ACL not working in ASA 8.4

An ACL has been applied on the inside interface of the ASA 8.4, but it is not working. The aim of this list is to allow only a few hosts outside access and to deny outside access to the rest of the hosts. The syntax of the access list is:
access-list ACL-Inside extended permit ip host 192.168.100.101 any
access-list ACL-Inside extended permit ip host 192.168.100.108 any
access-list ACL-Inside extended permit ip host 192.168.100.109 any
access-list ACL-Inside extended permit ip host 192.168.100.243 any
access-list ACL-Inside extended permit ip host 192.168.100.241 any
access-group ACL-Inside in interface inside

Did you configure the NAT statement for the inside hosts to be mapped to a public IP? The config below will NAT 192.168.100.0-192.168.100.254 to the outside interface, and the access-list you defined will only allow those hosts to go out.
object network Inside_Net
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
If you already did the above config, please send us the packet capture as Mike requested.
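The reply above relies on two ASA behaviours that the post never spells out: an interface ACL is evaluated top-down with first match winning, and every ACL ends in an implicit "deny ip any any". The following is an added example, not code from the thread or from Cisco: it parses the five ACEs exactly as posted and reproduces the decision the ASA makes for a listed host and for an unlisted one. The destination 203.0.113.10 is a documentation address chosen here; ports are ignored because the ACEs are protocol "ip".

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed input: the five ACEs from the post. The ASA evaluates an
# interface ACL top-down, first match wins, and every ACL ends in an
# implicit "deny ip any any" that never appears in the configuration.
ACL_CONFIG = """\
access-list ACL-Inside extended permit ip host 192.168.100.101 any
access-list ACL-Inside extended permit ip host 192.168.100.108 any
access-list ACL-Inside extended permit ip host 192.168.100.109 any
access-list ACL-Inside extended permit ip host 192.168.100.243 any
access-list ACL-Inside extended permit ip host 192.168.100.241 any
"""


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec at tokens[i]: any | host A | A MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config: str, name: str) -> list[Ace]:
    """Pull the extended ACEs of one named ACL out of running-config text."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def evaluate(aces: list[Ace], src_ip: str, dst_ip: str, proto: str = "ip") -> str:
    """First-match decision for a packet; returns "permit" or "deny"."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"  # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    acl = parse_acl(ACL_CONFIG, "ACL-Inside")
    for host in ("192.168.100.101", "192.168.100.50"):
        print(host, "->", evaluate(acl, host, "203.0.113.10", "tcp"))
```

On the box itself the same decision, with the NAT lookup included, comes from `packet-tracer input inside tcp 192.168.100.50 1025 203.0.113.10 80`; if that shows the ACL phase as ALLOW for a host that is not in the list, the ACL is not the one bound to the interface (check `show run access-group`).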

Similar Messages

  • ACL not working on 3750 Switch Stack on a trunk port

    I cannot figure out why the ACL is not working on a 3750 running 12.2(55)SE on a trunk port.  For testing, there is one IP (10.101.15.13) that should be denied to all VLANs on the trunk.  I have tried standard and extended lists, but neither seems to work.
    What am I doing wrong?
    Access-List:
    Standard IP access list 10
        10 deny   10.101.15.13 log
        20 permit any log
    Access-List Interface:
    interface GigabitEthernet7/0/10
     description ESX Trunk
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,2,60-63
     switchport mode trunk
     ip access-group 10 in
    Mac-Address on the Switch Port:
    63    0050.569a.6d9f    DYNAMIC     Gi7/0/10
    Windows Machine MAC:
    Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
    Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
    Windows Connection (which should be denied):
     TCP    10.20.63.4:3389        10.101.15.13:21289     ESTABLISHED     InHost

    PACLs only apply to an L2 interface.  On an L2 interface the only direction that can be applied is inbound.  On an L3 interface, inbound or outbound can be specified.
    In any case, I have worked around the issue by applying VACLs. Marking this as resolved.
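What the reply leaves implicit is which frames an inbound PACL on the ESX trunk port ever sees: only frames entering the switch on Gi7/0/10, and those come from the VM (source 10.20.63.4), so a deny on source 10.101.15.13 cannot match there; the client's frames enter on some other port and leave via Gi7/0/10, where no PACL exists. The block below is an added model, not code from the thread or from Cisco, that makes the difference between a port ACL and a VLAN ACL visible for the two frame directions of the RDP session in the post. The ingress port name Gi1/0/1 for the client side is an assumption; the post does not give it.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed from the post: standard ACL 10 (deny one host, permit the rest).
ACL_10 = [("deny", "10.101.15.13"), ("permit", "any")]


@dataclass(frozen=True)
class Frame:
    ingress_port: str   # switch port the frame enters on
    src: str
    dst: str


# The RDP session from the post, as the two directions that cross the switch.
# The client-side ingress port name is an assumption; the post does not give it.
FRAMES = [
    Frame("Gi1/0/1", "10.101.15.13", "10.20.63.4"),    # client -> VM: enters elsewhere, leaves via Gi7/0/10
    Frame("Gi7/0/10", "10.20.63.4", "10.101.15.13"),   # VM -> client: the only traffic entering Gi7/0/10
]


def std_acl_action(acl, src_ip: str) -> str:
    """Standard IP ACL: first match on source address wins, implicit deny."""
    for action, match in acl:
        if match == "any" or match == src_ip:
            return action
    return "deny"


def pacl_inbound(port: str, acl, frames) -> dict[Frame, str]:
    """A port ACL is evaluated only on frames entering `port`; there is no
    outbound PACL on a Layer 2 port, so frames leaving it are never checked."""
    return {f: std_acl_action(acl, f.src) for f in frames if f.ingress_port == port}


def vlan_acl(acl, frames) -> dict[Frame, str]:
    """A VACL is evaluated on every frame bridged in the VLAN, whichever port it
    entered on. Modelled here as the same first-match list with deny = drop; on
    IOS a VACL is a vlan access-map whose 'match ip address' points at the ACL."""
    return {f: std_acl_action(acl, f.src) for f in frames}


def client_denied_by_pacl() -> bool:
    return "deny" in pacl_inbound("Gi7/0/10", ACL_10, FRAMES).values()


def client_denied_by_vacl() -> bool:
    return "deny" in vlan_acl(ACL_10, FRAMES).values()


if __name__ == "__main__":
    print("PACL on Gi7/0/10 blocks 10.101.15.13:", client_denied_by_pacl())
    print("VACL on the VLAN blocks 10.101.15.13:", client_denied_by_vacl())
```

The `log` keyword on both ACEs is the quickest confirmation on a real switch: if the PACL were seeing the client's packets at all, `show logging` would carry a deny entry for 10.101.15.13, and it only ever shows the VM's permitted source.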

  • ACL not working with RAID array

    Posted this before but it wasn't clear.
    Brand new install of Leopard Server 10.5.1. Have an HFS+ SCSI RAID array attached. I am unable to get ACLs to work using this volume.
    Using the command sudo fsaclctl -a I get the following:
    <CFDictionary 0x106580 0xa00c5174>{type = mutable, count = 9, capacity = 12, pairs = (
    0 : <CFString 0x1020f0 0xa00c5174>{contents = "device_manufacturer"} = <CFString 0x106140 0xa00c5174>{contents = "HPT"}
    1 : <CFString 0x1066b0 0xa00c5174>{contents = "spparallelscsidevicetype"} = <CFNumber 0x1066e0 0xa00c5174>{value = +0, type = kCFNumberSInt32Type}
    3 : <CFString 0x101ac0 0xa00c5174>{contents = "device_revision"} = <CFString 0x106170 0xa00c5174>{contents = "4.00"}
    4 : <CFString 0x106660 0xa00c5174>{contents = "spparallelscsidevicefeatures"} = <CFArray 0x106690 0xa00c5174>{type = immutable, count = 0, values = (
    5 : <CFString 0x106740 0xa00c5174>{contents = "spparallelscsi_target"} = <CFString 0xa00d16b4 0xa00c5174>{contents = "0"}
    6 : <CFString 0x101a60 0xa00c5174>{contents = "device_model"} = <CFString 0x106150 0xa00c5174>{contents = "DISK 1_0"}
    7 : <CFString 0x1066f0 0xa00c5174>{contents = "spparallelscsiit_nexusfeatures"} = <CFArray 0x106720 0xa00c5174>{type = immutable, count = 0, values = (
    9 : <CFString 0x1018f0 0xa00c5174>{contents = "_items"} = <CFArray 0x106030 0xa00c5174>{type = mutable-small, count = 1, values = (
    0 : <CFDictionary 0x106070 0xa00c5174>{type = mutable, count = 14, capacity = 24, pairs = (
    0 : <CFString 0x103c80 0xa00c5174>{contents = "os9_drivers"} = <CFString 0xa00d4024 0xa00c5174>{contents = "no"}
    1 : <CFString 0x106180 0xa00c5174>{contents = "partitionmaptype"} = <CFString 0x1061a0 0xa00c5174>{contents = "applepartition_maptype"}
    2 : <CFString 0x1029b0 0xa00c5174>{contents = "volumes"} = <CFArray 0x106250 0xa00c5174>{type = mutable-small, count = 1, values = (
    0 : <CFDictionary 0x106290 0xa00c5174>{type = mutable, count = 7, capacity = 12, pairs = (
    5 : <CFString 0x1026b0 0xa00c5174>{contents = "mount_point"} = <CFString 0x1063a0 0xa00c5174>{contents = "/Volumes/SUPERBACKUP"}
    9 : <CFString 0x101940 0xa00c5174>{contents = "_name"} = <CFString 0x106270 0xa00c5174>{contents = "SUPERBACKUP"}
    10 : <CFString 0x103820 0xa00c5174>{contents = "writable"} = <CFString 0xa00d4024 0xa00c5174>{contents = "no"}
    12 : <CFString 0x101f40 0xa00c5174>{contents = "bsd_name"} = <CFString 0x106350 0xa00c5174>{contents = "disk3s3"}
    13 : <CFString 0x1025d0 0xa00c5174>{contents = "free_space"} = <CFString 0x106380 0xa00c5174>{contents = "3.27 TB"}
    14 : <CFString 0x1024f0 0xa00c5174>{contents = "file_system"} = <CFString 0x106370 0xa00c5174>{contents = "HFS+"}
    15 : <CFString 0xa00d4ca4 0xa00c5174>{contents = "size"} = <CFString 0x1061d0 0xa00c5174>{contents = "4.09 TB"}
    3 : <CFString 0x101ac0 0xa00c5174>{contents = "device_revision"} = <CFString 0x106170 0xa00c5174>{contents = "4.00"}
    6 : <CFString 0x101a60 0xa00c5174>{contents = "device_model"} = <CFString 0x106150 0xa00c5174>{contents = "DISK 1_0"}
    9 : <CFString 0x101940 0xa00c5174>{contents = "_name"} = <CFString 0x106050 0xa00c5174>{contents = "SCSI Logical Unit @ 0"}
    10 : <CFString 0x103720 0xa00c5174>{contents = "volumes_anonymous"} = <CFArray 0x1060b0 0xa00c5174>{type = mutable-small, count = 1, values = (
    0 : <CFDictionary 0x1060f0 0xa00c5174>{type = mutable, count = 5, capacity = 12, pairs = (
    9 : <CFString 0x101940 0xa00c5174>{contents = "_name"} = <CFString 0x106350 0xa00c5174>{contents = "disk3s3"}
    10 : <CFString 0x103820 0xa00c5174>{contents = "writable"} = <CFString 0xa00d4024 0xa00c5174>{contents = "no"}
    12 : <CFString 0x1025d0 0xa00c5174>{contents = "free_space"} = <CFString 0x106380 0xa00c5174>{contents = "3.27 TB"}
    14 : <CFString 0x1024f0 0xa00c5174>{contents = "file_system"} = <CFString 0x106370 0xa00c5174>{contents = "HFS+"}
    15 : <CFString 0xa00d4ca4 0xa00c5174>{contents = "size"} = <CFString 0x1061d0 0xa00c5174>{contents = "4.09 TB"}
    12 : <CFString 0x101f40 0xa00c5174>{contents = "bsd_name"} = <CFString 0x106130 0xa00c5174>{contents = "disk3"}
    13 : <CFString 0x106230 0xa00c5174>{contents = "spparallelscsi_lun"} = <CFString 0xa00d16b4 0xa00c5174>{contents = "0"}
    14 : <CFString 0x101a40 0xa00c5174>{contents = "detachable_drive"} = <CFString 0xa00d4024 0xa00c5174>{contents = "no"}
    16 : <CFString 0x1020f0 0xa00c5174>{contents = "device_manufacturer"} = <CFString 0x106140 0xa00c5174>{contents = "HPT"}
    17 : <CFString 0x101ec0 0xa00c5174>{contents = "removable_media"} = <CFString 0xa00d4024 0xa00c5174>{contents = "no"}
    30 : <CFString 0x1061f0 0xa00c5174>{contents = "smart_status"} = <CFString 0x106210 0xa00c5174>{contents = "Not Supported"}
    31 : <CFString 0xa00d4ca4 0xa00c5174>{contents = "size"} = <CFString 0x1061d0 0xa00c5174>{contents = "4.09 TB"}
    10 : <CFString 0x101940 0xa00c5174>{contents = "_name"} = <CFString 0x106640 0xa00c5174>{contents = "SCSI Target Device @ 0"}
    ProcessVolume: processing /
    Access control lists are supported on /.
    ProcessVolume: processing /Volumes/Superserver Internal 750
    Access control lists are supported on /Volumes/Superserver Internal 750.
    Does this mean that the RAID volume is incompatible with ACLs despite being an HFS+ formatted array? Would a fresh install of Server fix this?
    Completely lost here...can someone help?
    Many thanks,
    Joel.

    I tried our old "unimportant" SCSI RAID and it reported:
    "Support for access control lists is unknown."
    I guess our RAID was formatted/initialized on a pre-Intel server, yours too?
    But your volume doesn't support journaled HFS+ (easily changed in Disk Utility).
    Better/faster if you get a server hang (it takes much less time to "replay" the disk at boot than to wait for fsck to finish on such a large volume).
    Ours look like this :
    <CFString 0x1024b0 [0xa016a1a0]>{contents = "file_system"} = <CFString 0x106490 [0xa016a1a0]>{contents = "Journaled HFS+"} <-------------
    It might be worthwhile trying a repartition on the new server, because ours says:
    <CFString 0x1062a0 [0xa016a1a0]>{contents = "partitionmaptype"} = <CFString 0x1062c0 [0xa016a1a0]>{contents = "applepartition_maptype"} <------ maybe not really important, but it doesn't support booting on Intel systems. What should be used on Intel systems? Should it be GUID instead? Doesn't matter for non-boot drives???
    You haven't got too much data on it yet : Size "4.09 TB" - "3.27 TB" free.
    In Tiger you set up the volume to use ACLs in WGM.
    In Leopard SA it's a bit bewildering (haven't looked at it since before the 10.5.2 update though)...

  • Remote Desktop not working via ASA

    Hi Everyone,
    ASA has 2 interfaces inside and sales.
    There is an ACL on interface sales that allows RDP on TCP port 3389 from sales to 10.0.0.15 on the inside subnet.
    Interface sales is attached to switch.
    I did test from switch
    2950A#telnet 10.0.0.15 3389
    Trying 10.0.0.15, 3389 ...
    % Connection refused by remote host
    2950A#ping 10.0.0.15
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.15, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
    2950A#
    logs on firewall show
    May 18 2014 18:50:34: %ASA-6-302013: Built inbound TCP connection 313812 for sales:10.12.12.2/24066 (10.12.12.2/24066) to inside:10.0.0.15/3389 (10.0.0.15/3389)
    May 18 2014 18:50:34: %ASA-6-302014: Teardown TCP connection 313812 for sales:10.12.12.2/24066 to inside:10.0.0.15/3389 duration 0:00:00 bytes 0 TCP Reset-I
    Where 10.0.0.15 is a PC, and this PC is configured to allow incoming Remote Desktop connections.
    Any ideas what I can check?
    Regards
    MAhesh

    Hi Jennifer,
    I tested RDP in both directions, no luck.
    Sales has security level
    interface Vlan3
     nameif sales
     security-level 50
     ip address 10.12.12.1 255.255.255.0
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.255.0
    Ping works fine in both directions, meaning from switch to PC and from PC to switch, so this should rule out routing, right?
    Seems NAT is not configured between inside and sales.
    Regards
    MAhesh
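The two syslog lines in the first post already answer the question the thread is circling: 302013 "Built inbound TCP connection" means the ACL and NAT phases passed, and the 302014 teardown reason "TCP Reset-I" is what Cisco's syslog guide describes as a reset from the inside, here the host 10.0.0.15 on the higher-security interface, with 0 bytes in 0 seconds, so the RST answered the SYN itself. That matches the switch's "Connection refused by remote host". The block below is an added example, not code from the thread or from Cisco: a correlator for 302013/302014 lines that pairs a connection's build and teardown and turns the teardown reason into a troubleshooting verdict. The verdict strings are my interpretation of the documented reasons; the sample log is the two lines quoted in the post.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the two syslog lines quoted in the post.
LOG_LINES = """\
May 18 2014 18:50:34: %ASA-6-302013: Built inbound TCP connection 313812 for sales:10.12.12.2/24066 (10.12.12.2/24066) to inside:10.0.0.15/3389 (10.0.0.15/3389)
May 18 2014 18:50:34: %ASA-6-302014: Teardown TCP connection 313812 for sales:10.12.12.2/24066 to inside:10.0.0.15/3389 duration 0:00:00 bytes 0 TCP Reset-I
"""

# interface:ip/port, with the group-name prefix filled in per endpoint
ENDPOINT = r"(?P<{p}if>[^:\s]+):(?P<{p}ip>[\d.]+)/(?P<{p}port>\d+)"
BUILT = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(p="s") + r" \([^)]*\) to " + ENDPOINT.format(p="d"))
TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(p="s") + r" to " + ENDPOINT.format(p="d")
    + r" duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")


@dataclass
class Conn:
    conn_id: str
    src: str = ""
    dst: str = ""
    direction: str = ""
    bytes: int = -1
    reason: str = ""


# Teardown reasons from the ASA syslog guide; the reading of each is mine.
VERDICTS = {
    "TCP Reset-I": "RST came from the inside (higher-security) side: the destination host answered, the firewall did not drop it",
    "TCP Reset-O": "RST came from the outside (lower-security) side",
    "TCP FINs": "normal close by both ends",
    "SYN Timeout": "no SYN/ACK ever returned: dropped downstream, asymmetric routing, or the host is silent",
}


def correlate(text: str) -> dict[str, Conn]:
    """Pair Built/Teardown lines by connection id."""
    conns: dict[str, Conn] = {}
    for line in text.splitlines():
        m = BUILT.search(line)
        if m:
            c = conns.setdefault(m["id"], Conn(m["id"]))
            c.src = f'{m["sif"]}:{m["sip"]}/{m["sport"]}'
            c.dst = f'{m["dif"]}:{m["dip"]}/{m["dport"]}'
            c.direction = m["dir"]
            continue
        m = TEARDOWN.search(line)
        if m:
            c = conns.setdefault(m["id"], Conn(m["id"]))
            c.bytes = int(m["bytes"])
            c.reason = m["reason"]
    return conns


def diagnose(c: Conn) -> str:
    """Turn a correlated connection into a one-line troubleshooting verdict."""
    verdict = VERDICTS.get(c.reason, f"unrecognised teardown reason {c.reason!r}")
    if c.src and c.reason:
        verdict = f"ACL permitted {c.src} -> {c.dst} (connection was built); " + verdict
    if c.reason == "TCP Reset-I" and c.bytes == 0:
        verdict += ("; 0 bytes in 0 seconds means the RST answered the SYN itself: "
                    "nothing listening on the port, or a host firewall rejecting it")
    return verdict


if __name__ == "__main__":
    for conn in correlate(LOG_LINES).values():
        print(conn.conn_id, diagnose(conn))
```

The practical consequence: a "Built ... Teardown ... Reset-I" pair is not a firewall problem to chase with packet-tracer; it is a reason to run `netstat -an` on 10.0.0.15 and confirm something is bound to 3389 and that the host firewall profile in use allows it.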

  • Certificate Revocation List not working on ASA 8.3(1)

    I've configured my SSL VPN for certificate authentication, in which the authentication with certificates is working fine. However the ASA is not able to store (cache) the CRL.
    Based on the debug below, the ASA downloads the CRL file but is not able to open it.
    Does anyone know this situation?
    Here is the debug output:
    fwlpasa01/pri/act# crypto ca crl request SSL-VPN
    CRYPTO_PKI: CRL is being polled from CDP http://10.151.1.9/certlist/certcrl.crl.
    crypto_pki_req(7ae32bf0, 24, ...)
    CRYPTO_PKI: Crypto CA req queue size = 1.
    Crypto CA thread wakes up!
    CRYPTO_PKI: http connection opened
    CRYPTO_PKI: content dump count 75----------
    CRYPTO_PKI: For function crypto_http_send
    GET /certlist/certcrl.crl HTTP/1.0
    Host: 10.151.1.9
    CRYPTO_PKI: For function crypto_http_send
    CRYPTO_PKI: content dump-------------------
    CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Length: 1482
    Content-Type: application/pkix-crl
    Server: Microsoft-IIS/7.5
    Set-Cookie: ASPSESSIONIDACBQATBA=IEGHHGMBOHNIGEJIEPJKCFCE; path=/
    Date: Mon, 26 Nov 2012 15:47:38 GMT
    Connection: close
    CRYPTO_PKI: CRL data
    2d 2d 2d 2d 2d 42 45 47 49 4e 20 58 35 30 39 20    |  -----BEGIN X509
    43 52 4c 2d 2d 2d 2d 2d 0d 0a 4d 49 49 45 44 44    |  CRL-----..MIIEDD
    43 43 41 76 51 43 41 51 45 77 44 51 59 4a 4b 6f    |  CCAvQCAQEwDQYJKo
    5a 49 68 76 63 4e 41 51 45 46 42 51 41 77 57 54    |  ZIhvcNAQEFBQAwWT
    45 53 4d 42 41 47 43 67 6d 53 4a 6f 6d 54 38 69    |  ESMBAGCgmSJomT8i
    78 6b 41 52 6b 57 41 6e 70 73 0d 0a 4d 52 4d 77    |  xkARkWAnps..MRMw
    45 51 59 4b 43 5a 49 6d 69 5a 50 79 4c 47 51 42    |  EQYKCZImiZPyLGQB
    47 52 59 44 61 57 35 30 4d 52 67 77 46 67 59 4b    |  GRYDaW50MRgwFgYK
    43 5a 49 6d 69 5a 50 79 4c 47 51 42 47 52 59 49    |  CZImiZPyLGQBGRYI
    65 6d 6c 73 62 47 39 79 5a 57 34 78 0d 0a 46 44    |  emlsbG9yZW4x..FD
    41 53 42 67 4e 56 42 41 4d 54 43 31 70 4a 54 45    |  ASBgNVBAMTC1pJTE
    78 50 55 6b 56 4f 4c 55 4e 42 46 77 30 78 4d 6a    |  xPUkVOLUNBFw0xMj
    45 78 4d 54 6b 78 4e 6a 4d 7a 4d 44 68 61 46 77    |  ExMTkxNjMzMDhaFw
    30 78 4d 6a 45 78 4d 6a 63 77 4e 44 55 7a 0d 0a    |  0xMjExMjcwNDUz..
    4d 44 68 61 4d 46 63 77 47 77 49 4b 52 66 65 4b    |  MDhaMFcwGwIKRfeK
    6b 67 41 41 41 41 41 42 67 52 63 4e 4d 54 49 78    |  kgAAAAABgRcNMTIx
    4d 44 49 35 4d 54 4d 79 4d 7a 41 77 57 6a 41 62    |  MDI5MTMyMzAwWjAb
    41 67 70 46 31 4f 55 76 41 41 41 41 41 41 47 41    |  AgpF1OUvAAAAAAGA
    0d 0a 46 77 30 78 4d 6a 45 77 4d 6a 6b 78 4d 7a    |  ..Fw0xMjEwMjkxMz
    49 7a 4d 44 42 61 4d 42 73 43 43 6a 75 71 30 79    |  IzMDBaMBsCCjuq0y
    41 41 41 41 41 41 41 58 6f 58 44 54 45 79 4d 54    |  AAAAAAAXoXDTEyMT
    41 79 4f 54 45 7a 4d 6a 49 77 4d 46 71 67 67 67    |  AyOTEzMjIwMFqggg
    49 4d 0d 0a 4d 49 49 43 43 44 41 66 42 67 4e 56    |  IM..MIICCDAfBgNV
    48 53 4d 45 47 44 41 57 67 42 52 73 73 75 79 64    |  HSMEGDAWgBRssuyd
    63 2b 6c 54 32 66 6a 75 62 39 66 70 7a 67 42 38    |  c+lT2fjub9fpzgB8
    76 45 36 59 78 54 41 51 42 67 6b 72 42 67 45 45    |  vE6YxTAQBgkrBgEE
    41 59 49 33 0d 0a 46 51 45 45 41 77 49 42 41 44    |  AYI3..FQEEAwIBAD
    41 4c 42 67 4e 56 48 52 51 45 42 41 49 43 41 31    |  ALBgNVHRQEBAICA1
    55 77 48 41 59 4a 4b 77 59 42 42 41 47 43 4e 78    |  UwHAYJKwYBBAGCNx
    55 45 42 41 38 58 44 54 45 79 4d 54 45 79 4e 6a    |  UEBA8XDTEyMTEyNj
    45 32 4e 44 4d 77 0d 0a 4f 46 6f 77 67 63 77 47    |  E2NDMw..OFowgcwG
    41 31 55 64 4c 67 53 42 78 44 43 42 77 54 43 42    |  A1UdLgSBxDCBwTCB
    76 71 43 42 75 36 43 42 75 49 61 42 74 57 78 6b    |  vqCBu6CBuIaBtWxk
    59 58 41 36 4c 79 38 76 51 30 34 39 57 6b 6c 4d    |  YXA6Ly8vQ049WklM
    54 45 39 53 52 55 34 74 0d 0a 51 30 45 73 51 30    |  TE9SRU4t..Q0EsQ0
    34 39 63 33 5a 73 63 47 46 6b 62 54 4d 78 4c 45    |  49c3ZscGFkbTMxLE
    4e 4f 50 55 4e 45 55 43 78 44 54 6a 31 51 64 57    |  NOPUNEUCxDTj1QdW
    4a 73 61 57 4d 6c 4d 6a 42 4c 5a 58 6b 6c 4d 6a    |  JsaWMlMjBLZXklMj
    42 54 5a 58 4a 32 61 57 4e 6c 0d 0a 63 79 78 44    |  BTZXJ2aWNl..cyxD
    54 6a 31 54 5a 58 4a 32 61 57 4e 6c 63 79 78 44    |  Tj1TZXJ2aWNlcyxD
    54 6a 31 44 62 32 35 6d 61 57 64 31 63 6d 46 30    |  Tj1Db25maWd1cmF0
    61 57 39 75 4c 45 52 44 50 58 70 70 62 47 78 76    |  aW9uLERDPXppbGxv
    63 6d 56 75 4c 45 52 44 50 57 6c 75 0d 0a 64 43    |  cmVuLERDPWlu..dC
    78 45 51 7a 31 36 62 44 39 6b 5a 57 78 30 59 56    |  xEQz16bD9kZWx0YV
    4a 6c 64 6d 39 6a 59 58 52 70 62 32 35 4d 61 58    |  Jldm9jYXRpb25MaX
    4e 30 50 32 4a 68 63 32 55 2f 62 32 4a 71 5a 57    |  N0P2Jhc2U/b2JqZW
    4e 30 51 32 78 68 63 33 4d 39 59 31 4a 4d 0d 0a    |  N0Q2xhc3M9Y1JM..
    52 47 6c 7a 64 48 4a 70 59 6e 56 30 61 57 39 75    |  RGlzdHJpYnV0aW9u
    55 47 39 70 62 6e 51 77 67 64 67 47 43 53 73 47    |  UG9pbnQwgdgGCSsG
    41 51 51 42 67 6a 63 56 44 67 53 42 79 6a 43 42    |  AQQBgjcVDgSByjCB
    78 7a 43 42 78 4b 43 42 77 61 43 42 76 6f 61 42    |  xzCBxKCBwaCBvoaB
    0d 0a 75 32 78 6b 59 58 41 36 4c 79 38 76 51 30    |  ..u2xkYXA6Ly8vQ0
    34 39 57 6b 6c 4d 54 45 39 53 52 55 34 74 51 30    |  49WklMTE9SRU4tQ0
    45 73 51 30 34 39 63 33 5a 73 63 47 46 6b 62 54    |  EsQ049c3ZscGFkbT
    4d 78 4c 45 4e 4f 50 55 4e 45 55 43 78 44 54 6a    |  MxLENOPUNEUCxDTj
    31 51 0d 0a 64 57 4a 73 61 57 4d 6c 4d 6a 42 4c    |  1Q..dWJsaWMlMjBL
    5a 58 6b 6c 4d 6a 42 54 5a 58 4a 32 61 57 4e 6c    |  ZXklMjBTZXJ2aWNl
    63 79 78 44 54 6a 31 54 5a 58 4a 32 61 57 4e 6c    |  cyxDTj1TZXJ2aWNl
    63 79 78 44 54 6a 31 44 62 32 35 6d 61 57 64 31    |  cyxDTj1Db25maWd1
    63 6d 46 30 0d 0a 61 57 39 75 4c 45 52 44 50 58    |  cmF0..aW9uLERDPX
    70 70 62 47 78 76 63 6d 56 75 4c 45 52 44 50 57    |  ppbGxvcmVuLERDPW
    6c 75 64 43 78 45 51 7a 31 36 62 44 39 6a 5a 58    |  ludCxEQz16bD9jZX
    4a 30 61 57 5a 70 59 32 46 30 5a 56 4a 6c 64 6d    |  J0aWZpY2F0ZVJldm
    39 6a 59 58 52 70 0d 0a 62 32 35 4d 61 58 4e 30    |  9jYXRp..b25MaXN0
    50 32 4a 68 63 32 55 2f 62 32 4a 71 5a 57 4e 30    |  P2Jhc2U/b2JqZWN0
    51 32 78 68 63 33 4d 39 59 31 4a 4d 52 47 6c 7a    |  Q2xhc3M9Y1JMRGlz
    64 48 4a 70 59 6e 56 30 61 57 39 75 55 47 39 70    |  dHJpYnV0aW9uUG9p
    62 6e 51 77 44 51 59 4a 0d 0a 4b 6f 5a 49 68 76    |  bnQwDQYJ..KoZIhv
    63 4e 41 51 45 46 42 51 41 44 67 67 45 42 41 4a    |  cNAQEFBQADggEBAJ
    51 6f 2f 78 73 4e 79 34 67 34 31 66 69 45 2b 67    |  Qo/xsNy4g41fiE+g
    46 4d 31 39 62 65 59 2b 52 77 36 74 4c 61 42 52    |  FM19beY+Rw6tLaBR
    34 33 58 64 45 7a 46 4d 63 61 0d 0a 72 55 74 2f    |  43XdEzFMca..rUt/
    70 39 33 73 63 4c 38 63 45 4a 54 48 6d 42 54 33    |  p93scL8cEJTHmBT3
    73 33 79 30 50 42 55 59 6d 35 52 58 36 6f 4c 42    |  s3y0PBUYm5RX6oLB
    41 41 74 4f 42 63 5a 4b 62 33 76 77 58 47 33 2f    |  AAtOBcZKb3vwXG3/
    34 72 65 71 72 6a 39 47 42 61 49 42 0d 0a 30 2b    |  4reqrj9GBaIB..0+
    4f 34 66 37 43 67 4f 78 42 38 47 6d 44 32 69 42    |  O4f7CgOxB8GmD2iB
    31 70 79 56 55 7a 76 52 72 44 37 65 30 69 6a 31    |  1pyVUzvRrD7e0ij1
    35 63 76 6e 58 46 63 6f 75 31 34 50 45 53 6c 6f    |  5cvnXFcou14PESlo
    30 2b 34 75 6b 4e 6d 42 4a 44 57 74 67 6c 0d 0a    |  0+4ukNmBJDWtgl..
    45 47 46 65 6f 4e 30 78 37 2f 63 52 59 53 70 71    |  EGFeoN0x7/cRYSpq
    52 44 48 71 56 59 39 75 34 69 63 44 49 7a 31 4c    |  RDHqVY9u4icDIz1L
    75 78 5a 72 69 35 76 69 63 41 59 4b 62 44 69 4b    |  uxZri5vicAYKbDiK
    30 4b 77 69 64 39 59 71 4b 43 63 76 2f 73 4c 37    |  0Kwid9YqKCcv/sL7
    0d 0a 32 77 2b 53 7a 46 46 75 72 73 54 6c 70 2f    |  ..2w+SzFFursTlp/
    36 74 4c 4d 41 72 6c 30 37 49 4f 65 52 63 51 38    |  6tLMArl07IOeRcQ8
    4c 2b 6a 71 69 6e 44 30 6f 6f 62 53 5a 78 49 30    |  L+jqinD0oobSZxI0
    6b 42 64 54 47 6a 6c 38 68 44 42 77 6d 6a 74 63    |  kBdTGjl8hDBwmjtc
    33 63 0d 0a 6b 39 68 53 58 78 42 65 65 4d 74 74    |  3c..k9hSXxBeeMtt
    53 72 33 48 6f 4c 42 63 6c 76 4d 75 78 64 77 72    |  Sr3HoLBclvMuxdwr
    41 6f 52 49 48 61 64 4f 4b 52 35 54 70 52 34 3d    |  AoRIHadOKR5TpR4=
    0d 0a 2d 2d 2d 2d 2d 45 4e 44 20 58 35 30 39 20    |  ..-----END X509
    43 52 4c 2d 2d 2d 2d 2d 0d 0a                      |  CRL-----..
    CRYPTO_PKI: transaction HTTPGetCRL completed
    Crypto CA thread sleeps!
    CRYPTO_PKI: Failed to retrieve CRL for trustpoint: SSL-VPN.
      Retrying with next CRL DP...

    Hello everyone!
    I've got the issue solved. The issue was in the CA CDP. I published a new HTTP CDP, and it's working fine.
    Windows CA
    - In Server Manager, right-click the Certificate Authority object name, click Properties, then Extensions
    - Create an extension to generate the following URL
    http://winca.pmmagalhaes.com.br/CertEnroll/WINCA.crl
    - Then apply -> ok
    - Under Windows PKI, right-click the Certificate Authority object name, then Refresh
    ASA
    Under retrieval policy, set it to static and then put the URL above.
    It's done
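The debug is more informative than the thread makes use of. The server answered with Content-Type application/pkix-crl, which RFC 2585 defines as a DER-encoded CRL, but the body is PEM ("-----BEGIN X509 CRL-----" with CRLF line endings). The first base64 characters "MIIEDDCC" decode to 30 82 04 0c, a SEQUENCE of 1036 bytes, i.e. a 1040-byte DER CertificateList, and wrapping exactly that in 64-column CRLF PEM gives 1482 bytes, which is the Content-Length the server sent. So the file is a complete, well-formed CRL in the wrong encoding for the declared type, and republishing the CDP is what changed. The block below is an added example, not code from the thread or from Cisco: it classifies a fetched CRL body as DER or PEM, normalises PEM to DER, and reproduces the two size checks above. The 5-byte SEQUENCE used as sample input is a constructed stand-in, not a real CRL.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN (?:X509 )?CRL-----(.*?)-----END (?:X509 )?CRL-----", re.S)
PEM_HEADER, PEM_FOOTER = b"-----BEGIN X509 CRL-----", b"-----END X509 CRL-----"


def der_length(buf: bytes, i: int) -> tuple:
    """Decode the DER length field at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def is_der_crl(buf: bytes) -> bool:
    """A DER CertificateList (RFC 5280 s5.1) is one SEQUENCE (tag 0x30) spanning the whole buffer."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    try:
        length, start = der_length(buf, 1)
    except (ValueError, IndexError):
        return False
    return start + length == len(buf)


def normalize_crl(data: bytes) -> bytes:
    """Return the CRL as DER; PEM input (LF or CRLF line endings) is unwrapped and base64-decoded."""
    if is_der_crl(data):
        return data
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("neither a DER nor a PEM CertificateList")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if not is_der_crl(der):
        raise ValueError("PEM body does not decode to a single DER SEQUENCE")
    return der


def classify(data: bytes, content_type: str) -> tuple:
    """(encoding, conformant): RFC 2585 defines application/pkix-crl as DER,
    so a PEM body under that Content-Type is a mismatch."""
    enc = "DER" if is_der_crl(data) else ("PEM" if PEM_RE.search(data) else "unknown")
    return enc, enc == "DER" and content_type == "application/pkix-crl"


def der_size_from_b64_prefix(prefix: str) -> int:
    """Total DER size implied by the first base64 characters of a PEM body (needs >= 8 chars)."""
    head = base64.b64decode(prefix[:8])
    length, start = der_length(head, 1)
    return start + length


def pem_size(der_len: int, eol: bytes = b"\r\n") -> int:
    """Size of a 64-column PEM file wrapping der_len bytes; used to reconcile Content-Length."""
    b64 = -(-der_len // 3) * 4
    lines = -(-b64 // 64)
    return len(PEM_HEADER) + len(eol) + b64 + lines * len(eol) + len(PEM_FOOTER) + len(eol)


# Constructed stand-in: a 5-byte SEQUENCE (not a real CRL), PEM-wrapped with CRLF
# line endings exactly as the debug shows the IIS server doing.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = PEM_HEADER + b"\r\n" + base64.b64encode(SAMPLE_DER) + b"\r\n" + PEM_FOOTER + b"\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE_PEM, "application/pkix-crl"))
    print("DER size from debug prefix:", der_size_from_b64_prefix("MIIEDDCCAvQCAQEw"))
    print("PEM size for that DER:", pem_size(1040))
```

The same check from a shell is `curl -s http://10.151.1.9/certlist/certcrl.crl | head -c 16 | xxd`: a DER CRL starts with 30 82, a PEM one with the dashes seen in the debug.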

  • TACACS not working in ASA 8.0(3)

    We have quite a few ASAs with similar TACACS and crypto configs, but yesterday we had an issue with a PIX and we swapped the PIX with an ASA 8.0(3). The tunnel is up and running but we are not able to log in using TACACS even after the configs, and I found a bug on cisco.com which asks us to use the command "crypto map set reverse-route":
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk08454
    Even after configuring it right, I am not able to log in using TACACS. Can someone tell me how to use this command, or any other way?
    Thanks in advance

    We have a tunnel established with the remote ASA and here are the related configs; let me know if you need anything else. Thanks for replying though.
    local device configs:
    aaa-server protocol tacacs+
    aaa-server host < ip>
    aaa authentication ssh console
    aaa authentication http console
    access-list extended permit ip any
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map 20 match address
    crypto map 20 set peer x.x.x.x
    crypto map 20 set transform-set ESP-3DES-MD5
    crypto map 20 set reverse-route
    crypto map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 20
    crypto isakmp policy 65535
    remote ASA
    access-list remark MobileAL
    access-list extended permit ip any ip add subnet
    crypto map 1925 match address outside_1925_cryptomap
    crypto map 1925 set peer
    crypto map 1925 set transform-set ESP-3DES-MD5
    crypto map 1925 set security-association lifetime seconds 86400
    crypto map 1925 set nat-t-disable
    crypto map 1925 set reverse-route

  • TACACS Authentication not working with ASA

    I have an ACS 4.1 Windows server running TACACS. It is working on all devices within the enterprise except for one new ASA at a remote site. There is no NAT going on or anything, and the ASA can ping the ACS box and the ACS box can ping the ASA.
    I added the configuration below but the authentication fails and no requests come to the ACS server
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ host 10.x.x.x
    key password
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    Any help would be greatly appreciated

    Please check the shared secret key. Remember the NDG key overrides the AAA client key.
    Make sure ACS has the correct IP address of the ASA in its network configuration.
    Do you see any hits in ACS failed or passed attempts? Also try increasing the TACACS timeout to 15 seconds.
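Both TACACS threads above come down to "check the shared secret", and the reason a wrong key fails the way it does is worth seeing on the wire. TACACS+ (RFC 8907) sends the 12-byte header in the clear and XORs only the body with an MD5 pseudo-pad derived from the session id, the shared key, the version and the sequence number. A server holding a different key still parses the header, so the packet reaches the right session, but the de-obfuscated body is garbage and the server rejects or drops it, which is why the ACS side may show no usable attempt at all. The block below is an added example, not code from either thread, from Cisco or from ACS: it builds an authentication START packet for user "admin", obfuscates it under one key, and decodes it under the right and the wrong one. The key, session id and remote address are constructed values.

```python
import hashlib
import struct

# Header constants from RFC 8907 (TACACS+).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5: MD5(session_id || key || version || seq_no [|| previous digest]),
    chained until `length` bytes of pad exist. The body is XORed with this pad."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Apply (or remove: XOR is its own inverse) the TACACS+ body obfuscation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str = "ssh", rem_addr: str = "10.0.0.1") -> bytes:
    """Authentication START body (RFC 8907 s5.1): action=LOGIN(1), priv_lvl=1,
    authen_type=ASCII(1), authen_service=LOGIN(1), four length bytes, then the
    user, port, rem_addr and data fields. The rem_addr default is a placeholder."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return bytes([1, 1, 1, 1, len(u), len(p), len(r), len(d)]) + u + p + r + d


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """The header stays in the clear; only the body is obfuscated with the shared key."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(pkt: bytes, key: bytes) -> dict:
    """Decode with whatever key the receiver holds: a wrong key yields a body of
    garbage lengths and bytes, which is how a shared-secret mismatch shows up."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq": seq_no, "session": session_id, "body": body}


def start_body_is_sane(body: bytes) -> bool:
    """Plausibility check a server applies after de-obfuscation: the four length
    bytes must account for exactly the remaining payload."""
    return len(body) >= 8 and 8 + sum(body[4:8]) == len(body)


if __name__ == "__main__":
    key, sid = b"s3cret", 0x1234ABCD
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, sid, authen_start_body("admin"), key)
    print("right key:", parse_packet(pkt, key)["body"])
    print("wrong key:", parse_packet(pkt, b"wrong-key")["body"])
```

On the ASA, `test aaa-server authentication TACACS+ host 10.x.x.x username <user> password <pass>` exercises exactly this exchange without logging out of the console; combined with a packet capture on the ACS host, a key mismatch shows as START packets arriving and being answered with an ERROR or not at all.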

  • ACL not Working with Keepalive Configuration

    Hi,
    I have configured an ACL on a CSS 11506 with software version 07.50.1_03.0. After configuring it, we observed in show keepalive-summary that all server services are up except the App server services, where keepalive type TCP and port are configured. We tried removing the keepalive configuration from the App servers, after which it works fine. Does any specific port need to be allowed in the ACL for the keepalive? Below is the configuration done on the CSS.
    acl enable
    acl log enable
    acl 1
    clause 1 permit tcp any destination any eq 8080
    clause 2 permit tcp any destination any eq 80
    clause 3 permit tcp any destination any eq 443
    clause 4 permit any any destination 224.0.0.18
    clause 5 permit icmp any destination any
    apply all
    service WEBSERVER 1
    ip address 1.1.1.11
    redundant-index 1
    protocol tcp
    port 80
    active
    service WEBSERVER 2
    ip address 1.1.1.12
    redundant-index 2
    protocol tcp
    port 80
    active
    service APP1
    ip address 1.1.2.11
    redundant-index 10
    keepalive type tcp
    keepalive port 8080
    active
    service APP2
    ip address 1.1.2.12
    redundant-index 11
    keepalive type tcp
    keepalive port 8080
    active

    Hi,
    Thanks for the reply. Kindly find the required output below and let me know your views.
    CSS11506_Backup# sh keepalive-sum
    Keepalives:
    AUTO_nexthop00001 State: Alive 1.1.3.1
    AUTO_nexthop00002 State: Alive 1.1.3.1
    AUTO_SEZ-WEBSERVER-03 State: Down 1.1.1.11
    AUTO_SEZ-WEBSERVER-04 State: Down 1.1.1.12
    AUTO_WEBSERVER-01 State: Alive 1.1.4.6
    AUTO_WEBSERVER-02 State: Alive 1.1.4.7
    AUTO_chk-con-pix103 State: Alive 1.1.3.4
    AUTO_chk-con-pix225 State: Alive 1.1.3.17
    AUTO_chk-con-web104 State: Alive 1.1.4.5
    AUTO_chk-con-web224 State: Alive 1.1.1.18
    AUTO_chk-con-pix227 State: Alive 1.1.4.4
    AUTO_chk-con-app226 State: Alive 1.1.2.4
    AUTO_SEZAPP1 State: Down 1.1.2.11
    AUTO_SEZAPP2 State: Dying 1.1.2.12
    AUTO_nexthop00005 State: Alive 1.1.4.1
    CSS11506_Backup# sh keepalive-sum
    Keepalives:
    AUTO_nexthop00001 State: Alive 1.1.3.1
    AUTO_nexthop00002 State: Alive 1.1.3.1
    AUTO_SEZ-WEBSERVER-03 State: Down 1.1.1.11
    AUTO_SEZ-WEBSERVER-04 State: Down 1.1.1.12
    AUTO_WEBSERVER-01 State: Alive 1.1.4.6
    AUTO_WEBSERVER-02 State: Alive 1.1.4.7
    AUTO_chk-con-pix103 State: Alive 1.1.3.4
    AUTO_chk-con-pix225 State: Alive 1.1.3.17
    AUTO_chk-con-web104 State: Alive 1.1.4.5
    AUTO_chk-con-web224 State: Alive 1.1.1.18
    AUTO_chk-con-pix227 State: Alive 1.1.4.4
    AUTO_chk-con-app226 State: Alive 1.1.2.4
    AUTO_SEZAPP1 State: Down 1.1.2.11
    AUTO_SEZAPP2 State: Down 1.1.2.12
    AUTO_nexthop00005 State: Alive 1.1.4.1
    CSS11506_Backup# sh keepalive
    Keepalives:
    Name: AUTO_nexthop00001 Index: 0 State: Alive
    Description: Auto generated for service nexthop00001
    Address: 1.1.3.1 Port: Any
    Type: ICMP
    Encryption: Disabled
    Frequency: 5
    Max Failures: 3
    Retry Frequency: 5
    Dependent Services:
    nexthop00001
    Name: AUTO_nexthop00002 Index: 1 State: Alive
    Description: Auto generated for service nexthop00002
    Address: 1.1.3.1 Port: Any
    Type: ICMP
    Encryption: Disabled
    Frequency: 5
    Max Failures: 3
    Retry Frequency: 5
    Dependent Services:
    nexthop00002
    Name: AUTO_-WEBSERVER-03 Index: 2 State: Down
    Description: Auto generated for service -WEBSERVER-03
    Address: 1.1.1.11 Port: 80
    Type: TCP
    Encryption: Disabled
    Frequency: 5
    Max Failures: 3
    Retry Frequency: 5
    Dependent Services:
    -WEBSERVER-03
    Name: AUTO_-WEBSERVER-04 Index: 3 State: Down
    Description: Auto generated for service -WEBSERVER-04
    Address: 1.1.1.12 Port: 80
    Type: TCP
    Encryption: Disabled
    Frequency: 5
    Max Failures: 3
    Retry Frequency: 5
    Dependent Services:
    -WEBSERVER-04
    Name: AUTO_WEBSERVER-01 Index: 4 State: Alive
    Description: Auto generated for service WEBSERVER-01
    Address: 1.1.4.6 Port: 80
    Type: ICMP
    Encryption: Disabled
    Frequency: 5
    Max Failures: 3
    Retry Frequency: 5
    Dependent Services:
    WEBSERVER-01
    Name: AUTO_WEBSERVER-02 Index: 5 State: Alive
    Description: Auto generated for service WEBSERVER-02
    Address: 1.1.4.7 Port: 80
    Type: ICMP
    Encryption: Disabled
    Frequency: 5
    Max Failures: 3
    Retry Frequency: 5
    Dependent Services:
    WEBSERVER-02
    Name: AUTO_chk-con-pix103 Index: 6 State: Alive
    Description: Auto generated for service chk-con-pix103
    Address: 1.1.3.4 Port: Any
    Type: SCRIPT ap-kal-pinglist
    Script Arguments: "1.1.3.4"
    Script Error: None
    Script Run Time: 0 seconds
    Script Using Output parsing: No
    Encryption: Disabled
    Frequency: 2
    Max Failures: 2
    Retry Frequency: 2
    Dependent Services:
    chk-con-pix103
    Name: AUTO_chk-con-pix225 Index: 7 State: Alive
    Description: Auto generated for service chk-con-pix225
    Address: 1.1.3.17 Port: Any
    Type: SCRIPT ap-kal-pinglist
    Script Arguments: "1.1.3.17"
    Script Error: None
    Script Run Time: 0 seconds
    Script Using Output parsing: No
    Encryption: Disabled
    Frequency: 2
    Max Failures: 2
    Retry Frequency: 2
    Dependent Services:
    chk-con-pix225
    Name: AUTO_chk-con-web104 Index: 8 State: Alive
    Description: Auto generated for service chk-con-web104
    Address: 1.1.4.5 Port: Any
    Type: SCRIPT ap-kal-pinglist
    Script Arguments: "1.1.4.5"
    Script Error: None
    Script Run Time: 0 seconds
    Script Using Output parsing: No
    Encryption: Disabled
    Frequency: 2
    Max Failures: 2
    Retry Frequency: 2
    Dependent Services:
    chk-con-web104
    Name: AUTO_chk-con-web224 Index: 9 State: Alive
    Description: Auto generated for service chk-con-web224
    Address: 1.1.1.18 Port: Any
    Type: SCRIPT ap-kal-pinglist
    Script Arguments: "1.1.1.18"
    Script Error: None
    Script Run Time: 0 seconds
    Script Using Output parsing: No
    Encryption: Disabled
    Frequency: 2
    Max Failures: 2
    Retry Frequency: 2
    Dependent Services:
    chk-con-web224
    Name: AUTO_chk-con-pix227 Index: 10 State: Alive
    Description: Auto generated for service chk-con-pix227
    Address: 1.1.4.4 Port: Any
    Type: SCRIPT ap-kal-pinglist
    Script Arguments: "1.1.4.4"
    Script Error: None
    Script Run Time: 0 seconds
    Script Using Output parsing: No
    Encryption: Disabled
    Frequency: 2
    Max Failures: 2
    Retry Frequency: 2
    Dependent Services:
    chk-con-pix227
    Name: AUTO_chk-con-app226 Index: 11 State: Alive
    Description: Auto generated for service chk-con-app226
    Address: 1.1.2.4 Port: Any
    Type: SCRIPT ap-kal-pinglist
    Script Arguments: "1.1.2.4"
    Script Error: None
    Script Run Time: 0 seconds
    Script Using Output parsing: No
    Encryption: Disabled
    Frequency: 2
    Max Failures: 2
    Retry Frequency: 2
    Dependent Services:
    chk-con-app226
    Name: AUTO_APP1 Index: 12 State: Down
    Description: Auto generated for service APP1
    Address: 1.1.2.11 Port: 8080
    Type: TCP
    Encryption: Disabled
    Frequency: 5
    Max Failures: 3
    Retry Frequency: 5
    Dependent Services:
    APP1
    Name: AUTO_APP2 Index: 13 State: Down
    Description: Auto generated for service APP2
    Address: 1.1.2.12 Port: 8080
    Type: TCP
    Encryption: Disabled
    Frequency: 5
    Max Failures: 3
    Retry Frequency: 5
    Dependent Services:
    APP2
    Name: AUTO_nexthop00005 Index: 14 State: Alive
    Description: Auto generated for service nexthop00005
    Address: 1.1.4.1 Port: Any
    Type: ICMP
    Encryption: Disabled
    Frequency: 5
    Max Failures: 3
    Retry Frequency: 5
    Dependent Services:

  • Arp inspection not working on ASA

    Folks,
    I configured a transparent firewall on ASA. I have arp inspection enabled, with dynamic mac learning and dynamic arp. I am able to ping through the transparent firewall using 2 routers with the same mac-address. The firewall shows me that it is learning both the mac-addresses and also forwarding packets, can someone help me understand why this is happening?

    For some reason it will not take the shun command... I've tried every combination I could think of but it will always fail. I'm guessing there is a bug or that it's just not allowed in transparent mode.
    You have to use the vlan before the number or it says invalid host. When I do specify vlan 2 it takes it and then comes back with "Invalid vlan (2) shun failed".

  • 3560 QoS ACL not working as expected...

    I am putting together some QoS access-lists for some testing I am doing...
    When I try to classify/mark traffic based on TCP port, the packets don't seem to get tagged.
    When I remove the port qualification, "eq telnet" from the end of an ACL entry, the packets do get tagged.
    For instance: I get no tagged packets when I use the following ACL:
    ip access-list extended ftp-acl
    permit tcp host <ip-address> any eq ftp-data
    permit tcp host <ip-address> any eq ftp
    When I reduce it to the following, the packets that match are tagged with the set value:
    ip access-list extended ftp-acl
    permit tcp host <ip-address> any
    Any ideas???

    Yes, QoS is enabled globally...
    Here's the config. it's very basic. Internet access is on fas0/1. My Client is on Fas0/2. Both in VLAN 1.
    I am capturing traffic coming into my laptop from fas0/2.
    hostname Switch
    no aaa new-model
    ip subnet-zero
    ip routing
    mls qos
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    class-map match-any ftp-class
    match access-group name ftp-acl
    class-map match-any www-class
    match access-group name www-acl
    policy-map ingress
    class ftp-class
    set dscp ef
    interface FastEthernet0/1
    switchport mode access
    service-policy input egress
    interface FastEthernet0/2
    interface Vlan1
    ip address dhcp
    ip access-list extended ftp-acl
    permit tcp host 154.6.66.38 any eq ftp-data
    permit tcp host 154.6.66.38 any eq ftp
    ip access-list extended www-acl
    permit tcp any any eq www
    control-plane
    line con 0
    line vty 0 4
    no login
    line vty 5 15
    no login
    end
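    One thing worth checking before chasing the port qualifier: in the config pasted above, the interface applies `service-policy input egress`, while the only policy-map defined is `ingress`, so the policy that references `ftp-acl` is never attached to the port. The script below is an added example (not the poster's or Cisco's code) that reads an IOS-style config and reports references to ACLs, class-maps and policy-maps that have no matching definition, plus definitions nothing uses. The embedded config is the one from the post, trimmed to the QoS-relevant lines.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the switch config pasted in the post above,
# reduced to the lines that matter for QoS reference checking.
SAMPLE_CONFIG = """\
mls qos
class-map match-any ftp-class
 match access-group name ftp-acl
class-map match-any www-class
 match access-group name www-acl
policy-map ingress
 class ftp-class
  set dscp ef
interface FastEthernet0/1
 switchport mode access
 service-policy input egress
interface FastEthernet0/2
ip access-list extended ftp-acl
 permit tcp host 154.6.66.38 any eq ftp-data
 permit tcp host 154.6.66.38 any eq ftp
ip access-list extended www-acl
 permit tcp any any eq www
"""

# Lines that define a named object, keyed by object kind.
DEFINITIONS = {
    "acl": re.compile(r"^ip access-list (?:extended|standard) (\S+)$"),
    "class-map": re.compile(r"^class-map (?:match-any |match-all )?(\S+)$"),
    "policy-map": re.compile(r"^policy-map (\S+)$"),
}

# Lines that reference a named object of the same kind.
REFERENCES = {
    "acl": re.compile(r"^match access-group name (\S+)$"),
    "class-map": re.compile(r"^class (\S+)$"),          # "class X" under a policy-map
    "policy-map": re.compile(r"^service-policy (?:input|output) (\S+)$"),
}

# Names that exist without an explicit definition.
IMPLICIT: Dict[str, Set[str]] = {"class-map": {"class-default"}}


def check_qos_references(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return dangling references and unused definitions found in `config`.

    Each entry is a (kind, name) tuple, sorted by kind then name.
    """
    defined: Dict[str, Set[str]] = {kind: set() for kind in DEFINITIONS}
    referenced: Dict[str, Set[str]] = {kind: set() for kind in REFERENCES}

    for raw in config.splitlines():
        line = raw.strip()  # indentation is irrelevant for these line types
        for kind, rx in DEFINITIONS.items():
            match = rx.match(line)
            if match:
                defined[kind].add(match.group(1))
        for kind, rx in REFERENCES.items():
            match = rx.match(line)
            if match:
                referenced[kind].add(match.group(1))

    dangling = [
        (kind, name)
        for kind in REFERENCES
        for name in sorted(referenced[kind] - defined[kind] - IMPLICIT.get(kind, set()))
    ]
    unused = [
        (kind, name)
        for kind in DEFINITIONS
        for name in sorted(defined[kind] - referenced[kind])
    ]
    return {"dangling": dangling, "unused": unused}


if __name__ == "__main__":
    report = check_qos_references(SAMPLE_CONFIG)
    for kind, name in report["dangling"]:
        print(f"DANGLING: {kind} '{name}' is referenced but never defined")
    for kind, name in report["unused"]:
        print(f"UNUSED:   {kind} '{name}' is defined but never referenced")
```

    Run against the pasted config, the checker reports the policy-map `egress` as referenced but undefined and `ingress` as defined but never applied; fixing the service-policy name is the first step before looking at whether `eq ftp` matches. The same check is cheap to run on every config export, since a renamed class-map or ACL silently turns a marking or filtering policy into a no-op.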

  • Route inside does not work on ASA 8.2(3), ASA cannot ping inside hosts

    Hi Guys,
    I have a problem; one of our ASAs seems to be acting strange.
    I have copied these routes below onto the ASA, and am able to ping only 10.126.0.32.
    route inside 10.126.0.10 255.225.255.255 10.20.3.1
    route inside 10.126.0.30 255.225.255.255 10.20.3.1
    route inside 10.126.0.31 255.225.255.255 10.20.3.1
    route inside 10.126.0.32 255.225.255.255 10.20.3.1
    route inside 10.126.0.140 255.225.255.255 10.20.3.1
    route inside 10.126.0.141 255.225.255.255 10.20.3.1
    route inside 10.126.0.142 255.225.255.255 10.20.3.1
    When I saved the configuration and checked back on the ASA running-configuration, none of the above routes exists.
    MYASA(config)# route inside 10.126.0.10 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.30 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.31 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.32 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.140 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.141 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.142 255.225.255.255 10.20.3.1
    MYASA(config)# end
    MYASA# show run | in route inside
    route inside 10.0.0.0 255.0.0.0 10.20.3.1 1
    route inside 10.96.0.0 255.224.0.0 10.20.3.1 1
    route inside 10.96.0.10 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.30 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.31 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.32 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.140 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.141 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.142 255.225.255.255 10.20.3.1 1
    route inside 10.100.1.61 255.255.255.255 10.20.3.1 1
    route inside 10.101.20.112 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.113 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.114 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.115 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.201 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.202 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.204 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.205 255.255.255.255 10.0.0.254 1
    route inside 10.101.22.22 255.255.255.255 10.20.3.1 1
    route inside 10.101.24.100 255.255.255.255 10.0.0.254 1
    route inside 10.101.24.101 255.255.255.255 10.0.0.254 1
    route inside 10.101.25.0 255.255.255.0 10.20.3.1 1
    route inside 10.126.0.32 255.255.255.255 10.20.3.1 1
    route inside 67.215.65.132 255.255.255.255 10.20.3.1 1
    route inside 192.168.1.3 255.255.255.255 10.0.0.254 1
    route inside 192.168.1.4 255.255.255.255 10.0.0.254 1
    route inside 192.168.151.0 255.255.255.0 10.20.3.1 1
    route inside 192.168.151.48 255.255.255.240 10.0.0.254 1
    route inside 205.210.235.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.236.0 255.255.255.0 10.20.3.1 1
    route inside 205.210.237.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.238.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.239.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.240.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.241.0 255.255.255.0 10.0.0.254 1
    MYASA#
    It may be a bug on the ASA?
    Thanks
    Rizwan Rafeek

    Hi Vibhor,
    Well, the problem is resolved by Cisco Tech support; it boiled down to a bug.
    "route inside 10.126.0.32 255.225.255.255 10.20.3.1", this route already existed, and yet only one route shows up out of the 7 copied; that is a bug.
    Thanks for your reply.
    Regards
    Rizwan Rafeek.
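    One detail in the pasted commands is worth a closer look: the mask typed is 255.225.255.255, not 255.255.255.255, and the entries that appear in `show run` are 10.96.0.x rather than 10.126.0.x. The script below is an added example (not the poster's or Cisco's code) that checks whether a dotted-quad mask is contiguous and computes address AND mask, which is the form a device stores a route prefix in; run on the seven commands from the post, it reproduces the 10.96.0.x addresses shown in the output. Checking masks this way before pasting a batch of static routes catches the typo before the device silently normalizes the prefix.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample input: the route commands pasted in the post above.
PASTED_ROUTES = """\
route inside 10.126.0.10 255.225.255.255 10.20.3.1
route inside 10.126.0.30 255.225.255.255 10.20.3.1
route inside 10.126.0.31 255.225.255.255 10.20.3.1
route inside 10.126.0.32 255.225.255.255 10.20.3.1
route inside 10.126.0.140 255.225.255.255 10.20.3.1
route inside 10.126.0.141 255.225.255.255 10.20.3.1
route inside 10.126.0.142 255.225.255.255 10.20.3.1
"""

ROUTE_RX = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)$")


def is_contiguous_mask(mask: str) -> bool:
    """True if `mask` is a run of 1-bits followed only by 0-bits (e.g. 255.224.0.0)."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = ~m & 0xFFFFFFFF
    # For a contiguous mask the host part is 2^k - 1, so host_bits & (host_bits + 1) == 0.
    return host_bits & (host_bits + 1) == 0


def normalize_route(prefix: str, mask: str) -> str:
    """Return the prefix a device keeps for the route: address AND mask."""
    net = int(ipaddress.IPv4Address(prefix)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(net))


def check_routes(config: str) -> List[Dict[str, object]]:
    """Parse `route <if> <prefix> <mask> <nexthop>` lines and report what each would store."""
    results = []
    for raw in config.splitlines():
        match = ROUTE_RX.match(raw.strip())
        if not match:
            continue
        interface, prefix, mask, nexthop = match.groups()
        stored = normalize_route(prefix, mask)
        results.append({
            "interface": interface,
            "entered": prefix,
            "mask": mask,
            "mask_ok": is_contiguous_mask(mask),
            "stored": stored,
            "altered": stored != prefix,   # prefix had bits outside the mask
            "nexthop": nexthop,
        })
    return results


if __name__ == "__main__":
    for r in check_routes(PASTED_ROUTES):
        flag = "" if r["mask_ok"] else "  <-- non-contiguous mask"
        print(f"{r['entered']:<14} {r['mask']:<16} -> stored as {r['stored']}{flag}")
```

    With the mask 255.225.255.255 the second octet keeps only bits 11100001, so 126 (01111110) becomes 96 (01100000); 10.126.0.32 is still reachable only because a separate /32 route with the correct mask already existed, as the `show run` output shows.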

  • Mail.app erasing emails and ACL not working

    Hi,
    I'm really surprised with this strange behavior. I decided to move all spams and hams I kept in a folder in my own account on the IMAP server to a folder of the "junkmail" and "notjunkmail" accounts.
    Messages were correctly moved (I've done that with Mail.app) but now, each time I launch Mail.app and select those folders in the junkmail and notjunkmail accounts, all messages are erased!!!
    I tried everything I could think of but as soon as I select those folders all messages are gone ! Then, I decided to use SirAdmin and to remove the "delete" permission on those folders but... even with that, Mail.app erased everything.
    So this is clearly driving me crazy !
    Does someone have any idea ???

    I'm just answering myself.
    As I didn't get any answer here I created a special account on the server to put those mails into. Perhaps those particular "junkmail" and "notjunkmail" accounts cannot have sub directories ?

  • ACE: probe with serverfarm not working

    Hello
    When I use one probe configured for port 8080 with a serverfarm which uses realservers on port 8080, everything works fine. But I wanted to create one generic probe and use it for all of my serverfarms. I hoped that this generic (tcp probe) probe would use the ports of each serverfarm, but it uses the default port 80. Is it possible to use one generic probe for all serverfarms which have different ports? How?
    It worked in CSM, but it does not work in ASA :(
    Thanx

    if you do not define a port in the probe config, it should take the one defined in the serverfarm.
    Just like the CSM.
    Gilles.

  • No AutoUpdate feature working on ASA-SSM-20

    Hi!
    Autoupdate feature is not working on ASA-SSM-20 module.
    We have configured:
    https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl
    And/Or:
    https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    And/Or:
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    And/Or:
    https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    We get these errors on the ASA-SSM-20 module:
    evError: eventId=1280563964539644086  vendor=Cisco  severity=error 
      originator:  
        hostId: sensor1 
        appName: mainApp 
        appInstanceId: 356 
      time: nov 17, 2010 08:15:45 UTC  offset=60  timeZone=GMT+01:00 
      errorMessage: AutoUpdate exception: Receive HTTP response failed [3,212]  name=errSystemError
    evError: eventId=1280563964539644079  vendor=Cisco  severity=error 
      originator:  
        hostId: sensor1 
        appName: mainApp 
        appInstanceId: 356 
      time: nov 17, 2010 08:10:02 UTC  offset=60  timeZone=GMT+01:00 
      errorMessage: http error response: 400  name=errSystemError
    Any Ideas?

    I am experiencing a similar issue currently with a new SSC-5 module.  I am working with TAC, however response has been slow.  I can see traffic with Wireshark for 198.133.219.25 but I never see the traffic for 198.133.219.243 that I was told to allow on the firewall.  I also found it confusing that I need to create exceptions on the firewall for outbound traffic to these two IP addresses when I do not have to make any exceptions for any other outbound traffic.
    Here is what I see:
    IPS_Sensor# show stat host
    Auto Update Statistics
       lastDirectoryReadAttempt = 09:03:09 GMT-06:00 Wed Jan 19 2011
        =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
        =   Error: AutoUpdate exception: HTTP connection failed [1,110]
       lastDownloadAttempt = N/A
       lastInstallAttempt = N/A
       nextAttempt = 11:00:00 GMT-06:00 Wed Jan 19 2011 Auxilliary Processors Installed
    IPS_Sensor# show clock
    .09:24:05 GMT-06:00 Wed Jan 19 2011
    I know this thread is a few months old, but am hoping to spark an interest here.
    Thanks.

  • Pat is not working on my asa

    Hi there. 
    I'm just trying to do PAT with GNS3, but it's not working and I don't have any idea.
    (Cisco Adaptive Security Appliance Software Version 8.4(2))
    And also I figured out that there are some changes in the NAT configuration. I did that but it didn't work.
    I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2, 8.8.8.8
    I turned on debug in R1 and I can see the ICMP.
    R1#
    *Mar  1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
    R1#
    *Mar  1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
    R1#
    And I can also see the xlate on the ASA
    ASA-1# sh xlate
    1 in use, 9 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
    ASA-1#
    This is my topology. 
    [ASA1]
    ASA-1# sh run ip
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 10.10.10.1 255.255.255.0
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 10.10.20.1 255.255.255.0
    ASA-1# sh run object network
    object network obj-192.168.100.0
     subnet 0.0.0.0 0.0.0.0
    ASA-1# conf t
    ASA-1(config)# ob
    ASA-1(config)# object net
    ASA-1(config)# object network obj-192.168.100.0
    ASA-1(config-network-object)# nat (in
    ASA-1(config-network-object)# nat (inside,ou
    ASA-1(config-network-object)# nat (inside,outside) dy
    ASA-1(config-network-object)# nat (inside,outside) dynamic inter
    ASA-1(config-network-object)# nat (inside,outside) dynamic interface
    ASA-1(config-network-object)# end
    [R4]
    interface FastEthernet0/0
     ip address 10.10.20.254 255.255.255.0
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 192.168.100.254 255.255.255.0
     duplex auto
     speed auto
    no ip http server
    no ip http secure-server
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.10.20.1
    [HOST]
    ip address 192.168.100.116/24
    [R1]
    interface FastEthernet0/0
     ip address 10.10.10.254 255.255.255.0
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 1.1.12.1 255.255.255.0
     duplex auto
     speed auto
    no ip http server
    no ip http secure-server
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    What am I missing?
    Please correct me.
    Thank you in advance. 

    Just reloaded... I'm still stuck on the ping.
    Changed the topology to be simpler, but still not working.
    Here is all what i did. 
    [ASA]
    access-list ICMP extended permit icmp any any echo-reply
    access-list ICMP extended permit icmp any any time-exceeded
    access-group ICMP in interface outside
    interface GigabitEthernet0
     description To_UP
     nameif outside
     security-level 0
     ip address 10.10.10.2 255.255.255.0
    interface GigabitEthernet1
     description To_DOWN
     nameif inside
     security-level 100
     ip address 10.10.20.1 255.255.255.0
    [R1]
    interface FastEthernet0/0
     ip address 10.10.10.1 255.255.255.0
    ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think i need this)
    [R4]
    interface FastEthernet0/0
     ip address 10.10.20.2 255.255.255.0
    ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)
    [outout tracer]
    ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.10.10.0      255.255.255.0   outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP <---??????????????????????????
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    ciscoasa#
    [ASA]
    ciscoasa# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list ICMP; 2 elements; name hash: 0x2d2cf426
    access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
    access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
    ciscoasa#
    I created the ACL and permitted it.
    Thank you. 
