|302016|192.168.152.21|53|10.10.254.70|50601|Teardown UDP connection 130 for outside:192.168.152.21/53 to inside:10.10.254.70/50601 duration 0:02:08 bytes 102
6|May 06 2013|06:58:31|302016|69.142.74.136|5370|10.10.254.70|64582|Teardown UDP connection 97 for outside:69.142.74.136/5370 to inside:10.10.254.70/64582 duration 0:02:14 bytes 88
6|May 06 2013|06:58:30|302016|187.35.72.228|9426|10.10.254.70|64582|Teardown UDP connection 98 for outside:187.35.72.228/9426 to inside:10.10.254.70/64582 duration 0:02:13 bytes 36
6|May 06 2013|06:58:30|302015|192.168.152.21|53|10.10.254.70|52963|Built outbound UDP connection 288 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/52963 (10.10.254.70/52963)
6|May 06 2013|06:58:30|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:30|302015|192.168.152.21|53|10.10.254.70|50141|Built outbound UDP connection 287 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/50141 (10.10.254.70/50141)
6|May 06 2013|06:58:30|302016|192.168.160.21|53|10.10.254.70|49975|Teardown UDP connection 129 for outside:192.168.160.21/53 to inside:10.10.254.70/49975 duration 0:02:07 bytes 160
6|May 06 2013|06:58:30|302016|192.168.152.21|53|10.10.254.70|49975|Teardown UDP connection 127 for outside:192.168.152.21/53 to inside:10.10.254.70/49975 duration 0:02:08 bytes 120
6|May 06 2013|06:58:29|302016|192.168.160.21|53|10.10.254.70|57658|Teardown UDP connection 128 for outside:192.168.160.21/53 to inside:10.10.254.70/57658 duration 0:02:07 bytes 136
6|May 06 2013|06:58:29|302016|192.168.152.21|53|10.10.254.70|57658|Teardown UDP connection 126 for outside:192.168.152.21/53 to inside:10.10.254.70/57658 duration 0:02:08 bytes 102
6|May 06 2013|06:58:29|302015|192.168.160.21|53|10.10.254.70|52963|Built outbound UDP connection 286 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/52963 (10.10.254.70/52963)
6|May 06 2013|06:58:29|302015|192.168.160.21|53|10.10.254.70|50141|Built outbound UDP connection 285 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/50141 (10.10.254.70/50141)
6|May 06 2013|06:58:28|302014|184.64.37.48|80|10.10.254.70|34457|Teardown TCP connection 257 for outside:184.64.37.48/80 to inside:10.10.254.70/34457 duration 0:00:30 bytes 0 SYN Timeout
6|May 06 2013|06:58:28|302014|184.64.37.48|443|10.10.254.70|34456|Teardown TCP connection 256 for outside:184.64.37.48/443 to inside:10.10.254.70/34456 duration 0:00:30 bytes 0 SYN Timeout
6|May 06 2013|06:58:28|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:27|302014|184.64.37.48|53578|10.10.254.70|34455|Teardown TCP connection 254 for outside:184.64.37.48/53578 to inside:10.10.254.70/34455 duration 0:00:30 bytes 0 SYN Timeout
6|May 06 2013|06:58:27|302015|192.168.152.21|53|10.10.254.70|57349|Built outbound UDP connection 283 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/57349 (10.10.254.70/57349)
6|May 06 2013|06:58:26|302015|192.168.152.21|53|10.10.254.70|54841|Built outbound UDP connection 282 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/54841 (10.10.254.70/54841)
6|May 06 2013|06:58:26|302014|184.64.37.48|53578|10.10.254.70|34453|Teardown TCP connection 250 for outside:184.64.37.48/53578 to inside:10.10.254.70/34453 duration 0:00:30 bytes 0 SYN Timeout
6|May 06 2013|06:58:26|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:26|302015|192.168.160.21|53|10.10.254.70|57349|Built outbound UDP connection 281 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/57349 (10.10.254.70/57349)
6|May 06 2013|06:58:25|302015|192.168.160.21|53|10.10.254.70|54841|Built outbound UDP connection 280 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/54841 (10.10.254.70/54841)
6|May 06 2013|06:58:25|302016|192.168.160.21|53|10.10.254.70|63377|Teardown UDP connection 118 for outside:192.168.160.21/53 to inside:10.10.254.70/63377 duration 0:02:07 bytes 236
6|May 06 2013|06:58:25|302016|192.168.152.21|53|10.10.254.70|63377|Teardown UDP connection 104 for outside:192.168.152.21/53 to inside:10.10.254.70/63377 duration 0:02:08 bytes 177
6|May 06 2013|06:58:24|302016|192.168.160.21|53|10.10.254.70|53894|Teardown UDP connection 107 for outside:192.168.160.21/53 to inside:10.10.254.70/53894 duration 0:02:07 bytes 164
6|May 06 2013|06:58:24|302016|192.168.160.21|53|10.10.254.70|53008|Teardown UDP connection 106 for outside:192.168.160.21/53 to inside:10.10.254.70/53008 duration 0:02:07 bytes 164
6|May 06 2013|06:58:24|302016|192.168.160.21|53|10.10.254.70|62979|Teardown UDP connection 105 for outside:192.168.160.21/53 to inside:10.10.254.70/62979 duration 0:02:07 bytes 164
6|May 06 2013|06:58:24|302016|192.168.152.21|53|10.10.254.70|53894|Teardown UDP connection 92 for outside:192.168.152.21/53 to inside:10.10.254.70/53894 duration 0:02:08 bytes 123
6|May 06 2013|06:58:24|302016|192.168.152.21|53|10.10.254.70|53008|Teardown UDP connection 91 for outside:192.168.152.21/53 to inside:10.10.254.70/53008 duration 0:02:08 bytes 123
6|May 06 2013|06:58:24|302016|192.168.152.21|53|10.10.254.70|62979|Teardown UDP connection 90 for outside:192.168.152.21/53 to inside:10.10.254.70/62979 duration 0:02:08 bytes 123
6|May 06 2013|06:58:24|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:24|302016|192.168.160.21|53|10.10.254.70|54579|Teardown UDP connection 100 for outside:192.168.160.21/53 to inside:10.10.254.70/54579 duration 0:02:07 bytes 128
6|May 06 2013|06:58:24|302016|192.168.152.21|53|10.10.254.70|54579|Teardown UDP connection 86 for outside:192.168.152.21/53 to inside:10.10.254.70/54579 duration 0:02:08 bytes 96
6|May 06 2013|06:58:22|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:22|302016|192.168.160.21|53|10.10.254.70|50518|Teardown UDP connection 94 for outside:192.168.160.21/53 to inside:10.10.254.70/50518 duration 0:02:05 bytes 80
6|May 06 2013|06:58:22|302016|192.168.152.21|53|10.10.254.70|50518|Teardown UDP connection 93 for outside:192.168.152.21/53 to inside:10.10.254.70/50518 duration 0:02:05 bytes 80
6|May 06 2013|06:58:22|302016|192.168.160.21|53|10.10.254.70|61054|Teardown UDP connection 89 for outside:192.168.160.21/53 to inside:10.10.254.70/61054 duration 0:02:06 bytes 74
6|May 06 2013|06:58:22|302016|192.168.152.21|53|10.10.254.70|61054|Teardown UDP connection 88 for outside:192.168.152.21/53 to inside:10.10.254.70/61054 duration 0:02:06 bytes 74
6|May 06 2013|06:58:20|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:19|302016|192.168.160.21|53|10.10.254.70|49862|Teardown UDP connection 124 for outside:192.168.160.21/53 to inside:10.10.254.70/49862 duration 0:02:01 bytes 41
6|May 06 2013|06:58:19|302016|192.168.160.21|53|10.10.254.70|52028|Teardown UDP connection 123 for outside:192.168.160.21/53 to inside:10.10.254.70/52028 duration 0:02:01 bytes 41
6|May 06 2013|06:58:19|302016|192.168.152.21|53|10.10.254.70|52028|Teardown UDP connection 122 for outside:192.168.152.21/53 to inside:10.10.254.70/52028 duration 0:02:01 bytes 41
6|May 06 2013|06:58:19|302016|192.168.152.21|53|10.10.254.70|49862|Teardown UDP connection 121 for outside:192.168.152.21/53 to inside:10.10.254.70/49862 duration 0:02:01 bytes 41
6|May 06 2013|06:58:19|302016|192.168.160.21|53|10.10.254.70|63772|Teardown UDP connection 120 for outside:192.168.160.21/53 to inside:10.10.254.70/63772 duration 0:02:01 bytes 41
6|May 06 2013|06:58:19|302016|192.168.152.21|53|10.10.254.70|63772|Teardown UDP connection 119 for outside:192.168.152.21/53 to inside:10.10.254.70/63772 duration 0:02:01 bytes 41
6|May 06 2013|06:58:19|302016|192.168.160.21|53|10.10.254.70|55207|Teardown UDP connection 117 for outside:192.168.160.21/53 to inside:10.10.254.70/55207 duration 0:02:01 bytes 40
6|May 06 2013|06:58:19|302016|192.168.152.21|53|10.10.254.70|55207|Teardown UDP connection 116 for outside:192.168.152.21/53 to inside:10.10.254.70/55207 duration 0:02:01 bytes 40
6|May 06 2013|06:58:19|302016|192.168.160.21|53|10.10.254.70|51370|Teardown UDP connection 115 for outside:192.168.160.21/53 to inside:10.10.254.70/51370 duration 0:02:02 bytes 32
6|May 06 2013|06:58:19|302016|192.168.152.21|53|10.10.254.70|51370|Teardown UDP connection 114 for outside:192.168.152.21/53 to inside:10.10.254.70/51370 duration 0:02:02 bytes 32
6|May 06 2013|06:58:18|302016|192.168.160.21|53|10.10.254.70|54447|Teardown UDP connection 113 for outside:192.168.160.21/53 to inside:10.10.254.70/54447 duration 0:02:01 bytes 38
6|May 06 2013|06:58:18|302016|192.168.152.21|53|10.10.254.70|54447|Teardown UDP connection 112 for outside:192.168.152.21/53 to inside:10.10.254.70/54447 duration 0:02:01 bytes 38
6|May 06 2013|06:58:18|302016|192.168.160.21|53|10.10.254.70|53196|Teardown UDP connection 111 for outside:192.168.160.21/53 to inside:10.10.254.70/53196 duration 0:02:01 bytes 32
6|May 06 2013|06:58:18|302016|192.168.152.21|53|10.10.254.70|53196|Teardown UDP connection 110 for outside:192.168.152.21/53 to inside:10.10.254.70/53196 duration 0:02:01 bytes 32
6|May 06 2013|06:58:18|302016|192.168.160.21|53|10.10.254.70|59127|Teardown UDP connection 109 for outside:192.168.160.21/53 to inside:10.10.254.70/59127 duration 0:02:01 bytes 32
6|May 06 2013|06:58:18|302016|192.168.152.21|53|10.10.254.70|59127|Teardown UDP connection 108 for outside:192.168.152.21/53 to inside:10.10.254.70/59127 duration 0:02:01 bytes 32
6|May 06 2013|06:58:18|302016|157.55.130.158|443|10.10.254.70|64582|Teardown UDP connection 102 for outside:157.55.130.158/443 to inside:10.10.254.70/64582 duration 0:02:01 bytes 44
6|May 06 2013|06:58:18|302016|126.159.50.221|5081|10.10.254.70|64582|Teardown UDP connection 95 for outside:126.159.50.221/5081 to inside:10.10.254.70/64582 duration 0:02:02 bytes 18
6|May 06 2013|06:58:18|302015|192.168.152.21|53|10.10.254.70|57615|Built outbound UDP connection 277 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/57615 (10.10.254.70/57615)
6|May 06 2013|06:58:18|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:17|302015|192.168.160.21|53|10.10.254.70|57615|Built outbound UDP connection 276 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/57615 (10.10.254.70/57615)
6|May 06 2013|06:58:17|302014|65.183.143.163|10103|10.10.254.70|34448|Teardown TCP connection 203 for outside:65.183.143.163/10103 to inside:10.10.254.70/34448 duration 0:01:02 bytes 353 TCP FINs
6|May 06 2013|06:58:17|302013|71.207.1.189|1761|10.10.254.70|34468|Built outbound TCP connection 275 for outside:71.207.1.189/1761 (71.207.1.189/1761) to inside:10.10.254.70/34468 (192.168.13.100/55721)
6|May 06 2013|06:58:17|305011|10.10.254.70|34468|192.168.13.100|55721|Built dynamic TCP translation from inside:10.10.254.70/34468 to outside:192.168.13.100/55721
6|May 06 2013|06:58:16|302014|184.37.189.185|60952|10.10.254.70|34447|Teardown TCP connection 202 for outside:184.37.189.185/60952 to inside:10.10.254.70/34447 duration 0:01:02 bytes 400 TCP FINs
6|May 06 2013|06:58:16|302016|112.208.137.190|25040|10.10.254.70|64582|Teardown UDP connection 29 for outside:112.208.137.190/25040 to inside:10.10.254.70/64582 duration 0:02:08 bytes 184
6|May 06 2013|06:58:16|302013|67.86.118.52|17365|10.10.254.70|34467|Built outbound TCP connection 274 for outside:67.86.118.52/17365 (67.86.118.52/17365) to inside:10.10.254.70/34467 (192.168.13.100/48446)
6|May 06 2013|06:58:16|305011|10.10.254.70|34467|192.168.13.100|48446|Built dynamic TCP translation from inside:10.10.254.70/34467 to outside:192.168.13.100/48446
6|May 06 2013|06:58:16|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:16|302016|37.229.14.159|5806|10.10.254.70|64582|Teardown UDP connection 28 for outside:37.229.14.159/5806 to inside:10.10.254.70/64582 duration 0:02:07 bytes 184
6|May 06 2013|06:58:15|305012|10.10.254.70|34441|192.168.13.100|33964|Teardown dynamic TCP translation from inside:10.10.254.70/34441 to outside:192.168.13.100/33964 duration 0:01:30
6|May 06 2013|06:58:15|302015|192.168.152.21|53|10.10.254.70|55062|Built outbound UDP connection 272 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/55062 (10.10.254.70/55062)
6|May 06 2013|06:58:14|302015|192.168.160.21|53|10.10.254.70|55062|Built outbound UDP connection 271 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/55062 (10.10.254.70/55062)
6|May 06 2013|06:58:14|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:12|302015|192.168.152.21|53|10.10.254.70|61073|Built outbound UDP connection 270 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/61073 (10.10.254.70/61073)
6|May 06 2013|06:58:12|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:11|302015|192.168.160.21|53|10.10.254.70|61073|Built outbound UDP connection 268 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/61073 (10.10.254.70/61073)
6|May 06 2013|06:58:10|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:10|302016|157.55.130.155|443|10.10.254.70|64582|Teardown UDP connection 31 for outside:157.55.130.155/443 to inside:10.10.254.70/64582 duration 0:02:01 bytes 18
6|May 06 2013|06:58:10|302016|111.221.77.166|443|10.10.254.70|64582|Teardown UDP connection 30 for outside:111.221.77.166/443 to inside:10.10.254.70/64582 duration 0:02:01 bytes 18
6|May 06 2013|06:58:08|302015|192.168.152.21|53|10.10.254.70|50088|Built outbound UDP connection 267 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/50088 (10.10.254.70/50088)
6|May 06 2013|06:58:08|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:08|302016|10.10.254.70|68|10.10.254.254|67|Teardown UDP connection 19 for inside:10.10.254.70/68 to identity:10.10.254.254/67 duration 0:02:01 bytes 641
6|May 06 2013|06:58:08|302016|255.255.255.255|68|10.10.254.254|67|Teardown UDP connection 17 for inside:255.255.255.255/68 to identity:10.10.254.254/67 duration 0:02:01 bytes 249
6|May 06 2013|06:58:08|302016|0.0.0.0|68|255.255.255.255|67|Teardown UDP connection 16 for inside:0.0.0.0/68 to identity:255.255.255.255/67 duration 0:02:01 bytes 948
6|May 06 2013|06:58:07|302015|192.168.160.21|53|10.10.254.70|50088|Built outbound UDP connection 265 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/50088 (10.10.254.70/50088)
6|May 06 2013|06:58:06|302015|192.168.152.21|53|10.10.254.70|63993|Built outbound UDP connection 264 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/63993 (10.10.254.70/63993)
6|May 06 2013|06:58:06|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:05|302015|192.168.160.21|53|10.10.254.70|63993|Built outbound UDP connection 263 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/63993 (10.10.254.70/63993)
6|May 06 2013|06:58:04|302016|70.171.138.105|9016|10.10.254.70|64582|Teardown UDP connection 5 for outside:70.171.138.105/9016 to inside:10.10.254.70/64582 duration 0:02:01 bytes 18
6|May 06 2013|06:58:04|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:03|302015|192.168.152.21|53|10.10.254.70|53734|Built outbound UDP connection 261 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/53734 (10.10.254.70/53734)
6|May 06 2013|06:58:03|302013|174.91.241.232|53766|10.10.254.70|34458|Built outbound TCP connection 260 for outside:174.91.241.232/53766 (174.91.241.232/53766) to inside:10.10.254.70/34458 (192.168.13.100/26157)
6|May 06 2013|06:58:03|305011|10.10.254.70|34458|192.168.13.100|26157|Built dynamic TCP translation from inside:10.10.254.70/34458 to outside:192.168.13.100/26157
6|May 06 2013|06:58:03|302014|10.10.225.18|443|10.10.254.70|34451|Teardown TCP connection 221 for outside:10.10.225.18/443 to inside:10.10.254.70/34451 duration 0:00:30 bytes 0 SYN Timeout
6|May 06 2013|06:58:02|302015|192.168.160.21|53|10.10.254.70|53734|Built outbound UDP connection 259 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/53734 (10.10.254.70/53734)
6|May 06 2013|06:58:02|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:58:00|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:58|302013|184.64.37.48|80|10.10.254.70|34457|Built outbound TCP connection 257 for outside:184.64.37.48/80 (184.64.37.48/80) to inside:10.10.254.70/34457 (192.168.13.100/43659)
6|May 06 2013|06:57:58|305011|10.10.254.70|34457|192.168.13.100|43659|Built dynamic TCP translation from inside:10.10.254.70/34457 to outside:192.168.13.100/43659
6|May 06 2013|06:57:58|302013|184.64.37.48|443|10.10.254.70|34456|Built outbound TCP connection 256 for outside:184.64.37.48/443 (184.64.37.48/443) to inside:10.10.254.70/34456 (192.168.13.100/47534)
6|May 06 2013|06:57:58|305011|10.10.254.70|34456|192.168.13.100|47534|Built dynamic TCP translation from inside:10.10.254.70/34456 to outside:192.168.13.100/47534
6|May 06 2013|06:57:58|305012|10.10.254.70|34446|192.168.13.100|3562|Teardown dynamic TCP translation from inside:10.10.254.70/34446 to outside:192.168.13.100/3562 duration 0:01:00
6|May 06 2013|06:57:58|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:58|302015|192.168.152.21|53|10.10.254.70|56866|Built outbound UDP connection 255 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/56866 (10.10.254.70/56866)
6|May 06 2013|06:57:57|302013|184.64.37.48|53578|10.10.254.70|34455|Built outbound TCP connection 254 for outside:184.64.37.48/53578 (184.64.37.48/53578) to inside:10.10.254.70/34455 (192.168.13.100/4536)
6|May 06 2013|06:57:57|305011|10.10.254.70|34455|192.168.13.100|4536|Built dynamic TCP translation from inside:10.10.254.70/34455 to outside:192.168.13.100/4536
6|May 06 2013|06:57:57|302014|74.56.154.191|62152|10.10.254.70|34441|Teardown TCP connection 170 for outside:74.56.154.191/62152 to inside:10.10.254.70/34441 duration 0:01:11 bytes 6953 TCP FINs
6|May 06 2013|06:57:57|302015|192.168.160.21|53|10.10.254.70|56866|Built outbound UDP connection 253 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/56866 (10.10.254.70/56866)
6|May 06 2013|06:57:57|302013|50.72.9.170|12248|10.10.254.70|34454|Built outbound TCP connection 252 for outside:50.72.9.170/12248 (50.72.9.170/12248) to inside:10.10.254.70/34454 (192.168.13.100/39886)
6|May 06 2013|06:57:57|305011|10.10.254.70|34454|192.168.13.100|39886|Built dynamic TCP translation from inside:10.10.254.70/34454 to outside:192.168.13.100/39886
6|May 06 2013|06:57:56|302014|96.228.226.64|48962|10.10.254.70|34446|Teardown TCP connection 188 for outside:96.228.226.64/48962 to inside:10.10.254.70/34446 duration 0:00:58 bytes 363 TCP FINs
6|May 06 2013|06:57:56|302015|192.168.152.21|53|10.10.254.70|59590|Built outbound UDP connection 251 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/59590 (10.10.254.70/59590)
6|May 06 2013|06:57:56|302013|184.64.37.48|53578|10.10.254.70|34453|Built outbound TCP connection 250 for outside:184.64.37.48/53578 (184.64.37.48/53578) to inside:10.10.254.70/34453 (192.168.13.100/34856)
6|May 06 2013|06:57:56|305011|10.10.254.70|34453|192.168.13.100|34856|Built dynamic TCP translation from inside:10.10.254.70/34453 to outside:192.168.13.100/34856
6|May 06 2013|06:57:56|302013|24.202.182.58|43715|10.10.254.70|34452|Built outbound TCP connection 249 for outside:24.202.182.58/43715 (24.202.182.58/43715) to inside:10.10.254.70/34452 (192.168.13.100/33908)
6|May 06 2013|06:57:56|305011|10.10.254.70|34452|192.168.13.100|33908|Built dynamic TCP translation from inside:10.10.254.70/34452 to outside:192.168.13.100/33908
6|May 06 2013|06:57:56|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:55|302015|192.168.160.21|53|10.10.254.70|59590|Built outbound UDP connection 247 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/59590 (10.10.254.70/59590)
6|May 06 2013|06:57:55|302015|192.168.152.21|53|10.10.254.70|63756|Built outbound UDP connection 246 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/63756 (10.10.254.70/63756)
6|May 06 2013|06:57:54|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:54|302015|192.168.160.21|53|10.10.254.70|57967|Built outbound UDP connection 245 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/57967 (10.10.254.70/57967)
6|May 06 2013|06:57:54|302014|10.10.225.18|443|10.10.254.70|34450|Teardown TCP connection 209 for outside:10.10.225.18/443 to inside:10.10.254.70/34450 duration 0:00:30 bytes 0 SYN Timeout
6|May 06 2013|06:57:54|302014|10.10.225.18|443|10.10.254.70|34449|Teardown TCP connection 207 for outside:10.10.225.18/443 to inside:10.10.254.70/34449 duration 0:00:30 bytes 0 SYN Timeout
6|May 06 2013|06:57:54|302015|192.168.160.21|53|10.10.254.70|63756|Built outbound UDP connection 244 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/63756 (10.10.254.70/63756)
6|May 06 2013|06:57:53|302015|192.168.152.21|53|10.10.254.70|57967|Built outbound UDP connection 243 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/57967 (10.10.254.70/57967)
6|May 06 2013|06:57:52|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:50|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:49|302015|192.168.160.21|53|10.10.254.70|54304|Built outbound UDP connection 241 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/54304 (10.10.254.70/54304)
6|May 06 2013|06:57:48|302015|192.168.152.21|53|10.10.254.70|54304|Built outbound UDP connection 240 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/54304 (10.10.254.70/54304)
6|May 06 2013|06:57:48|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:48|302015|192.168.160.21|53|10.10.254.70|65422|Built outbound UDP connection 238 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/65422 (10.10.254.70/65422)
6|May 06 2013|06:57:47|302015|192.168.152.21|53|10.10.254.70|65422|Built outbound UDP connection 237 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/65422 (10.10.254.70/65422)
6|May 06 2013|06:57:46|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:46|302015|192.168.160.21|53|10.10.254.70|50300|Built outbound UDP connection 236 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/50300 (10.10.254.70/50300)
6|May 06 2013|06:57:46|302015|192.168.160.21|53|10.10.254.70|49286|Built outbound UDP connection 235 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/49286 (10.10.254.70/49286)
6|May 06 2013|06:57:45|302015|192.168.152.21|53|10.10.254.70|50300|Built outbound UDP connection 234 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/50300 (10.10.254.70/50300)
6|May 06 2013|06:57:45|302015|192.168.152.21|53|10.10.254.70|49286|Built outbound UDP connection 233 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/49286 (10.10.254.70/49286)
6|May 06 2013|06:57:44|302020|10.10.254.70|1|192.168.152.21|0|Built outbound ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:43|305012|10.10.254.70|34440|192.168.13.100|17057|Teardown dynamic TCP translation from inside:10.10.254.70/34440 to outside:192.168.13.100/17057 duration 0:01:00
6|May 06 2013|06:57:43|302015|192.168.160.21|53|10.10.254.70|57306|Built outbound UDP connection 231 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/57306 (10.10.254.70/57306)
6|May 06 2013|06:57:42|305012|10.10.254.70|34439|192.168.13.100|24448|Teardown dynamic TCP translation from inside:10.10.254.70/34439 to outside:192.168.13.100/24448 duration 0:01:00
6|May 06 2013|06:57:42|305012|10.10.254.70|34438|192.168.13.100|20628|Teardown dynamic TCP translation from inside:10.10.254.70/34438 to outside:192.168.13.100/20628 duration 0:01:00
6|May 06 2013|06:57:42|302015|192.168.160.21|53|10.10.254.70|54646|Built outbound UDP connection 230 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/54646 (10.10.254.70/54646)
6|May 06 2013|06:57:42|302015|192.168.152.21|53|10.10.254.70|57306|Built outbound UDP connection 229 for outside:192.168.152.21/53 (192.168.152.21/53) to inside:10.10.254.70/57306 (10.10.254.70/57306)
6|May 06 2013|06:57:42|302021|192.168.152.21|0|10.10.254.70|1|Teardown ICMP connection for faddr 192.168.152.21/0 gaddr 10.10.254.70/1 laddr 10.10.254.70/1
6|May 06 2013|06:57:42|302015|192.168.160.21|53|10.10.254.70|64481|Built outbound UDP connection 228 for outside:192.168.160.21/53 (192.168.160.21/53) to inside:10.10.254.70/64481 (10.10.254.70/64481)
6|May 06 2013|06:57:41|302015|192.168.152.21|53|10.1
First, make sure you correct the mask in the crypto ACL, per my other post.
You should check with the other admin and make sure your crypto ACLs are exact mirrors of each other. It wouldn't be a bad idea to put a sniffer on the WAN side to see if you can detect asymmetrical operation (packets that should be encapsulated, but are not).
It looks like the pool (192.168.100.0 255.255.255.248) is not part of a policy push from the other crypto endpoint.
Are they actually using a /24 mask on their side, or is that an assumption on your part?
Could it be that they are actually using a mask greater than /24 so as to not have an overlap?
My concern was how a host on the far side with a /24 mask would initiate/respond to a host on your side. The host on their side would ARP your host believing it was directly reachable, due to the mask.
Perhaps this might be resolved with "ip proxy-arp" configured on the internal interface of their router.
Is their 192.168.100.0 /? network the connected network on the inside of their router, or buried deeper in their topology?
Similar Messages
-
Cisco asa- vpn established but cant ping
I am using 2 Cisco ASA 5505 routers. I have established a VPN between them, but I can't ping the client's internal or outside interface; the client can ping my outside interface. The only configuration on the client is basic Easy VPN settings and interfaces. Here is the server-part configuration on my side:
ASA Version 9.1(1)
hostname ciscoasa
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group iskon
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside
subnet 10.1.2.0 255.255.255.0
object network outside
subnet 10.1.3.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list 101 extended permit object-group DM_INLINE_PROTOCOL_1 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 102 extended permit object-group DM_INLINE_PROTOCOL_2 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.1.3.0 255.255.255.0 echo-reply inside
icmp permit any inside
icmp permit any outside
icmp permit 10.1.3.0 255.255.255.0 echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static outside outside destination static inside inside no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group global_access global
route inside 0.0.0.0 0.0.0.0 10.1.3.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
crypto map MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group iskon request dialout pppoe
vpdn group iskon localname *********
vpdn group iskon ppp authentication pap
vpdn username ***** password *****
dhcpd auto_config outside
dhcpd address 10.1.2.5-10.1.2.132 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN internal
group-policy VPN attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value 101
nem enable
username user password enq05bKrudsJMMBu encrypted privilege 15
username user attributes
vpn-group-policy VPN
vpn-session-timeout none
group-lock value VPN-TUNNEL
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
default-group-policy VPN
tunnel-group VPN-TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3f2923b78a04ee8cfe9324e3e2733d78
SOLVED!!! I just needed to configure NAT. Here is the configuration for anyone with the same problem:
: Saved
ASA Version 9.1(1)
hostname ciscoasa
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group iskon
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ladimirevci
subnet 10.1.2.0 255.255.255.0
object network lekenik
subnet 10.1.3.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 101 extended permit ip object lekenik object ladimirevci
access-list 101 extended permit ip object ladimirevci object lekenik
access-list outside_access_in extended permit ip object ladimirevci object lekenik
access-list outside_access_in extended permit ip object lekenik object ladimirevci
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip object ladimirevci object lekenik
access-list inside_access_in extended permit ip object lekenik object ladimirevci
access-list inside_access_in extended permit ip any any
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 102 extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list global_access extended permit ip object lekenik object ladimirevci
access-list global_access extended permit ip object ladimirevci object lekenik
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static ladimirevci ladimirevci destination static lekenik lekenik
object network obj_any
nat (inside,outside) dynamic interface dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN-MAP 5 set pfs
crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
crypto dynamic-map DYN-MAP 5 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
crypto map MAP interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
vpdn group iskon request dialout pppoe
vpdn group iskon localname vivaindo@iskon-dsl
vpdn group iskon ppp authentication pap
vpdn username vivaindo@iskon-dsl password *****
dhcpd auto_config outside
dhcpd address 10.1.2.5-10.1.2.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-clientless
group-policy VPN internal
group-policy VPN attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-lock value VPN-TUNNEL
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
nem enable
username user password enq05bKrudsJMMBu encrypted privilege 15
username user attributes
vpn-group-policy VPN
group-lock value VPN-TUNNEL
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
default-group-policy VPN
tunnel-group VPN-TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ddac35422ebbf57095be7a1d33b0b67d
: end
asdm image disk0:/asdm-712.bin
no asdm history enable -
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs; please let me know if you need anything else. I'm stumped on this one. Thanks.
IP scheme at Site A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Cisco 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
I have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
on the router I have also added;
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my acl :
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping to the other site. -
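The mirror check recommended for crypto ACLs in the first thread's reply, plus a first-match ordering check for the NAT-exemption ACL, run over ACL lines copied from the posts in this thread. This is an added example, not code from any poster; the function names are illustrative, and it assumes only `ip` entries whose endpoints are `any`, `host` or address/mask.

```python
import ipaddress

# ACL lines copied from the posts in this thread (subset, original order kept).
ROUTER_CRYPTO_101 = [
    "access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127",
    "access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65",
]
ASA_CRYPTO_110 = [
    "access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128",
    "access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128",
]
ROUTER_NAT_110 = [
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127",
    "access-list 110 permit ip 172.19.3.128 0.0.0.127 any",
    "access-list 110 permit ip 172.19.10.0 0.0.0.255 any",
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63",
]


def mask_to_prefix(mask, wildcard):
    """Convert an ASA netmask or an IOS wildcard mask to a prefix length."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:                      # IOS ACLs use inverted (wildcard) masks
        bits ^= 0xFFFFFFFF
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"mask {mask} is not a contiguous prefix")
    return prefix


def take_endpoint(tokens, wildcard):
    """Consume one address spec from the token list and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    prefix = mask_to_prefix(tokens.pop(0), wildcard)
    return ipaddress.ip_network(f"{first}/{prefix}", strict=False)


def parse_acl(lines, wildcard):
    """Return (entries, errors); entries are (action, src, dst, line) in order."""
    entries, errors = [], []
    for line in lines:
        tokens = line.split()[2:]     # drop "access-list <id>"
        if tokens[0] == "extended":   # ASA keyword, absent on IOS
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        if proto != "ip":
            errors.append(f"{line}: only 'ip' entries are handled")
            continue
        try:
            src = take_endpoint(tokens, wildcard)
            dst = take_endpoint(tokens, wildcard)
        except ValueError as exc:
            errors.append(f"{line}: {exc}")
            continue
        entries.append((action, src, dst, line))
    return entries, errors


def missing_mirrors(local, remote):
    """Permit lines in `local` with no swapped (dst, src) permit in `remote`."""
    remote_pairs = {(s, d) for a, s, d, _ in remote if a == "permit"}
    return [line for a, s, d, line in local
            if a == "permit" and (d, s) not in remote_pairs]


def shadowed(entries):
    """Lines that can never match: an earlier entry already covers them."""
    hits = []
    for i, (_action, src, dst, line) in enumerate(entries):
        for _a, psrc, pdst, pline in entries[:i]:
            if src.subnet_of(psrc) and dst.subnet_of(pdst):
                hits.append((line, pline))
                break
    return hits


def run_checks():
    router, router_err = parse_acl(ROUTER_CRYPTO_101, wildcard=True)
    asa, asa_err = parse_acl(ASA_CRYPTO_110, wildcard=False)
    nat, nat_err = parse_acl(ROUTER_NAT_110, wildcard=True)
    return {
        "parse_errors": router_err + asa_err + nat_err,
        "asa_without_router_mirror": missing_mirrors(asa, router),
        "router_without_asa_mirror": missing_mirrors(router, asa),
        "shadowed": shadowed(nat),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

On these lines the script flags the `0.0.0.65` wildcard as non-contiguous, finds no router-side mirror for either ASA crypto entry, and reports the appended `deny` in ACL 110 as shadowed by the earlier `permit ip 172.19.3.128 0.0.0.127 any`.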
Inspect other firewall traffic using ASA 5585-X IPS SSP
Is it possible to inspect traffic from other firewalls (say checkpoint firewall) apart from the one the ASA firewall the ASA IPS SSP is running on?
Any help will be appreciated
O.
Hello Amit,
Can you share :
show ips detail
show module 1 details
show service-policy
Now, can you explain a little about this:
on the switch end port tengig 1/8 is connected on nexus and specific vlans are monitored on that interface. But as of now I am not able to see any traffic on that interface. I don't know what wrong I am doing as this is the first time on this IPS module. There are no ports connected on the firewall. The only port connected is tengig 1/8 which is on the IPS module which is in promiscuous mode.
I mean the firewall is the one that will redirect the traffic to the IPS sensor so not sure I follow you!
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
VPN session established but cannot access trusted LAN segment on the ASA
Just a roundup of my Cisco ASA configuration...
1) Configure remote access IPSec VPN
2) Group Policies - vpntesting
3) AES256 SHA DH group 5
4) Configure local user vpntesting
5) Configure dhcp pool - 10.27.165.2 to 10.27.165.128 mask /24
6) open access on outside interface
7) IKE group - vpntesting
A) Did I miss anything?
B) For example, there is a LAN segment - 10.27.40.x/24 on the trusted leg of the Cisco ASA but I can't access it. Do I need to create access lists to allow my VPN session to access the trust LANs?
C) Any good guide for configuring remote access VPN using ASDM?
I have a couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
1: Sometimes, clients are connected, connection shows established but no traffic or pings can be made to corp network. It might have to do with NAT settings to except VPN traffic from being NATed.
2: VPN Clients don't pick the same IP address from local address pool even though I specified "RECYCLE" option.
I would appreciate if you look at my configuration and advise any mis-config or anything that needs to be corrected.
Thank you so much.
Configuration:
TQI-WN-RT2911#sh run
Building configuration...
Current configuration : 7420 bytes
! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname TQI-WN-RT2911
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
no ipv6 cef
ip source-route
ip cef
ip dhcp remember
ip domain name telquestintl.com
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-2562258950
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2562258950
revocation-check none
rsakeypair TP-self-signed-2562258950
crypto pki certificate chain TP-self-signed-2562258950
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn ##############
redundancy
track 1 ip sla 1 reachability
delay down 10 up 20
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ############## address 173.161.255.### 255.255.255.240
crypto isakmp client configuration group EASY_VPN
key ##############
dns 10.10.0.241 10.0.0.241
domain domain.com
pool EZVPN-POOL
acl VPN+ENVYPTED_TRAFFIC
save-password
max-users 50
max-logins 10
netmask 255.255.255.0
crypto isakmp profile EASY_VPN_IKE_PROFILE1
match identity group EASY_VPN
client authentication list default
isakmp authorization list default
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile EASY_VPN_IPSec_PROFILE1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile EASY_VPN_IKE_PROFILE1
crypto map VPN_TUNNEL 10 ipsec-isakmp
description ***TUNNEL-TO-FAIRFIELD***
set peer 173.161.255.241
set transform-set ESP-3DES-SHA
match address 105
interface Loopback1
ip address 10.10.30.1 255.255.255.0
interface Tunnel1
ip address 172.16.0.2 255.255.255.0
ip mtu 1420
tunnel source GigabitEthernet0/0
tunnel destination 173.161.255.241
tunnel path-mtu-discovery
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Optonline WAN secondary
ip address 108.58.179.### 255.255.255.248 secondary
ip address 108.58.179.### 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN_TUNNEL
interface GigabitEthernet0/1
description T1 WAN Link
ip address 64.7.17.### 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
description LAN
ip address 10.10.0.1 255.255.255.0 secondary
ip address 10.10.0.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
router eigrp 1
network 10.10.0.0 0.0.0.255
network 10.10.30.0 0.0.0.255
network 172.16.0.0 0.0.0.255
router odr
router bgp 100
bgp log-neighbor-changes
ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay 65535
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map OPTIMUM-ISP interface GigabitEthernet0/0 overload
ip nat inside source route-map T1-ISP interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.0.243 25 108.58.179.### 25 extendable
ip nat inside source static tcp 10.10.0.243 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.243 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.220 3389 108.58.179.### 3389 extendable
ip nat inside source static tcp 10.10.0.17 12000 108.58.179.### 12000 extendable
ip nat inside source static tcp 10.10.0.16 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.16 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.16 3389 108.58.179.### 3389 extendable
ip route 0.0.0.0 0.0.0.0 108.58.179.### track 1
ip route 0.0.0.0 0.0.0.0 64.7.17.97 ##
ip access-list extended VPN+ENVYPTED_TRAFFIC
permit ip 10.10.0.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
permit ip 10.10.30.0 0.0.0.255 any
ip sla 1
icmp-echo 108.58.179.### source-interface GigabitEthernet0/0
threshold 100
timeout 200
frequency 3
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.10.0.0 0.0.0.255
access-list 2 permit 10.10.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
access-list 105 permit gre host 108.58.179.### host 173.161.255.###
route-map T1-ISP permit 10
match ip address 100
match interface GigabitEthernet0/1
route-map OPTIMUM-ISP permit 10
match ip address 100
match interface GigabitEthernet0/0
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
end
TQI-WN-RT2911# -
Hello everyone,
First off, I apologize if this is something that I can google. My knowledge of network administration is all self-taught, so if there is a guide to follow that I've missed please point me in the right direction; it's often hard to Google terms for troubleshooting when your jargon isn't up to snuff.
The chief issue is that when pinging internal devices while connected to the results are very inconsistent.
Pinging 192.168.15.102 with 32 bytes of data:
Reply from 192.168.15.102: bytes=32 time=112ms TTL=128
Request timed out.
Request timed out.
Request timed out.
We've set up an IPSec VPN connection to a remote Cisco ASA 5505. There are no issues connecting, connection seems constant, packets good etc. At this point I can only assume I have configuration issues but I've been looking at this for so long, and coupled with my inexperience configuring these settings I have no clue where to start. My initial thoughts are that the LAN devices I am pinging are not sending their response back or the ASA doesn't know how to route packets back?
Here's a dump of the configuration:
Result of the command: "show config"
: Saved
: Written by enable_15 at 12:40:06.114 CDT Mon Sep 9 2013
ASA Version 8.2(5)
hostname VPN_Test
enable password D37rIydCZ/bnf1uj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.15.0 internal-network
ddns update method DDNS_Update
ddns both
interval maximum 0 4 0 0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description VLAN to inside hosts
nameif inside
security-level 100
ddns update hostname 0.0.0.0
ddns update DDNS_Update
dhcp client update dns server both
ip address 192.168.15.1 255.255.255.0
interface Vlan2
description External VLAN to internet
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
name-server 216.221.96.37
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny icmp interface outside interface inside
access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
access-list Remote_splitTunnelAcl standard permit internal-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.15.192 255.255.255.192
access-list inside_access_in remark Block Internet Traffic
access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
access-list inside_access_in remark Block Internet Traffic
access-list inside_access_in extended permit ip interface inside interface inside
access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192
access-list inside_access_in remark Block Internet Traffic
access-list inside_nat0_outbound_1 extended permit ip 192.168.15.192 255.255.255.192 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.15.192 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http internal-network 255.255.255.0 inside
http yy.yy.yy.yy 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.15.200-192.168.15.250 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.15.101 source inside
ntp server 192.168.15.100 source inside prefer
webvpn
group-policy Remote internal
group-policy Remote attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote_splitTunnelAcl
username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0
username StockUser attributes
vpn-group-policy Remote
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
address-pool VPN_IP_Pool
default-group-policy Remote
tunnel-group Remote ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3
Hi Graham,
My first question is: do you have a site-to-site VPN or a remote access client VPN?
After checking your configuration I see that you do not have any site-to-site VPN configuration, so I am assuming that you are facing an issue with the VPN client.
And if I understood correctly, you are able to connect the VPN client but you are not able to access the internal resources properly.
I would recommend you try to make the following changes.
Remove the following configuration first:
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.15.192 255.255.255.192
You do not need the 1st one and I do not understand the reason for the second one.
The second one is your pool IP subnet (192.168.15.200-192.168.15.250) and I am not sure why you have added this NAT.
If possible, change your pool subnet altogether because we do not recommend using a pool IP range which is similar to your local LAN.
Try the above changes and let me know in case if you have any issue.
Thanks
Jeet Kumar -
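The conditions raised in the reply above (a VPN pool inside the local LAN subnet, and a dynamic NAT rule covering the pool) can be checked directly against an ASA 8.2 style configuration. The following Python sketch is an added example, not part of the thread; it uses an excerpt of the posted "show config" output as constructed input, the function names are hypothetical, and it also reports when the pool overlaps a `dhcpd address` range, which the posted configuration shows for the inside interface.

```python
import ipaddress
import re

# Constructed input: the relevant lines of the "show config" output above.
ASA_CONFIG = """\
interface Vlan1
nameif inside
ip address 192.168.15.1 255.255.255.0
interface Vlan2
nameif outside
ip address xx.xx.xx.xx 255.255.255.248
ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.15.192 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0
dhcpd address 192.168.15.200-192.168.15.250 inside
"""


def addr_range(first, last):
    """Return an inclusive (first, last) pair of IPv4Address objects."""
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)


def audit_asa_pools(config):
    """Return findings as tuples (kind, pool_name, detail)."""
    subnets = {}  # nameif -> IPv4Network of that interface
    pools = {}    # pool name -> (first, last)
    dhcp = []     # (nameif, (first, last))
    nats = []     # (config line, IPv4Network) for dynamic NAT rules
    nameif = None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            nameif = None
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            try:
                subnets[nameif] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            except ValueError:
                pass  # sanitised (xx.xx.xx.xx) or DHCP-assigned address
        elif m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", line):
            pools[m.group(1)] = addr_range(m.group(2), m.group(3))
        elif m := re.match(r"dhcpd address ([\d.]+)-([\d.]+) (\S+)", line):
            dhcp.append((m.group(3), addr_range(m.group(1), m.group(2))))
        elif m := re.match(r"nat \(\S+\) [1-9]\d* ([\d.]+) ([\d.]+)", line):
            if m.group(2) != "0.0.0.0":  # skip the catch-all PAT rule
                nats.append((line, ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)))

    findings = []
    for name, (lo, hi) in pools.items():
        for ifname, net in subnets.items():
            if lo in net and hi in net:
                findings.append(("pool-in-local-subnet", name, ifname))
        for ifname, (dlo, dhi) in dhcp:
            if lo <= dhi and dlo <= hi:  # inclusive ranges intersect
                findings.append(("pool-overlaps-dhcpd", name, ifname))
        for text, net in nats:
            if lo in net or hi in net:
                findings.append(("pool-in-dynamic-nat", name, text))
    return findings


if __name__ == "__main__":
    for finding in audit_asa_pools(ASA_CONFIG):
        print(finding)
```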
Internet connexion problem for remote site in Site to site VPN asa 5505
Hi all
I'm configuring a site-to-site IPsec VPN between 2 sites using ASA 5505 V 8.2. The VPN is working fine, I can ping machines on both sides, but the problem is that the remote site doesn't have internet.
The architecture is: we have 2 sites, Site1 is the main site and Site2 is the secondary site; there will be Site3, ...
The internet connection is based in Site1, and Site2 and Site3 will have their internet connection through Site1. Site1, Site2 and Site3 are interconnected by IPsec VPN.
Here is my ASA 5505 Configuration :
SITE 1:
ASA Version 8.2(5)
hostname test-malabo
domain-name test.mg
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd ta.qizy4R//ChqQH encrypted
names
interface Ethernet0/0
description "Sortie Internet"
switchport access vlan 2
interface Ethernet0/1
description "Interconnexion"
switchport access vlan 171
interface Ethernet0/2
description "management"
switchport access vlan 10
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 41.79.49.42 255.255.255.192
interface Vlan10
nameif mgmt
security-level 0
ip address 10.12.1.100 255.255.0.0
interface Vlan171
nameif interco
security-level 0
ip address 10.22.19.254 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name test.mg
object-group network LAN-MALABO
description LAN DE MALABO
network-object 192.168.1.0 255.255.255.0
object-group network LAN-BATA
description LAN DE BATA
network-object 192.168.2.0 255.255.255.0
object-group network LAN-LUBA
description LAN DE LUBA
network-object 192.168.3.0 255.255.255.0
access-list interco_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
mtu interco 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any interco
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (interco) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 41.79.49.1 1
route interco 192.168.3.0 255.255.255.0 10.22.19.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map interco_map0 1 match address interco_1_cryptomap
crypto map interco_map0 1 set pfs group1
crypto map interco_map0 1 set peer 10.22.19.5
crypto map interco_map0 1 set transform-set ESP-3DES-SHA
crypto map interco_map0 interface interco
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable interco
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.12.0.0 255.255.0.0 mgmt
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.12.0.0 255.255.0.0 mgmt
ssh timeout 30
console timeout 0
management-access interco
dhcpd option 3 ip 192.168.1.1
dhcpd address 192.168.1.100-192.168.1.254 inside
dhcpd dns 41.79.48.66 8.8.8.8 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
tunnel-group 10.22.19.5 type ipsec-l2l
tunnel-group 10.22.19.5 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 60 retry 5
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect snmp
inspect icmp
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5aa0d27f15e49ea597c8097cfdb755b8
: end
SITE2:
ASA Version 8.2(5)
hostname test-luba
domain-name test.eg
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
description "Sortie Interco-Internet"
switchport access vlan 2
interface Ethernet0/1
description "management"
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.22.19.5 255.255.255.0
interface Vlan10
nameif mgmt
security-level 0
ip address 10.12.1.101 255.255.0.0
ftp mode passive
dns server-group DefaultDNS
domain-name test.eg
object-group network LAN-MALABO
description LAN DE MALABO
network-object 192.168.1.0 255.255.255.0
object-group network LAN-BATA
description LAN DE BATA
network-object 192.168.2.0 255.255.255.0
object-group network LAN-LUBA
description LAN DE LUBA
network-object 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 10.22.19.254 1
route outside 192.168.1.0 255.255.255.0 10.22.19.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs group1
crypto map outside_map0 1 set peer 10.22.19.254
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.12.0.0 255.255.0.0 mgmt
telnet timeout 30
ssh 192.168.3.0 255.255.255.0 inside
ssh 10.12.0.0 255.255.0.0 mgmt
ssh timeout 30
console timeout 0
management-access outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
tunnel-group 10.22.19.254 type ipsec-l2l
tunnel-group 10.22.19.254 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 60 retry 5
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:185bd689118ba24f9a0ef2f7e80494f6
Can anybody help with why my remote site can't connect to the Internet?
Regards,
Raitsarevo
Hi Carv,
Thanks for your reply. I have finally done it.
I used no crypto ipsec nat-transparency udp-encapsulation in my end router only.
And in remote access VPN I have enabled UDP for client configuration. The most important is I have given IP addresses of the same LAN pool to the VPN user.
Regards,
Satya.M -
Hi! First of all I apologize for posting a similar question in another forum. I think this one is the right place.
I'm trying to connect to a PIX 501 with easy vpn in nem mode with an ASA 5505. Currently running 7.2.2-22 (had to download an interim release due to dhcp problems with the ISP in 7.2.2) and ASDM 5.2.
The problem is that when using nem mode I cannot ping the other side at all. When using client mode this works fine but I need the two-way traffic.
Our Head unit is 192.168.1.1 and the connecting ASA 5505 is 192.168.10.1. When I try to ping a machine (192.168.1.201) from the remote site I get this in the ASA log:
With network extension mode
302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.10.2/512 laddr 192.168.10.2/512
With only client mode
302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.1.9/1 laddr 192.168.10.2/512
It seems to me that the ASA sets an incorrect gateway address in nem mode?
The PIX 501 has been working fine for some years with software clients connecting.
Any ideas ?
Thanks!
When configured in Easy VPN Network Extension Mode, the ASA 5505 does not hide the IP addresses of local hosts by substituting a public IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network.
Try this link:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html -
ASA 5505 & VPN Client blocking access to local lan
I have setup a IPSec vpn client connection to a Cisco ASA 5505, when I connect to the unit it fully authenticates and issues me an ip address on the local lan however when I attempt to connect to any service on the local lan the following message is displayed in the log can you help:
Teardown UDP connection 192.168.110.200 53785 192.168.110.21 53 outside:192.168.110.200/53785(LOCAL\username) to inside 192.168.110/53
See the attached file for a sanitised version of the config.
This is a sanitised version of the crypto dump, I have changed the user and IP addresses
ASA5505MAN# debug crypto ikev1 7
ASA5505MAN# debug crypto ipsec 7
ASA5505MAN# Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=fbc167de) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb72)
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb72)
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=515fbf7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=2fe7cf10) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb73)
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb73)
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=e450c971) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=e6c212e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb74)
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb74)
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=af5953c7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
This is the isakmp dump
ASA5505MAN# show crypto isakmp
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
There are no IKEv2 SAs
Global IKEv1 Statistics
Active Tunnels: 1
Previous Tunnels: 40
In Octets: 322076
In Packets: 2060
In Drop Packets: 84
In Notifys: 1072
In P2 Exchanges: 35
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 24
Out Octets: 591896
Out Packets: 3481
Out Drop Packets: 0
Out Notifys: 2101
Out P2 Exchanges: 275
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 284
Initiator Tunnels: 231
Initiator Fails: 221
Responder Fails: 76
System Capacity Fails: 0
Auth Fails: 54
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 30
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 12
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
Global IKEv1 IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
ASA5505MAN#
and this is the ipsec dump
ASA5505MAN# show crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.110.200/255.255.255.255/0/0)
current_peer: x.x.x.x, username: username
dynamic allocated peer ip: 192.168.110.200
#pkts encaps: 778, #pkts encrypt: 778, #pkts digest: 778
#pkts decaps: 1959, #pkts decrypt: 1959, #pkts verify: 1959
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 778, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/54599
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 532B60D0
current inbound spi : 472C8AE7
inbound esp sas:
spi: 0x472C8AE7 (1194101479)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26551
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x532B60D0 (1395351760)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26551
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map0, seq num: 1, local addr: x.x.x.x
access-list outside_cryptomap_1 extended permit ip 192.168.110.0 255.255.255.0 192.168.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer: x.x.x.x
#pkts encaps: 39333117, #pkts encrypt: 39333117, #pkts digest: 39333117
#pkts decaps: 24914965, #pkts decrypt: 24914965, #pkts verify: 24914965
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 39333117, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F6943017
current inbound spi : E6CDF924
inbound esp sas:
spi: 0xE6CDF924 (3872258340)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 163840, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (3651601/15931)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF6943017 (4136906775)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 163840, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (3561355/15931)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA5505MAN# -
VPN Site to Site Cisco ASA-5505-BUN-50 to RV-042
Hello guys, does anyone have an example for connecting a Cisco ASA-5505 to an RV-042 by site-to-site VPN? I need to establish a link to connect my UC560 with CUE on a Cisco Router 2800 for VoIP site-to-site calls.
Thanks
On ASA running 8.4.3. B side. I believe object "email" is defined incorrectly.
Existing configuration
object network email
host 172.16.0.0
description 255.255.0.0
Correct configuration
object network email
subnet 172.16.0.0 255.255.0.0 -
ASA 5505:Static Routing and Deny TCP connection because of bad flag
Hi Everybody,
I have a problem. I made a site-to-site VPN with 2 ASA 5505. The VPN works great. And I created a redundant link in case the VPN fails.
In fact, I use Dual ISP with route tracking. If the VPN fails, the default route changes to an ISDN router, situated on the inside interface.
When I simulated a VPN failure, the ASAs' routes switched automatically to the backup ISDN routers. If I ping elements, it works great. But when I try a TCP connection like telnet, the ASAs deny the connections:
%PIX|ASA-6-106015: Deny TCP (no connection) from 172.16.10.57/35066 to 172.16.18.1/23 flags tcp_flags on interface interface_name.
The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
thanks!
EDIT: On the schema, the interface of the main ASA is 172.16.18.148...
Check if the xlate timer is set greater than or equal to the conn timer, so as not to have connections waiting on xlates that no longer exist. To minimize the number of attempts, enable "service resetinbound". The PIX will reset the connection and make it go away. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection.
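The timer check suggested in the reply above, as an added example (not code from the thread or from Cisco): it reads the `timeout` lines of a running-config and reports whether the xlate timer is at least as long as the conn timer. The first sample is copied from the ASA 9.1(4) running-config posted later on this page; the second sample and all function names are constructed for illustration.

```python
import re

# ASA durations are written h:mm:ss (for example 3:00:00 or 0:00:30).
_DURATION = re.compile(r"^(\d+):([0-5]\d):([0-5]\d)$")

# Timeout lines copied from the ASA 9.1(4) running-config posted on this page,
# plus one management line that must not be mistaken for a timer.
PAGE_TIMEOUTS = """\
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
telnet timeout 5
"""

# Constructed sample (not from the page): xlate expires before conn does.
CONSTRUCTED_BAD = """\
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
"""


def to_seconds(value):
    """Convert an ASA h:mm:ss duration to seconds."""
    match = _DURATION.match(value)
    if not match:
        raise ValueError(f"not an h:mm:ss duration: {value!r}")
    hours, minutes, seconds = (int(group) for group in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_timeouts(config_text):
    """Collect every 'timeout <name> <h:mm:ss>' pair from a running-config.

    One 'timeout' line can carry several name/value pairs, and a value can be
    followed by a bare modifier such as 'absolute', so walk the tokens and
    keep only names that are directly followed by a duration.
    """
    timers = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "timeout":
            continue  # also skips 'telnet timeout 5', 'ssh timeout 5', ...
        i = 1
        while i < len(tokens) - 1:
            if _DURATION.match(tokens[i + 1]):
                timers[tokens[i]] = to_seconds(tokens[i + 1])
                i += 2
            else:
                i += 1  # modifier such as 'absolute', not a timer name
    return timers


def check_xlate_vs_conn(config_text):
    """Apply the reply's rule: the xlate timer should be >= the conn timer."""
    timers = parse_timeouts(config_text)
    missing = [name for name in ("xlate", "conn") if name not in timers]
    if missing:
        return {"ok": None, "reason": "no timeout found for: " + ", ".join(missing)}
    xlate, conn = timers["xlate"], timers["conn"]
    if conn == 0:
        # Cisco's command reference gives 0 as "never time out" for conn, so
        # no finite xlate timer can outlast it.
        return {"ok": False, "xlate": xlate, "conn": conn,
                "reason": "conn never times out; xlate will expire first"}
    ok = xlate >= conn
    reason = ("xlate >= conn" if ok
              else f"xlate ({xlate}s) is shorter than conn ({conn}s)")
    return {"ok": ok, "xlate": xlate, "conn": conn, "reason": reason}


if __name__ == "__main__":
    for label, text in (("page config", PAGE_TIMEOUTS),
                        ("constructed", CONSTRUCTED_BAD)):
        print(label, check_xlate_vs_conn(text))
```

The check covers only the `xlate` and `conn` timers named in the reply; `pat-xlate` is parsed but not judged.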
-
ASA 5505 version 9.1(4) NAT issue
Hi,
I am using ASA 5505 version 9.1(4) and using the dynamic NAT command to NAT (PAT) the inside subnet 192.168.3.0/24 to the outside interface 192.168.100.2/24.
But I am unable to ping from the inside host to the internet or to the router interface 192.168.100.1. Please suggest; the show running is given below.
Following is the logical diagram
192.168.100.1/24 192.168.100.2/24 192.168.3.1
Internet(ISP) ------------------->------------------ Router------------------------->(e0/0) ASA 5505 (9.1) eth0/4 ----- ---------- Host (192.168.3.22)
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ciscoasa(config)# object network Generic_All_Network
ciscoasa(config-network-object)# sub
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
ciscoasa(config-network-object)# ex
ciscoasa(config)# nat (inside,outside) source dynamic Generic_All_Network inte$
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# wr
Building configuration...
Cryptochecksum: fe5175c6 25dfd45a 117bd6e3 867486db
3211 bytes copied in 1.120 secs (3211 bytes/sec)
[OK]
ciscoasa(config)# sh run
: Saved
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
ftp mode passive
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
access-list inbound extended permit ip any any
access-list inbound extended permit icmp any4 any4
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source dynamic Generic_All_Network interface
object network inside_hosts
nat (inside,outside) dynamic interface
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:fe5175c625dfd45a117bd6e3867486db
: end
Yep, I have already removed nat (inside,outside) source dynamic Generic_All_Network interface
Following is the latest show-running
ciscoasa(config)# sh run
: Saved
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
ftp mode passive
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit icmp any4 any4
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list capi extended permit ip host 192.168.3.22 host 192.168.100.1
access-list capi extended permit ip host 192.168.100.1 host 192.168.3.22
access-list capo extended permit ip host 192.168.100.2 any
access-list capo extended permit ip any host 192.168.100.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
object network inside_hosts
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:b5958fd342c81895465887026d1423b3
: end -
Hello,
I am using ASA 5505 as a transparent firewall. I have assigned ethernet 0/0 as outside interface and ethernet0/1-7 as inside interface. There are 3 departments in the office. So, I connected ethernet 0/1 to Dept A, ethernet 0/2 to Dept B and ethernet 0/3 to Dept C.
Now, I want to limit bandwidth to each department, e.g., 1 Mbps download/upload to Dept A, 512 kbps download/upload to Dept B and 512 kbps download/upload to Dept C.
So, how can I do this in ASA 5505...? Please help me with this configuration.
Your help will be much appreciated.
Thanks,
Hello Robin,
When you talk about policing in the input direction you have to be aware that the traffic has already hit your interface, so this is why you are still seeing a higher rate.
This is different from the output direction, where the traffic has not yet been sent to the interface TX.
Regards,
Julio Carvajal -
ASA 5505 Dual WAN - Ping inactive wan from outside?
I currently have some small branch offices using ASA 5505 with Security Plus license and dual WAN connections. They are configured with an SLA monitor so if the primary WAN goes down the secondary connection becomes active. This works as expected, however...
I can't ping the non-active interface from an outside source. I believe this is by design or due to some limitation on the 5505. The problem is that I don't know if the backup WAN connection is functioning normally without forcing the ASA to make it active. We use a flaky wireless connection for the backups. The problem recently bit me because both WAN connections were offline.
I'm looking for an easy way to monitor the inactive WAN interface, preferably by pinging from an outside location. Is this possible?
Hello,
This won't work because the ASA receives the ping on the backup link but has the default route pointing to the outside.
You would have to add a more specific route for your IP.
Example:
If you want to ping coming from IP 1.1.1.1
route outside 0 0 x.x.1.1 1 track 1
route backup 0 0 x.x.2.2 250
route backup 1.1.1.1 255.255.255.255 x.x.2.2
Regards,
Felipe.
Remember to rate useful posts. -
X3500 wont work in Bridge mode with ASA 5505
Hi Everyone,
I am currently running Linksys X3500 v1.0.0 and plan to use ASA 5505 as a PPPoE client. The PPPoE connection works fine when I configure the Linksys for PPPoE, but when I configure the ASA 5505 to act as PPPoE client I'm unable to get the Linksys to get the Internet up and running. I have opened a support ticket with Cisco, and per them the X3500 is unable to provide PPPoE details in bridge mode.
Cisco Ticket # 62968611 (PPPoE connection not working)
The error on the Cisco console is:
asa5505# PPPoE: send_padiSnd) Dest:ffff.ffff.ffff Src:c8b3.735d.4e13 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101VCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: padi timer expired
Can Linksys help? What's the issue?
Regards,
Sumit
Hi! I'm not so familiar with the Cisco ASA 5505 device. If you set your X3500 to a Bridge Mode, it will not give any PPPoE mode details and vice versa. Which of the two devices would you like to connect to the ISP's connection, is it the X3500 or the ASA 5505?