AAA on ASA 8.2(1) issue
I'm trying to set up AAA on a new ASA running 8.2(1) and I can't get the ACS (4.2(0) Build 124 Patch 6) and ASA keys to agree for TACACS+. I've done this before on a bunch of systems and it's always been a typo, but I've set both ends to a key of 'a' and it still doesn't work. I get this in the ASA logs:
4 Sep 29 2009 22:03:48 109027 [ TACACS ] Unable to decypher response message Server = x.y.z.a, User = blah
3 Sep 29 2009 22:03:48 109026 [ TACACS ] Invalid reply digest received; shared server key may be mismatched.
and on the ACS box I get:
09/29/2009 22:03:48 Authen failed .. default .. Key Mismatch .. .. .. b.c.d.e
The settings on both sides match up to what other working ASAs have. Is there something in 8.2(1) that changes something?
Thanks
Hi,
As you are sure that the key is correct on both sides, I would like you to check this:
On the ACS, go to Network Configuration and select the Network Device Group (NDG) under which we have the ASA added as an AAA client.
Once we are in the Network Device Group, take a look at the bottom of the page; you'll see an option which says "Edit Properties". Click on that button.
Then make sure that we don't have anything configured for "Shared Secret". If we have something, remove it, leave this field blank, and then press "Submit".
Then try to authenticate.
Any key defined in the above section overrides the key defined on a per-device basis.
For more detail, please refer to:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/netcfg.htm#wp342738
HTH
JK
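The two ASA messages in the question (109027 "Unable to decypher response message" and 109026 "Invalid reply digest") are what the TACACS+ body obfuscation produces when the two ends use different keys. The following is an added example, not code from this thread or from Cisco: it implements the MD5 pseudo-pad from RFC 8907, builds an authentication REPLY the way a server would, and then decodes it the way the ASA does, once with the key in the `aaa-server` entry and once with the key the server actually used. The session ID, the reply text and the key names (`ndg-level-secret` standing in for an NDG shared secret that overrides the per-device key `a`, as JK's answer describes) are all constructed for the example.

```python
"""
TACACS+ body obfuscation (RFC 8907) and what the receiver sees when the
shared key does not match.

Added example; not code from the thread. Key, session ID and reply text are
constructed. The ASA deobfuscates with the key in its aaa-server entry, while
ACS obfuscates with whichever key wins on its side (an NDG-level shared secret
overrides the per-device key), so the same reply decodes to garbage on the ASA.
"""
import hashlib
import struct

VERSION = 0xC0          # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01  # packet type: authentication
HEADER_LEN = 12
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from the RFC: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenated and
    truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; the same call deobfuscates."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status, server_msg, data=b""):
    """REPLY body: status(1) flags(1) server_msg_len(2) data_len(2) server_msg data."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def build_packet(body, session_id, key, seq_no):
    """Server side: 12-byte header (sent in clear) plus obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_authen_reply(packet, key):
    """Client side: deobfuscate with the locally configured key and sanity-check
    the result. Returns (status, server_msg), or None when the body does not
    decode to a well-formed REPLY, which is the key-mismatch symptom."""
    if len(packet) < HEADER_LEN:
        return None
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    if version != VERSION or ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER_LEN + length:
        return None
    if length < 6:
        return None
    body = obfuscate(packet[HEADER_LEN:], session_id, key, seq_no)
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in REPLY_STATUS or 6 + msg_len + data_len != length:
        return None
    return REPLY_STATUS[status], body[6:6 + msg_len]


def demo():
    """ACS answers with the NDG-level secret; the ASA is configured with 'a'.
    Returns (result with the ASA's key, result with the key ACS used)."""
    session_id = 0x1A2B3C4D                      # constructed
    reply = build_authen_reply(1, b"Login OK")   # constructed PASS reply
    packet = build_packet(reply, session_id, b"ndg-level-secret", seq_no=2)
    return (parse_authen_reply(packet, b"a"),
            parse_authen_reply(packet, b"ndg-level-secret"))


if __name__ == "__main__":
    mismatched, matched = demo()
    print("ASA key 'a'          ->", mismatched)   # None: unable to decipher
    print("ASA key = NDG secret ->", matched)      # ('PASS', b'Login OK')
```

The header is never obfuscated, so a mismatched key does not show up as a malformed header; it shows up as a body whose status byte and length fields no longer add up, which is exactly the check the ASA reports as an invalid reply digest.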
Similar Messages
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site-to-site VPN tunnel set up with a Cisco ASA 5505 and a Checkpoint firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my Cisco ASA configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe that when a VPN tunnel is set up there should be one child SA per subnet. The internal network of 10.65.1.0/24 should be set up with a child SA to the networks that were specified above, depending on whether there is traffic destined for them. What I am seeing is multiple child SAs set up for the same subnet, like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
whereas for destination network 10.92.0.0/16 there is only one child SA:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case, or does anyone have any idea why there are multiple child SAs set up for the same subnet?
Thanks
Jonathan
Hi there,
I had the same issue with a PIX 506E, and it was not even a circuit issue. I got rid of it and the problem got fixed with a PIX 515E.
I don't know; the device is too old to stay alive.
thanks
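The question above grepped `show crypto ikev2 sa` for one prefix, which shows that the 172.19.0.0/16 selector appears ten times but not which IKE session or SPIs those child SAs belong to. The following is an added example, not from the thread or from Cisco: it parses the full output into one record per child SA and reports every (session, local selector, remote selector) triple that carries more than one child SA, with their ESP SPIs. `SAMPLE` is constructed to follow the layout of ASA 9.x output; the addresses, session number and SPIs are made up, and the real command prints more fields than this parser uses.

```python
"""
Parse 'show crypto ikev2 sa' and report selector pairs that have more than
one child SA.

Added example; not from the thread. SAMPLE is constructed after the ASA 9.x
layout (Session-id line, Tunnel-id table, then one 'Child sa:' block per
IPsec SA). Addresses, session id and SPIs are invented.
"""
import re
from collections import defaultdict

SAMPLE = """\
IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:3

Tunnel-id Local                Remote                 Status         Role
 12345   203.0.113.10/500     198.51.100.20/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1520 sec
Child sa: local selector  10.65.1.0/0 - 10.65.1.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          ESP spi in/out: 0x1a2b3c4d/0x5e6f7081
Child sa: local selector  10.65.1.0/0 - 10.65.1.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          ESP spi in/out: 0x2b3c4d5e/0x6f708192
Child sa: local selector  10.65.1.0/0 - 10.65.1.255/65535
          remote selector 10.92.0.0/0 - 10.92.255.255/65535
          ESP spi in/out: 0x3c4d5e6f/0x708192a3
"""

SESSION_RE = re.compile(r"^Session-id:(\d+)")
LOCAL_RE = re.compile(r"^Child sa:\s+local selector\s+(\S+ - \S+)")
REMOTE_RE = re.compile(r"^\s*remote selector\s+(\S+ - \S+)")
SPI_RE = re.compile(r"^\s*ESP spi in/out:\s+(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def parse_child_sas(text):
    """One dict per child SA: session, local, remote, spi_in, spi_out.
    A child SA record is complete once its ESP SPI line has been seen."""
    sas, session, cur = [], None, None
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            session = int(m[1])
        elif m := LOCAL_RE.match(line):
            cur = {"session": session, "local": m[1]}
        elif cur and (m := REMOTE_RE.match(line)):
            cur["remote"] = m[1]
        elif cur and (m := SPI_RE.match(line)):
            cur["spi_in"], cur["spi_out"] = m[1], m[2]
            sas.append(cur)
            cur = None
    return sas


def duplicate_selectors(sas):
    """(session, local, remote) -> [(spi_in, spi_out), ...] for every selector
    pair that carries more than one child SA under the same IKE session."""
    by_pair = defaultdict(list)
    for sa in sas:
        key = (sa["session"], sa["local"], sa["remote"])
        by_pair[key].append((sa["spi_in"], sa["spi_out"]))
    return {k: v for k, v in by_pair.items() if len(v) > 1}


if __name__ == "__main__":
    for (session, local, remote), spis in duplicate_selectors(parse_child_sas(SAMPLE)).items():
        print(f"session {session}: {local} <-> {remote}: {len(spis)} child SAs")
        for spi_in, spi_out in spis:
            print(f"    ESP spi in/out {spi_in}/{spi_out}")
```

Run it against the real output (piped from the ASA, not grepped) to see whether the repeated selectors are distinct SAs with their own SPIs and whether they all sit under one IKE session; that narrows the question to the peer that keeps creating them, which the page does not resolve.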
Good morning everyone. I am in need of some help. I am a newbie when it comes to configuring the ASA. Here is my problem. I have the ASA configured and it is allowing me to get out to the internet. I have several VLANs on my network and from inside I can ping everything. I have created the VPN and I am able to connect to it and get an IP assigned from the pool of addresses. If I have multiple connections I can ping the other PCs. Right now I am able to ping the outside and inside interfaces of the ASA but nowhere else. I have split tunneling enabled. Here is a copy of my config.
Thanks
Dave
Result of the command: "sh run"
: Saved
: Serial Number: *****
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.1(5)21
hostname Main-ASA
domain-name *****
enable password ***** encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 12
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.252
interface Vlan12
nameif Outside
security-level 0
ip address dhcp setroute
banner login *************************************
banner login Unuathorized access is prohibited !!
banner login *************************************
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup Outside
dns server-group DefaultDNS
domain-name *****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VLAN54
subnet 192.168.54.0 255.255.255.0
description VLAN 54
object network Management
subnet 192.168.80.0 255.255.255.0
description Management
object network VLAN51
subnet 192.168.51.0 255.255.255.0
description VLAN 51
object network VLAN52
subnet 192.168.52.0 255.255.255.0
description VLAN 52
object network VLAN53
subnet 192.168.53.0 255.255.255.0
description VLAN 53
object network VLAN55
subnet 192.168.55.0 255.255.255.0
description VLAN 55
object network VLAN56
subnet 192.168.56.0 255.255.255.0
description VLAN 56
object service 443
service tcp destination eq https
object service 80
service tcp destination eq www
object service 8245
service tcp destination eq 8245
object service 25295
service udp destination eq 25295
description Blocking 25295
object network VPN-Connections
subnet 192.168.59.0 255.255.255.0
description VPN Connections
object-group service No-IP
description no-ip.com DDNS Update
service-object object 80
service-object object 8245
service-object object 443
access-list inside_access_in remark No-ip DDNS Update
access-list inside_access_in extended permit object-group No-IP object VLAN51 any
access-list inside_access_in extended permit ip any any
access-list VPN standard permit 192.168.0.0 255.255.0.0
access-list Outside_access_in remark Blocking 25295 to HTPC
access-list Outside_access_in extended deny object 25295 any object VLAN54
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,Outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
router eigrp 1
no auto-summary
network 192.168.0.0 255.255.255.252
network 192.168.59.0 255.255.255.0
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.51.1
server-port 636
ldap-base-dn cn=users,dc=spicerslocal
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn cn=users,dc=*****
sasl-mechanism digest-md5
ldap-over-ssl enable
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=Main-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles AnyC-SSL-VPN_client_profile disk0:/AnyC-SSL-VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
group-policy GroupPolicy_AnyC-SSL-VPN internal
group-policy GroupPolicy_AnyC-SSL-VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain value *****
webvpn
anyconnect profiles value AnyC-SSL-VPN_client_profile type user
username Dave password ***** encrypted privilege 15
username Don password ***** encrypted privilege 15
tunnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af0fad1092e0314b0a80f20add03e3f7
: end
Hi Dave,
It seems to be an issue with the NAT. I saw your VPN configuration:
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
tunnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
access-list VPN standard permit 192.168.0.0 255.255.0.0
You will need to set up a NAT exemption as follows:
object-group network obj-192.168.59.0-Pool
network-object 192.168.59.0 255.255.255.0
object-group network obj-192.168.0.0
network-object 192.168.0.0 255.255.0.0
nat (inside,Outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
Please proceed to rate this post and mark it as correct if it helps!
David Castro,
Regards,
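Dave's config has only `nat (inside,Outside) source dynamic any interface`, so traffic from the inside VLANs back to the AnyConnect pool is PATed to the outside address and the client never sees the replies; the identity rule above, placed at line 1, has to be matched first. The following is an added example, not code from this thread or from Cisco: it audits an ASA 9.x config for exactly that condition by modelling manual (twice) NAT section 1 evaluation, where rules are walked top down, an explicit line number inserts a rule at that position, and the first rule whose source and destination both match wins. `BEFORE` and `AFTER` are constructed from the configs in this thread; the inside host address passed in, the `(exempt, rule)` return shape, and resolving nested object-group references only to groups defined earlier in the file are assumptions of the example, and object NAT (section 2) is not modelled.

```python
"""
Audit an ASA 9.x configuration for a VPN-pool NAT exemption.

Added example, not code from the thread or from Cisco. Models manual NAT
section 1 only: rules are checked top down, an explicit line number inserts
a rule at that position, and the first rule whose source and destination
both match wins. BEFORE/AFTER are constructed from the configs above.
"""
import ipaddress
import re

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+) mask [\d.]+$")
NAT_RE = re.compile(
    r"^nat \(([^,]+),([^)]+)\)(?: (\d+))? source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?")

BEFORE = """\
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
object network VPN-Connections
 subnet 192.168.59.0 255.255.255.0
 description VPN Connections
nat (inside,Outside) source dynamic any interface
"""

AFTER = BEFORE + """\
object-group network obj-192.168.59.0-Pool
 network-object 192.168.59.0 255.255.255.0
object-group network obj-192.168.0.0
 network-object 192.168.0.0 255.255.0.0
nat (inside,Outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
"""


def parse(cfg):
    """Return (objects, pools, rules): objects name -> [ip_network], pools
    name -> (first, last), rules as an ordered list in evaluation order."""
    objects, pools, rules, current = {}, {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif line.startswith(("object network ", "object-group network ")):
            current = line.split()[-1]
            objects.setdefault(current, [])
        elif current and line.startswith(("subnet ", "network-object ")):
            parts = line.split()
            if parts[1] == "object":      # nested reference; assumed defined earlier
                objects[current].extend(objects.get(parts[2], []))
            else:
                objects[current].append(
                    ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif current and line.startswith("host "):
            objects[current].append(ipaddress.ip_network(line.split()[1]))
        elif m := NAT_RE.match(line):
            current = None
            rule = {"kind": m[4], "src": m[5], "src_mapped": m[6],
                    "dst": m[7], "dst_mapped": m[8], "raw": line}
            if m[3]:                      # explicit line number: insert at that position
                rules.insert(int(m[3]) - 1, rule)
            else:
                rules.append(rule)
    return objects, pools, rules


def resolve(name, objects):
    """Object/group name -> list of networks; 'any'/'any4' covers everything."""
    if name in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")]
    return objects.get(name, [])


def contains(nets, first, last=None):
    """True if a single network in nets holds the whole first..last range."""
    last = first if last is None else last
    return any(first in n and last in n for n in nets)


def pool_exemption(cfg, inside_host):
    """For each pool: name -> (exempt, raw NAT rule that wins for a packet from
    inside_host to a pool address). exempt is True when the winning rule is an
    identity twice-NAT rule (real == mapped on both sides) or when no section 1
    rule matches at all, in which case nothing is translated."""
    objects, pools, rules = parse(cfg)
    src = ipaddress.ip_address(inside_host)
    verdicts = {}
    for name, (first, last) in pools.items():
        verdicts[name] = (True, None)
        for r in rules:
            if not contains(resolve(r["src"], objects), src):
                continue
            if r["dst"] and not contains(resolve(r["dst"], objects), first, last):
                continue
            identity = (r["kind"] == "static" and r["src"] == r["src_mapped"]
                        and r["dst"] == r["dst_mapped"])
            verdicts[name] = (identity, r["raw"])
            break
    return verdicts


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for pool, (exempt, rule) in pool_exemption(cfg, "192.168.54.10").items():
            print(f"{label}: {pool} exempt={exempt} via: {rule}")
```

Pass a host from each inside VLAN: the identity rule only helps sources inside `obj-192.168.0.0`, so a host outside 192.168.0.0/16 still falls through to the catch-all PAT rule, which is the check to run before widening the source object.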
Cisco ASA 5505 VPN connection issue ("Unable to add route")
I'm trying to get IPsec VPN working on a new Cisco ASA 5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NAT is working fine: internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA and stay connected (until they're manually disconnected), but cannot reach the internal network or the Internet. Note that the VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as that user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note that in the below I have tried a different VPN network: 192.168.3.0/24 instead of the 172.16.1.0/24 seen in the client log):
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactly the same issue.
The following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?
Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPsec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname DWD-ASA
enable password ******* encrypted
passwd ****** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DWD
 ip address pppoe setroute
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group DWD request dialout pppoe
vpdn group DWD localname *****@SKYNET
vpdn group DWD ppp authentication pap
vpdn username *****@SKYNET password *****
dhcpd auto_config outside
!
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy dwdipsec internal
group-policy dwdipsec attributes
 vpn-tunnel-protocol IPSec
 default-domain value DWDDOM
username user1 password ***** encrypted privilege 0
username user1 attributes
 vpn-group-policy dwdipsec
tunnel-group dwdipsec type remote-access
tunnel-group dwdipsec general-attributes
 address-pool vpnpool
 default-group-policy dwdipsec
tunnel-group dwdipsec ipsec-attributes
 pre-shared-key *****
tunnel-group dwdssl type remote-access
tunnel-group dwdssl general-attributes
 address-pool vpnpool
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f5c8dd644aa2a27374a923671da1c834
: end
DWD-ASA(config)# -
ASA 5505 vpn connection issues
Hello, I am having some issues with getting my VPN connection working on a new site. I get no internet connection when hooking up the ASA. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appreciated; I am not very experienced in configuring the devices.
hostname ciscoasa
domain-name .com
enable password w3iW.W8jLtqmhFnt encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 72.xxx.xx.xx 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name .com
access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list OUTSIDEACL extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/flash
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONATACL
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDEACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 10.10.10.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 13 match address VPNACL
crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
crypto map VPNMAP 13 set transform-set ESPDESMD5
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 13
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet 192.1.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.1.1.6 192.1.1.4
dhcpd wins 192.1.1.6 192.1.1.4
dhcpd ping_timeout 750
dhcpd domain .com
dhcpd auto_config outside
dhcpd address 10.10.10.10-10.10.10.40 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 76.xxx.xxx.xx type ipsec-l2l
tunnel-group 76.xxx.xxx.xx ipsec-attributes
pre-shared-key *
tunnel-group 68.xx.xxx.xxx type ipsec-l2l
tunnel-group 68.xx.xxx.xxx ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:229af8a14b475d91b876176163124158
: end
ciscoasa(config)#
Hello Belnet,
What do the logs show from the ASA?
Can you post them?
Any other question..Sure..Just remember to rate all of the community answers.
Julio -
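The two configs posted above contain settings a reviewer would flag: the 5505 runs its site-to-site tunnel on an IKE policy of DES/MD5 with a matching esp-des/esp-md5-hmac transform set and permits telnet on the outside interface, and the 8.2(5) box opens http and ssh to 0.0.0.0/0 on outside. The following audit script is an added example, not code from any post on this page; the config excerpt it parses is constructed to mirror those lines, and the check names and severities are our own.

```python
"""Audit an ASA 8.x running-config for legacy IKE/IPsec crypto and exposed management access."""
import re

# Legacy algorithms as they appear in 'crypto isakmp policy' and 'crypto ipsec transform-set'.
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}

# Constructed excerpt modelled on the configs in the posts above (not a real device's output).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 13
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
telnet 192.1.1.0 255.255.255.0 outside
telnet 10.10.10.0 255.255.255.0 inside
"""


def parse_isakmp_policies(config):
    """Return {policy_number: {keyword: value}} for every 'crypto isakmp policy N' block.

    Sub-commands of a policy are indented by one space in ASA output; the block ends
    at the first non-indented line.
    """
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None
    return policies


def audit(config):
    """Return a list of (severity, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for num, attrs in parse_isakmp_policies(config).items():
        if attrs.get("encryption") in WEAK_CIPHERS:
            findings.append(("high", f"isakmp policy {num}: weak encryption {attrs['encryption']}"))
        if attrs.get("hash") in WEAK_HASHES:
            findings.append(("high", f"isakmp policy {num}: weak hash {attrs['hash']}"))
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line)
        if m and (m.group(2) in WEAK_CIPHERS or m.group(3) in WEAK_HASHES):
            findings.append(("medium", f"transform-set {m.group(1)}: weak {m.group(2)}/{m.group(3)}"))
        # Management access lines have the form '<proto> <host> <mask> <interface>'.
        m = re.match(r"(http|ssh|telnet) (\S+) (\S+) (\S+)$", line)
        if m:
            proto, host, mask, iface = m.groups()
            if proto == "telnet" and iface == "outside":
                findings.append(("high", f"telnet permitted on {iface} from {host}/{mask}"))
            elif host == "0.0.0.0" and mask == "0.0.0.0" and iface == "outside":
                findings.append(("high", f"{proto} open to any source on {iface}"))
    return findings


if __name__ == "__main__":
    for severity, text in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {text}")
```

The same parser runs unchanged over a full `show run` capture, since everything it does not recognise is ignored.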
Cisco ASA 8.6 configuration issues
Hello all ,
internet router-----------outside------------- ASA -------inside-------------cisco 3750 (----A----)
|
|
DMZ
|
|
Cisco 3750 (-----B---)
1- switch A -- wireless User + Cisco Wireless Ip phones
2- Switch B -- CUCM
Problem description:
--- from switch A I cannot ping Switch B (DMZ), so the IP phones cannot reach the CUCM
--- on switch A 4 VLANs are configured with different SSIDs, and internet is working fine.
--- on switch A I want 2 VLANs (vlan 60 and vlan 80) to communicate with the DMZ also (not working)
## some relevant config is as under:
SWITCH A CONFIG
===============
vlan internal allocation policy ascending
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
shutdown
interface GigabitEthernet1/0/1
switchport access vlan 60
switchport mode access
spanning-tree portfast
|
|
|
|
|
|
interface GigabitEthernet1/0/23
description **connected to ASA-Inside**
switchport access vlan 100
switchport mode access
interface Vlan10
ip address X.X.100.5 255.255.255.0
interface Vlan50
ip address X.X.6.12 255.255.255.0
interface Vlan60
ip address X.X.8.251 255.255.255.0
interface Vlan80
ip address X.X.10.251 255.255.255.0
interface Vlan100
ip address X.X.20.1 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.20.2
=========================================
ASA CONFIG
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address X.X.20.2 255.255.255.0
|
|
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address X.X.21.2 255.255.255.0
|
|
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address 192.168.2.5 255.255.255.0
|
|
object network IN-OUT
subnet 0.0.0.0 0.0.0.0
object network W-PHONE
subnet X.X.10.0 255.255.255.0
object network BECA-WIRELESS-USER
subnet X.X.8.0 255.255.255.0
pager lines 24
|
|
nat (inside,outside) source dynamic IN-OUT interface
nat (inside,DMZ) source dynamic W-PHONE interface
nat (inside,DMZ) source dynamic BECA-WIRELESS-USER interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside X.X.6.0 255.255.255.0 X.X.20.1 1
route inside X.X.7.0 255.255.255.0 X.X.20.1 1
route inside X.X.8.0 255.255.255.0 X.X.20.1 1
route inside X.X.10.0 255.255.255.0 X.X.20.1 1
timeout xlate 3:00:00
============================================
switch B
interface GigabitEthernet1/0/17
switchport access vlan 50
switchport mode access
switchport voice vlan 20
spanning-tree portfast
interface GigabitEthernet1/0/18
switchport access vlan 50
switchport mode access
interface Vlan10
ip address X.X.100.1 255.255.255.0
interface Vlan20
ip address X.X.7.1 255.255.255.0
ip helper-address X.X.6.6
interface Vlan50
ip address X.X.6.30 255.255.255.0
ip helper-address X.X.6.6
interface Vlan60
ip address X.X.8.252 255.255.255.0
interface Vlan101
ip address X.X.21.1 255.255.255.0
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 X.X.6.4
ip route X.X.6.0 255.255.255.0 X.X.21.2
ip route X.X.7.0 255.255.255.0 X.X.21.2
We would also need to see the ACL configuration of the ASA, as this is what actually controls the flow of traffic, that is, if routing is correct, which it seems to be from your configuration.
What you can do is run a packet-tracer on the ASA to see if the packet is allowed through the ASA:
packet-tracer input inside tcp 12345 detail
This should give you an indication where or if there is a misconfiguration on the ASA.
Please post the output here if you require further assistance. Also a full ASA configuration (remove public IPs and passwords) would help to identify the issue.
Please remember to rate and select a correct answer -
Hello,
We have recently implemented a new Cisco ASA 5512-X firewall replacing an old Cisco ASA 5505 firewall.
We have a number of issues which we are encountering and have so far been unable to rectify. The config was copied visually across to the new firewall from the old, so the majority of the config matches the old firewall. I have attached the config.
1. VOIP phones not connecting to ntp uk.pool.ntp.org - Our VOIP network is on its own VLAN inside the network. The phones were able to connect to the NTP externally before the new firewall was in place. I have tested numerous access rules but with no luck.
2. VPN - We have setup a site to site VPN between the new Firewall and a SonicWall. The SonicWALL is showing the following errors from our firewall
07/10/2013 12:38:24.192
Info
VPN IKE
Received IKE SA delete request
77.107.90.203, 500
164.40.213.246, 500
VPN Policy: New_VPN
6
07/10/2013 12:38:24.192
Warning
VPN IKE
Received notify. NO_PROPOSAL_CHOSEN
77.107.90.203, 500
164.40.213.246, 500
7
07/10/2013 12:38:24.160
Info
VPN IKE
IKE Initiator: Start Quick Mode (Phase 2).
164.40.213.246, 500
77.107.90.203, 500
VPN Policy: New_VPN
3. Firewall rules for outside coming in do not allow pointing to the NAT object of a device; we have to use the internal network object instead.
Any help would be much appreciated.
Many Thanks
James
No, there is no web filtering feature built in to the ASA5512-X; however, you can configure the ASA5512-X to send web traffic towards a cloud based (Cisco ScanSafe) web filtering solution. You would need to purchase a ScanSafe user based license.
-
ASA 5580 PAK key issue.
Hi,
Please anyone let me know how to fix this issue?
We got a replacement ASA 5580 from Cisco. We were not aware of the PAK. Is there any other possible way to generate an activation key?
Can we generate a PAK or activation key using the SO (service order) number?
You can request a new license after performing the RMA to have the same feature set.
Check via:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet
Under:
RMA License Transfer -
Secondary ASA interface Flap when issue write Standby
Hi,
I have never seen this before, but on a newly purchased, just configured firewall,
when I do write standby,
all interfaces on the standby unit flap.
Is it some IOS bug? My firewalls are
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
and image
asa861-2-smp-k8.bin
What could be the reason? FYI, I am using LAN-based failover and not doing any stateful failover.
Hi Ahmad,
This is expected behavior: when we issue the command "write standby", we see the device configuration getting erased and then re-configured from the active device. The device goes into the Sync Config and Bulk Sync state in transition. Here is more info regarding the same: write standby. This is a misleading message, and a cosmetic issue is filed with this defect id: CSCuc63634
Due to the configuration being removed and re-applied we saw the link flap on the standby devices.
Please rate this if helpful. -
Cisco asa 8.4 natting issues
Can any one help me out how to resolve this issue.
ASA 8.4 version
inside to TEST working fine.
nat (inside,TEST) source dynamic interface
my main concern is TEST (192.168.2.1) lan wants to access inside subnets with real ip addresses (ex: 11.11.11.1) with RDP connection.
Please share the configuration.
Hi Rajesh,
Do you expect router 11.11.11.1 to respond to your RDP connection, or do you want the PC behind that router, if any, to respond to your RDP connection?
Please post your present configuration and describe your question with more details on what you want to achieve with this sample setup; hopefully we will be able to provide better suggestions to you.
Regards
Karthik -
ASA IPS, auto update issue
Hi,
I am having an issue with auto update on the IPS module installed the ASA.
Auto Update Statistics
lastDirectoryReadAttempt = 06:00:34 UTC Wed Feb 23 2009
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: Receive HTTP response failed [3,212]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 06:00:00 UTC Thu Feb 24 2009
I can see from the above that there is an HTTP response error; I have checked and there does not seem to be any other unit stopping the responses. With regards to the ASA config, do I need to allow the IPS module through the ACLs or NAT statements?
Many thanks MJ
Hi
Many thanks for the response.
Sorry, I have not made any progress with this as yet: the only thing I have done is use the packet tracer, which passed. I am just going to check the route of the packet once it has left the interface, as it has got to be that or the URL is wrong.
Regards MJ -
"Broken" AAA between ASA 5505 and MS-AD
I have setup an AAA connection from my ASA5505 to my MS-AD domain controller for VPNs (SSL and client). It was working, however, last week the connection between the two failed and I cannot get it back up again.
I've checked password, usernames, object locations etc. but to no avail. When I do an auth test, this is the debug ldap 225 output:
[722] Session Start
[722] New request Session, context 0xd4e225c8, reqType = 1
[722] Fiber started
[722] Creating LDAP context with uri=ldap://w.x.y.z:389
[722] Connect to LDAP server: ldap://w.x.y.z:389, status = Successful
[722] supportedLDAPVersion: value = 3
[722] supportedLDAPVersion: value = 2
[722] Binding as administrator
[722] Performing Simple authentication for FirewallTest to w.x.y.z
[722] Simple authentication for FirewallTest returned code (49) Invalid credentials
[722] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[722] Fiber exit Tx=253 bytes Rx=583 bytes, status=-2
[722] Session End
I have tried the age-old "remove and re-add" fix, but this has not worked.
Any thoughts?
Have you checked that the user account used for binding to the LDAP server (AD) has not changed its privileges? I remember that after applying a patch to an AD server, most of the admin accounts were changed to local admin rather than domain admin accounts.
Also, try resetting the password for this account and see if you have the login-dn correct; get the "dsquery user -name " output and compare it to your ASA. -
ASA 5515X Serial Number Issues
I have an odd situation with regard to two new ASA5515Xs I have just purchased.
One is an ASA-5515-IPS-K9 and one is an ASA-5515-K9
Both units "show version" serial number is different than the chassis serial number.
More specifically, the serial number on the sales order, original box and chassis stickers are all the same - however, if I do a show version or show inv, the serial number is different.
My suspicion is that one of two things has happened: either there was some error at the factory, and I am the unlucky recipient of two mislabeled units, or the show version/inv serial numbers of these new units are not supposed to match the chassis serial numbers, which seems odd but possible.
Can anyone who has one of the new 5515Xs confirm that the chassis serial number sticker DOES match the show version serial number?
I can confirm the same issue is present on the 5525X and software version 9.1(1). We issued the activation keys using the chassis serial numbers, since the licensing tool wouldn't accept the "show version" ones, but the keys won't apply on the ASAs. I suspect they'll have to manually regenerate the activation keys for the "show version" serial number. I currently have a TAC case open.
dc-asa5525-vpngw-0-132# show ver
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52
...
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
...
Serial Number: FCHXXXXXXXX
dc-asa5525-vpngw-0-132# show inv
Name: "Chassis", DESCR: "ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC"
PID: ASA5525 , VID: V01 , SN: FGLXXXXXXXX
dc-asa5525-vpngw-0-132# activation-key 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXX$
Validating activation key. This may take a few minutes...
not supported yet.
ERROR: The requested activation key was not saved because it is not
valid for this system.
As a side note, the fix in the above referenced bug ID, CSCtz56314, changed the "show inventory" command to show the chassis serial number. Previously both "show version" and "show inventory" showed the PCB serial number. (Source:
ASA5500-X Series Products: Points to Note on Checking the Serial Number /
https://supportforums.cisco.com/docs/DOC-26952 / Japanese)
However, the activation keys still need to be issued against the PCB serial number and it appears that you need to open a case with Cisco Global Licensing Operations since the licensing tool still doesn't support the PCB serial number. -
I have a client that is running Win2003 Server R2 with Exchange Server 2003. OWA was setup and clients could connect to their exchange mailbox from the internet with no problems.
We recently configured vpn on the ASA 5505 and now no-one can connect to OWA since that time.
Any thoughts?
Have you been using the ASDM to configure the VPN? In that case, you may have removed the required port forwarding or modified the access-list that allows traffic from the outside.
regards,
Leo -
Asa 5505 transparent firewall issue
Hi, I have a UC560 with voice and data VLANs and a 3560 layer 3 switch, and my network is working fine; the DHCP for both voice and data is running in the UC560.
Now I add an ASA 5505 between the UC560 and the switch in transparent mode, meaning from the UC560 to the ASA 5505 outside interface and from the ASA inside interface to the switch.
I configured vlan 1 as inside and vlan 2 as outside in the ASA 5505.
In my UC 560, data is vlan 1 and my voice is vlan 100.
When I connect my network with the transparent mode firewall, no DHCP and no phones are working. But if I remove the ASA and connect the UC560 to the switch, everything is fine.
Is there any way to work multiple voice and data VLANs in ASA 5505 transparent mode?
Hi Rojas,
here is my problem,
my internet and voice are all connected in the UC 560, so what I am doing is connecting the firewall outside to a UC 560 trunk port and then from inside to my switch.
When I connect to my switch it is giving the message "inconsistent vlan", the port is blocked, and my phones are not working.
my data vlan1 is 192.168.123.x
and my voice vlan100 is 10.1.1.x
and the firewall ip 192.168.123.3